7 Replies Latest reply: Oct 31, 2013 11:46 AM by Melolo RSS

    utl_http.request wallet problem


      Hello Everyone,

      an Oracle newbie needs your help.


      I have a CAS-Server (Central Authentication Service) running on my domain „sub.mydomain.com" and an Oracle 11g Database. On the CAS-Server I generated and use a keystore for HTTPS access. (keytool -genkeypair -alias sub.mydomain.com -keyalg RSA -keysize 1024 -dname "CN= sub.mydomain.com, OU=Organization, O=Company Name, L=City, S=State, C=US" -validity 365 -keystore .keystore)

      By entering https://sub.mydomain.com:8443/cas/ in the web browser I can access the page after downloading and adding the certificate (saved as sub.mydomain.com.crt with Firefox).


      Now I'd like to obtain XML-Code of this HTTPS Site with PL/SQL. Therefor I used the function utl_http.request(). The Oracle documentation says when fetching data from a Website using HTTPS, wallets are required. So I imported the recently downloaded certificate as a trusted certificate to the wallet manager and saved the wallet. Since I am using Oracle 11g I had also to create a new ACL-list. I followed this description: http://oraclepoint.com/oralife/2010/10/08/configuring-wallet-manager-to-enable-https-connect-with-oracle-11g-database/

      The PL/SQL command I used obtaining XML from the HTTPS-Server: returndata := utl_http.request('https://sub.mydomain.com:8443/', null, [path/to/oracle/wallet], [wallet_password]);


      Running this code I get the error:

      ORA-29273: HTTP request failed

      ORA-06512: at „SYS.UTL_HTTP“, line 1130

      ORA-29024: Certificate validation failure

      ORA-06512: at line 12


      Does anyone have an idea why it is not working?

      I hope I mentioned all relevant information and configuration steps. If not, please let me know and I'll add them.

      I'd be very grateful for any help.


      Thanks and best regards


        • 1. Re: utl_http.request wallet problem

          When I set up something similar on a 10g database I had to explicitly call the utl_http.set_wallet procedure. I had a similar certificate failure error when I tried to combine to two steps into one. I don't know if this would be the same on 11g.

          • 2. Re: utl_http.request wallet problem

            Hey DrabJay, thank you for your reply!

            Now i tried the following code:




                v_request        UTL_HTTP.REQ;

                v_response        UTL_HTTP.RESP;      

                v_data            VARCHAR2(32767);


                UTL_HTTP.SET_WALLET([path/to/oracle/wallet], [wallet_password]);


                v_request := UTL_HTTP.BEGIN_REQUEST('https://sub.mydomain.com:8443/'');


                v_response := UTL_HTTP.GET_RESPONSE(v_request)




                        UTL_HTTP.read_text(v_response, v_data, 32767);


                    END LOOP;


                    WHEN UTL_HTTP.end_of_body THEN







            Unfortunately I get the same errors. Maybe there is something wrong with the certificate. I imported one from https://fedoraproject.org/de/  to the wallet Manager and tried the same code (only adjust the url) again. That works!

            Do you or does anybody else have an idea?



            • 3. Re: utl_http.request wallet problem

              Sounds like root authority issue. If you are signing your own certificates, then you need your root authority certificate in the wallet too.


              PS. Did you generate the certificate request using orapki or owm?

              • 4. Re: utl_http.request wallet problem

                Hi BillyVerreynne, thanks for your reply!

                I just tried to work with the certificate request before - unfortunately without success. I also was not sure whether it was necessary, because the request was successful with other not self-generated certificates. To be honest I don't really understand the meaning of the certificate request. Why I can't handle this certificate like the certificate from, e.g. https://fedoraproject.org/de/ ? I'm very confused now. I'd be very grateful if you could post the most important steps or refer to some useful references to get this request working.

                • 5. Re: utl_http.request wallet problem

                  I believe the Oracle Wallet is fully detailed in Oracle Wallet Manager and orapki - 11g Release 2 (11.1.2).


                  I can comment on the approach I used for getting https implemented for Oracle's native web services (publishing a standard PL/SQL procedure as a web service over https).


                  The Oracle server needs a certificate. For a certificate to be created, a request is required. OWM enables you to generate such a request via the GUI - after which you can send this request to a signing authority to be signed and a certificate provided in return.


                  You then import that certificate you receive from the signing authority into the wallet. And this certificate will now be used by the Oracle Listener for servicing https connections to the database's XDB component/servlets.


                  You can also generate your own self-signed certificates using the CLI orapki tool. In this case you will have a certificate to use, but this will be treated with suspicion by clients as it is not signed by a recognised root signing authority.


                  Oracle's support.oracle.com has several support notes on this specifically - how to use orapki for self-signed certificates.


                  I have used both methods. Self-signed certificates on development for testing purposes. And generating a request on production that was then signed by a signing authority (after which the supplied certificate was imported into the wallet).

                  • 6. Re: utl_http.request wallet problem

                    Thank you for your comprehensive reply.

                    I will try it again and come back soon to share my results.

                    • 7. Re: utl_http.request wallet problem

                      It seems there was a problem with the self-signed certificate. Now I created it with the help of SelfSSL and the Windows IIS Manager. Thank you all for your help!