Example: Downloading the CA Certificate for SSL Clients

7-14 Oracle Fusion Middleware Administrator's Guide

What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Redwood Shores
Organization Name (eg, company) [Some-Organization Pty Ltd]:Example
Organizational Unit Name (eg, section) []:OAM
Common Name (eg, hostName.domainName.com) []:adc123.example.com
Email Address []:
writing RSA key
Your certificate request is in file : /scratch/install/OAM10cwg/access/oblix/config/aaa_req.pem
Please get your certificate request signed by the Certificate Authority
On obtaining your certificate, please place your certificate in /scratch/install/OAM10cwg/access/oblix/config/aaa_cert.pem file and Access Server's CA certificate in /scratch/install/OAM10cwg/access/oblix/config/aaa_chain.pem file
Once you have your certificate placed at the above mentioned location, please run /scratch/install/OAM10cwg/access/oblix/tools/configureWebGate/configureWebGate program
More Information on setting up Web Gate in Certificate mode can be obtained from the Setup Installation Guide
Press enter key to continue ...
Now we will sign the certificate request using CA cert.
Enter the CA wallet password:
Certificate request aaa_req.pem has been converted to orapki acceptable format in /scratch/install/WT/Oracle_WT1/rootCA/WEBGATE
The certificate has been signed by the root CA
WebGate certificate have been installed into WebGate config directory.
Testing connection to AAA Server ...
Make sure AAA Server is up and running.
Preparing to connect to Access Server. Please wait.
Web Gate installed Successfully.
Restarting OHS ...
Do you want to restart your OHS webserver? [y/n] y
Enter ORACLE_HOME for your OHS webtier install [e.g. /scratch/aime/WT/Oracle_WT1]: /scratch/install/WT/Oracle_WT1
Enter ORACLE_INSTANCE for your OHS webtier instance [e.g. /scratch/aime/WT/Oracle_WT1/instances/instance1]: /scratch/install/WT/Oracle_WT1/instances/instance1
Enter OHS component id [ohs1]:
OHS instance has been started/restarted
Your 10g WebGate has been setup successfully in cert mode.

8 Managing Keystores, Wallets, and Certificates

This chapter explains how to use Oracle Fusion Middleware security features to administer keystores, wallets, and certificates. It contains these sections:
■ Key and Certificate Storage in Oracle Fusion Middleware
■ Command-Line Interface for Keystores and Wallets
■ JKS Keystore Management
■ Wallet Management

8.1 Key and Certificate Storage in Oracle Fusion Middleware

Private keys, digital certificates, and trusted CA certificates are stored in keystores. This section describes the keystores available in Oracle Fusion Middleware and contains these topics:
■ Types of Keystores
■ Keystore Management Tools

8.1.1 Types of Keystores

Oracle Fusion Middleware provides two types of keystores for keys and certificates:
■ JKS Keystore and Truststore
■ Oracle Wallet

8.1.1.1 JKS Keystore and Truststore

A JKS keystore is the default JDK implementation of Java keystores, provided by Sun Microsystems. In 11g Release 1 (11.1.1), all Java components and Java EE applications use the JKS-based keystore and truststore. You use a JKS-based keystore for the following:
■ Oracle Virtual Directory
■ Applications deployed on Oracle WebLogic Server, including:
– Oracle SOA Suite
– Oracle WebCenter

In Oracle Fusion Middleware, you can use graphical user interface or command-line tools to create, import, export, and delete a Java keystore and the certificates contained in the keystore. See Section 8.1.2, Keystore Management Tools, for details.

When creating a keystore, you can pre-populate it with a keypair wrapped in a self-signed certificate. Such a keystore is typically used in development and testing, because no client trusts a self-signed certificate unless that certificate is explicitly imported into the client's truststore. The other choice is to generate a certificate signing request (CSR) for the keypair and have a Certificate Authority (CA) sign it. When the CA returns the signed certificate, you import it into the keystore under the same alias as the key; the keystore then holds a certificate that clients accept because it chains to a CA they already trust. Such a keystore is typically used in production environments. Keystores are always password-protected.

8.1.1.2 Oracle Wallet

An Oracle wallet is a container that stores your credentials, such as certificates, trusted certificates, certificate requests, and private keys. You can store Oracle wallets on the file system or in LDAP directories such as Oracle Internet Directory. Oracle wallets can be auto-login or password-protected wallets. You use an Oracle wallet for the following components:
■ Oracle HTTP Server
■ Oracle Web Cache
■ Oracle Internet Directory

In Oracle Fusion Middleware, you can use graphical user interface or command-line tools to create, import, export, and delete a wallet and the certificates contained in the wallet. See Section 8.1.2, Keystore Management Tools, for details.

