
Updating HashiCorp Vault Plug-in for Oracle

When you have a HashiCorp Vault environment up and running, you will eventually need to update the plug-ins it uses. In my case, I've been using HashiCorp Vault Enterprise to do some static password changes against Oracle Databases. The benefit of doing this is that I can quickly change passwords for any user account in the Oracle Database and keep it secure at the same time.

For Oracle, the plug-in for HashiCorp Vault is located here. When I initially set up HashiCorp Vault, I used plug-in 0.2.1. There were some limitations to the plug-in for Oracle; items like Password Policy didn't work. After I consulted with HashiCorp Sales Engineers, they told me that additional features were released in version 0.3.0. This leads to the need to upgrade the plug-in.

To upgrade the plug-in, download the latest plug-in and store it in the location your plug-ins run from. In my case, I put all my plug-ins in /opt/app/hashicorp/plugins. I put the new plug-in into /opt/app/hashicorp/plugins/3.0, because it has the same file name as the previous version.

To upgrade the plug-in, the following needs to be done. You can also find a brief explanation of the plug-in upgrade here.

1. Identify the SHA256 checksum of the current plugin.

vault plugin info database oracle-database

2. Generate the SHA256 checksum of the new plugin.

shasum -a 256 /opt/app/hashicorp/plugin/3.0/vault-plugin-database-oracle | sed 's/\s.*$//' > /opt/app/hashicorp/plugin/3.0/oracle-plugin.sha256

3. Register the new plugin in the HashiCorp Vault plugin catalog. It will be registered under the same name as the existing plugin. The new plugin will not take effect until the plugin backend has been reloaded.

vault write sys/plugins/catalog/database/oracle-database sha256=$(cat /opt/app/hashicorp/plugin/3.0/oracle-plugin.sha256) command=vault-plugin-database-oracle

4. Reload the plugin backend.  This has to be done using the API backend within Vault.

curl -L -X PUT 'http://localhost:8200/v1/sys/plugins/reload/backend' \
-H 'X-Vault-Token: s.RXf3xAMgeb0ph7BUaA3xEE8f' \
-H 'Content-Type: application/json' \
--data-raw '{
"plugin": "oracle-database"
}'

5. Validate the plugin has been upgraded (hint: SHA256 value will have changed).

vault plugin info database oracle-database
Key        Value
---        -----
args       []
builtin    false
command    vault-plugin-database-oracle
name       oracle-database
sha256     4625dd52e5c97e87d6b7366b12c419b155df71cfdc23bff44f05fbbf4caa9b3c
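
The check in step 5 can be scripted so that the sha256 reported by `vault plugin info` is compared with the digest of the binary on disk instead of being eyeballed. This is an added example, not part of the original post or HashiCorp's code; the function names and the demo data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: check that the sha256 in a Vault plugin catalog entry matches
# the plugin binary on disk. Function names are hypothetical.

# Hex SHA256 digest of a file; uses sha256sum if present, otherwise shasum.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Read `vault plugin info` table output on stdin and print the sha256 value.
catalog_sha256() {
    awk '$1 == "sha256" {print $2}'
}

# Usage: vault plugin info database oracle-database | verify_plugin BINARY
# Returns 0 on match, 1 on mismatch, 2 if a digest is missing or malformed.
verify_plugin() {
    want=$(catalog_sha256)
    have=$(file_sha256 "$1" 2>/dev/null)
    for d in "$want" "$have"; do
        printf '%s\n' "$d" | grep -Eq '^[0-9a-f]{64}$' || return 2
    done
    [ "$want" = "$have" ]
}

# Constructed demo: a temp file stands in for the plugin binary, and the table
# text stands in for real `vault plugin info` output.
demo() {
    tmp=$(mktemp)
    printf 'constructed plugin bytes\n' > "$tmp"
    info=$(printf 'Key      Value\n---      -----\nsha256   %s\n' "$(file_sha256 "$tmp")")
    printf '%s\n' "$info" | verify_plugin "$tmp" && echo "catalog entry matches binary"
    printf 'modified\n' >> "$tmp"   # binary changed after registration
    printf '%s\n' "$info" | verify_plugin "$tmp" || echo "MISMATCH: catalog sha256 differs from binary"
    rm -f "$tmp"
}
demo
```

A return code of 1 after a reload means the catalog entry and the file on disk no longer agree, which is worth investigating before relying on the plugin.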

With the plug-in updated, you will still be able to maintain your security with the static/dynamic rotation of passwords while enabling new features for the Oracle platform.

Enjoy!!
