Gist: fuzziebrain/202f902d8fc6d8de586da5097a501047
```bash
#!/bin/bash
# PURPOSE:
#   Load an Oracle Wallet with certificates contained in a bundle file
#   e.g. https://pki.goog/roots.pem
#
# NOTES:
#   * Run as oracle
#   * Assumes ORAENV is set
#   * The password passed with -pwd is visible to other local users in
#     the process list for the duration of each orapki call
set -eu

# Private scratch directory: mktemp avoids a predictable /tmp path that
# another local user could pre-create or symlink before the rm -rf below
WORK_DIR=$(mktemp -d)
trap 'rm -rf "${WORK_DIR}"' EXIT

if [ -z "${BUNDLE_FILE:-}" ]; then
  echo -n "Bundle file: "
  read -r BUNDLE_FILE
fi
if [ ! -f "${BUNDLE_FILE}" ]; then
  echo "Please specify a valid file."
  exit 1
fi

if [ -z "${WALLET_PATH:-}" ]; then
  echo -n "Wallet path: "
  read -r WALLET_PATH
fi
if [ -d "${WALLET_PATH}" ]; then
  echo "Wallet path exists"
  exit 1
fi

if [ -z "${WALLET_PWD:-}" ]; then
  echo -n "Enter an Oracle Wallet password: "
  read -rs WALLET_PWD
  echo
fi
if [ -z "${WALLET_PWD_CONFIRM:-}" ]; then
  echo -n "Enter the password again: "
  read -rs WALLET_PWD_CONFIRM
  echo
fi
if [ -z "${WALLET_PWD}" ]; then
  echo "Password required."
  exit 1
fi
# Quoted so that an empty value or a space in the password cannot break
# the comparison (the unquoted form failed with a syntax error instead)
if [ "${WALLET_PWD}" != "${WALLET_PWD_CONFIRM}" ]; then
  echo "Passwords do not match."
  exit 1
fi

# Split the bundle into one file per certificate: each piece ends right
# after an END CERTIFICATE line; whatever follows the last certificate
# lands in a final fragment that the grep check below skips
csplit -f "${WORK_DIR}/cert-" -b %02d.pem "${BUNDLE_FILE}" \
  '/-----END CERTIFICATE-----/1' '{*}'

orapki wallet create -wallet "${WALLET_PATH}" -pwd "${WALLET_PWD}"

for file in "${WORK_DIR}"/*.pem; do
  # Only load pieces that contain a complete PEM certificate block
  if grep -Pzoq -e "-----BEGIN CERTIFICATE-----(.|\\s)*-----END CERTIFICATE-----" "${file}"; then
    orapki wallet add -wallet "${WALLET_PATH}" -trusted_cert \
      -pwd "${WALLET_PWD}" -cert "${file}"
  else
    echo "Skipping file ${file}"
  fi
done
```
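An added example, not part of the gist: the bundle-splitting step written with awk instead of csplit, so that only the lines between a BEGIN and an END marker are written out and the comment lines found between certificates in bundles such as pki.goog/roots.pem, as well as any trailing text, never reach orapki. The sample bundle is constructed with placeholder bodies, the function names are my own, and the orapki load step is left out.

```bash
# Added example, not the gist's code: awk-based PEM bundle splitter that
# writes one file per BEGIN/END block and ignores everything else.
set -eu

# Constructed sample bundle with placeholder bodies (not real certificates);
# the "# Operating CA:" lines mimic the comments found in pki.goog/roots.pem.
BUNDLE=$(mktemp)
cat > "${BUNDLE}" <<'EOF'
# Operating CA: Example Root A (constructed)
-----BEGIN CERTIFICATE-----
QUJDREVGR0hJSktMTU5PUA==
-----END CERTIFICATE-----
# Operating CA: Example Root B (constructed)
-----BEGIN CERTIFICATE-----
UVJTVFVWV1hZWg==
-----END CERTIFICATE-----
trailing text that csplit would leave in a stray file
EOF

# split_bundle BUNDLE OUTDIR: writes OUTDIR/cert-NN.pem per certificate
# and prints the number of certificates written.
split_bundle() {
  local bundle="$1" outdir="$2"
  mkdir -p "${outdir}"
  awk -v outdir="${outdir}" '
    /^-----BEGIN CERTIFICATE-----/ {
      n++; out = sprintf("%s/cert-%02d.pem", outdir, n); inside = 1
    }
    inside { print > out }
    /^-----END CERTIFICATE-----/ { inside = 0; close(out) }
    END { print n + 0 }
  ' "${bundle}"
}

# cert_count OUTDIR: number of files holding a complete certificate block,
# the same check the gist makes with grep -Pz, done without -P.
cert_count() {
  local f count=0
  for f in "$1"/cert-*.pem; do
    if grep -q '^-----BEGIN CERTIFICATE-----' "${f}" &&
       grep -q '^-----END CERTIFICATE-----' "${f}"; then
      count=$((count + 1))
    fi
  done
  echo "${count}"
}

OUTDIR=$(mktemp -d)
echo "certificates written to ${OUTDIR}: $(split_bundle "${BUNDLE}" "${OUTDIR}")"
```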
@RichardSoule Thanks for the feedback and sorry it took this long to reply. I have used the suggested path (with some tweaks) in this project/repo: https://github.com/fuzziebrain/docker-apex-stack
Hi Adrian,
Firstly, thank you for the script; it is a big time saver.
As these are public certificates, couldn't you use the '-auto_login_only' option so we don't need to specify a password, e.g.

```bash
orapki wallet create -wallet ${WALLET_PATH} -auto_login_only
orapki wallet add -wallet ${WALLET_PATH} -trusted_cert \
  -cert $file -auto_login_only
```
Thanks Jon. I'll look into an option to skip having a password. Thanks!
I've updated my default TLS wallet location to tls_wallet instead of ssl_wallet (we stopped using SSL in the '90s).
When you use auto_login_only that means that wallet will only ever work on the machine it was created on. Why would we do that for a TLS wallet containing a list of public root-level certificates? Instead, use -auto_login instead of -auto_login_only
I'd also default the password to something very simple (oracle_4U for example) and just give people the command to update the password if they care.
While in the wallet directory, the following will change the password:

```bash
orapki wallet change_pwd -wallet . -oldpwd -newpwd
```
Thanks for the info, Rich. I did not know that a no-password wallet would only work on the machine it was created on. My thinking of having a no-password wallet was indeed that the content was public and a password was not necessary.
Jon, no, there are two options for making the wallet readable without supplying a password:
-auto_login and -auto_login_only
-auto_login gives you the ability to read the wallet without a password and, if you copy the wallet to a new machine, it will still work.
-auto_login_only does the same read thing, but it will only work on the machine it was created on. If you copy it to a new machine, the saved password in the cwallet.sso will no longer work. You can generate a new cwallet.sso file but only if you know the password that was used to create the ewallet.p12 file.
Ah, now I have it. Thanks again Rich.
Adrian,
This is excellent.
I might suggest creating the wallet by default in the following directory:
`$ORACLE_BASE/admin/dbName/ssl_wallet`
Of course, $ORACLE_BASE/admin/dbName should already exist in a normal installation, so the script should just create the ssl_wallet in that directory (the xdb_wallet directory, created during database creation, already exists at that level) for you. While you could allow the user to create the wallet location, there is a good chance they will make something that isn't as intuitive (or potentially, even put it into the Oracle Home) which, especially now that Oracle is going to create a new Oracle Home every year, isn't as 'safe' a location as it used to be.
An argument could even be made to put this wallet folder (ssl_wallet) directly into $ORACLE_BASE since it could be a 'universal ssl wallet' for all databases on the server, but I think it still makes sense to have an SSL wallet per database.