...
...
The SCCS security team has mandated that Oracle passwords be changed every six months. Until now, Oracle passwords at the lab have never been changed, and as a result they have commonly been "baked in" to hundreds of scripts and programs.
Our goals were threefold
After discussion with the SCCS database group we attempted to adopt two methodologies to address these goals:
We have succeeded in getting our Tomcat and other servers to run using Oracle Wallet. (The Tomcat servers are in production; the other servers are running in DEV and need CCB approval to move to prod.) This indeed makes it possible to change the password in the database and (quickly) update the credentials stored in Oracle Wallet. This took much more time than expected because of many quirks in Oracle Wallet, and because Oracle Wallet is not supported in the Oracle "thin" JDBC driver we have been using up to now.
...
In conclusion, we have spent a considerable amount of time setting up Oracle Wallet and experimenting with roles etc. This effort will enable us to change Oracle passwords in the future without downtime for our critical servers, but it has resulted in a system which is currently considerably less secure than before. This has taken a considerable amount of manpower which should have been directed to more pressing needs.
In future we should ensure that the for similar security team mandates
Oracle Wallet gives the appearance of having been written by a high-school student on their first programming assignment. In particular:
...