redoblog

March 14, 2010

Oracle Wallet

Filed under: Connectivity — redoblog @ 10:31 pm

Introduction:

In my last posting I described a method used to hide passwords. A better description would be to obscure passwords: any method that leaves the password in plain text on a file system is prone to eventual discovery by a user, whether accidental or deliberate. The problem remains of how to distribute passwords securely to end users and client applications. One option is to use an Oracle Wallet as an external password store.

An Oracle Wallet is as the name implies. Just as you would store credentials in a wallet, you store your username and password in an Oracle Wallet. The advantage however is that the contents of the wallet are not readable. If the wallet is stolen, you can simply change your user password and generate a new wallet, thus rendering the stolen wallet unusable. Note that the cwallet.sso file is an auto-login wallet: any process that can read that file can use the stored credentials without knowing the wallet password, so the wallet directory and its files must stay readable only by the owning account (as in the -rw------- listing further down).

Wallet Creation – mkstore:

To create an Oracle Wallet the “mkstore” utility is used which can be found under your $ORACLE_HOME/bin directory:

[oracle@magneto ~]$ echo $ORACLE_HOME
/u01/oracle/11201

[oracle@magneto ~]$ which mkstore
/u01/oracle/11201/bin/mkstore

The options to mkstore under 11.2.0.1 are plentiful; we'll be looking at:

    [-wrl wrl]
    [-create]
    [-delete]
    [-list]
    [-createEntry alias secret]
    [-viewEntry alias]
    [-modifyEntry alias secret]
    [-deleteEntry alias]
    [-help]

Wallet Directory:

Multiple wallets may be created, however each should be in its own directory. I like to create one parent directory named "wallets" with sub-directories beneath for each wallet. A symlink is then used to point to the wallet of interest. I can then easily move between wallets by changing my symlink.

[oracle@magneto wallets]$ pwd
/home/oracle/wallets

[oracle@magneto wallets]$ ls -al
total 20
drwxr-xr-x 5 oracle dba 4096 Mar 14 11:32 .
drwx------ 22 oracle dba 4096 Mar 14 11:31 ..
lrwxrwxrwx 1 oracle dba 8 Mar 14 11:32 current -> redoblog
drwxr-xr-x 2 oracle dba 4096 Mar 14 11:32 redoblog
drwxr-xr-x 2 oracle dba 4096 Feb 16 11:31 wallet1
drwxr-xr-x 2 oracle dba 4096 Feb 16 11:32 wallet2

A simple wrapper script could be written that points the symlink to the desired wallet directory.

Initial Wallet Creation:

To create a wallet, use "mkstore" with the "-wrl" option to point to your directory and the "-create" option to create the wallet. You will be prompted for a password for the wallet.

[oracle@magneto wallets]$ mkstore -wrl ~/wallets/redoblog -create
Oracle Secret Store Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Enter password: *******************

Enter password again: *******************

# You can see that the wallet files now exist:
[oracle@magneto wallets]$ ls -al ~/wallets/redoblog
total 16
drwxr-xr-x 2 oracle dba 4096 Feb 16 11:37 .
drwxr-xr-x 5 oracle dba 4096 Feb 16 11:32 ..
-rw------- 1 oracle dba 3589 Feb 16 11:37 cwallet.sso
-rw------- 1 oracle dba 3512 Feb 16 11:37 ewallet.p12

Add Default Wallet Entries:

We now add a default username and default user password to the wallet. These are the credentials used for any connection that relies on the wallet instead of supplying a username and password of its own. To do this we use the "-wrl" and "-createEntry" options.

# Create the default username entry

[oracle@magneto wallets]$ mkstore -wrl ~/wallets/redoblog -createEntry oracle.security.client.default_username SCOTT;
Oracle Secret Store Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Enter wallet password: *********************

# Create the default username password entry

[oracle@magneto wallets]$ mkstore -wrl ~/wallets/redoblog -createEntry oracle.security.client.default_password TIGER;
Oracle Secret Store Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Enter wallet password: *********************

List Wallet Entries:

We now list the entries in the wallet using the mkstore "-list" option:

[oracle@magneto wallets]$ mkstore -wrl ~/wallets/redoblog -list
Oracle Secret Store Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Enter wallet password: ********************

Oracle Secret Store entries:
oracle.security.client.default_password
oracle.security.client.default_username

Configure the Wallet for use - sqlnet.ora:

Now that we have a wallet, we need to configure it for use. The following entries are added to the sqlnet.ora file:

# sqlnet.ora wallet reference
# Note the use of the symlink directory which I can re-direct to any desired wallet
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /home/oracle/wallets/current))
  )
SQLNET.WALLET_OVERRIDE = TRUE
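The wrapper script mentioned in the Wallet Directory section, written here as an added example (not code from the original post): it re-points the "current" symlink that sqlnet.ora references, but only at a sub-directory that holds both files mkstore -create writes and keeps them private to the owner. The WALLET_ROOT and CURRENT_LINK variables and the function names are assumptions of this example.

```shell
#!/bin/sh
# use_wallet.sh (added example): switch the "current" wallet symlink safely.
# Assumes the ~/wallets layout from the post; override WALLET_ROOT and
# CURRENT_LINK in the environment if your layout differs.
WALLET_ROOT="${WALLET_ROOT:-$HOME/wallets}"
CURRENT_LINK="${CURRENT_LINK:-current}"

# wallet_ok DIR: succeed only if DIR holds a complete, owner-only wallet.
# cwallet.sso is the auto-login wallet, so anyone who can read it can
# connect as the stored user; refuse anything looser than -rw-------.
wallet_ok() {
    dir="$1"
    [ -d "$dir" ] || return 1
    for f in cwallet.sso ewallet.p12; do
        [ -f "$dir/$f" ] || return 1
        # characters 5-10 of "ls -l" are the group and other permission bits
        perms=$(ls -l "$dir/$f" | cut -c5-10)
        case "$perms" in
            ------) ;;
            *) echo "$dir/$f is readable by others ($perms)" >&2; return 1 ;;
        esac
    done
    return 0
}

# current_wallet: print the sub-directory name the symlink points at.
current_wallet() {
    readlink "$WALLET_ROOT/$CURRENT_LINK"
}

# use_wallet NAME: point $WALLET_ROOT/$CURRENT_LINK at $WALLET_ROOT/NAME.
# The link stores the relative name, as in the "current -> redoblog" listing.
# The old link is removed and recreated (two steps, not one atomic rename).
use_wallet() {
    name="$1"
    target="$WALLET_ROOT/$name"
    wallet_ok "$target" || { echo "refusing to use $target" >&2; return 1; }
    rm -f "$WALLET_ROOT/$CURRENT_LINK" || return 1
    ln -s "$name" "$WALLET_ROOT/$CURRENT_LINK" || return 1
    echo "current wallet is now $(current_wallet)"
}
```

Run it as `sh use_wallet.sh` after appending a line such as `use_wallet "$1"`, or source it and call use_wallet from an interactive shell; a wallet whose files are group- or world-readable is refused and the previous link is left in place.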

Connect using the wallet:

We are now ready to connect using the wallet. Connections of the form USER@TNS_ENTRY/PASSWORD are now changed to /@TNS_ENTRY; the default username and password in the wallet are used for the connection.

# Traditional connection:

[oracle@magneto sqlnet]$ sqlplus scott@fsfodb/tiger

SQL*Plus: Release 11.2.0.1.0 Production on Tue Feb 16 11:52:51 2010
Copyright (c) 1982, 2009, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining,
Oracle Database Vault and Real Application Testing options

SQL> show user
USER is "SCOTT"

# Wallet connection

[oracle@magneto sqlnet]$ sqlplus /@fsfodb

SQL*Plus: Release 11.2.0.1.0 Production on Tue Feb 16 11:53:21 2010
Copyright (c) 1982, 2009, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining,
Oracle Database Vault and Real Application Testing options

SQL> show user
USER is "SCOTT"


2 Comments »

  1. nicee ;)

    Comment by oracle wallet — April 7, 2010 @ 6:24 am

  2. If you’re using Wallet, you might as well use certificates so you completely eliminate password management overhead. You need a CA to sign your cert, however, which requires some PKI.

    Set your sqlnet.ora with:
    SQLNET.AUTHENTICATION_SERVICES=(TCPS)
    SSL_CLIENT_AUTHENTICATION=TRUE

    Then ALTER USER foo IDENTIFIED EXTERNALLY AS ‘CN=Some Subject’;

    Now when the client has a certificate in their Wallet with the DN of ‘CN=Some Subject’ they can log in without a password.

    Comment by Chris — May 20, 2010 @ 6:34 am

