
Re: Encrypt password in JDBC connection string

From: Job Miller <jobmiller_at_yahoo.com>
Date: Wed, 22 Aug 2007 11:58:44 -0700 (PDT)
Message-ID: <313648.58092.qm@web53911.mail.re2.yahoo.com>


Is it a web app? If so, use a JDBC data source defined by the app server. I think all the app servers I have seen have some form/mechanism to encrypt or use indirection for the password in the data-sources.xml file that defines the connection URL.

For oc4j:

Using Password Indirection

The data-sources.xml file requires passwords for authentication. Embedding these passwords without some kind of obfuscation poses a security risk. To avoid this problem, OC4J supports password indirection.

An indirect password is made up of a special indirection symbol (->) and a user name (or user name and realm). When OC4J encounters an indirect password, it retrieves the password associated with the specified user from the security store provided by a user manager.

For more information on creating users and passwords, and working with a user manager, see the section on password management in the Oracle Containers for J2EE Security Guide.

For example, if the native data source entry looks like:

<native-data-source
   name="nativeDataSource"
   jndi-name="jdbc/nativeDS"
   data-source-class="com.acme.DataSourceImpl"
   user="frank"
   password="frankpw"
   url="jdbc:acme:@localhost:5500:acme" />

You can replace the password, "frankpw", with the indirection symbol (->) and a user name (frank) as follows: password="->frank". This assumes that a user named frank with the password frankpw has been created in a user manager.

You can configure password indirection in the Application Server Control Console.

To configure an indirect password for a data source directly in the data-sources.xml file, change the value of the password attribute so that its value is "->", followed either by the username or by the realm and user separated by a slash ("/"). For example:

<native-data-source
   name="nativeDataSource"
   jndi-name="jdbc/nativeDS"
   data-source-class="com.acme.DataSourceImpl"
   user="frank"
   password="->frank"
   url="jdbc:acme:@localhost:5500:acme" />

There is also a password attribute for the <managed-data-source> and <connection-factory> elements.

goran bogdanovic <goran00_at_gmail.com> wrote:
You may consider using Oracle Secure External Password Store...

Wu, Michael wrote:
Hello,

Our technical auditors require we encrypt the schema password in the JDBC connection string. Can you please provide some advice? What's the best practice to handle those application schema passwords in Oracle?

Thanks,
Michael



--
http://www.freelists.org/webpage/oracle-l
Received on Wed Aug 22 2007 - 13:58:44 CDT
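
An added example, not part of the original message or of Oracle's documentation: a small Python check that parses a data-sources.xml and reports which password attributes on the three elements named in the message still hold a literal value rather than a "->" reference. The sample file is constructed from the entries quoted above, and treating the last "/" as the realm/user separator is an assumption.

```python
import xml.etree.ElementTree as ET

# Elements the quoted OC4J text says carry a password attribute.
PASSWORD_ELEMENTS = ("native-data-source", "managed-data-source", "connection-factory")

# Constructed sample modelled on the entries quoted in the message.
SAMPLE = """<data-sources>
  <native-data-source name="nativeDataSource" jndi-name="jdbc/nativeDS"
      data-source-class="com.acme.DataSourceImpl" user="frank"
      password="frankpw" url="jdbc:acme:@localhost:5500:acme" />
  <native-data-source name="indirectDS" jndi-name="jdbc/indirectDS"
      data-source-class="com.acme.DataSourceImpl" user="frank"
      password="->frank" url="jdbc:acme:@localhost:5500:acme" />
  <connection-pool name="pool1">
    <connection-factory factory-class="com.acme.DataSourceImpl" user="scott"
        password="->myrealm/scott" url="jdbc:acme:@localhost:5500:acme" />
  </connection-pool>
</data-sources>"""

def classify(password):
    """Return (kind, realm, user); the password value itself is never returned."""
    if password is None:
        return ("absent", None, None)
    if not password.startswith("->"):
        return ("literal", None, None)
    # Assumption: the last "/" separates realm from user name.
    realm, sep, user = password[2:].rpartition("/")
    if not user or (sep and not realm):
        return ("malformed", None, None)
    return ("indirect", realm or None, user)

def audit(xml_text):
    """List (element, label, kind, realm, user) for each password-bearing element."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag in PASSWORD_ELEMENTS:
            label = elem.get("name") or elem.get("jndi-name") or "(unnamed)"
            findings.append((elem.tag, label) + classify(elem.get("password")))
    return findings

def needs_fixing(xml_text):
    """Entries whose password is stored in the file or is a broken reference."""
    return [f for f in audit(xml_text) if f[2] in ("literal", "malformed")]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The findings deliberately omit the password value, so the report can be attached to an audit ticket without copying the secret.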
