Pushing Encrypted Passwords In Oracle DB
Oct 13, 2010
We have over 200 different servers that are running Oracle and every 2 months, we have our passwords expire. Instead of having the DBA's go into every server to sync the passwords I would like to have some sort of way of pushing the encrypted password in the Oracle DB to other databases.
Two things to keep in mind.
1) Every user may not be in every DB so if the user does not exist, the code should not try to update that users password
2) I have all my DB's in a tnsnames.ora file or I can put into an easy to parse file, so I can connect to every DB.
View 3 Replies
ADVERTISEMENT
Sep 20, 2012
The following sequence of simple statements shows me how Analytics and Predicate Pushing appear to work. But when I go from constant tests to a join with the same data as a row instead of a constant value, the Predicate Pushing stops.
I have a table with 9 million rows in it. It takes about 90 seconds to scan.
13:25:11 SQL>
13:25:11 SQL> select count(*) thecount from lv_pln_usge_fact ;
THECOUNT
----------
8681388
1 row selected.
Elapsed: 00:00:32.28
If I run an analytic that counts all rows in the table I can see that easy enough. This exampe as I understand it, scans the table (I know this because if for no other reason, it take 90 seconds to get an answer), then after scanning all rows, counts them and adds the count to each row. There are in fact 9500 or so rows with the values of lv_rqst shown. Instead of seeing all 9500 rows, I distinct it to get only one. See how the count shows all rows in the table.
From this we see that the predicate is not pushed into the inner query to filter rows. If it had, the analytic would have produced a number like 9500 not 9 million. I have no issue with this as this is how Analytics are documented work.
13:25:43 SQL> select distinct *
13:25:43 2 from (
13:25:43 3 select LV_RQST
13:25:43 4 ,count(*) over () thecount
[code]..
We can see how filter does happen with an analytic. We push the predicate into the inner query and all of a sudden we get a count of only those rows for the specific request. Thus we see the basics of how analytics work, particularly with respect to predicate pushing. There is not real rocket science here. The filter removed rows before the analytic counted them. This too is how Analytics are documented to work.
13:27:02 SQL> select distinct *
13:27:02 2 from (
13:27:02 3 select lv_rqst,count(*) over () thecount
13:27:02 4 from lv_pln_usge_fact
13:27:02 5 where lv_rqst = '746780192'
[code]...
So far we have been doing "all rows" analytics. Now we use a PARTITION clause to group the data. Notice the rowcount. It is the count for just the lv_rqst. Do not be fooled. This is because the PARTITION column says to synchronize the analytic count to the data for its associated row. Thus the counts will be grouped by LV_RQST. Whether we had the predicate on the outside of the query or not, for this specific lv_rqst shown we would still get this count. This is not proof that we did any filtering with the predicate lv_rqst = '746780192'.
However, notice the speed of the query. It gets done so fast, that there is no way it is scanning the table. I know there is an index that starts with LV_RQST so I conclude that the index was used which I believe means the predicate was in fact PUSHED into the inner query. Thus I think we did in fact filter the rows to just this single LV_RQST value and we also accessed the table using the predicate as well which became an index range scan instead of full table scan. My biggest point is we were able to use the index to get the data we want, not scan the table and this was made so because we added the LV_RQST column to the OVER clause as part of the PARTITION BY expression.
13:27:03 SQL> select distinct *
13:27:03 2 from (
13:27:03 3 select LV_RQST
13:27:03 4 ,count(*) over (partition by lv_rqst) thecount
[code]...
Now I add an additional column to the inner query, and an additional predicate against that column to the outer query. We know that 9539 is the count of all rows where LV_RQST='746780192' as we have seen that before above. I also know the data and know about half say Y and half say N for this indicator column. This query gives the right answer. I just put it here are additional demonstration of the way analytics work. It demonstrates that the new predicate is not pushed into the innser query to filter rows. Again this is how Analytics are documented to work.
It used the index to range scan only the rows where LV_RQST='746780192'. So only those predicates that have their columns in the anlytics OVER clause are allowed to be pushed into the query for filtering and accessing purposes.
