An Oracle Wallet is a file that contains encrypted credentials for databases. This prevents the use of hardcoded passwords in scripts and/or on the command line.
When using an Oracle Wallet the username and password are retrieved from this file on setting up the connection.
The goal of using a wallet is to increase security. There were scripting in small companies usually contain plain-text passwords, the use of an Oracle Wallet can change this, when e.g. a company increases and more employees are using these scripts.
A small disadvantage of using an Oracle Wallet is that the wallet can contain only one set of credentials per database name.
Since it however uses TNS entries to connect to a database, one can store this one set of credentials per TNS name.
So in the case that you have a database called ORADB, TNS entries for each user group can be created in tnsnames.ora and thus credentials for each group.
Using e.d. credentials for batch jobs and other credentials for an application, two entries in tnsnames.ora would be sufficient to support his, e.g. ORADB_BATCH & ORADB_APP.
Setting up the use of a Wallet is easy. First of course a wallet has to be created. Use the following command to do so:
mkstore -wrl /u01/oradata/wallet -create
The entered location is a directory where the wallet is created. Make sure the directory used exists.
The command will ask you to enter a password. This password is used to encrypt the Wallet. Store this Wallet password somewhere on a safe place. It is needed every time when adding/removing or changing entries in the wallet.
Adding/Deleting or changing entries in a wallet uses a similar syntax. Every type of action you perform on a wallet uses the "mkstore" command.
Adding an entry is done like this:
mkstore -wrl /u01/oradata/wallet -createCredential TNS_NAME USER PASSWORD
Example:
mksore -wrl /u01/oradata/wallet -createCredential ORADB_APP scott tiger
But now how do scripts use the wallet?
First we need to setup sqlnet.ora This file is usually found in the location defined by $TNS_ADMIN. IF it is not present, then create a new file and add the following contents to it:
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /u01/oradata/wallet)
)
)
SQLNET.WALLET_OVERRIDE = TRUE
The WALLET_LOCATION part is self-explaining.
The WALLET_OVERRIDE parameter allows this method to override any existing OS authentication configuration.
When adding an sqlnet.ora file or making changes to it, a listener restart is required to activate it.
This means that switching to the use of a wallet, requires a brief unavailability of the database for the business.
Using the wallet is now easy.
Any connections to the database not using a credential, will use the stored credential in the wallet, e.g.:
sqlplus /@ORADB_APP
will succesfully login to the database.
To manage the wallet over time, the following commands can be needed:
1. List all wallet entries
mkstore -wrl /u01/oradata/wallet -listCredential
2. Show password for specific entry
mkstore -wrl /u01/oradata/wallet -listCredential
Using presented list, use the INDEXnumber , e.g.:
mkstore -wrl /u01/oradata/wallet -viewEntry oracle.security.client.password13
3. Manual entry creation (TNS connection name must be unique) within wallet
mkstore -wrl /u01/oradata/wallet -createCredential TNS_NAME USER PASSWORD
Example:
mkstore -wrl /u01/oradata/wallet -createCredential oradb_app scott tiger
4. Manual entry deletion
mkstore -wrl /u01/oradata/wallet -deleteCredential TNS_NAME
This will delete "all", entries for this TNS_NAME, but since a wallet can store only one credential per TNS_NAME, it will delete that credential
5. Wallet deletion
mkstore -wrl /u01/oradata/wallet -delete
Note that this will delete the complete wallet. All entries are lost !!
6. Modifying an Entry:
mkstore -wrl /u01/oradata/wallet -modifyCredential TNS_NAME USER PASSWORD
The wallet is also usable for e.g. RMAN in combination with a catalog database, like:
$ORACLE_HOME/bin/rman target / catalog /@RMANCAT
