Database Link Password Security
When using sqldeveloper it is possible to view passwords associated with database links. This is not possible to view when querying db_links or using Toad. How to view database link passwords do the following.
connections>your-connection>database links> click on a defined db_link > view the "sql tab" to see the source that creates the db_link
The database user can only view the database links that user owns. This is an issue if a production database is cloned to a test/dev instance and the db_links are not dropped or changed.
Listed below is an example of a user named 'APPS' and a db_link that user owns.
REM APPS APPS_TO_APPS.SOMEWHERE.COM
CREATE DATABASE LINK "APPS_TO_APPS.SOMEWHERE.COM"
CONNECT TO "APPS" IDENTIFIED BY "SOMEPASSWORD"
USING 'SOMEDATABASE';
------------
While it is a security hole, it doesn't mean it is a bug. It is documented behaviour that existed in prior versions. It also goes down to the data files, so it isn't a matter of just patching the server software but changing (upgrading) the database (and in such a way that an unpatched set of software -maybe- couldn't work with a patched database).
This change is definately in the realms of UPGRADE rather than PATCH. While it probably could have been done as part of a dot release (eg 9.2.0.7 to 9.2.0.8) I think 9.2.0.8 is the terminal release for 9iR2 so if you want this, you're going to have to go a full version upgrade.
Similar Messages
-
Special characters in password for "create database link"
It seems that one cannot create a DB link if the password has a special character in it (like '!')?
create database link MYLINK connect to SOURCE identified by mypwd! using 'MYDB'
- returns "ORA-00933: Command not properly ended"
create database link MYLINK connect to SOURCE identified by values 'mypwd!' using 'MYDB'
- returns "ORA-00988: missing or invalid password(s). This is the syntax that works in "create user".
Nikolai1* create database link MYLINK connect to SOURCE identified by "mypwd!" using 'MYDB'
SQL> /
Database link created.
SQL>
Joel Pérez -
ORA-01017: invalid username/password; logon denied - Database Link
Hi Guys,
Could you help me, I have a problem connecting to another database using the database link:
*1. I added in tnsnanes.ora of "client" database DEV2*
DEV =
+(DESCRIPTION =+
+(ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.100.85)(PORT = 1521))+
+(CONNECT_DATA =+
+(SID = DEVDB)+
+)+
+)+
*2. I tested my connection using tnsping*
oracle@dev> tnsping dev
TNS Ping Utility for Linux: Version 10.2.0.1.0 - Production on 10-JUL-2010 14:35:35
Copyright (c) 1997, 2005, Oracle. All rights reserved.
Used parameter files:
+/opt/oracle/product/10.2/db_1/network/admin/sqlnet.ora+
Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.100.85)(PORT = 1521)) (CONNECT_DATA = (SID = DEVDB)))
OK (0 msec)
oracle@dev>
*3. In SQLPLUS of DEV2 I connect to my database using the tnsnames entry*
SQL> conn devuser/pwd001@dev
Connected.
*4. I then create a database link.*
SQL> Create Database Link dev_Link
+2 Connect to devuser+
+3 identified by pwd001+
+4 using 'DEV';+
Database link created.
SQL>
*5. When I try to connect to the database using the database link I get an error, but I am very sure the username ans password are ok.*
SQL> select * from global_name@dev_link;
select * from global_name@dev_link
*+
ERROR at line 1:
ORA-01017: invalid username/password; logon denied
ORA-02063: preceding line from DEV_LINK
SQL>
What could be wrong......??4. I then create a database link.
SQL> Create Database Link dev_Link
2 Connect to devuser
3 identified by pwd001
4 using 'DEV';create DATABASE LINK USING <connect-string>
your sid is DEVDB so create dblink using oracle_sid
If you specify only the database name, then Oracle Database implicitly appends the database domain to the connect string to create a complete service name. Therefore, if the database domain of the remote database is different from that of the current database, then you must specify the complete service name.
Edited by: rajeysh on Jul 10, 2010 7:28 PM -
How to recover password from Database link in Oracle 10G
Hi guys,
How can I get a user password from DBLink in Oracle 10G?
