Solved

Oracle Wallet

Posted on 2014-11-29
7
521 Views
Last Modified: 2016-10-05
Can you please assist/direct me to the best practices for implementing & then managing Oracle Wallet (11gR2), need to do this first time, looking for some step by step guidance.

Thanks in advance.
0
Comment
Question by:mkhandba
  • 3
  • 2
  • 2
7 Comments
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
Comment Utility
For a starter, you can check out this blog and FAQ to understand key points of the wallet.
The use of a centralized LDAP-compliant directory to store wallets allows users access them from multiple locations or devices, thus ensuring consistent and reliable user authentication while providing for centralized wallet management throughout the wallet life cycle.
Blog - http://www.dba-oracle.com/t_wallet_manager.htm
Oracle FAQ - http://www.oracle.com/technetwork/database/security/tde-faq-093689.html#A13016

The wallet is prime to safeguard the key for deployment of Oracle TDE or PKI Credentials. E.g.  'ewallet.p12' is the file which required manual opening prior to db startup or before TDE access the encrypted store. Note that besides that, there is another type such as auto-open wallet ('cwallet.sso'). As a whole, the wallet can be a local file or shared repository or media or even an external secure device commonly termed as hardware-security module (HSM).

The typical crypto key lifecycle from its creation to operation to revoking to decommissioning applies. This is about TDE RAC which uses wallet and take note of the recommendations stated too in term of wallet storage esp for shared access to a key use case
https://docs.oracle.com/cd/B28359_01/rac.111/b28254/design.htm#CEGIHBCH

There are further reading in best practices in TDE - see section on "TDE Wallet Management", and some worthy note include
It is highly recommended to always backup the wallet at the same time when backing up your database, but do not include the wallet on the same media as the database backup. Also, backup the wallet before any manipulation of its content, whether performing a master key re-key operation, or changing the wallet password.
http://www.oracle.com/technetwork/database/security/twp-transparent-data-encryption-bes-130696.pdf

Having said that the wallet can be used at the client side for secure database password storage as well. Meaning create a wallet with Oracle Wallet Manager instead.
Note that creating an Oracle wallet for the secure external password store (and importing keys to access SSL sites) can be done using Oracle Standard Edition. It is only when using the advanced features like TDE or PKI credentials that require the Advanced Security Option and Enterprise Edition.
http://www.idevelopment.info/data/Oracle/DBA_tips/Security/SEC_15.shtml
0
 

Author Comment

by:mkhandba
Comment Utility
Thanks btan, we are in the process of evaluating.

Please do share if you have anything else or anyone else can chip in too ... thanks.
0
 
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
Comment Utility
the two useful guides are good references to add in. importantly always include backup and recovery in case crypto key are corrupted or wallet is not accessible (forget password, file system corrupted etc). And do enforce password policy and leverage on provider auditing and policy recommendation as baseline to further enhance and align it with your business context.

Using the Oracle Wallet - https://docs.oracle.com/cd/B19306_01/network.102/b14268/asowalet.htm
- Good to check out "Creating a Wallet to Store Hardware Security Module Credentials" for higher assurance for your critical and sensitive internal DB services which you likely enforced it on the super admin or privileged admin or users

Secure External Password Store - https://docs.oracle.com/cd/B19306_01/network.102/b14266/cnctslsh.htm

    How Does the External Password Store Work?
    Configuring Clients to Use the External Password Store
    Managing External Password Store Credentials
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 

Author Comment

by:mkhandba
Comment Utility
Thank you Sir :)
0
 

Expert Comment

by:Dan O'Connell
Comment Utility
Hi

Does the Oracle Wallet trusted certificate always have to be called ewallet.p12?

D.
0
 
LVL 61

Expert Comment

by:btan
Comment Utility
That is the system default and you should not change it

Notes:
You must copy the third-party PKCS #12 wallet file name to a directory expected by Oracle Wallet Manager and change the name; the UNIX/NT wallet file name is ewallet.p12.
Since browsers typically do not export trusted certificates under PKCS #12 (other than the signer's own certificate), you may need to add trust points to authenticate the other party in the SSL connection. You can use Oracle Wallet Manager to do this.
https://docs.oracle.com/cd/B10501_01/network.920/a96573/asowalet.htm#1007719
0
 

Expert Comment

by:Dan O'Connell
Comment Utility
Thanks for that btan, that helps!
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
This video shows, step by step, how to configure Oracle Heterogeneous Services via the Generic Gateway Agent in order to make a connection from an Oracle session and access a remote SQL Server database table.
This video shows how to copy an entire tablespace from one database to another database using Transportable Tablespace functionality.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now