Role and description of password file orapwd in Oracle

The role and description of password file orapwd in Oracle before the database is started, database built-in users are password files that cannot be verified by the database. The usernames and passwords of sysdba/sysoper users can be verified by password files, log on to the database before it is started. If there is no password file to start the database, you can only pass operating system authentication before the database is started. when Rman is used, the database needs to be processed in nomount, mount, and other States. Therefore, sysdba permissions are usually required. If the database belongs to a local DBA group, you can log on to the database through operating system authentication. If the database is remotely logged on to sysdba, passwordfile authentication is required. 1. remote_login_passwordfile = NONE Password File authentication is disabled at this time. Oracle database does not allow remote SYSDBA/SYSOPER logon to manage database start/stop operations. local: [oracle @ jumper oracle] $ sqlpl Us "/as sysdba" SQL * Plus: Release 9.2.0.3.0-Production on Thu Apr 15 09:58:45 2004 Copyright (c) 1982,200 2, Oracle Corporation. all rights reserved. connected to: Oracle9i Enterprise Edition Release 9.2.0.3.0-ProductionWith the Partitioning, OLAP and Oracle Data Mining optionsJServer Release 9.2.0.3.0-Production SQL> alter user sys identified by oracle; User altered. SQL> show parameter pas S name type value ----------------------- ------------------------------------ remote_login_passwordfile string NONE remote: E: \ Oracle \ ora92 \ bin> sqlplus/nolog SQL * Plus: release 9.2.0.4.0-Production on Thursday April 15 09:39:22 2004 Copyright (c) 1982,200 2, Oracle Corporation. all rights reserved. SQL> connect sys/oracle @ hsjf as sysdbaERROR: ORA-01017: invalid username/password; logon denied here actually cannot Verify by password file 2. remote_login_passwordfile = exclusive SQL> alter system set remote_login_passwordfile = exclusive scope = spfile; System altered. SQL> startup force; ORACLE instance started. total System Global Area 131142648 bytesFixed Size 451576 bytesVariable Size 104857600 bytesDatabase Buffers 25165824 bytesRedo Buffers 667648 bytesDatabase mounted. database opened. SQL> show parameter pass NAME TYPE VALU E ------------------------------------------- ------------------------------ remote_login_passwordfile string EXCLUSIVESQL> alter user sys identified by oracle; User altered. remote: E: \ Oracle \ ora92 \ bin> sqlplus/nolog SQL * Plus: Release 9.2.0.4.0-Production on Thursday April 15 09:47:11 2004 Copyright (c) 1982,200 2, Oracle Corporation. all rights reserved. SQL> connect sys/oracle @ hsjf as sysdba is connected. SQL> show userUSER is "SYS" SQL> This is actually the login 3 verified by the password file. further test if passwdfile is deleted at this time, sysdba/sysoper will not be able to authenticate, so it will not be able to log on to the database Server: SQL>! [Oracle @ jumper oracle] $ cd $ ORACLE_HOME/dbs [oracle @ jumper dbs] $ ls orapwhsjforapwhsjf [oracle @ jumper dbs] $ mv orapwhsjf. bak [oracle @ jumper dbs] $ Remote: E: \ Oracle \ ora92 \ bin> sqlplus/nolog SQL * Plus: Release 9.2.0.4.0-Production on Thursday April 15 09:50:14 2004 Copyright (c) 1982,200 2, Oracle Corporation. all rights reserved. connect sys/oracle @ hsjf as sysdbaERROR: ORA-01031: insufficient pr Ivileges SQL> This is actually unable to verify the identity through the password file. 4. if passwdfile is lost and passwdfile is used, the database SQL> startup force; ORACLE instance started cannot be started. total System Global Area 131142648 bytesFixed Size 451576 bytesVariable Size 104857600 bytesDatabase Buffers 25165824 bytesRedo Buffers 667648 bytesORA-01990: error opening password file '/opt/oracle/product/9.2.0/dbs/orapw' ORA-27037: unable to obtain file statusLinux Error: 2: No such file or directoryAdditional information: 3 at this time, you can use orapwd to recreate the password file. Here, we can restore the password file to SQL>! [Oracle @ jumper oracle] $ mv $ ORACLE_HOME/dbs/orapwhsjf. bak orapwhsjf [oracle @ jumper oracle] $ exitexit SQL> alter database open; Database altered. SQL> This is roughly the case. 5. remote_login_passwordfile = shared. Let's take a look at the description in Oracle9i: SHAREDMore than one database can use a password file. however, the only user recognized by the password file is SYS. it means that multiple databases can share one password file, but only one user can be identified: sys SQL> select * from v $ pwfile_users; U Sername sysdb sysop ---------------------------- ----- sys true truesql> grant sysdba to eygle; grant sysdba to eygle * ERROR at line 1: ORA-01994: GRANT failed: cannot add users to public password fileSQL> show parameter passwordNAME type value ---------------------------------------- remote_login_passwordfile string SHARED. At this time, users cannot be added to the password file. many people have questions about passwords. The default file name is orapw <sid>. How can I share it? In fact, when the Oracle database is started, it first looks for the password file of orapw <sid>. If the file does not exist, it starts searching, if the password file of orapw is named orapw, multiple databases can share the file. let's take a look at the test: [oracle @ jumper dbs] $ sqlplus "/as sysdba" SQL * Plus: Release 9.2.0.3.0-Production on Tue Jul 6 09:40:34 2004 Copyright (c) 1982,200 2, oracle Corporation. all rights reserved. connected to: Oracle9i Enterprise Edition Release 