The Password Of The Tuxedo User Connecting To Oracle Database Displayed In Plain Text In XA Trace. (Doc ID 1396101.1)

Last updated on JUNE 28, 2017

Applies to:

Oracle Tuxedo - Version 11.1.1.2.0 and later
Information in this document applies to any platform.

Symptoms

Consider a Tuxedo application connecting to Oracle Database using the XA interface.

Tuxedo acts as the transaction manager and decides when XA functions are executed, in particular xa_open(), which connects to the Oracle database instance.

The OPENINFO string defines what Tuxedo passes to the xaoopen() function. The content of this string is not defined by Tuxedo; it is defined by Oracle Database.

For a complete description of the data passed in the OPENINFO string, refer to the Oracle Database Advanced Application Developer's Guide:

Developing Applications with Oracle XA
"This chapter explains how to use the Oracle XA library. Typically, you use this library in applications that work with transaction monitors. The XA features are most useful in applications in which transactions interact with multiple databases."

The user credentials are defined within the OPENINFO string in the Tuxedo ubb configuration file. On the Tuxedo side, the user password passed in the OPENINFO string is encrypted. When Oracle XA traces are activated within the OPENINFO string, the password is displayed in plain text.

Why is the user password written in plain text in the Oracle XA trace log file?

From a security standpoint, is there a way to prohibit the logging of the user credentials in the Oracle Database XA logs?

Changes

The password of the user connected to Oracle through xa_open() appears in plain text in the Oracle XA log file even if it has been encrypted in the Tuxedo configuration file:

Excerpt from the Oracle XA trace log file xa_NULL01182012.trc, stored in /home/test/oxa/log:
123756.4120610.1.0:

xaoopen: xa_info=Oracle_XA+Acc=P/bankapp1/bankapp1+SqlNet=YAIO14+SesTm=300+LogDir=/home/test/oxa/log+DbgFl=0x7,rmid=0,flags=0x0



Excerpt from the matching Tuxedo ubb configuration file:

OPENINFO="ORACLE_XA:Oracle_XA+Acc=P/bankapp1/@@A097E47722D4@@+SqlNet=YAIO14+SesTm=300+LogDir=/home/test/oxa/log+DbgFl=0x7"



The "@@A097E47722D4@@" substring within the OPENINFO string proves that the user password encryption works well on the Tuxedo side. No password in plain text is passed.
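
An added example, not part of the original Oracle note and not Oracle or Tuxedo code: a Python audit that flags OPENINFO entries combining a non-zero DbgFl with Acc=P/user/password credentials, and masks the password in xaoopen trace lines that already exist on disk. The function names, the case-insensitive field matching and the <redacted> marker are assumptions of this sketch; the sample strings are constructed from the two excerpts above.

```python
import re

# Constructed samples, modelled on the two excerpts in this note.
UBB_SAMPLE = ('OPENINFO="ORACLE_XA:Oracle_XA+Acc=P/bankapp1/@@A097E47722D4@@'
              '+SqlNet=YAIO14+SesTm=300+LogDir=/home/test/oxa/log+DbgFl=0x7"')
TRACE_SAMPLE = ("xaoopen: xa_info=Oracle_XA+Acc=P/bankapp1/bankapp1+SqlNet=YAIO14"
                "+SesTm=300+LogDir=/home/test/oxa/log+DbgFl=0x7,rmid=0,flags=0x0")

# OPENINFO="<resource manager name>:<XA open string>"
OPENINFO_RE = re.compile(r'OPENINFO\s*=\s*"([^":]+):([^"]*)"')
# Acc=P/<user>/<password>; the password ends at the next '+', ',' or space.
ACC_RE = re.compile(r'(Acc=P/[^/+]*/)([^+,\s]+)', re.IGNORECASE)

def parse_open_string(open_string):
    """Split a '+'-separated XA open string into {field name (lower case): value}."""
    fields = {}
    for part in open_string.split("+"):
        key, sep, value = part.partition("=")
        if sep:  # the leading resource manager name has no '=' and is skipped
            fields[key.strip().lower()] = value
    return fields

def audit_ubb(text):
    """Report each OPENINFO entry that enables XA tracing while carrying a password."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = OPENINFO_RE.search(line)
        if not match:
            continue
        fields = parse_open_string(match.group(2))
        try:
            dbgfl = int(fields.get("dbgfl", "0"), 0)  # accepts 0x7 as well as 7
        except ValueError:
            dbgfl = -1  # unparsable flag: report it rather than assume tracing is off
        acc = fields.get("acc", "").split("/", 2)
        has_password = len(acc) == 3 and acc[0].upper() == "P" and acc[2] != ""
        if dbgfl != 0 and has_password:
            findings.append({"line": lineno, "rm": match.group(1),
                             "dbgfl": fields.get("dbgfl"),
                             "logdir": fields.get("logdir", "(not set)")})
    return findings

def redact_trace_line(line):
    """Mask the password in an xaoopen trace line, keeping user and other fields."""
    return ACC_RE.sub(r"\g<1><redacted>", line)

if __name__ == "__main__":
    print(audit_ubb(UBB_SAMPLE))
    print(redact_trace_line(TRACE_SAMPLE))
```

The LogDir value reported for each finding is the directory whose existing .trc files and permissions need review.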

Cause
