About password file

Hai,
Here i am facing one problem. I put remote_login_passwordfile = exclusive in init<sid>.ora.
It means it has to use password file.
But how come i could connect to internal with out using password.
$ svrmgrl
Oracle Server Manager Release 3.1.6.0.0 - Production
Copyright (c) 1997, 1999, Oracle Corporation. All Rights Reserved.
Oracle8i Release 8.1.6.0.0 - Production
JServer Release 8.1.6.0.0 - Production
SVRMGR> connect internal
Connected.
SVRMGR>
Even i put remote_login_passwordfile = none also i could connect internal with out using password.
What is the difference.
I read in oracle documentation that if we put remote_login_passwordfile = none it will use operating system authentication, if remote_login_passwordfile = exclusive then it will follow password file.
Please give me clear explanation please.
Waiting for reply,
Priya.
null

Setting REMOTE_LOGIN_PASSWORDFILE to NONE signifies that Oracle should ignore any password file. In such a scenario, the privileged users must be authenticated by the operating system. Setting the parameter to EXCLUSIVE signifies that the password file can be used by only one database. In your case it happens because the OS user has got the correct privileges. That is why you are able to connect as internal when this is set to None.

Similar Messages

Question about Password file

Good afternoon,
In the 2 Day DBA document it states:
>
When you invoke DBCA as part of the Oracle Database installation process, DBCA
creates a password file with one entry: the SYS user.
>
I created the database using DBCA and, it must have created a password file for me since I am able to log in remotely to the database.
The question is: I cannot locate the password file DBCA created, I don't know what its name is. Can someone provide me with the name DBCA uses for the password file ?
Thank you very much for helping,
John.

Hello SB,
>
post proof
>
I don't know if this qualifies as "proof" but... from the 2 Day DBA document distributed by Oracle, page 6-9:
>
When you invoke DBCA as part of the Oracle Database installation process, DBCA
creates a password file with one entry: the SYS user. Granting SYSDBA to a user adds
that user to the password file automatically.
>
I have no reason to doubt that statement. ;)
>
for some/many/most Oracle versions which you decided we did not need to know yours the file resides in
$ORACLE_HOME/dbs
>
I didn't decide you didn't need to know. I forgot to mention I am using Windows. As far as the Oracle version, since I used to constantly forget, I made the version part of my user name 11gR2, I can see how that can be easily overlooked.
Thank you for your help,
John.

Password file

can you?please to give me information about password file
or documentations ?

Hi, please review the next links for more information about the password files.
http://download.oracle.com/docs/cd/B19306_01/server.102/b14196/storage001.htm#sthref333
http://download.oracle.com/docs/cd/B19306_01/server.102/b14231/dba.htm#sthref157
http://download.oracle.com/docs/cd/B19306_01/server.102/b14231/dba.htm#sthref189
Regards.

About passwd file !!!!!!!!!

Dear Friends ,
I m confused about password file . Plz tell me , where contain SYS user password and other oracle user's passwd ?
Both are stored in the passwd file ?
My anotehr question , I know the "remote_login_passwordfile " parameter file are three types . NONE , Shared and Exclusive . I m not clear about this three types of options . Can u plz tell me the difference between them , so that I understand clearly .

