com/en/)
SignIn(http://www.oracle.com/webapps/redirect/signon?nexturl=http://docs.oracle.com/cd/B28359_01/server.111/b28310/dba007.htm)
Home(https://docs.oracle.com/)/Database(https://docs.oracle.com/en/database/)/OracleDatabaseOnlineDocumentation
11gRelease1(11.1)(../../index.htm)/DatabaseAdministration(../../nav/portal_4.htm)
DatabaseAdministrator'sGuide
()
()()
CreatingandMaintainingaPassword
File
Youcancreateapasswordfileusingthepasswordfilecreationutility, ORAPWD .Forsomeoperating
systems,youcancreatethisfileaspartofyourstandardinstallation.
Thissectioncontainsthefollowingtopics:
UsingORAPWD
SettingREMOTE_LOGIN_PASSWORDFILE
AddingUserstoaPasswordFile
MaintainingaPasswordFile
SeeAlso:
"UsingPasswordFileAuthentication"(dba006.htm#i1006740)
"SelectinganAuthenticationMethodforDatabaseAdministrators"(dba006.htm#i1006628)
()()
UsingORAPWD()()()
Commandargumentsaresummarizedinthefollowingtable.
Argument
Description
FILE
Nametoassigntothepasswordfile.Seeyouroperatingsystemdocumentation
fornamerequirements.Youmustsupplyacompletepath.Ifyousupplyonlyafile
name,thefileiswrittentothecurrentdirectory.
ENTRIES
(Optional)Maximumnumberofentries(useraccounts)topermitinthefile.
FORCE
(Optional)If y ,permitsoverwritinganexistingpasswordfile.
IGNORECASE
(Optional)If y ,passwordsaretreatedascaseinsensitive.
NOSYSDBA
(Optional)ForDataVaultinstallations.SeetheDataVaultinstallationguidefor
yourplatformformoreinformation.
Therearenospacespermittedaroundtheequalto(=)character.
Thecommandpromptsforthe SYS passwordandstoresthepasswordinthecreatedpasswordfile.
()Example
ORAPWDCommandLineArgumentDescriptions
Thefollowingsectionsdescribethe ORAPWD commandlinearguments.
FILE
Thisargumentsetsthenameofthepasswordfilebeingcreated.Youmustspecifythefullpathname
forthefile.Ifyousupplyonlyafilename,thefileiswrittentothecurrentdirectory.Thecontentsof
thisfileareencrypted,andthefilecannotbereaddirectly.Thisargumentismandatory.
Thetypesoffilenamesallowedforthepasswordfileareoperatingsystemspecific.Someoperating
systemsrequirethepasswordfiletoadheretoaspecificformatandbelocatedinaspecificdirectory.
Otheroperatingsystemsallowtheuseofenvironmentvariablestospecifythenameandlocationof
thepasswordfile.FornameandlocationinformationfortheUnixandLinuxoperatingsystems,see
Administrator'sReferenceforUNIXBasedOperatingSystems.ForWindows,seePlatformGuidefor
MicrosoftWindows.Forotheroperatingsystems,seeyouroperatingsystemdocumentation.
IfyouarerunningmultipleinstancesofOracleDatabaseusingOracleRealApplicationClusters,the
environmentvariableforeachinstanceshouldpointtothesamepasswordfile.
Caution:
Itiscriticallyimportanttothesecurityofyoursystemthatyouprotectyourpasswordfile
andtheenvironmentvariablesthatidentifythelocationofthepasswordfile.Anyuserwith
accesstothesecouldpotentiallycompromisethesecurityoftheconnection.
ENTRIES
Thisargumentspecifiesthenumberofentriesthatyourequirethepasswordfiletoaccept.This
numbercorrespondstothenumberofdistinctusersallowedtoconnecttothedatabaseas SYSDBA
or SYSOPER .Theactualnumberofallowableentriescanbehigherthanthenumberofusers,
becausethe ORAPWD utilitycontinuestoassignpasswordentriesuntilanoperatingsystemblockis
filled.Forexample,ifyouroperatingsystemblocksizeis512bytes,itholdsfourpasswordentries.
Thenumberofpasswordentriesallocatedisalwaysamultipleoffour.
Entriescanbereusedasusersareaddedtoandremovedfromthepasswordfile.Ifyouintendto
specify REMOTE_LOGIN_PASSWORDFILE=EXCLUSIVE ,andtoallowthegrantingof SYSDBA and
SYSOPER privilegestousers,thisargumentisrequired.
Caution:
Whenyouexceedtheallocatednumberofpasswordentries,youmustcreateanew
passwordfile.Toavoidthisnecessity,allocateanumberofentriesthatislargerthanyou
thinkyouwilleverneed.
FORCE
Thisargument,ifsetto Y ,enablesyoutooverwriteanexistingpasswordfile.Anerrorisreturnedifa
passwordfileofthesamenamealreadyexistsandthisargumentisomittedorsetto N .
