Bright DBA

ORACLE DBA – Tips and Techniques

Skip to content
  • Home
  • DBA Monitor
    • Scripts
      • DBA Sheet v6.1
      • DBA Sheet v7.0
      • DBA Daily Report
      • Generate INSERT statements from the SELECT query
      • Generate INSERT statements to a flat file using a PL/SQL query
    • OS
    • DATABASE
    • NETWORK
    • STORAGE
  • DB-Generic
    • DB-Install
      • Install 10g
      • Install Oracle Software in silent mode 11gR2
      • Deinstall Oracle 11gR2 Database binaries
      • Uninstall Oracle Client on Windows
      • Create database -DBCA silent mode
      • Delete database -DBCA silent mode
      • Drop Database
      • Patch Terminology
    • DB-Admin
      • How to change SQL  prompt to show connected user and database name
      • Change Archive Dest
      • Enable Archivelog
      • How to Recover Loss of DATA – (Without a Backup!)
      • Configure OEM DBConsole manually
      • Proxy User
      • Database Link
      • DBMS_SCHEDULER
      • Enable/Disable JOBS during Maintenance
      • ORA-00054
      • Blocking Sessions
      • Create Service using DBMS_SERVICE
      • Error TNS-12543
      • Store DB credentials in Oracle Wallet
      • Under Edit
  • BACKUP
    • BACKUP ORACLE HOME AND INVENTORY
    • Datapump
      • SCHEMA REFRESH FROM 11G TO 12C PDB
    • RMAN
      • CATALOG
      • RMAN Database Restore RAC – RAC
      • RMAN Database Restore ASM – ASM
      • RMAN Database Restore from ASM to File System
      • RMAN ACTIVE DUPLICATION ASM TO ASM
      • Backup Based RMAN Duplicate Database
  • PT
    • Tuning Stage 1
      • Statistics
      • Oracle Histograms
      • Export/Import schema statistics
      • CONTROL MANAGEMENT PACK ACCESS
      • Generate Explain Plan
      • SQL Query is really hanged or not
    • Tuning Stage 2
      • STATSPACK
      • ASH
      • AWR
      • Colored SQL_ID
      • SYSAUX Tablespace
    • Tuning Stage 3
      • Troubleshooting Long Running Queries
      • SQL Tuning Advisor
      • SQLT
        • How to Install SQLT
        • How to Run SQLT
        • How to Create Custom SQL Profile
        • Uninstall SQLT
      • Tracing
      • TRCA – Trace Analyzer
  • HA
    • DG 11g
      • CONFIGURATION
        • Active Dataguard on Non-ASM
        • Active Dataguard on ASM
        • Convert Physical Standby Database to Snapshot Standby Database
        • Convert Snapshot Standby database to Physical Standby database
        • Configure Cascading Standby Database
        • DG Broker Configuration
        • DG Broker Error – ORA-16714
        • Disable DG Broker
      • SWITCHOVER
        • Switchover Manual No-Broker
        • Switchover with Broker
      • FAILOVER
        • Failover with Broker(No Flashback)
        • Failover with No Broker (No Flashback)
        • Failover with Broker using Flashback
        • Failover with No Broker using Flashback
      • Enable Real-Time Apply
      • Apply DB PSU on Standby
      • Refresh Standby Database using RMAN Incremental SCN Backup
      • Resetlogs on Primary where Standby in place
      • Drop SRL
    • DG 12c
      • 12.2 Active Dataguard in CDB on Non-ASM
      • Create Physical Standby using RMAN Backup Without Duplicate Command
      • Create Physical Standby using RMAN Backup with Duplicate Command
      • 12c DG Broker Configuration
      • Upgrade Database to 12.2 with Physical Standby
    • ASM
      • Move ASM Spfile to diff. DiskGroup
      • ASM Commands
      • Instantiating disk: failed
      • CSSD won’t start automatically
  • RAC
    • Create users, groups and Paths for Oracle RAC
    • Configure ASMLib for Oracle ASM
