Summary: Oracle relational database systems are widely used because of their superior performance, and database security is an important part of database management. Building on an overview of Oracle database security management, this article gives a detailed introduction to the creation, use and maintenance of the Oracle database system password file, for your reference.

Keywords: Oracle, Database, Password File

In an Oracle database system, a user who logs in with a privileged identity (INTERNAL / SYSDBA / SYSOPER) can be authenticated in one of two ways: by the operating system, or by the Oracle database password file. Managing the password file is therefore important: it controls which users are authorized to log in to the Oracle database system, from a remote or local machine, and perform database administration work. The password file stores the usernames and passwords of the superuser INTERNAL / SYS and of other privileged users; it is normally kept in the ORACLE_HOME\Database directory.

First, creating the password file:
When you create a database instance with Oracle Instance Manager, a corresponding password file is created automatically in the ORACLE_HOME\Database directory, with the file name PWDSID.ORA, where SID stands for the corresponding Oracle database system identifier. This password file is the basis for the initial database administration work. Afterwards, the administrator can use the tool ORAPWD.EXE to create a password file manually as needed. The command format is:
C:\> ORAPWD FILE=<filename> PASSWORD=<password> ENTRIES=<max_users>

The meaning of each command parameter is:
filename: the name of the password file;
password: the password set for the INTERNAL / SYS account;
max_users: the maximum number of users the password file can hold, that is, the maximum number of users allowed to log in to the database with SYSDBA / SYSOPER privilege. For later maintenance, note that if the number of such users exceeds this limit the password file has to be rebuilt, so this parameter can be set larger than currently needed.

Once the password file exists, the initialization parameter remote_login_passwordfile must be set to control how the password file is used.

Second, setting the initialization parameter remote_login_passwordfile:
In the initialization parameter file of the Oracle database instance, this parameter controls whether and how the password file is used. It can take the following values:
None: the Oracle system does not use a password file; privileged user logins are authenticated by the operating system.
Exclusive: only one database instance can use this password file. Only under this setting can the password file contain user information other than INTERNAL / SYS, that is, the SYSOPER / SYSDBA system privileges can be granted to users other than INTERNAL / SYS.
Shared: several database instances may use this password file. Under this setting only the INTERNAL / SYS accounts are identified through the password file; even if other users are present in the file, they are not allowed to log in with SYSOPER / SYSDBA privilege. This is the default setting.
When remote_login_passwordfile is set to Exclusive or Shared, the Oracle system searches for the password file in the following order: first the ORA_SID_PWFILE value in the system registry (this is the full path name of the password file); if it is not found, the ORA_PWFILE value; if that is not found either, the default ORACLE_HOME\Database\PWDSID.ORA, where SID stands for the corresponding Oracle database system identifier.

Third, adding and deleting users:
When the initialization parameter remote_login_passwordfile is set to Exclusive, the system allows users other than INTERNAL / SYS to log in to the Oracle database system from a remote or local machine and perform database administration work. These usernames must exist in the password file so that the system can identify them. The password file created automatically when the database instance is created, or created manually with the tool ORAPWD.EXE, contains only the INTERNAL / SYS user information; in practice, therefore, you may need to add other user accounts to the password file or delete them from it. Because only users who have been granted the SYSOPER / SYSDBA system privilege exist in the password file, when such a privilege is granted to or revoked from a user, that user's account is also added to or removed from the password file.
Thus adding a user to or deleting a user from the password file actually means granting or revoking the SYSOPER / SYSDBA system privilege for that user. To perform this authorization you must enter the database with SYSDBA privilege (or the INTERNAL account), and the initialization parameter remote_login_passwordfile must be set to Exclusive. The specific steps are as follows:
1. Create the corresponding password file;
2. Set the initialization parameter remote_login_passwordfile = Exclusive;
3. Log in as SYSDBA: CONNECT SYS/INTERNAL_USER_PASSWORD AS SYSDBA;
4. Start the database instance and open the database;
5. Create the corresponding user account and authorize it (SYSOPER and/or SYSDBA):
   Grant the privilege: GRANT SYSDBA TO user_name;
   Revoke it: REVOKE SYSDBA FROM user_name;
Now these users can log in to the database system as administrators.

Fourth, logging in to the Oracle database instance with SYSOPER / SYSDBA privilege:
Note that the initialization parameter remote_login_passwordfile should be set to Exclusive or Shared. After logging in with SYSOPER / SYSDBA, the session is in the schema of the SYS user. Two login examples follow:
1. Logging in as an administrator: suppose user Scott has been granted SYSDBA privilege; he can then log in with the following command:
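As an added example (not code from the original article), the following SQL*Plus session carries out steps 3 to 5 above and checks the result through the V$PWFILE_USERS view, which lists the accounts held in the password file. The user name APP_DBA and the SYS password are assumed placeholders, and the instance is assumed to have been started with remote_login_passwordfile = Exclusive and a password file built with ORAPWD.

```sql
-- Added example, not from the original article. Placeholder names:
-- <sys_password> and APP_DBA. Assumes an existing user APP_DBA and an
-- instance running with remote_login_passwordfile = EXCLUSIVE.

-- Step 3: connect with SYSDBA privilege (authenticated via the password file).
CONNECT SYS/<sys_password> AS SYSDBA

-- Confirm the setting before touching privileges: a GRANT SYSDBA fails
-- with an error when this shows NONE or SHARED.
SHOW PARAMETER remote_login_passwordfile

-- Baseline: who is currently recorded in the password file.
SELECT username, sysdba, sysoper FROM v$pwfile_users;

-- Step 5: grant SYSDBA; Oracle writes the account into the password file.
GRANT SYSDBA TO app_dba;

-- Verify the entry was added (expect one row with SYSDBA = 'TRUE').
SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 WHERE username = 'APP_DBA';

-- Revoke when the elevated access is no longer required; the entry is
-- removed from the password file again.
REVOKE SYSDBA FROM app_dba;

-- Verify removal (expect no rows).
SELECT username FROM v$pwfile_users WHERE username = 'APP_DBA';
```

Reviewing V$PWFILE_USERS periodically is the quickest way to confirm that only the intended accounts can log in with SYSDBA / SYSOPER privilege.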