In this blog, I’ll be giving a tutorial on an Oracle hidden gem using an Oracle tool to securely allow you to run RMAN without passing the password in cleartext. The Oracle Database Secure External Password Store feature, which does not require any additional license to use, will allow you to set up a wallet to enable user credentials to be stored within it. Therefore, allowing the Oracle OS user to use an alias to connect to the database without the need to enter the username or password.<\/p>\n\n\n\n
Scenario:<\/strong> You want to connect to RMAN to run backups as the Oracle OS user. You are using an RMAN recovery catalog, so you must connect to both the CATALOG and the TARGET database. You are currently passing in the user and password for both. You need a solution where users and passwords are not stored in plain text files on the OS or passed on the Linux command line where it could be stored in .bash_history.<\/p>\n\n\n\n Here is the test environment used for this tutorial:<\/p>\n\n\n\n Linux 6<\/p>\n\n\n\n Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 – 64bit<\/p>\n\n\n\n The present connection you use looks somewhat like the following below (note: this is just a test system). You are currently passing the following syntax manually on the command line, or you have a shell script with the user\/password hardcoded in a text file. CDB is the database as defined in the tnsnames.ora file:<\/p>\n\n\n The first step in using a secure wallet is to create the wallet and directory where the wallet files reside:<\/strong><\/p>\n\n\n\n Create a new directory for the ‘wallet’ in the ORACLE_HOME\/network directory (or any directory you choose):<\/p>\n\n\n You have now created the wallet directory, and now need to edit the sqlnet.ora to tell the Oracle NET connections where to look for the wallet information.<\/p>\n\n\n Modify the sqlnet.ora and add the WALLET_LOCATION and SQLNET.WALLET_OVERRIDE parameter to start using the Secure External Password Store:<\/p>\n\n\n The sqlnet.ora parameter, SQLNET.WALLET_OVERRIDE=TRUE<\/strong>, is how we tell the Oracle client to use the wallet manager opposed to the standard OS Authentication.<\/p>\n\n\n\n Your sqlnet.ora may now look similar to the following. If you didn’t already have a sqlnet.ora file, then you must create it and add the wallet location information.<\/p>\n\n\n\n Next, you will add a new entry in the tnsnames.ora file for the RMAN catalog connection. Note: only one user\/password credential can be stored per connect string. In this TNS entry, we are only storing the RMAN recovery catalog user credential.<\/p>\n\n\n\n Note: only one password may be stored in the wallet per TNS alias. This works fine in our example because we only need one user to connect to the RMAN catalog and one user to connect to the target database (sys) that we will use to backup or restore the database.<\/p>\n\n\n Verify the new connection string works<\/p>\n\n\n\n tnsping catalog<\/p>\n\n\n\n TNS Ping Utility for Linux: Version 12.1.0.2.0 – Production on 14-JUL-2020 12:40:12<\/p>\n\n\n\n Copyright (c) 1997, 2014, Oracle. All rights reserved.<\/p>\n\n\n\n Used parameter files:<\/p>\n\n\n\n \/u01\/app\/oracle\/product\/12.1.0.2\/dbhome_1\/network\/admin\/sqlnet.ora<\/p>\n\n\n\n Used TNSNAMES adapter to resolve the alias<\/p>\n\n\n\n Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = rmancat) (SID = rmancat)))<\/p>\n\n\n\n OK (0 msec)<\/p>\n\n\n\n Now, you are ready to create the secure wallet for the RMAN recovery catalog user and password.<\/strong><\/p>\n\n\n\n The first step is to create the wallet, using the “-create command.” This command will prompt you for the “wallet password,” which is only for the wallet and not the user password in the database.<\/p>\n\n\n\n mkstore -wrl \/u01\/app\/oracle\/product\/12.1.0.2\/dbhome_1\/network\/wallet -create<\/p>\n\n\n\n Oracle Secret Store Tool : Version 12.1.0.2<\/p>\n\n\n\n Copyright (c) 2004, 2014, Oracle and\/or its affiliates. All rights reserved.