Wednesday, June 1, 2016

Secure External Password Store and Oracle Restart with Role Separation

Oracle secure external password store allows storing of password needed for database connection in a client side Oracle wallet. It allows password-less connection to the database and useful in running scripts without having to put the password in them. A secure external password store could be setup as below.
Create a wallet (usually in TNS_ADMIN but could be different location as well)
cd $ORACLE_HOME/network/admin/

orapki wallet create -wallet . -pwd "welcome1" -auto_login_local
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

[oracle@rhel7 admin]$ ls
cwallet.sso  ewallet.p12  samples  shrept.lst  tnsnames.ora
The option "auto_login_local" prevents the wallet being moved to another host and used (1114599.1). It also ties the wallet to the operating system user preventing other users in the same host using the wallet as well (1505040.1). Create a credential, in this case std11g2 is a TNS entry that exists in tnsnames.ora file and asanga and asa are username and password
mkstore -wrl . -createCredential std11g2 asanga asa
Oracle Secret Store Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Create credential oracle.security.client.connect_string1
Add the wallet location to sqlnet.ora file and set WALLET_OVERRIDE to true which makes user names and passwords from the wallet to be used for authentication.
more sqlnet.ora
WALLET_LOCATION =
    (SOURCE =
       (METHOD = FILE)
       (METHOD_DATA = (DIRECTORY = /opt/app/oracle/product/11.2.0/dbhome_4/network/admin))
)

SQLNET.WALLET_OVERRIDE = TRUE
The existing credentials could be listed with the following command
mkstore -wrl . -listCredential
Oracle Secret Store Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
List credential (index: connect_string username)
1: std11g2 asanga
With the external secure password store now setup, one could connected to the database without specifying the password as show below
[oracle@rhel7 orawallet]$ sqlplus  /@std11g2

SQL> show user
USER is "ASANGA"
Problem is that when secure external password store is setup for a Oracle restart (Single instance with ASM) database that has role separation (GI installed grid user and DB installed as oracle), the database fails to start during restarts and when srvctl is used. Below for a 11.2.0.4 setup
srvctl start database -d std11g2
PRCR-1079 : Failed to start resource ora.std11g2.db
CRS-5017: The resource action "ora.std11g2.db start" encountered the following error:
ORA-01078: failure in processing system parameters
. For details refer to "(:CLSN00107:)" in "/opt/app/oracle/product/11.2.0/grid_4/log/rhel6m1/agent/ohasd/oraagent_grid//oraagent_grid.log".

CRS-2674: Start of 'ora.std11g2.db' on 'rhel6m1' failed
Below for a 12.1.0.2 setup
srvctl start database -d se2db
PRCR-1079 : Failed to start resource ora.se2db.db
CRS-5017: The resource action "ora.se2db.db start" encountered the following error:
ORA-01078: failure in processing system parameters
ORA-01565: error in identifying file '+DATA/se2db/spfilese2db.ora'
ORA-17503: ksfdopn:10 Failed to open file +DATA/se2db/spfilese2db.ora
ORA-12578: TNS:wallet open failed
. For details refer to "(:CLSN00107:)" in "/opt/app/oracle/diag/crs/rhel7/crs/trace/ohasd_oraagent_grid.trc".

CRS-2674: Start of 'ora.se2db.db' on 'rhel7' failed
MOS notes 1612712.1,1383938.1 says to set the permission to 750 for this issue but it didn't work.



During further investigation of the issue following observations were made.
1. The problem doesn't happen when both grid home and oracle home are installed under one user (usually as oracle user).
2. Problem doesn't happen in RAC environments even if grid home and oracle home are installed as different users (grid home as grid user and oracle home as oracle user)
3. Problem only happens in single instance environments (tested on 12c and 11.2.0.4) where grid home is owned by grid user and oracle home is owned by oracle user.
Looking at the trace file shows that srvctl fails to connect to idle instance to start the database
2016-03-30 11:11:12.474778 :CLSDYNAM:2930841344: [ora.se2db.db]{0:0:45668} [start] clsnInstConnection::makeConnectStr UsrOraEnv ,ORACLE_BASE= m_oracleHome /opt/app/oracle/product/12.1.0/dbhome_2 Crshome /opt/app/oracle/product/12.1.0/grid
2016-03-30 11:11:12.474822 :CLSDYNAM:2930841344: [ora.se2db.db]{0:0:45668} [start] makeConnectStr = (DESCRIPTION=(ADDRESS=(PROTOCOL=beq)(PROGRAM=/opt/app/oracle/product/12.1.0/dbhome_2/bin/oracle)(ARGV0=oraclese2db)(ENVS='ORACLE_HOME=/opt/app/oracle/product/12.1.0/dbhome_2,ORACLE_SID=se2db,LD_LIBRARY_PATH=,ORACLE_BASE=')(ARGS='(DESCRIPTION=(LOCAL=YES)(ADDRESS=(PROTOCOL=beq)))')(CONNECT_DATA=(SID=se2db))))
2016-03-30 11:11:12.475460 :CLSDYNAM:2930841344: [ora.se2db.db]{0:0:45668} [start] InstAgent::stop non pool pConnxn 1 9434f9e0
2016-03-30 11:11:12.475519 :CLSDYNAM:2930841344: [ora.se2db.db]{0:0:45668} [start] InstConnection::connectInt: server not attached
2016-03-30 11:11:13.498240 :CLSDYNAM:2930841344: [ora.se2db.db]{0:0:45668} [start] InstConnection:connectInt connected
2016-03-30 11:11:13.498315 :CLSDYNAM:2930841344: [ora.se2db.db]{0:0:45668} [start] InstConnection::shutdown mode 4
2016-03-30 11:11:13.499364 :CLSDYNAM:2930841344: [ora.se2db.db]{0:0:45668} [start] ORA-01034: ORACLE not available
Process ID: 0
Session ID: 0 Serial number: 0