+The [exclusive] password file can contain SYS as well as non-SYS users.+
Sorry to be picky, but the wording on that leaves a little bit to be desired.
A password file is only ever used for external authentication of privileged users, with "a privilged user" being defined as someone who can perform the five main classes of privileged action (startup, shutdown, backup, recover and create database). In fact, there is only ever one privileged user in this respect: SYS. Log on, for example, as fred/smith as sysdba in SQL*Plus and then do a show user and you will find you have been logged on as SYS. It doesn't matter what user names you supply (assuming they're valid usernames at all, of course), and you will find yourself always logged on as SYS.
So, you are right: 'grant sysdba to fred' causes fred's data dictionary credentials to be transferred to an exclusive password file, and that password file therefore must be said to contain 'non-SYS' users. But the minute Fred uses the fact that he has an entry in the password file to log on to the database as a privileged user, he will connect as SYS. He'll only connect as Fred if he doesn't use the 'as sysdba' clause of the logon command and therefore uses the internal authentication mechanism which is the data dictionary.
What you wrote isn't wrong, therefore, but it's potentially misleading, I think. It's also out-of-date, because it's not true for 10g... but see below for that.
I would have said:
1. The normal way to authenticate normal users of a database is to look up their details in a bunch of tables contained within the database itself (SYS.USER$, for example). This is called Data Dictionary Authentication, and the connection string would look like connect fred/smith
2. If you want to be authenticated as a user who is allowed to startup the database, however, it's not very helpful to discover that the only way of authenticating users is to look at tables inside the database you're trying to start up! There has to be an external authentication mechanism, allowing authentication of users even when the database hasn't even been created yet
3. In fact, there are two external authentication mechanisms: either you, the user of the operating system, can have membership of a special operating system group (dba on Unix, usually; ORA_DBA on Windows, usually). Or, a password file is created, using an Oracle tool that runs whether a database exists or not, called orapwd. These are called OS Authentication or Password File Authentication
4. No matter which external authentication mechanism you make use of, you will always end up logged on as SYS.
5. To indicate you want to use an external authentication mechanism, of either type, you add the as sysdba keywords to the standard logon string. Seeing that, Oracle will always check the operating system groups first to see if your OS account has group membership; if it fails there, then it looks for a password file, unless REMOTE_LOGIN_PASSWORDFILE=NONE (in which case, it doesn't bother looking for a file you've declared doesn't exist)
6. Password files, if they exist, can be SHARED (one per server, and all databases on that server can use it) or EXCLUSIVE (one per database, and not shareable) -but see below for more recent information about this. The principle difference these days between the two types is that the SYS password cannot be changed if the file is SHARED (and neither can any other of its contents), but can be if it's EXCLUSIVE.
7. If your password file is EXCLUSIVE, it must live in ORACLE_HOME/dbs (or ORACLE_HOME\database on Windows) and have a name that conforms to the OS-platform-specific default. On Windows, for example, that is pwdXXXX.ora, where XXXX is the ORACLE_SID.
I don't want to confuse anyone, either, but in fact the story has changed a bit with 10g, because EXCLUSIVE is no longer documented as a valid value for REMOTE_LOGIN_PASSWORDFILE. See http://download.oracle.com/docs/cd/B19306_01/server.102/b14237/initparams179.htm#REFRN10184. It's still supported for backwards compatibility, and it's in fact still the default, but allegedly -according to that document- an EXCLUSIVE password file behaves exactly like a SHARED one. That is sort-of true, in the sense that it's now possible for a SHARED file to contain details of users who aren't called SYS. However, it's still impossible to add a non-SYS user into a password file which is in SHARED mode (so, in a sense, setting SHARED locks the password file from any modification -including changing SYS's password).
But you can now do this for example:
set R_P_L=EXCLUSIVE
grant sysdba to scott;
set R_P_L=SHARED
bounce instance
show parameter remote_login -> proves the password file in use is SHARED
select * from v$pwfile_users; -> both SYS and SCOTT will be listed, even though the password file is SHARED
grant sysdba to fred; -> This will produce an ORA-01999: password file cannot be updated in SHARED mode error
In earlier versions of Oracle, that demo would have failed at step 3, because the existence of SCOTT in the password file would have prevented the file from becoming a SHARED one.

Password file usage

hpux 11.23
ora 10.2.0.2
I have a question about the password file. I've been doing a lot of searching, but haven't really found my answer.
I have my primary and my standby database, which I created the password file when I built the standby.
Is the password set to the sys user, synched up to the password in the file? All of the sudden I am getting heartbeat errors for this connection.
says invalid user/password.
If I recall right, the db has to be shut down to regenerate password files, correct? Is there any way to force these to resync without shutting down?
Thanks.

You dont need to do anything ..
If you change the password through SQL command your pasword file gets update automatically....
The reason for your issue could be the STANDBY sys password might have been changed..
Both the SYS password has to be same

What does it mean exactly when the file quarantine feature warns you about unsafe file types?

It says here http://support.apple.com/kb/HT3662 that "when you open a potentially unsafe file in Finder, Spotlight, or from the Dock, the file quarantine feature will warn you about unsafe file types. If you open a quarantined file, you will receive an alert asking, "Are you sure you want to open it?" You should click Cancel if you have any doubts about its safety."
Am I correct in thinking that when this ^ appears on the screen, it means the file you're trying to open is unsafe but not totally harmful to the Mac? Which means you can still open it and it won't be much of a problem?

