Wednesday, June 8, 2011

Oracle 10gR2 Secure External Password Store

Secure External Password Store is an Oracle 10g Release 2 feature that lets you encrypt, in an Oracle Wallet, the passwords used by client scripts (sqlplus, shell, expdp/impdp, exp/imp) that connect to the database.

The configuration is simple; follow these steps (Unix/Linux):

1) First make sure tnsnames.ora contains a valid entry (db_tns_alias) for your database, creating one if it does not exist

2) Create the Oracle Wallet (it will ask you to enter a password twice)
    mkstore -wrl /your_wallet_store_dir -create

3) Create the database credentials inside the wallet
    mkstore -wrl /your_wallet_store_dir -createCredential db_tns_alias username password

4) Add the following lines to $ORACLE_HOME/network/admin/sqlnet.ora (create the file if it does not exist)


WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
   (METHOD_DATA =
    (DIRECTORY = /your_wallet_store_dir)))


SQLNET.WALLET_OVERRIDE = TRUE
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 0

5) Use /@db_tns_alias whenever you want to connect as the user stored for that alias
    sqlplus /@db_tns_alias
    expdp /@db_tns_alias parfile=/mydir/mypar.par

6) The mkstore utility also has commands to list, delete, and modify the stored credentials (before modifying, the password must already have been changed on the database side)
    mkstore -wrl /your_wallet_store_dir -listCredential
    mkstore -wrl /your_wallet_store_dir -deleteCredential db_tns_alias
    mkstore -wrl /your_wallet_store_dir -modifyCredential db_tns_alias username newpassword
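
An added example, not part of the original post: a POSIX shell check of the setup from steps 2 to 4. It reads the wallet directory from sqlnet.ora, confirms SQLNET.WALLET_OVERRIDE = TRUE, and flags wallet files that group or other users can access, because the stored credentials are usable by any OS account that can read the wallet files. The function names are hypothetical, and it assumes the auto-login wallet file is named cwallet.sso, as mkstore -create produces.

```shell
#!/bin/sh
# Added example: audit a client-side Secure External Password Store setup.
# Simplified sqlnet.ora parsing: comments are dropped and whitespace is removed,
# so a wallet path containing spaces is not supported.

# Print the DIRECTORY value of WALLET_LOCATION from the sqlnet.ora in $1.
wallet_dir_from_sqlnet() {
    grep -v '^[[:space:]]*#' "$1" | tr -d ' \t\r\n' | awk '{
        u = toupper($0)
        i = index(u, "WALLET_LOCATION=")
        if (i == 0) exit 1
        rest = substr($0, i)
        j = index(toupper(rest), "DIRECTORY=")
        if (j == 0) exit 1
        rest = substr(rest, j + 10)
        sub(/\).*/, "", rest)
        print rest
    }'
}

# Succeed only if SQLNET.WALLET_OVERRIDE = TRUE is set in the sqlnet.ora in $1.
wallet_override_enabled() {
    grep -v '^[[:space:]]*#' "$1" | tr -d ' \t\r' |
        grep -qi '^SQLNET\.WALLET_OVERRIDE=TRUE$'
}

# List the wallet directory $1 and any file in it that has a group or other
# permission bit set (POSIX find has no "any of these bits" test, hence the ORs).
wallet_loose_files() {
    find "$1" \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Run all checks against the sqlnet.ora in $1; non-zero status on any finding.
check_seps() {
    rc=0
    dir=$(wallet_dir_from_sqlnet "$1") || dir=
    if [ -z "$dir" ]; then echo "FAIL: no WALLET_LOCATION directory in $1"; return 1; fi
    wallet_override_enabled "$1" || { echo "FAIL: SQLNET.WALLET_OVERRIDE is not TRUE"; rc=1; }
    [ -f "$dir/cwallet.sso" ] || { echo "FAIL: $dir/cwallet.sso not found"; rc=1; }
    loose=$(wallet_loose_files "$dir" 2>/dev/null)
    [ -z "$loose" ] || { echo "FAIL: group/other can access: $loose"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: wallet in $dir is owner-only"
    return "$rc"
}

if [ -n "${1:-}" ]; then check_seps "$1"; fi
```

Run it with the path to the client's sqlnet.ora as its only argument; a passing setup has the wallet directory at mode 700 and the wallet files at mode 600.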


2 comments:

  1. We have an application that creates and manages the wallet for the user. The Oracle version is 11.2.0.2. We have other applications that require Oracle 10.2.0.5 and also want to use the wallet so as to connect as the user without requiring a password. Testing has revealed that Oracle 10.2.0.5 cannot use a wallet that was created in Oracle 11.2.0.2. Can anyone verify? Is this a feature or bug?

  2. Hi Thomas,

    I have not tested your case. If you have any updates, please post the results here.

    Thanks
