On 2025-06-28 at 15:59, Peter J. Holzer wrote:
On 2025-06-27 19:00:36 +0200, raphi wrote:

It's the application's password that we want to ensure that it is
complex and gets changed after we set an initial password for it.
Why let a human change that at all? Couldn't you just create a suitable
random password at deployment time? (And then automatically every n
months if you want to rotate it.)

Because someone has to configure the password in the application, mostly within WLS or Tomcat, and that's definitely not something that we DBAs want to touch; that's the devs' job. Which means we would have to provide some mechanism for the application to grab the password, say from a file or something, which has its own pitfalls. Not to mention that we DBAs usually don't want to know any application passwords. The only feasible way to implement this is with HashiCorp Vault or something similar; then no one knows the password, neither DBA nor dev, and it would be guaranteed that it's complex. And application maintenance by a dev directly in the DB could then be done with personal logins via LDAP and switching to the application role as you so splendidly described ;) The same would be true for SSL certificates: only the application would need them, and the devs could log in via LDAP.

have fun
raphi
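The deployment-time pattern discussed above (a machine-generated application password that no human needs to know, plus personal logins that switch to the application role), as an added example that is not part of the thread. It assumes PostgreSQL, which the messages do not name explicitly, and hypothetical role names (app_svc for the application, personal LDAP-authenticated roles given on the command line).

```shell
#!/bin/sh
# Added example, not from the thread. Assumes PostgreSQL (not named in the
# thread) and hypothetical role names: app_svc for the application and
# personal LDAP-authenticated roles passed as arguments.
set -eu

# Mint the application password from the kernel CSPRNG: 32 characters from a
# 62-symbol alphabet is roughly 190 bits, far beyond any complexity policy a
# human-chosen password would satisfy. Nothing here prints it to a terminal.
gen_app_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
}

# Double single quotes so the value is a safe SQL string literal.
sql_quote() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# Emit the SQL for one deployment or rotation: set the application password,
# then grant membership to each personal role so a dev can authenticate with
# their own LDAP login and SET ROLE app_svc for maintenance work.
rotation_sql() {
    app_role="$1"; pw="$2"; shift 2
    printf "ALTER ROLE %s PASSWORD '%s';\n" "$app_role" "$(sql_quote "$pw")"
    for dev in "$@"; do
        printf 'GRANT %s TO %s;\n' "$app_role" "$dev"
    done
}

# Usage (not run here):
#   pw=$(gen_app_password)
#   rotation_sql app_svc "$pw" alice bob | psql -d appdb
# and hand "$pw" only to the application's secret store (e.g. Vault), so
# neither DBA nor dev ever needs to see it.
```

After the grant, a dev connects as their personal role and runs `SET ROLE app_svc;` for the maintenance session; the application password itself never leaves the secret store.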



