This chapter includes the following sections:
Oracle Wallet provides an simple and easy method to manage database credentials across multiple domains. It allows you to update database credentials by updating the Wallet instead of having to change individual datasource definitions. This is accomplished by using a database connection string in the datasource definition that is resolved by an entry in the wallet.
This feature can be taken a step further by also using the Oracle TNS (Transparent Network Substrate) administrative file to hide the details of the database connection string (host name, port number, and service name) from the datasource definition and instead use an alias. If the connection information changes, it is simply a matter of changing the tnsnames.ora file instead of potentially many datasource definitions.
The wallet can be used to have common credentials between different domains. That includes two different WLS domains or sharing credentials between WLS and the database. When used correctly, it makes having passwords in the datasource configuration unnecessary.
Oracle recommends that you create and manage the Wallet in a database environment. This environment provides all the necessary commands and libraries, including the $ORACLE_HOME/oracle_common/bin/mkstore
command. Often this task is completed by a database administrator and provided for use by the client. A configured Wallet consists of two files, cwallet.sso
and ewallet.p12
stored in a secure Wallet directory
Note:
You can also install the Oracle Client Runtime package to provide the necessary commands and libraries to create and manage Oracle Wallet.
Create a wallet on the client by using the following syntax at the command line:
mkstore -wrl <wallet_location> -create
where wallet_location
is the path to the directory where you want to create and store the wallet.
This command creates an Oracle Wallet with the autologin feature enabled at the location specified. Autologin enables the client to access the Wallet contents without supplying a password and prevents exposing a clear text password on the client.
The mkstore
command prompts for a password that is used for subsequent commands. Passwords must have a minimum length of eight characters and contain alphabetic characters combined with numbers or special characters. For example:
mkstore -wrl /tmp/wallet –create Enter password: mysecret PKI-01002: Invalid password. Enter password: mysecret1 (not echoed) Enter password again: mysecret1 (not echoed)
Note:
Using Oracle Wallet moves the security vulnerability from a clear text password in the datasource configuration file to an encrypted password in the Wallet file. Make sure the Wallet file is stored in a secure location.
You can store multiple credentials for multiple databases in one client wallet. You cannot store multiple credentials (for logging in to multiple schemas) for the same database in the same wallet. If you have multiple login credentials for the same database, then they must be stored in separate wallets.
To add database login credentials to an existing client wallet, enter the following command at the command line:
mkstore -wrl <wallet_location> -createCredential <db_connect_string> <username> <password>
where:
The wallet_location
is the path to the directory where you created the wallet.
The db_connect_string
must be identical to the connection string that you specify in the URL used in the datasource definition (the part of the string that follows the @
). It can be either the short form or the long form of the URL. For example:
myhost:1521/myservice
or
(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=myhost-scan)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=myservice)))
Note:
You should enclose this value in quotation marks to escape any special characters from the shell. Since this name is generally a long and complex value, an alternative is to use TNS aliases. See Using a TNS Alias instead of a DB Connect String.
The username
and password
are the database login credentials.
Repeat for each database you want to use in a WebLogic datasource.
See the Oracle Database Advanced Security Administrator's Guide for more information about using autologin and maintaining Wallet passwords.
Use the following procedures to configure a WebLogic Server datasource to use Oracle Wallet:
Copy the Wallet files, cwallet.sso
and ewallet.p12
, from the database machine to the client machine and locate it in a secure directory.
Instead of specifying a matching database connection string in the URL and in the Oracle Wallet, you can create an alias to map the URL information. The connection string information is stored in tnsnames.ora
file with an associated alias name. The alias name is then used both in the URL and the Wallet.
Once created, it should not be necessary to modify the alias or the datasource definition again. To change the user credential, update the Wallet. To change the connection information, update the tnsnames.ora
file. In either case, the datasource must be re-deployed. The simplest way to redeploy a datasource is to untarget and target the datasource in the WebLogic Server Administration Console. This configuration is supported for Oracle release 10.2 and higher drivers.