Saturday, July 25, 2020

DBCA - useWalletForDBCredentials 19c

You can use an Oracle wallet as a secure external password store for authenticating database users in DBCA silent mode commands. An Oracle wallet is a secure software container external to Oracle Database that can hold the authentication credentials of Oracle Database users.
The wallet is configured as a secure external password store with the mkstore command-line utility.

Database User Authentication in DBCA Commands Using Oracle Wallet

  • useWalletForDBCredentials
    Specify true to use Oracle wallet for database user authentication, else specify false.
    Default is false.
  • dbCredentialsWalletLocation
    Directory in which the Oracle wallet files are stored.
  • (Optional) dbCredentialsWalletPassword
    Password for the Oracle wallet account user. If the Oracle wallet is auto-login enabled, then you need not specify this password.

The following password keys can be stored in the wallet and used by DBCA in silent mode for authenticating users:
  • oracle.dbsecurity.sysPassword: SYS user password
  • oracle.dbsecurity.systemPassword: SYSTEM user password
  • oracle.dbsecurity.pdbAdminPassword: Pluggable database (PDB) administrator password
  • oracle.dbsecurity.dbsnmpPassword: DBSNMP user password
  • oracle.dbsecurity.asmsnmpPassword: ASMSNMP user password
  • oracle.dbsecurity.lbacsysPassword: LBACSYS user password
  • oracle.dbsecurity.sysdbaUserPassword: SYSDBA role user password for the database that you are creating or configuring
  • oracle.dbsecurity.oracleHomeUserPassword: Oracle home user password
  • oracle.dbsecurity.dvUserPassword: Oracle Data Vault user password
  • oracle.dbsecurity.dvAccountManagerPassword: Oracle Data Vault account manager password
  • oracle.dbsecurity.emPassword: Enterprise Manager administrator password
  • oracle.dbsecurity.asmPassword: ASM user password
  • oracle.dbsecurity.asmsysPassword: ASMSYS user password
  • oracle.dbsecurity.walletPassword: Oracle wallet account user password for authenticating with a directory service
  • oracle.dbsecurity.userDNPassword: Directory service user password
  • oracle.dbsecurity.srcDBsysdbaUserPassword: SYSDBA role user password for the database that you are using as a source to perform certain operations, such as duplicating a database
  • oracle.dbsecurity.dbLinkUserPassword: Database link user password
  • oracle.dbsecurity.walletPassword: if the directory service is Oracle Unified Directory (OUD), then the OUD account password
  • oracle.dbsecurity.userDNPassword: if the directory service is Oracle Unified Directory (OUD), then the OUD account password
How to use the wallet functionality is documented in chapter 2 of the Database Administration Guide 19c.

dbca -silent -createDatabase -help
...

    [-useWalletForDBCredentials] Specify true to load database credentials from wallet]
    [-dbCredentialsWalletLocation]
 
... 

Configure the wallet

The mkstore utility lives in $ORACLE_HOME/bin.

mkstore -wrl ~/wallet -create

Oracle Secret Store Tool Release 20.0.0.0.0 - Production
Version 21.0.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter password:
Enter password again:

Wallets can be copied to different machines, which can represent a security risk.
Prevent the auto-login functionality of the wallet from working if it is copied to another machine by creating a local wallet with the "orapki" command instead of the "mkstore" command:

orapki wallet create -wallet "/home/oracle/wallet" -pwd "MyPassword1" -auto_login_local

Add the following passwords to the wallet:

oracle.dbsecurity.sysPassword: SYS user password
oracle.dbsecurity.systemPassword: SYSTEM user password
oracle.dbsecurity.pdbAdminPassword: Pluggable database (PDB) administrator password

mkstore -wrl ~/wallet -createEntry oracle.dbsecurity.sysPassword
Oracle Secret Store Tool Release 20.0.0.0.0 - Production
Version 21.0.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Your secret/Password is missing in the command line
Enter your secret/Password:
Re-enter your secret/Password:
Enter wallet password:

mkstore -wrl ~/wallet -createEntry oracle.dbsecurity.systemPassword
Oracle Secret Store Tool Release 20.0.0.0.0 - Production
Version 21.0.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Your secret/Password is missing in the command line
Enter your secret/Password:
Re-enter your secret/Password:
Enter wallet password:

mkstore -wrl ~/wallet -createEntry oracle.dbsecurity.pdbAdminPassword
Oracle Secret Store Tool Release 20.0.0.0.0 - Production
Version 21.0.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Your secret/Password is missing in the command line
Enter your secret/Password:
Re-enter your secret/Password:
Enter wallet password:

mkstore -wrl ~/wallet -list
Oracle Secret Store Tool Release 20.0.0.0.0 - Production
Version 21.0.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Oracle Secret Store entries:
oracle.dbsecurity.sysPassword
oracle.dbsecurity.systemPassword
oracle.dbsecurity.pdbAdminPassword

Now let's create the database with a PDB:

dbca -silent -createDatabase -gdbName WCDB -templateName joords_db.dbc \
  -useWalletForDBCredentials true -dbCredentialsWalletLocation ~/wallet \
  -datafileDestination /u02/data -useOMF true \
  -memoryMgmtType AUTO_SGA \
  -recoveryAreaDestination /u03/fra  \
  -totalMemory 4096 \
  -createAsContainerDatabase true \
  -numberOfPDBs 1 \
  -pdbName joords \
  -useLocalUndoForPDBs true


Prepare for db operation
10% complete
Copying database files
40% complete
Creating and starting Oracle instance
42% complete
....
Look at the log file "/u01/app/oracle/cfgtoollogs/dbca/WCDB/WCDB.log" for further details.
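A pre-flight check for the procedure above, added here and not part of the original post: it confirms that the three keys the dbca call needs are present in the wallet listing and that the wallet files are not group- or world-readable (an auto-login wallet opens without a password, so the file mode is what protects it). It assumes the output of "mkstore -wrl <dir> -list" has been saved to a file and that the wallet directory holds ewallet.p12 and/or cwallet.sso.

```shell
#!/bin/sh
# Added example (not from the original post): checks to run before
# "dbca -silent -createDatabase ... -useWalletForDBCredentials true".

# Keys a -createDatabase run with one PDB needs, as listed in the post.
REQUIRED_KEYS="oracle.dbsecurity.sysPassword oracle.dbsecurity.systemPassword oracle.dbsecurity.pdbAdminPassword"

# wallet_missing_keys <file holding "mkstore -list" output>
# Prints every required key that is absent; returns 1 if any is missing.
wallet_missing_keys() {
  listing="$1"
  rc=0
  for key in $REQUIRED_KEYS; do
    # -x: the whole line must equal the key, so a prefix does not match.
    if ! grep -qx "$key" "$listing"; then
      echo "$key"
      rc=1
    fi
  done
  return $rc
}

# wallet_perms_ok <wallet directory>
# ewallet.p12 (password-protected) and cwallet.sso (auto-login) must have
# no group/other permission bits; anything else is reported and fails.
wallet_perms_ok() {
  dir="$1"
  rc=0
  for f in "$dir/ewallet.p12" "$dir/cwallet.sso"; do
    [ -e "$f" ] || continue
    # Columns 5-10 of "ls -l" are the group and other permission bits.
    bits=$(ls -ld "$f" | cut -c5-10)
    if [ "$bits" != "------" ]; then
      echo "$f: group/other bits '$bits' set, expected mode 600"
      rc=1
    fi
  done
  return $rc
}

# Usage (assumed paths): mkstore -wrl ~/wallet -list > /tmp/wallet.lst
# wallet_missing_keys /tmp/wallet.lst && wallet_perms_ok ~/wallet && echo "wallet ready for dbca"
```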
