Re: unix Ksh script variable

  • From: Niall Litchfield <niall.litchfield@xxxxxxxxx>
  • To: De DBA <dedba@xxxxxxxxxx>
  • Date: Thu, 3 Feb 2011 16:35:36 +0000

Thanks Tony

You learn something every day on this list.

On Wed, Feb 2, 2011 at 8:43 AM, De DBA <dedba@xxxxxxxxxx> wrote:

> Hi Niall,
>
> I think that the "secure external password store feature", which is what I
> alluded to, is free to use based on this paragraph in the 11g Licensing
> Information guide, page 1-9 (my underscoring):
>
> *Oracle Wallet*
>
> An Oracle Wallet is a PKCS#12 container used to store authentication and
> encryption keys. *The database secure external password store feature
> stores passwords in an Oracle Wallet for authentication to the Oracle
> database.* Oracle Advanced Security uses the Oracle Wallet to store
> credentials for PKI authentication to the Oracle database, network
> encryption, and transparent data encryption. Oracle Wallet Manager is an
> application that wallet owners can use to manage and edit Oracle wallets.
> *Oracle Wallets can be deployed on clients, middle tiers, and database
> servers free of charge.* However, the following features that use an
> Oracle Wallet in turn require licensing of the Oracle Advanced Security
> Option: PKI credentials for authentication to Oracle Database, network
> encryption (SSL/TLS) to the Oracle database from middle tiers and database
> clients, and transparent data encryption master keys. Oracle Advanced
> Security option is not required when configuring wallets to secure
> communication between the Oracle database and Oracle Internet Directory as
> part of the enterprise user security feature of Oracle Database
>
> Of course I may misinterpret this piece of legalistic prose. English never
> was my forte... :)
>
> Cheers,
> Tony
> Niall Litchfield wrote:
> Hi
> I'm pretty sure that Oracle Wallet requires the advanced security option to
> be licensed. So a great solution if it's already there, but somewhat overkill
> compared to parsing a protected text file if it isn't. I wonder these days
> how big the security risk of storing passwords in scripts is (not the
> convenience of only storing them once). Time was when we had real users
> logging onto the db server able to read scripts and sniff command lines.
> Those days pretty much died with client server though.
> (p.s. my phone adaptive auto correct changed "command lin" to "named pipes"
> as I was typing. I should get out more)
> On 2 Feb 2011 05:42, "De DBA" <dedba@xxxxxxxxxx> wrote:
> Have you considered using Oracle Wallets? It takes a bit of effort to
> set up, but is quite resilient. We have used it for years to great
> satisfaction. You store just the credential's db_connect_string in a
> plain-text configuration file, which the script then picks up and uses to
> connect.
> see e.g.:
> There used to be an Oracle Whitepaper as well which showed how to set this
> up with the sys account, but I cannot find it any more on the Oracle
> website. The actual topic of the whitepaper was "Using Oracle Recovery
> Manager (RMAN) with Database Vault", published in 2006. Basically you just
> create a credential as demonstrated in the link above and pass the connect
> string with "as sysdba" as per usual.
> Hth,
> Tony
> A Joshi wrote:
> >
> > hi
> > I have a script which is to be executed on many databases and different da...

Niall Litchfield
Oracle DBA
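
The approach Tony describes in the quoted message (only the db_connect_string kept in a plain-text configuration file, the password held in the wallet), as an added example that is not code from this thread. The config key, file layout and function names are assumptions, and it presumes the wallet credential already exists (created with `mkstore -createCredential`).

```shell
#!/bin/sh
# Added example (not from the thread); runs under ksh, bash or sh.
# Assumed config file format: a single line  db_connect_string=<tns_alias>
# Assumed setup: the wallet holds a credential for that alias and
# sqlnet.ora has WALLET_LOCATION set and SQLNET.WALLET_OVERRIDE = TRUE.

# Print the alias stored in the config file; return 1 if the file is unsafe.
read_connect_alias() {
    cfg=$1
    [ -f "$cfg" ] && [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }

    # Whoever can edit this file picks which stored credential the script
    # logs on with, so refuse group- or world-writable files (and symlinks,
    # which ls -ld reports as lrwxrwxrwx).
    case $(ls -ld -- "$cfg") in
        ?????w*|????????w*) echo "$cfg: too permissive" >&2; return 1 ;;
    esac

    db_alias=$(sed -n 's/^db_connect_string=//p' "$cfg" | head -n 1)

    # Accept a bare alias only. "/" and "@" are rejected, so nobody can
    # quietly put user/password@db back into the plain-text file.
    case $db_alias in
        ''|*[!A-Za-z0-9_.-]*) echo "$cfg: bad db_connect_string" >&2; return 1 ;;
    esac
    printf '%s\n' "$db_alias"
}

# Run a SQL script through the wallet. SQLPLUS can be overridden for testing.
run_sql() {
    db_alias=$(read_connect_alias "$1") || return 1
    # "/@alias": no user name or password on the command line, so there is
    # nothing for ps to show; the client fetches both from the wallet.
    "${SQLPLUS:-sqlplus}" -S -L "/@${db_alias}" "@$2"
}

# Usage: run_sql /etc/batch/db.conf nightly_report.sql
```
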
