Gluent Data Platform Oracle Wallet Authentication

Introduction

By default, the user names and passwords that Gluent Data Platform components use to authenticate to Oracle Database instances are stored in clear text in offload.env. They can be encrypted using Password Tool, or kept out of offload.env completely by using Oracle Wallet, which is enabled by setting USE_ORACLE_WALLET to true.

Note

Setting USE_ORACLE_WALLET to true automatically sets OFFLOAD_TRANSPORT_AUTH_USING_ORACLE_WALLET to true.

In a split installation, with Gluent Query Engine running on the Oracle Database server and Gluent Offload Engine commands executed from a separate server, the Oracle Wallet must be created and configured on both servers.

Create Oracle Wallet

On the Oracle Database server create the Oracle Wallet and add the Gluent Data Platform credential:

$ . $OFFLOAD_HOME/conf/offload.env
$ mkdir -p $OFFLOAD_HOME/../gluent_wallet
$ orapki wallet create -wallet $OFFLOAD_HOME/../gluent_wallet -auto_login -pwd <password>
$ mkstore -wrl "$OFFLOAD_HOME/../gluent_wallet" -createCredential "$ORA_CONN" "$ORA_APP_USER" <ora_app_pass>

Enter wallet password: <password>
Create credential oracle.security.client.connect_string1

$ orapki wallet display -wallet $OFFLOAD_HOME/../gluent_wallet -pwd <password>

...
Oracle Secret Store entries:
oracle.security.client.connect_string1
oracle.security.client.password1
oracle.security.client.username1
...

The value for <password> should be replaced with a chosen password to protect the Oracle Wallet.

The value for <ora_app_pass> should be replaced with the unencrypted value of ORA_APP_PASS.

The Oracle Wallet needs to be propagated to all Oracle RAC servers on which Gluent Data Platform is installed.

Add tnsnames.ora Entry

As Oracle Wallet relies on a distinct connection string for each entry, a tnsnames.ora entry is generally required in order to create an Oracle Wallet entry for ORA_ADM_USER.

Update offload.env, setting ORA_ADM_CONN to the relevant tnsnames.ora entry.

Add Admin Credential

Add a credential to the Oracle Wallet for ORA_ADM_USER:

$ mkstore -wrl "$OFFLOAD_HOME/../gluent_wallet" -createCredential "$ORA_ADM_CONN" "$ORA_ADM_USER" <ora_adm_pass>

Enter wallet password: <password>
Create credential oracle.security.client.connect_string1

Configure Oracle Wallet Location

Add the following to the sqlnet.ora file in $ORACLE_HOME/network/admin or $TNS_ADMIN as applicable:

SQLNET.WALLET_OVERRIDE=TRUE
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=<path_to_oracle_wallet>)))
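
A post-configuration check for the settings above, as an added example that is not part of the Gluent documentation: it confirms that sqlnet.ora enables SQLNET.WALLET_OVERRIDE, that WALLET_LOCATION points at a directory holding the auto-login wallet (cwallet.sso), and that the wallet is not accessible to other OS accounts, since an auto-login wallet opens without the wallet password. The function names, the permission policy and the demo files are assumptions constructed for illustration.

```shell
# Added example: post-setup check of the sqlnet.ora wallet settings.
# Function names and the permission policy are assumptions, not Gluent's.

# Print the DIRECTORY value of WALLET_LOCATION (empty if not found).
# Comments and whitespace are dropped first, so a multi-line entry works;
# paths containing spaces are not supported.
wallet_dir_from_sqlnet() {
    grep -v '^[[:space:]]*#' "$1" | tr -d '[:space:]' | awk '{
        u = toupper($0)
        # Same-length rewrite so the TDE parameter is not matched by mistake.
        gsub(/ENCRYPTION_WALLET_/, "ENCRYPTION_WALLET-", u)
        w = index(u, "WALLET_LOCATION=");          if (!w) exit
        d = index(substr(u, w), "DIRECTORY=");     if (!d) exit
        rest = substr($0, w + d - 1 + length("DIRECTORY="))
        sub(/\).*/, "", rest); print rest
    }'
}

# Return 0 only if the override is on, the auto-login wallet exists and
# neither the directory nor the wallet files are accessible to "other".
check_wallet_config() {
    rc=0
    if ! grep -v '^[[:space:]]*#' "$1" | tr -d ' \t' |
            grep -qi '^SQLNET\.WALLET_OVERRIDE=TRUE$'; then
        echo "FAIL: SQLNET.WALLET_OVERRIDE=TRUE not set in $1"; rc=1
    fi
    dir=$(wallet_dir_from_sqlnet "$1")
    if [ -z "$dir" ] || [ ! -f "$dir/cwallet.sso" ]; then
        echo "FAIL: no cwallet.sso in WALLET_LOCATION directory '$dir'"; return 1
    fi
    for f in "$dir" "$dir/cwallet.sso" "$dir/ewallet.p12"; do
        [ -e "$f" ] || continue
        if [ "$(ls -ld "$f" | cut -c8-10)" != "---" ]; then
            echo "FAIL: $f is accessible to other OS accounts"; rc=1
        fi
    done
    return $rc
}

# Constructed demo input: an empty stand-in wallet that is world-readable.
demo=$(mktemp -d); mkdir "$demo/wallet"; : > "$demo/wallet/cwallet.sso"
chmod 700 "$demo/wallet"; chmod 644 "$demo/wallet/cwallet.sso"
printf '%s\n' '# constructed sqlnet.ora' 'SQLNET.WALLET_OVERRIDE = TRUE' \
    'WALLET_LOCATION =' '  (SOURCE=(METHOD=FILE)' \
    "    (METHOD_DATA=(DIRECTORY=$demo/wallet)))" > "$demo/sqlnet.ora"
check_wallet_config "$demo/sqlnet.ora" || echo "wallet setup needs attention"
# Real use: check_wallet_config "${TNS_ADMIN:-$ORACLE_HOME/network/admin}/sqlnet.ora"
```

The same check should be run on every server that holds a copy of the wallet, including each Oracle RAC node and both sides of a split installation.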

Configure Transport for Oracle Wallet

As setting USE_ORACLE_WALLET to true also sets OFFLOAD_TRANSPORT_AUTH_USING_ORACLE_WALLET to true, it is necessary to follow the outstanding steps for the relevant transport mechanism:
