The password file stores a list of usernames and passwords that are allowed to remotely authenticate as SYSDBA over the network.
Oracle must use this file to authenticate them, not the normal list of passwords stored in the database.
And for this authentication to use password file, the value of REMOTE_LOGIN_PASSWORDFILE should be EXCLUSIVE or SHARED.
orapwd tool is used to create and manage password files.
DEFAULT LOCATION FOR PWD FILE – $ORACLE_HOME/dbs
orapwd syntax:
Usage: orapwd file= entries= force=<y/n> asm=<y/n>
dbuniquename= format=<legacy/12> sysbackup=<y/n> sysdg=<y/n>
syskm=<y/n> delete=<y/n> input_file=
Usage: orapwd describe file=
where
file - name of password file (required),
password - password for SYS will be prompted
if not specified at command line.
Ignored, if input_file is specified,
entries - maximum number of distinct DBA (optional),
force - whether to overwrite existing file (optional),
asm - indicates that the password to be stored in
Automatic Storage Management (ASM) disk group
is an ASM password. (optional).
dbuniquename - unique database name used to identify database
password files residing in ASM diskgroup only.
Ignored when asm option is specified (optional),
format - use format=12 for new 12c features like SYSBACKUP, SYSDG and
SYSKM support, longer identifiers, etc.
If not specified, format=12 is default (optional),
delete - drops a password file. Must specify 'asm',
'dbuniquename' or 'file'. If 'file' is specified,
the file must be located on an ASM diskgroup (optional),
sysbackup - create SYSBACKUP entry (optional and requires the
12 format). Ignored, if input_file is specified,
sysdg - create SYSDG entry (optional and requires the 12 format),
Ignored, if input_file is specified,
syskm - create SYSKM entry (optional and requires the 12 format),
Ignored, if input_file is specified,
input_file - name of input password file, from where old user
entries will be migrated (optional),
describe - describes the properties of specified password file
(required).
There must be no spaces around the equal-to (=) character.
Create a password file for standalone database .
cd $ORACLE_HOME/dbs
orapwd file=orapwORCL password=oracle force=y
Create a password file in ASM diskgroup:
orapwd file='+DATA/orapwORCL' ENTRIES=10 DBUNIQUENAME='ORCL'
Create password file from asmcmd tool:(Oracle 12c onwards)
ASMCMD> pwcreate --dbuniquename ORCL +DATA/PWDFILE/pwdORCL oracle
We can view users authenticated through password file in v$pwfile_users table
SQL> select username,sysdba from v$pwfile_users; USERNAME SYSDB --------- ----- SYS TRUE
password Changes in oracle 12.2
From oracle 12.2 , complex password verification method is deployed.
Below are the criteria for password file in oracle 12.2
- The password contains no fewer than 8 characters and includes at least one numeric and one alphabetic character.
- The password is not the same as the user name or the user name reversed.
- The password is not the same as the database name.
- The password does not contain the word oracle (such as oracle123).
- The password differs from the previous password by at least 8 characters.
- The password contains at least 1 special character.
Not following the criteria will throw error as below
orapwd file=orapwORCL password=oracle OPW-00029: Password complexity failed for SYS user : Password must contain at least 8 characters.
But we can bypass this password verification, by using format=12 as below:
orapwd file=orapw$ORACLE_SID password=oracle format=12
Password file is used to store the password of the Oracle that allows user to remotely authenticate the user from network.
Note:
1. Use password file, the value of REMOTE_LOGIN_PASSWORDFILE should be EXCLUSIVE or SHARED.
2. Default location for Password file is diffenetn in windows and unix operating systems.
Windows : %ORACLE_HOME%\database\PWDORCL.ora
UNIX: $ORACLE_HOME\dbs\PWDORCL.ora
Check the user list present in Password file
SQL> select username,sysdba from v$pwfile_users;
USERNAME SYSDB
------------------------------ -----
SYS TRUE
Check the ORAPWD syntax of 11g and 12c version
-- For 11g Oracle
C:\Users\oracle>orapwd
Usage: orapwd file= entries= force= ignorecase= nosysdba=
where
file - name of password file (required),
password - password for SYS will be prompted if not specified at command line,
entries - maximum number of distinct DBA (optional),
force - whether to overwrite existing file (optional),
ignorecase - passwords are case-insensitive (optional),
nosysdba - whether to shut out the SYSDBA logon (optional Database Vault only).
