One of the features I haven’t seen blogged about is the option to provide SYS and SYSTEM passwords (among other parameters) to dbca via a wallet. This is documented in chapter 2 of the Database Administration Guide 19c.
[oracle@server1 ~]$ dbca -silent -createDatabase -help
...
    [-useWalletForDBCredentials  Specify true to load database credentials from wallet]
        -dbCredentialsWalletLocation ...
I was curious how to use this feature as it might provide slightly better security when deploying new databases via dbca. It turned out it wasn’t too hard in the end, and I decided to briefly put my efforts into this short article.
Prepare the wallet
Before you can use a wallet together with dbca, it has to be available. So the first step is obvious: create the wallet. I’m using /home/oracle/wallet as the wallet location. The mkstore utility lives in $ORACLE_HOME/bin; this is a 19.7.0 installation by the way.
[oracle@server1 ~]$ which mkstore
/u01/app/oracle/product/19.0.0/dbhome_1/bin/mkstore
[oracle@server1 ~]$ mkstore -wrl ~/wallet -create
Oracle Secret Store Tool Release 20.0.0.0.0 - Production
Version 21.0.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter password:
Enter password again:
[oracle@server1 ~]$
Once the wallet is created, a few keys have to be added. These are documented in section 2.14.3 in the chapter I linked to before. Since I’m deliberately keeping things simple by not creating a Container Database or registering the database with directory services, all I need to populate are:
- oracle.dbsecurity.sysPassword: SYS user password
- oracle.dbsecurity.systemPassword: SYSTEM user password
This works by invoking mkstore with the -createEntry flag, as shown in this example:
[oracle@server1 ~]$ mkstore -wrl ~/wallet -createEntry oracle.dbsecurity.sysPassword
Oracle Secret Store Tool Release 20.0.0.0.0 - Production
Version 21.0.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Your secret/Password is missing in the command line
Enter your secret/Password:
Re-enter your secret/Password:
Enter wallet password:
[oracle@server1 ~]$
[oracle@server1 ~]$ mkstore -wrl ~/wallet -createEntry oracle.dbsecurity.systemPassword
Oracle Secret Store Tool Release 20.0.0.0.0 - Production
Version 21.0.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Your secret/Password is missing in the command line
Enter your secret/Password:
Re-enter your secret/Password:
Enter wallet password:
[oracle@server1 ~]$
I tend to check the wallet’s contents before invoking dbca just to make sure all the necessary keys are present:
[oracle@server1 ~]$ mkstore -wrl ~/wallet -list
Oracle Secret Store Tool Release 20.0.0.0.0 - Production
Version 21.0.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Oracle Secret Store entries:
oracle.dbsecurity.sysPassword
oracle.dbsecurity.systemPassword
[oracle@server1 ~]$
That should be it! Remember to use strong passwords and follow any other security guidelines and industry best practices.
Create the database
The next and final step is to create the database. Instead of passing -sysPassword and -systemPassword on the command line, you provide the wallet. Here is the example from my lab (I use custom templates, and martins_db is one of them; don’t let that put you off):
[oracle@server1 ~]$ dbca -silent -createDatabase -gdbName WALLET -templateName martins_db.dbc \
> -useWalletForDBCredentials true -dbCredentialsWalletLocation ~/wallet \
> -datafileDestination /u02/oradata -useOMF true \
> -memoryMgmtType AUTO_SGA -createAsContainerDatabase false \
> -recoveryAreaDestination /u03/fast_recovery_area \
> -totalMemory 4096
Prepare for db operation
10% complete
Copying database files
40% complete
Creating and starting Oracle instance
42% complete
46% complete
...
70% complete
Executing Post Configuration Actions
100% complete
Database creation complete. For details check the logfiles at:
 /u01/app/oracle/cfgtoollogs/dbca/WALLET.
Database Information:
Global Database Name:WALLET
System Identifier(SID):WALLET
Look at the log file "/u01/app/oracle/cfgtoollogs/dbca/WALLET/WALLET.log" for further details.
[oracle@server1 ~]$
Voila! I have a new working database, WALLET, and I didn’t specify a single password on the command line. To me that’s a step in the right direction. Yet this isn’t where it stops: you can use the -useWalletForDBCredentials flag with many other dbca sub-commands!
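A small pre-flight script I would run before the dbca call above, added here as an example and not part of the original post: it checks that the wallet directory is not readable by other OS users and that every credential key dbca needs is present in the `mkstore -list` output, so a half-populated wallet fails fast instead of dbca. The required key list, the directory layout and the sample listings are assumptions based on the setup shown in this post.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for a dbca
# credential wallet. Run it before dbca -useWalletForDBCredentials true.

# Keys the post populates for a non-CDB database without directory services.
REQUIRED_KEYS="oracle.dbsecurity.sysPassword oracle.dbsecurity.systemPassword"

# wallet_missing_keys LISTING
# LISTING is the text printed by `mkstore -wrl <dir> -list`. Prints the required
# keys that are absent (space separated) and returns 0 only when none are missing.
wallet_missing_keys() {
    missing=""
    for key in $REQUIRED_KEYS; do
        # grep -x: the whole line must equal the key, so a key that merely
        # starts with the same prefix is not mistaken for the required entry.
        printf '%s\n' "$1" | grep -qx "$key" || missing="$missing $key"
    done
    missing="${missing# }"
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# wallet_private DIR: returns 0 if DIR grants no group/other permission bits
# (mode looks like drwx------), i.e. only the owning OS user can read the wallet.
wallet_private() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# preflight DIR: both checks against a real wallet. mkstore prompts for the
# wallet password itself, so no secret appears on the command line.
preflight() {
    wallet_private "$1" || { echo "wallet $1 is readable by other users" >&2; return 1; }
    listing=$(mkstore -wrl "$1" -list) || return 1
    missing=$(wallet_missing_keys "$listing") || { echo "missing keys: $missing" >&2; return 1; }
}

# Constructed sample listings, mimicking the entries section of mkstore -list.
SAMPLE_OK="Oracle Secret Store entries:
oracle.dbsecurity.sysPassword
oracle.dbsecurity.systemPassword"
SAMPLE_INCOMPLETE="Oracle Secret Store entries:
oracle.dbsecurity.sysPassword"
```

Call `preflight ~/wallet && dbca ...` so dbca only starts when the wallet passes both checks.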
Happy automating