From sys.link$ the column "PASSWORD" is empty and the crypted data comming from the new column "PASSWORDX" does not work by using "... identified by values..."
Any idea?
Thanks...Why do you need to know the password? If you need to re-create the link in another database you can use dbms_metadata to generate the DDL for the database link and for a fixed database link the DDL will include an encrypted password that will match the remote database password.
select dbms_metadata.get_ddl('DB_LINK','Link_name','Owner') from sys.dual
On version 9.2 it extracts the actual visible plan text password. On 10g+ encrypted representation in values clause
HTH -- Mark D Powell -- -
Retrieve password from public database-link
In the past we have created a public database-link to another database. Unfortunately we forgot the password and want to have it back. Sice the database-link is public, the password can not be found in user_db_links.
Is it possible to retrieve a password from a public database-link?Hi,
I know resetting in an Option for you but in worst case. Coming to the point you can get from "sys.link$" But how far will work on 10g verison did not checked. Try and see
Ahh. sorry Why you try "select dbms_metadata.get_ddl(’DB_LINK’,’TEST’,user) from dual
it will give the script. If the password in encripted for 10g try with "link$" it will work.
- Pavan Kumar N
Edited by: Pavan Kumar on Nov 18, 2008 3:57 PM -
Could not initialize the Password Store Database Link value in Preference Store
I have 9iAS release 2, insfrastructure and midtier installed on the same Windows 2000 box...
I am trying to install and configure portal on remote machine (solaris) on RDBMS 9.0.1.4...
- Portal installation was no problem
- creating a new DAD was no problem
Now, I am trying to configure portal with MIDTIER mode...It falls over on STEP 1 for INSTALL_ACTION:assocPortalToExistingSSO() module with following error message:
"SQL> Could not initialize the Password Store Database Link value in Preference Store
ERROR: User-Defined Exception"
Database link is been created on my remote database by ptlasst.bat command...
How do I see whether that DB LINK is working properly ?
Any comment would be helpful...
JagdishI found the problem to the iTunes Music Store connectivity. When iTunes version 6 is installed, it places a configuration / preferences file in the following location:
"C:\Documents and Settings\<user>\Application Data\Apple Computer\iTunes\iTunes.pref"
This file contains several very large keys:
Preferences:129= (41,826 characters in length)
Music Store= (1,722 Characters in length)
Somewhere in these keys is stored are references to userid's, connections or other TCP/IP / internet connectivity objects that are being used when iTunes is installed. By deleting this file, these old setting appear to be cleared out.
In my case, one or more of the keys in this file appear to have been storing a property from my old dial-up ISP connection that was no longer valid for my new, Comcast cable modem connection.
Once I deleted this file, and re-started iTunes, it was as if I had never run the software before. I bypassed the option for searching for and importing .mp4's from My Music, and Itunes opened correctly, with full access to the music store. My library and playlists were intact and all is well.
Apple should re-write the protion of iTunes codes that stores anything pertaning to an internet connection that may change over time. Alternatively, iTunes should either A) Prompt for this information B) Enable user access to this parameter in a settings dialog C) Access this information dynamically at runtime.
Paul -
Can't create database link when password has special character
I'm trying to execute the following statement within sqlplus
create database link alpha connect to scott identified by tiger! using 'db_alpha'
note that the password for the account has an exclamation point in it. the command fails. I've tried placing the password in quotes (') and double-quotes ("). The double-quotes work, but then the link fails to function properly.
We are required to have a special character in our passwords... so how do I get that special character into the password for the database link?
Thanks in advance,
Darrenfor some weird reason, I can't post the reply I want. every time I try, the forum hangs and doesn't save the message. give me a sec...
I have put the password within double quotes... so I'm starting to think the problem is something else. I've been reading other posts regarding creating database links and I've obtained limited results. Here's what I've done, and the results I'm getting.
(names changed to protect the innocent)
My oracle database is on SYSA. I'm on SYSB. I set my TWO_TASK=SYSA and just use sqlplus to connect as user1.
