Solved

Oracle Wallet

Posted on 2014-11-29
Medium Priority
677 Views
Last Modified: 2016-10-05
Can you please assist/direct me to the best practices for implementing and then managing Oracle Wallet (11gR2)? I need to do this for the first time and am looking for some step-by-step guidance.

Thanks in advance.
Question by:mkhandba
7 Comments
 
LVL 64

Accepted Solution

by:
btan earned 2000 total points
ID: 40472224
For a starter, you can check out this blog and FAQ to understand the key points of the wallet.
The use of a centralized LDAP-compliant directory to store wallets allows users to access them from multiple locations or devices, thus ensuring consistent and reliable user authentication while providing for centralized wallet management throughout the wallet life cycle.
Blog - http://www.dba-oracle.com/t_wallet_manager.htm
Oracle FAQ - http://www.oracle.com/technetwork/database/security/tde-faq-093689.html#A13016

The wallet is primarily there to safeguard the key for deployment of Oracle TDE or PKI credentials. E.g. 'ewallet.p12' is the file which requires manual opening prior to DB startup or before TDE accesses the encrypted store. Note that besides that, there is another type, the auto-open wallet ('cwallet.sso'). As a whole, the wallet can be a local file, a shared repository or media, or even an external secure device commonly termed a hardware security module (HSM).

The typical crypto key lifecycle from creation to operation to revocation to decommissioning applies. This is about TDE on RAC, which uses the wallet; take note of the recommendations stated there too in terms of wallet storage, especially for a shared-access-to-a-key use case:
https://docs.oracle.com/cd/B28359_01/rac.111/b28254/design.htm#CEGIHBCH

There is further reading on best practices in TDE - see the section on "TDE Wallet Management"; some worthy notes include:
It is highly recommended to always back up the wallet at the same time as backing up your database, but do not include the wallet on the same media as the database backup. Also, back up the wallet before any manipulation of its content, whether performing a master key re-key operation or changing the wallet password.
http://www.oracle.com/technetwork/database/security/twp-transparent-data-encryption-bes-130696.pdf

Having said that, the wallet can be used at the client side for secure database password storage as well, meaning you create a wallet with Oracle Wallet Manager instead.
Note that creating an Oracle wallet for the secure external password store (and importing keys to access SSL sites) can be done using Oracle Standard Edition. It is only the advanced features like TDE or PKI credentials that require the Advanced Security Option and Enterprise Edition.
http://www.idevelopment.info/data/Oracle/DBA_tips/Security/SEC_15.shtml
0
 

Author Comment

by:mkhandba
ID: 40485538
Thanks btan, we are in the process of evaluating.

Please do share if you have anything else or anyone else can chip in too ... thanks.
0
 
LVL 64

Assisted Solution

by:btan
btan earned 2000 total points
ID: 40485956
The two useful guides are good references to add in. Importantly, always include backup and recovery in case crypto keys are corrupted or the wallet is not accessible (forgotten password, file system corrupted, etc.). And do enforce a password policy and leverage the provider's auditing and policy recommendations as a baseline to further enhance and align it with your business context.

Using the Oracle Wallet - https://docs.oracle.com/cd/B19306_01/network.102/b14268/asowalet.htm
- Good to check out "Creating a Wallet to Store Hardware Security Module Credentials" for higher assurance for your critical and sensitive internal DB services, which you likely enforce for the super admin or privileged admin or users

Secure External Password Store - https://docs.oracle.com/cd/B19306_01/network.102/b14266/cnctslsh.htm

    How Does the External Password Store Work?
    Configuring Clients to Use the External Password Store
    Managing External Password Store Credentials
0
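The two answers above stress backing up the wallet before any re-key or password change, and keeping that backup off the database backup media. The following is an added example (a hypothetical helper, not code from the thread or from Oracle) that snapshots the wallet files with those two rules enforced; it assumes Oracle's default file names ewallet.p12 and cwallet.sso and takes the wallet, backup and database-backup directories as arguments.

```shell
#!/bin/sh
# Hypothetical helper, not from the thread or from Oracle: snapshot the TDE
# wallet files to a separate location before a master-key re-key or a wallet
# password change. Assumed file names are Oracle's defaults: ewallet.p12
# (password-protected wallet) and cwallet.sso (auto-login wallet).

# SHA-256 of a file, used to verify each copy before trusting the backup.
wallet_sum() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# backup_wallet WALLET_DIR BACKUP_ROOT DB_BACKUP_DIR
# Copies ewallet.p12 (and cwallet.sso if present) into a fresh timestamped
# directory under BACKUP_ROOT. Refuses if BACKUP_ROOT lies inside the database
# backup tree (the wallet must not share media with the database backup),
# verifies every copy by checksum and restricts permissions to the owner.
# Prints the backup directory on success; returns 1 on any failure.
backup_wallet() {
    wdir=$1; broot=$2; dbbackup=$3
    [ -f "$wdir/ewallet.p12" ] || { echo "no ewallet.p12 in $wdir" >&2; return 1; }
    mkdir -p "$broot" || return 1
    broot_abs=$(cd "$broot" && pwd)
    if [ -d "$dbbackup" ]; then
        db_abs=$(cd "$dbbackup" && pwd)
        case "$broot_abs/" in
            "$db_abs/"*) echo "refusing: $broot is inside the database backup location $dbbackup" >&2; return 1 ;;
        esac
    fi
    dest="$broot_abs/wallet-$(date +%Y%m%d%H%M%S)-$$"
    mkdir "$dest" || return 1          # never silently overwrite an older snapshot
    chmod 700 "$dest"
    for f in ewallet.p12 cwallet.sso; do
        [ -f "$wdir/$f" ] || continue  # the auto-login wallet is optional
        cp -p "$wdir/$f" "$dest/$f" || return 1
        chmod 600 "$dest/$f"
        [ "$(wallet_sum "$wdir/$f")" = "$(wallet_sum "$dest/$f")" ] \
            || { echo "checksum mismatch for $f" >&2; return 1; }
    done
    echo "$dest"
}
```

Run it immediately before ALTER SYSTEM SET ENCRYPTION KEY or a wallet password change, and keep the printed directory with the rest of your key-management records.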
 

Author Comment

by:mkhandba
ID: 40486192
Thank you Sir :)
0
 

Expert Comment

by:Dan O'Connell
ID: 41828920
Hi

Does the Oracle Wallet trusted certificate always have to be called ewallet.p12?

D.
0
 
LVL 64

Expert Comment

by:btan
ID: 41829003
That is the system default and you should not change it.

Notes:
You must copy the third-party PKCS #12 wallet file name to a directory expected by Oracle Wallet Manager and change the name; the UNIX/NT wallet file name is ewallet.p12.
Since browsers typically do not export trusted certificates under PKCS #12 (other than the signer's own certificate), you may need to add trust points to authenticate the other party in the SSL connection. You can use Oracle Wallet Manager to do this.
https://docs.oracle.com/cd/B10501_01/network.920/a96573/asowalet.htm#1007719
0
 

Expert Comment

by:Dan O'Connell
ID: 41829739
Thanks for that btan, that helps!
0