Oracle Database Password Security Management summary

Source: Internet
Author: User

In an Oracle database system, a user who wants to log on to the database as a privileged user (INTERNAL/SYSDBA/SYSOPER) can be authenticated in one of two ways: through authentication integrated with the operating system, or through the Oracle database password file. Managing the password file is therefore important for controlling which authorized users can log on to the Oracle database system, remotely or locally, to carry out database administration work. The Oracle database password file holds the password of the superuser INTERNAL/SYS and the user names and passwords of other privileged users, and is generally stored in the ORACLE_HOME\DATABASE directory.

First, the creation of the password file:

When you create a database instance using Oracle Instance Manager, a corresponding password file is automatically created in the ORACLE_HOME\DATABASE directory with the file name PWDSID.ORA, where SID represents the corresponding Oracle database system identifier. This password file is the basis for the initial database management work. After this, the administrator can also use the tool ORAPWD.EXE to create the password file manually as needed. The command format is as follows:

C:\>orapwd file=<FILENAME> password=<PASSWORD> entries=<MAX_USERS>

The meaning of each command parameter is:

FILENAME: The name of the password file;

PASSWORD: The password to set for the INTERNAL/SYS account;

MAX_USERS: The maximum number of users that can be stored in the password file, which corresponds to the maximum number of users allowed to log on to the database with SYSDBA/SYSOPER privileges. If the number of users later exceeds this limit, the password file has to be rebuilt, so this parameter can be set larger as needed.

After you have the password file, you need to set the initialization parameter REMOTE_LOGIN_PASSWORDFILE to control how the password file is used.

Second, set the initialization parameter REMOTE_LOGIN_PASSWORDFILE:

In the initialization parameter file for an Oracle database instance, this parameter controls whether and how the password file is used. It can take the following values:

NONE: Instructs the Oracle system not to use a password file; privileged user logins are authenticated through the operating system.

EXCLUSIVE: Indicates that only one database instance can use this password file. Only under this setting can the password file contain user information other than INTERNAL/SYS, which allows the system privileges SYSOPER/SYSDBA to be granted to users other than INTERNAL/SYS.

SHARED: Indicates that multiple database instances can use this password file. Under this setting only the INTERNAL/SYS account is recognized by the password file; even if the file contains other users' information, those users are not allowed to log in with SYSOPER/SYSDBA privileges. This setting is the default value.

When the REMOTE_LOGIN_PASSWORDFILE parameter is set to EXCLUSIVE or SHARED, the Oracle system searches for the password file in the following order: it first looks in the system registry for the ORA_SID_PWFILE parameter value (the full path name of the password file); if that is not found, it looks for the ORA_PWFILE parameter value; if that is still not found, it uses the default value ORACLE_HOME\DATABASE\PWDSID.ORA, where SID represents the corresponding Oracle database system identifier.
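
The following audit helper is an added example, not code from Oracle or from the original article. It reads the REMOTE_LOGIN_PASSWORDFILE setting from initialization parameter text and applies the search order above to find the file that gates privileged logins, so its permissions can be reviewed. The function names, the registry values passed in as a dictionary, and the sample paths are assumptions made for illustration.

```python
import ntpath

VALID_MODES = {"NONE", "EXCLUSIVE", "SHARED"}

def parse_init_params(text):
    """Parse NAME = value lines of an initialization parameter file."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip().upper()] = value.strip().strip("'\"")
    return params

def resolve_password_file(sid, oracle_home, registry):
    """Apply the search order described above; returns (path, source)."""
    reg = {k.upper(): v for k, v in registry.items()}  # registry names ignore case
    # Assumption: "SID" in ORA_SID_PWFILE is replaced by the instance's SID.
    for name in (f"ORA_{sid.upper()}_PWFILE", "ORA_PWFILE"):
        if reg.get(name):
            return reg[name], name
    return ntpath.join(oracle_home, "DATABASE", f"PWD{sid.upper()}.ORA"), "default"

def audit(init_text, sid, oracle_home, registry):
    """Report which file gates privileged logins and who it can admit."""
    params = parse_init_params(init_text)
    # The article gives SHARED as the default when the parameter is not set.
    mode = params.get("REMOTE_LOGIN_PASSWORDFILE", "SHARED").upper()
    if mode not in VALID_MODES:
        raise ValueError(f"unexpected REMOTE_LOGIN_PASSWORDFILE value: {mode}")
    report = {"mode": mode, "password_file": None, "source": None,
              "non_sys_privileged_users": mode == "EXCLUSIVE"}
    if mode != "NONE":  # NONE: operating-system authentication only
        report["password_file"], report["source"] = resolve_password_file(
            sid, oracle_home, registry)
    return report

if __name__ == "__main__":
    # Constructed sample input, not taken from a real system.
    sample_init = "db_name = ORCL\nremote_login_passwordfile = exclusive  # pw file\n"
    sample_registry = {"ORA_PWFILE": r"D:\secure\shared_pw.ora"}
    print(audit(sample_init, "orcl", r"C:\ORANT", sample_registry))
```

A result whose source is a registry value rather than the default means the file to protect is outside ORACLE_HOME\DATABASE, so access-control reviews need to cover that path as well.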