When creating a wallet, you can pre-populate it with a self-signed certificate; such a wallet is called a test wallet and is typically used in development and testing phases. The other choice is to create a certificate request, so that you can request a signed certificate back from a Certificate Authority (CA). Once the CA sends the certificate back, it is imported into the wallet; such a wallet is called a third-party wallet. Either the test wallet or the third-party wallet may be password-protected, or may be configured to not require a password, in which case it is called an auto-login wallet. An auto-login wallet can be opened by any process that can read the wallet file, so file-system permissions on the wallet directory are the only control protecting the private key in that case.

8.1.2 Keystore Management Tools

Oracle Fusion Middleware provides these options for keystore operations:
■ WLST, a command-line interface for JKS keystores and wallets
■ orapki, a command-line tool for wallets
■ Fusion Middleware Control, a graphical user interface
■ Oracle Wallet Manager, a stand-alone graphical user interface for wallets, recommended for managing PKCS#11 wallets

This table shows the type of keystore used by each component, and the tools available to manage the keystore:

Component/Application | Type of Keystore | Tasks | Tool
Oracle HTTP Server, Oracle Web Cache, Oracle Internet Directory | Oracle Wallet | Create Wallet, Create Certificate Request, Delete Wallet, Import Certificate, Export Certificate, Enable SSL | Fusion Middleware Control, WLST. Oracle Wallet Manager and orapki for PKCS#11 or Hardware Security Module (HSM)-based wallets, and for environments where Fusion Middleware Control and WLST are not available, such as a stand-alone upgrade of these components without a domain.
Oracle Virtual Directory | JKS-based Keystore | Create KeyStore, Create Certificate Request, Delete KeyStore, Import Certificate, Export Certificate, Enable SSL | Fusion Middleware Control, WLST
Oracle SOA Suite | JKS-based Keystore | All keystore operations | JDK keytool
Oracle WebCenter | JKS-based Keystore | All keystore operations | JDK keytool
Oracle WebLogic Server | JKS-based Keystore | All keystore operations | JDK keytool
Oracle WebLogic Server | JKS-based Keystore | Enable SSL | Oracle WebLogic Server Administration Console
All Java EE applications (for example Oracle Directory Integration Platform, Oracle Directory Services Manager) | JKS-based Keystore | All keystore operations | JDK keytool

See Also: For details about using keytool, see Oracle Fusion Middleware Securing Oracle WebLogic Server.

Note: Pre-11g wallets (10g Release 10.1.2 and 10.1.3 formats) are supported in 11g Release 1 (11.1.1).

About Importing DER-encoded Certificates
You cannot use Fusion Middleware Control or the WLST command-line tool to import DER-encoded certificates or trusted certificates into an Oracle wallet or a JKS keystore. Use these tools instead:
■ To import DER-encoded certificates or trusted certificates into an Oracle wallet, use:
– Oracle Wallet Manager, or
– the orapki command-line tool
■ To import DER-encoded certificates or trusted certificates into a JKS keystore, use the keytool utility.

Using a Keystore Not Created with WLST or Fusion Middleware Control
If an Oracle wallet or JKS keystore was created with tools such as orapki or keytool, it must be imported prior to use. Specifically:
■ For Oracle HTTP Server, Oracle Web Cache, and Oracle Internet Directory, if a wallet was created using orapki or Oracle Wallet Manager, in order to view or manage it in Fusion Middleware Control you must first import it with either Fusion Middleware Control or the WLST importWallet command.
■ For Oracle Virtual Directory, if a keystore was created using keytool, in order to view or manage it in Fusion Middleware Control you must first import it with either Fusion Middleware Control or the WLST importKeyStore command.

Copying Keystores to File System Not Supported
Creating, renaming, or copying keystores directly to any directory on the file system is not supported. Any existing pre-11g keystore or wallet that you wish to use must be imported using either Fusion Middleware Control or the WLST utility.

Additional Information
Details about the tools are provided in these sections:
■ Command-Line Interface for Keystores and Wallets
■ JKS Keystore Management
■ Wallet Management
■ Appendix H, Oracle Wallet Manager and orapki

8.2 Command-Line Interface for Keystores and Wallets

Oracle Fusion Middleware provides a set of WLST commands to create and manage JKS keystores and Oracle wallets, and to manipulate the objects stored in them.

How to Launch the WLST Command-Line Interface
When running SSL-related WLST commands, you must invoke the WLST script from the Oracle Common home; see Section 3.5.1.1 for the location. This brings up the WLST shell. Connect to a running Oracle WebLogic Server instance by specifying the user name, password, and connect URL. After connecting, you are ready to run the SSL-related WLST commands explained in the subsequent sections.

8.3 JKS Keystore Management

This section describes the typical life cycle of keystores and certificates, and how to use Oracle Fusion Middleware tools to create and maintain keystores and certificates. It includes these topics:
■ About Keystores and Certificates
■ Managing the Keystore Life Cycle
■ Common Keystore Operations
■ Managing the Certificate Life Cycle
■ Common Certificate Operations
■ Keystore and Certificate Maintenance

Note: All SSL-related WLST commands require you to launch the WLST script from the Oracle Common home, as described in Section 8.2; they are not available from a WLST shell started elsewhere.