Oracle® Database Security Guide 10g Release 2 (10.2) Part Number B14266-08 |
|
|
PDF · Mobi · ePub |
Password credentials for connecting to databases can now be stored in a client-side Oracle wallet, a secure software container used to store authentication and signing credentials.
This wallet usage can simplify large-scale deployments that rely on password credentials for connecting to databases. When this feature is configured, application code, batch jobs, and scripts no longer need embedded user names and passwords. Risk is reduced because such passwords are no longer exposed in the clear, and password management policies are more easily enforced without changing application code whenever user names or passwords change.
This feature is explained in the following sections:
See Also:
Oracle Database Advanced Security Administrator's Guide for general information about Oracle walletsNote:
The external password store of the wallet is separate from the area where public key infrastructure (PKI) credentials are stored. Consequently, you cannot use Oracle Wallet Manager to manage credentials in external password store of the wallet. Instead, the command-line utility,mkstore
, is provided to manage these credentials.Typically, users (including applications, batch jobs, and scripts) connect to databases by using a standard CONNECT
statement that specifies a database_connect_string
. This string can include a user name and password, and an Oracle Net service name identifying the database on an Oracle network. For example, the service name could be the URL that uniquely identifies that database, or a TNS alias you entered in the tnsnames.ora
file in the database. Another possibility is a host:port:sid
string.
The following examples are standard CONNECT
statements that could be used for a client that is not configured to use the external password store:
connect salesapp/2Ip6Cg8@sales_db.us.acme.com or connect salesapp/2Ip6Cg8@ORASALES or connect salesapp/2Ip6Cg8@ourhost37:1527:DB17
In these examples, salesapp
is the user name and 2Ip6Cg8
is the password, with the unique connect string for the database shown as specified in three different ways. You could use its URL sales_db.us.acme.com
, or its TNS alias ORASALES
from the tnsnames.ora
file, or its host:port:sid
string.
However, when clients are configured to use the secure external password store, applications can connect to a database with the following CONNECT
statement syntax, without specifying database login credentials:
connect /@db_connect_string where db_connect_string is a valid connect string to access the intended database, such as the service name, URL, or alias as illustrated in the earlier examples.
In this case, the database credentials, username and password, are securely stored in an Oracle wallet created for this purpose. The autologin feature of this wallet is turned on so the system does not need a password to open the wallet. From the wallet, it gets the credentials to access the database for the user they represent.
See Also:
Refer to Oracle Database Advanced Security Administrator's Guide for information about autologin wallets.If your client is already configured to use external authentication, such as Windows native authentication or Secure Sockets Layer (SSL), then that authentication method will be used. The same credentials used for such authentication are typically also used to log in to the database.
For clients not using such authentication methods or wanting to override them for database authentication, a new parameter (SQLNET.WALLET_OVERRIDE
) in sqlnet.ora
can be set to TRUE
. The default value for SQLNET.WALLET_OVERRIDE
is FALSE
, allowing standard use of authentication credentials as before.
If you want a client to use the secure external password store feature, then perform the following configuration tasks.
To enable clients to use the external password store:
Create a wallet on the client by using the following syntax at the command line:
mkstore -wrl <wallet_location> -create
wallet_location
is the path to the directory where you want to create and store the wallet. This command creates an Oracle wallet with the autologin feature enabled at the location you specify. The autologin feature enables the client to access the wallet contents without supplying a password. Refer to Oracle Database Advanced Security Administrator's Guide for information about autologin wallets.
Create database connection credentials in the wallet by using the following syntax at the command line:
mkstore -wrl <wallet_location> -createCredential <db_connect_string> <username> <password>
wallet_location
is the path to the directory where you created the wallet in Step 1. The db_connect_string
can be the TNS alias you use to specify the database in the tnsnames.ora
file or any service name you use to identify the database on an Oracle network. The username
and password
are the database login credentials.
Repeat this step for each database you want accessible using the CONNECT /@
db_connect_string
syntax.