<\/p>\n\n\n\n Enter password:<\/p>\n\n\n\n Enter password again:<\/p>\n\n\n\n (My test wallet password in this tutorial was “welcome1.” On your production system, you will want a much more secure password. You will then need to remember this password for future maintenance.)<\/strong><\/p>\n\n\n\n Next, you will create the RMAN recovery catalog user “rmansys,” which is my example credentials in the wallet, using the “-createCredential” command. You’ll need to include three parameters: 1) connection string (catalog), 2) user (rmansys), and 3) password (welcome1). Again, you will be prompted to enter the main wallet password, which you created in the previous step.<\/p>\n\n\n\n mkstore -wrl \/u01\/app\/oracle\/product\/12.1.0.2\/dbhome_1\/network\/wallet -createCredential catalog rmansys welcome1<\/p>\n\n\n\n Oracle Secret Store Tool : Version 12.1.0.2<\/p>\n\n\n\n Copyright (c) 2004, 2014, Oracle and\/or its affiliates. All rights reserved.<\/p>\n\n\n\n Enter wallet password:<\/p>\n\n\n\n Create credential oracle.security.client.connect_string1<\/p>\n\n\n\n Now, we can connect to the RMAN recovery catalog without passing in the catalog credentials. However, we also want to hide the target database credentials.<\/strong><\/p>\n\n\n\n [oracle@bigdatalite admin]$ rman catalog \/@catalog target sys\/welcome1@cdb<\/p>\n\n\n\n Recovery Manager: Release 12.1.0.2.0 – Production on Wed Jun 19 17:49:34 2019<\/p>\n\n\n\n Copyright (c) 1982, 2014, Oracle and\/or its affiliates. All rights reserved.<\/p>\n\n\n\n connected to target database: CDB (DBID=2127236908)<\/p>\n\n\n\n connected to recovery catalog database<\/p>\n\n\n\n RMAN> exit<\/p>\n\n\n\n Once again, we will add a connect string to the tnsnames.ora file for the “target” database user and password. As you see in this example, I am naming the tns alias “target.” This is because that is how I am referring to the alias in the RMAN connection string. In the tnsnames.ora, the sid and service_name is defined as the actual database name for the target database that will be backed up by RMAN. Along with the appropriate host and port for the actual target database.<\/p>\n\n\n Verify the new connection string works<\/p>\n\n\n\n tnsping target<\/p>\n\n\n\n TNS Ping Utility for Linux: Version 12.1.0.2.0 – Production on 14-JUL-2020 12:57:14<\/p>\n\n\n\n Copyright (c) 1997, 2014, Oracle. All rights reserved.<\/p>\n\n\n\n Used parameter files:<\/p>\n\n\n\n \/u01\/app\/oracle\/product\/12.1.0.2\/dbhome_1\/network\/admin\/sqlnet.ora<\/p>\n\n\n\n Used TNSNAMES adapter to resolve the alias<\/p>\n\n\n\n Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = cdb) (SID = cdb)))<\/p>\n\n\n\n OK (0 msec)<\/p>\n\n\n\n Then, we will add another credential to the wallet that already exists. This time we will include “target” as the connect string, “sys” as the sys user in the target database, and the appropriate sys password.<\/strong><\/p>\n\n\n\n mkstore -wrl \/u01\/app\/oracle\/product\/12.1.0.2\/dbhome_1\/network\/wallet -createCredential target sys welcome1<\/p>\n\n\n\n Oracle Secret Store Tool : Version 12.1.0.2<\/p>\n\n\n\n Copyright (c) 2004, 2014, Oracle and\/or its affiliates. All rights reserved.<\/p>\n\n\n\n Enter wallet password:<\/p>\n\n\n\n Create credential oracle.security.client.connect_string2<\/p>\n\n\n\n There you have it! You can now securely log into the RMAN catalog and connect to the target database as sys without displaying the passwords.<\/strong><\/p>\n\n\n\n rman catalog \/@catalog target \/@target<\/p>\n\n\n\n Recovery Manager: Release 12.1.0.2.0 – Production on Wed Jun 19 17:53:46 2019<\/p>\n\n\n\n Copyright (c) 1982, 2014, Oracle and\/or its affiliates. All rights reserved.