9 Secure External Password Store

Password credentials for connecting to databases can now be stored in a client-side Oracle wallet, a secure software container used to store authentication and signing credentials.

This wallet usage can simplify large-scale deployments that rely on password credentials for connecting to databases. When this feature is configured, application code, batch jobs, and scripts no longer need embedded user names and passwords. Risk is reduced because such passwords are no longer exposed in the clear, and password management policies are more easily enforced without changing application code whenever user names or passwords change.

This feature is explained in the following sections:

See Also:

Oracle Database Advanced Security Administrator's Guide for general information about Oracle wallets

Note:

The external password store of the wallet is separate from the area where public key infrastructure (PKI) credentials are stored. Consequently, you cannot use Oracle Wallet Manager to manage credentials in external password store of the wallet. Instead, the command-line utility, mkstore, is provided to manage these credentials.

How Does the External Password Store Work?

Typically, users (including applications, batch jobs, and scripts) connect to databases by using a standard CONNECT statement that specifies a database_connect_string. This string can include a user name and password, and an Oracle Net service name identifying the database on an Oracle network. For example, the service name could be the URL that uniquely identifies that database, or a TNS alias you entered in the tnsnames.ora file in the database. Another possibility is a host:port:sid string.

The following examples are standard CONNECT statements that could be used for a client that is not configured to use the external password store:

  • connect salesapp/2Ip6Cg8@sales_db.us.acme.com
    or
    connect salesapp/2Ip6Cg8@ORASALES
    or
    connect salesapp/2Ip6Cg8@ourhost37:1527:DB17
    

In these examples, salesapp is the user name and 2Ip6Cg8 is the password, with the unique connect string for the database shown as specified in three different ways. You could use its URL sales_db.us.acme.com, or its TNS alias ORASALES from the tnsnames.ora file, or its host:port:sid string.

However, when clients are configured to use the secure external password store, applications can connect to a database with the following CONNECT statement syntax, without specifying database login credentials:

connect /@db_connect_string

where db_connect_string is a valid connect string to access the intended database, such as the service name, URL, or alias as illustrated in the earlier examples.

In this case, the database credentials, username and password, are securely stored in an Oracle wallet created for this purpose. The autologin feature of this wallet is turned on so the system does not need a password to open the wallet. From the wallet, it gets the credentials to access the database for the user they represent.

See Also:

Refer to Oracle Database Advanced Security Administrator's Guide for information about autologin wallets.

Configuring Clients to Use the External Password Store

If your client is already configured to use external authentication, such as Windows native authentication or Secure Sockets Layer (SSL), then that authentication method will be used. The same credentials used for such authentication are typically also used to log in to the database.

For clients not using such authentication methods or wanting to override them for database authentication, a new parameter (SQLNET.WALLET_OVERRIDE) in sqlnet.ora can be set to TRUE. The default value for SQLNET.WALLET_OVERRIDE is FALSE, allowing standard use of authentication credentials as before.

If you want a client to use the secure external password store feature, then perform the following configuration tasks.

To enable clients to use the external password store:

  1. Create a wallet on the client by using the following syntax at the command line:

    mkstore -wrl <wallet_location> -create
    

    wallet_location is the path to the directory where you want to create and store the wallet. This command creates an Oracle wallet with the autologin feature enabled at the location you specify. The autologin feature enables the client to access the wallet contents without supplying a password. Refer to Oracle Database Advanced Security Administrator's Guide for information about autologin wallets.

  2. Create database connection credentials in the wallet by using the following syntax at the command line:

    mkstore -wrl <wallet_location> -createCredential <db_connect_string> <username> <password>
    

    wallet_location is the path to the directory where you created the wallet in Step 1. The db_connect_string can be the TNS alias you use to specify the database in the tnsnames.ora file or any service name you use to identify the database on an Oracle network. The username and password are the database login credentials.

    Repeat this step for each database you want accessible using the CONNECT /@db_connect_string syntax.

    Note:

    The db_connect_string used in the CONNECT /@db_connect_string statement must be identical to the db_connect_string specified in the -createCredential command.
  3. In the client sqlnet.ora file, enter the WALLET_LOCATION parameter and set it to the directory location of the wallet you created in Step 1.