I want to run a command on user2's tables. Normally I would just grant read access to user1 on user2's tables and use a command like
nert spaces to get this to save (weird forum bug here, I can't delete the text to the left)
SQL> sel{color:black}{color}ect * fr{color:black}{color}om u{color:black}{color}s{color:black}{color}e{color:black}{color}r{color:black}{color}2{color:black}{color}.{color:black}{color}m{color:black}{color}y{color:black}{color}_{color:black}{color}t{color:black}{color}a{color:black}{color}b{color:black}{color}l{color:black}{color}e{color:black}{color};
However, user2 is for test data and those tables get dropped and recreated often and it is cumbersome to try to remind everyone to recreate the grants. So I can't trust that user1 will have access to user2's tables. So my goal with the database link is to create a private (for user1 only) database link and access the tables that way, that way I bypass the grant issue. This works out better for me because we only change that password every 2 months. I just recreate the database link once every two months, rather than recreate grants multiple times every week. Well, that's the theory anyway.
Back to creating the database link, I thought my issue was the special character in the password because if I remove the exclamation point everyting works (except that the password is invalid). Below is what it looks like when I do this...
Attempt #1:
SQL> create database link BLAH connect to user2 identified by "tiger" using 'BLAH';
Database link created
SQL> sel{color:black}{color}ect * fr{color:black}{color}om my{color:black}{color}_{color:black}{color}table{color:black}{color}@{color:black}{color}BLAH;
sel{color:black}{color}ect * fr{color:black}{color}om my{color:black}{color}_{color:black}{color}ta{color:black}{color}ble{color:black}{color}@{color:black}{color}BLAH
ERROR at line 1:
ORA-01017: invalid username/password; logon denied
ORA-02063: preceding line from BLAH
So that looks like it's just a password issue. If I put in the correct password... the error changes to this...
Attempt #2:
SQL> create database link BLAH connect to user2 identified by "tiger!" using 'BLAH';
Database link created
SQL> sel{color:black}{color}ect {color:black}{color}* fr{color:black}{color}om my{color:black}{color}_{color:black}{color}table{color:black}{color}@BLAH;
sel{color:black}{color}ect * fr{color:black}{color}om my{color:black}{color}_ta{color:black}{color}ble{color:black}{color}@BLAH
ERROR at line 1:
ORA-02085: database link BLAH.AAA.BB.CCC.DDD connects to
DEVDB.AAA.BB.CCC.DDD
To me, that doesn't make sense. If the link isn't working... how did it get the "invalid username/password" in Attempt #1?
Anyway, in perusing other forum posts, one post said to put in the full text from the tnsnames.ora file instead of the alias. So I do a little cut/paste and try this...
Attempt #3:
SQL> create database link BLAH connect to user2 identified by "tiger!" using
2 '(DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = server001.aaa.bb.ccc.ddd)(PORT = 9999)))
3 (CONNECT_DATA = (SERVICE_NAME = devdb)))';
Database link created.
SQL> sel{color:black}{color}ect {color:black}{color}* fro{color:black}{color}m my{color:black}{color}_{color:black}{color}tab{color:black}{color}le{color:black}{color}@BLAH;
sel{color:black}{color}ect {color:black}{color}* fr{color:black}{color}om {color:black}{color}my_{color:black}{color}tab{color:black}{color}le@B{color:black}{color}LAH
ERROR at line 1:
ORA-02085: database link BLAH.AAA.BB.CCC.DDD connects to
DEVDB.AAA.BB.CCC.DDD
Any ideas on what I'm doing wrong?
Darren -
Cann't Drop public database link
I am not able to drop public database link .
Oracle Version - 11.2.0.1.0 - 64bit Production
Os Version - Sun Solaris .
When I am going to drop a public database link it's give a error :
SQL Error: ORA-00604: error occurred at recursive SQL level 1
ORA-20000: Can not drop Object
ORA-06512: at line 2
00604. 00000 - "error occurred at recursive SQL level %s"
Can anyone help to resolve this problem? It is a Production Database and it's a Urgent .
