Scope

  • Usually a user name and password are specified when connecting to a database.

  • Such configurations are considered insecure because the passwords are stored in clear text in external files or in job parameters.
  • The Oracle Wallet® provides a means to connect to a database without specifying user and password.

Oracle Wallet

Documentation

The Oracle Wallet® configuration is described in the Oracle documentation:

Using Oracle Wallet® for JobScheduler Master and JOC Cockpit

Delimitation

Note that before JobScheduler release 1.13.9 you cannot use Oracle Wallet® when installing JobScheduler Master and JOC Cockpit; you can use it at run-time.

  • For installation, a user/password has to be used.
  • Apply the changes below to the respective hibernate files after installation.
  • Future releases will improve this behavior. However, the current behavior suits a situation where you want to use different DBMS accounts with different privileges for installation and at run-time.

Usage

JobScheduler Master and JOC Cockpit connect to the Oracle database without specifying a database account and password; instead, the run-time account of the component is used.

  • Update the hibernate files for Master and JOC Cockpit:
    • Master
      • $SCHEDULER_DATA/config/hibernate.cfg.xml
      • $SCHEDULER_DATA/config/reporting.hibernate.cfg.xml
    • JOC Cockpit
      • $JETTY_BASE/resources/joc/jobscheduler.hibernate.cfg.xml
      • $JETTY_BASE/resources/joc/reporting.hibernate.cfg.xml
    • The hibernate configuration should look like this:
      • <?xml version="1.0" encoding="UTF-8" standalone="no"?>
        <hibernate-configuration>
        <session-factory>
        <property name="hibernate.connection.driver_class">oracle.jdbc.driver.OracleDriver</property>
        <property name="hibernate.connection.password"></property>
        <property name="hibernate.connection.url">jdbc:oracle:thin:/@jobscheduler</property>
        <property name="hibernate.connection.username"></property>
        <property name="hibernate.dialect">org.hibernate.dialect.Oracle10gDialect</property>
        <property name="hibernate.show_sql">false</property>
        <property name="hibernate.connection.autocommit">false</property>
        <property name="hibernate.format_sql">true</property>
        <property name="hibernate.temp.use_jdbc_metadata_defaults">false</property>
        </session-factory>
        </hibernate-configuration>
    • Note that empty elements are used for the account and password. Do not delete the respective elements from the hibernate configuration file.
    • The above example specifies the URL jdbc:oracle:thin:/@jobscheduler, which indicates that the database alias name jobscheduler is configured in your tnsnames.ora file.
    • Alternatively, the database connect string can be specified directly in the URL like this:
      • jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=minos.sos)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=jobscheduler)))
      • The above connect string specifies the database host minos.sos listening on port 1521 running a database jobscheduler.
      • When using the above URL syntax, no tnsnames.ora file is used.
  • Configure the location of the Oracle Wallet® with a Java define like this:
    -Doracle.net.wallet_location=/home/jobscheduler/wallet. This setting should point to the directory where the wallet files of the JobScheduler's run-time account are stored.
    • For JobScheduler Master
      • specify the Java define with the environment variable JAVA_OPTIONS before running the installer, e.g.
        JAVA_OPTIONS="-Doracle.net.wallet_location=/home/jobscheduler/wallet"
      • alternatively activate/modify the options setting in the [java] section of the ./config/factory.ini file like this:
        [java]
        options = ... -Doracle.net.wallet_location=/home/jobscheduler/wallet
    • For JOC Cockpit
      • specify the Java define with the jettyOptions setting of the installer response file joc_install.xml like this:
        <entry key="jettyOptions" value="-Doracle.net.wallet_location=/home/jobscheduler/wallet"/>
      • alternatively create/modify the /etc/default/joc file to include the JAVA_OPTIONS environment variable like this:
        JAVA_OPTIONS="-Doracle.net.wallet_location=/home/jobscheduler/wallet"

Prerequisites

  • No Oracle Client installation is used; however, you might need an Oracle Client to set up and configure the Oracle Wallet®.
    • Typical commands to create a wallet include:
      • # create wallet in a directory that is accessible to the JobScheduler run-time account assumed to be "jobscheduler"
        mkstore -wrl /home/jobscheduler/wallet -create
        # add credentials to wallet; specify entry key, database account and password
        mkstore -wrl /home/jobscheduler/wallet/ -createCredential jobscheduler some_account some_password
    • Note that the mkstore command might add the location of the wallet to your sqlnet.ora configuration file.
      • This file is used, for example, by SQL*Plus and therefore allows you to execute sqlplus /@jobscheduler by specifying the entry key for tnsnames.ora and sqlnet.ora.
      • This file is not considered when using the Oracle JDBC Driver; therefore the above Java define -Doracle.net.wallet_location has to be used.
  • JobScheduler makes use of the Oracle JDBC Driver:
    • Check the Oracle JDBC Driver version that ships with the JobScheduler release, see Which Database Management Systems are supported by JobScheduler? A newer Oracle JDBC Driver might be available for download as the Open Source JobScheduler might not be bundled with the latest Oracle JDBC Driver.
    • Oracle JDBC Drivers that ship for release 18c of the DBMS are reported to work. Earlier JDBC Driver releases, e.g. 12c, are reported not to work with Oracle Wallet® when used by JobScheduler.
  • The following Oracle Java libraries are required and should match the version of the Oracle JDBC Driver.
    • The .jar files are available from an Oracle Client installation and are offered by Oracle for download:
      • $ORACLE_HOME/jlib/oraclepki.jar
      • $ORACLE_HOME/jlib/osdt_cert.jar
      • $ORACLE_HOME/jlib/osdt_core.jar
    • Store the libraries in the ./lib/user_lib directory of your JobScheduler Master and JOC Cockpit installation path respectively.
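
The following check is an added example, not part of the JobScheduler documentation or product. It audits a hibernate file against the rules given under Usage (account and password elements present but empty, no account in the URL) and inspects the wallet directory created under Prerequisites. The file name cwallet.sso and the owner-only permission check are assumptions added here.

```python
import os
import stat
import xml.etree.ElementTree as ET

PREFIX = "jdbc:oracle:thin:"

def audit_hibernate(xml_text):
    """Return findings for one hibernate configuration; an empty list means wallet-ready."""
    props = {p.get("name"): (p.text or "").strip()
             for p in ET.fromstring(xml_text).iter("property")}
    findings = []
    for key in ("hibernate.connection.username", "hibernate.connection.password"):
        if key not in props:
            findings.append(f"{key}: element missing, keep it present but empty")
        elif props[key]:
            findings.append(f"{key}: clear-text value present")
    url = props.get("hibernate.connection.url", "")
    head, at, _ = url[len(PREFIX):].partition("@")
    if not url.startswith(PREFIX) or not at:
        findings.append("hibernate.connection.url: not an Oracle thin connect URL")
    elif head not in ("", "/"):
        findings.append("hibernate.connection.url: account or password embedded before '@'")
    return findings

def audit_wallet(wallet_dir):
    """Return findings for the directory named by -Doracle.net.wallet_location."""
    if not os.path.isdir(wallet_dir):
        return [f"{wallet_dir}: not a directory"]
    findings = []
    # Assumption: mkstore wrote the auto-login wallet file cwallet.sso.
    if not os.path.isfile(os.path.join(wallet_dir, "cwallet.sso")):
        findings.append("cwallet.sso: not found in wallet directory")
    # Added hardening check: only the run-time account should have access.
    for name in [""] + sorted(os.listdir(wallet_dir)):
        path = os.path.join(wallet_dir, name)
        if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append(f"{path}: accessible to group or others")
    return findings

# Constructed sample: a password left behind after switching to the wallet URL.
SAMPLE = """<hibernate-configuration><session-factory>
<property name="hibernate.connection.password">some_password</property>
<property name="hibernate.connection.url">jdbc:oracle:thin:/@jobscheduler</property>
<property name="hibernate.connection.username"></property>
</session-factory></hibernate-configuration>"""

if __name__ == "__main__":
    for finding in audit_hibernate(SAMPLE) + audit_wallet("/home/jobscheduler/wallet"):
        print(finding)
```

Run it as the JobScheduler run-time account against each of the four hibernate files listed under Usage, passing the file content to audit_hibernate.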

Using Oracle Wallet® for Jobs

See How to make JITL Jobs connect to an Oracle database using Wallet®

