René Nyffenegger's collection of things on the web | |
René Nyffenegger on Oracle - Most wanted - Feedback
- Follow @renenyffenegger
|
Oracle's password file | ||
If the DBA wants to start up an Oracle instance there must be a way for Oracle to authenticate this
DBA. That is if (s)he is allowed to do so. Obviously, his password can not be stored in the database, because Oracle can not access the database before the instance is started up.
Therefore, the authentication of the DBA must happen outside of the database. There are two distinct mechanisms to authenticate the DBA: using the password file or through the operating system.
The init parameter remote_login_passwordfile specifies if a password
file is used to authenticate the DBA or not. If it set either to shared or exclusive a password file will be used.
Default location and file name
The default location for the password file is:
$ORACLE_HOME/dbs/orapw$ORACLE_SID on Unix and
%ORACLE_HOME%\database\PWD%ORACLE_SID%.ora on Windows.
Deleting a password file
If password file authentication is no longer needed, the password file can be deleted and the init parameter
remote_login_passwordfile set to none.
Password file state
If a password file is shared or exclusive is also stored in the password file. After its creation, the state is shared. The state can be changed
by setting remote_login_passwordfile and starting the database.
That is, the database overwrites the state in the password file when it is started up.
A password file whose state is shared can only contain SYS.
Creating a password file
Password files are created with the orapwd tool.
Adding Users to the password fileSYS@ora10> show user; USER is "SYS" SYS@ora10> select * from v$pwfile_users; USERNAME SYSDB SYSOP ------------------------------ ----- ----- SYS TRUE TRUE SYS@ora10> grant SYSDBA to rene; Grant succeeded. SYS@ora10> select * from v$pwfile_users; USERNAME SYSDB SYSOP ------------------------------ ----- ----- SYS TRUE TRUE RENE TRUE FALSE SYS@ora10> grant SYSOPER to rene; Grant succeeded. SYS@ora10> select * from v$pwfile_users; USERNAME SYSDB SYSOP ------------------------------ ----- ----- SYS TRUE TRUE RENE TRUE TRUE SYS@ora10> revoke SYSDBA from rene; Revoke succeeded. SYS@ora10> select * from v$pwfile_users; USERNAME SYSDB SYSOP ------------------------------ ----- ----- SYS TRUE TRUE RENE FALSE TRUE SYS@ora10> revoke SYSOPER from rene; Revoke succeeded. SYS@ora10> select * from v$pwfile_users; USERNAME SYSDB SYSOP ------------------------------ ----- ----- SYS TRUE TRUE LinksThanks
Thanks to Amanda Wendal who helped correct this page.
|