How to perform authentication using external password stores

External password stores are useful when you want to prevent connection credentials from being exposed in scripts or application code. In this recipe, we will create a password store that contains the password for the HR user.

Getting ready

The steps in this recipe will be performed on the HACKDB database and the client node nodeorcl5.

How to do it...

During this recipe, we will use the mkstore utility for wallet management:

  1. Create the wallet by using the mkstore utility. Use ly8T%QX;r for the wallet password as follows:
    mkstore -wrl /security/wallets/pass_store -create
    Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
    Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
    
    Enter password:
    
    Enter password again:
    
  2. Create a net service name used for working with the password store, as follows:
    HACKDB_PASS_STORE =
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = TCP)(HOST = nodeorcl1)(PORT = 1521))
        )
        (CONNECT_DATA =
          (SERVICE_NAME = HACKDB)
        )
      )
    
  3. Next, add the credentials for the user HR to the password wallet, using the net service name and the username, as follows:
    mkstore -wrl /security/wallets/pass_store -createCredential HACKDB_PASS_STORE HR
    Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
    Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
    
    Your secret/Password is missing in the command line
    Enter your secret/Password:
    
    Re-enter your secret/Password:
    
    Enter wallet password:
    
    Create credential oracle.security.client.connect_string1
    
  4. Next, configure the store location in sqlnet.ora (the SQLNET.WALLET_OVERRIDE parameter is set in the following step), as follows:
    WALLET_LOCATION =
      (SOURCE =
        (METHOD = FILE)
        (METHOD_DATA =
          (DIRECTORY = /security/wallets/pass_store)
        )
      )
    
  5. To use the external password store for authentication, set the following parameter as follows:
    SQLNET.WALLET_OVERRIDE = TRUE
    
  6. If you have SSL authentication configured, set SSL_CLIENT_AUTHENTICATION to FALSE, as follows:
    SSL_CLIENT_AUTHENTICATION = FALSE
    
  7. Next, connect as the user HR without supplying a password, as follows:
    SQL> conn /@HACKDB_PASS_STORE
    Connected
    
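Once SQLNET.WALLET_OVERRIDE is TRUE, the auto-login wallet file (cwallet.sso, created by mkstore alongside ewallet.p12) is itself the HR credential: anyone who can read it can connect as HR. The following added checks (not part of the recipe) verify that the wallet files are readable only by their owner and that sqlnet.ora points at the store with the override enabled; the paths are the recipe's own, and the checks only read the file system, so they run without an Oracle client installed.

```shell
#!/bin/sh
# Added example: post-setup checks for an Oracle external password store.
# Assumes the store was created with mkstore as in the recipe, so the wallet
# directory holds cwallet.sso (auto-login wallet) and ewallet.p12.

# Returns 0 if both wallet files exist in $1 and carry no group/other
# permission bits (i.e. mode rw-------); returns 1 and names the offending
# file otherwise.
check_wallet_perms() {
    dir=$1; rc=0
    for f in "$dir/cwallet.sso" "$dir/ewallet.p12"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f"; rc=1; continue
        fi
        # columns 5-10 of 'ls -l' are the group and other permission bits
        gro=$(ls -ld "$f" | cut -c5-10)
        case $gro in
            *[rwx]*) echo "too permissive ($gro): $f"; rc=1 ;;
        esac
    done
    return $rc
}

# Returns 0 if the sqlnet.ora given as $1 has WALLET_LOCATION pointing at the
# directory $2 and SQLNET.WALLET_OVERRIDE = TRUE; returns 1 otherwise.
check_sqlnet() {
    cfg=$1; dir=$2
    grep -Eq "DIRECTORY *= *$dir" "$cfg" \
        || { echo "WALLET_LOCATION does not point at $dir"; return 1; }
    grep -Eiq '^ *SQLNET\.WALLET_OVERRIDE *= *TRUE' "$cfg" \
        || { echo "SQLNET.WALLET_OVERRIDE is not TRUE"; return 1; }
    return 0
}

# Usage against the recipe's locations (sqlnet.ora path is an assumption):
# check_wallet_perms /security/wallets/pass_store
# check_sqlnet "$ORACLE_HOME/network/admin/sqlnet.ora" /security/wallets/pass_store
```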

How it works...

The authentication method on the server side remains the same. On the client side, when the connection is initiated, the credentials are extracted from the password store and sent over the network.

The SQLNET.WALLET_OVERRIDE parameter should be set to TRUE if you are also using SSL or Windows native authentication, so that the client is allowed to use the external store.

There's more...

Let's take a look at some additional command options that help us to get information about stores or modify them:

  • To list the credentials contained in a store:
    mkstore -wrl /security/wallets/pass_store -listCredential
    
  • To modify a password in a store:
    C:\Users\orcl>mkstore -wrl /security/wallets/pass_store -modifyCredential HACKDB_PASS_STORE HR
    