
securing passwords with Oracle Wallet

Hard coding passwords in scripts is not a good idea, especially for RMAN backup scripts, as the account being used needs SYSDBA privileges.

Steps to store the password in a wallet

1. Create a wallet

Wallets can be copied to different machines, which can represent a security risk. In 11g Release 2, you can prevent the auto login functionality of the wallet from working if it is copied to another machine by creating a local wallet using the “orapki” command, instead of the “mkstore” command.

orapki wallet create -wallet "/u02/wallet" -pwd "mypassword" -auto_login_local

Once the wallet is created, it can be modified using the “mkstore” command.

2. Add a database connection (including connection_string, username and password)

mkstore -wrl <wallet_location> -createCredential <db_connection_string> <username> <password>

E.g.
mkstore -wrl /u01/app/wallet -createCredential rmancpr rman rmanpwd

3. Add the following code to your sqlnet.ora


SQLNET.WALLET_OVERRIDE=TRUE
WALLET_LOCATION =
  (SOURCE =
   (METHOD = FILE)
    (METHOD_DATA =
     (DIRECTORY = /u01/app/wallet)
    )
  )

If you are using RAC, make sure that sqlnet.ora is updated on all nodes.

WALLET_LOCATION: points to the directory where the wallet resides.
SQLNET.WALLET_OVERRIDE: forces all connections of the form /@db_connection_string to authenticate with the credentials stored in the wallet.

4. Test the connection

We can replace
rman/rmanpwd@rmancpr

by

/@rmancpr
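
A pre-flight check for the setup above, as an added example that is not part of the original post: it reads the wallet directory from sqlnet.ora, confirms SQLNET.WALLET_OVERRIDE is TRUE and verifies that the wallet directory and files are not accessible to group or other. The function names are made up for this example; cwallet.sso and ewallet.p12 are the standard wallet file names.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for a wallet setup.
# Usage: check_wallet_setup "$TNS_ADMIN/sqlnet.ora"

# Print the DIRECTORY value of WALLET_LOCATION, ignoring commented-out lines.
wallet_dir_from_sqlnet() {
    sed -n 's/^[^#]*(DIRECTORY[[:space:]]*=[[:space:]]*\([^)]*\)).*/\1/p' "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Succeed only if SQLNET.WALLET_OVERRIDE is set to TRUE.
wallet_override_enabled() {
    grep -Eiq '^[[:space:]]*SQLNET\.WALLET_OVERRIDE[[:space:]]*=[[:space:]]*TRUE[[:space:]]*$' "$1"
}

# Succeed only if group and other have no permission bits on the path.
# Characters 5-10 of the "ls -l" mode string are the group and other bits.
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Report every problem found; return 0 only when the setup looks sound.
check_wallet_setup() {
    sqlnet=$1 rc=0
    wallet_override_enabled "$sqlnet" ||
        { echo "SQLNET.WALLET_OVERRIDE is not TRUE in $sqlnet"; rc=1; }
    dir=$(wallet_dir_from_sqlnet "$sqlnet")
    if [ -z "$dir" ]; then
        echo "no WALLET_LOCATION directory found in $sqlnet"
        return 1
    fi
    # /@alias logins need the auto-login wallet file to be present.
    [ -f "$dir/cwallet.sso" ] ||
        { echo "no auto-login wallet (cwallet.sso) in $dir"; rc=1; }
    # The directory and every wallet file must be private to the owner.
    for f in "$dir" "$dir"/*wallet.*; do
        [ -e "$f" ] || continue
        owner_only "$f" || { echo "group/other can access $f"; rc=1; }
    done
    return $rc
}
```

Run it as the OS account that owns the wallet, before scheduling scripts that connect with /@rmancpr.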

Other options that the wallet offers

1.- List the contents stored in the wallet:
mkstore -wrl /u01/app/wallet -listCredential

2.- Add credentials:
mkstore -wrl /u01/app/wallet -createCredential <db_connection_string> <username> <password>

3.- Modify credentials:
mkstore -wrl /u01/app/wallet -modifyCredential <db_connection_string> <username> <password>

4.- Delete credentials:
mkstore -wrl /u01/app/wallet -deleteCredential <db_connection_string>