<\/p>\n\n\n\n connected to target database: CDB (DBID=2127236908)<\/p>\n\n\n\n connected to recovery catalog database<\/p>\n\n\n\n RMAN> sql select name from v$database;<\/p>\n\n\n\n NAME<\/p>\n\n\n\n ———<\/p>\n\n\n\n CDB<\/p>\n\n\n\n RMAN> sql select user from dual;<\/p>\n\n\n\n USER <\/p>\n\n\n\n ——————————<\/p>\n\n\n\n SYS<\/p>\n\n\n\n To list the contents of the wallet store, you just need to issue the following command:<\/strong><\/p>\n\n\n\n mkstore -wrl \/u01\/app\/oracle\/product\/12.1.0.2\/dbhome_1\/network\/wallet -listCredential<\/p>\n\n\n\n Oracle Secret Store Tool : Version 12.1.0.2<\/p>\n\n\n\n Copyright (c) 2004, 2014, Oracle and\/or its affiliates. All rights reserved.<\/p>\n\n\n\n Enter wallet password:<\/p>\n\n\n\n List credential (index: connect_string username)<\/p>\n\n\n\n 2: target sys<\/p>\n\n\n\n 1: catalog rmansys<\/p>\n\n\n\n Note: In version 12.1, I can still connect to sqlplus on the Linux command line as sysdba without passing in a password, thus using OS authentication.<\/strong><\/p>\n\n\n\n sqlplus \/ as sysdba<\/p>\n\n\n\n SQL*Plus: Release 12.1.0.2.0 Production on Tue Jul 14 13:00:00 2020<\/p>\n\n\n\n Copyright (c) 1982, 2014, Oracle. All rights reserved.<\/p>\n\n\n\n Connected to:<\/p>\n\n\n\n Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 – 64bit Production<\/p>\n\n\n\n With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options<\/p>\n\n\n\n SQL> select user from dual;<\/p>\n\n\n\n USER<\/p>\n\n\n\n ——————————<\/p>\n\n\n\n SYS<\/p>\n\n\n\n SQL> select name from v$database;<\/p>\n\n\n\n NAME<\/p>\n\n\n\n ———<\/p>\n\n\n\n CDB<\/p>\n\n\n\n I’d like to offer one final word to clarify how you can ensure not just any OS user can now access the databases by using the connection string “target” or “catalog.” The wallet location directory permissions should be set to ensure that only the Oracle OS user (and maybe the Oracle group, if so desired) has access to use the wallet. All other OS users will still need to enter a user and password to connect to the appropriate databases. By default, the wallet files only have read-write permissions for the Oracle OS user that created the wallet.<\/p>\n\n\n\n [oracle@bigdatalite ~]$ cd $ORACLE_HOME\/network\/wallet<\/p>\n\n\n\n -rw——-. 1 oracle oinstall 904 Jul 14 12:50 ewallet.p12<\/p>\n\n\n\n -rw——-. 1 oracle oinstall 949 Jul 14 12:50 cwallet.sso<\/p>\n\n\n\n In this example, the OS user “test” (this could be a developer on your server) has the same OS group as the Oracle user. However, the wallet location was secured, but taking away rights to the group oinstall. Therefore, an error occurs when the test OS user attempts to connect using the @catalog.<\/p>\n\n\n\n [test@bigdatalite ~]$ id test<\/p>\n\n\n\n uid=501(test) gid=54321(oinstall) groups=54321(oinstall)<\/p>\n\n\n\n [test@bigdatalite ~]$ sqlplus \/@catalog<\/p>\n\n\n\n SQL*Plus: Release 12.1.0.2.0 Production on Tue Jul 14 13:25:57 2020<\/p>\n\n\n\n Copyright (c) 1982, 2014, Oracle. All rights reserved.<\/p>\n\n\n\n ERROR:<\/p>\n\n\n\n ORA-12578: TNS:wallet open failed<\/p>\n\n\n\n Enter user-name:<\/p>\n\n\n\nrman catalog rmansys\/welcome1@rmancat target sys\/welcome1@cdb<\/code><\/p>\n\n\necho $ORACLE_HOME
\n\/u01\/app\/oracle\/product\/12.1.0.2\/dbhome_1
\ncd $ORACLE_HOME
\ncd network
\nmkdir wallet
\n<\/code><\/p>\n\n\ncd $ORACLE_HOME\/network\/admin<\/code><\/p>\n\n\nvi sqlnet.ora\nWALLET_LOCATION =\n (SOURCE =\n \t(METHOD = FILE)\n \t(METHOD_DATA = (DIRECTORY=\/u01\/app\/oracle\/product\/12.1.0.2\/dbhome_1\/network\/wallet))\n )\nSQLNET.WALLET_OVERRIDE = TRUE\n \n<\/code><\/pre>\n\n\nvi tnsnames.ora\n \ncatalog =\n (DESCRIPTION =\n\t(ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))\n\t(CONNECT_DATA =\n \t(SERVER = DEDICATED)\n \t(SERVICE_NAME = rmancat)\n \t(SID = rmancat)\n\t)\n )\n<\/code><\/pre>\n\n\nvi tnsnames.ora\n \ntarget =\n (DESCRIPTION =\n\t(ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))\n\t(CONNECT_DATA =\n \t(SERVER = DEDICATED)\n \t(SERVICE_NAME = cdb)\n \t(SID = cdb)\n\t)\n )\n<\/code><\/pre>\n\n\n