JKS Keystore and Truststore

Oracle Fusion Middleware Administrator's Guide

manage it in Fusion Middleware Control you must first import it with either Fusion Middleware Control or the WLST importWallet command.

■ For Oracle Virtual Directory, if a keystore was created using keytool, in order to view or manage it in Fusion Middleware Control you must first import it with either Fusion Middleware Control or the WLST importKeyStore command.

Copying Keystores to File System Not Supported

Creating, renaming, or copying keystores directly to any directory on the file system is not supported. Any existing pre-11g keystore or wallet that you wish to use must be imported using either Fusion Middleware Control or the WLST utility.

Additional Information

Details about the tools are provided in these sections:
■ Command-Line Interface for Keystores and Wallets
■ JKS Keystore Management
■ Wallet Management
■ Appendix H, Oracle Wallet Manager and orapki

8.2 Command-Line Interface for Keystores and Wallets

Oracle Fusion Middleware provides a set of WLST scripts to create and manage JKS keystores and Oracle wallets, and to manipulate their stored objects.

How to Launch the WLST Command-Line Interface

When running SSL WLST commands, you must invoke the WLST script from the Oracle Common home. See Section 3.5.1.1 for more information. This brings up the WLST shell. Connect to a running Oracle WebLogic Server instance by specifying the user name, password, and connect URL. After connecting, you are ready to run SSL-related WLST commands as explained in the subsequent sections.

Note: All SSL-related WLST commands require you to launch the script from the above-mentioned location only.

8.3 JKS Keystore Management

This section describes the typical life cycle of keystores and certificates, and how to use Oracle Fusion Middleware tools to create and maintain keystores and certificates. It includes these topics:
■ About Keystores and Certificates
■ Managing the Keystore Life Cycle
■ Common Keystore Operations
■ Managing the Certificate Life Cycle
■ Common Certificate Operations
■ Keystore and Certificate Maintenance

8.3.1 About Keystores and Certificates

Keys and certificates are used to digitally sign and verify data and achieve authentication, integrity, and privacy in network communications. A Java keystore (JKS) is a protected database that holds keys and certificates for the organization. Oracle Fusion Middleware utilizes JKS keystores for Oracle Virtual Directory and for applications deployed in Oracle WebLogic Server. Access to a keystore requires a password, which is defined at the time the keystore is created by the person who creates the keystore, and which can only be changed by providing the current password. In addition, each private key in a keystore can be secured by its own password.

This section contains these topics:
■ Sharing Keystores Across Instances
■ Keystore Naming Conventions

8.3.1.1 Sharing Keystores Across Instances

Oracle recommends that you do not share keystores between component instances or Oracle instances, since each keystore represents a unique identity. The exception to this is an environment with a cluster of component instances, in which case keystore sharing would be an acceptable practice. Note that no management tools or interfaces are available to facilitate keystore sharing. However, you can export a keystore from one instance and import it into another instance.

8.3.1.2 Keystore Naming Conventions

Follow these naming conventions for your JKS keystores:
■ Do not use a name longer than 256 characters.
■ Do not use any of the following characters in a keystore name: | ; , \ ` ~ { } [ ] = + space tab
  Note: Observe this rule even if your operating system supports the character.
■ Do not use non-ASCII characters in a keystore name.
■ Additionally, follow the operating system-specific rules for directory and file names.

8.3.2 Managing the Keystore Life Cycle

Typical life cycle events for a JKS keystore are as follows:
■ The keystore is created. Keystores can be created directly, or by importing a keystore file from the file system.
■ The list of available keystores is viewed and specific keystores are selected for update.
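As an added example (not part of the guide or of WLST), the following Python check applies the keystore naming rules from Section 8.3.1.2 before a name is handed to a create or import command. The function names and the constructed sample names are assumptions; the operating-system file-name rules the section also refers to are not modelled.

```python
# Rules from Section 8.3.1.2: a maximum length, a fixed set of forbidden
# characters (including space and tab), and no non-ASCII characters.
MAX_KEYSTORE_NAME_LEN = 256
FORBIDDEN_CHARS = set('|;,\\`~{}[]=+ \t')


def check_keystore_name(name):
    """Return a list of rule violations for a proposed JKS keystore name.

    An empty list means the name passes every rule listed in the guide.
    OS-specific directory and file-name rules are not checked here.
    """
    problems = []
    if not name:
        problems.append("name is empty")
        return problems
    if len(name) > MAX_KEYSTORE_NAME_LEN:
        problems.append("longer than %d characters (%d)"
                        % (MAX_KEYSTORE_NAME_LEN, len(name)))
    bad = sorted({c for c in name if c in FORBIDDEN_CHARS})
    if bad:
        problems.append("forbidden characters: %s"
                        % ", ".join(repr(c) for c in bad))
    non_ascii = sorted({c for c in name if ord(c) > 127})
    if non_ascii:
        problems.append("non-ASCII characters: %s"
                        % ", ".join("%s (U+%04X)" % (c, ord(c)) for c in non_ascii))
    return problems


def is_valid_keystore_name(name):
    """True when the name satisfies all of the guide's naming rules."""
    return not check_keystore_name(name)


if __name__ == "__main__":
    # Constructed sample names (hypothetical), one per rule plus a clean one.
    samples = ["ovd_keystore.jks", "my keystore.jks", "ks;prod.jks",
               "schl\u00fcssel.jks", "k" * 300]
    for sample in samples:
        verdict = check_keystore_name(sample) or ["ok"]
        print("%-20r -> %s" % (sample[:20], "; ".join(verdict)))
```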