Dear Readers,
My name is Franz Devantier, creator of this blog. I am an Oracle Certified
Professional (OCP DBA 11g) Security DBA.
I will be sharing with you the basic duties of an Oracle DBA, and also
some of the undocumented, and not so well known tasks.
Security
Secure External Password Store - Part 3 of 3
Managing External Password Store Credentials
There are a few functions that can be performed with the mkstore
command line utility. In the previous article we created the external
password store, and we created a credential in the external password
store. We also set up the sqlnet.ora file with the necessary parameters,
so that we could connect to a database as CONNECT /@<Alias>.
The additional functions that the mkstore command line utility can
perform are:
-> List external password store contents
-> Add credentials to an external password store
-> Modify credentials in an external password store
-> Delete credentials from an external password store
Listing External Password Store Contents
On a regular basis you may want to view the contents of a client wallet
external password store, or you may need to check specific credentials
by viewing them. mkstore will show you the connect alias and username,
but not the password. Viewing the store contents helps you decide
whether you need to add credentials to the store or delete them from it.
# mkstore -wrl <wallet location> -listCredential
<wallet location> specifies the directory or path that was specified
when the wallet was created.
This command lists all of the credential database service names or
aliases, with the corresponding username or schema name for each
database. Passwords are not listed. You will be prompted for the wallet
password before it displays the contents.
Adding Credentials to an External Password Store
You can store multiple credentials in one client-side wallet. If you
need to connect to many databases from the one client machine, then you
can define all of the login credentials in the same client-side wallet.
However, if you try to store multiple credentials for logging into the
same database with different schemas, then you have a problem, because
each <db alias> must be unique within the wallet. There are two
workarounds that you can use. Firstly, you can store the alternate
logins with a different schema in a different client-side wallet. The
second workaround is to create an alternate TNS alias for the same
database in the client-side tnsnames.ora file. You can then create
another login credential with a different alias, but connecting to the
same database, with a different schema name.
# mkstore -wrl <wallet location> -createCredential <db alias> <username> <password>
<wallet location> is the path to the directory where the client wallet
is located.
<db alias> can be the TNS alias that you specify in the tnsnames.ora
file or any service name that you use to identify the database on an
Oracle network. The <db alias> description must be unique to the
client-side wallet.
<username> and <password> are the database login credentials for the
schema to which your application connects.
Modifying Credentials in an External Password Store
It is common in most installations that from time to time the database
login credentials will change. Mainly it will be the password that
changes, or there will be a business decision to use an alternate schema
to run the same batch processes etc.
# mkstore -wrl <wallet location> -modifyCredential <db alias> <username> <password>
<wallet location> is the path to the directory where the client wallet
is located.
<db alias> is the same, new or different alias that you wish to
identify the database with.
<username> and <password> are the database login credentials for the
schema to which your application connects.
Deleting Credentials from an External Password Store
If the database no longer exists, or for whatever reason
you want to disable connections to a specific database, then you can delete all
login credentials for that database from the client-side wallet.
# mkstore -wrl <wallet location> -deleteCredential <db alias>
<wallet location> is the path to the directory where the wallet is
located.
<db alias> is the alias that is used to identify the database on an
Oracle network.
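The listing and deleting steps above can be tied together in a small audit. The following is an added example, not part of the original article: it compares the aliases in a credential listing with the aliases defined in tnsnames.ora and reports wallet entries that no longer have a TNS entry. The sample listing and tnsnames.ora text are constructed, and the "index: alias username" layout of the listing is an assumption.

```sh
#!/bin/sh
# Constructed sample of `mkstore -wrl <wallet location> -listCredential` output.
# Assumption: each credential is printed as "index: alias username".
SAMPLE_LISTING='Enter wallet password:
List credential (index: connect_string username)
3: oldrep report_user
2: orcl_batch batch_user
1: orcl app_user'

# Constructed sample tnsnames.ora. ORCL and ORCL_BATCH are two aliases for the
# same database (the second workaround above); OLDREP is no longer defined.
SAMPLE_TNS='ORCL =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = orcl.example)))
ORCL_BATCH =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = orcl.example)))'

# Read a credential listing on stdin; print "alias username" per credential.
wallet_creds() {
  awk '/^[0-9]+: / { print tolower($2), $3 }'
}

# Read tnsnames.ora on stdin; print alias names (entries start in column 1).
tns_aliases() {
  awk '/^[A-Za-z0-9_.-]+ *=/ { sub(/ *=.*/, ""); print tolower($0) }'
}

# Print wallet aliases with no tnsnames.ora entry: -deleteCredential candidates.
# $1 = listing text, $2 = tnsnames.ora text
stale_aliases() {
  known=$(printf '%s\n' "$2" | tns_aliases)
  printf '%s\n' "$1" | wallet_creds | while read -r alias user; do
    printf '%s\n' "$known" | grep -qxF "$alias" || echo "$alias"
  done
}

stale_aliases "$SAMPLE_LISTING" "$SAMPLE_TNS"
```

In real use, pass the output of the listing command and the contents of the client's tnsnames.ora in place of the two sample variables.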
Franz Devantier,
Need a database health check, or a security audit?
devantierf@gmail.com