    • Configure UDEV Rules for Oracle ASM
    • RAC Install
      • RAC Install 11.2.0.3
      • Upgrade GI to 11.2.0.4
      • Downgrade GI to 11.2.0.3
      • root.sh failed with ORA-29783 on RAC
      • Delete Node
      • Add Node
      • Delete Node without remove software
      • Add Node Back which was DELETED without remove software
    • RAC Admin
      • How to take OCR backup on 11.2.0.4
      • Cluster Name
      • Move/Relocate OCR
      • Restore loss of all VOTE disk
      • Cluster Startup issues
      • Add SCAN
    • RAC Tools
      • CLUVFY
      • OSWatcher
    • RAC Standby 12.2
    • Create ACFS File System on RAC
  • GG
    • GG 11g
      • GoldenGate Installation
      • Unidirectional DML Replication
      • Zero Downtime Migration
      • DDL Replication
    • GG 12C
      • GoldenGate 12C Installation
      • Integrated Capture
      • Oracle GoldenGate Heterogeneous Replication
      • Credential Store
      • ADD NEW TABLE TO AN EXISTING GOLDENGATE CONFIGURATION
    • GG 19C
      • Install Oracle GoldenGate 19C for Database 12C
      • Install Oracle GoldenGate 19C for Database 19C
  • 12c/18c/19c
    • Install 12.2 Database Binaries in silent mode
    • Upgrade DB Manually 11.2.0.4 to 12.2.0.1
    • Upgrade DB using DBUA from 11.2.0.4 to 12.2.0.1
    • CREATE PDB USING SEED
    • CREATE NEW PDB BY CLONING AN EXISTING PDB
    • CREATE PDB USING DBCA
    • DROP PDB MANUALLY
    • Configure OEM Express 12c
    • CREATE NON-CDB ON ORACLE 12C IN SILENT MODE
    • Create Non-CDB on Oracle 12c using DBCA (GUI)
    • Convert Non-CDB to PDB with DBMS_PDB
    • SCHEMA REFRESH FROM 11G TO 12C PDB
    • STARTUP/SHUTDOWN CDB AND PDB
    • Apply RU on DATABASE 12.2
    • ROLLBACK RU from DATABASE 12.2
    • How to Change MAX_STRING_SIZE on Physical Standby Environment
    • 18C
      • Install 18c
      • Deinstall Oracle 18c Database Binaries
      • 18c DB Patching
    • Install 19c GUI
    • Install 19c in silent mode
    • Oracle 19c Deinstall
    • Create DB 19C – DBCA-GUI
    • Create DB 19C – DBCA-SILENT
    • Apply Patch RU on Database 19c
    • Upgrade Oracle Database from 12.2.0.1 to 19c using DBUA
    • Upgrade Oracle Database Manually from 12.2.0.1 to 19c
    • Rolling Upgrade With an Existing Physical Standby Database
    • Upgrade TIMEZONE Version
  • EM
    • Install OEM 13.2
    • Install OEM 13.3
    • Add Targets Manually on EM Cloud Control 13c
    • Upgrade OMSPatcher
    • Apply Patch on OMS 13.1
    • Apply Patch on Agent 13.1
  • MS SQL
  • MySQL/MariaDB
  • PostgreSQL
    • Install PostgreSQL 13 using yum Repository on Linux
    • Install PostgreSQL Using Source Code
    • How to START/STOP PostgreSQL 13 on Linux
    • Create Database in PostgreSQL
    • PostgreSQL User Management
    • PostgreSQL pg_hba.conf
    • Change Data Directory
    • WAL Files (Redo log files)
    • Change WAL Directory Location (pg_wal)
    • Enable Archive Mode (WAL Archiving)
    • Disable ARCHIVELOG Mode
    • PostgreSQL Tablespace
    • pg_dump & pg_restore
    • Backup and Restore Using pg_dumpall
    • pg_basebackup
    • Clone PostgreSQL Cluster (No Archive Mode)
    • Backup and Restore on Same Host Using pg_basebackup
    • PostgreSQL Backup & Restore+Recover to New Host with WAL Archive files
    • PostgreSQL Point-in-Time Recovery (PITR)
    • Incremental backups in PostgreSQL 17
    • Streaming Replication (Active Dataguard)
    • Failover Streaming Replication
    • Synchronous Replication in PostgreSQL
  • DB2
    • Install DB2 V10.5 using GUI
    • DB2 STOP and START
    • DB2 Troubleshooting Guide

