12 Creating and Managing Oracle Wallet

Oracle Wallet allows you to store database credentials for WebLogic JDBC data source definitions.

What is Oracle Wallet

Wallet provides a simple and easy method to manage database credentials across multiple domains. It allows you to update database credentials by updating the Wallet instead of having to change individual data source definitions. Updates are accomplished by using a database connection string in the data source definition that is resolved by an entry in the Wallet.

This is accomplished by using a database connection string in the data source definition that is resolved by an entry in the Wallet.

This feature can be taken a step further by also using the Oracle TNS (Transparent Network Substrate) administrative file to hide the details of the database connection string (host name, port number, and service name) from the data source definition and instead use an alias. If the connection information changes, it is simply a matter of changing the tnsnames.ora file instead of potentially many data source definitions.

The wallet can be used to have common credentials between different domains. That includes two different WebLogic Server domains or sharing credentials between WebLogic Server and the database. When used correctly, it makes having passwords in the data source configuration unnecessary.

Where to Keep Your Wallet

Oracle recommends that you create and manage the location of the Wallet in the database environment. The database environment provides all the necessary commands and libraries, including the $ORACLE_HOME/oracle_common/bin/mkstore command. Often the storage of the Wallet is managed by a database administrator and provided for use by the client. A configured Wallet consists of two files, cwallet.sso and ewallet.p12 stored in a secure Wallet directory.

Note:

You can also install the Oracle Client Runtime package to provide the necessary commands and libraries to create and manage Wallet.

How to Create an External Password Store

Wallet has an automatic login feature that allows the client to access the Wallet contents without supplying a password. Use of this feature prevents exposing a clear text password on the client. Learn how to create an Wallet at the desired location and provide credentials in the Wallet file.

Create a Wallet on the client by using the following syntax at the command line:

mkstore -wrl <wallet_location> -create

where wallet_location is the path to the directory where you want to create and store the Wallet.

This command creates a Wallet with the autologin feature enabled at the location specified. Autologin enables the client to access the Wallet contents without supplying a password and prevents exposing a clear text password on the client.

The mkstore command prompts for a password that is used for subsequent commands. Passwords must have a minimum length of eight characters and contain alphabetic characters combined with numbers or special characters. For example:

mkstore -wrl /tmp/wallet –create 
Enter password: mysecret 
PKI-01002: Invalid password. 
Enter password: mysecret1  (not echoed) 
Enter password again: mysecret1 (not echoed)

Note:

Using Wallet moves the security vulnerability from a clear text password in the data source configuration file to an encrypted password in the Wallet file. Make sure the Wallet file is stored in a secure location.

You can store multiple credentials for multiple databases in one client Wallet. You cannot store multiple credentials (for logging in to multiple schemas) for the same database in the same Wallet. If you have multiple login credentials for the same database, then they must be stored in separate Wallets.

To add database login credentials to an existing client Wallet, enter the following command at the command line:

mkstore -wrl <wallet_location> -createCredential <db_connect_string> <username> <password>

where:

  • The wallet_location is the path to the directory where you created the Wallet.

  • The db_connect_string must be identical to the connection string that you specify in the URL used in the data source definition (the part of the string that follows the @). It can be either the short form or the long form of the URL. For example:

    myhost:1521/myservice or

    (DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=myhost-scan)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=myservice)))

    Note:

    You should enclose this value in quotation marks to escape any special characters from the shell. Since this name is generally a long and complex value, an alternative is to use TNS aliases. See Using a TNS Alias instead of a DB Connect String.

  • The username and password are the database login credentials.

  • Repeat for each database you want to use in a WebLogic data source.

See the Oracle Database Advanced Security Administrator's Guide for more information about using autologin and maintaining Wallet passwords.

Defining a WebLogic Server Data Source using the Wallet

To configure a WebLogic Server data source to use a Wallet you need to copy the Wallet files to the secure directory on the client machine and update the data source configuration files.

Use the following procedures to configure a WebLogic Server data source to use Wallet:

Copy the Wallet Files

Copy the Wallet files, cwallet.sso and ewallet.p12, from the database machine to the client machine and locate it in a secure directory.

Update the Data Source Configuration

Use the following steps to configure a WebLogic data source to use Oracle Wallet:

  1. Do not enter a user or password in the WebLogic Server Administration Console when creating a data source or deleting them from an existing data source. If a user, password, or encrypted password appear in the configuration, it overrides the Oracle wallet values.
  2. Add the value oracle.net.wallet_location=wallet_directory to Connection Properties.

    where wallet_directory is the secure directory location in Step 1 of Copy the Wallet Files. An alternative method is use the -Doracle.net.wallet_location system property and add it to JAVA_OPTIONS. Oracle recommends using the connection property.

Using a TNS Alias instead of a DB Connect String

Instead of specifying a matching database connection string in the URL and in the Oracle Wallet, you can create an alias to map the URL information. The connection string information is stored in tnsnames.ora file with an associated alias name. The alias name is then used both in the URL and the Wallet.
Use the following steps to create an TNS alias:
  1. Specify the system property -Doracle.net.tns_admin=tns_directory where tns_directory is the directory location of the tnsnames.ora file.

    Note:

    Do not use the tns_directory location as a connection property.

  2. Create or modify a tnsnames.ora file in the directory location specified by tns_directory. The entry has the form:

    alias=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=host)(PORT=port))(CONNECT_DATA=(SERVICE_NAME=service)))

    Where host is URL of a database listener, port is the port a database listener, and service is the service name of the database you would like to connect to.

    There are additional attributes that can be configured, see Local Naming Parameters (tnsnames.ora) in the Database Net Services Reference. Oracle recommends that the string be entered on a single line.

  3. Use the alias in the data source definition URL by replacing the connection string with the alias. For example, change the URL attribute in the Connection Pool tab of the Administrative Console to jdbc:oracle:thin:@alias.

Once created, it should not be necessary to modify the alias or the data source definition again. To change the user credential, update the Wallet. To change the connection information, update the tnsnames.ora file. In either case, the data source must be re-deployed. The simplest way to redeploy a data source is to untarget and target the data source in the WebLogic Server Administration Console. This configuration is supported for Oracle release 10.2 and higher drivers.