![\"CapturePass0\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/CapturePass0.png\")
<\/a><\/p>\nYou have to define the ‘administrator password’ which will be used for SYS ans SYSTEM (the -sysPassword and -systemPassword parameters of DBCA). This password must obey the <\/p>\n
When I provide a password, I don’t want it to be exposed, even within the system that is protected by this password. I may use the same password, or same pattern, for different systems and I don’t want any user to see my password in clear. In the database, the password is not stored. It is immediately hashed and password verification is done with the hashed value. In the orapw file, it is encrypted. If it has to be used by some programs, I expect to use a wallet.<\/p>\n I want to be sure that the password I’ve provided is not stored anywhere, let’s check:<\/p>\n That’s bad. Really bad. The most important database password is exposed in configuration files, script files and log files, and some of them are readable by everybody:<\/p>\n The scripts and logs used at creation can be removed. The script that starts observer should use a wallet. But more worrying is that creg.ini because this is where are all our service attributes. And if we change or remove the password there, the service is broken. Here is an example when I initiate a switchover from the CLOUD My Services interface after having removed the password there: <\/p>\n Of course, you can still do a switchover from DGMGRL command line, but this defeats the whole purpose of a managed service.<\/p>\n When you want to change the SYS password, you must use the DBaaS tool. You must run ‘dbaascli database changepassword’. In Data Guard, you must run it from the primary site and it takes care of everything, including the copy of orapw file, because in 12.1 (not talking about Next Generation of Oracle Database here) you have to do it manually.<\/p>\n Humm.. let’s try with SYS in lowercase…<\/p>\n Okay, users must be lower case here… Good to know… And from the message SYS and SYSTEM have been changed…<\/p>\n You wonder why the password is in clear text in the configuration file? So do I. I would expect the use of external password file here. But wait… there is one:<\/p>\n and this wallet has credentials for SYS:<\/p>\n and those are entries to connect as SYS to each site:<\/p>\n So this is a nice way to connect without providing the password, and without the password being visible… or is it?<\/p>\n Arghhh… password plain visible here from the oracle user. But if you want more information about -createALO you have to check documentation. Well, is it documented?<\/a><\/p>\nWhere is the password?<\/h3>\n
\n[oracle@CDB-dg01 ~]$ grep -R Ach1z0 \/var\/opt\/oracle 2>\/dev\/null\n\/var\/opt\/oracle\/dg\/observer.sh:connect sys\/Ach1z0#d\n\/var\/opt\/oracle\/ocde\/assistants\/dg\/tmp\/18267.odgda.json:{\"Standby\":[{\"dg\":{\"fsfo_enabled\":null,\"vmpresent\":\"yes\",\"spfile\":{\"db_unique_name\":\"CDB_02\"},\"protection_mode\":null},\"dborch\":{\"db_sid\":\"CDB\",\"vm_sshkeys\":\"\/home\/oracle\/.ssh\/id_rsa\",\"vm_name\":\"CDB-dg02-nat\"}}],\"Primary\":{\"dg\":{\"fsfo_enabled\":null,\"vmpresent\":\"yes\",\"spfile\":{\"db_unique_name\":\"CDB_01\"},\"protection_mode\":null},\"dborch\":{\"db_version\":\"12102\",\"db_sid\":\"CDB\",\"vm_sshkeys\":\"\/home\/oracle\/.ssh\/id_rsa\",\"vm_name\":\"CDB-dg01-nat\",\"db_passwd\":\"Ach1z0#d\"}},\"tool_defaults\":{\"octl_cmd\":\"\",\"tmpdir\":\"\/var\/opt\/oracle\/ocde\/assistants\/dg\/tmp\/\",\"dborch_cmd\":\"\",\"tools_dir\":\"..\"}}\n\/var\/opt\/oracle\/log\/dgcc\/dgcc.log: 'db_passwd' => 'Ach1z0#d',\n\/var\/opt\/oracle\/log\/dgcc\/dgcc_2016-05-20_06:49:28.log: 'db_passwd' => 'Ach1z0#d',\n\/var\/opt\/oracle\/log\/ocde\/ocde-cmd.log: 'db_passwd' => 'Ach1z0#d',\n\/var\/opt\/oracle\/log\/ocde\/ocde_2016-05-20_06:31:45.log: 'db_passwd' => 'Ach1z0#d',\n\/var\/opt\/oracle\/log\/ocde\/ocde.log: 'db_passwd' => 'Ach1z0#d',\n\/var\/opt\/oracle\/log\/ocde\/ocde-cmd_2016-05-20_06:31:45.log: 'db_passwd' => 'Ach1z0#d',\n\/var\/opt\/oracle\/log\/creg\/creg.ini.CDB-dg02-nat:passwd=Ach1z0#d\n\/var\/opt\/oracle\/creg.ini:passwd=Ach1z0#d\n<\/code><\/pre>\nSYS password is exposed to everybody on the server!<\/h3>\n