Store DB credentials in Oracle Wallet

Using the Oracle Wallet to store database credentials

Table of Contents
___________________________________________________________________________________________________

Step 0: Overview
Step 1: Create Oracle Wallet Directory
Step 2: Create TNS ADMIN Directory (For OS user raj)
Step 3: Add TNS Entry (For OS user oracle)
Step 4: Export Oracle Variables
Step 5: Create password protected Oracle Wallet in secured location using orapki
Step 6: Add database login credentials to the wallet using mkstore
Step 7: Verify DB connection
Step 8: List Credential stored in a wallet
Step 9: Modify credential stored in wallet
Step 10: To view an Oracle wallet
Step 11: To change an Oracle wallet password
Step 12: Delete Credential stored in wallet
Step 13: Delete Oracle Wallet
___________________________________________________________________________________________________


Step 0: Overview

The Oracle Wallet can be used to store the user's credentials, so instead of exposing passwords in clear text format in a shell script. Multiple credentials for multiple database can be stored in a single wallet file.

This procedure stores a database user's credentials inside the Wallet. This features uses the auto login feature, so it is not required to provide the Wallet password to access to the user's credentials, the OS file permissions regulate access to the Wallet.

In this demo i have created wallet on same database server, but used different os user "raj" which is NOT oracle binary owner.

I have created two separate directories for wallet creation which is owned by os user "raj"

1. Oracle Wallet Directory
2. Oracle TNS ADMIN directory for OS user "raj"

The status of the auto-login wallet is shows as OPEN_NO_MASTER_KEY in V$ENCRYPTION_WALLET even after the database is restarted.

--Datapump using wallet
nohup expdp /@BSA1EP directory=DUMP_DIR dumpfile=scott_%U.dmp logfile=EXP_SCOTT.log schemas=scott parallel=4 &
-- JDBC using wallet
Connection conn = DriverManager.getConnection ("jdbc:oracle:oci:/@BSA1EP");


Step 1: Create Oracle Wallet Directory

SET LINES 180
COL wrl_type FORMAT a12
COL wrl_parameter FORMAT a35
COL status FORMAT a30
select * from v$encryption_wallet;

WRL_TYPE     WRL_PARAMETER                       STATUS          WALLET_TYPE          WALLET_OR KEYSTORE FULLY_BAC     CON_ID
------------ ----------------------------------- --------------- -------------------- --------- -------- --------- ----------
FILE         /oracle/admin/BSA1EP/wallet         NOT_AVAILABLE   UNKNOWN              SINGLE    NONE     UNDEFINED          0

SQL>
SQL> exit
Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
[oracle@dg1 ~]$ cd /oracle/admin/BSA1EP/wallet
-bash: cd: /oracle/admin/BSA1EP/wallet: No such file or directory
[oracle@dg1 ~]$ 
[root@dg1 ~]# mkdir -p /u01/admin/BSA1EP/wallet
[root@dg1 ~]# chown -R raj:raj /u01/admin/BSA1EP/wallet


Step 2: Create TNS ADMIN Directory (For OS user raj)

[root@dg1 ~]# mkdir -p /u01/admin/BSA1EP/wallet/TNS_ADMIN
[root@dg1 ~]# chown -R raj:raj /u01/admin/BSA1EP/wallet/TNS_ADMIN


Step 3: Add TNS Entry (For OS user oracle)

[oracle@dg1 admin]$ cat /oracle/1900/network/admin/sqlnet.ora
# sqlnet.ora Network Configuration File: /oracle/1900/network/admin/sqlnet.ora
# Generated by Oracle configuration tools.

NAMES.DIRECTORY_PATH= (TNSNAMES)
SQLNET.WALLET_OVERRIDE = FALSE
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 0
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/admin/BSA1EP/wallet)))
[oracle@dg1 admin]$

[oracle@dg1 admin]$ cat /oracle/1900/network/admin/tnsnames.ora
# tnsnames.ora Network Configuration File: /oracle/1900/network/admin/tnsnames.ora
# Generated by Oracle configuration tools.

BSA1EP =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dg1.rajasekhar.com)(PORT = 1622))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = BSA1EP)
    )
  )

[oracle@dg1 admin]$


Step 4: Export Oracle Variables

[raj@dg1 ~]$ export ORACLE_SID=BSA1EP
[raj@dg1 ~]$ export ORACLE_HOME=/oracle/1900
[raj@dg1 ~]$ export PATH=$ORACLE_HOME/bin:$PATH
[raj@dg1 ~]$ export TNS_ADMIN=/u01/admin/BSA1EP/wallet/TNS_ADMIN
[raj@dg1 ~]$ export DB_LOGIN_ID=test

[OR]

