If your client is already configured to use external authentication, such as Windows native authentication or Secure Sockets Layer (SSL), then that authentication method will be used. The same credentials used for such authentication are typically also used to log in to the database.
For clients not using such authentication methods or wanting to override them for database authentication, a new parameter (SQLNET.WALLET_OVERRIDE) in sqlnet.ora can be set to TRUE. The default value for SQLNET.WALLET_OVERRIDE is FALSE, allowing standard use of authentication credentials as before.
If you want a client to use the secure external password store feature, then perform the following configuration tasks.
- Create a wallet on the client by using the following syntax at the command line:
mkstore -wrl <wallet_location> -create
wallet_location is the path to the directory where you want to create and store the wallet. This command creates an Oracle wallet with the auto login feature enabled at the location you specify. The auto login feature enables the client to access the wallet contents without supplying a password. Refer to Oracle Database Advanced Security Administrator’s Guide for information about auto login wallets.
Create an Oracle wallet in the previously specified location using the mkstore utility with the -create option. The wallet is password protected, but is defined with the “Auto Login” property enabled so connection attempts by the user who created the wallet do not require a password.
- Create database connection credentials in the wallet by using the following syntax at the command line:
mkstore -wrl <wallet_location> -createCredential <db_connect_string> <username> <password>
wallet_location is the path to the directory where you created the wallet in Step 1. The db_connect_string can be the TNS alias you use to specify the database in the tnsnames.ora file or any service name you use to identify the database on an Oracle network. The username and password are the database login credentials.
Repeat this step for each database you want accessible using the CONNECT /@db_connect_string syntax.
Note: The db_connect_string used in the CONNECT /@db_connect_string statement must be identical to the db_connect_string specified in the -createCredential command.
- In the client sqlnet.ora file, enter the WALLET_LOCATION parameter and set it to the directory location of the wallet you created in Step 1.
For example, if you created the wallet in $ORACLE_HOME/network/admin and your Oracle home is set to /private/ora102, then you need to enter the following into your client sqlnet.ora file:
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /private/ora102/network/admin) ) )
- In the client sqlnet.ora file, enter the SQLNET.WALLET_OVERRIDE parameter and set it to TRUE as follows:
SQLNET.WALLET_OVERRIDE = TRUE
This setting causes all CONNECT /@db_connect_string statements to use the information in the wallet at the specified location to authenticate to databases.
When external authentication is in use, an authenticated user with such a wallet can use the CONNECT /@db_connect_string syntax to access the previously specified databases without providing a user name and password. However, if a user fails that external authentication, then these connect statements also fail.
Note: Multiple wallets may be created on a machine; however, each wallet should be contained in its own directory.
The following example shows a sample sqlnet.ora file with the WALLET_LOCATION and the SQLNET.WALLET_OVERRIDE parameters set as described in Steps 3 and 4.
Example SQLNET.ORA File with Wallet Parameters Set:
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /private/ora102/network/admin)
    )
  )
SQLNET.WALLET_OVERRIDE = TRUE
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 0
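Because an auto login wallet opens without a password, the configuration from Steps 3 and 4 is worth checking together with the permissions on the wallet files. The following Python sketch is an added example, not part of the Oracle documentation: it parses sqlnet.ora text and reports wallet files readable by anyone other than their owner. The function names are hypothetical, and the file names cwallet.sso and ewallet.p12 are assumed as the conventional Oracle wallet file names, which this page does not state.

```python
import os
import re
import stat

# Conventional Oracle wallet file names (an assumption; the page does not name them).
WALLET_FILES = ("cwallet.sso", "ewallet.p12")

# Constructed sample: the sqlnet.ora wallet settings shown in the example above.
SAMPLE_SQLNET = """WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /private/ora102/network/admin)))
SQLNET.WALLET_OVERRIDE = TRUE
"""

def parse_sqlnet(text):
    """Return (wallet_directory, wallet_override) parsed from sqlnet.ora text."""
    # Strip '#' comments and join lines so the nested WALLET_LOCATION value is one string.
    flat = " ".join(line.split("#", 1)[0] for line in text.splitlines())
    directory = None
    loc = re.search(r"\bWALLET_LOCATION\s*=\s*\(", flat, re.I)
    if loc:
        m = re.search(r"\(\s*DIRECTORY\s*=\s*([^()]+?)\s*\)", flat[loc.end() - 1:], re.I)
        directory = m.group(1) if m else None
    ov = re.search(r"\bSQLNET\.WALLET_OVERRIDE\s*=\s*(\w+)", flat, re.I)
    return directory, bool(ov and ov.group(1).upper() == "TRUE")

def audit_wallet(sqlnet_text):
    """Return findings about the wallet settings and wallet file permissions."""
    findings = []
    directory, override = parse_sqlnet(sqlnet_text)
    if not override:
        findings.append("SQLNET.WALLET_OVERRIDE is not TRUE")
    if directory is None:
        return findings + ["WALLET_LOCATION has no DIRECTORY entry"]
    directory = os.path.expandvars(directory)
    if not os.path.isdir(directory):
        return findings + [f"wallet directory not found: {directory}"]
    # The auto login wallet opens without a password, so file permissions are
    # the local barrier: flag wallet files accessible to group or others.
    for name in WALLET_FILES:
        path = os.path.join(directory, name)
        if os.path.exists(path):
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"{name} is accessible beyond its owner (mode {mode:o})")
    return findings

if __name__ == "__main__":
    for finding in audit_wallet(SAMPLE_SQLNET) or ["no findings"]:
        print(finding)
```

To audit a real client, pass the contents of its sqlnet.ora file to audit_wallet in place of the constructed sample.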