
Use of Oracle Wallet for GLAST

SCCS security team has mandated that Oracle passwords be changed every six months. Before now oracle passwords at the lab have never been changed, and as a result have been commonly "baked in" to hundreds of scripts and programs.

Goals

Our goals were threefold

  1. Remove passwords baked in to existing programs and store them somewhere where they can be maintained securely.
  2. Ensure that passwords can be changed in the future without disruption of the GLAST data processing, including long running servers.
  3. Avoid the necessity of sharing all the oracle passwords with all the developers in the group.

Techniques

After discussion with the SCCS database group we attempted to adopt two methodologies to address these goals:

  1. Use Oracle wallet to securely store passwords.
  2. Use Oracle roles so that developers can use their own personal accounts, and service accounts can be created specifically for use by servers and similar processes.

Status

We have succeeded in getting our tomcat and other servers to run using oracle wallet. (The tomcat servers are in production, the other servers are running in DEV and need CCB approval to move to prod). This indeed makes it possible to change the password in the database and (quickly) update the credentials stored in Oracle wallet. This took much more time than expected because of many quirks in oracle wallet, and because oracle wallet is not supported in the oracle "thin" JDBC driver we have been using up to now.
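As an added illustration (not code from the GLAST project), the following shows the "before" and "after" of moving a server's credentials out of the program and into Oracle wallet. It assumes the servers use the OCI (thick) JDBC driver, which the page implies by ruling out the thin driver, and it uses placeholder host, service, alias and account names; the mkstore and sqlnet.ora fragments in the comments are the standard Oracle secure external password store setup, not anything the page itself documents.

```java
import java.sql.Connection;
import java.sql.SQLException;
import javax.sql.DataSource;
import oracle.jdbc.pool.OracleDataSource;

public class WalletDataSource {

    // BEFORE: thin driver with the username and password baked into the program.
    // Anyone who can read the class (or the script that launches it) has the secret,
    // and every password rotation means editing and redeploying the program.
    static DataSource bakedInCredentials() throws SQLException {
        OracleDataSource ds = new OracleDataSource();
        ds.setURL("jdbc:oracle:thin:@//dbhost.example:1521/GLASTDB"); // placeholder host/service
        ds.setUser("glast_app");                                       // placeholder account
        ds.setPassword("changeme");                                    // the baked-in secret
        return ds;
    }

    // AFTER: OCI driver, no credentials in code. The "/@glast_prod" URL tells the
    // driver to look up the alias in tnsnames.ora and take the username/password
    // for that alias from the wallet named in sqlnet.ora.
    //
    // One-time setup on the server (placeholder paths and names), run as the
    // service account that owns the server process:
    //
    //   mkstore -wrl /path/to/wallet -create
    //   mkstore -wrl /path/to/wallet -createCredential glast_prod glast_app <password>
    //
    // and in $TNS_ADMIN/sqlnet.ora:
    //
    //   WALLET_LOCATION = (SOURCE = (METHOD = FILE)
    //                      (METHOD_DATA = (DIRECTORY = /path/to/wallet)))
    //   SQLNET.WALLET_OVERRIDE = TRUE
    //
    // Rotating the password is then: ALTER USER in the database, followed by
    //   mkstore -wrl /path/to/wallet -modifyCredential glast_prod glast_app <newpassword>
    // with no change to the program. The wallet directory must be readable only by
    // the service account (mode 0700); otherwise the secret has just moved files.
    static DataSource fromWallet() throws SQLException {
        OracleDataSource ds = new OracleDataSource();
        ds.setURL("jdbc:oracle:oci:/@glast_prod"); // alias held in tnsnames.ora and the wallet
        return ds;
    }

    // Quick connectivity check a server can run at startup to fail fast if the
    // wallet or alias is misconfigured, rather than discovering it on first query.
    static boolean canConnect(DataSource ds) {
        try (Connection c = ds.getConnection()) {
            return c.isValid(5);
        } catch (SQLException e) {
            System.err.println("database connection failed: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws SQLException {
        System.exit(canConnect(fromWallet()) ? 0 : 1);
    }
}
```

The same `/@alias` form works for command-line tools (`sqlplus /@glast_prod`), which is why a single wallet owned by the service account covers both the long running servers and any cron or batch jobs run as that account; the remaining gap, as the next paragraph notes, is end-user programs run under many different accounts.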

We have not so far succeeded in getting user programs (pipeline client and datacat client) to use oracle wallet. The passwords for these programs are currently stored in plain text in the script itself, readable by anyone at SLAC, and in the most obvious place for a hacker to look for them. There are two reasons for this:

  • Oracle wallet is currently only usable with Oracle 10.2. The only installation of oracle 10.2 at SLAC is a 64 bit version, but SLAC has many machines (especially batch machines) still running 32 bit OS. We would need a 32 bit oracle installation to use oracle wallet for end-user programs. This needs to be checked with Ian.
  • Whether we use oracle wallet or some other mechanism we have no way to give read access only to GLAST collaborators. We need an AFS or NFS group which is maintained and contains all GLAST collaborators/users. Tom says we are working on creating an AFS group.

We have not succeeded in using oracle roles. There are currently two reasons for this:

  • All of our