Solved

Oracle Wallet

Posted on 2014-11-29
614 Views
Last Modified: 2016-10-05
Can you please assist/direct me to the best practices for implementing and then managing Oracle Wallet (11gR2)? I need to do this for the first time and am looking for some step-by-step guidance.

Thanks in advance.
Question by: mkhandba
7 Comments
 
Accepted Solution by: btan (LVL 64), earned 500 total points
ID: 40472224
For a start, you can check out this blog and FAQ to understand the key points of the wallet.
The use of a centralized LDAP-compliant directory to store wallets allows users to access them from multiple locations or devices, thus ensuring consistent and reliable user authentication while providing for centralized wallet management throughout the wallet life cycle.
Blog - http://www.dba-oracle.com/t_wallet_manager.htm
Oracle FAQ - http://www.oracle.com/technetwork/database/security/tde-faq-093689.html#A13016

The wallet is primarily there to safeguard the key for a deployment of Oracle TDE or PKI credentials. E.g. 'ewallet.p12' is the file which requires manual opening prior to DB startup or before TDE accesses the encrypted store. Note that besides that, there is another type, the auto-open wallet ('cwallet.sso'). As a whole, the wallet can be a local file, a shared repository or media, or even an external secure device commonly termed a hardware security module (HSM).

The typical crypto key lifecycle, from creation to operation to revocation to decommissioning, applies. This one is about TDE with RAC, which uses the wallet; take note of the recommendations stated there too in terms of wallet storage, especially for the shared-access-to-a-key use case:
https://docs.oracle.com/cd/B28359_01/rac.111/b28254/design.htm#CEGIHBCH

There is further reading on best practices in TDE; see the section on "TDE Wallet Management". Some worthy notes include:
It is highly recommended to always backup the wallet at the same time when backing up your database, but do not include the wallet on the same media as the database backup. Also, backup the wallet before any manipulation of its content, whether performing a master key re-key operation, or changing the wallet password.
http://www.oracle.com/technetwork/database/security/twp-transparent-data-encryption-bes-130696.pdf

Having said that, the wallet can be used at the client side for secure database password storage as well, meaning you create a wallet with Oracle Wallet Manager instead.
Note that creating an Oracle wallet for the secure external password store (and importing keys to access SSL sites) can be done using Oracle Standard Edition. It is only when using advanced features like TDE or PKI credentials that the Advanced Security Option and Enterprise Edition are required.
http://www.idevelopment.info/data/Oracle/DBA_tips/Security/SEC_15.shtml
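Added example, not from btan's answer or from Oracle: a small POSIX shell routine that applies the two wallet-handling rules in the answer above, i.e. the wallet files (ewallet.p12, and cwallet.sso if present) must be readable only by the database OS user, and a wallet backup must never land on the database backup media. The directory layout and the wallet content are assumptions for illustration; the file the usage creates is a constructed placeholder, not a real PKCS #12 wallet.

```shell
#!/bin/sh
# Added example with hypothetical paths; not btan's or Oracle's code.
# Rules implemented: the wallet is readable only by the database OS user,
# every backup copy is verified by checksum, and a backup is refused if its
# destination is the database (RMAN) backup location or anything under it,
# since whoever holds both the encrypted backup and the wallet holds the data.

_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }   # GNU stat, then BSD stat

_sha256() {   # hex digest of a file, with coreutils or perl/BSD shasum
  { command -v sha256sum >/dev/null 2>&1 && sha256sum "$1" || shasum -a 256 "$1"; } | cut -d' ' -f1
}

_is_under() {   # _is_under CHILD PARENT: true if CHILD is PARENT or inside it
  c=$(cd "$1" 2>/dev/null && pwd -P) || return 1
  p=$(cd "$2" 2>/dev/null && pwd -P) || return 1
  case "$c" in "$p"|"$p"/*) return 0 ;; *) return 1 ;; esac
}

# check_wallet_perms WALLET_DIR: 0 only if the directory and the wallet
# files carry no group/other permission bits (e.g. 700 and 600).
check_wallet_perms() {
  case "$(_mode "$1")" in *00) ;; *) return 1 ;; esac
  for f in "$1"/ewallet.p12 "$1"/cwallet.sso; do
    [ -e "$f" ] || continue
    case "$(_mode "$f")" in *00) ;; *) return 1 ;; esac
  done
  return 0
}

# backup_wallet WALLET_DIR BACKUP_DIR DB_BACKUP_DIR
# Copies ewallet.p12 to BACKUP_DIR with a timestamp and a .sha256 sidecar,
# prints the backup path, and returns 1 on any rule violation.
backup_wallet() {
  src=$1/ewallet.p12
  [ -f "$src" ] || { echo "no ewallet.p12 in $1" >&2; return 1; }
  check_wallet_perms "$1" \
    || { echo "$1: wallet readable by group/other, fix before backing up" >&2; return 1; }
  mkdir -p "$2" && chmod 700 "$2" || return 1
  if _is_under "$2" "$3"; then
    echo "refusing: $2 is on the database backup location $3" >&2; return 1
  fi
  dest="$2/ewallet.p12.$(date -u +%Y%m%dT%H%M%SZ)"
  cp -p "$src" "$dest" && chmod 600 "$dest" || return 1
  _sha256 "$dest" > "$dest.sha256"
  # Verify the copy against the original before trusting it as a backup.
  [ "$(_sha256 "$src")" = "$(cat "$dest.sha256")" ] \
    || { echo "checksum mismatch, discarding $dest" >&2; rm -f "$dest" "$dest.sha256"; return 1; }
  printf '%s\n' "$dest"
}

# Usage on a constructed (fake) wallet; the real ewallet.p12 would sit in
# the directory named by ENCRYPTION_WALLET_LOCATION in sqlnet.ora:
#   W=$(mktemp -d); mkdir "$W/wallet" "$W/rman" "$W/walletbak"; chmod 700 "$W/wallet"
#   printf 'placeholder' > "$W/wallet/ewallet.p12"; chmod 600 "$W/wallet/ewallet.p12"
#   backup_wallet "$W/wallet" "$W/walletbak" "$W/rman"
```

Run the backup function before a re-key or wallet password change, as the answer recommends, and keep the .sha256 sidecar with the copy so a restore can be checked before the wallet is put back in service.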
 

Author Comment by: mkhandba
ID: 40485538
Thanks btan, we are in the process of evaluating.

Please do share if you have anything else or anyone else can chip in too ... thanks.
 
Assisted Solution by: btan (LVL 64), earned 500 total points
ID: 40485956
The two useful guides below are good references to add in. Importantly, always include backup and recovery in case crypto keys are corrupted or the wallet is not accessible (forgotten password, file system corrupted, etc.). And do enforce a password policy, and leverage the provider's auditing and policy recommendations as a baseline to further enhance and align it with your business context.

Using the Oracle Wallet - https://docs.oracle.com/cd/B19306_01/network.102/b14268/asowalet.htm
- Good to check out "Creating a Wallet to Store Hardware Security Module Credentials" for higher assurance for your critical and sensitive internal DB services, which you likely enforce for super admin or privileged admin users

Secure External Password Store - https://docs.oracle.com/cd/B19306_01/network.102/b14266/cnctslsh.htm

    How Does the External Password Store Work?
    Configuring Clients to Use the External Password Store
    Managing External Password Store Credentials
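Added example, not from the thread or from Oracle's documentation: the client-side setup for the secure external password store that the second link above describes, as a shell script with a check for the configuration mistake that most often breaks it. The wallet directory, net alias and database user are hypothetical; the mkstore and sqlplus calls in setup_credential are the standard CLI forms, and the checks below do not invoke them.

```shell
#!/bin/sh
# Added example; hypothetical paths/names, not Oracle's own scripts.
# The external password store works off the auto-login wallet (cwallet.sso):
# the client reads the credential keyed by the net alias without a prompt,
# so sqlnet.ora must point at the wallet AND tell Oracle Net to use it for
# password lookup (SQLNET.WALLET_OVERRIDE = TRUE). Without the override the
# wallet is consulted for SSL only and "sqlplus /@alias" is treated as an
# OS-authenticated login, which is the usual silent misconfiguration.

render_sqlnet_ora() {   # render_sqlnet_ora WALLET_DIR: the two required directives
  cat <<EOF
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = $1)))
SQLNET.WALLET_OVERRIDE = TRUE
EOF
}

wallet_dir_from_sqlnet() {   # print the DIRECTORY value from a sqlnet.ora, or nothing
  sed -n 's/.*(DIRECTORY *= *\([^)]*\)).*/\1/p' "$1" | head -n 1
}

_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }   # GNU stat, then BSD stat

# check_external_store SQLNET_ORA
# 0 if the store is configured usably and safely; 1 with a reason otherwise.
check_external_store() {
  f=$1
  grep -Eqi '^[[:space:]]*WALLET_LOCATION' "$f" \
    || { echo "no WALLET_LOCATION in $f" >&2; return 1; }
  grep -Eqi '^[[:space:]]*SQLNET\.WALLET_OVERRIDE[[:space:]]*=[[:space:]]*TRUE' "$f" \
    || { echo "SQLNET.WALLET_OVERRIDE = TRUE missing: wallet will not be used for passwords" >&2; return 1; }
  dir=$(wallet_dir_from_sqlnet "$f")
  [ -n "$dir" ] && [ -d "$dir" ] \
    || { echo "wallet DIRECTORY missing or not a directory" >&2; return 1; }
  [ -f "$dir/cwallet.sso" ] \
    || { echo "no cwallet.sso in $dir: clients need the auto-login wallet" >&2; return 1; }
  # Anyone who can read cwallet.sso can log in as every user stored in it.
  case "$(_mode "$dir")" in *00) ;; *) echo "$dir is group/world accessible" >&2; return 1 ;; esac
  case "$(_mode "$dir/cwallet.sso")" in *00) ;; *) echo "cwallet.sso is group/world readable" >&2; return 1 ;; esac
  return 0
}

# setup_credential WALLET_DIR NET_ALIAS DB_USER  (interactive; not run by the checks)
setup_credential() {
  mkstore -wrl "$1" -create                       # prompts for a wallet password; writes ewallet.p12 and cwallet.sso
  mkstore -wrl "$1" -createCredential "$2" "$3"   # DB password omitted so mkstore prompts, keeping it out of shell history
  chmod 700 "$1" && chmod 600 "$1"/*
  mkstore -wrl "$1" -listCredential               # should show "$2 $3"; the alias must also exist in tnsnames.ora
  # Then connect without a password on the command line:  sqlplus "/@$2"
}

# Usage (hypothetical locations):
#   render_sqlnet_ora /u01/app/oracle/wallet > "$TNS_ADMIN/sqlnet.ora"
#   setup_credential /u01/app/oracle/wallet hr_db app_user
#   check_external_store "$TNS_ADMIN/sqlnet.ora"
```

The check deliberately fails closed on a wallet directory that is group or world accessible: the auto-login wallet needs no password, so its file permissions are the only thing standing between a local user and every credential it stores.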
 

Author Comment by: mkhandba
ID: 40486192
Thank you Sir :)
 

Expert Comment by: Dan O'Connell
ID: 41828920
Hi

Does the Oracle Wallet trusted certificate always have to be called ewallet.p12?

D.
 
Expert Comment by: btan (LVL 64)
ID: 41829003
That is the system default and you should not change it.

Notes:
You must copy the third-party PKCS #12 wallet file to a directory expected by Oracle Wallet Manager and change the name; the UNIX/NT wallet file name is ewallet.p12.
Since browsers typically do not export trusted certificates under PKCS #12 (other than the signer's own certificate), you may need to add trust points to authenticate the other party in the SSL connection. You can use Oracle Wallet Manager to do this.
https://docs.oracle.com/cd/B10501_01/network.920/a96573/asowalet.htm#1007719
 

Expert Comment by: Dan O'Connell
ID: 41829739
Thanks for that btan, that helps!