Solved

RMAN Script Suppress Password from showing in ps -ef

Posted on 2009-05-04
Last Modified: 2013-12-20
Hi - I have a script that issues an RMAN backup command with an embedded password in the command. When a ps -ef is done, the password shows up in plain text, e.g.:

rman catalog $CAT_USER/$CAT_PASS@$CATALOG_SID target / cmdfile=${RMAN_COMMAND_SCRIPT} log=${LOGFILE}

The variables are set before the command is issued, including the "CAT_PASS" - the RMAN command shows up in a ps -ef in clear text. Is there another approach or some other way to suppress the password from showing in ps -ef ?
0
Question by:dhite99
6 Comments
 
LVL 68

Accepted Solution

by:
woolmilkporc earned 500 total points
ID: 24300069
Hi,
use Oracle Secure External Password Store.

Here are the steps to achieve this, taken from ORACLE docs:

1. Edit tnsnames.ora - add a second copy of database entry to connect to, and rename it

    $ cd $ORACLE_HOME/network/admin
    $ vi tnsnames.ora

    ORACLESCOTT =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = <full host name>)(PORT = 1521))
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = <database service name>)
        )
      )

    RMANSYS =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = <full host name>)(PORT = 1521))
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = <database service name>)
        )
      )

2. Create wallet.

    $ mkstore -wrl $ORACLE_HOME/network/admin -create
    $ cd $ORACLE_HOME/network/admin

You will be prompted to enter password and re-enter the password again. This is the wallet password. You can choose any password you want.

    Enter password: <choose a password for the wallet>
    Enter password again: <re-enter the wallet password>

This will create the two files ewallet.p12 and cwallet.sso

3. Add the RMAN connect string you created in step 1 to the wallet

    $ mkstore -wrl $ORACLE_HOME/network/admin -createCredential <db_connect_string> <username> <db_password>
    Enter Password: <enter wallet password here>

So for our example the command will look like:

    $ mkstore -wrl $ORACLE_HOME/network/admin -createCredential RMANSYS SYS <sys password>

The message will appear: Create credential oracle.security.client.connect_string1

4. Edit sqlnet.ora file, add the following entries to it, then save and exit it

    WALLET_LOCATION =
      (SOURCE =
        (METHOD = FILE)
        (METHOD_DATA =
          (DIRECTORY = <full wallet location path>)
        )
      )
    SQLNET.WALLET_OVERRIDE = TRUE
    SSL_CLIENT_AUTHENTICATION = FALSE

5. Restart the database listener

    $ lsnrctl stop <listener name>
    $ lsnrctl start <listener name>

6. Now you can use the wallet credentials to login as SYS as follows. We will use the example in step 3 here.

    sqlplus /@RMANSYS as sysdba

This is explained in detail in the Oracle Database Security Guide -

http://download.oracle.com/docs/cd/B19306_01/network.102/b14266/cnctslsh.htm#i1006413

wmp
0
 

Author Comment

by:dhite99
ID: 24303615
That is a good answer - thank you. I would hate to have to implement this solution on all of the servers that I have to put these scripts on. I guess there is no way to suppress the printing of any "command" from ps -ef ... ?
0
 

Author Closing Comment

by:dhite99
ID: 31577791
While I'm sure what you've answered is the "right" way to address this, it sure will be painful to implement in our environment - we have 100's of database servers. What I really need is just (what I would think would be simple, but maybe it does not exist) is a way to suppress parts of a command that show up in ps -ef. Thanks for the answer tho.
0

 
LVL 68

Expert Comment

by:woolmilkporc
ID: 24303753
I never tried it (but will do asap) -
why not put  "catalog $CAT_USER/$CAT_PASS@$CATALOG_SID target / " into the cmdfile?
 
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 24303760
... of course with expanded variables!
0
 

Author Comment

by:dhite99
ID: 24307184
Yep - good call - I'll bet that will work - I just need to add a line from the korn script to "inject" the catalog statement in the command file - will update once I try it...
0
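
The suggestion in the comments above, moving the catalog connect string off the rman command line and into the command file, sketched as an added example (not code from any poster in this thread). It reuses the question's variable names; build_rman_cmdfile, run_rman_backup and RMAN_BIN are hypothetical names, and the CONNECT lines assume RMAN's usual command-file syntax.

```sh
#!/bin/sh
# Added example: the catalog credentials go into a private command file, so
# the rman argument list that ps -ef displays contains only file names.
# Variable names follow the question; function names and RMAN_BIN are
# hypothetical.

# Write the CONNECT statements plus the existing backup script into a new
# owner-only temp file and print that file's path.
build_rman_cmdfile() {
    brc_body=$1
    brc_tmp=$(mktemp "${TMPDIR:-/tmp}/rman_cmd.XXXXXX") || return 1
    chmod 600 "$brc_tmp"            # mktemp already creates 0600; be explicit
    {
        # A here-document reaches cat on stdin, so the expanded password is
        # never an argument of any process.
        cat <<EOF
connect catalog ${CAT_USER}/${CAT_PASS}@${CATALOG_SID};
connect target /;
EOF
        cat "$brc_body"
    } > "$brc_tmp" || { rm -f "$brc_tmp"; return 1; }
    printf '%s\n' "$brc_tmp"
}

# Run rman against the generated file and remove the file afterwards,
# passing rman's exit status back to the caller.
run_rman_backup() {
    rrb_cmdfile=$(build_rman_cmdfile "$RMAN_COMMAND_SCRIPT") || return 1
    rrb_rc=0
    "${RMAN_BIN:-rman}" cmdfile="$rrb_cmdfile" log="$LOGFILE" || rrb_rc=$?
    rm -f "$rrb_cmdfile"            # the password must not linger on disk
    return "$rrb_rc"
}
```

The password still sits on disk for the duration of the run, readable by the file owner and root; the wallet approach in the accepted answer avoids that as well.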
