Connect to Oracle (Autonomous) Database using Secure External Password Store (SEPS)

Scripts, batch jobs, and application code need to provide a database username and password to connect to the database. Using wallets risk is reduced because such passwords are no longer exposed in plain text, and password management policies are more easily enforced without changing application code whenever user names or passwords change.

Connect using the connect /@TNS_ALIAS command instead of specifying a user name and password explicitly. This simplifies the maintenance of the scripts and secures the password management for the applications.

Preparation: we are using the following variable values as an example


Step 1:

A) For Autonomous Database: download Client Credentials (Wallet) using the console or OCI CLI command:

oci db autonomous-database generate-wallet --autonomous-database-id $ADB_OCID --file $WALLET_FILE --password $WALLET_PW --region $OCI_REGION
and unzip the wallet file:

B) for non Autonomous Database: create a wallet using the mkstore utility:

mkstore -wrl $WALLET_DIR -create

You will be prompted to choose a password (in this example MyWalletPW11__).

You can also choose to create a local auto login wallet. Local auto login wallets cannot be moved to another server. They must be used on the host on which they are created.

orapki wallet create -wallet $WALLET_DIR -pwd $WALLET_PW -auto_login_local

Step 2: change/add the WALLET_LOCATION in sqlnet.ora to the current directory where you unzipped/created the wallet and add SQLNET.WALLET_OVERRIDE = TRUE

Step 3: create a new TNS alias in tnsnames.ora

Step 4: add username and password to the wallet

USERPW=MyAdminPW22__ (this is the password of the database user ADMIN)
mkstore -wrl $WALLET_DIR -createCredential $TNS_ALIAS $USERNAME $USERPW

You will be prompted to enter the wallet password. This is the password you provided when downloading/creating the wallet (in this example MyWalletPW11__)

Step 5: check the credentials in the wallet file

mkstore -wrl $WALLET_DIR -listCredential

Step 6: connect to (autonomous) database without providing username and password

sqlplus /@$TNS_ALIAS

It works in the same way for data pump export and import utility:

expdp /@$TNS_ALIAS

Step 7: to modify or delete the credentials from the wallet file

mkstore -wrl $WALLET_DIR -modifyCredential $TNS_ALIAS $USERNAME $USERPW
mkstore -wrl $WALLET_DIR -deleteCredential $TNS_ALIAS

Step 8: to view the values of the connection string, username, and password

mkstore -wrl $WALLET_DIR -viewEntry
Enter wallet password: = ADBALIAS

mkstore -wrl $WALLET_DIR -viewEntry
Enter wallet password: = ADMIN

mkstore -wrl $WALLET_DIR -viewEntry
Enter wallet password: = MyAdminPW22__

Where to get mkstore and orapki utilities?

mkstore and orapki are part of the Oracle Database Client installation.


Storing the credentials in the wallet provides an easy way to connect to the database without providing a username and password in clear text. Anyway, for each database user we need to create a dedicated TNS alias.

Would you like to get notified when the next post is published?