Lesson 4	Placing and naming the password file
Objective	Determine the proper location and name for a password file in Oracle 23ai

Oracle Password File Location and Naming (Linux, Windows, and ASM)

The proper name and location for a password file is specific to the operating system. There are some slight differences between Windows and Linux and Unix, and there may be differences for other operating systems as well. Oracle must be able to find the password file automatically when the instance starts — if the file is named incorrectly or placed in the wrong directory, Oracle treats the situation as if no password file exists and remote privileged connections will fail.
Before creating a password file with orapwd, two questions must be answered: where does the file need to be placed, and what must it be named? This lesson covers both questions for all supported platforms in Oracle 19c and 23ai, including Oracle ASM-based deployments.

Platform-Specific Naming Conventions

Oracle password file naming follows a strict convention on each platform. The convention is derived from the Oracle SID — the system identifier that uniquely names the database instance on the server. The ORACLE_SID environment variable must be set correctly before running orapwd, as the utility uses it to resolve the correct filename when only a directory path is provided.

Linux and Unix

On Linux and Unix systems, the password file must be named using the following pattern, with no file extension:

orapw<SID>

For a database with SID ORCL, the correct filename is orapwORCL. The SID is case-sensitive on Linux — orapwORCL and orapworcl are different files. Oracle searches for the uppercase form by default. The complete default path is:

$ORACLE_HOME/dbs/orapwORCL

Verify the correct Oracle Home is active before creating the file, especially on servers hosting multiple Oracle installations:

echo $ORACLE_HOME
echo $ORACLE_SID

Set them explicitly if needed:

export ORACLE_HOME=/u01/app/oracle/product/19.0.0/dbhome_1
export ORACLE_SID=ORCL

Windows

On Windows, the password file uses a different naming pattern and includes a file extension:

PWD<SID>.ora

For a database with SID ORCL, the correct filename is PWDORCL.ora. The complete default path is:

%ORACLE_HOME%\database\PWDORCL.ora

On Windows, verify the environment variables using:

ECHO %ORACLE_HOME%
ECHO %ORACLE_SID%

Windows environment variables for Oracle are typically set by the Oracle installer and stored in the Windows registry. If multiple Oracle homes are installed, use Oracle Home Selector or the ORACLE_HOME registry key to confirm which home is active.

Oracle ASM (12.2 and Later)

In Oracle 12.2 and later, the password file can be stored in an Oracle Automatic Storage Management disk group instead of the local file system. This is the recommended approach for Oracle Real Application Clusters environments because it makes the password file accessible to all RAC nodes through the ASM infrastructure without manual synchronization.

The ASM path follows this pattern:

+<DISKGROUP>/orapw<SID>

For a database with SID ORCL using a disk group named DATA:

+DATA/orapwORCL

To create a password file directly in ASM, pass the ASM path to orapwd:

orapwd FILE='+DATA/orapwORCL' ENTRIES=10 FORMAT=12

The ASM instance must be running and the disk group must be mounted before this command can succeed. The ORACLE_SID environment variable should point to the database SID, not the ASM SID, when running this command.

Platform Summary Table

Platform	Default Path	Default Filename	Example
Linux and Unix	`$ORACLE_HOME/dbs`	`orapw<SID>`	`orapwORCL`
Windows	`%ORACLE_HOME%\database`	`PWD<SID>.ora`	`PWDORCL.ora`
Oracle ASM (12.2+)	ASM disk group	`orapw<SID>`	`+DATA/orapwORCL`

How Oracle Locates the Password File at Startup

Search Order and the Alert Log

When the Oracle instance starts, it searches for the password file in the following order:

The ASM disk group specified by DB_CREATE_FILE_DEST if the database uses ASM storage.
The default OS-specific location — $ORACLE_HOME/dbs on Linux and Unix, or %ORACLE_HOME%\database on Windows.
Any path explicitly referenced by the ORACLE_SID environment variable.

If the password file is not found at the expected location, Oracle writes a message to the alert log specifying the exact filename and directory it searched. This is the most reliable diagnostic tool when remote SYSDBA connections fail immediately after database startup. To find the alert log location:

SELECT VALUE FROM V$DIAG_INFO WHERE NAME = 'Diag Trace';

The alert log entry will show something similar to:

WARNING: password file not found: /u01/app/oracle/product/19.0.0/dbhome_1/dbs/orapwORCL

This message tells you exactly which filename Oracle expected and where it looked — making the fix straightforward.

