Skip to end of metadata
Go to start of metadata


  • Usually a user name and password are specified when connecting to a database.

  • Such configurations are considered being insecure as the passwords are stored in clear text in external files or in job parameters.
  • The Oracle Wallet® provides a means to connect to a database without specifying user and password.

Oracle Wallet


The Oracle Wallet® configuration is described in the Oracle documentation:

Using Oracle Wallet® for JobScheduler Master and JOC Cockpit


JobScheduler Master and JOC Cockpit connect to the Oracle database without specifying a database account and password, instead the run-time account of the components is used.

  • Consider to use hibernate files when running the installer instead of specifying the account/password with the installer response files jobscheduler_install.xml and joc_install.xml.
    • The hibernate configuration should look like this:
      • <?xml version="1.0" encoding="UTF-8" standalone="no"?>
        <property name="hibernate.connection.driver_class">oracle.jdbc.driver.OracleDriver</property>
        <property name="hibernate.connection.password"></property>
        <property name="hibernate.connection.url">jdbc:oracle:thin:/@jobscheduler</property>
        <property name="hibernate.connection.username"></property>
        <property name="hibernate.dialect">org.hibernate.dialect.Oracle10gDialect</property>
        <property name="hibernate.show_sql">false</property>
        <property name="hibernate.connection.autocommit">false</property>
        <property name="hibernate.format_sql">true</property>
        <property name="hibernate.temp.use_jdbc_metadata_defaults">false</property>
    • Consider that empty elements are used for the account and password. Do not delete the respective elements from the hibernate configuration file.
    • The above example specifies the URL jdbc:oracle:thin:/@jobscheduler that indicates that the database alias name jobscheduler is configured with your tnsnames.ora file.
    • Alternatively the database connect string can be specified directly with the URL like this:
      • jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=minos.sos)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=jobscheduler)))
      • The above connect string specifies the database host minos.sos listening on port 1521 running a database jobscheduler.
      • When using the above URL syntax then no tnsnames.ora file is used.
  • Configure the location of the Oracle Wallet® by use of a Java define like this: This setting should point to the directory where the wallet files of the JobScheduler's run-time account are stored.
    • For JobScheduler Master
      • specify the Java define with the environment variable JAVA_OPTIONS before running the installer, e.g.
      • alternatively activate/modify the options setting in the [java] section of the ./config/factory.ini file like this:
        options = ...
    • For JOC Cockpit
      • specify the Java define with the jettyOptions setting of the installer response file joc_install_xml like this:
        <entry key="jettyOptions" value=""/>
      • alternatively create/modify the /etc/default/joc file to include the JAVA_OPTIONS environment variable like this:


  • No Oracle Client installation is used, however, you might need an Oracle Client to set up and to configure the Oracle Wallet®.
    • Typical commands to create a wallet include e.g.:
      • # create wallet in a directory that is accessible to the JobScheduler run-time account assumed to be "jobscheduler"
        mkstore -wrl /home/jobscheduler/wallet -create
        # add credentials to wallet; specify entry key, database account and password
        mkstore -wrl /home/jobscheduler/wallet/ -createCredential jobscheduler some_account some_password
    • Consider that the mkstore command will add the location of the wallet to your sqlnet.ora configuration file.
      • This file is used e.g. by SQLPlus and therefore allows e.g. to execute: sqlplus /@jobscheduler by specifying the entry key for tnsnames.ora and sqlnet.ora
      • This file is not considered when using the Oracle JDBC Driver, therefore the above Java define has to be used.
  • JobScheduler makes use of the Oracle JDBC Driver:
    • Check the Oracle JDBC Driver version that ships with the JobScheduler release, see Which Database Management Systems are supported by JobScheduler? A newer Oracle JDBC Driver might be available for download as the Open Source JobScheduler might not be bundled with the latest Oracle JDBC Driver.
    • Oracle JDBC Drivers that ship for release 18c of the DBMS are reported to work. Previous JDBC Driver releases as e.g. 12c are reported not to work with Oracle Wallet® when used by JobScheduler.
  • The following Oracle Java libraries are required that should match the version of the Oracle JDBC Driver.
    • The .jar files are available from an Oracle Client installation and that are offered by Oracle for download:
      • $ORACLE_HOME/jlib/oraclepki.jar
      • $ORACLE_HOME/jlib/osdt_cert.jar
      • $ORACLE_HOME/jlib/osdt_core.jar
    • Store the libraries in the ./lib/user_lib directory of our JobScheduler Master and JOC Cockpit installation path respectively.

Using Oracle Wallet® for Jobs


Once Oracle Wallet® is configured for the account that will trigger the jobs, the account is able to connect to an Oracle database without password specification, e.g. by using sqlplus /@db11g


Prerequisites to execute SQL*Plus with Oracle Wallet® on Linux:

  1. Oracle client installed
  2. Environment variables being set: ORACLE_HOME, LD_LIBRARY_PATH=$ORACLE_HOME/lib, TNS_ADMIN

Prerequisites to execute shell scripts from JobScheduler Master that call SQL*Plus with Oracle Wallet®:

  1. Copy declaration and initialization with export of the environment variables to the script ./user_bin/
    • ORACLE_HOME=/some_location
    • This script is executed on JobScheduler start in the context of the user account that JobScheduler is operated for. The environment variables are forwarded to subsequent jobs.
  2. Restart JobScheduler


  • The Oracle Wallet® cannot be copied to other servers or to other accounts, it should be configured separately per each environment.
  • The same mechanism is available for JobScheduler Agent that allows to set and to export environment variables from its instance script.

  • No labels
Write a comment…