Re: Autostarting wallet question.

From: MARK BRINSMEAD <mark.brinsmead_at_gmail.com>
Date: Thu, 12 Mar 2015 17:16:51 -0400
Message-ID: <CAAaXtLAf018a65eF0TM5dJnBEV_JQsRrdy1ciU=kDPy0WNDatw_at_mail.gmail.com>



Hmmm...

How, exactly, does Oracle know whether or not you are on "the system where it was created"?

This is a problem I encountered many years ago with a keyed security product (which will remain unnamed by design) where the software keys were meant to work only on a single computer.

Because this was a product meant to work with almost any UNIX platform, it could not rely on any hardware- or vendor-specific means of identifying a host.

Their solution was to use the MAC address of the "first" NIC on the server. After all, MAC addresses are assured to be unique, right? (Okay, they were back then -- this was years before anyone started running UNIX on virtual machines.)

Here was the problem though -- if for some reason you had to replace (or even disable) the component containing the "first" NIC on the computer, the computer would get a whole new identity, and the "security" software would stop working. When that happened, you would be unable to mount disks, open a database, or even read backup tapes!

What hardware components do I need to replace to make my "local wallet" stop working? Does this work with virtualized machines? Can it be *fooled* by virtual machines?

I'm not trying to "poke holes" here. I'm genuinely curious.

Cheers!

On Thu, Mar 12, 2015 at 3:40 PM, Alex Fatkulin <afatkulin_at_gmail.com> wrote:

> Just keep in mind that auto login wallet can be opened anywhere (on any
> system) without knowing the password. So if someone steals your wallet they
> can open it without a password and get access to all your encryption keys.
>
> If this is not desirable then auto login _local_ wallet might be a better
> choice - it can only be opened on the system where it was created.
>
> On Thu, Mar 12, 2015 at 3:34 PM, Charles Schultz <sacrophyte_at_gmail.com>
> wrote:
>
>> Having just tried this myself, I would echo what others have said about
>> using Tim Hall's blog. Here is the orapki command you can use to set up a
>> SSO auto-login wallet:
>>
>> orapki wallet create -wallet <full/path/to/your/existing/wallet> -auto_login
>>
>> You will be prompted for the existing wallet password, although the
>> interface is a bit screwy.
>>
>> On Thu, Mar 12, 2015 at 2:26 PM, Marcos Colmenares H. <
>> mcolmenares_at_newtechsistemas.com.ve> wrote:
>>
>>> Good Day,
>>>
>>> I found a procedure to auto start the wallet when the DB starts up,
>>> using a wrapped procedure, but as Oracle points out, "Wrapping is not a
>>> secure method for hiding passwords or table names.".
>>>
>>> Is there a proper way to auto start it without the security problems?
>>>
>>> Link to procedure
>>> http://arjudba.blogspot.com/2010/12/how-to-open-encryption-wallet.html
>>>
>>>
>>> Best Regards,
>>>
>>> Marcos Colmenares H
>>>
>>> --
>>>
>>
>>
>>
>> --
>> Charles Schultz
>>
>
>
>
> --
> Alex Fatkulin,
> http://afatkulin.blogspot.com
>

--
http://www.freelists.org/webpage/oracle-l
Received on Thu Mar 12 2015 - 22:16:51 CET
