I read Oracle Database Administrator's Guide,chapter
"Establishing Security policy" and I am concerned about encrypted password.
My environment:Oracle 8.1.7 on Win2000.
I red that I have to configure both ORA_ENCRYPT_LOGIN and DBLINK_ENCRYPT_LOGIN for really encrypted password.
As a DBA,I am responsible for my Oracle server.Also,I can write document where I tell my operators:You HAVE to configure
As a DBA,I am responsible for setting DBLINK_ENCRYPT_LOGIN=TRUE.
When my operaters finish instalation and they set
ORA_ENCRYPT_LOGIN=TRUE they are not responsible for machines(there are dislocated machines).
So,they cannot stop somebody(malicious user) for set
ORA_ENCRYPT_LOGIN=FALSE;it means passwords will be sent clear:if I configure my "sniffer" on "the right place" I can find REAL password.
Let me talk about my experiance with DB2.
Of course,same things you can configure on DB2 by set
AUTHENTICATION=SERVER_ENCRYPT (or DCS_ENCRYPT) on client and server side.
So,on the server side i set (in Oracle terminology)
DBLINK_ENCRYPT_LOGIN=TRUE and I changed only ORA_ENCRYPT_LOGIN .Of course,I was configured my "sniffer".
If I set ORA_ENCRYPT_LOGIN =true passwords is encrypted immediately
and encrypted sent to server.
If I set ORA_ENCRYPT_LOGIN=false,I noticed that client and server communicate both BEFORE sending password.
If my server has DBLINK_ENCRYPT_LOGIN=TRUE password is encrypted.If I have DBLINK_ENCRYPT_LOGIN=FALSE my password is sent "clear".
It means,if I set on server side TRUE,passwords are EVER encrypted.
My qestion(after veery long and boring story) may I configure my server that encrypted password is not depend about client side?
Of course,maybe I red wrong,so please correct me.
I will be very greatfull for your advice.