2016-03-30 11:11:13.499453 :CLSDYNAM:2930841344: [ora.se2db.db]{0:0:45668} [start] InstConnection::disassociateEdition OCI error 1034
Then the start of the database was tested a wallet created without the "local" option. As mentioned earlier local option prevents wallet being used in another host and is tied to the OS user. On 11.2.0.4
orapki wallet create -wallet . -pwd "welcome1" -auto_login
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

srvctl start database -d std11g2
srvctl status database -d std11g2
Database is running.
On 12.1.0.2
orapki wallet create -wallet . -pwd "welcome1" -auto_login
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

srvctl start database -d se2db
srvctl status database -d se2db
Database is running.
So it appears the problem seem to be use of auto_login_local since there's no issue when using auto_login. Since wallet wasn't moved to a different server, the only reason that could prevent DB from starting with a wallet created with auto_login_local option is if the starting command is executed by a user other than the user tied to the wallet. Right now the wallet has been created as Oracle user and srvctl start was executed as oracle user. So it appears that grid user gets involved in starting the DB even when srvctl is run as oracle user (why the same is not happening in RAC role separated config is under SR)
So the solution in this case was to create an empty wallet as grid user and set permission to 750.
[grid@rhel7 wallet]$ orapki wallet create -wallet . -pwd "welcome1" -auto_login_local
[grid@rhel7 wallet]$ chmod 750 cwallet.sso ewallet.p12
[grid@rhel7 wallet]$ ls -lrt
-rw-rw-rw-. 1 grid   oinstall     0 Apr 15 17:35 ewallet.p12.lck
-rwxr-x---. 1 grid   oinstall    75 Apr 15 17:35 ewallet.p12
-rw-rw-rw-. 1 grid   oinstall     0 Apr 15 17:35 cwallet.sso.lck
-rwxr-x---. 1 grid   oinstall   120 Apr 15 17:35 cwallet.sso
No credentials are added to this wallet as such nothing to list
[grid@rhel7 wallet]$  mkstore -wrl . -listCredential
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
List credential (index: connect_string username)
Used a non-default location to this wallet file and this was added to $ORACLE_HOME/network/admin/sqlnet.ora file(not to $GI_HOME/network/admin/sqlnet.ora)
pwd
/opt/app/oracle/product/12.1.0/dbhome_2/network/admin

more sqlnet.ora
WALLET_LOCATION =
    (SOURCE =
       (METHOD = FILE)
       (METHOD_DATA = (DIRECTORY = /usr/local/wallet))
)

SQLNET.WALLET_OVERRIDE = TRUE
With this setup in place srvctl works fine and database get started automatically after restarts. However password-less access fails as the wallet is owned by grid user
[oracle@rhel7 orawallet]$ sqlplus  /@se2db

ERROR:
ORA-12578: TNS:wallet open failed
To fix this, create another wallet at a different location as Oracle user.
ls /usr/local/wallet/orawallet

-rwxrwx---. 1 oracle oinstall 528 Apr 15 17:20 ewallet.p12
-rwxrwx---. 1 oracle oinstall 573 Apr 15 17:20 cwallet.sso
Create another sqlnet.ora file in the same directory (orawallet). Add this directory path as the wallet location
WALLET_LOCATION =
    (SOURCE =
       (METHOD = FILE)
       (METHOD_DATA = (DIRECTORY = /usr/local/wallet/orawallet))
)

SQLNET.WALLET_OVERRIDE = TRUE
Whenever password-less access using external password store is needed export this location as the TNS_ADMIN and connect.
export TNS_ADMIN=/usr/local/wallet/orawallet
sqlplus  /@se2db

SQL> show user
USER is "ASANGA"
If any database scripts require password-less access before running export the TNS_ADMIN to location where second sqlnet.ora file was set.
Why the auto_login_local fails this way in Oracle restart with role separation is still under SR.

Useful metalink notes
Using a Secure External Password Store with the JDBC Thin Driver [ID 1441745.1]
Using The Secure External Password Store [ID 340559.1]
How To Avoid Expdp And Impdp Passwords Being Visible By "ps" Unix Command? [ID 869825.1]
How To Prevent The Secure Password Store Wallet From Being Moved to Another Host [ID 1114599.1]
Oracle Cluster failed to start with ASM instance getting ORA-00443 [ID 2000868.1]
Database Failed To Start [ID 1922401.1]
Oracle Restart: srvctl fails to start database with error CRS-5010 if RDBMS and Grid under different users [ID 1335607.1]
How to configure SEPS for the pluggable databases [ID 1980698.1]
Bug 11706168 - ORA-00000 during STARTUP with SQLNET.WALLET_OVERRIDE=TRUE [ID 11706168.8]
How To Configure The Secure External Password Store To Allow The Connection To RMAN Catalog? [ID 1383938.1]
ORA-15055 and ORA-12578 on database startup with external wallet store [ID 1612712.1]
How To Check Whether The Wallet Is A Local Auto Login Wallet [ID 1505040.1]