There must be no spaces around the equal-to (=) character.
--- For 12c Oracle
orapwd file= entries= force= asm= dbuniquename= format= sysbackup= sysdg= syskm= delete= input_file=
orapwd describe file=
where
file - name of password file (required),
password - password for SYS will be prompted if not specified at command line.
entries - maximum number of distinct DBA (optional),
force - whether to overwrite existing file (optional),
asm - indicates that the password to be stored in Automatic Storage Management (ASM) disk group is an ASM password. (optional).
dbuniquename - unique database name used to identify database password files residing in ASM diskgroup only.
format - use format=12 for new 12c features like SYSBACKUP, SYSDG and SYSKM support, longer identifiers, etc. If not specified, format=12 is default (optional),
delete - drops a password file. Must specify 'asm','dbuniquename' or 'file'. If 'file' is specified, the file must be located on an ASM diskgroup (optional),
sysbackup - create SYSBACKUP entry (optional and requires the 12 format).
sysdg - create SYSDG entry (optional and requires the 12 format),
syskm - create SYSKM entry (optional and requires the 12 format),
input_file - name of input password file, from where old user entries will be migrated (optional),
describe - describes the properties of specified password file.
There must be no spaces around the equal-to (=) character.
Create a password file having SYS USER
orapwd file=E:\oracle\product\12.1.0\dbhome_1\database\PWD.ora password="Nopassword1!" entries=3
Drop the password file
orapwd delete=y file=E:\oracle\product\12.1.0\dbhome_1\database\PWD.ora
Find the format of Password file
orapwd describe file=c:\app\oracle\product\12.1.0\dbhome_1\database\PWD.ora
Create a password file in ASM diskgroup
orapwd file='+DATA/orapwORCL' ENTRIES=10 DBUNIQUENAME='ORCL'
Create password file from asmcmd
ASMCMD> pwcreate --dbuniquename ORCL +DATA/PWDFILE/pwdORCL oracle
In this post, we will discuss password file in oracle,oracle password file utility orapwd, how to create a password file in oracle , create password file in RAC
Introduction to ORAPWD
- orapwd is an oracle password file utility and it allows the remote connection to the database with administrative privilege i.e. if you want to connect a remote database with sysdba privilege, then a password file needs to be present in the remote database
- You can create a password file using the orapwd utility.
- Users are added to the password file when they are granted the SYSDBA or SYSOPER or SYSASM privilege. The Oracle orapwd utility assists the DBA while granting SYSDBA, SYSOPER, and SYSASM privileges to other users. By default, SYS is the only user that has SYSDBA and SYSOPER privileges.
how to create password file in oracle
Creating a password file, via orapwd, enables remote users to connect with administrative privileges. Here is the 11g Syntax
$ orapwd file=password_file_name [password=the_password] [entries=n] [force=Y|N] [ignorecase=Y|N] [nosysdba=Y|N] Examples: cd $ORACLE_HOME/dbs $ orapwd file=orapwTEST password=sys_password force=y nosysdba=y $orapwd file=orapwPROD password=<secret> entries=12 ignorecase=n $orapwd file=orapwPROD password=<secret> entries=30 ignorecase=Y
The following describes the orapwd command line arguments.
FILE
Name to assign to the password file, which will hold the password information. You must supply a complete path. If you supply only filename, the file is written to the current directory. The contents are encrypted and are unreadable. This argument is mandatory.
The filenames allowed for the password file are OS-specific. Some operating systems require the password file to adhere to a specific format and be located in a specific directory. Other operating systems allow the use of environment variables to specify the name and location of the password file.
PASSWORD
This is the password the privileged users should enter while connecting as SYSDBA or SYSOPER or SYSASM. This is the sys password
ENTRIES
Entries specify the maximum number of distinct SYSDBA, SYSOPER, and SYSASM users that can be stored in the password file.
