Re: Securing isqlplus

Daniel Morgan wrote:
>
> You also said that after purchasing Oracle software one must separately negotiate the purchase
> of a certificate from a CA company. Which I translate into meaning that you are selling an
> insecure product in the same way that IBM's DB/2 requires Tivoli or similar third-party
> products.
>
> Have I misunderstood? And if not why can't Oracle bundle what I need onto the CD? I can tell
> you with little hesitation of being contradicted that if my original interpretation is correct
> it does not bode well for the future.
> --
> Daniel Morgan
> http://www.outreach.washington.edu/extinfo/certprog/oad/oad_crs.asp
> damorgan_at_x.washington.edu
> (replace 'x' with a 'u' to reply)
>
>

I'm not sure that you fully understand how CAs/certificates work. A certificate shouldn't be issued by a company such as Oracle, but by a certification authority (CA). Oracle is not a CA and does not want to become one. A CA is a member of a trusted hierarchy, and issues a certificate to authenticate the server/company/person. Oracle supplies a temporary certificate for you to use to test your environment. Before you go production, you should set up the security levels for your environment, including getting a proper certificate to authenticate your server. This is pretty standard stuff, and not unusual in any way.

How would you suggest we authenticate users who download Oracle9i from OTN, or borrow a CD from someone else?

Alison Received on Tue May 20 2003 - 22:30:34 CDT