Use Oracle Wallet
Log in as the OS user you want to authenticate on Oracle (AWS RDS)
[ec2-user@ip-172-xx-xx-xx ~]$ su - oracle
Password:
Last login: Tue Sep 1 07:21:17 UTC 2020 on pts/2
[oracle@ip-172-xx-xx-xx ~]$ mkstore -wrl /opt/oracle/ -create
Oracle Secret Store Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
Enter password:
Enter password again:
[oracle@ip-172-xx-xx-xx ~]$ mkstore -wrl /opt/oracle/ -createCredential ORCL username password
sqlplus /@ORCL
Where ORCL is the host string in your tnsnames.ora file
Add the following entries in your sqlnet.ora
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /opt/oracle) ) )
SQLNET.WALLET_OVERRIDE = TRUE
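
An added example, not part of the original answer: a shell check for the client-side setup described above. It reads the wallet directory from sqlnet.ora, confirms SQLNET.WALLET_OVERRIDE is TRUE, and fails if cwallet.sso or ewallet.p12 is accessible to group or other, since anyone who can read the auto-login cwallet.sso can use the stored credential. The function names and the single-line WALLET_LOCATION layout are assumptions.

```shell
#!/usr/bin/env bash
# Added example: audit a client-side wallet setup like the one in the answer above.
# Assumption: sqlnet.ora uses the single-line WALLET_LOCATION form shown on the page.

# Print the DIRECTORY value from WALLET_LOCATION in a sqlnet.ora file.
wallet_dir() {
  sed -n 's/.*DIRECTORY[[:space:]]*=[[:space:]]*\([^)[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 if the config and wallet files pass, non-zero otherwise.
# Findings are printed one per line.
audit_wallet() {
  local sqlnet="$1" dir rc=0 f
  dir="$(wallet_dir "$sqlnet")"
  if [ -z "$dir" ]; then
    echo "FAIL: no WALLET_LOCATION DIRECTORY in $sqlnet"; return 1
  fi
  # The page sets this to TRUE so that /@ALIAS connections authenticate from the wallet.
  if ! grep -Eiq '^[[:space:]]*SQLNET\.WALLET_OVERRIDE[[:space:]]*=[[:space:]]*TRUE' "$sqlnet"; then
    echo "FAIL: SQLNET.WALLET_OVERRIDE is not TRUE"; rc=1
  fi
  # mkstore -create writes both files; each must be private to the owning OS user.
  for f in cwallet.sso ewallet.p12; do
    if [ ! -f "$dir/$f" ]; then
      echo "FAIL: $dir/$f missing"; rc=1
    elif [ -n "$(find "$dir/$f" \( -perm -040 -o -perm -020 -o -perm -010 \
                                   -o -perm -004 -o -perm -002 -o -perm -001 \))" ]; then
      echo "FAIL: $dir/$f is accessible to group or other"; rc=1
    fi
  done
  if [ "$rc" -eq 0 ]; then echo "OK: wallet in $dir"; fi
  return "$rc"
}

# Run the audit when a sqlnet.ora path is given on the command line.
if [ "$#" -gt 0 ]; then audit_wallet "$1"; fi
```
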
Moving an on-premises database that uses OS Authentication to AWS RDS where OS_AUTHENT_PREFIX and remote_os_authent are not modifiable does present a challenge, especially if you want to avoid using clear text passwords in scripts.
Here are some potential workarounds:
- AWS Secrets Manager: You can store your database credentials securely in AWS Secrets Manager and modify your scripts to retrieve the credentials at runtime. This avoids hardcoding credentials in your scripts.
- IAM Database Authentication: For Amazon RDS, you can use IAM Database Authentication. This allows authentication to the database using IAM roles and policies, which means you don't have to use passwords within your scripts.
- Oracle Wallet: Oracle Wallet can be used to store database credentials securely. This is similar to using AWS Secrets Manager but is specific to Oracle. Check if RDS for Oracle supports integration with Oracle Wallet or a similar feature.
- Environment Variables: If you are running your scripts on EC2 instances or containers, you might consider injecting environment variables at runtime that contain your credentials.
- Parameter Store: Similar to AWS Secrets Manager, AWS Systems Manager Parameter Store allows you to store configuration data and secrets. You can then modify your scripts to dynamically retrieve the credentials.
Each of these methods has its own set of configurations and considerations, so you'll need to evaluate which option best fits your architecture, security requirements, and operational workflows.