Oracle 口令文件：即 oracle密码文件

一：文件路径位置

[[email protected] db_1]$ cd $ORACLE_HOME/dbs
[[email protected] dbs]$ ls
dbsorapwPROD1   hc_orcl.dat   initneworcl.ora  initorcl.ora   lkNEWORCL  lkPROD1  orapwneworcl  spfileorcl.ora   tem.dbf
hc_neworcl.dat  hc_PROD1.dat  init.ora         initPROD1.ora  lkORCL     my.dbf   orapworcl     spfilePROD1.ora
[[email protected] dbs]$ pwd
/u01/app/oracle/product/11.2.0/db_1/dbs
[[email protected] dbs]$

 

 

 

二、口令文件的命名规则

 

orapw+sid
如：
orapworcl

 

三、口令文件存放的是sys

主要是存放管理用户的密码信息的

select *from v$pwfile_users;

[email protected]> select * from v$pwfile_users;

USERNAME                       SYSDB SYSOP SYSAS
------------------------------ ----- ----- -----
SYS                            TRUE  TRUE  FALSE

[email protected]>

 

 

四：实验操作

 

注： remote_login_passwordfile 是静态参数。修改了该值之后，数据库需要重启。

 

 

 

 

 

1）当remote_login_passwordfile  是 EXCLUSIVE

 

没有sqlnet.ora文件
   sqlplus sys/oracle as sysdba
    sqlplus / as sysdba
    sqlplus sys/[email protected] as sysdba
    以上均成功

   

 

  2）当remote_login_passwordfile是 EXCLUSIVE

[[email protected] dbs]$ clear

[[email protected] dbs]$ ls
dbsorapwPROD1   hc_orcl.dat   initneworcl.ora  initorcl.ora   lkNEWORCL  lkPROD1  orapwneworcl  spfileorcl.ora   tem.dbf
hc_neworcl.dat  hc_PROD1.dat  init.ora         initPROD1.ora  lkORCL     my.dbf   orapworcl     spfilePROD1.ora
[[email protected] dbs]$ cd ../network/
[[email protected] network]$ ls
admin  doc  install  jlib  lib  log  mesg  tools  trace
[[email protected] network]$ ca admin/
-bash: ca: command not found
[[email protected] network]$ ls
admin  doc  install  jlib  lib  log  mesg  tools  trace
[[email protected] network]$ cd admin/
[[email protected] admin]$ ls
listener.ora  samples  shrept.lst  sqlnet.ora  tnsnames.ora
[[email protected] admin]$ cat sqlnet.ora
ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=$ORACLE_BASE/admin/$ORACLE_SID/wallet/)))
[[email protected] admin]$ vi sqlnet.ora











ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=$ORACLE_BASE/admin/$ORACLE_SID/wallet/)))
SQLNET.AUTHENTICATION_SERVICES=none


~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
"sqlnet.ora" 4L, 152C written
[[email protected] admin]$ cat sqlnet.ora
ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=$ORACLE_BASE/admin/$ORACLE_SID/wallet/)))
SQLNET.AUTHENTICATION_SERVICES=none


[[email protected] admin]$ pwd
/u01/app/oracle/product/11.2.0/db_1/network/admin
[[email protected] admin]$

 

[[email protected] admin]$ rlwrap sqlplus / as sysdba;

SQL*Plus: Release 11.2.0.3.0 Production on Sat Jun 23 16:01:36 2018

Copyright (c) 1982, 2011, Oracle.  All rights reserved.

ERROR:
ORA-01031: insufficient privileges


Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied


Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied


SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
[[email protected] admin]$ rlwrap sqlplus sys/oracle as sysdba;

SQL*Plus: Release 11.2.0.3.0 Production on Sat Jun 23 16:02:40 2018

Copyright (c) 1982, 2011, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

[email protected]>

   

   3）当remote_login_passwordfile是 EXCLUSIVE

 

   sqlnet.ora文件参数     SQLNET.AUTHENTICATION_SERVICES=all

    sqlplus sys/oracle as sysdba  成功
   sqlplus / as sysdba           成功
   sqlplus sys/[email protected] as sysdba   不成功

 

   4）当remote_login_passwordfile是 none     没有sqlnet.ora文件

   

 

   sqlplus sys/oracle as sysdba  成功
   sqlplus / as sysdba           成功
   sqlplus sys/[email protected] as sysdba   不成功

 

 

  5）当remote_login_passwordfile是 none

 

 

   sqlnet.ora文件参数     SQLNET.AUTHENTICATION_SERVICES=none

   sqlplus sys/oracle as sysdba  不成功
   sqlplus / as sysdba           不成功
   sqlplus sys/[email protected] as sysdba   不成功

  

 

   6）当remote_login_passwordfile是 none

 

   sqlnet.ora文件参数     SQLNET.AUTHENTICATION_SERVICES=all

    sqlplus sys/oracle as sysdba  成功
   sqlplus / as sysdba           成功
   sqlplus sys/[email protected] as sysdba   不成功

 

五、创建口令文件

 

 

 orapwd file=口令文件名称 password=用户密码

 

Creating a Password File with ORAPWD

The syntax of the ORAPWD command is as follows:

Command arguments are summarized in the following table.

