Received: (qmail 9043 invoked from network); 2 Feb 2011 10:42:44 -0600 Received: from freelists-180.iquest.net (HELO turing.freelists.org) (206.53.239.180) by static-ip-85-25-126-90.inaddr.intergenia.de with SMTP; 2 Feb 2011 10:42:36 -0600 Received: from localhost (localhost [127.0.0.1]) by turing.freelists.org (Avenir Technologies Mail Multiplex) with ESMTP id 4E8FAD64884; Wed, 2 Feb 2011 11:42:25 -0500 (EST) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=freelists.org; s=turing; t=1296664945; bh=nzWt/nFxMNhsViGy+1lU2Loyli8te1qp+c5up450 2y0=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject: From:To:Cc:Content-Type:Sender:Reply-To:List-help:List-unsubscribe: List-Id:List-subscribe:List-owner:List-post:List-archive; b=aGN1EK e6JP4EtWeQuz+iFg90SIjlfuu/keAe5gH/aa2l0GM7lGo1Qm6Zy6FpO6spjRLyN4Pjr Gam5sWnExP1aW5vMryPfA2y8sh17prswjBZi6DomvRpLLUrNZMolUagjtsKBVCcLuRp WBSlqPvVd5KftCqgigixCwPrGqQuKkI= X-Virus-Scanned: Debian amavisd-new at localhost.localdomain Received: from turing.freelists.org ([127.0.0.1]) by localhost (turing.freelists.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v1Qdy3HgkDCP; Wed, 2 Feb 2011 11:42:24 -0500 (EST) Received: from turing.freelists.org (localhost [127.0.0.1]) by turing.freelists.org (Avenir Technologies Mail Multiplex) with ESMTP id 75BEBD64736; Wed, 2 Feb 2011 11:41:41 -0500 (EST) Received: with ECARTIS (v1.0.0; list oracle-l); Wed, 02 Feb 2011 11:40:59 -0500 (EST) Received: from localhost (localhost [127.0.0.1]) by turing.freelists.org (Avenir Technologies Mail Multiplex) with ESMTP id A77A5D646CE for ; Wed, 2 Feb 2011 11:40:59 -0500 (EST) Authentication-Results: turing.freelists.org; dkim=pass (1024-bit key) header.i=@gmail.com Received: from turing.freelists.org ([127.0.0.1]) by localhost (turing.freelists.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id adwkC80Y-0Bf for ; Wed, 2 Feb 2011 11:40:59 -0500 (EST) Received: from mail-vw0-f51.google.com (mail-vw0-f51.google.com [209.85.212.51]) by turing.freelists.org (Avenir Technologies Mail Multiplex) with ESMTP id 381ABD63845 for ; Wed, 2 Feb 2011 11:40:40 -0500 (EST) Received: by vws20 with SMTP id 20so77140vws.10 for ; Wed, 02 Feb 2011 08:40:35 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=80qbEjJZSGTxMM2nKBAYP0W2+VZocd74IeYRXFGKUzI=; b=udCL6ZZY56Y7A4/FgEPog+NwScbBERwCbrg++Lil8HnfGDPcg4y/dA4fQ53oVtEGcu zbF3dX6BaLDGxVMquk2F9QCS6eg/DMBqVPGHRREz+1jkR2Y6CXNMTx/ViWvQ16VA+4qC Xi7kCsLlsFI2QOs0d6cjkh9iYQazJSMTqn1CI= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=RLh7tvWZamuPqng+zMpcz9s4rcXFGaC2vEKEs3J3ktxs/E5G9bta3DtjB6/9mc2sGc qST9D49N8qZF60EfjWgkoJpNJQqrshtI60DeWTafIaWALei9cvT7BcedtILqP1vAfADy QNyv2dSjPzh5Gv+7H0QFA9czWK3sSFRuEStq0= MIME-Version: 1.0 Received: by 10.229.81.11 with SMTP id v11mr6026055qck.152.1296631809158; Tue, 01 Feb 2011 23:30:09 -0800 (PST) Received: by 10.229.91.15 with HTTP; Tue, 1 Feb 2011 23:30:09 -0800 (PST) Received: by 10.229.91.15 with HTTP; Tue, 1 Feb 2011 23:30:09 -0800 (PST) In-Reply-To: References: <770572.52317.qm@web57505.mail.re1.yahoo.com> <4D48EE4D.5010808@tpg.com.au> Date: Wed, 2 Feb 2011 07:30:09 +0000 Message-ID: Subject: Re: unix Ksh script variable From: Niall Litchfield To: dedba@tpg.com.au Cc: oracle-l@freelists.org, ajoshi977@yahoo.com Content-Type: multipart/alternative; boundary=0016364274d963ae8e049b479efc X-archive-position: 34086 X-ecartis-version: Ecartis v1.0.0 Sender: oracle-l-bounce@freelists.org Errors-to: oracle-l-bounce@freelists.org X-original-sender: niall.litchfield@gmail.com Precedence: normal Reply-To: niall.litchfield@gmail.com List-help: List-unsubscribe: List-software: Ecartis version 1.0.0 List-Id: oracle-l X-List-ID: oracle-l List-subscribe: List-owner: List-post: List-archive: X-list: oracle-l --0016364274d963ae8e049b479efc Content-Type: text/plain; charset=ISO-8859-1 Hi I'm pretty sure that Oracle Wallet requires the advanced security option to be licensed. So a great solution if its already there, but somewhat overkill compared to parsing a protected text file if it isn't. I wonder these days how big the security risk of storing passwords in scripts is (not the convenience of only storing them once). Time was when we had real users logging onto the db server able to read scripts and sniff command lines. Those days pretty much died with client server though. (p.s my phone adaptive auto correct changed "command lin" to "named pipes" as I was typing . I should get out more) On 2 Feb 2011 05:42, "De DBA" wrote: Have you considered using Oracle Wallets? It takes a bit of effort to setup, but is quite resilient. We have used it for years to great satisfaction. You store just the credential's db_connect_string in a plain-text configuration file, which the script then picks up and uses to connect. see e.g.: http://askdba.org/weblog/2009/09/using-oracle-wallet-to-execute-shell-scriptcron-without-hard-coded-oracle-database-password/ There used to be an Oracle Whitepaper as well which showed how to set this up with the sys account, but I cannot find it any more on the Oracle website. The actual topic of the whitepaper was "Using Oracle Recovery Manager (RMAN) with Database Vault", published in 2006. Basically you just create a credential as demonstrated in the link above and pass the connect string with "as sysdba" as per usual. Hth, Tony A Joshi wrote: > > hi > I have a script which is to be executed on many databases and different da... --0016364274d963ae8e049b479efc Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable

