Load an Oracle Wallet with certificates contained in a bundle file.
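#!/bin/bash
# PURPOSE:
#   Load an Oracle Wallet with certificates contained in a bundle file
#   e.g. https://pki.goog/roots.pem
#
# NOTES:
#   * Run as oracle
#   * Assumes ORAENV is set
#   * -pwd puts the wallet password on the orapki command line, where it can
#     be visible to other local users in the process list while orapki runs

# Prompt for any value that was not supplied through the environment.
if [ -z "${BUNDLE_FILE}" ]; then
  echo -n "Bundle file: "
  read -r BUNDLE_FILE
fi

if [ ! -f "${BUNDLE_FILE}" ]; then
  echo "Please specify a valid file."
  exit 1
fi

if [ -z "${WALLET_PATH}" ]; then
  echo -n "Wallet path: "
  read -r WALLET_PATH
fi

# Refuse to touch an existing wallet directory.
if [ -d "${WALLET_PATH}" ]; then
  echo "Wallet path exists"
  exit 1
fi

if [ -z "${WALLET_PWD}" ]; then
  echo -n "Enter an Oracle Wallet password: "
  read -rs WALLET_PWD
fi

if [ -z "${WALLET_PWD_CONFIRM}" ]; then
  echo
  echo -n "Enter the password again: "
  read -rs WALLET_PWD_CONFIRM
fi

if [ -z "${WALLET_PWD}" ]; then
  echo "Password required."
  exit 1
fi

# Quoted so that passwords containing spaces or glob characters compare correctly.
if [ "${WALLET_PWD}" != "${WALLET_PWD_CONFIRM}" ]; then
  echo "Passwords do not match."
  exit 1
fi

# Private, unpredictable work directory (mode 0700). A fixed path such as
# /tmp/owbutil could be pre-created by another local user and seeded with
# .pem files that the loop below would then load as trusted certificates.
WORK_DIR=$(mktemp -d) || exit 1
trap 'rm -rf "${WORK_DIR}"' EXIT

# Split the bundle after every END CERTIFICATE line: one file per certificate.
csplit -f "${WORK_DIR}/cert-" -b %02d.pem "${BUNDLE_FILE}" \
  '/-----END CERTIFICATE-----/+1' '{*}'

orapki wallet create -wallet "${WALLET_PATH}" -pwd "${WALLET_PWD}"

for file in "${WORK_DIR}"/*.pem
do
  [ -e "${file}" ] || continue
  # Only add files that contain a complete certificate block.
  if grep -Pzoq -e "-----BEGIN CERTIFICATE-----(.|\\s)*-----END CERTIFICATE-----" "${file}"
  then
    orapki wallet add -wallet "${WALLET_PATH}" -trusted_cert \
      -pwd "${WALLET_PWD}" -cert "${file}"
  else
    echo "Skipping file ${file}"
  fi
done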
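
The bundle-splitting step in the script above, as an added example that is not part of the original gist: an awk-based splitter that keeps only complete certificate blocks, so comment lines and a truncated entry never reach `orapki wallet add`. The function names `split_pem_bundle` and `make_sample_bundle` and the sample bundle are constructed for illustration.

```shell
#!/bin/bash
# Added example (not the gist author's code); names and layout are assumptions.
# split_pem_bundle BUNDLE OUTDIR
# Writes OUTDIR/cert-NNN.pem for each complete BEGIN/END CERTIFICATE block and
# prints how many were written. Text between blocks and a block that is cut off
# before its END line are dropped. CRLF line endings are normalised.
split_pem_bundle() {
  local bundle="$1" outdir="$2"
  [ -f "$bundle" ] && [ -d "$outdir" ] || return 1
  awk -v dir="$outdir" '
    { sub(/\r$/, "") }
    /^-----BEGIN CERTIFICATE-----/ { buf = $0 "\n"; inside = 1; next }
    inside && /^-----END CERTIFICATE-----/ {
      file = sprintf("%s/cert-%03d.pem", dir, ++n)
      printf "%s%s\n", buf, $0 > file
      close(file)
      inside = 0; next
    }
    inside { buf = buf $0 "\n" }
    END { print n + 0 }
  ' "$bundle"
}

# Constructed sample: two complete blocks, comment lines, one truncated block.
make_sample_bundle() {
  cat > "$1" <<'EOF'
# Root A (constructed placeholder, not a real certificate)
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQQ==
-----END CERTIFICATE-----

# Truncated entry (no END line)
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtWA==
# Root B (constructed placeholder)
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQg==
-----END CERTIFICATE-----
EOF
}

work=$(mktemp -d) || exit 1     # private 0700 directory, not a fixed /tmp path
trap 'rm -rf "$work"' EXIT
make_sample_bundle "$work/bundle.pem"
mkdir "$work/certs"
echo "certificates found: $(split_pem_bundle "$work/bundle.pem" "$work/certs")"
```

Comparing the printed count with the number of roots the bundle publisher lists is a quick check before any file is added to the wallet.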
@RichardSoule

commented Feb 8, 2019

Adrian,

This is excellent.

I might suggest creating the wallet by default in the following directory:

$ORACLE_BASE/admin/dbName/ssl_wallet

Of course, $ORACLE_BASE/admin/dbName should already exist in a normal installation, so the script should just create the ssl_wallet in that directory (the xdb_wallet directory, created during database creation, already exists at that level) for you. While you could allow the user to create the wallet location, there is a good chance they will make something that isn't as intuitive (or potentially, even put it into the Oracle Home) which, especially now that Oracle is going to create a new Oracle Home every year, isn't as 'safe' a location as it used to be.

An argument could even be made to put this wallet folder (ssl_wallet) directly into $ORACLE_BASE since it could be a 'universal ssl wallet' for all databases on the server, but I think it still makes sense to have an SSL wallet per database.

@fuzziebrain

Owner Author

commented Apr 11, 2019

@RichardSoule Thanks for the feedback and sorry it took this long to reply. I have used the suggested path (with some tweaks) in this project/repo: https://github.com/fuzziebrain/docker-apex-stack
