Differences between revisions 10 and 11
Revision 10 as of 2019-11-18 18:23:35 (editor: sigdba)
Revision 11 as of 2019-11-18 18:24:51 (editor: sigdba)

Skiring

Skiring is a utility developed by Strata Information Group for storing passwords in an obfuscated format and retrieving them when needed for use in shell scripts. The purpose of skiring is to reduce or eliminate the storage of database passwords in plain-text files.

Installation

The software is installed by executing

yum install -y http://r.sigcorp.com/skiring/master/skiring-0.2-1.x86_64.rpm

The installation creates the skiring user in the OS, and initializes the password safe.

Use

If a script requires a password from the safe, it may request it using the banpass command. As an example, scripts that formerly requested a password like so:

BANINST1_PASS=`grep -w BANINST1 $BANNER_HOME/.siboleth | awk -F/ '{print $1}'`

will now request it like so:

BANINST1_PASS=`banpass BANINST1`

If a script requires a user/password string from the safe, it may request it using the banidpw command. As an example, scripts that formerly requested the string like so:

SCHEDULER_IDPW=`grep -w SCHEDULER $BANNER_HOME/.siboleth`

will now request it like so:

SCHEDULER_IDPW=`banidpw SCHEDULER`

You can also call the safe directly by entering the skiring get <key> command (e.g. skiring get bansecr@test).

You must have access to the key in order to get it from the safe. Key names are NOT case-sensitive.
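The following is an added example, not code from skiring and not Oakland's banpass/banidpw scripts: a small wrapper a job script can source so that a missing key or a denied request fails the job instead of silently producing an empty password. It assumes that banpass and banidpw print the value on stdout and exit non-zero when the key does not exist or the calling OS user has no access; the BANPASS_CMD and BANIDPW_CMD variables and all function names are ours and exist only so the wrapper can be exercised with stubs.

```shell
#!/bin/sh
# Added example; not part of skiring or of Oakland's banpass/banidpw scripts.
# A fail-closed way for a job script to pull secrets from the safe.
# Assumptions (ours): banpass/banidpw print the value on stdout and exit non-zero
# when the key does not exist or the calling OS user has no access to it.
# BANPASS_CMD / BANIDPW_CMD only exist so the wrapper can be tested with stubs.

BANPASS_CMD=${BANPASS_CMD:-banpass}
BANIDPW_CMD=${BANIDPW_CMD:-banidpw}

# fetch_secret GETTER KEY: print the value, or return 1 and print nothing.
fetch_secret() {
    getter=$1; key=$2
    # Refuse empty or suspicious key names instead of handing them to the safe.
    case $key in
        ''|*[!A-Za-z0-9_@.-]*)
            echo "fetch_secret: bad key name" >&2; return 1 ;;
    esac
    # Switch xtrace off around the call so a 'set -x' in the caller cannot
    # write the secret into a job log, then restore it afterwards.
    case $- in *x*) trace=1; set +x ;; *) trace=0 ;; esac
    if value=$("$getter" "$key"); then rc=0; else rc=$?; fi
    if [ "$trace" -eq 1 ]; then set -x; fi
    if [ "$rc" -ne 0 ] || [ -z "$value" ]; then
        echo "fetch_secret: no value for key $key (exit $rc)" >&2
        return 1
    fi
    printf '%s\n' "$value"
}

# The two forms used on this page.
get_pass() { fetch_secret "$BANPASS_CMD" "$1"; }   # password only
get_idpw() { fetch_secret "$BANIDPW_CMD" "$1"; }   # user/password

# Feed a user/password string to a client on stdin rather than on its command
# line, so it does not show up in ps output. CLIENT... is the program to run;
# a real job would put the database client here, any filter will do for a demo.
run_with_idpw() {
    key=$1; shift
    idpw=$(get_idpw "$key") || return 1
    printf '%s\n' "$idpw" | "$@"
}

# Typical use in a job script, replacing the .siboleth grep shown above:
#   BANINST1_PASS=$(get_pass BANINST1) || exit 1
```

The xtrace handling is there because job scripts are commonly run with set -x while debugging, which would otherwise copy the retrieved password into the job log; the non-empty check matters because a script that proceeds with an empty password tends to fail later in a less obvious place.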

Maintenance

Maintenance of the password safe must be done while logged in as the skiring user. You may use sudo or xsu to become the skiring user if you have sudo access.

To add a new key, simply enter skiring put <key> (for example, skiring put system@test). You will be prompted for the password. Keys are NOT case-sensitive. Please note that we use the convention <username>@<oracle_sid> for the keys, because a single password safe serves all of the database instances that might be available.

When a new key is created, only the skiring user can access it. Access to the key must be granted to every operating system user that requires it. To do so, use one or both of the following commands:

  • Enter dbagrant <key> (for example, dbagrant system@test or dbagrant system). If only the username portion of the key is supplied (e.g. system), the SID portion of the key is obtained from the current value of $ORACLE_SID. This command will grant access to all Banner service accounts (e.g. appmgr, banjobs, banner, &c.), and to all users who belong to the dba group in the operating system.

  • Enter skiring grant <key> <user> (for example, skiring grant system@test oracle). The key must be spelled out completely. This needs to be repeated for each operating system user that requires access. Use this command when you have already run dbagrant <key> as above but need to grant access to additional individuals.

Access to a key may be revoked from individual users using the command skiring revoke <key> <user> (for example, skiring revoke system@test devuser). The key name must be spelled out completely.

Add-ons

The following shell scripts were added to facilitate use of Skiring in Oakland University's environment:

  • /home/skiring/bin/importkeys - This script imports the $BANNER_HOME/.siboleth for the current $ORACLE_SID into the password safe. In order to use it, the banner user must first grant the skiring user access to the .siboleth file by entering setfacl -m user:skiring:rwx $BANNER_HOME/.siboleth. Keys from .siboleth are created in the safe using the format "USER@ORACLE_SID" (e.g. BANSECR@TEST, SYS@PROD, &c.). The script also grants access to the new keys to the operating system accounts of the DBAs as identified in /etc/group, as well as to the various Banner service accounts (e.g. appmgr, bjobtest, &c.).

  • /home/skiring/bin/dbagrant - This script grants access to a given key to the operating system accounts of the DBAs as identified in /etc/group, as well as to the various Banner service accounts (e.g. appmgr, bjobtest, &c.).

  • /usr/local/bin/banpass - This script returns the password for a given key (Banner account) in the current ORACLE_SID, provided the OS user has access to the key.

  • /usr/local/bin/banidpw - This script returns the user and password for a given key (Banner account) in the current ORACLE_SID, provided the OS user has access to the key. The format of the response is "user/password".
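The following is an added example, not skiring's own code and not the importkeys or dbagrant scripts listed above: small helpers that apply the <username>@<oracle_sid> key convention from the Maintenance section (including dbagrant's rule of taking the SID from $ORACLE_SID when only a username is given) and the USER@ORACLE_SID form that importkeys writes. It assumes that .siboleth lines have the form USER/PASSWORD, that keys can be stored in upper case because the safe ignores case, and that the service-account list (appmgr, banjobs, banner, bjobtest, taken from the names on this page) stands in for whatever the real dbagrant uses. It prints the grant commands rather than running them, and the .siboleth and group data at the end are constructed.

```shell
#!/bin/sh
# Added example; not skiring's own code and not Oakland's importkeys/dbagrant scripts.
# Helpers that follow the <username>@<oracle_sid> key convention described on this page.
# Assumptions (ours): keys are printed in upper case because importkeys stores them as
# USER@ORACLE_SID and the safe ignores case; .siboleth lines have the form USER/PASSWORD;
# the Banner service-account list below is a placeholder built from names on this page.

# key_name NAME [SID]: print NAME@SID in upper case. As with dbagrant, a bare
# username takes its SID from $ORACLE_SID; a full user@sid key passes through;
# anything else (empty, no user, no SID, two '@') is rejected.
key_name() {
    name=$1
    case $name in
        '')            echo "key_name: empty key" >&2; return 1 ;;
        *@*@*|@*|*@)   echo "key_name: malformed key '$name'" >&2; return 1 ;;
        *@*)           key=$name ;;
        *)
            sid=${2:-$ORACLE_SID}
            if [ -z "$sid" ]; then
                echo "key_name: no SID given and ORACLE_SID is unset" >&2; return 1
            fi
            key=$name@$sid ;;
    esac
    printf '%s\n' "$key" | tr '[:lower:]' '[:upper:]'
}

# siboleth_keys SID: read .siboleth on stdin and print one USER@SID key per
# credential line. Only the part before '/' is used, so passwords never leave
# the function; blank lines and '#' comments are skipped, and a line without
# '/' is reported on stderr and skipped.
siboleth_keys() {
    sid=$1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) ;;
            */*)     key_name "${line%%/*}" "$sid" ;;
            *)       echo "siboleth_keys: skipping malformed line" >&2 ;;
        esac
    done
}

# grant_list KEY: read a file in /etc/group format on stdin and print the
# 'skiring grant' commands a dbagrant-style script would run: one per member
# of the dba group plus one per Banner service account. Nothing is executed.
grant_list() {
    key=$1
    dba_members=$(awk -F: '$1 == "dba" { print $4 }' | tr ',' '\n')
    for user in appmgr banjobs banner bjobtest $dba_members; do
        printf 'skiring grant %s %s\n' "$key" "$user"
    done | sort -u
}

# Demo on constructed data; no real .siboleth or /etc/group is read.
ORACLE_SID=${ORACLE_SID:-TEST}
printf 'BANSECR/example-only\nSYS/example-only\n' | siboleth_keys "$ORACLE_SID"
printf 'dba:x:54322:oracle,dba1\n' | grant_list "$(key_name system)"
```

Keeping the username extraction in one place means a malformed .siboleth line or a missing ORACLE_SID is caught before anything is written to the safe, and the password text is never echoed, so the helper can be run under set -x without leaking it.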

Still to do

  • All scripts that use $BANNER_HOME/.siboleth would need to be modified to use banpass, banidpw, or a skiring command. Some of these scripts may reside on remote servers; those would need to make an SSH call to a user on the jobsub server that has access to the safe. The $BANNER_HOME/.siboleth file should not be deleted until all Banner jobs have been modified to use skiring.
  • The jobsub server was chosen as the most suitable location for the safe, since the majority of calls to the safe will come from there. Keeping safes for the same database on multiple servers is not advisable, because they would then have to be kept synchronized.
  • The database servers can currently access the $BANNER_HOME file system via an NFS share, and they read the $BANNER_HOME/.siboleth file directly. Without a .siboleth file, they too would need to make an SSH call to the server where the safe is located. However, we have also created "dummy" $BANNER_HOME directories for non-Banner databases such as Automic, Degree Works, &c. For such databases, we would either need to install skiring directly on the database server, or create keys on the jobsub server for non-Banner databases as needed.
  • Skiring has been installed on banjobs6 and banjobs5.
  • Skiring cannot be used to replace passwords that are hard-coded in configuration files.
