Wednesday, April 9, 2025

orapki for Oracle instant client

DISCLAIMER: The following is not recommended or supported by Oracle. This is simply an illustration of a possible workaround for the absence of orapki in the instant client. Oracle recommends that you install the full Oracle database client when orapki is required.

As part of a series targeted at enabling customers with Entra ID integration for centralizing Oracle database authentication, authorization and user life cycle management, I published several blog posts on setting up TLS between the Oracle database clients and servers.  One of the commands used for wallet and certificate management is orapki. The orapki tool is included with the full Oracle database client but not the instant client.

A customer asked how to manage wallets and certificates on the client side without the orapki tool. The good news is that orapki is just a wrapper script that calls the Java PKI library (oracle.security.pki.textui.OraclePKITextUI). Therefore, if you copy the requisite Java libraries to the client host, you can use the java command to manage wallets and certificates. This blog post describes how to get the orapki functionality working on an instant client deployment without installing the full Oracle database client.

First, you download the full Oracle client from eDelivery.  In this example, I downloaded the Oracle 23.5 full zip file (V1044259-01.zip) for Linux and put it in a subdirectory named pkilib of my Oracle 23.7 instant client base directory.

$ cd /u01/app/oracle/instantclient_23_7
$ mkdir pkilib
$ cd pkilib

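Next, I extract the requisite jar files from the full Oracle client installer. The wildcard patterns are quoted so that unzip, not the shell, expands them; once the jlib directory exists, an unquoted jlib/* would be expanded by the shell to the files already extracted and the remaining jars would not be matched.

$ unzip -q /tmp/V1044259-01.zip 'client/stage/Components/oracle.crypto.*'
$ unzip -q client/stage/Components/oracle.crypto.pki/23.0.0.0.0/1/DataFiles/filegroup1.jar jlib/oraclepki.jar
$ unzip -q client/stage/Components/oracle.crypto.rsa/23.0.0.0.0/1/DataFiles/filegroup1.jar 'jlib/*'
$ mv jlib/* .
$ rm -fr client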


Next, set JAVA_HOME and a short variable (pl) holding the classpath for the jar files.

$ export JAVA_HOME=/u01/sw/jdk-21.0.6
$ pl="/u01/app/oracle/instantclient_23_7/pkilib/oraclepki.jar:/u01/app/oracle/instantclient_23_7/pkilib/cryptojce.jar"

If FIPS 140 compliance is required, you also need to add cryptojcommon.jar and jcmFIPS.jar from the pkilib directory to the pl string.

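Now you can use java to perform orapki functions.  For example, let's create a wallet with auto_login enabled. Oracle123 is a sample password; if you leave out -pwd, the tool prompts for the password instead, which keeps it out of the shell history and the process list.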

$ $JAVA_HOME/bin/java -classpath "$pl" oracle.security.pki.textui.OraclePKITextUI wallet create -wallet wallet -pwd Oracle123 -auto_login
Oracle PKI Tool Release 23.0.0.0.0 - Production
Version 23.0.0.0.0
Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.

Here is the command to display the wallet.

$ $JAVA_HOME/bin/java -classpath "$pl" oracle.security.pki.textui.OraclePKITextUI wallet display -wallet wallet -pwd Oracle123
Oracle PKI Tool Release 23.0.0.0.0 - Production
Version 23.0.0.0.0
Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved.

Requested Certificates: 
User Certificates:
Trusted Certificates: 
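
Because orapki is only a wrapper around this Java class, the Linux steps above can be folded into a small shell function. This is an added example, not Oracle's wrapper script or code from the original post; the names PKILIB and ORAPKI_FIPS and the umask setting are assumptions made here.

```shell
# Added example: orapki-style wrapper for an instant client host (POSIX sh).
# Assumed names (not Oracle's): PKILIB = jar directory, ORAPKI_FIPS = opt-in flag.
PKILIB="${PKILIB:-/u01/app/oracle/instantclient_23_7/pkilib}"

# Print the classpath for the PKI tool; fail if a required jar is missing.
# $1 = jar directory, $2 = "fips" to append the FIPS 140 jars.
build_pki_classpath() {
    dir=$1
    jars="oraclepki.jar cryptojce.jar"
    if [ "${2:-}" = "fips" ]; then
        jars="$jars cryptojcommon.jar jcmFIPS.jar"
    fi
    classpath=""
    for jar in $jars; do
        if [ ! -r "$dir/$jar" ]; then
            echo "missing jar: $dir/$jar" >&2
            return 1
        fi
        classpath="${classpath:+$classpath:}$dir/$jar"
    done
    printf '%s\n' "$classpath"
}

# Run the PKI text UI with the same arguments orapki would take.
orapki() {
    if [ ! -x "${JAVA_HOME:-}/bin/java" ]; then
        echo "JAVA_HOME does not point to a Java installation" >&2
        return 1
    fi
    classpath=$(build_pki_classpath "$PKILIB" "${ORAPKI_FIPS:+fips}") || return 1
    # The subshell keeps the restrictive umask local to this call, so wallet
    # files (including the auto-login cwallet.sso) are not created group- or
    # world-readable.
    (
        umask 077
        "$JAVA_HOME/bin/java" -classpath "$classpath" \
            oracle.security.pki.textui.OraclePKITextUI "$@"
    )
}
```

After sourcing the file, `orapki wallet display -wallet wallet` behaves like the java command shown above; setting ORAPKI_FIPS=1 adds the two FIPS jars to the classpath.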


Here's the Microsoft Windows equivalent using PowerShell.

cd \u01\app\instantclient_23_7
mkdir pkilib
cd pkilib
Expand-Archive -Path C:\u01\app\V1045016-01.zip -DestinationPath client
Move-Item -Path client\jlib\cryptojce.jar -Destination .
Move-Item -Path client\jlib\oraclepki.jar -Destination .
Remove-Item -Recurse -Force client
$env:JAVA_HOME="C:\Program Files\Java\jdk-17"
$env:PATH="$env:JAVA_HOME\bin;" + $env:Path
$env:pl="C:\u01\app\instantclient_23_7\pkilib\oraclepki.jar;C:\u01\app\instantclient_23_7\pkilib\cryptojce.jar"
java -classpath $env:pl oracle.security.pki.textui.OraclePKITextUI wallet create -wallet wallet -pwd Oracle123 -auto_login
java -classpath $env:pl oracle.security.pki.textui.OraclePKITextUI wallet display -wallet wallet -pwd Oracle123

Thanks to the following people who provided similar references to accomplish the same.
