RE: Oracle client security

From: MacGregor, Ian A. <ian_at_slac.stanford.edu>
Date: Fri, 6 Aug 2004 15:27:03 -0700
Message-ID: <26E3EC48949D134C94A1574B2C89466113A9E1@exchange2.slac.stanford.edu>


Yes, but these parameters are obsolete as of 9i.

-----Original Message-----
From: Jared.Still_at_radisys.com [mailto:Jared.Still_at_radisys.com]
Sent: Friday, August 06, 2004 1:40 PM
To: oracle-l_at_freelists.org
Subject: Re: Oracle client security

> More than a year ago, we had problems with a Perl::DBI program
> connecting to the Oracle DB using the WE8ISO8859P1 charset. It always
> failed the first time and secretly and automagically attempted and
> succeeded the connection a second time. I was able to verify this by
> using AUDIT in the DB, while running the program.
>
From the fine manual:

By setting the following values, you can require that the password used to verify a connection always be encrypted:

- Set the ORA_ENCRYPT_LOGIN environment variable to TRUE on the client machine.
- Set the DBLINK_ENCRYPT_LOGIN server initialization parameter to TRUE.

If enabled at both the client and server, passwords will not be sent across the network "in the clear", but will be encrypted using a modified DES (Data Encryption Standard) algorithm.

The DBLINK_ENCRYPT_LOGIN initialization parameter is used for connections between two Oracle servers (for example, when performing distributed queries). If you are connecting from a client, Oracle checks the ORA_ENCRYPT_LOGIN environment variable.

Whenever you attempt to connect to a server using a password, Oracle encrypts the password before sending it to the server. If the connection fails and auditing is enabled, the failure is noted in the audit log. Oracle then checks the appropriate DBLINK_ENCRYPT_LOGIN or ORA_ENCRYPT_LOGIN value. If it is set to FALSE, Oracle attempts the connection again using an unencrypted version of the password. If the connection is successful, the connection replaces the previous failure in the audit log, and the connection proceeds.

To prevent malicious users from forcing Oracle to re-attempt a connection with an unencrypted version of the password, you must set the appropriate values to TRUE.



Please see the official ORACLE-L FAQ: http://www.orafaq.com

To unsubscribe send email to: oracle-l-request_at_freelists.org put 'unsubscribe' in the subject line.
--
Archives are at http://www.freelists.org/archives/oracle-l/
FAQ is at http://www.freelists.org/help/fom-serve/cache/1.html
Received on Fri Aug 06 2004 - 17:23:43 CDT
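
A configuration check for the two settings the quoted manual passage names, as an added example that is not part of the original thread or of Oracle's documentation. It assumes a text init.ora parameter file and a release where these settings are still honoured (the reply above notes they are obsolete as of 9i); the function names and the sample file are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original thread): report whether the two
# settings named in the quoted manual passage still allow a cleartext retry.

# is_true VALUE: succeeds only when VALUE is TRUE, compared case-insensitively.
is_true() {
    [ "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" = "TRUE" ]
}

# initora_value FILE PARAM: print PARAM's value from an init.ora-style file.
# '#' comments are dropped and names match case-insensitively. Taking the
# last assignment when a name repeats is an assumption of this example.
initora_value() {
    sed 's/#.*$//' "$1" | awk -F= -v want="$2" '
        { name = $1; gsub(/[ \t]/, "", name) }
        toupper(name) == toupper(want) { val = $2; gsub(/[ \t\r]/, "", val); found = val }
        END { print found }'
}

# audit_login_encryption CLIENT_VALUE INITORA_FILE
# Returns 0 when both settings are TRUE, 1 when either permits the fallback.
audit_login_encryption() {
    rc=0
    if is_true "$1"; then
        echo "client ORA_ENCRYPT_LOGIN: TRUE (client logins: no unencrypted retry)"
    else
        echo "client ORA_ENCRYPT_LOGIN: '${1:-unset}' (client logins: unencrypted retry possible)"
        rc=1
    fi
    server=$(initora_value "$2" DBLINK_ENCRYPT_LOGIN)
    if is_true "$server"; then
        echo "server DBLINK_ENCRYPT_LOGIN: TRUE (database links: no unencrypted retry)"
    else
        echo "server DBLINK_ENCRYPT_LOGIN: '${server:-unset}' (database links: unencrypted retry possible)"
        rc=1
    fi
    return "$rc"
}

# Constructed sample parameter file, for demonstration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
db_name = ORCL
# dblink_encrypt_login = true
DBLINK_ENCRYPT_LOGIN = false   # left at FALSE
EOF
audit_login_encryption "${ORA_ENCRYPT_LOGIN:-}" "$sample" || echo "finding(s) reported"
```

A setting that is unset is reported the same way as FALSE, since the passage requires the value to be explicitly TRUE to rule out the retry.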
