Password Files

Lesson 2: Why password files?
Objective: Explain why password files are necessary.

Necessary Password Files

Connecting to an instance when the database is not open

Password files are necessary because Oracle needs a way to authenticate you when you are connecting over a network to a database that has not been opened. If you are connecting to an instance over a network, then you have not logged into the database server, and Oracle has no way to verify that you are who you say you are. It can check your password against those stored in the database, but that only works if the database is open. DBAs often need to connect to an instance when a database is not open. A good example is when you need to connect in order to start an instance. To get around this problem, DBA passwords are stored in the password file.

What is a password file?

Password files are not database files. A password file is a small, simple file that just contains the encrypted passwords of the DBAs. Because it is not a database file, Oracle can read it when the database is closed. This gives Oracle a way to authenticate you, and this is what enables you to use tools such as Oracle Enterprise Manager in a secure manner.
There are three steps to using a password file:
  1. Create the password file
  2. Configure your database to use the password file
  3. Identify the users that are DBAs
The rest of this module shows you how to perform these tasks.

Creating and Maintaining a Password File

You can create a password file using the password file creation utility, ORAPWD. For some operating systems, you can create this file as part of your standard installation.

Using ORAPWD

The syntax of the ORAPWD command is as follows:

    ORAPWD FILE=filename [ENTRIES=numusers]
    [FORCE={Y|N}] [IGNORECASE={Y|N}] [NOSYSDBA={Y|N}]

Command arguments are summarized in the following table.

Argument      Description
----------    -----------
FILE          Name to assign to the password file. See your operating system documentation for name requirements. You must supply a complete path. If you supply only a file name, the file is written to the current directory.
ENTRIES       (Optional) Maximum number of entries (user accounts) to permit in the file.
FORCE         (Optional) If y, permits overwriting an existing password file.
IGNORECASE    (Optional) If y, passwords are treated as case-insensitive.
NOSYSDBA      (Optional) For Data Vault installations. See the Data Vault installation guide for your platform for more information.

There are no spaces permitted around the equal-to (=) character. The command prompts for the SYS password and stores the password in the created password file.

Example

The following command creates a password file named orapworcl that allows up to 30 privileged users with different passwords.

    orapwd FILE=orapworcl ENTRIES=30
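
The rules above can be checked before orapwd is run. The following shell function is an added example, not code from the original page or from Oracle: it lints an argument list for spaces around =, a missing or relative FILE, a non-numeric ENTRIES, and the FORCE=Y and IGNORECASE=Y settings. The names lint_orapwd and flag, the message texts, and the sample path /u01/app/oracle/dbs/orapworcl are assumptions made for illustration, and only Unix-style paths are recognized as full paths.

```shell
#!/bin/sh
# Added example (not Oracle code): lint an orapwd argument list against the
# rules stated on this page. Assumes Unix-style paths. orapwd is never run.
findings=0
flag() { echo "$1"; findings=$((findings + 1)); }

# Prints one finding per line; returns 0 when clean, 1 otherwise.
lint_orapwd() {
    findings=0; file_seen=0
    for arg in "$@"; do
        # A space around '=' makes the shell split NAME=value into stray tokens.
        case "$arg" in
            =*|*=) bad=1 ;;
            *=*)   bad=0 ;;
            *)     bad=1 ;;
        esac
        if [ "$bad" -eq 1 ]; then
            flag "ERROR: malformed token '$arg' (no spaces around '=')"
            continue
        fi
        key=$(printf '%s' "${arg%%=*}" | tr '[:lower:]' '[:upper:]')
        val=${arg#*=}
        yn=$(printf '%s' "$val" | tr '[:lower:]' '[:upper:]')
        case "$key" in
            FILE)
                file_seen=1
                case "$val" in
                    /*) ;;
                    *) flag "WARN: FILE is not a full path; written to current directory" ;;
                esac ;;
            ENTRIES)
                case "$val" in
                    *[!0-9]*) flag "ERROR: ENTRIES must be a whole number" ;;
                esac ;;
            FORCE)
                if [ "$yn" = Y ]; then flag "WARN: FORCE=Y overwrites an existing password file"; fi ;;
            IGNORECASE)
                if [ "$yn" = Y ]; then flag "WARN: IGNORECASE=Y makes passwords case-insensitive"; fi ;;
            NOSYSDBA) ;;
            *) flag "ERROR: $key is not in the syntax shown on this page" ;;
        esac
    done
    if [ "$file_seen" -eq 0 ]; then flag "ERROR: FILE is mandatory"; fi
    [ "$findings" -eq 0 ]
}

# Constructed sample invocations (the path is a placeholder).
lint_orapwd FILE=/u01/app/oracle/dbs/orapworcl ENTRIES=30 || true
lint_orapwd FILE=orapworcl ENTRIES=30 IGNORECASE=y FORCE=Y || true
```

The second sample call is the page's own example with IGNORECASE and FORCE added; it yields three warnings, including the one for the relative FILE name.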

ORAPWD Command Line Argument Descriptions

The following sections describe the ORAPWD command line arguments.

FILE

This argument sets the name of the password file being created. You must specify the full path name for the file. If you supply only a file name, the file is written to the current directory. The contents of this file are encrypted, and the file cannot be read directly. This argument is mandatory.
The types of filenames allowed for the password file are operating system specific. Some operating systems require the password file to adhere to a specific format and be located in a specific directory. Other operating systems allow the use of environment variables to specify the name and location of the password file. For name and location information for the Unix and Linux operating systems, see Administrator's Reference for UNIX-Based Operating Systems. For Windows, see Platform Guide for Microsoft Windows. For other operating systems, see your operating system documentation. If you are running multiple instances of Oracle Database using Oracle Real Application Clusters, the environment variable for each instance should point to the same password file.