Database Administrators
Q&A for database professionals who wish to improve their database skills
Latest Questions
1
votes
0
answers
261
views
How to send job notifications with dbms_scheduler via ssl encrypted smtp
We have Oracle Enterprise 19 databases installed on Linux and have been using job notification via SMTP with **Oracle dbms_scheduler** for quite a long time, defining jobs like this and having all the needed settings like SMTP server, ports etc. defined in dbms_scheduler attributes:
```sql
dbms_scheduler.add_job_email_notification(
  job_name   => 'J1',
  recipients => 'jobowner@example.com',
  events     => 'job_all_events');
```
That worked fine.
Now for obvious reasons our mail environment got encrypted and we need to use SSL to communicate with the SMTP server. A certificate is required and placed into a wallet. We did that using orapki and put the wallet in the filesystem location documented by Oracle, `$ORACLE_HOME/scheduler/wallet/`:
```
orapki wallet create -wallet /orasoft/oracle/product/19.0.0/world/scheduler/wallet/5 -pwd password -auto_login
orapki wallet add -wallet /orasoft/oracle/product/19.0.0/world/scheduler/wallet/5 -trusted_cert -cert ~/MailRootCA.cer
```
Inside the DB we changed dbms_scheduler settings accordingly:
```sql
DBMS_SCHEDULER.SET_SCHEDULER_ATTRIBUTE (
  attribute => 'EMAIL_SERVER_ENCRYPTION',
  value     => 'STARTTLS'); -- that's what our mailserver expects
```
Added the correct ports to host ACEs and also a wallet ACE:
```sql
DBMS_NETWORK_ACL_ADMIN.append_WALLET_ACE(
  wallet_path => 'file:/orasoft/oracle/product/19.0.0/world/scheduler/wallet/5/',
  ace         => xs$ace_type(
                   privilege_list => xs$name_list('use_client_certificates', 'use_passwords'),
                   principal_name => 'SYS',
                   principal_type => xs_acl.ptype_db
                 )
);
```
But somehow it is not working anymore. A trace file is generated each time a mail should be sent with
```
ORA-29106: Cannot import PKCS #12 wallet.
```
Has anyone else encountered this issue? And how to get around it?
Thanks.
nightbird1972
(11 rep)
Dec 28, 2023, 01:23 PM
• Last activity: Dec 29, 2023, 01:36 PM
3
votes
2
answers
3408
views
Renew Certificate in Oracle Enterprise Cloud Control OMS Manager Console
Environment:
- Oracle Enterprise Manager Cloud Control 13.4
- OMS console with third party certificate
- Secured
My situation is the following:
1. I am new in this client and apparently the former DBA added a third party certificate in the OMS console, which is near to expire.
2. I've been reading the documentation but I can't find the keystore or the wallet associated to this certificate.
So far, I checked the following
```
[oracle@hcbae2p01ora022 bin]$ $OMS_HOME/bin/emctl status oms -details
Oracle Enterprise Manager Cloud Control 13c Release 4
Copyright (c) 1996, 2020 Oracle Corporation. All rights reserved.
Enter Enterprise Manager Root (SYSMAN) Password :
Console Server Host : hcbae2p01ora022.hcbe.corp
HTTP Console Port : 7788
HTTPS Console Port : 7803
HTTP Upload Port : 4889
HTTPS Upload Port : 4903
EM Instance Home : /u01/app/oracle_em/gc_inst/em/EMGC_OMS1
OMS Log Directory Location : /u01/app/oracle_em/gc_inst/em/EMGC_OMS1/sysman/log
OMS is not configured with SLB or virtual hostname
Agent Upload is locked.
OMS Console is locked.
Active CA ID: 1
Console URL: https://hcbae2p01ora022.hcbe.corp:7803/em
Upload URL: https://hcbae2p01ora022.hcbe.corp:4903/empbs/upload
WLS Domain Information
Domain Name : GCDomain
Admin Server Host : hcbae2p01ora022.hcbe.corp
Admin Server HTTPS Port: 7102
Admin Server is RUNNING
Oracle Management Server Information
Managed Server Instance Name: EMGC_OMS1
Oracle Management Server Instance Host: hcbae2p01ora022.hcbe.corp
WebTier is Up
Oracle Management Server is Up
JVMD Engine is Up
BI Publisher Server Information
BI Publisher Managed Server Name: BIP
BI Publisher Server is Up
BI Publisher HTTP Managed Server Port : 9701
BI Publisher HTTPS Managed Server Port : 9803
BI Publisher HTTP OHS Port : 9788
BI Publisher HTTPS OHS Port : 9851
BI Publisher is locked.
