Chapter 4. External Password Storage

Table of Contents

Oracle Wallet
Password store file

Depending on the type of store deployment, there are two ways passwords can be externally stored. For Enterprise Edition (EE) deployments, Oracle Wallet is used. For Community Edition (CE) deployments, a simple read protected clear-text password file is used.

In the most basic mode of operation, external passwords are used only by the server to track the keystore password. User passwords, which are stored securely within the database, can also be supplied during client authentication.

When a password store is used as a component of a login file, the alias that is used for either password store type should be the username to which the password applies. For example, for a user named root, the password should be stored under the alias root.

When a password store is used as part of the server, the alias keystore is used. The user password store should be a completely different file than the one in the security directory located under KVROOT.

Oracle Wallet

The following commands provide functionality to manipulate Oracle wallet stores within the securityconfig tool. These commands are available in EE only. For more information on the securityconfig tool, see Configuring Security with Securityconfig.

To create a new auto-login wallet, run the wallet create command:

wallet create 
-dir <wallet directory> 

Auto-login wallets store passwords in an obfuscated state. Access to the wallet is secured against reading by unauthorized users using the OS-level login.

To manipulate secrets (passwords), which are associated with a name (alias), run the wallet secret command:

wallet secret 
-dir <wallet directory> 
{-set | -delete} -alias <alias>

If the -set option is specified, the user is prompted for a new password for the specified alias and required to verify the new secret.

If the -delete option is specified, the secret is deleted from the store.

Special considerations should be taken if Oracle wallet is used to hold a user password and you are deploying your Oracle NoSQL Database. For more information, see Guidelines for Deploying Secure Applications.