FORCE
(Optional) If Y permits overwriting an existing password file. An error will be returned if a password file of the same name already exists and this argument is omitted or set to N.
IGNORECASE
(Optional) If Y, passwords are treated as case-insensitive i.e. case is ignored when comparing the password that the user supplies during login with the password in the password file. This becomes more important after 11g release as passwords become case sensitive in that release
NOSYSDBA
(Optional) For Oracle Data Vault installations.
Importance of parameter REMOTE_LOGIN_ PASSWORDFILE
Just creating the password file will not serve any purpose unless we specified the parameter REMOTE_LOGIN_ PASSWORDFILE in the oracle database initialization file
Important Note
If REMOTE_LOGIN_PASSWORDFILE is set to EXCLUSIVE or SHARED and the password file is missing, this is equivalent to setting REMOTE_LOGIN_PASSWORDFILE to NONE.
How to view password File members
V$PWFILE_USERS view can be used to see the users who have been granted SYSDBA or SYSOPER system privileges for a database
SQL> select * from v$pwfile_users; USERNAME SYSDBA SYSOPER SYSASM -------- ------ ------- ------ SYS TRUE TRUE FALSE
USERNAME This column contains the name of the user that is recognized by the password file.
SYSDBA If the value of this column is TRUE, then the user can log on with SYSDBA system privileges.
SYSOPER If the value of this column is TRUE, then the user can log on with SYSOPER system privileges.
SYSASM If the value of this column is TRUE, then the user can log on with SYSOPER system privileges.
Let’s add a user
SQL> grant sysdba to TEST;
Now again see the view
SQL> select * from v$pwfile_users; USERNAME SYSDBA SYSOPER SYSASM -------- ------ ------- ------ SYS TRUE TRUE FALSE TEST TRUE FALSE FALSE
If you receive the file full error (ORA-1996) when you try to grant SYSDBA or SYSOPER system privileges to a user, you must create a larger password file and re-grant the privileges to the users. Check below how to expand the password file
How to Expand the Password file using orapwd
- First Identify the users who have SYSDBA or SYSOPER privileges by querying the V$PWFILE_USERS view.
- Delete the existing password file. You can just remove the file from operating system
- Now again create the password file using orapwd utility .Ensure that the ENTRIES parameter is set to a number larger than you think you will ever need.
- Now add all the users which were there earlier
create password file in oracle 12c
With 12c Release, there are a host of changes in the utility. The syntax is
orapwd FILE=filename [ENTRIES=numusers] [FORCE={y|n}] [ASM={y|n}]
[DBUNIQUENAME=dbname] [FORMAT={12|legacy}] [SYSBACKUP={y|n}] [SYSDG={y|n}]
[SYSKM={y|n}] [DELETE={y|n}] [INPUT_FILE=input-fname]
Examples
orapwd FILE='+DATA/TEST/orapwTEST' ENTRIES=10 DBUNIQUENAME='TEST' FORMAT=12 orapwd FILE='+DATA/TEST/orapwTEST' ENTRIES=10 DBUNIQUENAME='TEST' SYSBACKUP=y orapwd FILE='orapwTEST' ENTRIES=30 FORMAT=12 We dont have ignorecase parameter .It is depcreated
ORA-01994 error
If orapwd has not yet been executed, attempting to grant SYSDBA or SYSOPER privileges will result in the following error:
SQL> grant sysdba to TEST;
ORA-01994: GRANT failed: cannot add users to the public password file
This can also happen if the database was started using srvctl and it did not get the path of the password file. We should check the configuration and fix
How to change the SYS password in the Oracle database
Prior to 12.2, you can change the sys using alter user system and this change will be reflected in the password file also if it exists
With 12.2, it is mandatory to have the password file existence before changing the SYS password else it will throw errors
Steps will be
- Set remote_login_passwordfile=exclusive
then restart the database - generate a password file:
orapwd file=orapwSID password=<sys pass> entries=3 - check in DB
SQL> select username,sysdba,sysoper from v$pwfile_users; - after that execute the following command to reset the SYS password:
SQL> alter user sys identified by ; - rm the password file.
