Re: Securing isqlplus
Daniel Morgan <damorgan_at_exxesolutions.com> wrote in
news:3EC9CF44.D684FF03_at_exxesolutions.com:
> Alison Holloway wrote:
>
>> > I can not come up with a single reason why the Oracle installation
>> > must provide a temporary certificate. Provide what is necessary to
>> > permanently secure the connection or buy yourself a flak jacket.
>>
>> Oracle is not a CA, and therefore cannot issue certificates. Oracle
>> can, however, issue temporary certificates that aren't 'certified' to
>> the user/company/server. These can be used for testing, but a real
>> certificate is needed for production servers. There are professional CA
>> companies that you should contact to buy a certificate.
>>
>> Alison

This is a tough issue. Nobody wants to have to purchase a certificate from a CA just to connect to their databases securely. But then again, imagine the fallout if you did continue to use the temporary certificate (which does not authenticate that you are really connecting to the server you think you're connecting to), and someone hijacked your server's address. How many passwords would most people try before giving up? In this scenario, without even knowing it, they would have just given all their passwords to some hacker who also knows the real IP address of the database server. That's scary.
--
Chuck

Received on Tue May 20 2003 - 11:12:27 CDT
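
The gap described in the post above, as an added example that is not part of the thread: two uncertified certificates carrying the same server name look identical to a client that only reads the name, while a client that verifies against a trust anchor it chose tells them apart. The hostname `db.example.test`, the file names, and the use of the server's own certificate as the client's trust anchor are assumptions made for the demo.

```shell
#!/bin/sh
# Added illustration; HOST and all file names are constructed placeholders.
HOST=db.example.test
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create an uncertified (self-signed) certificate for $HOST.
# No CA is involved, so nothing vouches for who holds the key.
mint() {  # $1 = output basename
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$HOST" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# What a click-through client effectively sees: the name in the certificate.
name_of() { openssl x509 -in "$WORK/$1.pem" -noout -subject -nameopt RFC2253; }

# The value that actually distinguishes one certificate from another.
fp_of() { openssl x509 -in "$WORK/$1.pem" -noout -fingerprint -sha256; }

# What an authenticating client checks: does the presented certificate
# verify against the trust anchor the client was configured with?
trusted() {  # $1 = anchor basename, $2 = presented basename
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

mint server     # stands in for the temporary certificate on the real host
mint impostor   # a second certificate made the same way, same name

echo "server:   $(name_of server)"
echo "impostor: $(name_of impostor)"
echo "server:   $(fp_of server)"
echo "impostor: $(fp_of impostor)"

if trusted server server; then
  echo "verifying client: real server accepted"
fi
if ! trusted server impostor; then
  echo "verifying client: impostor rejected"
fi
```

A CA-issued certificate gives the same accept/reject outcome without every client having to be handed the server's certificate in advance, which is the trade-off the thread is arguing about.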