Oracle® Database Advanced Security Administrator's Guide
10g Release 1 (10.1)

Part Number B10772-01
E orapki Utility

The orapki utility is provided to manage public key infrastructure (PKI) elements, such as wallets and certificate revocation lists, on the command line so the tasks it performs can be incorporated into scripts. Providing a way to incorporate the management of PKI elements into scripts makes it possible to automate many of the routine tasks of maintaining a PKI.

The following topics are included in this appendix:

  • orapki Utility Overview
  • Managing Oracle Wallets with orapki Utility
  • Managing Certificate Revocation Lists (CRLs) with orapki Utility
  • orapki Utility Commands Summary

orapki Utility Overview

This command line utility can be used to perform the following tasks:

orapki Utility Syntax

The basic syntax of the orapki command line utility is as follows:

orapki module command -parameter <value>

where module can be wallet (Oracle wallet), crl (certificate revocation list), or cert (PKI digital certificate). The available commands depend on the module you are using. For example, if you are working with a wallet, then you can add a certificate or a key to the wallet with the add command. The following example adds the user certificate located at /private/lhale/cert.txt to the wallet located at $ORACLE_HOME/wallet/ewallet.p12:

orapki wallet add -wallet $ORACLE_HOME/wallet/ewallet.p12 -user_cert -cert /private/lhale/cert.txt

Creating Signed Certificates for Testing Purposes

This command line utility provides a convenient, lightweight way to create signed certificates for testing purposes. The following syntax can be used to create signed certificates and to view certificates:

To create a signed certificate for testing purposes:
orapki cert create [-wallet <wallet_location>] -request <certificate_request_location> -cert <certificate_location> -validity <number_of_days> [-summary]

This command creates a signed certificate from the certificate request. The -wallet parameter specifies the wallet containing the user certificate and private key that will be used to sign the certificate request. The -validity parameter specifies the number of days, starting from the current date, that this certificate will be valid. Specifying a certificate and certificate request is mandatory for this command.

To view a certificate:
orapki cert display -cert <certificate_location> [-summary | -complete]

This command enables you to view a test certificate that you have created with orapki. You can choose either -summary or -complete, which determines how much detail the command will display. If you choose -summary, the command will display the certificate and its expiration date. If you choose -complete, it will display additional certificate information, including the serial number and public key.

Managing Oracle Wallets with orapki Utility

The following sections describe the syntax used to create and manage Oracle wallets with the orapki command line utility. You can use these orapki utility wallet module commands in scripts to automate the wallet creation process.

Creating and Viewing Oracle Wallets with orapki

To create an Oracle wallet:
orapki wallet create -wallet <wallet_location>

This command will prompt you to enter and re-enter a wallet password. It creates a wallet in the location specified for -wallet.

To create an Oracle wallet with auto login enabled:
orapki wallet create -wallet <wallet_location> -auto_login

This command creates a wallet with auto login enabled, or it can also be used to enable auto login on an existing wallet. If the wallet_location already contains a wallet, then auto login will be enabled for it. To turn the auto login feature off, use Oracle Wallet Manager. See "Using Auto Login" for details.


Note:

For wallets with the auto login feature enabled, you are prompted for a password only for operations that modify the wallet, such as add.


To view an Oracle wallet:
orapki wallet display -wallet <wallet_location>

Displays the certificate requests, user certificates, and trusted certificates contained in the wallet.

Adding Certificates and Certificate Requests to Oracle Wallets with orapki

To add a certificate request to an Oracle wallet:
orapki wallet add -wallet <wallet_location> -dn <user_dn> -keySize <512|1024|2048>

This command adds a certificate request to a wallet for the user with the specified distinguished name (user_dn). The request also specifies the requested certificate's key size (512, 1024, or 2048 bits). To sign the request, export it with the export option. See "Exporting Certificates and Certificate Requests from Oracle Wallets with orapki".

To add a trusted certificate to an Oracle wallet:
orapki wallet add -wallet <wallet_location> -trusted_cert -cert <certificate_location>

This command adds a trusted certificate, at the specified location (-cert <certificate_location>), to a wallet. You must add all trusted certificates in the certificate chain of a user certificate before adding the user certificate, or the command to add the user certificate will fail.

To add a root certificate to an Oracle wallet:
orapki wallet add -wallet <wallet_location> -dn <certificate_dn> -keySize <512|1024|2048> -self_signed -validity <number_of_days>

This command creates a new self-signed (root) certificate and adds it to the wallet. The -validity parameter (mandatory) specifies the number of days, starting from the current date, that this certificate will be valid. You can specify a key size for this root certificate (-keySize) of 512, 1024, or 2048 bits.

To add a user certificate to an Oracle wallet:

orapki wallet add -wallet <wallet_location> -user_cert -cert <certificate_location>

This command adds the user certificate at the location specified with the -cert parameter to the Oracle wallet at the <wallet_location>. Before you add a user certificate to a wallet, you must add all the trusted certificates that make up the certificate chain. If all trusted certificates are not installed in the wallet before you add the user certificate, then adding the user certificate will fail.


Exporting Certificates and Certificate Requests from Oracle Wallets with orapki

To export a certificate from an Oracle wallet:
orapki wallet export -wallet <wallet_location> -dn <certificate_dn> -cert <certificate_filename>

This command exports a certificate with the subject's distinguished name (-dn) from a wallet to a file that is specified by -cert.

To export a certificate request from an Oracle wallet:
orapki wallet export -wallet <wallet_location> -dn <certificate_request_dn> -request <certificate_request_filename>

This command exports a certificate request with the subject's distinguished name (-dn) from a wallet to a file that is specified by -request.
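The wallet and certificate commands above are individually simple, but the ordering constraints matter: a certificate request must be exported before it can be signed, and every trusted certificate in a chain must be in the wallet before the user certificate is added. The following script is an added example, not part of the Oracle manual, that strings the commands from "Creating Signed Certificates for Testing Purposes" and the wallet create/add/export sections into one test-PKI build: a CA wallet with a self-signed root, a user wallet with a key pair and request, the request signed by the CA wallet, and the resulting chain installed in the right order. It assumes orapki from an Oracle home is on PATH; the paths under PKI_ROOT, the distinguished names and the DRY_RUN switch are hypothetical conveniences of the example. orapki prompts interactively for wallet passwords, so the script never passes one on the command line.

```shell
#!/bin/sh
# Added example (not from the Oracle manual): build a throwaway test PKI with orapki.
# Assumptions: orapki is on PATH; PKI_ROOT, the DNs and DRY_RUN are hypothetical
# values of this example. Wallet passwords are entered at orapki's own prompts.
# DRY_RUN=1 prints each command instead of executing it.

set -eu

ORAPKI="${ORAPKI:-orapki}"
DRY_RUN="${DRY_RUN:-0}"
PKI_ROOT="${PKI_ROOT:-/tmp/testpki}"

# Echo each orapki invocation, then execute it unless DRY_RUN=1.
run() {
    printf '%s\n' "$*"
    if [ "$DRY_RUN" != "1" ]; then
        "$@"
    fi
}

# build_test_pki CA_DN USER_DN VALIDITY_DAYS
# Steps in dependency order: the user certificate can only be added after every
# trusted certificate in its chain is already in the wallet.
build_test_pki() {
    ca_dn="$1"
    user_dn="$2"
    validity="$3"
    ca_wallet="$PKI_ROOT/ca"
    user_wallet="$PKI_ROOT/user"

    [ "$DRY_RUN" = "1" ] || mkdir -p "$ca_wallet" "$user_wallet"

    # 1. CA wallet holding a self-signed (root) certificate, exported for later trust.
    run "$ORAPKI" wallet create -wallet "$ca_wallet"
    run "$ORAPKI" wallet add -wallet "$ca_wallet" -dn "$ca_dn" -keySize 2048 -self_signed -validity "$validity"
    run "$ORAPKI" wallet export -wallet "$ca_wallet" -dn "$ca_dn" -cert "$PKI_ROOT/ca.crt"

    # 2. User wallet with a key pair and a certificate request, exported for signing.
    run "$ORAPKI" wallet create -wallet "$user_wallet"
    run "$ORAPKI" wallet add -wallet "$user_wallet" -dn "$user_dn" -keySize 2048
    run "$ORAPKI" wallet export -wallet "$user_wallet" -dn "$user_dn" -request "$PKI_ROOT/user.csr"

    # 3. Sign the request with the private key in the CA wallet (test use only).
    run "$ORAPKI" cert create -wallet "$ca_wallet" -request "$PKI_ROOT/user.csr" -cert "$PKI_ROOT/user.crt" -validity "$validity"

    # 4. Install the chain: trusted root first, user certificate second.
    run "$ORAPKI" wallet add -wallet "$user_wallet" -trusted_cert -cert "$PKI_ROOT/ca.crt"
    run "$ORAPKI" wallet add -wallet "$user_wallet" -user_cert -cert "$PKI_ROOT/user.crt"

    # Show what ended up in the user wallet.
    run "$ORAPKI" wallet display -wallet "$user_wallet"
}

# Usage: sh build_test_pki.sh "CN=Test Root CA,O=Example" "CN=dbuser,O=Example" [days]
if [ $# -ge 2 ]; then
    build_test_pki "$1" "$2" "${3:-365}"
fi
```

Because the script runs under set -e, a failure at any step (for example, a rejected user certificate because the root was not yet trusted) stops the build rather than leaving a half-populated wallet in place.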

Managing Certificate Revocation Lists (CRLs) with orapki Utility

CRLs must be managed with orapki. This utility creates a hashed value of the CRL issuer's name to identify the CRL's location in your system. If you do not use orapki, your Oracle server cannot locate CRLs to validate PKI digital certificates. For detailed information about using orapki to manage CRLs, refer to "Certificate Revocation List Management".

orapki Utility Commands Summary

This section lists and describes the following orapki commands:

orapki cert create

Purpose

Use this command to create a signed certificate for testing purposes.

Syntax

orapki cert create [-wallet <wallet_location>] -request <certificate_request_location> -cert <certificate_location> -validity <number_of_days> [-summary]

orapki cert display

Purpose

Use this command to display details of a specific certificate.

Syntax

orapki cert display -cert <certificate_location> [-summary|-complete]

orapki crl delete

Purpose

Use this command to delete CRLs from Oracle Internet Directory. Note that the user who deletes CRLs from the directory by using orapki must be a member of the CRLAdmins (cn=CRLAdmins,cn=groups,%s_OracleContextDN%) directory group.

Prerequisites

None

Syntax

orapki crl delete -issuer <issuer_name> -ldap <hostname:ssl_port> -user <username> [-wallet <wallet_location>] [-summary]

  • The -issuer parameter specifies the name of the certificate authority (CA) who issued the CRL.
  • The -ldap parameter specifies the hostname and SSL port for the directory where the CRLs are to be deleted. Note that this must be a directory SSL port with no authentication. See "Uploading CRLs to Oracle Internet Directory" for more information about this port.
  • The -user parameter specifies the username of the directory user who has permission to delete CRLs from the CRL subtree in the directory.
  • The -wallet parameter (optional) specifies the location of the wallet that contains the certificate of the certificate authority (CA) who issued the CRL. Using it causes the tool to verify the validity of the CRL against the CA's certificate prior to deleting it from the directory.
  • The -summary parameter is optional. Using it causes the tool to print the CRL LDAP entry that was deleted.

orapki crl display

Purpose

Use this command to display specific CRLs that are stored in Oracle Internet Directory.

Syntax

orapki crl display -crl <crl_location> [-wallet <wallet_location>] [-summary|-complete]

orapki crl hash

Purpose

Use this command to generate a hash value of the certificate revocation list (CRL) issuer to identify the location of the CRL in your file system for certificate validation.

Syntax

orapki crl hash -crl <crl_filename|URL> [-wallet <wallet_location>] [-symlink|-copy] <crl_directory> [-summary]

orapki crl list

Purpose

Use this command to display a list of CRLs stored in Oracle Internet Directory. This is useful for browsing to locate a particular CRL to view or download to your local file system.

Syntax

orapki crl upload

Purpose

Use this command to upload certificate revocation lists (CRLs) to the CRL subtree in Oracle Internet Directory. Note that you must be a member of the directory administrative group CRLAdmins (cn=CRLAdmins,cn=groups,%s_OracleContextDN%) to upload CRLs to the directory.

Syntax

orapki crl upload -crl <crl_location> -ldap <hostname:ssl_port> -user <username> [-wallet <wallet_location>] [-summary]

  • The -crl parameter specifies the directory location or the URL of the CRL that you are uploading to the directory.
  • The -ldap parameter specifies the hostname and SSL port for the directory where you are uploading the CRLs. Note that this must be a directory SSL port with no authentication. See "Uploading CRLs to Oracle Internet Directory" for more information about this port.
  • The -user parameter specifies the username of the directory user who has permission to add CRLs to the CRL subtree in the directory.
  • The -wallet parameter (optional) specifies the location of the wallet that contains the certificate of the certificate authority (CA) who issued the CRL. Using it causes the tool to verify the validity of the CRL against the CA's certificate prior to uploading it to the directory.
  • The -summary parameter is also optional. Using it causes the tool to display the CRL issuer's name and the LDAP entry where the CRL is stored in the directory.

orapki wallet add

Purpose

Use this command to add certificate requests and certificates to an Oracle wallet.

Syntax

To add certificate requests:

orapki wallet add -wallet <wallet_location> -dn <user_dn> -keySize <512|1024|2048>

  • The -wallet parameter specifies the location of the wallet to which you want to add a certificate request.
  • The -dn parameter specifies the distinguished name of the certificate owner.
  • The -keySize parameter specifies the key size for the certificate.
  • To sign the request, export it with the export option. See "orapki wallet export".

To add trusted certificates:

orapki wallet add -wallet <wallet_location> -trusted_cert -cert <certificate_location>

  • The -trusted_cert parameter causes the tool to add the trusted certificate, at the location specified with -cert, to the wallet.

To add root certificates:

orapki wallet add -wallet <wallet_location> -dn <certificate_dn> -keySize <512|1024|2048> -self_signed -validity <number_of_days>

  • The -self_signed parameter causes the tool to create a root certificate.
  • The -validity parameter is mandatory. Use it to specify the number of days, starting from the current date, that this root certificate will be valid.

To add user certificates:

orapki wallet add -wallet <wallet_location> -user_cert -cert <certificate_location>

  • The -user_cert parameter causes the tool to add the user certificate at the location specified with the -cert parameter to the wallet. Before you add a user certificate to a wallet, you must add all the trusted certificates that make up the certificate chain. If all trusted certificates are not installed in the wallet before you add the user certificate, then adding the user certificate will fail.

orapki wallet create

Purpose

Use this command to create an Oracle wallet or to set auto login on for an Oracle wallet.


Syntax

orapki wallet create -wallet <wallet_location> [-auto_login]

  • The -wallet parameter specifies a location for the new wallet or the location of the wallet for which you want to turn on auto login.
  • The -auto_login parameter creates an auto login wallet, or it turns on automatic login for the wallet specified with the -wallet option. See "Using Auto Login" for details about auto login wallets.

orapki wallet display

Purpose

Use this command to view the certificate requests, user certificates, and trusted certificates in an Oracle wallet.

Syntax

orapki wallet display -wallet <wallet_location>

  • The -wallet parameter specifies a location for the wallet you want to open if it is not located in the current working directory.

orapki wallet export

Purpose

Use this command to export certificate requests and certificates from an Oracle wallet.

Syntax

To export a certificate from an Oracle wallet:

orapki wallet export -wallet <wallet_location> -dn <certificate_dn> -cert <certificate_filename>

  • The -wallet parameter specifies the location of the wallet from which you want to export the certificate.
  • The -dn parameter specifies the distinguished name of the certificate.
  • The -cert parameter specifies the name of the file that contains the exported certificate.

To export a certificate request from an Oracle wallet:

orapki wallet export -wallet <wallet_location> -dn <certificate_request_dn> -request <certificate_request_filename>

  • The -request parameter specifies the name of the file that contains the exported certificate request.