TUCoPS :: HP Unsorted M :: bt-21844.htm

McKesson Horizon Clinical Infrastructure (HCI) version 7.6/7.8/10.0/10.1 hardcoded passwords
McKesson Horizon Clinical Infrastructure (HCI) version 7.6/7.8/10.0/10.1 hardcoded passwords
McKesson Horizon Clinical Infrastructure (HCI) version 7.6/7.8/10.0/10.1 hardcoded passwords



McKesson Horizon Clinical Infrastructure, also known as McKesson HCI, utilizes hardcoded passwords
for Oracle database access. HCI serves as the patient record datastore for the majority of McKesson applications. There are two components to an HCI implementation: the Infrastructure (or Master) server
and the database back-end. The HCI Infrastructure Server has an Oracle client installed that initializes
OCI/sqlplus connections to the Oracle database back-end. A file on each HCI Infrastructure server
contains the database account usernames and their respective passwords, /usr/local/bin/password. Content from /usr/local/bin/password is shown:

# cat /usr/local/bin/password
AMBU:hacschema
QUEUE_USER:qmanager
SYS:alLp0ver2
SYSTEM:urA7mvP
CHANGEMGR:datacontrol
CCDEV:ccdev
CCDBA:ccnulls				*HAS ORACLE SYSDBA PRIVS*
CCDATA:ccdata
CCFORMS:ccforms
CCINTERFACE:ccinterface
MCKHEO:mckheo
CCREL:ccrel
CCQUERY:ccquery
CDXWEB:winplu5
DRUG1:fdb3schema
DRUG2:fdb3schema
enc_ent:encent
ENT:entpazz
ENT_CONFIG:ent_configpazz
ADF:adfpazz
INF:infpazz
INF_CONFIG:inf_configpazz
SDM:sdmpazz
STRMADM:pazzw0rd
ENT_AUD:pazzw0rd
ENT_ARCH:pazzw0rd
POC_ARCH:pazzw0rd
POC_AQ:qmanager
INF_AQ:qmanager
DATAMGR:datamgr
CCUSER:bueno
ALERTS:monitorhca
HCALERTS:alertsuser
AM:ampazz
AM_AUD:pazzw0rd
AUD:audpazz
TMF:tmfpazz
MN:mnpazz
EH:ehpazz
NG:ngpazz
DM:dmpazz
DMTOOL:dmtoolpazz
STG_DMT:stg_dmtpazz
WRL:wrlpazz
NOTES:notespazz
REPORTS:reportspazz
ICONS:iconspazz
BS:bspazz
QZ:qzpazz
RM:rmpazz
RM_AUD:pazzw0rd
COMMGR:commgrpazz
OPSERVICE:opservicepazz
SEC_CONFIG:sec_configpazz
CTXSYS:ctxsyspazz
OLOGY:ologypazz
OLOGY_CONFIG:ology_configpazz
DOC:docpazz
DOC_CONFIG:doc_configpazz
PORTAL:portal
PORTAL_INSTALL:portal_install
EBIDBADMIN:ebidbadmin
DESIGN_OWNER:owb
OWB_RUNTIME_REPOSITORY:owb
RUNTIME_A_USER:owb

Despite having a "central" password file that contains the credential information, much of the credentials
are hardcoded throughout binaries and scripts that are shipped as part of the HCI Infrastructure server.

# cd /u/live
# find . -type f -print | xargs grep ccnull | wc -l
85

Here is some context of how the credentials are used throughout the HCI code:

# find . -type f -print | xargs grep ccnull        
./RUN_dmArchive:remote_db=`sqlplus -s ccdba/ccnulls$DB_SPEC_IF_REMOTE << EOF
./all_ord:LOGIN=ccdba/ccnulls
./bin/BatchDischarge:ora_user="ccdba/ccnulls$DB_SPEC_IF_REMOTE"
./bin/CheckDischargeRpts:ora_user="ccdba/ccnulls$DB_SPEC_IF_REMOTE"
./bin/Make_iv_template:sqlldr ccdba/ccnulls iv_bottle >> $LOG
./bin/Make_iv_template:ORD_SEQ=`sqlplus -S ccdba/ccnulls$DB_SPEC_IF_REMOTE <<- ENDSQL

McKesson supports HCI on the AIX, HP-UX, and Linux passwords. The nature of hardcoded passwords implies
that for every customer that has purchased HCI, the credentials for all of these role accounts are the same across the installations. 

According to the following press release, http://www.oracle.com/corporate/press/2008_mar/em-mckesson.html, McKesson software is installed in 70% of hospitals within the US. HCI serves as the core infrastructure 
component of other McKesson applications such as Horizon Lab, Horizon Patient Folder, Horizon CareLink,
Horizon Expert Documentation, etc.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH