Question: I want to secure an external UNIX password file on my Oracle server for a batch job executing a shell script from a crontab. What are the options for locking down an external password file in Oracle? Can Oracle wallet lock down a file?
Answer: You can use UNIX permissions to secure any file with the "740" permission, and you can also use the Oracle wallet in 10g release 2 and beyond.
Step 1: Update the sqlnet.ora file for Oracle wallet to point to a directory for secure files:
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/secure)
    )
  )
SQLNET.WALLET_OVERRIDE = TRUE
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 0
Step 2: Issue the mkstore command to password protect the secure file directory:
oracle> mkstore -wrl "/u01/app/oracle/secure" -create
Enter password:
Enter password again:
Step 3: Add the wallet password credentials (alias, user ID, password) to the wallet with the mkstore command and the -createCredential option:
oracle> mkstore -wrl "/u01/app/oracle/secure" -createCredential mydb11g_test myuser mypass
Enter password:
In this example, we pass the user ID of myuser and the password mypass.
In this case, our wallet alias will be called mydb11g_test, such that we would connect using select * from customer@mydb11g_test, just as if it was a database link.
Step 4: Add your mydb11g_test alias to your tnsnames.ora file:
mydb11g_test =
  (DESCRIPTION =
    (SDU=4202)
    (TDU=4202)
    (ADDRESS =
      (PROTOCOL = TCP)
      (HOST = fu.bar)
      (PORT = 1521)
    )
    (CONNECT_DATA = (server=dedicated) (service_name = mydb11g.world))
  )
Step 5: Test the secure connection. In this case, specifying the mydb11g_test TNS alias signs us on using the myuser ID and supplies the hidden wallet password of mypass:
oracle> sqlplus /@mydb11g_test
Connected.
SQL> show user
USER is "MYUSER"
Here we see that using our TNS mydb11g_test alias automatically signs us on with the myuser user ID and supplies the password from the secure wallet file.
Alternatively, you can connect using Java with a JDBC OCI command like this:
Connection conn = DriverManager.getConnection("jdbc:oracle:oci:/@mydb11g_test");
To override external authentication, such as Windows native authentication or Secure Sockets Layer (SSL), in the client sqlnet.ora file:
SQLNET.WALLET_OVERRIDE = TRUE
Managing External Password Store Credentials
To list the contents of the external password store:
mkstore -wrl <wallet_location> -listCredential
To add database login credentials to an existing client wallet:
mkstore -wrl <wallet_location> -createCredential <db_alias> <username> <password>
To modify database login credentials in a wallet:
mkstore -wrl <wallet_location> -modifyCredential <db_alias> <username> <password>
To delete database login credentials from a wallet:
mkstore -wrl <wallet_location> -deleteCredential <db_alias>
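The steps above leave one thing for the cron job itself to do: make sure the wallet is actually private before trusting it. The auto-login wallet file (cwallet.sso) that sqlplus reads for /@alias is itself a credential; any account that can read it can connect as the stored user without knowing the wallet password, so a mode of 740 (group readable) is looser than the job needs. The script below is an added example, not part of the original answer: it refuses to run unless the wallet directory and every file in it are owned by the invoking user with no group or other bits, checks that sqlnet.ora enables SQLNET.WALLET_OVERRIDE, and only then runs sqlplus with the wallet-backed alias so no password ever appears in the script, the crontab, or the process list. The paths, the mydb11g_test alias, the customer table and the "run" argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example: hardening checks for an Oracle Secure External Password
# Store (wallet) before a cron job uses it. Paths, alias and the SQL are
# assumptions, not values from the original answer's environment.

WALLET_DIR="${WALLET_DIR:-/u01/app/oracle/secure}"   # DIRECTORY in sqlnet.ora WALLET_LOCATION
TNS_ALIAS="${TNS_ALIAS:-mydb11g_test}"                # alias given to mkstore -createCredential
SQLNET_ORA="${SQLNET_ORA:-${ORACLE_HOME:-}/network/admin/sqlnet.ora}"

# mode_bits PATH: the 9-character permission string, e.g. rwx------
mode_bits() {
    ls -ld "$1" | cut -c2-10
}

# owner_of PATH: user name that owns PATH
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# path_is_private PATH: 0 if PATH is owned by the calling user and has
# no group or other permission bits at all (700 for a dir, 600 for a file)
path_is_private() {
    p=$1
    [ "$(owner_of "$p")" = "$(id -un)" ] || return 1
    case "$(mode_bits "$p")" in
        ???------) return 0 ;;
        *)         return 1 ;;
    esac
}

# wallet_is_private DIR: the directory and every file in it must be private.
# cwallet.sso is an auto-login wallet: whoever can read it can log in as the
# stored user, so a 740 directory or 640 wallet file is rejected here.
wallet_is_private() {
    d=$1
    [ -d "$d" ] || return 1
    path_is_private "$d" || return 1
    for f in "$d"/*; do
        [ -e "$f" ] || continue        # empty directory: the glob did not expand
        path_is_private "$f" || return 1
    done
    return 0
}

# sqlnet_uses_wallet FILE: 0 if FILE sets SQLNET.WALLET_OVERRIDE = TRUE
sqlnet_uses_wallet() {
    [ -f "$1" ] && grep -Eiq '^[[:space:]]*SQLNET\.WALLET_OVERRIDE[[:space:]]*=[[:space:]]*TRUE' "$1"
}

# run_batch: the cron payload. "/@alias" makes sqlplus take the user name and
# password from the wallet, so nothing secret is on the command line.
run_batch() {
    sqlplus -S "/@$TNS_ALIAS" <<'EOF'
WHENEVER SQLERROR EXIT FAILURE
SET HEADING OFF FEEDBACK OFF
SELECT COUNT(*) FROM customer;   -- assumed table name
EXIT
EOF
}

main() {
    wallet_is_private "$WALLET_DIR" || {
        echo "refusing to run: $WALLET_DIR is not private to $(id -un)" >&2
        exit 1
    }
    sqlnet_uses_wallet "$SQLNET_ORA" || {
        echo "refusing to run: SQLNET.WALLET_OVERRIDE not TRUE in $SQLNET_ORA" >&2
        exit 1
    }
    run_batch
}

# Only run the job when invoked with "run", e.g. from crontab (assumed path):
#   0 2 * * * /home/oracle/bin/wallet_batch.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Two practical notes on the mkstore steps: create the wallet directory with `umask 077` (or `chmod 700` afterwards) so the files mkstore writes are never group readable, and bear in mind that passing the password as the last argument to `-createCredential` puts it in the shell history and briefly in `ps` output; the wallet itself is what keeps it off disk in clear text afterwards.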