If you know that you went to web site shown and downloaded the file shown at the date & time shown, then it's most probably exactly what you think it is. If a panel pops up for some software that should NOT have been downloaded -- as in a file that's part of the operating system -- then all sorts of alarms should go off. This is a classic technique for password grabbers -- you open something like Software Update and are completely expecting to have to type in the username and password of an account with Administrator priviledges, but if it is some nefarious program that you somehow downloaded and has substituted itself in the place of Software Update, then who knows where your password and username are going to get sent off to! If you got a panel like that and it said "Software Update" is an application downloaded from the internet. Or "Mail" is an application downloaded from the internet. Or "TextEdit". Big alarms!!!
This is why when you are downloading software you should type in urls directly, or click on them from a search page rather than some random link in an email/ad/etc. If I type get.adobe.com/flashplayer into the url bar on the browser then I know that I really went to adobe's web site and got the real flashplayer (unless something is REALLY wrong!). When you click on some link it might be going to anyplace at all -- including places that you don't want to go! This panel gives you one last chance to double-check that the file you are opening is what you think it is and it came from where you think it came from.

How to create a password file?

Dear buddies,
I tried these steps but getting error.
Please advice on how should I go about it.
in my pfile: REMOTE_LOGIN_PASSWORDFILE = shared
C:\Documents and Settings\administrator>orapwd file=D:\oracle\admin\u
at password=mydba
OPW-00001: Unable to open password-file
C:\Documents and Settings\administrator>orapwd file='D:\oracle\admin\
uat' password=mydba
OPW-00001: Unable to open password-fileWhere am I making a mistake?
Thanks.
Nith
Edited by: user645399 on Dec 16, 2010 4:33 PM
Edited by: user645399 on Dec 16, 2010 4:37 PM
Edited by: user645399 on Dec 16, 2010 4:37 PM
Edited by: user645399 on Dec 16, 2010 4:37 PM

Dear oradba,
I tried but it failed:
SQL> $orapwd file='D:\oracle\admin\uat\pwdfile' password=mydba
OPW-00001: Unable to open password-file
SQL>and also this
SQL> $orapwd file='D:\oracle\admin\uat\pwdfile.txt' password=possedba
OPW-00001: Unable to open password-fileThanks.
Nith
Edited by: user645399 on Dec 16, 2010 4:45 PM

Decrypt Password File

Evening. I am totally new to security. after hours of reading about keys and de-enCryption I created this experiment class, that most is copy&paste from sun. All I need is a class that in a simple way decrypt an password file.
Am I even close to the best solution? Code below has two errors, both says "cant find symbol" when mouse over in NetBeans.
public class EnDeCrypt {
   static byte[] encodedAlgParams;
    public static KeyPair myKey()throws Exception{
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("PBE");
        keyPairGenerator.initialize(1024);
        KeyPair keyPair = keyPairGenerator.genKeyPair();
        return keyPair;
    public static void enCrypt() throws Exception{
        try {
            Cipher c = Cipher.getInstance("PBEWithMD5AndDES");
            c.init(Cipher.ENCRYPT_MODE, myKey()); // *1* <---mouse over c.init says "cant find symbol"
            byte[] cipherText = c.doFinal(text.getBytes());
            AlgorithmParameters algParams = c.getParameters();
            encodedAlgParams = algParams.getEncoded();
            } catch (NoSuchAlgorithmException ex) {
            Logger.getLogger(EnDeCrypt.class.getName()).log(Level.SEVERE, null, ex);
            } catch (NoSuchPaddingException ex) {
            Logger.getLogger(EnDeCrypt.class.getName()).log(Level.SEVERE, null, ex);
    public static void deCrypt(String text) throws Exception {
        AlgorithmParameters algParams;
        algParams = AlgorithmParameters.getInstance("PBEWithMD5AndDES");
        algParams.init(encodedAlgParams);
        Cipher c = Cipher.getInstance("PBEWithMD5AndDES");
        c.init(Cipher.DECRYPT_MODE, myKey, algParams);// *2*<-- mouse over myKey() says, "cant find this symbol"
{code}

MagnusT76 wrote:
As i mention before this is new for me. Obviously.
I used the code below. Which simply hashes a password+salt, checks the hash against what is expected and then stores it. No 'decryption' involved.
And when I open the password file it shows alot of numbers and letters.And what makes you believe that these 'numbers and letters' in any way represent the 'decrypted' password?
>
public void storePassword(String password){
String hashed = BCrypt.hashpw(password, BCrypt.gensalt());
if (BCrypt.checkpw(password, hashed)){
FileHandler.setPasswd(hashed);
} else {
        failLogin("Error saving you password");
}Stop guessing. Start reading. Expect to find that you can't 'decrypt' the hashed passwords.
Bye

ORA-01017 error and re-create password file? seek advices.

