During my work as a consultant I’ve seen some Forms applications where developers made their lives easier by using the Oracle connect string to connect directly to the database when starting the Forms application. The problem is that in most cases the password is entered in plain text as part of the formsweb.cfg. In this blog post I am going to show an Oracle database feature that enables you to combine comfort and security. This is most probably only a problem for Forms applications without SSO.

Purpose for using the userid

In most cases the connect string was used in the formsweb.cfg parameter userid. Here you are able to specify a complete connect string, e.g. userid=user/pw@mydatabase. Why would you connect to your application that way? Often it was a way to connect to the database first and have the user log in afterwards. Some developers say it would be too complicated for the users to first type in the credentials for the db and then connect with their personal user. But this usage of the userid is not feasible. Which DBA wants to have an unencrypted production database password in any configuration file?

Oracle Database Wallet

To be able to use the connect string in a secure way – not only to log in to the application but also to enable batch processing etc. – you can use the Oracle Wallet. This is a feature of the Oracle database.

There are quite a few guides on the web on how to set up a wallet and add credentials to it. I found the following guide the most helpful:
http://www.dba-resources.com/oracle/a-guide-to-oracle-wallet/

After you have set up the wallet correctly, you are able to connect to the database without entering the username and password. That information is now stored encrypted in the wallet. With /@TNS_NAMES_ALIAS you can directly connect to the database.

Using wallet in configuration

So if you really need to use the parameter userid (which I normally do not recommend) in your formsweb.cfg, you can now use the wallet instead of an unencrypted password. Add userid=/@TNS_NAMES_ALIAS to directly connect to the application on startup. As mentioned in the linked blog above, the wallet is slightly safer – keep in mind that you have to ensure OS security.
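
A check for the problem described above, as an added example that is not part of the original post: it scans a formsweb.cfg for userid entries that still carry a password and accepts the wallet form /@TNS_NAMES_ALIAS. The function name audit_formsweb and the sample file content are constructed for illustration, and the parser assumes the usual layout of [section] headers, key=value lines and # comments.

```python
import re

# Constructed sample of a formsweb.cfg; section names, alias and credentials are made up.
SAMPLE_CFG = """\
# formsweb.cfg (constructed sample)
[default]
form=start.fmx
userid=

[orders]
form=orders.fmx
userid=app_user/Secret123@mydatabase

[billing]
userid=/@TNS_NAMES_ALIAS

[legacy]
userid = scott/tiger
"""

# user/password with an optional @connect_identifier; the wallet form "/@alias" has no user part
PLAINTEXT = re.compile(r"^(?P<user>[^/@\s]+)/(?P<pw>[^@\s]+)(?:@(?P<db>\S+))?$")

def audit_formsweb(text):
    """Return (line_no, section, user, db) for every userid that holds a password."""
    findings, section = [], None
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() != "userid":
            continue
        m = PLAINTEXT.match(value.strip())
        if m:  # the password itself is deliberately left out of the report
            findings.append((no, section, m.group("user"), m.group("db")))
    return findings

if __name__ == "__main__":
    for no, section, user, db in audit_formsweb(SAMPLE_CFG):
        print(f"line {no} [{section}]: userid for '{user}' at {db or 'default db'} contains a plaintext password")
```
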