Password Files

Lesson 5: Creating the password file
Objective: Create a password file for the COIN database.

Creating Password File

Question: Which command is used to create a password file for an Oracle database?
In Oracle Database environments, the `orapwd` utility is the authoritative tool used for creating a password file. This password file stores credentials for users who are granted SYSDBA, SYSOPER, SYSASM, SYSBACKUP, or SYSDG privileges. Utilizing this utility effectively is crucial for enabling secure remote authentication and role-based management operations.

Syntax for Creating a Password File

Here is the general syntax for using the `orapwd` utility:
orapwd FILE=<password_file_path> PASSWORD=<sys_password> [OPTIONS]
  1. FILE: Specifies the complete path where the password file will be created. The standard naming convention is `orapw<SID>` for Unix/Linux systems.
  2. PASSWORD: Sets the password for the SYS user. You are generally prompted to enter this password unless you specify it explicitly in the command.

Optional Parameters:

  1. ENTRIES: Defines the maximum number of unique privileged users that can simultaneously connect to the database. The default is 30.
  2. FORCE: If set to `Y`, this option overwrites an existing password file. The default is `N`.
  3. IGNORECASE: If set to `Y`, passwords are treated as case-insensitive. This parameter is available in Oracle 11g and above.
  4. NOSYSDBA: If set to `Y`, the SYSDBA privilege is not granted to SYS, and you must specify another user with the SYSDBA privilege.

Example Usage

orapwd FILE=$ORACLE_HOME/dbs/orapw$ORACLE_SID PASSWORD=mysecretpassword ENTRIES=10 FORCE=Y

In this example:
  1. The password file will be located at `$ORACLE_HOME/dbs/orapw$ORACLE_SID`.
  2. The SYS password is set to `mysecretpassword`.
  3. The maximum number of distinct privileged users who can connect is set to 10.
  4. An existing password file will be overwritten due to the `FORCE=Y` option.

Important Security Considerations

  1. Ensure that the Oracle instance is shut down before creating or modifying the password file.
  2. The `orapwd` utility should be run by a user who has the necessary file system permissions to write to the directory where the password file resides.
  3. After creating the password file, set restrictive permissions on it to prevent unauthorized access.

Once the password file is successfully created, update your Oracle database initialization parameters (typically in `init.ora` or `spfile.ora`) to set `REMOTE_LOGIN_PASSWORDFILE` to either `EXCLUSIVE`, `SHARED`, or `NONE`, depending on your use case.
By adhering to these guidelines, you ensure the secure and effective management of privileged user authentication in Oracle Database environments.
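
As an added example (not part of the original lesson or any Oracle tooling), the shell functions below apply two of the points above: letting `orapwd` prompt for the SYS password instead of passing `PASSWORD=` on the command line, and checking that the password file has restrictive permissions. The 0640 policy, the function names, and the `/u01/app/oracle` paths and history lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: orapwd hygiene checks. Policy and sample data are assumptions.

# Create the file WITHOUT PASSWORD= so orapwd prompts for the SYS password
# and the secret never reaches `ps` output or shell history.
create_pwfile() {                      # $1 = e.g. $ORACLE_HOME/dbs/orapw$ORACLE_SID
    command -v orapwd >/dev/null 2>&1 || { echo "orapwd not in PATH" >&2; return 2; }
    ( umask 077 && orapwd FILE="$1" ENTRIES=10 ) || return 1
    chmod 640 "$1"                     # assumed policy: owner rw, group r, other none
}

# Succeeds only if $1 is a regular file with no group-write bit and no
# permission bits at all for "other" (i.e. 0640 or tighter).
pwfile_perms_ok() {
    [ -f "$1" ] || return 2
    loose=$(find "$1" \( -perm -020 -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    [ -z "$loose" ]
}

# Prints lines of history file $1 where orapwd was given an inline password.
# The keyword appears in both upper and lower case on the page, hence -i.
inline_password_uses() {
    grep -iE '(^|[[:space:]/])orapwd[[:space:]].*password=[^[:space:]]' "$1"
}

# Demo on constructed data: a fake password file and a fake shell history.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/orapwCOIN"; chmod 644 "$d/orapwCOIN"
    cat > "$d/history" <<'EOF'
orapwd FILE=/u01/app/oracle/dbs/orapwCOIN PASSWORD=Example_Only1 ENTRIES=10
orapwd file=/u01/app/oracle/dbs/orapwCOIN entries=10
/u01/app/oracle/bin/orapwd file=orapwCOIN password=Example_Only2 force=y
ls -l /u01/app/oracle/dbs/orapwCOIN
EOF
    pwfile_perms_ok "$d/orapwCOIN" && echo "perms: ok" || echo "perms: too loose"
    echo "inline passwords: $(inline_password_uses "$d/history" | wc -l | tr -d ' ')"
    rm -rf "$d"
}
demo
```

Any history line that `inline_password_uses` reports means the SYS password was exposed in cleartext and should be rotated.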

ORAPWD syntax

To create a password file, you use a very simple command-line utility named orapwd. You run orapwd from the operating system command prompt, and pass in three pieces of information as arguments to the command. The syntax for orapwd looks like this:

orapwd file=filename password=internal_password 
[entries=administrator_count]

filename is the path and filename for the password file that you want to create.
internal_password is the password for the INTERNAL user.
administrator_count is a number representing the maximum number of DBA users that you ever expect to have.

Take special note of the “=” characters in the syntax. orapwd requires that no spaces exist on either side of the “=” characters.

The Entries Parameter

The value for the entries parameter is used to size the password file. Each entry takes up a fixed amount of space. The file is then created large enough to accommodate the number of entries that you specify. This number represents the maximum number of users to whom you will be able to grant SYSDBA or SYSOPER privileges. Be generous with the number of users you allow for. Password files are not that big to begin with, so space is not an issue here. Strictly speaking, the entries parameter is optional, but under most circumstances you should use it. If you leave it off, the password file will only be large enough to hold passwords for the SYS and INTERNAL users, forcing all remote DBAs to share those passwords. That is not a very secure solution.
