How to manage the frequent change of database passwords
As per security recommendation, the policy in our organization is to change the passwords of database users every 60 days.
The challenge is to update below manually every 60 days:
- RCU database schemas
- RPD connection pools
- BIP JDBC Data source connections
If anyone has the same requirement, how are you doing it? Is there a way to automate this?
Best Answer
-
Hi @User_JKVJZ ,
No need to ask in a different forum, you are in the right one, and your question isn't a purely DB one: the previous reply doesn't apply to you…
First, I would challenge the person who decided to implement such a random inefficient policy…
"As per security recommendation, the policy in our organization is to change the passwords of database users every 60 days."
Any real database is configured with various roles, there is a policy that applies to human accounts, and then there is a policy that applies to technical accounts.
All human accounts can enforce a 60 days password rotation, that's up to your company. But technical accounts like those used by the OBIEE/OAS application should not expire every 60 days because that's just, sorry for the word, stupid. They're technical accounts, no humans should have them or be allowed to use them, they are only for the application. If a password rotation is required for technical accounts, it should be every 12-18 months at maximum.
You will probably have little chance to explain that to your company, mostly if they decided it is 60 days for everybody, it shows they have little knowledge of a corporate IT environment…
How to handle it?
Try to script all of it. In MOS (https://support.oracle.com/) you find documents describing how the various passwords can be changed. When a change is in a file, it's easy to script. When a change is in WebLogic, you can script it with WebLogic Scripting Tool (WLST). You can even enable "recording" in WebLogic when you do it once manually and it should give you the piece of code to replicate it in an automated way.
It should work quite well for the RCU schemas.
For the RPD connection pools, there is a command line utility that allows you to perform a mass update inside the running RPD (it's also the same used for example when you migrate your RPD from dev to prod, you mass update the connection pool to point to the prod database etc.).
For the BIP data sources I don't know to be fair, if you can't find anything in the doc or MOS, you could ask in
explicitly just for that piece (to not be told that you should ask somewhere else).
But get ready, it will be a painful script to write to handle everything. Still worth trying to educate the people who decided that technical accounts should change password every 60 days.
2
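A WLST sketch of the WebLogic part of the approach described in the answer above, as an added example that is not code from the thread or from Oracle. It assumes the database password has already been changed, that admin credentials were stored once with `storeUserConfig()`, and that the URL, file paths and data source names are placeholders to replace with your own.

```jython
# WLST (Jython) script, run as: wlst.sh rotate_ds_password.py < new_password_file
# Every host, path and data source name here is a placeholder, not from the thread.
import sys

ADMIN_URL = 't3s://adminhost.example.com:7002'      # placeholder admin server URL
USER_CONFIG = '/secure/wlst/admin-config.secure'    # written once by storeUserConfig()
USER_KEY = '/secure/wlst/admin-key.secure'          # key file paired with the config file
DATA_SOURCES = ['EXAMPLE_DS_1', 'EXAMPLE_DS_2']     # placeholder JDBC data source names

def read_new_password():
    # Reading from stdin keeps the secret out of the process list and shell history
    pw = sys.stdin.readline().rstrip('\r\n')
    if not pw:
        raise ValueError('no password supplied on stdin')
    return pw

def rotate(ds_names, new_password):
    # One edit session for all data sources: either every password changes or none does
    edit()
    startEdit()
    try:
        for ds in ds_names:
            cd('/JDBCSystemResources/%s/JDBCResource/%s/JDBCDriverParams/%s' % (ds, ds, ds))
            cmo.setPassword(new_password)   # WebLogic stores it encrypted in the descriptor
        save()
        activate(block='true')
    except:
        # Discard saved-but-unactivated changes, then release the edit lock
        undo(unactivatedChanges='true', defaultAnswer='y')
        cancelEdit('y')
        raise

# Stored, encrypted admin credentials avoid a clear-text admin password in the script
connect(userConfigFile=USER_CONFIG, userKeyFile=USER_KEY, url=ADMIN_URL)
try:
    rotate(DATA_SOURCES, read_new_password())
finally:
    disconnect()
```

Keep the config and key files readable only by the account that runs the rotation job, since together they grant WebLogic admin access.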
Answers
-
Hi @User_JKVJZ
This is a pure DB question.
You can refer below -
Password Change Life Cycle During a Gradual Database Password Rollover
Regards,
Arjun
0 -
@User_JKVJZ I've pre-emptively marked Gianni's answer as "correct" so that it immediately appears underneath your question and the inapplicable response gets pushed lower.
2 -
To add to previous answers, for the RPD connection pool part, you can set the connection pool to use a DSS connection (the connection defined in data > connection). This way you don't have to modify the RPD, you can just update the credentials in data > connections.
1 -
Thank you Mr. Gianni, will follow your suggestions in coming up with scripts to accomplish this.
0