Re: safe way to store passwords in unix OS
From: Pete Finnigan <pete_at_petefinnigan.com>
Date: Thu, 15 Dec 2011 18:31:59 +0000
Message-ID: <4EEA3D1F.6000300_at_petefinnigan.com>
The OPR is also an option by the Spit brothers; opr.sourceforge.net. The issue with both of these approaches is that if you use an autoopen wallet then anyone who has access to the OS account can connect to the database using Oracle's solution or the OPR one.
A good approach is to use a logon trigger to check where/when/what the connection is; also use a secure application role and only enable the role if the connection is the job that should run. Also look at disabling the shell for the OS account if you can.
cheers
Pete
Tim Hall wrote:
> Hi.
>
> Secure External Password Store sounds like the safest bet.
>
> http://www.oracle-base.com/articles/10g/SecureExternalPasswordStore_10gR2.php
>
> Cheers
>
> Tim...
>
> On Thu, Dec 15, 2011 at 5:30 PM, Dba DBA <oracledbaquestions_at_gmail.com> wrote:
>> This is not exactly an Oracle question, but I am asking it here in case
>> someone has solved this. We have a lot of jobs that log into our Oracle
>> databases. Some of them use ops$oracle accounts. In the future we are not
>> allowed to use ops$oracle and need to provide passwords. I am trying to
>> find a method, or program/script that allows us to do the following.
>> 1. store oracle passwords in unix in a lock box
>> 2. only given processes and users can access specific passwords
>> 3. program/process/script has customizable logic that only lets specific
>> jobs access the password.
>> 4. We are mainly using Cron for our jobs, but may be using some other job
>> schedulers in the future that have more features.
>> 5. you cannot access the passwords from a user account
>>
>>
>> basically you give the password to the script/program, etc and tell it
>> which jobs/users can retrieve it. Those jobs call the script/program and
>> the program can accurately decide which job gets which password.
>>
>> This is about all the requirements I have on this. Sorry if this is kind of
>> vague.
>>
>>
>> --
>> http://www.freelists.org/webpage/oracle-l
>>
>>
> --
> http://www.freelists.org/webpage/oracle-l
>
>
--
Pete Finnigan
CEO and Founder
PeteFinnigan.com Limited
Specialists in database security.
Makers of PFCLScan the database security auditing tool.
Makers of PFCLObfuscate the tool to protect IPR in your PL/SQL
If you need help to audit or secure an Oracle database, please ask for details of our training courses and consulting services
Phone: +44 (0)1904 791188
Fax : +44 (0)1904 791188
Mob : +44 (0)7759 277220
email: pete_at_petefinnigan.com
site : http://www.petefinnigan.com
Registered Office: 9 Beech Grove, Acomb, York, YO26 5LD, United Kingdom
Company No : 4664901
VAT No. : 940668114
Please note that this email communication is intended only for the addressee and may contain confidential or privileged information. The contents of this email may be circulated internally within your organisation only and may not be communicated to third parties without the prior written permission of PeteFinnigan.com Limited. This email is not intended nor should it be taken to create any legal relations, contractual or otherwise.
--
http://www.freelists.org/webpage/oracle-l
Received on Thu Dec 15 2011 - 12:31:59 CST
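Pete's suggestion of a logon trigger plus a secure application role, as an added PL/SQL illustration that is not code from the thread or from Oracle's own documentation. The user BATCH_USR, role BATCH_ROLE, schema SEC, package BATCH_SEC, host batch01, OS user batchjob, table APP.ORDERS and module name nightly_load are all assumed names.

```sql
-- Added example (not from the thread). All object names are assumed.
-- Caveat: OS_USER, HOST and MODULE are reported by the client, so these
-- checks narrow who can use the account; they are not a hard boundary
-- against someone who already holds the OS account and the password.

-- 1. Logon trigger: reject BATCH_USR unless the session arrives from the
--    expected host and OS user, inside the nightly job window (01:00-04:59).
CREATE OR REPLACE TRIGGER sec.batch_logon_check
AFTER LOGON ON DATABASE
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'BATCH_USR' THEN
    IF NVL(SYS_CONTEXT('USERENV', 'OS_USER'), '?') <> 'batchjob'
       OR NVL(SYS_CONTEXT('USERENV', 'HOST'), '?') <> 'batch01'
       OR TO_CHAR(SYSDATE, 'HH24') NOT BETWEEN '01' AND '04'
    THEN
      RAISE_APPLICATION_ERROR(-20001, 'BATCH_USR: connection not permitted');
    END IF;
  END IF;
END;
/

-- 2. Secure application role: privileges sit on the role, and the role can
--    only be enabled from inside SEC.BATCH_SEC (IDENTIFIED USING).
CREATE ROLE batch_role IDENTIFIED USING sec.batch_sec;
GRANT SELECT, INSERT ON app.orders TO batch_role;
GRANT batch_role TO batch_usr;
ALTER USER batch_usr DEFAULT ROLE ALL EXCEPT batch_role; -- not on by default
GRANT EXECUTE ON sec.batch_sec TO batch_usr;

-- 3. Invoker's-rights package (required for DBMS_SESSION.SET_ROLE) that
--    enables the role only when the session looks like the nightly job.
CREATE OR REPLACE PACKAGE sec.batch_sec AUTHID CURRENT_USER AS
  PROCEDURE enable_batch;
END batch_sec;
/
CREATE OR REPLACE PACKAGE BODY sec.batch_sec AS
  PROCEDURE enable_batch IS
  BEGIN
    IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'BATCH_USR'
       AND NVL(SYS_CONTEXT('USERENV', 'MODULE'), '?') = 'nightly_load'
       AND NVL(SYS_CONTEXT('USERENV', 'HOST'), '?') = 'batch01'
    THEN
      DBMS_SESSION.SET_ROLE('BATCH_ROLE');
    ELSE
      RAISE_APPLICATION_ERROR(-20002, 'BATCH_ROLE not available here');
    END IF;
  END enable_batch;
END batch_sec;
/
-- The job tags its session, then asks for the role; an interactive login
-- from the same account gets no privileges on APP.ORDERS:
--   EXEC DBMS_APPLICATION_INFO.SET_MODULE('nightly_load', 'start');
--   EXEC sec.batch_sec.enable_batch;
```

Failed attempts surface as ORA-20001/ORA-20002 in the client and in audit records, which is the detection hook worth alerting on.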