13:27:03 SQL> col LV_PLN_USGE_DEL_IND format a20 trunc
13:27:03 SQL> select distinct *
13:27:03 2 from (
13:27:03 3 select LV_RQST
[code]...
This next query shows a little more clarity. If we add the indicator column to our OVER clause then the rowcount changes to be the number of rows where LV_RQST='746780192' AND lv_pln_usge_del_ind = 'N'. So by putting the column into the OVER expression, Oracle decides to push the predicate down into the inner query and filter the data before the analytic count is done. Again this just demonstrates for clarity how it works. I think I am describing it right anyway.
And once again the speed clearly indicates that an index range scan was done using LV_RQST='746780192'. Recall I said there is an index that starts with this column.
13:27:03 SQL> select distinct *
13:27:03 2 from (
13:27:03 3 select LV_RQST
13:27:03 4 ,LV_PLN_USGE_DEL_IND
[code]...
NOW WE COME TO MY PROBLEM.Instead of using the constant value '746780192' we are going to create a one column one row table that has this value in it. We are then going to join to the the analytic subquery instead of doing a contant test against it.
13:27:03 SQL> create table kevt1
13:27:03 2 (
13:27:03 3 lv_rqst varchar2(10) not null
13:27:03 4 )
13:27:03 5 /
Table created.
Elapsed: 00:00:00.06
13:27:03 SQL>
13:27:03 SQL> insert into kevt1 values ('746780192')
13:27:03 2 /
1 row created.
Elapsed: 00:00:00.00
13:27:03 SQL>
13:27:03 SQL> commit
13:27:03 2 /
Commit complete.
Elapsed: 00:00:00.00
This query is in my mind the same query we did before but we loose the use of the index and go back to doing a FULL TABLE SCAN.
13:27:03 SQL> select distinct x.*
13:27:03 2 from (
13:27:03 3 select LV_RQST
[code]...
For a little bit more clarity, two more queries. Pay attention to how long it takes, and to how the additional joins affect things. Notice, particularly with the last statement, that the join criteria is being pushed into the inner query with the analytics. Otherwise how did it get that count?
14:55:21 SQL> select distinct x.*
14:56:16 2 from (
14:56:16 3 select LV_RQST
14:56:16 4 ,LV_PLN_USGE_DEL_IND
[code]...
So after looking at all this, here is my question: How do I get Oracle the use the index and nested loop join to the table lv_pln_usge_fact. We know Oracle pushes the predicates down when the columns are referenced in the OVER expression because we see that in several places. We also know the CBO can do a nested loop join with index access on LV_RQST because it does it when we use a constant test. But it won't use the index and nested loop when we do a join to a table with the same data, no matter how much rewriting or hinting I do.
I tested this in 9i/10g/11g and got same behavior in all three places.
View 18 Replies
View Related
Nov 28, 2012
I'm using the java API to select from Oracle using encrypted login credentials like:
${JAVA_HOME}/bin/java -classpath ${EXECUTEQUERY_CLASSPATH} -Djava.security.egd=file:/dev/urandom -Ddbname=${
DATABASE} -Duser=$DBowner -Dencrypted=true -Dpassword=$_PWD ExecuteSelect " ${sttmsql}"
In some cases I get an Error like:
Query(-1,-1):null
Sometimes I can restart the script and it runs perfectly (with the same Query!). Are there some limitations?
View 1 Replies
View Related
Oct 13, 2010
how to encrypt 9i database-link passwords? In 10g when we browse the link it show **** but in 9i it shows the actual password.
View 5 Replies
View Related
Feb 3, 2013
I want to create a procedure that will be checking passwords. A password should contain numbers and letters and be at least 8 characters long.
View 1 Replies
View Related
Aug 28, 2013
Oracle Database 11g Enterprise Edition Release 11.1.0.6.0 - 64bit
PL/SQL Release 11.1.0.6.0 - CORE 11.1.0.6.0
TNS for Linux: Version 11.1.0.6.0 - NLSRTL Version 11.1.0.6.0
When I checked the status of $emctl status dbconsole. I got this error OC4J Configuration issue.
