Scripting mkstore

I had the pleasure of loading a wallet (secure external password store) with around 180 credentials. Faced with a repeating task, I always try to automate things as much as possible, or at least to the level I deem sensible. In this case my urge not to waste an afternoon typing in the same stuff over and over was overwhelming.
Unfortunately, the “mkstore” utility does not have a command line switch to provide the wallet password. No problem, on Linux/Unix I would have just piped in the wallet password:

echo MyWallet-Password | mkstore -wrl /u01/app/oracle/etc/wallet/auth -createCredential DEV1.localdomain SYSTEM manager

On Windows, in batch scripts, piping does not work with “mkstore”. Here’s what I came up with (the “set /p” trick writes the password without a trailing newline):

echo | set /p="MyWallet-Password" > C:\Temp\walletpwd.txt

mkstore -wrl D:\app\oracle\etc\wallet\auth -createCredential DEV1.localdomain SYSTEM manager < C:\Temp\walletpwd.txt
...
...
...

Since we were generating new passwords for the service account on all databases, I used the Enterprise Manager repository to generate the “mkstore” calls:

select
     'mkstore -wrl "D:\app\oracle\etc\wallet\auth" -createCredential '
  || tgt.target_name
  || ' srvacc "'
  || gen_pwd
  || '" < C:\Temp\walletpwd.txt'
from sysman.mgmt_targets tgt
  join sysman.mgmt_target_properties tgsid on (tgsid.target_guid = tgt.target_guid)
where tgt.target_type = 'oracle_database'
and tgsid.property_name = 'SID'
order by tgsid.property_value
;

Now I could just copy & paste the query output into a command line window. DONE.

Please remember to delete the temporary file containing the wallet password:

del /F /S /Q C:\Temp\walletpwd.txt

Although it saved me a lot of typing, I’m not quite happy with the solution. The reason is that I temporarily write the wallet password to a file in plain text. I do not like that at all, and in some environments this might be considered a security breach, even if the file is only there for a couple of minutes.

If you come up with a solution that works without storing the wallet password in a file in order to redirect it to STDIN, I’d be happy to hear about it.
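One way to avoid the temporary file altogether is to let the calling program hand the wallet password to mkstore’s STDIN directly, which is what the “< C:\Temp\walletpwd.txt” redirection does, minus the file on disk. The following is an added example and not code from the original post; it assumes that mkstore accepts the wallet password on STDIN without a trailing newline (exactly what the post’s “set /p” file contained), that “mkstore” is on the PATH, and that the credential list has been exported from the Enterprise Manager query as CSV. The wallet directory, the target names and the passwords below are constructed placeholders.

```python
import csv
import getpass
import io
import subprocess
from typing import Callable, List, Sequence

# Assumed values (not from the original post): adjust to your environment.
WALLET_DIR = r"D:\app\oracle\etc\wallet\auth"
MKSTORE = "mkstore"  # resolved via PATH; use the full %ORACLE_HOME%\bin path if needed

# Constructed sample of the Enterprise Manager query output, reshaped as CSV
# with the columns target_name,username,password. All values are made up.
SAMPLE_CREDENTIALS = """target_name,username,password
DEV1.localdomain,srvacc,Gen-Pwd-1
DEV2.localdomain,srvacc,Gen-Pwd-2
"""


def parse_credentials(text: str) -> List[dict]:
    """Parse CSV rows (target_name, username, password) into dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def mkstore_args(wallet_dir: str, target: str, user: str, password: str,
                 mkstore: str = MKSTORE) -> List[str]:
    """Argument vector for the same call the post generates per database.
    Passing a list (no shell) means the generated password needs no quoting
    and cannot be mangled by cmd.exe special characters."""
    return [mkstore, "-wrl", wallet_dir, "-createCredential", target, user, password]


def feed_password(cmd: Sequence[str], wallet_password: str,
                  run: Callable = subprocess.run) -> subprocess.CompletedProcess:
    """Run cmd with the wallet password on STDIN. No file is written; no trailing
    newline is sent, matching the file produced by the post's set /p trick."""
    return run(list(cmd), input=wallet_password.encode(), capture_output=True, check=False)


def load_wallet(credentials: List[dict], wallet_password: str,
                wallet_dir: str = WALLET_DIR, run: Callable = subprocess.run) -> List[int]:
    """Add every credential to the wallet; return the mkstore exit code per row.
    'run' is injectable so the flow can be exercised without a real mkstore."""
    exit_codes = []
    for row in credentials:
        cmd = mkstore_args(wallet_dir, row["target_name"], row["username"], row["password"])
        result = feed_password(cmd, wallet_password, run)
        exit_codes.append(result.returncode)
        if result.returncode != 0:
            err = result.stderr.decode(errors="replace").strip()
            print(f"{row['target_name']}: mkstore failed ({result.returncode}): {err}")
    return exit_codes


if __name__ == "__main__":
    # getpass keeps the wallet password out of the script, the shell history and disk.
    wallet_pw = getpass.getpass("Wallet password: ")
    load_wallet(parse_credentials(SAMPLE_CREDENTIALS), wallet_pw)
```

The wallet password now lives only in the memory of this process and of mkstore. The credential passwords still appear on each mkstore command line, exactly as in the post’s generated calls, so the script should be run where process listings are not readable by other users.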

8 thoughts on “Scripting mkstore”

  1. Markus

    Hi,

    I also want to automate tasks around Oracle wallets. Especially I want to find a way to automate the creation of a wallet by mkstore. This doesn’t work the way you gave in your post by piping the password to the command because the tool asks to confirm the password by retyping.

    Any idea how to solve that issue?

    Thanks in advance,

    Markus

    1. son Post author

      Hi Markus,
      To create and manage the wallet itself I recommend using “orapki” tool. E.g.
      orapki wallet create -wallet … -pwd YourWalletPwd

      -pwd lets you pass the wallet password on the command line without further user interaction.

      Use mkstore only to manage wallet content (e.g. adding credentials).

      Hope that helps…

  2. Piotr

    You can create a wallet, or change an existing one, to auto-login enabled to avoid the need to enter the wallet password repeatedly, using the -createALO parameter of mkstore.
    After finishing maintenance (adding entries etc.) secure / convert it back again to SSO with -createSSO.

    1. son Post author

      Hi Piotr,

      Thanks for your input. I’ve tried “-createALO” and it in fact does not prompt for a password to insert entries. Unfortunately, I have not been able to “convert” it back to a .p12 file. Whatever I do I end up with an empty .p12.

      C:\Temp\wallet>mkstore -wrl . -createALO
      Oracle Secret Store Tool Release 19.0.0.0.0 – Production
      Version 19.4.0.0.0
      Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

      C:\Temp\wallet>dir
      Volume in drive C has no label.
      Volume Serial Number is 26C9-8907

      Directory of C:\Temp\wallet

      26.01.2020 13:57 <DIR> .
      26.01.2020 13:57 <DIR> ..
      26.01.2020 13:57 573 cwallet.sso
      26.01.2020 13:57 0 cwallet.sso.lck
      2 File(s) 573 bytes
      2 Dir(s) 113’365’159’936 bytes free

      C:\Temp\wallet>mkstore -wrl . -createCredential tns user pwd
      Oracle Secret Store Tool Release 19.0.0.0.0 – Production
      Version 19.4.0.0.0
      Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

      C:\Temp\wallet>

      Would you mind sharing how you do it?

      Thanks!

      1. Piotr

        Sorry, it was my mistake during testing. I think I just enabled SSO for old pkcs12 wallet already containing tested entry. Below shows what really happens (using same wallet pwd).
        It seems currently there is no possibility to convert auto-login only wallet (.sso) to password-protected one with regard to credential entries. I tried the pkcs12_to_jks / jks_to_pkcs12 approach, but looks like it does not carry that information (only certificates), and it doesn’t work at all in 19.x…
        So your solution is still most straightforward one.

        c:\tmp>mkstore -wrl . -create -nologo
        Enter password:
        Enter password again:

        c:\tmp>mkstore -wrl . -listCredential -nologo
        Enter wallet password:
        List credential (index: connect_string username)

        c:\tmp>mkstore -wrl . -createCredential tns1 user1 pwd1 -nologo
        Enter wallet password:
        Create credential oracle.security.client.connect_string1

        c:\tmp>mkstore -wrl . -listCredential -nologo
        Enter wallet password:
        List credential (index: connect_string username)
        1: tns1 user1

        c:\tmp>mkstore -wrl . -createALO -nologo

        c:\tmp>mkstore -wrl . -listCredential -nologo
        List credential (index: connect_string username)

        c:\tmp>mkstore -wrl . -createCredential tns2 user2 pwd2 -nologo
        Create credential oracle.security.client.connect_string1

        c:\tmp>mkstore -wrl . -listCredential -nologo
        List credential (index: connect_string username)
        1: tns2 user2

        c:\tmp>mkstore -wrl . -createSSO -nologo
        Enter wallet password:

        c:\tmp>mkstore -wrl . -listCredential -nologo
        Enter wallet password:
        List credential (index: connect_string username)
        1: tns1 user1

  3. Kit.net

    Thanks for the simple solution!
    Instead of creating the password in a temp file (or having it in the script at all) I store it in cleartext in a folder with guarded permissions. The file contains the same password on two separate lines, so it works just as well for the initial call for mkstore to create the wallet.

