How does QC use Project/Schema Passwords in Oracle, can we manage them outside of QC and Oracle?
Question ID: 108239
0
0

We want to see if you have heard of anyone that has successfully integrated (database password management tools) with Quality Center. Our Security Team is mandating passwords (even for service accounts and database users) be changed every 90 days. With over 280 QC projects using Oracle, this will be a large amount of manual effort to change our "schema-user" passwords used in Oracle by QC.

Let us know if you have ideas about implementing this and if you have any best practices or advice.

Marked as spam
Posted by (Questions: 193, Answers: 14)
Asked on April 18, 2018 5:08 pm
83 views
Answers (2)
0
Private answer

You are referring to the ''schema-user'' password used in ORACLE by QC to get into the project schemas.

So, the way it works with QC and Oracle is to have one project schema for each project, AND an Oracle user with the same name for each of those schemas.

When you install QC for the first time, it asks for the ''schema-user'' password to use when creating the qcsiteadmin_db schema. This password becomes the default one used for any newly created project's schema-user in Oracle and generally is expected to remain STATIC. -- Meaning that ALL Schema-users in Oracle used by QC have the SAME password and it is expected to never expire. -- this makes management much easier.

In the qcsiteadmin_db schema, there is a PROJECTS table where it keeps track of all of the projects you see in the site projects list in Site Admin.
It stores pretty much everything seen in the DBID.XML file, including the schema password. The schema password is stored in an encrypted form.

Since this encrypted password is used, you cannot just ''hack'' in another one -- it must be encrypted and the only way to get the hash is to change the password with the GUI of Site Admin, so, a 3rd party tool would never be able to manage them for you.

Marked as spam
Posted by (Questions: 0, Answers: 15)
Answered on April 18, 2018 5:11 pm
0
Private answer

Let me double check on our end as it's been a while. I know we went through something similar to this but all of our password controls fall under Active Directory and of course SSO. Basically when your password changes in AD it trickles down through the rest of everything you have access to. Unless they don't have your Oracle database set up to take advantage of AD and SSO, then it could be a hassle.

In regards to service accounts, I think there's usually different rules surrounding that because it would be a nightmare to manage those accounts and potentially disabling applications (having them go offline) just because a password wasn't updated in time or if the app owner is on vacation that week.

In the meantime, I would check with your security group and discuss how their proposal works and express your concerns if you haven't already. My guess is this is a new requirement and they haven't gotten all the info on impact yet?

Marked as spam
Posted by (Questions: 1, Answers: 6)
Answered on April 18, 2018 5:20 pm
EyeOnTesting

Welcome back to "EyeOnTesting" brought to you by Orasi Software, Inc.

X
Scroll to Top