I’m currently doing some work around CyberArk, using it for privileged password management across the Oracle estate. One of the things CyberArk can be configured for out of the box is SQL*Plus ‘pass through’ connections. What this means is that you can log in to CyberArk, select a database and click ‘connect’. This launches a SQL*Plus session without the password ever having to be released to you.
Launching SQL*Plus is done using a combination of things: JavaScript, CyberArk database settings and an Oracle Instant Client. CyberArk stores the following information: SQL*Plus Instant Client location, Address, Database and Port. The Oracle Instant Client is installed locally on your desktop or laptop. The JavaScript takes the information stored in CyberArk and launches the SQL*Plus session.
When we initially configured this and launched SQL*Plus we got the TNS error ORA-12504. This error says the listener wasn’t given a service name as part of the connection string, which was odd as the field for the database name was definitely configured and saved.
A bit of head scratching led me to this listener.ora parameter:
This parameter allows a TNS connection to specify just a host and nothing else. Why you would want to do such a thing is a bit of a mystery, but it allowed the SQL*Plus pass through connection to work, as the service name was now supplied by the listener rather than by the client. Have a look at MOS 556996.1 for more details.
Getting this to work at all was a result, but a workaround that meant setting this parameter across the estate wasn’t acceptable. So I decided to have a look at the JavaScript. Like most DBAs, I have probably debugged enough code, shell scripts, Perl scripts and pizza menus to at least have a crack at JavaScript.
Here is an excerpt from the script.
var sCommand = "\"" + SQLPlusPath + "\" " + username + "/" + password + "@" + address;
So the default connection string for SQL*Plus CyberArk pass through connections uses only the Address field from the CyberArk application. This means the Database and Port fields play no part in forming the connection string. So in CyberArk you would think you would specify this:
Address: ldnserver01 Port: 1521 Database: DB1
You need to specify this:
Address: ldnserver01:1521/DB1 Port: 1521 (fill it out for completeness, but it’s not used) Database: DB1 (fill it out for completeness, but it’s not used)
As Gordon Ramsay might say: CyberArk, SQL*Plus pass through... DONE.
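To make the behaviour concrete, here is an added JavaScript example. It is not CyberArk's pass-through script: it reconstructs the string building from the excerpt, adds a check that tells a bare host (the ORA-12504 case) apart from the working host:port/service form, and shows a variant that builds that form from all three CyberArk fields so Port and Database are actually used. The function names (parseEzConnect, hasServiceName, buildDefaultCommand, buildConnectString), the Instant Client path and the credentials are my own placeholders.

```javascript
// Added example, not CyberArk's pass-through script: it reconstructs the
// connect-string logic from the excerpt and shows why a bare Address gives
// ORA-12504 and how the host:port/service form avoids it.

// Parse an EZConnect-style address "host[:port][/service]" into its parts.
// Returns null when no host is present.
function parseEzConnect(address) {
  const m = /^([^:\/\s]+)(?::(\d+))?(?:\/(\S+))?$/.exec(String(address).trim());
  if (m === null) return null;
  return {
    host: m[1],
    port: m[2] !== undefined ? Number(m[2]) : null,
    service: m[3] !== undefined ? m[3] : null,
  };
}

// True when the address carries a service name. A bare host relies on the
// listener supplying a default service; without that it fails with ORA-12504.
function hasServiceName(address) {
  const parsed = parseEzConnect(address);
  return parsed !== null && parsed.service !== null;
}

// Mirrors the excerpt: only the Address field reaches the connect string,
// so Port and Database are ignored regardless of what is stored in CyberArk.
function buildDefaultCommand(sqlPlusPath, username, password, address) {
  return "\"" + sqlPlusPath + "\" " + username + "/" + password + "@" + address;
}

// Alternative that uses all three fields. If Address already holds the
// full host:port/service form (the workaround above), it is used as-is;
// otherwise host, Port and Database are combined into that form.
function buildConnectString(address, port, database) {
  const parsed = parseEzConnect(address);
  if (parsed === null) throw new Error("Address must start with a host name");
  if (parsed.service !== null) return String(address).trim();
  const effectivePort = parsed.port !== null ? parsed.port : Number(port);
  if (!Number.isInteger(effectivePort) || effectivePort <= 0) {
    throw new Error("Port must be a positive integer");
  }
  if (!database) throw new Error("Database (service name) is required to avoid ORA-12504");
  return parsed.host + ":" + effectivePort + "/" + database;
}

// Constructed sample values; the path and credentials are placeholders.
const sqlPlusPath = "C:\\oracle\\instantclient\\sqlplus.exe";

// Fields as you would expect to enter them: Address ldnserver01, Port 1521, Database DB1.
// The default logic yields "appuser/<password>@ldnserver01", which has no service name.
console.log(buildDefaultCommand(sqlPlusPath, "appuser", "<password>", "ldnserver01"));
console.log("service name present:", hasServiceName("ldnserver01"));           // false

// The workaround: the whole EZConnect string in the Address field.
console.log(buildDefaultCommand(sqlPlusPath, "appuser", "<password>", "ldnserver01:1521/DB1"));
console.log("service name present:", hasServiceName("ldnserver01:1521/DB1")); // true

// Same result from plain fields, with Port and Database actually used.
console.log(buildConnectString("ldnserver01", 1521, "DB1"));                   // ldnserver01:1521/DB1
```

Run it with node and the three commands print in turn. The hasServiceName check is the useful one to run against the Address field before launching: it distinguishes the bare-host case, which only works when the listener supplies a default service, from the host:port/service form that works without any listener change. Worth noting from a password-management point of view: the excerpt's username/password@address form passes the password on the command line, where it sits in the local process argument list for the life of the launch.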