I was told by the forums to drop and recreate the repos. But I noticed the moment you drop the repos you will loose the passwords of SYSMAN and DBSNMP. emca -deconfig dbcontrol db -repos dropemca -config dbcontrol db -repos createI tried default passwords does not worked. it looks like the only option I have is to reset the passwords. but my main concerns is this impact the DB in generally or its common. or is there any other way we can get the OEM back(I already dropped the repos).
View 2 Replies
View Related
Jul 11, 2013
we got more that 50 apex apps, Deploying it through apex console is becoming pain.we won't get sys or schema passwords. etc as databases are controlled by DBA's, We only get apex_public_user password, internal, workspace admin passwords.If there is any need of schema association for any applications/workspace, We login to internal workspace and map schema to workspace. I read couple of blogs which discussed about automating the deployments through sqlplusconnecting as sys or schema user, will not work for us. Want to know if there is anyway I can import deployments without logging into workspace. We already have workspaces and applications. The deployments will be for updating existing application or deploying new application in existing workspaces. Oracle Application Express 4.1.
View 1 Replies
View Related
Mar 29, 2013
I created an encrypted tablespace for testing. I later dropped it but don't remember if I specified "including contents and datafiles". The tablespace was empty and there are no datafiles for it. However, the information for this dropped tablespace still shows up in v$encrypted_tablespaces. How do I get that lingering information removed?
View 3 Replies
View Related
Feb 7, 2012
for creating a db link, How to get the encrypted passwordhere is an example
create public database link "TEST1.UNIX.190.ORG"
connect to "scott" identified by values '053E6879854B7744F64396350297E1D6EF191163AE35216E64'
using '(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.30.20.20)(PORT=1521))(CONNECT_D
ATA=(SID=SID1)))';
where or how to get the encrypted password(Pink colored above) to create db link.
View 2 Replies
View Related
Jun 29, 2011
Using Golden Gate to replicate a database (Encrypted Tablespace, Oracle 11.2.0.1, Windows 2008) to a different database server (No Encrypted Tablespace Oracle 11.1 Linux)
Following error goldengate report
ERROR OGG-01771 DBOPTIONS DECRYPTPASSWORD must be used to decrypt TSE data. Use TRANLOGOPTION IGNORETSERECORDS if you do not need to capture any tables that are in an encrypted tablespace.
How use it
GGSCI> ENCRYPT PASSWORD "shared key"
Add an entry to the Extract parameter file to decrpt the new shared password
DBOPTIONS DECRYPTPASSWORD "SHARED KEY"
View 2 Replies
View Related
Dec 19, 2012
"All data you create in this tablespace will be encrypted using an AES256 encryption key. You cannot encrypt an existing tablespace. To encrypt data, first create an encrypted tablespace, then use alter table move, CTAS or datapump import to move your data into the encrypted space. Remember to drop the old tablespace BUT not including datafiles. Use an OS schred program to remove the old datafile. If you are on ASM you may use the including datafiles option since you can’t schred files from the OS inside an ASM instance."
But i want to know why we should NOT drop the including datafiles, when dropping tablespace (so 'drop tablespace my_tbs including contents and datafiles'). So what option should we use when dropping tablespace?
Why we should use OS capabilities to remove the datafiles?
What happens if i remove the datafile when i drop the tablespace?
View 13 Replies
View Related
Apr 1, 2009
I have a table in my oracle database named user_details in which i have two fields
a) username varchar(30),
b) userpass varchar(30)
i have inserted some data in it
i want my values in user pass to be in encrypted form .
View 1 Replies
View Related
Nov 9, 2010
We are exporting from a 9i db to an 11g. During the migration, we are changing our character set from USASCII7 to AL32UTF8 so that the "extended" characters that our users like to put in text fields are stored and retrieved properly.
However, we've found a problem, and i'm not sure if Oracle has a method of dealing with. Searching this site and Oracle docs got me nowhere.
We store account #'s and credit card info in the DB encrypted with the dbms_obsfucation_tookit. We have an encryption key cross reference table that we use to store the key to un encrypt the data.
However, what we've found is that by importing these keys into our new character set database, the keys are no longer valid and can't be used with the DES3DECRYPT function to get the correct numbers out.
Is there a conversion utility or any tool that Oracle provides to maintain the encrypted datas "decrypt ability"? Worse comes to worse, we will have to write a script/procedure to decrypt everything on the 9i, import it to 11g, and then re-encrypt it.
