| How to setup Password rotation [message #669521] |
Fri, 27 April 2018 00:38  |
 |
MeghaB
Messages: 22
Registered: April 2018
|
Junior Member |
|
|
Hi,
Please let me know is there any method to do password rotation without any downtime. If so, please let me the steps for doing that.
Thanks in advance.
|
|
|
|
|
|
|
|
|
|
|
|
| Re: How to setup Password rotation [message #669562 is a reply to message #669561] |
Mon, 30 April 2018 01:12  |
John Watson
Messages: 8962
Registered: January 2010
Location: Global Village
|
Senior Member |
|
|
Quote:I meant if someone is performing some action with old password, in middle of that if we change the password it will show the wrong credentials or else time out will happen. There is only one "action" that requires a password: logging in to create a session. If you change the password, you have to tell the user that it has been changed. That is all. Nothing to do with any roles.
This sounds like a non-existent problem. Are you projecting a problem that some other database has on to an Oracle database?
|
|
|
|
|
|
| Re: How to setup Password rotation [message #669565 is a reply to message #669564] |
Mon, 30 April 2018 02:36 |
John Watson
Messages: 8962
Registered: January 2010
Location: Global Village
|
Senior Member |
|
|
Quote:From the java/.net code there might have already connection happened with the old password, but in middle without keeping any downtime we are changing the password. After the password change if they are running any queries it will fail. The only way this can be a problem is if your application is disconnecting and reconnecting in the middle of the process. That is an application design issue, and I do not see how any Oracle supplied database facility can correct it. Can you not fix the code so that it uses persistent sessions, or perhaps a connection pool, correctly?
|
|
|
|
| Re: How to setup Password rotation [message #669566 is a reply to message #669565] |
Mon, 30 April 2018 04:20 |
Frank Naude
Messages: 4587
Registered: April 1998
|
Senior Member |
|
|
Quote:After the password change, if they are running any queries it will fail.
This is certainly not true! As explained, users that are logged in and querying the database will be unaffected.
They just need to use the new password when they want to log in again.
|
|
|
|
|
|
| Re: How to setup Password rotation [message #669573 is a reply to message #669571] |
Mon, 30 April 2018 07:08 |
cookiemonster
Messages: 13961
Registered: September 2008
Location: Rainy Manchester
|
Senior Member |
|
|
Unless your app is doing something highly unusual (like opening a new DB session anytime it does anything) no downtime is required.
As the others have said more than once the only time the password gets checked for a given oracle session is at logon.
|
|
|
|
|
|
|
|
|
|
| Re: How to setup Password rotation [message #669596 is a reply to message #669595] |
Wed, 02 May 2018 04:18 |
John Watson
Messages: 8962
Registered: January 2010
Location: Global Village
|
Senior Member |
|
|
Quote:The problem is that if we change the password for the user which has active connections to the database, future connections to the database will fail, until the application are updated with the new credentials.
So tell your users that you have changed their passwords. You could even be proactive, and tell them that you ARE GOING to change their passwords. Or even tell them to change the passwords for themselves. You can configure a timed password expiry that will force them to, you know.
Quote:Is there any way to create 2 users and do a password rotation between the users?
I don't understand this.
Are you sure that you are not inventing a problem that really doesn't exist?
|
|
|
|
| Re: How to setup Password rotation [message #669597 is a reply to message #669595] |
Wed, 02 May 2018 04:22 |
cookiemonster
Messages: 13961
Registered: September 2008
Location: Rainy Manchester
|
Senior Member |
|
|
How would rotating passwords between two users solve the problem?
And why is the problem a problem?
If you're going to change everyone's password why don't you just make them log in again?
|
|
|
|
|
|
|
|
|
|
|
|
| Re: How to setup Password rotation [message #669602 is a reply to message #669601] |
Wed, 02 May 2018 05:06 |
cookiemonster
Messages: 13961
Registered: September 2008
Location: Rainy Manchester
|
Senior Member |
|
|
We need a fair amount of clarification here.
You originally said you need to change the passwords of 200 schemas, now you are talking about just 2.
How do the 2 relate to the 200?
How do all the users actually login? Do they all have their own oracle account on the DB? Or are they all logging into the same account?
If the same account, how do you control that?
|
|
|
|
|
|
| Re: How to setup Password rotation [message #669693 is a reply to message #669603] |
Tue, 08 May 2018 04:20 |
Roachcoach
Messages: 1576
Registered: May 2010
Location: UK
|
Senior Member |
|
|
As I read it he wants to create two identical users with different credentials and let the application roll between them between password changes.
HOWEVER I'm unclear on how that fixes the purported "problem" because you'll still need to tell the app which to use.
@OP. You have an application issue, not a database one. Stop letting them make this your problem.*
*I say that, it's the story of my life...
|
|
|
|
| Re: How to setup Password rotation [message #669696 is a reply to message #669693] |
Tue, 08 May 2018 07:55 |
cookiemonster
Messages: 13961
Registered: September 2008
Location: Rainy Manchester
|
Senior Member |
|
|
Roachcoach wrote on Tue, 08 May 2018 10:20As I read it he wants to create two identical users with different credentials and let the application roll between them between password changes.
