One client needing multiple wallets and/or multiple SQLNET.ORA files - (Solved/workaround)

John_in_Florida_5646 Member Posts: 4 Green Ribbon
edited Feb 1, 2020 1:00PM in Database Security - General

This applies to CLIENT machines rather than servers, and to two situations that can be related: perhaps you need more than one wallet (more and more common nowadays), or perhaps you have some servers with settings that conflict with the others, so you need more than one SQLNET.ORA.

The documentation on this is harder to come by than you'd think. Most articles pertaining to multiple wallets are written from the server perspective, not the client. I spent more time on this than I care to admit.

The answer (buried in the Database Security Guide; in my case 12.2, so here: https://docs.oracle.com/en/database/oracle/oracle-database/12.2/dbseg/database-security-guide.pdf, but yours may vary):

  • Oracle calls these "dynamic parameters" down in Appendix C of (in my case) the 12.2 Database Security Guide. (Nowhere in the guide does it spend a moment to describe the concept of dynamic parameters, nor is there (that I can find) a definitive list of which parameters are supported as dynamic parameters; it just refers to them as if we all knew anyway. The term "dynamic parameters" also has a different meaning in other contexts.)
  • So where normally you'd have an SQLNET.ORA file with entries such as WALLET_LOCATION, SSL_VERSION, SSL_CLIENT_AUTHENTICATION, and others, you can also embed these within the TNSNAMES.ORA entry, most of the time.
  • So, what you might have had in your SQLNET.ORA might be:
    WALLET_LOCATION =
      (SOURCE =
        (METHOD = FILE)
        (METHOD_DATA =
          (DIRECTORY = C:/Oracle/Wallet)
        )
      )
    SSL_VERSION = 1.2
    SSL_CLIENT_AUTHENTICATION = FALSE
    SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_GCM_SHA384)
  • The workaround/alternative when you need more than one wallet and/or SQLNET.ORA is that you can (when possible) NOT put the settings in your SQLNET.ORA file (so it would be largely empty), but instead put them in your TNSNAMES.ORA file as "dynamic parameters":
    NameOfTNSEntry =
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS=(PROTOCOL=tcps)(HOST=xyz.somewhere.c0m)(PORT=12345678))
        )
        (CONNECT_DATA=(SERVICE_NAME=NameOfService))
        (SECURITY =
          (MY_WALLET_DIRECTORY = C:\Oracle_Wallets\Specific_Wallet_Folder)
          (SSL_VERSION = 1.2)
          (SSL_CLIENT_AUTHENTICATION = FALSE)
        )
      )
    • In my particular case I needed the SSL_RSA_WITH_AES_GCM_SHA384 setting for SSL_CIPHER_SUITES, but that specific parameter wasn't available (per the documentation) as a dynamic parameter, so I had to keep a one-line SQLNET.ORA containing just that line. Your situation/needs may vary.

Technically, I suppose this answer can be labelled as being in plain sight, although it's more a case that it's hidden in plain sight. I hope this helps someone out there. I can now properly connect to two different remote/cloud databases that required different wallets. Check the documentation for your version and needs, and if you're lucky, the parameters you need are available as dynamic parameters.

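A check a client administrator might run after moving wallet settings into TNSNAMES.ORA as described in the post above. This is an added example, not part of the original post or Oracle's tooling: it parses a tnsnames file and reports, for each TCPS alias, whether it carries its own MY_WALLET_DIRECTORY or still depends on the shared SQLNET.ORA. The alias names, hosts, ports and paths in the sample are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: two TCPS aliases, only the first has a per-alias wallet.
SAMPLE = r"""
CLOUD_A =
  (DESCRIPTION=
    (ADDRESS_LIST=(ADDRESS=(PROTOCOL=tcps)(HOST=db-a.example.com)(PORT=2484)))
    (CONNECT_DATA=(SERVICE_NAME=svc_a))
    (SECURITY=
      (MY_WALLET_DIRECTORY = C:\Oracle_Wallets\Cloud_A)
      (SSL_VERSION = 1.2)
      (SSL_CLIENT_AUTHENTICATION = FALSE)))
CLOUD_B =
  (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcps)(HOST=db-b.example.com)(PORT=2484))
    (CONNECT_DATA=(SERVICE_NAME=svc_b)))
"""

def split_aliases(text):
    """Return {ALIAS: body}, where body is the balanced (...) block after 'alias ='."""
    text = re.sub(r"#.*", "", text)                # strip comments to end of line
    head = re.compile(r"\s*([\w.-]+)\s*=\s*(?=\()")
    aliases, pos = {}, 0
    while (m := head.match(text, pos)):
        depth = 0
        for end in range(m.end(), len(text)):      # walk to the matching ')'
            depth += (text[end] == "(") - (text[end] == ")")
            if depth == 0:
                break
        else:
            raise ValueError(f"unbalanced parentheses in {m.group(1)}")
        aliases[m.group(1).upper()] = text[m.end():end + 1]
        pos = end + 1
    return aliases

def values(body, name):
    """All leaf values of (NAME = value) inside one alias body."""
    pat = rf"\(\s*{re.escape(name)}\s*=\s*([^()]*)\)"
    return [v.strip() for v in re.findall(pat, body, re.I)]

def audit(text):
    """Report wallet and SSL settings for every alias with a TCPS address."""
    report = {}
    for alias, body in split_aliases(text).items():
        if "tcps" not in [p.lower() for p in values(body, "PROTOCOL")]:
            continue
        wallet = (values(body, "MY_WALLET_DIRECTORY") or [None])[0]
        version = (values(body, "SSL_VERSION") or [None])[0]
        report[alias] = {"wallet": wallet, "ssl_version": version,
                         "uses_sqlnet_wallet": wallet is None}
    return report

if __name__ == "__main__":
    for alias, info in audit(SAMPLE).items():
        print(alias, info)
```

Any alias reported with `uses_sqlnet_wallet` set to true will use whatever wallet the shared SQLNET.ORA points at, which is the situation the post's workaround is meant to avoid when two databases need different wallets.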