What is Oracle Wallet
This is accomplished by using a database connection string in the data source definition that is resolved by an entry in the Wallet.
This feature can be taken a step further by also using the Oracle TNS (Transparent Network Substrate) administrative file to hide the details of the database connection string (host name, port number, and service name) from the data source definition and instead use an alias. If the connection information changes, it is simply a matter of changing the tnsnames.ora file instead of potentially many data source definitions.
The wallet can be used to have common credentials between different domains. That includes two different WebLogic Server domains or sharing credentials between WebLogic Server and the database. When used correctly, it makes having passwords in the data source configuration unnecessary.
Where to Keep Your Wallet
$ORACLE_HOME/oracle_common/bin/mkstorecommand. Often the storage of the Wallet is managed by a database administrator and provided for use by the client. A configured Wallet consists of two files,
ewallet.p12stored in a secure Wallet directory.
You can also install the Oracle Client Runtime package to provide the necessary commands and libraries to create and manage Wallet.
How to Create an External Password Store
Create a Wallet on the client by using the following syntax at the command line:
mkstore -wrl <wallet_location> -create
wallet_location is the path to the directory where you want to create and store the Wallet.
This command creates a Wallet with the autologin feature enabled at the location specified. Autologin enables the client to access the Wallet contents without supplying a password and prevents exposing a clear text password on the client.
mkstore command prompts for a password that is used for subsequent commands. Passwords must have a minimum length of eight characters and contain alphabetic characters combined with numbers or special characters. For example:
mkstore -wrl /tmp/wallet –create Enter password: mysecret PKI-01002: Invalid password. Enter password: mysecret1 (not echoed) Enter password again: mysecret1 (not echoed)
Using Wallet moves the security vulnerability from a clear text password in the data source configuration file to an encrypted password in the Wallet file. Make sure the Wallet file is stored in a secure location.
You can store multiple credentials for multiple databases in one client Wallet. You cannot store multiple credentials (for logging in to multiple schemas) for the same database in the same Wallet. If you have multiple login credentials for the same database, then they must be stored in separate Wallets.
To add database login credentials to an existing client Wallet, enter the following command at the command line:
mkstore -wrl <wallet_location> -createCredential <db_connect_string> <username> <password>
wallet_locationis the path to the directory where you created the Wallet.
db_connect_stringmust be identical to the connection string that you specify in the URL used in the data source definition (the part of the string that follows the
@). It can be either the short form or the long form of the URL. For example:
You should enclose this value in quotation marks to escape any special characters from the shell. Since this name is generally a long and complex value, an alternative is to use TNS aliases. See Using a TNS Alias instead of a DB Connect String.
passwordare the database login credentials.
Repeat for each database you want to use in a WebLogic data source.
See the Oracle Database Advanced Security Administrator's Guide for more information about using autologin and maintaining Wallet passwords.
Defining a WebLogic Server Data Source using the Wallet
To configure a WebLogic Server data source to use a Wallet you need to copy the Wallet files to the secure directory on the client machine and update the data source configuration files.
Use the following procedures to configure a WebLogic Server data source to use Wallet:
Copy the Wallet Files
Copy the Wallet files,
ewallet.p12, from the database machine to the client machine and locate it in a secure directory.
Update the Data Source Configuration
Use the following steps to configure a WebLogic data source to use Oracle Wallet:
- Do not enter a user or password in the WebLogic Server Administration Console when creating a data source or deleting them from an existing data source. If a user, password, or encrypted password appear in the configuration, it overrides the Oracle wallet values.
- Add the value
oracle.net.wallet_location=wallet_directoryto Connection Properties.
wallet_directoryis the secure directory location in Step 1 of Copy the Wallet Files. An alternative method is use the
-Doracle.net.wallet_locationsystem property and add it to
JAVA_OPTIONS. Oracle recommends using the connection property.
Using a TNS Alias instead of a DB Connect String
tnsnames.orafile with an associated alias name. The alias name is then used both in the URL and the Wallet.
- Specify the system property
tns_directoryis the directory location of the
Do not use the
tns_directorylocation as a connection property.
- Create or modify a
tnsnames.orafile in the directory location specified by
tns_directory. The entry has the form:
hostis URL of a database listener,
portis the port a database listener, and
serviceis the service name of the database you would like to connect to.
There are additional attributes that can be configured, see Local Naming Parameters (tnsnames.ora) in the Database Net Services Reference. Oracle recommends that the string be entered on a single line.
- Use the alias in the data source definition URL by replacing the connection string with the alias. For example, change the URL attribute in the Connection Pool tab of the Administrative Console to
Once created, it should not be necessary to modify the alias or the data source definition again. To change the user credential, update the Wallet. To change the connection information, update the
tnsnames.ora file. In either case, the data source must be re-deployed. The simplest way to redeploy a data source is to untarget and target the data source in the WebLogic Server Administration Console. This configuration is supported for Oracle release 10.2 and higher drivers.