How to make a more secure connection using a hash key

Subbarao Dasari (Member Posts: 17, Green Ribbon)

Dear sir,

The user name and password are known to a second person in the organization, since they are in plain-text form in the CONNECTION string.

Please kindly let me know whether my expected feature is possible in Oracle.

  1. I will create a user with a password like 'pass123'.
  2. I will use the hash value of 'pass123' in the connection string. The password used for any type of connection is the hash value only. I may use any type of encryption for the hash value.
  3. Oracle will take the hash value from the connection string and connect to the database user.

Will this kind of feature be possible for an Oracle connection, so that the risk of the password stored in the configuration files becoming known is restricted?

Thanking you

Regards

Answers

  • Solomon Yakobson (Member Posts: 19,009, Red Diamond), edited Nov 19, 2021 12:28PM

    You can create an Oracle wallet and give read access to it only to authorized OS users. Passwords inside the wallet are hashed. The wallet itself is password protected, so only a user who knows the wallet password can make wallet changes.

    SY.

  • User_H3J7U (Member Posts: 814, Gold Trophy)

    since the user name and password are in plain text form in the CONNECTION string

    The password does not need to be passed in the connection string. For example, JDBC accepts separate parameters for the URL (connection string), user and password:

    // java.sql.DriverManager: the credentials are separate arguments, not part of the URL
    public static Connection getConnection(String url,
                                           String user,
                                           String password)
                                    throws SQLException

    Aside from this, you can configure OS authentication or an external password store (encrypted password file). Read the Security guide.
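    The OS-authentication option mentioned above, worked through as an added example (this is not code from the thread). It assumes a local OS account named batch, the default OS_AUTHENT_PREFIX of OPS$, and a DBA session to run the DDL; the database user name is therefore OPS$BATCH. The point is that the batch script holds no credential at all, and the REMOTE_OS_AUTHENT check is the caveat that makes this safe: it must stay FALSE so only a local OS identity, never one claimed over the network, is trusted.

```sql
-- Added example, not from the original thread. Run as a DBA.
-- Assumed: OS user 'batch' on the database host, default OS_AUTHENT_PREFIX = 'OPS$'.

-- 1. Confirm the prefix the instance expects in front of the OS user name.
SHOW PARAMETER os_authent_prefix;            -- expect OPS$

-- 2. Create the externally authenticated account: no password is ever set,
--    the OS login of 'batch' is the proof of identity.
CREATE USER ops$batch IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO ops$batch;
-- Grant only what the job needs beyond that (for example EXECUTE on one
-- API package); never direct table privileges "just in case".

-- 3. Caveat: OS authentication must be honoured for local connections only.
--    With REMOTE_OS_AUTHENT = TRUE any remote client could claim to be 'batch'.
SELECT name, value
  FROM v$parameter
 WHERE name = 'remote_os_authent';          -- expect FALSE (the default)

-- 4. From a shell running as OS user 'batch' the script connects with no
--    password in any file or command line:
--      sqlplus /
--    and the session identity is the prefixed account:
--      SELECT user FROM dual;               -- OPS$BATCH
```

    Because the external account can only be reached from the host as that OS user, protecting the database credential collapses to protecting the OS account, which the host already does.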

  • Anton Scheffer (Member Posts: 1,931, Gold Trophy), edited Nov 19, 2021 12:42PM

    If everybody knows your username and hash and you can use those to log in to Oracle, how would that make things more secure? See "Connection shortcuts with a wallet" (Learning is not a spectator sport, connor-mcdonald.com) for a better solution.

  • BluShadow (Member, Moderator Posts: 41,615, Red Diamond)

    Depends why the password is being used from outside the database in the first place.

    I've commonly seen it where people are writing scripts as files to be executed with sqlplus, and they schedule processes on the server to call sqlplus and end up providing the password to connect in plain text.

    In that case, the better alternative is to keep all your "processing" inside the database (i.e. packages/procedures/functions) and use the database scheduling (dbms_jobs/dbms_scheduler) to schedule the jobs from within the database, and then you're storing nothing in the clear on the server o/s at all. (it also makes monitoring and logging of the jobs easier as it can all be kept inside)

    So, does your "second person" need to connect to the database from outside? If so, then it would be valid for them to know the password. If they shouldn't know the password to a particular schema, then create another database user/schema with the appropriate privileges/grants for that person and give them the password for that user instead.

    As usual, the answer depends on what the actual circumstances are. You've explained how you think a solution should be implemented, but not actually explained to us what the actual issue is.

  • Subbarao Dasari (Member Posts: 17, Green Ribbon)

    The issue is:

    I have an application which will connect to the database. The credentials are stored in the web.config or as a hardcoded string in the .NET program, or similarly in a technology like Java.

    My concern is that there is a possibility of someone other than the developer who has access to the .NET or Java program learning the database credentials.

    How do we control a second person accessing the database, as explained in the above scenario?

    regards.

  • User_H3J7U (Member Posts: 814, Gold Trophy)
    Accepted Answer

    Implement security on the DB side, not the application. Then the sql connection will allow you to do exactly what is already available in the application.

  • Subbarao Dasari (Member Posts: 17, Green Ribbon)

    Thank you for your quick and useful response.


    I need exactly what we implemented on application users for DB users.


    Thanks & regards

    Subbarao Dasari

  • Subbarao Dasari (Member Posts: 17, Green Ribbon)

    Please advise me of any document available to implement what you said:

    "Implement security on the DB side, not the application. Then the sql connection will allow you to do exactly what is already available in the application."

  • BluShadow (Member, Moderator Posts: 41,615, Red Diamond)

    By using separate schemas and user specific grants to allow execution, select/insert/update/delete etc. against specific objects on the database, that's the first part of implementing the security on the database. You may even restrict a schema to just having some API calls to perform certain operations rather than being able to access the tables directly.

    It really does depend on the actual requirements and the application/database in question, and involves a full scoping exercise to see what's needed and what's most appropriate (i.e. is it just for one user, a fixed number of users, multiple users, different roles or all the same role? etc.)

  • User_H3J7U (Member Posts: 814, Gold Trophy)

    Documentation:

    Security guide/Managing Security for Application Developers

    Development guide/Security

    To simplify the implementation of restricted access, a procedural API is usually used. In this case, the user has access only to the execution of procedures, either through the application or through sqlplus.
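    The schema split with per-user grants that BluShadow describes, and the procedural API User_H3J7U recommends, combined into one added example (not code from the thread or from Oracle's documentation). The schema names APP_DATA, APP_API and APP_RUN, the ACCOUNTS table and the ACCOUNT_API package are assumptions made for illustration; run it as a DBA on 12c or later (it uses an identity column). The account whose password sits in web.config is APP_RUN, and it holds EXECUTE on one package and nothing else, so the second person who reads that password gets exactly the operations the application already has, with the package's own validation in the way.

```sql
-- Added example, not from the original thread. Assumed names throughout. Run as a DBA.

-- Three roles of account: the table owner (never logs in after deployment),
-- the API owner (deploys the package), and the runtime account (the only one
-- whose password ever appears in application configuration).
CREATE USER app_data IDENTIFIED BY "ChangeMe_Data#1" QUOTA UNLIMITED ON users;
CREATE USER app_api  IDENTIFIED BY "ChangeMe_Api#1";
CREATE USER app_run  IDENTIFIED BY "ChangeMe_Run#1";

GRANT CREATE SESSION   TO app_api, app_run;   -- deliberately not app_data
GRANT CREATE TABLE     TO app_data;
GRANT CREATE PROCEDURE TO app_api;

-- Data lives in a schema nobody connects to.
CREATE TABLE app_data.accounts (
  id      NUMBER        GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  owner   VARCHAR2(100) NOT NULL,
  balance NUMBER(14,2)  NOT NULL CHECK (balance >= 0)
);

-- The API owner receives direct object grants (not via a role: definer's-rights
-- code only sees privileges granted directly to its owner), limited to what
-- the package actually does. No DELETE, no DDL.
GRANT SELECT, INSERT, UPDATE ON app_data.accounts TO app_api;

CREATE OR REPLACE PACKAGE app_api.account_api AUTHID DEFINER AS
  PROCEDURE open_account(p_owner IN VARCHAR2, p_id OUT NUMBER);
  PROCEDURE deposit(p_id IN NUMBER, p_amount IN NUMBER);
  FUNCTION  balance_of(p_id IN NUMBER) RETURN NUMBER;
END account_api;
/
CREATE OR REPLACE PACKAGE BODY app_api.account_api AS
  PROCEDURE open_account(p_owner IN VARCHAR2, p_id OUT NUMBER) IS
  BEGIN
    INSERT INTO app_data.accounts (owner, balance) VALUES (p_owner, 0)
      RETURNING id INTO p_id;
  END open_account;

  PROCEDURE deposit(p_id IN NUMBER, p_amount IN NUMBER) IS
  BEGIN
    -- Business rules are enforced here, where a caller with only EXECUTE
    -- cannot bypass them by touching the table.
    IF p_amount IS NULL OR p_amount <= 0 THEN
      raise_application_error(-20001, 'amount must be positive');
    END IF;
    UPDATE app_data.accounts SET balance = balance + p_amount WHERE id = p_id;
    IF SQL%ROWCOUNT = 0 THEN
      raise_application_error(-20002, 'no such account');
    END IF;
  END deposit;

  FUNCTION balance_of(p_id IN NUMBER) RETURN NUMBER IS
    l_balance NUMBER;
  BEGIN
    SELECT balance INTO l_balance FROM app_data.accounts WHERE id = p_id;
    RETURN l_balance;
  END balance_of;
END account_api;
/

-- The runtime account (the one in web.config) can only call the API.
GRANT EXECUTE ON app_api.account_api TO app_run;

-- Check, connected as APP_RUN, what a person holding that password can do:
--   SELECT * FROM app_data.accounts;                 -- ORA-00942: table or view does not exist
--   UPDATE app_data.accounts SET balance = 1e9;      -- ORA-00942
--   EXEC app_api.account_api.deposit(1, 50);         -- allowed, validated by the package
```

    The same package can be called from sqlplus or from the application; the boundary is the grant, not the client. If several people need different capabilities, create one runtime account per role and grant each a different (or narrower) package rather than sharing APP_RUN.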