Tuesday, October 12, 2021

Oracle Wallet Manager - External Password Store

 

Configuring catalog user to Use the External Password Store




This era of security is a major concern , organization use various password management to meet the safety compliance requirements. Protecting database schema and password is very important for any organization. In this article I'm going to focus on securing the RMAN catalog user password and login.

  Oracle wallet is a really user-friendly option which enables autologin feature without supplying a password. It is no longer a part of Oracle Advanced Security. This feature is available in all licensed editions of all supported releases of the Oracle database.

Below link provide more information for oracle wallet manager as external password store.

https://docs.oracle.com/middleware/1213/wls/JDBCA/oraclewallet.htm#JDBCA596


This explanation will be useful for who are new to oracle wallet . 

What is Oracle wallet used for?

Oracle Wallet provides a simple and easy method to manage database credentials across multiple domains. It allows you to update database credentials by updating the Wallet instead of having to change individual data source definitions. This is accomplished by using a database connection string in the data source definition that is resolved by an entry in the wallet.

This feature allows to take a step further by also using the Oracle TNS (Transparent Network Substrate) administrative file to hide the details of the database connection string (host name, port number, and service name) from the data source definition and instead use an alias. If the connection information changes, it is simply a matter of changing the tnsnames.ora file instead of potentially change many data source definitions.

The wallet can be used to have common credentials between different domains. That includes two different WLS domains or sharing credentials between WLS and the database. When used correctly, it makes having passwords in the data source configuration unnecessary.


Step to create wallet and add user credential to wallet.

Create wallet


mkstore -wrl /u01/app/oracle/admin/wallet -create

Wallet password : 0racle123#

[oracle@crs01 wallet]$ mkstore -wrl /u01/app/oracle/admin/wallet -create
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter password:
PKI-01002: Invalid password. Passwords must have a minimum length of eight characters and contain alphabetic characters combined with numbers or special characters.
Enter password:
Enter password again:
[oracle@crs01 wallet]$ ls -lrth
total 8.0K
-rw-------. 1 oracle oinstall   0 Sep 29 14:32 ewallet.p12.lck
-rw-------. 1 oracle oinstall 149 Sep 29 14:32 ewallet.p12
-rw-------. 1 oracle oinstall   0 Sep 29 14:32 cwallet.sso.lck
-rw-------. 1 oracle oinstall 194 Sep 29 14:32 cwallet.sso

Setup sqlnet.ora to use wallet files

We identify the wallet files need to set the sqlnet.ora file with WALLET_LOCATION and SQLNET.WALLET_OVERRIDE = TRUE parameters.


[oracle@crs01 admin]$ cat sqlnet.ora
WALLET_LOCATION =
   (SOURCE =
        (METHOD = FILE)
        (METHOD_DATA = (DIRECTORY=/u01/app/oracle/admin/wallet/))
    )
SQLNET.WALLET_OVERRIDE = TRUE
[oracle@crs01 admin]$

Add user to wallet and verify


[oracle@crs01 admin]$ mkstore -wrl /u01/app/oracle/admin/wallet -createCredential RMAN_CAT_PDB  RMAN_TWHSE rman_twhse
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
[oracle@crs01 admin]$  mkstore -wrl /u01/app/oracle/admin/wallet -listCredential
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
List credential (index: connect_string username)
2: RMAN_CAT_PDB RMAN_TWHSE
1: TWHSE_PDB CHANAKA
[oracle@crs01 admin]$

Login to catalog database



[oracle@crs01 admin]$ sqlplus /@rman_cat_pdb

SQL*Plus: Release 19.0.0.0.0 - Production on Tue Oct 12 16:00:11 2021
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.

Last Successful login time: Tue Oct 12 2021 15:55:17 -04:00

Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0

SQL> show user
USER is "RMAN_TWHSE"
SQL>

Login rman catalog without specifying the password


[oracle@crs01 admin]$ rman target / catalog /@rman_cat_pdb

Recovery Manager: Release 19.0.0.0.0 - Production on Tue Oct 12 16:02:14 2021
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle and/or its affiliates.  All rights reserved.

connected to target database: TWHSE01 (DBID=3636451434)
connected to recovery catalog database

RMAN> create catalog tablespace RMAN_TWHSE_TBS;

recovery catalog created

RMAN> register database;

database registered in recovery catalog
starting full resync of recovery catalog
full resync complete

RMAN>

Modify catalog user password


mkstore -wrl /u01/app/oracle/scripts/tns -modifyCredential RMAN_CAT_PDB  RMAN_TWHSE rman_twhse_123

No comments:

Post a Comment

Exacs database creation using dbaascli

  Intro OCI (Oracle Cloud Infrastructure) provides robust automation capabilities for routine maintenance tasks such as patching, ...