Using wallets with dbca in Oracle 19c

One of the features I haven’t seen blogged about is the option to provide SYS and SYSTEM passwords (among other parameters) to dbca via a wallet. This is documented in chapter 2 of the Database Administration Guide 19c.

[oracle@server1 ~]$ dbca -silent -createDatabase -help
...
        [-useWalletForDBCredentials  Specify true to load database credentials from wallet]
            -dbCredentialsWalletLocation 
...

I was curious how to use this feature, as it provides slightly better security when deploying new databases via dbca: passwords passed as command-line arguments are visible to every local user in the process list and end up in the shell history, whereas a wallet keeps them out of both. It turned out not to be hard at all, and I decided to write up the steps in this short article.

Prepare the wallet

Before you can use a wallet together with dbca, it has to be available. So the first step is obvious: create the wallet. I'm using /home/oracle/wallet as the wallet location. The mkstore utility lives in $ORACLE_HOME/bin; this is a 19.7.0 installation by the way.

[oracle@server1 ~]$ which mkstore
/u01/app/oracle/product/19.0.0/dbhome_1/bin/mkstore

[oracle@server1 ~]$ mkstore -wrl ~/wallet -create
Oracle Secret Store Tool Release 20.0.0.0.0 - Production
Version 21.0.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter password:   
Enter password again:  
[oracle@server1 ~]$

Once the wallet is created, a few keys have to be added. These are documented in section 2.14.3 in the chapter I linked to before. Since I'm deliberately keeping things simple by not creating a Container Database or registering the database with directory services, all I need to populate are two keys:

  • oracle.dbsecurity.sysPassword: SYS user password
  • oracle.dbsecurity.systemPassword: SYSTEM user password

This works by invoking mkstore with the -createEntry flag, as shown in this example:

[oracle@server1 ~]$ mkstore -wrl ~/wallet -createEntry oracle.dbsecurity.sysPassword
Oracle Secret Store Tool Release 20.0.0.0.0 - Production
Version 21.0.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Your secret/Password is missing in the command line 
Enter your secret/Password:   
Re-enter your secret/Password:   
Enter wallet password:   
[oracle@server1 ~]$ 

[oracle@server1 ~]$ mkstore -wrl ~/wallet -createEntry oracle.dbsecurity.systemPassword
Oracle Secret Store Tool Release 20.0.0.0.0 - Production
Version 21.0.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Your secret/Password is missing in the command line 
Enter your secret/Password:   
Re-enter your secret/Password:   
Enter wallet password:   
[oracle@server1 ~]$  

I tend to check the wallet’s contents before invoking dbca just to make sure all the necessary keys are present:

[oracle@server1 ~]$ mkstore -wrl ~/wallet -list
Oracle Secret Store Tool Release 20.0.0.0.0 - Production
Version 21.0.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:   
Oracle Secret Store entries: 
oracle.dbsecurity.sysPassword
oracle.dbsecurity.systemPassword
[oracle@server1 ~]$  

That should be it! Bear in mind that the wallet files now hold the SYS and SYSTEM passwords, protected only by the wallet password, so keep the wallet directory readable by the oracle user alone. Remember to use strong passwords and follow any other security guidelines and industry best practices.
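Because the whole point of the wallet is to keep the passwords off the command line, it is worth scripting the two checks above (wallet permissions and required entries) as a pre-flight step before dbca runs. The following is an added example, not code from the original post or from Oracle: it assumes the wallet directory and the two entry names used above, reads a `mkstore -list` listing from stdin so it can be tested offline against a constructed sample, and only calls dbca from the usage comment, never on its own.

```shell
#!/bin/sh
# Pre-flight checks before running dbca with -useWalletForDBCredentials.
# Added example, not from the original post. Assumes the wallet directory
# layout and the two entry names shown above; the mkstore listing is read
# from stdin so the checks can be exercised with constructed sample output.

# Entries dbca needs for a plain non-CDB that is not registered with a directory.
REQUIRED_KEYS="oracle.dbsecurity.sysPassword oracle.dbsecurity.systemPassword"

# Print every name from $1 (space-separated) that does not appear as a whole
# line in the `mkstore -list` output read from stdin. Returns 1 if any is missing.
wallet_missing_keys() {
    required=$1
    listing=$(cat)
    missing=""
    for k in $required; do
        # -x: whole line, -F: literal match (the names contain dots)
        if ! printf '%s\n' "$listing" | grep -qxF -- "$k"; then
            missing="$missing $k"
        fi
    done
    [ -z "$missing" ] && return 0
    printf '%s\n' "${missing# }"
    return 1
}

# The wallet files hold the real passwords; refuse to continue if the
# directory is accessible by group or others (expect 0700-style permissions).
wallet_perms_ok() {
    dir=$1
    [ -d "$dir" ] || return 1
    # columns 5-10 of `ls -ld` output are the group and other rwx bits
    bits=$(ls -ld "$dir" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Run both checks: $1 is the wallet directory, stdin is the mkstore listing.
preflight() {
    wallet_perms_ok "$1" || { echo "wallet dir $1 must be mode 0700" >&2; return 1; }
    wallet_missing_keys "$REQUIRED_KEYS" || { echo "wallet entries missing" >&2; return 1; }
}

# Constructed sample of what `mkstore -wrl ~/wallet -list` prints (see above).
SAMPLE_LISTING='Oracle Secret Store Tool Release 20.0.0.0.0 - Production
Version 21.0.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Oracle Secret Store entries:
oracle.dbsecurity.sysPassword
oracle.dbsecurity.systemPassword'

# Usage on a real host (WALLET_DIR is an assumed variable name):
#   mkstore -wrl "$WALLET_DIR" -list > /tmp/listing.txt      # prompts for the wallet password
#   WALLET_DIR=~/wallet sh preflight.sh < /tmp/listing.txt && \
#     dbca -silent -createDatabase -gdbName WALLET -templateName martins_db.dbc \
#       -useWalletForDBCredentials true -dbCredentialsWalletLocation "$WALLET_DIR" ...
#   rm -f /tmp/listing.txt
if [ -n "${WALLET_DIR:-}" ]; then
    preflight "$WALLET_DIR" || exit 1
fi
```

The listing is captured in a separate step because mkstore prompts for the wallet password on the terminal; the entry names are not secrets, but the file is still best removed once the check has run.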

Create the database

The next and final step is to create the database. Instead of passing -sysPassword and -systemPassword on the command line, you provide the wallet. Here is the example from my lab (I use custom templates, and martins_db is one of them; don’t let that put you off):

[oracle@server1 ~]$ dbca -silent -createDatabase -gdbName WALLET -templateName martins_db.dbc \
> -useWalletForDBCredentials true -dbCredentialsWalletLocation ~/wallet \
> -datafileDestination /u02/oradata -useOMF true \
> -memoryMgmtType AUTO_SGA -createAsContainerDatabase false \
> -recoveryAreaDestination /u03/fast_recovery_area  \
> -totalMemory 4096 
Prepare for db operation
10% complete
Copying database files
40% complete
Creating and starting Oracle instance
42% complete
46% complete
...
70% complete
Executing Post Configuration Actions
100% complete
Database creation complete. For details check the logfiles at:
 /u01/app/oracle/cfgtoollogs/dbca/WALLET.
Database Information:
Global Database Name:WALLET
System Identifier(SID):WALLET
Look at the log file "/u01/app/oracle/cfgtoollogs/dbca/WALLET/WALLET.log" for further details.
[oracle@server1 ~]$  

Voila! I have a new working database, WALLET, and I didn't specify a single password on the command line. To me that's a step in the right direction. Yet this isn't where it stops: you can use the -useWalletForDBCredentials flag with many other dbca sub-commands, too!

Happy automating