The role and description of password file in Oracle

Oracle|word
Database-built users cannot authenticate to the database until the database is started.

The password file holds the username and password of the Sysdba/sysoper user, allows the user to authenticate by password file, log in before the database is started, and start the database.

If there is no password file, it can only be authenticated by the operating system before the database is started.

The use of Rman, many times the need to nomount,mount in the state of the database processing so often require SYSDBA permissions if the local DBA group, you can log in through the operating system to login if the remote SYSDBA landing, the need to pass Passwordfile certification.

1.remote_login_passwordfile = NONE

At this time, disable password file authentication, the Oracle database does not allow remote Sysdba/sysoper identity logins can not be remote database start and stop operation management

Local



[Oracle@jumper oracle]$ Sqlplus "/As SYSDBA"

Sql*plus:release 9.2.0.3.0-production on Thu Apr 15 09:58:45 2004

Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

Connected to:oracle9i Enterprise Edition release 9.2.0.3.0-productionwith The partitioning, OLAP and Oracle Data Mining Optionsjserver Release 9.2.0.3.0-production

sql> alter USER SYS identified by Oracle;

User altered.

Sql> Show Parameter Pass

NAME TYPE VALUE--------------------------------------------------------------remote_login_passwor Dfile string NONE

Remote



E:\oracle\ora92\bin>sqlplus/nologsql*plus:release 9.2.0.4.0-production on Thursday April 09:39:22 2004Copyright (c) 1982 , 2002, Oracle Corporation. All rights reserved. Sql> Connect SYS/ORACLE@HSJF as Sysdbaerror:ora-01017:invalid Username/password; Logon denied

This is virtually impossible to authenticate with a password file

2.remote_login_passwordfile = Exclusive







Sql> alter system set remote_login_passwordfile=exclusive Scope=spfile;

System altered.

Sql> Startup Force;oracle instance started.

Total System Global area 131142648 bytesfixed size 451576 bytesvariable size 104857600 bytesdatabase buffers 25165824 byte Sredo buffers 667648 bytesdatabase mounted. Database opened. Sql> Show Parameter Pass

NAME TYPE VALUE-----------------------------------------------------------------------------remote_login_ Passwordfile string exclusivesql> alter USER SYS identified by Oracle;

User altered.



Remote





E:\oracle\ora92\bin>sqlplus/nologsql*plus:release 9.2.0.4.0-production on Thursday April 09:47:11 2004Copyright (c) 1982 , 2002, Oracle Corporation. All rights reserved. Sql> Connect SYS/ORACLE@HSJF as SYSDBA is connected. Sql> show Useruser as "SYS" sql>



This is actually a password file to authenticate the login

3. Further testing

If we delete Passwdfile,sysdba/sysoper at this time will not be able to authenticate, can not log into the database

Server:



Sql>! [Oracle@jumper oracle]$ cd $ORACLE _home/dbs[oracle@jumper dbs]$ ls orapwhsjforapwhsjf[oracle@jumper dbs]$ mv ORAPWHSJF Orapwhsjf.bak[oracle@jumper dbs]$





Remote:



E:\oracle\ora92\bin>sqlplus/nolog

Sql*plus:release 9.2.0.4.0-production on Thursday April 15 09:50:14 2004

Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

Sql> Connect SYS/ORACLE@HSJF as Sysdbaerror:ora-01031:insufficient privileges

Sql>





This is virtually impossible to authenticate with the password file.



4. If the Passwdfile is lost

If you accidentally lose using Passwdfile, you will not be able to start the database at this time





Sql> Startup Force;oracle instance started.

Total System Global area 131142648 bytesfixed size 451576 bytesvariable size 104857600 bytesdatabase buffers 25165824 byte Sredo buffers 667648 bytesora-01990:error opening password file '/OPT/ORACLE/PRODUCT/9.2.0/DBS/ORAPW ' ora-27037:unable To obtain file Statuslinux error:2: No such file or directoryadditional Information:3







At this point, you can rebuild the password file by orapwd to resolve the password file to restore



Sql>! [Oracle@jumper oracle]$ mv $ORACLE _home/dbs/orapwhsjf.bak orapwhsjf[oracle@jumper oracle]$ exitexit

sql> ALTER DATABASE open;

Database altered.

Sql>







This is roughly the case.



5. Remote_login_passwordfile = Shared

Let's take a look at the instructions in the Oracle9i documentation:

SHARED

More than one database can use a password file. However, the only user recognized by the password file is SYS.

It means that multiple databases can share a password file, but only one user can be identified: SYS



Sql> select * from V$pwfile_users;

USERNAME sysdb SYSOP----------------------------------------SYS True

Sql> Grant SYSDBA to Eygle;grant SYSDBA to Eygle*error on line 1:ora-01994:grant failed:cannot add users to public PA ssWOrd file

Sql> Show parameter password

NAME TYPE VALUE-----------------------------------------------------------------------------remote_login_ Passwordfile string SHARED





We see that the password file in this case cannot be added to the user.

