Oracle 口令文件：即 oracle密码文件

一：文件路径位置

[oracle@localhost db_1]$ cd $ORACLE_HOME/dbs
[oracle@localhost dbs]$ ls
dbsorapwPROD1   hc_orcl.dat   initneworcl.ora  initorcl.ora   lkNEWORCL  lkPROD1  orapwneworcl  spfileorcl.ora   tem.dbf
hc_neworcl.dat  hc_PROD1.dat  init.ora         initPROD1.ora  lkORCL     my.dbf   orapworcl     spfilePROD1.ora
[oracle@localhost dbs]$ pwd
/u01/app/oracle/product/11.2.0/db_1/dbs
[oracle@localhost dbs]$

二、口令文件的命名规则

orapw+sid
如：
orapworcl

三、口令文件存放的是sys

主要是存放管理用户的密码信息的

select *from v$pwfile_users;

SYS@orcl> select * from v$pwfile_users;

USERNAME                       SYSDB SYSOP SYSAS
------------------------------ ----- ----- -----
SYS                            TRUE  TRUE  FALSE

SYS@orcl>

四：实验操作

注： remote_login_passwordfile 是静态参数。修改了该值之后，数据库需要重启。

1）当remote_login_passwordfile  是 EXCLUSIVE

没有sqlnet.ora文件
   sqlplus sys/oracle as sysdba
    sqlplus / as sysdba
    sqlplus sys/oracle@togogo as sysdba
    以上均成功

   

  2）当remote_login_passwordfile是 EXCLUSIVE

    sqlnet.ora文件参数     SQLNET.AUTHENTICATION_SERVICES=none

    sqlplus sys/oracle as sysdba  成功
   sqlplus / as sysdba           不成功
   sqlplus sys/oracle@togogo as sysdba   成功

[oracle@localhost dbs]$ clear

[oracle@localhost dbs]$ ls
dbsorapwPROD1   hc_orcl.dat   initneworcl.ora  initorcl.ora   lkNEWORCL  lkPROD1  orapwneworcl  spfileorcl.ora   tem.dbf
hc_neworcl.dat  hc_PROD1.dat  init.ora         initPROD1.ora  lkORCL     my.dbf   orapworcl     spfilePROD1.ora
[oracle@localhost dbs]$ cd ../network/
[oracle@localhost network]$ ls
admin  doc  install  jlib  lib  log  mesg  tools  trace
[oracle@localhost network]$ ca admin/
-bash: ca: command not found
[oracle@localhost network]$ ls
admin  doc  install  jlib  lib  log  mesg  tools  trace
[oracle@localhost network]$ cd admin/
[oracle@localhost admin]$ ls
listener.ora  samples  shrept.lst  sqlnet.ora  tnsnames.ora
[oracle@localhost admin]$ cat sqlnet.ora
ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=$ORACLE_BASE/admin/$ORACLE_SID/wallet/)))
[oracle@localhost admin]$ vi sqlnet.ora











ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=$ORACLE_BASE/admin/$ORACLE_SID/wallet/)))
SQLNET.AUTHENTICATION_SERVICES=none


~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
"sqlnet.ora" 4L, 152C written
[oracle@localhost admin]$ cat sqlnet.ora
ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=$ORACLE_BASE/admin/$ORACLE_SID/wallet/)))
SQLNET.AUTHENTICATION_SERVICES=none


[oracle@localhost admin]$ pwd
/u01/app/oracle/product/11.2.0/db_1/network/admin
[oracle@localhost admin]$

[oracle@localhost admin]$ rlwrap sqlplus / as sysdba;

SQL*Plus: Release 11.2.0.3.0 Production on Sat Jun 23 16:01:36 2018

Copyright (c) 1982, 2011, Oracle.  All rights reserved.

ERROR:
ORA-01031: insufficient privileges


Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied


Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied


SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
[oracle@localhost admin]$ rlwrap sqlplus sys/oracle as sysdba;

SQL*Plus: Release 11.2.0.3.0 Production on Sat Jun 23 16:02:40 2018

Copyright (c) 1982, 2011, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SYS@orcl>

  

   3）当remote_login_passwordfile是 EXCLUSIVE

   sqlnet.ora文件参数     SQLNET.AUTHENTICATION_SERVICES=all

    sqlplus sys/oracle as sysdba  成功
   sqlplus / as sysdba           成功
   sqlplus sys/oracle@togogo as sysdba   不成功

   4）当remote_login_passwordfile是 none     没有sqlnet.ora文件

   

   sqlplus sys/oracle as sysdba  成功
   sqlplus / as sysdba           成功
   sqlplus sys/oracle@togogo as sysdba   不成功

  5）当remote_login_passwordfile是 none

   sqlnet.ora文件参数     SQLNET.AUTHENTICATION_SERVICES=none

   sqlplus sys/oracle as sysdba  不成功
   sqlplus / as sysdba           不成功
   sqlplus sys/oracle@togogo as sysdba   不成功

  

   6）当remote_login_passwordfile是 none

   sqlnet.ora文件参数     SQLNET.AUTHENTICATION_SERVICES=all

    sqlplus sys/oracle as sysdba  成功
   sqlplus / as sysdba           成功
   sqlplus sys/oracle@togogo as sysdba   不成功

五、创建口令文件

 

 orapwd file=口令文件名称 password=用户密码

Creating a Password File with ORAPWD

The syntax of the ORAPWD command is as follows:

ORAPWD FILE=filename [ENTRIES=numusers] [FORCE={Y|N}] [IGNORECASE={Y|N}]

Command arguments are summarized in the following table.

