RE: Alternatives to RMAN cleartext password in batch file for backups?

From: Mark W. Farnham <mwf_at_rsiz.com>
Date: Sun, 24 Apr 2011 14:30:18 -0400
Message-ID: <0ea201cc02ad$aa4295f0$fec7c1d0$_at_rsiz.com>



Or you can echo the password in as the start of a pipeline.

-----Original Message-----

From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of D'Hooge Freek
Sent: Sunday, April 24, 2011 2:21 PM
To: cicciuxdba_at_gmail.com; troach_at_gmail.com
Cc: bwmyers_at_gmail.com; oracle-l_at_freelists.org
Subject: RE: Alternatives to RMAN cleartext password in batch file for backups?

Alan,

I think that if you start rman with the password on the command line like below, the password will be visible via the process list (ps or pargs). To avoid this, you should modify the script so that the connection to the database or repository is done in the rman script itself.

I have not had the chance to test it, so I reserve the right to be mistaken.

Regards,

Freek D'Hooge
Uptime
Oracle Database Administrator
email: freek.dhooge_at_uptime.be
tel +32(0)3 451 23 82
http://www.uptime.be
disclaimer: www.uptime.be/disclaimer
---

From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Guillermo Alan Bort
Sent: Sunday, 24 April 2011 17:52
To: troach_at_gmail.com
Cc: bwmyers_at_gmail.com; oracle-l_at_freelists.org
Subject: Re: Alternatives to RMAN cleartext password in batch file for backups?

Well, you must use a decryptable encryption for this to work, but you could always call RMAN like this:

#!/bin/bash
CATALOG_PASSWORD=`decrypt_command encrypted_password_file`

rman target / catalog catalog_user/${CATALOG_PASSWORD}@SID script ...

Where the decrypt_command is a command that returns a cleartext password from the 'encrypted_password_file'. It's not the best solution as anyone with execute permissions on decrypt_command and/or read permissions on encrypted_password_file would be able to access the cleartext password. But then again, in several cases security guidelines are not about security, but about compliance.

hth
Alan.-

On Sun, Apr 24, 2011 at 12:27 AM, Thomas Roach <troach_at_gmail.com> wrote:

Why don't you encrypt your shell script?

http://linux.koolsolutions.com/2009/01/20/howto-encrypting-a-shell-script-on-a-linux-or-unix-based-system/

On Sat, Apr 23, 2011 at 9:05 PM, Bill Myers <bwmyers_at_gmail.com> wrote:

Hi all,
I have the following commands in a batch file scheduled for daily execution:

set oracle_sid=mydatadb
rman target / catalog mycatusr/mycatpwd@mycatdb script Daily_Backup >> backup.log

My organization requires the catalog password (mycatpwd) above to be encrypted and not stored as clear text in any other file or environment variable. How can I still use this batch file for scheduled backups without providing a clear text password?

The only option I can think of is to compile the commands into a binary executable. Any other ideas besides that?

Thanks in advance.
Bill

--

Thomas Roach
813-404-6066
troach_at_gmail.com

--

http://www.freelists.org/webpage/oracle-l

Received on Sun Apr 24 2011 - 13:30:18 CDT
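
Added example, not code from any poster in this thread: one way to combine the two suggestions above (connect inside the RMAN command stream, and feed that stream in at the start of a pipeline) so the catalog password is never an argument of the rman process. The function names, `get_catalog_password` and `RMAN_BIN` are assumptions made for this sketch; `decrypt_command` and `encrypted_password_file` are the placeholders from Alan's message.

```shell
#!/bin/bash
# Added example: keep the catalog password out of the process list by sending
# the CONNECT commands to rman on standard input instead of on its command line.

# Assumption: RMAN_BIN lets a test substitute another program for rman.
RMAN_BIN="${RMAN_BIN:-rman}"

# Hypothetical helper: prints the cleartext password on stdout.
# decrypt_command is the placeholder name used in the thread, not a real tool.
get_catalog_password() {
    decrypt_command encrypted_password_file
}

# Emit the RMAN command stream: user, password, catalog db, stored script.
# printf is a builtin in bash and dash, so no separate process ever carries
# the password in its argument list. An external /bin/echo would expose it.
rman_commands() {
    printf 'connect target /\n'
    printf 'connect catalog %s/%s@%s\n' "$1" "$2" "$3"
    printf 'run { execute script %s; }\n' "$4"
}

# Usage: run_backup <catalog_user> <catalog_db> <stored_script>
run_backup() {
    # Plain shell variable, deliberately not exported, so it is not copied
    # into the environment of rman or any other child process.
    rb_pass="$(get_catalog_password)" || return 1
    if [ -z "$rb_pass" ]; then
        echo "run_backup: empty catalog password" >&2
        return 1
    fi
    # rman starts with no credentials in argv and reads them from the pipe.
    rman_commands "$1" "$rb_pass" "$2" "$3" | "$RMAN_BIN"
    rb_status=$?
    unset rb_pass
    return "$rb_status"
}

# Example call, with the names from Bill's batch file:
#   run_backup mycatusr mycatdb Daily_Backup >> backup.log
```

As Alan notes above, anyone who can run the decrypt step and read its input can still recover the password; this only closes the process-list exposure Freek describes.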
