How To: Generate the cwallet.sso file and Load SSL Certificates

Note: Please make sure that the Oracle Database you are connecting to is the same version as the Oracle installation on which you create the wallet for your Datical Oracle project.


  • For this tutorial, we are going to create cwallet.sso and add certificates for the following examples:
    1. AWS EC2 with Oracle Database (self-signed) certificate.
    2. Oracle RDS certificate.

Example 1: Connecting to an AWS EC2 instance with Oracle Database on Linux OS

Step-by-step guide

  1. Connect to your EC2 instance with the desired target database.

    1. For example: 
      ssh -i ~/.ssh/<ssh_key> <instance_name>.net
    2. Login to oracle, for example: 
      su - oracle
  2. Create a new folder and navigate into it, for example:
    1. mkdir myWallet
    2. cd myWallet
    Notes:
    • For this example we are going to use the orapki tool to create and modify our Oracle Wallet.  Here is some info about the orapki utility's wallet-related commands.
    • If you already have an existing cwallet.sso and you just need to add an additional certificate, please skip step #3 and continue to step #4.
  3. Run the following to create a cwallet.sso file.  This is where all your certificates will be stored.
    1. orapki wallet create -wallet wallet_location -auto_login [-pwd password]
    2. You should now notice a new file "cwallet.sso".
  4. Self-sign and Add certificate to cwallet.sso file.  Run the following:
    1. orapki wallet add -wallet <path/to/wallet> -dn 'CN=<instance name>,C=US' -keysize 2048 -self_signed -validity 3650
    2. Run the following to view and confirm certificates that are currently stored in cwallet.sso file.
    3. orapki wallet display -wallet .
      Here is a sample output showing the self-signed certificate "CN=xxx.yyy.net" you have just added:

      Oracle PKI Tool : Version 12.1.0.1
      Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.

      Requested Certificates:

      User Certificates:
      Subject:        CN=xxx.yyy.net,OU=,O=Datical Dev

      Trusted Certificates:
      Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
      Subject:        CN=xxx.yyy.net,OU=,O=Datical Dev
      Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
      Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
      Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
  5. Configure your Oracle listener with Oracle Wallet. 
    1. Edit the file listener.ora in the following path: $ORACLE_HOME/network/admin and set parameters for “LISTENER” and “WALLET_LOCATION” (see sample code below).
    2. For example: vi $ORACLE_HOME/network/admin/listener.ora

      USE_SID_AS_SERVICE_LISTENER=on
      LISTENER =
      (DESCRIPTION_LIST =
      (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
      (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = localhost)(PORT = 2484))
      )
      )
      
      WALLET_LOCATION =
      (SOURCE =
      (METHOD = FILE)
      (METHOD_DATA =
      (DIRECTORY = /home/oracle/myWallet)
      )
      )
      
      SSL_CLIENT_AUTHENTICATION=FALSE
    3. Save the file.

  6. To refresh the listener with the new information we have just updated in listener.ora run the following:

    1. lsnrctl stop
    2. lsnrctl start
    3. lsnrctl status - to check that the listener is running.  It takes a minute or two for the databases to re-register with the listener after it is restarted.

  7. To copy the cwallet.sso file to the machine where your Datical project is, open the command line from where your Datical project is and run the following (secure copy) command:
    1. scp -i ~/.ssh/<ssh_key> <instance_name>.net:/path/to/myWallet/cwallet.sso .

Example 2: Connecting to an AWS Oracle RDS instance

Step-by-step guide

  1. Login to Oracle with the same database version as your Oracle RDS instance Database version.

    1. For example: 

      su - oracle
    2. Create a new folder, for example:

      mkdir myWallet
    3. Navigate to myWallet. For example: 
      cd myWallet
  2. Download the appropriate SSL certificate.

    1. For an RDS instance, download the AWS SSL certificate from the AWS website, for example:

      1. You can run: wget https://s3.amazonaws.com/rds-downloads/rds-<cert_name>.pem
      2. Note: To find out which certificate you need, open your RDS instance in the AWS console and go to: your RDS settings -> Connectivity & security -> Security -> Certificate authority
      3. Please find the corresponding RDS SSL certificate in the following guidelines: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html


  3. Notes:
    • For this example we are going to use the orapki tool to create and modify our Oracle Wallet.  Here is some info about the orapki utility's wallet-related commands.
    • If you already have an existing cwallet.sso and you just need to add an additional certificate, please skip step #4 and continue to step #5.
  4. Run the following to create a cwallet.sso file.  This is where all your certificates will be stored.
    1. orapki wallet create -wallet wallet_location -auto_login [-pwd password]
    2. You should now notice a new file "cwallet.sso".
  5. Run the following to add the downloaded certificate to the wallet as a trusted certificate (the file name must match the one you downloaded in step #2):
    1. orapki wallet add -wallet . -trusted_cert -cert rds-<cert_name>.pem -auto_login_only

  6. Run the following to view and confirm certificates that are currently stored in cwallet.sso file.
    1. orapki wallet display -wallet .
      Here is a sample output showing the Amazon RDS certificate "CN=Amazon RDS Root CA" you have just added:

Oracle PKI Tool : Version 12.1.0.1
Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.

Trusted Certificates: 
Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        CN=Amazon RDS Root CA,OU=Amazon RDS,O=Amazon Web Services\, Inc.,L=Seattle,ST=Washington,C=US
Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

To copy the cwallet.sso file to the machine where your Datical project is, open the command line from where your Datical project is and run the following (secure copy) command:

scp -i ~/.ssh/<ssh_key> <instance_name>.net:/path/to/myWallet/cwallet.sso .
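The following script is an added example, not part of the original Datical page. It wraps the orapki steps of Examples 1 and 2 into reusable shell functions and adds the checks a practitioner wants before copying cwallet.sso anywhere: parsing the `orapki wallet display` output to confirm the expected Subject is actually in the trusted list, and parsing `lsnrctl status` output to confirm the TCPS endpoint came up after the listener restart. It assumes orapki and lsnrctl are on PATH ($ORACLE_HOME/bin); the wallet path, PEM file name and DN are placeholders. It also shows an alternative for Example 1: exporting only the self-signed certificate with `orapki wallet export` and loading that into a separate trust-only wallet on the Datical machine, so the server's private key stays in the server wallet instead of travelling with the copied cwallet.sso. The `-auto_login_only` flag is used throughout so no wallet password is needed; this is a choice of the example, not the page's exact command line.

```shell
#!/bin/sh
# Added example (not from the Datical page): wrapper around the orapki steps in
# Examples 1 and 2, plus checks on orapki/lsnrctl output. Assumes orapki and
# lsnrctl are on PATH; wallet dir, PEM name and DN are placeholders.
set -eu

# Create cwallet.sso only when the directory has none yet. -auto_login_only
# makes a password-less auto-login wallet (no ewallet.p12), which is all a
# client needs for a trust store.
create_wallet_if_missing() {
    dir="$1"
    if [ -f "$dir/cwallet.sso" ]; then
        echo "reusing existing wallet in $dir"
        return 0
    fi
    mkdir -p "$dir"
    orapki wallet create -wallet "$dir" -auto_login_only
}

# Example 2: add a CA certificate (e.g. the Amazon RDS root) as a trusted cert.
add_trusted_cert() {
    orapki wallet add -wallet "$1" -trusted_cert -cert "$2" -auto_login_only
}

# Example 1 variant: export only the self-signed certificate from the server
# wallet (arguments: wallet dir, DN, output file). Loading this file on the
# Datical machine with add_trusted_cert keeps the server's private key on
# the server instead of copying the whole server wallet.
export_server_cert() {
    orapki wallet export -wallet "$1" -dn "$2" -cert "$3"
}

# ---- checks on tool output; they read stdin so they run without Oracle ----

# Succeed if a "Subject:" line of `orapki wallet display` output contains $1.
# -F matches a fixed string, so the "\," escapes inside DNs need no quoting.
display_has_subject() {
    grep '^Subject:' | grep -qF -- "$1"
}

# Print the number of Subject lines under "Trusted Certificates:".
count_trusted_subjects() {
    awk '/^Trusted Certificates:/ { in_trusted = 1; next }
         /^(User|Requested) Certificates:/ { in_trusted = 0 }
         in_trusted && /^Subject:/ { n++ }
         END { print n + 0 }'
}

# Succeed if `lsnrctl status` output lists a TCPS endpoint (Example 1, step 6).
listener_has_tcps() {
    grep -qi 'PROTOCOL=tcps'
}

# Build a trust-only wallet and verify the expected subject is present.
# Usage: sh wallet.sh build /home/oracle/myWallet rds-ca-placeholder.pem 'CN=Amazon RDS Root CA'
build_and_verify() {
    dir="$1"; pem="$2"; expect="$3"
    create_wallet_if_missing "$dir"
    add_trusted_cert "$dir" "$pem"
    if orapki wallet display -wallet "$dir" | display_has_subject "$expect"; then
        echo "ok: $expect is trusted in $dir/cwallet.sso"
    else
        echo "error: $expect not found in $dir" >&2
        return 1
    fi
}

# Only run the procedure when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = "build" ]; then
    build_and_verify "${2:?wallet dir}" "${3:?certificate PEM}" "${4:?expected subject}"
fi
```

After `lsnrctl start` on the EC2 host, `lsnrctl status | listener_has_tcps && echo "TCPS up"` confirms the port 2484 endpoint from listener.ora is being served; on the Datical machine, `orapki wallet display -wallet . | display_has_subject 'CN=Amazon RDS Root CA'` is the same check the sample output above is read for, made scriptable.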



Copyright © Datical 2012-2020 - Proprietary and Confidential