Re: Securing isqlplus

Alison Holloway wrote:
> Thanks Daniel. I answered Chuck in a separate email, but just for the
> benefit of everyone reading this newsgroup, here was my answer.
>
> You need to set up SSL (HTTPS) to secure iSQL*Plus. When you install
> iSQL*Plus out of the box, all passwords are transmitted over HTTP,
> unencrypted. You may not see the passwords in the URL, but they are
> there if you look at the HTTP transmission as they are sent with a POST
> command. This is a limitation of HTTP.
>
> Oracle strongly suggests setting up SSL if you want to secure iSQL*Plus.
> This is the primary reason that we do not enable the iSQL*Plus DBA URL
> by default. We could not set up SSL out of the box as you need to use
> your own certificate.
>
> I hope this helps.
>
> Alison
>
> Daniel Morgan wrote:
>
>
> <snip>
>

>> You read correctly  but interpret incorrectly.
>>
>> All iSQL*Plus connections are secure. Oracle does not expose passwords
>> except for one type of database link.
>>
>> If you have specific questions I would suggest that you address them to:
>> alison.holloway_at_oracle.com
>>
>> There is no more qualified person on the planet when it comes to 
>> iSQL*Plus.
>> -- 
>> Daniel Morgan
>> http://www.outreach.washington.edu/extinfo/certprog/oad/oad_crs.asp
>> damorgan_at_x.washington.edu
>> (replace 'x' with a 'u' to reply)
>>
>>

Sorry - you don't need a Verisign certificate to use SSL. 9iAS come with an Oracle Demo certificate, whcih will encrypt data sent just as well.
If you insist on a certificate, you can generate your own. All Verisign will add is the 'proof' you are actually talking to a server from ... yourself (c.q. your company).

As a side comment: don't use Verisign certificates in a Java environment (I've had some 'problems' with Portal/SSO in https mode...), as the certificates are not complete. That is, the certificates point to other ones, that come pre-installed in many browsers. No good for a java based environment...

-- 
Regards, Frank van Bortel