Oracle® Database Backup and Recovery Advanced User's Guide 10g Release 2 (10.2) Part Number B14191-02 |
|
|
View PDF |
If you create an RMAN command file which uses a CONNECT
command with database level credentials (user name and password), then anyone with read access to this file can learn the password. There is no secure way to incorporate a CONNECT
string with a password into a command file.
It is also possible, using the ps
command under Unix or some similar command under other operating systems, to view command lines and arguments entered into the shell or other host operating system command line interpreter. Therefore, it is risky to invoke RMAN with a command line like this example:
% rman TARGET sys/oracle@target
To connect to RMAN from the operating system command line and hide authentication information, you can start RMAN without connecting to databases, and then enter CONNECT
commands at the RMAN prompt. You can also start RMAN without a password in the connect string, as in this example:
% rman TARGET sys@target
RMAN will prompt for a password in such a case.
If you create an RMAN command file which uses a CONNECT
command that includes authentication information, RMAN does not echo the connect string when you run the command file with the "@" command. This prevents connect strings from appearing in any log files that contain RMAN output.
For example, create a command file listbkup.rman
which reads:
CONNECT target sys/oracle@target LIST BACKUP;
Then execute this script by running RMAN with the @ command line option:
% rman @listbkup.rman
When the command file executes, RMAN replaces the connection string with an asterisk, as shown in the following output:
Recovery Manager: Release 10.2.0.1.0 - Production Copyright (c) 1995, 2005, Oracle. All rights reserved. RMAN> connect target * 2> list backup; 3> connected to target database: RDBMS (DBID=771530996) using target database control file instead of recovery catalog List of Backup Sets =================== ...rest of output omitted