- change init.ora parameter back to remote_login_passwordfile=none and restart the database
Password file in RAC
password file in RAC should be stored in a common location i.e ASM Diskgroup. we can create the password file as
orapwd file='+DATA/orapwTEST' ENTRIES=10 DBUNIQUENAME='TEST'
From 12c onwards, we can create the password file in ASM using the below command also
ASMCMD> pwcreate –dbuniquename {db_unique_name} {file_path} {sys_password}
Example
ASMCMD>pwcreate –dbuniquename TEST '+DATA/PWDFILE/orapwTEST' {sys_password}
Hope you like the detailed explanation of the orapwd utility on the Oracle database and how to create, modify and expand it.
This is quite useful when setting up Data-guard, using active duplicate command for cloning and other purposes
Related Articles
ORA-01017: invalid username/password; logon denied Tips
How to Stop the Force Password Reset on Creation of User Account
Top 10 Oracle Database Security Tips for DBA
How to change the DBNAME /DBID using DBNEWID(nid) utility for Oracle database
Password file — orapwd utility in Oracle
Oracle password file stores passwords for users with administrative privileges.
If the DBA wants to start up an Oracle or ASM instance there must be a way for Oracle to authenticate the DBA. Obviously, DBA password cannot be stored in the database, because Oracle cannot access the database before the instance is started up. Therefore, the authentication of the DBA must happen outside of the database. There are two distinct mechanisms to authenticate the DBA:
(i) Using the password file or
(ii) Through the operating system (groups). Any OS user under dba group, can login as SYSDBA.
Password file for an Oracle database is called a database password file, and the password file for Oracle ASM is called an Oracle ASM password file.
The default location for the password file is:
$ORACLE_HOME/dbs/orapw$ORACLE_SID on Unix,
%ORACLE_HOME%\database\PWD%ORACLE_SID%.ora on Windows
REMOTE_LOGIN_PASSWORDFILE
The init parameter REMOTE_LOGIN_PASSWORDFILE specifies if a password file is used to authenticate the Oracle DBA or not. If it is set either to SHARED or EXCLUSIVE, password file will be used.
REMOTE_LOGIN_PASSWORDFILE is a static initialization parameter and therefore cannot be changed without bouncing the database.
Following are the valid values for REMOTE_LOGIN_PASSWORDFILE:
NONE – Oracle ignores the password file if it exists i.e. no privileged connections are allowed over non-secure connections. If REMOTE_LOGIN_PASSWORDFILE is set to EXCLUSIVE or SHARED and the password file is missing, this is equivalent to setting REMOTE_LOGIN_PASSWORDFILE to NONE.
EXCLUSIVE (default) – Password file is exclusively used by only one (instance of the) database. Any user can be added to the password file. Only an EXCLUSIVE file can be modified. EXCLUSIVE password file enables you to add, modify, and delete users. It also enables you to change the SYS password with the ALTER USER command.
SHARED – The password file is shared among databases. A SHARED password file can be used by multiple databases running on the same server, or multiple instances of an Oracle RAC database. However, the only user that can be added/authenticated is SYS.
A SHARED password file cannot be modified i.e. you cannot add users to a SHARED password file. Any attempt to do so or to change the password of SYS or other users with the SYSDBA or SYSOPER or SYSASM (this is from Oracle 11g), SYSKM, SYSDG and SYSBACKUP (these 3 are from Oracle 12c R1) privileges generates an error. All users needing SYSDBA, SYSOPER, SYSASM, SYSKM, SYSDG and SYSBACKUP system privileges must be added to the password file when REMOTE_LOGIN_PASSWORDFILE is set to EXCLUSIVE. After all users are added, you can change REMOTE_LOGIN_PASSWORDFILE to SHARED.
This option is useful if you are administering multiple databases or a RAC database.
If a password file is SHARED or EXCLUSIVE is also stored in the password file. After its creation, the state is SHARED. The state can be changed by setting REMOTE_LOGIN_PASSWORDFILE and starting the database i.e. the database overwrites the state in the password file when it is started up.
ORAPWD
You can create a password file using orapwd utility. For some Operating systems, you can create this file as part of standard installation.
