
Re: Security Products

From: Sylvie Bérubé <sberube_at_cam.org>
Date: 1997/02/25
Message-ID: <3313B5B5.C0@cam.org>#1/1

Rosemary Fleming wrote:
>
> Currently our unix scripts have the Oracle userid and password hard-coded in
> calls to SQLPLUS - for example "sqlplus system/manager". No kidding- the
> people who originally wrote the scripts did not even change the password for
> SYSTEM. As the DBA, I want the developers to change their scripts to use
> parameters for the userid and password and store the passwords in a password
> file which could only be read by root. This way, I could change the passwords
> whenever I wanted to without having to change every single script.
>
> Our Unix administrator feels that this is not secure enough - that it would be
> easy to hack in. He would like a more complete solution. He would like to know
> if there are any 3rd party products which would handle this plus other
> Oracle issues. Can anyone tell me if they currently use such tools and what
> their experiences have been.
>
> We are running Oracle 7.2.2 on HP-UX V9 (soon to be Oracle 7.3 on HP-UX V10).
>
> Rosemary Fleming

Hello Rosemary,

Here's how we have been doing this security thing in our company.

We are using OPS$ login for all users needed to connect through Unix (generally for batch processing). This makes Oracle dependent on Unix to control access to the database. The users then code in their batches:
sqlplus / @my_sql_script.
This ensures that no passwords are seen in the SQL script.

For all users connecting through SQL*Net they each have their own userid/password controlled inside Oracle and they don't!!! have any access to Unix to run batch.

A user of course could have both an account on Unix and one in Oracle through SQL*Net. He could then connect to Unix using his OS account and execute a script connected to Oracle using the SQL*Net userid/password. But we audit that a person using SQL*Net userid is not connected through Unix. As those special users are only the programmers, not our production users, we explained the scheme very well to them... :-)

Hope this helps.

Sylvie Bérubé
ISM - Air Canada
sberube_at_cam.org
sberube_at_aircanada.ca

Received on Tue Feb 25 1997 - 00:00:00 CST
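
As an added illustration (not part of the original thread or either poster's code), this shell sketch audits a script directory for the hard-coded `sqlplus user/password` calls described in the question and counts the calls already using the `sqlplus /` form from the reply. The regexes, function names and sample scripts are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: audit scripts for hard-coded sqlplus logins (constructed data).

# "sqlplus", optional flags (e.g. -s), optional quote, then user/password where
# the password is a literal (does not start with "$"). "sqlplus /" cannot match
# because at least one user-name character is required before the slash.
HARDCODED_RE="sqlplus[[:space:]]+(-[A-Za-z]+[[:space:]]+)*[\"']?[A-Za-z0-9_\$#]+/[^[:space:]@\"'\$]"
# OS-authenticated form: a bare "/" in place of user/password.
OS_AUTH_RE='sqlplus[[:space:]]+(-[A-Za-z]+[[:space:]]+)*/([[:space:]]|$)'

# Print "file:line:text" for each hard-coded login under directory $1.
find_hardcoded_sqlplus() {
    grep -rnE -- "$HARDCODED_RE" "$1" 2>/dev/null
}

# Number of lines with a hard-coded login under directory $1.
count_hardcoded_sqlplus() {
    find_hardcoded_sqlplus "$1" | wc -l | tr -d ' '
}

# Number of lines already using OS authentication under directory $1.
count_os_auth() {
    grep -rnE -- "$OS_AUTH_RE" "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Build a temp directory of constructed sample scripts and print its path.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'sqlplus system/manager @nightly.sql'       > "$d/nightly.sh"
    printf '%s\n' 'sqlplus -s scott/tiger@PROD @report.sql'   > "$d/report.sh"
    printf '%s\n' 'sqlplus / @my_sql_script'                  > "$d/batch.sh"
    printf '%s\n' 'sqlplus "$ORA_USER/$ORA_PASS" @load.sql'   > "$d/param.sh"
    echo "$d"
}

# Demo run over the constructed samples.
dir=$(make_sample_dir)
echo "Hard-coded logins found: $(count_hardcoded_sqlplus "$dir")"
find_hardcoded_sqlplus "$dir"
echo "OS-authenticated calls:  $(count_os_auth "$dir")"
rm -rf "$dir"
```

Commented-out lines are matched too, since a password left in a comment is still readable by anyone who can read the script.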
