1 Reply Latest reply on Feb 1, 2020 6:00 PM by Jeroen Graafmans

    One client needing multiple wallets and/or multiple SQLNET.ORA files - (Solved/workaround)

    John_in_Florida_5646

      This applies to CLIENT machines rather than Servers, and to two situations that can be related: perhaps you need more than one Wallet (more and more common nowadays), or perhaps you have some servers with conflicting settings to the others, so you need more than one SQLNET.ORA.

       

      The documentation on this is harder to come by than you'd think.  Most articles pertaining to multiple wallets are written from the Server perspective, not the client.   I spent more time on this than I care to admit.

       

      The answer (buried in the Database Security Guide; in my case 12.2, so here: https://docs.oracle.com/en/database/oracle/oracle-database/12.2/dbseg/database-security-guide.pdf, but yours may vary):

      • Oracle calls these "dynamic parameters" down in Appendix C of (in my case) the 12.2 Database Security Guide.  (Nowhere in the guide does it spend a moment to describe the concept of Dynamic Parameters, nor is there (that I can find) a definitive list of which parameters are supported as dynamic parameters; it just refers to them as if we all knew anyway.  The concept "dynamic parameters" also has a different meaning in other contexts.)
      • So where normally you'd have an SQLNET.ORA file with entries such as WALLET_LOCATION, SSL_VERSION, SSL_CLIENT_AUTHENTICATION, and others, you can also embed these within the TNSNAMES.ORA entry too, most of the time.
      • So, what you might have had in your SQLNET.ORA might be...
        WALLET_LOCATION =
           (SOURCE =
             (METHOD = FILE)
             (METHOD_DATA =
               (DIRECTORY = C:/Oracle/Wallet)
             )
            )
        SSL_VERSION = 1.2
        SSL_CLIENT_AUTHENTICATION = FALSE
        SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_GCM_SHA384)
      • The workaround/alternative when you need more than one Wallet and/or SQLNET.ORA is that you can (when possible) NOT put the commands in your SQLNET.ORA file (so it would be largely empty), but instead put them in your TNSNAMES.ORA file as "dynamic parameters":
        NameOfTNSEntry =
          (DESCRIPTION=
            (ADDRESS_LIST =
              (ADDRESS=(PROTOCOL=tcps)(HOST=xyz.somewhere.c0m)(PORT=12345678))
            )
          (CONNECT_DATA=(SERVICE_NAME=NameOfService))
          (SECURITY =
             (MY_WALLET_DIRECTORY = C:\Oracle_Wallets\Specific_Wallet_Folder)   
             (SSL_VERSION = 1.2)
             (SSL_CLIENT_AUTHENTICATION = FALSE)
          )
        )
        • In my particular case I needed the SSL_RSA_WITH_AES_GCM_SHA384 setting for SSL_CIPHER_SUITES, but that specific value wasn't available (per the documentation) as a dynamic parameter, so in my case, I had to keep a one-line SQLNET.ORA containing just that line.  Your situation/needs may vary.

       

      Technically, I suppose this answer can be labelled as being in plain sight, although it's more a case that it's hidden in plain sight.  I hope this helps someone out there.  I now can properly connect to two different remote/cloud databases that required different wallets.  Check the documentation for your version and needs, and if you're lucky, the parameters you need are available as dynamic parameters.
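
To check which aliases in a client's TNSNAMES.ORA carry their own wallet once the settings have been moved out of SQLNET.ORA as the post above describes, here is an added example (not part of the original post and not Oracle tooling): a small Python parser run over a constructed sample file. The alias names, hosts, ports and wallet paths are assumptions made up for illustration.

```python
import re

# Constructed sample tnsnames.ora: every alias, host, port and path is made up.
SAMPLE = r"""
CLOUD_A =
  (DESCRIPTION=
    (ADDRESS_LIST=(ADDRESS=(PROTOCOL=tcps)(HOST=a.example.com)(PORT=1522)))
    (CONNECT_DATA=(SERVICE_NAME=svc_a))
    (SECURITY=(MY_WALLET_DIRECTORY=C:\Oracle_Wallets\Cloud_A)(SSL_VERSION=1.2)))
CLOUD_B =
  (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcps)(HOST=b.example.com)(PORT=1522))
    (CONNECT_DATA=(SERVICE_NAME=svc_b))
    (SECURITY=(MY_WALLET_DIRECTORY=C:\Oracle_Wallets\Cloud_B)))
LEGACY =
  (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcps)(HOST=c.example.com)(PORT=2484))
    (CONNECT_DATA=(SERVICE_NAME=svc_c)))
"""

def split_entries(text):
    """Yield (alias, body) for each top-level entry, using balanced parentheses."""
    text = re.sub(r"(?m)^[ \t]*#.*$", "", text)            # drop comment lines
    pos = 0
    for m in re.finditer(r"(?m)^([\w.\-]+)\s*=\s*\(", text):
        if m.start() < pos:                                 # inside previous entry
            continue
        depth, start = 0, m.end() - 1
        for i in range(start, len(text)):
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            if depth == 0:
                break
        else:
            raise ValueError("unbalanced parentheses in " + m.group(1))
        pos = i + 1
        yield m.group(1), text[start:pos]

def param(body, name):
    """Return the value of a leaf (NAME = value) pair in body, or None."""
    m = re.search(r"\(\s*%s\s*=\s*([^()]*?)\s*\)" % re.escape(name), body, re.I)
    return m.group(1) if m else None

def audit(text):
    """Map alias -> (protocol, per-entry wallet or None, True if TCPS without one)."""
    report = {}
    for alias, body in split_entries(text):
        proto = (param(body, "PROTOCOL") or "").lower()
        wallet = param(body, "MY_WALLET_DIRECTORY")
        report[alias] = (proto, wallet, proto == "tcps" and wallet is None)
    return report
```

Call `audit()` on the text of a client's TNSNAMES.ORA; a `True` in the last field marks a TCPS alias that has no MY_WALLET_DIRECTORY of its own in the entry.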