A certificate is not always used to work with TDE; when one is, we speak of a configuration with "PKI pairs". If that is what you want, the certificate has to be created in a particular way. Here is the procedure for doing it.
Of course the path where I put my configuration is not ideal, but it is just for the example.
I left the wallet password (MonMotDePasse) and the pass phrase (MonPassePhrase) visible to try to make everything clearer.
Oracle note 1320239.1 is the initial reference for this note.
#############################################################
#############################################################
### Test: self-signed wallet certificate with OPENSSL : ###
### ###
### This test creates a certificate that can be ###
### used for a TDE configuration. ###
### ###
#############################################################
#############################################################
#######################################################
## 1. Create the directory structure for the CA: ##
#######################################################
1.1 Create the directories for the CA
-------------------------------------
mkdir -p /tmp/VTIJERO/rootCA
cd /tmp/VTIJERO/rootCA
mkdir certs private
chmod g-rwx,o-rwx private
echo '01' > serial
touch index.txt
1.2 Prepare the configuration file for the CA (the section that will sign the "user certificates"):
------------------------------------------------------------------------
echo '[ ca ]
default_ca = rootca
[ rootca ]
dir = /tmp/VTIJERO/rootCA
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
RANDFILE = $dir/private/.rand
serial = $dir/serial
default_crl_days = 7
default_days = 365
default_md = sha1
policy = ca_policy
x509_extensions = certificate_extensions
[ ca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = optional
[ certificate_extensions ]
basicConstraints = CA:false
[ policy_anything ]
commonName = supplied
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
emailAddress = optional
[ req ]
default_bits = 2048
default_keyfile = /tmp/VTIJERO/rootCA/private/cakey.pem
default_md = sha1
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
[ root_ca_distinguished_name ]
0.organizationName = VTIJERO_COMPANY
organizationalUnitName = VTIJERO_OU
emailAddress = VTIJERO@COMPANY.COM
emailAddress_max = 40
localityName = QUEBEC
stateOrProvinceName = QUEBEC
countryName = CA
countryName_min = 2
countryName_max = 2
commonName = VTIJERO_ROOT_COMMONNAME
commonName_max = 64
0.organizationName_default = VTIJERO_COMPANY
organizationalUnitName_default = VTIJERO_OU
emailAddress_default = VTIJERO@COMPANY.COM
localityName_default = QUEBEC
stateOrProvinceName_default = QUEBEC
countryName_default = CA
commonName_default = VTIJERO_ROOT_COMMONNAME
[ root_ca_extensions ]
basicConstraints = CA:true' > openssl.cnf
#########################################################################
## 2. Create the directory structure for the "user certificate" : ##
#########################################################################
2.1 Create the directories for the user certificate
-------------------------------------
mkdir -p /tmp/VTIJERO/user
cd /tmp/VTIJERO/user
mkdir certs
echo '01' > serial
touch index.txt
2.2 Prepare the configuration file for the "user certificate". Pay attention to the keyUsage=dataEncipherment parameter, which allows the certificate to be used for a TDE configuration:
---------------------------------------------------------------------------------------------------
echo '[ policy_anything ]
commonName = supplied
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
emailAddress = optional
[ req ]
default_bits = 2048
default_keyfile = /tmp/VTIJERO/rootCA/private/cakey.pem
default_md = sha1
distinguished_name = user_distinguished_name
x509_extensions = user_extensions
[ user_distinguished_name ]
0.organizationName = VTIJERO_COMPANY_TDE
organizationalUnitName = VTIJERO_OU
emailAddress = VTIJERO@COMPANY.COM
emailAddress_max = 40
localityName = QUEBEC
stateOrProvinceName = QUEBEC
countryName = CA
countryName_min = 2
countryName_max = 2
commonName = VTIJERO_TDE_COMMONNAME
commonName_max = 64
0.organizationName_default = VTIJERO_COMPANY_TDE
organizationalUnitName_default = VTIJERO_OU
emailAddress_default = VTIJERO@COMPANY.COM
localityName_default = QUEBEC
stateOrProvinceName_default = QUEBEC
countryName_default = CA
commonName_default = VTIJERO_TDE_COMMONNAME
[ user_extensions ]
basicConstraints = CA:false
keyUsage=dataEncipherment' > openssl.cnf
#########################################################
## 3. Generate a "self signed certificate" for the CA: ##
#########################################################
OPENSSL_CONF=/tmp/VTIJERO/rootCA/openssl.cnf
export OPENSSL_CONF
cd /tmp/VTIJERO/rootCA
openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM
Generating a 2048 bit RSA private key
...............+++
........................................................................+++
writing new private key to '/tmp/VTIJERO/rootCA/private/cakey.pem'
Enter PEM pass phrase: MonPassePhrase
Verifying - Enter PEM pass phrase: MonPassePhrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
VTIJERO_COMPANY [VTIJERO_COMPANY]:
VTIJERO_OU [VTIJERO_OU]:
VTIJERO@COMPANY.COM [VTIJERO@COMPANY.COM]:
QUEBEC [QUEBEC]:
QUEBEC [QUEBEC]:
CA [CA]:
VTIJERO_ROOT_COMMONNAME [VTIJERO_ROOT_COMMONNAME]:
#########################################################
## 4. Generate the "user certificate request" : ##
#########################################################
OPENSSL_CONF=/tmp/VTIJERO/user/openssl.cnf
export OPENSSL_CONF
cd /tmp/VTIJERO/user
openssl req -newkey rsa:2048 -keyout testkey.pem -keyform PEM -out testreq.csr
Generating a 2048 bit RSA private key
................................+++
........................................................+++
writing new private key to 'testkey.pem'
Enter PEM pass phrase: MonPassePhrase
Verifying - Enter PEM pass phrase: MonPassePhrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
VTIJERO_COMPANY_TDE [VTIJERO_COMPANY_TDE]:
VTIJERO_OU [VTIJERO_OU]:
VTIJERO@COMPANY.COM [VTIJERO@COMPANY.COM]:
QUEBEC [QUEBEC]:
QUEBEC [QUEBEC]:
CA [CA]:
VTIJERO_TDE_COMMONNAME [VTIJERO_TDE_COMMONNAME]:
#########################################################
## 5. Sign this CSR using the "CA private key" : ##
#########################################################
OPENSSL_CONF=/tmp/VTIJERO/rootCA/openssl.cnf
export OPENSSL_CONF
openssl ca -out /tmp/VTIJERO/user/testcrt.pem -in /tmp/VTIJERO/user/testreq.csr
Using configuration from /tmp/VTIJERO/rootCA/openssl.cnf
Enter pass phrase for /tmp/VTIJERO/rootCA/private/cakey.pem: MonPassePhrase
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
organizationName :ASN.1 12:'VTIJERO_COMPANY_TDE'
organizationalUnitName:ASN.1 12:'VTIJERO_OU'
emailAddress :IA5STRING:'VTIJERO@COMPANY.COM'
localityName :ASN.1 12:'QUEBEC'
stateOrProvinceName :ASN.1 12:'QUEBEC'
countryName :PRINTABLE:'CA'
commonName :ASN.1 12:'VTIJERO_TDE_COMMONNAME'
Certificate is to be certified until May 27 15:29:56 2017 GMT (1 days)
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y
Write out database with 1 new entries
Data Base Updated
#########################################################
## 6. Create the pkcs12 wallet: ##
#########################################################
6.1 Generate a single file containing the "user certificate" and the "trusted certificate of the CA" :
-------------------------------------------------------------------------------------------------------
cat testcrt.pem /tmp/VTIJERO/rootCA/cacert.pem > all_certs.pem
6.2 Create the pkcs12 wallet:
---------------------------
openssl pkcs12 -export -in all_certs.pem -out ewallet.p12 -inkey testkey.pem
Enter pass phrase for testkey.pem: MonPassePhrase
Enter Export Password: MonMotDePasse
Verifying - Enter Export Password: MonMotDePasse
#########################################################
## 7. Validate the information in the created wallet : ##
#########################################################
7.1 Put the wallet in the right place :
-------------------------------------
Copy the file to the destination required by your configuration.
7.2 Check the wallet information :
---------------------------------------
orapki wallet display -wallet ewallet.p12
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Requested Certificates:
User Certificates:
Subject: OU=VTIJERO_OU,O=VTIJERO_COMPANY_TDE,EmailAddress=VTIJERO@COMPANY.COM,C=CA,ST=QUEBEC,CN=VTIJERO_TDE_COMMONNAME
Trusted Certificates:
Subject: CN=VTIJERO_ROOT_COMMONNAME,C=CA,ST=QUEBEC,L=QUEBEC,EmailAddress=VTIJERO@COMPANY.COM,OU=VTIJERO_OU,O=VTIJERO_COMPANY
mkstore -wrl . -list
Oracle Secret Store Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Oracle Secret Store entries:
At this point the wallet has been created; what remains is to use it in our TDE configuration. (Part 2 here)
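As an added example (not part of the original note), the same CA -> user certificate -> PKCS#12 flow as a non-interactive script, followed by the two checks worth running before handing the wallet to TDE: that the user certificate chains to the CA and that it actually carries the Data Encipherment key usage. One caveat it handles: openssl does not copy extensions from a CSR into the signed certificate by default, so the example supplies keyUsage at signing time (it uses openssl x509 -req rather than openssl ca, to avoid the CA database files). Paths, subjects and the two passwords are constructed placeholders; sha256 is used instead of the sha1 in the note.

```shell
#!/bin/sh
# Added example, not the original note's code. Assumes openssl is in PATH.
set -eu

build_tde_wallet() {
  work="$1"                               # scratch directory (constructed)
  mkdir -p "$work"
  # 1. self-signed root CA, private key protected by a pass phrase
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 \
    -subj "/O=VTIJERO_COMPANY/CN=VTIJERO_ROOT_COMMONNAME" \
    -passout pass:MonPassePhrase -keyout "$work/cakey.pem" \
    -out "$work/cacert.pem" 2>/dev/null
  # 2. user key and certificate request
  openssl req -newkey rsa:2048 -sha256 \
    -subj "/O=VTIJERO_COMPANY_TDE/CN=VTIJERO_TDE_COMMONNAME" \
    -passout pass:MonPassePhrase -keyout "$work/testkey.pem" \
    -out "$work/testreq.csr" 2>/dev/null
  # 3. sign with the CA key; extensions must be given to the signer
  #    explicitly, otherwise keyUsage never reaches the certificate
  printf 'basicConstraints=CA:false\nkeyUsage=dataEncipherment\n' \
    > "$work/user_ext.cnf"
  openssl x509 -req -in "$work/testreq.csr" -CA "$work/cacert.pem" \
    -CAkey "$work/cakey.pem" -CAcreateserial -passin pass:MonPassePhrase \
    -days 365 -sha256 -extfile "$work/user_ext.cnf" \
    -out "$work/testcrt.pem" 2>/dev/null
  # 4. PKCS#12 wallet: user cert + key, plus the CA as trusted cert
  openssl pkcs12 -export -in "$work/testcrt.pem" -inkey "$work/testkey.pem" \
    -certfile "$work/cacert.pem" -passin pass:MonPassePhrase \
    -passout pass:MonMotDePasse -out "$work/ewallet.p12"
}

# Returns 0 only if the user cert chains to the CA and has Data Encipherment.
check_tde_cert() {
  work="$1"
  openssl verify -CAfile "$work/cacert.pem" "$work/testcrt.pem" \
    >/dev/null 2>&1 || return 1
  openssl x509 -in "$work/testcrt.pem" -noout -text | grep -q 'Data Encipherment'
}

# Prints the number of certificates stored in the wallet (expected: 2).
wallet_cert_count() {
  openssl pkcs12 -in "$1/ewallet.p12" -passin pass:MonMotDePasse -nokeys \
    2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}
```

Run build_tde_wallet on a scratch directory, then check_tde_cert and wallet_cert_count on the same directory; if check_tde_cert fails, the wallet should not be used for TDE.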