Solution Beacon, LLC
Solution Beacon Security Best Practice #12 - Minimize Passwords Contained In OS Files

Do not hard code usernames and passwords in files. A file that ends up readable by someone it was not intended for then hands that person the account, and every password change means hunting down each copy of the old one. Consider creating concurrent requests for scripts that you would normally run outside of the applications: a program run through the concurrent manager gets its database connection from the manager, so you won't need to include a username and password in the program itself. If you must keep a password in a file, use your operating system's security controls to limit who can read it, have your scripts read the account password from that protected (or encrypted) file rather than embedding it, and never pass the password on the command line, where it is visible to other users through ps and may be recorded in shell history.
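As an added illustration of the last sentence (example code, not Solution Beacon's or Oracle's), the POSIX shell functions below read an account password from a file that only its owner can read and hand it to SQL*Plus on standard input, so it never appears on a command line. The file name, account name, connect string and SQL script are placeholders. The password file here is protected by permissions alone; encrypting it additionally is orthogonal, because a file a script can decrypt unattended must keep its key on the same host anyway.

```shell
#!/bin/sh
# Added example, not code from Solution Beacon or Oracle. Reads a database
# password from a permission-protected file and passes it to SQL*Plus on
# standard input, so it never appears on a command line or in `ps` output.
# Paths, account names and the connect string below are placeholders.

# Succeed only if the group and "other" permission bits are all clear
# (mode 0600 or stricter). The mode string from `ls -ld` is parsed because
# stat(1) output formats differ between systems.
password_file_is_private() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c5-10)   # group rwx + other rwx
    [ "$mode" = "------" ]
}

# Print the password: the first line of the file, trailing newline removed.
# Refuses a file that is missing, empty, or readable by anyone but its owner.
read_password() {
    password_file_is_private "$1" || return 1
    IFS= read -r pw < "$1" || [ -n "$pw" ] || return 1
    printf '%s' "$pw"
}

# Run a SQL script as the given account, e.g.
#   run_sql_as APPS /etc/oracle/prod/apps.pw PROD /u01/scripts/report.sql
# sqlplus is started with /nolog and receives the CONNECT command on stdin,
# so another user running `ps` sees only "sqlplus -s /nolog".
run_sql_as() {
    user=$1; pwfile=$2; connstr=$3; sqlfile=$4
    set +x   # never let shell tracing echo the password assignment
    pw=$(read_password "$pwfile") || {
        echo "run_sql_as: refusing to use $pwfile (missing, empty or readable by others)" >&2
        return 1
    }
    sqlplus -s /nolog <<EOF
connect $user/"$pw"@$connstr
@$sqlfile
exit
EOF
}
```

Create the password file with `umask 077` (or `chmod 600` afterwards) under the account that owns the scripts; `read_password` refuses to use it otherwise, so a permission slip during a restore or copy fails loudly instead of silently exposing the password.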

Oracle and some third-party software products also store account passwords in OS files. Files such as datasources.xml, app.properties, cgicmd.dat, jazn.xml, system-jazn-data.xml, jazn-data.xml, ra.xml, rmi.xml and jms.xml are just some examples; include them when you review file permissions and when you rotate the passwords they hold.

Also, limit the occurrences of sensitive passwords in log files. To prevent adpatch from writing password information to its log files, use the 'flags=hidepw' option on the adpatch call. For example:

$ adpatch flags=hidepw

To make sure this option is always present on the adpatch command, you may wish to create your own 'adpatch wrapper' script that adds the 'flags=hidepw' option (as well as any others you may want) to the adpatch call. Name the wrapper adpatch, place it in a directory that appears in your PATH before $FND_TOP/bin, and confirm with 'command -v adpatch' (or 'which adpatch') that the wrapper, not $FND_TOP/bin/adpatch, is the one found; after that you are set to go the next time you want to 'adpatch'.
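The wrapper described above, written out as an added example (not Solution Beacon's or Oracle's code). It assumes a POSIX shell, that the applications environment has been sourced so $FND_TOP is set, and that the script is installed under the name adpatch in a directory ahead of $FND_TOP/bin in PATH. It forwards every argument unchanged and adds hidepw to the caller's existing flags= list rather than passing a second flags= option; the 'flags=trace' value in the comments stands for any other adpatch flag a caller might supply.

```shell
#!/bin/sh
# Added example of an adpatch wrapper; not Solution Beacon's or Oracle's code.
# Install as a file named "adpatch" in a directory that precedes $FND_TOP/bin
# in PATH. Every argument is forwarded to the real $FND_TOP/bin/adpatch, with
# flags=hidepw guaranteed to be among them.

# Print the final argument list, one argument per line. adpatch takes one
# comma-separated flags= list, so if the caller already passed flags=...,
# hidepw is appended to it (e.g. flags=trace becomes flags=trace,hidepw);
# otherwise flags=hidepw is added at the end.
adpatch_args() {
    have_flags=0
    for arg in "$@"; do
        case "$arg" in
            flags=*)
                have_flags=1
                value=${arg#flags=}
                case ",$value," in
                    *,hidepw,*) printf '%s\n' "$arg" ;;                  # already there
                    ,,)         printf '%s\n' "flags=hidepw" ;;          # bare "flags="
                    *)          printf '%s\n' "flags=$value,hidepw" ;;
                esac
                ;;
            *)  printf '%s\n' "$arg" ;;
        esac
    done
    [ "$have_flags" -eq 1 ] || printf '%s\n' "flags=hidepw"
}

# Locate the real adpatch and replace this process with it.
run_adpatch() {
    real="${FND_TOP:?FND_TOP is not set; source the applications environment file first}/bin/adpatch"
    if [ ! -x "$real" ]; then
        echo "adpatch wrapper: real adpatch not found at $real" >&2
        return 1
    fi
    # adpatch arguments are key=value tokens without whitespace, so splitting
    # the printed list back into the positional parameters is safe; globbing
    # is disabled so a value containing * or ? is not expanded.
    set -f
    set -- $(adpatch_args "$@")
    exec "$real" "$@"
}

# Hand off to the real adpatch only when invoked under the name "adpatch",
# i.e. when installed as the wrapper; otherwise just define the functions.
case "$0" in
    *adpatch) run_adpatch "$@" ;;
esac
```

Because the wrapper exec's the real binary, adpatch's exit status and interactive prompts pass through unchanged; the only difference from calling $FND_TOP/bin/adpatch directly is that passwords no longer reach the log.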
