15 Managing Online and Offline Secrets
You can store and manage credential files in Oracle Key Vault as opaque objects that an endpoint can retrieve when needed.
- Uploading and Downloading Credential Files
Theokvutil upload
andokvutil download
commands can upload and download credential files. - Managing Secrets and Credentials for SQL*Plus
To manage passwords in SQL*Plus scripts for a large number of Oracle databases, you can upload the passwords to Oracle Key Vault. - Managing Secrets and Credentials for SSH
You can perform public key authentication with private keys that are protected in Oracle Key Vault. - Integrating Oracle Key Vault with SSH Public Key Authentication
You can use Oracle Key Vault to store your public and private keys for SSH. - Centrally Managing Passwords in Oracle Key Vault
You can centrally manage passwords in Oracle Key Vault by using external keystores or adding them to shared virtual wallets as secrets.
15.1 Uploading and Downloading Credential Files
The okvutil upload
and okvutil download
commands can upload and download credential files.
- About Uploading and Downloading Credential Files
You use theokvutil
utility to upload and download credential files. - Uploading a Credential File
Theokvutil upload
command can upload credential files. - Downloading a Credential File
Theokvutil download
command can download credential files. - Guidelines for Uploading and Downloading Credential Files
Oracle provides recommendations for when you upload and download credential files.
Parent topic: Managing Online and Offline Secrets
15.1.1 About Uploading and Downloading Credential Files
You use the okvutil
utility to upload and download credential files.
Credential files are uploaded and stored as opaque objects in Oracle Key Vault, which means that Oracle Key Vault does not parse the contents of the file like an Oracle wallet or Java keystore. The upload process does not alter the credential file.
Examples of opaque objects are as follows:
-
Files that contain X.509 certificates
-
Kerberos keytabs
-
Files containing passwords
-
Files containing SSH keys
Uploading these credential files provides a central, secure location for long-term retention. After you have uploaded a credential file, you can download it in the same server location or share it with other trusted servers. Oracle Key Vault supports credential files up to 128 KB in size.
You can place the credential file anywhere in your server infrastructure (which includes database servers and application servers) that is accessible by an Oracle Key Vault endpoint.
Parent topic: Uploading and Downloading Credential Files
15.1.3 Downloading a Credential File
The okvutil download
command can download credential files.
Related Topics
Parent topic: Uploading and Downloading Credential Files
15.1.4 Guidelines for Uploading and Downloading Credential Files
Oracle provides recommendations for when you upload and download credential files.
-
After you complete the upload, upload the credential file again the next time it is changed. Otherwise, the uploaded (and subsequent downloaded version) file will be outdated. Periodically, you should compare the last modification date of the credential file with the timestamp of the uploaded version.
-
Use care if you use the
okvutil upload
andokvutil download
commands, which provide an overwrite (-o
) option. This option overwrites the uploaded credential file. You may want to create backups of the credential files before beginning the upload and download processes. -
You can share one credential file among multiple server endpoints. Add the credential file as an opaque object to a virtual wallet using the
-g
option of theokvutil upload
command. Grant access of that virtual wallet to all the server endpoints. Optionally, define an endpoint group and then make all the server endpoints members of that endpoint group. Grant this endpoint group access to that virtual wallet. Afterward, all the members of the group will have access to that wallet.
Related Topics
Parent topic: Uploading and Downloading Credential Files
15.2 Managing Secrets and Credentials for SQL*Plus
To manage passwords in SQL*Plus scripts for a large number of Oracle databases, you can upload the passwords to Oracle Key Vault.
Many large sites use automated scripts to log in to Oracle databases to perform regular maintenance activities such as Oracle Recovery Manager (Oracle RMAN) backups, batch loading into an Oracle Database data warehouse, and similar tasks. Usually these scripts must connect as a highly privileged user. Logging in as a highly privileged user means that the scripts must have access to the user's password. Hard-coding a clear-text password into a script is, of course, very poor security. And if the user's password changes, then none of the scripts can work. One solution to avoiding the use of clear-text passwords in scripts is to put the passwords into an auto-open wallet (called the secure external password store) and then instruct the client application to retrieve the password from there. However, this idea only works if you only have a few databases. But if you have hundreds of databases, then the passwords are difficult to manage and require an update for each secure external password store.
If you have a large number of Oracle databases, you can store passwords centrally and then retrieve them securely for database connections. This capability has the following advantages:
- Eliminates clear-text passwords from your maintenance scripts
- Simplifies password changes
- Does not require extra entries in the
sqlnet.ora
file - Makes the secure external password store obsolete
Related Topics
Parent topic: Managing Online and Offline Secrets
15.3 Managing Secrets and Credentials for SSH
You can perform public key authentication with private keys that are protected in Oracle Key Vault.
In many IT departments, public key authentication is the default approach to securely log into remote servers without having an administrator having to remember the password, for both on-premise or cloud-based hosts. If you are using Oracle Cloud Infrastructure (Oracle OCI), then the password of the user opc
is unknown, so public key authentication is the only way to log into an OCI compute instance. This method is convenient, but not without risk. If the private key is lost, then remotely logging in is no longer possible. In addition, the process of provisioning a new public key is time consuming. Another problem is that because the private key uniquely identifies its owner, if it is stolen, copied, or compromised, then an intruder can easily cause a great deal of trouble, with the evidence pointing at the owner, not the intruder.
As a solution to these problems, consider uploading the SSH private keys into Oracle Key Vault by using the okvutil upload
command. The benefits are as follows:
- Because the SSH keys are not on your host computer, they cannot be copied or stolen, and furthermore, they are safe from disk or file corruptions.
- The SSH keys are included in Oracle Key Vault backup operations, so losing them is impossible.
- Oracle Key Vault provides continuous and fault-tolerant availability by allowing up to 16 Oracle Key Vault servers to connect to one multi-master cluster. Read-write pairs guarantee that highly sensitive information (such as encryption keys or passwords) are replicated to at least one or more Oracle Key Vault servers.
Related Topics
Parent topic: Managing Online and Offline Secrets
15.4 Integrating Oracle Key Vault with SSH Public Key Authentication
You can use Oracle Key Vault to store your public and private keys for SSH.
The Key Administrator or users with appropriate access can centrally manage the public or private key pairs for SSH public key authentication in Oracle Key Vault. When required, the key pairs can be rotated or revoked. As the keys are centrally managed, an authorized user can login to a remote machine without the private key existing on the local disk.
- Step 1: Creating and Uploading the Key Pair
Use an Oracle Key Vault endpoint to create and upload the key pair. - Step 2: Using an Endpoint to SSH a Remote Host
You can use an endpoint to SSH to a remote host. - Step 3: Incorporating an ssh-agent
You can incorporate an ssh-agent to prevent specifying the PKCS#11 library.
Parent topic: Managing Online and Offline Secrets
15.4.1 Step 1: Creating and Uploading the Key Pair
Use an Oracle Key Vault endpoint to create and upload the key pair.
OpenSSH must be at least at version 7.2p1 for endpoints that do not require a password and at version 8.1p1 for endpoints that do require a password.
15.4.2 Step 2: Using an Endpoint to SSH a Remote Host
You can use an endpoint to SSH to a remote host.
- being the endpoint that created the key pair
- being directly given access to the wallet in which the keys are located
- being added to an endpoint group that has been given access to the wallet in which the keys are located
OKV_HOME
must be set to the directory in which the endpoint software was deployed. As a result,
should point to the location of the OKV PKCS#11 library.$OKV_HOME/lib/liborapkcs.so
15.4.3 Step 3: Incorporating an ssh-agent
You can incorporate an ssh-agent to prevent specifying the PKCS#11 library.
You can use ssh-agent to prevent specifying the PKCS#11 library location and endpoint password each time you want to SSH into a remote host.
This requires having setup the key pair as described in,Step 2: Using an Endpoint to SSH a Remote Host.
15.5 Centrally Managing Passwords in Oracle Key Vault
You can centrally manage passwords in Oracle Key Vault by using external keystores or adding them to shared virtual wallets as secrets.
- About Centrally Managing Passwords in Oracle Key Vault
You can store passwords centrally in Oracle Key Vault and retrieve these passwords securely (for example, when logging into an Oracle database). - Creating and Sharing Centrally Managed Passwords
To create and share centrally managed passwords (external keystore passwords) for large database deployments, you first must use an Oracle Key Vault client and RESTful services utility commands. - Example: Script for Using External Keystore Passwords in SQL*Plus Operations
You can create a script that retrieves the UUID of uploaded passwords by the user name and then inserts the password into the SQL*Plus command. - Sharing Secrets with Other Databases
Sharing information in Oracle Key Vault requires a virtual wallet in Oracle Key Vault, and multiple databases connecting into their own endpoints that have access to the shared wallet. - Changing Passwords for a Large Database Deployment
For better security, on a regular basis, you should change passwords that are used by both humans and automated processes.
