Oracle database password file usage and maintenance


[Repost] Oracle Database Password File Usage and Maintenance. Summary: The Oracle relational database system is widely used because of its excellent performance, and ensuring the security of the database is an important part of database administration. On the basis of a summary of Oracle database security management, this article gives a detailed introduction to the creation, use and maintenance of the Oracle database password file, for your reference.

---- Keywords: Oracle Database Password File

---- In the Oracle database system, a user who wants to log in to the database with a privileged identity (INTERNAL / SYSDBA / SYSOPER) can be authenticated in one of two ways: by the operating system, or by the Oracle database password file. Managing the password file is therefore important for controlling which users may log in to the Oracle database system, from a remote or the local machine, and perform database administration work.

---- The Oracle database password file stores the usernames and passwords of the superuser accounts INTERNAL / SYS and of the other privileged users. On Windows it is usually stored in the ORACLE_HOME\database directory.

First, creating the password file:

---- When a database instance is created with the Oracle Instance Manager, a corresponding password file is also created automatically in the ORACLE_HOME\database directory. Its file name is pwdSID.ora, where SID is the system identifier of the corresponding Oracle database. This password file is the basis for the initial database administration work. After that, the administrator can use the ORAPWD.EXE tool to create a password file manually as needed; the command format is as follows:

C:\> ORAPWD FILE=<filename> PASSWORD=<password> ENTRIES=<max_users>

---- The meaning of each command parameter is:

---- FILE: the password file name;

---- PASSWORD: sets the password of the INTERNAL / SYS account;

---- ENTRIES: the maximum number of users that can be stored in the password file, that is, the maximum number of users who may be granted the SYSDBA / SYSOPER privilege and log in to the database with it. If during later maintenance the number of such users exceeds this limit, the password file must be rebuilt, so this parameter should be set somewhat larger than currently needed.

---- After the password file has been created, the initialization parameter REMOTE_LOGIN_PASSWORDFILE must be set to control whether and how the password file is used.

Second, setting the initialization parameter REMOTE_LOGIN_PASSWORDFILE:

---- This parameter, in the initialization parameter file of the Oracle database instance, controls the use of the password file and its state. It can take the following values:

· NONE: the Oracle system does not use a password file; privileged user logins are authenticated by the operating system;

· EXCLUSIVE: only one database instance may use this password file. Only in this setting can the password file contain user information for users other than INTERNAL / SYS, that is, only then can the system privileges SYSOPER / SYSDBA be granted to users other than INTERNAL / SYS.

· SHARED: several database instances may use this password file. In this setting only the INTERNAL / SYS accounts are authenticated through the password file; even if other users are recorded in the file, they are not allowed to log in with SYSOPER / SYSDBA. A newly created password file is in this state.

---- When REMOTE_LOGIN_PASSWORDFILE is set to EXCLUSIVE or SHARED, the Oracle system searches for the password file in the following order: first the value of the ORA_SID_PWFILE parameter in the system registry (the full path name of the password file); if that is not found, the value of the ORA_PWFILE parameter; if that is still not found, the default ORACLE_HOME\database\pwdSID.ora. In both the parameter name and the file name, SID stands for the system identifier of the corresponding Oracle database.

Third, adding users to and deleting users from the password file:

---- When the initialization parameter REMOTE_LOGIN_PASSWORDFILE is set to EXCLUSIVE, the system allows users other than INTERNAL / SYS to log in to the Oracle database system from a remote or the local machine and perform database administration; these user names must exist in the password file so that the system can identify them. The password file created automatically with the database instance, or manually with the ORAPWD.EXE tool, contains only the INTERNAL / SYS user information; in practice it is therefore necessary to add other user accounts to the password file or delete them from it.

---- Since only users who have been granted the SYSOPER / SYSDBA system privilege exist in the password file, granting the SYSOPER / SYSDBA system privilege to a user, or revoking it, adds that user's account to the password file or removes it from the file accordingly. Adding a user to or deleting a user from the password file therefore actually means granting or revoking the SYSOPER / SYSDBA system privilege for that user.

---- To perform this authorization, you must enter the database with the SYSDBA privilege (or with the INTERNAL account), and the initialization parameter REMOTE_LOGIN_PASSWORDFILE must be EXCLUSIVE. The specific steps are as follows:

1. Create the corresponding password file;

2. Set the initialization parameter REMOTE_LOGIN_PASSWORDFILE = EXCLUSIVE;

3. Log in with the SYSDBA privilege:

CONNECT sys/<internal_user_password> AS SYSDBA

4. Start the database instance and open the database;

5. Create the corresponding user account and grant it the privilege (SYSOPER or SYSDBA):

Grant the privilege: GRANT SYSDBA TO user_name;

Revoke it: REVOKE SYSDBA FROM user_name;

6. These users can now log in to the database system as administrators.
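The procedure above, written out as a SQL*Plus script. This is an added worked example for this page, not code from the original article or from Oracle. It assumes the instance is already open with REMOTE_LOGIN_PASSWORDFILE = EXCLUSIVE, that <sys_password> is the value that was given to ORAPWD PASSWORD=, and it uses an assumed operator account OPS_ADMIN with a placeholder password. It grants SYSOPER rather than SYSDBA for routine operations, because SYSOPER can start, stop, mount and back up the database without being able to read user data, and it verifies each step against V$PWFILE_USERS (the login step also illustrates the next section).

```sql
-- Added example (not from the original article). Run in SQL*Plus.
-- Assumes: instance open, REMOTE_LOGIN_PASSWORDFILE = EXCLUSIVE in init.ora,
-- <sys_password> is the value passed to ORAPWD PASSWORD=, and OPS_ADMIN is an
-- assumed operator account that does not exist yet.
CONNECT sys/<sys_password> AS SYSDBA

-- A password-file member must first exist as an ordinary database user.
CREATE USER ops_admin IDENTIFIED BY "<ops_admin_password>";

-- Least privilege: SYSOPER is enough for start/stop/mount/backup work and does
-- not allow reading application data, so it is preferred over SYSDBA for operators.
GRANT SYSOPER TO ops_admin;

-- Only SYS/INTERNAL and users holding SYSDBA or SYSOPER are listed here: this
-- view is the membership list of the password file. Check it after every grant.
COLUMN username FORMAT A20
SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 ORDER BY username;

-- Log in through the password file with the new privilege. A SYSOPER session is
-- connected with the PUBLIC schema, not with OPS_ADMIN's own schema.
CONNECT ops_admin/<ops_admin_password> AS SYSOPER
SHOW USER
CONNECT sys/<sys_password> AS SYSDBA

-- Escalate to SYSDBA only for the task that needs it, then take it back again;
-- REVOKE removes the privilege from the password file immediately.
GRANT SYSDBA TO ops_admin;
REVOKE SYSDBA FROM ops_admin;

-- Revoking the last password-file privilege drops the user from the file.
REVOKE SYSOPER FROM ops_admin;
SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 ORDER BY username;
```

Connecting AS SYSDBA or AS SYSOPER does not require the CREATE SESSION privilege, so an operator account created this way cannot also log in as an ordinary user unless that privilege is granted separately; review V$PWFILE_USERS regularly, since every row in it is an account that can bypass normal object privileges.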

Fourth, logging in with the password file:

---- Once a password file exists, users can log in to the Oracle database instance through it. Note that the initialization parameter REMOTE_LOGIN_PASSWORDFILE must be set to EXCLUSIVE or SHARED. After logging in with the SYSOPER / SYSDBA privilege, the session does not work in the user's own schema: a SYSDBA connection works in the schema of the SYS user (a SYSOPER connection in PUBLIC). Two login examples follow:

---- 1. Log in as an administrator:

---- Suppose the user SCOTT has been granted the SYSDBA privilege; then log in with the following command:

---- CONNECT scott/tiger AS SYSDBA

---- 2. Log in as INTERNAL:

---- CONNECT INTERNAL/<internal_password>

Fifth, maintenance of the password file:

---- 1. Viewing the members of the password file:

---- Query the view V$PWFILE_USERS to obtain information about the users who hold the SYSOPER / SYSDBA system privilege; the values TRUE / FALSE in the SYSDBA and SYSOPER columns indicate whether a user holds the corresponding privilege. These users are the members of the password file.

---- 2. Extending the number of users in the password file:

---- When the number of accounts added to the password file reaches the limit set when it was created (the ENTRIES parameter of ORAPWD.EXE), no further users can be added, and the password file must be rebuilt. The specific steps are as follows:

---- a) Query the view V$PWFILE_USERS and record the users who hold the SYSOPER / SYSDBA system privilege;

---- b) Shut down the database;

---- c) Delete the password file;

---- d) Create a new password file with ORAPWD.EXE, with a larger ENTRIES value;

---- e) Add the users recorded in step a) back to the password file.
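Steps a) to e) carried through as a single SQL*Plus script. This is an added worked example for this page, not code from the original article or from Oracle. It assumes a Windows server with SID ORCL and ORACLE_HOME C:\oracle\ora81 (both assumed), that the script is run on the database server by a member of the ORA_DBA group so that operating system authentication ("/ AS SYSDBA") keeps working while no password file exists, that REMOTE_LOGIN_PASSWORDFILE stays EXCLUSIVE in init.ora, and that ENTRIES is raised to 20. Step a) is done by generating the GRANT statements from V$PWFILE_USERS instead of copying names by hand, so no member is lost in step e).

```sql
-- Added example (not from the original article): rebuild the password file with
-- a larger ENTRIES value and restore its members. Run in SQL*Plus on the server.
-- Assumed: SID ORCL, ORACLE_HOME C:\oracle\ora81, the caller is in ORA_DBA,
-- <sys_password> is the new SYS/INTERNAL password, ENTRIES raised to 20.

-- OS authentication: this still works after the password file is deleted.
CONNECT / AS SYSDBA

-- a) Record the current members as GRANT statements, one per privilege.
--    SYS/INTERNAL are always in the file and are excluded. Quoted identifiers
--    keep unusual user names intact.
SET HEADING OFF FEEDBACK OFF PAGESIZE 0 LINESIZE 200 TRIMSPOOL ON
SPOOL C:\oracle\ora81\database\regrant.sql
SELECT 'GRANT SYSDBA TO "' || username || '";'
  FROM v$pwfile_users
 WHERE sysdba = 'TRUE' AND username NOT IN ('SYS', 'INTERNAL');
SELECT 'GRANT SYSOPER TO "' || username || '";'
  FROM v$pwfile_users
 WHERE sysoper = 'TRUE' AND username NOT IN ('SYS', 'INTERNAL');
SPOOL OFF
SET HEADING ON FEEDBACK ON

-- b) Shut down the database.
SHUTDOWN IMMEDIATE

-- c) Delete the old file, keeping a copy so the rebuild can be undone.
HOST copy C:\oracle\ora81\database\pwdORCL.ora C:\oracle\ora81\database\pwdORCL.ora.bak
HOST del C:\oracle\ora81\database\pwdORCL.ora

-- d) Create the new file with more ENTRIES. PASSWORD= becomes the SYS/INTERNAL
--    password; it is visible on the command line while ORAPWD runs, so choose it
--    deliberately, store it in the password safe, and never leave it in this script.
HOST orapwd file=C:\oracle\ora81\database\pwdORCL.ora password=<sys_password> entries=20

-- e) Start the instance and replay the recorded grants; each GRANT re-adds the
--    user to the new file. init.ora must still say REMOTE_LOGIN_PASSWORDFILE=EXCLUSIVE,
--    otherwise the grants are refused.
STARTUP
@C:\oracle\ora81\database\regrant.sql

-- Compare with the membership recorded in step a) before deleting the .bak copy.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 ORDER BY username;
```

The SQL*Plus session survives SHUTDOWN and STARTUP because it was opened with operating system authentication; a session opened with a password-file login would not be able to reconnect between steps c) and e). Delete regrant.sql and the .bak file once the final query matches the recorded membership.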

---- 3. Modifying the state of the password file:

---- The state of the password file is stored in the file itself; when the file is created, its default state is SHARED. The state of the password file is changed through the setting of the initialization parameter REMOTE_LOGIN_PASSWORDFILE: when the database instance starts, the Oracle system reads the setting of REMOTE_LOGIN_PASSWORDFILE from the initialization parameter file; when the database is mounted, the system compares this parameter with the state recorded in the password file and, if they differ, updates the state of the password file. If the database instance may be started from several clients, each with its own initialization parameter file, the initialization parameter files on all clients must be kept consistent; otherwise the state of the password file may be changed unintentionally and database logins will fail.

---- 4. Modifying the storage location of the password file:

---- The password file can be moved to another location as needed, but after such a move the registry parameters or environment variables that point to the location of the password file (see the search order in the second section) must be updated accordingly.

---- 5. Deleting the password file:

---- Before deleting the password file, make sure that the initialization parameter REMOTE_LOGIN_PASSWORDFILE of every currently running database instance is set to NONE. After the password file has been deleted, anyone who wants to connect to the database as an administrator must log in through operating system authentication.


Please credit the original source when reposting: https://www.9cbs.com/read-52612.html