Users are added to the password file when they are granted the SYSDBA, SYSOPER, SYSASM, SYSKM, SYSDG or SYSBACKUP privilege.
The Oracle orapwd utility assists the DBA while granting SYSDBA, SYSOPER, SYSASM, SYSKM, SYSDG or SYSBACKUP privileges to other users. By default, SYS is the only user that has SYSDBA and SYSOPER privileges. Creating a password file, via orapwd, enables remote users to connect with administrative privileges.
$ orapwd file=password_file_name [password=the_password] [entries=n] [force=Y|N] [ignorecase=Y|N] [nosysdba=Y|N]
From Oracle Database 12c release 2:
orapwd FILE = filename
[FORCE = {y|n}]
[ASM = {y|n}]
[DBUNIQUENAME = dbname]
[FORMAT = {12.2|12}]
[SYS = {y|n|password|external('sys-external-name')|global('sys-directory-DN')}]
[SYSBACKUP = {y|n|password|external('sysbackup-external-name')|global('sysbackup-directory-DN')}]
[SYSDG = {y|n|password|external('sysdg-external-name')|global('sysdg-directory-DN')}]
[SYSKM = {y|n|password|external('syskm-external-name')|global('syskm directory-DN')}]
[DELETE = {y|n}]
[INPUT_FILE = input-fname]
$ orapwd file=orapwSID password=sys_password force=y nosysdba=y
$ orapwd file=$ORACLE_HOME/dbs/orapw$ORACLE_SID password=secret
$ orapwd file=orapwprod entries=32 force=y
C:\orapwd file=%ORACLE_HOME%\database\PWD%ORACLE_SID%.ora password=2012 entries=20
C:\orapwd file=D:\oracle11g\product\11.1.0\db_1\database\pwdsfs.ora password=id entries=8 force=y
$ orapwd file=orapwPRODB3 password=abc123 entries=12 ignorecase=n
$ orapwd file=orapwprodb password=oracle1 ignorecase=y
$ orapwd FILE='+DATA/orcl/orapworcl' DBUNIQUENAME='orcl' SYSBACKUP=password FORMAT=12.2
$ orapwd FILE='+DATA/orcl/orapworcl' DBUNIQUENAME='orcl' FORMAT=12.2 sys=external('[email protected]') syskm=external('[email protected]')
$ orapwd FILE='/u01/oracle/dbs/orapworcl' FORMAT=12.2 INPUT_FILE='/u01/oracle/dbs/orapworcl' FORCE=y
$ orapwd FILE='/u01/oracle/dbs/orapworcl' SYS=Y INPUT_FILE='/u01/oracle/dbs/orapworcl' FORCE=y
$ orapwd DESCRIBE FILE=’orapwprod’
There are no spaces permitted around the equal to (=).
The following describes the orapwd command line arguments.
FILE
Name to assign to the password file, which will hold the password information. You must supply complete path. If you supply only filename, the file is written to the current directory. The contents are encrypted and are unreadable. This argument is mandatory.
The filenames allowed for the password file are OS specific. Some operating systems require the password file to adhere to a specific format and be located in a specific directory. Other operating systems allow the use of environment variables to specify the name and location of the password file.
If you are running multiple instances of Oracle Database using Oracle Real Application Clusters (RAC), the environment variable for each instance should point to the same password file.
It is critically important to secure password file.
PASSWORD
This is the password the privileged users should enter while connecting as SYSDBA, SYSOPER, SYSASM, SYSKM, SYSDG or SYSBACKUP.
ENTRIES
Entries specify the maximum number of distinct SYSDBA, SYSOPER, SYSASM, SYSKM, SYSDG or SYSBACKUP users that can be stored in the password file.
This argument specifies the number of entries that you require the password file to accept. The actual number of allowable entries can be higher than the number of users, because the orapwd utility continues to assign password entries until an OS block is filled. For example, if your OS block size is 512 bytes, it holds four password entries. The number of password entries allocated is always a multiple of four.
Entries can be reused as users are added to and removed from the password file. When you exceed the allocated number of password entries, you must create a new password file. To avoid this necessity, allocate a number of entries that is larger than you think you will ever need.
