Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

RMAN Script Suppress Password from showing in ps -ef

Posted on 2009-05-04
6
Medium Priority
?
902 Views
Last Modified: 2013-12-20
Hi - I have a script that issues an RMAN backup command with an embedded password in the command. When a ps -ef is done, the password shows up in plain text, eg:

rman catalog $CAT_USER/$CAT_PASS@$CATALOG_SID target / cmdfile=${RMAN_COMMAND_SCRIPT} log=${LOGFILE}

The variables are set before the command is issued, including the "CAT_PASS" - the RMAN command shows up in a ps -ef in clear text. Is there another approach or some other way to suppress the password from showing in ps -ef ?
0
Comment
Question by:dhite99
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 68

Accepted Solution

by:
woolmilkporc earned 1500 total points
ID: 24300069
Hi,
use Oracle Secure External Password Store.

Here are the steps to achieve this, taken from ORACLE docs:

1.Edit tnsnames.ora - add a second copy of database entry to connect to, and rename it$cd $ORACLE_HOME/network/admin$vi tnsnames.oraORACLESCOTT =(DESCRIPTION =(ADDRESS = (PROTOCOL = TCP)(HOST = <full host name>)(PORT = 1521))(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = <database service name>)))RMANSYS =(DESCRIPTION =(ADDRESS = (PROTOCOL = TCP)(HOST = <full host name>)(PORT = 1521))(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = <database service name>)))2.Create wallet.$mkstore -wrl $ORACLE_HOME/network/admin -create$cd $ORACLE_HOME/network/adminYou will be prompted to enter password and re-enter the password again. This is the wallet password.You can choose any password you want.Enter password: <choose a password for the wallet>Enter password again: <re-enter the wallet password>This will create the two files ewallet.p12 and cwallet.ssoOracle Database 10g Release 2 - Database Vault3.Add the RMAN connect string you created in step 1 to the wallet$mkstore -wrl $ORACLE_HOME/network/admin -createCredential <db_connect_string> <username><db_password>Enter Password: <enter wallet password here>So for our example the command will look like:$mkstore -wrl $ORACLE_HOME/network/admin RMANSYS SYS <sys password>The message will appear: Create credential oracle.security.client.connect_string14.Edit sqlnet.ora file, add the following entries to it, then save and exit itWALLET_LOCATION =(SOURCE =(METHOD = FILE)(METHOD_DATA =(DIRECTORY = <full wallet location path>)))SQLNET.WALLET_OVERRIDE = TRUESSL_CLIENT_AUTHENTICATION = FALSE5.Restart the database listener$lsnrctl stop <listener name>$lsnrctl start <listener name>6.Now you can use the wallet credentials to login as SYS as follows. We will use the example in step 3 here.sqlplus /@RMANSYS as sysdba

This is explained in detail in the Oracle Database Security Guide -

http://download.oracle.com/docs/cd/B19306_01/network.102/b14266/cnctslsh.htm#i1006413

wmp
0
 

Author Comment

by:dhite99
ID: 24303615
That is a good answer - thank you. I would hate to have to implement this solution on all of the servers that I have to put these scripts on. I guess there is no way to suppress the printing of any "command" from ps -ef ... ?
0
 

Author Closing Comment

by:dhite99
ID: 31577791
While I'm sure what you've answered is the "right" way to address this, it sure will be painful to implement in our environment - we have 100's of database servers. What I really need is just (what I would think would be simple, but maybe it does not exist) is a way to suppress parts of a command that show up in ps -ef. Thanks for the answer tho.
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
LVL 68

Expert Comment

by:woolmilkporc
ID: 24303753
I never tried it (but will do asap) -
why not put  "catalog $CAT_USER/$CAT_PASS@$CATALOG_SID target / " into the cmdfile?
 
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 24303760
... of course with expanded variables!
0
 

Author Comment

by:dhite99
ID: 24307184
Yep - good call - I'll bet that will work - I just need to add a line from the korn script to "inject" the catalog statement in the command file - will update once I try it...
0

Featured Post

Moving data to the cloud? Find out if you’re ready

Before moving to the cloud, it is important to carefully define your db needs, plan for the migration & understand prod. environment. This wp explains how to define what you need from a cloud provider, plan for the migration & what putting a cloud solution into practice entails.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Note: this article covers simple compression. Oracle introduced in version 11g release 2 a new feature called Advanced Compression which is not covered here. General principle of Oracle compression Oracle compression is a way of reducing the d…
Exception Handling is in the core of any application that is able to dignify its name. In this article, I'll guide you through the process of writing a DRY (Don't Repeat Yourself) Exception Handling mechanism, using Aspect Oriented Programming.
This video explains at a high level with the mandatory Oracle Memory processes are as well as touching on some of the more common optional ones.
Via a live example, show how to restore a database from backup after a simulated disk failure using RMAN.

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question