View 8 Replies
View Related
Mar 27, 2013
note we need to decrypt the data which is encrypted using dbms_crypto.hash algorithm. it is possible to decrypt dbms_crypt.hash
eg
SQL> select DBMS_CRYPTO.hash(utl_raw.cast_to_raw('Foo'), 3) FROM dual;
DBMS_CRYPTO.HASH(UTL_RAW.CAST_TO_RAW('FOO'),3)
--------------------------------------------------------------------------------
201A6B3053CC1422D2C3670B62616221D2290929
View 2 Replies
View Related
Feb 9, 2013
is there any way to find is rman backup sets are encrypted or not.
View 1 Replies
View Related
Aug 25, 2013
i am using 11.2.0.3.0 version of oracle. We are planning to move some ~40 tables/indexes to new encrypted tablespace as a part of TDE(transparent data encryption). Currently three tables are having size ~30GB and one having ~800GB other have <2GB in size. And tables/indexes are altogether placed in different tablespaces.
whether i should create as many no of encrypted table spaces as it was before as unencrypted tablespace? or I should create one encrypted tablespace and move all the tables/indexes into that?
View 2 Replies
View Related
Jul 25, 2013
We have a primary and a standby (Physical Dataguard) site.
1. How do i check if the database is encrypted or not on primary as well as standby ?
2. If primary and standby are encrypted, does the data that gets replicated from primary to standby also in encrypted form ? If not, does it make sense to encrypt that ?
View 2 Replies
View Related
Jan 5, 2011
Our product needs to use SecureMag Encrypted MagStripe Reader to get the credit card info in POS.After adding the code in every module, most of them work well now. But one of them does not. We met the error FRM-41344.This module is called from another(using call_form) that could also have this functionality(it works well in this module).
the code in WHEN-NEW-FORM-INSTANCE trigger:
go_item('CONTROL.CODE');
:global.msrDevice := :ITEM('CONTROL.opos').interface;
The error raise in this code. The global variable is assigned a value in each module.I got some info from the internet. But I still get error after I did the following operation.When using Oracle Forms, you might receive this run-time error:
FRM-41344: OLE object not defined for object in current record.
which can occur for either of these reasons: The OLE container has lost the definition of the Oracle Video Custom Control. To fix this problem, go into the Forms Designer, and re-insert the Oracle Video Custom Control by clicking the right mouse button inside the OLE container and choosing Insert Object
The Oracle Video Custom Control has not been initialized. To fix this problem, modify the form so that it can navigate to the block that contains the Oracle Video Custom Control. You can either make this block the first block on the form or add a GO_BLOCK command in the WHEN-NEW-FORM-INSTANCE script to navigate to that block. If necessary, you can add a GO_BLOCK command followed by SYNCHRONIZE before any commands that access the Oracle Video Control. (You can tell if the Oracle Video Control has been initialized because the video control buttons will be visible.)
View 1 Replies
View Related
Jul 3, 2013
I'm looking for a way to store an encypted numeric value in one field in a table (so that it appears encrypted even to a DBA) and to display the unencypted value in Apex forms and interactive reports for some users but not others.
View 4 Replies
View Related
Dec 11, 2012
How to configure Oracle EM with newly created Oracle Instance on Oracle 10g DB,which is Single Instance DB but not RAC ,when I start the Oracle EM it is starting the default DB which created during Oracle Server Installation.
View 0 Replies
View Related
May 17, 2011
But i do a lot of work-arounds to make sure the installation does not make corrupt my OracleAgent,OracleService and OracleDataGatherer. If i just let the installation do its thing i have problems with my libraries, and can't start anything.
The errors are : Procedure entry point 'BlaBla' could not be located in the Dynamic Link library 'AnyName'.
I notice that i have 2 versions of the libraries in OracleHomeBIN (one version 8, one version 11). The programs that start the OracleAgent,Service and DataGatherer call the old libraries but expect to find values that can be found only in new libraries.
View 1 Replies
View Related
Jun 13, 2012
I have a requirement to put together a Oracle SQL template to create re-usable DDL/DML Scripts for Oracle databases.Only the Oracle DBA will be running the scripts so permissions is not an issue.
