Operating system authentication on AWS RDS


I am trying to move an on-prem database to AWS RDS. I currently have automated scripts running on the database. The authentication for the scripts on the database happens through OS Authentication.

The parameters currently are:

OS_AUTHENT_PREFIX=OPS$

remote_os_authent=TRUE

These parameters are not modifiable in AWS RDS, as per the documentation below:

https://forums.aws.amazon.com/thread.jspa?threadID=118221

If I change the authentication line in the script

from

sqlplus -s / >> test.log <<EOF

to

sqlplus -s username/password@hoststring >> test.log <<EOF

The scripts will work, but I don't want to use a clear-text password in the scripts.

I was checking the Advanced Security module, but that requires the above parameters to be set as well.

https://docs.oracle.com/cd/E11882_01/network.112/e40393/asokerb.htm#ASOAG9651

Is there a workaround for this?

asked 4 years ago
3 Answers

Use Oracle Wallet.
Log in as the OS user you want to authenticate on Oracle (AWS RDS):
[ec2-user@ip-172-xx-xx-xx ~]$ su - oracle
Password:
Last login: Tue Sep 1 07:21:17 UTC 2020 on pts/2
[oracle@ip-172-xx-xx-xx ~]$ mkstore -wrl /opt/oracle/ -create
Oracle Secret Store Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Enter password:
Enter password again:
[oracle@ip-172-xx-xx-xx ~]$ mkstore -wrl /opt/oracle/ -createCredential ORCL username password

sqlplus /@ORCL

Where ORCL is the host string in your tnsnames.ora file.

Add the following entries to your sqlnet.ora:
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /opt/oracle) ) )
SQLNET.WALLET_OVERRIDE = TRUE

answered 4 years ago

Moving an on-premises database that uses OS Authentication to AWS RDS where OS_AUTHENT_PREFIX and remote_os_authent are not modifiable does present a challenge, especially if you want to avoid using clear text passwords in scripts.

Here are some potential workarounds:

  1. AWS Secrets Manager: You can store your database credentials securely in AWS Secrets Manager and modify your scripts to retrieve the credentials at runtime. This avoids hardcoding credentials in your scripts.

  2. IAM Database Authentication: For Amazon RDS, you can use IAM Database Authentication. This allows authentication to the database using IAM roles and policies, which means you don't have to use passwords within your scripts.

  3. Oracle Wallet: Oracle Wallet can be used to store database credentials securely. This is similar to using AWS Secrets Manager but is specific to Oracle. Check if RDS for Oracle supports integration with Oracle Wallet or a similar feature.

  4. Environment Variables: If you are running your scripts on EC2 instances or containers, you might consider injecting environment variables at runtime that contain your credentials.

  5. Parameter Store: Similar to AWS Secrets Manager, AWS Systems Manager Parameter Store allows you to store configuration data and secrets. You can then modify your scripts to dynamically retrieve the credentials.

Each of these methods has its own set of configurations and considerations, so you'll need to evaluate which option best fits your architecture, security requirements, and operational workflows.

ObiJan
answered 5 months ago
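One way to implement option 1 above, as an added example that is not part of this thread or of any AWS tooling: a small Python wrapper fetches the credentials from AWS Secrets Manager at runtime and hands them to SQL*Plus over stdin after a `/nolog` start, so the password is neither in the script file nor on the command line (where `sqlplus -s username/password@hoststring` would show it to anyone running `ps`). The secret id, region, the JSON keys inside the secret and the SQL are assumptions.

```python
"""Run a SQL*Plus job without a clear-text password in the script or on the command line."""
import json
import subprocess


def fetch_db_secret(secret_id, region):
    """Read a JSON secret {"username", "password", "tns"} from AWS Secrets Manager.
    boto3 is imported here so the rest of the module works without it installed."""
    import boto3  # assumption: boto3 is available and the instance role may read the secret
    client = boto3.client("secretsmanager", region_name=region)
    return json.loads(client.get_secret_value(SecretId=secret_id)["SecretString"])


def build_sqlplus_input(secret, sql):
    """Build the stdin fed to `sqlplus -s /nolog`: CONNECT, the job's SQL, then EXIT.
    The password is double-quoted so characters such as @ or / survive the SQL*Plus parser."""
    if not all(k in secret for k in ("username", "password", "tns")):
        raise ValueError("secret must contain username, password and tns")
    if '"' in secret["password"]:
        raise ValueError("password must not contain a double quote")
    connect = 'CONNECT {u}/"{p}"@{t}'.format(
        u=secret["username"], p=secret["password"], t=secret["tns"])
    return "\n".join([
        "WHENEVER SQLERROR EXIT SQL.SQLCODE",  # fail the job instead of running on after an error
        "WHENEVER OSERROR EXIT FAILURE",
        connect,
        sql.rstrip("\n"),
        "EXIT",
        "",
    ])


def run_job(secret, sql, log_path):
    """Start sqlplus with no credentials in its argument list; everything goes over stdin."""
    with open(log_path, "ab") as log:
        proc = subprocess.run(["sqlplus", "-s", "/nolog"],
                              input=build_sqlplus_input(secret, sql).encode(),
                              stdout=log, stderr=subprocess.STDOUT)
    return proc.returncode


if __name__ == "__main__":
    # assumed names: secret id "prod/orcl/batch" in region "us-east-1"
    creds = fetch_db_secret("prod/orcl/batch", "us-east-1")
    raise SystemExit(run_job(creds, "SELECT sysdate FROM dual;", "test.log"))
```

The calling IAM role only needs `secretsmanager:GetSecretValue` on that one secret, which replaces the OS-level trust that `remote_os_authent` provided on-prem.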

Have you thought about using DMS to migrate the database from on-prem to AWS?

answered 5 months ago
