Get rid of clear passwords from your shell scripts with Oracle Secure External Password Store

As a DBA (or developer), you often need to connect to your Oracle database from shell scripts.

That’s not a big deal if you connect locally to the database through the Linux/Unix account that owns the instance, using “/ as sysdba”. But what if you need to connect to a remote database, or to a local database as a specific user?

Here are the solutions I have most often seen:

  • Clear password in the shell script
  • Clear password in a parameter file loaded from the shell script
  • Environment variable with clear password
  • A function that decrypts an encrypted password stored in a parameter file loaded from the shell script (more secure but easily breakable)

As you might have guessed, none of these solutions is secure!

Fortunately, Oracle provides a free feature that lets you get rid of clear passwords from your shell scripts: Secure External Password Store (also known as “SEPS” or “Oracle Wallets”).

The only prerequisite is to use Oracle 10gR2 or later.
