Monday 11 February 2019

Someone on the DBA-Village forum asked how to protect the username and password used to connect to the RMAN catalog database. Since I'm strongly against using remote OS authentication (REMOTE_OS_AUTHENT=TRUE) in a real-life production environment, I would choose an Oracle Wallet (the secure external password store) for storing the credentials used to connect to the RMAN catalog.

Note: With the Oracle Wallet implementation we rely on file system permissions to protect our wallet; it's not perfect, but I'm happy to accept this "risk" instead of the (in my humble opinion) much riskier approach of remote OS authentication. Anyone with read access to a wallet that has the auto-login feature turned on can connect as the user stored in the wallet without a password! The approach described in this post should be used seldom and with care.

Here is a mini how-to (I was using Windows 10 and Oracle 12c):

###########################################
1) Create Oracle wallet
- the result of this step is directory D:\oracle\rmancat_wallet
  with two files: cwallet.sso (the auto-login wallet, readable without
  the wallet password) and ewallet.p12 (the password-protected PKCS#12 wallet).
###########################################
 
cmd> mkstore -wrl D:\oracle\rmancat_wallet -create
Enter password: mysecret
 
PASSWORD_POLICY : Passwords must have a minimum length of eight characters and
contain alphabetic characters combined with numbers or special characters.
Enter password: mysecret1
 
Enter password again: mysecret1
 
 
####################################################
2) Add the database user credentials to this wallet
ora11   .... TNS alias for the RMAN catalog database (the wallet key)
rmancat .... database user
test    .... password for rmancat
####################################################
 
mkstore -wrl D:\oracle\rmancat_wallet -createCredential ora11 rmancat test
 
Enter wallet password:
 
Create credential oracle.security.client.connect_string1
 
 
#######################################
3) Configure sqlnet.ora on the client side
#######################################
 
WALLET_LOCATION = (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=D:\oracle\rmancat_wallet)))
SQLNET.WALLET_OVERRIDE = TRUE
 
########################################
4) Test connection
########################################
 
D:\ORACLE>sqlplus /@ora11
 
SQL*Plus: Release 11.1.0.6.0 - Production on Čet Jul 10 13:58:00 2008
 
Copyright (c) 1982, 2007, Oracle.  All rights reserved.
 
 
Connected to:
Oracle Database 11g Enterprise Edition Release 11.1.0.6.0 - Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining,
Oracle Database Vault and Real Application Testing options
 
SQL> show user
USER is "RMANCAT"
 
########################################
5) Additional security checks
########################################
 
I would recommend keeping sqlnet.ora and tnsnames.ora separate
from the common Oracle home; for example, copy both files into
the wallet directory (in our example D:\oracle\rmancat_wallet).
Make sure that only the user executing the RMAN backup has read permission on this
directory. By default Oracle tightens permissions only on the files
cwallet.sso and ewallet.p12, leaving the directory permissions to be inherited from
the parent (at least that's the case on Windows, I'm not sure about Linux/Unix)!
   
Don't forget to set the environment variable TNS_ADMIN to your wallet
directory at the beginning of the backup script; otherwise the sqlnet.ora
in the Oracle home is used and the wallet is never consulted.
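The following backup script is an added example (not code from the original post) that puts steps 3 to 5 together before calling RMAN: it refuses to run if the wallet directory ACL still carries inherited entries, sets TNS_ADMIN to the wallet directory, probes the stored credential with SQL*Plus and then connects RMAN to the catalog with the wallet. Everything in it that is not in the post is an assumption: the local service account BACKUPSVC, the helper names, and that sqlnet.ora and tnsnames.ora were already copied into the wallet directory. The alias ora11 is the one used throughout the post.

```powershell
# rman_wallet_backup.ps1 -- added example, not from the original post.
# Assumptions (not in the post): backups run as the local account BACKUPSVC,
# the catalog alias is ora11, and sqlnet.ora/tnsnames.ora live in $WalletDir.

$WalletDir  = 'D:\oracle\rmancat_wallet'
$CatalogTns = 'ora11'
$BackupUser = "$env:COMPUTERNAME\BACKUPSVC"          # assumed service account
# Identities allowed to hold an ACE on the wallet directory. Anything else
# (typically BUILTIN\Users inherited from D:\) is a finding.
$AllowedIdentities = @($BackupUser, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Get-UnexpectedWalletAces {
    param([string]$Path, [string[]]$Allowed)
    # Returns the Allow ACEs granted to identities outside the allow list.
    $acl = Get-Acl -Path $Path
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $Allowed -notcontains $_.IdentityReference.Value
    }
}

function Protect-WalletDir {
    param([string]$Path, [string]$User)
    # Remove inherited ACEs and grant explicit rights only: the backup account
    # needs read on the directory and its files (the auto-login wallet is only
    # read at backup time); SYSTEM and Administrators keep full control.
    & icacls $Path /inheritance:r `
        /grant:r "${User}:(OI)(CI)R" `
        /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
        /grant:r 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path" }
}

# Step 5: refuse to run while the wallet directory is readable by anyone else.
$stray = Get-UnexpectedWalletAces -Path $WalletDir -Allowed $AllowedIdentities
if ($stray) {
    $stray | ForEach-Object {
        Write-Warning ("Unexpected ACE on {0}: {1} {2}" -f $WalletDir, $_.IdentityReference, $_.FileSystemRights)
    }
    throw "Wallet directory ACL is too permissive; run Protect-WalletDir (or fix it by hand) first."
}

# Step 5: use the private sqlnet.ora/tnsnames.ora next to the wallet, not the
# copies in the Oracle home.
$env:TNS_ADMIN = $WalletDir

# Step 4: probe the wallet credential with SQL*Plus before starting the backup.
$probe = 'SELECT USER FROM dual;' | & sqlplus -S -L "/@$CatalogTns" | Out-String
if ($LASTEXITCODE -ne 0 -or $probe -notmatch 'RMANCAT') {
    throw "Wallet login to $CatalogTns failed:`n$probe"
}

# The target connects with OS authentication on the local server (the backup
# account must be a member of ORA_DBA); the catalog connects with the wallet
# credential, so no password appears in the script or in the process list.
$rmanCommands = @"
BACKUP DATABASE PLUS ARCHIVELOG;
EXIT;
"@
$rmanCommands | & rman target / catalog "/@$CatalogTns"
if ($LASTEXITCODE -ne 0) { throw "RMAN returned exit code $LASTEXITCODE" }
```

The script deliberately does not repair the ACL itself: a backup job that silently rewrites permissions hides the fact that someone loosened them. Run Protect-WalletDir once by hand (as an administrator) after creating the wallet, and let the scheduled job fail loudly if the directory ever becomes readable to other accounts again.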
 
 
##############################
6) Various handy commands
##############################
 
>> ------------------------------
>> List the content of the Wallet
>> ------------------------------
 
cmd> mkstore -wrl D:\oracle\rmancat_wallet -listCredential
 
Enter wallet password:
 
List credential (index: connect_string username)
1: ora11 rmancat
 
>> -------------------------------------------------
>> Modify credential stored in the wallet
>> -------------------------------------------------
 
cmd> mkstore -wrl D:\oracle\rmancat_wallet -modifyCredential ora11 rmancat newpassword
 
Enter wallet password: mysecret1
 
Modify credential
Modify 1
 
>> -----------------------------------
>> Deleting credential from the wallet
>> -----------------------------------
 
cmd> mkstore -wrl D:\oracle\rmancat_wallet -deleteCredential ora11
 
Enter wallet password:
 
Delete credential
Delete 1
 
>> ------------------------------------
>> Adding credential
>> ------------------------------------
 
Remember, the wallet is keyed by the connect string, so you can have only ONE user per TNS alias stored in the wallet. If you need to store two users (schemas) for one database, you'll have to use two wallets, or define a second TNS alias in tnsnames.ora that resolves to the same database and store the second credential under that alias.
 
For example, this is possible:
 
> mkstore -wrl D:\oracle\rmancat_wallet -createCredential ora11 rmancat test
> mkstore -wrl D:\oracle\rmancat_wallet -createCredential ora12 scott tiger
 
If you try to add a second account for the same TNS alias, you'll get an error:
 
> mkstore -wrl D:\oracle\rmancat_wallet -createCredential ora12 scott2 tiger
 
Create credential Secret Store error occured:
oracle.security.pki.OracleSecretStoreException: Credential already exists
 
In this case you'll need to create a new wallet for scott2 (or a second TNS alias for the same database).
