Ben the DBA

Secure Oracle Wallet Configuration Guide

Oracle Wallet provides a secure method to manage credentials for database connections, reducing the risk of exposing passwords in plain text. This guide walks you through setting up an Oracle Wallet, adding credentials, and configuring your environment to use the wallet securely.

Create a Directory for the Wallet

The wallet directory can be placed anywhere, provided Oracle can access it. Here's how to create the directory:


mkdir -p /home/oracle/wallet

Set the Wallet Directory Environment Variable

Specify the wallet directory using the WALLET_DIR environment variable:


export WALLET_DIR=/home/oracle/wallet

Create the Wallet

Use the mkstore utility to create the wallet in the specified directory:


mkstore -wrl $WALLET_DIR -create

Add a Credential Entry

Add a credential to the wallet. For example, to store a credential for the database user SYS under the alias john (the first argument is the alias, which must match the connect identifier you later pass to sqlplus; the second is the database user name):


mkstore -wrl $WALLET_DIR -createCredential john SYS

You will be prompted to enter the password for the user. Note that the password is not stored in the shell history, making this method more secure.

List Wallet Entries

To list all the entries in the wallet:


mkstore -wrl $WALLET_DIR -listCredential

Modify the sqlnet.ora File

Edit the sqlnet.ora file to configure Oracle to use the wallet. Add the following configuration:


WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /home/oracle/wallet)
    )
  )

SQLNET.WALLET_OVERRIDE = TRUE

Test the Connection

Test the connection using sqlplus to ensure that it uses the wallet credentials:


sqlplus /@john

Enhance Security

To ensure that only the user oracle can access the wallet, it's crucial to set the appropriate permissions. With these settings, only the user will have read and write access to the wallet files.


chmod 700 $WALLET_DIR
chmod 600 $WALLET_DIR/*

Directory Permissions

The directory should be set with rwx------ (700) permissions, meaning only the owner can list, modify, and enter (traverse) the directory. This prevents other users and groups from accessing the directory.


chmod 700 $WALLET_DIR

File Permissions

The files within the directory should have rw------- (600) permissions, ensuring only the owner can read and write the files. This level of security ensures that no one else can access or modify the wallet files.


chmod 600 $WALLET_DIR/*

Optional: Group Read Access

If there is a need for the group to have read access to the wallet files, you can modify the file permissions to rw-r----- (640). This allows the owner to read and write the files, and the group to read the files. The directory must then allow the group to enter it, rwxr-x--- (750): without the execute bit on the directory, group members cannot traverse into it to open the files, even though the files themselves are group-readable.


chmod 750 $WALLET_DIR
chmod 640 $WALLET_DIR/*
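The following script is an added example, not part of the original guide, that checks the permission model from the sections above (owner-only or group-read) and confirms that sqlnet.ora carries the two settings the wallet connection depends on. It assumes a POSIX sh and a stat that supports -c (GNU coreutils or busybox); the sample wallet it builds is a constructed stand-in with empty files, not a real wallet.

```shell
#!/bin/sh
# Wallet permission and sqlnet.ora audit (assumes GNU/busybox stat -c, POSIX sh).

# mode_within PATH MASK: 0 if PATH has no permission bits outside octal MASK.
mode_within() {
    have=$(printf '%d' "0$(stat -c '%a' "$1")")   # octal string -> decimal
    allow=$(printf '%d' "0$2")
    [ $(( have & ~allow )) -eq 0 ]
}

# audit_wallet DIR [yes|no]: "yes" permits group read (750 dir, 640 files),
# otherwise owner-only (700 dir, 600 files). Prints findings; returns 1 if
# anything is more open than allowed or not owned by the current user.
audit_wallet() {
    dir=$1; rc=0
    if [ "${2:-no}" = yes ]; then dmask=750; fmask=640; else dmask=700; fmask=600; fi
    [ -d "$dir" ] || { echo "no wallet directory at $dir"; return 1; }
    mode_within "$dir" "$dmask" || { echo "$dir: mode $(stat -c '%a' "$dir") exceeds $dmask"; rc=1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode_within "$f" "$fmask" || { echo "$f: mode $(stat -c '%a' "$f") exceeds $fmask"; rc=1; }
        [ "$(stat -c '%u' "$f")" = "$(id -u)" ] || { echo "$f: not owned by uid $(id -u)"; rc=1; }
    done
    return $rc
}

# check_sqlnet_ora FILE: 0 only if a WALLET_LOCATION is present and
# SQLNET.WALLET_OVERRIDE is TRUE, the two settings sqlplus /@alias relies on.
check_sqlnet_ora() {
    grep -qi 'WALLET_LOCATION' "$1" &&
    grep -Eqi '^[[:space:]]*SQLNET\.WALLET_OVERRIDE[[:space:]]*=[[:space:]]*TRUE' "$1"
}

# make_sample_wallet DIRMODE FILEMODE: constructed stand-in for a wallet
# (empty files named like mkstore's ewallet.p12 / cwallet.sso); prints the path.
make_sample_wallet() {
    d=$(mktemp -d)
    : > "$d/ewallet.p12"; : > "$d/cwallet.sso"
    chmod "$2" "$d"/* && chmod "$1" "$d"
    echo "$d"
}

# Stand-alone use: sh audit_wallet.sh /home/oracle/wallet [yes]
if [ -n "${1:-}" ]; then
    audit_wallet "$1" "${2:-no}" && echo "wallet permissions OK"
fi
```

Run it against $WALLET_DIR after the chmod steps; a non-zero exit lists every file or directory that is more open than the chosen model allows.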
