Note
These commands can be found in the file Chapter11/apver/NewAppSec.sql.
Execute the command in Listing 11-49 to create the database link we need to attach to the orcl instance (substitute the password for the appsec user on the orcl instance into this command).
Listing 11-49. Create Database Link as appsec User
CREATE DATABASE LINK orcl_link
CONNECT TO appsec
IDENTIFIED BY password
USING 'orcl';
Test the new database link by selecting from a table that is available to appsec on the orcl instance:
SELECT * FROM hr.v_emp_mobile_nos@orcl_link;
We now return to the SYS user to accomplish much of the rest of this installation of our Application Security structures on the new apver instance.
Now that we have created the database link as appsec, we will no longer need to log in as our appsec user, so we will want to disable logins. The quickest way to do that is to expire the password for appsec.
To do that, execute the following command as SYS user:
ALTER USER appsec PASSWORD EXPIRE;
You will want to remember that you did this so you don't worry when you cannot connect to apver as appsec. In effect, you can only connect to the apver instance as SYS. You could connect as the appver user, but the logon trigger and other security will prevent or limit what you can do.
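A check to run as SYS on apver after the two steps above, as an added example that is not from the book's NewAppSec.sql: it confirms the appsec account state and that the orcl_link database link is still in place. An expired password can still be used once to connect and set a new password in clients that offer the change prompt, so the commented ACCOUNT LOCK statement is shown as an optional extra step; that step and the error numbers -20001 and -20002 are assumptions of this example.

```sql
-- Added verification example; run as SYS on the apver instance.

-- 1. Account state: after PASSWORD EXPIRE the status reads EXPIRED.
SELECT username, account_status, expiry_date, lock_date
  FROM dba_users
 WHERE username = 'APPSEC';

-- 2. The private link owned by APPSEC and the remote account it connects as.
--    The stored link name is uppercase and may carry a domain suffix.
SELECT owner, db_link, username, host, created
  FROM dba_db_links
 WHERE owner = 'APPSEC';

-- 3. Optional (assumption, not a step from the chapter): lock the account
--    so the old password cannot be used to set a new one.
-- ALTER USER appsec ACCOUNT LOCK;

-- 4. Scripted form of checks 1 and 2 that fails loudly.
SET SERVEROUTPUT ON
DECLARE
  v_status dba_users.account_status%TYPE;
  v_links  PLS_INTEGER;
BEGIN
  SELECT account_status
    INTO v_status
    FROM dba_users
   WHERE username = 'APPSEC';

  SELECT COUNT(*)
    INTO v_links
    FROM dba_db_links
   WHERE owner = 'APPSEC'
     AND db_link LIKE 'ORCL\_LINK%' ESCAPE '\';

  -- Accept EXPIRED, or any status ending in LOCKED (indefinite lock).
  IF v_status <> 'EXPIRED' AND v_status NOT LIKE '%LOCKED' THEN
    RAISE_APPLICATION_ERROR(-20001,
      'APPSEC logins are not disabled, status is ' || v_status);
  END IF;

  IF v_links = 0 THEN
    RAISE_APPLICATION_ERROR(-20002, 'ORCL_LINK not found for APPSEC');
  END IF;

  DBMS_OUTPUT.PUT_LINE('APPSEC status: ' || v_status ||
                       ', matching links: ' || v_links);
END;
/
```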
Grant Access for APPSEC User to Reach out of the JVM Security Sandbox
In order to accomplish two-factor authentication, our appsec user will need to send e-mail and open connections to web servers. These abilities require that appsec be able to reach out from the Oracle JVM, outside the standard security sandbox. We will grant the privilege to do that here in Listing 11-50, as we did for the orcl instance in Chapter 9.
Listing 11-50. Grant Oracle JVM Security Sandbox Permissions
BEGIN
    DBMS_NETWORK_ACL_ADMIN.CREATE_ACL (
        acl         => 'smtp_acl_file.xml',
        description => 'Using SMTP server',
        principal   => 'APPSEC',
        is_grant    => TRUE,
        privilege   => 'connect',
        start_date  => SYSTIMESTAMP,
        end_date    => NULL);
    COMMIT;
END;