A more secure connection to a pdb with the Oracle Wallet

Wallets are cool! Since 9i Oracle has been pushing us towards services for connecting to a database, and since PDBs arrived you get less and less choice to connect without a service. Recently I discovered passwords stored in environment variables in order to connect to a PDB. A short talk with the author of the script taught me that he just wants to connect to a PDB, so I offered the solution of storing the password in the Oracle wallet. Here is how I did it in my lab.

So an empty cdb:

As you can see, this is a very new, clean cdb. So first step is to create a pdb:

And then check:


The PDB still has to be opened:

and then you can log into it:

Then I created a tnsnames.ora entry in which I specified the name of the service the PDB will listen on:

That means we also have to teach the PDB to listen on this service. If you are connected to the PDB when you create the service, the service is associated with that PDB:

Don’t forget to start the service and check it in the listener:


Then we can configure the wallet. First step is to create one. This is done by creating a directory and storing the wallet in it. I created the directory /home/oracle/wallet. To create the wallet in this location:

Make sure the password is complex enough! Then the client sqlnet.ora (the one on the host holding the wallet) must be updated to teach Oracle where the wallet is:

The last line is important if you are dealing with a client wallet. Basically only one line needs to be adapted if you stored the wallet in another location, and that is the directory path.

So that's almost it, we're almost done. Now we can store the credentials of the user we want to log in without a password in the wallet. This is done with mkstore as well:

The createCredential option needs two things: the tnsnames.ora alias of the PDB and the user you want to connect to that alias with. In our case we are connecting to the mypdbsrv entry as the pdbadm user.

And then it’s time to test!

So, as you can see, it is fairly easy to get rid of hard coded passwords. Only two things to mention.
The wallet uses the TNS alias as the key for its data. Suppose you want to store a second user: then you need to specify a second TNS alias. Maybe there are workarounds, but I have not found them yet.
Second important thing: manage your TNS_ADMIN variable. If you are not using the default location of sqlnet.ora, make sure TNS_ADMIN points to the directory containing the sqlnet.ora that references the wallet directory.
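As an added example (not the commands from this post), the script below generates the client-side sqlnet.ora and tnsnames.ora described above and then runs a preflight check covering both remarks: the alias stored with createCredential must exist in the tnsnames.ora of the TNS_ADMIN directory in use, the sqlnet.ora there must reference an existing wallet directory, and the wallet files must not be readable by other OS users (the auto-login file cwallet.sso is what replaces the password, so anyone who can read it can log in as the stored user). The alias mypdbsrv, the user pdbadm and the directory /home/oracle/wallet come from the post; the host name, port and file layout are assumptions. The mkstore calls are listed in comments only, because they prompt interactively and are not run here.

```shell
#!/bin/sh
# Added example: generate the client-side wallet configuration and check it
# before relying on "sqlplus /@alias". Host, port and paths are assumptions.
#
# The wallet itself is created and filled with Oracle's own tools (interactive,
# not executed by this script):
#   mkstore -wrl /home/oracle/wallet -create
#   mkstore -wrl /home/oracle/wallet -createCredential mypdbsrv pdbadm
#   mkstore -wrl /home/oracle/wallet -listCredential

# Write the sqlnet.ora that points the client at the wallet. The final line
# (SQLNET.WALLET_OVERRIDE) is what makes "sqlplus /@alias" use the stored
# credential instead of OS authentication.
write_wallet_sqlnet_ora() {
  tns_admin=$1; wallet_dir=$2
  cat > "$tns_admin/sqlnet.ora" <<EOF
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = $wallet_dir)
    )
  )
SQLNET.WALLET_OVERRIDE = TRUE
EOF
}

# Append a tnsnames.ora alias; SERVICE_NAME must be the service the PDB listens on.
write_tns_alias() {
  tns_admin=$1; alias=$2; host=$3; port=$4; service=$5
  cat >> "$tns_admin/tnsnames.ora" <<EOF
$alias =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = $host)(PORT = $port))
    (CONNECT_DATA = (SERVICE_NAME = $service))
  )
EOF
}

# Preflight: does the sqlnet.ora in this TNS_ADMIN reference an existing,
# private wallet, and does tnsnames.ora know the alias stored in the wallet?
# Returns 0 when everything checks out, 1 otherwise (reasons go to stderr).
check_wallet_setup() {
  tns_admin=${1:-${TNS_ADMIN:-$ORACLE_HOME/network/admin}}; alias=$2; rc=0
  sqlnet="$tns_admin/sqlnet.ora"
  if [ ! -f "$sqlnet" ]; then
    echo "no sqlnet.ora in $tns_admin (is TNS_ADMIN set correctly?)" >&2; return 1
  fi
  # Pull the DIRECTORY value out of the WALLET_LOCATION block.
  wallet_dir=$(sed -n 's/.*(DIRECTORY *= *\([^)]*\)).*/\1/p' "$sqlnet" | head -n 1)
  if [ -z "$wallet_dir" ] || [ ! -d "$wallet_dir" ]; then
    echo "WALLET_LOCATION directory '$wallet_dir' missing or not a directory" >&2; rc=1
  else
    # cwallet.sso is the auto-login file: whoever can read it can log in as the
    # stored user without a password, so neither file may be group/world readable.
    for f in "$wallet_dir/cwallet.sso" "$wallet_dir/ewallet.p12"; do
      if [ ! -f "$f" ]; then
        echo "wallet file $f missing (run mkstore -create first)" >&2; rc=1
      elif [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "$f is readable by other users; chmod 600 it" >&2; rc=1
      fi
    done
  fi
  if ! grep -Eiq '^[[:space:]]*SQLNET\.WALLET_OVERRIDE[[:space:]]*=[[:space:]]*TRUE' "$sqlnet"; then
    echo "SQLNET.WALLET_OVERRIDE = TRUE missing: sqlplus /@alias will not use the wallet" >&2; rc=1
  fi
  if [ -n "$alias" ] && ! grep -Eiq "^[[:space:]]*$alias[[:space:]]*=" "$tns_admin/tnsnames.ora" 2>/dev/null; then
    echo "alias $alias not found in $tns_admin/tnsnames.ora" >&2; rc=1
  fi
  return $rc
}

# Usage when run directly: ./wallet_preflight.sh check /path/to/tns_admin mypdbsrv
case $1 in
  check) shift; check_wallet_setup "$@" ;;
esac
```

Run the check as the OS user that will execute the script with the wallet, since that is the user whose TNS_ADMIN and file permissions matter; a clean exit status 0 means `sqlplus /@mypdbsrv` has everything it needs without a password appearing in the environment.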

More information can also be found in the Oracle documentation.

As always, questions, remarks? find me on twitter @vanpupi
