Newsletters Archive - 2012

If you would like to know more about the Newsletter, please email me.

  Secure Database Passwords in an Oracle Wallet — (26-July-2012)

The practice of writing scripts to automate routine database tasks is 
commonplace. This can include database backups, ETL jobs, or any type of batch 
processing that requires database access without user interaction. These 
scripts are typically held on the filesystem and depend on OS file 
permissions to protect the security credentials needed to log in to the 
database. The challenge has been how to adequately hide or obfuscate the 
username and password so that they are not exposed in clear text, where they 
could cause a security breach. A widely used practice has been to rely on OS 
Authentication, but starting with Oracle Database 10g Release 2, a simpler and 
more scalable solution is to use a Secure External Password Store. This 
approach provides a secure method to store database credentials and reduces 
security risk because the usernames and passwords no longer need to be 
exposed in clear text. This also avoids the need for the DBA or other security 
administrators to share passwords with developers and other non-administrator 
users needing access to the database.

The secure external password store uses a client-side Oracle Wallet to store 
one or more username/password combinations. The wallet is encrypted using the 
3DES algorithm so the contents of the wallet are not readable. If the wallet is 
ever compromised, the database password for the user can be changed and a new 
wallet can be generated, rendering the previous wallet unusable.
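
Moving to a wallet usually starts with finding the scripts that still embed credentials. The following added example (not part of the newsletter or the guide it points to) is a small shell audit that reports lines passing `user/password@alias` to an Oracle client tool while ignoring wallet-style `/@alias` logins; the tool list, the regular expression and the sample script are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find batch-script lines that still pass user/password@alias
# to an Oracle client tool. Wallet-style logins (/@alias) carry no user or
# password part and are not reported.

# Assumed tool list and pattern for this sketch; extend for your environment.
# Commented-out lines are matched on purpose: a password left in a comment
# is still readable by anyone who can read the file.
CLEARTEXT_RE='(sqlplus|rman|expdp|impdp|sqlldr).*[[:space:]]"?[A-Za-z_][A-Za-z0-9_]*/[^[:space:]/@]+@[A-Za-z0-9_.]+'

# Print file:line for each hit. The matching text is dropped so the audit
# output does not itself carry the password.
find_cleartext_logins() {
    grep -HnE "$CLEARTEXT_RE" "$@" | cut -d: -f1,2
}

# Constructed sample script (not real credentials) used to exercise the scan.
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
sqlplus -s scott/tiger@orcl @/home/oracle/scripts/report.sql
sqlplus -s /@orcl_batch @/home/oracle/scripts/report.sql
rman target backup_admin/S3cret@orcl cmdfile=full.rcv
rman target /@orcl_rman cmdfile=full.rcv
# old: expdp system/manager@orcl full=y
sqlplus /nolog
EOF
}

# Scan the sample and show hits under a stable name instead of the temp path.
demo() {
    sample=$(mktemp) || return 1
    write_sample "$sample"
    find_cleartext_logins "$sample" | sed "s|^$sample|sample.sh|"
    rm -f "$sample"
}

demo
```

Lines 2, 4 and 6 of the sample are reported; the two `/@alias` logins and `sqlplus /nolog` are not.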

The following guide demonstrates how to configure and make use of an Oracle Secure External Password Store:

Jeffrey M. Hunter, OCP
Sr. Database Administrator