If you would like to know more about the iDevelopment.info Newsletter, please email me.
Secure Database Passwords in an Oracle Wallet (26-July-2012)
The practice of writing scripts to automate routine database tasks is commonplace. This can include database backups, ETL jobs, or any type of batch processing that requires database access without user interaction. These scripts are typically held on the filesystem which depend on OS file permissions to protect the security credentials needed to log in to the database. The challenge has been how to adequately hide or obfuscate the username and password and not expose them in clear text and causing a potential security breach. A widely used practice has been to rely on OS Authentication, but starting with Oracle Database 10g Release 2, a more simplified and scalable solution would be to use a Secure External Password Store. This approach provides a secure method to store database credentials and reduces risk to security policies because the usernames and passwords no longer need to be exposed in clear text. This also avoids the need for the DBA or other security administrators to share passwords with developers and other non administrator users needing access to the database. The secure external password store uses a client-side Oracle Wallet to store one or more user name/password combinations. The wallet is encrypted using the 3DES algorithm so the contents of the wallet are not readable. If the wallet is ever compromised, the database password for the user can be changed and a new wallet can be generated thus rendering the previous wallet unusable. The following guide demonstrates how to configure and make use of an Oracle Secure External Password Store: http://www.idevelopment.info/data/Oracle/DBA_tips/Security/SEC_15.shtml ---------------------------- Jeffrey M. Hunter, OCP Sr. Database Administrator firstname.lastname@example.org http://www.idevelopment.info ----------------------------