Comments on: Oracle 10.2 Migrations – Account LOCKED(TIMED) and FAILED_LOGIN_ATTEMPTS http://www.pythian.com/news/284/oracle-102-migrations-%e2%80%93-account-lockedtimed-and-failed_login_attempts/ News and views from Pythian DBAs Fri, 10 Feb 2012 13:01:25 +0000 hourly 1 http://wordpress.org/?v=3.0.4 By: Laurent Schneider http://www.pythian.com/news/284/oracle-102-migrations-%e2%80%93-account-lockedtimed-and-failed_login_attempts/#comment-6494 Laurent Schneider Fri, 10 Nov 2006 09:16:04 +0000 http://www.pythian.com/blogs/284/oracle-102-migrations-%e2%80%93-account-lockedtimed-and-failed_login_attempts#comment-6494 yes, that's why I wrote that it is a bad practice to suppose the dbsnmp password is dbsnmp (well, the 10g agent works with 9i databases where it was default). So I guess the OEM team should update their security practices to be conform with the newest db releases ! yes, that’s why I wrote that it is a bad practice to suppose the dbsnmp password is dbsnmp (well, the 10g agent works with 9i databases where it was default). So I guess the OEM team should update their security practices to be conform with the newest db releases !

]]> By: Alex Gorbachev http://www.pythian.com/news/284/oracle-102-migrations-%e2%80%93-account-lockedtimed-and-failed_login_attempts/#comment-6376 Alex Gorbachev Thu, 09 Nov 2006 13:36:05 +0000 http://www.pythian.com/blogs/284/oracle-102-migrations-%e2%80%93-account-lockedtimed-and-failed_login_attempts#comment-6376 Well, I don't recall that in 10g you have a default password, at least, in the installer. In fact, if I remember correctly, OUI does not allow setting it to DBSNMP manually (if I don't mistake it for something else). Well, I don’t recall that in 10g you have a default password, at least, in the installer. In fact, if I remember correctly, OUI does not allow setting it to DBSNMP manually (if I don’t mistake it for something else).

]]> By: Laurent Schneider http://www.pythian.com/news/284/oracle-102-migrations-%e2%80%93-account-lockedtimed-and-failed_login_attempts/#comment-6358 Laurent Schneider Thu, 09 Nov 2006 08:38:04 +0000 http://www.pythian.com/blogs/284/oracle-102-migrations-%e2%80%93-account-lockedtimed-and-failed_login_attempts#comment-6358 Alex, I could even say, it is a miserable strategy from Oracle to suppose the dbsnmp password could be dbsnmp, Oracle should not even allow this! as you install the agent, you should be forced to set the password for each target, the current approach <i>well, it is easier to set it to dbsnmp for auto-discovery</i> is simply a huge security hole. YMMV Alex, I could even say, it is a miserable strategy from Oracle to suppose the dbsnmp password could be dbsnmp, Oracle should not even allow this! as you install the agent, you should be forced to set the password for each target, the current approach well, it is easier to set it to dbsnmp for auto-discovery is simply a huge security hole.

YMMV

]]> By: Alex Gorbachev http://www.pythian.com/news/284/oracle-102-migrations-%e2%80%93-account-lockedtimed-and-failed_login_attempts/#comment-6293 Alex Gorbachev Wed, 08 Nov 2006 18:51:35 +0000 http://www.pythian.com/blogs/284/oracle-102-migrations-%e2%80%93-account-lockedtimed-and-failed_login_attempts#comment-6293 Laurent, Good idea, Merci. But it should retry sooner or later anyway. Otherwise, it's a manual action. Pete, Thanks for your input. Fully agree with you and that why I mentioned reviewing security policies (or at least introduce some as there is often nothing to review). However, I believe that <i>migration projects should not include any additional tasks but bare minimum</i>. Otherwise, it's too much troubles to troubleshoot what's going wrong during migration. What has more priority for the company - migration or security is another question. Often I see it's not in favor of security. :-( Cheers guys. Laurent,
Good idea, Merci. But it should retry sooner or later anyway. Otherwise, it’s a manual action.

Pete,
Thanks for your input. Fully agree with you and that why I mentioned reviewing security policies (or at least introduce some as there is often nothing to review). However, I believe that migration projects should not include any additional tasks but bare minimum. Otherwise, it’s too much troubles to troubleshoot what’s going wrong during migration. What has more priority for the company – migration or security is another question. Often I see it’s not in favor of security. :-(

Cheers guys.

]]> By: Pete Finnigan http://www.pythian.com/news/284/oracle-102-migrations-%e2%80%93-account-lockedtimed-and-failed_login_attempts/#comment-6272 Pete Finnigan Wed, 08 Nov 2006 12:07:33 +0000 http://www.pythian.com/blogs/284/oracle-102-migrations-%e2%80%93-account-lockedtimed-and-failed_login_attempts#comment-6272 Hi Alex, I would not recommend setting it back to unlimited. In fact I disagree with Oracle's very conservative value of 10. I would recommend creating different profiles for differnet groups of users, ie PROD accounts, DBA's, power users, users (if they connect directly), default accounts.... Each should have their own profile and differnt values. For instance failed_login_attempts should be much lower for accounts that are rarely directly accessed. Also the lock time for these should be much higher for the same reason. Even though Oracle have strengthened their default security position no one should rely on it. The security design should suit the application/ regulatory issues / internal policies always. cheers Pete Hi Alex,

I would not recommend setting it back to unlimited. In fact I disagree with Oracle’s very conservative value of 10. I would recommend creating different profiles for differnet groups of users, ie PROD accounts, DBA’s, power users, users (if they connect directly), default accounts….

Each should have their own profile and differnt values. For instance failed_login_attempts should be much lower for accounts that are rarely directly accessed. Also the lock time for these should be much higher for the same reason. Even though Oracle have strengthened their default security position no one should rely on it. The security design should suit the application/ regulatory issues / internal policies always.

cheers

Pete

]]> By: Laurent Schneider http://www.pythian.com/news/284/oracle-102-migrations-%e2%80%93-account-lockedtimed-and-failed_login_attempts/#comment-6262 Laurent Schneider Wed, 08 Nov 2006 10:12:38 +0000 http://www.pythian.com/blogs/284/oracle-102-migrations-%e2%80%93-account-lockedtimed-and-failed_login_attempts#comment-6262 the fact that the OEM 10g agent is trying to log with DBSNMP/DBSNMP until the account is lock is a pity. After one invalid password, Oracle should figure out we are NOT using the password DBSNMP for the account DBSNMP. the fact that the OEM 10g agent is trying to log with DBSNMP/DBSNMP until the account is lock is a pity. After one invalid password, Oracle should figure out we are NOT using the password DBSNMP for the account DBSNMP.

]]> By: vidya http://www.pythian.com/news/284/oracle-102-migrations-%e2%80%93-account-lockedtimed-and-failed_login_attempts/#comment-6209 vidya Tue, 07 Nov 2006 18:30:06 +0000 http://www.pythian.com/blogs/284/oracle-102-migrations-%e2%80%93-account-lockedtimed-and-failed_login_attempts#comment-6209 this is useful information - since I am on my way to a 10g Migration this is useful information – since I am on my way to a 10g Migration

]]>