I had posted several years ago about the virtues of using Oracle Wallets, but didn't really address the dangers. There is a false sense of security when you can't readily view the contents of a file, so this post is to clarify the purpose of wallets and their use, but also what they shouldn't be used for.
First, what is a wallet?
Oracle Wallets are Oracle's implementation of the PKCS#12 archive file format (ewallet.p12) for storing keys. Oracle uses them to store several kinds of keys and certificates, but one of the reasons it created its own wallet was to store user credentials. A credential consists of a username, a password, and the tnsnames entry that is used as the unique key for looking up that credential. Typically a wallet is secured by a wallet password: if you want to create, access, modify, or remove a credential, you need to know the wallet password.
This is all well and good, but as I highlighted in my previous post, wallets shine when you want to seamlessly use them with Oracle tools like sqlplus. To do this, Oracle created the "auto-login" wallet. If the cwallet.sso file exists, Oracle will use the credential associated with the tnsnames entry being referenced without the wallet password ever having to be supplied to retrieve the credential password. This is great for batch servers, scripts, and launching sqlplus (or other Oracle utilities).
What are the dangers?
There really aren't any if you understand what Oracle wallets can be used for and what they can't. The real danger is using auto-login (cwallet.sso) wallets to keep passwords secret from people. That is not their intent, and the documentation is a bit dubious in this regard:
"You can modify or delete the wallet without using a password. File system permissions provide the necessary security for such auto-login wallets."
Basically Oracle is saying (or should be): if you have file permissions to read the cwallet.sso file, then you have access to the secrets (i.e. credential passwords, encryption keys, etc.). Therefore, if your use case for wallets is to hide database passwords from the people actually using the wallets, you are doing it wrong.
While putting together a little example for a developer to use a wallet for a non-Oracle database, I ran across this Java code to dump the contents of a wallet. It contained a nice way to extract the credential data from a cwallet.sso, which I was able to show to the client:

```java
import java.io.FileInputStream;
import java.io.IOException;
import oracle.security.crypto.asn1.ASN1FormatException;
import oracle.security.pki.OracleSSOKeyStoreSpi;

public class SSOPasswords {
    public static void main(String[] argv) throws Exception {
        // The auto-login wallet needs no password, so null is passed for it.
        OracleSSOKeyStoreSpi secretKeyStore = new OracleSSOKeyStoreSpi();
        try {
            secretKeyStore.engineLoad(new FileInputStream(argv[0]), null);
        } catch (ASN1FormatException e) {
            throw new IOException("Unable to load wallet");
        }
        // Credentials are stored as numbered aliases starting at 1; walk them
        // until the next connect_string alias is missing.
        for (int i = 1; secretKeyStore.secretStoreContainsAlias("oracle.security.client.connect_string" + i); ++i) {
            System.out.println("connect_string: " + new String(secretKeyStore.secretStoreGetSecret("oracle.security.client.connect_string" + i)));
            System.out.println("username: " + new String(secretKeyStore.secretStoreGetSecret("oracle.security.client.username" + i)));
            System.out.println("password: " + new String(secretKeyStore.secretStoreGetSecret("oracle.security.client.password" + i)));
        }
    }
}
```
Compile it and run it:
```shell
export ORACLE_HOME=<path of your Oracle home>
java -classpath $ORACLE_HOME/lib/oraclepki.jar:$ORACLE_HOME/lib/osdt_core.jar:$ORACLE_HOME/lib/osdt_cert.jar:. SSOPasswords cwallet.sso
```

Output:

```
connect_string: ora12c
username: scott
password: tiger
```
The implication is that anyone who has read permission on your cwallet.sso file has everything they need to recover all the information contained in the wallet.
What can you do?
Definitely keep using wallets. They are really good for what they were made to do. Just make sure you lock down the files and only grant access to the people and groups that are allowed to know the passwords. Finally, use the -local flag. This makes it a bit harder for someone who copies the wallet to another machine.
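A quick check for the "lock down the files" advice, added here as an example that is not part of the original post: it reads the mode bits of cwallet.sso and ewallet.p12 in a wallet directory and flags any file readable or writable beyond its owner. The demo directory and its placeholder files are constructed, and the function names `audit_wallet_dir` and `make_demo_dir` are chosen here; only POSIX mode bits are examined, not ACLs.

```python
import os
import stat
import tempfile

# File names Oracle uses for the auto-login and password-protected wallets.
WALLET_FILES = ("cwallet.sso", "ewallet.p12")


def audit_wallet_dir(path):
    """Return [(filename, octal mode, problems)] for wallet files under path.

    A problem is recorded when the file is group- or world-readable (enough
    to dump an auto-login wallet) or group-/world-writable (enough to modify
    or replace it). Missing files are skipped.
    """
    findings = []
    for name in WALLET_FILES:
        full = os.path.join(path, name)
        if not os.path.exists(full):
            continue
        mode = os.stat(full).st_mode
        problems = []
        if mode & stat.S_IRGRP:
            problems.append("group-readable")
        if mode & stat.S_IROTH:
            problems.append("world-readable")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append("writable beyond owner")
        findings.append((name, oct(stat.S_IMODE(mode)), problems))
    return findings


def make_demo_dir():
    """Build a constructed wallet directory: one exposed file, one locked down."""
    d = tempfile.mkdtemp()
    for name, mode in (("cwallet.sso", 0o644), ("ewallet.p12", 0o600)):
        with open(os.path.join(d, name), "wb") as f:
            f.write(b"placeholder, not a real wallet")  # constructed content
        os.chmod(os.path.join(d, name), mode)
    return d


if __name__ == "__main__":
    for name, mode, problems in audit_wallet_dir(make_demo_dir()):
        print(f"{name} ({mode}): {', '.join(problems) if problems else 'ok'}")
```

Point it at a real wallet directory by replacing `make_demo_dir()` with the path; anything other than `ok` on cwallet.sso means the credentials are readable by more than the owner.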