I used TOAD 9.5 to log in one Oracle 10g database with sys/password as sysdba. It worked fine always. However, today I tried to log in again and come across the ORA-01017 error. Invalid username/password. Then I went to windows server command line to log in as conn / as sysdba and also log in conn sys/password@sid as sysdba, I all logged in successfully. I checked the password file is in $oracle_home\database\. I logged in as normal user successfully.
My question is: what caused this ORA-error? how to fix it? Is it necessary for me to re-create password file to fix this? Or there is other options? Thanks.

First though is double check make sure you have no typo when inputting username/password,
ORA-01017 is very specific error about wrong password, if you have problem with passwordfile you would likely to get ORA-01031: insufficient privileges
You can change your sys password using alter user statement, Oracle will sync the password file.

Password file authentication confusion

Dear experts,
I am a beginner (I'll keep stating this till I gain some knowledge about Oracle). I have database on Linux server. Currently the sysdba is OS Authenticated, so I can just do
SQL> conn /as sysdba
connectedI wanted to try the password file authentication also, so I did the following:
a) changed parameter remote_login_passwordfile to EXCLUSIVE
b) created password file using: orapwd file=orapwPROD password=testDBA entries=5
c) created one user pwFileDBA
d) grant sysdba to pwFileDBA
e) checked v$pwfile_users and found entry for pwfileDBA user
USERNAME                       SYSDB SYSOP
SYS                               TRUE TRUE
PWFILEDBA                         TRUE TRUENow When I tried to login as:
SQL> conn pwfileDBA/testDBA as sysdba
connectedI am happy it worked :). Now I tried
SQL> conn pwfileDBA/<some junk password> as sysdba
connectedThis also worked :(
I have no clue now, if password file authentication is enabled or not. Can anyone share if I am doing something wrong? How to test this?
Thanks
oraNeel.

Hi Maxim,
1. conn sys/testDBA@your_tns_alias as sysdba - this also says "insufficient privileges"
2.
-bash-3.2$ ps -ef|grep pmon
oracledb 9410     1 0 Dec13 ?        00:00:00 ora_pmon_PROD
oracledb 11415 11320 0 07:13 pts/1    00:00:00 grep pmon3. ls -la $ORACLE_HOME/dbs
-bash-3.2$ ls -la
total 14928
drwxr-x--- 2 oracledb dba     4096 Dec 13 22:27 .
drwxr-xr-x 66 oracledb dba     4096 Oct 22 11:32 ..
-rw-rw-r-- 1 oracledb dba        0 Oct 22 11:33 PROD_oradb_ifile.ora
-rw-rw---- 1 oracledb dba     1544 Oct 20 11:34 hc_PROD.dat
-rw-rw-r-- 1 oracledb dba    19028 Oct 21 14:57 initPROD_bak.ora
-rw-r--r-- 1 oracledb dba    23584 Oct 22 11:33 initPROD_noaq.ora
-rw-r--r-- 1 oracledb dba    23576 Oct 27 13:29 initPROD.ora
-rw-rw-r-- 1 oracledb dba    19028 Oct 21 14:55 initPROD.ora.21Oct
-rw-r--r-- 1 oracledb dba    12920 May 3 2001 initdw.ora
-rw-r----- 1 oracledb dba     8385 Sep 11 1998 init.ora
-rw-rw---- 1 oracledb dba       24 Oct 20 11:34 lkPROD
-rw-rw---- 1 oracledb dba       24 Oct 21 15:22 lkPROD
-rw-r----- 1 oracledb dba     2048 Dec 13 22:31 orapwPROD
-rw------- 1 oracledb dba 15122432 Dec 1 18:39 snapcf_PROD.fBest Regards,
Neel

Password file users issue... RAC help please...

Hi guys,
i have a two node rac database installed on my laptop.. 11gr2.
in rac a database will be accessed by more than once instance correct....
here i have two instance myinst1 and myinst2.
here if we add a user in any one of the instances (say myinst1).. using that user account. the user can connect to either the myinst1 and myinst2.... correct....
say now i grant the user i just created with the SYSDBA and SYSOPER privileges.. (user created on myinst1).
now i can connect to both of the instance using the following syntax as a sysdba..
connect user/password@servicename as sysdba
now here comes the best part..
oracle states that once the user is given either the sysdba or sysoper it will be updated in the password file...
now as i have created the user in the myinst1 instance and granted the privileges there... the password file at the node myinst1 shows the details of the user in the V$PWFILE_USERS views. where as the other instance myinst2 V$PWFILE_USERS does nt have the user...
can any one tell me why is this happening... do i have to explictly grant the SYSDBA privilege on all the instances once if i want to grant a user with the sysdba or sysoper privilege...