Many people's question is: The password file's default name is Orapw<sid&gt, how can it be shared?

In fact, when the Oracle database starts, it first looks for the orapw<sid> password file, and if the file does not exist, start looking, orapw password file if the password file is named ORAPW, multiple databases can be shared.

Let's take a look at the test:



[Oracle@jumper dbs]$ Sqlplus "/As SYSDBA"

Sql*plus:release 9.2.0.3.0-production on Tue June 6 09:40:34 2004

Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

Connected to:oracle9i Enterprise Edition release 9.2.0.3.0-productionwith The partitioning, OLAP and Oracle Data Mining Optionsjserver Release 9.2.0.3.0-production

sql> shutdown immediatedatabase closed. Database dismounted. ORACLE instance shut down. Sql>! [Oracle@jumper dbs]$ lshsjf initdw.ora inithsjf.ora init.ora lkhsjf orapwhsjf spfilehsjf.ora[oracle@jumper dbs]$ MV ORAPWHSJF Orapwhsjf.bak[oracle@jumper dbs]$ Exitexit

Sql> Startuporacle instance started.

Total System Global area 235999908 bytesfixed size 451236 bytesvariable size 201326592 byte Sdatabase buffers 33554432 Bytesredo buffers 667648 bytesora-01990:error opening password file '/OPT/ORACLE/PRODUCT/9.2.0/DBS/ORAPW '-this is the last file found ora-27037:unable to obtain files Statuslinux error:2: No such file or dir Ectoryadditional Information:3





We build the ORAPW password file, and then we can open the database.

Sql>! [Oracle@jumper dbs]$ lshsjf initdw.ora inithsjf.ora init.ora lkhsjf orapwhsjf.bak spfilehsjf.ora[oracle@jumper dbs]$ CP Orapwhsjf.bak Orapw[oracle@jumper dbs]$ exitexit

sql> ALTER DATABASE open;

Database altered.

Sql> Show Parameter PASSW

NAME TYPE VALUE------------------------------------------------------------------ -----------Remote_login_passwordfile String sharedsql>

So you might have the question of whether multiple exclusive databases can share a password file (ORAPW)?

We continue this experiment:

Sql> Show parameter Passwordname TYPE VALUE--------------------------------------------------------------------- --------Remote_login_passwordfile String SHARED

[Oracle@jumper dbs]$ strings orapw]\[zoracle Remote Password fileinternalab27b53edc5fef418a8f025737a9097a

Note that only Internal/sys's password is recorded here.

When remote_login_passwordfile=exclusive

Sql> alter system set remote_login_passwordfile=exclusive Scope=spfile; System altered.

Sql> Startup Force;oracle instance started.

Total System Global area 235999908 bytesfixed size 451236 bytesvariable size 201326592 bytesdatabase buffers 33554432 byte Sredo buffers 667648 bytesdatabase mounted. Database opened. Sql>!

[Oracle@jumper bin]$ CD $ORACLE _home/dbs[oracle@jumper dbs]$ strings orapw]\[zoracle Remote Password Filehsjfinternalab27b53edc5fef418a8f025737a9097a[oracle@jumper dbs]$ Exitexit

Note Here, the instance name information is written to the password file after it is started in exclusive mode.

This password file can still be used if another instance is started in exclusive mode, and the instance name in the password file is overwritten at the same time.

That is, the database reads the password file only during the startup process, and the database does not lock the file while it is running, similar to the Pfile/spfile file.

Sql> select * from V$pwfile_users; USERNAME sysdb SYSOP----------------------------------------SYS True

Sql> Grant SYSDBA to Eygle;

Grant succeeded.

Sql> select * from V$pwfile_users;

USERNAME sysdb SYSOP----------------------------------------SYS true Trueeygle true FALSE

Sql>! [Oracle@jumper bin]$ CD $ORACLE _home/dbs[oracle@jumper dbs]$ strings orapw]\[zoracle Remote Password Filehsjfinternalab27b53edc5fef418a8f025737a9097a>eygleb726e09fe21f8e83

Note You can increase the SYSDBA user at this time, and this information can be written to the password file.

Once additional SYSDBA users are added to the password file, this file can no longer be shared by other exclusive instances.

In fact, the password file is a sudo effect for other users.

6. Rebuild Password file

If the password file is missing, you can use ORAPWD to rebuild the password file, as follows:

[Oracle@jumper oracle]$ orapwdusage:orapwd file=<fname> password=<password> entries=<users> Wherefile-name of password file (mand), Password-password for SYS (mand), entries-maximum number of distinct DBA and O PERs (opt), There are no spaces around the equal-to (=) character.