Secure Database Passwords in an Oracle Wallet by Jeff Hunter, Sr. Database Administrator
Contents
Introduction
Create Oracle Wallet
Store Database Credentials
Test Database Credentials
Manage Database Credentials in Wallet
Command-Line Proxy Authentication
About the Author
Introduction
The practice of writing scripts to automate routine database tasks is commonplace. This can include database backups, ETL jobs, or any type of batch processing that requires database access without user interaction. These scripts are typically held on the filesystem and depend on OS file permissions to protect the security credentials needed to log in to the database. The challenge has been how to adequately hide or obfuscate the username and password so that they are not exposed in clear text, causing a potential security breach. A widely used practice has been to rely on OS Authentication, but starting with Oracle Database 10g Release 2, a simpler and more scalable solution is to use a Secure External Password Store. This approach provides a secure method to store database credentials and reduces risk to security policies because the usernames and passwords no longer need to be exposed in clear text. This also avoids the need for the DBA or other security administrators to share passwords with developers and other non-administrator users needing access to the database.

The secure external password store uses a client-side Oracle Wallet to store one or more user name/password combinations. The wallet is encrypted using the 3DES algorithm so the contents of the wallet are not readable. If the wallet is ever compromised, the database password for the user can be changed and a new wallet can be generated, thus rendering the previous wallet unusable.

The best way to envision the password store is as a table with three columns: TNSALIAS, USERNAME, and PASSWORD. The TNSALIAS is basically the primary key that maps to a single user name/password combination. In most deployment scenarios, this means creating a new TNSALIAS entry for each stored credential.
TNSALIAS (PK)    USERNAME    PASSWORD
-------------    --------    --------
TESTDB1          SCOTT       TIGER
ERPDB_APPS       APPS        APPL3PWD
ERPDB_GL         GL          GL3XPWD
...
Consider the following example where a shell script includes a call to SQL*Plus using traditional username/password authentication:
sqlplus scott/tiger@tnsalias
Lack of adequate file system permissions in place for the script exposes the database credentials in clear text and creates a major security breach. With a secure external password store in place, the above SQL*Plus call could be replaced with:
sqlplus /@tnsalias
In the above example, the TNS connect string, along with the username and password, are extracted from the password store (a client-side Oracle wallet) based on tnsalias. It should be noted that tnsalias in the above sqlplus call should not be thought of as an actual entry in the tnsnames.ora file, but rather as a lookup key in the password store. That key value in the password store should, however, be a resolvable entry in the tnsnames.ora file. Although the tnsalias value used for the database login (/@tnsalias) and the entry in the password store must be the same, it is important to distinguish between the two.
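As an added example that is not part of the original article, the following shell check scans a batch script for SQL*Plus calls that still embed a username and password, while accepting the /@tnsalias form described above. The script it scans is constructed here and the aliases in it are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: find SQL*Plus calls in a
# batch script that still embed credentials ("sqlplus user/password@alias")
# and accept the wallet form ("sqlplus /@alias") the password store enables.

# POSIX basic regex: "sqlplus", optional flags such as -S, then a user name
# (or a "user[proxy]" spec), a slash and a password that is not just "@alias".
# "/@alias" has nothing before the slash, so it does not match; neither does
# OS authentication ("/ as sysdba") or the proxied wallet form "[hr]/@alias".
CLEARTEXT_RE='sqlplus[[:space:]]\{1,\}\(-[A-Za-z]\{1,\}[[:space:]]\{1,\}\)*[][A-Za-z0-9_$#]\{1,\}/[^[:space:]@]\{1,\}'

# Print offending lines of $1 on stderr ("lineno:text") and the number of
# offending lines on stdout; 0 means no embedded credentials were found.
count_cleartext_sqlplus() {
  grep -n "$CLEARTEXT_RE" "$1" >&2 || :
  grep -c "$CLEARTEXT_RE" "$1" || :
}

# Write a constructed sample batch script to $1 (placeholder aliases only).
write_sample_script() {
  cat > "$1" <<'EOF'
#!/bin/sh
# nightly batch jobs (constructed sample)
sqlplus scott/tiger@testdb1 @nightly_report.sql
sqlplus -S hrproc[hr]/hrproc_password@hrproc @payroll.sql
sqlplus /@testdb1_scott @nightly_report.sql
sqlplus [hr]/@hrproc @payroll.sql
sqlplus / as sysdba
EOF
}

SAMPLE=$(mktemp)
write_sample_script "$SAMPLE"
echo "clear-text SQL*Plus logins in $SAMPLE: $(count_cleartext_sqlplus "$SAMPLE")"
rm -f "$SAMPLE"
```

Only the two lines that carry a password before the @ are reported; the two wallet-based calls and the OS-authenticated call pass.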
An Oracle Wallet is nothing more than a protected logical container (a single file named ewallet.p12) that is used for the secure external password store. Multiple wallets may be created on a machine; however, each wallet should be contained in its own directory. Using a wallet for the secure external password store is not the only use of an Oracle wallet. The wallet can also be used to store encrypted keys needed by the Oracle database in order to access SSL sites as well as many of the more advanced security options in Oracle like Transparent Data Encryption (TDE) or PKI Credentials. These advanced options are part of Oracle's Advanced Security Option (ASO) and are only available when using Oracle Enterprise Edition. Note that creating an Oracle wallet for the secure external password store (and importing keys to access SSL sites) can be done using Oracle Standard Edition. Only the advanced features like TDE or PKI credentials require the Advanced Security Option and Enterprise Edition.
current authentication methods and use the secure external password store feature. For example, setting SQLNET.WALLET_OVERRIDE = TRUE causes all "CONNECT /@db_connect_string" statements to use the information in the wallet at the specified location to authenticate to databases. The default value for SQLNET.WALLET_OVERRIDE is FALSE, allowing standard use of authentication credentials like Windows native authentication or Secure Sockets Layer (SSL) and disabling the secure external password store feature.

Note: If an application uses SSL for encryption, then the sqlnet.ora parameter, SQLNET.AUTHENTICATION_SERVICES, specifies SSL and an SSL wallet is created. If this application wants to use secret store credentials to authenticate to databases (instead of the SSL certificate), then those credentials must be stored in the SSL wallet. After SSL authentication, if SQLNET.WALLET_OVERRIDE = TRUE, then the user names and passwords from the wallet are used to authenticate to databases. If SQLNET.WALLET_OVERRIDE = FALSE, then the SSL certificate is used.
2. The SSL_CLIENT_AUTHENTICATION parameter is used to specify whether or not a client is authenticated using the Secure Sockets Layer (SSL). The default value is TRUE.
3. Although not required for a secure external password store, I specify a default domain in
Although the wallet created above is password protected, it is defined with the "Auto Login" property enabled so that any connection attempt by the user who created the wallet is not required to supply the password.
About Auto Login Property

When the auto login property is enabled, it creates an obfuscated copy of the wallet and enables access to services (PKI, password store, etc.) without a password. When auto login is enabled for a wallet, it is only available to the operating system user who created that wallet. The auto login feature for a wallet can be enabled or disabled using Oracle Wallet Manager. Something to note about an Oracle wallet is that it can be copied to a different machine, which imposes a serious risk to security. A user could create an account on their workstation with the same username as the wallet owner and obtain access to any of the database credentials stored in the wallet without a password. In Oracle Database 11g Release 2, you can prevent the auto login functionality from working if it is copied to another machine by creating a (local) wallet using the orapki command, instead of the mkstore command.
$ orapki wallet create -wallet "/u01/app/oracle/product/11.2.0/dbhome_1/network/admin" -pwd "myPassword" -auto_login_local
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Verify the wallet was created. The same wallet file names will be created whether they were created using mkstore or the orapki command.
$ ls -l /u01/app/oracle/product/11.2.0/dbhome_1/network/admin
total 48
-rw------- 1 oracle oinstall  3973 Jul 20 22:55 cwallet.sso
-rw------- 1 oracle oinstall  3896 Jul 20 22:55 ewallet.p12
-rw-r--r-- 1 oracle oinstall   392 Feb 10 20:31 listener.ora
drwxr-xr-x 2 oracle oinstall  4096 Feb 10 20:23 samples/
-rw-r--r-- 1 oracle oinstall   205 May 11  2011 shrept.lst
-rw-r--r-- 1 oracle oinstall 20760 Jul 20 18:02 sqlnet.ora
-rw-r--r-- 1 oracle oinstall  3337 Jul 20 22:43 tnsnames.ora
Since the wallet was created with the auto login functionality, the wallet will be exported into a file named cwallet.sso. Also, since the wallet is protected by a password, two files will be created; namely ewallet.p12 and cwallet.sso.
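An added example, not from the article: a pre-flight check that a batch script can run before calling sqlplus /@tnsalias. It verifies that the two wallet files above have owner-only permissions and belong to the calling user (the only user auto login works for), and that the sqlnet.ora in the same directory sets SQLNET.WALLET_OVERRIDE = TRUE; the directory path in the sample call is the one used in the article.

```shell
#!/bin/sh
# Added example, not from the original article: a pre-flight check a batch
# script can run before "sqlplus /@tnsalias". It confirms that the wallet
# directory holds ewallet.p12 and cwallet.sso, that each is readable by its
# owner only, that the owner is the user running the script, and that the
# sqlnet.ora in the same directory turns the store on with
# SQLNET.WALLET_OVERRIDE = TRUE. Each failed check is reported on stdout.

# Usage: check_wallet_dir /path/to/wallet/dir   -> returns 0 if all checks pass
check_wallet_dir() {
  dir=$1
  rc=0
  me=$(id -un)
  for f in ewallet.p12 cwallet.sso; do
    if [ ! -f "$dir/$f" ]; then
      echo "missing: $dir/$f"
      rc=1
      continue
    fi
    # First field of "ls -ld" is the mode string, e.g. "-rw-------";
    # third field is the owner.
    mode=$(ls -ld "$dir/$f" | cut -c1-10)
    owner=$(ls -ld "$dir/$f" | awk '{print $3}')
    case "$mode" in
      -rw-------) ;;
      *) echo "mode is $mode, want -rw-------: $dir/$f"; rc=1 ;;
    esac
    if [ "$owner" != "$me" ]; then
      echo "owned by $owner, not $me: $dir/$f"
      rc=1
    fi
  done
  # Without the override the client ignores the store and uses other methods.
  if ! grep -Eiq '^[[:space:]]*SQLNET\.WALLET_OVERRIDE[[:space:]]*=[[:space:]]*TRUE' \
       "$dir/sqlnet.ora" 2>/dev/null; then
    echo "SQLNET.WALLET_OVERRIDE = TRUE not set in $dir/sqlnet.ora"
    rc=1
  fi
  return $rc
}

# Example run against the wallet directory used in the article.
check_wallet_dir /u01/app/oracle/product/11.2.0/dbhome_1/network/admin \
  && echo "wallet OK" || echo "wallet NOT OK"
```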
Oracle RAC
If a wallet is being created on the nodes in an Oracle RAC configuration, the wallet should be configured on all nodes in the sqlnet.ora file for the Database home and not the Grid Infrastructure home. Although it is possible to specify the location for the wallet in the sqlnet.ora for Grid home and even verify that the database credentials work from Grid home, the cluster database will fail to start:
$ srvctl start database -d racdb
PRCR-1079 : Failed to start resource ora.racdb.db
ORA-12578: TNS:wallet open failed
CRS-5017: The resource action "ora.racdb.db start" encountered the following error:
ORA-12578: TNS:wallet open failed
. For details refer to "(:CLSN00107:)" in "/u01/app/11.2.0/grid/log/racnode2/agent/crsd/oraagent_oracle/oraagent_oracle.log".
CRS-2674: Start of 'ora.racdb.db' on 'racnode2' failed
ORA-12578: TNS:wallet open failed
CRS-5017: The resource action "ora.racdb.db start" encountered the following error:
ORA-12578: TNS:wallet open failed
. For details refer to "(:CLSN00107:)" in "/u01/app/11.2.0/grid/log/racnode1/agent/crsd/oraagent_oracle/oraagent_oracle.log".
CRS-2674: Start of 'ora.racdb.db' on 'racnode1' failed
ORA-12578: TNS:wallet open failed
CRS-2632: There are no more servers to try to place resource 'ora.racdb.db' on that would satisfy its placement policy
ORA-12578: TNS:wallet open failed
The test above was from an Oracle RAC configured using Job Role Separation, and that may have been why it failed. In any case, I see no reason why a secure external password store would be required from Grid home. In order for the cluster database to start, the wallet location (and other wallet parameters) will need to be removed from the sqlnet.ora file in Grid Infrastructure home while allowed to remain in the Database home.
(SERVICE_NAME = testdb1.idevelopment.info) ) )
Used parameter files:
/u01/app/oracle/product/11.2.0/dbhome_1/network/admin/sqlnet.ora

Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP) (HOST = testnode1.idevelopment.info)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = testdb1.idevelopment.info)))
OK (0 msec)
The TNS alias, in this case "reporting_tool", will be the identifier used in the "/@tnsalias" syntax, and must have a matching entry in the tnsnames.ora file.
SQL*Plus
Using SQL*Plus, connect to the target database using the "/@tnsalias" syntax.
$ sqlplus /@reporting_tool

SQL*Plus: Release 11.2.0.3.0 Production on Fri Jul 20 23:47:59 2012

Copyright (c) 1982, 2011, Oracle. All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining
and Real Application Testing options

SQL> show user
USER is "REPORT_USER"
SQL>
The "/@tnsalias" syntax uses the wallet to look up the username and password for the matching tnsalias and then passes those to the database for authentication. If you want to connect to the same database, but as a different database user, make another TNS alias in your tnsnames.ora file and add a new entry to the wallet. For example:
TESTDB1_SCOTT.IDEVELOPMENT.INFO =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = testnode1.idevelopment.info)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = testdb1.idevelopment.info)
    )
  )

$ cd /u01/app/oracle/product/11.2.0/dbhome_1/network/admin
$ mkstore -wrl . -createCredential testdb1_scott scott tiger
Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.

Enter wallet password: **********
Create credential oracle.security.client.connect_string1

$ sqlplus /@testdb1_scott

SQL*Plus: Release 11.2.0.3.0 Production on Sat Jul 21 00:50:56 2012

Copyright (c) 1982, 2011, Oracle. All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining
and Real Application Testing options

SQL> show user
USER is "SCOTT"
SQL>
Java Application
When using the secure external password store in a Java application, you must use the OCI (thick) JDBC driver, which also means you need to install the Oracle client software. Use a URL similar to the following when connecting to the database:
Connection conn = DriverManager.getConnection("jdbc:oracle:oci:/@testdb1_scott");
You can also use the mkstore command to modify or delete password credentials for existing wallet entries.
mkstore -wrl <wallet_location> -modifyCredential <tnsalias> <username> <password>
mkstore -wrl <wallet_location> -deleteCredential <tnsalias>
database using credentials other than the application owner but still have the same level of access?

Solution: Create a separate database account for the program that uses command-line proxy authentication with the secure external password store. Using this method, applications can use traditional proxy authentication to authenticate as an end user (HRPROC in this example) and then proxy to the HR user. Note that prior to Oracle Database 10g Release 2, Oracle proxy authentication only worked with thick or thin JDBC connections. In Oracle Database 10g Release 2, Oracle introduced command line proxy functionality as demonstrated in this section.

Start by creating the database proxy user and granting CREATE SESSION privileges.
SQL> grant create session to hrproc identified by hrproc_password;

Grant succeeded.
Alter the user HR to enable access through the new database account.
SQL> alter user hr grant connect through hrproc;

User altered.
Configure the wallet and the tnsnames.ora file, starting with the TNS alias entry. Add an entry to the tnsnames.ora file for the proxy user.
HRPROC.IDEVELOPMENT.INFO =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = testnode1.idevelopment.info)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = testdb1.idevelopment.info)
    )
  )
The batch program can now authenticate as HRPROC using the secure external password store and is allowed to proxy through the HR user:
$ sqlplus [hr]/@hrproc

SQL*Plus: Release 11.2.0.3.0 Production on Tue Jul 24 14:57:30 2012

Copyright (c) 1982, 2011, Oracle. All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining
and Real Application Testing options

SQL> show user
USER is "HR"
SQL>
Although the secure external password store was used in the previous example, it is still possible to use the traditional username/password method with the proxy authentication functionality. For example:
$ sqlplus hrproc[hr]/hrproc_password@hrproc

SQL*Plus: Release 11.2.0.3.0 Production on Tue Jul 24 15:26:33 2012

Copyright (c) 1982, 2011, Oracle. All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining
and Real Application Testing options

SQL> show user
USER is "HR"
SQL>
Administrator and Software Engineer for over 1? years and maintains his own website at: http://www.iDevelopment.info. Jeff graduated from Stanislaus State University in Turlock, California, with a Bachelor's degree in Computer Science.