Strange
Narendra, July 01, 2021 - 8:29 am UTC
Hello Connor,
Thank you for looking into this.
It is really strange that such a feature has been documented and blogged about but doesn't work.
I first came across it in
https://blogs.oracle.com/dev2dev/whats-new-in-193-and-183-jdbc-and-ucp and got excited as we do have a use case for it.
I am unable to post any comments on that blog post too....if the feature does not work then I guess at least official blogs and documentation should be corrected accordingly.
Thanks
July 06, 2021 - 1:46 am UTC
I'll come back to this post if I get any updates from the security team
A reader, July 14, 2021 - 5:19 pm UTC
@narendra, was anything else in the original SQLNET.ORA? On windows, mind you, I successfully use MY_WALLET_DIRECTORY, the difference being that I also have SSL_VERSION and SSL_CLIENT_AUTHENTICATION parameters in my TNSNAMES as well, which I also migrated out of SQLNET.ORA into my TNSNAMES.ORA. (Also, my connection is with a database user account, not authenticating via Kerberos, AD, etc., that could be a difference too.)
I don't see documentation specifying exactly what parameters are required with respect to wallets, but it's a possible explanation that something else from the original SQLNET.ORA file (if indeed something else was there) is still required. Or that somehow, the assumed default value if omitted is a mismatch.
Other tests to eliminate the differences between my environment and yours: Do you maybe have database user account to test with? And/or a Windows machine?
Good luck!
July 15, 2021 - 3:38 am UTC
If you could post a sample, I am sure that would help others (and me!)
Re: MY_WALLET_DIRECTORY in TNSNAMES
Narendra, August 05, 2021 - 7:10 am UTC
Hello Connor,
Did you manage to hear anything on this one? (I know....you said you would respond if you hear and I am not being impatient...just asking in case you know anything more).
Would be a really useful feature if it works as advertised.
August 06, 2021 - 1:46 am UTC
Sorry - I should have updated the thread.
The current understanding is that the MY_WALLET_DIRECTORY *does* work for only related to SQLNet encryption activities, not for the storing of credentials.
(Investigation is ongoing but that has been our observations so far)
DBA
Mark Carton, February 17, 2022 - 1:48 pm UTC
I hit this issue too and found this thread.
I found a "fix" for the issue by creating a credential wallet in the $TNS_ADMIN directory.
mkstore -wrl /home/oracle/wallet -create
mkstore -wrl /home/oracle/wallet -createCredential conn1 user1 pass1
mkstore -wrl /home/oracle/wallet -createCredential conn2 user2 pass2
So in TNS_ADMIN I have sqlnet.ora with
WALLET_LOCATION = (SOURCE = (METHOD = file) (METHOD_DATA = (DIRECTORY="/home/oracle/wallet")))
then in tnsnames.ora on each connection string have
(MY_WALLET_DIRECTORY=/home/oracle/wallet/'<per connection>'/)
from this we can then use
sqlplus /@conn1 - works
sqlplus /@conn2 - works
Hope this helps.
February 24, 2022 - 7:17 am UTC
Nice detective work! Thanks for passing this on.
Re: Mark Carton
Narendra, February 25, 2022 - 4:52 pm UTC
Hello Mark/Connor,
Can you please elaborate how this solves my original question? My original question was about having the ability to point to different wallets or different directories containing (different) wallets, by using MY_WALLET_DIRECTORY in TNSNAMES.ORA but without having to rely on SQLNET.ORA for wallet location.
Your example appears to create single wallet and a SQLNET.ORA which points to the directory containing that single wallet.
What am I missing?
Jack, April 19, 2022 - 7:04 am UTC
Hello Narendra
were you able to find solution for same? I am facing exact same issue though few blogs suggest MY_WALLET_DIRECTORY should work, for me, I tried all possible configurations none seems to be working.
A reader, September 21, 2022 - 1:56 pm UTC
I was able to get it working. My situation is a bit different cause I'm making an app in C#, but I think the example will help others. The below settings will allow 2 different users to connect to the DB determined by the connection string.
<configSections>
<section name="oracle.manageddataaccess.client" type="OracleInternal.Common.ODPMSectionHandler, Oracle.ManagedDataAccess, Version=4.122.21.1, Culture=neutral, PublicKeyToken=89b483f429c47342" />
</configSections>
<connectionStrings>
<add name="connStr1" connectionString="Data Source=uSmFomName1;User ID=/;" providerName="System.Data.OracleClient" />
<add name="connStr2" connectionString="Data Source=uSmFomName2;User ID=/;" providerName="System.Data.OracleClient" />
</connectionStrings>
<oracle.manageddataaccess.client>
<version number="*">
<dataSources>
<dataSource alias="uSmFomName1" descriptor="
(DESCRIPTION=
(ADDRESS=
(PROTOCOL=TCPS)
(HOST=hostX)
(PORT=2484)
)(CONNECT_DATA=
(SERVICE_NAME=sidX)
)(SECURITY=
(MY_WALLET_DIRECTORY=C:\temp\OracleWallet_1)
)
)" />
<dataSource alias="uSmFomName2" descriptor="
(DESCRIPTION=
(ADDRESS=
(PROTOCOL=TCPS)
(HOST=hostX)
(PORT=2484)
)(CONNECT_DATA=
(SERVICE_NAME=sidX)
)(SECURITY=
(MY_WALLET_DIRECTORY=C:\temp\OracleWallet_2)
)
)" />
</dataSources>
<settings>
<setting name="SQLNET.AUTHENTICATION_SERVICES" value="(TCPS)" />
</settings>
</version>
</oracle.manageddataaccess.client>
September 26, 2022 - 10:26 am UTC
Thanks for passing this along
To: a reader
Narendra, September 26, 2022 - 10:32 am UTC
Thank you for this.
