Note: All the posts are based on a practical approach, avoiding lengthy theory. All have been tested on some development servers. Please don’t test any post on production servers until you are sure.

Sunday, February 07, 2016

Client-side Oracle wallet

Users are expected to provide the password when they connect to the database, but applications, middle-tier systems, and batch jobs cannot depend on a human to type the password. Earlier, a common way to provide passwords was to embed user names and passwords in the code or in scripts. This increased the attack surface, and people had to make sure that their scripts were not exposed to anyone else. Also, if passwords were ever changed, changes to the scripts were required. Now you can store password credentials by using a client-side Oracle wallet. This reduces risk because the passwords are no longer exposed in command-line history, and password management policies are more easily enforced without changing application code whenever user names or passwords change.

1- First, decide on the location of the Oracle wallet. In this example I will use the "/u01/app/oracle/wallet" directory. Add the following entries into the client "sqlnet.ora" file, with your preferred wallet location.

##### Following added to test Wallet client side
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/wallet)
    )
  )
# Allows this method to override any existing OS authentication configuration
SQLNET.WALLET_OVERRIDE = TRUE

2- Create an Oracle wallet which is password protected with the "Auto Login" property enabled so connection attempts by the OS user who created the wallet do not require a password.

[oracle@bigdatalite bin]$ $ORACLE_HOME/bin/mkstore -wrl "/u01/app/oracle/wallet" -create
Oracle Secret Store Tool : Version
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter password:   
PKI-01002: Invalid password:Passwords must have a minimum length of eight characters and contain alphabetic characters combined with numbers or special characters. 
Enter password:     
Enter password again:   

3- Now add the password credentials to the wallet using the db alias (orcl in our example) in tnsnames.ora.

[oracle@bigdatalite bin]$ $ORACLE_HOME/bin/mkstore -wrl "/u01/app/oracle/wallet" -createCredential orcl scott tiger
Oracle Secret Store Tool : Version
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:   
Create credential
[oracle@bigdatalite bin]$ 

4- Verify credentials present in the wallet 

[oracle@bigdatalite bin]$ $ORACLE_HOME/bin/mkstore -wrl "/u01/app/oracle/wallet" -listCredential
Oracle Secret Store Tool : Version
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:   
List credential (index: connect_string username)
1: orcl scott
[oracle@bigdatalite bin]$ 

5- Test connection with user

[oracle@bigdatalite bin]$ sqlplus /@orcl

SQL*Plus: Release Production on Sun Feb 7 03:15:06 2016

Copyright (c) 1982, 2014, Oracle.  All rights reserved.

Last Successful login time: Sun Feb 07 2016 02:13:43 -05:00

Connected to:
Oracle Database 12c Enterprise Edition Release - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

SQL> show user

If you want to add credentials for multiple users, just create a db alias in tnsnames.ora with a different name for each.

6- You can also test the credential with other Oracle utilities.

$ expdp /@orcl tables=EMP,DEPT directory=TEST_DIR dumpfile=EMP_DEPT.dmp logfile=expdpEMP_DEPT.log

You can use the same wallet for a Java application:

Connection conn = DriverManager.getConnection("jdbc:oracle:oci:/@orcl");

7- You can modify or remove the credential as below.

mkstore -wrl <wallet_location> -modifyCredential <db_alias> <username> <password>
mkstore -wrl "/u01/app/oracle/wallet" -modifyCredential orcl scott tiger1

mkstore -wrl <wallet_location> -deleteCredential <db_alias>
mkstore -wrl "/u01/app/oracle/wallet" -deleteCredential orcl
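
A permissions and configuration check for the wallet built in the steps above, added here as an example and not part of the original post. The function name audit_wallet is hypothetical; it assumes mkstore wrote ewallet.p12 and cwallet.sso into the wallet directory and that the path of the client sqlnet.ora is passed as the second argument.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): audit a wallet set up as in
# steps 1-2. mkstore -create writes ewallet.p12 (password-protected) and
# cwallet.sso (auto-login); cwallet.sso opens without the wallet password,
# so file permissions are what guard the stored credentials.

# Prints one line per problem and returns the number of problems found.
audit_wallet() {
  local dir="$1" sqlnet="$2" findings=0 f perms conf
  [ -d "$dir" ] || { echo "FINDING: no wallet directory at $dir"; return 1; }
  for f in "$dir" "$dir/ewallet.p12" "$dir/cwallet.sso"; do
    if [ ! -e "$f" ]; then
      echo "FINDING: $f is missing"; findings=$((findings + 1)); continue
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
      echo "FINDING: $f is open to group/other ($perms)"
      findings=$((findings + 1))
    fi
  done
  # Drop comment lines and whitespace so the sqlnet.ora layout does not matter.
  conf=$(grep -v '^[[:space:]]*#' "$sqlnet" 2>/dev/null | tr -d ' \t')
  if ! printf '%s\n' "$conf" | grep -Fq "(DIRECTORY=$dir)"; then
    echo "FINDING: $sqlnet does not point WALLET_LOCATION at $dir"
    findings=$((findings + 1))
  fi
  if ! printf '%s\n' "$conf" | grep -Eiq '^SQLNET\.WALLET_OVERRIDE=TRUE'; then
    echo "FINDING: SQLNET.WALLET_OVERRIDE is not TRUE in $sqlnet"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Constructed demo: empty stand-in files, not real wallets.
demo=$(mktemp -d)
mkdir "$demo/wallet"
touch "$demo/wallet/ewallet.p12" "$demo/wallet/cwallet.sso"
chmod 755 "$demo/wallet"; chmod 644 "$demo/wallet"/*
printf 'WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=%s)))\n' \
  "$demo/wallet" > "$demo/sqlnet.ora"
audit_wallet "$demo/wallet" "$demo/sqlnet.ora" || echo "findings: $?"
```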


Friedhold Matz said...

Many thanks,
very clear and helpful.

Vertie Martin said...

Wow! You are lucky indeed! thanks for sharing a lot

technode said...

Great stuff, thanks for sharing, very informative and presented well, keep updating more