Oracle Passwords, Note 2 (Oracle wallet)

Version 1 by Tony Johnson
on Jan 23, 2008 09:31.

 
compared with
Current by Tony Johnson
on Jan 23, 2008 09:42.

 
Key
These lines were removed. This word was removed.
These lines were added. This word was added.

View page history


There are 0 changes. View first change.

  
  
 -----Original Message-----
 From: MacGregor, Ian A.
 Sent: Friday, June 22, 2007 8:28 AM
 To: Ponton, Richard; Chan, Andrea; Larrieu, Heather; Cowles, Robert D.; Crane, George R.; Samineni, Venkata; Hutcherson, Jackie R.; Shab, Theodore; Johnson, Tony S.; Heidenreich, Karen A.; Rock, Judith E.; Denys, Ernest; Hee, Charlotte; Chestnut, Ronald P.; Pierre, Jean-Raymond; Gordon, Michael
 Subject: RE: Oracle password meeting notes 6/19/2007
  
 Oracle has introduced an external password store to deal with this problem. Passwords are stored in an SSL protected wallet. The file simply has /@database identifier. I have tried this on some Oracle servers themselves and it worked.
  
 There are issues such as how we get passwords into the wallet. How to handle databases which need more than one such password. I think hoiwever these can be worked around. See
  
 http://download-west.oracle.com/docs/cd/B19306_01/server.102/b14231/create.htm#sthref484
  
 -----Original Message-----
 From: Ponton, Richard
 Sent: Tuesday, June 19, 2007 4:19 PM
 To: Chan, Andrea; Larrieu, Heather; Cowles, Robert D.; Crane, George R.; MacGregor, Ian A.; Samineni, Venkata; Hutcherson, Jackie R.; Ponton, Richard; Shab, Theodore; Johnson, Tony S.; Heidenreich, Karen A.; Rock, Judith E.; Denys, Ernest; Hee, Charlotte; Chestnut, Ronald P.; Pierre, Jean-Raymond; Gordon, Michael
 Subject: Oracle password meeting notes 6/19/2007
  
 These are my notes on Heather and Bob's words. They may have revisions.
  
 Command Decision:
  
 We do not expire anything on July 2nd.
 Strongly suggest users comply by July 2nd.
 By mid August, come up with documentation on What accounts don't follow the policy.
 Where they're used.
 How the passwords are stored.
 Who has access to those accounts.
 What other steps have we taken to mitigate the risks of a 3rd party gaining access to that account's password.
 Does the account have access to any Business Sensitive or PII data.
  
 Require a plan for correction by 1st quarter 2008
  
 Moving forward, we have to come up with a good way of managing passwords
  
 encrypted
 not in plain text
  
  
 See also:
 https://slacspace.slac.stanford.edu/sites/appdevproj/SLACSoftware/Service%20Account%20Details/Meeting%20notes%202007-06-09.aspx