Oracle Database Online Documentation 11g Release 1 (11.1)
Database Administrator's Guide

Creating and Maintaining a Password File
You can create a password file using the password file creation utility, ORAPWD. For some operating systems, you can create this file as part of your standard installation.
This section contains the following topics:

Using ORAPWD
Setting REMOTE_LOGIN_PASSWORDFILE
Adding Users to a Password File
Maintaining a Password File

See Also:
"Using Password File Authentication" (dba006.htm#i1006740)
"Selecting an Authentication Method for Database Administrators" (dba006.htm#i1006628)

Using ORAPWD

The syntax of the ORAPWD command is as follows:

ORAPWD FILE=filename [ENTRIES=numusers]
[FORCE={Y|N}] [IGNORECASE={Y|N}] [NOSYSDBA={Y|N}]

Command arguments are summarized in the following table.
Argument      Description
FILE          Name to assign to the password file. See your operating system documentation for name requirements. You must supply a complete path. If you supply only a file name, the file is written to the current directory.
ENTRIES       (Optional) Maximum number of entries (user accounts) to permit in the file.
FORCE         (Optional) If y, permits overwriting an existing password file.
IGNORECASE    (Optional) If y, passwords are treated as case insensitive.
NOSYSDBA      (Optional) For Data Vault installations. See the Data Vault installation guide for your platform for more information.

There are no spaces permitted around the equal-to (=) character.
The command prompts for the SYS password and stores the password in the created password file.

Example

The following command creates a password file named orapworcl that allows up to 30 privileged users with different passwords.

orapwd FILE=orapworcl ENTRIES=30

ORAPWD Command Line Argument Descriptions
The following sections describe the ORAPWD command line arguments.

FILE
This argument sets the name of the password file being created. You must specify the full path name for the file. If you supply only a file name, the file is written to the current directory. The contents of this file are encrypted, and the file cannot be read directly. This argument is mandatory.
The types of filenames allowed for the password file are operating system specific. Some operating systems require the password file to adhere to a specific format and be located in a specific directory. Other operating systems allow the use of environment variables to specify the name and location of the password file. For name and location information for the Unix and Linux operating systems, see Administrator's Reference for UNIX-Based Operating Systems. For Windows, see Platform Guide for Microsoft Windows. For other operating systems, see your operating system documentation.
If you are running multiple instances of Oracle Database using Oracle Real Application Clusters, the environment variable for each instance should point to the same password file.

Caution:
It is critically important to the security of your system that you protect your password file and the environment variables that identify the location of the password file. Any user with access to these could potentially compromise the security of the connection.
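
One way to check the protection the Caution above asks for, as an added example that is not part of the Oracle documentation. The function name, the policy it enforces (no access for "other", no group write, parent directory not world-writable) and the path in the usage comment are assumptions of this example.

```shell
# Added example: audit the file permissions of an Oracle password file.
# Returns 0 = acceptable, 1 = too permissive, 2 = file missing.
# Policy is an assumption of this example, not an Oracle requirement.
audit_pwfile() {
    f=$1
    if [ ! -f "$f" ]; then
        # Per the page, a missing file with EXCLUSIVE or SHARED set
        # behaves as if REMOTE_LOGIN_PASSWORDFILE were NONE.
        echo "MISSING $f"
        return 2
    fi
    # ls -ld mode string: 1 type, 2-4 owner, 5-7 group, 8-10 other.
    mode=$(ls -ld -- "$f" | cut -c1-10)
    group_w=$(printf '%s' "$mode" | cut -c6)
    other=$(printf '%s' "$mode" | cut -c8-10)
    # A world-writable directory lets another user replace the file.
    dir=$(dirname -- "$f")
    dir_other_w=$(ls -ld -- "$dir" | cut -c9)
    status=0
    if [ "$group_w" != "-" ] || [ "$other" != "---" ]; then
        echo "INSECURE $f mode=$mode"
        status=1
    fi
    if [ "$dir_other_w" != "-" ]; then
        echo "INSECURE directory $dir is world-writable"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK $f mode=$mode"
    return "$status"
}

# Usage (path is an assumption; see your platform guide for the location):
#   audit_pwfile "$ORACLE_HOME/dbs/orapw$ORACLE_SID"
```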

ENTRIES
This argument specifies the number of entries that you require the password file to accept. This number corresponds to the number of distinct users allowed to connect to the database as SYSDBA or SYSOPER. The actual number of allowable entries can be higher than the number of users, because the ORAPWD utility continues to assign password entries until an operating system block is filled. For example, if your operating system block size is 512 bytes, it holds four password entries. The number of password entries allocated is always a multiple of four.
Entries can be reused as users are added to and removed from the password file. If you intend to specify REMOTE_LOGIN_PASSWORDFILE=EXCLUSIVE, and to allow the granting of SYSDBA and SYSOPER privileges to users, this argument is required.

Caution:
When you exceed the allocated number of password entries, you must create a new password file. To avoid this necessity, allocate a number of entries that is larger than you think you will ever need.

FORCE
This argument, if set to Y, enables you to overwrite an existing password file. An error is returned if a password file of the same name already exists and this argument is omitted or set to N.

IGNORECASE
If this argument is set to y, passwords are case insensitive. That is, case is ignored when comparing the password that the user supplies during login with the password in the password file.

See Also:
Oracle Database Security Guide (../../network.111/b28531/toc.htm) for more information about case sensitivity in passwords.

Setting REMOTE_LOGIN_PASSWORDFILE
In addition to creating the password file, you must also set the initialization parameter REMOTE_LOGIN_PASSWORDFILE to the appropriate value. The values recognized are:

NONE: Setting this parameter to NONE causes Oracle Database to behave as if the password file does not exist. That is, no privileged connections are allowed over nonsecure connections.

EXCLUSIVE: (The default) An EXCLUSIVE password file can be used with only one instance of one database. Only an EXCLUSIVE file can be modified. Using an EXCLUSIVE password file enables you to add, modify, and delete users. It also enables you to change the SYS password with the ALTER USER command.

SHARED: A SHARED password file can be used by multiple databases running on the same server, or multiple instances of an Oracle Real Application Clusters (RAC) database. A SHARED password file cannot be modified. This means that you cannot add users to a SHARED password file. Any attempt to do so or to change the password of SYS or other users with the SYSDBA or SYSOPER privileges generates an error. All users needing SYSDBA or SYSOPER system privileges must be added to the password file when REMOTE_LOGIN_PASSWORDFILE is set to EXCLUSIVE. After all users are added, you can change REMOTE_LOGIN_PASSWORDFILE to SHARED, and then share the file. This option is useful if you are administering multiple databases or a RAC database.

If REMOTE_LOGIN_PASSWORDFILE is set to EXCLUSIVE or SHARED and the password file is missing, this is equivalent to setting REMOTE_LOGIN_PASSWORDFILE to NONE.

Note:
You cannot change the password for SYS if REMOTE_LOGIN_PASSWORDFILE is set to SHARED. An error message is issued if you attempt to do so.

Adding Users to a Password File
When you grant SYSDBA or SYSOPER privileges to a user, that user's name and privilege information are added to the password file. If the server does not have an EXCLUSIVE password file (that is, if the initialization parameter REMOTE_LOGIN_PASSWORDFILE is NONE or SHARED, or the password file is missing), Oracle Database issues an error if you attempt to grant these privileges.

A user's name remains in the password file only as long as that user has at least one of these two privileges. If you revoke both of these privileges, Oracle Database removes the user from the password file.

Creating a Password File and Adding New Users to It

Use the following procedure to create a password file and add new users to it:

1. Follow the instructions for creating a password file as explained in "Using ORAPWD".
2. Set the REMOTE_LOGIN_PASSWORDFILE initialization parameter to EXCLUSIVE. (This is the default.)

Note:
REMOTE_LOGIN_PASSWORDFILE is a static initialization parameter and therefore cannot be changed without restarting the database.

3. Connect with SYSDBA privileges as shown in the following example, and enter the SYS password when prompted:

CONNECT SYS AS SYSDBA

4. Start up the instance and create the database if necessary, or mount and open an existing database.
5. Create users as necessary. Grant SYSDBA or SYSOPER privileges to yourself and other users as appropriate. See "Granting and Revoking SYSDBA and SYSOPER Privileges", later in this section.

Granting and Revoking SYSDBA and SYSOPER Privileges
If your server is using an EXCLUSIVE password file, use the GRANT statement to grant the SYSDBA or SYSOPER system privilege to a user, as shown in the following example:

GRANT SYSDBA TO oe

Use the REVOKE statement to revoke the SYSDBA or SYSOPER system privilege from a user, as shown in the following example:

REVOKE SYSDBA FROM oe

Because SYSDBA and SYSOPER are the most powerful database privileges, the WITH ADMIN OPTION is not used in the GRANT statement. That is, the grantee cannot in turn grant the SYSDBA or SYSOPER privilege to another user. Only a user currently connected as SYSDBA can grant or revoke another user's SYSDBA or SYSOPER system privileges. These privileges cannot be granted to roles, because roles are available only after database startup. Do not confuse the SYSDBA and SYSOPER database privileges with operating system roles.

See Also:
Oracle Database Security Guide (../../network.111/b28531/authorization.htm#DBSEG004) for more information on system privileges

Viewing Password File Members
Use the V$PWFILE_USERS view to see the users who have been granted SYSDBA or SYSOPER system privileges for a database. The columns displayed by this view are as follows:

Column      Description
USERNAME    This column contains the name of the user that is recognized by the password file.
SYSDBA      If the value of this column is TRUE, then the user can log on with SYSDBA system privileges.
SYSOPER     If the value of this column is TRUE, then the user can log on with SYSOPER system privileges.

Maintaining a Password File
This section describes how to:

Expand the number of password file users if the password file becomes full
Remove the password file

Expanding the Number of Password File Users
If you receive the file full error (ORA-1996) when you try to grant SYSDBA or SYSOPER system privileges to a user, you must create a larger password file and re-grant the privileges to the users.

Replacing a Password File

Use the following procedure to replace a password file:

1. Identify the users who have SYSDBA or SYSOPER privileges by querying the V$PWFILE_USERS view.
2. Delete the existing password file.
3. Follow the instructions for creating a new password file using the ORAPWD utility in "Using ORAPWD". Ensure that the ENTRIES parameter is set to a number larger than you think you will ever need.
4. Follow the instructions in "Adding Users to a Password File".
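
Step 1 of the procedure above is what preserves the grants once the old file is deleted. The following added example (not from the Oracle documentation) turns a saved V$PWFILE_USERS listing into the re-grant statements for step 4; the function names, the constructed sample listing and the spooled column layout are assumptions.

```shell
# Added example: build re-grant statements from a saved V$PWFILE_USERS listing.
# Assumption: the listing was spooled before deleting the file, from
#   SELECT username, sysdba, sysoper FROM v$pwfile_users;
# as whitespace-separated columns in that order.
regrant_sql() {
    awk '
        # Skip blank lines, the header row and the dashed separator.
        NF < 3 || $1 == "USERNAME" || $1 ~ /^-+$/ { next }
        # SYS is stored by ORAPWD itself when the new file is created.
        $1 == "SYS" { next }
        # Only plain unquoted identifiers go into generated SQL;
        # anything else is left as a comment for manual review.
        $1 !~ /^[A-Z][A-Z0-9_]*$/ {
            printf "-- skipped unexpected name: %s\n", $1
            next
        }
        $2 == "TRUE" { printf "GRANT SYSDBA TO %s;\n", $1 }
        $3 == "TRUE" { printf "GRANT SYSOPER TO %s;\n", $1 }
    ' "$@"
}

# Constructed sample listing (not real output from any database).
sample_listing() {
    cat <<'EOF'
USERNAME                       SYSDB SYSOP
------------------------------ ----- -----
SYS                            TRUE  TRUE
OE                             TRUE  FALSE
OPS_ADMIN                      FALSE TRUE
EOF
}

# Usage: sample_listing | regrant_sql
#    or: regrant_sql saved_pwfile_users.txt > regrant.sql
```

Review the generated statements before running them as SYSDBA against the new EXCLUSIVE password file.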

Removing a Password File
If you determine that you no longer require a password file to authenticate users, you can delete the password file and then optionally reset the REMOTE_LOGIN_PASSWORDFILE initialization parameter to NONE. After you remove this file, only those users who can be authenticated by the operating system can perform SYSDBA or SYSOPER database administration operations.

Copyright 2014, Oracle and/or its affiliates. All rights reserved.