I assumed that too.
Roachcoach wrote on Tue, 08 May 2018 10:20
HOWEVER I'm unclear on how that fixes the purported "problem" because you'll still need to tell the app which to use.
Indeed. I can't see where it gets the OP either, hence the questions.
|
|
|
|
|
|
| Re: How to setup Password rotation [message #669716 is a reply to message #669715] |
Wed, 09 May 2018 04:42 |
cookiemonster
Messages: 13961
Registered: September 2008
Location: Rainy Manchester
|
Senior Member |
|
|
As far as oracle is concerned there is a simple way to change the password with zero downtime:
You just change the password.
That's it.
So if changing the password in your application causes problems then that is due to how your application handles connecting to the DB.
If you want help avoiding issues with password change then you need to explain to us how the application handles connecting to the DB and why that's a problem for you.
With that information we should be able to suggest work arounds.
|
|
|
|
|
|
| Re: How to setup Password rotation [message #669742 is a reply to message #669741] |
Thu, 10 May 2018 03:18 |
cookiemonster
Messages: 13961
Registered: September 2008
Location: Rainy Manchester
|
Senior Member |
|
|
It's still not at all clear how users log on.
But either:
1) User supplies password for DB account - in which case they need to be informed of the new password.
2) Application supplies password for DB account - in which case password the app holds needs updating when the password is changed.
There's no magic here and I'm still none the wiser as to why this is such a problem for you.
[Updated on: Thu, 10 May 2018 03:19] Report message to a moderator |
|
|
|
|
|
| Re: How to setup Password rotation [message #669744 is a reply to message #669743] |
Thu, 10 May 2018 04:14 |
Roachcoach
Messages: 1576
Registered: May 2010
Location: UK
|
Senior Member |
|
|
MeghaB wrote on Thu, 10 May 2018 10:00whenever db password in the application changes the app needs to redeploy to make the new password in effect which needs the downtime
WHY?
Existing sessions will not be affected.
|
|
|
|
| Re: How to setup Password rotation [message #669745 is a reply to message #669743] |
Thu, 10 May 2018 04:16 |
cookiemonster
Messages: 13961
Registered: September 2008
Location: Rainy Manchester
|
Senior Member |
|
|
If you change the password then you need to supply the new one.
If the app needs to be redeployed in order to do that then it needs to be redeployed.
And how is changing over the user the app uses going to help? Won't you need to redeploy to do that too? In which case why bother (is it because you've got multiple apps and don't want to change them all in one go?)
The problem here is nothing to do with oracle. It is everything to do with the app.
You need to look into ways to change the password the app uses without having to redeploy it.
|
|
|
|
| Re: How to setup Password rotation [message #669746 is a reply to message #669744] |
Thu, 10 May 2018 04:18 |
cookiemonster
Messages: 13961
Registered: September 2008
Location: Rainy Manchester
|
Senior Member |
|
|
Roachcoach wrote on Thu, 10 May 2018 10:14MeghaB wrote on Thu, 10 May 2018 10:00whenever db password in the application changes the app needs to redeploy to make the new password in effect which needs the downtime
WHY?
Existing sessions will not be affected.
Seems they need to redeploy the app to have it pick up the new password, so no new sessions can start till that's done.
|
|
|
|
|
|
|
|
| Re: How to setup Password rotation [message #669749 is a reply to message #669747] |
Thu, 10 May 2018 05:36 |
cookiemonster
Messages: 13961
Registered: September 2008
Location: Rainy Manchester
|
Senior Member |
|
|
MeghaB wrote on Thu, 10 May 2018 11:09yes we need to redeploy that, Which will take enough downtime. Whether we can keep some other user(with same password) in oracle where we can switch to that user while changing the password of the active user.
You can have some other user to connect to sure. And if you've got the privs and synonyms set right it'll work the same as the existing user (or you could use alter session set current_schema).
But how do you get the app to connect to a different user without redeploying it?
|
|
|
|
|
|
| Re: How to setup Password rotation [message #669753 is a reply to message #669746] |
Thu, 10 May 2018 07:51 |
Roachcoach
Messages: 1576
Registered: May 2010
Location: UK
|
Senior Member |
|
|
cookiemonster wrote on Thu, 10 May 2018 10:18Roachcoach wrote on Thu, 10 May 2018 10:14MeghaB wrote on Thu, 10 May 2018 10:00whenever db password in the application changes the app needs to redeploy to make the new password in effect which needs the downtime
WHY?
Existing sessions will not be affected.
Seems they need to redeploy the app to have it pick up the new password, so no new sessions can start till that's done.
Still not seeing a problem with a properly designed app tier tbh. Cycle one machine at a time, we do it all the time in here, albeit not for that reason.
|
|
|
|
|
|
|
|
|
|
] 
Blog
Search
Help
Members
Register
Login
Home
