Saturday, November 9, 2013

Configuring Clients to Use the External Password Store

Hardcoding passwords in shell scripts is a bad practice. The source code may be shared by many developers, may reside on insecure servers (a CVS repository, for example), may be printed, and so on. The passwords may also change often, which means editing every script that embeds them.

So how do you connect to the database server without hardcoding passwords? You can do it by storing the password in a client-side wallet, which Oracle calls the secure external password store. If you want a client to use this feature, perform the following configuration tasks:

Step#1 Create a wallet on the client by using the following syntax at the command line

D:\app\179818\product\11.2.0>mkstore -wrl d:\app\179818\product\11.2.0 -create
Oracle Secret Store Tool : Version 12.1.0.1
Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.
Enter password:
Enter password again:
D:\app\179818\product\11.2.0>


d:\app\179818\product\11.2.0 is the path to the directory where you want to create and store the wallet. The password you are prompted for protects the PKCS#12 wallet (ewallet.p12); mkstore -create also writes an auto-login wallet (cwallet.sso) in the same directory, and anyone who can read that file can connect with the stored credentials without knowing any password. Restrict the directory to the OS account that runs your scripts.

Step#2 Create database connection credentials in the wallet by using the following syntax at the command line. Here iradsnvl is the connect string (the TNS alias the client will later use) and rajesh is the database user; the database password is typed at the prompt rather than passed on the command line, so it does not end up in the shell history.

D:\app\179818\product\11.2.0>mkstore -wrl D:\app\179818\product\11.2.0 -createCredential iradsnvl rajesh
Oracle Secret Store Tool : Version 12.1.0.1
Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.
Your secret/Password is missing in the command line
Enter your secret/Password:
Re-enter your secret/Password:
Enter wallet password:
Create credential oracle.security.client.connect_string1
D:\app\179818\product\11.2.0>

Step#3 In the client sqlnet.ora file, add the WALLET_LOCATION parameter, set to the directory of the wallet you created in Step#1, and set SQLNET.WALLET_OVERRIDE to TRUE so that CONNECT /@connect_string uses the wallet credentials instead of OS (NTS) authentication, as follows

D:\app\client\179818\product\12.1.0\client_1\network\admin>type sqlnet.ora
# sqlnet.ora Network Configuration File: D:\app\client\179818\product\12.1.0\client_1\network\admin\sqlnet.ora
# Generated by Oracle configuration tools.
# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.
SQLNET.AUTHENTICATION_SERVICES= (NTS)
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SQLNET.WALLET_OVERRIDE = TRUE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = D:\app\179818\product\11.2.0)
    )
  )

Once the above steps are done, you can connect to the database without giving a username or password on the command line; SQL*Plus reads them from the wallet. Note the syntax: a slash, then @ and the same connect string that was used in -createCredential.

C:\Users\179818>sqlplus /@iradsnvl
SQL*Plus: Release 12.1.0.1.0 Production on Sat Nov 9 13:23:41 2013
Copyright (c) 1982, 2013, Oracle.  All rights reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
rajesh@ORA10GR2>
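The three steps above, scripted end to end for a Unix/Linux Oracle client, as an added example that is not part of the original post. It assumes ORACLE_HOME is set and that mkstore and sqlplus are on PATH; the wallet directory $HOME/.oracle_wallet is an assumed location, and the alias iradsnvl and user rajesh are the values from the post. On Windows the mkstore commands are identical; replace the chmod/stat check with an NTFS ACL that grants access to the service account only.

```sh
#!/bin/sh
# Added example, not from the original post: the three wallet steps as a script
# for a Unix/Linux Oracle client. Assumes ORACLE_HOME is set and that mkstore
# and sqlplus are on PATH. WALLET_DIR is an assumed location; the alias and
# user default to the values used in the post.
set -eu

WALLET_DIR="${WALLET_DIR:-$HOME/.oracle_wallet}"
TNS_ALIAS="${TNS_ALIAS:-iradsnvl}"
DB_USER="${DB_USER:-rajesh}"

# Print the sqlnet.ora fragment from Step#3 for the given wallet directory.
render_sqlnet_ora() {
    dir="$1"
    printf '%s\n' \
        "SQLNET.WALLET_OVERRIDE = TRUE" \
        "WALLET_LOCATION =" \
        "  (SOURCE =" \
        "    (METHOD = FILE)" \
        "    (METHOD_DATA =" \
        "      (DIRECTORY = $dir)" \
        "    )" \
        "  )"
}

# Succeed only if the directory is accessible by its owner alone (mode 700).
# mkstore -create writes an auto-login wallet (cwallet.sso): any OS user who
# can read it can connect as the stored database user without a password.
wallet_dir_is_private() {
    dir="$1"
    [ -d "$dir" ] || return 1
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
    [ "$mode" = "700" ]
}

# Step#1 and Step#2: create the wallet, store the credential, list it back.
# mkstore reads the wallet password and the database password from prompts,
# so neither one lands on the command line or in shell history.
create_wallet_with_credential() {
    dir="$1"; conn="$2"; user="$3"
    mkdir -p "$dir"
    chmod 700 "$dir"
    mkstore -wrl "$dir" -create
    mkstore -wrl "$dir" -createCredential "$conn" "$user"
    mkstore -wrl "$dir" -listCredential    # shows alias and user, never the password
}

# Step#3: append the wallet settings to the client's sqlnet.ora.
# Run once; re-running appends a duplicate WALLET_LOCATION block.
install_sqlnet_config() {
    dir="$1"
    admin="${TNS_ADMIN:-$ORACLE_HOME/network/admin}"
    render_sqlnet_ora "$dir" >> "$admin/sqlnet.ora"
}

# Prove the wallet works: connect with "/@alias" and no password.
verify_connection() {
    conn="$1"
    sqlplus -S -L "/@$conn" <<'EOF'
SELECT user AS connected_as FROM dual;
EXIT
EOF
}

case "${1:-}" in
    setup)
        create_wallet_with_credential "$WALLET_DIR" "$TNS_ALIAS" "$DB_USER"
        install_sqlnet_config "$WALLET_DIR"
        wallet_dir_is_private "$WALLET_DIR" \
            || echo "WARNING: $WALLET_DIR is readable by other users" >&2
        verify_connection "$TNS_ALIAS"
        ;;
    *)
        # No argument: just show the sqlnet.ora fragment for review.
        render_sqlnet_ora "$WALLET_DIR"
        ;;
esac
```

Run it as `sh wallet-setup.sh setup` to perform all three steps and the test connection; without an argument it only prints the sqlnet.ora fragment so you can review it before appending. The permission check is the part worth keeping in any deployment script: the wallet removes the password from the script, but cwallet.sso is now the secret, and the protection on it is whatever the file system grants.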
