3.6. Re-creating the Password File

There are multiple methods for a database administrator to authenticate to an Oracle database. The standard method is to log in directly to the operating system of the server and establish a local connection to the database over Inter-Process Communication (IPC), which does not need to use SQL*Net. This method relies on the operating system account's password for validation. Once in the secure operating system account, you can connect as SYSOPER or SYSDBA. SYSOPER has partial database administration privileges, which is good for operational support, and SYSDBA has full database administration privileges. On Unix, you would most likely be the Oracle user; on Windows, you would be the administrator. The operating system account is local, which assures that the account is secure.

A second primary method is to connect remotely using SQL*Net and authenticate with a password file. This is how Enterprise Manager (EM) connects to the Oracle database. Remote connectivity requires a password file to be set up and configured to prevent unauthorized connections. In order to connect as SYSOPER or SYSDBA remotely, you need to know the defined password, which is created by the ORAPWD utility. Table 3.2 lists the ways that you can authenticate to the Oracle database.

Table 3.2. Administrative Authentication Methods
| Connection Type | Connectivity Method | Authentication Method |
|---|---|---|
| Local | Local IPC connection | Operating system secure account |
| Remote | Remote SQL*Net connection | Oracle password file |

The password file is required for all remote database administrative connections to an Oracle database using SYSOPER or SYSDBA. Re-creating a password file to allow connections of these types is another non-critical recovery scenario. Some key information must be known about the contents of the password file: which users have remote password access through SYSDBA or SYSOPER. When this information is known, the password file can be quickly and easily re-created. Then remote access will be unaffected.

The ORAPWD executable is an Oracle utility that generates a password file for remote connections. ORAPWD should be run when the database is shut down. It is also best to run this utility from the directory where the file needs to be located. When using ORAPWD, use the appropriate naming convention, which is orapw$ORACLE_SID, where $ORACLE_SID is the name of the Oracle database. The file must be located in the $ORACLE_HOME/dbs directory on Unix and in $ORACLE_HOME\database on Windows. The init.ora file must also contain the REMOTE_LOGIN_PASSWORDFILE parameter, set to SHARED or EXCLUSIVE. This should already be set to either SHARED or EXCLUSIVE, so you likely won't need to do this step.

Let's walk through an example of rebuilding a password file:

  1. First, shut down the database:

    SQL> shutdown immediate
    Database closed.
    Database dismounted.
    ORACLE instance shut down.
    SQL> startup

  2. Run the ORAPWD utility to build the password file in the $ORACLE_HOME/dbs directory, using the naming convention orapw$ORACLE_SID. The entries option determines how many users can be stored in the password file:

    orapwd file=orapwORA101T password=syspass entries=20

    To see what users are utilizing the password file, keep a copy of the following query:

    SQL> select * from v$pwfile_users;
    USERNAME                       SYSDB SYSOP
    ------------------------------ ----- -----
    SYS                             TRUE TRUE
    SQL>
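
The requirements stated above (file named orapw$ORACLE_SID in $ORACLE_HOME/dbs, and REMOTE_LOGIN_PASSWORDFILE set to SHARED or EXCLUSIVE in init.ora) can be checked after the rebuild with a short script. This is an added example, not code from the book; the function name check_pwfile, the pfile location $ORACLE_HOME/dbs/init$ORACLE_SID.ora and the "no access for other OS users" permission baseline are assumptions.

```sh
#!/bin/sh
# Added example (not from the book). Assumed layout: the pfile is
# $ORACLE_HOME/dbs/init$ORACLE_SID.ora; "no access for others" is an
# assumed hardening baseline for the password file.

# check_pwfile ORACLE_HOME ORACLE_SID -> one finding per line, returns 0 if all pass
check_pwfile() {
    home=$1; sid=$2; rc=0
    pwfile="$home/dbs/orapw$sid"
    pfile="$home/dbs/init$sid.ora"

    if [ ! -f "$pwfile" ]; then
        echo "FAIL: $pwfile not found; it must be named orapw\$ORACLE_SID"; rc=1
    else
        mode=$(ls -l "$pwfile" | cut -c1-10)      # e.g. -rw-r-----
        case $mode in
            ???????---) echo "OK: $pwfile ($mode)" ;;
            *) echo "FAIL: $pwfile ($mode) is accessible to other OS users"; rc=1 ;;
        esac
    fi

    if [ ! -f "$pfile" ]; then
        echo "FAIL: $pfile not found"; rc=1
    else
        # Last uncommented setting wins; accept name=value, *.name='value', any case.
        val=$(awk -F= '
            { sub(/#.*/, "") }
            toupper($1) ~ /^[ \t]*(\*\.)?REMOTE_LOGIN_PASSWORDFILE[ \t]*$/ {
                v = toupper($2); gsub(/[^A-Z]/, "", v); last = v }
            END { print last }' "$pfile")
        case $val in
            SHARED|EXCLUSIVE) echo "OK: REMOTE_LOGIN_PASSWORDFILE=$val" ;;
            "") echo "FAIL: REMOTE_LOGIN_PASSWORDFILE not set in $pfile"; rc=1 ;;
            *) echo "FAIL: REMOTE_LOGIN_PASSWORDFILE=$val (need SHARED or EXCLUSIVE)"; rc=1 ;;
        esac
    fi
    return $rc
}

# Demo on a constructed tree (sample data, not a real ORACLE_HOME).
demo() {
    d=$(mktemp -d) && mkdir "$d/dbs" || return 2
    : > "$d/dbs/orapwORA101T"; chmod 640 "$d/dbs/orapwORA101T"
    echo "remote_login_passwordfile = 'EXCLUSIVE'  # constructed" > "$d/dbs/initORA101T.ora"
    check_pwfile "$d" ORA101T; st=$?
    rm -rf "$d"; return $st
}
demo
```

On a real server, call it as check_pwfile "$ORACLE_HOME" "$ORACLE_SID" from the Oracle software owner's account.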
