We have move to Exacc , using OS authentication for application user was challenge and we have to arrange other Secure External Password Store .
Thanks to Oracle Doc 340559.1 that shared steps on using Oracle wallet on client side .
When clients are configured to use the secure external password store, applications can connect to a database with the following CONNECT statement syntax, without specifying database login credentials:
connect /@db_connect_string
where db_connect_string is a valid connect string to access the intended database. In this case, the database credentials, username and password,
are securely stored in an Oracle wallet created for this purpose. The autologin feature of this wallet is turned on so the system does not need a password to open the wallet.
From the wallet, it gets the credentials to access the database for the user they represent.
Configuring Clients to Use the External Password Store
1) Create a wallet on the client by using the following syntax at the command line:
$ORACLE_HOME/oracle_common/bin/mkstore -wrl <wallet_location> -create ( need to input wallet password once asked )
2) Create database connection credentials in the wallet by using the following syntax at the command line:
mkstore -wrl <wallet_location> -createCredential <db_connect_string> <username> <password>
example:
("N102" in the following example is a connect descriptor located in the tnsnames.ora.)
mkstore -wrl /home/mseibt/pstore -createCredential N102 <user> <password>
Enter password: welcome1
3) In the client sqlnet.ora file, enter the WALLET_LOCATION parameter and set it to the directory location of the wallet you created in Step 1.
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA = (DIRECTORY = /home/mseibt/pstore))
)
SQLNET.WALLET_OVERRIDE = TRUE
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 0
4) In the client sqlnet.ora file, enter the SQLNET.WALLET_OVERRIDE parameter and set it to TRUE
SQLNET.WALLET_OVERRIDE = TRUE
5) With the external password store configured, connect as <user>:
sqlplus /@N102
--Datapump using wallet
nohup expdp /@BSA1EP directory=DUMP_DIR dumpfile=scott_%U.dmp logfile=EXP_SCOTT.log schemas=scott parallel=4 &
-- JDBC using wallet
Connection conn = DriverManager.getConnection ("jdbc:oracle:oci:/@BSA1EP");
-- sqlplus
sqlplus /@BSA1EP
Managing External Password Store Credentials
1) Listing the contents of the external password store:
mkstore -wrl /home/mseibt/pstore -listCredential
2) Adding database login credentials to an existing client wallet:
mkstore -wrl /home/mseibt/pstore -createCredential N101 <user><password>
3) Modifying database login credentials in a wallet:
mkstore -wrl /home/mseibt/pstore -modifyCredential N102 <user> newpassword
4) Deleting database login credentials from a wallet:
mkstore -wrl /home/mseibt/pstore -deleteCredential N101
5) Listing wallet entries:
mkstore -wrl /home/mseibt/pstore -list
6) Listing entry values:
The name will be something like oracle.wallet.passwordn where n is the entry number, Finally, open the entry using this:
mkstore -wrl /home/mseibt/pstore -viewEntry oracle.security.client.connect_string1 ( <name obtained> in step 5)
7) Modifying entry values:
mkstore -wrl /home/mseibt/pstore -modifyEntry oracle.security.client.password1 newpass
Known Issues:
Issues 1 : Oracle Wallet Cannot Be Created using mkstore (Doc ID 951276.1)
SOLUTION
1. Stop the Database
2. cd $ORACLE_HOME/bin
3. relink all
4. mkstore -wrl $ORACLE_HOME/admin/wallet -create
Reference :
Using The Secure External Password Store (Doc ID 340559.1)
No comments:
Post a Comment