The workflow for any DDL is as follows:-
1) New Table
a. Check if the table exists from the system/admin views.
b. If table exists then give message "Table Exists"
c. If table does not exist then execute DDL code
2) Add Column
a. Check if Column exists for a given table from system/admin views
b. If column exists in the specified table,
b1. backup table.
b2. alter table to make changes to the column
b3. verify data or execute dml script convert from backup to the new change.
c. If Column does not exist
c1. backup table
c2. alter table to add column
c3. execute dml to populate column with default value.
The DML scripts are for populating base tables with data required for business operations.
3) Add new row
a. check if row exists by comparing old values of each column with new values to be added for the new record.
b. If exists, give message row exists
c. If not exists, add new record.
4) Update existing record (We have createtime columns in these tables so changes can be tracked)
a. check if row exists using primary key.
b. If exists,
b1. deactivate the record using the "active" column of the table
b2. Add new record with the changes required.
c. If does not exist, add new record with the changes required.
View 17 Replies
View Related
Aug 8, 2012
We would be moving oracle 11g unix sun solaries to oracle 11g Linux readhat OS. what would be the disadvantage and what are the item needs to be verified. Basically advantage of oracle 11g Linux readhat OS.
View 2 Replies
View Related
Jun 27, 2013
I would like to update an XML element without using the function APPENDCHILDXML or INSERTCHILDXML because they are not available in Oracle 10GR1.
In my database, Oracle XDB is not installed.
The following query fail with the following error : ORA-00904: "INSERTCHILDXML" : identificateur non valide
update scl_profile
set profile_data =
insertChildXML(profile_data,'/exportImportMarcheCriteria','colonnesExport',
XMLType('<colonnesExport>ENTETE_GESTIONNAIRES_AUTORISES</colonnesExport>'))
where profile_xmltype =
'fr.mipih.marches.marche.criteres.ExportImportMarcheCriteria'
and profile_type =
'eMagh2.MRGS.AccesMarche.ListeMarche.Export.OptionsExportImport';
[code]........
If i try to use the package DBMS_XMLDOM, i have the following error :
ORA-06550: Ligne 3, colonne 11 :
PLS-00201: l'identificateur 'DBMS_XMLDOM.DOMDOCUMENT' doit etre declare
ORA-06550: Ligne 3, colonne 11 :
PL/SQL: Item ignored
I think it's because ORACLE XDB component is not installed in my database.
View 1 Replies
View Related
Aug 7, 2012
This time i am downloading the Oracle 11g and then the Oracle APEX...(they are not in one package...right ? i mean they both have to download separately)i really new in oracle / PL/SQL. I'm not a programmer but i interest about database programming.For now i still use Ms. Access to develop an aplication and i really suprised i found this Oracle APEX because it an RAD tool too same as Access but more powerfull i think.
View 2 Replies
View Related
Mar 7, 2007
I am trying to connect to Oracle from another server that does not have any Oracle applications on it.
I tried Perl, PHP, Java but each require parts of Oracle installed.
View 2 Replies
View Related
Jul 8, 2011
I am working on an application which is on Oracle forms and Reports 6i.It connects to a database which is Oracle 9i. My client wants to upgrade the Database to Oracle 10gR2 or Oracle 11g. I searched in many forums and also saw in Interoperability table which says it is not compatible. But some users are using it fine.
View 1 Replies
View Related
Feb 4, 2012
Can I directly upgrade Oracle 9.2.0.1.0 From RHEL-4 platform to Oracle 11g Rel 2 on RHEL -5 platform?I have the export dump and cold backup of Oracle 9.2.0.1.0 database.
View 11 Replies
View Related
Dec 3, 2012
I am getting "ORA-03114: not connected to ORACLE" while installing "Oracle Database 11GR2" on "Oracle RAC 11R2" cluster setup. I am getting this error at the time of "Oracle Database Configuration Assistant" configuration reaches till 39% on HP-UX 11.31 IA64 platform.
View 25 Replies
View Related
Jul 12, 2013
I have problems to log in to Oracle?What name should I use for log in?
View 1 Replies
View Related