Surely there is more than this? I have always believed that the only valid configuration of a Password File in RAC is for a single file to be shared by all instances - by putting it on a shared file system or multipathed raw volume (like the database files), with a Unix symbolic link or init.ora SPFILE reference on each node. I have seen documentation that people have stored a database password file in ASM (SPFILE=+XYZ...) and even on NFS and CIFS.
SYSDBA and SYSOPER access uses the password file of course and it is effectively part of the database, and to me it seems reasonable to expect that an instance will only update the one Password File it knows aboutwhen SYSDBA/OPER access is added, removed or changed; so the consequences of having multiple copies for a single database may be expected to be bad. It was noted here that granting SYSDBA privilege on one node leads to inconsistency in that account's privileges across nodes. Maybe worse is that removing SYSDBA access from one node could leave SYSDBA access to other nodes/instances in place, in clusters where there are multiple local password files... this can be viewed as a very serious security defect, which one of our DBAs has demonstrated.
Now I have learned that Oracle's documentation does not actually give much advice about the configuration of Password Files for RAC; that while some people have done what I expected for years, some product guides suggest on the contrary that local copies should be created on each node; and even that Oracle may not support a single Password File on a shared device. Having Googled the web and scanned this forum quickly, I haven't found a resolution. I am stunned.
I am sure that, of all people, the RAC SIG will be able to advise on this authoritatively, so please do so. If it turns out that Oracle does not recommend or support the use of a single shared file (*),then I suggest there is a significant issue.
(*) Just to be clear, I am not refering to a SHARED password file, but to an EXCLUSIVE one that is on a shared storage volume accessed by every instance of the same RAC database. How Oracle behaves with a SHARED parameter setting may be another issue.

Secure clean up after editing password file

I would like to create my own password file using a spreadsheet editor (NeoOffice in my case).
My intent is to store the result on writeable CD or DVD (and for convenience possibly a USB flash drive and/or printed hardcopy).
I know that the act of viewing/editing any such digital media creates images of it in memory and possibly on my main drive (in temp files and swap files) ... and perhaps other hardware where scratch copies are stored when applications work on data (or the OS moves data around as part of its normal resource balancing activity) .
I would like to know if it is possible to fully and confidently clean up any lingering copies (or partial copies) of data that an application has used after the application has terminated.
I am not looking for a different overall method for creating and controlling my password database. Specifically, I am not looking for a utility that would allow me to 'securely' store the database on my computer using keychain technology, 3rd party password management apps or similar methods that leave the password database on my computer in a form that controls access.
I prefer the more conservative approach of storing my password database completely offline in non-volatile, unencrypted form ... but nevertheless having the convenience of accessing it electronically when I need it.
So what I'm asking for is general knowledge about how to maintain secure control over data accessed by an application running on Tiger

I don't think you need to worry if it's stored on external media, but if you're worried about temp/cache/swap files, then get Applejack...
http://www.versiontracker.com/dyn/moreinfo/macosx/19596
After installing, reboot holding down CMD+s, (+s), then when the DOS like prompt shows, type in...
applejack
Then do steps 3 & 5.

Regarding password file

While creating database i put remote_login_passwordfile = exclusive in init.ora.
i created the password file with user name and password.
Afer i could connect internal with out givng username and password which have been given in password file.
I don't have proper idea on this please give me idea about this.
Ganesh.G.
null

Omit the OS-User from ORA_SID_DBA group( in the User Manager) and try again to connect. it will solve your problem.

How to change the default password file's name and path when the database created?

how to change the default password file's name and path when the database created?
null

Usage: orapwd file=<fname> password=<password> entries=<users>
where
file - name of password file (mand),
password - password for SYS and INTERNAL (mand),
entries - maximum number of distinct DBA and OPERs (opt),
There are no spaces around the equal-to (=) character.

How to change default location of password file ?

Hi all,
Can i change the location of my password file from default to any other user defined location ?
If yes then how ?
Thanx in advance.
Deep

Dad you moved here?
Can i change the location of my password file ?

About password file

Similar Messages

Maybe you are looking for