
Re: Securing isqlplus

From: Daniel Morgan <damorgan_at_exxesolutions.com>
Date: Wed, 21 May 2003 08:35:51 -0700
Message-ID: <3ECB9CD7.808958FE@exxesolutions.com>


Alison Holloway wrote:

> Daniel Morgan wrote:
> >
> > You also said that after purchasing Oracle software one must separately negotiate the purchase
> > of a certificate from a CA company. Which I translate into meaning that you are selling an
> > insecure product in the same way that IBM's DB/2 requires Tivoli or similar third-party
> > products.
> >
> > Have I misunderstood? And if not why can't Oracle bundle what I need onto the CD? I can tell
> > you with little hesitation of being contradicted that if my original interpretation is correct
> > it does not bode well for the future.
> > --
> > Daniel Morgan
> > http://www.outreach.washington.edu/extinfo/certprog/oad/oad_crs.asp
> > damorgan_at_x.washington.edu
> > (replace 'x' with a 'u' to reply)
> >
> >
>
> I'm not sure that you fully understand how CAs/certificates work. A certificate shouldn't
> be issued by a company such as Oracle, but by a certification authority (CA). Oracle is
> not a CA and does not want to become one. A CA is a member of a trusted hierarchy, and
> issues a certificate to authenticate the server/company/person. Oracle supplies a
> temporary certificate for you to use to test your environment. Before you go production,
> you should set up the security levels for your environment, including getting a proper
> certificate to authenticate your server. This is pretty standard stuff, and not unusual in
> any way.
>
> How would you suggest we authenticate users who download Oracle9i from OTN, or borrow a CD
> from someone else?
>
> Alison

What I would suggest is exactly what Stu Charlton alludes to when he states:

"The free alternative is to generate your own certificate that's not signed by a well-known CA, i.e. your company becomes its own CA."

A tool/wizard that does this should be part of the distribution just as there is a tool for configuring SQL*Net.

Not every Oracle customer is a Fortune 500 with a security department (something Stu seems to believe when he writes "I really doubt IT security departments would want to buy their company's certificate from their database vendor.").

Another alternative would be to build in a piece of the database installation/configuration that would take the user to a web site where they could select a CA vendor.

A major part of my objection here is the implicit assumption that anyone that buys from Oracle has web servers and a need, or desire, to be on the internet with their databases. In most cases databases are used internally for such purposes as providing the backbone for an accounting system like PeopleSoft, SAP, etc. and the occasional access through iSQL*Plus should not risk the integrity of the system.

Somehow I expect Microsoft will solve this problem without requiring its customers to do business with a third-party vendor and leave dollars on the table. Anyone want to take the bet?

Oracle can do better ... and should!

--
Daniel Morgan
http://www.outreach.washington.edu/extinfo/certprog/oad/oad_crs.asp
damorgan_at_x.washington.edu
(replace 'x' with a 'u' to reply)
Received on Wed May 21 2003 - 10:35:51 CDT
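The "become your own CA" alternative quoted in the post above, shown as an added worked example; this is not code from the original thread, from Oracle, or from any iSQL*Plus tooling. It assumes the openssl command-line tool is on the PATH, uses an assumed working directory ./ownca, and an assumed internal hostname isqlplus.example.internal. It creates a private root CA, issues a server certificate for the iSQL*Plus host that is constrained to server authentication and cannot itself sign further certificates, and then checks the chain the way a client that trusts only the private root would.

```shell
#!/bin/sh
# Added example: act as your own CA for an internal iSQL*Plus host.
# Not from the original post. Assumptions: openssl on PATH, working
# directory ./ownca, hostname isqlplus.example.internal.
set -eu

WORKDIR="${WORKDIR:-./ownca}"   # assumed location for keys and certificates
CA_DAYS=3650                    # root CA lifetime in days
SRV_DAYS=825                    # server certificate lifetime in days

# 1. Private root CA: RSA key plus a self-signed certificate.
#    Keep ca.key offline; anyone holding it can issue trusted certificates.
make_root_ca() {
    mkdir -p "$WORKDIR"
    openssl genrsa -out "$WORKDIR/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORKDIR/ca.key" -sha256 -days "$CA_DAYS" \
        -subj "/O=Example Corp/CN=Example Corp Internal Root CA" \
        -out "$WORKDIR/ca.crt"
}

# 2. Server key and CSR, then sign the CSR with the root CA.
#    The extensions file pins the leaf to server authentication, denies it the
#    CA bit, and sets a subjectAltName so modern clients match the hostname.
issue_server_cert() {
    host="$1"
    openssl genrsa -out "$WORKDIR/$host.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/$host.key" \
        -subj "/O=Example Corp/CN=$host" -out "$WORKDIR/$host.csr"
    cat > "$WORKDIR/$host.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host
EOF
    openssl x509 -req -in "$WORKDIR/$host.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -days "$SRV_DAYS" -sha256 -extfile "$WORKDIR/$host.ext" \
        -out "$WORKDIR/$host.crt" 2>/dev/null
}

# 3. Validate the leaf against the private root only, as a client that has
#    imported ca.crt would. Returns non-zero if the chain does not verify.
verify_server_cert() {
    openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/$1.crt" >/dev/null 2>&1
}

# 4. Sanity check: the issued leaf must not carry CA:TRUE, otherwise a
#    compromised server key could mint certificates for any other host.
leaf_is_not_ca() {
    ! openssl x509 -in "$WORKDIR/$1.crt" -noout -text | grep -q 'CA:TRUE'
}

main() {
    make_root_ca
    issue_server_cert isqlplus.example.internal
    verify_server_cert isqlplus.example.internal && echo "chain OK"
    leaf_is_not_ca isqlplus.example.internal && echo "leaf is not a CA"
}

main
```

The resulting isqlplus.example.internal.key and .crt go wherever the HTTP server in front of iSQL*Plus expects its key and certificate; the one thing a public CA would have saved you is the last step, distributing ca.crt to every browser or client trust store on the network, which is the real cost of the in-house option.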
