Thursday, July 3, 2014

JKS & Keystore commands

Set the following environment variables before running the commands in the sections below.


export MW_HOME=<</opt/appbin/oracle/idm_middleware>>
export JAVA_HOME=<<$MW_HOME/Oracle_IDM1/jdk>>

export ORACLE_HOME=<<$MW_HOME/Oracle_IDM1>>
export ORACLE_INSTANCE=<<$MW_HOME/asinst_1>>
export PATH=$JAVA_HOME/bin:$PATH:$MW_HOME/oracle_common/bin:$ORACLE_HOME/bin



Convert Wallets to JKS keystore



A) Run the following command to convert the wallet certificate entries (private key, root CA and signed certificate types), specifying the list of aliases separated by a ':' delimiter.

pkcs12_to_jks -wallet p12wrl -pwd p12pwd [-jksKeyStoreLoc jksKSloc -jksKeyStorepwd jksKS_pwd][-jksTrustStoreLoc loc -jksTrustStorepwd pwd]


where the parameters are as follows:

wallet is the p12 wallet location
pwd is the wallet password
jksKeyStoreLoc is the JKS keystore location
jksKeyStorepwd is the JKS keystore password
jksTrustStoreLoc is the JKS truststore location
jksTrustStorepwd is the JKS truststore password

Note:
Passwords must have a minimum length of eight characters and contain alphabetic characters combined with numbers or special characters.

B) List the keystore to get the alias name of the PrivateKeyEntry with the following command:

keytool -list -v -keystore <path_to_keystore_file>

 

Convert JKS Keystore to Wallet

1. The following command only works with JDK 1.6.x; it does not work with the JDK 1.4/1.5 that ships with AS 10.1.2/10.1.3, so first download and install JDK 1.6. Alternatively, install a Fusion Middleware 11.1.1.x Webtier and follow the instructions for FMW 11g further down in this article.

2. Convert the Java Keystore to an Oracle Wallet:
a) Create an empty wallet using the OWM GUI or with the command
   orapki wallet create -wallet . -pwd <<walletPswd>>
b) Convert the JKS to PKCS12 using keytool
   keytool -importkeystore -srckeystore <<jks file path>> -destkeystore <<same jks file path>> -deststoretype pkcs12
c) Run the following command (all on one line):
%JDK16_HOME%\bin\keytool -importkeystore -srckeystore <keystore> -destkeystore <wallet_loc> -srcstoretype JKS -deststoretype PKCS12 -srcstorepass <jks_storepasswd> -deststorepass <wallet_passwd> -srcalias <key_alias> -destalias <key_alias> -srckeypass <jks_keypasswd> -destkeypass <wallet_passwd>
Note that the <wallet_passwd> must conform to Oracle standards.
  • Minimum password length (8 characters)
  • Maximum password length unlimited
  • Alphanumeric character mix required
For example:
%JDK16_HOME%\bin\keytool -importkeystore -srckeystore keystore -destkeystore <path_to>/ewallet.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass jkspasswd -deststorepass Welcome1 -srcalias mykey -destalias mykey -srckeypass jkspasswd -destkeypass Welcome1
OR
i) Open the wallet in Wallet Manager:
  • Run $ORACLE_HOME/bin/owm
  • Select "Wallet" -> "Open" and select the <path_to>/ewallet.p12
  • Select "Wallet" -> "Auto-Login" and "Save" the wallet.
     or
    [It may seem that you can only provide the "-auto_login" option while creating the wallet and not after that point. This is a case of misleading syntax, as you actually can change the option with "orapki wallet create" without destroying the original wallet:]

   $ orapki wallet create -wallet . -pwd <<walletpswd>> -auto_login

ii) Convert the JKS to PKCS12 using keytool:
   keytool -importkeystore -srckeystore <<jks file path>> -destkeystore <<same jks file path>> -deststoretype pkcs12

iii) $ orapki wallet jks_to_pkcs12 -wallet /opt/appbin/oracle/Keystore/wallet -pwd <<WalletPswd>> -keystore <<servername.jks>> -jkspwd <<servername>>


Keystore Generation


Example:
$ cd /opt/AppBin/oracle
$ export JAVA_HOME=/usr/java6_64
$ export PATH=$JAVA_HOME/bin:$PATH
$ keytool -genkey -alias servName11 -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "CN=servName11,OU=<<Organization Name>>,O=<organization name>,L=Sacramento,ST=Ca,C=US" -keypass servName11 -keystore servName11.jks -storepass servName11

Cert Request


$ keytool -certreq -v -alias servName11 -file servName11.csr -keypass servName11  -storepass servName11 -keystore servName11.jks
Output
Certification request stored in file <servName11.csr>
Submit the generated CSR to your CA.
Once the CA has signed the CSR it will send you the root CA and the signed certificate.
Place the root CA and signed certificate files in the tmp/keystore location.
Run the following command to import the root CA.

Import rootCA

$ keytool -import -v -noprompt -trustcacerts -alias rootcacert -file /opt/appbin/oracle/Keystore/RootCA.cer -keystore servName11.jks -storepass servName11
Output
Certificate was added to keystore
[Storing servName11.jks]
Verify that the cert has been imported into the keystore:
$ keytool -list -v -keystore servName11.jks -storepass servName11

Import server Cert - signed


Import the Server Certificate into your keystore using the following command:
Note: the alias name must be the same alias that was specified when the certificate request was created.
$ keytool -import -v -alias <alias> -file <server_cert_file> -keystore <keystore> -keypass <password> -storepass <password>

Modify the cert alias

$keytool -changealias -keystore keystore.jks -storepass storepw -alias hostname -keypass keypw -destalias newhostname

Modify the keystore password

$keytool -storepasswd -storetype jks -keystore keystore.jks -storepass storepw -new newstorepw

Modify the certificate key password

$keytool -keypasswd -keystore keystore.jks -storepass storepw -alias hostname -keypass keypw -new newkeypw
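Added example, not from the original post: before working through the renewal steps that follow, this script reads the text of keytool -list -v and flags every alias whose leaf certificate expires within N days; the sample listing is constructed, and a small date helper is included so it runs without GNU date.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: list keystore entries whose leaf
# certificate expires within N days, read from the text of "keytool -list -v".
set -eu
# expiring_entries DAYS TODAY(YYYY-MM-DD) < keytool-list-v-output
# Prints "<alias> <days_left>" for each alias whose first certificate (the leaf of a
# PrivateKeyEntry, or the cert itself for a trustedCertEntry) expires within DAYS
# of TODAY; a negative days_left means it has already expired.
expiring_entries() {
  awk -v days="$1" -v today="$2" '
    # Days since 1970-01-01 for a civil date (algorithm by Howard Hinnant), so the
    # check does not depend on GNU versus BSD "date" options.
    function civ(y, m, d,   era, yoe, doy, doe) {
      y -= (m <= 2); era = int(y / 400); yoe = y - era * 400
      doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
      doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
      return era * 146097 + doe - 719468
    }
    BEGIN {
      split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mn, " ")
      for (i in mn) mi[mn[i]] = i
      split(today, t, "-"); now = civ(t[1] + 0, t[2] + 0, t[3] + 0)
    }
    /^Alias name: / { alias = $3; seen = 0 }
    # keytool prints: Valid from: Www Mmm dd HH:MM:SS TZ yyyy until: Www Mmm dd HH:MM:SS TZ yyyy
    /^Valid from: / && !seen {
      seen = 1
      split(substr($0, index($0, "until: ") + 7), f, " ")
      left = civ(f[6] + 0, mi[f[2]] + 0, f[3] + 0) - now
      if (left <= days + 0) print alias, left
    }'
}

# Constructed sample of "keytool -list -v" output, abridged: the server key entry
# expires on 2015-07-03, the trusted root CA entry in 2024.
SAMPLE_LISTING='Alias name: servname11
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=servName11, O=Example, C=US
Valid from: Thu Jul 03 10:00:00 UTC 2014 until: Fri Jul 03 10:00:00 UTC 2015
Certificate[2]:
Owner: CN=Test CA, O=Example, C=US
Valid from: Tue Jan 01 00:00:00 UTC 2008 until: Mon Jan 01 00:00:00 UTC 2024
Alias name: rootcacert
Entry type: trustedCertEntry
Owner: CN=Test CA, O=Example, C=US
Valid from: Tue Jan 01 00:00:00 UTC 2008 until: Mon Jan 01 00:00:00 UTC 2024'
# On a real keystore:  keytool -list -v -keystore servName11.jks -storepass "$PW" | expiring_entries 30 "$(date +%F)"
```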

Renewal of Server Signed Certificate & Root Certificate @Keystore Steps:

Renew the Server signed Certificate :

  • Assuming the originally created CSR exists
  • Send the CSR to the Certificate Authority to renew the certificate.
  • On the server, take a backup of the existing jks file and the old signed certificate.
  • Once the newly signed server certificate is received, place the certificate at the jks keystore location.
  • Run the following commands to delete the server signed certificate from the jks keystore.

    keytool -list -keystore <<hostname>>.jks -storepass <<hostname>>
    keytool -delete -v -alias <alias> -keystore <<hostname>>.jks -storepass <hostname>
  • Run the following command to add the server signed certificate into the jks keystore with the same server alias as deleted in the above step.
    keytool -import -v -alias <alias> -file <<hostname>>.cer -keystore <<hostname>>.jks -keypass <hostname> -storepass <hostname>
  • Verify that the server signed certificate is installed as desired.
    keytool -list -keystore <<hostname>>.jks -storepass <<hostname>> -alias <<alias>> -v
  • Restart the app servers where this jks keystore is configured.

Renew the Root Certificate:

  • Assuming the new root certificate has been received from the Certificate Authority.
  • Take a backup of the existing root cert and jks keystore.
  • Place the root certificate into the jks keystore location.

  • Run the following commands to delete the root certificate from the jks keystore.
    keytool -list -keystore <<hostname>>.jks -storepass <<hostname>>
    keytool -delete -v -alias <rootca-aliasName> -keystore <<hostname>>.jks -storepass <hostname>
  • Run the following command to add the root certificate into the jks keystore with the same root alias as deleted in the above step.
    keytool -import -v -noprompt -trustcacerts -alias <rootca-aliasName> -file <<hostname>>.crt -keystore <<hostname>>.jks -keypass <hostname> -storepass <hostname>
  • Verify that the root certificate is installed as desired.
    keytool -list -keystore <<hostname>>.jks -storepass <<hostname>> -alias <<rootca>> -v
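As an added example (not the post's own commands), the keystore steps from "Keystore Generation" through "Import server Cert" and the server-certificate renewal from this section run end to end against a throwaway local CA, so the resulting chain can be verified offline; the directory, aliases and password are assumed values, and keytool -gencert stands in for the real CA.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: the post's keystore lifecycle
# (key pair -> CSR -> CA-signed cert -> import root and reply) and the server
# certificate renewal, run against a throwaway local CA so the chain can be
# verified offline. Directory, aliases and the password are assumed values.
set -eu
PW="changeit-1234"   # assumed; it must still satisfy the password rules given above
# build_signed_keystore DIR ALIAS: DIR/ALIAS.jks gets a key pair whose certificate is
# signed by a test CA kept in DIR/ca.jks (keytool -gencert stands in for the real CA).
build_signed_keystore() {
  local dir="$1" a="$2" ks="$1/$2.jks"
  mkdir -p "$dir"; rm -f "$ks" "$dir/ca.jks" "$dir/ca.cer" "$dir/$a.csr" "$dir/$a.cer"
  keytool -genkeypair -alias testca -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -dname "CN=Test CA,O=Example,C=US" -ext bc:c -validity 3650 \
    -keystore "$dir/ca.jks" -storepass "$PW" -keypass "$PW" >/dev/null 2>&1
  keytool -exportcert -rfc -alias testca -keystore "$dir/ca.jks" -storepass "$PW" \
    -file "$dir/ca.cer" >/dev/null 2>&1
  keytool -genkeypair -alias "$a" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -dname "CN=$a,OU=IT,O=Example,L=Sacramento,ST=CA,C=US" \
    -keystore "$ks" -storepass "$PW" -keypass "$PW" >/dev/null 2>&1
  keytool -certreq -alias "$a" -keystore "$ks" -storepass "$PW" -keypass "$PW" \
    -file "$dir/$a.csr" >/dev/null 2>&1
  # Root CA first (becomes a trustedCertEntry), then the signed reply via renew_server_cert.
  keytool -importcert -noprompt -trustcacerts -alias rootcacert -file "$dir/ca.cer" \
    -keystore "$ks" -storepass "$PW" >/dev/null 2>&1
  renew_server_cert "$dir" "$a"
}

# renew_server_cert DIR ALIAS: re-signs the original CSR (the post assumes it still
# exists) and imports the reply under the key pair's existing alias. keytool then
# replaces the certificate chain and keeps the private key; deleting the alias first
# would discard the key, and the re-import would land as a plain trusted certificate.
renew_server_cert() {
  local dir="$1" a="$2" ks="$1/$2.jks"
  keytool -gencert -alias testca -keystore "$dir/ca.jks" -storepass "$PW" -validity 365 \
    -rfc -infile "$dir/$a.csr" -outfile "$dir/$a.cer" >/dev/null 2>&1
  keytool -importcert -noprompt -alias "$a" -file "$dir/$a.cer" \
    -keystore "$ks" -storepass "$PW" -keypass "$PW" >/dev/null 2>&1
}
# entry_type KEYSTORE ALIAS prints e.g. PrivateKeyEntry; chain_length KEYSTORE ALIAS
# prints 1 for a self-signed key pair and 2 once a CA-signed reply has been imported.
entry_type() {
  keytool -list -keystore "$1" -storepass "$PW" -alias "$2" 2>/dev/null |
    sed -n 's/.*, \([A-Za-z]*Entry\),.*/\1/p'
}
chain_length() {
  keytool -list -v -keystore "$1" -storepass "$PW" -alias "$2" 2>/dev/null |
    sed -n 's/^Certificate chain length: //p'
}
```

Run build_signed_keystore /tmp/ks servName11 and then keytool -list -v on /tmp/ks/servName11.jks to see the two-certificate chain under the key entry next to the separate rootcacert trusted entry.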


Renewal for Server certificate & root certificate @ Wallet Steps:

Renewal of Server signed certificate:

  1. Set the env variables.
  2. Back up the current wallet files and the old server signed cert.
  3. Find the old CSR file and submit it to the Certificate Authority to get the renewed server certificate.
  4. Place the newly signed server certificate on the host where the wallet is located.
  5. If this is a Unix host, make sure the DISPLAY variable is set so the GUI tools can open from the Unix host.
  6. Open Wallet Manager with the owm command.
  7. Open the wallet from Wallet Manager.
  8. Remove the User Certificate: select the user certificate -> remove the user Certificate.
  9. Install the user certificate: select the user certificate [Requested] -> install the user certificate and choose the newly renewed server certificate.
  10. Save. [Make sure auto save is selected]

Renew the root Certificate :
  1. Set the env variables.
  2. Back up the current wallet files and the old root certificate file.
  3. Get the renewed root certificate from the Certificate Authority.
  4. Place the new root certificate on the host where the wallet is located.
  5. If this is a Unix host, make sure the DISPLAY variable is set so the GUI tools can open from the Unix host.
  6. Open Wallet Manager with the owm command.
  7. Open the wallet from Wallet Manager.
  8. Remove the Trusted Certificate: select Trusted Certificates -> remove the expired root Certificate [trusted cert] from the list.
  9. Install the root certificate: select Trusted Certificates -> Import Trusted Certificate and choose the newly renewed root certificate.
  10. Save. [Make sure auto save is selected]

Converting Oracle Access Manager Certificates to Java Keystore Format

ref: https://docs.oracle.com/cd/E25178_01/core.1111/e10043/osso_b_oam11g.htm#BABEDBBA