BI Publisher Server named 'BIP' running at URL: https://hcbae2p01ora022.hcbe.corp:9851/xmlpserver/servlet/home
BI Publisher Server Logs: /u01/app/oracle_em/gc_inst/user_projects/domains/GCDomain/servers/BIP/logs/
BI Publisher Log : /u01/app/oracle_em/gc_inst/user_projects/domains/GCDomain/servers/BIP/logs/bipublisher/bipublisher.log
```
As you can see from the information above, the console is secured on port 7803. I thought that the certificates should be stored in a wallet, but I can't find the wallet anywhere. Neither was I able to find any command in `emctl` or in `emcli` that can show me where this certificate is stored.
What I know is that the certificate is there, as I used the `secdiag` option of `emctl`:
```
[oracle@hcbae2p01ora022 bin]$ $OMS_HOME/bin/emctl secdiag openurl -url https://hcbae2p01ora022.hcbe.corp:7803/em
Oracle Enterprise Manager Cloud Control 13c Release 4
Copyright (c) 1996, 2020 Oracle Corporation. All rights reserved.
Log file: /tmp/OpenPage_2023_02_21_13_45_115472876152891123503.log
Opening page: https://hcbae2p01ora022.hcbe.corp:7803/em
Using non-validating trust manager; all certificates will be blindly accepted.
Proxy server is not set
Using protocol: TLSv1
Negotiated protocol: TLSv1
Getting the certificate chain
Details of cert# 1 in chain:
Subject: EMAILADDRESS=xxxxxxx, CN=hcbae2p01ora022.hcbe.corp, OU=xxxxxxx, O=xxxxxxxxxx, L=xxxxxxxxxxxxxx, ST=xxxxxxxx, C=xx
Issuer: CN=XXXXX CA, DC=cloud, DC=corp
Valid from: Tue Mar 23 13:54:18 UTC 2021
Valid till: Thu Mar 23 13:54:18 UTC 2023
Serial#: 914345119400343461451536535824392411922746991
Public key: Sun RSA public key, 2048 bits
modulus: 231855705770066152570314131577369954637603242446759578989206803754751294824351565914129743732110994827544588460966543883605976172129693569117661509357921588815183478850378089638600314229871995314771805178017341640817875936605315833364302707372595554647453833532393376815757155001416722179412428142624866504902792330046510191621551136336433918248638504659645288726326144907300691458403587891238454297424723893811783631933359920866785373444400398845738032568684675766778615996191586165668755883030522959798859689120112193205210100146390085495955132802650583693008692078856106184239283369895227655357520072938286
public exponent: 65537
Signature algorithm: SHA256withRSA
Following headers are present in the response:
Date : Tue, 21 Feb 2023 13:45:12 GMT
Vary : Accept-Encoding
Adf-Context-Id : fd3875f9-7da2-4e9a-bbe1-cdbc60ba6af8-00000002
X-Frame-Options : sameorigin
X-ORCL-EMOA : true
X-ORACLE-DMS-RID : 0:3:1
X-Content-Type-Options : nosniff, nosniff
X-XSS-Protection : 1; mode=block, 1; mode=block
X-ORACLE-DMS-ECID : fd3875f9-7da2-4e9a-bbe1-cdbc60ba6af8-00000002
Adf-View-Id : %2Flogon%2Fcore-uifwk-console-login
Content-Type : text/html;charset=UTF-8
Cache-Control : no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Response saved at :
/tmp/hcbae2p01ora022.hcbe.corp_7803_2023_02_21_13_45_134697786630783685089.html
[oracle@hcbae2p01ora022 bin]$
```
As you can see above, the certificate that allows me to access the OMS console by `https` is stored somehow in OMS. But I can't find where exactly. I have tried to check all wallets on the server, but I could not find anything.
I'd like to know how I can update this certificate with a new one that I already have in my hands. Is there a way to identify whether this certificate was included using `emctl secure createca`? If so, how can I update the certificate stored there?
**UPDATE**
Thanks to @Balazs Papp, I was able to find the wallet used by the OMS Console
```
[oracle@hcbae2p01ora022 console]$ pwd
/u01/app/oracle_em/gc_inst/user_projects/domains/GCDomain/config/fmwconfig/components/OHS/instances/ohs1/keystores/console
[oracle@hcbae2p01ora022 console]$ orapki wallet display -wallet pwd
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2020, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Subject: EMAIL=xxxxxxxxxxxxx,CN=hcbae2p01ora022.hcbe.corp,OU=xxxxxx,O=xxxxxx,L=xxxxxxxxx,ST=xxx,C=xx
Trusted Certificates:
[oracle@hcbae2p01ora022 console]$
```
What I don't get is why it does not appear as a trusted certificate. If I copy this wallet to a different location, can I then use `orapki` to import the new certificate into the wallet, and then use `emctl secure console -wallet` to renew the certificate?
I have read somewhere that if there is a change in the certificate, such as the email address, you have to do it from scratch. Is that so?
Roberto Hernandez
(143 rep)
Feb 21, 2023, 01:55 PM
• Last activity: Oct 12, 2023, 02:44 PM
2
votes
1
answers
780
views
How to automatically add TLS certificates to Oracle wallets?
When accessing external webservices via HTTPS via the Oracle database you need to add the corresponding certificate to a database wallet to prevent a certificate validation error. When one creates an account at apex.oracle.com, one is able to access any external HTTPS webservice without the need to add certificates. So, Oracle seems to have some automated process in place to add the certificates when they are needed.
My question is: How would you go about doing that? Or am I missing some "auto-add" feature?
WayneNani
(123 rep)
Jan 5, 2023, 10:46 AM
• Last activity: Jan 9, 2023, 01:29 PM
0
votes
0
answers
7219
views
ORA-28759: failure to open file
I have implemented an Oracle wallet using the orapki utility following this guide: https://stackoverflow.com/questions/63834638/how-to-change-protocol-for-oracle-database-connection-in-asp-net-core
However, when I try to connect from the App Server to the database using the TCPS protocol on non-default port 1531, I am getting the following error:
```
SQL*Plus: Release 12.1.0.2.0 Production on Fri Dec 23 10:30:23 2022
Copyright (c) 1982, 2014, Oracle. All rights reserved.
Enter password:
ERROR:
ORA-28759: failure to open file
Enter user-name:
```
Does the database user that I am trying to connect as need permission on the DB server wallet files? Does it need permission on the entire wallet folder or something else? I found nothing in the trace folder.
Currently the oracle user owns the wallet folder:
```
/oracle/apps/product/19.3.0.0/db/owm/wallets/oracle
```
Database: Oracle 19c on Linux 7
App Server: Windows Server 2016 with Oracle Client 12.1
Ali
(345 rep)
Dec 23, 2022, 06:34 PM
• Last activity: Dec 24, 2022, 12:47 PM
0
votes
1
answers
2839
views
logon denied for oracle wallet user
Following a video tutorial on Oracle wallets: https://youtu.be/LLZzUNb9ALU
The DB server is run from Oracle's official docker container.
The steps I have done are as follows:
1. On server shell, ran sql plus as sysdba:
   ```
   $ sqlplus / as sysdba
   ```
2. Created a user:
   ```sql
   SQL> alter session set "_ORACLE_SCRIPT"=true;
   SQL> CREATE USER fred identified by flintstone;
   SQL> GRANT CONNECT, RESOURCE, DBA to fred;
   ```
3. Tested logon:
   ```
   $ sqlplus fred/flintstone
   SQL> show user;
   User is "fred"
   ```
4. Created a wallet at default location: `$ORACLE_BASE/admin/$ORACLE_SID/wallet`
   ```
   $ orapki wallet create -wallet $ORACLE_BASE/admin/$ORACLE_SID/wallet -auto_login -pwd MyWalletPass
   ```
5. Created a wallet profile for user `fred`:
   ```
   $ mkstore -wrl $ORACLE_BASE/admin/$ORACLE_SID/wallet -createCredential $ORACLE_SID fred flintstone
   ```
6. Tried to login sqlplus:
   ```
   $ sqlplus /@$ORACLE_SID
   ```
This fails. Got the error `ORA-01017: invalid username/password; logon denied`
Not able to understand what's wrong. The final goal is to use this wallet for a nodejs application with external auth (node-oracledb). But I think if I can fix step 6 I should be able to use it from nodejs.
deostroll
(189 rep)
Jan 2, 2021, 03:57 PM
• Last activity: Apr 20, 2022, 06:27 AM
0
votes
1
answers
1343
views
How can I connect to an Oracle Autonomous Data Warehouse with a 3rd party IDE (DataGrip)?
I'm trying to connect to an Oracle Autonomous Data Warehouse database with Jetbrains DataGrip. Oracle provides me with a wallet file (a zip), which contains tnsnames.ora, a keystore, ojdbc.properties, and some other files.
I'm having a lot of trouble using this information to connect to the database using DataGrip. I found a thread on the DataGrip support forums, but I'm not having any luck with that either.
Jetbrains support thread: https://intellij-support.jetbrains.com/hc/en-us/community/posts/360001792539-Connect-with-Oracle-Cloud
Relevant Oracle documentation: https://docs.oracle.com/en/cloud/paas/autonomous-data-warehouse-cloud/adwud/connect-using-client-application.html
**What I did:**
1. Created the 'TNS_ADMIN' environment variable and set it to:
   ```
   C:\\Users\\xxx\\Documents\\[folder with wallet files]
   ```
2. Added the Oracle JDBC driver files (ojdbc8.jar, osdt_cert.jar, oraclepki.jar, osdt_core.jar) to the standard Oracle driver in DataGrip
3. Edited the 'sqlnet.ora' file to include the path to the wallet files
4. Added the following to the Data Source VM Options:
   ```
   -Doracle.net.tns_admin=C:\\Users\\xxx\\Documents\\[folder with wallet files]
   -Djavax.net.ssl.trustStore=truststore.jks
   -Djavax.net.ssl.trustStorePassword=[password]
   -Djavax.net.ssl.keyStore=keystore.jks
   -Djavax.net.ssl.keyStorePassword=[password]
   -Doracle.net.ssl_server_dn_match=true
   -Doracle.net.ssl_version=1.2
   ```
5. Set connection type to URL only
6. Tried different connection strings in the URL field:
   ```
   :oracle:thin:@//adb.eu-frankfurt-1.oraclecloud.com:1522/xxxxxx_adw1_high.adwc.oraclecloud.com?TNS_ADMIN=C:\\Users\\xxx\\Documents\\[folder with wallet files]
   :oracle:thin:@xxxxxx_adw1_high.adwc.oraclecloud.com?TNS_ADMIN=C:\\Users\\xxx\\Documents\\[folder with wallet files]
   :oracle:thin:@//adb.eu-frankfurt-1.oraclecloud.com:1522/mnr6yzqr22jgywm_adw1_high.adwc.oraclecloud.com
   ```
**Result:**
```
Connection to ADW1 failed.
IO Error: Got minus one from a read call, connect lapse 32 ms.,
Authentication lapse 0 ms.
```
I have also tried using the 'Service name' and 'TNS' connection types and filled in the info from tnsnames.ora. No dice, same error.
Also tried explicitly setting the 'tcp.validnode_checking' parameter to null.
(The connection works fine with sqldeveloper)
What's the proper way to do this?
honeybees
(103 rep)
Jan 25, 2020, 07:45 PM
• Last activity: Apr 27, 2021, 10:12 AM
1
votes
0
answers
101
views
Carry forwarding token wallet concept
I'm trying to create a **carry-forward wallet system**.
- Recharge part
  - I'm developing an app that has the carry forwarding token wallet concept. When a user recharges their wallet, an amount of the token will be credited to their wallet with an expiration date (suppose the expiration date will be 1 month).
  - If the user recharges their wallet compared to the amount of the new token before the expiration of their current token, it will add to the amount of the old token and extend the expiration date as well.
  - In between, whenever an action related to token deduction is performed, the code will check the expiration date before deducting the token.
I've already designed a database structure. Please have a look.
1. Order table to manage all token transactions.
token_order
```
+----+---------+------------+-----------+-----------+----------------+-------------+------------+--------+------------+-------------+
| id | user_id | order_date | sub_total | tax_total | discount_total | grand_total | ip_address | status | created_at | modified_at |
+----+---------+------------+-----------+-----------+----------------+-------------+------------+--------+------------+-------------+
| 1 | 20 | 2020-04-20 | 1000 | 100 | null | 1100 | 127.0.0.1 | 1 | 2020-04-20 | 2020-04-20 |
+----+---------+------------+-----------+-----------+----------------+-------------+------------+--------+------------+-------------+
```
2. Token_order and token_order_details are linked to fetch order information.
token_order_details
```
+----+----------------+-------------+-----------+------------+----------------+-----------------+---------------+-------------+--------+------------+-------------+
| id | token_order_id | token_price | token_qty | tax_amount | tax_percentage | discount_amount | purchase_date | expiry_date | status | created_at | modified_at |
+----+----------------+-------------+-----------+------------+----------------+-----------------+---------------+-------------+--------+------------+-------------+
| 2 | 1 | 10 | 100 | 100 | 10 | null | 2020-04-20 | 2020-05-20 | 1 | 2020-04-20 | 2020-04-20 |
+----+----------------+-------------+-----------+------------+----------------+-----------------+---------------+-------------+--------+------------+-------------+
```
3. This table connects the wallet with the respective user.
token_wallet_details
```
+----+-----------+-----------+-----------+-------------------------+------------+--------------------+------------+-------------+
| id | wallet_id | action_id | token_qty | transaction_description | ip_address | transaction_status | created_at | modified_at |
+----+-----------+-----------+-----------+-------------------------+------------+--------------------+------------+-------------+
| 1 | 1 | 1 | 1.5 | dummy description | 127.0.0.1 | success | 2020-04-20 | 2020-04-20 |
+----+-----------+-----------+-----------+-------------------------+------------+--------------------+------------+-------------+
```
4. This table holds the token deduction details.
token_wallet_details
```
+----+-----------+-----------+-----------+-------------------------+------------+--------------------+------------+-------------+
| id | wallet_id | action_id | token_qty | transaction_description | ip_address | transaction_status | created_at | modified_at |
+----+-----------+-----------+-----------+-------------------------+------------+--------------------+------------+-------------+
| 1 | 1 | 1 | 1.5 | dummy description | 127.0.0.1 | success | 2020-04-20 | 2020-04-20 |
+----+-----------+-----------+-----------+-------------------------+------------+--------------------+------------+-------------+
```
Am I going in the right direction with these tables and their fields to handle the things mentioned above?
Amiyo Ghosh
(11 rep)
Apr 21, 2020, 05:05 PM
• Last activity: Apr 21, 2020, 06:03 PM
0
votes
2
answers
304
views
Is it possible to limit connecting users to a schema from specific terminal or program?
I read about Oracle ACL, but at first sight, it doesn't look like it limits the access to a schema at terminal or program level. Is it even possible? I did experience such a limitation once. I was connecting by `sqlplus` from a unix box, the same box the application scripts were connecting from. Is it, perhaps, related to Oracle Wallet?
Goal:
I want to limit direct access to an application schema. I already enabled proxy access. However web application on localhost does access application schema, from the same host that I want to limit direct access through any IDE. Is it possible to limit connectivity to schema from the same machine, depending on what terminal, or program wants to connect?
Jakub P
(167 rep)
Apr 15, 2020, 09:26 AM
• Last activity: Apr 16, 2020, 03:22 AM
1
votes
2
answers
4088
views
How to pass Oracle Wallet auth to sh script?
I am running an Oracle DB update script that requires password. I have Oracle wallet installed. How to pass Oracle wallet to sh script so that I don't have to enter password when running the script?
I have my sqlnet.ora:
```
sqlnet.expire_time=60
sqlnet.inbound_connect_timeout=300
sqlnet.allowed_logon_version_server=10
sqlnet.allowed_logon_version_client=10
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /oracle/app/oracle/product/base19/19/network/admin/wallet)
    )
  )
SQLNET.WALLET_OVERRIDE = TRUE
SSL_CLIENT_AUTHENTICATION = TRUE
```
Credentials are correctly installed:
```
$ mkstore -wrl "/oracle/app/oracle/product/base19/19/network/admin/wallet" -listCredential
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
List credential (index: connect_string username)
1: SID USER PASSWORD
```
I am running a script update_sql.sh:
```
#!/bin/bash
sqlplus cobrball @release.sql
```
release.sql:
```
spool release.log;
exit;
```
Stepan
(213 rep)
Feb 27, 2020, 08:43 AM
• Last activity: Feb 27, 2020, 12:27 PM
2
votes
2
answers
15523
views
Information on Oracle MKSTORE utility for creating wallet
I'm looking for more information about the utility MKSTORE that can be used for creating and modifying a Wallet. I would like to know things like what the -createALO option is and what the difference is between -createSSO and CreateLSSO. A link to the information would be fine or a document number on MOS. My goal is to script the Wallet creation and am wondering if these options can help me in any way.
Leigh Riffel
(23884 rep)
Jan 10, 2011, 07:27 PM
• Last activity: Aug 1, 2018, 07:13 PM
-3
votes
1
answers
92
views
How to make it Secure?
I am building a website (a platform) which will have people communicate with each other, and there are bound to be money transactions.
The amount of money in each customer's account will be kept in the database. This can be redeemed by the customer at any time (i.e. the website is liable to pay back whatever balance amount is shown in the database).
Required details:
Database used: MongoDB
How do I keep my database and the transactions secure?
Is there a problem with storing the account balance in the database?
Are there better and more secure methods to store money in a database?
Are there any concerns I should be worried about?
Are there any steps or precautions to be implemented?
ADR
(1 rep)
Nov 30, 2017, 10:18 AM
• Last activity: Nov 30, 2017, 11:04 AM
1
votes
1
answers
1013
views
Oracle Wallet Error in Red Hat High Availability Resource
**Environment:** Running Red Hat 7.2, using Pacemaker 1.1.13-10.el7_2.2 and Corosync 2.3.4-7.el7_2.1 to implement cluster failover of an Oracle 12c Enterprise Edition Release 12.1.0.2.0 Database.
**Background:** When I start the database outside the cluster, everything works correctly and outside queries from other hosts can execute. The database has an encryption wallet which is set to auto-open, and which worked seamlessly before this problem cropped up.
**Problem:** When I add the oracle instance to the High Availability resource group, the instance starts up without any errors (that I can see). However, when outside connections are attempted from other hosts, the database responds
```
ERROR at line 1:
ORA-28365: wallet is not open
```
If I connect to the database on the host server and execute any queries, no errors are reported at the console, and the queries from remote hosts suddenly start to succeed again. The cluster then works fine until the resource fails over to another node, then the problem reappears with the same symptoms / temporary solution. The rejected queries cause trace files to be generated for the database SID containing:
```
kcbtse_get_tbskey: decrypting encrypted key for pdb 0 tablespace 6 without opening the wallet
kcbtse_get_tbskey: wallet is not opened (ts 0/6)
kcbtse_encdec_tbsblk: DIAG DUMP tsn 0/6 rdba 25165987, afn 6, mode 4
```
Has anyone seen this sort of issue before? What is missing from the HA environment that is present outside of HA?
Derek_6424246
(121 rep)
Mar 2, 2016, 11:10 PM
• Last activity: Oct 6, 2016, 04:23 PM
5
votes
2
answers
24898
views
Oracle Wallet Setup ORA-12578
I am having trouble setting up the Oracle Wallet on a new box connecting to a new database. I have added the following lines to my SQLNET.ORA:
```
SQLNET.WALLET_OVERRIDE = TRUE
WALLET_LOCATION = (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=c:\oracle\Wallet))
```
The wallet is created without error, the credentials added, and I can list the credentials back from the wallet without a problem, but when I go to use them I get an ORA-12578 as follows:
```
C:\oracle\Wallet>sqlplus /@MYDB
SQL*Plus: Release 11.2.0.1.0 Production on Mon Oct 31 16:57:53 2011
Copyright (c) 1982, 2010, Oracle. All rights reserved.
ERROR:
ORA-12578: TNS:wallet open failed
```
I am on a 64 bit box using the 32 bit 11.2 client to connect to a 64 bit 11.2 database. Logging in without the wallet works fine. The error message indicates that I should turn tracing on. I have done so, but don't see anything obvious. Does anyone have a suggestion before I contact Oracle support?