Thanks,
Dip Sankar RanaYou say:
I already given syntax of creating Public database link.
But you should give real details (exact statements and exact results) to make it clear what you are attempting and what your problem is.
Please show:
- The CREATE PUBLIC DATABASE LINK statement (obscuring the password, of course) and its result (i.e. success or failure message)
- From each of schema1 (working) and schema2 (not working):
- - The result of SELECT USER FROM DUAL;
- - The result of SELECT USER FROM DUAL@DB_TST;
- - The result of SELECT COUNT(*) FROM ALL_OBJECTS@DB_TST WHERE OWNER = 'B1';
In the meantime, an observation.
You said:
I create a public db link from schema1 to other database using below command --
CREATE PUBLIC DATABASE LINK DB_TST
CONNECT TO B1 IDENTIFIED BY password
USING 'SPPROD'Note that any user (in caps: ANY USER) on this database can use this link to connect to database SPPROD as B1 without knowing the password - because you put the credentials in the link.
If you have a PUBLIC database link with credentials, like you do here, you have a serious, glaring security exposure. You really, REALLY should not do this. Use a private database link (available only to the user that created it) or do not put credentials on the link (so that any user using that link is using his own credentials to connect to the remote database).
Edited by: mtefft on Jan 14, 2011 4:14 AM -
Database Link question ! Please help me ....
Hi everybody,
I have some question about database link.
For example, I have 3 database, database 1 and database 2 connect together by database link db_link1, database 2 and database 3 connect together by database link db_link2.
I want to ask: Can I connect from database 1 to database 3 ? ( Of course don't use database link between database 1 and 3, just use database db_link1 and db_link2 )
Both db_link1 and db_link2 are public database link.
Can I restrict user access by 2 these public database link ?
Thanks a lot.A database link has directionality-- it connects from one database to another database. It is not a bi-directional link.
Assuming db_link1 exists in database 1 and connects to database 2 and db_link2 exists in database 2 and connects to database 3, it should be possible to read data that is in database 3 from database 1 without creating a new database link. But you'd need some sort of intermediate layer in database 2 (i.e. a view in database 2 that queries an object in database 3) because you can't nest database links in a single SQL statement. Of course, you would almost never actually do this for a variety of reasons. The only time I've ever heard of someone using this sort of setup is if database 1 is a very recent version of Oracle and database 3 is a very very old version of Oracle such that a database link between 1 and 3 is not possible.
If you create a public database link, you cannot restrict access to that link short of potentially doing something with VPD. If you're creating a database link using a fixed username & password that would create a security issue, it would make far more sense to create private database links.
Justin -
ERROR WHILE CREATING A DATABASE LINK USING HETEROGENEOUS SERVICES
I'm creating a database link with the Oracle Dataware Builder, and i get the following error:
Probando...
Fallo.
SQL Exception
Error del repositorio: Excepción SQL.
Nombre de la Clase: CacheMediator.
Nombre del Método: getDDEntryFromDB.
Mensaje de Error del Repositorio: ORA-28500: connection from ORACLE to a non-Oracle system returned this message:
[Generic Connectivity Using ODBC][Informix][Informix ODBC Driver][Informix]Incorrect password or user [email protected] is not known on the database server. (SQL State: 28000; SQL Code: -951)
ORA-02063: preceding 2 lines from PRUEBA_SEH
As you can see i'm using heterogeneus services to connect to a informix database. ALTIADM is a valid user for that database, i don't send my ip address 192.168.0.62, but the error says "[email protected] is not known in the database server". how can i solve it?????Right places to ask this question are
Heterogeneous Connectivity
Warehouse Builder -
ERROR WHILE CREATING A DATABASE LINK TO INFORMIX
I'm creating a database link with the Oracle Dataware Builder, and i get the following error:
Probando...
Fallo.
SQL Exception
Error del repositorio: Excepción SQL.
Nombre de la Clase: CacheMediator.
Nombre del Método: getDDEntryFromDB.
