Password Files

Lesson 6: The REMOTE_LOGIN_PASSWORDFILE parameter
Objective: Configure your database to use a password file.

Configure your Database to use Password File

Once you have created a password file, you need to tell Oracle to use it. You do this by placing the following line in your database initialization file:
REMOTE_LOGIN_PASSWORDFILE = EXCLUSIVE

The exclusive setting tells Oracle that your instance is the only one accessing the password file. There is also a shared option that allows multiple instances to share one password file. Of course, you must stop and restart the instance in order for the initialization file to be reread and for this change to take effect.
Now that you know how to run ORADIM and how to properly set the REMOTE_LOGIN_PASSWORDFILE parameter, you can create a password file for your database.

Authenticating Database Administrators by Using Their Passwords

Oracle Database uses database-specific password files to keep track of database user names that have been granted the SYSDBA and SYSOPER privileges. These privileges enable the following activities:
  1. The SYSOPER system privilege lets database administrators perform STARTUP, SHUTDOWN, ALTER DATABASE OPEN/MOUNT, ALTER DATABASE BACKUP, ARCHIVE LOG, and RECOVER operations. SYSOPER also includes the RESTRICTED SESSION privilege.
  2. The SYSDBA system privilege has all system privileges with ADMIN OPTION, including the SYSOPER system privilege, and permits CREATE DATABASE and time-based recovery.

A password file containing users with SYSDBA or SYSOPER privileges can be shared between different databases. You can have a shared password file that contains users in addition to the SYS user. To share a password file among different databases, set the REMOTE_LOGIN_PASSWORDFILE parameter in the init.ora file to SHARED.

Password file-based authentication is enabled by default. This means that the database is ready to use a password file for authenticating users that have SYSDBA or SYSOPER system privileges. Password file-based authentication is activated as soon as you create a password file using the ORAPWD utility.

Anyone who has EXECUTE privileges and write privileges to the $ORACLE_HOME/dbs directory can run the ORAPWD utility.

However, be aware that using password files may pose security risks. For this reason, consider using the authentication methods described in "Strong Authentication and Centralized Management for Database Administrators".

Examples of password security risks are as follows:
  1. An intruder could steal or attack the password file.
  2. Many users do not change the default password.
  3. The password could be easily guessed.
  4. The password is vulnerable if it can be found in a dictionary.
  5. Passwords that are too short, chosen perhaps for ease of typing, are vulnerable if an intruder obtains the cryptographic hash of the password.
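
An added example, not part of the original lesson or of Oracle's tooling: a Python check that reads the REMOTE_LOGIN_PASSWORDFILE setting from initialization-file text and inspects the permissions on the password file, since theft of that file is the first risk listed above. The file name orapwCOIN, the sample init.ora text and the permission policy are assumptions made for the example.

```python
import os
import re
import stat
import tempfile

# Matches "REMOTE_LOGIN_PASSWORDFILE = value", with optional "*." prefix and quotes.
PARAM = re.compile(
    r"^(?:\*\.)?remote_login_passwordfile\s*=\s*['\"]?(\w+)['\"]?$", re.IGNORECASE)

def passwordfile_setting(init_text):
    """Return the REMOTE_LOGIN_PASSWORDFILE value from init.ora text, or None."""
    value = None
    for raw in init_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        match = PARAM.match(line)
        if match:
            value = match.group(1).upper()    # repeated parameter: last one wins
    return value

def audit(init_text, pwfile_path):
    """Return (setting, findings) for one instance's parameter and password file."""
    setting = passwordfile_setting(init_text)
    findings = []
    if setting is None:
        findings.append("parameter not set in this file")
    elif setting not in ("NONE", "EXCLUSIVE", "SHARED"):
        findings.append(f"unrecognised value {setting}")
    elif setting == "SHARED":
        findings.append("SHARED: password file may be shared with other databases")
    if setting in ("EXCLUSIVE", "SHARED"):
        if not os.path.isfile(pwfile_path):
            findings.append("password file not found")
        else:
            mode = stat.S_IMODE(os.stat(pwfile_path).st_mode)
            # Assumed policy: no access for "other", no write for group.
            if mode & (stat.S_IRWXO | stat.S_IWGRP):
                findings.append(f"password file mode {mode:04o} is too permissive")
    return setting, findings

if __name__ == "__main__":
    # Constructed sample: an init.ora fragment and a stand-in password file.
    sample = "db_name = COIN\nREMOTE_LOGIN_PASSWORDFILE = EXCLUSIVE  # use orapwCOIN\n"
    with tempfile.TemporaryDirectory() as dbs:
        pwfile = os.path.join(dbs, "orapwCOIN")   # assumed Unix name orapw<SID>
        open(pwfile, "wb").close()
        os.chmod(pwfile, 0o644)
        print(audit(sample, pwfile))              # one finding: mode 0644
        os.chmod(pwfile, 0o600)
        print(audit(sample, pwfile))              # no findings
```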

Remote Login Password File - Exercise

Take this exercise to create a password file for the COIN database.