Argument	Description
FILE	Name to assign to the password file. You must supply a complete path. If you supply only a file name, the file is written to the current directory.
ENTRIES	(Optional) Maximum number of entries (user accounts) to permit in the file.
FORCE	(Optional) If y, permits overwriting an existing password file.
IGNORECASE	(Optional) If y, passwords are treated as case-insensitive.

 

There are no spaces permitted around the equal-to (=) character.

The command prompts for the SYS password and stores the password in the created password file.

Example

The following command creates a password file named orapworcl that allows up to 30 privileged users with different passwords.

 

Sharing and Disabling the Password File

You use the initialization parameter REMOTE_LOGIN_PASSWORDFILE to control whether a password file is shared among multiple Oracle Database instances. You can also use this parameter to disable password file authentication. The values recognized for REMOTE_LOGIN_PASSWORDFILE are:

• NONE: Setting this parameter to NONE causes Oracle Database to behave as if the password file does not exist. That is, no privileged connections are allowed over nonsecure connections.

• EXCLUSIVE: (The default) An EXCLUSIVE password file can be used with only one instance of one database. Only an EXCLUSIVE file can be modified. Using an EXCLUSIVE password file enables you to add, modify, and delete users. It also enables you to change the SYS password with the ALTER USER command.

• SHARED: A SHARED password file can be used by multiple databases running on the same server, or multiple instances of an Oracle Real Application Clusters (Oracle RAC) database. A SHARED password file cannot be modified. Therefore, you cannot add users to a SHARED password file. Any attempt to do so or to change the password of SYS or other users with the SYSDBA or SYSOPER privileges generates an error. All users needing SYSDBA or SYSOPERsystem privileges must be added to the password file when REMOTE_LOGIN_PASSWORDFILE is set to EXCLUSIVE. After all users are added, you can changeREMOTE_LOGIN_PASSWORDFILE to SHARED, and then share the file.

  This option is useful if you are administering multiple databases or an Oracle RAC database.

If REMOTE_LOGIN_PASSWORDFILE is set to EXCLUSIVE or SHARED and the password file is missing, this is equivalent to setting REMOTE_LOGIN_PASSWORDFILE to NONE.

Note:

You cannot change the password for SYS if REMOTE_LOGIN_PASSWORDFILE is set to SHARED. An error message is issued if you attempt to do so.

Keeping Administrator Passwords Synchronized with the Data Dictionary

If you change the REMOTE_LOGIN_PASSWORDFILE initialization parameter from NONE to EXCLUSIVE or SHARED, or if you re-create the password file with a different SYSpassword, then you must ensure that the passwords in the data dictionary and password file for the SYS user are the same.

To synchronize the SYS passwords, use the ALTER USER statement to change the SYS password. The ALTER USER statement updates and synchronizes both the dictionary and password file passwords.

To synchronize the passwords for non-SYS users who log in using the SYSDBA or SYSOPER privilege, you must revoke and then regrant the privilege to the user, as follows:

1. Find all users who have been granted the SYSDBA privilege.

2. Revoke and then re-grant the SYSDBA privilege to these users.

3. Find all users who have been granted the SYSOPER privilege.

4. Revoke and regrant the SYSOPER privilege to these users.

 

Adding Users to a Password File

When you grant SYSDBA or SYSOPER privileges to a user, that user's name and privilege information are added to the password file. If the server does not have an EXCLUSIVE password file (that is, if the initialization parameter REMOTE_LOGIN_PASSWORDFILE is NONE or SHARED, or the password file is missing), Oracle Database issues an error if you attempt to grant these privileges.

A user's name remains in the password file only as long as that user has at least one of these two privileges. If you revoke both of these privileges, Oracle Database removes the user from the password file.

Creating a Password File and Adding New Users to It

Use the following procedure to create a password and add new users to it:

1. Follow the instructions for creating a password file as explained in "Creating a Password File with ORAPWD".

2. Set the REMOTE_LOGIN_PASSWORDFILE initialization parameter to EXCLUSIVE. (This is the default.)

   Note:

   REMOTE_LOGIN_PASSWORDFILE is a static initialization parameter and therefore cannot be changed without restarting the database.

3. Connect with SYSDBA privileges as shown in the following example, and enter the SYS password when prompted:

4. Start up the instance and create the database if necessary, or mount and open an existing database.

5. Create users as necessary. Grant SYSDBA or SYSOPER privileges to yourself and other users as appropriate. See "Granting and Revoking SYSDBA and SYSOPER Privileges", later in this section.