FORCE
(Optional) If Y, permits overwriting an existing password file. An error will be returned if password file of the same name already exists and this argument is omitted or set to N.
IGNORECASE
(Optional) If Y, passwords are treated as case-insensitive i.e. case is ignored when comparing the password that the user supplies during login with the password in the password file.
Oracle Database 12C onwards, IGNORECASE parameter has been deprecated.
FORMAT (from 12c Oracle)
The administrative privileges SYSBACKUP, SYSDG, and SYSKM are not supported in the password file when the file is created with the FORMAT=LEGACY argument. 12.2 is the default for the FORMAT command line argument.
NOSYSDBA
(Optional) For Oracle Data Vault installations.
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.
Granting SYSDBA, SYSOPER, SYSASM, SYSKM, SYSDG or SYSBACKUP privileges
Use the V$PWFILE_USERS view to see the users who have been granted SYSDBA, SYSOPER, SYSASM, SYSKM, SYSDG or SYSBACKUP system privileges for a database.
select * from v$pwfile_users;
USERNAME SYSDBA SYSOPER SYSASM
——– —— ——- ——
SYS TRUE TRUE FALSE
The columns displayed by the view V$PWFILE_USERS are:
| Column | Description |
|---|---|
| USERNAME |
This column contains the name of the user that is recognized by the password file. |
| SYSDBA | If the value of this column is TRUE, then the user can log on with SYSDBA system privilege. |
| SYSOPER | If the value of this column is TRUE, then the user can log on with SYSOPER system privilege. |
| SYSASM | If the value of this column is TRUE, then the user can log on with SYSASM system privilege. |
If orapwd has not yet been executed or password file is not available, attempting to grant SYSDBA, SYSOPER, SYSASM, SYSKM, SYSDG or SYSBACKUP privileges will result in the following error:
grant sysdba to Chetan; ORA-01994: GRANT failed: cannot add users to public password file
If your server is using an EXCLUSIVE password file, use the GRANT statement to grant the SYSDBA, SYSOPER, SYSASM, SYSKM, SYSDG or SYSBACKUP system privilege to a user, as shown in the following example:
grant sysoper to Chetan; select * from v$pwfile_users; USERNAME SYSDBA SYSOPER SYSASM SYSBACKUP SYSKM SYSDG -------- ------ ------- ------ ------ ------- ------ SYS TRUE TRUE FALSE FALSE FALSE FALSE SATYA TRUE TRUE FALSE FALSE FALSE FALSE
grant sysasm to Chetan; SQL> select * from v$pwfile_users; USERNAME SYSDBA SYSOPER SYSASM SYSBACKUP SYSKM SYSDG -------- ------ ------- ------ ------ ------- ------ SYS TRUE TRUE FALSE FALSE FALSE FALSE SATYA TRUE TRUE TRUE FALSE FALSE FALSE
When you grant SYSDBA, SYSOPER, SYSASM, SYSKM, SYSDG and SYSBACKUP privileges to a user, that user’s name and privilege information are added to the password file. If the server does not have an EXCLUSIVE password file (i.e. if the initialization parameter REMOTE_LOGIN_PASSWORDFILE is NONE or SHARED, or the password file is missing), Oracle issues an error if you attempt to grant these privileges.
Use the REVOKE statement to revoke the SYSDBA, SYSOPER, SYSASM, SYSKM, SYSDG and SYSBACKUP system privilege from a user, as shown in the following example:
revoke sysoper from Chetan; SQL> select * from v$pwfile_users; USERNAME SYSDBA SYSOPER SYSASM SYSASM SYSBACKUP SYSKM SYSDG -------- ------ ------- ------ ------ ------- ------ SYS TRUE TRUE FALSE FALSE FALSE FALSE SATYA TRUE FALSE TRUE FALSE FALSE FALSE
A user’s name remains in the password file only as long as that user has at least one of these three privileges. If you revoke all 3 privileges, Oracle removes the user from the password file.