[raj@dg1 ~]$ . oraenv
ORACLE_SID = [BSA1EP] ?
ORACLE_BASE environment variable is not being set since this
information is not available for the current user ID raj.
You can set ORACLE_BASE manually if it is required.
Resetting ORACLE_BASE to its previous value or ORACLE_HOME
The Oracle base remains unchanged with value /oracle/1900
[raj@dg1 ~]$
[raj@dg1 ~]$ export TNS_ADMIN=/u01/admin/BSA1EP/wallet/TNS_ADMIN
[raj@dg1 ~]$


Step 5: Create password protected Oracle Wallet in secured location using orapki

[raj@dg1 wallet]$ pwd
/u01/admin/BSA1EP/wallet
[raj@dg1 wallet]$ ls -ltr
total 0
drwxr-xr-x 2 raj raj 44 Feb  5 23:15 TNS_ADMIN
[raj@dg1 wallet]$

[raj@dg1 ~]$ id
uid=1000(raj) gid=1000(raj) groups=1000(raj),10(wheel)
[raj@dg1 ~]$

[raj@dg1 wallet]$ orapki wallet create -wallet /u01/admin/BSA1EP/wallet -auto_login
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter password:
Enter password again:
Operation is successfully completed.
[raj@dg1 wallet]$


[raj@dg1 wallet]$ ls -ltr /u01/admin/BSA1EP/wallet
total 8
drwxr-xr-x 2 raj raj  44 Feb  5 23:15 TNS_ADMIN
-rw------- 1 raj raj   0 Feb  5 23:57 ewallet.p12.lck
-rw------- 1 raj raj 149 Feb  5 23:57 ewallet.p12
-rw------- 1 raj raj   0 Feb  5 23:57 cwallet.sso.lck
-rw------- 1 raj raj 194 Feb  5 23:57 cwallet.sso
[raj@dg1 wallet]$

[raj@dg1 wallet]$ chmod 644 *wallet*

[raj@dg1 wallet]$ ll
total 8
-rw-r--r-- 1 raj raj 581 Feb  6 02:14 cwallet.sso
-rw-r--r-- 1 raj raj   0 Feb  5 23:57 cwallet.sso.lck
-rw-r--r-- 1 raj raj 536 Feb  6 02:11 ewallet.p12
-rw-r--r-- 1 raj raj   0 Feb  5 23:57 ewallet.p12.lck
drwxr----- 2 raj raj  44 Feb  5 23:15 TNS_ADMIN
[raj@dg1 wallet]$


[oracle@dg1 admin]$ id oracle
uid=54321(oracle) gid=54321(oinstall) groups=54321(oinstall),54322(dba),54331(asmadmin),54332(asmdba)
[oracle@dg1 admin]$

[oracle@dg1 admin]$ sqlplus / as sysdba

SQL*Plus: Release 19.0.0.0.0 - Production on Sun Feb 6 00:19:59 2022
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.


Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0

SQL> set lines 190
SQL> COL wrl_type FORMAT a12
SQL> COL wrl_parameter FORMAT a35
SQL> COL status FORMAT a30
SQL> select * from v$encryption_wallet;

WRL_TYPE     WRL_PARAMETER                       STATUS                         WALLET_TYPE          WALLET_OR KEYSTORE FULLY_BAC     CON_ID
------------ ----------------------------------- ------------------------------ -------------------- --------- -------- --------- ----------
FILE         /u01/admin/BSA1EP/wallet/           OPEN_NO_MASTER_KEY             UNKNOWN              SINGLE    NONE     UNDEFINED          0

SQL>


Step 6: Add database login credentials to the wallet using mkstore

Enter user-name: / as sysdba

Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0

SQL> alter user test identified by test123;

User altered.

SQL> grant connect to test;

Grant succeeded.

SQL>

[raj@dg1 ~]$ id
uid=1000(raj) gid=1000(raj) groups=1000(raj),10(wheel)
[raj@dg1 ~]$
[raj@dg1 ~]$ mkstore -wrl /u01/admin/BSA1EP/wallet -createCredential BSA1EP test
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Your secret/Password is missing in the command line
Enter your secret/Password:
Re-enter your secret/Password:
Enter wallet password:
[raj@dg1 ~]$
[raj@dg1 ~]$


Step 7: Verify DB connection

[raj@dg1 ~]$ id
uid=1000(raj) gid=1000(raj) groups=1000(raj),10(wheel)
[raj@dg1 ~]$
[raj@dg1 ~]$ export TNS_ADMIN=/u01/admin/BSA1EP/wallet/TNS_ADMIN
[raj@dg1 ~]$
[raj@dg1 ~]$ sqlplus /@BSA1EP

SQL*Plus: Release 19.0.0.0.0 - Production on Sun Feb 6 00:40:23 2022
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.