    For example, if you created the wallet in $ORACLE_HOME/network/admin and your Oracle home is set to /private/ora102, then you need to enter the following into your client sqlnet.ora file:

    WALLET_LOCATION =  (SOURCE =    (METHOD = FILE)    (METHOD_DATA =      (DIRECTORY = /private/ora102/network/admin)    )  )
    
  4. In the client sqlnet.ora file, enter the SQLNET.WALLET_OVERRIDE parameter and set it to TRUE as follows:

    SQLNET.WALLET_OVERRIDE = TRUE
    

    This setting causes all CONNECT /@db_connect_string statements to use the information in the wallet at the specified location to authenticate to databases.

    When external authentication is in use, an authenticated user with such a wallet can use the CONNECT /@db_connect_string syntax to access the previously specified databases without providing a user name and password. However, if a user fails that external authentication, then these connect statements also fail.

    Note:

    If an application uses SSL for encryption, then the sqlnet.ora parameter, SQLNET.AUTHENTICATION_SERVICES, specifies SSL and an SSL wallet is created. If this application wants to use secret store credentials to authenticate to databases (instead of the SSL certificate), then those credentials must be stored in the SSL wallet. After SSL authentication, if SQLNET.WALLET_OVERRIDE = TRUE, then the user names and passwords from the wallet are used to authenticate to databases. If SQLNET.WALLET_OVERRIDE = FALSE, then the SSL certificate is used.

Example 9-1 shows a sample sqlnet.ora file with the WALLET_LOCATION and the SQLNET.WALLET_OVERRIDE parameters set as described in Steps 3 and 4.

Example 9-1 Sample SQLNET.ORA File with Wallet Parameters Set

WALLET_LOCATION =
   (SOURCE =
     (METHOD = FILE)
     (METHOD_DATA =
       (DIRECTORY = /private/ora102/network/admin)
     )
    )

SQLNET.WALLET_OVERRIDE = TRUE
SSL_CLIENT_AUTHENTICATION = FALSESSL_VERSION = 0

Managing External Password Store Credentials

This section summarizes the following tasks you can perform to manage credentials in the external password store by using the mkstore command-line utility:

Listing External Password Store Contents

Periodically, you may want to view all contents of a client wallet external password store, or you may need to check specific credentials by viewing them. Listing the external password store contents provides information you can use to decide whether to add or delete credentials from the store.

To list the contents of the external password store, enter the following command at the command line:

mkstore -wrl <wallet_location> -listCredential

wallet_location specifies the path to the directory where the wallet, whose external password store contents you want to view, is located. This command lists all of the credential database service names (aliases) and the corresponding user name (schema) for that database. Passwords are not listed.

Adding Credentials to an External Password Store

You can store multiple credentials in one client wallet. For example, if a client batch job connects to hr_database and a script connects to sales_database, then you can store the login credentials in the same client wallet. You cannot, however, store multiple credentials (for logging in to multiple schemas) for the same database in the same wallet. If you have multiple login credentials for the same database, then they must be stored in separate wallets.

To add database login credentials to an existing client wallet, enter the following command at the command line:

mkstore -wrl <wallet_location> -createCredential <db_alias> <username> <password>

wallet_location is the path to the directory where the client wallet to which you want to add credentials is stored. db_alias can be the TNS alias you use to specify the database in the tnsnames.ora file or any service name you use to identify the database on an Oracle network. The username and password are the database login credentials for the schema to which your application connects.

Modifying Credentials in an External Password Store

If database connect strings change, then you can modify the database login credentials that are stored in the wallet.

To modify database login credentials in a wallet, enter the following command at the command line:

mkstore -wrl <wallet_location> -modifyCredential <dbase_alias> <username> <password>

wallet_location is the path to the directory where the wallet is located. The db_alias is a new or different alias you want to use to identify the database. It can be a TNS alias you use to specify the database in the tnsnames.ora file or any service name you use to identify the database on an Oracle network. The username and password are the new or different database login credentials.

Deleting Credentials from an External Password Store

If a database no longer exists or if you want to disable connections to a specific database, then you can delete all login credentials for that database from the wallet.

To delete database login credentials from a wallet, enter the following command at the command line:

mkstore -wrl <wallet_location> -deleteCredential <db_alias>

wallet_location is the path to the directory where the wallet is located. The db_alias can be the TNS alias you use to specify the database in the tnsnames.ora file, or any service name you use to identify the database on an Oracle network.