Comments on: Inspecting the default database under Oracle BPEL Process Manager – Querying Tasks & Processes

By: Orly Andico

Orly Andico — Fri, 01 May 2009 18:20:40 +0000

Is it possible to use *any* JDBC data source as the dehydration store?

For example using TimesTen as the store would pose some interesting performance possibilities..

By: Peter K

Peter K — Sat, 14 Oct 2006 02:01:40 +0000

Good to know…actually the consultant saw my comment and replied with an assurance that they are indeed using redirection to protect the password.

Just because someone has access to the server doesn’t mean that security has been breached. I like to think that we practise security by not assuming that our external firewall are the only line of protection. Everything is protected internally too so even if one server (area) was breached, there are still protection for the other servers/databases.

By: Lucas Jellema

Lucas Jellema — Tue, 10 Oct 2006 06:38:44 +0000

Well, several points on that remark:
- first of all: I am looking at a default installation on a stand-alone, development machine, so security is one of my least concerns right now
- secondly: the configuration file mentioned in this article is on the application server; if an undesired individual would gain access to that machine, security would already have been breached in a pretty major way
- thirdly, passwords can – and should – be stored encrypted in this file in any serious environment. See Declarative J2EE authentication and authorization with JAAS by Frank Nimphius and Duncan Mills, July , 2005 for more details.

From this article I quote: “This however can be achieved with the password indirection feature in OC4J that allows passwords used in the data-sources.xml to be stored encrypted in the jazn-data.xml file…” and “Password indirection in OC4J

For stronger protection, configure the J2EE data sources to use password indirection in OC4J. An indirect password is made up of a special indirection symbol, which is a hyphen directly followed by a greater than character (->), and a user name. When OC4J encounters an indirect password, it uses its privileged access to retrieve the password associated with the specified user from the OC4J jazn-data.xml file, which is located in the \j2ee\home\config directory.

To use password indirection, the value of the password attribute in the element is replaced by the “->PwdForScott” reference

PwdForScott”
url=”jdbc:oracle:thin:@localhost:1521:orcl”
inactivity-timeout=”30″
/>

The jazn-data.xml file in the \j2ee\home\config directory requires the following additional entry to make the password indirection work.

The database schema password in the jazn-data.xml example provided above is “tiger”. Because the password is specified with a leading “!” character, it gets encrypted after re-starting the OC4J instance. The encrypted password looks similar to “{903}ZECYw/3kJmhVjzXgbZhxFg1/F8mhpsrr”. The LoginModule usage of the data source does not need to be changed for using the password indirection feature.”

By: Peter K

Peter K — Sun, 08 Oct 2006 11:24:26 +0000

So, isn’t having the password in cleartext in the data-sources.xml file a concern? That seems to smack of very poor security design.

We just started using BPEL PM in our organization and I think I will have to take a closer look at how it was installed and configured (Installation/Configuration was done by consultants who are supposely “experts” in BPEL PM).