When migrating a SQL Script, the OA log shows the APPS password.
This should not be visible in the log.
Hotfix F didn't completely correct the issue.
Do you mean that the fix mentioned in HF-f
"EBS APPS password is visible in Stat OA log file addressed with # STAT-5749"
Is not correcting the issue at all?
If that is so, I will address this with our Dev Team, and also I would like you to share with me the repercussions of this issue:
- Risks depending on this password being revealed.
- Assets involved in this risk.
- Approximate number of people involved.
- What would happen if the password is revealed?
Historically, Stat Agents debug level was used and should still be used by Stat Agents Administrator or on Support request.
It is intended to track a more detailed level of what the Agents do in order to solve problematic issues.
On customer request, for Stat operational cycles (Test connection, archive, migration, etc), Dev hides the APPS password in Stat 6.3 HF-f (STAT-5749),
which is working as expected.
Differently and regardless of the Stat operational cycles, when the OA starts, Stat performs a full check on the configuration/connection,
and the APPS password will be ONLY visible if the OA returns an error because something is missed or wrong including a wrong password,
helping the Stat Administrator to identify and solve the issue quickly. Does it make sense?
Thanks for following up.
I understand the explanation, however I still don't agree with the reasoning. and would like to see the password removed from the debug log.
A couple points to note:
- When the password is incorrect, the debug error message already indicates the reason (ex. Please verify the APPS username and password and listener port and service name in Stat's configuration. Exception: ORA-01017: invalid username/password; logon denied).
- When submitting a ticket with Quest Support, the log in debug mode is regularly required. This continues to present a security issue.
- Internal to our company we have defined roles and the Stat Administrator is not allowed to know the Apps Database password.