• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 904
  • Last Modified:

RMAN Script Suppress Password from showing in ps -ef

Hi - I have a script that issues an RMAN backup command with an embedded password in the command. When a ps -ef is done, the password shows up in plain text, eg:

rman catalog $CAT_USER/$CAT_PASS@$CATALOG_SID target / cmdfile=${RMAN_COMMAND_SCRIPT} log=${LOGFILE}

The variables are set before the command is issued, including the "CAT_PASS" - the RMAN command shows up in a ps -ef in clear text. Is there another approach or some other way to suppress the password from showing in ps -ef ?
0
dhite99
Asked:
dhite99
  • 3
  • 3
1 Solution
 
woolmilkporcCommented:
Hi,
use Oracle Secure External Password Store.

Here are the steps to achieve this, taken from ORACLE docs:

1.Edit tnsnames.ora - add a second copy of database entry to connect to, and rename it$cd $ORACLE_HOME/network/admin$vi tnsnames.oraORACLESCOTT =(DESCRIPTION =(ADDRESS = (PROTOCOL = TCP)(HOST = <full host name>)(PORT = 1521))(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = <database service name>)))RMANSYS =(DESCRIPTION =(ADDRESS = (PROTOCOL = TCP)(HOST = <full host name>)(PORT = 1521))(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = <database service name>)))2.Create wallet.$mkstore -wrl $ORACLE_HOME/network/admin -create$cd $ORACLE_HOME/network/adminYou will be prompted to enter password and re-enter the password again. This is the wallet password.You can choose any password you want.Enter password: <choose a password for the wallet>Enter password again: <re-enter the wallet password>This will create the two files ewallet.p12 and cwallet.ssoOracle Database 10g Release 2 - Database Vault3.Add the RMAN connect string you created in step 1 to the wallet$mkstore -wrl $ORACLE_HOME/network/admin -createCredential <db_connect_string> <username><db_password>Enter Password: <enter wallet password here>So for our example the command will look like:$mkstore -wrl $ORACLE_HOME/network/admin RMANSYS SYS <sys password>The message will appear: Create credential oracle.security.client.connect_string14.Edit sqlnet.ora file, add the following entries to it, then save and exit itWALLET_LOCATION =(SOURCE =(METHOD = FILE)(METHOD_DATA =(DIRECTORY = <full wallet location path>)))SQLNET.WALLET_OVERRIDE = TRUESSL_CLIENT_AUTHENTICATION = FALSE5.Restart the database listener$lsnrctl stop <listener name>$lsnrctl start <listener name>6.Now you can use the wallet credentials to login as SYS as follows. We will use the example in step 3 here.sqlplus /@RMANSYS as sysdba

This is explained in detail in the Oracle Database Security Guide -

http://download.oracle.com/docs/cd/B19306_01/network.102/b14266/cnctslsh.htm#i1006413

wmp
0
 
dhite99Author Commented:
That is a good answer - thank you. I would hate to have to implement this solution on all of the servers that I have to put these scripts on. I guess there is no way to suppress the printing of any "command" from ps -ef ... ?
0
 
dhite99Author Commented:
While I'm sure what you've answered is the "right" way to address this, it sure will be painful to implement in our environment - we have 100's of database servers. What I really need is just (what I would think would be simple, but maybe it does not exist) is a way to suppress parts of a command that show up in ps -ef. Thanks for the answer tho.
0
Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

 
woolmilkporcCommented:
I never tried it (but will do asap) -
why not put  "catalog $CAT_USER/$CAT_PASS@$CATALOG_SID target / " into the cmdfile?
 
0
 
woolmilkporcCommented:
... of course with expanded variables!
0
 
dhite99Author Commented:
Yep - good call - I'll bet that will work - I just need to add a line from the korn script to "inject" the catalog statement in the command file - will update once I try it...
0

Featured Post

Take Control of Web Hosting For Your Clients

As a web developer or IT admin, successfully managing multiple client accounts can be challenging. In this webinar we will look at the tools provided by Media Temple and Plesk to make managing your clients’ hosting easier.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now