Re: Alternatives to RMAN cleartext password in batch file for backups?

From: Nuno Souto <dbvision_at_iinet.net.au>
Date: Mon, 25 Apr 2011 15:09:42 +1000
Message-ID: <4DB50216.50409_at_iinet.net.au>



(heavily snipped to protect my sanity)

You know what rattles me with this problem? I've been hearing variations of it for decades now. First with ufi/sql+, after with just about anything cli driven. And Oracle still hasn't listened or provided a workable solution besides "purchase yet another extra option"...
The solution is simple but no one seems to be listening. As usual.

-- 
Cheers
Nuno Souto
in sunny Sydney, Australia
dbvision_at_iinet.net.au

Mark W. Farnham wrote, on my timestamp of 25/04/2011 4:30 AM:

> Or you can echo the password in as the start of a pipeline.
>
> -----Original Message-----
> From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org]
> On Behalf Of D'Hooge Freek
> Sent: Sunday, April 24, 2011 2:21 PM
> To: cicciuxdba_at_gmail.com; troach_at_gmail.com
> Cc: bwmyers_at_gmail.com; oracle-l_at_freelists.org
> Subject: RE: Alternatives to RMAN cleartext password in batch file for
> backups?
>
> Alan,
>
> I think that if you start rman with the password on the command line like
> below, the password will be visible via the process list (ps or pargs).
> To avoid this, you should modify the script so that the connection to the
> database or repository is done in the rman script itself.
>
> I have not had the chance to test it, so I reserve the right to be mistaken.
> Sent: Sunday 24 April 2011 17:52
> To: troach_at_gmail.com
> Cc: bwmyers_at_gmail.com; oracle-l_at_freelists.org
> Subject: Re: Alternatives to RMAN cleartext password in batch file for
> backups?
>
> Well, you must use a decryptable encryption for this to work, but you could
> always call RMAN like this:
>
> #!/bin/bash
> CATALOG_PASSWORD=`decrypt_command encrypted_password_file`
>
> rman target / catalog catalog_user/${CATALOG_PASSWORD}@SID script ...
>
> Where the decrypt_command is a command that returns a cleartext password
> from the 'encrypted_password_file'. It's not the best solution as anyone
> with execute permissions on decrypt_command and/or read permissions on
> encrypted_password_file would be able to access the cleartext password. But
> then again, in several cases security guidelines are not about security, but
> about compliance.
>
> On Sun, Apr 24, 2011 at 12:27 AM, Thomas Roach <troach_at_gmail.com> wrote:
> Why don't you encrypt your shell script?
>
>
> set oracle_sid=mydatadb
> rman target / catalog mycatusr/mycatpwd@mycatdb script Daily_Backup >> backup.log
>
> My organization requires the catalog password (mycatpwd) above to be
> encrypted and not stored as clear text in any other file or environment
> variable. How can I still use this batch file for scheduled backups without
> providing a clear text password?
>
> The only option I can think of is to compile the commands into a binary
> executable. Any other ideas besides that?
>
-- http://www.freelists.org/webpage/oracle-l
Received on Mon Apr 25 2011 - 00:09:42 CDT
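
The two suggestions quoted in this message (connect from inside the RMAN script rather than on the command line, and feed the password in at the start of a pipeline) can be combined as in the following added example, which is not code from any participant in the thread. `get_catalog_password`, `catalog_user`, `CATDB`, `RMAN_BIN` and `BACKUP_LOG` are hypothetical names used for illustration, and the password value is constructed.

```shell
#!/bin/sh
# Added example: keep the catalog password out of rman's argument list,
# where ps/pargs can show it, by sending the CONNECT commands on stdin.

# Hypothetical secret source (assumption): replace the body with the
# site's own retrieval command. The value below is constructed.
get_catalog_password() {
    printf '%s' 'Constructed-Pw1'
}

# Print the RMAN commands for one run.
#   $1 = catalog user, $2 = catalog connect identifier, $3 = stored script
# printf is a shell builtin, so no new process is started with the
# password among its arguments.
rman_commands() {
    pw=$(get_catalog_password) || return 1
    printf 'connect target /\n'
    printf 'connect catalog %s/%s@%s\n' "$1" "$pw" "$2"
    printf 'run { execute script %s; }\n' "$3"
    unset pw
}

# Start rman with no credentials on its command line; the password
# only travels through the pipe into rman's standard input.
# RMAN_BIN and BACKUP_LOG are overridable names of this example.
run_backup() {
    rman_commands catalog_user CATDB Daily_Backup |
        "${RMAN_BIN:-rman}" >> "${BACKUP_LOG:-backup.log}"
}

# Only run when asked to, so the file can be sourced and inspected.
if [ "${RUN_BACKUP:-0}" = 1 ]; then
    run_backup
fi
```

The secret source still has to be readable by the account that runs the job, so file permissions on it remain the actual control.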
