Client-side Oracle wallet

Users are expected to provide the password when they connect to the database, but applications, middle-tier systems, and batch jobs cannot depend on a human to type the password. Earlier, a common way to provide passwords was to embed user names and passwords in the code or in scripts. This increased the attack surface and people had to make sure that their scripts were not exposed to anyone else. Also, if passwords were ever changed, changes to the scripts were required. Now you can store password credentials by using a client-side Oracle wallet. This reduces risks because the passwords are no longer exposed on command-line history, and password management policies are more easily enforced without changing application code whenever user names or passwords change.

1- First, decide on the location of the Oracle wallet. In this example I will use the "/u01/app/oracle/wallet" directory. Add the following entries into the client "sqlnet.ora" file, with your preferred wallet location.

#####Following added to test Wallet client side

WALLET_LOCATION =

   (SOURCE =

     (METHOD = FILE)

     (METHOD_DATA =

       (DIRECTORY = /u01/app/oracle/wallet)

     )

   )

SQLNET.WALLET_OVERRIDE = TRUE   ###allows this method to override any existing OS authentication configuration

SSL_CLIENT_AUTHENTICATION = FALSE

SSL_VERSION = 0   

2- Create an Oracle wallet which is password protected with the "Auto Login" property enabled so connection attempts by the OS user who created the wallet do not require a password.

[oracle@bigdatalite bin]$ $ORACLE_HOME/bin/mkstore -wrl "/u01/app/oracle/wallet" -create
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter password:   
PKI-01002: Invalid password:Passwords must have a minimum length of eight characters and contain alphabetic characters combined with numbers or special characters. 
Enter password:     
Enter password again:   


3- Now Add the password credentials to the wallet using the db alias (orcl in our example) in tnsnames.ora.

[oracle@bigdatalite bin]$ $ORACLE_HOME/bin/mkstore -wrl "/u01/app/oracle/wallet" -createCredential orcl scott tiger
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:   
Create credential oracle.security.client.connect_string1
[oracle@bigdatalite bin]$ 

4- Verify credentials present in the wallet 

oracle@bigdatalite bin]$ $ORACLE_HOME/bin/mkstore -wrl "/u01/app/oracle/wallet" -listCredential

Oracle Secret Store Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:   

List credential (index: connect_string username)

1: orcl scott

[oracle@bigdatalite bin]$ 

5- Test connection with user 

[oracle@bigdatalite bin]$ sqlplus /@orcl

SQL*Plus: Release 12.1.0.2.0 Production on Sun Feb 7 03:15:06 2016

Copyright (c) 1982, 2014, Oracle.  All rights reserved.

Last Successful login time: Sun Feb 07 2016 02:13:43 -05:00

Connected to:

Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production

With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

SQL> show user

USER is "SCOTT"

SQL> 

If you want to add credentials for mulitple users just create the db alias in tnsnames.ora with different name.

6-  You can test the credential with other oracle utilities also.

$ expdp /@orcl tables=EMP,DEPT directory=TEST_DIR dumpfile=EMP_DEPT.dmp logfile=expdpEMP_DEPT.log

You can use the same wallet for java application 

Connection conn = DriverManager.getConnection ("jdbc:oracle:oci:/@orcl"); 

7- You can modify or remove the credential as below.

mkstore -wrl <wallet_location> -modifyCredential <dbase_alias> <username> <password>

mkstore -wrl "/u01/app/oracle/wallet" -modifyCredential orcl scott tiger1

mkstore -wrl <wallet_location> -deleteCredential <db_alias>

mkstore -wrl "/u01/app/oracle/wallet" -deleteCredential orcl