Oracle FAQ Your Portal to the Oracle Knowledge Grid
Newsgroup: c.d.o.server

Re: Securing isqlplus

From: Chuck <chuckh_at_softhome.net>
Date: 20 May 2003 16:12:27 GMT
Message-ID: <Xns93817C2DC874Achuckhsofthomenet@130.133.1.4>


Daniel Morgan <damorgan_at_exxesolutions.com> wrote in news:3EC9CF44.D684FF03_at_exxesolutions.com:

> Alison Holloway wrote:
>
>>
>> > I can not come up with a single reason why the Oracle installation
>> > must provide a temporary certificate. Provide what is necessary to
>> > permanently secure the connection or buy yourself a flack jacket.
>>
>> Oracle is not a CA, and therefore cannot issue certificates. Oracle
>> can, however, issue temporary certificates that aren't 'certified' to
>> the user/company/server. These can be used for testing, but a real
>> certificate is need for production servers. There are professional CA
>> companies that you should contact to buy a certificate. 
>>
>> Alison
>
> I understand what you have written but it is no substitute in the
> real-world.
>
> One of the major complaints about DB2 is that it is not secure without
> purchasing an additional product: For example Tivoli. What is being
> duplicated here appears to be an analogous situation. I spend hundred
> of thousands or millions of dollars to purchase a product from Oracle
> and then have to go negotiate with someone else to purchase what I
> need to provide a secure environment. I hope I am misunderstanding but
> it appears that way from here. And if that is the case it is a
> marketing disaster waiting to happen.
>
> Oracle should go to a professional CA company and purchase what is
> required and then bundle it into the database or, given Oracle's
> assets, purchase the company itself. Anything less and you've
> surrendered a substantial piece of market-share to Bill Gates.
>
> Expect substantial negative feedback in Redwood Shores beginning
> tomorrow morning unless my understanding is incorrect.
>
> Thanks for stepping up to the plate and telling us what is happening.
> But it is important to remember that you are the one that stuck a
> knife into SQLPLUSW not us. You, as Oracle, made that decision. If
> your decision results in us having to purchase an additional product
> at additional expense you can expect a lot of very unhappy customers
> and that some of us will vigorously express our displeasure.
>
> I will look for your email off-line and here when I awake.
> --
> Daniel Morgan

This is a tough issue. Nobody wants to have to purchase a certificate from a CA just to connect to their databases securely. But then again, imagine the fallout if you did continue to use the temporary certificate (which does not authenticate that you are really connecting to the server you think you're connecting to), and someone hijacked your server's address. How many passwords would most people try before giving up? In this scenario, without even knowing it, they would have just given all their passwords to some hacker who also knows the real IP address of the database server. That's scary.

--
Chuck
Received on Tue May 20 2003 - 11:12:27 CDT
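The scenario Chuck describes can be reproduced end to end. The following is an added example written for this page, not code from the thread, from Oracle or from iSQL*Plus: it mints two self-signed "temporary" certificates for the same name (the genuine server's and an impostor's, as at a hijacked address), serves TLS from both on loopback, and dials each with two clients. One client clicks through the warning (no verification); the other trusts only the genuine certificate, which is what a CA-issued certificate buys you in general, with one shared trust anchor instead of a per-server pin. The hostname `db.example.internal`, the loopback listeners and the ECDSA keys are assumptions of the example; everything else is Go's standard crypto/tls and crypto/x509.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"time"
)

// dbHost is the name the client believes it is connecting to (assumed for this example).
const dbHost = "db.example.internal"

// selfSignedCert mints a throwaway "temporary" certificate for dbHost; only its own key vouches for it.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{dbHost},
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, _ := x509.ParseCertificate(der) // der was just produced by CreateCertificate, so it parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// serve starts a loopback TLS listener with a fresh self-signed certificate. It stands in for
// either the genuine database front end or an impostor at a hijacked address.
func serve() (addr string, leaf *x509.Certificate, stop func(), err error) {
	cert, err := selfSignedCert()
	if err != nil {
		return "", nil, nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", nil, nil, err
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			// Reading drives the handshake, then blocks until the client hangs up.
			go func(c io.ReadCloser) { io.Copy(io.Discard, c); c.Close() }(c)
		}
	}()
	return ln.Addr().String(), cert.Leaf, func() { ln.Close() }, nil
}

// connect dials addr expecting dbHost. trusted == nil models a user who clicks through the
// certificate warning; otherwise the handshake succeeds only if the server presents trusted.
func connect(addr string, trusted *x509.Certificate) error {
	cfg := &tls.Config{ServerName: dbHost, InsecureSkipVerify: trusted == nil}
	if trusted != nil {
		cfg.RootCAs = x509.NewCertPool()
		cfg.RootCAs.AddCert(trusted)
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	conn.Close()
	return nil
}

type Outcome struct {
	CarelessAcceptsReal, CarelessAcceptsImpostor   bool
	VerifyingAcceptsReal, VerifyingAcceptsImpostor bool
}

// Experiment runs the genuine server and an impostor (same name, different key) against both clients.
func Experiment() (Outcome, error) {
	realAddr, realCert, stopReal, err := serve()
	if err != nil {
		return Outcome{}, err
	}
	defer stopReal()
	impAddr, _, stopImp, err := serve()
	if err != nil {
		return Outcome{}, err
	}
	defer stopImp()
	return Outcome{
		CarelessAcceptsReal:      connect(realAddr, nil) == nil,
		CarelessAcceptsImpostor:  connect(impAddr, nil) == nil,
		VerifyingAcceptsReal:     connect(realAddr, realCert) == nil,
		VerifyingAcceptsImpostor: connect(impAddr, realCert) == nil,
	}, nil
}

func main() {
	o, err := Experiment()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o) // careless client accepts both; verifying client accepts only the real server
}
```

Run it with `go run`: the client that skips verification completes the handshake with both listeners, so it would hand its username and password to whichever one answered at the hijacked address; the client that checks the certificate against a trust anchor completes the handshake only with the genuine server. Pinning the server's own self-signed certificate on every client, as done here, is the small-scale version of that check; a certificate from a CA the clients already trust is the same check without having to distribute a pin.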
