Back in 2000, (dot com!) I’d attended a team meeting where they were trying to address the practice of using hidden files to store passwords used for batch scripts. I was still exclusively a Windows user at the time so that concept escaped me, however, the dangers of storing passwords in clear text did not.
Over the years I’ve run across many ridiculous schemes for trying to obfuscate passwords and all of them fall short because either the code to decrypt these passwords is stored right next to the same code that encrypted them or you can just call the decrypt code to see the password anyway.
Enter Oracle Wallets, keeping in mind that these wallets have been around forever! Common uses of wallets is to store certificates and Transparent Data Encryption keys, however, users (and batch script developers) are welcome to store database account usernames and passwords in them too. The benefit is that most Oracle utilities (like say, SQLPLUS) have wallet usage baked right into them.
Notable facts about passwords:
- I hate passwords
- I hate remembering passwords
- I hate typing passwords
- Passwords should be long and vary greatly
- Passwords should be changed often
- (Repeat)
Oracle Wallets take all of this into account, with the exception of point 5 which isn’t the wallets fault, but rather the user’s and we’ll get to that.
So, simply put. If you use SQLPLUS (or anything really) to connect to the database then you should be using wallets. Here’s how:
Start by modifying your sqlnet.ora (lives in your $ORACLE_HOME/network/admin directory or wherever you are pointing $TNS_ADMIN to)
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = C:\app\oracle\wallet)
)
)
SQLNET.WALLET_OVERRIDE = TRUE
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 0
Now, let’s create a wallet and add a database credential. This step requires either a full Oracle installation or non-instant client software installed.
C:\> mkstore -wrl "C:\oracle\wallet" -create Oracle Secret Store Tool : Version 12.1.0.1 Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved. Enter password: Enter password again:
Next, to add a database user credential.
Usage: mkstore [-wrl wrl] [-createCredential connect_string username password]
For example,
ora12c << tnsname entry scott << username tiger << user password
C:\>mkstore -wrl "C:\app\oracle\wallet" -createCredential ora12c scott tiger Oracle Secret Store Tool : Version 12.1.0.1 Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved. Enter wallet password:
Once that is in place now all that is need to connect as SCOTT is to use the following syntax:
C:\>sqlplus /@dbname SQL*Plus: Release 12.1.0.1.0 Production on Thu Sep 1 16:39:45 2016 Copyright (c) 1982, 2013, Oracle. All rights reserved. Last Successful login time: Thu Sep 01 2016 14:24:54 -04:00 Connected to: Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production With the Partitioning, Real Application Clusters, Automatic Storage Management, OLAP, Advanced Analytics and Real Application Testing options SQL> sho user USER is "SCOTT"
Later on, I’ll demonstrate a method to easily manage wallets so you don’t have to enter the wallet password for every update to your credentials.