Oracle Wallet

Posted on 2014-11-29
Last Modified: 2016-10-05
Can you please assist/direct me to the best practices for implementing and then managing Oracle Wallet (11gR2)? I need to do this for the first time and am looking for some step-by-step guidance.

Thanks in advance.
Question by:mkhandba
7 Comments

Accepted Solution

by: btan (earned 500 total points)
ID: 40472224
For a starter, you can check out this blog and FAQ to understand the key points of the wallet.
The use of a centralized LDAP-compliant directory to store wallets allows users to access them from multiple locations or devices, thus ensuring consistent and reliable user authentication while providing for centralized wallet management throughout the wallet life cycle.
Blog - http://www.dba-oracle.com/t_wallet_manager.htm
Oracle FAQ - http://www.oracle.com/technetwork/database/security/tde-faq-093689.html#A13016

The wallet's prime purpose is to safeguard the key for deployment of Oracle TDE or PKI credentials. E.g. 'ewallet.p12' is the file which requires manual opening prior to DB startup or before TDE accesses the encrypted store. Note that besides that, there is another type, the auto-open wallet ('cwallet.sso'). As a whole, the wallet can be a local file, a shared repository or media, or even an external secure device commonly termed a hardware security module (HSM).

The typical crypto key lifecycle from creation to operation to revocation to decommissioning applies. This link is about TDE on RAC, which uses the wallet; take note of the recommendations stated there too in terms of wallet storage, especially for the shared-access-to-a-key use case:
https://docs.oracle.com/cd/B28359_01/rac.111/b28254/design.htm#CEGIHBCH

There is further reading on best practices in TDE (see the section on "TDE Wallet Management"); some worthy notes include:
It is highly recommended to always backup the wallet at the same time when backing up your database, but do not include the wallet on the same media as the database backup. Also, backup the wallet before any manipulation of its content, whether performing a master key re-key operation, or changing the wallet password.
http://www.oracle.com/technetwork/database/security/twp-transparent-data-encryption-bes-130696.pdf

Having said that, the wallet can be used on the client side for secure database password storage as well, meaning you create a wallet with Oracle Wallet Manager instead.
Note that creating an Oracle wallet for the secure external password store (and importing keys to access SSL sites) can be done using Oracle Standard Edition. It is only when using the advanced features like TDE or PKI credentials that the Advanced Security Option and Enterprise Edition are required.
http://www.idevelopment.info/data/Oracle/DBA_tips/Security/SEC_15.shtml
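The backup recommendation quoted in the answer above (wallet backed up to media separate from the database backup, and again before any master key re-key or wallet password change) as a runnable script. This is an added example, not code from the thread or from Oracle: the directory paths are assumptions, the file names ewallet.p12 and cwallet.sso are the ones the answer names, and the placeholder wallet the last function creates for offline testing is random bytes, not a real PKCS #12 wallet.

```shell
#!/bin/sh
# Added example, not from the original thread or from Oracle.
# Back up an Oracle wallet directory to a SEPARATE location, record SHA-256
# checksums, and verify a backup before trusting it (e.g. before a re-key).
# Paths are assumptions; ewallet.p12 / cwallet.sso are the standard names.

# Print the SHA-256 of a file (coreutils or BSD/macOS).
_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# backup_wallet WALLET_DIR BACKUP_ROOT [LABEL]
# Copies ewallet.p12 (and cwallet.sso if the wallet is auto-login) into
# BACKUP_ROOT/<timestamp>-<label>/ with mode 600, writes a MANIFEST of
# "sha256  name" lines, and prints the backup directory. Returns 1 on error.
backup_wallet() {
    wallet_dir=$1; backup_root=$2; label=${3:-wallet}
    [ -f "$wallet_dir/ewallet.p12" ] || { echo "no ewallet.p12 in $wallet_dir" >&2; return 1; }
    dest="$backup_root/$(date +%Y%m%d%H%M%S)-$label"
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    : > "$dest/MANIFEST"
    for f in ewallet.p12 cwallet.sso; do
        [ -f "$wallet_dir/$f" ] || continue   # cwallet.sso only exists for auto-login wallets
        cp "$wallet_dir/$f" "$dest/$f" && chmod 600 "$dest/$f" || return 1
        printf '%s  %s\n' "$(_sha256 "$dest/$f")" "$f" >> "$dest/MANIFEST"
    done
    echo "$dest"
}

# verify_wallet_backup BACKUP_DIR
# Recomputes every checksum listed in MANIFEST; returns 0 only if all match.
verify_wallet_backup() {
    dir=$1; status=0
    [ -f "$dir/MANIFEST" ] || { echo "no MANIFEST in $dir" >&2; return 1; }
    while read -r want name; do
        [ -n "$name" ] || continue
        have=$(_sha256 "$dir/$name" 2>/dev/null || true)
        if [ "$have" != "$want" ]; then
            echo "checksum mismatch or missing file: $name" >&2
            status=1
        fi
    done < "$dir/MANIFEST"
    return $status
}

# make_placeholder_wallet DIR
# CONSTRUCTED stand-in for offline testing: random bytes, not a real wallet.
make_placeholder_wallet() {
    mkdir -p "$1" && chmod 700 "$1" || return 1
    head -c 256 /dev/urandom > "$1/ewallet.p12"
    head -c 128 /dev/urandom > "$1/cwallet.sso"
    chmod 600 "$1/ewallet.p12" "$1/cwallet.sso"
}

# Typical use before a master key re-key (paths are assumptions):
#   b=$(backup_wallet /u01/app/oracle/admin/ORCL/wallet /backup/wallets pre-rekey)
#   verify_wallet_backup "$b" && echo "backup $b verified"
```

The manifest is what makes the backup worth keeping: a wallet that was corrupted on disk before it was copied, or truncated in transit, will fail verification, which is the point at which you still have the old master key and can re-take the copy. Keep BACKUP_ROOT on a volume that is not part of the RMAN backup set, as the quoted guidance says.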
Author Comment

by:mkhandba
ID: 40485538
Thanks btan, we are in the process of evaluating.

Please do share if you have anything else or anyone else can chip in too ... thanks.

Assisted Solution

by: btan (earned 500 total points)
ID: 40485956
The two useful guides are good references to add in. Importantly, always include backup and recovery in case crypto keys are corrupted or the wallet is not accessible (forgotten password, file system corrupted, etc.). And do enforce a password policy and leverage the provider's auditing and policy recommendations as a baseline to further enhance and align it with your business context.

Using the Oracle Wallet - https://docs.oracle.com/cd/B19306_01/network.102/b14268/asowalet.htm
- Good to check out "Creating a Wallet to Store Hardware Security Module Credentials" for higher assurance for your critical and sensitive internal DB services, which you likely enforce for super admin or privileged admin users.

Secure External Password Store - https://docs.oracle.com/cd/B19306_01/network.102/b14266/cnctslsh.htm

- How Does the External Password Store Work?
- Configuring Clients to Use the External Password Store
- Managing External Password Store Credentials
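The client-side secure external password store setup the answer above points to, as an added example that is not part of the original thread or Oracle's own code. It writes the two sqlnet.ora settings a client needs to pick credentials up from the wallet, checks an existing sqlnet.ora for the common mistake of setting WALLET_LOCATION without SQLNET.WALLET_OVERRIDE, and checks that the wallet files are not group- or world-readable (they hold the database password for anyone who can read them). Paths, the ORCL_APP alias and the appuser account are assumptions; the mkstore commands in the comments are Oracle's documented tool and are not executed by the script.

```shell
#!/bin/sh
# Added example, not from the original thread or from Oracle.
# Client-side secure external password store: sqlnet.ora generation, a
# configuration check, and a permission check on the wallet directory.
# Paths are assumptions; WALLET_LOCATION and SQLNET.WALLET_OVERRIDE are the
# documented Oracle Net parameter names.

# write_seps_sqlnet TNS_ADMIN_DIR WALLET_DIR
# Writes TNS_ADMIN_DIR/sqlnet.ora. WALLET_OVERRIDE = TRUE makes "sqlplus /@alias"
# take the credential from the wallet instead of attempting OS authentication.
write_seps_sqlnet() {
    tns_admin=$1; wallet_dir=$2
    mkdir -p "$tns_admin" || return 1
    cat > "$tns_admin/sqlnet.ora" <<EOF
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = $wallet_dir)
    )
  )
SQLNET.WALLET_OVERRIDE = TRUE
EOF
}

# check_seps_sqlnet TNS_ADMIN_DIR
# Returns 0 only if sqlnet.ora names a wallet directory AND sets
# SQLNET.WALLET_OVERRIDE = TRUE. A WALLET_LOCATION without the override is the
# weak form: the wallet is present but never used for passwords.
check_seps_sqlnet() {
    f="$1/sqlnet.ora"
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    if ! grep -q 'WALLET_LOCATION' "$f" || ! grep -q 'DIRECTORY' "$f"; then
        echo "no WALLET_LOCATION/DIRECTORY in $f" >&2; return 1
    fi
    if ! grep -Eiq '^[[:space:]]*SQLNET\.WALLET_OVERRIDE[[:space:]]*=[[:space:]]*TRUE' "$f"; then
        echo "SQLNET.WALLET_OVERRIDE is not TRUE in $f" >&2; return 1
    fi
    return 0
}

# check_wallet_perms WALLET_DIR
# Rejects any group/other permission bit on the directory or wallet files.
# Reads the mode string from ls -ld (columns 5-10 are group+other), which is
# portable across GNU and BSD stat variants.
check_wallet_perms() {
    rc=0
    for p in "$1" "$1/ewallet.p12" "$1/cwallet.sso"; do
        [ -e "$p" ] || continue
        bits=$(ls -ld "$p" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "too permissive: $p (group/other bits: $bits)" >&2
            rc=1
        fi
    done
    return $rc
}

# Populating the store is done with Oracle's mkstore (not run here; the alias,
# user and path are assumptions). -create makes an auto-login wallet, so
# ewallet.p12 and cwallet.sso both appear in the directory:
#   mkstore -wrl /u01/app/oracle/wallet -create
#   mkstore -wrl /u01/app/oracle/wallet -createCredential ORCL_APP appuser '<password>'
#   mkstore -wrl /u01/app/oracle/wallet -listCredential
#   sqlplus /@ORCL_APP     # password comes from the wallet, never from a script
```

Run check_wallet_perms from the same OS account that will open the wallet, and run check_seps_sqlnet against the TNS_ADMIN directory that account actually uses; a correct sqlnet.ora in $ORACLE_HOME/network/admin does nothing if TNS_ADMIN points elsewhere.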

Author Comment

by:mkhandba
ID: 40486192
Thank you Sir :)
Expert Comment

by:Dan O'Connell
ID: 41828920
Hi

Does the Oracle Wallet trusted certificate always have to be called ewallet.p12?

D.

Expert Comment

by:btan
ID: 41829003
That is the system default and you should not change it.

Notes:
You must copy the third-party PKCS #12 wallet file name to a directory expected by Oracle Wallet Manager and change the name; the UNIX/NT wallet file name is ewallet.p12.
Since browsers typically do not export trusted certificates under PKCS #12 (other than the signer's own certificate), you may need to add trust points to authenticate the other party in the SSL connection. You can use Oracle Wallet Manager to do this.
https://docs.oracle.com/cd/B10501_01/network.920/a96573/asowalet.htm#1007719
Expert Comment

by:Dan O'Connell
ID: 41829739
Thanks for that btan, that helps!