How to create the Oracle DB server Wallet

In this document, you’ll find a step-by-step guide on how to create an Oracle DB wallet.

It’ll take seven steps to configure the Oracle database so that it be accessible via Database proxy in senhasegura, this document is the first step.

Requirements

• Oracle DB Server configured the minimum version is 19.0.0.0.0
• Server with ORAPKI installed to create Wallets.
• Connectivity of the user's workstation with senhasegura on ports 1521 and 2484.
• Certificate authority (CA) for signing Oracle DB certificates and the database credential.
• Database client installed.
  • Dbeaver, minimum version: 23.1.0
  • SQLPlus, minimum version: 21.0.0.0.0
  • SQL Developer, minimum version: 23.1.0.097
• Don’t have filters enabled for the certificate.

Create an Oracle wallet

The first wallet to be created is that of the Oracle server. This wallet is necessary to validate the certificate related to the managed credential. For this reason, it’s necessary that both are signed by the same CA.

The CA that will be used can be either a senhasegura internal CA, which is present in the DB Proxy configuration files, or an internal client CA. It’s crucial that the same CA is used for signing the Oracle certificate as for the credentials.

Replace the strings presented in this table with the corresponding values:

Create the CA that will be used to sign Oracle certificates and credentials

Run the following command to create the CA:

oracle$ openssl genrsa -out <THAT>.key 4096
oracle$ openssl req -new -x509 -days 1826 -key <CA>.key -subj '/C=BR/OU=Class 2 Public Primary Certification Authority/O=VeriSign' -out <CA>.crt

Generate the server key and certificate from OracleDB server

Run the following command to generate the key and certificate from server:

oracle$ openssl genrsa -out <ORACLE_SERVER>.key 4096
oracle$ openssl req -new -key <ORACLE_SERVER>.key -out <ORACLE_SERVER>.csr -subj '/CN=<ORACLE_SERVER>'
oracle$ openssl x509 -req -days 730 -in <ORACLE_SERVER>.csr -CA <CA>.crt -CAkey <CA>.key -set_serial 01 -out <ORACLE_SERVER>.crt

Convert Oracle DB certificate to pkcs12 format

Run the following command to convert the created certificate to pkcs12 format:

oracle$ openssl pkcs12 -export -out <ORACLE_SERVER>.p12 -inkey <ORACLE_SERVER>.key -in <ORACLE_SERVER>.crt -chain -CAfile <CA>.crt -passout pass:<ORACLE_CERT_PASS>

Create the Wallet OracleDB server and import the .p12 certificate into the created wallet

Replace the strings presented in this table with the corresponding values:

Run the following command to create a new wallet:

oracle$ orapki wallet create -wallet "<ORACLE_WALLET_DIR>" -pwd <ORACLE_WALLET_PASS> -auto_login
oracle$ orapki wallet import_pkcs12 -pkcs12file <ORACLE_SERVER>.p12 -pkcs12pwd <ORACLE_CERT_PASS> -wallet "<ORACLE_WALLET_DIR>" -pwd <ORACLE_WALLET_PASS>

Finishing the first step of configuring Oracle for use via Database Proxy, access the document How to generate the database credential’s certificate and key to perform the second part and continue the configuration.

Do you still have questions? Reach out to the senhasegura Community.