Confluence will be unusable 23-July-2024 at 06:00 due to a Crowd upgrade.
SCCS security team has mandated that Oracle passwords be changed every six months. Before now oracle passwords at the lab have never been changed, and as a result have been commonly "baked in" to hundreds of scripts and programs.
Our goals were threefold
After discussion with the SCCS database group we attempted to adopt two methodologies to address these goals:
We have succeeded in getting our tomcat and other servers to run using oracle wallet. (The tomcat servers are in production, the other servers are running in DEV and need CCB approval to move to prod). This indeed makes it possible to change the password in the database and (quickly) update the credentials stored in Oracle wallet. This took much more time than expected because of many quirks in oracle wallet, and because oracle wallet is not supported in the oracle "thin" JDBC driver we have been using up to now.
We have not so far succeeded in getting user programs (pipeline client and datacat client) to use oracle wallet. The passwords for theses programs are currently stored in plain text in the script itself readable by anyone at SLAC, and in the most obvious place for a hacker to look for them. There are two reasons for needing to do this:
We have not succeeded in using oracle roles. There are currently two reasons for this: