----Original Message----
From: MacGregor, Ian A.
Sent: Friday, June 22, 2007 8:28 AM
To: Ponton, Richard; Chan, Andrea; Larrieu, Heather; Cowles, Robert D.; Crane, George R.; Samineni, Venkata; Hutcherson, Jackie R.; Shab, Theodore; Johnson, Tony S.; Heidenreich, Karen A.; Rock, Judith E.; Denys, Ernest; Hee, Charlotte; Chestnut, Ronald P.; Pierre, Jean-Raymond; Gordon, Michael
Subject: RE: Oracle password meeting notes 6/19/2007

Oracle has introduced an external password store to deal with this problem. Passwords are stored in an SSL protected wallet. The file simply has /@database identifier. I have tried this on some Oracle servers themselves and it worked.

There are issues such as how we get passwords into the wallet. How to handle databases which need more than one such password. I think hoiwever these can be worked around. See

http://download-west.oracle.com/docs/cd/B19306_01/server.102/b14231/create.htm#sthref484

----Original Message----
From: Ponton, Richard
Sent: Tuesday, June 19, 2007 4:19 PM
To: Chan, Andrea; Larrieu, Heather; Cowles, Robert D.; Crane, George R.; MacGregor, Ian A.; Samineni, Venkata; Hutcherson, Jackie R.; Ponton, Richard; Shab, Theodore; Johnson, Tony S.; Heidenreich, Karen A.; Rock, Judith E.; Denys, Ernest; Hee, Charlotte; Chestnut, Ronald P.; Pierre, Jean-Raymond; Gordon, Michael
Subject: Oracle password meeting notes 6/19/2007

These are my notes on Heather and Bob's words. They may have revisions.

Command Decision:

We do not expire anything on July 2nd.
Strongly suggest users comply by July 2nd.
By mid August, come up with documentation on What accounts don't follow the policy.
Where they're used.
How the passwords are stored.
Who has access to those accounts.
What other steps have we taken to mitigate the risks of a 3rd party gaining access to that account's password.
Does the account have access to any Business Sensitive or PII data.

Require a plan for correction by 1st quarter 2008

Moving forward, we have to come up with a good way of managing passwords

encrypted
not in plain text

See also: https://slacspace.slac.stanford.edu/sites/appdevproj/SLACSoftware/Service%20Account%20Details/Meeting%20notes%202007-06-09.aspx

  • No labels

1 Comment

  1. Tony Johnson

    It seems that probably it is possible to use the oracle wallet with JDBC, see for example:

    http://download-uk.oracle.com/docs/cd/B19306_01/java.102/b14355/clntsec.htm

    It is not clear to me exactly how to set this up, or how you give the password to access the wallet, especially for service accounts.