Oracle® Enterprise Manager Policy Reference Manual 10g Release 2 (10.2) Part Number B16231-01
This chapter provides the following information for the Oracle Application Server Containers for J2EE (OC4J) policy:
Brief description of the policy
Summary of the policy's main properties
Default values for the policy: parameters with their default values and objects excluded by default
Impact of the policy violation
Action to perform when the violation occurs
This policy verifies that password indirection is used in OC4J XML configuration and deployment files.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | OC4J | Oracle Application Server 9.0.4.x and Oracle Application Server 10.1.2.x | The underlying metric has a collection frequency of once every 24 hours. | Yes | Password indirection is not used in configuration file %FILE_NAME%. |
Defaults
Parameters and Their Default Values
None
Objects Excluded by Default
None
Impact of Violation
Embedding passwords in deployment and configuration files poses a security risk, especially if the permissions on the files allow them to be read by any user.
Action
To avoid this problem, OC4J provides password indirection and password obfuscation.
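A manual version of this kind of check, as an added example that is not part of the Oracle manual or of Enterprise Manager's own policy code: it flags password attributes in an XML configuration file that do not use indirection, and reports whether the file is readable by any user. It assumes that an indirect password is written with a leading `->` and that the relevant attributes have "password" in their name; the sample XML is constructed for illustration.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Assumption: an OC4J indirect password is written as "->" followed by a user name.
INDIRECTION_PREFIX = "->"

def find_embedded_passwords(xml_text):
    """Return (element, attribute) pairs whose password is stored in the file itself.

    The secret value is deliberately left out of the result so that reports
    and logs built from it do not leak it a second time.
    """
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        for name, value in elem.attrib.items():
            if "password" in name.lower() and value and not value.startswith(INDIRECTION_PREFIX):
                findings.append((elem.tag, name))
    return findings

def is_world_readable(path):
    """True when the 'other' read bit is set, i.e. any local user can read the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def audit_file(path):
    """Check one configuration file for embedded passwords and loose permissions."""
    with open(path, encoding="utf-8") as handle:
        findings = find_embedded_passwords(handle.read())
    return {"file": path, "embedded": findings,
            "world_readable": is_world_readable(path)}

# Constructed sample in the style of a data source definition (not from the manual).
SAMPLE_CONFIG = """<data-sources>
  <data-source name="ds-embedded" username="scott" password="tiger"/>
  <data-source name="ds-indirect" username="scott" password="->scott"/>
</data-sources>"""

if __name__ == "__main__":
    for tag, attr in find_embedded_passwords(SAMPLE_CONFIG):
        print(f"Password indirection is not used: <{tag}> attribute '{attr}'")
```

Any value without the indirection prefix is flagged, which matches the policy's wording that it verifies indirection is used.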