Please see my other blog for Oracle EBusiness Suite Posts - EBMentors

Search This Blog

Note: All the posts are based on practical approach avoiding lengthy theory. All have been tested on some development servers. Please don’t test any post on production servers until you are sure.

Sunday, February 07, 2016

Client-side Oracle wallet

Users are expected to provide the password when they connect to the database, but applications, middle-tier systems, and batch jobs cannot depend on a human to type the password. Earlier, a common way to provide passwords was to embed user names and passwords in the code or in scripts. This increased the attack surface and people had to make sure that their scripts were not exposed to anyone else. Also, if passwords were ever changed, changes to the scripts were required. Now you can store password credentials by using a client-side Oracle wallet. This reduces risks because the passwords are no longer exposed on command-line history, and password management policies are more easily enforced without changing application code whenever user names or passwords change.


1- First, decide on the location of the Oracle wallet. In this example I will use the "/u01/app/oracle/wallet" directory. Add the following entries into the client "sqlnet.ora" file, with your preferred wallet location.

#####Following added to test Wallet client side
WALLET_LOCATION =
   (SOURCE =
     (METHOD = FILE)
     (METHOD_DATA =
       (DIRECTORY = /u01/app/oracle/wallet)
     )
   )
SQLNET.WALLET_OVERRIDE = TRUE   ###allows this method to override any existing OS authentication configuration
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 0   

2- Create an Oracle wallet which is password protected with the "Auto Login" property enabled so connection attempts by the OS user who created the wallet do not require a password.


[oracle@bigdatalite bin]$ $ORACLE_HOME/bin/mkstore -wrl "/u01/app/oracle/wallet" -create
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter password:   
PKI-01002: Invalid password:Passwords must have a minimum length of eight characters and contain alphabetic characters combined with numbers or special characters. 
Enter password:     
Enter password again:   


3- Now Add the password credentials to the wallet using the db alias (orcl in our example) in tnsnames.ora.

[oracle@bigdatalite bin]$ $ORACLE_HOME/bin/mkstore -wrl "/u01/app/oracle/wallet" -createCredential orcl scott tiger
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:   
Create credential oracle.security.client.connect_string1
[oracle@bigdatalite bin]$ 

4- Verify credentials present in the wallet 

oracle@bigdatalite bin]$ $ORACLE_HOME/bin/mkstore -wrl "/u01/app/oracle/wallet" -listCredential
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:   
List credential (index: connect_string username)
1: orcl scott
[oracle@bigdatalite bin]$ 

5- Test connection with user 
[oracle@bigdatalite bin]$ sqlplus /@orcl

SQL*Plus: Release 12.1.0.2.0 Production on Sun Feb 7 03:15:06 2016

Copyright (c) 1982, 2014, Oracle.  All rights reserved.

Last Successful login time: Sun Feb 07 2016 02:13:43 -05:00

Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

SQL> show user
USER is "SCOTT"
SQL> 

If you want to add credentials for mulitple users just create the db alias in tnsnames.ora with different name.

6-  You can test the credential with other oracle utilities also.

$ expdp /@orcl tables=EMP,DEPT directory=TEST_DIR dumpfile=EMP_DEPT.dmp logfile=expdpEMP_DEPT.log

You can use the same wallet for java application 
Connection conn = DriverManager.getConnection ("jdbc:oracle:oci:/@orcl"); 

7- You can modify or remove the credential as below.


mkstore -wrl <wallet_location> -modifyCredential <dbase_alias> <username> <password>
mkstore -wrl "/u01/app/oracle/wallet" -modifyCredential orcl scott tiger1

mkstore -wrl <wallet_location> -deleteCredential <db_alias>
mkstore -wrl "/u01/app/oracle/wallet" -deleteCredential orcl



11 comments:

Friedhold Matz said...
This comment has been removed by the author.
Friedhold Matz said...

Many thanks,
very clear and helpful.
Regards

Vertie Martin said...

Wow! You are lucky indeed! thanks for 123essay.org sharing a lot

eTechno Soft Solutions said...

We really feel very happy about the blog you have shared. the explanation is very clear and valuable information. it improves my development skill in SCN and checkpoints. please share the blog like this...

eTechno Soft Solutions is a leading training institute for all kind of the Oracle Training in Bangalore with real-time experienced trainers with 100% Placement Assistance.

Keerthi said...

360DigiTMG, a data science institute in indore, is a leading solutions provider of Training and Consulting to assist students, professionals by delivering top-notch, world-class classroom and online training.


360digitmgas said...

Awesome blog. I enjoyed reading your articles. This is truly a great read for me. I have bookmarked it and I am looking forward to reading new articles. Keep up the good work!
digital marketing course in coimbatore

Jayalakshmi said...

This is excellent information. It is amazing and wonderful to visit your site.Thanks for sharing this information,this is useful to me.
angular js training in chennai

angular js training in tambaram

full stack training in chennai

full stack training in tambaram

php training in chennai

php training in tambaram

photoshop training in chennai

photoshop training in tambaram

deiva said...

We really feel very happy about the blog you have shared. the explanation is very clear and valuable information.
angular js training in chennai

angular js training in omr

full stack training in chennai

full stack training in omr

php training in chennai

php training in omr

photoshop training in chennai

photoshop training in omr

360digitmgas said...

Awesome blog. I enjoyed reading your articles. This is truly a great read for me. I have bookmarked it and I am looking forward to reading new articles. Keep up the good work! best software training

Realtime Experts said...

Nice reading, This is an informative information, thanks for sharing this blog.
Exadata Training in Bangalore

Prwatech said...

Excellent and very cool idea and great content of different kinds of the valuable information's.

Hadoop Training in bangalore
Hadoop Training Institute In Bangalore