Do not display Oracle schema password in the application

We are exploring alternatives to using passwords for authenticating the servers, scripts and SQLLDR. The database is on Oracle 10g Enterprise Edition. The application code and scripts all use common accounts/schemas. With the current authentication, scripts and sqlldr use TNS names. All programs that run non-Java SQL scripts or use SQLLDR pass the passwords along to SQLPLUS or SQLLDR; Java code uses direct JDBC connections. The password is in the JDBC connection string. Should the password change, application server configuration takes care of updating the password in all Java connections. Our goal is to remove the password from any configuration file or code that is easily accessible to developers. We'd like something that can be configured on the server (Oracle server or an independent authentication server like Kerberos/LDAP). Any suggestion is appreciated.
liuh2 Asked:
 
slightwv (䄆 Netminder) Commented:
Probably the easiest is OS authentication:
http://www.oracle-base.com/articles/misc/os-authentication.php

Since you mentioned LDAP:
http://docs.oracle.com/javase/jndi/tutorial/ldap/security/ldap.html

There are other methods.  The online docs are the best place to start:
http://docs.oracle.com/cd/E11882_01/network.112/e16543/authentication.htm
0
 
David (Senior Oracle Database Administrator) Commented:
A low-cost approach I've used is to store the password in a very, very well protected file (acl access).  cat the file into a variable, and you have a single source password.  If you have a multi-server environment, scp can be used to push changes from one script.
0
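The file-based approach from the comment above, as an added example that is not part of the original thread: it refuses to read a password file whose mode or owner is wrong, and hands the credentials to SQL*Plus over stdin so they never appear on the command line. The function names, the `SQLPLUS` override variable, the account, TNS alias and paths are all assumptions.

```shell
#!/bin/sh
# Added example. Function names, the SQLPLUS override and all sample
# values are assumptions, not part of the original thread.

# Print the password stored in file $1, but only if the file is a regular
# file (not a symlink), owned by the caller, with no group/other access.
read_db_password() {
    f=$1
    { [ ! -L "$f" ] && [ -f "$f" ]; } || {
        echo "refusing $f: not a regular file" >&2; return 1; }
    # ls -ldn prints "<mode> <links> <uid> ..."; only fields 1 and 3 are used
    set -- $(ls -ldn -- "$f")
    case $1 in
        -r[w-]-------*) ;;   # 0600 or 0400; a trailing ACL/SELinux marker is not inspected
        *) echo "refusing $f: mode $1 is too permissive" >&2; return 1 ;;
    esac
    [ "$3" = "$(id -u)" ] || {
        echo "refusing $f: not owned by uid $(id -u)" >&2; return 1; }
    _pw=
    IFS= read -r _pw < "$f" || :   # read returns 1 if the final newline is missing
    [ -n "$_pw" ] || { echo "refusing $f: empty" >&2; return 1; }
    printf '%s' "$_pw"
}

# Build the SQL*Plus input. The CONNECT line travels over stdin, so the
# password never appears in argv (ps output) or in the calling script.
sqlplus_input() {   # args: user password tns_alias sql_script
    printf 'WHENEVER SQLERROR EXIT FAILURE\n'
    printf 'CONNECT %s/%s@%s\n' "$1" "$2" "$3"
    printf '@%s\nEXIT\n' "$4"
}

# Run a SQL script as a shared schema account.
run_sql() {         # args: user tns_alias sql_script password_file
    db_pw=$(read_db_password "$4") || return 1
    sqlplus_input "$1" "$db_pw" "$2" "$3" | "${SQLPLUS:-sqlplus}" -s /nolog
}

# Usage (constructed values):
#   run_sql app_user ORCL load.sql /etc/dbcreds/app_user.pw
```

A password containing `/` or `@` would need quoting on the CONNECT line, which this example does not do.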
 
Sanjeev Labh (Database Consultant) Commented:
Since you are calling through Java and using an application server, you can try using connection pools. Connection pools are created at the app server level, where the Oracle user details are kept in the app server configuration, so the developer need not worry about them or hard-code them. Whenever there are any changes, the administrators themselves change the configuration, and the change is reflected automatically.
0
 
Guy Hengel [angelIII / a3] (Billing Engineer) Commented:
I've requested that this question be closed as follows:

Accepted answer: 500 points for slightwv's comment #a38311364

for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
 
David (Senior Oracle Database Administrator) Commented:
Angel, my answer (#a38308555) provided a specific answer (use a variable), met criteria (hide from developers), and could be configured on the one server without requiring additional LDAP setup.

If I were grading the abandoned question I'd split the points.  Would you agree to that?
0
 
Sanjeev Labh (Database Consultant) Commented:
I agree with dvz. I think all three answers have dealt with different approaches, which are correct in their own way. So I also think the points should be split appropriately.
0
Question has a verified solution.
