Solved

RMAN Script Suppress Password from showing in ps -ef

Posted on 2009-05-04
Last Modified: 2013-12-20
Hi - I have a script that issues an RMAN backup command with an embedded password in the command. When a ps -ef is done, the password shows up in plain text, e.g.:

rman catalog $CAT_USER/$CAT_PASS@$CATALOG_SID target / cmdfile=${RMAN_COMMAND_SCRIPT} log=${LOGFILE}

The variables are set before the command is issued, including the "CAT_PASS" - the RMAN command shows up in a ps -ef in clear text. Is there another approach or some other way to suppress the password from showing in ps -ef ?
Question by:dhite99
LVL 68

Accepted Solution

by:
woolmilkporc earned 500 total points
ID: 24300069
Hi,
use Oracle Secure External Password Store.

Here are the steps to achieve this, taken from ORACLE docs:

1. Edit tnsnames.ora - add a second copy of database entry to connect to, and rename it

    $ cd $ORACLE_HOME/network/admin
    $ vi tnsnames.ora

    ORACLESCOTT =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = <full host name>)(PORT = 1521))
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = <database service name>)
        )
      )

    RMANSYS =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = <full host name>)(PORT = 1521))
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = <database service name>)
        )
      )

2. Create wallet.

    $ mkstore -wrl $ORACLE_HOME/network/admin -create
    $ cd $ORACLE_HOME/network/admin

You will be prompted to enter password and re-enter the password again. This is the wallet password. You can choose any password you want.

    Enter password: <choose a password for the wallet>
    Enter password again: <re-enter the wallet password>

This will create the two files ewallet.p12 and cwallet.sso

3. Add the RMAN connect string you created in step 1 to the wallet

    $ mkstore -wrl $ORACLE_HOME/network/admin -createCredential <db_connect_string> <username> <db_password>
    Enter Password: <enter wallet password here>

So for our example the command will look like:

    $ mkstore -wrl $ORACLE_HOME/network/admin -createCredential RMANSYS SYS <sys password>

The message will appear: Create credential oracle.security.client.connect_string1

4. Edit sqlnet.ora file, add the following entries to it, then save and exit it

    WALLET_LOCATION =
      (SOURCE =
        (METHOD = FILE)
        (METHOD_DATA =
          (DIRECTORY = <full wallet location path>)
        )
      )
    SQLNET.WALLET_OVERRIDE = TRUE
    SSL_CLIENT_AUTHENTICATION = FALSE

5. Restart the database listener

    $ lsnrctl stop <listener name>
    $ lsnrctl start <listener name>

6. Now you can use the wallet credentials to login as SYS as follows. We will use the example in step 3 here.

    sqlplus /@RMANSYS as sysdba

This is explained in detail in the Oracle Database Security Guide -

http://download.oracle.com/docs/cd/B19306_01/network.102/b14266/cnctslsh.htm#i1006413

wmp
0
 

Author Comment

by:dhite99
ID: 24303615
That is a good answer - thank you. I would hate to have to implement this solution on all of the servers that I have to put these scripts on. I guess there is no way to suppress the printing of any "command" from ps -ef ... ?
0
 

Author Closing Comment

by:dhite99
ID: 31577791
While I'm sure what you've answered is the "right" way to address this, it sure will be painful to implement in our environment - we have 100's of database servers. What I really need is just (what I would think would be simple, but maybe it does not exist) a way to suppress parts of a command that show up in ps -ef. Thanks for the answer tho.
0
LVL 68

Expert Comment

by:woolmilkporc
ID: 24303753
I never tried it (but will do asap) -
why not put  "catalog $CAT_USER/$CAT_PASS@$CATALOG_SID target / " into the cmdfile?
 
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 24303760
... of course with expanded variables!
0
 

Author Comment

by:dhite99
ID: 24307184
Yep - good call - I'll bet that will work - I just need to add a line from the korn script to "inject" the catalog statement in the command file - will update once I try it...
0
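The idea from the comments above (put the catalog connect string, with its variables expanded, into the command file) could look like this in a POSIX/Korn shell script. This is an added example, not code posted by anyone in the thread; the function names, the use of mktemp and the temp file location are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes mktemp(1) is available.

# build_rman_cmdfile USER PASS SID SCRIPT
# Writes the CONNECT statements plus the contents of SCRIPT to a new
# owner-only temp file and prints that file's path on stdout.
build_rman_cmdfile() {
    _user=$1; _pass=$2; _sid=$3; _script=$4
    # mktemp creates the file with mode 0600 before anything is written.
    _tmp=$(mktemp "${TMPDIR:-/tmp}/rman_cmd.XXXXXX") || return 1
    # A here-document is fed on stdin, so the expanded password is never
    # an argument of any process and cannot show up in `ps -ef`.
    cat > "$_tmp" <<EOF || { rm -f "$_tmp"; return 1; }
connect catalog $_user/$_pass@$_sid;
connect target /;
EOF
    cat "$_script" >> "$_tmp" || { rm -f "$_tmp"; return 1; }
    printf '%s\n' "$_tmp"
}

# run_rman_hidden USER PASS SID SCRIPT LOGFILE
# Runs rman with only file paths on its command line, then removes the
# generated file; the trap also removes it if the script is signalled.
run_rman_hidden() {
    _cmdfile=$(build_rman_cmdfile "$1" "$2" "$3" "$4") || return 1
    trap 'rm -f "$_cmdfile"' HUP INT TERM
    rman cmdfile="$_cmdfile" log="$5"
    _rc=$?
    rm -f "$_cmdfile"
    trap - HUP INT TERM
    return $_rc
}

# Call with the variables the question's script already sets:
#   run_rman_hidden "$CAT_USER" "$CAT_PASS" "$CATALOG_SID" \
#                   "$RMAN_COMMAND_SCRIPT" "$LOGFILE"
```

While rman runs, the password exists in the generated file, so the file's owner-only mode and its removal afterwards are what protect it.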