How are you authenticating you applications?
Date: Wed, 9 Mar 2011 16:11:42 -0300
We have several application servers (mostly Tomcat) connecting to the Oracle Databases (jdbc) and we detected that there is a lot of people using the application accounts to connect to the databases using TOAD or such other tools. We are working on informing them that they should not do so, and that they car request access to the DB if there is a valid business reason for them to have such access.
Now comes the other side... I'd hate to have to add a logon trigger that kicks out anyone using TOAD (and an app account), as it would rely on blacklisting or whitelisting either modules, apps, machines or osusers... and would require manual maintenance which is something we are not really willing to do. So... here comes the question: How do you authenticate a Tomcat against Oracle without giving anyone the password (nor setting it up yourself on the tomcat, because the apps admins won't like that). Is there a way through certificates, wallets or something like that?
We are working on providing the hashed password, so all the non-dbas get is a hash... but I don't know how strong the eencryption really is... and I'd like to let my i7 have a go at cracking one and see how long it takes... still, a non-human-intervention approach would be appreciated :-)
thanks in advance