I'm connecting to an external Oracle Database with the example function that can be found here
const oracledb = require('oracledb');
const connection = await oracledb.getConnection(
{
user : "hr",
password : mypw, // mypw contains the hr schema password
connectString : "mydbmachine.example.com/orclpdb1"
}
);
So, as you can see, my credentials would be 'exposed' to everyone who can access the code (maybe github repository or something).
Is there any way of hiding my username and password or making them confidential, or I just shouldn't worry about it?
Note: I'm using the oracledb node module
You could use .env, and access to it with process.env.
check here: https://nodejs.org/dist/latest-v8.x/docs/api/process.html#process_process_env
Store your database secrets encrypted in Secrets Manager or Parameter Store and have your app read them at runtime. Be sure to update the IAM role that your app uses so that it has IAM permissions to retrieve the credentials.
Note: for certain databases, Secrets Manager supports auto-rotation of credentials.
Choices include:
prompt for the password at runtime
pass the password in an environment variable
use kerberos and then use 'external' authentication in node-oracledb. All this is configured and enabled in code layers below node-oracledb, see the Oracle Database Security Guide.
use an Oracle Wallet and then use 'external' authentication in node-oracledb.
Related
I am developing a backend in node with express, passport-azure-ad and oracledb, using this library to connect to Oracle, in the front end I use angular with the msal library to authenticate and obtain a token, is there any way to connect to a Oracle XE/Enteprise database with this same token?
I need to maintain data traceability with registered users
You can't use that token to authenticate. However once you have connected, you can set one or more of the 'end-to-end' tracing attributes shown in the node-oracledb doc End-to-end Tracing, Mid-tier Authentication, and Auditing to maintain data traceability, for example:
const connection = await oracledb.getConnection(
{
user : "mygenericuser",
password : mypw,
connectString : "localhost/orclpdb1"
}
);
connection.clientId = "myactualname"; // This gets recorded in audit trails etc
The old article PHP Web Auditing, Authorization and Monitoring with Oracle Database may also be useful background.
I have an instance of Db2 on IBM Cloud. I would like to use my local CLP to connect to it. I set everything up to be able to connect using a username and password. Now, however, I would like to make use of either an APIKEY or ACCESSTOKEN as documented.
My attempts result in either
SQL30082N Security processing failed with reason "25" ("CONNECTION
DISALLOWED"). SQLSTATE=08001
or
SQL30082N Security processing failed with reason "24" ("USERNAME
AND/OR PASSWORD INVALID"). SQLSTATE=08001
I have successfully create an APIKEY and also was able to generate an access token using that API key. But what is needed to connect?
connect to clouddb ACCESSTOKEN "my long token here"
It was a matter of the right setup and correct steps:
IAM support only works with SSL connections
for SSL, I had to use the right port number (50001) and keywords (security ssl) when cataloging the node and database
my Db2 client required additional setup for GSKit and encryption key database
I wrote up a blog post with all the steps and a collection of error message on how to setup a Db2 client to authenticate using either API key or access token. Basically, it is to catalog the server:
db2 catalog tcpip node Db2oCfra remote db2host-fra02-xxx.services.eu-de.bluemix.net
server 50001 security ssl
Then catalog the database:
db2 catalog db bludb as fradb at node db2ocfra
Thereafter, connect:
db2 connect to fradb APIKEY myIBMCloudplatformApiKey
There might be additional steps in order to install GSKit and properly configure SSL support.
I am using the CredRead() and CredWrite() functions from the Windows Credential Manager API to store and retrieve user passwords, as outlined in this StackOverflow answer.
However, I have read that it is possible to disable the Credential Manager by setting a Group Policy, or simply by stopping/disabling the Credential Manager service. In this case, I would like to update my application's UI to reflect that Credential storage is not currently available.
