
DBA Tips Archive for Oracle

Secure Database Passwords in an Oracle Wallet
by Jeff Hunter, Sr. Database Administrator

Contents

Introduction
Create Oracle Wallet
Store Database Credentials
Test Database Credentials
Manage Database Credentials in Wallet
Command-Line Proxy Authentication
About the Author

Introduction

The practice of writing scripts to automate routine database tasks is commonplace. This can include database backups, ETL jobs, or any type of batch processing that requires database access without user interaction. These scripts are typically held on the filesystem and depend on OS file permissions to protect the credentials needed to log in to the database. The challenge has been how to adequately hide or obfuscate the username and password so that they are not exposed in clear text, causing a potential security breach. A widely used practice has been to rely on OS Authentication, but starting with Oracle Database 10g Release 2, a simpler and more scalable solution is to use a Secure External Password Store. This approach provides a secure method to store database credentials and reduces risk to security policies because the usernames and passwords no longer need to be exposed in clear text. It also avoids the need for the DBA or other security administrators to share passwords with developers and other non-administrator users needing access to the database.

The secure external password store uses a client-side Oracle Wallet to store one or more username/password combinations. The wallet is encrypted using the 3DES algorithm so the contents of the wallet are not readable. If the wallet is ever compromised, the database password for the user can be changed and a new wallet generated, rendering the previous wallet unusable.

The best way to envision the password store is as a table with three columns: TNSALIAS, USERNAME, and PASSWORD. The TNSALIAS is essentially the primary key that maps to a single username/password combination. In most deployment scenarios, this means creating a new TNSALIAS entry for each stored credential.

TNSALIAS (PK)    USERNAME    PASSWORD
-------------    --------    --------
TESTDB1          SCOTT       TIGER
ERPDB_APPS       APPS        APPL3PWD
ERPDB_GL         GL          GL3XPWD
...

Consider the following example where a shell script includes a call to SQL*Plus using traditional username/password authentication:

sqlplus scott/tiger@tnsalias

Lack of adequate file system permissions on the script exposes the database credentials in clear text and creates a major security breach. With a secure external password store in place, the above SQL*Plus call could be replaced with:

sqlplus /@tnsalias

In the above example, the TNS connect string, along with the username and password, are extracted from the password store (a client-side Oracle wallet) based on tnsalias. Note that tnsalias in the above sqlplus call should not be thought of as an actual entry in the tnsnames.ora file, but rather as a lookup key in the password store. That key value in the password store should, however, be a resolvable entry in the tnsnames.ora file. Although the tnsalias value used for the database login (/@tnsalias) and the entry in the password store must be the same, it is important to distinguish between the two.
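The clear-text scott/tiger@tnsalias form is the pattern a defender wants to find and remove across the script estate before introducing the wallet. The following shell function is an added example, not part of the original article: it scans a script for sqlplus invocations that carry both a username and a password on the command line, while wallet logins (/@alias) and proxy logins that carry no password ([hr]/@alias, shown later in this article) are deliberately not reported. The batch script it scans is constructed for the demonstration.

```sh
#!/bin/sh
# Added example: detect clear-text database credentials on sqlplus command lines.
# Not part of the original article; the sample script below is constructed.

# ERE for "sqlplus [options] user/password@alias": both the username and the
# password must be non-empty, so "/@alias" (wallet login) and "[hr]/@alias"
# (proxy login through the wallet) are not matched.
CLEARTEXT_SQLPLUS_RE='sqlplus[[:space:]]+(-[^[:space:]]+[[:space:]]+)*[^[:space:]/@]+/[^[:space:]@]+@'

# Print "line-number:line" for every offending line in the file given as $1.
# Exit status 0 when at least one line was flagged, 1 when the file is clean.
find_cleartext_sqlplus() {
    grep -nE "$CLEARTEXT_SQLPLUS_RE" "$1"
}

# Print the number of offending lines in $1 (0 for a clean file).
count_cleartext_sqlplus() {
    grep -cE "$CLEARTEXT_SQLPLUS_RE" "$1" || true
}

# Write a constructed batch script to $1 that mixes both login styles.
write_sample_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
# nightly export, credentials embedded in clear text (the anti-pattern)
sqlplus -S scott/tiger@tnsalias @export_report.sql
sqlplus report_user/report_user_pwd@reporting_tool @weekly.sql
# wallet-based logins: nothing secret on the command line
sqlplus /@reporting_tool @weekly.sql
sqlplus [hr]/@hrproc @nightly_hr.sql
EOF
}

# Stand-alone demonstration: scan the constructed script and report.
demo_cleartext_scan() {
    tmp=$(mktemp)
    write_sample_script "$tmp"
    echo "clear-text credential lines: $(count_cleartext_sqlplus "$tmp")"
    find_cleartext_sqlplus "$tmp"
    rm -f "$tmp"
}

demo_cleartext_scan
```

Against the constructed script the scan flags the two embedded-password lines and leaves the two wallet-based lines alone; pointed at a real directory of cron and ETL scripts (for example with find ... -exec), it gives the list of call sites to convert to the /@tnsalias form.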

Create Oracle Wallet

A client-side Oracle Wallet will be created in this section and used for the secure external password store. Although the examples in this guide are performed on a Linux client machine, the same procedures could be used on a Microsoft Windows client machine, another database server, or even on the database server hosting the target database.

About Oracle Wallet

An Oracle Wallet is nothing more than a protected logical container (a single file named ewallet.p12) that is used for the secure external password store. Multiple wallets may be created on a machine; however, each wallet should be contained in its own directory. Using a wallet for the secure external password store is not the only use of an Oracle wallet. The wallet can also be used to store encrypted keys needed by the Oracle database in order to access SSL sites, as well as for many of the more advanced security options in Oracle like Transparent Data Encryption (TDE) or PKI credentials. These advanced options are part of Oracle's Advanced Security Option (ASO) and are only available when using Oracle Enterprise Edition. Note that creating an Oracle wallet for the secure external password store (and importing keys to access SSL sites) can be done using Oracle Standard Edition. Only the advanced features like TDE or PKI credentials require the Advanced Security Option and Enterprise Edition.

Oracle Wallet Location

The first step is to decide on the location of the Oracle wallet. In this example, the wallet will be created in the ORACLE_HOME/network/admin directory on a Linux application server with the Oracle Client software installed. Another popular location for the wallet is ORACLE_HOME/wallets; however, the wallet can be located anywhere on the file system that is accessible by Oracle. Starting with Oracle Database 11g Release 2 (11.2.0.2) on Linux, if the wallet is being created on a database server, it is recommended to store the Oracle Wallet in Oracle ACFS (i.e. /u02/app/oracle/wallet/) when ACFS is available. This applies to single instance, RAC One Node and multi-node RAC, but not Exadata X2 configurations. Oracle ACFS is a cluster file system on top of ASM and provides new security features like excellent wallet protection and separation of duties. ACFS is not configured for the example described in this guide and therefore will not be used for the Oracle wallet.

Add the following entry to the sqlnet.ora on your client machine so that Oracle Net knows where to look for the wallet. The location directory for the wallet must be an absolute path, end with right parentheses, and be an existing directory. Make certain that there are no spaces or invisible characters at the end of the directory path, as this may cause Oracle to not recognize the directory.

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/product/11.2.0/dbhome_1/network/admin)
    )
  )

SQLNET.WALLET_OVERRIDE = TRUE
SSL_CLIENT_AUTHENTICATION = FALSE

ADR_BASE = /u01/app/oracle
NAMES.DIRECTORY_PATH= (TNSNAMES)
NAMES.DEFAULT_DOMAIN = IDEVELOPMENT.INFO

In addition to the wallet location, specify the following:

1. Enter the SQLNET.WALLET_OVERRIDE parameter and set it to TRUE in order to override the current authentication methods and use the secure external password store feature. For example, setting SQLNET.WALLET_OVERRIDE = TRUE causes all "CONNECT /@db_connect_string" statements to use the information in the wallet at the specified location to authenticate to databases. The default value for SQLNET.WALLET_OVERRIDE is FALSE, allowing standard use of authentication credentials like Windows native authentication or Secure Sockets Layer (SSL) and disabling the secure external password store feature.

   Note: If an application uses SSL for encryption, then the sqlnet.ora parameter SQLNET.AUTHENTICATION_SERVICES specifies SSL and an SSL wallet is created. If this application wants to use secret store credentials to authenticate to databases (instead of the SSL certificate), then those credentials must be stored in the SSL wallet. After SSL authentication, if SQLNET.WALLET_OVERRIDE = TRUE, then the user names and passwords from the wallet are used to authenticate to databases. If SQLNET.WALLET_OVERRIDE = FALSE, then the SSL certificate is used.

2. The SSL_CLIENT_AUTHENTICATION parameter is used to specify whether or not a client is authenticated using the Secure Sockets Layer (SSL). The default value is TRUE.

3. Although not required for a secure external password store, I specify a default domain in the sqlnet.ora for all TNS entries (NAMES.DEFAULT_DOMAIN = IDEVELOPMENT.INFO).
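The requirements just listed (an absolute, existing directory with no trailing blank, SQLNET.WALLET_OVERRIDE set to TRUE, SSL_CLIENT_AUTHENTICATION set to FALSE) are easy to get wrong by hand, and a mistake shows up only as a failed login. The following shell check is an added example rather than the article's own code: it parses a sqlnet.ora, extracts the WALLET_LOCATION directory and reports each violated requirement, returning the number of problems found. The two sqlnet.ora files it writes are constructed for the demonstration and modelled on the entry above.

```sh
#!/bin/sh
# Added example: sanity-check the wallet settings in a sqlnet.ora.
# Not part of the original article; the sample files are constructed.

# Extract the DIRECTORY value from WALLET_LOCATION. The file is collapsed to a
# single line first, so a value split across lines is still found, and CRs
# become spaces so a stray carriage return shows up as a trailing blank.
wallet_directory() {
    tr '\n\r' '  ' < "$1" |
        sed -n 's/.*(DIRECTORY[[:space:]]*=[[:space:]]*\([^)]*\)).*/\1/p'
}

# Report every violated requirement for the sqlnet.ora given as $1.
# Returns the number of problems (0 means the wallet settings look right).
check_wallet_sqlnet() {
    conf=$1
    problems=0
    dir=$(wallet_directory "$conf")
    if [ -z "$dir" ]; then
        echo "no WALLET_LOCATION/DIRECTORY entry found in $conf"
        return 1
    fi
    case "$dir" in
        *[[:space:]]|*[[:cntrl:]])
            echo "DIRECTORY ends with a blank or invisible character: '$dir'"
            problems=$((problems + 1)) ;;
    esac
    case "$dir" in
        /*) ;;
        *)  echo "DIRECTORY is not an absolute path: '$dir'"
            problems=$((problems + 1)) ;;
    esac
    if [ ! -d "$dir" ]; then
        echo "DIRECTORY does not exist: '$dir'"
        problems=$((problems + 1))
    fi
    if ! grep -Eiq '^[[:space:]]*SQLNET\.WALLET_OVERRIDE[[:space:]]*=[[:space:]]*TRUE[[:space:]]*$' "$conf"; then
        echo "SQLNET.WALLET_OVERRIDE is not TRUE (the default FALSE disables the password store)"
        problems=$((problems + 1))
    fi
    if ! grep -Eiq '^[[:space:]]*SSL_CLIENT_AUTHENTICATION[[:space:]]*=[[:space:]]*FALSE[[:space:]]*$' "$conf"; then
        echo "SSL_CLIENT_AUTHENTICATION is not FALSE (it defaults to TRUE)"
        problems=$((problems + 1))
    fi
    return $problems
}

# Write a constructed sqlnet.ora to $1; $2 is the DIRECTORY value, $3 the
# WALLET_OVERRIDE value, $4 (optional) one extra line appended at the end.
write_sample_sqlnet() {
    cat > "$1" <<EOF
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = $2)
    )
  )

SQLNET.WALLET_OVERRIDE = $3
${4:-}
EOF
}

# Stand-alone demonstration: one correct file, one with a relative directory
# that has a trailing blank, WALLET_OVERRIDE left at FALSE and no SSL setting.
demo_wallet_check() {
    work=$(mktemp -d)
    write_sample_sqlnet "$work/good.ora" "$work" TRUE "SSL_CLIENT_AUTHENTICATION = FALSE"
    write_sample_sqlnet "$work/bad.ora" "wallet " FALSE
    echo "== good.ora"; check_wallet_sqlnet "$work/good.ora"; echo "problems: $?"
    echo "== bad.ora";  check_wallet_sqlnet "$work/bad.ora";  echo "problems: $?"
    rm -rf "$work"
}

demo_wallet_check
```

The check is deliberately stricter than Oracle Net itself: a trailing blank inside the DIRECTORY parentheses is reported even though the path may otherwise be valid, because that is exactly the error the article warns is hard to see.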

Create Oracle Wallet

Create a new Oracle wallet in the previously specified location by executing the mkstore command with the -create option.

$ mkstore -wrl "/u01/app/oracle/product/11.2.0/dbhome_1/network/admin" -create
Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.

Enter password: **********
Enter password again: **********

Although the wallet created above is password protected, it is defined with the "Auto Login" property enabled, so a connection attempt by the user who created the wallet is not required to supply the password.

About Auto Login Property

When the auto login property is enabled, it creates an obfuscated copy of the wallet and enables access to services (PKI, password store, etc.) without a password. When auto login is enabled for a wallet, it is only available to the operating system user who created that wallet. The auto login feature for a wallet can be enabled or disabled using Oracle Wallet Manager.

Something to note about an Oracle wallet is that it can be copied to a different machine, which poses a serious risk to security. A user could create an account on their workstation with the same username as the wallet owner and obtain access to any of the database credentials stored in the wallet without a password. In Oracle Database 11g Release 2, you can prevent the auto login functionality from working if the wallet is copied to another machine by creating a (local) wallet using the orapki command with -auto_login_local, instead of the mkstore command.

$ orapki wallet create -wallet "/u01/app/oracle/product/11.2.0/dbhome_1/network/admin" -pwd "myPassword" -auto_login_local
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.

Verify the wallet was created. The same wallet file names will be created whether the wallet was created using mkstore or the orapki command.

$ ls -l /u01/app/oracle/product/11.2.0/dbhome_1/network/admin
total 48
-rw------- 1 oracle oinstall  3973 Jul 20 22:55 cwallet.sso
-rw------- 1 oracle oinstall  3896 Jul 20 22:55 ewallet.p12
-rw-r--r-- 1 oracle oinstall   392 Feb 10 20:31 listener.ora
drwxr-xr-x 2 oracle oinstall  4096 Feb 10 20:23 samples/
-rw-r--r-- 1 oracle oinstall   205 May 11  2011 shrept.lst
-rw-r--r-- 1 oracle oinstall 20760 Jul 20 18:02 sqlnet.ora
-rw-r--r-- 1 oracle oinstall  3337 Jul 20 22:43 tnsnames.ora

Since the wallet was created with the auto login functionality, the wallet is also exported into a file named cwallet.sso. Because the wallet is protected by a password, two files are created: ewallet.p12 and cwallet.sso.
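The listing above shows the property that protects an auto-login wallet in practice: both files are mode 600 and owned by the account that created them, and the copy-to-another-machine risk described earlier starts with someone being able to read them. The following shell function is an added example that is not part of the original article: it audits a wallet directory for exactly that. Each of ewallet.p12 and cwallet.sso must exist, be readable only by its owner and belong to the expected OS user, and the directory itself must not be writable by group or others; the function returns the number of findings. The directory it checks here is a constructed stand-in with empty files; the check never opens the wallet.

```sh
#!/bin/sh
# Added example: audit the files of a secure external password store.
# Not part of the original article; the directory it checks is constructed.

# Nine-character permission string of $1, e.g. "rw-------", taken from ls
# (portable where the option syntax of stat is not).
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# Owning user of $1 as printed by ls.
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Audit the wallet directory $1, which should belong to OS user $2.
# Prints one line per finding and returns the number of findings.
audit_wallet_dir() {
    wdir=$1
    expected_owner=$2
    findings=0
    for f in ewallet.p12 cwallet.sso; do
        path="$wdir/$f"
        if [ ! -f "$path" ]; then
            echo "MISSING   $path"
            findings=$((findings + 1))
            continue
        fi
        mode=$(perm_string "$path")
        case "$mode" in
            rw-------|r--------) ;;
            *) echo "MODE      $path is $mode, expected rw------- (chmod 600)"
               findings=$((findings + 1)) ;;
        esac
        o=$(owner_of "$path")
        if [ "$o" != "$expected_owner" ]; then
            echo "OWNER     $path belongs to $o, expected $expected_owner"
            findings=$((findings + 1))
        fi
    done
    # A group- or world-writable directory lets the wallet files be replaced.
    dmode=$(perm_string "$wdir")
    case "$dmode" in
        ????-??-?) ;;
        *) echo "DIRMODE   $wdir is $dmode, group/other must not be writable"
           findings=$((findings + 1)) ;;
    esac
    return $findings
}

# Build a constructed wallet directory with empty stand-in files (mode 600).
make_sample_wallet_dir() {
    d=$(mktemp -d)
    : > "$d/ewallet.p12"
    : > "$d/cwallet.sso"
    chmod 600 "$d/ewallet.p12" "$d/cwallet.sso"
    chmod 700 "$d"
    echo "$d"
}

# Stand-alone demonstration: a clean directory, then one with cwallet.sso
# readable by everyone.
demo_wallet_audit() {
    d=$(make_sample_wallet_dir)
    me=$(id -un)
    echo "== correctly protected"; audit_wallet_dir "$d" "$me"; echo "findings: $?"
    chmod 644 "$d/cwallet.sso"
    echo "== cwallet.sso world-readable"; audit_wallet_dir "$d" "$me"; echo "findings: $?"
    rm -rf "$d"
}

demo_wallet_audit
```

Run it against the real location as audit_wallet_dir /u01/app/oracle/product/11.2.0/dbhome_1/network/admin oracle, ideally from the same job that rotates the wallet. One related hygiene point on the orapki command above: a password supplied with -pwd is recorded in the shell history and is visible in the process list while the command runs; omitting -pwd makes orapki prompt for it instead.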

Oracle RAC

If a wallet is being created on the nodes in an Oracle RAC configuration, the wallet should be configured on all nodes in the sqlnet.ora file for the Database home and not the Grid Infrastructure home. Although it is possible to specify the location for the wallet in the sqlnet.ora for the Grid home, and even verify that the database credentials work from the Grid home, the cluster database will fail to start:

$ srvctl start database -d racdb
PRCR-1079 : Failed to start resource ora.racdb.db
ORA-12578: TNS:wallet open failed
CRS-5017: The resource action "ora.racdb.db start" encountered the following error:
ORA-12578: TNS:wallet open failed
. For details refer to "(:CLSN00107:)" in "/u01/app/11.2.0/grid/log/racnode2/agent/crsd/oraagent_oracle/oraagent_oracle.log".
CRS-2674: Start of 'ora.racdb.db' on 'racnode2' failed
ORA-12578: TNS:wallet open failed
CRS-5017: The resource action "ora.racdb.db start" encountered the following error:
ORA-12578: TNS:wallet open failed
. For details refer to "(:CLSN00107:)" in "/u01/app/11.2.0/grid/log/racnode1/agent/crsd/oraagent_oracle/oraagent_oracle.log".
CRS-2674: Start of 'ora.racdb.db' on 'racnode1' failed
ORA-12578: TNS:wallet open failed
CRS-2632: There are no more servers to try to place resource 'ora.racdb.db' on that would satisfy its placement policy
ORA-12578: TNS:wallet open failed

The test above was from an Oracle RAC configured using Job Role Separation, and that may have been why it failed. In any case, I see no reason why a secure external password store would be required from the Grid home. In order for the cluster database to start, the wallet location (and the other wallet parameters) must be removed from the sqlnet.ora file in the Grid Infrastructure home, while they can remain in the Database home.

Store Database Credentials

TNS Names Entry

Before storing database login credentials for a user in the wallet, create or modify an entry in your tnsnames.ora for the target database. For example, I want to create login credentials for the current reporting tools user (REPORT_USER) connecting to the target database TESTDB1. The database connect string (TNS alias) will be named REPORTING_TOOL.

REPORTING_TOOL.IDEVELOPMENT.INFO =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = testnode1.idevelopment.info)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = testdb1.idevelopment.info)
    )
  )

Test the new alias.

$ tnsping reporting_tool

TNS Ping Utility for Linux: Version 11.2.0.3.0 - Production on 20-JUL-2012 22:46:17

Copyright (c) 1997, 2011, Oracle.  All rights reserved.

Used parameter files:
/u01/app/oracle/product/11.2.0/dbhome_1/network/admin/sqlnet.ora

Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = testnode1.idevelopment.info)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = testdb1.idevelopment.info)))
OK (0 msec)

Add Database Credentials to Wallet

After creating the Oracle wallet (using either mkstore or orapki) and verifying the database connect string, execute the mkstore command with the -createCredential option to add your database credentials.

$ mkstore -wrl "/u01/app/oracle/product/11.2.0/dbhome_1/network/admin" -createCredential reporting_tool report_user report_user_pwd
Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.

Enter wallet password: **********
Create credential oracle.security.client.connect_string1

The TNS alias, in this case "reporting_tool", is the identifier used in the "/@tnsalias" syntax and must have a matching entry in the tnsnames.ora file.
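The sentence above states the invariant a password store has to keep: every key in the wallet must also be a resolvable tnsnames.ora alias, either as written or with NAMES.DEFAULT_DOMAIN appended. The following shell check is an added example and not the article's own code: it parses a tnsnames.ora and the text printed by mkstore -listCredential (shown later in this article) and reports every stored credential whose alias would not resolve, returning the number of unresolved aliases. Both input files are constructed here, modelled on the listings in this article.

```sh
#!/bin/sh
# Added example: cross-check wallet credential keys against tnsnames.ora.
# Not part of the original article; both sample inputs are constructed.

# Alias names from a tnsnames.ora: the token starting in column 1 before "=",
# lower-cased for comparison.
tns_aliases() {
    sed -n 's/^\([A-Za-z0-9_.-]*\)[[:space:]]*=.*/\1/p' "$1" | tr 'A-Z' 'a-z'
}

# "alias username" pairs from saved "mkstore -listCredential" output
# (lines of the form "N: alias username").
wallet_credentials() {
    sed -n 's/^[0-9][0-9]*:[[:space:]]*\([^[:space:]]*\)[[:space:]]*\([^[:space:]]*\).*/\1 \2/p' "$1"
}

# Does alias $1 resolve against the alias list in file $3, either as-is or
# with the default domain $2 (may be empty) appended?
alias_resolves() {
    a=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    grep -Fqx "$a" "$3" && return 0
    [ -n "$2" ] && grep -Fqx "$a.$(printf '%s' "$2" | tr 'A-Z' 'a-z')" "$3"
}

# Report each credential in listCredential output $2 against tnsnames.ora $1,
# using default domain $3. Returns the number of unresolved aliases.
check_wallet_aliases() {
    aliases=$(mktemp); pairs=$(mktemp)
    tns_aliases "$1" > "$aliases"
    wallet_credentials "$2" > "$pairs"
    unresolved=0
    while read -r al user; do
        if alias_resolves "$al" "$3" "$aliases"; then
            echo "OK          $al -> $user"
        else
            echo "UNRESOLVED  $al ($user): no tnsnames.ora entry, so /@$al cannot connect"
            unresolved=$((unresolved + 1))
        fi
    done < "$pairs"
    rm -f "$aliases" "$pairs"
    return $unresolved
}

# Constructed inputs modelled on the article's listings; hrproc has a wallet
# entry but no tnsnames.ora alias.
write_sample_tnsnames() {
    cat > "$1" <<'EOF'
REPORTING_TOOL.IDEVELOPMENT.INFO =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = testnode1.idevelopment.info)(PORT = 1521))
    (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = testdb1.idevelopment.info))
  )

TESTDB1_SCOTT.IDEVELOPMENT.INFO =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = testnode1.idevelopment.info)(PORT = 1521))
    (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = testdb1.idevelopment.info))
  )
EOF
}

write_sample_listcredential() {
    cat > "$1" <<'EOF'
Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
List credential (index: connect_string username)
3: hrproc hrproc
2: testdb1_scott scott
1: reporting_tool report_user
EOF
}

# Stand-alone demonstration.
demo_alias_check() {
    t=$(mktemp); c=$(mktemp)
    write_sample_tnsnames "$t"
    write_sample_listcredential "$c"
    check_wallet_aliases "$t" "$c" IDEVELOPMENT.INFO
    echo "unresolved: $?"
    rm -f "$t" "$c"
}

demo_alias_check
```

On a real client the second input is simply the saved output of mkstore -wrl <wallet_location> -listCredential, and the third argument is whatever NAMES.DEFAULT_DOMAIN the sqlnet.ora sets (pass an empty string when it sets none); a non-zero return is the cheapest possible regression test to run after editing either file.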

Test Database Credentials

Now that the wallet has been created and the password credentials are stored in it, use SQL*Plus, Toad, Java, or any other client application to test the secure external password store.

SQL*Plus

Using SQL*Plus, connect to the target database using the "/@tnsalias" syntax.

$ sqlplus /@reporting_tool

SQL*Plus: Release 11.2.0.3.0 Production on Fri Jul 20 23:47:59 2012

Copyright (c) 1982, 2011, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining
and Real Application Testing options

SQL> show user
USER is "REPORT_USER"
SQL>

The "/@tnsalias" syntax uses the wallet to look up the username and password for the matching tnsalias and then passes those to the database for authentication. If you want to connect to the same database but as a different database user, make another TNS alias in your tnsnames.ora file and add a new entry to the wallet. For example:

TESTDB1_SCOTT.IDEVELOPMENT.INFO =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = testnode1.idevelopment.info)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = testdb1.idevelopment.info)
    )
  )

$ cd /u01/app/oracle/product/11.2.0/dbhome_1/network/admin
$ mkstore -wrl . -createCredential testdb1_scott scott tiger
Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.

Enter wallet password: **********
Create credential oracle.security.client.connect_string1

$ sqlplus /@testdb1_scott

SQL*Plus: Release 11.2.0.3.0 Production on Sat Jul 21 00:50:56 2012

Copyright (c) 1982, 2011, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining
and Real Application Testing options

SQL> show user
USER is "SCOTT"
SQL>

Java Application

When using the secure external password store in a Java application, you must use the OCI (thick) JDBC driver, which also means you need to install the Oracle client software. Use a URL similar to the following when connecting to the database:

Connection conn = DriverManager.getConnection ("jdbc:oracle:oci:/@testdb1_scott");

Manage Database Credentials in Wallet

Use the mkstore command with the -listCredential option to list the credentials present in the wallet.

$ mkstore -wrl "/u01/app/oracle/product/11.2.0/dbhome_1/network/admin" -listCredential
Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.

Enter wallet password: **********
List credential (index: connect_string username)
2: testdb1_scott scott
1: reporting_tool report_user

You can also use the mkstore command to modify or delete password credentials for existing wallet entries.

mkstore -wrl <wallet_location> -modifyCredential <tnsalias> <username> <password>
mkstore -wrl <wallet_location> -deleteCredential <tnsalias>

Command-Line Proxy Authentication

Another example for the secure external password store is the following scenario: a routine batch program running on a back-end server needs nightly access to the HR application schema, but new security policies have restricted direct access to the HR application schema. According to the new policy, the HR password will not be distributed and applications will not be allowed to log in directly as the HR application schema. How can the program authenticate to the database using credentials other than the application owner's but still have the same level of access?

Solution: create a separate database account for the program that uses command-line proxy authentication with the secure external password store. Using this method, applications can use traditional proxy authentication to authenticate as an end user (HRPROC in this example) and then proxy to the HR user. Note that prior to Oracle Database 10g Release 2, Oracle proxy authentication only worked with thick or thin JDBC connections. In Oracle Database 10g Release 2, Oracle introduced command-line proxy functionality as demonstrated in this section.

Start by creating the database proxy user and granting the CREATE SESSION privilege.

SQL> grant create session to hrproc identified by hrproc_password;

Grant succeeded.

Alter the user HR to enable access through the new database account.

SQL> alter user hr grant connect through hrproc;

User altered.

Configure the wallet and the tnsnames.ora file, starting with the TNS alias entry. Add an entry to the tnsnames.ora file for the proxy user.

HRPROC.IDEVELOPMENT.INFO =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = testnode1.idevelopment.info)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = testdb1.idevelopment.info)
    )
  )

Add the credentials for the proxy user to your wallet.

$ cd /u01/app/oracle/product/11.2.0/dbhome_1/network/admin
$ mkstore -wrl . -createCredential hrproc hrproc hrproc_password
Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.

Enter wallet password: ********
Create credential oracle.security.client.connect_string3

The batch program can now authenticate as HRPROC using the secure external password store and is allowed to proxy through to the HR user:

$ sqlplus [hr]/@hrproc

SQL*Plus: Release 11.2.0.3.0 Production on Tue Jul 24 14:57:30 2012

Copyright (c) 1982, 2011, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining
and Real Application Testing options

SQL> show user
USER is "HR"
SQL>

Although the secure external password store was used in the previous example, it is still possible to use the traditional username/password method with the proxy authentication functionality. For example:

$ sqlplus hrproc[hr]/hrproc_password@hrproc

SQL*Plus: Release 11.2.0.3.0 Production on Tue Jul 24 15:26:33 2012

Copyright (c) 1982, 2011, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining
and Real Application Testing options

SQL> show user
USER is "HR"
SQL>

About the Author

Jeffrey Hunter is an Oracle Certified Professional, Java Development Certified Professional, Author, and an Oracle ACE. Jeff currently works as a Senior Database Administrator for The DBA Zone, Inc. located in Pittsburgh, Pennsylvania. His work includes advanced performance tuning, Java and PL/SQL programming, developing high availability solutions, capacity planning, database security, and physical / logical database design in a UNIX, Linux, and Windows server environment. Jeff's other interests include mathematical encryption theory, programming language processors (compilers and interpreters) in Java and C, LDAP, writing web-based database administration tools, and of course Linux. He has been a Sr. Database Administrator and Software Engineer for over 15 years and maintains his own website at: http://www.iDevelopment.info. Jeff graduated from Stanislaus State University in Turlock, California, with a Bachelor's degree in Computer Science.

Copyright (c) 1998-2012 Jeffrey M. Hunter. All rights reserved.

All articles, scripts and material located at the Internet address of http://www.idevelopment.info are the copyright of Jeffrey M. Hunter and are protected under copyright laws of the United States. This document may not be hosted on any other site without my express, prior, written permission. Application to host any of the material elsewhere can be made by contacting me at jhunter@idevelopment.info. I have made every effort and taken great care in making sure that the material included on my web site is technically accurate, but I disclaim any and all responsibility for any loss, damage or destruction of data or any other property which may arise from relying on it. I will in no case be liable for any monetary damages arising from such loss, damage or destruction.

Last modified on Tuesday, 04-Sep-2012 00:24:00 EDT