Last Successful login time: Sat Feb 05 2022 20:15:40 +08:00

Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0

SQL> show user
USER is "TEST"
SQL>


Step 8: List Credential stored in a wallet

[raj@dg1 ~]$ id
uid=1000(raj) gid=1000(raj) groups=1000(raj),10(wheel)
[raj@dg1 ~]$
[raj@dg1 ~]$ mkstore -wrl /u01/admin/BSA1EP/wallet -listCredential
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
List credential (index: connect_string username)
1: BSA1EP test
[raj@dg1 ~]$


Step 9: Modify credential stored in wallet (Update DB user password)

[oracle@dg1 ~]$ sqlplus / as sysdba

SQL*Plus: Release 19.0.0.0.0 - Production on Sun Feb 6 00:45:36 2022
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.


Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0

SQL> alter user test identified by test999;

User altered.

SQL>

[raj@dg1 ~]$ id
uid=1000(raj) gid=1000(raj) groups=1000(raj),10(wheel)
[raj@dg1 ~]$
[raj@dg1 ~]$ mkstore -wrl /u01/admin/BSA1EP/wallet -modifyCredential BSA1EP test test999
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
[raj@dg1 ~]$
[raj@dg1 ~]$
[raj@dg1 ~]$ export TNS_ADMIN=/u01/admin/BSA1EP/wallet/TNS_ADMIN
[raj@dg1 ~]$
[raj@dg1 ~]$ sqlplus /@BSA1EP

SQL*Plus: Release 19.0.0.0.0 - Production on Sun Feb 6 00:48:03 2022
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.

Last Successful login time: Sun Feb 06 2022 00:40:24 +08:00

Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0

SQL> show user
USER is "TEST"
SQL>


Step 10: To view an Oracle wallet

[raj@dg1 ~]$ orapki wallet display -wallet /u01/admin/BSA1EP/wallet
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Oracle Secret Store entries:
oracle.security.client.connect_string1
oracle.security.client.password1
oracle.security.client.username1
Trusted Certificates:
[raj@dg1 ~]$


Step 11: To change an Oracle wallet password

orapki wallet change_pwd -wallet /u01/admin/BSA1EP/wallet [-oldpwd password ] [-newpwd password]

orapki wallet change_pwd -wallet /u01/admin/BSA1EP/wallet -oldpwd "Oracle@123" -newpwd "oracle123"

[raj@dg1 ~]$ orapki wallet change_pwd -wallet /u01/admin/BSA1EP/wallet
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Enter New Wallet Password:
Confirm Wallet Password:
Wallet password has been changed.
[raj@dg1 ~]$


Step 12: Delete Credential stored in wallet

[raj@dg1 ~]$ mkstore -wrl /u01/admin/BSA1EP/wallet -deleteCredential BSA1EP
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
[raj@dg1 ~]$
[raj@dg1 ~]$


[raj@dg1 ~]$ mkstore -wrl /u01/admin/BSA1EP/wallet -listCredential
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
List credential (index: connect_string username) <--- no output
[raj@dg1 ~]$


Step 13: Delete Oracle Wallet

To delete an Oracle wallet, we can directly delete the wallet direectory and files

[raj@dg1 ~]$ ls -ltr /u01/admin/BSA1EP/wallet
total 8
drwxr-xr-x 2 raj raj  44 Feb  5 23:15 TNS_ADMIN
-rw------- 1 raj raj   0 Feb  5 23:57 ewallet.p12.lck
-rw------- 1 raj raj   0 Feb  5 23:57 cwallet.sso.lck
-rw------- 1 raj raj 149 Feb  6 01:06 ewallet.p12
-rw------- 1 raj raj 194 Feb  6 01:06 cwallet.sso
[raj@dg1 ~]$
[raj@dg1 ~]$ rm -f /u01/admin/BSA1EP/wallet/*wallet*

Caution: Your use of any information or materials on this website is entirely at your own risk. It is provided for educational purposes only. It has been tested internally, however, we do not guarantee that it will work for you. Ensure that you run it in your test environment before using.

Thank you,
Rajasekhar Amudala
Email: br8dba@gmail.com
WhatsApp : +
Linkedin: https://www.linkedin.com/in/rajasekhar-amudala/

Reference:

About me - Rajasekhar Amudala