17 Replies. Latest reply on Jun 5, 2019 8:51 PM by Jedi Knight

    Renewing a certificate in Oracle Wallet Manager

    Jedi Knight

      We are on Hyperion EPM system 11.1.2.4 with Oracle HTTP server having an Entrust certificate in Oracle Wallet Manager. We forgot the password to our Oracle wallet. How can we renew Entrust certificate in this case?

      Please advise the steps.

        • 1. Re: Renewing a certificate in Oracle Wallet Manager
          iArchSolutions-Joe

          Unfortunately there isn't a way to reset the Oracle wallet password for an already generated wallet. However, recreating a new wallet is a very simple process. Maybe you can just do that? Stop whatever processes/services are running and using the current wallet first. Rename the existing wallet files as a BACKUP. Create a new wallet with the same name as the original wallet (this way any config you've done which references that wallet is intact). Then you can update your certs and be on your way!

           

          Oh, and don't forget to import your proper keychain (i.e. any root or intermediate CA certs).

          1 person found this helpful
          • 2. Re: Renewing a certificate in Oracle Wallet Manager
            Jedi Knight

            Hi, thanks!

            Currently our wallet is in D:\SSL folder (this folder is indicated in ssl.conf file in

            'D:\Oracle\Middleware\user_projects\epmsystem1\httpConfig\ohs\config\OHS\ohs_component' folder of our Hyperion Foundation server.

            This folder has 2 files: cwallet.sso and ewallet.p12
            So my questions are:
            1) Before creating a new OHS wallet, do I rename both files, cwallet.sso and ewallet.p12, or only one of those files, and which file is that?

            2) After we create a new OHS wallet and import our certificates, do we need to do any other configuration steps besides restarting the OHS?

             

            Thanks!

            • 3. Re: Renewing a certificate in Oracle Wallet Manager
              JohnGoodwin

              There is more to it than just recreating the wallet depending where the CSR was generated.

              Was the certificate signed with the CSR that was generated from the wallet that you don't have the password for? That wallet will have the private key.

              I assume you are going to create a new wallet, generate CSR and then get it signed again.

              The original cwallet.sso and ewallet.p12 are no good to you if you don't have the password, well unless you try and crack it.

              Alternatively if you can obtain the PKCS#12 file then this can be renamed and opened in wallet manager, an example - https://knowledge.digicert.com/solution/SO28803.html

              1 person found this helpful
              • 4. Re: Renewing a certificate in Oracle Wallet Manager
                iArchSolutions-Joe

                I normally rename them both or the folder itself as a backup. The wallet is the .p12 file but the .sso is your credentials so you can open the wallet - they go together. You will need to ensure you have all required CA certs in the chain that might be required for the certificate authentication. If you have all of those in place you should be in good shape. The wallet location is tied in a few places (ssl.conf file, etc.) but if you use the same name and location, that should be all you need.

                 

                Let me know how it goes!

                1 person found this helpful
                • 5. Re: Renewing a certificate in Oracle Wallet Manager
                  iArchSolutions-Joe

                  I believe Jedi Knight had lost the password so that original wallet is no longer useful.  He has to create a new one, go through same config steps to recreate it (root/int certs import, generate CSR, get signed, etc.). Once all of this is done and the new wallet name is the same as old, you should be good to go presuming you did what  noted above, rename the wallet folder itself and have this new wallet in the exact location as the original.  If any issues, let me know.  We do this all the time and don't have issues.

                  1 person found this helpful
                  • 6. Re: Renewing a certificate in Oracle Wallet Manager
                    JohnGoodwin

                    I know he lost the password, that is why I said the old wallet is of no use without the password. I said there is more to it than recreating and importing the certs in, a new CSR request is required and be signed. This was not mentioned so I included it, is there a problem with me saying that?

                    1 person found this helpful
                    • 7. Re: Renewing a certificate in Oracle Wallet Manager
                      Jedi Knight

                      Hi John,
                      Our vendor's documentation says that SSL was set up from OWM first by going to 'Operations > Add Certificate Request', then right-clicking the certificate > Import User Certificate, selecting the .cer file and clicking OK.

                      So my understanding is that you are advising exactly the same thing as iArch Solutions - that is we just need to re-create the wallet and repeat all the steps in the OWM starting from 'Operations > Add Certificate Request'.

                      PKCS#12 file, I think, is not the best option in this case.

                      Thanks a lot!

                      • 8. Re: Renewing a certificate in Oracle Wallet Manager
                        JohnGoodwin

                        Yes, repeat all the steps.

                        1 person found this helpful
                        • 9. Re: Renewing a certificate in Oracle Wallet Manager
                          Jedi Knight

                          Thanks!

                          So we created a new wallet, then created a certificate request, then we got 3 files from Entrust: Root.crt, Intermediate.crt, and ServerCertificate.crt, and imported them all, but the certificate status did not change from [Requested] to [Ready].

                          Any ideas why this is so??

                          • 10. Re: Renewing a certificate in Oracle Wallet Manager
                            iArchSolutions-Joe

                            Hi Jedi Knight - Just to make sure I follow, you created the new wallet, then imported your root and intermediate CA certs. Then you generated a new certificate request, exported that new request and sent that off to be signed.  Once you got it back signed, you right clicked (if using the GUI) and imported the signed cert right?  Did you try to "select the file to import" or "paste the certificate" option?  If you pasted it - did you get the entire contents of the signed cert file?

                             

                             

                            You could also take a look at the contents of the wallet using orapki to ensure you're seeing the right info:

                             

                            orapki wallet display -wallet <path to wallet>

                             

                            1 person found this helpful
                            • 11. Re: Renewing a certificate in Oracle Wallet Manager
                              Jedi Knight

                              Thanks Joe,

                              Sorry it was my bad: I imported ServerCertificate.crt via Operations > Import Trusted Certificate while I should have used Operations > Import User Certificate. Once I removed ServerCertificate.crt and re-imported it via Operations > Import User Certificate, it is now showing as [Ready].

                              After the successful import of the certificate, we have restarted the Oracle HTTP server and now the Hyperion Workspace page is not opening with the following message:

                                 "This page can’t be displayed

                                      -Make sure the web address https://<server_name>:4443 is correct.

                                      -Look for the page with your search engine.

                                      -Refresh the page in a few minutes."

                              Before we created the new wallet with the new certificate, this same page opened with the message that the certificate had expired, now we are getting the message that the page can't be displayed. I checked in the EPM System configurator that the Workspace page has port 19000 and SSL port 4443 assigned to it. Opening Hyperion Workspace as  non-SSL via http://<server_name>:19000 produces the same message...
                              Sorry for those cascading issues, but I will appreciate any advice on it!
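
The import mix-up described in post 11 can also be caught from the `orapki wallet display` command mentioned in post 10. The following is an added example, not part of any poster's reply: it parses that command's text output and reports whether the server certificate landed under the trusted certificates while its request is still pending. The sample output, the DNs and the function names are constructed, and the section headings are assumed to follow the usual orapki layout.

```python
import re

# Constructed sample of `orapki wallet display` output (banner lines omitted) for
# the state described in post 11: the signed server certificate went in as a
# trusted certificate, so the request is still pending. All DNs are placeholders.
SAMPLE_BAD = """\
Requested Certificates:
Subject:        CN=epm.example.com,O=Example Corp,C=US
User Certificates:
Trusted Certificates:
Subject:        CN=Example Root CA,O=Example CA,C=US
Subject:        CN=Example Intermediate CA,O=Example CA,C=US
Subject:        CN=epm.example.com,O=Example Corp,C=US
"""
SECTION = re.compile(r"^(Requested|User|Trusted) Certificates:$")
SUBJECT = re.compile(r"^Subject:\s*(.+)$")

def norm(dn):
    """Normalise a DN for comparison: trim, drop spaces around commas, lowercase."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def parse_display(text):
    """Group Subject DNs by the section heading they appear under."""
    sections = {"Requested": [], "User": [], "Trusted": []}
    current = None
    for line in (l.strip() for l in text.splitlines()):
        heading, subject = SECTION.match(line), SUBJECT.match(line)
        if heading:
            current = heading.group(1)
        elif subject and current:
            sections[current].append(norm(subject.group(1)))
    return sections

def audit_wallet(text, server_dn):
    """Return findings for the import mistakes discussed in the thread."""
    w, dn, findings = parse_display(text), norm(server_dn), []
    if dn in w["Trusted"]:
        findings.append("server certificate is in Trusted Certificates: "
                        "remove it and re-import it as a user certificate")
    if dn in w["Requested"]:
        findings.append("certificate request is still pending ([Requested])")
    if dn not in w["User"]:
        findings.append("no user certificate for the server DN")
    if not [t for t in w["Trusted"] if t != dn]:
        findings.append("no CA certificates in Trusted Certificates")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_wallet(SAMPLE_BAD, "CN=epm.example.com, O=Example Corp, C=US")))
```

To use it on a real wallet, save the output of `orapki wallet display -wallet <path to wallet>` to a file and pass its contents to `audit_wallet` together with the DN used in the certificate request.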

                              • 12. Re: Renewing a certificate in Oracle Wallet Manager
                                JohnGoodwin

                                Did you set the wallet as "Auto Login"?

                                If you didn't, enable it and save, restart ohs.

                                Also you can refer to the logs in <EPM_ORACLE_INSTANCE>\httpConfig\ohs\diagnostics\logs\OHS\ohs_component

                                1 person found this helpful
                                • 13. Re: Renewing a certificate in Oracle Wallet Manager
                                  Jedi Knight

                                  Hi John,

                                  Thanks! Yes, 'Auto Login' option was selected. As for logs, it's interesting - the latest log I see there is from Sep 2018 given that our system and OHS have been working fine until very recently.

                                  • 14. Re: Renewing a certificate in Oracle Wallet Manager
                                    JohnGoodwin

                                    Well, if the last log is from Sep 2018 then that is not where the logs are being written to; have a search for ohs_component.log

                                    1 person found this helpful