incumbent on the OS permissions, but that is not reliable—what if a legitimate user e-mails the files to a
hacker posing as a computer support technician?
Another concern is just a practical one that has to do with file distribution, management, and
updates. Possibly you already have a system for that, but getting the files to each user's home directory
and keeping them updated is not a trivial concern.
Finally, a concern that is not mentioned in regard to client wallets and security but follows logically
from an examination of the files used to configure wallet authentication is the disconnect of the
password from the host/Oracle database instance specification. A user might try substituting other
Oracle instances for the one you have specified in the tnsnames.ora file, thereby testing a specific wallet
user and password against every instance. For example, if a hacker changes the tnsnames.ora file on his
machine so that the orcl_appusr entry points to (SID=TestOrcl), he can attempt to connect to that
instance as appusr with this same command:
sqlplus /@orcl_appusr
Caution: With the Oracle client wallet files, an attacker can connect as the specified user you configured on any
instance where that user exists and has the same password.
Perhaps your users exist on only one instance, or have exactly the same privileges on each
instance; however, it is more likely that a user has extended privileges on lower-priority (sandbox,
development, or acceptance) regions than on production. Those extended privileges on any instance
may provide additional attack vectors.
Trace Oracle Client Code
During development you will often find that things are not working and your
application can't tell you what's wrong. The error is happening somewhere in the underlying protocol,
and is hidden or obscured. You may even see misleading error messages.
At that point, you may have to call in the reserves, asking your network administrators to put a
network sniffer on your subnet and capture packets to analyze; hopefully, you'll spot the problem.
However, before it comes to that, you have some options yourself when dealing with an Oracle
database. You can turn on tracing in your client to see the underlying protocol dialog between the client
and the Oracle database. Simply set the trace level in the client sqlnet.ora file. A value of 16 is the
maximum detail trace; you can also choose less detail in levels 8, 4, 2, and 1.
TRACE_LEVEL_CLIENT=4
Caution: When you are done troubleshooting your current problem, be sure to disable trace logging. It generates
lots of files with potentially lots of data that can be both a hog of disk space and revealing in a security sense. At
higher levels of trace logging, the data returned from a query is also presented in the trace file.
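One way to check that tracing was actually turned off again is to scan the client sqlnet.ora files you manage for a TRACE_LEVEL_CLIENT setting that is still enabled. The following is an added example, not code from the book. The keyword level names (OFF, USER, ADMIN, SUPPORT) and the TRACE_DIRECTORY_CLIENT parameter are Oracle Net settings not mentioned on this page, and the file labels and contents are constructed samples.

```python
import re

# Matches "NAME = value" on one sqlnet.ora line; parameter names are case-insensitive.
PARAM = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")
DISABLED = {"0", "OFF"}                      # values that turn client tracing off
NAMED = {"OFF", "USER", "ADMIN", "SUPPORT"}  # keyword forms of the trace level


def parse_sqlnet(text):
    """Return {PARAM_NAME: [values...]} for simple one-line parameters."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # '#' starts a comment
        m = PARAM.match(line)
        if m and m.group(2):
            params.setdefault(m.group(1).upper(), []).append(m.group(2))
    return params


def audit(files):
    """files: {label: sqlnet.ora text}. Return one finding per enabled trace setting."""
    findings = []
    for label, text in sorted(files.items()):
        params = parse_sqlnet(text)
        for value in params.get("TRACE_LEVEL_CLIENT", []):
            v = value.upper()
            if v in DISABLED:
                continue
            findings.append({
                "file": label,
                "level": v,
                # False means the value is neither numeric nor a known keyword.
                "recognized": v in NAMED or v.isdigit(),
                # Where to look for leftover trace files, if the file says so.
                "trace_dir": (params.get("TRACE_DIRECTORY_CLIENT") or [None])[-1],
            })
    return findings


# Constructed sample inputs (not taken from any real system).
SAMPLES = {
    "dev-laptop/sqlnet.ora": "# debugging login issue\nTRACE_LEVEL_CLIENT=4\n",
    "build-host/sqlnet.ora": "trace_level_client = support\n"
                             "TRACE_DIRECTORY_CLIENT = /tmp/ora_trace\n",
    "prod-app/sqlnet.ora": "#TRACE_LEVEL_CLIENT=16\nTRACE_LEVEL_CLIENT = OFF\n",
}

if __name__ == "__main__":
    for f in audit(SAMPLES):
        print(f"{f['file']}: client trace on, level={f['level']}, dir={f['trace_dir']}")
```

Every enabled occurrence is reported rather than guessing which duplicate the client honors, so a finding means the file needs cleaning up regardless of parameter order.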
One of the default locations for trace files (there are several) is a folder named like this:
 