Martins Blog

Trying to explain complex things in simple terms

orapki 11.2 bug when password complexity is too low

Posted by Martin Bach on June 15, 2010

I am currently experimenting with SSL encryption for ONS, an 11.2 new feature. My system is OEL 5.5 64-bit with PSU 11.2.0.1.1 installed on the stack.

Apart from the poor documentation, the orapki tool that can be used to create self-signed certificates for testing has a bug in 11.2. There is also a documentation bug that fails to mention the need to set the sticky bit on the directory where the certificate is to be stored. Anyway, I followed Appendix F in the Advanced Security Guide to create the wallet, but I failed to get this to work:

[grid@rac11gr2node1 ~]$ mkdir orapki
[grid@rac11gr2node1 ~]$ chmod +t orapki
[grid@rac11gr2node1 ~]$ ls -ld /home/grid/orapki/
drwxr-xr-t 2 grid oinstall 4096 Jun 15 08:48 /home/grid/orapki/
[grid@rac11gr2node1 ~]$ ls -al /home/grid/orapki/
total 16
drwxr-xr-t  2 grid oinstall 4096 Jun 15 08:48 .
drwx------ 20 grid oinstall 4096 Jun 15 08:48 ..
[grid@rac11gr2node1 ~]$ orapki wallet create -wallet /home/grid/orapki/ -pwd oracle -auto_login
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Unable to save wallet at /home/grid/orapki/

Whatever I tried, this didn’t work. I even tried creating the wallet in /tmp (which has the sticky bit set) but no luck. Oracle Support claimed I was doing something wrong, as their example worked:

[grid@rac11gr2node1 ~]$ orapki wallet create -wallet /home/grid/orapki/ -pwd "welcome1" -auto_login
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

[grid@rac11gr2node1 ~]$ ls -la orapki
total 32
drwxr-xr-t  2 grid oinstall 4096 Jun 15 08:49 .
drwx------ 20 grid oinstall 4096 Jun 15 08:48 ..
-rw-------  1 grid oinstall 3589 Jun 15 08:49 cwallet.sso
-rw-------  1 grid oinstall 3512 Jun 15 08:49 ewallet.p12

So where was the difference? The only thing I could see was the password. And indeed, the error message is wrong. Support created bug 9817962 – ORAPKI DISPLAYS INVALID ERROR MESSAGE WHEN PASSWORD COMPLEXITY IS NOT MET.

Funnily enough, orapki displays the correct error message in 11.1.0.7:

$ orapki wallet create -wallet  -pwd "oraclexyzsss" -auto_login
Invalid password....
PASSWORD_POLICY : Passwords must have a minimum length of eight 
characters and contain alphabetic characters combined with numbers or 
special characters.

I wonder what other surprises await me…
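
The password rule printed by 11.1.0.7 above, written as a pre-flight check so that a rejected password is not mistaken for a directory problem. This is an added example, not code from the original post or from Oracle; the function names and the WALLET_PWD variable are hypothetical, and it assumes 11.2 enforces the same policy text that 11.1.0.7 prints.

```bash
#!/usr/bin/env bash
# Added example (not from the post): function names are hypothetical.
# Policy transcribed from the 11.1.0.7 message; assumed to match 11.2.

# Echo why a wallet password fails the policy; return 0 when it passes.
check_wallet_pwd() {
    local pw=$1
    if [ "${#pw}" -lt 8 ]; then
        echo "too short: ${#pw} characters, policy minimum is 8"
        return 1
    fi
    case $pw in
        *[[:alpha:]]*) ;;
        *) echo "no alphabetic character"; return 1 ;;
    esac
    case $pw in
        *[![:alpha:]]*) ;;
        *) echo "letters only: needs a number or special character"; return 1 ;;
    esac
    echo "ok"
}

# Check the wallet directory the way the post prepares it, then the password.
# Returns 2 for a directory problem, 3 for a password problem, 0 otherwise.
wallet_preflight() {
    local dir=$1 pw=$2 reason
    if [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
        echo "directory: $dir is missing or not writable"
        return 2
    fi
    if [ ! -k "$dir" ]; then
        echo "directory: sticky bit not set on $dir (chmod +t)"
        return 2
    fi
    if ! reason=$(check_wallet_pwd "$pw"); then
        echo "password: $reason"
        return 3
    fi
    echo "ok"
}

# Typical use, with the orapki invocation exactly as shown in the post
# (WALLET_PWD is a hypothetical variable holding the wallet password):
#   wallet_preflight /home/grid/orapki "$WALLET_PWD" &&
#     orapki wallet create -wallet /home/grid/orapki/ -pwd "$WALLET_PWD" -auto_login
```

With the three passwords from the post, `oracle` and `oraclexyzsss` are reported as password problems and `welcome1` passes.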

2 Responses to “orapki 11.2 bug when password complexity is too low”

  1. laki said

    thanks for this – you save me time :-)

  2. vlad from .ru said

    thanx, you saved my day!
    owm and orapki are so ugly compared to free openssl..
