Depending
on whether you want to administer your database locally on the same machine on
which the database resides or to administer many different database servers
from a single remote client, you can choose either operating system or password
file authentication to authenticate database administrators:
•
If
the database has a password file and you have been granted the SYSDBA or
SYSOPER system privilege, then you can be authenticated by a password file.
•
If
the server is not using a password file, or if you have not been granted SYSDBA
or SYSOPER privileges and are, therefore, not in the password file, you can use
operating system authentication. On most operating systems, authentication for
database administrators involves placing the operating system username of the
database administrator in a special group, generically referred to as OSDBA.
Users in that group are granted SYSDBA privileges. A similar group, OSOPER, is
used to grant SYSOPER privileges to users.
•
Operating
system authentication takes precedence over password file authentication.
Specifically, if you are a member of the OSDBA or OSOPER group for the
operating system, and you connect as SYSDBA or SYSOPER, you will be connected
with associated administrative privileges regardless of the
username/password that you specify.
Re-Creating
a Password Authentication File
The Oracle
database provides a password utility, orapwd, to create a password file. When
you connect using the SYSDBA privilege, you are connecting as the SYS schema
and not the schema associated with your username. For SYSOPER, you are
connected to the PUBLIC schema. Access to the database using the password file
is provided by GRANT commands issued by privileged users.
Typically,
the password file is not included in backups because, in almost all situations,
it can be easily re-created.
It is
critically important to the security of your system that you protect your
password file and the environment variables that identify the location of the
password file. Any user with access to these could potentially compromise the
security of the connection.
You should
not remove or modify the password file if you have a database or instance
mounted using REMOTE_LOGIN_PASSWORDFILE=EXCLUSIVE or SHARED. If you do, you
will be unable to reconnect remotely using the password file.
Note: Passwords are case-sensitive, so
you must take that into consideration when recreating the password file.
Using a
Password File
The following
are the steps for re-creating the password file:
1. Create the password file by using the
password utility orapwd.
orapwd
file=filename password=password entries=max_users
where:
·
filename is the name of the password file
(mandatory).
·
password is the password for SYSOPER and
SYSDBA (mandatory).
·
Entries
is the maximum
number of distinct users allowed to connect as SYSDBA or SYSOPER. If you exceed
this number, you must create a new password file. It is safer to have a larger
number. There are no spaces around the “equal to” (=) character.
Example: orapwd file=$ORACLE_HOME/dbs/orapwOrcl password=admin
entries=5
2. Connect to the database by using the
password file created in step 1, and grant privileges as needed.
SQL> CONNECT sys/admin
AS SYSDBA
SQL> grant sysdba to
admin2;
Password
File Locations
UNIX: $ORACLE_HOME/dbs
Windows:
%ORACLE_HOME%\database
Maintaining
the Password File
Delete the
existing password file by using operating system commands, and create a new
password file by using the password utility.
