
How to Set Up Oracle Wallet for Passwordless Login (19c/21c)

Oracle Wallet allows secure storage of database login credentials and enables passwordless authentication for scripts, applications, and command-line tools. Instead of exposing clear-text passwords, a wallet stores encrypted credentials that can be used automatically when connecting to the database.

This guide provides a complete and generalized step-by-step process for configuring Oracle Wallet in Oracle Database 19c and 21c.

Table of Contents

  1. Overview
  2. Wallet Types and Tools
  3. Create Wallet Directory
  4. Create TNS_ADMIN Directory
  5. Add TNS Entry
  6. Configure SQLNET.ORA
  7. Set Oracle Environment Variables
  8. Create Oracle Wallet
  9. Add Credentials to Wallet
  10. Test Passwordless Connection
  11. List Credentials
  12. Modify Stored Credentials
  13. View Wallet Contents
  14. Change Wallet Password
  15. Delete Credentials
  16. Delete Oracle Wallet
  17. Recommended Directory Layout
  18. Security Best Practices
  19. Troubleshooting
  20. Summary

1. Overview

Oracle Wallet provides a secure mechanism to store authentication credentials so that jobs, applications, or users do not need to embed usernames and passwords in scripts.
Multiple database credentials can be stored in a single wallet, and auto-login wallets allow Oracle tools to access credentials without requiring a wallet password.

This guide uses a generic non-database OS user to demonstrate a clean and safe configuration.

2. Wallet Types and Tools

Types of Oracle Wallets

  • Password-protected wallet (ewallet.p12)
    Access requires entering the wallet password.
  • Auto-login wallet (cwallet.sso)
    Opens automatically without password (recommended for scheduled jobs).
  • Auto-login local wallet
    Auto-login wallet restricted to the local host.

Tools

  • mkstore – Add, view, update, delete stored credentials.
  • orapki – Create wallet, change password, view wallet contents.

3. Create Wallet Directory

Create a secure folder for wallet files:

mkdir -p /opt/oracle/wallet_store
chmod 700 /opt/oracle/wallet_store

4. Create TNS_ADMIN Directory

Wallet-based TNS files should be isolated:

mkdir -p /opt/oracle/wallet_store/network
chmod 700 /opt/oracle/wallet_store/network

5. Add TNS Entry

Create or edit tnsnames.ora:

MYDB =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbserver.example.com)(PORT = 1521))
    (CONNECT_DATA =
      (SERVICE_NAME = mydbservice)
    )
  )

Save as:

/opt/oracle/wallet_store/network/tnsnames.ora

6. Configure SQLNET.ORA

Create the wallet configuration file:

SQLNET.WALLET_OVERRIDE = TRUE
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
 (SOURCE =
   (METHOD = FILE)
   (METHOD_DATA = (DIRECTORY = /opt/oracle/wallet_store))
 )

Save as:

/opt/oracle/wallet_store/network/sqlnet.ora

7. Set Oracle Environment Variables

export ORACLE_HOME=/path/to/oracle/home
export PATH=$ORACLE_HOME/bin:$PATH
export ORACLE_SID=mydb
export TNS_ADMIN=/opt/oracle/wallet_store/network

Test connectivity:

tnsping MYDB

8. Create Oracle Wallet (Password + Auto-login)

orapki wallet create -wallet /opt/oracle/wallet_store -auto_login

Enter the new wallet password when prompted.

Verify wallet files:

ewallet.p12
cwallet.sso

9. Add Credentials to Wallet

Syntax:

mkstore -wrl <wallet_path> -createCredential <TNS_ALIAS> <USERNAME>

Example:

mkstore -wrl /opt/oracle/wallet_store -createCredential MYDB appuser

You will be prompted for:

  • Database password
  • Wallet password

10. Test Passwordless Connection

sqlplus /@MYDB

If configured correctly, the connection succeeds without prompting for credentials.

11. List Credentials in Wallet

mkstore -wrl /opt/oracle/wallet_store -listCredential

12. Modify Stored Credentials

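When the database password changes, update the stored credential. Leave the password off the command line so that mkstore prompts for it, as it does in step 9; a password passed as an argument ends up in shell history and is visible in the process list.

mkstore -wrl /opt/oracle/wallet_store -modifyCredential MYDB appuser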

13. View Wallet Contents

orapki wallet display -wallet /opt/oracle/wallet_store

14. Change Wallet Password

orapki wallet change_pwd -wallet /opt/oracle/wallet_store

15. Delete Stored Credentials

mkstore -wrl /opt/oracle/wallet_store -deleteCredential MYDB

16. Delete Oracle Wallet

Delete wallet files:

rm -f /opt/oracle/wallet_store/*wallet*

Or delete entire directory:

rm -rf /opt/oracle/wallet_store

17. Recommended Directory Layout

/opt/oracle/wallet_store/
    ewallet.p12
    cwallet.sso
    network/
        sqlnet.ora
        tnsnames.ora

This separation simplifies configuration and improves manageability.

18. Security Best Practices

  1. Restrict permissions:
     chmod 600 ewallet.p12 cwallet.sso
     chmod 700 wallet_directory
  2. Do not place wallet inside ORACLE_HOME (patching may remove it).
  3. Use auto_login_local for added security.
  4. Always back up wallet files before changes.
  5. Document wallet location and credential policies.
  6. Regularly rotate wallet and database passwords.

19. Troubleshooting

Password prompt appears

  • Incorrect wallet path
  • Wrong TNS_ADMIN
  • Missing SQLNET.WALLET_OVERRIDE
  • TNS alias mismatch

tnsping works but sqlplus fails

SQLNET.ORA might not be in the active TNS_ADMIN path.

Wallet shows OPEN_NO_MASTER_KEY

Normal if Transparent Data Encryption (TDE) is not enabled.
Does not affect wallet-based credential access.

Permission denied errors

Ensure the OS user that runs the connection has read access to the wallet files.
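
The permission rules in section 18 and the password-prompt causes in section 19 can be checked in one pass before a job relies on `sqlplus /@MYDB`. The script below is an added example, not Oracle tooling or part of the original guide; `audit_wallet`, `private`, `make_fixture` and the FINDING messages are hypothetical names, and the fixture it audits is constructed with empty stand-in wallet files.

```bash
#!/usr/bin/env bash
# Added example: preflight audit of the wallet layout built in this guide.
# Function names and FINDING messages are illustrative, not Oracle tooling.

# True only when group and other have no permission bits on the path.
private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# audit_wallet <TNS_ADMIN dir> <TNS alias> [ORACLE_HOME]
# Prints one line per finding and returns the number of findings.
audit_wallet() {
  local tns="$1" name="$2" home="${3:-}" n=0 wdir f
  note() { echo "FINDING: $*"; n=$((n + 1)); }
  if [ ! -f "$tns/sqlnet.ora" ]; then
    note "no sqlnet.ora in $tns (wrong TNS_ADMIN?)"; return "$n"
  fi
  grep -Eiq '^[[:space:]]*SQLNET\.WALLET_OVERRIDE[[:space:]]*=[[:space:]]*TRUE' \
    "$tns/sqlnet.ora" || note "SQLNET.WALLET_OVERRIDE = TRUE is missing"
  # Extract the path from (DIRECTORY = ...) inside WALLET_LOCATION.
  wdir=$(sed -n 's/.*DIRECTORY[[:space:]]*=[[:space:]]*\([^)]*\)).*/\1/p' \
    "$tns/sqlnet.ora" | head -n 1)
  if [ -z "$wdir" ] || [ ! -d "$wdir" ]; then
    note "WALLET_LOCATION directory '$wdir' not found"; return "$n"
  fi
  private "$wdir" || note "$wdir is open to group/other (expected 700)"
  case "$wdir/" in "${home:-/nonexistent}"/*) note "wallet is inside ORACLE_HOME" ;; esac
  [ -f "$wdir/cwallet.sso" ] || note "cwallet.sso missing (no auto-login wallet)"
  for f in "$wdir/ewallet.p12" "$wdir/cwallet.sso"; do
    [ ! -f "$f" ] || private "$f" || note "$f is readable by group/other (expected 600)"
  done
  grep -Eq "^[[:space:]]*${name}[[:space:]]*=" "$tns/tnsnames.ora" 2>/dev/null ||
    note "alias $name not defined in $tns/tnsnames.ora"
  return "$n"
}

# Constructed fixture mirroring the guide's layout (empty stand-in wallet files).
make_fixture() {
  mkdir -p "$1/network" && chmod 700 "$1" "$1/network"
  : > "$1/ewallet.p12"; : > "$1/cwallet.sso"; chmod 600 "$1"/*wallet*
  printf 'SQLNET.WALLET_OVERRIDE = TRUE\nWALLET_LOCATION =\n (SOURCE =\n  (METHOD = FILE)\n  (METHOD_DATA = (DIRECTORY = %s))\n )\n' "$1" > "$1/network/sqlnet.ora"
  printf 'MYDB =\n  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbserver.example.com)(PORT = 1521)))\n' > "$1/network/tnsnames.ora"
}

demo=$(mktemp -d) && make_fixture "$demo"
chmod 644 "$demo/cwallet.sso"   # simulate an auto-login wallet left world-readable
audit_wallet "$demo/network" MYDB || echo "$? finding(s)"
rm -rf "$demo"
```

Against a real setup, call `audit_wallet "$TNS_ADMIN" MYDB "$ORACLE_HOME"`; a non-zero return value is the number of findings.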

20. Summary

Oracle Wallet provides a secure mechanism to store credentials and enable passwordless authentication for Oracle Database 19c and 21c environments. This guide covered:

  • Creating wallet directories
  • Configuring TNS entries
  • Setting up SQLNET.ORA
  • Creating and managing wallets
  • Adding, modifying, and deleting credentials
  • Security best practices
  • Troubleshooting

With this configuration, scripts, jobs, and applications can connect securely without exposing plain-text passwords.
