Scribd Logo
Upload

Welcome to Scribd!

  • 44 views

    Hide Oracle Passwords: Useradd Passwd

    Uploaded by

    Tariq Malhi
    Oracle

    Copyright:

    © All Rights Reserved
    Download as ODT, PDF, TXT or read online from Scribd

    Hide Oracle Passwords: Useradd Passwd

    Uploaded by

    Tariq Malhi
    44 views4 pages
    Oracle

    Original Title

    Oracle Security

    Copyright

    © © All Rights Reserved

    Available Formats

    ODT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Oracle

    Copyright:

    © All Rights Reserved
    Download as ODT, PDF, TXT or read online from Scribd
    Download as odt, pdf, or txt
    44 views4 pages

    Hide Oracle Passwords: Useradd Passwd

    Uploaded by

    Tariq Malhi
    Oracle

    Copyright:

    © All Rights Reserved
    Download as ODT, PDF, TXT or read online from Scribd
    Download as odt, pdf, or txt
    of 4

    Hide Oracle Passwords

    You may be required to use passwords in scripts calling Oracle tools, like SQL*Plus,
    Export/Import and RMAN etc. One method to remove the credentials from the
    script itself is to create a credentials file to hold them. In this case I'm using
    "/home/oracle/.scottcred", which contains the following.

    scott/tiger

    Change the permissions to make sure the file is only visible to the owner.

    $ chmod 600 /home/oracle/.scottcred

    Now replace references to the credentials with the contents of the file.

    $ expdp < /home/oracle/.scottcred schemas=SCOTT directory=DATA_PUMP_DIR


    dumpfile=SCOTT.dmp logfile=expdpSCOTT.log

    OS Authentication
    OS authentication allows Oracle to pass control of user authentication to the OS.
    Non-priviliged OS authentication connections take the following form.

    sqlplus /

    sqlplus /@service

    When a connection is attempted from the local database server, the OS username
    is passed to the Oracle server. If the username is recognized, the Oracle the
    connection is accepted, otherwise the connection is rejected.

    This article presents the configuration steps necessary to set up OS authentication


    on UNIX/Linux and Windows platforms.

    First, create an OS user, in this case the user is called "tim_hall". In UNIX and
    Linux environments this is done using the useradd and passwd commands.

    # useradd tim_hall

    # passwd tim_hall

    Changing password for tim_hall.

    New password:

    Retype new password:


    Next, try to connect to Oracle as an OS authenticated user. We expect this to fail!
    It may be necessary to set up a few environment variables so that SQL*Plus works
    correctly. Under UNIX or Linux you would expect something like the following.

    # su - tim_hall

    $ export ORACLE_HOME=/u01/app/oracle/product/10.1.0/db_1

    $ export PATH=$PATH:$ORACLE_HOME/bin

    $ export ORACLE_SID=DEV1

    $ sqlplus /

    SQL*Plus: Release 10.1.0.3.0 - Production on Wed Jun 7 08:43:30 2006

    Copyright (c) 1982, 2004, Oracle. All rights reserved.

    ERROR:

    ORA-01017: invalid username/password; logon denied

    The connections failed because we have not told Oracle the users are OS
    authenticated. To do this, we must create an Oracle user, but first we must check
    the value of the Oracle OS_AUTHENT_PREFIX initialization parameter.

    SQL> SHOW PARAMETER os_authent_prefix

    NAME TYPE VALUE

    ------------------------------------ ----------- ------------------------------

    os_authent_prefix string ops$

    SQL>

    As you can see, the default value is "ops$". If this is not appropriate it can be
    changed using the ALTER SYSTEM command, but for now we will use this default
    value.

    Now we know the OS authentication prefix, we can create a database user to


    allow an OS authenticated connection. To do this, we create an Oracle user in the
    normal way, but the username must be the prefix value concatenated to the OS
    username. So for the OS user "tim_hall", we would expect an Oracle username of
    "ops$tim_hall" on a UNIX or Linux platform.

    -- UNIX

    CREATE USER ops$tim_hall IDENTIFIED EXTERNALLY;


    GRANT CREATE SESSION TO ops$tim_hall;

    With the configuration complete, we can repeat our OS authentication connection


    tests. First, in a UNIX or Linux environment.

    su - tim_hall

    export ORACLE_HOME=/u01/app/oracle/product/10.1.0/db_1

    export PATH=$PATH:$ORACLE_HOME/bin

    export ORACLE_SID=DEV1

    sqlplus /

    SQL*Plus: Release 10.1.0.3.0 - Production on Wed Jun 7 08:41:15 2006

    Copyright (c) 1982, 2004, Oracle. All rights reserved.

    Connected to:

    Oracle Database 10g Enterprise Edition Release 10.1.0.3.0 - Production

    With the Partitioning, Oracle Label Security, OLAP and Data Mining options

    SQL>

    As you can see, the database servers in both environments are now configured to
    allow the user "tim_hall" to connect using OS authentication.

    If you prefer to have no prefix for the oracle user you need to set the
    OS_AUTHENT_PREFIX parameter to null (empty string). The ALTER SYSTEM syntax
    doesn't cope well with zero length strings, so you have to make the change the
    long way.

    create pfile='/tmp/pfile.txt' from spfile;

    shutdown immediate;

    Add this to the "/tmp/pfile.txt" file.

    os_authent_prefix=''

    Recreate the pfile.

    sqlplus / as sysdba

    create spfile from pfile='/tmp/pfile.txt';


    startup

    show parameter os_authent_prefix

    NAME TYPE VALUE

    ------------------------------------ ----------- ------------------------------

    os_authent_prefix string

    SQL>

    You might also like