Oracle 12c – Create the password file

Oracle uses a password file to restrict access to the database for users with elevated permissions. A password file is required for users with the following privileges: SYSDBA, SYSOPER, SYSBACKUP, SYSDG, SYSKM. If the password file is lost or corrupted, it must be recreated with the ORAPWD utility. The syntax of ORAPWD is:

ORAPWD File=<filename> [ENTRIES=number_users] [FORCE={Y/N}] [IGNORECASE={Y/N}]

Command options for ORAPWD are:

  • FILE – Name of the password file. It can include a complete directory path; otherwise the file is written to the current directory.
  • ENTRIES – Maximum number of entries (user accounts) to add. These are users with any of the privileges SYSDBA, SYSOPER, SYSBACKUP, SYSDG, SYSKM.
  • FORCE – If Y, the command will overwrite an existing password file.
  • IGNORECASE – If Y, the password will not be case sensitive.
  • FORMAT – When set to 12, which is the default, the file is created in 12c format. The 12c format is required for SYSBACKUP, SYSDG and SYSKM administrative privilege support. If set to less, the file will only support the SYSDBA and SYSOPER privileges.
  • SYSBACKUP – If Y, creates a SYSBACKUP entry in the password file.
  • SYSDG – If Y, creates a SYSDG entry in the password file.
  • SYSKM – If Y, creates a SYSKM entry in the password file.

 

Example of creating a password file for a database with an ORACLE_SID of db1:

orapwd File=orapwdb1 Entries=10

The initialization parameter REMOTE_LOGIN_PASSWORDFILE controls the connection to the password file with the following options:

  • NONE – Database will not recognize any password file.
  • EXCLUSIVE – The password file can be used with only one database. It allows you to add multiple users to the password file, any of whom can have one of the privileges SYSDBA, SYSOPER, SYSBACKUP, SYSDG, SYSKM. This is the default.
  • SHARED – The password file can be used by multiple databases running on the same server or by multiple instances in a RAC database. Shared password files are read-only and cannot be modified. All users needing access must be added while REMOTE_LOGIN_PASSWORDFILE is set to EXCLUSIVE; then change the initialization parameter back to SHARED.
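
The SHARED procedure described above, written out as a SQL*Plus session and followed by a review of who holds administrative privileges in the password file. This is an added example, not part of the original post; it assumes a single instance started from an spfile, a session connected AS SYSDBA, and a hypothetical user named backup_admin.

```sql
-- Added example. Assumptions: single instance using an spfile,
-- session connected AS SYSDBA, backup_admin is a hypothetical user.

-- 1. Check the current setting (expected here: SHARED).
SHOW PARAMETER remote_login_passwordfile

-- 2. The parameter is static, so change it in the spfile and restart.
ALTER SYSTEM SET remote_login_passwordfile = EXCLUSIVE SCOPE = SPFILE;
SHUTDOWN IMMEDIATE
STARTUP

-- 3. Granting an administrative privilege writes the user's entry
--    into the password file while the setting is EXCLUSIVE.
GRANT SYSBACKUP TO backup_admin;

-- 4. Review every entry in the password file. Each TRUE column is an
--    elevated privilege that should have a named owner and a reason.
SELECT username, sysdba, sysoper, sysbackup, sysdg, syskm
FROM   v$pwfile_users
ORDER  BY username;

-- 5. Return the password file to read-only shared use.
ALTER SYSTEM SET remote_login_passwordfile = SHARED SCOPE = SPFILE;
SHUTDOWN IMMEDIATE
STARTUP

-- 6. Confirm the setting and that the entries survived the switch.
SHOW PARAMETER remote_login_passwordfile
SELECT username, sysbackup FROM v$pwfile_users ORDER BY username;
```

Running the query in step 4 on a schedule and comparing it with an approved list shows when an unexpected account has been given SYSDBA or one of the other administrative privileges.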

 

Larry Catt

OCP