Note:
Thedb_connect_string
used in the CONNECT /@
db_connect_string
statement must be identical to the db_connect_string
specified in the -createCredential
command.In the client sqlnet.ora
file, enter the WALLET_LOCATION
parameter and set it to the directory location of the wallet you created in Step 1.
For example, if you created the wallet in $ORACLE_HOME/network/admin
and your Oracle home is set to /private/ora102
, then you need to enter the following into your client sqlnet.ora
file:
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /private/ora102/network/admin) ) )
In the client sqlnet.ora
file, enter the SQLNET.WALLET_OVERRIDE
parameter and set it to TRUE
as follows:
SQLNET.WALLET_OVERRIDE = TRUE
This setting causes all CONNECT /@
db_connect_string
statements to use the information in the wallet at the specified location to authenticate to databases.
When external authentication is in use, an authenticated user with such a wallet can use the CONNECT /@
db_connect_string
syntax to access the previously specified databases without providing a user name and password. However, if a user fails that external authentication, then these connect statements also fail.
Note:
If an application uses SSL for encryption, then thesqlnet.ora
parameter, SQLNET.AUTHENTICATION_SERVICES
, specifies SSL and an SSL wallet is created. If this application wants to use secret store credentials to authenticate to databases (instead of the SSL certificate), then those credentials must be stored in the SSL wallet. After SSL authentication, if SQLNET.WALLET_OVERRIDE = TRUE
, then the user names and passwords from the wallet are used to authenticate to databases. If SQLNET.WALLET_OVERRIDE = FALSE
, then the SSL certificate is used.Example 9-1 shows a sample sqlnet.ora
file with the WALLET_LOCATION
and the SQLNET.WALLET_OVERRIDE
parameters set as described in Steps 3 and 4.
This section summarizes the following tasks you can perform to manage credentials in the external password store by using the mkstore
command-line utility:
Periodically, you may want to view all contents of a client wallet external password store, or you may need to check specific credentials by viewing them. Listing the external password store contents provides information you can use to decide whether to add or delete credentials from the store.
To list the contents of the external password store, enter the following command at the command line:
mkstore -wrl <wallet_location> -listCredential
wallet_location
specifies the path to the directory where the wallet, whose external password store contents you want to view, is located. This command lists all of the credential database service names (aliases) and the corresponding user name (schema) for that database. Passwords are not listed.
You can store multiple credentials in one client wallet. For example, if a client batch job connects to hr_database
and a script connects to sales_database
, then you can store the login credentials in the same client wallet. You cannot, however, store multiple credentials (for logging in to multiple schemas) for the same database in the same wallet. If you have multiple login credentials for the same database, then they must be stored in separate wallets.
To add database login credentials to an existing client wallet, enter the following command at the command line:
mkstore -wrl <wallet_location> -createCredential <db_alias> <username> <password>
wallet_location
is the path to the directory where the client wallet to which you want to add credentials is stored. db_alias
can be the TNS alias you use to specify the database in the tnsnames.ora
file or any service name you use to identify the database on an Oracle network. The username
and password
are the database login credentials for the schema to which your application connects.
If database connect strings change, then you can modify the database login credentials that are stored in the wallet.
To modify database login credentials in a wallet, enter the following command at the command line:
mkstore -wrl <wallet_location> -modifyCredential <dbase_alias> <username> <password>
wallet_location
is the path to the directory where the wallet is located. The db_alias
is a new or different alias you want to use to identify the database. It can be a TNS alias you use to specify the database in the tnsnames.ora
file or any service name you use to identify the database on an Oracle network. The username
and password
are the new or different database login credentials.
If a database no longer exists or if you want to disable connections to a specific database, then you can delete all login credentials for that database from the wallet.
To delete database login credentials from a wallet, enter the following command at the command line:
mkstore -wrl <wallet_location> -deleteCredential <db_alias>
wallet_location
is the path to the directory where the wallet is located. The db_alias
can be the TNS alias you use to specify the database in the tnsnames.ora
file, or any service name you use to identify the database on an Oracle network.