A Note About Oracle Wallets
Did you know that if the auto-login feature is enabled for an Oracle wallet, only the user who saved the wallet can re-open it?
It's a documented security feature.
I discovered this while upgrading a customer from Oracle Application Server 10g 9.0.4 to 10.1.2. I needed to open the existing wallet to add trusted root certificates for our smart-card login module (more about DOD smart cards and root certificates in the next post).
The user account we used to create and save the wallet over a year ago no longer existed due to a Windows Active Directory reorganization on the customer's network.
The only solution was to order new certificates for the application servers. Luckily, the DOD PKI folks developed an easy-to-use web site that turns around authorized requests in less than an hour (finding the person who can authorize the request for an organization is another matter).
To prevent this from happening again, we saved a copy of the wallet with the auto-login feature disabled in a safe location outside of the Oracle home. Since most Oracle Application Server upgrades require a complete wipe of the old version and a fresh installation of the new version, this also prevents the accidental deletion of a wallet.
I don't know what a commercial certificate costs, but I bet they're not cheap. Hope this saves somebody some money down the road.