Use Oracle Wallet to store repository (Registry/SS/EAS) credentials?

I'm running EPM 11.1.2.2 on AIX, Oracle repository, already installed and configured.
The security team would prefer to have the repository credentials stored in an Oracle wallet as a matter of policy.  I believe, from my limited research, that a JDBC driver can (theoretically) use wallet.  But has anyone done it in the context of the EPM services (i.e. Foundation, EAS)?
Obviously, the password is encrypted already, so I'm not sure that this really provides much of a real security benefit - except that I think that the Oracle password could be changed by updating the wallet without having to re-run the EPM configuration utility.
Any input gratefully received.  Thanks!

Nothing like wanting to add another layer of complexity to an already complex world. If security is the issue then SSL should be looked at, but the passwords will still be stored in the database.
I have never heard of it being done with EPM but would be interested to know if it is actually supported.
Cheers
John
http://john-goodwin.blogspot.com/
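
On the JDBC point raised in the question: this is how the Oracle JDBC thin driver is pointed at a wallet-based secure external password store. It is an added example, not code from either poster, and it says nothing about whether the EPM configuration utility supports this. The wallet directory, the TNS_ADMIN directory and the alias EPMREPO are assumed placeholders.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.Statement;
import java.util.Properties;
import java.util.Set;

import oracle.jdbc.pool.OracleDataSource;

public class WalletConnect {
    // Assumed placeholders: adjust to the local layout.
    private static final String WALLET_DIR = "/opt/app/wallet";   // holds cwallet.sso
    private static final String TNS_ADMIN  = "/opt/app/tnsadmin"; // holds tnsnames.ora
    private static final String ALIAS      = "EPMREPO";           // alias in tnsnames.ora and in the wallet

    // The wallet is assumed to have been built beforehand with Oracle's mkstore tool:
    //   mkstore -wrl /opt/app/wallet -create
    //   mkstore -wrl /opt/app/wallet -createCredential EPMREPO <db_user>

    /** The auto-login file opens without a password, so file permissions are its only protection. */
    static void checkWalletPermissions(Path sso) throws Exception {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(sso);
        for (PosixFilePermission p : perms) {
            if (p.name().startsWith("GROUP_") || p.name().startsWith("OTHERS_")) {
                throw new SecurityException(sso + " is accessible beyond its owner: " + perms);
            }
        }
    }

    static Connection connect() throws Exception {
        checkWalletPermissions(Paths.get(WALLET_DIR, "cwallet.sso"));

        // Lets the thin driver resolve the alias through tnsnames.ora.
        System.setProperty("oracle.net.tns_admin", TNS_ADMIN);

        // Tells the driver where to find the credential for that alias.
        Properties props = new Properties();
        props.setProperty("oracle.net.wallet_location",
                "(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=" + WALLET_DIR + ")))");

        OracleDataSource ods = new OracleDataSource();
        ods.setURL("jdbc:oracle:thin:/@" + ALIAS); // no user name or password in the URL
        ods.setConnectionProperties(props);
        return ods.getConnection();
    }

    public static void main(String[] args) throws Exception {
        try (Connection conn = connect();
             Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SELECT user FROM dual")) {
            rs.next();
            System.out.println("Connected as " + rs.getString(1));
        }
    }
}
```

oraclepki.jar has to be on the classpath next to the JDBC driver for the wallet lookup to work. Changing the database password then means updating the wallet entry rather than the application configuration.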

Similar Messages

  • Can I use Oracle Wallet to store generic passwords?

    I have an application that currently stores a uid and password in a configuration file. I would like to store the password in a wallet like Database credentials. Is there any way to get the password out of the wallet other than in a SQL PLUS script?
    Message was edited by:
    SteveA

    Hi SteveA,
    I am working on the same issue. Have you found any solution?

    I have an Oracle 10g (10.2) on Linux as a DB server.
    And an Apache Tomcat machine running web applications.
    Tomcat machine uses JDBC Thin driver to connect to DB server.

    I need to create a wallet with user/password information, enable auto-login wallet, and open the wallet from the Java code to extract the password information to make the connection.

    I've found this
    Opening Oracle's Wallet
    which explains how to use wallets to store certificates. I think that it is not suitable for storing passwords, but I am not sure.

    Can you give any information on how to extract the password information stored in the wallet from Java code?

    Thanks

  • Interconnect DB adapter Error when connecting to DB Using Oracle Wallet

    Hi all,
    I have installed multiple DB adapters on a unix m/c and when I am starting the DB adapter (name ex: B) I am getting the following error.
    When I hash (#) the passwd in adapter.ini without using oracle wallet my DB adapter gets connected; if the same is removed I am getting the following error.
    "java.sql.SQLException: invalid arguments in call"
    Oracle Wallet password has been set correctly and works fine with one of the DB adapters (name ex: A) and the same setting of A has been used in B.
    Would be glad if someone could help with a solution to track oracle wallet and database connectivity.
    Oailog.txt
    ~~~~~~~~~~
    Initializing the Bridge oracle.oai.agent.adapter.database.DBBridge..
    Initializing connection to the Repository...
    Connected to the Repository.
    B could not connect to the database
    regards
    yenyes

    The issue was solved. The workaround involved synchronising the security folders, the one below /interconnect and the one below /adapters.

  • Using Oracle Wallet for Java connection

    Hi,
    Can anyone tell me how to access the Oracle wallet from my Java application without using the thin or oci drivers?

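    No answer was found for this, we ended up using an OCI driver for the connection to the wallet. Code (in Java) was as follows for reference:
    import java.sql.Connection;
    import oracle.jdbc.pool.OracleDataSource;

    // Connects through the OCI driver; the URL "/@DATABASE" carries no user name or password, only the connect alias.
    private static Connection walletconn() throws Exception {
        String url = "jdbc:oracle:oci:/@DATABASE";
        OracleDataSource ods = new OracleDataSource();
        ods.setURL(url);
        Connection conn = ods.getConnection();
        return conn;
    }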

  • Handshake_failure using Oracle Wallet as keystore

    I am trying to use an Oracle Wallet as a keystore for my connection to a webservice over SSL. The proper certificates have been added to the truststore but when I call handshake() on the SSLSocket I get this error in my debug log:
    main, WRITE: TLSv1 Handshake, length = 32
    main, READ: TLSv1 Alert, length = 2
    main, RECV TLSv1 ALERT: fatal, handshake_failure
    Internet Explorer has successfully imported the certificate (ewallet.p12) and I can connect to the webservice through IE, FireFox is picky and generates an unknown error.
    I suspect something is going on with the wallet so I am now in the process of generating a new certificate using openSSL, but I'd still like to know if any of this sounds familiar to any of you....

    Update:
    After creating a certificate with openSSL I was successful in opening the connection to the webservice (with a test class, using SSLSocket and calling createSocket()). Unfortunately, my application would still not communicate with it. After a lot of testing and debugging I found out that in my standalone java class one single connection is created and maintained and used for the communication. In the embedded OC4J that comes with JDev 10.1.3.2 also one single (cached) connection is used, so that also works.
    In iAS 10.1.3.0 the created session (the one with the certificate) is not used when trying to communicate with the webservice. The log simply said (no cached session) and a new one was created, with system parameters that did not point to any certificate, and so the handshake_failure occurred again.
    After setting the system parameters of the OC4J to point to the keyStore to be used, I was able to communicate with the webserver.
    Could anyone tell me if this is a known bug and if so, has it been fixed in 10.1.3.1?
    FYI: the code I used was:
    1) HTTPConnection.setDefaultSSLFactory() to initialize the session with trustStore and keyStore
    2) SOAPConnectionFactory fc = SOAPConnectionFactory.newInstance();
    SOAPConnection conn = fc.createConnection();
    conn apparently does not use the HTTPConnection created in step 1. A new connection is made without certificates. This caused the error.

  • Issues with using utl_http with Oracle Wallet

    Hello Everyone,
    We are experimenting with Oracle wallet and utl_http and are attempting to do an https transfer and we are facing some problems. I will appreciate your help greatly if you can advise on what could be wrong. We are on db version 10.2.0.1 and Unix HP-UX. The intention is to ping an https url and get a simple 200 response. Future development would include get/post XML documents from that url and other interesting stuff. I understand that utl_http with Oracle wallet can be used for this purpose.
    The wallet has been created and the ewallet.p12 exists. We downloaded the SSL certificate from the url's website and uploaded into the wallet.
    Everything works if I put in a url with plain http. However, it does not work with an HTTP*S* url.
    With HTTPS when I run the below code I get the following error. Again, greatly appreciate your time and help because this is the first time we are using Oracle wallet manager and do not know where to go from here.
    ORA-29273: HTTP request failed
    ORA-06512: at "SYS.UTL_HTTP", line 1029
    ORA-29268: HTTP client error
    declare
      url       varchar2(225);
      req       utl_http.req;
      resp      utl_http.resp;
      my_proxy  BOOLEAN;
      name      varchar2(2000);
      value     varchar2(2000);
      V_proxy   VARCHAR2(2000);
      v_n_proxy varchar2(2000);
      v_msg     varchar2(100);
      v_len     PLS_INTEGER := 1000;
    BEGIN
      -- Turn off checking of status code.
      utl_http.set_response_error_check(FALSE);
      --Set proxy server
      utl_http.set_proxy('my-proxy');
      utl_http.set_wallet('file:<full Unix path to the wallet on DB server>','wallet998');
      req := utl_http.begin_request('https://service.ariba.com/service/transaction/cxml.asp');
      --Set proxy authentication
      utl_http.set_authentication(req, 'myproxyid', 'myproxypswd','Basic',TRUE); -- Use HTTP Basic
      resp := utl_http.get_response(req);
      FOR i IN 1..utl_http.get_header_count(resp) LOOP
        utl_http.get_header(resp, i, name, value);
        dbms_output.put_line(name || ': ' || value);
      END LOOP;
      utl_http.end_response(resp);
    exception
      when others then
        dbms_output.put_line(sqlerrm);
    END;

    I tried this using plsql ...
    declare
      SOAP_URL constant varchar2(1000) := 'http://125.21.166.27/cordys/com.eibus.web.soap.Gateway.wcp?organization=o=WIPRO,cn=cordys,o=itgi.co.in';
      request  UTL_HTTP.req;
    begin
      dbms_output.put_line('Begin Request');
      request := UTL_HTTP.begin_request(SOAP_URL,'POST',UTL_HTTP.HTTP_VERSION_1_1);
      dbms_output.put_line('After Request');
    exception
      when others then
        dbms_output.put_line('Error : '||sqlerrm);
    end;
    The output was ...
    Begin Request
    Error : ORA-29273: HTTP request failed
    ORA-06512: at "SYS.UTL_HTTP", line 1029
    ORA-12535: TNS:operation timed out
    It seems to be an issue with the webservice, please check if it's available & allowing requests.

  • Is it possible to use openssl csr for oracle Wallet Manager?

    Hi,
    I have used openssl to create csr instead of using oracle Wallet Manager. I need to use certificate for OAS. I have sent csr to RapidSSL.com and they sent me the certificate with a fee. Now I realize that it was a mistake and I should create the csr from Oracle Wallet Manager and send it to RapidSSL.com and import the user certificate to owm then no problem. My questions are the following:
    1- Can I use csr that generated from openssl to owm?
    2- Can I import certificate that purchased from RapidSSL.com to owm?
    3- What are the steps I have to follow?
    Thank you

    Here are the answers inline for your questions.
    1- Can I use csr that generated from openssl to owm?
    Yes
    2- Can I import certificate that purchased from RapidSSL.com to owm?
    Yes
    3- What are the steps I have to follow?
    Check this link for step by step instructions.
    http://download-west.oracle.com/docs/cd/B14099_19/core.1012/b13995/wallets.htm
    http://www.thesslstore.com
    http://www.rapidsslonline.com
    Edited by: 794364 on Sep 12, 2010 11:56 PM

  • Oracle Wallet and XE

    I believe this topic has been discussed quite a bit in the past on this forum. Essentially I would like to be able to utilize utl_http to access an external website using https. Doing research on this, I've come to find out that:
    a. You need to use Oracle Wallet Manager to import trusted certificates from these sites.
    b. Oracle Wallet Manager is part of Oracle Advanced Security Module
    c. Oracle Advanced Security Module is only applicable to Enterprise Edition Database.
    d. The 'owm' binary does not come packaged with Oracle XE.
    In my search, I also came across the following in the official Oracle Database Licensing Information document (http://download-west.oracle.com/docs/cd/B19306_01/license.102/b14199/editions.htm)
    Oracle Wallet
    Oracle Wallet is a password-protected container used to store authentication and signing credentials, including passwords, private keys, certificates, trusted certificates, and TDE master keys. Oracle Wallet Manager is an application that wallet owners can use to manage and edit the security credentials in their Oracle wallets. Oracle Wallets can be deployed on clients, middle tiers, and database servers free of charge. However, the following features that use an Oracle Wallet in turn require licensing of the Oracle Advanced Security Option: PKI credentials and transparent data encryption master keys. Oracle Advanced Security option is not required when configuring wallets to secure communication between the Oracle Database and Oracle Internet Directory.
    Based on this description, my intended use of Oracle Wallet would not require the Oracle Advanced Security option as I just want to store certificates of those sites I'm accessing via https.
    Does this mean that I could fire up owm on another database server, create the file and then use it in my XE application? Or does it mean that because I'm running XE and because owm did not come with the distribution, I have no right to utilize the functionality?
    Thanks in advance for any input.

    The T in TDE stands for transparent, so your application shouldn't need to even be aware that any columns or tablespaces are encrypted. TDE is generally implemented in systems that were never designed to encrypt the data, so in theory it should be "perfectly safe" to develop unencrypted and have the client encrypt the columns during installation.
    Of course, when marketing folks start talking about things that are "perfectly safe", that's always a sign of danger ahead. Even though I've never heard of a case where encrypting a column caused a problem for an application, I would be very dubious of doing development in an environment different than production. That includes the exact version of the database (I assume the client has installed the latest patchsets, so they're running 10.2.0.4, for example) as well as the edition. If you decide to rely on the fact that everything should go smoothly when you promote to a different version of a different edition of the database with a different schema definition, even though it normally should, you're pretty much guaranteeing that you will end up with a problem that will be a pain to resolve.
    In your case, I wouldn't use XE for development. It would be much safer to develop against the personal edition. That isn't free, but that is the enterprise edition of the database licensed to be run on developer machines. It isn't free, but it's way less than an enterprise edition license.
    Justin

  • ORACLE WALLET

    Hello ,
    I am an oracle dba, I want to know what is use of oracle wallet in production dbs.
    I have done some tests. I created one wallet and then created an encrypted tablespace. When wallet was closed, I can't create any table inside that encrypted tablespace.
    But then I was stuck in export and import certificate.
    So my question is -
    - What is practical use of oracle wallet in productions dbs apart from an encrypted tablespace ?
    - How can I export and import certificates for testing purpose?
    Thanks

    861012 wrote:
    So my question is -
    - What is practical use of oracle wallet in productions dbs apart from an encrypted tablespace ?
    You can also use Oracle wallets to create Secure External Password Stores. This allows you to store database credentials in an encrypted format. It's much more secure than say storing application passwords in clear text. It also provides an additional layer of separation of duties.
    - How can i export and import certificates for testing purpose?
    You can use the orapki utility.

  • Replace a new wallet for Oracle Wallet Manager

    Hi, all,
    Here is my current situation.
    We are using Oracle Wallet Manager (version 10.1.0.5) for Oracle 10.1.3.1 on Windows Server 2003. Currently our SSL certificate in the wallet is going to expire within a month. However, we forgot the password to the current wallet. So we have to create a new wallet and import the new certificates. The certificate shows Ready state. Then we moved the old wallet file to a different directory, and copied the new wallet file, ewallet.p12, to the default wallet location, C:\product\10.1.3.1\OracleAS_1\Apache\Apache\conf\ssl.wlt\default. We also rebooted the machine to make sure Apache will pick up the new wallet file. However, when we connected from a client browser, it still shows old certificate. I checked the ssl.conf, it still has the default value as follows:
    SSLWallet file:C:\product\10.1.3.1\OracleAS_1\Apache\Apache\conf\ssl.wlt\default
    The Auto Login and Use Windows Registry options are unchecked and there is no Oracle wallet entry in the Windows registry.
    Does anyone have a similar problem? Any advice is highly appreciated.
    Thank you very much in advance.

    Roberto,
    Thanks a lot for your response. I have one more question.
    Suppose the client browser has installed the old certificate which is still valid for another month, when the client browser hits the site again, as the old certificate is still valid, is it going to download the new certificate? If not, how do I remove the old certificate from browser, IE?
    Thanks.

  • Oracle wallet installation

    Hi All,
    Does Oracle Database Vault have to be installed to install Oracle wallet?
    Is Database Vault a prerequisite to use Oracle Wallet? Please help.

    No - Database Vault and Oracle Wallets are independent products.
    Oracle Wallet is used to store certificates (and can be used with Database Vault).
    Database Vault locks out the DBA from Tablespaces/Tables.
    cu
    Andreas

  • Oracle wallet(oraclepki.jar) is not working with WLS 10.3.1

    An external application is storing a password in oracle wallet, i.e. cwallet.sso and ewallet.p12 files, using OracleWallet technology (oraclepki.jar).
    I have a web application which uses this password stored in the wallet for internal use. This application works fine if we deploy it in OC4J, but if I install the same application in WLS 10.3.1 the application is not able to get the password from the wallet.
    Oracle wallet requires only the oraclepki.jar file and this jar file is bundled in the ear file.
    Can someone guide me so that we can use Oracle wallet with WLS?

    Hi
    For me no error is showing. But the whitespace is not getting removed. But this is working fine in Tomcat6.1.
    Any help is appreciated.
    regards
    jossy.

  • Oracle State Session Store throws an Unhandled Exception with Xml

    I wish to use the Oracle.Net Session Store to store a value to session. The value or object if you prefer is marked as serializable in order to be placed within the store.
    Unfortunately, when running the code I get an unhandled exception error being displayed to the screen. The code itself does not fail at any point in debug. The actual error message in full is "An unhandled exception occurred 'Type 'System.Xml.XmlDocument' in Assembley 'System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' is not marked as serializable"
    Now, we have xml fields in our classes, and we have tried all sorts things, but I would like to know whether there is a far simpler way of saving xml documents to session when using Oracle.Net Session Store. We have also tried saving sessions using the ASP.Net State Server and hit exactly the same error.
    Does anyone have any good ideas/solutions?

    Hi Muthuraja,
    The warning in error log is caused by the error you mentioned above. Based on my search, the error message can be caused by various reasons.
    To troubleshoot the issue, please refer to the following steps:
    Check the "Idle Time-out" option of the application pool, if its value is not zero, set it to a larger integer value such as 120.
    Check the "Virtual Memory Limit" option of the application tool, if its value is not zero, set it to 0 instead.
    Set the "Maximum Worker Processes" option of the application tool to 1.
    In the web.config of the Web Application, set the “cookieless” to “true” like below:
    <sessionState mode="InProc" cookieless="true" timeout="120"/>
    Modify the httpRuntime settings like below:
    <httpRuntime maxRequestLength="20000" executionTimeout="600"/>
    Reference:
    sessionState Element
    httpRuntime Element
    AspNetSessionExpiredException
    If you have any more questions, please feel free to ask.
    Thanks,
    Wendy Fu

  • SSIS and Oracle Wallet

    I am trying to connect SQL Server Integration Services to an Oracle database using Oracle Wallet. I have tested the wallet in both 32 and 64 bit modes on the machine and it works fine. I cannot get SSIS to connect though. I probably just need the syntax for an OleDB or .NET driver connection string but have not been able to find either on-line. Any help would be appreciated.
    Thanks,
    Brian.

    I have resolved the issue. For others that may run into this, here are the steps I took.
    1. Use the driver “.Net Providers\OracleClient Data Provider”
    2. Go to the “All” tab.
    3. Data Source=”DATA_SOURCE”
    4. Integrated Security=True
    5. Press “Test Connection” and it should succeed.

  • Some trusted certificate could not be installed , oracle wallet manager

    Hi there,
    I am using Oracle Wallet Manager 10.2.0.1
    Oracle DB 10.2
    When I try to import a certificate I have exported from the browser, I get such an error.
    That certificate is not something globally known, but it is for local communication.
    As I understood, when I specify to import a trusted certificate, that does not matter, does it?
    Please note that I have successfully imported another "known" certificate exported in the same way.
    What can be the reason for such an error?
    thanks in advance
    rgrds

    The problem was in the certificate itself.
    Regards.
