OpenSSL workaround for Oracle XE wallet

In Oracle, the UTL_HTTP package is used to fetch pages from the internet directly by the database.  For example, using the UTL_HTTP.REQUEST function, the first 2000 bytes of a web page can be displayed:

SQL> select UTL_HTTP.REQUEST('') from dual;

<!doctype html><html itemscope="" itemtype=""><head><me
ta content="Search the world's information, including webpages, images, videos a
nd more. Google has many special features to help you find exactly what you're l
ooking for." name="description"><meta content="noodp" name="robots"><meta itempr
op="image" content="/images/google_favicon_128.png"><title>Google</title><script
>(function(){{kEI:"X057UtKqGYvprQeorYDgAQ",getEI:function(a){for(var b;a&&(!a.g
etAttribute||!(b=a.getAttribute("eid")));)a=a.parentNode;return b||google.kEI},h
:function(){},kHL:"en",time:function(){return(new Date).getTime()},log:function(
a,b,c,l,k){var d=new Image,,,g="",h="gen_204";k&&(h=
k);d.onerror=d.onload=d.onabort=function(){delete f[e]};f[e]=d;c||-1!"


However, for pages served with SSL i.e. the https protocol, UTL_HTTP will need access to an Oracle Wallet that stores the trusted certificates for the encryption. Attempting to connect without a wallet will result in a certificate validation error:

SQL> select UTL_HTTP.REQUEST('') from dual;
select UTL_HTTP.REQUEST('') from dual
ERROR at line 1:
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1722
ORA-29024: Certificate validation failure
ORA-06512: at line 1


An Oracle Wallet can be created by the Oracle Wallet Manager program.  Unfortunately, the Oracle Wallet Manager program is not distributed with Oracle XE.  I think this is because historically encryption has been part of Oracle Advanced Security, a paid optional Oracle feature.  The good news is SSL/TLS encryption is no longer part of Oracle Advanced Security, as per the Oracle 11gR2 Licensing Guide:

Network encryption (native network encryption and SSL/TLS) and strong authentication services (Kerberos, PKI, and RADIUS) are no longer part of Oracle Advanced Security and are available in all licensed editions of all supported releases of the Oracle database.

So far we have established that using TLS/SSL with Oracle XE is not violating any Oracle licensing issue.  We just have to find a way to create the wallet to be used by Oracle XE.  Of course you can run Oracle Wallet Manager from a non-XE Oracle installation somewhere, and transfer the wallet to your Oracle XE installation.  But what if you do not have access to any properly licensed installation of Oracle?

From the Oracle 11gR2 Advanced Security Guide:

Oracle Wallet Manager stores X.509 certificates and private keys in PKCS #12 format, and generates certificate requests according to the PKCS #10 specification. These capabilities make the Oracle wallet structure interoperable with supported third-party PKI applications and provide wallet portability across operating systems.

Therefore, we can use OpenSSL to create a PKCS #12 archive and it should work with Oracle XE.

In Oracle terminology, a wallet is a directory containing a file named ewallet.p12. Therefore, the PKCS #12 file must be named as such.

In this example I will use the Oracle Support web page as the target page.  First, grab the certificate and all the certificates in its chain by using a browser.  In Firefox, this is done by clicking the padlock icon in the address bar, then clicking on ‘More Information…’.

Firefox Page Info - Security tabThen click on ‘View Certificate’

Firefox Certificate ViewerGo to the ‘Details’ tab

Firefox Certificate Viewer - Details tabSelect the certificate at the bottom of the chain ( and click ‘Export…’.

Save Certificate to FileChange the ‘Save as type’ to ‘X.509 Certificate with chain (PEM)’ and save the certificates to a file.

Transfer this file (mine is named to your Oracle XE server where you want your wallet to be (I chose /u01/app/oracle/wallet).

Now use OpenSSL’s pkcs12 command to create the wallet file using the certificate file as input.  Use the -export flag to create a PKCS #12 file instead of reading one, and use the -nokeys flag to indicate that a private key does not exist inside the input file.  Enter a suitable password when prompted.  This password will have to be provided when using UTL_HTTP later.

