Replacing Expiring Certificates Keystore and Certificate Maintenance

Managing Keystores, Wallets, and Certificates 8-21

Every time a password-protected wallet is created, an auto-login wallet is generated automatically alongside it. This system-generated auto-login wallet is different from the user-created auto-login wallet described in the previous bullet. A user-created auto-login wallet can be updated at configuration time without a password, whereas the system-generated auto-login wallet is read-only and cannot be updated directly. Any change must be made through the password-protected wallet by supplying its password; the auto-login wallet is then regenerated from it. The purpose of this arrangement is to give services and applications PKI-based access without a password at runtime, while still requiring the password for every change at configuration time. Because the auto-login wallet can be opened without a password, the operating-system permissions on its file are its only protection: restrict it to the account that runs the component.

8.4.1.2 Self-Signed and Third-Party Wallets

Self-signed wallets contain certificates for which the issuer is the same as the subject. These wallets are typically created for use within an intranet environment where trust is not a high priority. Each self-signed wallet has its own unique issuer; hence, in an environment with multiple components and wallets, the trust management tasks increase n-fold, because every client must be configured to trust each issuer separately. When created through Fusion Middleware Control, a self-signed wallet is valid for five years.

Third-party wallets contain certificates that are issued by well-known CAs. The functionality and security remain the same as for self-signed wallets, but the use of third-party certificates provides added trust because the issuers are well known, so they are already trusted by most clients.

Difference Between Self-Signed and Third-Party Wallets

From a functional and security perspective, a self-signed certificate is comparable to one issued by a third party. The only difference is that a self-signed certificate is not trusted by default: each client must be configured to trust that wallet's certificate explicitly, whereas a certificate from a well-known CA chains to an issuer most clients already trust.

8.4.1.3 Sharing Wallets Across Instances

Oracle recommends that you do not share wallets between component instances or Oracle instances, because each wallet represents a unique identity. The exception is a cluster of component instances, whose members present the same identity; there, sharing a wallet is acceptable practice. Note that no management tools or interfaces are available specifically to facilitate wallet sharing. You can, however, export a wallet from one instance and import it into another instance.

8.4.1.4 Wallet Naming Conventions

Follow these naming conventions for your Oracle wallets:

■ Do not use a name longer than 256 characters.

■ Do not use any of the following characters in a wallet name: | ; , \ ` ~ { } [ ] = + space tab

Note: Observe this rule even if your operating system supports the character.

■ Do not use non-ASCII characters in a wallet name.

■ Additionally, follow the operating system-specific rules for directory and file names.

Due to the way data is handled in an LDAP directory such as Oracle Internet Directory, wallet names are not case-sensitive. Thus, it is recommended that you choose wallet names that do not rely on case, preferably using all lower-case letters. For example, if you have created a wallet named UPPER, do not create another wallet named upper; doing so could cause confusion during wallet management operations.
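The naming rules above are easy to violate from a script or provisioning tool, and the case-insensitivity rule in particular is only caught when a second wallet already exists. The following checker is an added example, not code from the Oracle Fusion Middleware product or its documentation; it encodes the length, forbidden-character, ASCII and case rules from this section and reports a case-insensitive collision against a caller-supplied list of existing wallet names. The function names, the error wording and the sample names are the author's own; the operating system-specific file-name rules are not enforced here, because they differ per platform.

```python
"""Validate proposed Oracle wallet names against the naming rules above.

Added example; not part of the Oracle documentation or product. Function
names and messages are assumptions of this example.
"""

MAX_WALLET_NAME_LEN = 256

# Characters the guide forbids in a wallet name: | ; , \ ` ~ { } [ ] = + space tab
FORBIDDEN_CHARS = frozenset('|;,\\`~{}[]=+ \t')


def check_wallet_name(name, existing_names=()):
    """Check one proposed wallet name.

    Returns (errors, warnings). Errors are rule violations that must be fixed;
    warnings are deviations from the guide's recommendations. An empty errors
    list means the name is acceptable. existing_names are the wallet names
    already present in the same store; the comparison against them is
    case-insensitive because an LDAP directory such as Oracle Internet
    Directory does not distinguish case in wallet names.
    """
    errors, warnings = [], []
    if not name:
        return ["name is empty"], warnings

    if len(name) > MAX_WALLET_NAME_LEN:
        errors.append("%d characters long; the limit is %d"
                      % (len(name), MAX_WALLET_NAME_LEN))

    bad = sorted(set(name) & FORBIDDEN_CHARS)
    if bad:
        errors.append("contains forbidden character(s): "
                      + " ".join(repr(c) for c in bad))

    if not all(ord(c) < 128 for c in name):
        errors.append("contains non-ASCII character(s)")

    # An exact duplicate and a case-variant duplicate are the same problem,
    # since the directory stores the name case-insensitively.
    clashes = [e for e in existing_names if e.lower() == name.lower()]
    if clashes:
        errors.append("collides (case-insensitively) with existing wallet(s): "
                      + ", ".join(clashes))

    if name != name.lower():
        warnings.append("contains upper-case letters; all lower case is recommended")

    return errors, warnings


def is_acceptable(name, existing_names=()):
    """True when the name violates none of the hard rules."""
    return not check_wallet_name(name, existing_names)[0]


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    existing = ["UPPER", "ohs-prod"]
    for candidate in ["ohs-wallet", "upper", "my wallet;1", "Caf\u00e9", "a" * 300]:
        errs, warns = check_wallet_name(candidate, existing)
        verdict = "OK" if not errs else "REJECT"
        print("%-12r %s" % (candidate[:12], verdict))
        for msg in errs:
            print("    error:   " + msg)
        for msg in warns:
            print("    warning: " + msg)
```

Run the check before calling the create or import operation so a rejected name never reaches the directory; the collision check is the one that cannot be done by looking at the name alone, which is why the function takes the list of existing wallets as input.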

8.4.2 Accessing the Wallet Management Page in Fusion Middleware Control

An Oracle wallet is associated with the component where it is utilized. To locate a component instance:

1. Log in to Fusion Middleware Control using administrator credentials.

2. Select the domain of interest.

3. From the navigation pane, locate the instance (for example, an OHS instance) that will use the wallet. Click the instance. The component type now appears on the upper left of the page, adjacent to the Farm drop-down.

4. Select the component type drop-down (for example, Oracle HTTP Server). If the component is not started, start it by right-clicking to open the component menu, then choosing Control, then Start Up.

5. Navigate to Security, then Wallets.

6. The Wallets page appears. On the Wallets page, you can:

■ Create a wallet.

■ Delete a wallet.

■ Import a wallet.

■ Export a wallet.

8.4.3 Managing the Wallet Life Cycle

Typical life cycle events for an Oracle wallet are as follows:

■ The wallet is created. Wallets can be created directly, or by importing a wallet file from the file system.

■ The list of available wallets is viewed and specific wallets are selected for update.

■ Wallets are updated or deleted. Update operations for password-protected wallets require that the wallet password be entered.

■ The wallet password can be changed for password-protected wallets.

Note: You can use Setup to discover a specific Oracle WebLogic Server domain to work with.