By William Sescu
I am not a big fan of having passwords in clear text lying around. This applies not only to application servers, but also to my Data Guard observer.
I have a script for starting the observer that reads a config file, dgobserver.cfg, and this file contains the usernames, passwords and connect strings for my primary and standby databases.
```
#*************************************************************
# Connection string to the primary
ConnectStringPrim="sys/Manager1@DBIT122_SITE1"

#*************************************************************
# Connection string to the Standby
ConnectStringStdb="sys/Manager1@DBIT122_SITE2"
```
However, I don’t want to have these passwords in clear text anymore, so I set up wallets for that purpose on the observer host.
To set up the wallet connection we need to:
- Create a wallet directory
- Adjust the sqlnet.ora on the observer
- Create the wallet and the credentials
- Test the connections via wallets
- Adjust the dgobserver.cfg file
- Test a Fast Start Failover
Create a directory /u01/app/oracle/admin/wallets and add the following to your sqlnet.ora file:
```
WALLET_LOCATION =
   (SOURCE =
      (METHOD = FILE)
      (METHOD_DATA = (DIRECTORY = /u01/app/oracle/admin/wallets))
   )

SQLNET.WALLET_OVERRIDE = TRUE
```
Now, create the wallet and the credentials:
```
oracle@dbidg03:/u01/app/oracle/network/admin/ [DBIT122] mkstore -wrl /u01/app/oracle/admin/wallets -create
Oracle Secret Store Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Enter password:
Enter password again:

oracle@dbidg03:/u01/app/oracle/admin/wallets/ [DBIT122] mkstore -wrl /u01/app/oracle/admin/wallets -createCredential DBIT122_SITE1 SYS
Oracle Secret Store Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Your secret/Password is missing in the command line
Enter your secret/Password:
Re-enter your secret/Password:
Enter wallet password:

oracle@dbidg03:/u01/app/oracle/admin/wallets/ [DBIT122] mkstore -wrl /u01/app/oracle/admin/wallets -createCredential DBIT122_SITE2 SYS
Oracle Secret Store Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Your secret/Password is missing in the command line
Enter your secret/Password:
Re-enter your secret/Password:
Enter wallet password:

oracle@dbidg03:/u01/app/oracle/admin/wallets/ [DBIT122] mkstore -wrl /u01/app/oracle/admin/wallets -listCredential
Oracle Secret Store Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
List credential (index: connect_string username)
2: DBIT122_SITE2 SYS
1: DBIT122_SITE1 SYS

oracle@dbidg03:/u01/app/oracle/admin/wallets/ [DBIT122] ls -l
total 8
-rw------- 1 oracle oinstall 957 Jan 3 13:57 cwallet.sso
-rw------- 1 oracle oinstall 0 Jan 3 13:56 cwallet.sso.lck
-rw------- 1 oracle oinstall 912 Jan 3 13:57 ewallet.p12
-rw------- 1 oracle oinstall 0 Jan 3 13:56 ewallet.p12.lck
```
After everything was successfully set up, it is time to test the connection via wallets with sqlplus and with dgmgrl.
```
oracle@dbidg03:/u01/app/oracle/admin/wallets/ [DBIT122] sqlplus /@DBIT122_SITE1 as sysdba

SQL*Plus: Release 12.2.0.1.0 Production on Tue Jan 3 13:59:07 2017

Copyright (c) 1982, 2016, Oracle. All rights reserved.

Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

SQL> exit
Disconnected from Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

oracle@dbidg03:/u01/app/oracle/admin/wallets/ [DBIT122] sqlplus /@DBIT122_SITE2 as sysdba

SQL*Plus: Release 12.2.0.1.0 Production on Tue Jan 3 13:59:12 2017

Copyright (c) 1982, 2016, Oracle. All rights reserved.

Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

SQL> exit
Disconnected from Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production
oracle@dbidg03:/u01/app/oracle/admin/wallets/ [DBIT122]

oracle@dbidg03:/u01/app/oracle/admin/DBIT122/etc/ [DBIT122] dgh
DGMGRL for Linux: Release 12.2.0.1.0 - Production on Tue Jan 3 14:00:05 2017

Copyright (c) 1982, 2016, Oracle and/or its affiliates. All rights reserved.

Welcome to DGMGRL, type "help" for information.
DGMGRL> connect /@DBIT122_SITE1
Connected to "DBIT122_SITE1"
Connected as SYSDBA.
DGMGRL> connect /@DBIT122_SITE2
Connected to "DBIT122_SITE2"
Connected as SYSDBA.
DGMGRL> exit
```
Looks good so far. Now let’s adjust the dgobserver.cfg file and start the observer.
```
-- adjust the dgobserver.cfg file

#*************************************************************
# Connection string to the primary
ConnectStringPrim="/@DBIT122_SITE1"

#*************************************************************
# Connection string to the Standby
ConnectStringStdb="/@DBIT122_SITE2"

-- start the observer

oracle@dbidg03:/u01/app/oracle/admin/DBIT122/etc/ [DBIT122] dgobserver.ksh start DBIT122
2017-01-03_14:01:02::dgobserver.ksh::SetOraEnv ::INFO ==> Environment: DBIT122 (/u01/app/oracle/product/12.2.0/dbhome_1)
2017-01-03_14:01:03::dgobserver.ksh::StatusObserver ::INFO ==> Observer Stopped
2017-01-03_14:01:04::dgobserver.ksh::StartObserver ::INFO ==> Connection to the primary database
2017-01-03_14:01:04::dgobserver.ksh::DoCommand ::INFO ==> Start observer file='/u01/app/oracle/admin/DBIT122/etc/fsfo_DBIT122.dat
2017-01-03_14:01:06::dgobserver.ksh::StatusObserver ::INFO ==> Observer running
2017-01-03_14:01:07::dgobserver.ksh::CleanExit ::INFO ==> Program exited with ExitCode : 0

oracle@dbidg03:/u01/app/oracle/admin/DBIT122/etc/ [DBIT122] ps -ef | grep dgmgrl | grep -v grep
oracle 9186 1 0 14:01 pts/0 00:00:00 dgmgrl -logfile /u01/app/oracle/admin/DBIT122/log/dgobserver.log -silent start observer file='/u01/app/oracle/admin/DBIT122/etc/fsfo_DBIT122.dat'
```
After everything is set up and done, it is time for the fun part. Let’s initiate a Fast Start Failover by shutting down the primary with abort.
```
SQL> shutdown abort
ORACLE instance shut down.

-- observer log

...
14:04:49.10 Tuesday, January 03, 2017
Initiating Fast-Start Failover to database "DBIT122_SITE2"...
Performing failover NOW, please wait...
Failover succeeded, new primary is "DBIT122_SITE2"
14:04:58.85 Tuesday, January 03, 2017
...
14:07:39.04 Tuesday, January 03, 2017
Initiating reinstatement for database "DBIT122_SITE1"...
Reinstating database "DBIT122_SITE1", please wait...
Reinstatement of database "DBIT122_SITE1" succeeded
14:08:33.19 Tuesday, January 03, 2017
...
```
Cool, Fast Start Failover and the Reinstate worked as expected.
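A check one might run on the observer host once the steps above are done, as an added example that is not part of the original post or of dgobserver.ksh: it counts ConnectString entries that still embed a password, confirms sqlnet.ora points at the wallet, and flags wallet files accessible to group or other (cwallet.sso is an auto-login wallet, so read access to the file is enough to use the stored credentials). The function names are hypothetical and the sample config is constructed from the values shown on this page.

```shell
#!/bin/sh
# Added example: post-change audit for the observer host. Function names are
# hypothetical; they are not part of dgobserver.ksh or any Oracle tool.

# Print the number of ConnectString* lines that still carry user/password
# before the '@'. Wallet form is "/@ALIAS"; "sys/secret@ALIAS" is a finding.
# Only the count is printed, so the audit output never repeats the password.
count_cleartext_connect() {
    grep -cE '^[[:space:]]*ConnectString[A-Za-z]*="[^/"@]+/[^"@]+@' "$1"
}

# Succeed only if sqlnet.ora (comments and whitespace ignored) names the
# wallet directory and sets SQLNET.WALLET_OVERRIDE = TRUE.
sqlnet_uses_wallet() {
    flat=$(grep -v '^[[:space:]]*#' "$1" | tr -d '[:space:]')
    case $flat in *"(DIRECTORY=$2)"*) ;; *) return 1 ;; esac
    printf '%s' "$flat" | grep -qi 'SQLNET\.WALLET_OVERRIDE=TRUE'
}

# Print wallet files that have any group/other permission bit set
# (columns 5-10 of the ls mode string must all be '-').
loose_wallet_files() {
    for f in "$1"/cwallet.sso "$1"/ewallet.p12; do
        [ -e "$f" ] || continue
        [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] || echo "$f"
    done
}

# audit_observer <dgobserver.cfg> <sqlnet.ora> <wallet_dir>; returns 0 when clean.
audit_observer() {
    rc=0
    if count_cleartext_connect "$1" >/dev/null; then
        echo "FAIL: password embedded in $1"; rc=1
    fi
    sqlnet_uses_wallet "$2" "$3" || { echo "FAIL: $2 not using wallet $3"; rc=1; }
    [ -z "$(loose_wallet_files "$3")" ] || { echo "FAIL: wallet open to group/other"; rc=1; }
    return $rc
}

# Constructed sample: the "before" config from this page in a scratch directory.
demo_dir=$(mktemp -d)
printf 'ConnectStringPrim="sys/Manager1@DBIT122_SITE1"\nConnectStringStdb="sys/Manager1@DBIT122_SITE2"\n' \
    > "$demo_dir/dgobserver.cfg"
count_cleartext_connect "$demo_dir/dgobserver.cfg" || true
rm -rf "$demo_dir"
```

On the real host the call would be `audit_observer` with the paths used above: the dgobserver.cfg location, the sqlnet.ora under /u01/app/oracle/network/admin, and /u01/app/oracle/admin/wallets.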
Conclusion
With Oracle wallets, I can make my Data Guard observer a little bit more secure by eliminating the passwords in clear text.