9.2.0.3.0-ProductionWith the Partitioning, OLAP and Oracle Data Min Ing optionsJServer Release 9.2.0.3.0-Production SQL> shutdown immediateDatabase closed. Database dismounted. ORACLE instance shut down. SQL>! [Oracle @ jumper dbs] $ lshsjf initdw. ora inithsjf. ora init. ora lkHSJF orapwhsjf spfilehsjf. ora [oracle @ jumper dbs] $ mv orapwhsjf. bak [oracle @ jumper dbs] $ exitexit SQL> startupORACLE instance started. total System Global Area 235999908 bytesFixed Size 451236 bytesVariable Size 201326592 bytesDatabase Buffers 33554432 bytesRedo Buffers 667648 bytesORA-01990: error opening password file '/opt/or Acle/product/9.2.0/dbs/orapw '-- this is the final file ORA-27037: unable to obtain file statusLinux Error: 2: No such file or directoryAdditional information: 3. Create an orapw password file to open the database. SQL>! [Oracle @ jumper dbs] $ lshsjf initdw. ora inithsjf. ora init. ora lkHSJF orapwhsjf. bak spfilehsjf. ora [oracle @ jumper dbs] $ cp orapwhsjf. bak orapw [oracle @ jumper dbs] $ exitexit SQL> alter database open; Database altered. SQL> show parameter passw NAME TYPE VALUE ------------------------------------ ---------------------------------------- remote_login_passwordfile string SHAREDSQL> you may have such questions, multiple Exclusive Can the database share a password file (orapw? Let's continue this experiment: SQL> show parameter passwordNAME TYPE VALUE =----------- export remote_login_passwordfile string SHARED [oracle @ jumper dbs] $ strings orapw] \ [ZORACLE Remote Password example note that only the INTERNAL/SYS Password REMOTE_LOGIN_PASSWORDFILE is recorded here = exclusive SQL> alter system set remote_login_passwordfile = exclusive scope = sp File; System altered. SQL> startup force; ORACLE instance started. Total System Global Area 235999908 bytesFixed Size 451236 bytesVariable Size 201326592 bytesDatabase Buffers 33554432 bytesRedo Buffers 667648 bytesDatabase mounted. Database opened. SQL>! [Oracle @ jumper bin] $ cd $ ORACLE_HOME/dbs [oracle @ jumper dbs] $ strings orapw] \ [ZORACLE Remote Password login [oracle @ jumper dbs] $ exitexit note here, after the instance is started in EXCLUSIVE mode, the Instance name information is written into the password file. if other instances start in Exclusive mode, you can still use this password file. The instance name in the password file is rewritten at the same time. that is to say, the database only reads the password file during the startup process. The file is not locked during the database operation, similar to the pfile/spfile file. SQL> select * from v $ pwfile_users; USERNAME SYSDB SYSOP ---------------------- -------- ----- Sys true truesql> grant sysdba to eygle; Grant succeeded. SQL> select * from v $ pwfile_users; USERNAME SYSDB SYSOP certificate ----- SYS TRUE TRUEEYGLE TRUE FALSESQL>! [Oracle @ jumper bin] $ cd $ ORACLE_HOME/dbs [oracle @ jumper dbs] $ strings orapw] \ [ZORACLE Remote Password secret> eygleb09e09fe21f8e83 note that SYSDBA users can be added at this time, and the information can be written into the password file. once other SYSDBA users are added to the password file, the file cannot be shared by other Exclusive instances. in fact, the password file serves as a sudo for other users. 6. if the password file is lost, you can use orapwd to recreate the password file. The syntax is as follows: [oracle @ jumper oracle] $ orapwdUsage: orapwd file = <fname> password = <password> Entries = <users> wherefile-name of password file (mand), password-password for SYS (mand), entries-maximum number of distinct DBA and OPERs (opt ), there are no spaces around the equal-to (=) character. orapwd is a command provided by oracle to create a password file. If the password file disappears, use this command to create a new one. The following are some explanations of the orapwd command. D: \ oracle \ ora92 \ database> orapwdUsage: orapwd file = <fname> password = <password> entries = <users> where file-name of password file (mand ), password-password for SYS (mand), entries-maximum number of distinct DBA and OPERs (opt), There are no spaces around the equal-to (=) character. example: D: \ oracle \ ora92 \ database> orapwd file = pwdcloud. ora password = cshortentries = 2 the entries parameter indicates the maximum number of users that can be stored in the password file. The maximum number of users with the YSDBA/SYSOPER permission to log on to the database. If the number of users exceeds this value, only the password file can be rebuilt to increase entries. You can specify the full path and file name of the password file. Otherwise, the file is created in the current directory. In windows, oracle is located in the ora92/database directory by default. The default file name is pwdSID. ora, which is not recognized by other file names. In linux, the default location of oracle is the $ ORACLE_HOME/dbs directory. The default file name is orapwSID, which is not recognized by other file names. After the database is created, it must be restarted before the new password file takes effect. However, this password file is useful for non-operating system authentication, such as network connection. For local login, because the operating system authentication is adopted, no password can be used to log on. In fact, the password does not play any role. If you do not use operating system authentication when logging on to the local machine, set sqlnet under ora92/network/admin. SQLNET. change AUTHENTICATION_SERVICES = (CNT) to SQLNET. AUTHENTICATION_SERVICES = (NONE) and then use D: \ oracle \ ora92 \ database> sqlplus "sys/cjh @ cjh as sysdba" to log on.