Re: Encrypt sensitive passwords in shell script - Which one do you prefer ?
From: Sreejith S Nair <Sreejith.Sreekantan_at_ibsplc.com>
Date: Tue, 17 May 2011 09:37:16 +0530
Message-ID: <OF56C70707.1ABFBDA4-ON65257893.001659BB-65257893.0016A48B_at_ibsplc.com>
Nial,PG all,
Date: Tue, 17 May 2011 09:37:16 +0530
Message-ID: <OF56C70707.1ABFBDA4-ON65257893.001659BB-65257893.0016A48B_at_ibsplc.com>
Nial,PG all,
Thanks much for your advice.
Let me clear the situation well.
The SQL scripts prepared by developer is being run by DBAs and this is going to be a head ache for DBAs. But I believe we can automate the script running someway. The reason why DBA is asked to run the script is for ciompliance audit in which application user password is only visible to DBAs. So the audits compliance has to be met. So I was thinking about a process in which a developer can just submit a script and some process ( instead of dba) can execute it transparently in the application schema.
With Regards,
Sreejith
-- Sreejith S Nair Associate Systems Architect | AOS DBA Team From: Niall Litchfield <niall.litchfield_at_gmail.com> To: "D'Hooge Freek" <Freek.DHooge_at_uptime.be> Cc: ORACLE-L <oracle-l_at_freelists.org> Date: 05/16/2011 08:25 PM Subject: Re: Encrypt sensitive passwords in shell script - Which one do you prefer ? Sent by: oracle-l-bounce_at_freelists.org That's my understanding as well - hence my question to the OP. Sreejith - see http://www.oracle-base.com/articles/10g/SecureExternalPasswordStore_10gR2.php for a how to. On Mon, May 16, 2011 at 3:38 PM, D'Hooge Freek <Freek.DHooge_at_uptime.be> wrote: Pete, X-archive-position: 36300 X-ecartis-version: Ecartis v1.0.0 Sender: oracle-l-bounce_at_freelists.org Errors-to: oracle-l-bounce_at_freelists.org X-original-sender: Freek.DHooge_at_uptime.be Precedence: normal Reply-To: Freek.DHooge_at_uptime.be List-help: <mailto:ecartis_at_freelists.org?Subject=help> List-unsubscribe: <oracle-l-request_at_freelists.org?Subject=unsubscribe> List-software: Ecartis version 1.0.0 List-Id: oracle-l <oracle-l.freelists.org> X-List-ID: oracle-l <oracle-l.freelists.org> List-subscribe: <oracle-l-request_at_freelists.org?Subject=subscribe> List-owner: <mailto:steve.adams_at_ixora.com.au> List-post: <mailto:oracle-l_at_freelists.org> List-archive: <http://www.freelists.org/archives/oracle-l> X-list: oracle-l Am I correct in thinking that the Oracle Wallet solution can be used without needing advanced security as long as the authentication is password based? Following links seem to suggest so, but I'm not certain: http://download.oracle.com/docs/cd/B19306_01/license.102/b14199/editions.htm#sthref32 http://download.oracle.com/docs/cd/B19306_01/license.102/b14199/options.htm#sthref40 Kind regards, Freek D'Hooge Uptime Oracle Database Administrator email: freek.dhooge_at_uptime.be tel +32(0)3 451 23 82 http://www.uptime.be disclaimer: www.uptime.be/disclaimer -----Original Message----- From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Pete Finnigan Sent: maandag 16 mei 2011 15:48 To: Sreejith.Sreekantan_at_ibsplc.com Cc: oracle-l_at_freelists.org Subject: Re: Encrypt sensitive passwords in shell script - Which one do you prefer ? Have a look at Oracle secure external password store - http://www.oracle-base.com/articles/10g/SecureExternalPasswordStore_10gR2.php or if you want a free solution look at OPR - http://opr.sourceforge.net cheers Pete Sreejith S Nair wrote:Received on Mon May 16 2011 - 23:07:16 CDT
> Hi List,
>
> I am looking for various options to encrypt a sensitive password in a
> unix shell script. After a bit of googling, I learned about 'shc'.
> Can you please advice on what things you use for this purpose, if any ?
>
> My requirement / idea is
>
> A .sql file will have to be executed by a shell script in SQLPLUS as
> USER/XXXX . The .sql file will be prepared by developer and will be put
> to a directory to which their osuser - say 'user1' will have write
> access. I will have 'oracle' user in the server , who is the DBA user. I
> want them to run this SQL like, *runthis.sh test.sql *where runthis.sh
> is owned by oracle user and will reside in some directory owned by DBA
> user. I am planning to configure schema password (USER/XXXX) in
> runthis.sh , which a developer is not supposed to know.
> But if I give execute permission for 'user1' to runthis.sh, it becomes
> readable and all can read the password. Is there anyway , I can store
> encrypted password in SQLPLUS connect string in this file / encrypt
> shell script as such ?
>
> Thanks in Advance.
>
>
> With Regards,
> Sreejith
>
> --
> Sreejith S Nair
> Associate Systems Architect | AOS DBA Team
>
>
>
>
>
>
>
> DISCLAIMER:
>
> "The information in this e-mail and any attachment is intended only for
> the person to whom it is addressed and may contain confidential and/or
> privileged material. If you have received this e-mail in error, kindly
> contact the sender and destroy all copies of the original communication.
> IBS makes no warranty, express or implied, nor guarantees the accuracy,
> adequacy or completeness of the information contained in this email or
> any attachment and is not liable for any errors, defects, omissions,
> viruses or for resultant loss or damage, if any, direct or indirect."
>
>
>
>
-- Pete Finnigan Director PeteFinnigan.com Limited Specialists in database security. Makers of PFCLScan the database security auditing tool. If you need help to audit or secure an Oracle database, please ask for details of our training courses and consulting services Phone: +44 (0)1904 791188 Fax : +44 (0)1904 791188 Mob : +44 (0)7742 114223 email: pete_at_petefinnigan.com site : http://www.petefinnigan.com Registered Office: 9 Beech Grove, Acomb, York, YO26 5LD, United Kingdom Company No : 4664901 VAT No. : 940668114 Please note that this email communication is intended only for the addressee and may contain confidential or privileged information. The contents of this email may be circulated internally within your organisation only and may not be communicated to third parties without the prior written permission of PeteFinnigan.com Limited. This email is not intended nor should it be taken to create any legal relations, contractual or otherwise. -- http://www.freelists.org/webpage/oracle-l -- http://www.freelists.org/webpage/oracle-l -- Niall Litchfield Oracle DBA http://www.orawin.info DISCLAIMER: "The information in this e-mail and any attachment is intended only for the person to whom it is addressed and may contain confidential and/or privileged material. If you have received this e-mail in error, kindly contact the sender and destroy all copies of the original communication. IBS makes no warranty, express or implied, nor guarantees the accuracy, adequacy or completeness of the information contained in this email or any attachment and is not liable for any errors, defects, omissions, viruses or for resultant loss or damage, if any, direct or indirect." -- http://www.freelists.org/webpage/oracle-l