Database Credentials in Oracle Wallet

When managing Oracle Databases, storing user credentials in plain text inside scripts is a major security risk. Oracle provides a secure solution with Oracle Wallet, which allows you to store database credentials in an encrypted location. Once configured, applications and utilities like Data Pump or JDBC can connect without requiring a clear-text password.

This blog walks through the step-by-step procedure to store database credentials in Oracle Wallet and use it securely.

---

Overview

The Oracle Wallet securely stores database credentials, eliminating the need to expose passwords in scripts.

• Multiple credentials can be stored in a single wallet.

• Supports auto-login, meaning applications don’t need a password to access it.

• OS file permissions ensure security.

In this example, a non-Oracle binary owner OS user (bidhan) is used to create the wallet.

Example usage:

Data Pump with Wallet

nohup expdp /@BSA1EP directory=DUMP_DIR dumpfile=scott_%U.dmp logfile=EXP_SCOTT.log schemas=scott parallel=4 &

JDBC with Wallet

Connection conn = DriverManager.getConnection("jdbc:oracle:oci:/@BSA1EP");

---

Step 1: Create Oracle Wallet Directory

Check wallet status:

SET LINES 180
COL wrl_type FORMAT a12
COL wrl_parameter FORMAT a35
COL status FORMAT a30
SELECT * FROM v$encryption_wallet;

If not present, create directory:

[root@dg1 ~]# mkdir -p /u01/admin/BSA1EP/wallet
[root@dg1 ~]# chown -R bidhan:bidhan /u01/admin/BSA1EP/wallet

---

Step 2: Create TNS ADMIN Directory (for bidhan)

[root@dg1 ~]# mkdir -p /u01/admin/BSA1EP/wallet/TNS_ADMIN
[root@dg1 ~]# chown -R bidhan:bidhan /u01/admin/BSA1EP/wallet/TNS_ADMIN

---

Step 3: Add TNS Entry (for oracle)

Update sqlnet.ora and tnsnames.ora:

sqlnet.ora

SQLNET.WALLET_OVERRIDE = FALSE
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /u01/admin/BSA1EP/wallet)))

tnsnames.ora

BSA1EP =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dg1.bidhan.com)(PORT = 1622))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = BSA1EP)
    )
  )

---

Step 4: Export Oracle Variables

For OS user bidhan:

export ORACLE_SID=BSA1EP
export ORACLE_HOME=/oracle/1900
export PATH=$ORACLE_HOME/bin:$PATH
export TNS_ADMIN=/u01/admin/BSA1EP/wallet/TNS_ADMIN

---

Step 5: Create Password-Protected Oracle Wallet

[bidhan@dg1 wallet]$ orapki wallet create -wallet /u01/admin/BSA1EP/wallet -auto_login

After success, check files:

ls -ltr /u01/admin/BSA1EP/wallet
cwallet.sso
ewallet.p12

---

Step 6: Add Database Credentials to Wallet

[bidhan@dg1 ~]$ mkstore -wrl /u01/admin/BSA1EP/wallet -createCredential BSA1EP test
Enter your secret/Password: *****
Re-enter your secret/Password: *****
Enter wallet password: *****

---

Step 7: Verify Database Connection

[bidhan@dg1 ~]$ sqlplus /@BSA1EP
SQL> show user
USER is "TEST"

---

Step 8: List Credentials in Wallet

mkstore -wrl /u01/admin/BSA1EP/wallet -listCredential

Output:

1: BSA1EP test

---

Step 9: Modify Credentials in Wallet

After DB password change:

mkstore -wrl /u01/admin/BSA1EP/wallet -modifyCredential BSA1EP test newpassword

---

Step 10: View Wallet Contents

orapki wallet display -wallet /u01/admin/BSA1EP/wallet

---

Step 11: Change Wallet Password

orapki wallet change_pwd -wallet /u01/admin/BSA1EP/wallet

---

Step 12: Delete Credentials from Wallet

mkstore -wrl /u01/admin/BSA1EP/wallet -deleteCredential BSA1EP

---

Step 13: Delete Oracle Wallet

Remove wallet files:

rm -f /u01/admin/BSA1EP/wallet/*wallet*

---

Key Takeaways

• Oracle Wallet eliminates password exposure in scripts.

• Supports auto-login for seamless integration.

• Credentials can be securely added, updated, listed, or deleted.

• Works perfectly with Data Pump, RMAN, JDBC, and batch jobs.