Oracle Plugin

Rotate Oracle database passwords with Commander

Keeper has also launched a zero-trust Password Rotation feature with KeeperPAM. This new capability is recommended for most password rotation use cases. The Documentation is linked below:

This plugin rotates a user's password in Oracle Database Server.

Prerequisites

Oracle requires Instant Client setup to enable client applications.

Consult the following page: http://www.oracle.com/technetwork/database/features/instant-client/index-097480.html

Install python-oracledb (formerly cx_Oracle)

pip3 install oracledb

Prepare Record for Rotation

Create a Record for Rotation

Rotation supports legacy and typed records. If using a typed record, a 'Login' type field is required. Additional fields may be needed depending on the rotation type. See the instructions below.

See the Troubleshooting section for more information on legacy vs typed records.

Add the following Custom Fields to the record that you want to rotate within Keeper:

To connect with DSN string:

| Label | Value | Comment |
| --- | --- | --- |
| cmdr:dsn | ex: "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=XE)))" | Oracle DSN string |

To connect using database host and service name:

If cmdr:dsn is used then cmdr:host and cmdr:db properties will be ignored.

| Label | Value | Comment |
| --- | --- | --- |
| cmdr:host | | Hostname of your Oracle server |
| cmdr:db | | Database service to connect to on Oracle server |

The following optional plugin field can be added to enforce use of the Oracle rotation plugin:

| Label | Value | Comment |
| --- | --- | --- |
| cmdr:plugin | oracle | (Optional) Tells Commander to use Oracle rotation. This should be either set on the record or supplied to the rotation command. |

Commander will use the oracle plugin automatically for records with a hostname that starts with "oracle//".

The plugin will use the Login field as the username of the password command when rotating a password.

Record Example:

A Keeper Record setup for Oracle password rotation
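The field rules above (Login required, plugin taken from the record or the command, cmdr:dsn overriding cmdr:host and cmdr:db) can be checked before a rotation is attempted. This is an added example, not Commander's own code: the function name, return shape and parenthesis check are assumptions, and the sample record is constructed.

```python
# Added example, not Commander's own code: a pre-flight check for the custom
# fields described above. Field labels come from the page; the function name,
# return shape and the parenthesis check are assumptions made for illustration.

def check_oracle_record(login, custom_fields, cli_plugin=None):
    """Return (target, warnings) or raise ValueError if rotation cannot work."""
    fields = {k.strip(): (v or "").strip() for k, v in custom_fields.items()}
    warnings = []

    # The plugin uses the Login field as the username whose password changes.
    if not (login or "").strip():
        raise ValueError("Login field is empty")

    # The plugin comes from the record (cmdr:plugin) or the rotate command.
    record_plugin = fields.get("cmdr:plugin", "")
    plugin = cli_plugin or record_plugin
    if plugin and plugin != "oracle":
        raise ValueError(f"plugin is {plugin!r}, expected 'oracle'")
    if not plugin:
        warnings.append("no cmdr:plugin on the record: pass --plugin oracle")
    if cli_plugin and record_plugin and cli_plugin != record_plugin:
        warnings.append("cmdr:plugin on the record differs from --plugin")

    dsn = fields.get("cmdr:dsn", "")
    host, db = fields.get("cmdr:host", ""), fields.get("cmdr:db", "")
    if dsn:
        # Sanity check only: a connect descriptor has balanced parentheses.
        depth = 0
        for ch in dsn:
            depth += (ch == "(") - (ch == ")")
            if depth < 0:
                break
        if depth != 0:
            raise ValueError("cmdr:dsn has unbalanced parentheses")
        if host or db:
            warnings.append("cmdr:dsn is set: cmdr:host and cmdr:db are ignored")
        return {"mode": "dsn", "dsn": dsn}, warnings
    if not (host and db):
        raise ValueError("set cmdr:dsn, or both cmdr:host and cmdr:db")
    return {"mode": "host", "host": host, "db": db}, warnings


# Constructed sample record, using the DSN example from the page.
SAMPLE = {
    "cmdr:dsn": "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=XE)))",
    "cmdr:host": "db1.example.internal",
    "cmdr:plugin": "oracle",
}
```

Running the check on SAMPLE returns the DSN target with a warning that cmdr:host is ignored, which is the kind of leftover field that otherwise sends a rotation to a different database than the record appears to describe.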

Rotate

To rotate Oracle passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once).

rotate "Oracle Example" --plugin oracle

The plugin can be supplied to the command as shown here, or added to a record field (see options above). Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.

Output

After rotation is completed, the new password will be stored in the Password field of the record.