FAQ
Is it possible to use OS authenticated accounts ( i.e. identified externally ) between two servers?


I have a linux box with an oracle client install and an aix server with EE installed.


The external account was originally on the aix server. We want to move the 3rd party app and the account to a linux box.


thanks.



  • Maxim Demenko at Mar 4, 2008 at 6:05 am

    Joe Smith wrote:
    Is it possible to use OS authenticated accounts ( i.e. identified
    externally ) between two servers?

    I have a linux box with an oracle client install and an aix
    server with EE installed.

    The external account was originally on the aix server. We want to
    move the 3rd party app and the account to a linux box.

    thanks.


    You may look on the external users identified by ssl certificates (if
    you are on 10g onwards).
    Not sure about additional licensing costs (i.e. whether it is part of
    ASO or not).

    Best regards

    Maxim
  • QuijadaReina, Julio C at Mar 4, 2008 at 2:51 pm
    Yes, it is possible.
    The following parameters on your database init.ora relating to this are (if my memory serves me correctly):
    remote_os_authent=true
    os_authent_prefix=ops$

    Create the account you will use on your Linux box. Then create the externally identified account on your database. From your Linux client you should be able to connect by issuing 'sqlplus /' after setting the client environment.

    A word of caution: anyone knowing your database tnsnames and the name of the account could potentially connect to your database. That sounds pretty bad! You might want to look into tcp.validnode_checking and tcp.invited_nodes pars on your server's sqlnet.ora and/or have the OS firewall setting that opens the listener port only to your linux client.

    Julio

  • Powell, Mark D at Mar 4, 2008 at 7:02 pm


    I have always preferred to set the os_authent_prefix='' rather than
    OPS$.

    I am not sure if trying to limit the node access is practical since I do
    not think the node checking can be associated to usernames in the sqlnet
    layer. You might need to resort to checking the IP for any OS
    authenticated accounts in an after logon database event trigger.

    Mark D Powell --
    Phone (313) 592-5148

  • Mark Brinsmead at Mar 5, 2008 at 5:18 am
    Is checking the source IP in a trigger reliable?

    I do not recall the source, but I had the impression that that information
    is provided (directly) by the client, not by the TNS listener, and can
    (relatively) easily be spoofed. Also, the method would break down -- or be
    tricked -- when using "proxied" connections, e.g., port-forwarding through
    SSH, or possibly Oracle Connection Manager. (Never used the latter
    myself.) It would also be problematic if there are NAT-enabled firewalls
    anywhere along your network route.

    Every case needs to be judged on its own merits, but basically it is my
    practice to award REMOTE_OS_AUTHENTICATION=TRUE an *automatic* "Fail" on any
    security review, even (or especially) where there are no EXTERNALLY
    IDENTIFIED accounts present in the database. While I have never actually
    attempted to "hack" or "spoof" it, my understanding is that it is all too
    easy.

    For those who can afford it, though, the Advanced Security Option and/or
    Database Vault offer secure alternatives, I believe. I have stumbled across
    these options myself while answering similar questions, but it has been so
    many years since I've been at a site with pockets deep enough (or business
    needs serious enough) to actually consider these expensive options, I have
    never really investigated them in any real depth.

    *sigh* Working for regulated utilities *did* have its advantages... :-)

    Of course, the O.P. only asked "is this possible?", and the answer is "yes,
    it certainly is". What a shame he did not ask instead "is this wise?".

    :-)
    --
    Cheers,
    -- Mark Brinsmead
    Senior DBA,
    The Pythian Group
    http://www.pythian.com/blogs

    --
    http://www.freelists.org/webpage/oracle-l
  • QuijadaReina, Julio C at Mar 5, 2008 at 3:01 pm
    Mark,

    You bring out excellent points. I agree about the security concern here. I believe Metalink 401251.1 shows one of those secure alternatives. One would actually need the Oracle Wallet Manager and orapki and avoid having to use a Certificate Authority.

    Julio

  • Oracle-l-bounce_at_freelists.org at Mar 5, 2008 at 3:33 pm


    There are issues with using a database event logon trigger but my view
    is if you must allow remote OS authenticated accounts you want to make
    use of all available no cost features to help protect your database from
    unauthorized access.

    Part of the security is not advertising the fact the logon trigger
    exists or what it keys on. Besides using the client IP address you
    might also use the machine name. Only usernames created as identified
    externally can use the feature so if these users have to come through a
    specific application server or a short list of local IP's you can edit
    on machine name and maybe also the program. The more information you
    can edit on the harder it is for someone to break it. Spoofing the IP
    takes more knowledge than your average user has and would require a
    serious attacker. Keying on additional information could well be enough
    to defeat the spoofer since he or she probably did not think to identify
    this.

    Add this to your network security arrangement, sqlnet security, and
    normal database user privileges. Make use of everything you can. Limit
    the Oracle privileges to OS authenticated accounts to as few privileges
    as possible.

    Mark D Powell --
    Phone (313) 592-5148
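
The after-logon check described in the post above, as an added example that is not part of the original thread and not code from any of its participants. The schema `sec_admin`, both tables, the procedure, the trigger name and the sample row are hypothetical; as noted earlier in the thread, the machine name is reported by the client, so this is one layer alongside sqlnet.ora node checking and firewalling, not a substitute for authentication.

```sql
-- Added example. All object names and the sample row are hypothetical.

-- Origins from which each externally identified account may log on.
CREATE TABLE sec_admin.os_auth_allowlist (
  username    VARCHAR2(128) NOT NULL,  -- database account, e.g. OPS$APPUSER
  ip_address  VARCHAR2(45)  NOT NULL,  -- client address as seen by the server
  host        VARCHAR2(256) NOT NULL,  -- machine name reported by the client
  CONSTRAINT os_auth_allowlist_pk PRIMARY KEY (username, ip_address, host)
);

-- Record of rejected logons, for review by the DBA or security team.
CREATE TABLE sec_admin.os_auth_denied (
  denied_at   TIMESTAMP DEFAULT SYSTIMESTAMP NOT NULL,
  username    VARCHAR2(128),
  ip_address  VARCHAR2(45),
  host        VARCHAR2(256),
  os_user     VARCHAR2(256)
);

-- Constructed sample row (192.0.2.10 is a documentation-only address).
INSERT INTO sec_admin.os_auth_allowlist (username, ip_address, host)
VALUES ('OPS$APPUSER', '192.0.2.10', 'applinux01');
COMMIT;

-- Autonomous transaction so the log row survives the failed logon.
CREATE OR REPLACE PROCEDURE sec_admin.log_os_auth_denied (
  p_user IN VARCHAR2, p_ip IN VARCHAR2, p_host IN VARCHAR2, p_os_user IN VARCHAR2
) IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO sec_admin.os_auth_denied (username, ip_address, host, os_user)
  VALUES (p_user, p_ip, p_host, p_os_user);
  COMMIT;
END;
/

CREATE OR REPLACE TRIGGER sec_admin.trg_os_auth_origin
AFTER LOGON ON DATABASE
DECLARE
  l_user     VARCHAR2(256) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  l_ip       VARCHAR2(256) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  l_host     VARCHAR2(256) := SYS_CONTEXT('USERENV', 'HOST');
  l_os_user  VARCHAR2(256) := SYS_CONTEXT('USERENV', 'OS_USER');
  l_hits     PLS_INTEGER;
BEGIN
  -- Only accounts created IDENTIFIED EXTERNALLY are checked; password and
  -- globally identified accounts pass through untouched.
  IF NVL(SYS_CONTEXT('USERENV', 'IDENTIFICATION_TYPE'), 'LOCAL') <> 'EXTERNAL' THEN
    RETURN;
  END IF;

  -- IP_ADDRESS is NULL for non-TCP (local) connections, so a local logon
  -- never matches a row and is rejected like any other unlisted origin.
  SELECT COUNT(*)
    INTO l_hits
    FROM sec_admin.os_auth_allowlist a
   WHERE a.username    = l_user
     AND a.ip_address  = l_ip
     AND UPPER(a.host) = UPPER(l_host);

  IF l_hits = 0 THEN
    sec_admin.log_os_auth_denied(l_user, l_ip, l_host, l_os_user);
    -- Generic message: the error does not reveal what the check keys on.
    RAISE_APPLICATION_ERROR(-20001, 'Logon denied.');
  END IF;
END;
/
```

An error raised in a logon trigger does not stop accounts that hold the ADMINISTER DATABASE TRIGGER privilege, so the check only constrains accounts kept to minimal privileges. Behind NAT or a forwarding proxy, `IP_ADDRESS` is the address of the last hop, not of the originating machine.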

  • Roman Podshivalov at Mar 5, 2008 at 4:02 pm
    Joe,

    If you are using os authenticated account for the only reason they can
    connect like "connect /" and you are on 10g OCI client I would recommend you
    to review Oracle Secure External Password Store feature. It's covered by EE
    license. By implementing it you can hide password management from the
    application completely and provide functionality to connect to the database
    by issuing "connect /@" syntax. Here you can find more details
    about it.
    http://download.oracle.com/docs/cd/B19306_01/network.102/b14266/cnctslsh.htm#i1006413

    --romas
  • Mark Brinsmead at Mar 6, 2008 at 4:50 am
    Are you *sure* that this is "included" with Enterprise Edition? I am almost
    certain that I looked into exactly this feature about 6 months ago, and
    arrived at the conclusion that it was part of an extra-cost option.

    --
    Cheers,
    -- Mark Brinsmead
    Senior DBA,
    The Pythian Group
    http://www.pythian.com/blogs

  • Roman Podshivalov at Mar 6, 2008 at 6:32 pm
    I got this information from Oracle support, but as usual I would recommend
    you to double check that. Oracle licensing is a very murky subject ;-)

    --romas
  • Mark Brinsmead at Mar 6, 2008 at 11:04 pm
    Definitely!

    Oracle Support is a *very* unreliable source for licensing answers. (In
    fact, they may have been among those who told me this feature *does* require
    separate licenses.) Usually, they refrain from commenting on the subject.

    I suspect the answer is buried in the Oracle 10g Licensing Manual; in all
    likelihood, I resorted to that myself when I last looked into this question,
    but I honestly don't remember.

    --
    Cheers,
    -- Mark Brinsmead
    Senior DBA,
    The Pythian Group
    http://www.pythian.com/blogs

  • Roman Podshivalov at Mar 7, 2008 at 2:18 pm
    Here it is. Scroll down to a security section.

    http://download.oracle.com/docs/cd/B28359_01/license.111/b28287/editions.htm#CJACGHEB

    --romas
  • Yechiel Adar at Mar 6, 2008 at 11:05 pm
    The trouble with this method is:
    If he can see your scripts on the server, he can do sqlplus
    /@production_database on the server, the same as you.
    The wallet does not care who uses it and in effect it is like using the
    user name and password on the server.

    I am preparing some scripts for a new server and I would like advice how
    to overcome this problem.

    Adar Yechiel
    Rechovot, Israel

  • Roman Podshivalov at Mar 7, 2008 at 2:27 pm
    Yes this is an issue but OS level privileges should take care of it. Wallet
    created with mkstore command has read/write permissions granted to owner
    only. Also you can use ACL on filesystems to grant read permissions to
    additional users. It's not perfect - I know, but still better than dot
    files.

    --romas
