Re: Encrypt password in JDBC connection string

  • From: Job Miller <jobmiller@xxxxxxxxx>
  • To: goran00@xxxxxxxxx, xwu@xxxxxxxxxxxxxxxxx
  • Date: Wed, 22 Aug 2007 11:58:44 -0700 (PDT)

Is it a web app?  If so, use a JDBC data source defined by the app server.  I 
think all the app servers I have seen have some form/mechanism to encrypt or 
use indirection for the password in the data-sources.xml file that defines the 
connection url.

For oc4j:

Using Password Indirection

The data-sources.xml file requires passwords for authentication. Embedding 
these passwords without some kind of obfuscation poses a security risk. To 
avoid this problem, OC4J supports password indirection.

An indirect password is made up of a special indirection symbol (->) and a 
user name (or user name and realm). When OC4J encounters an indirect password, 
it retrieves the password associated with the specified user from the security 
store provided by a user manager.

For more information on creating users and passwords, and working with a user 
manager, see the section on password management in the Oracle Containers for 
J2EE Security Guide.

For example, if the native data source entry looks like:

<native-data-source
   name="nativeDataSource"
   jndi-name="jdbc/nativeDS"
   data-source-class="com.acme.DataSourceImpl"
   user="frank"
   password="frankpw"
   url="jdbc:acme:@localhost:5500:acme" />

You can replace the password, "frankpw", with the indirection symbol (->) and 
a user name (frank) as follows: password="->frank". This assumes that a user 
named frank with the password frankpw has been created in a user manager.

You can configure password indirection in the Application Server Control 
Console.

To configure an indirect password for a data source directly in the 
data-sources.xml file, change the value of the password attribute so that 
its value is "->", followed either by the user name or by the realm and user 
name separated by a slash ("/"). For example:

<native-data-source
   name="nativeDataSource"
   jndi-name="jdbc/nativeDS"
   data-source-class="com.acme.DataSourceImpl"
   user="frank"
   password="->frank"
   url="jdbc:acme:@localhost:5500:acme" />

There are also password attributes on the <managed-data-source> and 
<connection-factory> elements.
goran bogdanovic <goran00@xxxxxxxxx> wrote: 
You may consider using Oracle Secure External Password Store...

 
Wu, Michael wrote:
Hello,

Our technical auditors require we encrypt the schema password in the JDBC 
connection string. Can you please provide some advice? What's the best practice 
to handle those application schema passwords in Oracle?


Thanks,
Michael 
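As an added example (not part of the original thread and not OC4J's own code): a small Python script that models the indirection rule quoted in Job Miller's reply above. It parses a constructed data-sources.xml, resolves "->user" and "->realm/user" references against a stand-in user store, and flags every data source whose password attribute is still a literal secret, which is the check an auditor with Michael's requirement would want to run over a deployment. The sample XML, the user-store contents, the realm name "app.realm" and the <connection-factory> entry are all constructed for the example; the indirection syntax itself is the one the quoted OC4J text describes.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample data-sources.xml, modelled on the OC4J snippets quoted in
# the reply above. One entry still carries a literal password, one uses the
# "->user" form, one the "->realm/user" form, and one points at a user that
# does not exist. Not a real configuration file.
SAMPLE_DATA_SOURCES_XML = """<data-sources>
  <native-data-source
     name="plainDataSource"
     jndi-name="jdbc/plainDS"
     data-source-class="com.acme.DataSourceImpl"
     user="frank"
     password="frankpw"
     url="jdbc:acme:@localhost:5500:acme" />
  <native-data-source
     name="nativeDataSource"
     jndi-name="jdbc/nativeDS"
     data-source-class="com.acme.DataSourceImpl"
     user="frank"
     password="->frank"
     url="jdbc:acme:@localhost:5500:acme" />
  <managed-data-source
     name="reportingDataSource"
     jndi-name="jdbc/reportingDS"
     connection-pool-name="reportingPool"
     user="reports"
     password="->app.realm/reports" />
  <connection-factory
     name="legacyFactory"
     user="legacy"
     password="->nobody" />
</data-sources>"""

# Hypothetical stand-in for the container's user manager / security store:
# (realm, user) -> password. In a real deployment this lives in the app
# server's security provider, not in the application or the XML file.
USER_STORE = {
    (None, "frank"): "frankpw",
    ("app.realm", "reports"): "r3p0rts!",
}

# "->user" or "->realm/user"; realm and user are separated by a single slash.
INDIRECT = re.compile(r"^->(?:(?P<realm>[^/]+)/)?(?P<user>[^/]+)$")


def parse_indirect(password):
    """Return (realm, user) for an indirect password such as '->frank' or
    '->app.realm/reports'; return None if the value is a literal password.
    Note the scheme's inherent ambiguity: a literal password that happens
    to begin with '->' would be treated as a reference by the container."""
    m = INDIRECT.match(password)
    if not m:
        return None
    return m.group("realm"), m.group("user")


def resolve_password(password, store=USER_STORE):
    """Resolve a password attribute the way the container would: literal
    values are returned unchanged, indirect values are looked up in the
    store. Raises KeyError if the referenced user does not exist."""
    ref = parse_indirect(password)
    if ref is None:
        return password
    return store[ref]


def audit_data_sources(xml_text, store=USER_STORE):
    """Return (tag, name, finding) for every element carrying a password
    attribute: 'plaintext' for a literal secret in the file, 'indirect'
    for a reference the store satisfies, 'dangling' for a reference to a
    user the store does not know (the app would fail to connect)."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        pw = elem.get("password")
        if pw is None:
            continue
        ref = parse_indirect(pw)
        if ref is None:
            status = "plaintext"
        elif ref in store:
            status = "indirect"
        else:
            status = "dangling"
        findings.append((elem.tag, elem.get("name"), status))
    return findings


if __name__ == "__main__":
    for tag, name, status in audit_data_sources(SAMPLE_DATA_SOURCES_XML):
        print(f"{status:9s} {tag} name={name}")
```

Run against a real data-sources.xml, any "plaintext" finding is the thing the auditors are objecting to; a "dangling" finding is a reference that was added to the file without the matching user being created in the user manager.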


 

       