{"id":1836,"date":"2014-07-22T12:41:07","date_gmt":"2014-07-22T10:41:07","guid":{"rendered":"http:\/\/www.oradba.ch\/?p=1836"},"modified":"2014-07-22T13:25:35","modified_gmt":"2014-07-22T11:25:35","slug":"secure-external-password-store-for-rman","status":"publish","type":"post","link":"https:\/\/www.oradba.ch\/wordpress\/2014\/07\/secure-external-password-store-for-rman\/","title":{"rendered":"Secure External Password Store for RMAN"},"content":{"rendered":"<p>The draft version of this blog post has been lying around in my inbox for some time. I&#8217;ve never found the time to finish it. But due to a task in a project it&#8217;s about time to finish my notes on Oracle&#8217;s Secure External Password Store. Ludovico, a work colleague, has already written a blog post about <a href=\"http:\/\/www.ludovicocaldara.net\/dba\/wallets-and-proxy-users\/\" target=\"_blank\">Removing passwords from Oracle scripts<\/a> earlier this year. I would like to complement the topic and discuss a few points specifically in connection with RMAN backups and a central RMAN catalog. The goal remains the same: getting rid of passwords with minimal operational effort. The key element is the Oracle Wallet and the Secure External Password Store functionality.<\/p>\n<h3>Oracle Wallet<\/h3>\n<p>The Oracle Wallet is a <a href=\"http:\/\/en.wikipedia.org\/wiki\/PKCS_12\" title=\"Wikipedia PKCS#12\" target=\"_blank\">PKCS#12<\/a> container used to store different kinds of authentication and encryption keys. A wallet can hold one or more of the following:<\/p>\n<ul>\n<li>Credentials for PKI authentication to the Oracle Database<\/li>\n<li>Certificates for network encryption (SSL\/TLS)<\/li>\n<li>Oracle Advanced Security transparent data encryption (TDE) master encryption keys<\/li>\n<li>Passwords for Oracle Database Secure External Password Store<\/li>\n<\/ul>\n<p>Depending on the application there is one wallet or there are several. 
A wallet for an Oracle client, a global wallet on the server, one wallet per database instance, a wallet for a database instance acting as a client, or a single wallet containing all of this information at once. It does not get easier when everyone talks about Oracle Wallets without specifying what they are used for. For this reason it is advisable to use separate Oracle wallets for the different use cases. But more on that later. Oracle Secure External Password Store uses a client-side Oracle Wallet to store the password credentials.<\/p>\n<h3>The Secure External Password Store<\/h3>\n<h4>Concept<\/h4>\n<p>With Secure External Password Store, Oracle stores the database credentials, i.e. username and password, in an Oracle Wallet. When initiating a database connection, Oracle opens the wallet and looks up the credentials by connect string. Because the wallet is created with auto login, no password is required to open it and read the credentials; a password is only required to add, change or delete credentials. The consequence is that the protection of the stored credentials is reduced to the file permissions of the wallet: whoever can read the auto-login wallet can log in as the stored user.<\/p>\n<p>The connect string is unique within the wallet. Only one credential can be stored per connect string. 
Different credentials for the same database must therefore be distinguished by different connect strings, e.g. two TNS aliases pointing to the same service.<\/p>\n<h4>Configuration<\/h4>\n<p>Create some directories for the SQL*Net configuration and the wallet:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">\r\nmkdir -p \/u00\/app\/oracle\/admin\/$ORACLE_SID\/network\r\nmkdir -p \/u00\/app\/oracle\/admin\/$ORACLE_SID\/network\/admin\r\nmkdir -p \/u00\/app\/oracle\/admin\/$ORACLE_SID\/network\/wallet\r\n<\/pre>\n<p>Define a TNS alias in the tnsnames.ora file for the catalog connection:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">\r\nvi \/u00\/app\/oracle\/admin\/$ORACLE_SID\/network\/admin\/tnsnames.ora\r\n\r\nCATALOG =\r\n  (DESCRIPTION =\r\n    (ADDRESS = (PROTOCOL = TCP)(HOST = urania1)(PORT = 1521))\r\n    (CONNECT_DATA =\r\n      (SERVER = DEDICATED)\r\n      (SERVICE_NAME = TCAT01)\r\n    )\r\n  )\r\n<\/pre>\n<p>Create a wallet for Secure External Password Store. The wallet password is shown here for illustration only; mkstore does not echo it, and it is needed later for every change to the wallet contents:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">\r\nmkstore -wrl \/u00\/app\/oracle\/admin\/$ORACLE_SID\/network\/wallet -create\r\nEnter password:         Manager01\r\nEnter password again:   Manager01\r\n<\/pre>\n<p>Create the database connection credentials in the wallet. Passing the database password on the command line exposes it in the process list and the shell history; if you omit it, mkstore prompts for it instead:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">\r\nmkstore -wrl \/u00\/app\/oracle\/admin\/$ORACLE_SID\/network\/wallet -createCredential catalog rman manager\r\nOracle Secret Store Tool : Version 11.2.0.3.0 - Production\r\nCopyright (c) 2004, 2011, Oracle and\/or its affiliates. 
All rights reserved.\r\n\r\nEnter wallet password:\r\n\r\nCreate credential oracle.security.client.connect_string1\r\n<\/pre>\n<p>Modify the sqlnet.ora and add the WALLET_LOCATION and SQLNET.WALLET_OVERRIDE parameters to start using the Secure External Password Store. WALLET_LOCATION tells the client where the wallet is; SQLNET.WALLET_OVERRIDE = TRUE makes the client use the credentials from the wallet for a <em>\/@alias<\/em> connect instead of external (OS) authentication:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">\r\nvi \/u00\/app\/oracle\/admin\/$ORACLE_SID\/network\/admin\/sqlnet.ora\r\n\r\nWALLET_LOCATION =\r\n  (SOURCE =\r\n    (METHOD = FILE)\r\n    (METHOD_DATA = (DIRECTORY = \/u00\/app\/oracle\/admin\/$ORACLE_SID\/network\/wallet))\r\n  )\r\nSQLNET.WALLET_OVERRIDE = TRUE\r\n<\/pre>\n<h4>Use<\/h4>\n<p>Since tnsnames.ora, sqlnet.ora and the wallet are kept in an alternative directory, TNS_ADMIN has to be set before they can be used. The connect string is then <em>\/@alias<\/em> without username or password: Oracle Net resolves the alias, looks up the matching credential in the wallet and authenticates with it.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">\r\nexport TNS_ADMIN=\/u00\/app\/oracle\/admin\/$ORACLE_SID\/network\/admin\r\n\r\noracle@urania:~\/ [TDB11] sqlplus \/@catalog\r\n\r\nSQL*Plus: Release 11.2.0.3.0 Production on Mon Jul 14 22:13:30 2014\r\n\r\nCopyright (c) 1982, 2011, Oracle.  All rights reserved.\r\n\r\nConnected to:\r\nOracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production\r\nWith the Partitioning, OLAP, Data Mining and Real Application Testing options\r\n\r\nSQL&gt; show user\r\nUSER is &quot;RMAN&quot;\r\n\r\noracle@urania:~\/ [TDB11] rman\r\n\r\nRecovery Manager: Release 11.2.0.3.0 - Production on Mon Jul 14 22:13:09 2014\r\n\r\nCopyright (c) 1982, 2011, Oracle and\/or its affiliates.  All rights reserved.\r\n\r\nRMAN&gt; connect catalog \/@catalog\r\n\r\nconnected to recovery catalog database\r\n\r\nRMAN&gt;\r\n<\/pre>\n<h4>Maintenance<\/h4>\n<p>The mkstore utility provides a number of commands to maintain the credentials within a wallet. Below you find some examples. 
More are available in MOS Note <a href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=340559.1\" target=\"_blank\">340559.1<\/a>.<\/p>\n<p>List the contents of the external password store (only connect string and username are listed, never the password itself):<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">\r\noracle@urania:~\/ [TDB11] mkstore -wrl \/u00\/app\/oracle\/admin\/$ORACLE_SID\/network\/wallet -listCredential\r\nOracle Secret Store Tool : Version 11.2.0.3.0 - Production\r\nCopyright (c) 2004, 2011, Oracle and\/or its affiliates. All rights reserved.\r\n\r\nEnter wallet password:\r\n\r\nList credential (index: connect_string username)\r\n1: catalog rman\r\n<\/pre>\n<p>Modify database login credentials in a wallet, e.g. after the password of the catalog user has been changed:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">\r\noracle@urania:~\/ [TDB11] mkstore -wrl \/u00\/app\/oracle\/admin\/$ORACLE_SID\/network\/wallet -modifyCredential CATALOG rman manager\r\nOracle Secret Store Tool : Version 11.2.0.3.0 - Production\r\nCopyright (c) 2004, 2011, Oracle and\/or its affiliates. All rights reserved.\r\n\r\nEnter wallet password:\r\n\r\nModify credential\r\nModify 1\r\n<\/pre>\n<h3>A few use and special cases<\/h3>\n<p>There are many cases where you do not want to store or share passwords. A few examples:<\/p>\n<ul>\n<li>General applications that should authenticate &#8220;password free&#8221; without setting up a PKI infrastructure.<\/li>\n<li>Avoid RMAN catalog passwords in backup scripts.<\/li>\n<li>Avoid SYSDBA \/ SYSDG account passwords in an Oracle Data Guard environment.<\/li>\n<li>Regular DBA batch jobs scheduled by cron: remove passwords from shell and SQL scripts.<\/li>\n<li>Simplify the end-user experience. 
Use Secure External Password Store to store passwords instead of saving them in TOAD or SQL Developer.<\/li>\n<li>Configure application and web servers to use Secure External Password Store rather than storing and maintaining database credentials in the application itself.<\/li>\n<li>Application batch jobs scheduled by cron: remove passwords from shell and SQL scripts.<\/li>\n<\/ul>\n<h4>Multiple RMAN Catalog Schemas<\/h4>\n<p>In the example above I used the user RMAN to connect to the catalog. This user has nothing but the CREATE SESSION privilege. There are two RMAN catalog schemas in my catalog database, RMAN11203 for 11.2.0.3.0 and RMAN12101 for 12.1.0.1.0.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"sql\">\r\nSQL&gt; select * from RMAN11203.RCVER;\r\n\r\nVERSION\r\n------------\r\n11.02.00.03\r\n\r\nSQL&gt; select * from RMAN12101.RCVER;\r\n\r\nVERSION\r\n------------\r\n12.01.00.01\r\n<\/pre>\n<p>Instead of adding a credential for every RMAN catalog schema to the wallet, one can use proxy authentication: each catalog schema is granted CONNECT THROUGH the user RMAN, which itself needs no privilege beyond CREATE SESSION. Instead of distributing all catalog credentials in every Oracle Wallet, you maintain a single account plus a few proxy grants in the catalog database. Keep in mind that whoever holds the wallet can then reach every schema RMAN may proxy for, so limit the proxy grants to the catalog schemas that are really needed. This of course also works for other applications.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"sql\">\r\nSQL&gt; alter user RMAN11203 grant connect through RMAN;\r\n\r\nUser altered.\r\n\r\nSQL&gt; alter user RMAN12101 grant connect through RMAN;\r\n\r\nUser altered.\r\n<\/pre>\n<p>As you can see below, it is now possible to specify the target user or schema in square brackets in the connect string. Authentication is still done as user RMAN. 
Credentials are read from the Secure External Password Store.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">\r\n\r\nexport TNS_ADMIN=\/u00\/app\/oracle\/admin\/$ORACLE_SID\/network\/admin\r\n\r\noracle@urania:~\/ [TDB11] sqlplus [RMAN12101]\/@catalog\r\n\r\nSQL*Plus: Release 11.2.0.3.0 Production on Mon Jul 14 22:13:30 2014\r\n\r\nCopyright (c) 1982, 2011, Oracle.  All rights reserved.\r\n\r\nConnected to:\r\n\r\nOracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production\r\nWith the Partitioning, OLAP, Data Mining and Real Application Testing options\r\n\r\nSQL&gt; show user\r\nUSER is &quot;RMAN12101&quot;\r\n\r\nSQL&gt; SELECT SYS_CONTEXT (&#039;USERENV&#039;,&#039;SESSION_USER&#039;) FROM DUAL;\r\n\r\nSYS_CONTEXT(&#039;USERENV&#039;,&#039;SESSION_USER&#039;)\r\n------------------------------------------------\r\nRMAN12101\r\n\r\nSQL&gt; SELECT SYS_CONTEXT (&#039;USERENV&#039;,&#039;PROXY_USER&#039;) FROM DUAL;\r\n\r\nSYS_CONTEXT(&#039;USERENV&#039;,&#039;PROXY_USER&#039;)\r\n-------------------------------------------------\r\nRMAN\r\n\r\noracle@urania:~\/ [TDB11] rman\r\n\r\nRecovery Manager: Release 11.2.0.3.0 - Production on Mon Jul 14 22:13:09 2014\r\n\r\nCopyright (c) 1982, 2011, Oracle and\/or its affiliates.  
All rights reserved.\r\n\r\nRMAN&gt; connect catalog [RMAN12101]\/@catalog\r\n\r\nconnected to recovery catalog database\r\n\r\nRMAN&gt;\r\n<\/pre>\n<p>The data dictionary view DBA_PROXIES lists all proxy authorizations. AUTHORIZATION_CONSTRAINT shows whether the proxy may activate all roles of the client user (the default, as here) or only the roles named in the grant (WITH ROLE ... \/ WITH NO ROLES).<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"sql\">\r\ncol proxy for a6\r\ncol client for a10\r\ncol role for a5\r\nset linesize 120\r\nselect * from DBA_PROXIES;\r\n\r\nPROXY CLIENT    AUT AUTHORIZATION_CONSTRAINT            ROLE PROXY_AUT\r\n----- --------- --- ----------------------------------- ---- ---------\r\nRMAN  RMAN11203 NO  PROXY MAY ACTIVATE ALL CLIENT ROLES      DATABASE\r\nRMAN  RMAN12101 NO  PROXY MAY ACTIVATE ALL CLIENT ROLES      DATABASE\r\n<\/pre>\n<h4>Oracle Transparent Data Encryption<\/h4>\n<p>Oracle Transparent Data Encryption also uses an Oracle Wallet, in this case to store the TDE master keys. Unlike the wallet used for SSL or for Secure External Password Store, this wallet is defined in sqlnet.ora with the parameter ENCRYPTION_WALLET_LOCATION. If ENCRYPTION_WALLET_LOCATION is not set, Oracle uses WALLET_LOCATION to locate the TDE wallet as well. If both parameters are omitted, Oracle falls back to the default location: <em>&#8220;$ORACLE_BASE\/admin\/DB_UNIQUE_NAME\/wallet&#8221;<\/em> if $ORACLE_BASE is set, otherwise <em>&#8220;$ORACLE_HOME\/admin\/DB_UNIQUE_NAME\/wallet&#8221;<\/em>. 
In general it is good practice to set both parameters explicitly in sqlnet.ora, so that the TDE wallet and the password store never end up in the same file by accident:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">\r\nENCRYPTION_WALLET_LOCATION =\r\n  (SOURCE =\r\n    (METHOD = FILE)\r\n    (METHOD_DATA = (DIRECTORY = \/u00\/app\/oracle\/admin\/$ORACLE_SID\/wallet))\r\n  )\r\n\r\nWALLET_LOCATION =\r\n  (SOURCE =\r\n    (METHOD = FILE)\r\n    (METHOD_DATA = (DIRECTORY = \/u00\/app\/oracle\/local\/tvdbackup\/network\/wallet))\r\n  )\r\nSQLNET.WALLET_OVERRIDE = TRUE\r\n<\/pre>\n<p>The following combinations arise depending on how TDE is used together with the External Password Store:<\/p>\n<ul>\n<li>If TDE is not used, you only have to set WALLET_LOCATION in the sqlnet.ora used by RMAN.<\/li>\n<li>If TDE is used for tablespace or column encryption, you have to set at least ENCRYPTION_WALLET_LOCATION in the sqlnet.ora used by the database. WALLET_LOCATION is only required in the sqlnet.ora used by RMAN. But if RMAN is used to open the database (e.g. offline backup, restore, etc.), it also needs a correct ENCRYPTION_WALLET_LOCATION; otherwise the database, or at least the encrypted tablespaces, cannot be opened.<\/li>\n<li>If TDE is used for transparent backup encryption, the sqlnet.ora used by RMAN needs a correct setting of both ENCRYPTION_WALLET_LOCATION and WALLET_LOCATION in any case.<\/li>\n<\/ul>\n<p>See also MOS Note <a href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=1228046.1\" target=\"_blank\">1228046.1<\/a> <em>Master Note For Transparent Data Encryption ( TDE )<\/em> and <a href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=1504783.1\" target=\"_blank\">1504783.1<\/a> <em>Setting ENCRYPTION_WALLET_LOCATION For Wallets Of Multiple Instances Sharing The Same Oracle Home<\/em><\/p>\n<h4>Oracle SSL Authentication<\/h4>\n<p>A further special case is an application that uses SSL for encryption. 
If the sqlnet.ora parameter SQLNET.AUTHENTICATION_SERVICES specifies SSL (TCPS), an SSL wallet is in use for that client. If such an application wants to use secret store credentials to authenticate to databases (instead of the SSL certificate), those credentials must be stored in the SSL wallet. After SSL authentication, if SQLNET.WALLET_OVERRIDE = TRUE, the user names and passwords from the wallet are used to authenticate; if SQLNET.WALLET_OVERRIDE = FALSE, the SSL certificate is used.<\/p>\n<p>Possible solutions or workarounds:<\/p>\n<ul>\n<li>Store the credentials in the SSL wallet and set SQLNET.WALLET_OVERRIDE accordingly.<\/li>\n<li>Define a separate TNS_ADMIN with its own sqlnet.ora for the user, application or OS environment that should use the secret store credentials.<\/li>\n<\/ul>\n<p>See also MOS Note <a href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=340559.1\" target=\"_blank\">340559.1<\/a> <em>Using The Secure External Password Store<\/em>.<\/p>\n<h4>Oracle Instant Client<\/h4>\n<p>Although the Oracle Instant Client does not contain the tools to create or modify Oracle Wallets (mkstore, orapki), it is able to open a wallet and read the required credentials. The wallet can be prepared on the database server and copied to the Instant Client host, so no credentials have to be stored in the application. But be aware that anybody who can read the wallet file can also log into the database with the stored credentials. Access to the wallet must therefore be restricted with the corresponding OS file permissions, i.e. readable only by the OS user that runs the application. See as well MOS Note <a href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=1441745.1\" target=\"_blank\">1441745.1<\/a> <em>Using a Secure External Password Store with the JDBC Thin Driver<\/em>.<\/p>\n<h4>Wallet deployment options<\/h4>\n<p>Depending on what the Oracle wallets are used for, there are different ways to deploy them. In general it is good practice to define a wallet for each database, regardless of whether TDE is used or not. 
The location of this wallet is defined with the sqlnet.ora parameter ENCRYPTION_WALLET_LOCATION. In addition, a generic wallet can be defined for Secure External Password Store with the sqlnet.ora parameter WALLET_LOCATION. Alternatively you can create a specific wallet that is only used by RMAN to look up database credentials. This wallet is part of the RMAN backup scripts and is activated by setting an alternative TNS_ADMIN when the backup scripts are executed. Such a wallet can be distributed together with the backup scripts to all servers; since it then carries the same catalog credential on every server, it must be readable only by the Oracle software owner on each of them. The various RMAN catalog schemas can easily be accessed by using proxy privileges.<\/p>\n<p>A possible scenario with Trivadis TVD-Backup\u2122:<\/p>\n<ol>\n<li>Configure the default sqlnet.ora, e.g. set ENCRYPTION_WALLET_LOCATION to <em>\/u00\/app\/oracle\/admin\/$ORACLE_SID\/wallet<\/em> and WALLET_LOCATION to <em>\/u00\/app\/oracle\/network\/wallet<\/em><\/li>\n<li>Use the instance-specific wallet in <em>\/u00\/app\/oracle\/admin\/$ORACLE_SID\/wallet<\/em> for TDE<\/li>\n<li>Use the generic wallet in <em>\/u00\/app\/oracle\/network\/wallet<\/em> for SSL, Password Store etc.<\/li>\n<li>Configure your backup scripts, e.g. <em>TVDBACKUP_BASE=\/u00\/app\/oracle\/local\/tvdbackup<\/em><\/li>\n<li>Create a dedicated network and wallet directory for your backup tool, e.g. <em>$TVDBACKUP_BASE\/network\/admin<\/em> and <em>$TVDBACKUP_BASE\/network\/wallet<\/em><\/li>\n<li>Set the RMAN-specific TNS_ADMIN (the directory that holds the RMAN sqlnet.ora and tnsnames.ora) before executing the backup script, e.g. <em>export TNS_ADMIN=$TVDBACKUP_BASE\/network\/admin; rman_exec.ksh -t TDB11 -s bck_inc0<\/em><\/li>\n<li>Deploy your backup script.<\/li>\n<\/ol>\n<h3>Licensing<\/h3>\n<p>The licensing of Oracle Secure External Password Store is at first sight somewhat obscure. Depending on which version of the Oracle documentation or which Metalink notes you&#8217;re reading, different information is available. 
According to older documentation and Metalink notes such as <a href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=465460.1\" target=\"_blank\">465460.1<\/a>, <a href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=1084132.1\" target=\"_blank\">1084132.1<\/a> or <a href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=1628809.1\" target=\"_blank\">1628809.1<\/a>, Oracle Secure External Password Store is limited to Oracle Enterprise Edition. This limitation has since been removed from all available online Oracle documentation: Secure External Password Store can be used on all production editions. So do not hesitate to use it. \ud83d\ude42<\/p>\n<p>Quote from MOS Note <a href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=340559.1\" target=\"_blank\">340559.1<\/a> Using The Secure External Password Store:<\/p>\n<blockquote><p>The feature Secure External Password Store can be used without any restriction in all product editions, you do not require a license for the Advanced Security Option (ASO).<\/p><\/blockquote>\n<h3>Conclusion<\/h3>\n<p>Oracle Secure External Password Store is a simple and secure way to improve database security and to avoid plain text passwords in scripts and applications of any kind. Although it has been available for several Oracle releases, it is still used far too little. The biggest challenge with Secure External Password Store is the uniform distribution and configuration of sqlnet.ora and of the wallet itself. This blog post should give some ideas how Oracle Secure External Password Store could be used in conjunction with RMAN. 
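<\/p>
<p>That distribution can be made reproducible with a small script that builds the dedicated TNS_ADMIN tree from the wallet deployment scenario above (tnsnames.ora and sqlnet.ora with WALLET_LOCATION and SQLNET.WALLET_OVERRIDE) and refuses to run a backup as long as the wallet directory is readable by anyone but the Oracle owner, the risk noted in the Instant Client section. The following is an added example and not code from the original post or from TVD-Backup; the base directory, alias, host, port and service name are placeholders, and it assumes Oracle-style paths without whitespace:<\/p>

```shell
#!/bin/sh
# Added example, not code from the original post or from TVD-Backup.
# Builds the dedicated TNS_ADMIN tree the post proposes for backup
# scripts and runs the preflight check a backup script should do before
# calling rman with /@alias. Assumptions: paths contain no whitespace or
# glob characters (the norm for Oracle installations); the host, port
# and service name passed in are placeholders.
set -u

# write_rman_tns BASE ALIAS HOST PORT SERVICE
# writes BASE/admin/tnsnames.ora with a single alias for the catalog
write_rman_tns() {
  base=$1 tnsalias=$2 host=$3 port=$4 service=$5
  mkdir -p $base/admin
  {
    printf '%s =\n' $tnsalias
    echo '  (DESCRIPTION ='
    printf '    (ADDRESS = (PROTOCOL = TCP)(HOST = %s)(PORT = %s))\n' $host $port
    printf '    (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = %s))\n' $service
    echo '  )'
  } > $base/admin/tnsnames.ora
}

# write_rman_sqlnet BASE WALLET_DIR
# writes BASE/admin/sqlnet.ora with the two settings SEPS needs:
# WALLET_LOCATION pointing at WALLET_DIR and SQLNET.WALLET_OVERRIDE = TRUE
write_rman_sqlnet() {
  base=$1 wallet=$2
  mkdir -p $base/admin $wallet
  {
    echo 'WALLET_LOCATION ='
    echo '  (SOURCE ='
    echo '    (METHOD = FILE)'
    printf '    (METHOD_DATA = (DIRECTORY = %s))\n' $wallet
    echo '  )'
    echo 'SQLNET.WALLET_OVERRIDE = TRUE'
  } > $base/admin/sqlnet.ora
}

# lock_down_wallet WALLET_DIR
# owner-only access: 0700 on the directory, 0600 on cwallet.sso/ewallet.p12
lock_down_wallet() {
  chmod 700 $1
  find $1 -type f -exec chmod 600 {} +
}

# check_wallet_perms WALLET_DIR
# succeeds only if neither the directory nor any file inside it has a
# read, write or execute bit set for group or others; anyone who can
# read cwallet.sso can log in as the stored user
check_wallet_perms() {
  [ -d $1 ] || return 1
  n=$(find $1 -perm -004 -o -perm -002 -o -perm -001 -o -perm -040 -o -perm -020 -o -perm -010 | wc -l)
  [ $n -eq 0 ]
}

# preflight BASE WALLET_DIR
# run this before: export TNS_ADMIN=BASE/admin; rman target / catalog /@CATALOG
# sqlnet.ora must exist, point at WALLET_DIR and enable WALLET_OVERRIDE,
# the auto-login wallet must be present and the directory locked down
preflight() {
  base=$1 wallet=$2
  cfg=$base/admin/sqlnet.ora
  [ -r $cfg ] || return 1
  grep -q -F $wallet $cfg || return 1
  grep -q 'SQLNET.WALLET_OVERRIDE *= *TRUE' $cfg || return 1
  [ -f $wallet/cwallet.sso ] || return 1
  check_wallet_perms $wallet
}
```

<p>A backup wrapper calls <code>preflight<\/code> with <em>$TVDBACKUP_BASE\/network<\/em> and the wallet directory right before it exports TNS_ADMIN and starts rman, so a wallet that was copied with too generous permissions stops the job instead of silently leaving the catalog credential readable to every local user. For read access only the auto-login file cwallet.sso has to be copied to the backup hosts; ewallet.p12, which is needed only to add or change credentials with mkstore, can stay on the host where the wallet is maintained.<\/p>
<p>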
Whether on the database server, the application server or an Oracle client, storing passwords in scripts and configuration files is a thing of the past.<\/p>\n<h3>References<\/h3>\n<p>Although I haven&#8217;t seen many customers using Oracle Secure External Password Store, there is a lot of information available on this topic: white papers, documentation and Metalink notes.<\/p>\n<ul>\n<li>Using The Secure External Password Store [<em><a href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=340559.1\" target=\"_blank\">340559.1<\/a><\/em>]<\/li>\n<li>Using a Secure External Password Store with the JDBC Thin Driver [<em><a href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=1441745.1\" target=\"_blank\">1441745.1<\/a><\/em>]<\/li>\n<li>How To Configure The Secure External Password Store To Allow The Connection To RMAN Catalog? [<em><a href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=1383938.1\" target=\"_blank\">1383938.1<\/a><\/em>]<\/li>\n<li>How To Hide Usernames And Passwords In RMAN Logfile [<em><a href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=246192.1\" target=\"_blank\">246192.1<\/a><\/em>]<\/li>\n<li>Oracle White Paper November 2008 <a href=\"http:\/\/www.oracle.com\/technetwork\/database\/security\/twp-db-security-secure-ext-pwd-stor-133399.pdf\" target=\"_blank\">Secure External Password Store<\/a><\/li>\n<li>How To Change The Wallet Password For A Secure External Password Store? 
[<em><a href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=557382.1\" target=\"_blank\">557382.1<\/a><\/em>]<\/li>\n<li>How to Use an External Password Store with the OCI JDBC Driver [<em><a href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=403744.1\" target=\"_blank\">403744.1<\/a><\/em>]<\/li>\n<li>The Impact of the Sqlnet Settings on Database Security (sqlnet.ora Security Parameters and Wallet Location) [<em><a href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=1240824.1\" target=\"_blank\">1240824.1<\/a><\/em>]<\/li>\n<li>Ora-12534 With Secure External Password Store (Wallet) [<em><a href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=1189272.1\" target=\"_blank\">1189272.1<\/a><\/em>]<\/li>\n<li>Setting ENCRYPTION_WALLET_LOCATION For Wallets Of Multiple Instances Sharing The Same Oracle Home [<em><a href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=1504783.1\" target=\"_blank\">1504783.1<\/a><\/em>]<\/li>\n<li>Master Note For Transparent Data Encryption ( TDE ) [<em><a href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=1228046.1\" target=\"_blank\">1228046.1<\/a><\/em>]<\/li>\n<li>Oracle\u00ae Database Security Guide 10g Release 2 (10.2) <br \/><a href=\"http:\/\/docs.oracle.com\/cd\/B19306_01\/network.102\/b14266\/cnctslsh.htm\" target=\"_blank\">Secure External Password Store<\/a><\/li>\n<li>Oracle\u00ae Database Security Guide 11g Release 2 (11.2) <br \/><a href=\"http:\/\/docs.oracle.com\/cd\/E11882_01\/network.112\/e36292\/authentication.htm#DBSEG99815\" target=\"_blank\">Managing the Secure External Password Store for Password Credentials<\/a><\/li>\n<li>Oracle\u00ae Database Security Guide 12c Release 1 (12.1) <br \/><a href=\"http:\/\/docs.oracle.com\/cd\/E16655_01\/network.121\/e17607\/authentication.htm#DBSEG99815\" target=\"_blank\">Managing the Secure External Password Store for Password Credentials<\/a><\/li>\n<li>Oracle\u00ae 
Database Licensing Information 12c Release 1 (12.1) <a href=\"http:\/\/docs.oracle.com\/cd\/E16655_01\/license.121\/e17614\/editions.htm#DBLIC129\" target=\"_blank\">Oracle Wallet<\/a><\/li>\n<li>Differences Between Enterprise, Standard and Standard One Editions on Oracle 11.2 [<em><a href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=1084132.1\" target=\"_blank\">1084132.1<\/a><\/em>]<\/li>\n<li>ORACLE-BASE Article <a href=\"http:\/\/www.oracle-base.com\/articles\/10g\/secure-external-password-store-10gr2.php\" target=\"_blank\">Secure External Password Store<\/a><\/li>\n<li>DBA survival BLOG <a href=\"http:\/\/www.ludovicocaldara.net\/dba\/wallets-and-proxy-users\/\" target=\"_blank\">Removing passwords from Oracle scripts: Wallets and Proxy Users<\/a><\/li>\n<li>Trivadis AG <a href=\"http:\/\/www.trivadis.com\/uploads\/tx_cabagdownloadarea\/Praktische_Anwendungen_Wallet_mit_DataGuard_und_RMAN_01.pdf\" target=\"_blank\">Unsichtbare Passw\u00f6rter \u2013 Oracle Wallet sei Dank<\/a> (Invisible passwords, thanks to Oracle Wallet; in German)<\/li>\n<li>Oracle Deutschsprachige DBA Community <a href=\"http:\/\/www.oracle.com\/webfolder\/technetwork\/de\/community\/dbadmin\/tipps\/eps\/index.html\" target=\"_blank\">Sicher einloggen ohne Benutzername und Passwort<\/a> (Secure login without username and password; in German)<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>The draft version of this blog post has been lying around in my inbox for some time. I&#8217;ve never found the time to finish it. But due to a task in a project it&#8217;s about time to finish my notes on Oracle&#8217;s Secure External Password Store. Ludovico, a work colleague, has already written a blog post about Removing passwords from Oracle scripts earlier this year. I would like to complement the topic and discuss a few points specifically in connection with RMAN backups and a central RMAN catalog. 
The goal remains the same, getting rid of passwords with a minimal operational effort.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"#oracle Secure External Password Store for RMAN http:\/\/wp.me\/p1aErb-tC #trivadis #oraclesecurity","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[8,83,5,10,11],"tags":[122,18,111],"class_list":["post-1836","post","type-post","status-publish","format-standard","hentry","category-11gr2","category-12cr1","category-oracle-database","category-rman","category-security","tag-howto","tag-trivadiscontent","tag-tvdsecexpert"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p1aErb-tC","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":1615,"url":"https:\/\/www.oradba.ch\/wordpress\/2014\/06\/oracle-passwords-and-special-characters\/","url_meta":{"origin":1836,"position":0},"title":"Oracle passwords and special characters","author":"Stefan","date":"12. June 2014","format":false,"excerpt":"As commonly known passwords should have a certain complexity. Thereby it is common to use special characters, numbers, lower and uppercase characters. Depending on the type of special characters Oracle require that the password is enclosed in double quotation marks. 
Oracle does provide a guideline for Securing Passwords in the\u2026","rel":"","context":"In &quot;11gR2&quot;","block_context":{"text":"11gR2","link":"https:\/\/www.oradba.ch\/wordpress\/category\/oracle-database\/11gr2\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":7707,"url":"https:\/\/www.oradba.ch\/wordpress\/2020\/11\/oracle-security-eus-snippets-setup-proxy-user-privileges\/","url_meta":{"origin":1836,"position":1},"title":"Oracle Security EUS Snippets &#8211; Setup Proxy User Privileges","author":"Stefan","date":"5. November 2020","format":false,"excerpt":"Since I'm always short of time for a longer blog post, I'll just try a short one. Intended as a mini-series, I will show different configuration examples for Oracle Enterprise User Security. Today I\u2019ll start with the configuration of EUS based proxy privileges. The environment I use is DOE, my\u2026","rel":"","context":"In &quot;12R2&quot;","block_context":{"text":"12R2","link":"https:\/\/www.oradba.ch\/wordpress\/category\/oracle-database\/12r2\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":600,"url":"https:\/\/www.oradba.ch\/wordpress\/2011\/09\/tablespace-point-in-time-recovery-and-oracle-11-2-0-2\/","url_meta":{"origin":1836,"position":2},"title":"Tablespace point in time recovery and Oracle 11.2.0.2","author":"Stefan","date":"1. September 2011","format":false,"excerpt":"Tablespace point in time recovery (TSPITR) in particular, the fully automatic TSPITR is not a 11g new feature. It is likely that this can be used without any problem. But it looks like that a bug has been introduced with the latest patchset (11.2.0.2). 
What is the problem and how\u2026","rel":"","context":"In &quot;11gR2&quot;","block_context":{"text":"11gR2","link":"https:\/\/www.oradba.ch\/wordpress\/category\/oracle-database\/11gr2\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/TSPITR-300x278.jpg?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":7846,"url":"https:\/\/www.oradba.ch\/wordpress\/2020\/12\/security-best-practice-oracle-passwords-but-secure\/","url_meta":{"origin":1836,"position":3},"title":"Security Best Practice: Oracle passwords, but secure!","author":"Stefan","date":"1. December 2020","format":false,"excerpt":"Beach view in Brighton at the UKOUG Techfest 2019 Today I held my presentation about Oracle security best practice \"Oracle passwords, but secure!\u201d at the virtual UKOUG event. Unfortunately, this year the beautiful view of Brighton beach and the active exchange with colleagues was missing. Ok, on the other hand\u2026","rel":"","context":"In &quot;12R2&quot;","block_context":{"text":"12R2","link":"https:\/\/www.oradba.ch\/wordpress\/category\/oracle-database\/12r2\/"},"img":{"alt_text":"Beach view in Brighton at the UKOUG Techfest 2019","src":"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/31507FA5-AAFE-4D85-AB3A-3FF218CA4567.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/31507FA5-AAFE-4D85-AB3A-3FF218CA4567.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/31507FA5-AAFE-4D85-AB3A-3FF218CA4567.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/31507FA5-AAFE-4D85-AB3A-3FF218CA4567.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/31507FA5-AAFE-4D85-AB3A-3FF218CA4567.png?resize=1050%2C600&ssl=1 3x, 
https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/31507FA5-AAFE-4D85-AB3A-3FF218CA4567.png?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":2053,"url":"https:\/\/www.oradba.ch\/wordpress\/2015\/10\/wallet_location-in-sqlnet-ora-for-container-databases\/","url_meta":{"origin":1836,"position":4},"title":"WALLET_LOCATION in sqlnet.ora for Container Databases","author":"Stefan","date":"31. October 2015","format":false,"excerpt":"Recently I've setup Oracle Enterprise User Security (EUS) with Oracle Unified Directory (OUD) on my favorite linux test system. Among regular 11.2.0.4 and 12.1.0.2 databases I do also have a 12.1.0.2 Container Database. EUS work like a charm on the regular databases but not on the PDB. [cc lang=\"sql\"] SQL>\u2026","rel":"","context":"In &quot;12cR1&quot;","block_context":{"text":"12cR1","link":"https:\/\/www.oradba.ch\/wordpress\/category\/oracle-database\/12cr1\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":2185,"url":"https:\/\/www.oradba.ch\/wordpress\/2016\/09\/losing-the-oracle-wallet-for-enterprise-user-security\/","url_meta":{"origin":1836,"position":5},"title":"Losing the Oracle Wallet for Enterprise User Security","author":"Stefan","date":"14. September 2016","format":false,"excerpt":"Having a reliable backup solution for your Transparent Data Encryption (TDE) or Enterprise User Security (EUS) Wallets, is beyond discussion. Nevertheless it can happen that you lose or corrupt the Oracle Wallet. 
With Transparent Data Encryption (TDE), this is really bad luck, because you can not access your encrypted data.\u2026","rel":"","context":"In &quot;11gR2&quot;","block_context":{"text":"11gR2","link":"https:\/\/www.oradba.ch\/wordpress\/category\/oracle-database\/11gr2\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/posts\/1836","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/comments?post=1836"}],"version-history":[{"count":14,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/posts\/1836\/revisions"}],"predecessor-version":[{"id":1850,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/posts\/1836\/revisions\/1850"}],"wp:attachment":[{"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/media?parent=1836"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/categories?post=1836"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/tags?post=1836"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}