Configuring the RMAN Catalog User to Use the External Password Store
Security is a major concern in this era, and organizations use various password management tools to meet their compliance requirements. Protecting database schemas and passwords is very important for any organization. In this article I'm going to focus on securing the RMAN catalog user's password and login.
Oracle wallet is a user-friendly option that enables auto-login without supplying a password on the command line. The secure external password store is no longer part of Oracle Advanced Security; it is available in all licensed editions of all supported releases of the Oracle database.
What is Oracle wallet used for?
Oracle Wallet provides a simple and easy method to manage database credentials across multiple domains. It allows you to update database credentials by updating the Wallet instead of having to change individual data source definitions. This is accomplished by using a database connection string in the data source definition that is resolved by an entry in the wallet.
This feature allows you to take a step further by also using the Oracle TNS (Transparent Network Substrate) administrative file to hide the details of the database connection string (host name, port number, and service name) from the data source definition and use an alias instead. If the connection information changes, it is simply a matter of changing the tnsnames.ora file instead of potentially changing many data source definitions.
The wallet can be used to have common credentials between different domains. That includes two different WLS domains or sharing credentials between WLS and the database. When used correctly, it makes having passwords in the data source configuration unnecessary.
The link below provides more information on using Oracle Wallet as an external password store.
https://docs.oracle.com/middleware/1213/wls/JDBCA/oraclewallet.htm#JDBCA596
This explanation will be useful for those who are new to Oracle wallet.
Steps to create a wallet and add user credentials to it.
Create the wallet
mkstore -wrl /u01/app/oracle/admin/wallet -create
Wallet password: 0racle123#

[oracle@crs01 wallet]$ mkstore -wrl /u01/app/oracle/admin/wallet -create
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter password:
PKI-01002: Invalid password. Passwords must have a minimum length of eight characters and contain alphabetic characters combined with numbers or special characters.
Enter password:
Enter password again:

[oracle@crs01 wallet]$ ls -lrth
total 8.0K
-rw-------. 1 oracle oinstall   0 Sep 29 14:32 ewallet.p12.lck
-rw-------. 1 oracle oinstall 149 Sep 29 14:32 ewallet.p12
-rw-------. 1 oracle oinstall   0 Sep 29 14:32 cwallet.sso.lck
-rw-------. 1 oracle oinstall 194 Sep 29 14:32 cwallet.sso
Set up sqlnet.ora to use the wallet files
Once the wallet files exist, point the client at them by setting WALLET_LOCATION and SQLNET.WALLET_OVERRIDE = TRUE in the sqlnet.ora file.
[oracle@crs01 admin]$ cat sqlnet.ora
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY=/u01/app/oracle/admin/wallet/)
    )
  )
SQLNET.WALLET_OVERRIDE = TRUE
[oracle@crs01 admin]$
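The wallet directory and the sqlnet.ora above are worth checking together before relying on /@alias logins: cwallet.sso is the auto-login wallet, so anyone who can read it can connect as the stored user, and a misplaced WALLET_LOCATION silently falls back to prompting for a password. The following bash script is an added example, not part of the original post; the function names and paths are assumptions, and it relies on GNU stat.

```shell
#!/bin/bash
# Added example (not from the original post): sanity-check a wallet directory and the
# sqlnet.ora that points at it. Assumes the layout used in the post (ewallet.p12 and
# cwallet.sso in one directory); directory and file paths are passed as parameters.

# check_wallet_dir DIR -> 0 when both wallet files exist and are readable only by their owner
check_wallet_dir() {
  local dir="$1" f perm
  [ -d "$dir" ] || { echo "no wallet directory: $dir"; return 1; }
  for f in ewallet.p12 cwallet.sso; do
    [ -f "$dir/$f" ] || { echo "missing $dir/$f"; return 1; }
    # cwallet.sso is the auto-login wallet: any access beyond owner read/write lets
    # another local account log in as the stored database user (GNU stat -c '%a').
    perm=$(stat -c '%a' "$dir/$f")
    case "$perm" in
      600|400) ;;
      *) echo "$dir/$f has mode $perm (expected 600)"; return 1 ;;
    esac
  done
  return 0
}

# check_sqlnet FILE DIR -> 0 when FILE enables wallet logins for the wallet in DIR
check_sqlnet() {
  local file="$1" dir="$2" flat
  [ -f "$file" ] || { echo "no sqlnet.ora at $file"; return 1; }
  # Strip whitespace so "(DIRECTORY = /x/)" and "(DIRECTORY=/x/)" compare alike.
  flat=$(tr -d ' \t\n' < "$file")
  case "$flat" in
    *"WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=${dir}"*) ;;
    *) echo "WALLET_LOCATION does not point at $dir"; return 1 ;;
  esac
  # Without WALLET_OVERRIDE=TRUE the client keeps using OS authentication for "/".
  case "$flat" in
    *"SQLNET.WALLET_OVERRIDE=TRUE"*) ;;
    *) echo "SQLNET.WALLET_OVERRIDE=TRUE is missing"; return 1 ;;
  esac
  return 0
}

# Usage with the paths from the post:
#   check_wallet_dir /u01/app/oracle/admin/wallet && \
#   check_sqlnet "$ORACLE_HOME/network/admin/sqlnet.ora" /u01/app/oracle/admin/wallet
```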
Add the user to the wallet and verify
[oracle@crs01 admin]$ mkstore -wrl /u01/app/oracle/admin/wallet -createCredential RMAN_CAT_PDB RMAN_TWHSE rman_twhse
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

[oracle@crs01 admin]$ mkstore -wrl /u01/app/oracle/admin/wallet -listCredential
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
List credential (index: connect_string username)
2: RMAN_CAT_PDB RMAN_TWHSE
1: TWHSE_PDB CHANAKA
[oracle@crs01 admin]$
Log in to the catalog database
[oracle@crs01 admin]$ sqlplus /@rman_cat_pdb

SQL*Plus: Release 19.0.0.0.0 - Production on Tue Oct 12 16:00:11 2021
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle. All rights reserved.

Last Successful login time: Tue Oct 12 2021 15:55:17 -04:00

Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0

SQL> show user
USER is "RMAN_TWHSE"
SQL>
Log in to the RMAN catalog without specifying the password
[oracle@crs01 admin]$ rman target / catalog /@rman_cat_pdb
Recovery Manager: Release 19.0.0.0.0 - Production on Tue Oct 12 16:02:14 2021
Version 19.3.0.0.0
Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved.
connected to target database: TWHSE01 (DBID=3636451434)
connected to recovery catalog database
RMAN> create catalog tablespace RMAN_TWHSE_TBS;
recovery catalog created
RMAN> register database;
database registered in recovery catalog
starting full resync of recovery catalog
full resync complete
RMAN>
Modify the catalog user password
Note that -modifyCredential only updates the secret stored in the wallet; the user's password must also be changed in the database so that the two stay in sync.
mkstore -wrl /u01/app/oracle/scripts/tns -modifyCredential RMAN_CAT_PDB RMAN_TWHSE rman_twhse_123