Bug 200406 - Keyring implementation based on Oracle Wallet
Keyring implementation based on Oracle Wallet
Status: RESOLVED FIXED
Product: platform
Classification: Unclassified
Component: Options&Settings
7.0
All All
: P3 (vote)
: 7.1
Assigned To: Jesse Glick
issues@platform
: PLAN
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2011-07-27 00:01 UTC by Jesse Glick
Modified: 2011-07-27 16:45 UTC (History)
1 user (show)

See Also:
Issue Type: ENHANCEMENT
:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jesse Glick 2011-07-27 00:01:44 UTC

    
Comment 1 Jesse Glick 2011-07-27 00:04:05 UTC
Will create a module for it in main, but will just put it in the experimental cluster to start with.
Comment 2 Jesse Glick 2011-07-27 00:08:40 UTC
core-main #1f41569f0c53
Comment 3 Quality Engineering 2011-07-27 14:07:18 UTC
Integrated into 'main-golden'
Changeset: http://hg.netbeans.org/main-golden/rev/1f41569f0c53
User: Jesse Glick <jglick@netbeans.org>
Log: #200406: Keyring implementation based on Oracle Wallet
Comment 4 Jesse Glick 2011-07-27 16:45:57 UTC
How to test:

1. Install JDeveloper 11g (11.1.1.5.0) Studio Edition and opt for a "complete" installation. Not sure if you need to include WebLogic, but I did. The relevant files are actually not in the JDev/ADF subdir but in "Common Infrastructure Engineering".

2. Run the IDE and install the "Oracle Wallet Integration" plugin from dev AU.

3. In Tools > Options > Miscellaneous > Oracle Wallet, enter the paths for "JPS Config File" and "JPS Implementation" according to the examples, to be found beneath the JDev root install dir.

4. Restart the IDE (in case you have accessed the standard OS keyring already).

5. Do something requiring keyring access, e.g. logging in to nb.org Bugzilla.

6. Shut down and start up again and verify that the password from the previous session was remembered.

I tried to at least view the resulting wallet using Oracle Wallet Manager (product/11.2.0/dbhome_1/bin/owm in an 11gR2 database installation), but it simply refused to open it, for no clear reason. It would only open the wallet in the default location (which I was unable to make JPS write to). 'sh oracle_common/bin/orapki wallet display -wallet oracle_common/modules/oracle.jps_11.1.1/domain_config/cwallet.sso' does however seem to work.

Regarding level of security: the cwallet.sso does not appear to contain any information in cleartext. However no password is required to read and write it using the JPS API (nor is there any apparent place in that API where a master password would be accepted). http://www.oracle.com/technetwork/database/focus-areas/security/tde-faq-093689.html#A13016 claims that "Oracle Database 11g Release 2 introduced the local auto-open wallet, which only opens automatically on the server it was created on"; a different kind of file "ewallet.p12" is apparently created when you do not use auto-login, but JPS appears to ignore these. When I ran 'chmod -R go+w oracle_common/modules/oracle.jps_11.1.1/domain_config' and ran the orapki display command using another user ID, it still succeeded; indeed that succeeded even without write permission, or from a Linux console with no environment variables from my regular login. While that command does not display actual passwords, it does display the keys, so apparently the wallet is merely obfuscated and can be opened just by using Unix read permissions, unlike OS keyrings which are tied to the login session. http://www.art2dec.com/documentation/docs/fmw11g1114documentation/core.1111/e10105/wallets.htm#CIHHAHHF backs up this assessment. Therefore I would not consider this keyring mode to provide an acceptable level of security for most users, unless some way can be found to access an encrypted wallet from JPS - unlocked either transparently from the login session, or via explicit password entry in the IDE (as with the existing fallback "master password encryption").


By use of this website, you agree to the NetBeans Policies and Terms of Use. © 2012, Oracle Corporation and/or its affiliates. Sponsored by Oracle logo