Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.server -> Re: Securing isqlplus

Re: Securing isqlplus

From: Chuck <chuckh_at_softhome.net>
Date: 19 May 2003 18:10:24 GMT
Message-ID: <Xns9380902BC2079chuckhsofthomenet@130.133.1.4>


Daniel Morgan <damorgan_at_exxesolutions.com> wrote in news:3EC8F6E4.823903A2_at_exxesolutions.com:

> Alison Holloway wrote:
>

>> Thanks Daniel. I answered Chuck in a separate email, but just for the
>> benefit of everyone reading this newsgroup, here was my answer.
>>
>> You need to set up SSL (HTTPS) to secure iSQL*Plus. When you install
>> iSQL*Plus out of the box, all passwords are transmitted over HTTP,
>> unencrypted. You may not see the passwords in the URL, but they are
>> there if you look at the HTTP transmission as they are sent with a
>> POST command. This is a limitation of HTTP. 
>>
>> Oracle strongly suggests setting up SSL if you want to secure
>> iSQL*Plus. This is the primary reason that we do not enable the
>> iSQL*Plus DBA URL by default. We could not set up SSL out of the box
>> as you need to use your own certificate. 
>>
>> I hope this helps.
>>
>> Alison
>>
>> Daniel Morgan wrote:
>>
>> <snip>
>>
>> > You read correctly but interpret incorrectly.
>> >
>> > All iSQL*Plus connections are secure. Oracle does not expose
>> > passwords except for one type of database link.
>> >
>> > If you have specific questions I would suggest that you address
>> > them to: alison.holloway_at_oracle.com
>> >
>> > There is no more qualified person on the planet when it comes to
>> > iSQL*Plus.
>> > --
>> > Daniel Morgan
>> > http://www.outreach.washington.edu/extinfo/certprog/oad/oad_crs.asp
>> > damorgan_at_x.washington.edu
>> > (replace 'x' with a 'u' to reply)
>> >
>> >

>
> Thanks for your response.
>
> Hopefully in 10i, or whatever the next version is called, the default
> installation will be HTTPS or we all know disaster will be reported in
> the computer press shortly thereafter if it is insecure. The standard
> installation should include the HTTPS set-up for the major browsers.
>
> --
> Daniel Morgan
> http://www.outreach.washington.edu/extinfo/certprog/oad/oad_crs.asp
> damorgan_at_x.washington.edu
> (replace 'x' with a 'u' to reply)
>
>
>

It looks like it does on NT. On unix, it turns out it was just a matter of starting apache with the "startssl" command instead of "start".

The next question is how secure is it to use the demo certificate if all I want to do is encrypt data? I don't care about authentication at all since I am dialing in to a private network. I just want to be sure that if I am using a wireless device that passwords are encrypted all the way through so they are not compromised between the device and the provider. Anyone who understands SSL please chime in.

Received on Mon May 19 2003 - 13:10:24 CDT
