
Tom Kyte

Thanks for the question.

Asked: February 04, 2005 - 12:53 pm UTC

Last updated: May 24, 2010 - 7:30 am UTC

Version: 9205


You Asked

Tom,

We have a requirement in which we need to connect to the database from the application server through SQL*Net without supplying the password for the connection or storing/encrypting the password on the app server.

I searched your website and was able to find Oracle Wallet manager.
Is this the only way of authenticating the app server to db or there is some alternative solution.

Tom if you recommend OWM, could you please point me to the link[I am being lazy here :-)]

Thanks.

and Tom said...

David Knox, Chief Security Engineer for Oracle North America, provided this response. More details can be found in Effective Oracle Database 10g Security By Design:

There are two ways. Using SSL and Oracle Wallet Manager (see
http://docs.oracle.com/cd/B14117_01/network.101/b10772/asowalet.htm#1006084 )
you can set up Oracle Advanced Security, which uses the wallet to establish an SSL connection.

A better solution would be to use the feature Oracle built to do precisely what you are asking - Proxy Authentication. A proxy connection allows you to connect to the database as the end user without requiring the user's password. Refer to the book above or
http://docs.oracle.com/cd/B14117_01/network.101/b10773/apdvprxy.htm#1010289
for more details.
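Proxy authentication as described in the answer above, as an added example (this is not code from the answer or from David Knox's book). The middle tier connects as its own account and asks Oracle to switch the session to the end user without ever holding that user's password. The account names APP_PROXY and SCOTT, the role APP_ROLE, the password and the service name are assumed for illustration.

```sql
-- Added example: proxy authentication. The middle-tier account is the
-- only one whose credential the application server presents; the end
-- user's password is never used. APP_PROXY, SCOTT, APP_ROLE and the
-- password below are assumed names for illustration.

-- 1. As a DBA: the middle-tier account needs nothing but CREATE SESSION.
CREATE USER app_proxy IDENTIFIED BY "changeme_only_for_demo";
GRANT CREATE SESSION TO app_proxy;

-- 2. Allow APP_PROXY to connect on behalf of SCOTT. Limiting the proxied
--    session to one role bounds what a compromised middle tier can do
--    while wearing SCOTT's identity.
CREATE ROLE app_role;
GRANT SELECT ON scott.emp TO app_role;
GRANT app_role TO scott;
ALTER USER scott GRANT CONNECT THROUGH app_proxy WITH ROLE app_role;

-- 3. Audit what the proxy does as each user (standard auditing syntax).
AUDIT SELECT TABLE BY app_proxy ON BEHALF OF scott;

-- 4. From the application server. SQL*Plus 10.2 and later accept the
--    proxy logon syntax shown here; on the 9.2 client in the question the
--    same thing is done through the OCI / JDBC-OCI proxy attributes
--    described in the linked documentation.
--      CONNECT app_proxy[scott]/changeme_only_for_demo@orcl

-- 5. Inside the proxied session, verify who Oracle thinks we are.
SELECT sys_context('userenv', 'session_user')        AS session_user,  -- SCOTT
       sys_context('userenv', 'proxy_user')          AS proxy_user,    -- APP_PROXY
       sys_context('userenv', 'authentication_type') AS auth_type      -- PROXY
FROM dual;

-- 6. Withdraw the privilege when the middle tier is decommissioned.
-- ALTER USER scott REVOKE CONNECT THROUGH app_proxy;
```

Note that this removes the end users' passwords from the middle tier, not the middle tier's own: step 4 still supplies APP_PROXY's password. Getting rid of that last credential is what the wallet/SSL option in the answer, or OS authentication for the middle-tier account, is for.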



Comments

A reader, February 06, 2005 - 10:53 am UTC

David, thanks for your reply, will look into your book as well.

Tom thanks for your time as well.

Asif.

A reader, February 16, 2005 - 7:56 pm UTC

David/Tom,

We have a similar requirement in which we want to authenticate a user without a password. I went through the links and the book you mentioned above.

I did not see any code or examples on how to connect user from app server to database without password.

On page 96 the code that you have has a password in it, nor do the docs have examples.

Can any of you guys please demonstrate with an example?

Thanks.



Tom Kyte
February 17, 2005 - 7:19 am UTC

what would you like the middle tier to use precisely?

the client can authenticate to the middle tier, the middle tier (man in the middle) must authenticate to the database. It can do this with its own credentials (not the clients) and connect on behalf of the client -- but it must itself be authenticated.

so, what would you like to use from the middle tier.

A reader, February 17, 2005 - 9:53 am UTC

Tom,

Sorry if I wasn't clear enough. On the mid tier we have vendor software (written in C++) that connects to the DB with a DB userid and password; the password is stored in a property (text) file in clear text. I want the user to be authenticated without a password, or encrypt the password, or whichever method suits best.

How can I achieve that?

Thanks.

Tom Kyte
February 17, 2005 - 10:53 am UTC

talk to the mid tier vendor -- they need to change their way of connecting -- nothing magical we can do there. They would still expect that file to be there, they would still expect to connect to Oracle using them. Until they expect to do it differently that will be a fact of life.

Tell that vendor "you need to fix this"

A reader, February 17, 2005 - 11:43 am UTC

Tom,

"It can do this with its own credentials (not the clients) and connect on behalf of the client -- but it must
itself be authenticated"

Can you please elaborate (with an example) how the midtier can be authenticated without a password?

Thanks.


Tom Kyte
February 17, 2005 - 1:47 pm UTC

OS authentication for example.... connect /
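What `connect /` rests on, as an added example (not Tom's code): an externally identified account for the middle tier, so that the application server holds no database password at all. Assumed for illustration: the application runs as OS user `appsrv` on the database host, `os_authent_prefix` is at its default of `OPS$`, and the end-user account SCOTT already exists.

```sql
-- Added example: external (OS) authentication for the middle-tier
-- account. Oracle trusts the operating-system login instead of a password.
-- Assumed: OS user "appsrv" on the database host, os_authent_prefix = OPS$.

-- 1. As a DBA, check the prefix Oracle prepends to the OS user name.
SELECT value FROM v$parameter WHERE name = 'os_authent_prefix';  -- OPS$

-- 2. Create the account with no password; OPS$APPSRV maps to OS user appsrv.
CREATE USER ops$appsrv IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO ops$appsrv;

-- 3. Let the passwordless account proxy to the end user, so the middle
--    tier can act as SCOTT without SCOTT's password either.
ALTER USER scott GRANT CONNECT THROUGH ops$appsrv;

-- 4. From a shell running as OS user appsrv on the database host:
--      sqlplus /
--    No password prompt, no credential file. The proxied logon as SCOTT is
--    then requested through the OCI / JDBC-OCI proxy attributes.

-- 5. Confirm the session really was OS-authenticated.
SELECT sys_context('userenv', 'session_user')        AS session_user,  -- OPS$APPSRV
       sys_context('userenv', 'os_user')             AS os_user,       -- appsrv
       sys_context('userenv', 'authentication_type') AS auth_type      -- OS
FROM dual;

-- 6. Keep this FALSE (the default). With it TRUE, Oracle would accept the
--    OS user name that a *remote* client claims over SQL*Net, which any
--    client can forge.
SELECT value FROM v$parameter WHERE name = 'remote_os_authent';  -- FALSE
```

The caveat in step 6 matters for the original question, which asks about a connection "through sqlnet": OS authentication is only trustworthy when the client process runs on the database host (a bequeath or IPC connection). For a middle tier on a different machine, the passwordless options are the SSL/wallet authentication from the answer above, not remote OS authentication.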

A reader, February 17, 2005 - 10:20 pm UTC

How about SSL authentication?

Thanks.

Tom Kyte
February 18, 2005 - 7:25 am UTC

sure, the first link on this page is to that.

Forms, Application Server, Proxy Authentication

Mike Friedman, February 25, 2005 - 12:20 am UTC

Actually, the place where this would be really valuable would be for Oracle Forms and Application Server.

But I don't think it is possible.

The current implementation is really not very good - you have to store Oracle DB passwords for each Forms account in plain text in the Oracle Internet Directory repository.

Proxy Authentication with Oracle Forms 10g

Adam Ham, April 13, 2005 - 11:22 am UTC

I wanted to refer to Mike Friedman's question above.

1) Is proxy authentication available for Oracle Forms 10g?

2a) Is there an alternative, Lets say you would like to use SSO with your Forms application but you would also like to have the username in the database so that you could perform auditing and grants for that specific user.

2b) Would the only alternative be, to create an SSO user and Database user to each individual and use RAD (Resource Access Descriptors) to link the SSO user to the Database user? In this case, where would you store all the Databse user passwords?

3) Is there a best practices on this subject?

Thanks, Adam.

Tom Kyte
April 13, 2005 - 11:44 am UTC

1) forms questions best asked on otn.oracle.com. not sure, don't use it myself.

2a) I don't see why proxy auth would defeat SSO? the goal of proxy auth is to pass the true identity into the database so you can use auditing and grants...



David Knox has written a book I think to be pretty good on security in Oracle in general. See the links I like in the tab bar up top for a link to it.

client ssl authentication

radino, March 08, 2007 - 7:29 am UTC

I use the package utl_http to call a web service. The WS provider will require client SSL authentication. Is there any support for client SSL authentication in PL/SQL?
Here is a Java example: http://forums.oracle.com/forums/thread.jspa?threadID=458074&tstart=0#1647181
I'd like to accomplish this in PL/SQL.

Tom Kyte
March 08, 2007 - 10:51 am UTC

sure, the client would be the database however, is that what you mean to do?

You cannot put a man in the middle with ssl/pki authentication - so if your goal is to use the original clients certificate - that won't work for obvious reasons - the original client needs to perform the operation.

But, we can do https with utl_http.

client ssl authentication

radino, March 09, 2007 - 4:53 am UTC

Yes, my database is the client for the WS provider.

Which certificate will the Oracle DB use if client authentication is required? I am not sure if I understand it correctly.
Is this going to work (DB = client, WS provider = server, client authentication required)?
1) I will create a new certificate request in the Oracle wallet.
2) I will export the certificate request made in step 1) and send it to a certification authority (which is trusted by the WS provider) to sign it.
3) I will import the signed certificate into the wallet.
4) I will import the trusted certificate of the certification authority which signed the WS provider's certificate into the wallet.
5) I will set the wallet using utl_http.set_wallet().
6) I will use utl_http methods to send and receive data.

Should the SSL handshake be successful in this scenario?

thank you.
Tom Kyte
March 09, 2007 - 11:12 am UTC

yes, you use the wallet to store the certificate and then utl_http can use that to authenticate and converse in SSL.
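The PL/SQL side of the six-step procedure above, as an added example (not radino's or Tom's code): the database acting as an HTTPS client that presents its own certificate from the wallet. Assumed for illustration: the wallet was built exactly as in steps 1 to 4 (own key pair, CA-signed user certificate, and the CA that signed the provider's server certificate as a trusted certificate), lives at `/u01/app/oracle/wallet` on the database host, and was saved with auto-login enabled; the endpoint URL is a placeholder.

```sql
-- Added example: UTL_HTTP over HTTPS with a client certificate from an
-- Oracle wallet. Wallet path and URL are assumed placeholders.
DECLARE
  l_req   utl_http.req;
  l_resp  utl_http.resp;
  l_line  VARCHAR2(32767);
BEGIN
  -- The wallet must hold the database's private key and user certificate
  -- (what the server asks for in client authentication) plus the CA that
  -- signed the web service's server certificate (so we can verify it).
  -- An auto-login wallet (cwallet.sso) lets the password be NULL, which
  -- keeps it out of stored PL/SQL source and out of this listing.
  utl_http.set_wallet('file:/u01/app/oracle/wallet', NULL);

  -- Turn HTTP 4xx/5xx into exceptions instead of silently reading an
  -- error page as if it were the service's reply.
  utl_http.set_response_error_check(TRUE);

  l_req := utl_http.begin_request('https://ws.example.com/service',
                                  'GET', 'HTTP/1.1');
  utl_http.set_header(l_req, 'User-Agent', 'Mozilla/4.0');

  -- The TLS handshake happens here. If the server's certificate cannot be
  -- validated against the wallet's trusted CAs this raises ORA-29024; a
  -- handshake refused for lack of a valid client certificate also fails
  -- at this call rather than later.
  l_resp := utl_http.get_response(l_req);
  dbms_output.put_line('HTTP ' || l_resp.status_code || ' ' || l_resp.reason_phrase);

  BEGIN
    LOOP
      utl_http.read_line(l_resp, l_line, TRUE);
      dbms_output.put_line(l_line);
    END LOOP;
  EXCEPTION
    WHEN utl_http.end_of_body THEN
      utl_http.end_response(l_resp);
  END;
EXCEPTION
  WHEN OTHERS THEN
    -- ORA-29273 ("HTTP request failed") wraps the real SSL/HTTP cause;
    -- print the detail before re-raising so the wallet problem is visible.
    dbms_output.put_line(utl_http.get_detailed_sqlerrm);
    IF l_resp.status_code IS NOT NULL THEN
      utl_http.end_response(l_resp);
    END IF;
    RAISE;
END;
/
```

Two things decide whether the handshake in this scenario succeeds: the user certificate in the wallet must chain to a CA the provider trusts (step 2), and the provider's server certificate must chain to a CA in the wallet's trusted certificates (step 4). Either one missing fails at `get_response`, and `get_detailed_sqlerrm` is the quickest way to tell which.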

Oracle Wallet for JDBC thin connections

Dan, May 16, 2010 - 12:24 pm UTC

Tom

Can I use the Oracle wallet implementation with the JDBC thin driver (Java app connections to the DB) to secure the password (hide the password)?

I was told that I will have to use OCI for the Java application.

Thanks.
Tom Kyte
May 24, 2010 - 7:30 am UTC

as far as I know, that would be correct - there are a few features (client result set caching for example) that are only available with the oci drivers.