12 Creating and Managing Oracle Wallet
- What is Oracle Wallet
  Wallet provides a simple and easy method to manage database credentials across multiple domains. It allows you to update database credentials by updating the Wallet instead of having to change individual data source definitions. Updates are accomplished by using a database connection string in the data source definition that is resolved by an entry in the Wallet.
- Where to Keep Your Wallet
  Oracle recommends that you create and manage the location of the Wallet in the database environment. The database environment provides all the necessary commands and libraries, including the $ORACLE_HOME/oracle_common/bin/mkstore command. Often the storage of the Wallet is managed by a database administrator and provided for use by the client. A configured Wallet consists of two files, cwallet.sso and ewallet.p12, stored in a secure Wallet directory.
- How to Create an External Password Store
  Wallet has an automatic login feature that allows the client to access the Wallet contents without supplying a password. Use of this feature prevents exposing a clear text password on the client. Learn how to create a Wallet at the desired location and provide credentials in the Wallet file.
- Defining a WebLogic Server Data Source using the Wallet
  To configure a WebLogic Server data source to use a Wallet, you need to copy the Wallet files to the secure directory on the client machine and update the data source configuration files.
- Using a TNS Alias instead of a DB Connect String
  Instead of specifying a matching database connection string in the URL and in the Oracle Wallet, you can create an alias to map the URL information. The connection string information is stored in the tnsnames.ora file with an associated alias name. The alias name is then used both in the URL and the Wallet.
What is Oracle Wallet
Wallet provides a simple and easy method to manage database credentials across multiple domains. It allows you to update database credentials by updating the Wallet instead of having to change individual data source definitions. This is accomplished by using a database connection string in the data source definition that is resolved by an entry in the Wallet.
This feature can be taken a step further by also using the Oracle TNS (Transparent Network Substrate) administrative file to hide the details of the database connection string (host name, port number, and service name) from the data source definition and instead use an alias. If the connection information changes, it is simply a matter of changing the tnsnames.ora file instead of potentially many data source definitions.
The wallet can be used to have common credentials between different domains. That includes two different WebLogic Server domains or sharing credentials between WebLogic Server and the database. When used correctly, it makes having passwords in the data source configuration unnecessary.
Where to Keep Your Wallet
Oracle recommends that you create and manage the location of the Wallet in the database environment. The database environment provides all the necessary commands and libraries, including the $ORACLE_HOME/oracle_common/bin/mkstore command. Often the storage of the Wallet is managed by a database administrator and provided for use by the client. A configured Wallet consists of two files, cwallet.sso and ewallet.p12, stored in a secure Wallet directory.
Note:
You can also install the Oracle Client Runtime package to provide the necessary commands and libraries to create and manage a Wallet.
How to Create an External Password Store
Create a Wallet on the client by using the following syntax at the command line:
mkstore -wrl <wallet_location> -create
where wallet_location is the path to the directory where you want to create and store the Wallet.
This command creates a Wallet with the autologin feature enabled at the location specified. Autologin enables the client to access the Wallet contents without supplying a password and prevents exposing a clear text password on the client.
The mkstore command prompts for a password that is used for subsequent commands. Passwords must have a minimum length of eight characters and contain alphabetic characters combined with numbers or special characters. For example:
mkstore -wrl /tmp/wallet -create
Enter password: mysecret
PKI-01002: Invalid password.
Enter password: mysecret1 (not echoed)
Enter password again: mysecret1 (not echoed)
Note:
Using Wallet moves the security vulnerability from a clear text password in the data source configuration file to an encrypted password in the Wallet file. Make sure the Wallet file is stored in a secure location.
You can store multiple credentials for multiple databases in one client Wallet. You cannot store multiple credentials (for logging in to multiple schemas) for the same database in the same Wallet. If you have multiple login credentials for the same database, then they must be stored in separate Wallets.
To add database login credentials to an existing client Wallet, enter the following command at the command line:
mkstore -wrl <wallet_location> -createCredential <db_connect_string> <username> <password>
where:
- The wallet_location is the path to the directory where you created the Wallet.
- The db_connect_string must be identical to the connection string that you specify in the URL used in the data source definition (the part of the string that follows the @). It can be either the short form or the long form of the URL. For example: myhost:1521/myservice or (DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=myhost-scan)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=myservice)))
  Note:
  You should enclose this value in quotation marks to escape any special characters from the shell. Since this name is generally a long and complex value, an alternative is to use TNS aliases. See Using a TNS Alias instead of a DB Connect String.
- The username and password are the database login credentials.
- Repeat for each database you want to use in a WebLogic data source.
See the Oracle Database Advanced Security Administrator's Guide for more information about using autologin and maintaining Wallet passwords.
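The following POSIX shell functions are an added example, not code from the Oracle documentation or the mkstore tool. They pre-check the two rules this section states before a Wallet is handed to a client: the mkstore password rule (at least eight characters, alphabetic characters combined with numbers or special characters, otherwise PKI-01002 is returned) and the requirement that the configured Wallet, consisting of cwallet.sso and ewallet.p12, lives in a secure directory. "Secure" is read here as owner-only access on the directory and both files; that reading, and the function names wallet_password_ok, perm_bits and check_wallet_dir, are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the Oracle documentation): pre-checks for a
# client Wallet before it is used by a WebLogic Server data source.

# wallet_password_ok PASSWORD: 0 if PASSWORD meets the mkstore rule quoted
# on the page (eight or more characters, letters combined with digits or
# special characters), so the -create prompt does not reject it with PKI-01002.
wallet_password_ok() {
    pw=$1
    [ "${#pw}" -ge 8 ] || return 1
    case $pw in *[A-Za-z]*) ;; *) return 1 ;; esac    # needs at least one letter
    case $pw in *[!A-Za-z]*) ;; *) return 1 ;; esac   # needs a digit or special character
    return 0
}

# perm_bits PATH: the group and other permission characters of PATH as shown
# by ls -ld, e.g. "------" for mode 0700 or 0600.
perm_bits() {
    ls -ld "$1" | cut -c5-10
}

# check_wallet_dir DIR: 0 if DIR exists, holds both cwallet.sso and
# ewallet.p12, and neither DIR nor the two files grant any group/other
# access. Owner-only access is this example's reading of "a secure Wallet
# directory"; it is an assumption, not a rule stated in the documentation.
check_wallet_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    for f in cwallet.sso ewallet.p12; do
        [ -f "$dir/$f" ] || { echo "missing Wallet file: $dir/$f" >&2; return 1; }
    done
    for p in "$dir" "$dir/cwallet.sso" "$dir/ewallet.p12"; do
        if [ "$(perm_bits "$p")" != "------" ]; then
            echo "group/other access permitted on $p (expected none)" >&2
            return 1
        fi
    done
    return 0
}
```

Run check_wallet_dir against the Wallet directory after it has been copied to the client; it fails loudly on a readable-by-others cwallet.sso, which is exactly the file autologin makes sufficient for access. When adding credentials, keep the connect string quoted as the Note above says: mkstore -wrl "$WALLET_DIR" -createCredential "$DB_CONNECT_STRING" "$DB_USER" "$DB_PASSWORD", where the four variables are placeholders for your own values.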
Defining a WebLogic Server Data Source using the Wallet
To configure a WebLogic Server data source to use a Wallet, you need to copy the Wallet files to the secure directory on the client machine and update the data source configuration files.
Use the following procedures to configure a WebLogic Server data source to use Wallet:
Copy the Wallet Files
Copy the Wallet files, cwallet.sso and ewallet.p12, from the database machine to the client machine and place them in a secure directory.
Update the Data Source Configuration
Use the following steps to configure a WebLogic data source to use Oracle Wallet:
Using a TNS Alias instead of a DB Connect String
Instead of specifying a matching database connection string in the URL and in the Oracle Wallet, you can create an alias to map the URL information. The connection string information is stored in the tnsnames.ora file with an associated alias name. The alias name is then used both in the URL and the Wallet. Once created, it should not be necessary to modify the alias or the data source definition again. To change the user credential, update the Wallet. To change the connection information, update the tnsnames.ora file. In either case, the data source must be re-deployed. The simplest way to redeploy a data source is to untarget and target the data source in the WebLogic Server Administration Console. This configuration is supported for Oracle release 10.2 and higher drivers.
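Because the same alias must appear in the data source URL, in the Wallet credential and in tnsnames.ora, a mismatch between the three is the usual reason a Wallet-backed data source fails to deploy. The shell functions below are an added example, not Oracle code or part of this guide: they take the text after the @ in a data source URL (the rule given earlier for db_connect_string) and confirm that it is defined as an alias in a tnsnames.ora file, printing the connect descriptor with whitespace removed so it can be compared with the value stored in the Wallet. The sample tnsnames.ora is constructed here from the host, port and service name of the page's own connect string example; the function names tns_lookup, url_alias and check_url_alias are this example's own, and the parser assumes one alias per entry (comma-separated alias lists are not handled).

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): verify that the TNS
# alias named in a data source URL is defined in tnsnames.ora.

# Constructed sample tnsnames.ora; host, port and service name are taken from
# the connect string example on this page. Written to a temporary file so the
# functions below can be run offline.
TNS_SAMPLE=$(mktemp)
cat >"$TNS_SAMPLE" <<'EOF'
# constructed sample file for this example
MYDB =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = myhost-scan)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = myservice))
  )

REPORTS.EXAMPLE.COM = (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=myhost-scan)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=reports)))  # one-line entry
EOF

# tns_lookup ALIAS FILE: print the connect descriptor for ALIAS with all
# whitespace removed (alias matched case-insensitively); return 1 if absent.
tns_lookup() {
    awk -v want="$1" '
        { sub(/#.*/, "") }                       # drop comments
        /^[ \t]*$/ { next }                      # skip blank lines
        /^[A-Za-z0-9_.-]+[ \t]*=/ {              # an alias starts at column 1
            if (cur != "") entry[cur] = buf
            cur = $0; sub(/[ \t]*=.*/, "", cur); cur = toupper(cur)
            buf = $0; sub(/^[^=]*=[ \t]*/, "", buf)
            next
        }
        { buf = buf $0 }                         # continuation of the current entry
        END {
            if (cur != "") entry[cur] = buf
            key = toupper(want)
            if (!(key in entry)) exit 1
            d = entry[key]; gsub(/[ \t]/, "", d); print d
        }' "$2"
}

# url_alias URL: print the part of a data source URL that follows "@"
# (the alias or connect string the page says must match the Wallet entry);
# return 1 if the URL has no "@".
url_alias() {
    case $1 in
        *@*) printf '%s\n' "${1#*@}" ;;
        *)   return 1 ;;
    esac
}

# check_url_alias URL FILE: 0 if the alias in URL is defined in FILE.
check_url_alias() {
    a=$(url_alias "$1") || { echo "no @alias in URL: $1" >&2; return 1; }
    if ! tns_lookup "$a" "$2" >/dev/null; then
        echo "alias '$a' is not defined in $2" >&2
        return 1
    fi
    return 0
}
```

Point check_url_alias at the URL from the data source definition and the tnsnames.ora the client actually reads; when it reports a missing alias, either the URL or the tnsnames.ora file is the one that changed, and the Wallet credential keyed by that alias will not be found either.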