IGNORECASE
Ifthisargumentissetto y ,passwordsarecaseinsensitive.Thatis,caseisignoredwhencomparing
thepasswordthattheusersuppliesduringloginwiththepasswordinthepasswordfile.
SeeAlso:
OracleDatabaseSecurityGuide(../../network.111/b28531/toc.htm)formoreinformationaboutcase
sensitivityinpasswords.
()()
SettingREMOTE_LOGIN_PASSWORDFILE()
()()()
()Inadditiontocreatingthepasswordfile,youmustalsosettheinitializationparameter
REMOTE_LOGIN_PASSWORDFILE totheappropriatevalue.Thevaluesrecognizedare:
doesnotexist.Thatis,noprivilegedconnectionsareallowedovernonsecureconnections.
EXCLUSIVE :(Thedefault)An EXCLUSIVE passwordfilecanbeusedwithonlyoneinstanceofone
Note:
Youcannotchangethepasswordfor SYS if REMOTE_LOGIN_PASSWORDFILE issetto
SHARED .Anerrormessageisissuedifyouattempttodoso.
()()
()()AddingUserstoaPasswordFile()()
Whenyougrant SYSDBA or SYSOPER privilegestoauser,thatuser'snameandprivilegeinformation
areaddedtothepasswordfile.Iftheserverdoesnothavean EXCLUSIVE passwordfile(thatis,ifthe
initializationparameter REMOTE_LOGIN_PASSWORDFILE is NONE or SHARED ,orthepasswordfileis
missing),OracleDatabaseissuesanerrorifyouattempttogranttheseprivileges.
Auser'snameremainsinthepasswordfileonlyaslongasthatuserhasatleastoneofthesetwo
privileges.Ifyourevokebothoftheseprivileges,OracleDatabaseremovestheuserfromthepassword
file.
()CreatingaPasswordFileandAddingNewUserstoIt
Usethefollowingproceduretocreateapasswordandaddnewuserstoit:
1. Followtheinstructionsforcreatingapasswordfileasexplainedin"UsingORAPWD".
2. Setthe REMOTE_LOGIN_PASSWORDFILE initializationparameterto EXCLUSIVE .(Thisisthedefault.)
Note:
REMOTE_LOGIN_PASSWORDFILE isastaticinitializationparameterandthereforecannot
bechangedwithoutrestartingthedatabase.
4. Startuptheinstanceandcreatethedatabaseifnecessary,ormountandopenanexistingdatabase.
5. Createusersasnecessary.Grant SYSDBA or SYSOPER privilegestoyourselfandotherusersas
appropriate.See"GrantingandRevokingSYSDBAandSYSOPERPrivileges",laterinthissection.
()()
GrantingandRevokingSYSDBAandSYSOPERPrivileges
Ifyourserverisusingan EXCLUSIVE passwordfile,usethe GRANT statementtograntthe SYSDBA or
SYSOPER systemprivilegetoauser,asshowninthefollowingexample:()()()()
GRANTSYSDBATOoe
SeeAlso:
OracleDatabaseSecurityGuide(../../network.111/b28531/authorization.htm#DBSEG004)formore
informationonsystemprivileges
()
()
ViewingPasswordFileMembers
()()()()Usethe V$PWFILE_USERS viewtoseetheuserswhohavebeengranted SYSDBA or SYSOPER
systemprivilegesforadatabase.Thecolumnsdisplayedbythisviewareasfollows:
Column
Description
USERNAME
Thiscolumncontainsthenameoftheuserthatisrecognizedbythepasswordfile.
SYSDBA
SYSOPER
()()
MaintainingaPasswordFile
Thissectiondescribeshowto:
Expandthenumberofpasswordfileusersifthepasswordfilebecomesfull
Removethepasswordfile
()
()
ExpandingtheNumberofPasswordFileUsers
Ifyoureceivethefilefullerror( ORA1996 )whenyoutrytogrant SYSDBA or SYSOPER system
privilegestoauser,youmustcreatealargerpasswordfileandregranttheprivilegestotheusers.
()ReplacingaPasswordFile
Usethefollowingproceduretoreplaceapasswordfile:
()
()
RemovingaPasswordFile
()Ifyoudeterminethatyounolongerrequireapasswordfiletoauthenticateusers,youcandeletethe
(http://www.oracle.com/us/legal/index.html)
ContactUs (http://www.oracle.com/us/corporate/contact/index.html)
TermsofUse(http://www.oracle.com/us/legal/terms/index.html)
(http://www.oracle.com/us/legal/privacy/index.html)
Copyright2014,Oracleand/oritsaffiliates.Allrightsreserved.
LegalNotices
YourPrivacyRights
AboutOracle(http://www.oracle.com/corporate/index.html)