Practice: Forcing an Upgraded Password File to be Case Sensitive

Overview

This practice shows that passwords in Oracle Database 21c password files are case-sensitive. In earlier Oracle Database releases, password files retain their original case-insensitive verifiers by default. The IGNORECASE parameter, which enabled or disabled password file case sensitivity, is removed. All passwords in new password files are case-sensitive.

Before starting any new practice, refer to the Practices Environment recommendations.

Step 1: Display the password file format of CDB21


$ cd /u01/app/oracle/dbs/
$ ls -l orapwCDB21
-rw-r----- 1 oracle oinstall 2048 Dec 10 09:45 orapwCDB21
$ orapwd describe file=orapwCDB21
Password file Description : format=12
$

Step 2: Change the SYS password and verify that the password is now case-sensitive

  • Change the SYS user password in the password file.

    
    $ orapwd file=$ORACLE_BASE/dbs/orapwCDB21 sys=Y force=Y format=12 ignorecase=Y
    Usage 1: orapwd file= force={y|n} asm={y|n}
              dbuniquename= format={12|12.2}
              delete={y|n} input_file=
              'sys={y | password | external()
                    | global()}'
              'sysbackup={y | password | external()
                          | global()}'
              'sysdg={y | password | external()
                      | global()}'
              'syskm={y | password | external()
                      | global()}'
    
    Usage 2: orapwd describe file=
    
      where
        file   - name of password file (required),
        password
               - password for SYS will be prompted
                 if not specified at command line.
                 Ignored, if input_file is specified,
        force  - whether to overwrite existing file, also clears
                 CRS resource if it already has password file
                 registered (optional),
        asm    - indicates that the ASM instance password file is to
                 be stored in Automatic Storage Management (ASM)
                 disk group (optional),
        dbuniquename
               - unique database name used to identify database
                 password files residing in ASM diskgroup
                 or Exascale Vault.
                 Ignored when asm option is specified (optional),
        format - use format=12 for new 12c features like SYSBACKUP, SYSDG
                 and SYSKM support, longer identifiers, SHA2 Verifiers etc.
                 use format=12.2 for 12.2 features like enforcing user
                 profile (password limits and password complexity) and
                 account status for administrative users.
                 If not specified, format=12.2 is default (optional),
        delete - drops a password file. Must specify 'asm',
                 'dbuniquename' or 'file'. If 'file' is specified,
                 the file must be located on an ASM diskgroup
                 or Exascale Vault,
        input_file
               - name of input password file, from where old user
                 entries will be migrated (optional),
        sys    - specifies if SYS user is password, externally or
                 globally authenticated.
                 For external SYS, also specifies external name.
                 For global SYS, also specifies directory DN.
                 SYS={y | password} specifies if SYS user password needs
                 to be changed when used with input_file,
        sysbackup
               - creates SYSBACKUP entry (optional).
                 Specifies if SYSBACKUP user is password, externally or
                 globally authenticated.
                 For external SYSBACKUP, also specifies external name.
                 For global SYSBACKUP, also specifies directory DN.
                 Ignored, if input_file is specified,
        sysdg  - creates SYSDG entry (optional).
                 Specifies if SYSDG user is password, externally or
                 globally authenticated.
                 For external SYSDG, also specifies external name.
                 For global SYSDG, also specifies directory DN.
                 Ignored, if input_file is specified,
        syskm  - creates SYSKM entry (optional).
                 Specifies if SYSKM user is password, externally or
                 globally authenticated.
                 For external SYSKM, also specifies external name.
                 For global SYSKM, also specifies directory DN.
                Ignored, if input_file is specified,
        describe
               - describes the properties of specified password file
                 (required).
    
      There must be no spaces around the equal-to (=) character.
    $

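    Because the command includes IGNORECASE, orapwd prints its usage text instead of prompting for the password. The usage text lists all parameters that can be used in the command; IGNORECASE is not among them because it is now a deprecated parameter.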


  • Re-enter the command without the deprecated parameter.

    
    $ orapwd file=/u01/app/oracle/dbs/orapwCDB21 sys=Y force=Y format=12
    Enter password for SYS:
    $

  • Log on as SYS to CDB21, first with the password in its correct case and then with the case changed.

    
    $ sqlplus sys@CDB21 AS SYSDBA
    
    Enter password: password_with_case-sensitiveness
    
    Connected to:
    SQL> CONNECT sys@CDB21 AS SYSDBA
    Enter password: password_without_case-sensitiveness
    ERROR:
    ORA-01017: invalid username/password; logon denied
    
    Warning: You are no longer connected to ORACLE.
    SQL>

  • Display the list of users and their password versions.

    
    SQL> CONNECT sys@CDB21 AS SYSDBA
    Enter password: password_with_case-sensitiveness
    Connected.
    SQL> SET PAGES 100
    SQL> COL username FORMAT A30
    SQL> SELECT username, password_versions FROM dba_users ORDER BY 2,1;
    
    USERNAME                       PASSWORD_VERSIONS
    ------------------------------ -----------------
    SYS                            11G 12C
    SYSTEM                         11G 12C
    ANONYMOUS
    APPQOSSYS
    AUDSYS
    CTXSYS
    ...
    
    SQL> EXIT
    $
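
The first sub-step of Step 2 fails only at run time, so scripts carried over from earlier releases are worth checking beforehand. The following is an added example, not part of the original practice or of Oracle's tooling: a shell function that lints an orapwd argument list against the parameter names printed in the usage text above. The function name, the finding labels and the case-insensitive matching of parameter names are assumptions.

```shell
#!/bin/sh
# Added example: lint an orapwd argument list before running it.
# Parameter names are copied from the usage text printed by orapwd above.
ORAPWD_PARAMS="file force asm dbuniquename format delete input_file sys sysbackup sysdg syskm describe"

# orapwd_lint ARG...
# Prints one finding per line; exit status 0 if clean, 1 if anything was flagged.
# The body runs in a subshell, so its variables do not leak to the caller.
orapwd_lint() (
    rc=0
    for arg in "$@"; do
        case $arg in
            describe) continue ;;   # "orapwd describe file=..." form
            =*|*=)    echo "SPACE_AROUND_EQUALS: $arg"; rc=1; continue ;;
            *=*)      key=${arg%%=*}; val=${arg#*=} ;;
            *)        echo "NOT_KEY_VALUE: $arg"; rc=1; continue ;;
        esac
        # Assumption: parameter names are matched case-insensitively.
        key_lc=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        if [ "$key_lc" = ignorecase ]; then
            echo "REMOVED_PARAMETER: $arg"; rc=1; continue
        fi
        case " $ORAPWD_PARAMS " in
            *" $key_lc "*) ;;
            *) echo "UNKNOWN_PARAMETER: $arg"; rc=1; continue ;;
        esac
        if [ "$key_lc" = format ]; then
            case $val in
                12|12.2) ;;
                *) echo "BAD_FORMAT: $arg"; rc=1 ;;
            esac
        fi
    done
    exit "$rc"
)

# The command from Step 2 that only produced the usage text:
orapwd_lint file=/u01/app/oracle/dbs/orapwCDB21 sys=Y force=Y format=12 ignorecase=Y ||
    echo "fix the arguments before calling orapwd"
```

Pass the function the same arguments a script would hand to orapwd and run the real command only when it returns 0.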