I have to say I honestly believe there is something fundamentally wrong with the implementation of MY_WALLET_DIRECTORY.
How else does one explain different behaviour under different circumstances?
It is a shame that Oracle appears to have (again) released something as "cool new feature" that does not work as advertised.
Ivan Brezina, April 05, 2023 - 7:49 pm UTC
Does anybody have access to this note? Is it possible it did disapear from Metalink?
"The Impact of the Sqlnet Settings on Database Security (sqlnet.ora Security Parameters and Wallet Location) (Doc ID 1240824.1)"
All I can find about the subject is this comment on Python drivers site:
"Use Oracle Client libraries 19.17, or later, or use Oracle Client 21c. They contain important bug fixes for using multiple wallets in the one process."
April 06, 2023 - 6:45 am UTC
I only see what you can see on MOS.
Docs get removed if the information is no longer valid or is for no longer supported products.
Upgrade guide
A reader, April 06, 2023 - 1:10 pm UTC
MY_WALLET_DIRECTORY Connect String Deprecated
The connect string parameter MY_WALLET_DIRECTORY has been deprecated with Oracle Database 23c.
Oracle recommends that you use WALLET_LOCATION in the connect string to override the sqlnet.ora WALLET_LOCATION setting. WALLET_LOCATION has been updated for connect strings so that the same parameter can be used in sqlnet.ora and in tnsnames.ora This change simplifies the parameters that you need to remember. Oracle recommends that you change your client connect strings to use WALLET_LOCATION instead of MY_WALLET_DIRECTORY.
SEPS
Scot, May 25, 2023 - 7:55 pm UTC
I believe the OP was trying to use MY_WALLET_DIRECTORY for a SEPS (Secure External Password Store) authentication.
The MY_WALLET_DIRECTORY (and WALLET_LOCATION settings in the address) are only for the SSL/TLS/TCPS wallet location, not the SEPS wallet_location. ie, SEPS can only be specified via the sqlnet.ora wallet location.
May 29, 2023 - 3:38 am UTC
+1
It's working
Tejasbhai Darji, July 28, 2023 - 7:18 pm UTC
I have troubleshooting lot for the same. but, at the end of the day found that solution in sqlnet.ora file there is the parameter SSL_SERVER_DN_MATCH
eg.
SSL_SERVER_DN_MATCH=yes
So, make it no like below.
SSL_SERVER_DN_MATCH=no
August 04, 2023 - 5:41 am UTC
Thanks for the info
It worked for me for two different ATP databases
Rajeshwaran, Jeyabal, August 10, 2023 - 2:26 pm UTC
Hope this should help you.
SQL*Plus: Release 21.0.0.0.0 - Production on Thu Aug 10 19:45:36 2023
Version 21.3.0.0.0
Copyright (c) 1982, 2021, Oracle. All rights reserved.
idle> $ tnsping atp19c
TNS Ping Utility for 64-bit Windows: Version 21.0.0.0.0 - Production on 10-AUG-2023 19:45:43
Copyright (c) 1997, 2021, Oracle. All rights reserved.
Used parameter files:
C:\Oracle\TNSnames\sqlnet.ora
Used TNSNAMES adapter to resolve the alias
Attempting to contact (description= (retry_count=3) (retry_delay=3) (address=(protocol=tcps)(port=1522)(host=adb.us-ashburn-1.oraclecloud.com)) (connect_data=(service_name=g26be7c92912cdb_atpdemo19c_low.adb.oraclecloud.com)) (security= (MY_WALLET_DIRECTORY = C:\oracle\TNSnames\ATP19C_NEW) (ssl_server_dn_match=yes)))
OK (1220 msec)
idle> conn demo/******@atp19c
Connected.
demo@ATP19C>
demo@ATP19C> $ tnsping atp21c
TNS Ping Utility for 64-bit Windows: Version 21.0.0.0.0 - Production on 10-AUG-2023 19:46:24
Copyright (c) 1997, 2021, Oracle. All rights reserved.
Used parameter files:
C:\Oracle\TNSnames\sqlnet.ora
Used TNSNAMES adapter to resolve the alias
Attempting to contact (description = (retry_count = 3) (retry_delay = 3) (address = (protocol = tcps)(port = 1522)(host = adb.us-ashburn-1.oraclecloud.com)) (connect_data = (service_name = g26be7c92912cdb_atpdemo_low.adb.oraclecloud.com)) (security = (MY_WALLET_DIRECTORY = C:\oracle\TNSnames\ATP21C_NEW) (SSL_SERVER_DN_MATCH = yes)))
OK (1240 msec)
demo@ATP19C>
demo@ATP19C> conn demo/******@atp21c
Connected.
demo@ATP21C>
and the latest version of SQLCL named connections rocks too.
SQLcl: Release 23.2 Production on Thu Aug 10 19:51:04 2023
Copyright (c) 1982, 2023, Oracle. All rights reserved.
idle> connmgr list
demo_atp19c
demo_pdb1
demo_pdb2
idle>
idle> connmgr show demo_atp19c
Name: demo_atp19c
Connect String: (description= (retry_count=3)(retry_delay=3)(address=(protocol=tcps)(port=1522)(host=adb.us-ashburn-1.oraclecloud.com))(connect_data=(service_name=g26be7c92912cdb_atpdemo19c_low.adb.oraclecloud.com))(security=(MY_WALLET_DIRECTORY = C:\oracle\TNSnames\ATP19C_NEW)(ssl_server_dn_match=yes)))
User: demo
Password: ******
idle>
idle> connmgr test demo_atp19c
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Connection Test Successful
idle> conn -name demo_atp19c
Connected.
demo@ATP19C>