Because SYSDBA, SYSOPER, SYSASM, SYSKM, SYSDG and SYSBACKUP are the most powerful database privileges, the WITH ADMIN OPTION is not used in the GRANT statement. That is, the grantee cannot, in turn, grant the SYSDBA, SYSOPER, SYSASM, SYSKM, SYSDG and SYSBACKUP privilege to another user. Only a user currently connected as SYSDBA can grant or revoke another user’s SYSDBA, SYSOPER, SYSASM, SYSKM, SYSDG and SYSBACKUP system privileges. These privileges cannot be granted to roles, because roles are available only after database startup.
If you receive the file full error (ORA-01996) when you try to grant SYSDBA, SYSOPER, SYSASM, SYSKM, SYSDG and SYSBACKUP system privileges to a user, you must create a larger password file and regrant the privileges to the users.
REVOKE SYSDG FROM non-SYS-user; GRANT SYSKM TO non-SYS-user;
Removing Password File
If you determine that you no longer require a password file to authenticate users, you can delete the password file and then optionally reset the REMOTE_LOGIN_PASSWORDFILE initialization parameter to NONE. After you remove this file, only those users who can be authenticated by the OS can perform SYSDBA, SYSOPER, SYSASM, SYSKM, SYSDG and SYSBACKUP database administration operations.
- SiteMap
«Prev
Next»
- User Connectivity
- Configuring Oracle
- NetClient PC Database
- Oracle Net Basic Concepts
- Finding Listener Service
- Listener Control Program
- Configuring Listener
- Stop Restart Listener
- Configuring OracleNet Client
- Testing Client Connectivity
- Testing OracleNet Connectivity
- Check Default Domain
- Connecting from Client
- Oracle Net Conclusion
- Password Files
- Necessary Password Files
- Password Creation Process
- Placing | Naming PW File
- Creating Password File
- Remote Login Password
- Connecting Internal Password
- DBA Privileges
- Different DBA Roles
- Connect Database
- PW Files Data Dictionary
- Rebuilding Password File
- Manage PW Conclusion
- Enterprise Manager
- OEM Architecture
- OEM Architecture
- Install OEM
- DBA Management Pack
- Using Instance Manager
- View Information
- Using Security Manager
- Examine Objects Schema Manager
- Using SQL Plus
- SQL* Plus CLI
- SQL Plus Reports
- SQL Plus Column
- SQL Plus Formatting
- Formatting Numeric Columns
- Oracle Date Columns
- SQL Plus Scripting
- SQL Plus Command
- Suppress Repeating Columns
- Line Page Break Reports
- Report Headers Footers
- Spooling Printing Report
- Substitution Variables
- Accept Prompt Commands
- SQL Plus Editing Commands
- SQL Plus Settings
- SQL Plus Script
- SQL Plus Conclusion
- Creating Users
- Manage Users
- Before Creating User
- Default Tablespaces
- Temporary Tablespaces
- Assign Disk Quotas
- Creating Database User
- OS Authentication
- Granting Session Privileges
- altering Database User
- Changing User Password
- Locking Users Account
- Drop User
- Data Dictionary User Info
- Create manage Users
- Managing User Roles
- Types System Privileges
- Granting System Privileges
- With Admin Option Clause
- session_privs View
- Revoke Privileges Oracle
- Managing System Privileges
| Lesson 4 | Placing and naming the password file |
| Objective | Determine the proper location and name for a password file. |
Placing Naming Password File in Oracle
As an Oracle Database Administrator (DBA), determining the proper location and name for a password file is crucial for database security and administration. The password file stores passwords for users with SYSDBA, SYSOPER, SYSASM, SYSBACKUP, or SYSDG privileges. Here’s how you can determine the proper location and name for the password file in Oracle 12c:
The location of the password file is generally specified by the `ORACLE_HOME/dbs` directory on Unix and Linux systems or
`ORACLE_HOME\database`
on Windows systems.
- Unix/Linux: `$ORACLE_HOME/dbs`
- Windows: `%ORACLE_HOME%\database`
- `orapw<SID>` on Unix and Linux systems
- `PWD<SID>.ora` on Windows systems
- Initialization Parameters: The parameters `REMOTE_LOGIN_PASSWORDFILE` and `ORACLE_HOME` in the initialization file (init.ora or spfile.ora) can give you information about password files.