Argument	Description
FILE	Name to assign to the password file. You must supply a complete path. If you supply only a file name, the file is written to the current directory.
ENTRIES	(Optional) Maximum number of entries (user accounts) to permit in the file.
FORCE	(Optional) If y, permits overwriting an existing password file.
IGNORECASE	(Optional) If y, passwords are treated as case-insensitive.

There are no spaces permitted around the equal-to (=) character.

The command prompts for the SYS password and stores the password in the created password file.

Example

The following command creates a password file named orapworcl that allows up to 30 privileged users with different passwords.

orapwd FILE=orapworcl ENTRIES=30

Sharing and Disabling the Password File

You use the initialization parameter REMOTE_LOGIN_PASSWORDFILE to control whether a password file is shared among multiple Oracle Database instances. You can also use this parameter to disable password file authentication. The values recognized for REMOTE_LOGIN_PASSWORDFILE are:

• NONE: Setting this parameter to NONE causes Oracle Database to behave as if the password file does not exist. That is, no privileged connections are allowed over nonsecure connections.

• EXCLUSIVE: (The default) An EXCLUSIVE password file can be used with only one instance of one database. Only an EXCLUSIVE file can be modified. Using an EXCLUSIVE password file enables you to add, modify, and delete users. It also enables you to change the SYS password with the ALTER USER command.

• SHARED: A SHARED password file can be used by multiple databases running on the same server, or multiple instances of an Oracle Real Application Clusters (Oracle RAC) database. A SHARED password file cannot be modified. Therefore, you cannot add users to a SHARED password file. Any attempt to do so or to change the password of SYS or other users with the SYSDBA or SYSOPER privileges generates an error. All users needing SYSDBA or SYSOPERsystem privileges must be added to the password file when REMOTE_LOGIN_PASSWORDFILE is set to EXCLUSIVE. After all users are added, you can changeREMOTE_LOGIN_PASSWORDFILE to SHARED, and then share the file.

  This option is useful if you are administering multiple databases or an Oracle RAC database.

If REMOTE_LOGIN_PASSWORDFILE is set to EXCLUSIVE or SHARED and the password file is missing, this is equivalent to setting REMOTE_LOGIN_PASSWORDFILE to NONE.

Note:

You cannot change the password for SYS if REMOTE_LOGIN_PASSWORDFILE is set to SHARED. An error message is issued if you attempt to do so.

Keeping Administrator Passwords Synchronized with the Data Dictionary

If you change the REMOTE_LOGIN_PASSWORDFILE initialization parameter from NONE to EXCLUSIVE or SHARED, or if you re-create the password file with a different SYSpassword, then you must ensure that the passwords in the data dictionary and password file for the SYS user are the same.

To synchronize the SYS passwords, use the ALTER USER statement to change the SYS password. The ALTER USER statement updates and synchronizes both the dictionary and password file passwords.

To synchronize the passwords for non-SYS users who log in using the SYSDBA or SYSOPER privilege, you must revoke and then regrant the privilege to the user, as follows:

1. Find all users who have been granted the SYSDBA privilege.

   SELECT USERNAME FROM V$PWFILE_USERS WHERE USERNAME != 'SYS' AND SYSDBA='TRUE';
   

2. Revoke and then re-grant the SYSDBA privilege to these users.

   REVOKE SYSDBA FROM non-SYS-user;
   GRANT SYSDBA TO non-SYS-user;
   

3. Find all users who have been granted the SYSOPER privilege.

   SELECT USERNAME FROM V$PWFILE_USERS WHERE USERNAME != 'SYS' AND SYSOPER='TRUE';
   

4. Revoke and regrant the SYSOPER privilege to these users.

   REVOKE SYSOPER FROM non-SYS-user;
   GRANT SYSOPER TO non-SYS-user;

Adding Users to a Password File

When you grant SYSDBA or SYSOPER privileges to a user, that user's name and privilege information are added to the password file. If the server does not have an EXCLUSIVE password file (that is, if the initialization parameter REMOTE_LOGIN_PASSWORDFILE is NONE or SHARED, or the password file is missing), Oracle Database issues an error if you attempt to grant these privileges.

A user's name remains in the password file only as long as that user has at least one of these two privileges. If you revoke both of these privileges, Oracle Database removes the user from the password file.

Creating a Password File and Adding New Users to It

Use the following procedure to create a password and add new users to it:

1. Follow the instructions for creating a password file as explained in "Creating a Password File with ORAPWD".

2. Set the REMOTE_LOGIN_PASSWORDFILE initialization parameter to EXCLUSIVE. (This is the default.)

   Note:

   REMOTE_LOGIN_PASSWORDFILE is a static initialization parameter and therefore cannot be changed without restarting the database.

3. Connect with SYSDBA privileges as shown in the following example, and enter the SYS password when prompted:

   CONNECT SYS AS SYSDBA
   

4. Start up the instance and create the database if necessary, or mount and open an existing database.

5. Create users as necessary. Grant SYSDBA or SYSOPER privileges to yourself and other users as appropriate. See "Granting and Revoking SYSDBA and SYSOPER Privileges", later in this section.

——————————————————————————————————————————————————————————————————