Dear Readers,
My name is Franz Devantier, creator of this blog. I am an Oracle Certified
Professional (OCP DBA 11g) Security DBA.
Secure External Password Store - Part 2
Configuring Clients to Use the External Password Store
First, check whether the client is already configured to use external authentication, for example Windows native authentication or Secure Sockets Layer (SSL). If it is, that method of authentication can be used: the credentials used to authenticate to the operating system can also be used to log on to the database.
If the client is not set up with such authentication, or you want to override the default authentication, there is a new parameter in the sqlnet.ora file that you can set: SQLNET.WALLET_OVERRIDE=TRUE. The default value is FALSE, which allows the standard authentication to be used.
If you want the client to use the secure external password store, there are some configuration tasks to perform.
To enable clients to use the external password store:
1. Firstly, create a wallet on the client.
# mkstore -wrl <wallet location> -create
"wallet location" is the path of the directory where you want to create and store the wallet. This command creates an Oracle wallet at the location that you specified, configured with the autologin feature. The autologin feature enables the client to access the wallet contents without supplying a password, so the wallet directory must be protected by operating system file permissions: anyone who can read the wallet files can connect with the stored credentials.
2. Secondly, create the database connection credentials in the wallet by invoking mkstore from the command line.
# mkstore -wrl <wallet location> -createCredential <db connect string> <username> <password>
"wallet location" is the directory where the wallet is stored, that is, where you created the wallet in step 1.
"db connect string" is the TNS alias that you use to specify the database in the tnsnames.ora file, or any other service name that you use to identify the database on an Oracle network.
"username" and "password" are the database login credentials.
Repeat this for each database that you want to be accessible using the syntax
SQL> CONNECT /@<db connect string>
The "db connect string" used with CONNECT /@<db connect string> must be identical to the "db connect string" that you specified in the -createCredential command.
3. In the client-side sqlnet.ora file, enter the WALLET_LOCATION parameter and set it to the directory of the wallet you created in step 1.
For example, let's say that you created the wallet in $ORACLE_HOME/network/admin, and your $ORACLE_HOME is set to /u02/ora102. Then the full path to the wallet is /u02/ora102/network/admin, and your client-side sqlnet.ora file needs the following entry.
WALLET_LOCATION=
  (SOURCE=
    (METHOD=FILE)
    (METHOD_DATA=
      (DIRECTORY=/u02/ora102/network/admin)
    )
  )
4. The fourth step is also in the client-side sqlnet.ora file: enter the SQLNET.WALLET_OVERRIDE parameter and set it to TRUE.
SQLNET.WALLET_OVERRIDE=TRUE
This setting in the client-side sqlnet.ora file causes all CONNECT /@<db connect string> statements to use the information in the wallet at the specified WALLET_LOCATION to authenticate users to the database.
When external authentication is being used, an authenticated user with such a wallet can use the CONNECT /@<db connect string> syntax to access the specified databases without providing a username and password. If a user fails that external authentication, these connect statements to the database will also fail.
If an application uses SSL for encryption, the sqlnet.ora parameter SQLNET.AUTHENTICATION_SERVICES=SSL is set and an SSL wallet is created. If the application wants to use secret store credentials to authenticate to databases instead of the SSL certificate, those credentials must be stored in the SSL wallet. If SQLNET.WALLET_OVERRIDE=TRUE, the usernames and passwords from the wallet are used to authenticate to the databases.
You can also add this sqlnet.ora parameter:
SSL_CLIENT_AUTHENTICATION = FALSE
If SQLNET.WALLET_OVERRIDE=FALSE, the SSL certificate is used.
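The client-side configuration from steps 3 and 4, as an added shell example that is not from the original post: it writes the two sqlnet.ora entries and checks that the wallet directory is closed to other OS users, since the autologin wallet opens without a password. The temporary directory and file names are constructed for the demo, and the wallet itself is assumed to have been created already with mkstore.

```shell
# Added example, not from the original post. Assumes the wallet was already
# created with "mkstore -wrl <dir> -create"; demo paths are constructed.

# Append the WALLET_LOCATION block and SQLNET.WALLET_OVERRIDE=TRUE.
# Usage: write_wallet_sqlnet <sqlnet.ora> <wallet dir>
write_wallet_sqlnet() {
  sqlnet="$1"; wdir="$2"
  # Refuse a second block: duplicate entries make the effective setting ambiguous.
  if grep -q '^WALLET_LOCATION' "$sqlnet" 2>/dev/null; then
    echo "WALLET_LOCATION already present in $sqlnet" >&2
    return 1
  fi
  cat >> "$sqlnet" <<EOF
WALLET_LOCATION=
  (SOURCE=
    (METHOD=FILE)
    (METHOD_DATA=
      (DIRECTORY=$wdir)
    )
  )
SQLNET.WALLET_OVERRIDE=TRUE
EOF
}

# The autologin wallet opens without a password, so any OS user who can read
# the directory can connect as every stored account. Require mode 700.
# Usage: check_wallet_dir <wallet dir>
check_wallet_dir() {
  wdir="$1"
  [ -d "$wdir" ] || { echo "no such directory: $wdir" >&2; return 1; }
  mode=$(stat -c '%a' "$wdir" 2>/dev/null || stat -f '%Lp' "$wdir")
  case "$mode" in
    700) return 0 ;;
    *)   echo "$wdir has mode $mode, expected 700" >&2; return 1 ;;
  esac
}

# Print the DIRECTORY configured in a sqlnet.ora (what CONNECT /@alias will use).
# Usage: configured_wallet_dir <sqlnet.ora>
configured_wallet_dir() {
  sed -n 's/^ *(DIRECTORY=\(.*\))$/\1/p' "$1"
}

# Constructed demo: a temporary directory stands in for /u02/ora102/network/admin.
demo=$(mktemp -d)
mkdir -m 700 "$demo/wallet"
write_wallet_sqlnet "$demo/sqlnet.ora" "$demo/wallet"
check_wallet_dir "$demo/wallet" && echo "wallet directory permissions OK"
echo "client will read wallet from: $(configured_wallet_dir "$demo/sqlnet.ora")"
```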
Franz Devantier,
Need a database health check, or a security audit?
devantierf@gmail.com