Load an Oracle Wallet with certificates contained in a bundle file.
#!/bin/bash
# PURPOSE:
# Load an Oracle Wallet with certificates contained in a bundle file
# e.g. https://pki.goog/roots.pem
#
# NOTES:
# * Run as oracle
# * Assumes ORAENV is set
# * The wallet password is passed to orapki with -pwd, so it is visible in
#   the process list while orapki runs

echo -n "Bundle file: "
read -r BUNDLE_FILE
if [ ! -f "${BUNDLE_FILE}" ];
then
    echo "Please specify a valid file."
    exit 1
fi

echo -n "Wallet path: "
read -r WALLET_PATH
if [ -d "${WALLET_PATH}" ];
then
    echo "Wallet path exists"
    exit 1
fi

echo -n "Enter an Oracle Wallet password: "
read -rs WALLET_PWD
echo
echo -n "Enter the password again: "
read -rs WALLET_PWD_CONFIRM
echo
if [ -z "${WALLET_PWD}" ];
then
    echo "Password required."
    exit 1
fi
# Quote both sides so empty values or embedded spaces do not break the test
if [ "${WALLET_PWD}" != "${WALLET_PWD_CONFIRM}" ];
then
    echo "Passwords do not match."
    exit 1
fi

# Private, unpredictable working directory instead of a fixed path under /tmp;
# removed on exit, including the error paths.
WORKDIR=$(mktemp -d "${TMPDIR:-/tmp}/owbutil.XXXXXX") || exit 1
trap 'rm -rf "${WORKDIR}"' EXIT

# Split the bundle after each END CERTIFICATE line, one piece per file
csplit -f "${WORKDIR}/cert-" -b %02d.pem "${BUNDLE_FILE}" \
    '/-----END CERTIFICATE-----/1' '{*}'

orapki wallet create -wallet "${WALLET_PATH}" -pwd "${WALLET_PWD}"

for file in "${WORKDIR}"/*.pem
do
    # Only add pieces that contain a complete certificate block
    if grep -Pzoq -e "-----BEGIN CERTIFICATE-----(.|\\s)*-----END CERTIFICATE-----" "$file"
    then
        orapki wallet add -wallet "${WALLET_PATH}" -trusted_cert \
            -pwd "${WALLET_PWD}" -cert "$file"
    else
        echo "Skipping file $file"
    fi
done
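
Added example, not part of the gist: a pre-flight splitter that could run before the orapki loop. Because csplit cuts after each END line, text between certificates stays in the pieces; this version writes only complete BEGIN/END CERTIFICATE blocks and reports how many blocks never reached their END line. The names split_bundle and make_sample_bundle, the cert-NNN.pem naming and the sample bundle are assumptions made for illustration.

```shell
# Added example (not part of the gist): pre-flight split of a PEM bundle.
# split_bundle BUNDLE OUTDIR writes each complete BEGIN/END CERTIFICATE block
# to OUTDIR/cert-NNN.pem, ignores text outside blocks, drops blocks that never
# reach END, and prints "<complete> <incomplete>". Names are hypothetical.
split_bundle() {
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ {
            if (inside) bad++        # previous block had no END line
            inside = 1; block = ""
        }
        inside { block = block $0 "\n" }
        /^-----END CERTIFICATE-----/ && inside {
            out = sprintf("%s/cert-%03d.pem", dir, ++good)
            printf "%s", block > out
            close(out)
            inside = 0
        }
        END {
            if (inside) bad++        # bundle ended mid-certificate
            printf "%d %d\n", good, bad
        }
    ' "$1"
}

# Constructed sample: comment text, two complete blocks (placeholder base64,
# not real certificates) and a third block cut off before its END line.
make_sample_bundle() {
    cat > "$1" <<'EOF'
# Operating CA: Example (constructed)
-----BEGIN CERTIFICATE-----
QUFBQQ==
-----END CERTIFICATE-----

# Operating CA: Example 2 (constructed)
-----BEGIN CERTIFICATE-----
QkJCQg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q0ND
EOF
}

demo_dir=$(mktemp -d) || exit 1
make_sample_bundle "$demo_dir/bundle.pem"
split_bundle "$demo_dir/bundle.pem" "$demo_dir"    # prints: 2 1
rm -rf "$demo_dir"
```

A non-zero second number means the bundle was truncated or corrupted in transit and should be fetched again before anything is added to the wallet as a trusted certificate.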
RichardSoule commented Feb 8, 2019

Adrian,

This is excellent.

I might suggest creating the wallet by default in the following directory:

$ORACLE_BASE/admin/dbName/ssl_wallet

Of course, $ORACLE_BASE/admin/dbName should already exist in a normal installation, so the script should just create the ssl_wallet in that directory (the xdb_wallet directory, created during database creation, already exists at that level) for you. While you could allow the user to create the wallet location, there is a good chance they will make something that isn't as intuitive (or potentially, even put it into the Oracle Home) which, especially now that Oracle is going to create a new Oracle Home every year, isn't as 'safe' a location as it used to be.

An argument could even be made to put this wallet folder (ssl_wallet) directly into $ORACLE_BASE since it could be a 'universal ssl wallet' for all databases on the server, but I think it still makes sense to have an SSL wallet per database.
