Re: unix Ksh script variable

  • From: De DBA <dedba@xxxxxxxxxx>
  • To: Niall Litchfield <niall.litchfield@xxxxxxxxx>
  • Date: Wed, 02 Feb 2011 18:43:28 +1000

Hi Niall,

I think that the "secure external password store feature", which is what I alluded to, is free to use based on this paragraph in the 11g Licensing Information guide, page 1-9 (my underscoring):

   *Oracle Wallet*
   An Oracle Wallet is a PKCS#12 container used to store authentication and encryption keys. _The database secure external password store feature stores passwords in an Oracle Wallet for authentication to the Oracle database._ Oracle Advanced Security uses the Oracle Wallet to store credentials for PKI authentication to the Oracle database, network encryption, and transparent data encryption. Oracle Wallet Manager is an application that wallet owners can use to manage and edit Oracle wallets. _Oracle Wallets can be deployed on clients, middle tiers, and database servers free of charge._

   However, the following features that use an Oracle Wallet in turn require licensing of the Oracle Advanced Security Option: PKI credentials for authentication to Oracle Database, network encryption (SSL/TLS) to the Oracle database from middle tiers and database clients, and transparent data encryption master keys. Oracle Advanced Security option is not required when configuring wallets to secure communication between the Oracle database and Oracle Internet Directory as part of the enterprise user security feature of Oracle Database


Of course I may misinterpret this piece of legalistic prose. English never was my forte... :)

Cheers,
Tony

Niall Litchfield wrote:

Hi
I'm pretty sure that Oracle Wallet requires the advanced security option to be licensed. So a great solution if it's already there, but somewhat overkill compared to parsing a protected text file if it isn't. I wonder these days how big the security risk of storing passwords in scripts is (not the convenience of only storing them once). Time was when we had real users logging onto the db server able to read scripts and sniff command lines. Those days pretty much died with client server though.

(P.S. my phone's adaptive auto-correct changed "command lin" to "named pipes" as I was typing. I should get out more)

On 2 Feb 2011 05:42, "De DBA" <dedba@xxxxxxxxxx> wrote:

Have you considered using Oracle Wallets? It takes a bit of effort to set up, but is quite resilient. We have used it for years to great satisfaction. You store just the credential's db_connect_string in a plain-text configuration file, which the script then picks up and uses to connect.

See e.g.: http://askdba.org/weblog/2009/09/using-oracle-wallet-to-execute-shell-scriptcron-without-hard-coded-oracle-database-password/

There used to be an Oracle Whitepaper as well which showed how to set this up with the sys account, but I cannot find it any more on the Oracle website. The actual topic of the whitepaper was "Using Oracle Recovery Manager (RMAN) with Database Vault", published in 2006. Basically you just create a credential as demonstrated in the link above and pass the connect string with "as sysdba" as per usual.

Hth,
Tony



A Joshi wrote:
>
> hi
> I have a script which is to be executed on many databases and different da...
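As an added example, not code from the thread, from Oracle or from the linked askdba post: a POSIX sh/ksh wrapper for the arrangement Tony describes, where the config file holds only the db_connect_string alias and sqlplus logs on with "/@alias" so the password never appears in the script or in the process list. It assumes the wallet and sqlnet.ora are already set up as in the linked post; the file names, the alias "orcl_batch" and the config key are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from Oracle): the config file holds only
# the wallet alias (Tony's db_connect_string); the password lives in the wallet,
# so neither the script nor `ps` ever shows it.
# Assumed: sqlnet.ora already sets WALLET_LOCATION and SQLNET.WALLET_OVERRIDE = TRUE,
# and the credential was stored with
#   mkstore -wrl <wallet_dir> -createCredential <alias> <db_user> <password>

# Read db_connect_string=<alias> from the config file and validate the alias
# against the TNS-alias character set, so that a tampered config file cannot
# smuggle extra sqlplus arguments or shell metacharacters into the job.
read_connect_alias() {
    cfg=$1
    [ -r "$cfg" ] || { echo "config $cfg not readable" >&2; return 1; }
    tns_alias=$(sed -n 's/^db_connect_string=[[:space:]]*//p' "$cfg" | head -n 1)
    case $tns_alias in
        '') echo "no db_connect_string in $cfg" >&2; return 1 ;;
        *[!A-Za-z0-9_.-]*) echo "rejecting suspicious alias: $tns_alias" >&2; return 1 ;;
    esac
    printf '%s\n' "$tns_alias"
}

# "/@alias" tells sqlplus to authenticate with the wallet credential stored
# under that alias; no user name or password appears anywhere.
wallet_connect_string() { printf '/@%s\n' "$1"; }

# The alias is not a secret, but a group- or world-writable config would let
# someone point the job at a different database, so refuse such a file.
config_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null) || return 1
    case $mode in
        *[0145][0145]) return 0 ;;   # last two octal digits carry no write bit
        *) return 1 ;;
    esac
}

# Run a SQL file through sqlplus with the wallet credential. -S silent; -L: try
# the logon once only, so a bad credential fails instead of hanging a cron job.
run_sql() {
    config_is_private "$1" || { echo "$1 must not be group/world writable" >&2; return 1; }
    tns_alias=$(read_connect_alias "$1") || return 1
    sqlplus -S -L "$(wallet_connect_string "$tns_alias")" @"$2"
}

# Constructed demonstration config (only the alias is in it).
tmp=${TMPDIR:-/tmp}/wallet_demo.$$
printf 'db_connect_string=orcl_batch\n' > "$tmp" && chmod 600 "$tmp"
wallet_connect_string "$(read_connect_alias "$tmp")"   # prints: /@orcl_batch
rm -f "$tmp"
```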

