DB: Configuring wallet for http(s) calls

Before making https calls from the database, a wallet has to be created and a network access control list (ACL) must be created to allow the outbound https connection.

In addition, the root or intermediate certificates of the website being called must be stored in the wallet. With 12c, only the INTERMEDIATE certificate should be stored in the wallet. A good start to find the latest certificate is here.

Also, a database access list has to be created to grant the specified schema the privilege to access the host via the http call. When a proxy is used as a firewall, access to the proxy host must also be part of this access list.


Setup the wallet

Here we create a wallet in the $ORACLE_HOME/wallet/<db> directory (replace <db> with the database name).

export LWALLET_DIR=$ORACLE_HOME/wallet/<db>
mkdir -p ${LWALLET_DIR}

# Create an auto-login wallet: it can be opened without the password, so restrict
# the directory to the oracle OS user with file permissions
orapki wallet create -wallet ${LWALLET_DIR} -pwd welcome1 -auto_login

# Add the intermediate CA certificate of each target site as a trusted certificate
# Example for www.oracle.com
orapki wallet add -wallet ${LWALLET_DIR} -trusted_cert -cert "GeoTrustSSLCA-G3.crt" -pwd welcome1
# Example for cloud.demo.com
orapki wallet add -wallet ${LWALLET_DIR} -trusted_cert -cert "SymantecClass3SecureServerCA-G4.crt" -pwd welcome1

# Check the wallet files and list the certificates it now contains
ls -l ${LWALLET_DIR}
orapki wallet display -wallet ${LWALLET_DIR} -complete

In case of RAC, make sure to replicate the wallet to the other RAC nodes.


Create the access list

connect sys/<password> as sysdba

ALTER SESSION SET CONTAINER=<pdb>;

begin
  -- Network ACE: '*' matches every host and the port range covers 80 to 443 inclusive;
  -- narrow host and ports to the actual targets wherever possible.
  -- The principal name must match the database user name (normally upper case).
  dbms_network_acl_admin.append_host_ace
    (host           => '*'
    ,lower_port     => 80
    ,upper_port     => 443
    ,ace            => xs$ace_type(privilege_list => xs$name_list('http','http_proxy')
                                  ,principal_name => 'SCHEMA'
                                  ,principal_type => xs_acl.ptype_db));
  -- Wallet ACE: lets the schema use the certificates (and any stored passwords) in the wallet
  dbms_network_acl_admin.append_wallet_ace
    (wallet_path    => 'file:/path to ORACLE_HOME/wallet/<db>'
    ,ace            => xs$ace_type(privilege_list => xs$name_list('use_client_certificates','use_passwords')
                                  ,principal_name => 'SCHEMA'
                                  ,principal_type => xs_acl.ptype_db));
  commit;
end;
/


To check the successful deployment of the wallet and certificate, connect as the granted schema and request an https URL (an http URL would succeed without any wallet and proves nothing about the certificate):

sqlplus <schema>/<password>
SQL> execute utl_http.set_wallet('file:<path to wallet>', 'welcome1');
SQL> select utl_http.request ('https://www.oracle.com') from dual;

or with a proxy:

sqlplus <schema>/<password>
SQL> execute utl_http.set_wallet('file:<path to wallet>', 'welcome1');
SQL> select utl_http.request ('https://www.oracle.com','http://<proxy>:80') from dual;
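The ACE above grants the schema 'http' on host '*' for every port from 80 to 443. The following PL/SQL is an added example, not code from the original post: it shows the same grant scoped to a single host and port, lists what the schema has actually been granted via the 12c dictionary views, and exercises the wallet with an https request that reports the detailed error on failure. SCHEMA, www.example.com and /path/to/wallet are placeholders; the wallet is opened without a password because it was created with -auto_login.

```sql
-- Added example: scope the network ACE to one host and the HTTPS port only
-- (compare with host => '*', lower_port => 80, upper_port => 443 above).
-- Placeholders: SCHEMA, www.example.com, /path/to/wallet. Run as SYS in the PDB.
begin
  dbms_network_acl_admin.append_host_ace(
    host       => 'www.example.com',
    lower_port => 443,
    upper_port => 443,
    ace        => xs$ace_type(privilege_list => xs$name_list('http'),
                              principal_name => 'SCHEMA',
                              principal_type => xs_acl.ptype_db));
  dbms_network_acl_admin.append_wallet_ace(
    wallet_path => 'file:/path/to/wallet',
    ace         => xs$ace_type(privilege_list => xs$name_list('use_client_certificates'),
                               principal_name => 'SCHEMA',
                               principal_type => xs_acl.ptype_db));
  commit;
end;
/

-- Verify what the schema has really been granted (12c dictionary views)
select host, lower_port, upper_port, principal, privilege
  from dba_host_aces
 where principal = 'SCHEMA';

select wallet_path, principal, privilege
  from dba_wallet_aces
 where principal = 'SCHEMA';

-- Exercise the wallet as the schema itself; only an https:// URL goes through
-- certificate validation, an http:// URL succeeds even with an empty wallet.
set serveroutput on
declare
  l_req  utl_http.req;
  l_resp utl_http.resp;
begin
  utl_http.set_wallet('file:/path/to/wallet', null);  -- auto-login wallet: no password
  l_req  := utl_http.begin_request('https://www.example.com/', 'GET', 'HTTP/1.1');
  l_resp := utl_http.get_response(l_req);
  dbms_output.put_line('HTTP status: ' || l_resp.status_code);
  utl_http.end_response(l_resp);
exception
  when others then
    -- ORA-29024: certificate validation failed (CA missing from or wrong in the wallet)
    -- ORA-24247: network access denied by the ACL (host/port/principal mismatch)
    dbms_output.put_line(sqlerrm || ' / ' || utl_http.get_detailed_sqlerrm);
    raise;
end;
/
```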