2025-04-06 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
Oracle relational database system has been widely used because of its excellent performance, and ensuring database security is an important part of database management. On the basis of summarizing the security management of Oracle database, this paper introduces in detail the creation, use and maintenance of password files in Oracle database system for your reference.
In the Oracle database system, a user who wants to log in to the Oracle database as a privileged user (INTERNAL/SYSDBA/SYSOPER) can be authenticated in one of two ways: by authentication integrated with the operating system, or by the password file of the Oracle database. Good management of the password file is therefore important for controlling which authorized users can log in to the Oracle database system, from a remote or local computer, to carry out database management.
The password file of the Oracle database stores the password of the superuser INTERNAL/SYS and the usernames and passwords of other privileged users. It is generally stored in the ORACLE_HOME\DATABASE directory.
1. Creation of password files
When you create a database instance using Oracle Instance Manager, a corresponding password file named PWDSID.ORA is automatically created in the ORACLE_HOME\DATABASE directory, where SID represents the corresponding Oracle database system identifier. This password file is the basis for the initial database administration. After that, the administrator can also manually create the password file using the tool ORAPWD.EXE as needed. The command format is as follows:
[oracle@hyyk200 dbs]$ orapwd
Usage: orapwd file= entries= force= ignorecase= nosysdba=

  where
    file - name of password file (required),
    password - password for SYS will be prompted if not specified at command line,
    entries - maximum number of distinct DBA (optional),
    force - whether to overwrite existing file (optional),
    ignorecase - passwords are case-insensitive (optional),
    nosysdba - whether to shut out the SYSDBA logon (optional Database Vault only)

  There must be no spaces around the equal-to (=) character.
[oracle@hyyk200 dbs]$
The meaning of each command parameter is:
FILENAME (the file= argument): password file name
PASSWORD (the password= argument): set the password for the INTERNAL/SYS account
MAX_USERS (the entries= argument): the maximum number of users that can be stored in the password file, corresponding to the maximum number of users allowed to log in to the database with SYSDBA/SYSOPER privileges. If the number of users later exceeds this limit, the password file has to be rebuilt, so this parameter can be set larger as needed.
After you have the password file, you need to set the initialization parameter REMOTE_LOGIN_PASSWORDFILE to control the usage of the password file.
2. Set initialization parameter REMOTE_LOGIN_PASSWORDFILE
In the initialization parameter file of the Oracle database instance, this parameter controls the use and status of the password file. It can have the following options:
NONE: instructs the Oracle system not to use password files, and the login of privileged users is authenticated by the operating system
EXCLUSIVE: indicates that only one database instance can use this password file. Only password files under this setting can contain user information other than INTERNAL/SYS, which allows the system permission SYSOPER/SYSDBA to be granted to users other than INTERNAL/SYS.
SHARED: indicates that this password file can be used by multiple database instances. Under this setting, only INTERNAL/SYS accounts can be identified by password files, and even if other users' information is stored in the file, they are not allowed to log in with SYSOPER/SYSDBA privileges. This setting is the default.
When the REMOTE_LOGIN_PASSWORDFILE parameter is set to EXCLUSIVE or SHARED, the Oracle system searches the system registry for the ORA_SID_PWFILE parameter value (which is the full path name of the password file); if it is not found, it looks for the ORA_PWFILE parameter value; if that is not found either, it uses the default value ORACLE_HOME\DATABASE\PWDSID.ORA, where SID represents the corresponding Oracle database system identifier.
3. Add or delete users in the password file
When the initialization parameter REMOTE_LOGIN_PASSWORDFILE is set to EXCLUSIVE, the system allows users other than INTERNAL/SYS to log in to the Oracle database system as an administrator to perform database administration; these usernames must exist in the password file for the system to recognize them. Because the password file created automatically when creating the database instance, or manually with the tool ORAPWD.EXE, contains only the information of the INTERNAL/SYS user, in practice you may need to add other user accounts to the password file or delete them from it.
Since only users granted SYSOPER/SYSDBA system permissions exist in the password file, when SYSOPER/SYSDBA system permissions are granted to or revoked from a user, the account is added to or removed from the password file accordingly. Thus, adding a user to or removing a user from the password file is actually granting SYSOPER/SYSDBA system permissions to that user or revoking them.
To perform this authorization operation, you need to connect to the database with SYSDBA permission (or INTERNAL account), and the initialization parameter REMOTE_LOGIN_PASSWORDFILE must be set to EXCLUSIVE. The specific steps are as follows:
Create the corresponding password file
Set initialization parameter REMOTE_LOGIN_PASSWORDFILE=EXCLUSIVE
Log in with SYSDBA privileges: CONNECT SYS/internal_user_password AS SYSDBA
Start the database instance and open the database
Create the appropriate user account and authorize it (including SYSOPER and SYSDBA): grant permission: GRANT SYSDBA TO user_name
Revoke permission: REVOKE SYSDBA FROM user_name
Now these users can log in to the database system as administrators
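The grant and revoke steps above can be checked from inside the database. The following SQL*Plus session is an added example, not part of the original article; it assumes a connection as SYS AS SYSDBA, reuses the article's placeholder user_name, and reads the standard views V$PARAMETER, V$PWFILE_USERS and DBA_USERS.

```sql
-- Added example: verify and audit password-file membership.
-- Assumes: connected as SYS AS SYSDBA; user_name is the article's placeholder.

-- 1. Confirm how the instance is using the password file.
--    Grants of SYSDBA/SYSOPER to other users require EXCLUSIVE.
SELECT name, value
  FROM v$parameter
 WHERE name = 'remote_login_passwordfile';

-- 2. Grant the privilege, then confirm the account was written
--    to the password file (one row per privileged user).
GRANT SYSDBA TO user_name;

SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 ORDER BY username;

-- 3. Periodic review: list every password-file entry other than SYS
--    together with the state of the matching database account.
--    Entries for locked, expired or unrecognized accounts are
--    candidates for REVOKE.
SELECT p.username, p.sysdba, p.sysoper, u.account_status
  FROM v$pwfile_users p
  LEFT JOIN dba_users u ON u.username = p.username
 WHERE p.username <> 'SYS'
 ORDER BY p.username;

-- 4. Revoke the privilege and confirm the entry is gone.
--    Unquoted names are stored in upper case, hence 'USER_NAME'.
REVOKE SYSDBA FROM user_name;

SELECT COUNT(*) AS remaining_entries
  FROM v$pwfile_users
 WHERE username = 'USER_NAME';
```

A row count that never shrinks over time in the step 3 query is a sign that administrative privileges are being granted but not withdrawn.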
4. Log in using password file
With the password file, users can use the password file to log in to the Oracle database instance with SYSOPER/SYSDBA privileges. Note that the initialization parameter REMOTE_LOGIN_PASSWORDFILE should be set to EXCLUSIVE or SHARED. Any user logged in with the authority of SYSOPER/SYSDBA will be placed under the Schema of the SYS user. Here are two examples of login:
1. Log in as an administrator:
Assuming that user scott has been granted SYSDBA privileges, he can log in using the following command:
CONNECT scott/tiger AS SYSDBA
2. Log in as INTERNAL:
CONNECT INTERNAL/INTERNAL_PASSWORD