Wallet / ACL / Network Access

From dbawiki
Jump to: navigation, search

Nice, clear example found on AskTOM

Create a wallet[edit]

mkdir /home/oracle/wallet
orapki wallet create -wallet /home/oracle/wallet -pwd MyWallePassword999 -auto_login
orapki wallet add    -wallet /home/oracle/wallet -trusted_cert -cert /tmp/cert1.cer -pwd MyWallePassword999
orapki wallet add    -wallet /home/oracle/wallet -trusted_cert -cert /tmp/cert2.cer -pwd MyWallePassword999
orapki wallet add    -wallet /home/oracle/wallet -trusted_cert -cert /tmp/cert3.cer -pwd MyWallePassword999

Create an ACL[edit]

begin
    dbms_network_acl_admin.create_acl ( acl          => 'utl_http.xml'
                                      , description  => 'my acl'
                                      , principal    => 'MCDONAC'
                                      , is_grant     => TRUE
                                      , privilege    => 'connect'
                                      , start_date   => null
                                      , end_date     => null
                                      );
    commit;
end;
/

Add privilege to ACL[edit]

begin
    dbms_network_acl_admin.add_privilege ( acl         => 'utl_http.xml'
                                         , principal   => 'MCDONAC'
                                         , is_grant    => false
                                         , privilege   => 'connect'
                                         , position    => null
                                         , start_date  => null
                                         , end_date    => null
                                         );

    commit;
end;
/

Open the wallet and use UTL_HTTP to retrieve a web page[edit]

set serverout on
declare
    l_url            varchar2(100) := 'https://www.litle.com/';
    l_req            utl_http.req;
    l_result         utl_http.resp;
    l_data           varchar2(32767);
begin
    utl_http.set_wallet('file:/home/oracle/wallet', 'MyWallePassword999');
    l_req    := utl_http.begin_request(l_url);
    l_result := utl_http.get_response(l_req);

    begin
        loop
            utl_http.read_text(l_result, l_data, 1000);
            dbms_output.put_line (l_data);
        end loop;
    exception
    when utl_http.end_of_body then
        utl_http.end_response(l_result);
    end;
end;
/

Configure Fine-Grained Access to External Network Services[edit]

Oracle Database 11g Release 1 (11.1) includes fine-grained access control to the UTL_TCP, UTL_SMTP, UTL_MAIL, UTL_HTTP, or UTL_INADDR packages using Oracle XML DB.
If you have applications that use one of these packages, you must install Oracle XML DB if it is not already installed.
You must also configure network access control lists (ACLs) in the database before these packages can work as they did in prior releases.

The following example first looks for any ACL currently assigned to host_name.
If one is found, then the example grants user_name the CONNECT privilege in the ACL only if that user does not already have it.
If no ACL exists for host_name, then the example creates a new ACL called ACL_name, grants the CONNECT privilege to user_name, and assigns the ACL to host_name. 

DECLARE
    acl_path  VARCHAR2(4000);
BEGIN
    SELECT acl INTO acl_path 
    FROM   dba_network_acls
    WHERE  host       = 'host_name'
    AND    lower_port IS NULL
    AND    upper_port IS NULL;
    IF DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE(acl_path, 'user_name', 'connect') IS NULL THEN
        DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(acl_path, 'user_name', TRUE, 'connect');
    END IF;
EXCEPTION
WHEN no_data_found THEN
    DBMS_NETWORK_ACL_ADMIN.CREATE_ACL('ACL_name.xml', 'ACL description', 'user_name', TRUE, 'connect');
    DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL('ACL_name.xml','host_name');
END;
COMMIT;
Retrieved from "https://mailnest.com/dbawiki/index.php?title=Wallet_/_ACL_/_Network_Access&oldid=2719"