Wednesday, June 8, 2011

Oracle 10gR2 Secure External Password Store

Secure External Password Store is an Oracle 10g Release 2 feature that lets you keep the passwords used by client scripts (sqlplus, shell, expdp/impdp, exp/imp) that connect to the database encrypted in an Oracle Wallet, instead of writing them in the scripts.

The configuration is very simple so just follow these steps (Unix/Linux):

1) First verify that tnsnames.ora has an entry for your database, creating a valid db_tns_alias if needed

2) Create the Oracle Wallet (it will ask you to enter a password twice)
    mkstore -wrl /your_wallet_store_dir -create

3) Create the database credentials inside the wallet
    mkstore -wrl /your_wallet_store_dir -createCredential db_tns_alias username password

4) Add the following lines to $ORACLE_HOME/network/admin/sqlnet.ora (create the file if it does not exist)


WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
   (METHOD_DATA =
    (DIRECTORY = /your_wallet_store_dir)))


SQLNET.WALLET_OVERRIDE = TRUE
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 0

5) Use /@db_tns_alias in place of username/password whenever you want to connect as the user stored for that alias
    sqlplus /@db_tns_alias
    expdp /@db_tns_alias parfile=/mydir/mypar.par

6) The mkstore utility also has commands to list, delete and modify the credentials (for modify, the password must have been changed on the database side first)
    mkstore -wrl /your_wallet_store_dir -listCredential
    mkstore -wrl /your_wallet_store_dir -deleteCredential db_tns_alias
    mkstore -wrl /your_wallet_store_dir -modifyCredential db_tns_alias username newpassword
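
One way to check the result of steps 2 to 4 on the client, as an added example that is not part of the original post: it reads the wallet directory from sqlnet.ora, confirms SQLNET.WALLET_OVERRIDE is TRUE, and reports a finding if the wallet directory or its files are accessible to group or other. The function names check_seps and make_sample are hypothetical, and make_sample builds a constructed sample with empty stand-in files, not a real wallet.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit the client-side setup.
# check_seps SQLNET_ORA  -> 0 if all checks pass, 1 on a finding, 2 if unreadable.
check_seps() {
    local sqlnet="$1" rc=0 dir f mode
    [ -r "$sqlnet" ] || { echo "FAIL: cannot read $sqlnet"; return 2; }

    # Without WALLET_OVERRIDE = TRUE the /@alias login does not use the wallet.
    grep -Eiq '^[[:space:]]*SQLNET\.WALLET_OVERRIDE[[:space:]]*=[[:space:]]*TRUE' "$sqlnet" \
        || { echo "FAIL: SQLNET.WALLET_OVERRIDE is not TRUE"; rc=1; }

    # Extract the path from (DIRECTORY = ...) inside WALLET_LOCATION.
    dir=$(grep -Eio 'DIRECTORY[[:space:]]*=[[:space:]]*[^) ]+' "$sqlnet" |
          head -n 1 | sed 's/^[^=]*=[[:space:]]*//')
    if [ -z "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL: wallet directory not found: ${dir:-<unset>}"; return 1
    fi

    # cwallet.sso is an auto-login wallet: it opens without the wallet
    # password, so file permissions are what protect the stored credentials.
    for f in "$dir" "$dir/cwallet.sso" "$dir/ewallet.p12"; do
        [ -e "$f" ] || { echo "FAIL: missing $f"; rc=1; continue; }
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        case "$mode" in
            *00) echo "OK:   $f (mode $mode)" ;;
            *)   echo "FAIL: $f (mode $mode) is accessible to group/other"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample: a throwaway directory holding a sqlnet.ora like the one
# in step 4 and empty stand-ins for the two wallet files (not real wallets).
# Prints the directory it created; file_mode sets the wallet file permissions.
make_sample() {
    local file_mode="$1" d
    d=$(mktemp -d) && mkdir -m 700 "$d/wallet" || return 1
    : > "$d/wallet/cwallet.sso"; : > "$d/wallet/ewallet.p12"
    chmod "$file_mode" "$d/wallet/cwallet.sso" "$d/wallet/ewallet.p12"
    cat > "$d/sqlnet.ora" <<EOF
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
   (METHOD_DATA =
    (DIRECTORY = $d/wallet)))
SQLNET.WALLET_OVERRIDE = TRUE
EOF
    echo "$d"
}
```

Against a real installation, call `check_seps "$ORACLE_HOME/network/admin/sqlnet.ora"` as the OS user that runs the scripts.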
