Oracle RMAN Wallet Authentication Failure (ORA-01017 / RMAN-00554)

Problem Description

When running Oracle database backups using Druva Enterprise Workloads, Recovery Manager (RMAN) connections fail if wallet-based authentication is configured with a TNS alias.

The failure occurs during initialization when executing RMAN using the following syntax:

rman target /@<TNS_ALIAS>

RMAN fails to connect to the target database and aborts immediately.

Traceback

The following error stack is observed in the logs:

RMAN-00554: initialization of internal recovery manager package failed
RMAN-04005: error from target database:
ORA-01017: invalid username/password; logon denied

Cause

The failure is caused by an Oracle wallet misconfiguration, insufficient privileges of the user stored in the wallet entry, or wallet credentials that are out of sync with the database.

When a TNS alias is explicitly passed (/@<alias>), Oracle overrides standard OS authentication and forces wallet-based authentication. The connection fails due to one or more of the following factors:

  • Insufficient Privileges: The Oracle wallet contains credentials for a low-privileged user (e.g., a monitoring user). RMAN strictly requires SYS or SYSDBA-level access to initialize its internal recovery manager packages.

  • Path Misconfiguration: The wallet directory path is incorrectly specified in the sqlnet.ora file, preventing RMAN from locating the credentials entirely.

  • Outdated Credentials: The SYS password was recently changed in the database, but the Oracle wallet was not updated to reflect the change.

  • Missing TNS Entry: The specific TNS alias being used by the backup script does not have a corresponding credential entry inside the wallet.

Resolution

Follow the steps below to correctly configure the Oracle Wallet and restore RMAN backup functionality.

Step 1: Correct the Wallet Directory Configuration

Verify that the wallet location configured in sqlnet.ora points to the exact directory housing your wallet files, and ensure the Druva backup agent user has read/write permissions to it.

  • Check the WALLET_LOCATION or ENCRYPTION_WALLET_LOCATION parameters in sqlnet.ora.

  • Ensure proper OS-level permissions on the wallet directory.

Step 2: Store SYSDBA Credentials in the Wallet

Because RMAN requires administrative privileges, ensure the wallet contains the SYS user credentials for the specified TNS alias.

Update or add the credentials using the Oracle mkstore utility:

mkstore -wrl <wallet_path> -modifyCredential <TNS_ALIAS> sys <SYS_password>

Note: Repeat this command for every distinct TNS alias used across your RMAN backup scripts.

Step 3: Keep Wallet Credentials Synchronized

  • Multi-Node/RAC Environments: Ensure the wallet contents (cwallet.sso and ewallet.p12) are identical and replicated across all cluster nodes. Avoid partial or node-specific wallet updates.

  • Password Rotations: Immediately update the wallet credentials using mkstore whenever the database SYS password is changed.

Step 4: Validate RMAN Connectivity

Test the connection manually from the command line to verify that the wallet is working as expected:

rman target /@<TNS_ALIAS>

If the connection initializes successfully without prompting for a password, the configuration is correct and Druva backups will proceed.
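
The checks behind Steps 1 and 2 can be scripted and run before the backup job. The script below is an added example, not Druva's or Oracle's code: the function names, alias names and sample output are constructed, and it assumes `mkstore -listCredential` prints one `<index>: <alias> <user>` line per wallet entry.

```bash
#!/bin/sh
# Added example: preflight checks for the wallet causes listed in this article.
# Function names and SAMPLE_LIST are constructed for illustration.

# Print the first DIRECTORY value found in a sqlnet.ora file (Step 1).
# Assumes an upper-case DIRECTORY keyword and a path without spaces.
wallet_dir_from_sqlnet() {
  grep -v '^[[:space:]]*#' "$1" | tr -d ' \t\n' | tr ')' '\n' |
    sed -n 's/.*(DIRECTORY=//p' | head -n 1
}

# Succeed only if cwallet.sso is readable by the current user and grants no
# access to "other"; an auto-login wallet opens without a password.
wallet_perms_ok() {
  f="$1/cwallet.sso"
  [ -r "$f" ] && [ "$(ls -ld "$f" | cut -c8-10)" = "---" ]
}

# Read `mkstore -wrl <wallet_path> -listCredential` output on stdin and print
# the user stored for alias $1. Assumed line format: "<index>: <alias> <user>".
wallet_user_for_alias() {
  awk -v a="$1" '$1 ~ /^[0-9]+:$/ && $2 == a { print $3; found = 1 }
                 END { exit !found }'
}

# Classify an alias against the causes above (Step 2):
#   OK, MISSING_ENTRY, or NOT_SYS:<user> (confirm that user holds SYSDBA).
check_alias() {
  user=$(wallet_user_for_alias "$1") || { echo "MISSING_ENTRY"; return 1; }
  case "$user" in
    [Ss][Yy][Ss]) echo "OK" ;;
    *) echo "NOT_SYS:$user"; return 1 ;;
  esac
}

# Constructed sample of -listCredential output, not taken from a real wallet.
SAMPLE_LIST='List credential (index: connect_string username)
2: ORCL_MON dbsnmp
1: ORCL_BKP sys'

# Real use: mkstore -wrl <wallet_path> -listCredential | check_alias <TNS_ALIAS>
```

When applying Step 2, mkstore prompts for the credential password if it is left off the command line, which keeps the SYS password out of shell history and process arguments.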

Recommendations & Best Practices

Using wallet-based authentication for RMAN is highly recommended for enterprise workloads as it:

  • Eliminates the exposure of cleartext passwords in backup scripts and process arguments.

  • Enforces secure, centralized TNS-based authentication.

  • Aligns with strict corporate Oracle security and compliance standards.
