Re: unix Ksh script variable
Date: Wed, 02 Feb 2011 18:43:28 +1000
Message-ID: <4D491930.9070508_at_tpg.com.au>
Hi Niall,
I think that the "secure external password store feature", which is what I alluded to, is free to use based on this paragraph in the 11g Licensing Information guide, page 1-9 (my underscoring):
*Oracle Wallet*
An Oracle Wallet is a PKCS#12 container used to store authentication and encryption keys. _The database secure external password store feature stores passwords in an Oracle Wallet for authentication to the Oracle database._ Oracle Advanced Security uses the Oracle Wallet to store credentials for PKI authentication to the Oracle database, network encryption, and transparent data encryption. Oracle Wallet Manager is an application that wallet owners can use to manage and edit Oracle wallets. _Oracle Wallets can be deployed on clients, middle tiers, and database servers free of charge._ However, the following features that use an Oracle Wallet in turn require licensing of the Oracle Advanced Security Option: PKI credentials for authentication to Oracle Database, network encryption (SSL/TLS) to the Oracle database from middle tiers and database clients, and transparent data encryption master keys. Oracle Advanced Security option is not required when configuring wallets to secure communication between the Oracle database and Oracle Internet Directory as part of the enterprise user security feature of Oracle Database
Of course I may misinterpret this piece of legalistic prose. English never was my forte... :)
Cheers,
Tony
Niall Litchfield wrote:
>
> Hi
> I'm pretty sure that Oracle Wallet requires the advanced security
> option to be licensed. So a great solution if it's already there, but
> somewhat overkill compared to parsing a protected text file if it
> isn't. I wonder these days how big the security risk of storing
> passwords in scripts is (not the convenience of only storing them
> once). Time was when we had real users logging onto the db server able
> to read scripts and sniff command lines. Those days pretty much died
> with client server though.
>
> (p.s my phone adaptive auto correct changed "command lin" to "named
> pipes" as I was typing. I should get out more)
>
>> On 2 Feb 2011 05:42, "De DBA" <dedba_at_tpg.com.au> wrote:
>>
>> Have you considered using Oracle Wallets? It takes a bit of effort to
>> set up, but is quite resilient. We have used it for years to great
>> satisfaction. You store just the credential's db_connect_string in a
>> plain-text configuration file, which the script then picks up and
>> uses to connect.
>>
>> see e.g.:
>> http://askdba.org/weblog/2009/09/using-oracle-wallet-to-execute-shell-scriptcron-without-hard-coded-oracle-database-password/
>>
>> There used to be an Oracle Whitepaper as well which showed how to set
>> this up with the sys account, but I cannot find it any more on the
>> Oracle website. The actual topic of the whitepaper was "Using Oracle
>> Recovery Manager (RMAN) with Database Vault", published in 2006.
>> Basically you just create a credential as demonstrated in the link
>> above and pass the connect string with "as sysdba" as per usual.
>>
>> Hth,
>> Tony
>>
>>
>>
>> A Joshi wrote:
>> >
>> > hi
>> > I have a script which is to be executed on many databases and
>> different da...
>>
--
http://www.freelists.org/webpage/oracle-l
Received on Wed Feb 02 2011 - 02:43:28 CST
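The arrangement described in the quoted message above (only the db_connect_string in a plain-text file, the password held in the wallet), as an added example that is not part of the original thread. The `NAME=alias` file format and the function name `wallet_connect` are assumptions, and the wallet credential is assumed to exist already, created as in the linked article.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed config format, one entry per line:
#   PROD=prod_batch        (NAME=TNS alias that has a credential in the wallet)
# wallet_connect FILE NAME [sysdba|sysoper] prints the passwordless connect
# string "/@alias" for sqlplus or RMAN, or returns 1 with a message on stderr.
wallet_connect() {
    conf=$1 key=$2 role=${3:-}
    [ -f "$conf" ] || { echo "missing config: $conf" >&2; return 1; }
    # The file holds no secret, but it steers where the script connects,
    # so refuse it when group or others can write to it.
    perms=$(ls -ld "$conf" | cut -c6,9)
    case $perms in
        *w*) echo "config is writable by group/other: $conf" >&2; return 1 ;;
    esac
    # The lookup key goes into a sed pattern, so keep it to plain characters.
    case $key in
        ''|*[!A-Za-z0-9_]*) echo "bad key: $key" >&2; return 1 ;;
    esac
    tns=$(sed -n "s/^${key}=//p" "$conf" | head -n 1)
    # Only a bare alias is accepted: an entry such as user/password@db would
    # bring the hard-coded password back, so it is rejected.
    case $tns in
        ''|*[!A-Za-z0-9_.]*) echo "bad or missing alias for $key" >&2; return 1 ;;
    esac
    case $role in
        '')             printf '/@%s\n' "$tns" ;;
        sysdba|sysoper) printf '/@%s as %s\n' "$tns" "$role" ;;
        *)              echo "bad role: $role" >&2; return 1 ;;
    esac
}

# Typical use in a cron script (db.conf and report.sql are hypothetical names):
#   conn=$(wallet_connect /etc/myjob/db.conf PROD) || exit 1
#   sqlplus -s "$conn" @report.sql
```

Because the connect string never contains a password, nothing sensitive appears in the script, the config file, or the process list.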