VMCD.ORG » Secure External Password Store using wallet

Oracle Wallet的使用

最近看到一封邮件，该网友提出了如下需求：

This is not exactly an Oracle question, but I am asking it here in case
someone has solved this. We have alot of jobs that log into our Oracle
databases. Some of them use ops$oracle accounts. In the future we are not
allowed to use ops$oracle and need to provide passwords. I am trying to
find a method, or program/script that allows us to do the following.
1. store oracle passwords in unix in a lock box
2. only given processes and users can access specific passwords
3. program/process/script has customizable logic that only lets specific jobs access the password.
4. We are mainly using Cron for our jobs, but may be using some other job schedulers in the future that have morefeatures.
5. you cannot access the passwords from a user account

这种需求用oracle wallet实现是一个不错的选择

oracle wallet是一个加密的RKCS#12文件

PKCS #12

An RSA Security, Inc., Public-Key Cryptography Standards (PKCS) specification that describes a transfer syntax for storing and transferring personal authentication credentials—typically in a format called a wallet.

创建wallet的方法分别有如下几种：

–> 手动调用OWM 进行GUI图形界面进行操作
–> 手工运行mkstore命令创建
–> alter system set encryption key identified by “xxxxx”;

现在我们用mkstroe的方法测试一下wallet

环境：服务器端11.2.0.2 ,client 端10.2.0.5

服务器端：

[oracle@testdb admin]$ cat sqlnet.ora

#SQLNET.INBOUND_CONNECT_TIMEOUT = 120
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /data/oracle/product/11202/db1/network/admin)
)
)

SQLNET.WALLET_OVERRIDE = TRUE
#SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 0

SQLNET.WALLET_OVERRIDE = TRUE设置将会使wallet认证优先于任何存在的os认证，下面我们来创建一个wallet

mkstore -wrl /data/oracle/product/11202/db1/network/admin -create
Oracle Secret Store Tool : Version 11.2.0.2.0 – Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter password:
PKI-01002: Invalid password.
Enter password:
PKI-01002: Invalid password.

这里提示密码格式错误,我们使用www.vmcd.blog作为password

[oracle@testdb admin]$ mkstore -wrl /data/oracle/product/11202/db1/network/admin -create
Oracle Secret Store Tool : Version 11.2.0.2.0 – Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter password:
Enter password again:

在11gR2中，可以通过下面command 使用auto login local属性，设置此属性后直接cp的wallet文件将无法远程登陆

orapki wallet create -wallet “/u01/app/oracle/…” -pwd “mypassword” -auto_login_local

The external security module can use wallets with the automatic login feature enabled. These wallets remain open all the time. The security administrator does not have to reopen the wallet after a database instance has been restarted. If your environment does not require the extra security provided by a wallet that must be explicitly opened for use, then you may use an auto login wallet.

You can also choose to create a local auto login wallet. Local auto login wallets cannot be moved to another computer. They must be used on the host on which they are created.

下面我们继续创建wallet连接用户

[oracle@testdb admin]$ cat tnsnames.ora
www238 =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.110.238)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(service = wwf238 )
)
)
wuxuan1 =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.110.238)(PORT = 1521))
)
(CONNECT_DATA =
(SERVER = DEDICATED)
(sid = wuxuan1)
)
)

huali =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.110.238)(PORT = 1521))
)
(CONNECT_DATA =
(SERVER = DEDICATED)
(sid = huali)
)
)

使用huali字符串连接liu的用户

[oracle@testdb admin]$ sqlplus ‘/as sysdba’

SQL*Plus: Release 11.2.0.2.0 Production on Thu Jan 5 09:31:43 2012

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 – 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> create user liu identified by liu account unlock;

User created.

SQL> grant dba to liu;

Grant succeeded.

SQL> !

mkstore -wrl $ORACLE_HOME/network/admin/ -createCredential huali liu “liu”
mkstore -wrl $ORACLE_HOME/network/admin/ -listCredential
Oracle Secret Store Tool : Version 11.2.0.2.0 – Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
List credential (index: connect_string username)
1: huali liu

连接目标数据库

[oracle@testdb admin]$ sqlplus /@huali

SQL*Plus: Release 11.2.0.2.0 Production on Thu Jan 5 10:47:11 2012

Error accessing PRODUCT_USER_PROFILE
Warning: Product user profile information not loaded!
You may need to run PUPBLD.SQL as SYSTEM

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 – 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> show user
USER is “LIU”
SQL>

注意：如果user修改了password 那么wallet里面的password 需要相应修改：

mkstore -wrl -modifyCredential mkstore -wrl -deleteCredential

对于wallet的管理我们可以使用owm图形工具，下图显示使用auto login登陆：

[oracle@testdb admin]$ owm
Done.

手动关闭和开启wallet

SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY “password”
SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY “password”

客户端连接测试：

mkstore -wrl /data/oracle/product/10.2/db1/network/admin -create
Enter password:
Enter password again:

[oracle@testdb2 admin]$ mkstore -wrl $ORACLE_HOME/network/admin/ -createCredential huali liu “liu”
Enter wallet password:
Create credential oracle.security.client.connect_string1
You have new mail in /var/spool/mail/oracle

[oracle@testdb2 admin]$ mkstore -wrl $ORACLE_HOME/network/admin/ -listCredential
Enter wallet password:
List credential (index: connect_string username)
1: huali liu

[oracle@testdb2 admin]$ cat tnsnames.ora

huali =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.110.238)(PORT = 1521))
)
(CONNECT_DATA =
(SERVER = DEDICATED)
(sid = huali)
)
)

[oracle@testdb2 admin]$ sqlplus /@huali

SQL*Plus: Release 10.2.0.5.0 – Production on Thu Jan 5 10:17:09 2012

Error accessing PRODUCT_USER_PROFILE
Warning: Product user profile information not loaded!
You may need to run PUPBLD.SQL as SYSTEM

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 – 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> show user
USER is “LIU”
SQL>
SQL>
SQL> !