Using wallets to store database credentials is considered a secure method. Just as any client application can secure its database credentials using a SEPS password store, we can implement the same on ExaCS (Exadata Cloud Service) and VM DB Systems hosts. While running custom scripts or data pump export/import jobs, it is possible to use credentials stored in the keystore wallet without exposing them in clear text, just by providing the credential name or alias. All credentials stored in the wallet are encrypted by default. Securing passwords this way may help to implement password management policies easily and effectively.
High level steps to secure DB Passwords using Keystore Wallets
1. Create a new folder on ExaCS/DBCS host to store wallets and TNS Files
2. Configure sqlnet.ora parameters to use password wallet
3. Create wallet and database connection credentials in wallet
4. Test the connection to the database using password wallet
Detailed Implementation Steps
1. Create a new folder on ExaCS/DBCS host to store wallets and TNS Files
On the ExaCS or DBCS VM we need to create a new folder to store the files below:
- Password Wallet
- TNSNAMES.ora
- SQLNET.ora
To use credentials from the wallet while running scripts or data pump export/import jobs, we need to set the SQLNET.ora parameter WALLET_OVERRIDE to TRUE. The default value of this parameter is FALSE, and changing it to TRUE will allow database credential authentication using the wallet method only. Other methods of credential authentication, such as authentication using SSL certs, won’t work. The workaround for this is to create a new SQLNET.ora file and set the parameter WALLET_OVERRIDE to TRUE in that file.
Once the new folder is created for storing wallets and TNS files, copy the tnsnames.ora and sqlnet.ora files from the current $TNS_ADMIN folder to the new location:

2. Configure sqlnet.ora parameters to use password wallet
After copying the sqlnet.ora file from the default database $TNS_ADMIN location to the new folder created in step 1, we need to modify it as below:
- Change the parameter WALLET_OVERRIDE to TRUE
- Change the location in parameter WALLET_LOCATION to point to the new directory

3. Create wallet and database connection credentials in wallet
A new wallet needs to be created to store the DB user credentials. We can use an existing DB user with sufficient grants on database objects, depending on the tasks it is going to perform, such as running custom jobs or taking export backups of database schemas, tables, etc.
Use syntax as shown in below screenshot to create a new password wallet:

After creating the wallet, add the credentials to it that will be used later while running jobs or custom scripts from the ExaCS or DBCS VM. After creating the credentials, whenever we want to use them, we can directly use the credential name instead of the username and password.

Credentials can be viewed by using command as shown in below screenshot.

4. Test the connection to the database using password wallet
To use credentials stored in the wallet, we need to set the TNS_ADMIN location to the folder in which we have stored the password wallet, sqlnet.ora and tnsnames.ora.
We can then connect to the database without providing a username and password. We just need to provide the credential name, and the DB user credentials are authenticated automatically using the password wallet. The username and password won’t be exposed in clear text on the database VM host.
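
The four steps above as one script, added here as an example and not taken from the original post. The folder path, the alias `orcl_app`, the user `app_user` and the two function names are placeholders; `mkstore` and `sqlplus` are the Oracle client tools, and in sqlnet.ora the override parameter is written with its full name, `SQLNET.WALLET_OVERRIDE`.

```shell
#!/usr/bin/env bash
# Added example. The paths, alias "orcl_app", user "app_user" and both function
# names are placeholders chosen for illustration.

# Steps 1-2: copy the network files into a private folder and point the copied
# sqlnet.ora at it. Assumes any existing WALLET_LOCATION or
# SQLNET.WALLET_OVERRIDE entry in the source file sits on a single line.
prepare_wallet_tns_admin() (
    src="$1"; dst="$2"
    umask 077                                   # new files: owner access only
    mkdir -p "$dst" && chmod 700 "$dst" || return 1
    cp "$src/tnsnames.ora" "$dst/tnsnames.ora" || return 1
    grep -viE '^[[:space:]]*(WALLET_LOCATION|SQLNET\.WALLET_OVERRIDE)[[:space:]]*=' \
        "$src/sqlnet.ora" > "$dst/sqlnet.ora" || [ $? -eq 1 ] || return 1
    cat >> "$dst/sqlnet.ora" <<EOF
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = $dst)))
SQLNET.WALLET_OVERRIDE = TRUE
EOF
)

# Check before use: override on, wallet directory matches, and nothing in the
# folder is accessible to group or others (cwallet.sso opens without a password).
check_wallet_tns_admin() {
    dir="$1"
    grep -qiE '^[[:space:]]*SQLNET\.WALLET_OVERRIDE[[:space:]]*=[[:space:]]*TRUE' \
        "$dir/sqlnet.ora" || { echo "WALLET_OVERRIDE is not TRUE"; return 1; }
    grep -qF "DIRECTORY = $dir)" "$dir/sqlnet.ora" ||
        { echo "WALLET_LOCATION does not point at $dir"; return 1; }
    loose=$(find "$dir" -perm /077)
    [ -z "$loose" ] || { echo "group/other access on: $loose"; return 1; }
}

# Steps 3-4 (run with --create on a host with the Oracle client tools).
# mkstore prompts for the wallet password and the database user's password.
# The alias must match an entry in the copied tnsnames.ora.
if [ "${1:-}" = "--create" ]; then
    W=/u01/app/oracle/wallet_tns                # placeholder path
    prepare_wallet_tns_admin "$TNS_ADMIN" "$W" &&
    mkstore -wrl "$W" -create &&
    mkstore -wrl "$W" -createCredential orcl_app app_user &&
    mkstore -wrl "$W" -listCredential &&
    check_wallet_tns_admin "$W" &&
    TNS_ADMIN="$W" sqlplus /@orcl_app
fi
```

The same `/@orcl_app` connect string works for `expdp` and `impdp` once `TNS_ADMIN` points at the wallet folder.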

This way we will be able to secure database credentials without exposing them in clear text and also manage passwords easily and effectively.
To know more about managing Oracle databases on OCI Exadata Cloud Infrastructure and VM DB Systems, please see the following resources:
- https://docs.oracle.com/en-us/iaas/exadatacloud/index.html
- https://docs.oracle.com/en-us/iaas/dbcs/index.html
