Overview: Using a Preconfigured Secure Oracle Database

You can preconfigure your Oracle database for the 3DOrchestrate Distribution Server application and then run the deployment utility for TomEE+ without giving the Oracle SYS/SYSDBA password.

See Also
Creating the Oracle Instance, Tablespace, Schema User, and Tables
Deploying the Application

There are two components of the 3DOrchestrate Distribution Server that require Oracle user credentials: the 3DOrchestrate deployment utility and the TomEE+ datasource definitions. The deployment utility needs one-time access to these credentials when it configures the application in TomEE+.

The TomEE+ datasource needs the schema user name and password each time it accesses the database but it does not require the SYSDBA password.

The 3DOrchestrate deployment utility runs in two modes: 1) when the Oracle SYSDBA password is provided and the deployment utility is allowed SYSDBA access to configure the database schema user, and 2) when you have preconfigured the database schema for 3DOrchestrate so that the SYSDBA password is not needed and the deployment utility only configures TomEE+. The default mode (1) requires that you enter both the SYSDBA password (to allow creation of a tablespace and a schema user) and the schema user password (to initialize the schema tables). The instructions in these topics describe mode 2.

The workflow for this process includes the following high-level steps:

  1. The database administrator (DBA) should follow the instructions in the Related Topics to preconfigure the schema user and tablespace manually, without using the deployment utility. Then the deployment utility should be run to configure TomEE+ only. In this case the SYSDBA password is not required by the deployment utility—only the schema username, schema password, SID, hostname of the Oracle server, and connection port number.
  2. The database administrator and system administrator work together to configure the 3DOrchestrate Distribution Server so that the DBA can keep the schema user password private. This security scenario allows two people ("two sets of eyes") to watch the database configuration actions. When the 3DOrchestrate deployment tool is run, the DBA can securely enter the schema password—i.e., only “********” is visible while typing. After the deployment completes, you can check the datasource configuration in the tomee.xml configuration file—the password for the schema user will be encrypted, not plain-text.

After the database configuration and TomEE+ application deployment are completed, a security audit will not be able to find any unencrypted passwords in any of the configuration or log files. Log files are contained in the directory <TomEE_deploy_dir>/logs/. All encrypted passwords are secure against all reasonable attempts to decrypt the password.

This technique has the following security limitations:

  • The password encryption is not hardened against attempts such as code decompilation or use of debuggers to inspect runtime code of the 3DOrchestrate system.
  • It is expected that the physical security of the 3DOrchestrate Distribution Server machine is sufficient to prevent malicious acts by untrusted individuals.