The Oracle database password file creation and

Oracle relational database system has been widely used for its excellent performance, and ensuring database security is an important part of database management work. On the basis of summarizing the security management of Oracle database, this paper introduces the creation, use and maintenance of the password files of Oracle database system in detail for your reference.

In an Oracle database system, users who want to log in to an Oracle database as a privileged user (Internal/sysdba/sysoper) can have two Authentication method: Use authentication that is integrated with the operating system or the password file that uses the Oracle database. Therefore, it is of great significance to manage the password files and to perform database administration work for the control of authorized users to log on to Oracle database system from remote or native computer.

The password file for the Oracle database holds the password of the Superuser Internal/sys and the username/password of other privileged users, which are generally stored in the Oracle_home\database directory.

One, the creation of the password file

When creating a DB instance using Oracle Instance Manager, a corresponding password file is automatically created in the Oracle_home\database directory with the file name Pwdsid. ORA, where the SID represents the corresponding Oracle database system identifier. This password file is the base for the initial database administration Chu after this, the administrator can also use the tool ORAPWD.EXE to manually create the password file, as appropriate, in the following format:

[[email protected] dbs]$ orapwdusage: orapwd file=<fname> entries=< users> force=<y/n> ignorecase=<y/n> nosysdba=<y/n>  where     file - name of password file  (required),     password - password for SYS will be prompted if not  specified at command line,    entries - maximum number  of distinct dba  (optional),    force - whether to  overwrite existing file  (optional),     ignorecase - passwords  are case-insensitive  (optional),     nosysdba - whether to  shut out the SYSDBA logon  (optional database vault only) .       there must be no spaces around the equal-to  (=)  character. [[email protected] dbs]$

The meaning of each command parameter is:

FileName: password file name;

PASSWORD: Set password for Internal/sys account;

Max_users: The maximum number of users that can be stored in a password file, corresponding to the maximum number of users allowed to log in to the database with Sysdba/sysoper permissions. Because in later maintenance, if the number of users exceeds this limit, the password file needs to be rebuilt, so this parameter can be set larger as needed.

After you have the password file, you need to set the initialization parameter Remote_login_passwordfile to control the usage status of the password file.

Second, set the initialization parameters Remote_login_passwordfile

In the initialization parameter file for an Oracle DB instance, this parameter controls the use of the password file and its status. It can have several options:

NONE: Indicates that the Oracle system does not use a password file, and the login of the privileged user is authenticated by the operating system;

EXCLUSIVE: Indicates that only one DB instance can use this password file. Only the password file under this setting can contain user information other than Internal/sys, which allows the system permissions SYSOPER/SYSDBA to be granted to users other than Internal/sys.

SHARED: Indicates that there can be more than one DB instance that can use this password file. In this setting, only the Internal/sys account can be identified by the password file, even if the file contains information about other users, and does not allow them to log on with SYSOPER/SYSDBA permissions. This setting is the default value.

When the Remote_login_passwordfile parameter is set to exclusive, shared, the order in which the Oracle system searches for password files is to find the Ora_sid_pwfile parameter value in the system registry (it is the full path name of the password file) If not found, the ora_pwfile parameter value is searched, and if not found, the default value of Oracle_home\database\pwdsid is used. ORA, where the SID represents the corresponding Oracle database system identifier.

Third, add to the password file, delete the user

When the initialization parameter remote_login_passwordfile is set to exclusive, the system allows users other than Internal/sys to log on to the Oracle database system from the remote or native computer as an administrator, performing database administration work These usernames must exist in the password file before they can be recognized by the system. Because either the password file that was created automatically when the DB instance was created or the password file that was manually created by using the tool ORAPWD.EXE contains only the information for the Internal/sys user, you may need to add or remove other user accounts to the password file in the actual operation.

Because only users granted SYSOPER/SYSDBA system permissions exist in the password file, when granting or withdrawing SYSOPER/SYSDBA system permissions to a user, their account will be added to the password file or deleted from the password file accordingly. Thus, adding or removing a user to a password file is, in effect, granting or withdrawing SYSOPER/SYSDBA system permissions to a user.

To perform this authorization operation, you need to connect to the database using SYSDBA permissions (or internal account number), and the initialization parameter remote_login_passwordfile must be set to exclusive. The following steps:

Create the appropriate password file;

Set initialization parameter remote_login_passwordfile=exclusive;

Login with SYSDBA permissions: CONNECTSYS/INTERNAL_USER_PASSSWORDASSYSDBA;

Start the DB instance and open the database;

Create the appropriate user account, authorize it (including Sysoper and SYSDBA): Grant permissions: Grantsysdbatouser_name;

Revoke permission: revokesysdbafromuser_name;

These users can now log into the database system as Administrator;

Iv. log in with a password file

With the password file, the user can log in to the Oracle DB instance with SYSOPER/SYSDBA permissions using the password file, paying attention to the initialization parameters Remote_login_ Passwordfile should be set to exclusive or shared. After any user is logged on with SYSOPER/SYSDBA permissions, the SYS user will be under the schema, and the following are two login examples:

1. Log in as Administrator:

Assuming that the user Scott has been granted SYSDBA permissions, he can log on using the following command:

Connectscott/tigerassysdba

2. Log in as internal:

Connectinternal/internal_password

The Oracle database password file creation and