Oracle® Retail Advanced Inventory Planning Installation Guide
Release 14.1.1
E63027-01

B Appendix: Setting Up Password Stores with Oracle Wallet

As part of an application installation, administrators must set up password stores for database user accounts using Oracle Wallet. These password stores must be installed on the application database side. While the installer handles much of this process, the administrators must perform some additional steps.

A password store for the application and application server user accounts must also be installed; however, the installer takes care of this entire process.

About Password Stores and Oracle Wallet

Historically, Oracle database connect strings (username/password@db) passed to programs exposed the password to other users on the server: anyone who ran ps -ef | grep <username> could read the password from the command line whenever it had been supplied there.

To make passwords more secure, sensitive information such as user credentials must now be encrypted and stored in a secure location. These locations are called password stores or wallets: secure software containers that hold the encrypted user credentials.

Users can retrieve the credentials using aliases that were set up when encrypting and storing the user credentials in the password store. For example, if username/password@db is entered in the command line argument and the alias is called db_username, then the argument to a program would be the following: sqlplus /@db_username

This connects to the database as before, but hides the password from every other system user. Once this is configured, as in the previous example, the application installation and the other relevant scripts no longer need embedded usernames and passwords, which removes the exposure of those credentials.

When the installation starts, all the necessary user credentials are retrieved from the Oracle Wallet based on the alias name associated with the user credentials. There are two different types of password stores or wallets. One type is for database connect strings used in program arguments (such as sqlplus /@db_username). The other type is for Java application installation and application use.

Setting Up Password Stores for Database User Accounts

After the database is installed and the default database user accounts are set up, administrators must set up a password store using the Oracle Wallet. This involves assigning an alias for the username and associated password for each database user account. The alias is used later during the application installation. This password store must be created on the system where the application server and database client are installed.

This section describes the steps you must take to set up a wallet and the aliases for the database user accounts. For more information on configuring authentication and password stores, refer to the Oracle Database Security Guide.


Note:

In this section, <wallet_location> is a placeholder text for illustration purposes. Before running the command, ensure that you specify the path to the location where you want to create and store the wallet.

Steps to Set Up a Password Store

To set up a password store for the database user accounts, perform the following steps:

  1. Create a wallet using the following command:

    mkstore -wrl <wallet_location> -create

    After you run the command, a prompt appears. Enter a password for the Oracle Wallet in the prompt.


    Note:

    The mkstore utility is included in the Oracle Database Client installation.

    The wallet is created with the auto-login feature enabled. This feature enables the database client to access the wallet contents without using the password. For more information, refer to the Oracle Database Advanced Security Administrator's Guide.

  2. Create the database connection credentials in the wallet using the following command:

    mkstore -wrl <wallet_location> -createCredential <alias-name> <database-user-name>

    After you run the command, a prompt appears. Enter the password associated with the database user account in the prompt. You are then prompted to re-enter the password. Then you are prompted for the wallet password used in Step 1.

  3. Repeat step 2 for all the database user accounts.

  4. Update the sqlnet.ora file to include the following statements:

    WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = <wallet_location>)))
    SQLNET.WALLET_OVERRIDE = TRUE
    SSL_CLIENT_AUTHENTICATION = FALSE

  5. Update the tnsnames.ora file to include the following entry for each alias name to be set up.

    <alias-name> =
        (DESCRIPTION =
         (ADDRESS_LIST =     
                (ADDRESS = (PROTOCOL = TCP) (HOST = <host>) (PORT = <port>))
            )
            (CONNECT_DATA =
                (SERVICE_NAME = <service>)
             )
         )
    

Note:

In the previous example, <alias-name>, <host>, <port>, and <service> are placeholder text for illustration purposes. Ensure that you replace these with the relevant values.

Setting Up Wallets for Database User Accounts

The following examples show how to set up wallets for database user accounts for the following applications:

For RMS, RWMS, RPM Batch, RETL, and ARI

Follow this procedure to set up wallets for database user accounts for the applications RMS, RWMS, RPM Batch, RETL, and ARI:

  1. Create a new directory called .wallet under your folder structure.

    cd /projects/rms14.1.0/dev/
    mkdir .wallet


    Note:

    The default permissions of the wallet allow only the owner to use it, ensuring the connection information is protected. If you want other users to be able to use the connection, you must adjust permissions appropriately to ensure only authorized users have access to the wallet.

  2. Create a sqlnet.ora in the wallet directory with the following content.

    WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /projects/rms14.1.0/dev/.wallet)) )
    SQLNET.WALLET_OVERRIDE=TRUE
    SSL_CLIENT_AUTHENTICATION=FALSE


    Note:

    WALLET_LOCATION must be on line 1 in the file.

  3. Set up a tnsnames.ora in the wallet directory. This tnsnames.ora includes the standard tnsnames.ora file. Then, add two custom tns_alias entries that are only for use with the wallet. For example: sqlplus /@dvols29_rms01user.

    ifile = /u00/oracle/product/11.2.0.1/network/admin/tnsnames.ora

    dvols29_rms01user =
    (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = tcp)
    (host = mspdv311.us.oracle.com) (Port = 1521)))
    (CONNECT_DATA = (SID = dvols29) (GLOBAL_NAME = dvols29)))

    dvols29_rms01user.world =
    (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = tcp)
    (host = mspdv311.us.oracle.com) (Port = 1521)))
    (CONNECT_DATA = (SID = dvols29) (GLOBAL_NAME = dvols29)))


    Note:

    Do not copy the standard tnsnames.ora file into the wallet directory, because the copy quickly becomes out of date; the ifile clause shown previously is the key point.

  4. Create the wallet files. These are empty initially.

    1. Ensure you are in the intended location.

      $ pwd
      /projects/rms14.1.0/dev/.wallet

    2. Create the wallet files.

      $ mkstore -wrl . -create

    3. Enter the wallet password you want to use. It is recommended that you use the same password as the UNIX user you are creating the wallet on.

    4. Enter the password again.

      Two wallet files are created from the previous command: ewallet.p12 and cwallet.sso.

  5. Create the wallet entry that associates the username and password to the custom tns alias that was setup in the wallet's tnsnames.ora file.

    mkstore -wrl . -createCredential <tns_alias> <username> <password>

    Example: mkstore -wrl . -createCredential dvols29_rms01user rms01user passwd

  6. Test the connectivity. The ORACLE_HOME used with the wallet must be the same version or higher than the one the wallet was created with.

    Set TNS_ADMIN first; this is essential, because it points the wallet at the alternate tnsnames.ora created in this example:

    $ export TNS_ADMIN=/projects/rms14.1.0/dev/.wallet

    $ sqlplus /@dvols29_rms01user

    SQL*Plus: Release 11

    Connected to:
    Oracle Database 12c

    SQL> show user
    USER is "rms01user"

    Running batch programs or shell scripts would be similar:

    Ex: dtesys /@dvols29_rms01user
    script.sh /@dvols29_rms01user

    Set the UP UNIX variable to help with some compiles:

    export UP=/@dvols29_rms01user

    This is used in RMS batch compiles and in RMS, RWMS, and ARI forms compiles.

    As shown in the previous example, users can ensure that passwords remain invisible.
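The following is an added example, not part of the Oracle installation guide, that checks the artefacts the procedure above leaves behind without calling mkstore: it verifies sqlnet.ora as the notes require it (WALLET_LOCATION on line 1, SQLNET.WALLET_OVERRIDE=TRUE), collects the aliases defined in the wallet's tnsnames.ora, reports wallet credentials whose connect_string has no matching alias (the usual cause of `sqlplus /@alias` still prompting for a password), and checks the wallet directory permissions the note in step 1 describes. The sqlnet.ora, tnsnames.ora and connect_string values below are constructed to mirror the example in the text.

```python
import os
import re

# Constructed sample inputs that mirror the example above.
SQLNET_ORA = """WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /projects/rms14.1.0/dev/.wallet)) )
SQLNET.WALLET_OVERRIDE=TRUE
SSL_CLIENT_AUTHENTICATION=FALSE
"""

TNSNAMES_ORA = """ifile = /u00/oracle/product/11.2.0.1/network/admin/tnsnames.ora

dvols29_rms01user =
(DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = tcp)
(host = mspdv311.us.oracle.com) (Port = 1521)))
(CONNECT_DATA = (SID = dvols29) (GLOBAL_NAME = dvols29)))
"""

# Values as `mkstore -wrl . -viewEntry oracle.security.client.connect_stringN`
# returns them (constructed); the second alias deliberately has no tns entry.
WALLET_CONNECT_STRINGS = {
    "oracle.security.client.connect_string1": "dvols29_rms01user",
    "oracle.security.client.connect_string2": "dvols29_rwms01user",
}


def check_sqlnet(text):
    """Return (problems, wallet_dir) for a sqlnet.ora as the procedure requires it."""
    problems = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].upper().startswith("WALLET_LOCATION"):
        problems.append("WALLET_LOCATION must be the first line of sqlnet.ora")
    params = {}
    for line in lines:
        m = re.match(r"([\w.]+)\s*=\s*(.*)", line)
        if m:
            params[m.group(1).upper()] = m.group(2).strip()
    if params.get("SQLNET.WALLET_OVERRIDE", "").upper() != "TRUE":
        problems.append("SQLNET.WALLET_OVERRIDE must be TRUE for /@alias logins")
    d = re.search(r"DIRECTORY\s*=\s*([^)\s]+)", params.get("WALLET_LOCATION", ""))
    if not d:
        problems.append("WALLET_LOCATION has no DIRECTORY clause")
    return problems, (d.group(1) if d else None)


def tns_aliases(text):
    """Return (aliases defined in this file, ifile paths it includes)."""
    aliases, ifiles = set(), []
    for line in text.splitlines():
        m = re.match(r"\s*ifile\s*=\s*(\S+)", line, re.IGNORECASE)
        if m:
            ifiles.append(m.group(1))
            continue
        m = re.match(r"^([\w.$-]+)\s*=", line)  # alias definitions start in column 1
        if m:
            aliases.add(m.group(1).lower())
    return aliases, ifiles


def unresolved_credentials(connect_strings, tns_text):
    """Wallet aliases with no entry in the wallet's own tnsnames.ora.

    An alias listed here may still resolve through an ifile include, but it is
    worth confirming: `sqlplus /@alias` cannot use the credential otherwise."""
    aliases, _ = tns_aliases(tns_text)
    return sorted(a for a in connect_strings.values() if a.lower() not in aliases)


def wallet_is_private(path):
    """True when no group/other permission bits are set on the wallet directory,
    matching the note in step 1 that only the owner should be able to use it."""
    return os.stat(path).st_mode & 0o077 == 0
```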

Additional Database Wallet Commands

The following is a list of additional database wallet commands.

  • Delete a credential on wallet

    mkstore -wrl . -deleteCredential dvols29_rms01user

  • Change the password for a credential on wallet

    mkstore -wrl . -modifyCredential dvols29_rms01user rms01user passwd

  • List the wallet credential entries

    mkstore -wrl . -list

    This command returns values such as

    oracle.security.client.connect_string1

    oracle.security.client.user1

    oracle.security.client.password1

  • View the details of a wallet entry

    mkstore -wrl . -viewEntry oracle.security.client.connect_string1

    Returns the value of the entry:

    dvols29_rms01user

    mkstore -wrl . -viewEntry oracle.security.client.user1

    Returns value of the entry:

    rms01user

    mkstore -wrl . -viewEntry oracle.security.client.password1

    Returns value of the entry:

    passwd

For Java Applications: (SIM, ReIM, RPM, Alloc, RIB, RSL, AIP, RETL)

For Java applications, consider the following:

  • For database user accounts, ensure that you set up the same alias names between the password stores (database wallet and Java wallet). You can provide the alias name during the installer process.

  • Document all aliases that you have set up. During the application installation, you must enter the alias names for the application installer to connect to the database and application server.

  • Passwords are not used to update entries in Java wallets. Entries in Java wallets are stored in partitions, or application-level keys. In each retail application that has been installed, the wallet is located in <WEBLOGIC_DOMAIN_HOME>/retail/<appname>/config.

    Example:

    mspdv351:[1036_WLS] /u00/webadmin/product/12.1.3/WLS/user_projects/domains/141_mck_soa_domain/retail/reim14/config

  • Application installers should create the Java wallets for you, but it is good to know how this works for future use and understanding.

  • Scripts are located in <WEBLOGIC_DOMAIN_HOME>/retail/<appname>/retail-public-security-api/bin for administering wallet entries.

    Example:

    mspdv351:[1036_WLS] /u00/webadmin/product/12.1.3/WLS/user_projects/domains/141_mck_soa_domain/retail/reim14/retail-public-security-api/bin

  • In this directory is a script to help you update each alias entry without having to remember the wallet details. For example, if you set the RPM database alias to rms01user, you will find a script called update-RMS01USER.sh.


    Note:

    These scripts are available only with applications installed by way of an installer.

  • Two further scripts in the same folder handle more generic wallet operations: dump_credentials.sh and save_credential.sh.

  • If you have not installed the application yet, you can unzip the application zip file and view these scripts in <app>/application/retail-public-security-api/bin.

    Example:

    mspdv351:[1036_WLS] /u00/webadmin/reim/application/retail-public-security-api/bin

update-<ALIAS>.sh

update-<ALIAS>.sh updates the wallet entry for this alias. You can use this script to change the user name and password for this alias. Because the application refers only to the alias, no changes are needed in application properties files.

Usage:

update-<ALIAS>.sh <username>

Example:

mspdev71:[1036WLS] /u00/webadmin/product/12.1.3/WLS/user_projects/domains/java_domain/retail/rpm141test/retail-public-security-api/bin> ./update-RMS01USER.sh
usage: update-RMS01USER.sh <username>
<username>: the username to update into this alias.
Example: update-RMS01USER.sh myuser
Note: this script will ask you for the password for the username that you pass in.
mspdev71:[1036WLS] /u00/webadmin/product/12.1.3/WLS/user_projects/domains/java_domain/retail/rpm141test/retail-public-security-api/bin>

dump_credentials.sh

dump_credentials.sh is used to retrieve information from the wallet. For each entry found in the wallet, the wallet partition, the alias, and the username are displayed. Note that the password is not displayed. If the value of an entry is uncertain, run save_credential.sh to resave the entry with a known password.

dump_credentials.sh <wallet location>

Example:

dump_credentials.sh /u00/webadmin/product/12.1.3/WLS/user_projects/domains/141_mck_soa_domain/retail/sim14/config

=============================================
Retail Public Security API Utility
=============================================

Following are the credentials found in the wallet at the location:

/u00/webadmin/product/12.1.3/WLS/user_projects/domains/141_mck_soa_domain/retail/sim14/config

Application level key partition name:reim14
User Name Alias:WLS-ALIAS User Name:weblogic
User Name Alias:RETAIL-ALIAS User Name:retail.user
User Name Alias:LDAP-ALIAS User Name:RETAIL.USER
User Name Alias:RMS-ALIAS User Name:rms141mock
User Name Alias:REIMBAT-ALIAS User Name:reimbat

save_credential.sh

save_credential.sh is used to update the information in the wallet. If you are unsure about the information that is currently in the wallet, use dump_credentials.sh as indicated previously.

save_credential.sh -a <alias> -u <user> -p <partition name> -l <path of the wallet file location where credentials are stored>

Example:

mspdv351:[1036_WLS] /u00/webadmin/mock141_testing/rtil/rtil/application/retail-public-security-api/bin> save_credential.sh -l wallet_test -a myalias -p mypartition -u myuser

=============================================
Retail Public Security API Utility
=============================================

Enter password:
Verify password:


Note:

The -p option in the previous command specifies the partition name. You must specify the partition name that the application code of each Java application uses.

save_credential.sh and dump_credentials.sh scripts are the same for all applications. If using save_credential.sh to add a wallet entry or to update a wallet entry, bounce the application/managed server so that your changes are visible to the application. Also, save a backup copy of your cwallet.sso file in a location outside of the deployment path, because redeployment or reinstallation of the application will wipe the wallet entries you made after installation of the application. To restore your wallet entries after a redeployment/reinstallation, copy the backed up cwallet.sso file over the cwallet.sso file. Then bounce the application/managed server.


Usage:

=============================================
Retail Public Security API Utility
=============================================
usage: save_credential.sh -au[plh]
E.g. save_credential.sh -a rms-alias -u rms_user -p rib-rms -l ./
 -a,--userNameAlias <arg>              alias for which the credentials needs to be stored
 -h,--help                             usage information
 -l,--locationofWalletDir <arg>        location where the wallet file is created.If not specified, it creates the wallet under secure-credential-wallet directory which is already present under the retail-public-security-api/ directory.
 -p,--appLevelKeyPartitionName <arg>   application level key partition name
 -u,--userName <arg>                   username to be stored in secure credential wallet for specified alias*

How Does the Wallet Relate to the Application?

The ORACLE Retail Java applications include the wallet alias information you create in an <app-name>.properties file. Below is a sample from the reim.properties file showing the database information and the user. The property datasource.credential.alias=RMS-ALIAS tells the application to look up the alias RMS-ALIAS in the Java wallet at csm.wallet.path, within the partition named by csm.wallet.partition.name (reim14), to retrieve the password for application use.

Reim.properties code sample:

datasource.url=jdbc:oracle:thin:@mspdv349.us.oracle.com:1521:pkols07
datasource.schema.owner=rms141mock
datasource.credential.alias=RMS-ALIAS 
# =================================================================
# ossa related Configuration
#
# These settings are for ossa configuration to store credentials. 
# =================================================================
 
csm.wallet.path=/u00/webadmin/product/12.1.3/WLS/user_projects/domains/141_mck_soa_domain/retail/reim14/config
csm.wallet.partition.name=reim
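The following is an added example, not part of the Oracle installation guide, that ties the two artefacts above together: it parses the output that dump_credentials.sh prints and the datasource/csm properties, and reports when the application refers to an alias or a partition that the wallet does not contain. Because the application only looks up the alias inside csm.wallet.partition.name, a partition mismatch (such as reim against a wallet dumped as reim14) means no password is found at runtime. Both inputs are constructed to mirror the samples in the text.

```python
import re

# Constructed copy of dump_credentials.sh output, as shown in the text above.
DUMP_OUTPUT = """=============================================
Retail Public Security API Utility
=============================================

Following are the credentials found in the wallet at the location:

/u00/webadmin/product/12.1.3/WLS/user_projects/domains/141_mck_soa_domain/retail/reim14/config

Application level key partition name:reim14
User Name Alias:WLS-ALIAS User Name:weblogic
User Name Alias:RETAIL-ALIAS User Name:retail.user
User Name Alias:LDAP-ALIAS User Name:RETAIL.USER
User Name Alias:RMS-ALIAS User Name:rms141mock
User Name Alias:REIMBAT-ALIAS User Name:reimbat
"""

# Constructed copy of the reim.properties sample; note the partition name.
REIM_PROPERTIES = """datasource.url=jdbc:oracle:thin:@mspdv349.us.oracle.com:1521:pkols07
datasource.schema.owner=rms141mock
datasource.credential.alias=RMS-ALIAS
# ossa related Configuration
csm.wallet.path=/u00/webadmin/product/12.1.3/WLS/user_projects/domains/141_mck_soa_domain/retail/reim14/config
csm.wallet.partition.name=reim
"""


def parse_dump(text):
    """Return {partition: {alias: username}} from dump_credentials.sh output."""
    wallet, partition = {}, None
    for line in text.splitlines():
        m = re.match(r"Application level key partition name:\s*(\S+)", line)
        if m:
            partition = m.group(1)
            wallet.setdefault(partition, {})
            continue
        m = re.match(r"User Name Alias:\s*(\S+)\s+User Name:\s*(\S+)", line)
        if m and partition is not None:
            wallet[partition][m.group(1)] = m.group(2)
    return wallet


def parse_properties(text):
    """Minimal key=value parser for an <app-name>.properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_alias(props, wallet):
    """Return (problems, username) for the alias the properties file refers to.

    username is the user stored under datasource.credential.alias in the
    partition named by csm.wallet.partition.name, or None when unresolved."""
    problems = []
    partition = props.get("csm.wallet.partition.name")
    alias = props.get("datasource.credential.alias")
    if partition not in wallet:
        problems.append(f"partition {partition!r} not in wallet; wallet has {sorted(wallet)}")
        return problems, None
    if alias not in wallet[partition]:
        problems.append(f"alias {alias!r} missing from partition {partition!r}")
        return problems, None
    return problems, wallet[partition][alias]
```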

How Does the Wallet Relate to Java Batch Program Use?

Some of the ORACLE Retail Java batch applications have an alias to use when running Java batch programs. For example, alias REIMBAT-ALIAS maps through the wallet to the database user reimbat, which already exists on the database. To run a ReIM batch program, the format is: reimbatchpgmname REIMBAT-ALIAS <other arguments as needed by the program in question>

Setting up RETL Wallets

RETL creates a wallet under $RFX_HOME/etc/security, with the following files:

  • cwallet.sso

  • jazn-data.xml

  • jps-config.xml

  • README.txt

To set up RETL wallets, perform the following steps:

  1. Set the following environment variables:

    • ORACLE_SID=retaildb

    • RFX_HOME=/u00/rfx/rfx-13.2.5

    • RFX_TMP=/u00/rfx/rfx-13.2.5/tmp

    • JAVA_HOME=/usr/jdk1.7

    • LD_LIBRARY_PATH=$ORACLE_HOME

    • PATH=$RFX_HOME/bin:$JAVA_HOME/bin:$PATH

  2. Change directory to $RFX_HOME/bin.

  3. Run setup-security-credential.sh.

    • Enter 1 to add a new database credential.

    • Enter the dbuseralias. For example, retl_java_rms01user.

    • Enter the database username. For example, rms01user.

    • Enter the database password.

    • Reenter the database password.

    • Enter D to exit the setup script.

  4. Update your RETL environment variable script to reflect the names of both the Oracle Networking wallet and the Java wallet.

    For example, to configure RETLforRPAS, modify the following entries in $MMHOME/RETLforRPAS/rfx/etc/rmse_rpas_config.env:

    • The RETL_WALLET_ALIAS should point to the Java wallet entry:

      export RETL_WALLET_ALIAS="retl_java_rms01user"

    • The ORACLE_WALLET_ALIAS should point to the Oracle network wallet entry:

      export ORACLE_WALLET_ALIAS="dvols29_rms01user"

    • The SQLPLUS_LOGON should use the ORACLE_WALLET_ALIAS:

      export SQLPLUS_LOGON="/@${ORACLE_WALLET_ALIAS}"

  5. To change a password later, run setup-security-credential.sh.

    • Enter 2 to update a database credential.

    • Select the credential to update.

    • Enter the database user to update or change.

    • Enter the password of the database user.

    • Re-enter the password.

Quick Guide for Retail Wallets

Table B-1 Quick Guide for Retail Wallets

| Retail app | Wallet type | Wallet loc | Wallet partition | Alias name | User name | Use | Create by | Alias Example | Notes |
|---|---|---|---|---|---|---|---|---|---|
| RMS batch | DB | <RMS batch install dir (MMHOME)>/.wallet | n/a | <Database SID>_<Database schema owner> | <rms schema owner> | Compile, execution | Installer | n/a | Alias hard-coded by installer |
| RMS forms | DB | <forms install dir>/base/.wallet | n/a | <Database SID>_<Database schema owner> | <rms schema owner> | Compile | Installer | n/a | Alias hard-coded by installer |
| ARI forms | DB | <forms install dir>/base/.wallet | n/a | <Db_Ari01> | <ari schema owner> | Compile | Manual | ari-alias | |
| RWMS forms | DB | <forms install dir>/base/.wallet | n/a | <Database SID>_<Database schema owner> | <rwms schema owner> | Compile forms, execute batch | Installer | n/a | Alias hard-coded by installer |
| RPM app | DB | <RPM batch install dir>/.wallet | n/a | <rms schema owner alias> | <rms schema owner> | Execute batch | Manual | rms-alias | |
| RWMS auto-login | JAVA | <forms install dir>/base/.javawallet | <RWMS Installation name> | <RWMS database user alias> | <RWMS schema owner> | RWMS forms app to avoid dblogin window | Installer | rwms14inst | |
| | | | <RWMS Installation name> | BI_ALIAS | <BI Publisher administrative user> | RWMS forms app to connect to BI Publisher | Installer | n/a | Alias hard-coded by installer |
| AIP app | JAVA | <weblogic domain home>/retail/<deployed aip app name>/config | aip13 | <AIP weblogic user alias> | | App use | Installer | aip-weblogic-alias | Each alias must be unique |
| | | | aip13 | <AIP database schema user alias> | | App use | Installer | aip01user-alias | |
| | | | aip13 | <rib-aip weblogic user alias> | <rib-aip weblogic user name> | App use | Installer | rib-aip-weblogic-alias | |
| RPM app | JAVA | <weblogic domain home>/retail/<deployed rpm app name>/config | rpm13 | <rpm weblogic user alias> | <rpm weblogic user name> | App use | Installer | rpm-weblogic-alias | Each alias must be unique |
| | | | rpm13 | <rms schema user alias> | <rms schema user name> | App, batch use | Installer | rms01user-alias | |
| | | | rpm13 | <rpm application user one alias> | <rpm application user one name> | App use | Installer | user1-alias | |
| | | | rpm13 | <rpm application user two alias> | <rpm application user two name> | App use | Installer | user2-alias | |
| | | | rpm13 | <rpm batch user alias> | <rpm batch user name> | App, batch use | Installer | rpmbatch-alias | |
| | | | rpm13 | <rib-rpm weblogic user alias> | <rib-rpm weblogic user name> | App use | Installer | rib-rpm-weblogic-alias | |
| ReIM app | JAVA | <weblogic domain home>/retail/<deployed reim app name>/config | <installed app name> | <reim weblogic user alias> | <reim weblogic user name> | App use | Installer | weblogic-alias | Each alias must be unique |
| | | | <installed app name> | <rms schema user alias> | <rms schema user name> | App, batch use | Installer | rms01user-alias | |
| | | | <installed app name> | <reim webservice validation user alias> | <reim webservice validation user name> | App use | Installer | reimwebservice-alias | |
| | | | <installed app name> | <reim batch user alias> | <reim batch user name> | App, batch use | Installer | reimbatch-alias | |
| Alloc app | JAVA | <weblogic domain home>/retail/<deployed alloc app name>/config | <installed app name> | <alloc weblogic user alias> | <alloc weblogic user name> | App use | Installer | weblogic-alias | Each alias must be unique |
| | | | <installed app name> | <rms schema user alias> | <rms schema user name> | App use | Installer | rms01user-alias | |
| | | | <installed app name> | <rsl for rms weblogic user alias> | <rsl for rms weblogic user name> | App use | Installer | rsl-rms-weblogic-alias | |
| RSL app | JAVA | <RSL INSTALL DIR>/rsl-rms/security/config | rsl-rsm | <rsl weblogic user alias> | <rsl weblogic user name> | App use | Installer | weblogic-alias | Each alias must be unique |
| | | | rsl-rsm | <rms schema user alias> | <rms schema user name> | App use | Installer | rms01user-alias | |
| SIM app | JAVA | <weblogic domain home>/retail/<deployed sim app name>/config | rpm | <rpm weblogic user alias> | <rpm weblogic user name> | App use | Installer | rpm-weblogic-alias | |
| | | | rms | <rsl for rms weblogic user alias> | <rsl for rms weblogic user name> | App use | Installer | rsl-rms-weblogic-alias | |
| | | | rib-sim | <rib-sim weblogic user alias> | <rib-sim weblogic user name> | App use | Installer | rib-sim-weblogic-alias | |
| RETL | JAVA | <RETL home>/etc/security | n/a | <target application user alias> | <target application db userid> | App use | Manual | retl_java_rms01user | User may vary depending on RETL flow's target application |
| RETL | DB | <RETL home>/.wallet | n/a | <target application user alias> | <target application db userid> | App use | Manual | <db>_<user> | User may vary depending on RETL flow's target application |
| RIB | JAVA | <RIBHOME DIR>/deployment-home/conf/security | | | | | | | <app> is one of aip, rfm, rms, rpm, sim, rwms, tafr |
| RIB (JMS) | | | jms<1-5> | <jms user alias> for jms<1-5> | <jms user name> for jms<1-5> | Integration use | Installer | jms-alias | |
| RIB (WebLogic) | | | rib-<app>-app-server-instance | <rib-app weblogic user alias> | <rib-app weblogic user name> | Integration use | Installer | weblogic-alias | |
| RIB (Admin GUI) | | | rib-<app>#web-app-user-alias | <rib-app admin gui user alias> | <rib-app admin gui user name> | Integration use | Installer | admin-gui-alias | |
| RIB (Application) | | | rib-<app>#user-alias | <app weblogic user alias> | <app weblogic user name> | Integration use | Installer | app-user-alias | Valid only for aip, rpm, sim |
| RIB (DB) | | | rib-<app>#app-db-user-alias | <rib-app database schema user alias> | <rib-app database schema user name> | Integration use | Installer | db-user-alias | Valid only for rfm, rms, rwms, tafr |
| RIB (Error Hospital) | | | rib-<app>#hosp-user-alias | <rib-app error hospital database schema user alias> | <rib-app error hospital database schema user name> | Integration use | Installer | hosp-user-alias | |