Discussions
Categories
- 382.6K All Categories
- 2.1K Data
- 212 Big Data Appliance
- 1.9K Data Science
- 448.4K Databases
- 221.1K General Database Discussions
- 3.7K Java and JavaScript in the Database
- 25 Multilingual Engine
- 541 MySQL Community Space
- 469 NoSQL Database
- 7.8K Oracle Database Express Edition (XE)
- 2.9K ORDS, SODA & JSON in the Database
- 499 SQLcl
- 3.9K SQL Developer Data Modeler
- 186.3K SQL & PL/SQL
- 21.1K SQL Developer
- 293.8K Development
- 9 Developer Projects
- 130 Programming Languages
- 290.5K Development Tools
- 96 DevOps
- 3K QA/Testing
- 645.6K Java
- 24 Java Learning Subscription
- 36.9K Database Connectivity
- 151 Java Community Process
- 104 Java 25
- 22.1K Java APIs
- 137.9K Java Development Tools
- 165.3K Java EE (Java Enterprise Edition)
- 17 Java Essentials
- 146 Java 8 Questions
- 85.9K Java Programming
- 79 Java Puzzle Ball
- 65.1K New To Java
- 1.7K Training / Learning / Certification
- 13.8K Java HotSpot Virtual Machine
- 94.2K Java SE
- 13.8K Java Security
- 200 Java User Groups
- 24 JavaScript - Nashorn
- Programs
- 292 LiveLabs
- 36 Workshops
- 10.2K Software
- 6.7K Berkeley DB Family
- 3.5K JHeadstart
- 5.8K Other Languages
- 2.3K Chinese
- 168 Deutsche Oracle Community
- 1.2K Español
- 1.9K Japanese
- 234 Portuguese
How to make it more secured connection using hash key
Dear sir,
User name and password are known by the second person in the organization since the user name and password are in plain text form in the CONNECTION string.
Please kindly let me know whether my expected feature is possible or not in the ORACLE.
- I will create a user with a password like 'pass123'
- I will use the hash value of 'pass123' in the connection string. The password which is used for any type of connection is hash value only. I may use any type of encryption for the hash value.
- Oracle will take the hash value in the connection string and connect it to the database user.
Will this kind of feature be possible in ORACLE connection so that my risk of knowing the password which is stored in the configuration files is restricted?
Thanking you
Regards
Best Answer
-
Implement security on the DB side, not the application. Then the sql connection will allow you to do exactly what is already available in the application.
Answers
-
You can create Oracle wallet and give read access to it just to authorized OS users. Passwords inside the wallet are hashed. Wallet itself is password protected, so only user who knows wallet password can make wallet changes.
SY.
-
since the user name and password are in plain text form in the CONNECTION string
Password is not needed to pass in the connection string. For example, jdbc accepts separate parameters for url (connection string), user and password:
public static Connection getConnection(String url, String user, String password) throws SQLExceptionAside this, you can configure OS authentication or external password store (encrypted password file). Read the Security guide.
-
If everybody knows your username and hash and you can use those to login to Oracle, how would that make things more secure? See Connection shortcuts with a wallet – Learning is not a spectator sport (connor-mcdonald.com) for a better solution
-
Depends why the password is being used from outside the database in the first place.
I've commonly seen it where people are writing scripts as files to be executed with sqlplus and they schedule up processes on the server to call sqlplus and end up providing the password to connect in plain text.
In that case, the better alternative is to keep all your "processing" inside the database (i.e. packages/procedures/functions) and use the database scheduling (dbms_jobs/dbms_scheduler) to schedule the jobs from within the database, and then you're storing nothing in the clear on the server o/s at all. (it also makes monitoring and logging of the jobs easier as it can all be kept inside)
So, does your "second person" need to connect to the database from outside? If so, then it would be valid for them to know the password. If they shouldn't know the password to a particular schema, then create another database user/schema with the appropriate privileges/grants for that person and give them the password for that user instead.
As usual, the answer depends on what the actual circumstances are. You've explained how you think a solution should be implemented, but not actually explained to us what the actual issue is.
-
The issue is
I have an application which will connect the database. The credentials are stored in the web.config or hardcoded string in the .net program or some of the technology like java.
My concern is there is a possibility of knowing the database credentials other than the developer who got the access of .net or java program.
How do we control a second person accessing the database as explained in the above scenario.
regards.
-
Implement security on the DB side, not the application. Then the sql connection will allow you to do exactly what is already available in the application.
-
Thank you for your quick and useful response.
I need exactly what we implemented on application users for DB users.
Thanks & regards
Subbarao Dasari
-
Advise me any document available to implement what you said
Implement security on the DB side, not the application. Then the sql connection will allow you to do exactly what is already available in the application.
-
By using separate schemas and user specific grants to allow execution, select/insert/update/delete etc. against specific objects on the database, that's the first part of implementing the security on the database. You may even restrict a schema to just having some API calls to perform certain operations rather than being able to access the tables directly.
It really does depend on the actual requirements and the application/database in question, and involves a full scoping exercise to see what's needed and what's most appropriate (i.e. is it just for one user, a fixed number of users, multiple users, different roles or all the same role? etc.)
-
Documentation:
Security guide/Managing Security for Application Developers
To simplify the implementation of restricted access, a procedural API is usually used. In this case, the user has access only to the execution of procedures, either through the application or through sqlplus.
