Securing Credentials
CAKM for Oracle TDE allows you to use obfuscated credentials.
The obfuscated value is set in the properties file. The PassPhraseSecure
utility generates the obfuscated value and accepts the parameters described below.
• Characters supported in credentials: + , - . / = [ ] ^ _ ~ ’ # " @ ?
• Characters not supported in credentials: ( ) ! & \ | ; ` < > ${ }
• Colon (:) is used as a field separator, and should not be part of credentials.
The credentials must be provided in one of the following forms:
With domain:
domain:user:password
Without domain:
user:password
With domain and persistent cache password:
domain:user:password:pcachepass
With persistent cache password:
user:password:pcachepass
Here, domain, user, and password are related to the CipherTrust Manager.
Credential Parameters
The following parameters are used:
./PassPhraseSecure -txt <TextToBeObfuscated>
This parameter allows the user to provide input as text and display the obfuscated value.
If the text to be obfuscated contains whitespace, it must be enclosed in double quotes (" ").
Example 1:
./PassPhraseSecure -txt "domain:user:password"
Output:
5B7D6329356A0D0153B0A0CB7B3ACB626320A48D6D9B31E0F03856650E88C922
Example 2:
./PassPhraseSecure -txt "domain:user:password:pcachepass"
Output:
5B7D6329356A0D0153B0A0CB7B3ACB622DB1B005DA70CA56324E7218CCC626DD
PassPhraseSecure -file <FileName>
This parameter allows the user to provide input from a file and display the obfuscated value. <FileName> is the name, optionally with the path, of the file that contains the text to be obfuscated.
Example:
./PassPhraseSecure -file test.txt
Output:
66A09CF4974DB15B1E3C22F89912338E
There is no restriction on the length of the file. However, only the first line of the file is obfuscated, irrespective of the file length.
PassPhraseSecure -help
This parameter displays help for the utility on the console. For example:
./PassPhraseSecure -help
If you run the utility without any parameter, the same -help output is displayed.
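A pre-flight check for the credential string, plus a wrapper that passes it to the utility through -file instead of -txt, which keeps the clear-text value out of the process argument list and shell history. This is an added example, not code shipped with CAKM: check_cred and obfuscate_cred are hypothetical names, and it assumes that "${ }" in the unsupported list means the three characters $, { and }.

```shell
#!/bin/sh
# Added example, not vendor code. check_cred and obfuscate_cred are hypothetical helpers.
NL='
'

# check_cred STRING: print the matching credential form and return 0,
# or print the reason for rejection and return 1.
check_cred() {
    cred=$1
    # Only the first line of a -file input is obfuscated, so refuse multi-line values.
    case $cred in *"$NL"*) echo "multi-line value"; return 1 ;; esac
    # Unsupported characters from the list above.
    # Assumption: "${ }" in that list means the characters $, { and }.
    stripped=$(printf '%s' "$cred" | tr -d '()!&\\|;`<>${}')
    [ "$stripped" = "$cred" ] || { echo "unsupported character"; return 1; }
    # Colon is the field separator; an empty field means a stray colon.
    case $cred in :*|*:|*::*) echo "empty field"; return 1 ;; esac
    only_colons=$(printf '%s' "$cred" | tr -cd ':')
    case $(( ${#only_colons} + 1 )) in
        2) echo "user:password" ;;
        # The page lists two three-field forms; the string alone cannot tell them apart.
        3) echo "domain:user:password or user:password:pcachepass" ;;
        4) echo "domain:user:password:pcachepass" ;;
        *) echo "expected 2 to 4 colon-separated fields"; return 1 ;;
    esac
}

# obfuscate_cred STRING [UTILITY]: validate, then hand the value to
# PassPhraseSecure via -file from a private temporary file.
obfuscate_cred() {
    util=${2:-./PassPhraseSecure}
    check_cred "$1" >/dev/null || { echo "rejected: $(check_cred "$1")" >&2; return 1; }
    tmp=$(umask 077; mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"      # single line: the utility reads only line 1
    rc=0
    "$util" -file "$tmp" || rc=$?
    rm -f "$tmp"                     # do not leave the clear text on disk
    return $rc
}
```

Read the credential with a prompt that does not echo (for example `stty -echo` followed by `read`) before calling obfuscate_cred, so the clear text never appears on a command line.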