ORACLE_SID Environment Variable Dependency

The ORACLE_SID environment variable is critical to password file resolution. Oracle derives the expected password filename from the SID at startup. If ORACLE_SID is set to ORCL, Oracle looks for orapwORCL on Linux. If it is set to COIN, Oracle looks for orapwCOIN.

When running orapwd, confirm that ORACLE_SID matches the database you are creating the file for. A common mistake on servers with multiple databases is running orapwd while the environment is set for a different database, creating the file with the wrong SID in the name.

-- Verify SID before running orapwd (Linux)
echo "Creating password file for SID: $ORACLE_SID"
orapwd FILE=$ORACLE_HOME/dbs/orapw$ORACLE_SID ENTRIES=10 FORMAT=12

Using $ORACLE_SID as part of the FILE parameter prevents the filename mismatch error entirely.

Multiple Oracle Homes on the Same Server

When a server hosts multiple Oracle database installations — for example, Oracle 19c and Oracle 23ai running simultaneously — each installation has its own $ORACLE_HOME directory, and each $ORACLE_HOME/dbs directory is completely separate. The password file for each database must be in its own Oracle Home's dbs directory.

Placing a password file in the wrong Oracle Home is a common configuration error when upgrading databases or running multiple versions side by side. Always verify which Oracle Home is active before creating or modifying the password file:

-- Linux: check both variables
echo $ORACLE_HOME
echo $ORACLE_SID

-- Confirm the orapwd binary being used matches the correct Oracle Home
which orapwd

Verifying the Current Password File Configuration

Check REMOTE_LOGIN_PASSWORDFILE

The REMOTE_LOGIN_PASSWORDFILE initialization parameter confirms whether Oracle is configured to use the password file and in what mode. Check it from SQL*Plus connected as SYSDBA:

SHOW PARAMETER REMOTE_LOGIN_PASSWORDFILE;

The three recognized values are:

EXCLUSIVE - The password file is owned by one database instance and can be modified. This is the correct setting for single-instance databases and for the primary database in a Data Guard configuration. Multiple users can be added to the password file.
SHARED - The password file is shared across multiple databases or RAC instances but cannot be modified while this setting is active. In Oracle 12.2 and later, the ASM-based shared password file is the preferred approach for RAC, as it supports modification while remaining accessible to all nodes.
NONE - Oracle ignores the password file even if it exists on disk. Remote privileged connections are not permitted. This is the effective behavior when the parameter is set to EXCLUSIVE or SHARED but the password file is missing from the expected location.

Query V$PWFILE_USERS

The dynamic performance view V$PWFILE_USERS lists all users whose credentials are stored in the password file. If this view returns no rows, the password file is either missing, in the wrong location, or REMOTE_LOGIN_PASSWORDFILE is set to NONE:

SELECT USERNAME,
       SYSDBA,
       SYSOPER,
       SYSBACKUP,
       SYSDG,
       SYSKM
FROM   V$PWFILE_USERS
ORDER  BY USERNAME;

At minimum, SYS with SYSDBA=TRUE should appear. If the view returns no rows after creating the password file, verify the file is in the correct location with the correct name before investigating further.

An alternative query using V$PARAMETER confirms the parameter value at the instance level:

SELECT VALUE
FROM   V$PARAMETER
WHERE  NAME = 'remote_login_passwordfile';

Creating or Relocating the Password File

Standard orapwd Command

The complete orapwd command for Oracle 19c and 23ai on Linux, including all recommended parameters:

orapwd FILE=$ORACLE_HOME/dbs/orapwORCL ENTRIES=10 FORMAT=12

The utility prompts interactively for the SYS password when the PASSWORD argument is omitted — this is recommended practice to avoid password exposure in shell history. After creating the file, restrict its permissions:

chmod 600 $ORACLE_HOME/dbs/orapwORCL
chown oracle:oinstall $ORACLE_HOME/dbs/orapwORCL