[oracle@oraclexe ~]$ cd /u01/app/oracle/wallet
[oracle@oraclexe wallet]$ openssl pkcs12 -export -in -out ewallet.p12 -nokeys
Enter Export Password:
Verifying - Enter Export Password:
[oracle@oraclexe wallet]$

Now we can make SSL calls to the Oracle Support website from the database by providing the wallet and password to UTL_HTTP:

SQL> set pagesize 100
SQL> select UTL_HTTP.REQUEST('',null,'file:/u01/app/oracle/wallet','password') Output from dual;

<title>Oracle Configuration Support Manager</title>
<meta http-equiv="REFRESH" content="0;url=/epmos/faces/MosIndex.jspx"></HEAD>


17 thoughts on “OpenSSL workaround for Oracle XE wallet

  1. Thanks. It helped me a lot and I successfully created wallet for at least two servers. However I have a problem with third server/website and it is throwing:

    ORA-29273: HTTP request failed
    ORA-06512: at “SYS.UTL_HTTP”, line 1722
    ORA-28857: Unknown SSL error
    ORA-06512: at line 1

    I tried many times from scratch and even created a wallet from a non-xe version and it also throws the same error. Any ideas?

  2. Hi! Thanks for dropping by!

    I have come across this myself a few times. Unfortunately, it seems to me that the wallet sometimes does not play nice with certain certificates. I have not yet able to identify the root cause.

    1. I found the cause. Oracle up to (which Oracle XE is) doesn’t support SHA-2 based certificates. In non-XE version the solution is to apply patch or upgrade to the latest version but unfortunately with XE it is not an option. I therefore set up Apache Reverse Proxy pointing to https traffic and then called Apache server in https from Oracle. In this case you don’t need a wallet anymore.

      1. Hi, I would like to use the Apache Reverse Proxy solution to eliminate the wallet. Can you explain me how you achieved this?

  3. The reverse proxy solution works perfect!

    Just added this to httpd.conf:

    SSLProxyEngine on
    ProxyPass /my-selected-merchant-site
    ProxyPassReverse /my-selected-merchant-site

    *make sure that you have mod_ssl installed (with default options) and “ProxyRequests Off”

    Aftar that, I change the package from this:


    to this:


    And forget about the wallet.


  4. Hello

    My oracle express edition version is and
    In your example you solve the https problem in oracle XE and i have performed same steps but i also got error of
    ORA-29273: HTTP request failed
    ORA-06512: at “SYS.UTL_HTTP”, line 1722
    ORA-28857: Unknown SSL error
    ORA-06512: at line 1

    so how can i solve this ?
    please help me
    thanks in advance

  5. HI!

    You wrote:
    1. “You First, grab the certificate and all the certificates in its chain by using a browser:

    So I understand, we need to grab = certificate + all the certificates.
    2. “Select the certificate at the bottom of the chain ( and click ‘Export…”. and “Change the ‘Save as type’ to ‘X.509 Certificate with chain (PEM)’ and save the certificates to a file.”

    So, the question is: How many certs we have to grab and how many files to create for further final step with openssl command? If many, should we combine the grabbed certs to the single file? Please, explain!

    1. Soap url failing with below error from 11g DB using wallet

      ERROR at line 1:
      ORA-29273: HTTP request failed
      ORA-06512: at “SYS.UTL_HTTP”, line 1720
      ORA-12541: TNS:no listener
      ORA-06512: at line 1

  6. ORA-29273: HTTP request failed
    ORA-06512: at “SYS.UTL_HTTP”, line 1722
    ORA-29106: Cannot import PKCS #12 wallet.
    ORA-06512: at line 1
    29273. 00000 – “HTTP request failed”
    *Cause: The UTL_HTTP package failed to execute the HTTP request.
    *Action: Use get_detailed_sqlerrm to check the detailed error message.
    Fix the error and retry the HTTP request.

  7. In your example of connecting to, you say to export the “bottom” server certificate and import/add it into the wallet.
    This is wrong, you should not add the site’s server certificate to a truststore.
    When creating a truststore you should only add the root CA certificate, i.e. the “top” one “GeoTrust Global CA”.
    Hope this helps…

Leave a Reply

Your email address will not be published. Required fields are marked *