Hide username and password while calling oracle Reports

If you have not configured reports with Oracle Single Sign-on, Oracle report server explicitly requires username and password when report is called using Web.Show_document(). Username and password is required in report calling URL, for example following method calls a reports using Web.Show_Documnet().

Web.Show_Document('http://domainname.com:8090/reports/rwservlet?userid=username/[email protected]& server=ReportsServer_1&desformat=PDF&destype=cache&report=report.rdf&paramform=yes','_blank');

In above call username and password are visible in URL, causing security problem. Oracle has provieded serveral methods to resolve this problem, one of these solution is to define keymapping in CGICMD.DAT file. In Reports services 11g this file is located at following location


In Oracle Reports services 10g this file can be located in reportsconf directory.

To define a key mapping, append follwing line at the end of the file

userlogin: userid=username/[email protected] %*

Restart reports server/Managed server, now you can call your report using following URL


You can define key mapping for as many parameter as you need using following syntax,

userlogin: userid=username/[email protected] server=ReportsServer_1 desformat=PDF destype=cache %*

If reports have been configured with SSO, simply pass ssoconn=config parameter in reports calling URL, here config is the Resource Access Descriptor defined in OID. This parameter will automatically get login information from Oracle Internet Directory.

Reference: http://download.oracle.com/docs/cd/E12839_01/bi.1111/b32121/pbr_run013.htm

9 thoughts on “Hide username and password while calling oracle Reports”

  1. Very helfull.
    if a user changes his/her password then he/she will be required
    to change in the config file?

  2. If you are using the same user, then you would be required to update new password in config file. But usually reports are run as a separate user. In production environment, application has many users, so it is not practical to use the credential of a application specific user to run reports.

  3. i am new to oracle and i got to know about hiding the username and password and i did follow the procedure mentioned by you. i added the following line at the end of the cgicmd.dat file

    userlogin: userid=username/[email protected] %*

    But it didnt help me in hiding the username and password. i use oracle 10g and application in windows 2003 server.

    You have mentioned about “Restart reports server”. How do i do it. i did stopped oc4j and restarted it , but didn’t help. could you please guide me in this

  4. Nayayan,

    Once you have registered a key in cgicmd.dat, you append this key in you URL that calls report. What syntax you are using to call you report?

    In following line, you need to replace your original username, password and connection string.

    userlogin: userid=username/[email protected] %*

  5. This is very helpfull, I want to know what are the other methods to hide the username and password other than define keymapping in CGICMD.DAT file.

  6. Best solution is to user single sign-on. Another method can be to use cookies, you can read more about cookies implementation in oracle while paper titled, “Oracle Forms Services – Secure Web.Show_Document calls to Oracle Reports”

  7. Hi,

    I am using oracle reports in my application and i need to hide the userid information in the URL. I tried the way that has been suggested here. But I am not able to find a location called


    but when I searched for cgicmd.dat file i found that in the below locations.




    Please help me to find the correct location of the cgicmd.dat file.


  8. Hi Priya,

    Following seems to be the correct path for your version.


Leave a Reply

Your email address will not be published. Required fields are marked *