Oracle Secure External Password Store

Hi, Today I wanted to tell you what is the secure password store and how to use it. Before this article, you should look previously articles

Managing Online Redo Log Files



In this section, I will explain how to connect to the database without entering a user name and password.  The only thing to do is connect to the database with a connection name.


This connection name contains all the information necessary to connect to the database; it contains user code, password, and tns name.

The username and password are stored in a wallet because it is confidential information used to connect to the database.

This wallet is called Secure External Password Store.

Certificates are kept in the wallets, but Oracle can store the user codes and passwords of the databases with this hidden repository.

These pairs (username and password) are called the connection name.

Determines which database to connect to by matching the tns name on the client on which it is used.


Image result for oracle wallet

If you want to connect to the database from a Java code, you can install the necessary OCI drivers and connect to the database as follows,

Connection str = DriverManager.getConnection(“jdbc:oracle:oci:/@ConnectionName”);


Creating a Password Store

When creating the password store; first, the directory in which the password store will be created is determined, and this directory is put into sqlnet.ora with a certain syntax, so that the database can access the password store.

If a machine starts using the password store to access the database, it cannot use the connection to the database with the SSL protocol.

With the parameter SQLNET.WALLET_OVERRIDE = TRUE, the password store inside the wallet is used.

First let’s decide where to find the wallet directory or, if this directory already exists, we can use the existing directory.

find / -iname wallet


Definitions to be made in the sqlnet.ora file should be:






   (DIRECTORY = /u01/app/oracle/product/version/db_1/data/wallet)






Now we can create our password repository.

mkstore -wrl "/u01/app/oracle/product/version/db_1/data/wallet" -create

We create an Oracle wallet with the mkstore command.  During this process, a password is requested this is the password for the wallet we use as the password store.

We should never forget this password, if you forget it, there is no going back!

In the example, we will connect to the orclcdb database with the user1 connection name, we will access user1 user in the orclcdb database with this connection name.

If we did not use a password store, we would have to provide all the connection information as follows.

sqlplus userName/Password@Host:Port/ServiceName

When we use the password store,

sqlplus /@user1

First, we need to add the tns definitions in the tnsnames.ora file, which should be the same as the connection name.

user1 = 



       (ADDRESS = (PROTOCOL = TCP) (HOST = (PORT = 1521))



    (SERVICE_NAME = orclcdb)



We can add the information necessary to connect to the database into the password store.

mkstore -wrl "/u01/app/oracle/product/version/db_1/data/wallet" -createCredential user1 user1 welcome1

With Oracle Wallet Manager, we can open the password store and see the connection names we have created.

With Oracle Wallet Manager, we use the own command to access the password store.

From the Open menu, select the directory we originally specified and enter the wallet password.


Connecting to the Database with Password Store

sqlplus /@user1


Managing on Password Store

I have examined the options we can use in the mkstore command to manage the connection names in our password repository.

Use the -listCredential command to see definitions in the password store

mkstore -wrl "/u01/app/oracle/product/version/db_1/data/wallet" -listCredential

The -modifyCredential command is used to modify the definitions in the password store. Let’s change user1’s password in password store.

mkstore -wrl "/u01/app/oracle/product/version/db_1/data/wallet" -modifyCredential user1 user1

The -deleteCredential command is used to delete a record from the password store.

mkstore -wrl "/u01/app/oracle/product/version/db_1/data/wallet" -deleteCredential user1


Creating Password Store with Orapki Command

Using the Orapki command we can change the properties of the password store.  After using the Orapki command, operations can be performed on the password store with the mkstore command.

For example, we can create a wallet with no password by using the orapki command and add a password store with mkstore commands.

The wallet is protected only by the operating system.

orapki wallet create -wallet “/tmp/wallet” -auto_login_only

mkstore -wrl "/tmp/wallet" -createCredential user1 user1 welcome1

We have come to the end of this article, see you in the next article..

What is Index and Why Should We Use Index?




Do you want to learn Oracle Database for Beginners, then read the following articles.

About Deniz Parlak

Hi, i’m Security Data Scientist & Data Engineer at My Security Analytics. I have experienced Advance Python, Machine Learning and Big Data tools. Also i worked Oracle Database Administration, Migration and upgrade projects. For your questions [email protected]

Leave a Reply

Your email address will not be published. Required fields are marked *