- Environment Variables: The `$ORACLE_SID` and `$ORACLE_HOME` environment variables on Unix/Linux or `%ORACLE_SID%` and `%ORACLE_HOME%` on Windows can help you identify the SID and Oracle home directory.
- SQL Query: You can query the `v$pwfile_users` view to get details about the password file:
SELECT * FROM v$pwfile_users;
- Show Parameter: Use the following SQL command to see the current setting for the `REMOTE_LOGIN_PASSWORDFILE` parameter:
SHOW PARAMETER REMOTE_LOGIN_PASSWORDFILE;
- Make sure the `ORACLE_HOME` and `ORACLE_SID` environment variables are set correctly.
- The user who is creating the password file should have write permissions to the specified directory.
- Ensure that the `REMOTE_LOGIN_PASSWORDFILE` parameter is set appropriately (`EXCLUSIVE`, `SHARED`, or `NONE`).
- Keep the password file secure, and restrict its permissions to prevent unauthorized access.
- When the failure occurs during installation of Oracle 11g, click on cancel, you will need to restart the installation from scratch
- On win 7 64bit, go to PATH variable(Right click on my computer>properties>Advanced system Settings>Advanced Tab>click on Envirnment variable>in system variable — look for Path>
- Find the Path environment in the System Variables window and edit it, click on it and select all the values within it, paste these into a word document or something and save it.
- Clear the Path environment and simply add a single directory such as c:\Seer
- Start the installation of Oracle 11g again and wait while it executes the process
- Return to the Environment Variables and paste the originals back after the new ones put in by the installation
Name
The name of the password file is usually associated with the Oracle instance SID and takes the form:
Finding Password File Information
Here are the ways you can find or specify the password file location and name:
Creating or Changing the Password File
If you need to create or re-create the password file, you can use the `orapwd` utility. Here’s an example command to create a password file:
orapwd FILE=$ORACLE_HOME/dbs/orapw$ORACLE_SID PASSWORD= ENTRIES=
Replace `<sys_password>` with the password for the SYS user and `<max_users>`with the maximum number of distinct privileged users you plan to have.
Key Points to Remember
By following these guidelines, you should be able to determine the proper location and name for the password file in Oracle 12c.
The proper name and location for a password file is specific to the operating system. There are some slight differences between Windows and Unix, and there may be differences for other operating systems as well.
If you make a Mistake
Naming the password file is one area where Oracle is somewhat forgiving. If you configure a database to use a password file and Oracle can not find the file when you try to start the database, Oracle will display a message showing you the exact directory path and filename that it is looking for. So if you get the filename or location wrong the first time, it is a very easy mistake to correct. You can simply create the password file again using the correct name and location.
Naming Password file
The name of the password file for a database should take one of the following two forms:
| Unix: | orapw_instance_identifier |
| Windows: | pwd_instance_identifier.ora |
In both cases, the «_instance_identifier» represents the Oracle instance identifier, or SID. Using the COIN instance as an example, the password file should be named orapwCOIN or pwdCOIN.ora, depending on whether you are running Oracle on Unix or Windows NT. Note that Oracle on Unix does not expect the password file to have an extension, while Oracle running on Windows NT does.
Placing the password file in Legacy Environments
In addition to having inconsistent naming conventions across platforms, Oracle also expects to find the password file in different directories for each operating system. For Unix and Windows, the password file should be in one of the following two directories:
Under Windows, the c:\oracle\ora81 part of the path represents the default install.
When installing an Oracle 11g database on a Windows 7 machine which already has a lot of different software installed,
On win 7 64bit, go to PATH variable
Right click on my computer > properties > Advanced system Settings > Advanced Tab > click on Envirnment variable > in system variable - look for Path>
If you chose a different location for your Oracle home when you installed the software, that part of the path will reflect your choice.
Also, do not be confused by the fact that both the Windows NT and Unix implementations have a dbs directory.
The password file goes in dbs for Unix and in database for Windows.
Now, determine the proper location and name for the password file for your own database. Later on in this module, you will use this information to actually create the password file.
