Operating System - HP-UX

Re: Connect to remote database from HPUX without cleartext

 
SOLVED
Paul Maglinger
Regular Advisor

Connect to remote database from HPUX without cleartext

Can anyone provide suggestions for connecting HPUX to a remote Oracle database without the username and password being passed along as cleartext? On our Tru64 system we were able to get around it by using sqlplus /, but this method is not working on the HPUX system. And we do not want to use Oracle single signon. Anyone?
10 REPLIES
Ben Dehner
Trusted Contributor

Re: Connect to remote database from HPUX without cleartext

OracleNET protocol is clear-text. If you want an encrypted client communication channel you need to have the Oracle Advanced Security option. There are no other options that I know of for using password hash or other password-hiding mechanism.

Trust me, I know what I'm doing
larsoncu
Advisor

Re: Connect to remote database from HPUX without cleartext

You could use something like ipsec to encrypt all the communications between the systems (you'd need ipsec on both systems).

How about with VPN software?

Could use ssh port forwarding.
Sandman!
Honored Contributor

Re: Connect to remote database from HPUX without cleartext

First set the TWO_TASK environment variable to the Oracle instance you want to connect to and then try the /NOLOG login method viz.

# export TWO_TASK=""
# sqlplus /nolog
Paul Maglinger
Regular Advisor

Re: Connect to remote database from HPUX without cleartext

I appreciate the replies. Yeah, we batted around those suggestions. We were just fishing around for other ideas.
TwoProc
Honored Contributor

Re: Connect to remote database from HPUX without cleartext

Paul, I don't believe it's that bad. Turn on a sniffer and watch - you won't see the password as clear text. Oracle doesn't do that. I've tried it myself way back when. You'll see everything else though, and for that reason you should purchase and install the encrypter tool regardless.

I've heard from others (can't remember where, maybe here) that what I'm saying is correct.

So just fire up a sniffer and watch the traffic from your computer to the destination; unless anything new has happened from several revs back which makes me mistaken, or I just missed it totally back when I checked for the same issue - I don't think you're going to see a password in clear text. But seriously, don't rely just on my word, check for yourself and make sure.
We are the people our parents warned us about --Jimmy Buffett
Paul Maglinger
Regular Advisor

Re: Connect to remote database from HPUX without cleartext

We don't need a sniffer. If we do a ps -ef command, we can see the password being passed along as part of the process. This is what we're trying to prevent.
TwoProc
Honored Contributor

Re: Connect to remote database from HPUX without cleartext

I see what you're asking. It has nothing to do with cleartext being read over sqlnet, you just don't want to see the password from the ps command. It was unclear because you mentioned "remote connections" and "cleartext" which is all nomenclature/verbiage one would use to discuss whether a network conversation is encrypted or not.

Actually your question has nothing to do with a connection being remote or not, it's just that you're using sqlplus and passing the username/password on the command line. Local database, remote database, the problem is the same. To either a local or remote database, the Unix box originating the sqlplus command can see the username/password from "ps" if you pass it on the command line.

The solution is actually quite simple. You just need to use the "/nolog" switch from sqlplus and then issue the connect command from inside of sqlplus.

$ sqlplus /nolog
then from inside sqlplus...
> connect username/password
or
> connect username/password@urdbname

If you need it in a script:

sqlplus /nolog << SCRIPTEOF
connect username/password@urdb
select * from ....;
do your commands...;
exit;
SCRIPTEOF

Where is a tab character stored in the script. Just make sure that you keep permissions on the script where no one else can read it.
We are the people our parents warned us about --Jimmy Buffett
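The approach described in the replies above (start sqlplus with /nolog, send the connect command on standard input, keep the secret in a file nobody else can read), as an added example that is not part of any post in this thread. The credential file, its one-line `user/password@alias` format, the `SQLPLUS` override variable and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: run SQL*Plus without credentials in argv (what ps -ef shows).
# Assumptions (not from the thread): the credential file, its one-line
# "user/password@alias" format, and the SQLPLUS override variable.

SQLPLUS=${SQLPLUS:-sqlplus}

# Succeed only if the file exists and group/other have no permission bits.
cred_file_is_private() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of the ls -l mode string are the group and other bits.
    # A symlink shows as lrwxrwxrwx here and is therefore rejected as well.
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# run_sql CRED_FILE SQL_FILE
# The connect string travels on stdin via the here-document, so the only
# command-line arguments of the sqlplus process are "-s" and "/nolog".
run_sql() {
    cred_file=$1
    sql_file=$2
    if ! cred_file_is_private "$cred_file"; then
        echo "refusing: $cred_file missing or accessible by group/other" >&2
        return 2
    fi
    # Read the first line; tolerate a file without a trailing newline.
    IFS= read -r connect_string < "$cred_file" || [ -n "$connect_string" ]
    "$SQLPLUS" -s /nolog <<EOF
connect $connect_string
@$sql_file
exit
EOF
}
```

Call it as `run_sql /path/to/credfile /path/to/query.sql`; a credential file with any group or other permission bit set makes it return 2 without starting sqlplus.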
Sandman!
Honored Contributor
Solution

Re: Connect to remote database from HPUX without cleartext

Paul,

My earlier post talked about supplying the /nolog token on the SQL*Plus cmd line and thereafter connecting to the desired user by supplying the password. In fact the procedure can be scripted using the shell's "here document" utility i.e.

sqlplus /nolog <<EOF
connect scott/tiger@Oracle_SID
select * from dual;
exit
EOF
Paul Maglinger
Regular Advisor

Re: Connect to remote database from HPUX without cleartext

Sandman,

That's what we ended up doing. We were hoping for other alternatives, but based on current environment we'll go that route.

Thanks everyone!