Mensaje de Error del Repositorio: ORA-28500: connection from ORACLE to a non-Oracle system returned this message:
[Generic Connectivity Using ODBC][Informix][Informix ODBC Driver][Informix]Incorrect password or user [email protected] is not known on the database server. (SQL State: 28000; SQL Code: -951)
ORA-02063: preceding 2 lines from PRUEBA_SEH
As you can see i'm using heterogeneus services to connect to a informix database. ALTIADM is a valid user for that database, i don't send my ip address 192.168.0.62, but the error says "[email protected] is not known in the database server". how can i solve it?????Right places to ask this question are
Heterogeneous Connectivity
Warehouse Builder -
Creation of Database link and access the same plus Snapshot creation
i want talk between two oracle server. i decided to go for snapshot creation with periodical refresh. For which i am having two oracle server's with different ip address located inside our office setup.
I have created a database link between two servers.
first server name global
userid scott
password tiger
second server name asil
userid scott
password tiger
both the user have been given dba rights.
in both the server the services and listners are all started. i gave the following command to create database link.
from asil server
create public database link global connect by scott identified by tiger using 'global'
the command was successful and the link was created. Now i tried to access a table of the scott user of the global server.
select * from emp@global;
now it is giving error. I want to know how the link can be created and how it can be accessed. i refered the 8i online documentation and done the things based on that. i expect valuble solution from all possible persons
nullA reason for this problem could be that your database is configured that a database link has to have exactly the same name like the global name of the database instance it should connect to.
Can you please provide the oracle error code / message ? With this information there might be more hints I can give you. -
HELP! FOR LOOP TO SCROLL THROUGH TABLE AND CREATE DATABASE LINK
Hi,
Here's the scenario, not much of a PL programmer, just basic SQL so really need some help people!
I have 2 tables. 1 contains list of DB's and the other contains rules to follow.
I need to create a loop that goes through the table containing the DB's and on each row a DB link is created (Only 1 link allowed!)
Once created, the schema currently logged in with also has an account on the linked DB in order to run scripts- The scripts are stored centrally hence the requirement for the link to the target DB.
There are numerous scripts that need to be executed and can all be called from 1 script, once executed the loop exists and the database link needs to be dropped.
Once dropped, the first loop continues, creating a DB link for the next DB listed in the table (and all the scripts are fired again)
This continues against all the DB's listed in the table.Hi BlueShadow,
Thanks again for the response, you've hit the nail on the head. SQL scripts on a unix server, a loop goes through a table 1 at a time. Each row gets a link created and then all the scripts stored on the server are executed against the db linked to. So I'm assuming this is a loop within a loop.
1 loop to go through the table to create the link and then another loop within once connected to execute all the scripts against the connected DB. Once the scripts are run, the loop exits and moves onto the next server and so on until all the servers have the scripts are run.
It's PL/SQL scripts we're after and not shell scripts as this would free us from the OS constraints.
We have to drop the links due to security. Any idea on o -
Execute procedure over database link
Hi,
I''m working on a package where you can select the required database, paste some query and with clicking on a button it will execute and create an explain plan for this query.
Therefore i've create a procedure on each database that put's the explain plan in the PLAN_TABLE.
To do this i need to execute this prodecure from the package. I use the following code:
DBA_OWNER.DB_PCD_EXPLAIN_PLAN@DBA_LINK_533.WORLD(p_query);
This is working fine as this database link allready exists to the required database. But i want to make the database link name variable. I've allready created the dynamic database link:
l_link varchar2(20) := 'DBA_LINK';
l_link_nr number(4) := dbms_random.value(0,1000);
l_db varchar2(20) := l_link||'_'||l_link_nr;
l_statement varchar2(4000);
begin
l_statement := 'create database link '||l_db||' connect to **** identified by ***** using '''||p_database||'.WORLD''';
execute immediate l_statement ;
So now i have the dynamic databaselink that is created each time i call the package.
now i want to use this databaselink to call the procedure. this is where it goes wrong.
The code i'm using:
DBA_OWNER.DB_PCD_EXPLAIN_PLAN@l_db(p_query);
is not acceoted when i build the package.
The follwoing error message is showed.
