Skip to content

Instantly share code, notes, and snippets.

@fuzziebrain
Last active September 27, 2023 13:22
Show Gist options
  • Save fuzziebrain/202f902d8fc6d8de586da5097a501047 to your computer and use it in GitHub Desktop.
Save fuzziebrain/202f902d8fc6d8de586da5097a501047 to your computer and use it in GitHub Desktop.
Load an Oracle Wallet with certificates contained in a bundle file.
#!/bin/bash
# PURPOSE:
# Load an Oracle Wallet with certificates contained in a bundle file
# e.g. https://pki.goog/roots.pem
#
# NOTES:
# * Run as oracle
# * Assumes ORAENV is set
TMPDIR=/tmp/owbutil
if [ -z "$BUNDLE_FILE" ]; then
echo -n "Bundle file: "
read BUNDLE_FILE
fi
if [ ! -f "${BUNDLE_FILE}" ];
then
echo Please specify a valid file.
exit -1
fi
if [ -z "$WALLET_PATH" ]; then
echo -n "Wallet path: "
read WALLET_PATH
fi
if [ -d "${WALLET_PATH}" ];
then
echo "Wallet path exists"
exit -1
fi
if [ -z "$WALLET_PWD" ]; then
echo -n "Enter an Oracle Wallet password: "
read -s WALLET_PWD
fi
if [ -z "$WALLET_PWD_CONFIRM" ]; then
echo -e
echo -n "Enter the password again: "
read -s WALLET_PWD_CONFIRM
fi
if [ -z "${WALLET_PWD}" ];
then
echo Password required.
exit -1
fi
if [ $WALLET_PWD != $WALLET_PWD_CONFIRM ];
then
echo Passwords do not match.
exit -1
fi
if [ ! -d ${TMPDIR} ];
then
mkdir -p ${TMPDIR}
fi;
csplit -f ${TMPDIR}/cert- -b %02d.pem ${BUNDLE_FILE} \
'/-----END CERTIFICATE-----/1' '{*}'
orapki wallet create -wallet ${WALLET_PATH} -pwd ${WALLET_PWD}
for file in `ls ${TMPDIR}/*.pem`
do
if grep -Pzoq -e "-----BEGIN CERTIFICATE-----(.|\\s)*-----END CERTIFICATE-----" $file
then
orapki wallet add -wallet ${WALLET_PATH} -trusted_cert \
-pwd ${WALLET_PWD} -cert $file
else
echo Skipping file $file
fi
done
rm -rf ${TMPDIR}
@RichardSoule
Copy link

Adrian,

This is excellent.

I might suggest creating the wallet by default in the following directory:

$ORACLE_BASE/admin/dbName/ssl_wallet

Of course, $ORACLE_BASE/admin/dbName should already exist in a normal installation, so the script should just create the ssl_wallet in that directory (the xdb_wallet directory, created during database creation, already exists at that level) for you. While you could allow the user to create the wallet location, there is a good chance they will make something that isn't as intuitive (or potentially, even put it into the Oracle Home) which, especially now that Oracle is going to create a new Oracle Home every year, isn't as 'safe' as a location as it used to be.

An argument could even be made to put this wallet folder (ssl_wallet) directly into $ORACLE_BASE since it could be a 'universal ssl wallet' for all databases on the server, but I think it still makes sense to have an SSL wallet per database.

@fuzziebrain
Copy link
Author

@RichardSoule Thanks for the feedback and sorry it took this long to reply. I have used the suggested path (with some tweaks) in this project/repo: https://github.com/fuzziebrain/docker-apex-stack

@jon-dixon
Copy link

Hi Adrian,
Firstly, thank you for the script; it is a big time saver.
As these are public certificates, couldn't you use the '-auto_login_only' option so we don't need to specify a password, e.g.
orapki wallet create -wallet ${WALLET_PATH} -auto_login_only
orapki wallet add -wallet ${WALLET_PATH} -trusted_cert
-cert $file -auto_login_only

@fuzziebrain
Copy link
Author

Hi Adrian, Firstly, thank you for the script; it is a big time saver. As these are public certificates, couldn't you use the '-auto_login_only' option so we don't need to specify a password, e.g. orapki wallet create -wallet ${WALLET_PATH} -auto_login_only orapki wallet add -wallet ${WALLET_PATH} -trusted_cert -cert $file -auto_login_only

Thanks Jon. I'll looking into an option to skip having a password. Thanks!

@RichardSoule
Copy link

I've updated my default TLS wallet location to tls_wallet instead of ssl_wallet (we stopped using SSL in the '90s).

When you use auto_login_only that means that wallet will only ever work on the machine it was created on. Why would we do that for a TLS wallet containing a list of public root-level certificates? Instead, use -auto_login instead of -auto_login_only

I'd also default the password to something very simple (oracle_4U for example) and just give people the command to update the password if they care.

While in the wallet directory, the following will change the password:

orapki wallet change_pwd -wallet . -oldpwd -newpwd

@jon-dixon
Copy link

Thanks for the info, Rich. I did not know that a no-password wallet would only work on the machine it was created on. My thinking of having a no-password wallet was indeed that the content was public and a password was not necessary.

@RichardSoule
Copy link

Jon, no there are two options for making the wallet readable without supplying a password:

-auto_login and -auto_login_only

-auto_login gives you the ability to read the wallet without a password and, if you copy the wallet to a new machine, it will still work.

-auto_login_only does the same read thing, but it will only work on the machine it was created on. If you copy it to a new machine, the saved password in the cwallet.sso will no longer work. You can generate a new cwallet.sso file but only if you know the password that was used to create the ewallet.p12 file.

@jon-dixon
Copy link

Ah, now I have it. Thanks again Rich.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment