Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Setting up TCPS (TCP With SSL) - Oracle Wallet Manager

From: Frank van Bortel <frank.van.bortel_at_gmail.com>
Date: Mon, 21 Aug 2006 21:11:17 +0200
Message-ID: <ecd07p$2gq$1@news2.zwoll1.ov.home.nl>


dbaplusplus_at_hotmail.com wrote:
> I am using Oracle 9.2.0.5 with Advanced Security Option. I have Oracle
> 9i client installed on a Windows Server 2000 and my database runs on HP
> UNIX 11i. Versions for client and server are the same.
>

Odd - why install client-only s/w on a server?

> I setup Wallet using Oracle Wallet Manager with Auto Login feature.
> Everything works great as long as I run Oracle's commands such as
> sqlplus using the same OS Login which I had used to create Oracle
> Wallet. When I logon as something else and connect to database, I get
> following error as.

With 'logon as something else' you mean the Windows account?
>
> ORA-28786: Decryption of encrypted private key failed Marker => 1.3

<sarcasm>
No problem, I looked it up for you:
[oracle9_at_csdb01 oracle9]$ oerr ORA 28786
28786, 00000, "Decryption of encrypted private key failed"
// *Cause:  Use of incorrect password for decryption.
// *Action: Type in the correct password.
</sarcasm>

Do you really think a wallet can be used by anybody?

> I have read various Oracle documents, they all seem to indicate that
> one should run Oracle commands from the same os login which was used to
> create wallet. This is really annoying because I have many os logins
> who want to use tcps. I have several questions:

Ah - you seem to get the idea...
Oh no you don't - now you are mixing up secure tcp and os logins.

>
> 1.Instead of using Auto Login, is there a way to supply a wallet
> password as environment variable, then I can set environment variable
> in .profile (UNIX) or environments setting (on Windows). If it is
> possible, will this solution work? I am not using Oracle's http
> server or application server. I am only using Oracle Database Server
> and Oracle Client.

Ehm... I think, what you want is many people to log on to your server, using the same account, taken from one and the same wallet.

If so, use one logon for your server. If not, create wallets for every account. You could script that.

>
> 2. If I were to set Oracle Wallet's for multiple users, I am assuming
> I have to set them in different directories/folders and then set
> different sqlnet.ora and tnsnames.ora, so different TNS_ADMIN which is
> really really annoying. Is there an easier way?

Nothing annoying about that - what do you think logon scripts are for? Use that to set the individual environments for Oracle as well.

>
> 3. On Windows I ran Oracle Wallet Manager using my admin account (e.g
> myadmin) which is a member of Administrators group. But when, I try to
> connect to database using tcps from applications which run using
> LocalSystem account, they all give ORA-28786 error. I know applications
> which run as services, one can change them to run as myadmin, but I
> have some applications which do not run as services.

How many times must it be repeated: Oracle installations on Windows should be done using a *local* account.

[OT] Bob Dylan pops to mind: the answer is blowowowowing in the wind. [/OT]

If you read the answers above, do you still think the error is unreasonable?

>
> How do I install (run Oracle Wallet Manager in particular), so wallet is
> created for LocalSystem account. Which Windows Os Login I have to logon
> as to run Oracle Wallet Manager commands.

BSOFH: That's #4
>
> Thanks a lot. Please answer all the three questions.
>

How about giving all your clients a secure 9i client install, and forget about the man-in-the-middle Win server? I hope you at least tunnel VPN into that Windows server?

-- 
Regards,
Frank van Bortel

Top-posting is one way to shut me up...
Received on Mon Aug 21 2006 - 14:11:17 CDT
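
Added example, not part of the original post: a sketch of the per-account setup the reply suggests for UNIX logins, where a logon script gives each OS account its own TNS_ADMIN and a sqlnet.ora pointing at a wallet that account created itself. The directory layout under $HOME/oracle, the function names and the owner/mode checks are assumptions added here; WALLET_LOCATION and the cwallet.sso auto-login file name are standard Oracle Net names.

```shell
#!/bin/sh
# Added example: per-account Oracle Net setup for a UNIX logon script.
# Assumed (hypothetical) layout: <base>/network for sqlnet.ora and
# tnsnames.ora, <base>/wallet for the wallet this account created itself.

# Refuse wallets that are missing, owned by another account, lack the
# auto-login file, or are reachable by group/other.
check_wallet() {
    cw_dir=$1
    [ -d "$cw_dir" ] || { echo "no wallet directory: $cw_dir" >&2; return 1; }
    [ -O "$cw_dir" ] || { echo "wallet not owned by $(id -un)" >&2; return 2; }
    [ -f "$cw_dir/cwallet.sso" ] || { echo "no auto-login wallet (cwallet.sso)" >&2; return 3; }
    cw_mode=$(ls -ld -- "$cw_dir" | cut -c5-10)   # group and other bits
    [ "$cw_mode" = "------" ] || { echo "wallet directory mode too open" >&2; return 4; }
}

# Write a sqlnet.ora that points this account at its own wallet.
write_sqlnet_ora() {
    ws_admin=$1
    ws_wallet=$2
    mkdir -p "$ws_admin" || return 1
    printf '%s\n' \
        'WALLET_LOCATION =' \
        '  (SOURCE = (METHOD = FILE)' \
        "    (METHOD_DATA = (DIRECTORY = $ws_wallet)))" \
        > "$ws_admin/sqlnet.ora"
}

# Call from .profile: checks the wallet, then exports TNS_ADMIN.
setup_oracle_env() {
    so_base=${1:-$HOME/oracle}
    check_wallet "$so_base/wallet" || return $?
    write_sqlnet_ora "$so_base/network" "$so_base/wallet" || return 1
    TNS_ADMIN=$so_base/network
    export TNS_ADMIN
}

# Usage in ~/.profile (after sourcing this file):
#   setup_oracle_env || echo "TCPS environment not configured" >&2
```

Because each account sources the same script but resolves its own $HOME, no account ever reads a wallet created under a different OS login.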
