Use Oracle Wallet
Log in as the OS user you want to authenticate on Oracle (AWS RDS)
[ec2-user@ip-172-xx-xx-xx ~]$ su - oracle
Password:
Last login: Tue Sep 1 07:21:17 UTC 2020 on pts/2
[oracle@ip-172-xx-xx-xx ~]$ mkstore -wrl /opt/oracle/ -create
Oracle Secret Store Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
Enter password:
Enter password again:
[oracle@ip-172-xx-xx-xx ~]$ mkstore -wrl /opt/oracle/ -createCredential ORCL username password
sqlplus /@ORCL
Where ORCL is the host string in your tnsnames.ora file.
Add the following entries in your sqlnet.ora:
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /opt/oracle) ) )
SQLNET.WALLET_OVERRIDE = TRUE
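An added example, not part of the answer above: a shell check for the wallet setup that answer describes, flagging wallet files readable by group or other and a sqlnet.ora that does not point at the wallet or lacks the override. The function name `audit_wallet`, the finding labels and the throwaway demo directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the answer): audit a wallet set up as described above.
# audit_wallet WALLET_DIR SQLNET_ORA -> prints findings, returns 1 if any.
# audit_wallet and the finding labels are hypothetical names.
audit_wallet() {
    wallet_dir=${1%/}; sqlnet=$2; bad=0
    # sqlnet.ora minus blanks and comment lines, so "A = B" matches "A=B".
    conf=$(tr -d ' \t' < "$sqlnet" | grep -v '^#' || true)

    # cwallet.sso is the auto-login file that lets "sqlplus /@ALIAS" run
    # unattended; any account that can read it can use the stored credential.
    for f in cwallet.sso ewallet.p12; do
        p="$wallet_dir/$f"
        if [ ! -f "$p" ]; then
            echo "MISSING $p"; bad=1
        elif [ "$(ls -ld "$p" | cut -c5-10)" != "------" ]; then
            echo "PERMS $p is accessible to group/other (want 600)"; bad=1
        fi
    done

    # WALLET_LOCATION must name the directory that was just audited.
    dir=$(printf '%s\n' "$conf" | awk '{ i = index(toupper($0), "DIRECTORY=")
        if (i) { s = substr($0, i + 10); sub(/\).*/, "", s); print s; exit } }')
    if [ "${dir%/}" != "$wallet_dir" ]; then
        echo "CONFIG WALLET_LOCATION directory is '$dir', expected '$wallet_dir'"; bad=1
    fi

    # The override is what makes CONNECT /@ALIAS use the wallet credential.
    if ! printf '%s\n' "$conf" | grep -qi '^SQLNET\.WALLET_OVERRIDE=TRUE$'; then
        echo "CONFIG SQLNET.WALLET_OVERRIDE is not TRUE"; bad=1
    fi
    return "$bad"
}

# Constructed demo: a temp directory with empty files stands in for /opt/oracle.
demo() {
    d=$(mktemp -d); : > "$d/cwallet.sso"; : > "$d/ewallet.p12"
    chmod 600 "$d/ewallet.p12"; chmod 644 "$d/cwallet.sso"   # deliberately loose
    printf '%s\n' \
        "WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = $d) ) )" \
        'SQLNET.WALLET_OVERRIDE = TRUE' > "$d/sqlnet.ora"
    audit_wallet "$d" "$d/sqlnet.ora"; rc=$?
    rm -rf "$d"; return "$rc"
}
demo || echo "findings reported"
```

Against the setup in the answer it would be run as `audit_wallet /opt/oracle /path/to/sqlnet.ora`, as the OS user that owns the wallet.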
Moving an on-premises database that uses OS Authentication to AWS RDS where OS_AUTHENT_PREFIX and remote_os_authent are not modifiable does present a challenge, especially if you want to avoid using clear text passwords in scripts.
Here are some potential workarounds:
- AWS Secrets Manager: You can store your database credentials securely in AWS Secrets Manager and modify your scripts to retrieve the credentials at runtime. This avoids hardcoding credentials in your scripts.
- IAM Database Authentication: For Amazon RDS, you can use IAM Database Authentication. This allows authentication to the database using IAM roles and policies, which means you don't have to use passwords within your scripts.
- Oracle Wallet: Oracle Wallet can be used to store database credentials securely. This is similar to using AWS Secrets Manager but is specific to Oracle. Check if RDS for Oracle supports integration with Oracle Wallet or a similar feature.
- Environment Variables: If you are running your scripts on EC2 instances or containers, you might consider injecting environment variables at runtime that contain your credentials.
- Parameter Store: Similar to AWS Secrets Manager, AWS Systems Manager Parameter Store allows you to store configuration data and secrets. You can then modify your scripts to dynamically retrieve the credentials.
Each of these methods has its own set of configurations and considerations, so you'll need to evaluate which option best fits your architecture, security requirements, and operational workflows.