Solved

RMAN Script Suppress Password from showing in ps -ef

Posted on 2009-05-04
6
888 Views
Last Modified: 2013-12-20
Hi - I have a script that issues an RMAN backup command with an embedded password in the command. When a ps -ef is done, the password shows up in plain text, eg:

rman catalog $CAT_USER/$CAT_PASS@$CATALOG_SID target / cmdfile=${RMAN_COMMAND_SCRIPT} log=${LOGFILE}

The variables are set before the command is issued, including the "CAT_PASS" - the RMAN command shows up in a ps -ef in clear text. Is there another approach or some other way to suppress the password from showing in ps -ef ?
0
Comment
Question by:dhite99
  • 3
  • 3
6 Comments
 
LVL 68

Accepted Solution

by:
woolmilkporc earned 500 total points
ID: 24300069
Hi,
use Oracle Secure External Password Store.

Here are the steps to achieve this, taken from ORACLE docs:

1.Edit tnsnames.ora - add a second copy of database entry to connect to, and rename it$cd $ORACLE_HOME/network/admin$vi tnsnames.oraORACLESCOTT =(DESCRIPTION =(ADDRESS = (PROTOCOL = TCP)(HOST = <full host name>)(PORT = 1521))(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = <database service name>)))RMANSYS =(DESCRIPTION =(ADDRESS = (PROTOCOL = TCP)(HOST = <full host name>)(PORT = 1521))(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = <database service name>)))2.Create wallet.$mkstore -wrl $ORACLE_HOME/network/admin -create$cd $ORACLE_HOME/network/adminYou will be prompted to enter password and re-enter the password again. This is the wallet password.You can choose any password you want.Enter password: <choose a password for the wallet>Enter password again: <re-enter the wallet password>This will create the two files ewallet.p12 and cwallet.ssoOracle Database 10g Release 2 - Database Vault3.Add the RMAN connect string you created in step 1 to the wallet$mkstore -wrl $ORACLE_HOME/network/admin -createCredential <db_connect_string> <username><db_password>Enter Password: <enter wallet password here>So for our example the command will look like:$mkstore -wrl $ORACLE_HOME/network/admin RMANSYS SYS <sys password>The message will appear: Create credential oracle.security.client.connect_string14.Edit sqlnet.ora file, add the following entries to it, then save and exit itWALLET_LOCATION =(SOURCE =(METHOD = FILE)(METHOD_DATA =(DIRECTORY = <full wallet location path>)))SQLNET.WALLET_OVERRIDE = TRUESSL_CLIENT_AUTHENTICATION = FALSE5.Restart the database listener$lsnrctl stop <listener name>$lsnrctl start <listener name>6.Now you can use the wallet credentials to login as SYS as follows. We will use the example in step 3 here.sqlplus /@RMANSYS as sysdba

This is explained in detail in the Oracle Database Security Guide -

http://download.oracle.com/docs/cd/B19306_01/network.102/b14266/cnctslsh.htm#i1006413

wmp
0
 

Author Comment

by:dhite99
ID: 24303615
That is a good answer - thank you. I would hate to have to implement this solution on all of the servers that I have to put these scripts on. I guess there is no way to suppress the printing of any "command" from ps -ef ... ?
0
 

Author Closing Comment

by:dhite99
ID: 31577791
While I'm sure what you've answered is the "right" way to address this, it sure will be painful to implement in our environment - we have 100's of database servers. What I really need is just (what I would think would be simple, but maybe it does not exist) is a way to suppress parts of a command that show up in ps -ef. Thanks for the answer tho.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 68

Expert Comment

by:woolmilkporc
ID: 24303753
I never tried it (but will do asap) -
why not put  "catalog $CAT_USER/$CAT_PASS@$CATALOG_SID target / " into the cmdfile?
 
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 24303760
... of course with expanded variables!
0
 

Author Comment

by:dhite99
ID: 24307184
Yep - good call - I'll bet that will work - I just need to add a line from the korn script to "inject" the catalog statement in the command file - will update once I try it...
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I remember the day when someone asked me to create a user for an application developement. The user should be able to create views and materialized views and, so, I used the following syntax: (CODE) This way, I guessed, I would ensure that use…
How to Unravel a Tricky Query Introduction If you browse through the Oracle zones or any of the other database-related zones you'll come across some complicated solutions and sometimes you'll just have to wonder how anyone came up with them.  …
This video explains at a high level with the mandatory Oracle Memory processes are as well as touching on some of the more common optional ones.
This video shows syntax for various backup options while discussing how the different basic backup types work.  It explains how to take full backups, incremental level 0 backups, incremental level 1 backups in both differential and cumulative mode a…

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now