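# Generate the WIOF RSA-2048 key pair in a PKCS12 keystore (keystore.p12, alias orakey).
# The SAN carries a contact e-mail ({PO} is a placeholder to fill in) and the two
# application URNs; the stray `` markers that had crept into the SAN string are removed
# here so keytool parses the extension.  -validity 3650 only applies to the self-signed
# placeholder certificate (~10 years); the certificate NRIS issues from the CSR below
# carries its own lifetime.  No -storepass is given, so keytool prompts for the keystore
# password instead of exposing it in shell history.
keytool -genkeypair -keyalg RSA -keysize 2048 -validity 3650 -dname "CN=WIOF,O=bcgov" \
  -ext "SAN=email:{PO}@gov.bc.ca,URI:urn:apps.nrs.gov.bc.ca:wiof,URI:urn:storage:openshift" \
  -storetype PKCS12 -keystore keystore.p12 -alias orakey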
-
# Create a PKCS#10 certificate signing request for the orakey key pair.  The private
# key stays in keystore.p12; only cert.csr is handed to the NRIS admin in the next step.
keytool -certreq -keyalg RSA -file cert.csr -keystore keystore.p12 -alias orakey
-
Pass cert.csr to the NRIS admin.
- Request certificates from NRIS
- Below to be run by nris:
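# Run by NRIS: capture the PEM certificate presented by the NRIS endpoint into nris.crt.
# </dev/null closes s_client's stdin so it exits after the handshake instead of waiting
# for input; the sed range keeps only the BEGIN/END CERTIFICATE block(s).  NAME, {NRIS}
# and {PORT} are placeholders.  Whatever is captured is simply what the endpoint presented
# at that moment, so confirm its fingerprint with the NRIS operators before it is trusted
# in the wallet (e.g. openssl x509 -in nris.crt -noout -fingerprint -sha256).
openssl s_client -servername NAME -connect {NRIS}:{PORT} </dev/null \
  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > nris.crt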
- in addition to the above, you also want the server, chain and root certs from them
- Install java
- Install SQLCL for pre-requisite libs https://www.oracle.com/database/technologies/appdev/sqlcl.html
- You can place these files unzipped in a /oracle/ dir; the location just needs to match the paths in the orapki.bat file
- Use the orapki.bat file in the repo to perform wallet operations
- Adjust the sqlcl path on line 16 of orapki.bat to match your unzip location
- For issues with the .bat file refer to https://ogobrecht.com/posts/2020-07-29-how-to-use-mkstore-and-orapki-with-oracle-instant-client/
- Note: you may be told that part of the chain certificate already exists in the wallet
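# Build the Oracle wallet that holds the trusted NRIS certificates.
# -auto_login also writes an auto-login wallet (cwallet.sso) that opens without the
# password, so the wallet directory itself is what must be protected.  <PASSWD> is a
# placeholder; a password passed via -pwd is visible in shell history and process
# listings, so clear the history entry afterwards (or let orapki prompt, if your build does).
mkdir wallet
.\orapki.bat wallet create -wallet .\wallet\ -auto_login -pwd <PASSWD>
# Only trusted certificates go in - no private key or credential is stored here.
.\orapki.bat wallet add -wallet .\wallet\ -trusted_cert -cert .\nris.crt
.\orapki.bat wallet add -wallet .\wallet\ -trusted_cert -cert .\server.crt
.\orapki.bat wallet add -wallet .\wallet\ -trusted_cert -cert .\chain.crt
.\orapki.bat wallet add -wallet .\wallet\ -trusted_cert -cert .\root.crt
# -wallet takes the wallet path, as in the commands above; without it display has nothing to open.
.\orapki.bat wallet display -wallet .\wallet\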
- eg:
# Publish the wallet directory as a ConfigMap in namespace <NS>; --from-file on a directory
# creates one key per file under wallet/.  A ConfigMap is not secret storage - that is
# acceptable only because the wallet built above holds trusted certificates alone.  If it
# is ever extended with credentials (e.g. via mkstore), store it as a Secret instead.
oc -n <NS> create configmap 2021-odb-wallet --from-file=wallet/
- Note: configmaps are create-only (oc create fails if the name already exists), so we'll take a timestamp approach and give each new version its own name
- Update wallet/ to match wherever you created the wallet; these files will be encoded as binary on OpenShift's side
- Adjust this block in the manifest mounting the configmap:
spec:
  volumes:
    - name: logs-volume
      emptyDir: {}
    - name: odb-credentials
      configMap:
        name: odb-wallet # edit this name here to match your new configmap
        defaultMode: 420