Recently I’ve setup Oracle Enterprise User Security (EUS) with Oracle Unified Directory (OUD) on my favorite linux test system. Among regular 11.2.0.4 and 12.1.0.2 databases I do also have a 12.1.0.2 Container Database. EUS work like a charm on the regular databases but not on the PDB.
SQL> conn soe Enter password: ERROR: ORA-28305: WALLET_LOCATION in sqlnet.ora file for container database is not supported. Warning: You are no longer connected to ORACLE.
The error seems to be a bit weird. So fare I’ve explicitly set the wallet location to make sure the wallet it somewhere I decided. I have a shared sqlnet.ora
file, where I use $ORACLE_SID
in the path for the different instances. An excerpt from my sqlnet.ora
file
... WALLET_LOCATION = (SOURCE = (METHOD = File) (METHOD_DATA = (DIRECTORY = /u00/app/oracle/admin/$ORACLE_SID/wallet))) ENCRYPTION_WALLET_LOCATION= (SOURCE= (METHOD=FILE) (METHOD_DATA= (DIRECTORY=/u00/app/oracle/admin/$ORACLE_SID/tde_wallet/))) ...
The action described for the Oracle Error Message ORA-28305 is clear. Remove WALLET_LOCATION from sqlnet.ora
to use EUS also for Container Databases.
SQL> conn soe Enter password: Connected. SQL> @sousrinf Database Information -------------------- - DB_NAME : TDB12C - DB_DOMAIN : - INSTANCE : 1 - INSTANCE_NAME : TDB12C - SERVER_HOST : o-sec - Authentification Information ---------------------------- - SESSION_USER : C##SOE - PROXY_USER : - AUTHENTICATION_METHOD : PASSWORD - IDENTIFICATION_TYPE : GLOBAL SHARED - NETWORK_PROTOCOL : - OS_USER : oracle - AUTHENTICATED_IDENTITY: SOE - ENTERPRISE_IDENTITY : cn=soe,cn=Users,dc=trivadistraining,dc=com - Other Information ----------------- - ISDBA : FALSE - CLIENT_INFO : - PROGRAM : sqlplus@o-sec (TNS V1-V3) - MODULE : SQL*Plus - IP_ADDRESS : - SID : 39 - SERIAL# : 47117 - SERVER : DEDICATED - TERMINAL : pts/6 PL/SQL procedure successfully completed.
The corresponding Oracle Bug 17758886 has been rejected as “not a Bug”. Oracle® Database Net Services Reference 12c Release 1 (12.1) WALLET_LOCATION does not mention PDB’s. There is only some information in the Oracle® Database Reference 12c Release 1 (12.1) Using LDAP_DIRECTORY_ACCESS with PDBs.
Conclusion
It seems, that with PDB’s it is not possible to explicitly set a wallet location. If the default location is not appropriate for your database environment, you have to use soft links use an alternative location for your wallet.
By the way, the wallet for TDE or for Secure External Password Store (SEPS) is not affected. You may still set WALLET_LOCATION for SEPS or ENCRYPTION_WALLET_LOCATION for TDE.
References
Some links related to this topic.
- Oracle® Database Error Messages 12c Release 1 (12.1) ORA-28305
- Oracle® Database Reference 12c Release 1 (12.1) Using LDAP_DIRECTORY_ACCESS with PDBs
- Bug 17758886 ENABLING EUS FOR PDB BREAKS SSL CLIENT-SERVER CONNECTIVITY
- How to configure SEPS for the pluggable databases [1980698.1]
If time permits, I’ll write a few blog post about setting up and configuring EUS with OUD.