\n[oracle@CDB-dg01 ~]$ ls -l $(grep -lR Ach1z \/var\/opt\/oracle 2>\/dev\/null)\n-rw------- 1 oracle oinstall 2381 May 20 21:35 \/var\/opt\/oracle\/creg.ini\n-rwxr-xr-- 1 oracle oinstall 139 May 20 07:03 \/var\/opt\/oracle\/dg\/observer.sh\n-rw------- 1 oracle oinstall 2353 May 20 06:49 \/var\/opt\/oracle\/log\/creg\/creg.ini.CDB-dg02-nat\n-rw-r--r-- 1 oracle oinstall 3395 May 20 07:07 \/var\/opt\/oracle\/log\/dgcc\/dgcc_2016-05-20_06:49:28.log\nlrwxrwxrwx 1 oracle oinstall 53 May 20 06:49 \/var\/opt\/oracle\/log\/dgcc\/dgcc.log -> \/var\/opt\/oracle\/log\/dgcc\/dgcc_2016-05-20_06:49:28.log\n-rw-r--r-- 1 oracle oinstall 152448 May 20 07:11 \/var\/opt\/oracle\/log\/ocde\/ocde_2016-05-20_06:31:45.log\n-rw-r--r-- 1 oracle oinstall 82856 May 20 07:11 \/var\/opt\/oracle\/log\/ocde\/ocde-cmd_2016-05-20_06:31:45.log\nlrwxrwxrwx 1 oracle oinstall 57 May 20 06:34 \/var\/opt\/oracle\/log\/ocde\/ocde-cmd.log -> \/var\/opt\/oracle\/log\/ocde\/ocde-cmd_2016-05-20_06:31:45.log\nlrwxrwxrwx 1 oracle oinstall 53 May 20 06:31 \/var\/opt\/oracle\/log\/ocde\/ocde.log -> \/var\/opt\/oracle\/log\/ocde\/ocde_2016-05-20_06:31:45.log\n-rw-r--r-- 1 oracle oinstall 581 May 20 06:49 \/var\/opt\/oracle\/ocde\/assistants\/dg\/tmp\/18267.odgda.json\n<\/code><\/pre>\n<\/a><\/p>\nChanging SYS password<\/h3>\n
\n[oracle@CDB-dg02 ~]$ dbaascli database changepassword\nDBAAS CLI version 1.0.0\nExecuting command database changepassword\nEnter username whose password change is required: SYS\nEnter new password:\nRe-enter new password:\nUnable to change password for sys\n<\/code><\/pre>\n\n[oracle@CDB-dg02 ~]$ dbaascli database changepassword\nDBAAS CLI version 1.0.0\nExecuting command database changepassword\nEnter username whose password change is required: sys\nEnter new password:\nRe-enter new password:\nDataguard is enabled\nWarning: Permanently added 'cdb-dg02-nat,140.86.4.51' (RSA) to the list of known hosts.\nDataguard is enabled\nDataguard is enabled\nDataguard is enabled\nSuccessfully changed the password for user sys\/system\n<\/code><\/pre>\nWallet<\/h3>\n
\n[oracle@CDB-dg01 ~]$ grep WALLET $ORACLE_HOME\/network\/admin\/sqlnet.ora\nENCRYPTION_WALLET_LOCATION = (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=\/u01\/app\/oracle\/admin\/CDB\/tde_wallet)))\nSQLNET.WALLET_OVERRIDE = FALSE\nWALLET_LOCATION = (SOURCE=(METHOD_DATA=(DIRECTORY=\/u01\/app\/oracle\/admin\/CDB\/db_wallet))(METHOD=FILE))\n<\/code><\/pre>\n\n[oracle@CDB-dg01 db_wallet]$ mkstore -wrl \/u01\/app\/oracle\/admin\/CDB\/db_wallet -listCredential\nOracle Secret Store Tool : Version 12.1.0.2\nCopyright (c) 2004, 2014, Oracle and\/or its affiliates. All rights reserved.\n \nList credential (index: connect_string username)\n3: CDB_02 sys\n2: CDB_01 sys\n1: CDB sys\n<\/code><\/pre>\n\n[oracle@CDB-dg01 db_wallet]$ for i in CDB CDB_01 CDB_02 ; do tnsping $i ; done | grep DESC\nAttempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP) (HOST = CDB-dg01) (PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = CDB.may.oraclecloud.internal)))\nAttempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP) (HOST = CDB-dg01-nat) (PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SID = CDB)))\nAttempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP) (HOST = CDB-dg02-nat) (PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SID = CDB)))\n<\/code><\/pre>\n\n[oracle@CDB-dg01 db_wallet]$ mkstore -wrl \/u01\/app\/oracle\/admin\/CDB\/db_wallet -viewEntry oracle.security.client.password1\nOracle Secret Store Tool : Version 12.1.0.2\nCopyright (c) 2004, 2014, Oracle and\/or its affiliates. All rights reserved.\n \noracle.security.client.password1 = Ach1z0#d\n[oracle@CDB-dg01 db_wallet]$ mkstore -wrl \/u01\/app\/oracle\/admin\/CDB\/db_wallet -viewEntry oracle.security.client.password2\nOracle Secret Store Tool : Version 12.1.0.2\nCopyright (c) 2004, 2014, Oracle and\/or its affiliates. All rights reserved.\n \noracle.security.client.password2 = Ach1z0#d\n<\/code><\/pre>\n
\nWhen I create a wallet, I provide a password. And without the password we can use the credential but not display it. But here it seems that the wallet was created as ‘auto login’ with the ‘-createALO’ option. Want to know more about that option? You can see it in online help:<\/p>\n\n[oracle@CDB-dg01 db_wallet]$ mkstore\nOracle Secret Store Tool : Version 12.1.0.2\nCopyright (c) 2004, 2014, Oracle and\/or its affiliates. All rights reserved.\n \nmkstore [-wrl wrl] [-create] [-createSSO] [-createLSSO] [-createALO] [-delete] [-deleteSSO] [-list] [-createEntry alias secret] [-viewEntry alias] [-modifyEntry alias secret] [-deleteEntry alias] [-createCredential connect_string username password] [-listCredential] [-modifyCredential connect_string username password] [-deleteCredential connect_string] [-help] [-nologo]\n<\/code><\/pre>\n
\nYou need to wait that Bug 21152979 : PROVIDE EXPLANATION FOR EACH OPTION OF MKSTORE UTILITY<\/a> is fixed…<\/p>\nConclusion<\/h3>\n