The equivalent command on Windows:

orapwd FILE=%ORACLE_HOME%\database\PWDORCL.ora ENTRIES=10 FORMAT=12

ASM-Based Password File

For Oracle RAC environments using ASM in Oracle 12.2 and later, create the password file directly in the ASM disk group:

orapwd FILE='+DATA/orapwORCL' ENTRIES=10 FORMAT=12

To migrate an existing local password file to ASM using ASMCMD:

-- Copy from local filesystem to ASM disk group
asmcmd pwcopy --asm $ORACLE_HOME/dbs/orapwORCL +DATA/orapwORCL

After migrating to ASM, verify the file is accessible from all RAC nodes before removing the local copy.

Correcting a Misplaced Password File

If the password file was created with an incorrect name or placed in the wrong directory, the simplest fix is to recreate it using the correct parameters. Use FORCE=Y only if a file of the same name already exists and needs to be overwritten:

-- Recreate with correct name and location
orapwd FILE=$ORACLE_HOME/dbs/orapwORCL ENTRIES=10 FORMAT=12 FORCE=Y

Alternatively, rename or move the existing file to the correct location on Linux:

mv $ORACLE_HOME/dbs/orapworcl $ORACLE_HOME/dbs/orapwORCL

After correcting the location, restart the database and verify with V$PWFILE_USERS that the file is now recognized.

Oracle Wallet vs Password File - Understanding the Difference

The original version of this page referred to the Oracle password file as the "Oracle Wallet Password File" — this is incorrect. The Oracle password file and the Oracle Wallet are two separate mechanisms that serve different purposes and are stored in different locations.

Password File - SYSDBA Authentication

The Oracle password file (orapw<SID> on Linux, PWD<SID>.ora on Windows) contains encrypted credentials for users who have been granted SYSDBA, SYSOPER, or other Oracle 12c+ administrative privileges. Its purpose is to authenticate DBAs who connect over a network with administrative privileges, particularly when the database is not open. It is created with orapwd and controlled by REMOTE_LOGIN_PASSWORDFILE.

Oracle Wallet - TDE and Auto-Login

The Oracle Wallet is a PKCS#12 container (ewallet.p12) with an optional auto-login version (cwallet.sso). It stores X.509 certificates, private keys, trusted certificates, and encrypted credential entries. Its primary uses are:

Transparent Data Encryption (TDE) - the wallet stores the TDE master encryption key, which Oracle reads at startup to decrypt tablespace encryption keys.
SSL/TLS connections - the wallet stores the database server certificate and trusted CA certificates for encrypted Oracle Net connections.
External password store - the wallet can store database connection credentials so that applications can connect without embedding passwords in connection strings.

The wallet path is configured in sqlnet.ora:

WALLET_LOCATION =
 (SOURCE =
  (METHOD = FILE)
  (METHOD_DATA =
   (DIRECTORY = /u01/app/oracle/admin/ORCL/wallet)))

Note that sqlnet.ora timeout parameters such as SQLNET.INBOUND_CONNECT_TIMEOUT and SQLNET.RECV_TIMEOUT should also be set in this file to prevent connection hangs in network environments with intermittent connectivity.

When Both Are Used Together

A production Oracle 23ai database typically uses both mechanisms simultaneously and for completely different purposes. The password file handles remote SYSDBA authentication. The wallet handles TDE key storage and SSL/TLS certificate management. Neither replaces the other. If a database uses TDE and also allows remote DBA access, both the password file and the wallet must be present and correctly configured.

An auto-login wallet (cwallet.sso) enables Oracle to open the wallet automatically at startup without a manual wallet password — this is required for databases that use TDE and must start unattended, such as after a server reboot. The auto-login wallet does not affect password file authentication in any way.

[1] Oracle Wallet (cwallet.sso): In Oracle 23ai, the Oracle Wallet is a securely encrypted PKCS#12 container that stores certificates, private keys, and credential entries. The auto-login form (cwallet.sso) enables the database to access TDE encryption keys at startup without manual intervention. It is distinct from the Oracle password file (orapw<SID>), which handles SYSDBA and SYSOPER remote authentication.
In the next lesson, you will learn how to use the orapwd utility to create the password file, including the full syntax and all required parameters for Oracle 19c and 23ai deployments.