Oracle password management is very important, which is beyond doubt. In the Oracle system, you can use the privileged user identity INTERNAL/SYSDBA/SYSOPER to log on to Oracle using two authentication methods:
1. Use authentication integrated with the operating system
2. Use the password file of the Oracle database for authentication.
Therefore, managing the password file is of great significance for controlling authorized users to log on to the Oracle Database System from the remote end or local end and perform database management.
The password file of the Oracle DATABASE is stored in the Super User INTERNAL/SYS password and the user name/password of other privileged users. It is generally stored in the ORACLE_HOME \ DATABASE directory.
The following describes the key points of Oracle password management:
I. Create a password file:
When you use Oracle Instance Manager to create a DATABASE Instance, a password file is automatically created under the ORACLE_HOME \ DATABASE directory. The file name is PWDSID. ORA, where SID represents the corresponding Oracle database system identifier. This password file is the basis for initial database management. Then, the administrator can use ORAPWD. EXE to manually create a password file as needed. The command format is as follows:
C: \> orapwd file = <FILENAME> PASSWORD
= <PASSWORD> ENTRIES = <MAX_USERS>
The meanings of command parameters are as follows:
FILENAME: password file name;
PASSWORD: Set the PASSWORD of the INTERNAL/SYS account;
MAX_USERS: the maximum number of users in the password file, which corresponds to the maximum number of users allowed to log on to the database with SYSDBA/SYSOPER permissions. In future maintenance, if the number of users exceeds this limit, the password file needs to be rebuilt. Therefore, this parameter can be set to be larger as needed.
With the password file, you need to set the initialization parameter REMOTE_LOGIN_PASSWORDFILE to control the Usage Status of the password file.
2. Set the initialization parameter REMOTE_LOGIN_PASSWORDFILE:
In the initialization parameter file of the Oracle database instance, this parameter controls the usage and status of the password file. It can have the following options:
NONE: indicates that the Oracle system does not use password files. Privileged users can log on to the Oracle System for authentication;
EXCLUSIVE: indicates that only one database instance can use this password file. Only the password file under this setting can contain user information except INTERNAL/SYS, that is, the system permission SYSOPER/SYSDBA can be granted to other users except INTERNAL/SYS.
SHARED: indicates that multiple database instances can use this password file. In this setting, only the INTERNAL/SYS account can be identified by the password file. Even if the file contains information from other users, they are not allowed to log on with the SYSOPER/SYSDBA permission. This is the default value.
---- When the REMOTE_LOGIN_PASSWORDFILE parameter is set to EXCLUSIVE and SHARED, the order of the password files searched by the Oracle system is: search for the ORA_SID_PWFILE parameter value in the System Registration Database, which is the full path name of the password file ); if not, search for the ORA_PWFILE parameter value. If not, use the default value ORACLE_HOME \ DATABASE \ PWDSID. ORA; the SID represents the corresponding Oracle database system identifier.
3. add or delete users to or from the password file:
When the initialization parameter REMOTE_LOGIN_PASSWORDFILE is set to EXCLUSIVE, the system allows users other than INTERNAL/SYS to log on to the Oracle database system as administrators from the remote end or local end to perform database management; these usernames must exist in the password file before the system can recognize them. Whether it is the password file automatically created when you create a database instance or the tool ORAPWD. the password files manually created by EXE only contain the information of INTERNAL/SYS users. To do this, you may need to add or delete other user accounts to the password file.
Because only users granted SYSOPER/SYSDBA system permissions exist in the password file, when a user is granted or revoked SYSOPER/SYSDBA system permissions, their accounts will also be added to or deleted from the password file. Therefore, adding or deleting a user to or from the password file actually grants or revokes SYSOPER/SYSDBA system permissions to a user.
To perform this authorization, you must use the SYSDBA permission or INTERNAL account to connect to the database and set the REMOTE_LOGIN_PASSWORDFILE initialization parameter to EXCLUSIVE. The procedure is as follows:
Create a password file;
Set the initialization parameter REMOTE_LOGIN_PASSWORDFILE = EXCLUSIVE;
Use SYSDBA permissions to log on:
Connect sys/internal_user_passsword as sysdba;
Start the database instance and open the database;
Create a user account and authorize it to SYSOPER and SYSDBA ):
GRANT permissions: grant sysdba to user_name;
REVOKE permissions: revoke sysdba from user_name;
Now these users can log on to the database system as administrators;