Friday, 1 June 2012

Oracle HTTPS Requests: Set up the Wallet

In addition to setting up the ACL, if you wish to make HTTPS requests you will need to set up a wallet - and more than likely, import trusted certificates.

On the Oracle server, open the wallet manager. On Linux this is done with the command: owm.

Assuming no current wallet exists, create a new one by going to File --> New. At this point you will need to give the wallet a password. Save the wallet and take note of the directory it was saved to (this directory is what you need to pass to utl_http, not a single file). The default directory this is saved to is generally: $ORACLE_HOME/owm/wallets/oracle.

The next step is to import trusted certificates into the wallet. The process varies between OS/Browser. First, go to the website you intend to make requests to and view the certificate information, which is normally done by clicking a button in the address bar.

Linux Chrome:


  1. Click the button to the left of the URL
  2. Click certificate information
  3. Click Details
  4. Click Export
  5. Specify the type as PKCS #7, certificate chain
  6. Save to a convenient location. I find it best to actually save it into the same folder as the oracle wallet, so you have a future reference

Windows Chrome:

  1. Click the button to the left of the URL
  2. Click certificate information
  3. Click Details
  4. Click Copy to File...
  5. Click Next
  6. Click Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B)
  7. Click Next
  8. Save to a convenient location. I find it best to actually save it into the same folder as the oracle wallet, so you have a future reference

(The same dialogue can be reached in Internet Explorer by going to File --> Properties --> Certificates)

It is important to export the certificates in a type that allows you to export the full certificate chain, otherwise it is highly likely that HTTPS requests will still not work.

To import the certificates into the wallet, from the wallet manager:

  1. Right click on the tree node that reads Trusted Certificates, and select the option Import Trusted Certificate...
  2. Select the option Select a file that contains the certificates
  3. Locate the file and click OK

If all went well, you should see at least 1 new certificate added to the node Trusted Certificates.

In any PL/SQL code, you then just need to pass in the wallet parameters - wallet directory, and wallet password (the wallet path parameter is used with the syntax "file:path", where path is the actual path to the wallet directory). I normally do this with the set_wallet procedure, but the two properties are parameters on the functions/procedures to execute http requests (e.g. utl_http.begin_request).

Confirm the wallet is working with the following:

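declare
 req utl_http.req;
 resp utl_http.resp;
 rw varchar2(32767);
begin

 -- point utl_http at the wallet directory (not at a file inside it)
 utl_http.set_wallet('file:<path-to-wallet-directory>', '<wallet-password>');

 req := utl_http.begin_request('<secure-url>');
 resp := utl_http.get_response(req);

 -- read the body line by line; read_line raises end_of_body when done
 loop
  begin
   rw := null;
   utl_http.read_line(resp, rw, TRUE);
   --do something with rw if you like
  exception
   -- catch only end_of_body so real errors are not silently swallowed
   when utl_http.end_of_body then
    exit;
  end;
 end loop;
 utl_http.end_response(resp);

end;
/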
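
If the check above fails, the error stack usually tells you which part of the setup is wrong. The block below is an added example, not part of the original post: it runs the same request and maps the Oracle error codes I would expect for an ACL, wallet path or certificate chain problem to a hint. The <...> values are the same placeholders as above.

```sql
-- Added example (not from the original post): wallet smoke test that
-- reports the likely cause of a failure. Values in <...> are placeholders.
set serveroutput on
declare
  req   utl_http.req;
  resp  utl_http.resp;
  stack varchar2(4000);
begin
  utl_http.set_wallet('file:<path-to-wallet-directory>', '<wallet-password>');
  req  := utl_http.begin_request('<secure-url>');
  resp := utl_http.get_response(req);
  dbms_output.put_line('Wallet and TLS OK, HTTP status ' || resp.status_code);
  utl_http.end_response(resp);
exception
  when others then
    -- ORA-29273 (HTTP request failed) is only the wrapper; the cause is
    -- further down the stack, so search the whole stack text.
    stack := dbms_utility.format_error_stack;
    -- Release the connection if one was opened; ignore "nothing to close".
    begin
      utl_http.end_request(req);
    exception
      when others then null;
    end;
    case
      when instr(stack, 'ORA-24247') > 0 then
        dbms_output.put_line('ACL: this user has no network ACL grant for the host.');
      when instr(stack, 'ORA-29248') > 0 then
        dbms_output.put_line('Wallet path: unrecognised location, check the "file:" prefix.');
      when instr(stack, 'ORA-28759') > 0 then
        dbms_output.put_line('Wallet path: directory missing or not readable by the database OS user.');
      when instr(stack, 'ORA-29024') > 0 then
        dbms_output.put_line('Certificates: chain not trusted, import the full chain into the wallet.');
      else
        dbms_output.put_line('Unclassified failure, see the error stack below.');
    end case;
    dbms_output.put_line(stack);
    raise;  -- keep the original error visible to the caller
end;
/
```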

2 comments:

  1. Hi Trent,
    Not sure if my comment went through so repeating (sorry if it did).

    Will your method for setting up a Wallet work ok with Oracle XE on Windows?
    Is it necessary to set up an ACL on above platform first or is that only for Ora 11g?

    I tried using your test script you put in another blog but always get a cannot open file error.
    Regards
    Kim

    Replies
    1. Hi Kim,

      This is the first comment that's come through.

      The Oracle wallet manager (as described in this post) does not come with 11g XE. I've used the method described here successfully in the past: https://blog.hazrulnizam.com/openssl-workaround-oracle-xe-wallet/ - and yes, you still need to set up ACLs in 11g XE.

      Hope it helps,

      Cheers,
