Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
Home -> Community -> Usenet -> c.d.o.server -> Re: Securing isqlplus
Alison Holloway wrote:
> Thanks Daniel. I answered Chuck in a separate email, but just for the
> benefit of everyone reading this newsgroup, here was my answer.
>
> You need to set up SSL (HTTPS) to secure iSQL*Plus. When you install
> iSQL*Plus out of the box, all passwords are transmitted over HTTP,
> unencrypted. You may not see the passwords in the URL, but they are
> there if you look at the HTTP transmission as they are sent with a POST
> command. This is a limitation of HTTP.
>
> Oracle strongly suggests setting up SSL if you want to secure iSQL*Plus.
> This is the primary reason that we do not enable the iSQL*Plus DBA URL
> by default. We could not set up SSL out of the box as you need to use
> your own certificate.
>
> I hope this helps.
>
> Alison
>
> Daniel Morgan wrote:
>
>
> <snip>
>
>> You read correctly but interpret incorrectly. >> >> All iSQL*Plus connections are secure. Oracle does not expose passwords >> except for one type of database link. >> >> If you have specific questions I would suggest that you address them to: >> alison.holloway_at_oracle.com >> >> There is no more qualified person on the planet when it comes to >> iSQL*Plus. >> -- >> Daniel Morgan >> http://www.outreach.washington.edu/extinfo/certprog/oad/oad_crs.asp >> damorgan_at_x.washington.edu >> (replace 'x' with a 'u' to reply) >> >>
Sorry - you don't need a Verisign certificate to use SSL.
9iAS come with an Oracle Demo certificate, whcih will encrypt
data sent just as well.
If you insist on a certificate, you can generate your own. All
Verisign will add is the 'proof' you are actually talking to
a server from ... yourself (c.q. your company).
As a side comment: don't use Verisign certificates in a Java environment (I've had some 'problems' with Portal/SSO in https mode...), as the certificates are not complete. That is, the certificates point to other ones, that come pre-installed in many browsers. No good for a java based environment...
-- Regards, Frank van BortelReceived on Wed May 21 2003 - 14:15:50 CDT