Oracle Analytics Cloud and Server

How to manage the frequent change of database passwords

As per security recommendation, the policy in our organization is to change the passwords of database users every 60 days.

The challenge is to update the following manually every 60 days:

  • RCU database schemas
  • RPD connection pools
  • BIP JDBC Data source connections

If anyone has the same requirement, how are you doing it? Is there a way to automate this?

Best Answer

  • Gianni Ceresa
    edited October 21 Answer ✓

    Hi @User_JKVJZ ,

    No need to ask in a different forum, you are in the right one, and your question isn't a purely DB one: the previous reply doesn't apply to you…

    First, I would challenge the person who decided to implement such a random inefficient policy…

    "As per security recommendation, the policy in our organization is to change the passwords of database users every 60 days."

    Any real database is configured with various roles: there is a policy that applies to human accounts, and then there is a policy that applies to technical accounts.

    All human accounts can enforce a 60-day password rotation, that's up to your company. But technical accounts like those used by the OBIEE/OAS application should not expire every 60 days because that's just, sorry for the word, stupid. They're technical accounts, no humans should have them and should be allowed to use them, they are only for the application. If a password rotation is required for technical accounts, it should be every 12-18 months at maximum.

    You will probably have little chance to explain that to your company, mostly if they decided it is 60 days for everybody, it shows they have little knowledge of a corporate IT environment…

    How to handle it?

    Try to script all of it. In MOS (https://support.oracle.com/) you can find documents describing how the various passwords can be changed. When a change is in a file, it's easy to script. When a change is in WebLogic, you can script it with WebLogic Scripting Tool (WLST). You can even enable "recording" in WebLogic when you do it once manually and it should give you the piece of code to replicate it in an automated way.

    It should work quite well for the RCU schemas.

    For the RPD connection pools, there is a command line utility that allows you to perform a mass update inside the running RPD (it's also the same used for example when you migrate your RPD from dev to prod, you mass update the connection pool to point to the prod database etc.).

    For the BIP data sources I don't know to be fair, if you can't find anything in the doc or MOS, you could ask in https://community.oracle.com/products/oracleanalytics/categories/bi-publisher explicitly just for that piece (to not be told that you should ask somewhere else).

    But get ready, it will be a painful script to write to handle everything. Still worth trying to educate the people who decided that technical accounts should change password every 60 days.
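
As an added illustration of the WLST approach described in the answer above (not code from the thread or from Oracle): a script that sets a new password on WebLogic JDBC data sources in a single edit session, rolling back if any step fails. It covers only the WebLogic side; the script name, the data source names and file paths passed as arguments, and the admin credential files (assumed to have been created beforehand with WLST's `storeUserConfig`) are assumptions, and the database-side password change is out of scope.

```python
# WLST (Jython) script. Added example; host names, file paths and data source
# names passed on the command line are the operator's own (assumed here).
# Usage: wlst.sh rotate_ds.py ADMIN_URL USER_CONFIG USER_KEY PW_FILE DS_NAME...
import sys

def driver_params_path(ds_name):
    """Edit-tree location of the bean that stores a data source's password."""
    return '/JDBCSystemResources/%s/JDBCResource/%s/JDBCDriverParams/%s' % (
        ds_name, ds_name, ds_name)

def read_secret(path):
    """Read the new password from a file, so it never appears in the
    process list or shell history. Restrict the file to its owner."""
    f = open(path)
    try:
        secret = f.read().strip()
    finally:
        f.close()
    if not secret:
        raise ValueError('%s is empty' % path)
    return secret

def rotate(admin_url, user_config, user_key, ds_names, new_password):
    """Set new_password on every listed data source in one edit session."""
    # connect(), edit(), cd(), cmo, save() ... are WLST built-ins: this
    # function only works when the script is run by wlst.sh.
    connect(userConfigFile=user_config, userKeyFile=user_key, url=admin_url)
    try:
        edit()
        startEdit()
        try:
            for ds in ds_names:
                cd(driver_params_path(ds))
                cmo.setPassword(new_password)
            save()
            activate(block='true')
        except:
            cancelEdit('y')   # leave no half-applied change behind
            raise
    finally:
        disconnect()

def main(argv):
    if len(argv) < 6:
        print('usage: wlst.sh rotate_ds.py ADMIN_URL USER_CONFIG USER_KEY PW_FILE DS_NAME...')
        return 2
    rotate(argv[1], argv[2], argv[3], argv[5:], read_secret(argv[4]))
    return 0

if __name__ in ('main', '__main__'):   # WLST runs scripts with __name__ == 'main'
    main(sys.argv)
```

Authenticating with the stored user config and key files keeps the WebLogic admin password out of the script as well.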

Answers