Oracle SYS/SYSTEM shared passwords
Unfortunately we have a requirement not to have the sys/system passwords shared even among the DBA staff. Someone mentioned an Oracle article which details not having shared passwords. The problem is that security perceives this issue as a threat. I have argued until I am blue in the face that these two accounts are needed by the dba team. Does anyone have any information on this subject to pass along? Things that worked and even those that didn't? The real issue comes into play when you start looking at cron jobs on the oracle account which have most of the privileged passwords visible.
Thanks!
You could argue that with me - a DBA - until you are blue in the face and you would still lose. You DO NOT need the sys and system accounts to do your job as a DBA.
Here is what we do...
1. create a role, or set of roles something like DBA_SENIOR, DBA_SECURITY, DBA_USERADMIN, etc. Give them all of the privileges they need for their specific jobs.
2. create user accounts for each DBA - we use externally identified but they need not be.
3. grant each DBA his appropriate role.
4. create a password file.
5. grant sysdba to the DBAs - so that they can become SYS on those times when it is the only way to do what needs to be done.
6. give sys and system impossible passwords.
7. DO NOT grant DBA role to anyone.
Now you have met the requirement and your dba's can do their jobs. And if you create scripts, then it is easy to make this routine for whenever you create a database.
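The procedure above written out as a build script, added here as an illustration and not part of the original post. The role names are the post's; the user names, the privilege lists and the password placeholders are assumptions, and the accounts are password-authenticated rather than externally identified.

```sql
-- Added example, not from the original post. Role names are the post's;
-- user names, privilege lists and <placeholders> are assumptions.
-- Run in SQL*Plus connected AS SYSDBA while building the database.

-- Step 1: task-specific roles instead of the built-in DBA role.
CREATE ROLE dba_useradmin;
GRANT CREATE SESSION, CREATE USER, ALTER USER, DROP USER TO dba_useradmin;

CREATE ROLE dba_security;
GRANT CREATE SESSION, AUDIT SYSTEM, AUDIT ANY,
      CREATE PROFILE, ALTER PROFILE TO dba_security;

CREATE ROLE dba_senior;
GRANT CREATE SESSION, ALTER SYSTEM, ALTER DATABASE,
      CREATE TABLESPACE, ALTER TABLESPACE, SELECT ANY DICTIONARY
   TO dba_senior;

-- Step 2: one named account per DBA, so every action maps to a person.
-- PASSWORD EXPIRE forces each DBA to set a private password at first login.
CREATE USER jsmith IDENTIFIED BY "<initial-password-1>" PASSWORD EXPIRE;
CREATE USER akhan  IDENTIFIED BY "<initial-password-2>" PASSWORD EXPIRE;

-- Step 3: each DBA gets only the role that matches the job.
GRANT dba_senior    TO jsmith;
GRANT dba_useradmin TO akhan;

-- Step 4: the password file is created at OS level with the orapwd utility.
-- GRANT SYSDBA is recorded in that file, so confirm the instance uses it
-- (the value should be EXCLUSIVE):
SELECT value FROM v$parameter WHERE name = 'remote_login_passwordfile';

-- Step 5: SYSDBA only for the DBAs who must occasionally act as SYS.
GRANT SYSDBA TO jsmith;

-- Step 6: set SYS and SYSTEM to long random values that nobody records.
ALTER USER sys    IDENTIFIED BY "<long-random-value-1>";
ALTER USER system IDENTIFIED BY "<long-random-value-2>";

-- Step 7: verify. Any grantee of the DBA role listed here needs review.
SELECT grantee
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
   AND grantee NOT IN ('SYS', 'SYSTEM');

-- Who can connect AS SYSDBA / AS SYSOPER through the password file.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 ORDER BY username;
```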
Similar Messages
-
What is step reset sys,system,sysman password
Dear Expert,
Due to security issue, company request to change sys,system,sysman and ASM sys password running on RAC DB 11.2.0.3
What is a proper way to change above power user login and does it affect ORACLE ENTERPRISE MANAGE 11g user login. Please advise
Regard
LIANG
1. recreate the password file to reset sys password for DB/ASM
2. for system, you may change it by alter user system identified by .....
3. check metalink...for sysman How to Change the Password of SYSMAN User in 10g and 11g Grid Control? [ID 270516.1]
Please close the thread after marking it helpful or correct if you feel you have the answer and keep the Oracle forum clean.
https://forums.oracle.com/forums/ann.jspa?annID=885
Thanks
Kuljeet Pal Singh
-
Password for Oracle user , sys , system , saprpd
Hi All ,
I just join a new company as sys admin . I tried to search password for Oracle user sys , system and saprd in my company password file . Those users password are not stored.
Am I supposed to know those oracle user password ? If yes , Can I find them in my Unix system or sap application ?
Please help !
Felix
It is not possible to determine the passwords if you don't know them. But perhaps note 562863 and the described default passwords are useful. Furthermore you can always change passwords if you have SYSDBA privilege using "alter user ... identified by ..." or "brconnect -f chpass".
Regards
Martin
-
RMAN Backup job fails after changing sys, system passwords
Hello Oracle community,
11.1g
After we changed the passwords for sys, system and sysman the backup jobs fail. This is my error log:
Recovery Manager: Release 11.1.0.7.0 - Production on Mo Aug 30 11:16:29 2010
Copyright (c) 1982, 2009, Oracle and/or its affiliates. All rights reserved.
RMAN>
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
ORA-12532: TNS: Ungültiges Argument
RMAN>
Echo einstellen ein
RMAN> set command id to 'BACKUP_MEGALON.INT_083010111617';
Befehl wird ausgeführt: SET COMMAND ID
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: Fehler bei set Befehl auf 08/30/2010 11:16:29
RMAN-06171: Nicht bei Zieldatenbank angemeldet
RMAN> backup device type disk tag 'BACKUP_MEGALON.INT_083010111617' database;
Starten backup um 30.08.10
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: Fehler bei backup Befehl auf 08/30/2010 11:16:29
RMAN-06171: Nicht bei Zieldatenbank angemeldet
RMAN> backup device type disk tag 'BACKUP_MEGALON.INT_083010111617' archivelog all not backed up;
Starten backup um 30.08.10
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: Fehler bei backup Befehl auf 08/30/2010 11:16:29
RMAN-06171: Nicht bei Zieldatenbank angemeldet
RMAN> exit;
Recovery Manager abgeschlossen.
Ikrischer
Hello Tychos,
I am able to make a sqlplus connection, but your hint sent me in the correct direction. I had a special character "@" in the password and I think that was the reason for my problems with RMAN.
Ikrischer
-
SYS and SYSTEM user password expired
My 11g2 database on Redhat 5 has sys and system user password expired
SQL> select username,account_status,EXPIRY_DATE
from dba_users where username like 'SYS%';
2
USERNAME ACCOUNT_STATUS EXPIRY_DA
SYSMAN OPEN
SYSTEM OPEN 15-FEB-11
SYS OPEN 15-FEB-11
But I can still connect the database with the expired password.
Do I need to worry about the expiration of these user's password? For a normal user, I cannot login with expired password
Dear user13148231,
Here is an illustration;
SQL> alter user sys account lock;
User altered.
SQL> select username, account_status, lock_date, expiry_date from dba_users where USERNAME='SYS';
USERNAME ACCOUNT_STATUS LOCK_DATE EXPIRY_DA
SYS LOCKED 20-AUG-10 23-FEB-09
SQL> host sqlplus sys/password@opttest as sysdba
SQL*Plus: Release 10.2.0.4.0 - Production on Fri Aug 20 12:25:43 2010
Copyright (c) 1982, 2007, Oracle. All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> exit
Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> alter user sys identified by password password expire;
User altered.
SQL> select username, account_status, lock_date, expiry_date from dba_users where username='SYS';
USERNAME ACCOUNT_STATUS LOCK_DATE EXPIRY_DA
SYS EXPIRED & LOCKED 20-AUG-10 20-AUG-10
SQL> host sqlplus sys/password@opttest as sysdba
SQL*Plus: Release 10.2.0.4.0 - Production on Fri Aug 20 12:27:02 2010
Copyright (c) 1982, 2007, Oracle. All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> exit
Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> alter user sys identified by password account unlock;
SQL> select username, account_status, lock_date, expiry_date from dba_users where username='SYS';
USERNAME ACCOUNT_STATUS LOCK_DATE EXPIRY_DA
SYS OPEN
Even if it shows expired and locked it is OK to connect to the database for the SYS user.
SQL> alter user ogan identified by password account lock password expire;
User altered.
SQL> select username, account_status, lock_date, expiry_date from dba_users where username='OGAN';
USERNAME ACCOUNT_STATUS LOCK_DATE EXPIRY_DA
OGAN EXPIRED & LOCKED 20-AUG-10 20-AUG-10
SQL> conn ogan/password
ERROR:
ORA-28000: the account is locked
Warning: You are no longer connected to ORACLE.
SQL> conn / as sysdba
Connected.
SQL> alter user ogan account unlock;
User altered.
SQL> conn ogan/password@opttest
ERROR:
ORA-28001: the password has expired
Changing password for ogan
New password:
Retype new password:
Password changed
Connected.
SQL>
Ogan
-
Hi,
I used a modified personal.rsp and dbca.rsp to install Oracle 9.2 personal and a DB on Win2k/XPp, but despite the "-silent" flag, I get a dialog prompting for the sys, system passwords in the end.
How can I avoid this? Are there (undocumented) parameters for dbca.rsp which allow to avoid the dialog?
Thanks for any help.
Hi,
Use below command and you do not need to pass userid/password. It works for all versions.
imp \'/ AS SYSDBA\' full=Y CONSTRAINTS=Y FILE=V:\exp_test20090729.dmp
Regards,
Satishbabu Gunukula
http://oracleracexpert.blogspot.com
Edited by: Satishbabu Gunukula on Aug 10, 2009 4:34 PM
-
View and change passwords for sys, system, sapr3
Dear All
1. I need to view the password for the account :
sys, system, sapr3
2. I need to know for how long passwords have not been changed?
. and how can i change these passwords?
Any suggestions??
Regards
Rajesh
Edited by: rajesh sharma on Oct 15, 2008 1:51 PM
Hi Rajesh,
1. I need to view the password for the account :
sys, system, sapr3
It's not possible to view the password, the password is always stored in encrypted format, if the default has not been changed for SYS, SYSTEM then their password are CHANGE_ON_INSTALL and MANAGER respectively.
2. I need to know for how long passwords have not been changed?
. and how can i change these passwords?
For knowing what date they were changed last,
- connect /as sysdba;
- SQL> select name, ptime from user$;
ptime will give you the last password change date.
you can view at what date the password will be expired by
- select username, account_status, expiry_date from dba_users;
change the password by brtools menu options or directly by chpass.
http://help.sap.com/saphelp_nw70/helpdata/EN/4f/c3883989676778e10000000a11402f/frameset.htm
Note -
Always recommended to use brtools for changing password rather than using the sql commands.
Regards,
Debasis.
Edited by: Debasis Sahoo on Oct 16, 2008 1:09 AM
-
Forgotten Sys and System user passwords
In the case of forgetting the Sys and the System user passwords, is there any way of logging on with privileges to be able to change these passwords, if not, are there any other solutions?
Thanks,
Nick
In order for "/ as sysdba" to work, you need to run
the password file creation utility (orapwd).
No, it has nothing to do with the password file. In order for "connect / as sysdba" to succeed, it is necessary to have an operating system account which is a member of the "osdba group". In Windows, this OS group is : "ORA_DBA". Any member of this group can and has privileges to connect "/ as sysdba". Again, it has nothing to do with password file.
In Windows there is another condition for it to work :
The file %ORACLE_HOME%\network\admin\sqlnet.ora must have the following line :
SQLNET.AUTHENTICATION_SERVICES= (NTS)
In Unix systems, the osdba group is configured at installation and is conventionally named "dba".
-
Setting password limits on SYS, SYSTEM, DBSNMP
We are having a security audit conducted and the auditors want us to set password limits for system accounts (SYS, SYSTEM, DBSNMP). They're asking us to set PASSWORD_LIFE_TIME, PASSWORD_GRACE_TIME, PASSWORD_REUSE_MAX, PASSWORD_REUSE_TIME. I have not been able to find any documentation that discusses the implications of doing this, if any. I'm wondering what will happen if these accounts become locked and/or expired because of invalid login attempts and not changing the password in time. I need something definitive one way or the other to show the customer. Please help!
Thanks,
Susan
Which operating System and which database release?
In AIX you can define password limit on OS level (using smitty for it) very straight forward.
You can also use OEM to do the password configuration which includes your assignment.
DN
-
Oracle Traditional Import Overrides Password
Hi to all
I had just successfully finished a full importing from Oracle 9i DB to Oracle 11gR2 DB. My export was a full db export.
Prior to this importing, my 11g was a newly created DB with the default SYS, System etc.. schema. Their passwords are different from those in 9i.
However, I realised that after importing... their passwords in 11g were replaced by those passwords in 9i, including SYS and SYSTEM user...
Is this normal? Thanks for sharing..
Hi Srini
Oh yes...I tested a few times and my SYSTEM & SYS password were replaced by the 9i password (redo the whole testing with a new installation of OS server and Oracle 11g) . I am able to login in 11g for those user schema imported from Oracle 9i.. Their passwords are the same as in 9i.. Will not the password file from 9i replaced the 11g password file?
Here are the details and first 15 lines of my latest export/import log...
In Oracle 9i (source)
1. set NLS_LANG=.US7ASCII
2. exp system/<pwd>@db FULL=Y INDEXES=N FILE=DB_27Nov12.DMP LOG=DB_27Nov12.log
===============
Export Log
===============
Connected to: Oracle9i Enterprise Edition Release 9.2.0.8.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.8.0 - Production
Export done in US7ASCII character set and AL16UTF16 NCHAR character set
Note: indexes on tables will not be exported
About to export the entire database ...
. exporting tablespace definitions
. exporting profiles
. exporting user definitions
. exporting roles
. exporting resource costs
. exporting rollback segment definitions
. exporting database links
. exporting sequence numbers
. exporting directory aliases
. exporting context namespaces
. exporting foreign function library names
. exporting PUBLIC type synonyms
. exporting private type synonyms
. exporting object type definitions
. exporting system procedural objects and actions
. exporting pre-schema procedural objects and actions
. exporting cluster definitions
. about to export SYSTEM's tables via Conventional Path ...
. . exporting table AQ$_INTERNET_AGENTS 0 rows exported
===================================
Copy the dmp file from old server over to the new server using Run program
In Oracle 11g (destination)
1. Created a new 11g database with pre-created tablespaces..
2. imp system/<pwd>@dbnew FULL=Y IGNORE=Y FILE=DB_27Nov12.DMP LOG=import_DB_27Nov12.log
===============
Import Log
===============
Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
Export file created by EXPORT:V09.02.00 via conventional path
import done in WE8MSWIN1252 character set and AL16UTF16 NCHAR character set
export client uses US7ASCII character set (possible charset conversion)
. importing SYSTEM's objects into SYSTEM
IMP-00017: following statement failed with ORACLE error 29339:
"CREATE UNDO TABLESPACE "UNDOTBS" BLOCKSIZE 4096 DATAFILE 'F:\ORADATA\UNDO\"
"UNDOTBS.DBF' SIZE 5120M , 'F:\ORADATA\UNDO\UNDOTBS1.DBF' SIZE 5120M "
" EXTENT MANAGEMENT LOCAL "
IMP-00003: ORACLE error 29339 encountered
ORA-29339: tablespace block size 4096 does not match configured block sizes
IMP-00017: following statement failed with ORACLE error 29339:
"CREATE TEMPORARY TABLESPACE "TEMP" BLOCKSIZE 4096 TEMPFILE 'D:\ORADATA\TEM"
"P\TEMP.DBF' SIZE 7524M AUTOEXTEND ON NEXT 20971520 MAXSIZE 8192M EXT"
"ENT MANAGEMENT LOCAL UNIFORM SIZE 10485760"
IMP-00003: ORACLE error 29339 encountered
ORA-29339: tablespace block size 4096 does not match configured block sizes
IMP-00017: following statement failed with ORACLE error 29339:
"CREATE TABLESPACE "USERS" BLOCKSIZE 4096 DATAFILE 'D:\ORADATA\OFA\USERS.DB"
"F' SIZE 838860800 AUTOEXTEND ON NEXT 10485760 MAXSIZE 1048576000 EX"
"TENT MANAGEMENT LOCAL UNIFORM SIZE 327680 ONLINE PERMANENT NOLOGGING SEGM"
"ENT SPACE MANAGEMENT AUTO"
===================================
*This change of password is not a serious problem to me as there are only 2 DBAs who know those passwords.. Just curious to know more about this issue..
Edited by: moslee on Nov 27, 2012 5:37 PM
-
Oracle Active Dataguard 11g - Passwords
Hi all
Environment description: Production database, 11.2.0.3 version, standalone running on Solaris and an Oracle Active Dataguard database in read only mode, same version and operating system.
Question: The users passwords and sys/system password (orapw ) could be different in the ADG environment? I mean, could the orapwd file and user password be changed in the Dataguard database ?
Thanks a lot.
user1687821 wrote:
Hi All,
Please suggest a good step by step guide to implement Oracle Active Dataguard on Oracle 11g, OS : RHEL 5.4
Have searched a couple of documents, but ending up with physical or logical dataguard setup guides...
Please suggest end to end steps guide for Active Dataguard Implementation
DB : Oracle 11g Release 2
OS : RHEL 5.4
Thanks
Hi,
Active dataguard is option after configuring dataguard.
You can put standby database in Open(read only) mode also you can enable Recover(MRP) while open so this can be used for reporting purpose too.
Please refer below links for configuring them.
http://www.oracle-class.com/wp-content/uploads/2011/01/dataguard/11gR2%20Physical%20Data%20Guard%20Setup%20%20project,%20with%20Active%20Data%20Guard%20option.pdf
http://www.databasejournal.com/features/oracle/article.php/3834931/Using-Oracle-11gs-Active-Data-Guard-and-Snapshot-Standby-Features.htm
http://www.oracle-base.com/articles/11g/DataGuardSetup_11gR2.php
http://www.oracle.com/technology/deploy/availability/pdf/maa_wp_11gr1_activedataguard.pdf
HTH.
-
I installed the 32-Bit version of Oracle 11gR2 on my Windows 7 x64 system because the x64 version wouldn't install. I downloaded the 32-Bit version of SQL Developer with JRE, but when I run SQL Developer, the default connections (SYS, SYSTEM, DBSNMP, and SYSMAN) are not available.
I have entered the tnsnames directory on the Database:Advanced Preferences screen, and restarted my PC, but there's obviously something I'm missing.
Suggestions?
Thanks.
Hi Paul,
Once I connect to the Network Adapter, will the default ids show up?
The SQL Developer Help says (and I believe this procedure works even if you cannot "connect" to the local database):
To create (automatically generate) a database connection for each unlocked user account in the Oracle database instance
on the local system, right-click the Connections node and select Create Local Connections. The connections are placed in
a folder named Auto-Generated Local Connections. Note that for these autogenerated connections (except for the one
named system-<database-name>), you will always be prompted for the password when you connect, and you cannot edit
the user name or password in the connection properties dialog box.
Next, if this is what you are actually asking, and you have a local database installed, then you need to make sure your database listener is up and running. Open a command line and try these commands:
lsnrctl status
If it is not already started, either start it with
lsnrctl start
or otherwise from your Windows Administrator Tools -> Services -> Oracle<home>Listener (right-click: Start)
Hope this helps,
Gary
-
i am an IT manager for a bank. we have several company owned iphones. WE have also implemented a mobile device management system to manage our iphones.
We setup a company based itunes account, trying to share itunes on bank owned devices. This way i can add bank approved apps to the devices through our itunes account and push out to the iphones, and no one can download any other non bank approved apps.
it has been working ok. but recently i had one user who came in. He went to enter in his itunes account on the phone and didn't work. So then came back and my staff and myself have (as much as we can see) removed his email account itunes login from all sections in settings. and entered in our itunes account information, but when you go to the app store, and hit upgrade, it still shows his email account for itunes. I feel like i can't get all devices to keep our shared password on them without requesting user to enter password (which i am not giving them)
How can i troubleshoot his device. i tried changing password 5 times today, rebooted device, and no change.
Jenn McGlynn
i have an MDM application, and i push out the apps i want them to have with our IT apple id account. for some reason when two approved apps needed updating last week, they prompted him for our password. (which i told him to bring phone in and i would enter password).
but somehow he went to try to enter his personal to make it work (don't know why)
somewhere it's keeping his personal email. i went into itunes/apps and our apple id is in there.
there is nothing in icloud b/c we do not allow icloud, so that's clear.
-
Can we pass values to Oracle Default window when Password expired?
We are using our own login form to login to our Oracle Form based application. All the passwords are encrypted as per our system design and hence password changed outside ( through SQLPLUS, TOAD ..etc) our application will block the user to be login to our system.
Now we are implementing the password expiration logic through "PROFILES".
When the user's password is expired then if user is trying to login, oracle Form displays its default screen with the below three fields to change the password
1.Old password
2.New password
3.Re enter password
Since we have implemented our own encryption method, we should not allow the user to enter new password in oracle's default window.
Instead we have to use the new password entered in our application, it will be encrypted and passed it directly to the oracle's default window and User should be able click ONLY the "OK" button other fields should be disabled.
In this way we will be able to change the old password with new encrypted one.
is it possible? is there any alternative to this?
Hi,
My requirement is exactly the same as yours, can you please let me know what did you do to overcome the Oracle Forms Default change password screen.
Regards,
Praveen
-
Personal Oracle 8i Database startup password
Can someone provide the database startup password for Personal Oracle 8i. I have tried passwords like "oracle", "sys", "manager" in both uppercase and lowercase.
None of this works. I have read the required documentation for the same. But I haven't recd any information.
Thanks.
Hi,
Normally this combination should work.
Anyway, try this out.
In the command prompt,
set ORACLE_SID=<sid name>
start server manager/svrmgrl
connect internal.
At this juncture , if you are getting errors, exit the svrmgr application.
try to reset the password for internal with a new password file. (Backup the old one).
Try connecting.
Regards
Lakshmanan, K