Re: unix Ksh script variable

From: Niall Litchfield <niall.litchfield_at_gmail.com>
Date: Thu, 3 Feb 2011 16:35:36 +0000
Message-ID: <AANLkTinUJH_FyA204t6AudR3YokVFEB4Bc7WvOH3h=_=_at_mail.gmail.com>



Thanks Tony

You learn something every day on this list.

On Wed, Feb 2, 2011 at 8:43 AM, De DBA <dedba_at_tpg.com.au> wrote:

> Hi Niall,
>
> I think that the "secure external password store feature", which is what I
> alluded to, is free to use based on this paragraph in the 11g Licensing
> Information guide, page 1-9 (my underscoring):
>
> *Oracle Wallet*
> An Oracle Wallet is a PKCS#12 container used to store authentication and
> encryption keys. *The database secure external password store feature
> stores passwords in an Oracle Wallet for authentication to the Oracle
> database.* Oracle Advanced Security uses the Oracle Wallet to store
> credentials for PKI authentication to the Oracle database, network
> encryption, and transparent data encryption. Oracle Wallet Manager is an
> application that wallet owners can use to manage and edit Oracle wallets.
> *Oracle Wallets can be deployed on clients, middle tiers, and database
> servers free of charge.*
>
> However, the following features that use an Oracle Wallet in turn require
> licensing of the Oracle Advanced Security Option: PKI credentials for
> authentication to Oracle Database, network encryption (SSL/TLS) to the
> Oracle database from middle tiers and database clients, and transparent
> data encryption master keys. Oracle Advanced Security option is not
> required when configuring wallets to secure communication between the
> Oracle database and Oracle Internet Directory as part of the enterprise
> user security feature of Oracle Database
>
>
> Of course I may misinterpret this piece of legalistic prose. English never
> was my forte... :)
>
> Cheers,
> Tony
>
>
> Niall Litchfield wrote:
>
> Hi
> I'm pretty sure that Oracle Wallet requires the advanced security option to
> be licensed. So a great solution if it's already there, but somewhat overkill
> compared to parsing a protected text file if it isn't. I wonder these days
> how big the security risk of storing passwords in scripts is (not the
> convenience of only storing them once). Time was when we had real users
> logging onto the db server able to read scripts and sniff command lines.
> Those days pretty much died with client server though.
>
> (p.s my phone adaptive auto correct changed "command lin" to "named pipes"
> as I was typing. I should get out more)
>
> On 2 Feb 2011 05:42, "De DBA" <dedba_at_tpg.com.au> wrote:
>
> Have you considered using Oracle Wallets? It takes a bit of effort to
> set up, but is quite resilient. We have used it for years to great
> satisfaction. You store just the credential's db_connect_string in a
> plain-text configuration file, which the script then picks up and uses to
> connect.
>
> see e.g.:
> http://askdba.org/weblog/2009/09/using-oracle-wallet-to-execute-shell-scriptcron-without-hard-coded-oracle-database-password/
>
> There used to be an Oracle Whitepaper as well which showed how to set this
> up with the sys account, but I cannot find it any more on the Oracle
> website. The actual topic of the whitepaper was "Using Oracle Recovery
> Manager (RMAN) with Database Vault", published in 2006. Basically you just
> create a credential as demonstrated in the link above and pass the connect
> string with "as sysdba" as per usual.
>
> Hth,
> Tony
>
>
>
> A Joshi wrote:
> >
> > hi
> > I have a script which is to be executed on many databases and different
> da...
>
>
>

-- 
Niall Litchfield
Oracle DBA
http://www.orawin.info

--
http://www.freelists.org/webpage/oracle-l
Received on Thu Feb 03 2011 - 10:35:36 CST
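
The wallet approach described in the thread (only the connect string lives in a plain-text configuration file, and the script picks it up to connect) can be sketched as follows. This is an added example, not code from any poster in the thread. It assumes a credential was already stored in a wallet with `mkstore` and that `sqlnet.ora` sets `WALLET_LOCATION` and `SQLNET.WALLET_OVERRIDE = TRUE`; the `DB_ALIAS=` file format and the function names are hypothetical.

```shell
#!/bin/sh
# Added example; works in ksh, bash and POSIX sh.
# Config file format (hypothetical): one line, DB_ALIAS=<alias stored in the wallet>

# read_alias FILE: print the alias, or fail if the file is unsafe or malformed.
read_alias() {
    conf=$1
    [ -f "$conf" ] || { echo "no such config: $conf" >&2; return 1; }
    # Characters 6 and 9 of the mode string are the group and other write bits.
    # Whoever can edit this file chooses which database the script's stored
    # credentials are presented to, so a writable config is refused.
    perms=$(ls -ld "$conf" | cut -c6,9)
    case $perms in
        *w*) echo "$conf is group/world writable" >&2; return 1 ;;
    esac
    alias_name=$(sed -n 's/^DB_ALIAS=//p' "$conf" | head -n 1)
    # Accept a bare alias only: no user/password pair, no '@', no whitespace.
    case $alias_name in
        ''|*[!A-Za-z0-9_.]*) echo "invalid alias in $conf" >&2; return 1 ;;
    esac
    printf '%s\n' "$alias_name"
}

# connect_string ALIAS: "/@alias" tells the Oracle client to look the user
# and password up in the wallet, so no secret appears in the script, in the
# config file, or on the command line visible through ps.
connect_string() {
    printf '/@%s\n' "$1"
}

# run_sql CONF SQLFILE: run a SQL script using the wallet credential.
run_sql() {
    db_alias=$(read_alias "$1") || return 1
    # -S: silent, -L: attempt the logon once instead of prompting again
    sqlplus -S -L "$(connect_string "$db_alias")" @"$2"
}

# Only connect when called as: script.sh <config file> <sql file>
if [ $# -eq 2 ]; then
    run_sql "$1" "$2"
fi
```

The wallet directory itself still needs restrictive file permissions, since anyone who can read an auto-login wallet can connect as the stored user.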