Hi
I'm pretty sure that Oracle Wallet requires the advanced security optio= n to be licensed. So a great solution if its already there, but somewhat ov= erkill compared to parsing a protected text file if it isn't. I wonder = these days how big the security risk of storing passwords in scripts is (no= t the convenience of only storing them once). Time was when we had real use= rs logging onto the db server able to read scripts and sniff command lines.= Those days pretty much died with client server though.

(p.s my phone adaptive auto correct changed "command lin" to &= quot;named pipes" as I was typing . I should get out more)

On 2 Feb 2011 05:42, "De DBA" <dedba@tpg.com.au> wrote:

Ha= ve you considered using Oracle Wallets? It takes a bit of effort to setup, = but is quite resilient. We have used it for years to great satisfaction. Yo= u store just the credential's db_connect_string in a plain-text configu= ration file, which the script then picks up and uses to connect.

see e.g.: http://askdba.org/weblog/2009/09/using-oracle-wallet-to-exe= cute-shell-scriptcron-without-hard-coded-oracle-database-password/

There used to be an Oracle Whitepaper as well which showed how to set this = up with the sys account, but I cannot find it any more on the Oracle websit= e. The actual topic of the whitepaper was "Using Oracle Recovery Manag= er (RMAN) with Database Vault", published in 2006. Basically you just = create a credential as demonstrated in the link above and pass the connect = string with "as sysdba" as per usual.

Hth,
Tony



A Joshi wrote:
>
> hi> I have a script which is to be executed on many databases and differe= nt da...

--0016364274d963ae8e049b479efc-- -- http://www.freelists.org/webpage/oracle-l