Parent topic: Managing Online and Offline Secrets
15.5.1 About Centrally Managing Passwords in Oracle Key Vault
You can store passwords centrally in Oracle Key Vault and retrieve these passwords securely (for example, when logging into an Oracle database).
Storing passwords centrally in Oracle Key Vault has the following benefits:
- It eliminates the need for clear text passwords in your maintenance scripts.
- It eliminates the need for the secure external password store.
- It simplifies password changes.
- It does not require changes to the
sqlnet.ora
file.
Database administrators often use automated scripts to perform regular maintenance such as Oracle Recovery Manager (Oracle RMAN) backups, loading data into Oracle Data Warehouse, or refreshing materialized views. These scripts log in to the Oracle Database with the passwords of highly privileged users, which unfortunately is a poor security practice in that it entails hard-coded clear-text passwords in the script. And of course if the password changes, then all the scripts must be changed as well. One way to remove the need for clear-text passwords is to put the passwords into an auto-open wallet (called the secure external password store) and instruct the client to retrieve the password from there. This practice works well for a few databases, but if you have hundreds of databases, it is difficult to manage. Furthermore, password changes require you to update every secure external password store. By storing passwords in a central location, you eliminate this problem.
Parent topic: Centrally Managing Passwords in Oracle Key Vault
15.5.2 Creating and Sharing Centrally Managed Passwords
To create and share centrally managed passwords (external keystore passwords) for large database deployments, you first must use an Oracle Key Vault client and RESTful services utility commands.
15.5.3 Example: Script for Using External Keystore Passwords in SQL*Plus Operations
You can create a script that retrieves the UUID of uploaded passwords by the user name and then inserts the password into the SQL*Plus command.
The benefit of this script is that no matter how many administrative or maintenance scripts log into that database, the script stays the same. For each new user account, you only upload the password and attributes file for the user, and then activate the secret.
For example, a script called log-me-in.sh
can be as follows:
#!/bin/bash
set +x
# ************************************************
# ** Read user name and connect string from ******
# ** command line into variables *****************
# ************************************************
export user="${1}"
export TWO_TASK="${2}"
export PRIV="${3}"
KMIP_ID=$(okv managed-object object locate --output_format text --custom-attribute '[{"name": "x-NAME", "value" : "'${user}'"}, {"name": "x-CONNECT-STRING", "value": "'${TWO_TASK}'"}]')
pwd='"'$(okv managed-object secret get --output_format text --uuid ${KMIP_ID})'"'
if [ "${PRIV}" == 'AS SYSBACKUP' ]; then
rman target ''"'${user}/${pwd}@${TWO_TASK} ${PRIV}'"''
else
sqlplus ${user}/${pwd}
fi
You can make this file immutable by applying extended attributes. For example, in Linux as the root
user, use the following chattr
command:
# chattr +i log-me-in.sh
To execute this script, use the following syntax:
$ ./log-me-in.sh user_name hostname:port/service 'AS privilege'
For example to log in the nightly_backup
user:
$ ./log-me-in.sh nightly_backup sales19c.us.example.com:1521/finpdb.us.example.com 'AS SYSBACKUP'
Output similar to the following appears:
Recovery Manager: Release 19.0.0.0.0 - Production on Fri Jun 26 12:22:04 2020
Version 19.7.0.0.0
Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved.
connected to target database: sales19c:finpdb (DBID=3200396863)
RMAN>
The following example command logs in as the refresh_dwh
user:
$ ./log-me-in.sh refresh_dwh sales19c.us.example.com:1521/finpdb.us.example.com
SQL> SHOW USER
REFRESH_DWH
If the owner of the target schema allows the refresh_dwh
account user to log in, then the schema owner must grant the CONNECT THROUGH
privilege to refresh_dwh
, as follows:
- In SQL*Plus, execute the
ALTER USER
statement to create the proxy. For example:ALTER USER HR GRANT CONNECT THROUGH refresh_dwh;
- In the script, change the last line (
sqlplus "${user}"/"${pwd}"
) to include the proxy. For example, to includeHR
:sqlplus "${user}"[HR]/"${pwd}"
Related Topics
Parent topic: Centrally Managing Passwords in Oracle Key Vault
15.5.4 Sharing Secrets with Other Databases
Sharing information in Oracle Key Vault requires a virtual wallet in Oracle Key Vault, and multiple databases connecting into their own endpoints that have access to the shared wallet.
15.5.5 Changing Passwords for a Large Database Deployment
For better security, on a regular basis, you should change passwords that are used by both humans and automated processes.
Related Topics
Parent topic: Centrally Managing Passwords in Oracle Key Vault