Database Credentials in Oracle Wallet

-

 

 Database Credentials in Oracle Wallet

When managing Oracle Databases, storing user credentials in plain text inside scripts is a major security risk. Oracle provides a secure solution with Oracle Wallet, which allows you to store database credentials in an encrypted location. Once configured, applications and utilities like Data Pump or JDBC can connect without requiring a clear-text password.

This blog walks through the step-by-step procedure to store database credentials in Oracle Wallet and use it securely.

Overview

The Oracle Wallet securely stores database credentials, eliminating the need to expose passwords in scripts.

  • Multiple credentials can be stored in a single wallet.

  • Supports auto-login, meaning applications don’t need a password to access it.

  • OS file permissions ensure security.

In this example, a non-Oracle binary owner OS user (bidhan) is used to create the wallet.

Example usage:

Data Pump with Wallet

nohup expdp /@BSA1EP directory=DUMP_DIR dumpfile=scott_%U.dmp logfile=EXP_SCOTT.log schemas=scott parallel=4 &

JDBC with Wallet

Connection conn = DriverManager.getConnection("jdbc:oracle:oci:/@BSA1EP");

Step 1: Create Oracle Wallet Directory

Check wallet status:

SET LINES 180
COL wrl_type FORMAT a12
COL wrl_parameter FORMAT a35
COL status FORMAT a30
SELECT * FROM v$encryption_wallet;

If not present, create directory:

[root@dg1 ~]# mkdir -p /u01/admin/BSA1EP/wallet
[root@dg1 ~]# chown -R bidhan:bidhan /u01/admin/BSA1EP/wallet

Step 2: Create TNS ADMIN Directory (for bidhan)

[root@dg1 ~]# mkdir -p /u01/admin/BSA1EP/wallet/TNS_ADMIN
[root@dg1 ~]# chown -R bidhan:bidhan /u01/admin/BSA1EP/wallet/TNS_ADMIN

Step 3: Add TNS Entry (for oracle)

Update sqlnet.ora and tnsnames.ora:

sqlnet.ora

SQLNET.WALLET_OVERRIDE = FALSE
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /u01/admin/BSA1EP/wallet)))

tnsnames.ora

BSA1EP =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dg1.bidhan.com)(PORT = 1622))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = BSA1EP)
    )
  )

Step 4: Export Oracle Variables

For OS user bidhan:

export ORACLE_SID=BSA1EP
export ORACLE_HOME=/oracle/1900
export PATH=$ORACLE_HOME/bin:$PATH
export TNS_ADMIN=/u01/admin/BSA1EP/wallet/TNS_ADMIN

Step 5: Create Password-Protected Oracle Wallet

[bidhan@dg1 wallet]$ orapki wallet create -wallet /u01/admin/BSA1EP/wallet -auto_login

After success, check files:

ls -ltr /u01/admin/BSA1EP/wallet
cwallet.sso
ewallet.p12

Step 6: Add Database Credentials to Wallet

[bidhan@dg1 ~]$ mkstore -wrl /u01/admin/BSA1EP/wallet -createCredential BSA1EP test
Enter your secret/Password: *****
Re-enter your secret/Password: *****
Enter wallet password: *****

Step 7: Verify Database Connection

[bidhan@dg1 ~]$ sqlplus /@BSA1EP
SQL> show user
USER is "TEST"

Step 8: List Credentials in Wallet

mkstore -wrl /u01/admin/BSA1EP/wallet -listCredential

Output:

1: BSA1EP test

Step 9: Modify Credentials in Wallet

After DB password change:

mkstore -wrl /u01/admin/BSA1EP/wallet -modifyCredential BSA1EP test newpassword

Step 10: View Wallet Contents

orapki wallet display -wallet /u01/admin/BSA1EP/wallet

Step 11: Change Wallet Password

orapki wallet change_pwd -wallet /u01/admin/BSA1EP/wallet

Step 12: Delete Credentials from Wallet

mkstore -wrl /u01/admin/BSA1EP/wallet -deleteCredential BSA1EP

Step 13: Delete Oracle Wallet

Remove wallet files:

rm -f /u01/admin/BSA1EP/wallet/*wallet*

Key Takeaways

  • Oracle Wallet eliminates password exposure in scripts.

  • Supports auto-login for seamless integration.

  • Credentials can be securely added, updated, listed, or deleted.

  • Works perfectly with Data Pump, RMAN, JDBC, and batch jobs.

Comments

Post a Comment

Popular posts from this blog

Configure Oracle Database Vault Realms

-
Configure Oracle Database Vault Realms to Secure the HR Schema Oracle Database Vault (DV) is a powerful security feature that enables fine-grained access control by enforcing security policies that protect sensitive data. One of the most important components in Database Vault is the Realm , which creates a security boundary around database objects to prevent unauthorized access — even by highly privileged users. In this blog, we’ll walk through the step-by-step process of configuring a Realm to secure the HR schema in an Oracle Database 19c environment. You’ll learn how to: Create a Realm Add objects to it Restrict access Enable auditing for security tracking What is a Realm? A Realm in Oracle Database Vault defines a logical security boundary around one or more database objects. Once a Realm is in place, no one — not even privileged users like DBAs — can access the protected objects without being explicitly authorized. Realms are ideal for: Securing sensitive ap...
Read more

Configure Transparent Database Encryption (TDE) in Oracle CDB

-
   Configure Transparent Database Encryption (TDE) in Oracle CDB Transparent Data Encryption (TDE) is a vital Oracle feature used to secure sensitive data at rest by encrypting database files. In this guide, we'll walk through configuring TDE in a CDB (Container Database) environment and demonstrate its effectiveness with a test tablespace and HR schema. Prerequisites Oracle Database (12c and above, preferably 19c or later) File system access to create wallets Appropriate privileges to administer TDE and manage tablespaces Step 1: Create a New Tablespace in PDB Connect to the PDB and create a new tablespace: sql SQL > CREATE TABLE SPACE userstab DATAFILE '/opt/oracle/oradata/XE/XEPDB1/userstab01.dbf' SIZE 1 G; Tablespace created. Step 2:Install the Sample HR Schema Install the sample HR schema into the newly created userstab tablespace: sql SQL > @? / demo / schema / human_resources / hr_main.sql This will create and populate HR sc...
Read more

Cloning Oracle E-Business Suite 12.2.11: RMAN + Rapid Clone

-
Cloning Oracle E-Business Suite (EBS) environments is a critical part of managing development, testing, and DR landscapes. In this post, we walk through the process of cloning EBS 12.2.11 from a production environment to a non-production one using RMAN active duplication and Oracle Rapid Clone utilities . Clone Scenario Source Database CDB : PRODCDB Source PDB : prod Target Database CDB : RNDCDB Target PDB : RND Step 1: Prepare the Target Server Create Required Directories mkdir -p /u01/oracle/RNDCDB mkdir -p /u01/oracle/RND mkdir -p /u01/oracle/clone_logs Verify Swap Space (Must be ≥ 16GB) free -h Step 2: Run Pre-Clone on Source Database Tier cd $ORACLE_HOME/appsutil/scripts/prod_PRODCDB perl adpreclone.pl dbTier Application Tier cd $ADMIN_SCRIPTS_HOME perl adpreclone.pl appsTier  Step 3: Clone the CDB with RMAN 3.1: Startup Target CDB in NOMOUNT Mode export ORACLE_SID=RNDCDB sqlplus / as sysdba STARTUP NOMOUNT; 3.2: Run RMAN Active Duplicate rman target sys@PRODCDB auxiliary sy...
Read more