Notes:

We have numerous scripts, web applications and programs that access Oracle databases, written in Java, C++, Python, Perl, ASP and probably other languages. We use three GLAST-specific Oracle databases (and, for historical reasons, still use some general SLAC Oracle instances). Many of these programs are or will be under change control, so they cannot be modified easily. Many of them perform ongoing data processing, where the tolerance for downtime is very small. In some cases passwords are embedded in programs which, for science-processing reasons, will need to be used for years, even after newer versions of the programs become available.

In addition to programs, the passwords are stored in web application configuration files, IDE configuration files and database access tools.

Many programs run as long-lived daemons with no Kerberos tokens. The scripts are stored on Unix (AFS and NFS), on Windows and in CVS, and probably on OS X as well in future.

Passwords are mostly not encrypted. There is little point in encrypting them: our programs would need to decrypt the password before using it (at least as we do things now), and anyone who can read and modify our programs could use them to decrypt the passwords.

There is logging of web access and, in some cases, more detailed logging in the applications.

If we are to adopt a policy of changing these passwords every six months, we need a way to do it cost-effectively and with no downtime of our essential programs. We do not currently know of a technical solution to this problem, nor have we budgeted time or manpower to find and adopt one. If the password policy for Oracle passwords is changed, we will need extensive help from the database and security groups to implement a plan for handling these passwords.

All these issues apply not only to Oracle accounts but also to MySQL and any other service accounts, e.g. email access.
In developing solutions we should find solutions for all these areas simultaneously.

Unix: logging and archive of mail delivery. Windows: IIS web server logging.
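The rotation problem raised in the notes (change a password that long-lived daemons use, with no downtime and without touching change-controlled code) is normally solved by taking the password out of the program and letting the client accept either of two passwords during a rollover window. The following Python is an added example, not code from this page or from the GLAST/SLAC systems it describes; the credentials-file format, the FakeOracle stand-in, the GLAST_DP account name and the passwords are assumptions made for illustration. Oracle's Secure External Password Store (a wallet referenced through a TNS alias) is the vendor-native way to keep the password out of the program; the plain 0600 file here is database-agnostic, which matters because the notes want one solution that also covers MySQL and other service accounts.

```python
"""Zero-downtime password rotation for long-lived database clients.

Added example, not code from the page. The daemon never embeds the password;
it reads a credentials file at connect time, and during a rollover the file
carries both the new and the previous password, so whichever one the database
currently accepts will work. Rotation then needs no code change or restart:
  1. write the new password to the file, keeping the old as previous_password
  2. change the password in the database (sessions already open are not dropped)
  3. once every client has reconnected, remove previous_password from the file
FakeOracle stands in for the real server so this runs offline; with
python-oracledb you would call oracledb.connect instead.
"""
import json
import os
import stat
import tempfile


class AuthError(Exception):
    pass


class FakeOracle:
    """One account, one current password; changing it leaves open sessions alone."""
    def __init__(self, user, password):
        self.user, self.password = user, password

    def connect(self, user, password):
        if (user, password) != (self.user, self.password):
            raise AuthError("ORA-01017: invalid username/password; logon denied")
        return {"user": user}

    def set_password(self, new):
        self.password = new


def tmp_path(name):
    return os.path.join(tempfile.mkdtemp(), name)


def write_credentials(path, user, password, previous=None, mode=0o600):
    data = {"user": user, "password": password}
    if previous:
        data["previous_password"] = previous
    with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode), "w") as f:
        json.dump(data, f)
    os.chmod(path, mode)  # the O_CREAT mode is masked by umask; make it explicit


def read_credentials(path):
    """Refuse a file anyone but its owner can read: that is the whole protection."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is group/world accessible (mode {oct(mode)})")
    with open(path) as f:
        return json.load(f)


def connect_with_rollover(db, cred_path):
    """Try the current password, then the previous one. Returns (conn, which)."""
    creds = read_credentials(cred_path)
    candidates = [("password", creds["password"])]
    if creds.get("previous_password"):
        candidates.append(("previous_password", creds["previous_password"]))
    last_err = None
    for label, pw in candidates:
        try:
            return db.connect(creds["user"], pw), label
        except AuthError as err:
            last_err = err
    raise last_err


class Daemon:
    """Long-running client; reconnects lazily when its session is gone."""
    def __init__(self, db, cred_path):
        self.db, self.cred_path, self.conn, self.used = db, cred_path, None, None

    def run_query(self):
        if self.conn is None:
            self.conn, self.used = connect_with_rollover(self.db, self.cred_path)
        return "ok"

    def drop_session(self):
        self.conn = None  # network blip / DB restart: next query must reconnect


def rotation_demo():
    """Walk one rotation; returns which password each reconnect used."""
    path = tmp_path("glast_dp.json")  # account name and secrets are illustrative
    db = FakeOracle("GLAST_DP", "old-secret")
    write_credentials(path, "GLAST_DP", "old-secret")
    d = Daemon(db, path)
    d.run_query(); first = d.used                                              # "password"
    write_credentials(path, "GLAST_DP", "new-secret", previous="old-secret")  # step 1
    d.drop_session(); d.run_query(); during = d.used   # DB still old -> "previous_password"
    db.set_password("new-secret")                                              # step 2
    d.drop_session(); d.run_query(); after = d.used                            # "password"
    write_credentials(path, "GLAST_DP", "new-secret")                          # step 3
    d.drop_session(); d.run_query()
    return first, during, after, d.used


def window_without_fallback():
    """Same window, but the file was rewritten without previous_password."""
    path = tmp_path("glast_dp.json")
    db = FakeOracle("GLAST_DP", "old-secret")
    write_credentials(path, "GLAST_DP", "new-secret")
    try:
        connect_with_rollover(db, path)
        return "connected"
    except AuthError as err:
        return str(err)


if __name__ == "__main__":
    print(rotation_demo())
    print(window_without_fallback())
```

Two caveats follow from the code. Until step 3 the file holds both passwords, so the 0600 mode and an owner account distinct from the developers are what the pattern relies on; that is also the answer to the point in the notes that encrypting a password inside a program everyone can read buys nothing. And because changing an Oracle password does not terminate sessions that are already open, step 2 only affects reconnects, so daemons that happen to be mid-session keep running and pick up the new password the next time they connect.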

ACCOUNT | INSTANCE | OWNER | USE / APPLICATION NAME | LOCATION | APPLICATION BUSINESS USE | MITIGATION: PRIVILEGES | ACCESS TO PII | PASSWORD ENCRYPTION | LOGGING | OTHER MITIGATIONS
GLASTDEV | SLAC_TCP | K.HEIDENREICH | defunct * | EXAMPLE | | | | | |
GLASTGEN | SLAC_TCP | K.HEIDENREICH | defunct * | | | | | | |
BFMAIL | SLAC_TCP | CRANE | BFMAIL | Windows; www-internal/database/oracle/pepqry/ | 1) BFMAIL mail distribution for the BaBar collaboration; 2) uses modified Majordomo code | BFMAILWEB has limited read/select for web application display | None | None | None |
GLASTGEN | GLASTDEV | KAREN | GLAST ground groups | UNIX | GLASTGROUND access levels | None | None | | None |
GLASTGEN | GLASTDEV | K.HEIDENREICH | develop & test environment | | data access control; various data information systems | full privileges | no | no | none | none
GLASTGEN | GLASTP | K.HEIDENREICH | production version | | data access control; various data information systems | full privileges | no | no | none | none
GLASTSYS | GLASTDEV | K.HEIDENREICH | read access to Oracle Grid Control for oracle-glast02 | SCCS DB Group control | view db instance statistics | read only | no | no | none | none
GLASTSYS | GLASTP | K.HEIDENREICH | read access to Oracle Grid Control for oracle-glast01 | SCCS DB Group control | view db instance statistics | read only | no | no | none | none
GLASTSYSADMIN | GLASTDEV | K.HEIDENREICH | read access to all db tables in the GLASTDEV instance | | set up to view all db tables automatically when tables are created | read only | no | no | none | none
GLASTSYSADMIN | GLASTP | K.HEIDENREICH | read access to all db tables in the GLASTP instance | | set up to view all db tables automatically when tables are created | read only | no | no | none | none
GLASTUSER | SLAC_TCP | K.HEIDENREICH | read access to various GLAST @SLAC_TCP data tables | GLAST IIS web server / ASP files | view data in GLAST SLAC_TCP instances | read only | no | no | none | none
GLAST_CAL | GLASTDEV | K.HEIDENREICH | I&T Web Elogbook | | | | no | no | none | none
GLAST_CAL | GLASTP | K.HEIDENREICH | I&T Web Elogbook | | | | no | no | none | none
GLAST_CAL_RO | GLASTDEV | K.HEIDENREICH | read access to data in ISOC/Trending databases | | | read only | no | no | none | none
GLAST_CAL_RO | GLASTP | K.HEIDENREICH | read access to data in ISOC/Trending databases | | | read only | no | no | none | none
GLAST_DATA | SLAC_TCP | K.HEIDENREICH | initial GLAST data tracking database | | | | no | no | none | none
GLAST_DOC | SLACDEV | K.HEIDENREICH | GLAST-LAT document management database | SCCS DB Group control | ------- | ------- | ------- | ------- | ------- | -------
GLAST_DOC | SLAC_TCP | K.HEIDENREICH | GLAST-LAT document management database | SCCS DB Group control | ------- | ------- | ------- | ------- | ------- | -------
GLAST_DP | GLASTDEV | K.HEIDENREICH | GLAST data processing pipeline & display catalog | Tomcat server | | | no | no | none | none
GLAST_DP | GLASTP | K.HEIDENREICH | GLAST data processing pipeline & display catalog | Tomcat server | | | no | no | none | none
GLAST_DP | SLACDEV | K.HEIDENREICH | defunct * (original GLAST data processing pipeline & display catalog) | Tomcat server | | | no | no | none | none
GLAST_MASTER | SLAC_TCP | K.HEIDENREICH | GLAST tracking databases: risk, assembly, people | GLAST IIS web server / ASP files | | | no | no | none | none
GLAST_SYSTEST | SLAC_TCP | K.HEIDENREICH | GLAST system test records | GLAST IIS web server / ASP files / ..? | | | no | no | none | none
LAT | GLASTDEV | K.HEIDENREICH | read data tables | | | read only | no | no | none | none
LAT | GLASTP | K.HEIDENREICH | read data tables | | | read only | no | no | none | none
LAT | SLACDEV | K.HEIDENREICH | defunct * | | | | | | |
LAT | SLACPROD | K.HEIDENREICH | defunct * | | | | | | |
LAT | SLAC_TCP | K.HEIDENREICH | defunct * | | | | | | |
GLAST_ISOC | SLAC_TCP | B. LEE | defunct * | | | | | | |
ISOC | SLACPROD | B. LEE | defunct * | | | | | | |
GLAST_ISOC | GLASTDEV | B. LEE | used for experimenting, testing schemas, etc. | | Telemetry Trending; Calibration Trending; Logging; FASTCopy Monitoring; Mission Planning Web Viewer | | no | no | none | none
ISOC | GLASTP | B. LEE | stores I&T trending data & operates the I&T FASTCopy automation | | Telemetry Trending; Calibration Trending; Logging; FASTCopy Monitoring; Mission Planning Web Viewer | | no | no | none | none
GLAST_ISOC | SLACDEV | B. LEE | stores MOC-delivered data from e.g. GRTs, ETEs, FASTCopy, etc. | | Telemetry Trending; Calibration Trending; Logging; FASTCopy Monitoring; Mission Planning Web Viewer | | no | no | none | none
GLAST_BT | GLASTDEV | C.CHEE | shift information | | GLAST and GLAST Beamtest Log Book | | no | no | none | none
GLAST_BT | GLASTP | C.CHEE | shift information | | GLAST and GLAST Beamtest Log Book | | | | |
GLAST_BT | SLACDEV | C.CHEE | | | | | | | |
GLAST_BT_RO | GLASTDEV | C.CHEE | | | | read only | | | |
GLAST_BT_RO | GLASTP | C.CHEE | | | | read only | | | |
GLASTTREND | GLASTDEV | C.CHEE | | | | | | | |
GLASTTREND | GLASTP | C.CHEE | | | | | | | |
J2EE | GLASTDEV | R.WONG | ? | | | | | | |
J2EE | GLASTP | R.WONG | ? | | | | | | |
ST | GLASTDEV | R.WONG | ? | | | | | | |
ST | GLASTP | R.WONG | ? | | | | | | |
GLASTRO | GLASTDEV | none | provides read access to all tables created on GLASTDEV | | | read only | no | | |
GLASTRO | GLASTP | none | provides read access to all tables created on GLASTP | | | read only | no | | |
GLAST_DP_TEST | GLASTSTG | R.WONG | PIPELINE II | | | | no | | |
GLAST_DP_TEST | GLASTP | R.WONG | PIPELINE II | | | | no | | |
GLAST_DP_TEST | GLASTDEV | R.WONG | PIPELINE II | | | | no | | |
GLAST_DP_TEST | SLACDEV | R.WONG | defunct * | | | | no | | |

* Defunct database accounts should be locked; if no problems occur, remove the account from the instance (SLAC_TCP and SLACDEV instances only).