On 28.06.2025 at 15:59, Peter J. Holzer wrote:
> On 2025-06-27 19:00:36 +0200, raphi wrote:
> > It's the application's password that we want to ensure that it is
> > complex and gets changed after we set an initial password for it.
> Why let a human change that at all? Couldn't you just create a suitable
> random password at deployment time? (And then automatically every n
> months if you want to rotate it.)
Because someone has to configure the password in the application, mostly
within WLS or Tomcat, and that's definitely not something that we DBAs
want to touch; that's the devs' job. Which means we would have to provide
some mechanism for the application to grab the password, say from a file
or something, which has its own pitfalls. Not to mention that we DBAs
usually don't want to know any application passwords. The only feasible
way to implement this is with HashiCorp Vault or something similar; then
no one knows the password, neither DBA nor dev, and it would be
guaranteed that it's complex. And application maintenance by a dev
directly in the DB could then be done with personal logins via LDAP and
switching to the application role as you so splendidly described ;) The same
would be true for SSL certificates: only the application would need it,
and the devs could log in via LDAP.
have fun
raphi
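The role layout raphi sketches (application role with a machine-generated password, developers with personal LDAP logins who switch to the application role for maintenance), as an added example that is not from the thread. It assumes the database is PostgreSQL, that LDAP authentication for the personal roles is configured in pg_hba.conf, and that the role names `app_svc` and `alice` are placeholders.

```sql
-- Application login role. The password is supplied by the secrets
-- manager (e.g. Vault) at deployment or rotation time; the literal
-- below is a placeholder, never a value a human should type or know.
CREATE ROLE app_svc LOGIN PASSWORD 'REPLACE_WITH_SECRETS_MANAGER_VALUE';

-- Application objects belong to the application role.
CREATE SCHEMA app AUTHORIZATION app_svc;
CREATE TABLE app.orders (id serial PRIMARY KEY, note text);
ALTER TABLE app.orders OWNER TO app_svc;

-- Personal developer role: no password stored in the database, because
-- pg_hba.conf authenticates this role against LDAP (assumed). NOINHERIT
-- means alice does not silently carry app_svc's privileges in every
-- session; she has to switch roles explicitly for maintenance work.
CREATE ROLE alice LOGIN NOINHERIT;

-- Membership lets alice become app_svc without knowing its password.
GRANT app_svc TO alice;

-- In a session opened as alice (authenticated via LDAP):
SET ROLE app_svc;
-- session_user stays 'alice' (who logged in), current_user is now
-- 'app_svc' (whose privileges apply); both are visible for auditing.
SELECT session_user, current_user;
ALTER TABLE app.orders ADD COLUMN created_at timestamptz DEFAULT now();
RESET ROLE;

-- Rotation: only the secrets manager runs this, with a fresh random
-- value; no developer or DBA session needs to see it.
ALTER ROLE app_svc PASSWORD 'REPLACE_WITH_NEW_SECRETS_MANAGER_VALUE';
```

Because `SET ROLE` keeps `session_user` as the personal account, log_line_prefix and audit tooling can still attribute the maintenance change to the developer rather than to the shared application identity.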