Leigh Riffel
(23884 rep)
Oct 31, 2011, 09:11 PM
• Last activity: Sep 5, 2016, 09:04 PM
1
votes
2
answers
12955
views
Wallet open failed
I have an Oracle server installed on one machine and an Oracle client on another machine. I have created a wallet using these commands:
```
C:\Users\MRBULL93>mkstore -wrl C:\VideoWallet -create
C:\Users\MRBULL93>mkstore -wrl C:\VideoWallet -createCredential kejvidoko SYSTEM
```
I also changed the sqlnet.ora file as follows:
```
# sqlnet.ora Network Configuration File: C:\app\MRBULL93\product\11.2.0\client_1\network\admin\sqlnet.ora
# Generated by Oracle configuration tools.
# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.
SQLNET.AUTHENTICATION_SERVICES= (NTS)
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
WALLET_LOCATION =
  (SOURCE =
    (METHOD=FILE)
    (METHOD_DATA =
      (DIRECTORY =C:\VideoWallet)
    )
  )
SQLNET.WALLET_OVERRIDE = TRUE
```
========================================================
I can modify the password using cmd and I can also open it with Wallet Manager, but when I call it
```
SQLPLUS /@kejvidoko
```
I get the following message
> ERROR: ORA-12578: TNS:wallet open failed
Can someone tell me how I can fix this?
MRBULL93
(13 rep)
May 1, 2014, 06:52 PM
• Last activity: Dec 7, 2015, 11:47 AM
2
votes
1
answers
4485
views
Recover encrypted Oracle database
A client fired their DBA. He used OWM to add a wallet to their Oracle database and secure a few necessary columns of tables that they need. I can see the wallet using:
```
orapki wallet display -wallet /opt/oracle/home/owm/root
```
I do not know the password. The ex-employee will not divulge the password. With root access to the system, is it possible to remove the wallet or change the wallet's password?
NOTE: Not part of this problem, but for reference... Oracle Support told the client they are out of luck. I told them they are out of luck. They want a third (and fourth (and fifth)) opinion.
kainaw
(1404 rep)
Aug 20, 2013, 05:57 PM
• Last activity: Aug 20, 2013, 09:57 PM
2
votes
1
answers
1295
views
How to configure so the Oracle wallet password can be authenticated with a web based Oracle application?
Does anyone know how to configure it so that the Oracle wallet password can be authenticated with a web based Oracle application?
I’m trying to make secure LDAP connections with an Oracle web based application with secure ports. This requires that the application’s source code be able to authenticate against the Oracle wallet password. I am using ONLY the HTTP portion of Oracle Fusion 11.1 to serve these Oracle web pages. The wallet has been created and the certificates are in place and working.
When we used the Oracle 10g HTTP server we would just make an entry in the SSL.conf file;
SSLWalletPassword encrypted or unencrypted Wallet password .
But when I try it with Oracle Fusion 11.1, the HTTP server won’t start. I tried several versions of the above, but none worked. I also tried to solve the problem by modifying the opmn.xml file and changed the script to;
But that didn’t work either. When we try to authenticate with secure LDAP ports our web applications fail.
Does anyone have any ideas how to enable this with the HTTP portion of Oracle Fusion 11.1? Thanks.
Kirk
> Edited to add more information per
> [here](http://www.dba-village.com/village/dvp_forum.OpenThread?ThreadIdA=45555&DestinationA=RSS)
> ~ Richard
I'm quite certain that I created the wallet correctly and that the certificates are correct. I've done it before, though not with Fusion 11.
I'm really starting to suspect there are network denial or port issues. I do a `Utl_Http.Get_Detailed_Sqlerrm` and will get an `ORA-24247: network access denied by access control list (ACL)...` message.
But the system guys say that all necessary ports are opened and access is okay. But I can make an entry in the DADs.conf file to "point" to another schema on another server (though 10G) and I have no "can't open wallet" issues.
Kirk
(21 rep)
Jul 27, 2011, 08:59 PM
• Last activity: Nov 17, 2011, 01:30 AM
4
votes
1
answers
7854
views
Can a Wallet be used with SQL Developer? How?
I have a Wallet configured and working fine for SQLPlus. Is there a way to make it work with SQL Developer?
Leigh Riffel
(23884 rep)
Jan 4, 2011, 03:40 PM
• Last activity: Jan 5, 2011, 02:54 PM
Showing page 1 of 17 total questions