Blackpearl Oracle Connection String Security Issue?



I am evaluating K2 Blackpearl.  In the Oracle connection video:

 

https://www.youtube.com/watch?v=oqkQ0syZ9e8

 

There is a service instance configuration window where you have to put in the connection string.  Part of this connection string seems to be a hard-coded username and password as part of the string.

 

Is this a security concern at all when connecting to Oracle?  Our company is extremely security sensitive because of the data we house, so I am trying to ensure I have a good understanding.  

 

Thanks!

 

Ryan


2 replies


I don't know what you consider a security concern, but the connection credentials are stored in the connection string.


Hi Ryan_B,

 

Hopefully this isn't too late a response!

 

I've had the same issues with security and, you're right, the connection string does contain the username and password in clear text.

 

I'd suggest...

 

1. Install IPsec on your network (http://en.wikipedia.org/wiki/IPsec) and encrypt every packet.

2. Alter your firewall settings to only allow communications between your Oracle Server and K2 Server on a specific port.

3. You may also want to create a separate Oracle schema with limited access and a "middleman" between K2 and your actual core schema.

 

I've raised this issue with K2 in the past and they're aware of it. I'm hopeful that they may upgrade the Oracle service broker in the future to handle encrypted passwords.

 

Hope this helps.

 

David Drewette

OraPro Ltd
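
One way to set up the limited "middleman" schema from suggestion 3, as an added example that is not part of the reply above or of K2's documentation. The names `core_app`, `orders`, `k2_gateway`, `k2_svc` and the view are hypothetical, and the passwords are placeholders; the point is that the account whose password sits in the connection string can log in and read one view, nothing else.

```sql
-- Added example: all schema, table, view and account names are hypothetical.
-- Run as a DBA. CORE_APP is assumed to be the existing core schema.

-- 1. Gateway schema that owns the views K2 is allowed to see.
--    It is locked, so nobody can log in as it.
CREATE USER k2_gateway IDENTIFIED BY "REPLACE_WITH_GENERATED_SECRET_1" ACCOUNT LOCK;

-- 2. The gateway may read only the core tables it needs.
--    WITH GRANT OPTION is required so that access to a view built on this
--    table can be granted onward to a third account.
GRANT SELECT ON core_app.orders TO k2_gateway WITH GRANT OPTION;

-- 3. Expose only the columns and rows the workflow needs.
CREATE VIEW k2_gateway.v_open_orders AS
  SELECT order_id, customer_id, status, created_on
    FROM core_app.orders
   WHERE status = 'OPEN';

-- 4. Service account whose username and password go into the K2
--    connection string. It can connect and read the view, nothing more.
CREATE USER k2_svc IDENTIFIED BY "REPLACE_WITH_GENERATED_SECRET_2";
GRANT CREATE SESSION TO k2_svc;
GRANT SELECT ON k2_gateway.v_open_orders TO k2_svc;

-- 5. Verify the exposure if the connection string is ever read by someone
--    else. Expected: one system privilege (CREATE SESSION), one object
--    privilege (SELECT on the view), no roles.
SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'K2_SVC';

SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'K2_SVC';

SELECT granted_role
  FROM dba_role_privs
 WHERE grantee = 'K2_SVC';
```

With this layout, a leaked connection string gives read access to `v_open_orders` only, and rotating the `k2_svc` password does not touch the core schema.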

 

 

 

 