PACKAGE BODY DBA_OWNER.PCK_EXPLAIN_PLAN
On line: 66
PLS-00352: Unable to access another database 'L_DB'
Does someone know how to use this variable to execute the procedure on the remote db?Any procedures you call have to be accessible at compile time, so the database link must also exist at compile time.
You can get around this by putting your procedure call to DB_PCD_EXPLAIN_PLAN inside dynamic SQL, the same as you are doing to create the database link. Dynamic SQL is not checked until runtime.
Think about the risk if this procedure is exploited. You are creating a way for someone to run arbitrary code in an any database in your environment, with presumably a highly-privileged ID, if it can run an explain plan against any schema in any target database.
This is exposing some significant security issues. Read up on SQL injection, and have someone else review the code for security issues before deploying this. -
Problem with using database link from oracle 7 to oracle 9i
Hi To Every One
I have two oracle database oracle 7.3.4.0.1 and oracle 9i 9.2.0.1.0.
and the tns alias to connect to oracle 9i database is oracle9i and tns
alias to oracle 7 database is oracle7.I have no problem in connect to
these database using these tns aliases from either database.The tns
alias for oracle 7 is available in tnsnames.ora file of oracle9i and
tns alias for oracle 9i is available in tnsnames.ora file of oracle 7.
So there is no connection problem from each other.Connection is
working fine for each other but the problem with database links is
like this
Problem:
when i create database link from oracle9i user or public database link
from oracle9i for oracle7 user like this
SQL ORACLE9I >CREATE DATABASE LINK ORACLE7 CONNECT TO <ORACLE7USER>
IDENTIFIED BY <PASSWORD> USING 'ORACLE7';
OR
SQL ORACLE9I >CREATE PUBLIC DATABASE LINK ORACLE7 CONNECT TO <ORACLE7USER>
IDENTIFIED BY <PASSWORD> USING 'ORACLE7';
The links get created sucessfully but when i write command like
SQL ORACLE9I> DESC <ORACLE7USER_NAME>.<ORACLE7USER_TABLENAME>@ORACLE7
I RECEIVE A ORACLE ERROR LIKE
ORA-12663 SERVICE REQUIRED BY CLIENT IS NOT AVAILABLE ON THE SERVER.
OR IF MY COMMAND IS LIKE
SQL ORACLE9I> SELECT <FEILD_NAME> FROM
<ORACLE7USER_NAME>.<ORACLE7USER_TABLENAME>@ORACLE7;
I RECEIVE AN ORACLE ERROR LIKE
ORA-01002 FETCH OUT OF SEQUENCE.
ORA-02063: preceding line from ORACLE7
BUT IF I CREATE A LINK FROM ORACLE7 USER FOR ORACLE9I USER
IT WORKS FINE.
PLZ HELP ME WHAT IS THE PROBLEM THAT THE LINK FOR ORACLE 7 IS NOT WORKING WHEN
IT IS BEING CREATED FROM ORACLE9I.
Thank u.Oracle 9.2.0 does not support connectivity to Oracle 7. The newest version that will support this is 9.0.1.
Maybe you are looking for
-
Any input on how to move a library from your ipod classic when the original computer was stolen? Especially when there is large quantities of music that is not downloaded, but uploaded from cd.
-
I bought a MacBook Pro 6 months ago. This is my first Mac experience and needless to say, I'm never going back to windows. A week ago I went on a mission trip and left my computer at home. I turned it off which I usually don't do. I got back and I no
-
Embedded m4v, avi and mov did not load, when published to server
Hi there, today I created a new webpage, for the first time with iWeb. It work perfect on my mac including embedded movies. When I published it to my server, all pages loaded fine, but the movies did not. They started a bit and then everything ended
-
Service market place path to download TREX
Hi, Can some one please give me service market place path to download TREX ? I am tired of searching and cannot locate the media Thanks Jennifer
-
I need to make more room for backups on my system. I open the utility and go to where it says delete backups. I check one date and it deletes it. I reboot and that backup is there again. I've tried several times with the same result. Why would t