Hi, Where you able to reproduce this on 11.2.0.3? I checked on two databases and eacht time the dmbs_crypto .decrypt function would give me an error. On 11.2.0.2 it did work however. Regards, Freek D'Hooge Uptime Oracle Database Administrator email: freek.dhooge@xxxxxxxxx tel +32(0)3 451 23 82 http://www.uptime.be disclaimer: www.uptime.be/disclaimer -----Original Message----- From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of oracle@xxxxxxxxxxxxx Sent: zondag 25 november 2012 21:19 To: oracle-l@xxxxxxxxxxxxx Subject: Database Link Security et al So, users can decrypt dblink passwords as the key is included in the ciphertext... --> SQL> select name, userid, utl_raw.cast_to_varchar2(dbms_crypto.decrypt((substr(passwordx,19)), 4353, (substr(passwordx,3,16)))) from sys.link$ where name='TEST_LINK'; NAME -------------------------------------------------------------------------------- USERID ------------------------------ PASSWORD -------------------------------------------------------------------------------- TEST_LINK DBLINK_ACCOUNT MYPW ..one saving grace is that we can now identify incoming db links using this.. select userid, terminal, comment$text from sys.aud$ where comment$text like 'DBLINK%'; USERID NTIMESTAMP# USERHOST COMMENT$TEXT ------------ ----------------- ------- -------------- DBLINK_ACCOUNT 19-NOV-12 01.42.16.305194000 orlin DBLINK_INFO: (SOURCE_GLOBAL_NAME=orcl.4294967295) -->could be too late though so best to take a few precautions in advance... preferably automated... ..Same with lack of profiles on SYS account. Sometimes easier to fix ourselves.. create or replace trigger sys_throttler.tra_servererror_ora1017 after servererror on database declare l_db_usr varchar2 (32); begin if (ora_is_servererror(1017)) then l_db_usr := upper (trim (sys_context ('userenv', 'authenticated_identity'))); if l_db_usr ='SYS' then dbms_lock.sleep (1); else NULL; end if; end if; end tra_servererror_ora1017; / More like this at UKOUG Monday, if you are in the area... Cheers, Paul M. Wright http://www.oraclesecurity.com http://2012.ukoug.org/default.asp?p=9339&dlgact=shwprs&prs_prsid=7736&day_dayid=62 -- //www.freelists.org/webpage/oracle-l -- //www.freelists.org/webpage/oracle-l