External password stores are useful in situations in which you want to prevent the connection credentials from being exposed in scripts or application code. In this recipe, we will create a password store that will contain the password for the HR user.
The steps in this recipe will be performed on the HACKDB database and the client node nodeorcl5.
During this recipe, we will use the mkstore utility for wallet management:
mkstore utility. Use ly8T%QX;r for the wallet password as follows:
    mkstore -wrl /security/wallets/pass_store -create
    Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
    Copyright (c) 2004, 2011, Oracle and /or its affiliates. All rights reserved.
    Enter password:
    Enter password again:
    HACKDB_PASS_STORE =
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = TCP)(HOST = nodeorcl1)(PORT = 1521))
        )
        (CONNECT_DATA =
          (SERVICE_NAME = HACKDB)
        )
      )
HR to the password wallet using the net alias and user, as follows:
    mkstore -wrl /security/wallets/pass_store -createCredential HACKDB_PASS_STORE HR
    Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
    Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
    Your secret/Password is missing in the command line
    Enter your secret/Password:
    Re-enter your secret/Password:
    Enter wallet password:
    Create credential oracle.security.client.connect_string1
sqlnet.ora and set the SQLNET.WALLET_OVERRIDE parameter, as follows:
    WALLET_LOCATION =
      (SOURCE =
        (METHOD = FILE)
        (METHOD_DATA =
          (DIRECTORY = /security/wallets/pass_store)
        )
      )
    SQLNET.WALLET_OVERRIDE = TRUE
SSL_CLIENT_AUTHENTICATION to FALSE, as follows:
    SSL_CLIENT_AUTHENTICATION = FALSE
HR without a password, as follows:
    Sql> conn /@HACKDB_PASS_STORE
    Connected
The authentication method on the server side remains the same. On the client side when the connection is initiated, the credentials are extracted from the password store and sent over the network.
The SQLNET.WALLET_OVERRIDE parameter should be set to TRUE if you are using SSL or Windows native authentication in parallel, to allow the client to use external stores.
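The following check is an added example, not part of the original recipe or of Oracle's tooling: a POSIX shell script that verifies the three sqlnet.ora settings used in the steps above and that the wallet directory is closed to group and other users, since the store is opened without a password at connection time. The function names and the temporary demo files are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the original recipe. Checks a client sqlnet.ora for
# the password-store settings used above and flags loose wallet permissions.

# Print the upper-cased value of a single-line "NAME = VALUE" parameter.
get_param() {   # $1 = sqlnet.ora path, $2 = parameter name
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 |
        sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' | tr '[:lower:]' '[:upper:]'
}

# Print the DIRECTORY value of WALLET_LOCATION (the entry may span several lines).
# Assumption: keywords are written in upper case, as in the recipe.
get_wallet_dir() {   # $1 = sqlnet.ora path
    tr '\n' ' ' < "$1" |
        sed -n 's/.*WALLET_LOCATION.*DIRECTORY[[:space:]]*=[[:space:]]*\([^)[:space:]]*\).*/\1/p'
}

# Return 0 only if every check passes; print one FAIL line per problem.
check_pass_store() {   # $1 = sqlnet.ora path
    rc=0
    dir=$(get_wallet_dir "$1")
    [ "$(get_param "$1" SQLNET.WALLET_OVERRIDE)" = "TRUE" ] ||
        { echo "FAIL: SQLNET.WALLET_OVERRIDE is not TRUE"; rc=1; }
    [ "$(get_param "$1" SSL_CLIENT_AUTHENTICATION)" = "FALSE" ] ||
        { echo "FAIL: SSL_CLIENT_AUTHENTICATION is not FALSE"; rc=1; }
    if [ -z "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL: WALLET_LOCATION directory missing: '$dir'"; return 1
    fi
    # The store opens without a password at connect time, so any OS account
    # that can read these files can log in as the stored database user.
    loose=$(find "$dir" \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) -print)
    [ -z "$loose" ] || { echo "FAIL: group/other access on: $loose"; rc=1; }
    return $rc
}

# Constructed demo: a throwaway wallet directory and sqlnet.ora under a temp dir.
demo_dir=$(mktemp -d)
mkdir -m 700 "$demo_dir/pass_store"
( umask 077; : > "$demo_dir/pass_store/cwallet.sso" )   # empty stand-in file
cat > "$demo_dir/sqlnet.ora" <<EOF
WALLET_LOCATION = (SOURCE = (METHOD = FILE)
  (METHOD_DATA = (DIRECTORY = $demo_dir/pass_store) ) )
SQLNET.WALLET_OVERRIDE = TRUE
SSL_CLIENT_AUTHENTICATION = FALSE
EOF
check_pass_store "$demo_dir/sqlnet.ora" && echo "OK: password store configuration"
```

On a real client, point check_pass_store at the sqlnet.ora in use; it exits non-zero if any setting differs from the recipe or the wallet files are accessible beyond their owner.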
Let's take a look at some additional command options that help us to get information or modify stores:
mkstore -wrl /security/wallets/pass_store -listCredential
C:\Users\orcl>mkstore -wrl /security/wallets/pass_store -modifyCredential HACKDB_PASS_STORE HR