Thanks Tony. You learn something every day on this list.

On Wed, Feb 2, 2011 at 8:43 AM, De DBA <dedba@xxxxxxxxxx> wrote:

> Hi Niall,
>
> I think that the "secure external password store feature", which is what I
> alluded to, is free to use based on this paragraph in the 11g Licensing
> Information guide, page 1-9 (my underscoring):
>
> *Oracle Wallet*
> An Oracle Wallet is a PKCS#12 container used to store authentication and
> encryption keys. *The database secure external password store feature stores
> passwords in an Oracle Wallet for authentication to the Oracle database.*
> Oracle Advanced Security uses the Oracle Wallet to store credentials for PKI
> authentication to the Oracle database, network encryption, and transparent
> data encryption. Oracle Wallet Manager is an application that wallet owners
> can use to manage and edit Oracle wallets. *Oracle Wallets can be deployed on
> clients, middle tiers, and database servers free of charge.*
>
> However, the following features that use an Oracle Wallet in turn require
> licensing of the Oracle Advanced Security Option: PKI credentials for
> authentication to Oracle Database, network encryption (SSL/TLS) to the Oracle
> database from middle tiers and database clients, and transparent data
> encryption master keys. Oracle Advanced Security option is not required when
> configuring wallets to secure communication between the Oracle database and
> Oracle Internet Directory as part of the enterprise user security feature of
> Oracle Database
>
> Of course I may misinterpret this piece of legalistic prose. English never
> was my forte... :)
>
> Cheers,
> Tony
>
> Niall Litchfield wrote:
>
> Hi
> I'm pretty sure that Oracle Wallet requires the advanced security option to
> be licensed. So a great solution if it's already there, but somewhat overkill
> compared to parsing a protected text file if it isn't. I wonder these days
> how big the security risk of storing passwords in scripts is (not the
> convenience of only storing them once). Time was when we had real users
> logging onto the db server able to read scripts and sniff command lines.
> Those days pretty much died with client server though.
>
> (P.S. my phone adaptive auto correct changed "command lin" to "named pipes"
> as I was typing. I should get out more)
>
> On 2 Feb 2011 05:42, "De DBA" <dedba@xxxxxxxxxx> wrote:
>
> Have you considered using Oracle Wallets? It takes a bit of effort to
> set up, but is quite resilient. We have used it for years to great
> satisfaction. You store just the credential's db_connect_string in a
> plain-text configuration file, which the script then picks up and uses to
> connect.
>
> see e.g.:
> http://askdba.org/weblog/2009/09/using-oracle-wallet-to-execute-shell-scriptcron-without-hard-coded-oracle-database-password/
>
> There used to be an Oracle Whitepaper as well which showed how to set this
> up with the sys account, but I cannot find it any more on the Oracle
> website. The actual topic of the whitepaper was "Using Oracle Recovery
> Manager (RMAN) with Database Vault", published in 2006. Basically you just
> create a credential as demonstrated in the link above and pass the connect
> string with "as sysdba" as per usual.
>
> Hth,
> Tony
>
> A Joshi wrote:
>
> hi
>
> I have a script which is to be executed on many databases and different
> da...

--
Niall Litchfield
Oracle DBA
http://www.orawin.info
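
As an added illustration, not part of the original thread: a POSIX shell check that tells the wallet-style connect (`/@alias`) described in the messages apart from a `user/password@db` argument in a script. The tool list, the regexes and the sample aliases are assumptions, and the match is a heuristic, so a bare relative path such as `dir/file` passed as an argument would be misreported.

```shell
#!/bin/sh
# Added example, not from the thread. Tool list and regexes are assumptions.
TOOLS='sqlplus|rman|exp|imp|expdp|impdp|sqlldr'

# classify_line LINE -> prints wallet | inline-password | none
classify_line() {
    line=$1
    # Skip comment lines and lines that do not call an Oracle client tool.
    if printf '%s\n' "$line" | grep -Eq '^[[:space:]]*#'; then
        echo none; return 0
    fi
    printf '%s\n' "$line" | grep -Eq "(^|[^[:alnum:]_])($TOOLS)([[:space:]]|\$)" \
        || { echo none; return 0; }
    # One word per line, quotes removed, so "user/pw@db" and user/pw@db match alike.
    words=$(printf '%s\n' "$line" | tr -d "\"'" | tr -s '[:space:]' '\n')
    if printf '%s\n' "$words" |
        grep -Eq '^(userid=)?[A-Za-z$][A-Za-z0-9_$#{}]*/[^/@]+(@.+)?$'; then
        # user/password[@db]: the secret is in the script and on the command line.
        echo inline-password
    elif printf '%s\n' "$words" | grep -Eq '^(userid=)?/@[A-Za-z0-9_.]+$'; then
        # /@alias: no user or password given; the wallet supplies the credential.
        echo wallet
    else
        echo none
    fi
}

# audit: read a script on stdin, print "LINENO:class" for each client call found.
audit() {
    n=0
    while IFS= read -r l; do
        n=$((n + 1))
        c=$(classify_line "$l")
        [ "$c" = none ] || echo "$n:$c"
    done
}

# Constructed sample script (aliases and paths are made up for illustration).
audit <<'EOF'
#!/bin/sh
sqlplus -s scott/tiger@ORCL @/home/oracle/report.sql
sqlplus -s /@ORCL_REPORT @/home/oracle/report.sql
rman target /@ORCL_BACKUP
EOF
```

To check a real script, feed it on standard input: `audit < nightly_job.sh` (hypothetical file name).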