My Oracle Support Banner

PKCS 11 Wallet doesn't read Smartcard (CAC Card) from reader - ORA-43013 (pkcs11 Failed to change certC provider) (Doc ID 2742193.1)

Last updated on JANUARY 17, 2021

Applies to:

Advanced Networking Option - Version 12.1.0.2 and later
Information in this document applies to any platform.

Symptoms

DoD customer trying to create a PKCS11 wallet so that they can read a DoD CAC (smartcard) certificate for sqlplus login.


The card reader software is HID Global/ActivIdentity and the dll is acpkcs211.dll.




C:\temp>orapki wallet display -wallet owm
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
PKCS11 token information:
Library:C:\Program Files (x86)\<XXX> \ActivClient\acpkcs211.dll
Token label:ActivID ActivClient 0
Token passphrase:
Requested Certificates:
User Certificates:
Trusted Certificates:
Subject: CN=DoD Root <>
Subject: CN=DOD ID <>




Now try to do a p11_verify to test that the wallet is reading the certificate from the smartcard.

orapki just sits for a few seconds and returns a blank screen without any errors.




C:\temp>orapki wallet p11_verify -wallet owm
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:



Then if you try to use the wallet with sqlplus, you get the following error: ORA-43013 (pkcs11 Failed to change certC provider)

Changes

 

Cause

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


In this Document
Symptoms
Changes
Cause
Solution
References


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.