Is there a reliable way to determine programmably whether or not the Credential Manager has been disabled?
in windows exist VaultSvc (friendly name Credentials Service) which support different vault types. exist util VaultCmd.exe with which we can enumerate different credential schemas and loaded vaults. for example:
vaultcmd /listschema
Global Schemas
Credential schema: Windows Secure Note
Schema guid: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
Credential schema: Windows Web Password Credential
Schema guid: 3CCD5499-87A8-4B10-A215-608888DD3B55
Credential schema: Windows Credential Picker Protector
Schema guid: 154E23D0-C644-4E6F-8CE6-5069272F999F
Currently loaded credentials schemas:
Vault: Web Credentials
Vault Guid:4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Credential schema: Windows Web Password Credential
Schema guid: 3CCD5499-87A8-4B10-A215-608888DD3B55
Vault: Windows Credentials
Vault Guid:77BC582B-F0A6-4E15-4E80-61736B6F3B29
Credential schema: Windows Domain Certificate Credential
Schema guid: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Credential schema: Windows Domain Password Credential
Schema guid: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Credential schema: Windows Extended Credential
Schema guid: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
and
vaultcmd /list
Currently loaded vaults:
Vault: Web Credentials
Vault Guid:4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Location: C:\Users\*\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Vault: Windows Credentials
Vault Guid:77BC582B-F0A6-4E15-4E80-61736B6F3B29
Location: C:\Users\*\AppData\Local\Microsoft\Vault
of course vaultcmd and most vaults, say Web Credentials (store passwords in ie) will be work only in case VaultSvc is running
but Windows Credentials (77BC582B-F0A6-4E15-4E80-61736B6F3B29) is built in credential, which is always running (inside lsass), even if VaultSvc not running (disabled). the CredRead, CredWrite, CredEnumerate, and other Cred* api will be always work. it can not be disabled
exist undocumented api Vault* api implemented in vaultcli.dll. all this api named in form Vault*. when we call it and in case VaultSvc is running - vaultsvc.dll is loaded in lsass and handled remote call :
vaultcli!VaultSomeApi -> rpc - > vaultsvc!VltSomeApi
for example when we call VaultEnumerateItems in client, VltEnumerateItems called in lsass (vaultsvc.dll). what is internally called inside VltEnumerateItems depend from concrete vault, on which it called. for Windows Credentials vault - CredEnumerateW called inside VltEnumerateItems
The name of the Credentials Service is VaultSvc.
You can find how to query the status of any service in this answer and just use the code whilst passing the "ValutSvc" string to the function.
I am having trouble logging in as admin when I switch to production. I get the following error:
BCryptPasswordEncoder - Encoded password does not look like BCrypt
I am guessing I would have to change the admin password directly in the database (table blc_admin_user), to an encrypted one? If so, what would it be?
Also I am hoping to use the same database created in development for production, I hope that is not an issue.
Note that I am using the default admin login (password: admin).
version 5.2.0-SNAPSHOT
Yes, you will need to encrypt the admin password with BCrypt and put that in the BLC_ADMIN_USER table. Here is the update script to do that:
UPDATE BLC_ADMIN_USER SET PASSWORD = '$2a$06$NtRCQoGXWEgBClwBO8b1AeBqIP1elvZNuZqR/57Yjfw4kV/M0vljG' WHERE LOGIN = 'admin';
I am trying to setup a local database in a windows 10 computer, and grant access to my local windows-user. But when I try to access the database through my node-application I get the following error-message: error: password authentication failed for user "windowsuser" using the following db-url: postgres://localhost:5432/testdb
I am using the module "pg" to connect to the database, and everything works when I specify a username and password in the URL - but I want to connect using my windows credentials.
I have setup a superuser with the same name as my windowsuser:
CREATE ROLE windowsuser LOGIN
SUPERUSER INHERIT CREATEDB CREATEROLE NOREPLICATION;
And setup a database windowsuser as owner:
CREATE DATABASE testdb
WITH OWNER = windowsuser
ENCODING = 'UTF8'
TABLESPACE = pg_default
LC_COLLATE = ''
LC_CTYPE = ''
CONNECTION LIMIT = -1;
GRANT ALL ON DATABASE testdb TO windowsuser;
The windows user has no password, and I want to be able to just login with the current system user. Am I missing something essential here to get proper access?
I believe you cannot simply authenticate without a password. Have a look at the PostgreSQL doc here:
PostgreSQL: Documentation: 9.4: Authentication Methods
You will need to setup "Trust Authentication" instead of "Password Authentication".
19.3.2. Password Authentication
"PostgreSQL database passwords are separate from operating system user passwords. The password for each database user is stored in the pg_authid system catalog. Passwords can be managed with the SQL commands CREATE USER and ALTER ROLE, e.g., CREATE USER foo WITH PASSWORD 'secret'. If no password has been set up for a user, the stored password is null and password authentication will always fail for that user."
Is there a specific reason why you are opting to use a Windows system account, as well as no password?