Protecting passwords with Oracle Wallet

Someone on dba-Village forum asked about how to protect username and password for connecting to RMAN catalog database. Since I’m strongly against using remote os authentication (remote_os_auth=true) in real life production environment, I would probably choose Oracle Wallet for storing credentials for connecting to rman catalog.

Note: With the Oracle Wallet implementation we're relying on file system permissions to protect our wallet; it's not perfect, but I'm happy to trade this "risk" against the (in my humble opinion) much riskier approach of using remote OS authentication. Anyone with access to a wallet that has the auto-login feature turned on can connect as the user stored in the wallet without a password! The approach described in this post should be used seldom and with care.

Here is a mini how-to (I was using Windows 2003 and Oracle 11g):


###########################################
1) Create Oracle wallet
- the result of this step is directory D:\oracle\rmancat_wallet 
  with two files: cwallet.sso and ewallet.p12 . 
###########################################

cmd> mkstore -wrl D:\oracle\rmancat_wallet -create
Enter password: mysecret

PASSWORD_POLICY : Passwords must have a minimum length of eight characters and
contain alphabetic characters combined with numbers or special characters.
Enter password: mysecret1

Enter password again: mysecret1


####################################################
2) Adding database user credentials to this wallet
ORA11   .... TNS alias for RMAN catalog database
rmancat .... database user 
test    .... password for rmancat
####################################################

mkstore -wrl D:\oracle\rmancat_wallet -createCredential ora11 rmancat test

Enter wallet password:

Create credential oracle.security.client.connect_string1


#######################################
3) Configure sqlnet.ora at client side
#######################################

WALLET_LOCATION = (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=D:\oracle\rmancat_wallet)))
SQLNET.WALLET_OVERRIDE = TRUE

########################################
4) Test connection
########################################

D:\ORACLE>sqlplus /@ora511

SQL*Plus: Release 11.1.0.6.0 - Production on Čet Jul 10 13:58:00 2008

Copyright (c) 1982, 2007, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.1.0.6.0 - Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining,
Oracle Database Vault and Real Application Testing options

SQL> show user
USER is "RMANCAT"

########################################
5) Additional security checks
########################################

I would recommend keeping sqlnet.ora and tnsnames.ora separate
from the common Oracle home; for example, we can copy both files to
the wallet directory (in our example D:\ORACLE\rmancat_wallet).
Make sure that only the user executing the RMAN backup has read permissions on this
directory. By default Oracle changes permissions only on the files
cwallet.sso and ewallet.p12, leaving the directory permissions to be inherited from
the parent (at least that's the case on Windows; I'm not sure about Linux/Unix)!

Don't forget to set the environment variable TNS_ADMIN to point
to your wallet directory at the beginning of the backup script.
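As an added example (not from the original post), this PowerShell wrapper puts the two checks above into a backup script: it refuses to run when the wallet directory still inherits permissions or grants access to anyone other than the backup account (plus the usual SYSTEM/Administrators entries), then sets TNS_ADMIN to the wallet directory for the RMAN process. The backup account name, the RMAN command file path and rman.exe being on PATH are assumptions.

```powershell
# Added example, not part of the original post. Assumptions: wallet in
# D:\oracle\rmancat_wallet (with sqlnet.ora/tnsnames.ora copied next to it),
# the backup runs as $BackupAccount, rman.exe is on PATH, and the RMAN
# catalog TNS alias is ora11 as in the post.
param(
    [string]$WalletDir     = 'D:\oracle\rmancat_wallet',
    [string]$BackupAccount = "$env:COMPUTERNAME\oracle_backup",   # assumed service account
    [string]$RmanScript    = 'D:\oracle\scripts\backup.rcv'       # assumed path
)

# Identities that may legitimately keep access to the wallet directory.
$allowed = @($BackupAccount, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Test-WalletDirAcl {
    param([string]$Path, [string[]]$Allowed)
    $acl = Get-Acl -Path $Path
    $problems = @()
    # mkstore only tightens cwallet.sso/ewallet.p12; the directory keeps
    # inheriting from its parent unless inheritance has been broken.
    if (-not $acl.AreAccessRulesProtected) {
        $problems += "inheritance is still enabled on $Path"
    }
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($Allowed -notcontains $rule.IdentityReference.Value) {
            $problems += ("unexpected access for {0}: {1}" -f `
                $rule.IdentityReference.Value, $rule.FileSystemRights)
        }
    }
    return $problems
}

$issues = Test-WalletDirAcl -Path $WalletDir -Allowed $allowed
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
    throw "Refusing to run backup: wallet directory permissions are too open."
}

# Point TNS_ADMIN at the wallet directory for this process only, so rman reads
# the sqlnet.ora with WALLET_LOCATION and SQLNET.WALLET_OVERRIDE from there.
$env:TNS_ADMIN = $WalletDir
& rman target / catalog /@ora11 cmdfile=$RmanScript
if ($LASTEXITCODE -ne 0) { throw "rman exited with code $LASTEXITCODE" }
```

Run it once interactively to confirm the ACL check passes before scheduling it; a failing check is the signal that the directory still inherits the parent's permissions.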


##############################
6) Various handy commands 
##############################

>> ------------------------------
>> List the content of the Wallet
>> ------------------------------

cmd> mkstore -wrl D:\oracle\rmancat_wallet -listCredential

Enter wallet password:

List credential (index: connect_string username)
1: ora11 rmancat

>> -------------------------------------------------
>> Modify credential stored in the wallet
>> -------------------------------------------------

cmd> mkstore -wrl D:\oracle\rmancat_wallet -modifyCredential ora11 rmancat newpassword

Enter wallet password: mysecret1

Modify credential
Modify 1

>> -----------------------------------
>> Deleting credential from the wallet
>> -----------------------------------

cmd> mkstore -wrl D:\oracle\rmancat_wallet -deleteCredential ora11

Enter wallet password:

Delete credential
Delete 1

>> ------------------------------------
>> Adding credential
>> ------------------------------------

Remember, you can have only ONE user per TNS alias stored in the wallet. If you need to store
two users (schemas) for one TNS alias, then you'll have to use two wallets!

For example, this is possible:

> mkstore -wrl D:\oracle\rmancat_wallet -createCredential ora11 rmancat test
> mkstore -wrl D:\oracle\rmancat_wallet -createCredential ora12 scott tiger

If you try to add a second account for the same TNS alias, you'll get an error:

> mkstore -wrl D:\oracle\rmancat_wallet -createCredential ora12 scott2 tiger

Create credential Secret Store error occured: 
oracle.security.pki.OracleSecretStoreException: Credential already exists

In this case you'll need to create a new wallet for scott2.

##################
7) References
##################

Metalink Note 340559.1, "Using The Secure External Password Store"

Chapter 9, "Secure External Password Store":
http://download.oracle.com/docs/cd/B19306_01/network.102/b14266/cnctslsh.htm#g1033548

Posted on 10.07.2008, in Oracle.