Reading Encrypted Password from Configuration File and Decrypt it at login
1009796 May 20 2013 — edited May 20 2013
Hi All,
My application reads a configuration file to connect to the ORACLE database. The values defined for password are clear text as given below:
user: 'mh'
password='abcd1234'
Is there any way I can give an encrypted password in the configuration file instead of a clear text one, so that at the time of login ORACLE decrypts it? I am using ORACLE 11g Database.
My company has a requirement that passwords are not stored in the clear in properties files. The reason being, I suppose, that if the password is stored in plaintext someone could hit the property file directly, get the password and then connect to the database with it.
For a regular user connecting through an Oracle client or SQL Developer they would need to have the plaintext password in order to connect.
It's based on the requirements of
International Standards Organization Guidance
ISO 17799 - 9.5.4 requires password management systems to:
• enforce the use of individual passwords
• allow users to select and change their own passwords if appropriate
• enforce a choice of quality passwords
• force regular changes of passwords
• maintain a record of previous user passwords to prevent re-use
• not display passwords when they are being entered
• store password files separately from application system data
• store passwords in encrypted form using a one way encryption algorithm
• alter default vendor passwords following installation of software
So if I can store the password encrypted using a one way algorithm then a hacker/user couldn't decrypt it and then access the database.
I have a feeling there is a way of configuring this in Oracle Advanced Security, but just can't quite get it to work.
Edited by: user5568473 on 20-May-2013 00:05