• Find us:
    +1-669-900-5138   |   +44-203-372-5553
  • Free Newsletter

    Get Latest Updates

  • Make Training Enquiry


  • Categories

  • Archive

  • SSL / Wallets in OID/OHS : How to manage certificates in Wallet using command line ?? ORAPKI

    Posted by "" in "oid, ssl" on 2013-08-24

    I discussed about  SSL basics in WebLogic like Certifying Authority and Certificate , configuring SSL for OID and SSL for OVD  using Graphical User Interface (GUI) using Fusion Middleware Control (EM).

    What if EM doesn’t work or you did not select Enterprise Manager during WebLogic Domain Creation?


    You are not allowed to use GUI like EM to configure/manage SSL in Oracle.

    If you are in situation like me where GUI is not an option and only Command Line Interface (CLI) is allowed then you can use utility orapki to manage certificates in Wallet for OID.

    Similar to keystore in WebLogic, you have wallet to store SSL certificate (both Identity & Trust certificate) for Oracle components managed by OPMN like Oracle Internet Directory (OID), Oracle HTTP Server (OHS), and Oracle Virtual Directory (OVD).

    In this post I am going to show how to create Wallet, create Certificate Signing Request (CSR) and importing Certificates (Identity and Trust).

    First terminology

    • Wallet: is store to keep certificates both Identity (to which certificate is issued) like OID/OHS/OVD server and Trust (Certificate of Certifying Authority that issued the certificate). Wallet can be protected by password (use option -pwd) or allowed auto login only (use option -auto_login_only)
    • Identity Certificate : is the certificate of the Server that client (Web Client for OHS and LDAP client for OID/OVD) connects to. – When you import Identity Certificate in to wallet, you must use option -user_cert
    • Trust Certificate : is the certificate of the Certifying Authority (CA) that issued Identity Certificate. There could be multiple Certifying Authority in chain that issued the certificate. When you import Trust Certificate in to wallet, you must use option -trusted_cert . If there are multiple CAs in certificate chain then you must import all CA’s certificates with option -trusted_cert
    • orapki : is utility to manage (create, import, export) certificate and wallet. orapki is under MIDDLEWARE_HOME/ oracle_common/ bin


    1. To create wallet
    orapki wallet create -wallet [wallet_location]

    orapki wallet create -wallet /u01/app/oracle/admin/oid_inst1/OID/admin/myWalletDir

    2. To Display certificates in wallet

    orapki wallet display -wallet [wallet_location]

    orapki wallet display -wallet /u01/app/oracle/admin/oid_inst1/OID/admin/myWalletDir


    • Requested Certificates” contains details of Certificate Signing Requests that are not yet signed 
    • User Certificates” contains signed certificate for identity aka Identity Certificate 
    • Trusted Certificates”  contains certificates of Signing Authority (aka Certifying Authority – CA) . These certificate are also called as Trust Certificate or Root/Intermediate Certificate
    • By default when you create wallet , you get four CA certificate

    3. To add a trusted certificate to an Oracle wallet:

    orapki wallet add -wallet wallet_location -cert certificate_location -trusted_cert -auto_login_only
    4. To add a user certificate to an Oracle wallet:

    orapki wallet add -wallet wallet_location -cert certificate_location -user_cert -auto_login_only



    Note: In above wallet, you can see 1 User Certificate (Identity Certificate ) and 6 Trusted Certificate (Certifying Authority certificate)



    Related Posts for OID

    1. Oracle Internet Directory OID
    2. Oracle Internet Directory – Basics II
    3. OID to OID/Active Directory/iPlanet other LDAP Server Integration
    4. Multi Master OID Replication
    5. OID Architecture
    6. Oracle Internet Directory , OID Troubleshooting
    7. Server Chaining in OID
    8. OID Quesries/ Scripts FAQ
    9. OIDADMIN Client
    10. Oracle Identity Management (OID) 11g installation Issues on Linux
    11. OID 11g – Oracle Directory Services Manager (ODSM)
    12. DIP : Synchronization, Provisioing, Connectors, DSS in Oracle Directory Services (ODS) 11g
    13. OID Replication – Suppliers, Consumers, DRG, ASR/LDAP based replication
    14. ASR setup has failed – Error occurred while dropping database link : ORA-02084 : database name is missing a component while Configuring Multi Master OID replication using “remtool -asrsetup”
    15. OID 11g Down : Unable to Start OID 11g using OPMN (ODS schema locked ORA-28002)
    16. OID/Directory Services 11g – Schema, Object Class, Attributes
    17. OID 11g Distributed Install : DIP/ODSM (Java Component) & OID (LDAP/REPLD) on different machine
    18. OID Server Mode R, RW, RM: LDAP: error code 53 – Server currently in read only mode
    19. How to change OID 11g database schema (ODS) password
    20. How to add custom attribute, Object Classe in OID from command line or GUI
    21. Oracle Internet Directory (OID) and Real Application Cluster (RAC) database : Things you must know
    22. How to Update User Password in OID (single account or bulk) – command line or GUI
    23. Error starting OID 11g during configuration stage of OID installation on Windows Server “ProvisionException: Failed to start the component”
    24. How to delete Entries in OID 11g in Bulk – Delete Failed : Ldap Error Code 66 Not allowed on Non-Leaf
    25. How to find latest changelog number (or changes) in OID ?
    26. Context Initialization Error on running ldapsearch commands on OID Server
    27. How to find OID version and patches applied on OID Home ?
    28. How to change OID 11g LDAP/LDAPS listen port
    29. How to find/audit Failed Login Attempts in OID 11g
    30. Step by Step configuration of OID Multi Master Replication – LDAP based in OID 11g
    31. OID 11g LDAP based Multi Master replication : Configuration Entries you must know
    32. Configure SSL for Oracle Internet Directory (OID)
    33. How to backup Oracle Internet Directory (OID) 11g – Data : Full / Partial
    34. SSL / Wallets in OID/OHS : How to manage certificates in Wallet using command line ?? ORAPKI
    35. How to debug OID : LDAP Error code 50 – Insufficient Access Rights
    36. What Hashing Algorithm OID uses to store user Password : SSHA or MD5

    One Response to “SSL / Wallets in OID/OHS : How to manage certificates in Wallet using command line ?? ORAPKI”

    1. David Richardson says:

      This was already on my to-do list!

      Just in Time Support!

    Leave a Reply

  • K21 Technologies is among the most experienced Oracle Gold Partner for Identity Access Management service providers. We work with application development companies and in-house technology division to help achieve significant returns on their IT security investment. Our clientele includes some of the globally renowned corporate, which speaks of our expertise in our field.

    We have the most talented and experienced team that can swiftly deploy security solutions even in complex IT ecosystem. Our clients highly appreciate our timely implementation, interactive training, on-demand support and community resources.

    K21 Technologies
    8 Magnolia Place, Harrow,
    London, HA2 6DS

    UK: +44(0)7476444481
    USA: +1-888-414-1821

  • 2014, K21 Technologies. All rights reserved DMCA.com
  • TOP