Solved

Oracle Wallet

Posted on 2014-11-29
7
589 Views
Last Modified: 2016-10-05
Can you please assist/direct me to the best practices for implementing & then managing Oracle Wallet (11gR2), need to do this first time, looking for some step by step guidance.

Thanks in advance.
0
Comment
Question by:mkhandba
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 40472224
For a starter, you can check out this blog and FAQ to understand key points of the wallet.
The use of a centralized LDAP-compliant directory to store wallets allows users access them from multiple locations or devices, thus ensuring consistent and reliable user authentication while providing for centralized wallet management throughout the wallet life cycle.
Blog - http://www.dba-oracle.com/t_wallet_manager.htm
Oracle FAQ - http://www.oracle.com/technetwork/database/security/tde-faq-093689.html#A13016

The wallet is prime to safeguard the key for deployment of Oracle TDE or PKI Credentials. E.g.  'ewallet.p12' is the file which required manual opening prior to db startup or before TDE access the encrypted store. Note that besides that, there is another type such as auto-open wallet ('cwallet.sso'). As a whole, the wallet can be a local file or shared repository or media or even an external secure device commonly termed as hardware-security module (HSM).

The typical crypto key lifecycle from its creation to operation to revoking to decommissioning applies. This is about TDE RAC which uses wallet and take note of the recommendations stated too in term of wallet storage esp for shared access to a key use case
https://docs.oracle.com/cd/B28359_01/rac.111/b28254/design.htm#CEGIHBCH

There are further reading in best practices in TDE - see section on "TDE Wallet Management", and some worthy note include
It is highly recommended to always backup the wallet at the same time when backing up your database, but do not include the wallet on the same media as the database backup. Also, backup the wallet before any manipulation of its content, whether performing a master key re-key operation, or changing the wallet password.
http://www.oracle.com/technetwork/database/security/twp-transparent-data-encryption-bes-130696.pdf

Having said that the wallet can be used at the client side for secure database password storage as well. Meaning create a wallet with Oracle Wallet Manager instead.
Note that creating an Oracle wallet for the secure external password store (and importing keys to access SSL sites) can be done using Oracle Standard Edition. It is only when using the advanced features like TDE or PKI credentials that require the Advanced Security Option and Enterprise Edition.
http://www.idevelopment.info/data/Oracle/DBA_tips/Security/SEC_15.shtml
0
 

Author Comment

by:mkhandba
ID: 40485538
Thanks btan, we are in the process of evaluating.

Please do share if you have anything else or anyone else can chip in too ... thanks.
0
 
LVL 63

Assisted Solution

by:btan
btan earned 500 total points
ID: 40485956
the two useful guides are good references to add in. importantly always include backup and recovery in case crypto key are corrupted or wallet is not accessible (forget password, file system corrupted etc). And do enforce password policy and leverage on provider auditing and policy recommendation as baseline to further enhance and align it with your business context.

Using the Oracle Wallet - https://docs.oracle.com/cd/B19306_01/network.102/b14268/asowalet.htm
- Good to check out "Creating a Wallet to Store Hardware Security Module Credentials" for higher assurance for your critical and sensitive internal DB services which you likely enforced it on the super admin or privileged admin or users

Secure External Password Store - https://docs.oracle.com/cd/B19306_01/network.102/b14266/cnctslsh.htm

    How Does the External Password Store Work?
    Configuring Clients to Use the External Password Store
    Managing External Password Store Credentials
0
Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

 

Author Comment

by:mkhandba
ID: 40486192
Thank you Sir :)
0
 

Expert Comment

by:Dan O'Connell
ID: 41828920
Hi

Does the Oracle Wallet trusted certificate always have to be called ewallet.p12?

D.
0
 
LVL 63

Expert Comment

by:btan
ID: 41829003
That is the system default and you should not change it

Notes:
You must copy the third-party PKCS #12 wallet file name to a directory expected by Oracle Wallet Manager and change the name; the UNIX/NT wallet file name is ewallet.p12.
Since browsers typically do not export trusted certificates under PKCS #12 (other than the signer's own certificate), you may need to add trust points to authenticate the other party in the SSL connection. You can use Oracle Wallet Manager to do this.
https://docs.oracle.com/cd/B10501_01/network.920/a96573/asowalet.htm#1007719
0
 

Expert Comment

by:Dan O'Connell
ID: 41829739
Thanks for that btan, that helps!
0

Featured Post

Salesforce Has Never Been Easier

Improve and reinforce salesforce training & adoption using WalkMe's digital adoption platform. Start saving on costly employee training by creating fast intuitive Walk-Thrus for Salesforce. Claim your Free Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Checking the Alert Log in AWS RDS Oracle can be a pain through their user interface.  I made a script to download the Alert Log, look for errors, and email me the trace files.  In this article I'll describe what I did and share my script.
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
This video shows syntax for various backup options while discussing how the different basic backup types work.  It explains how to take full backups, incremental level 0 backups, incremental level 1 backups in both differential and cumulative mode a…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question