Note:

• This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
• It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.

Set up Gradual Password Rollover in Oracle Database on Oracle Cloud Infrastructure

Introduction

Gradual password rollover is a feature in Oracle Database that allows to change a database user’s password without interrupting applications that are currently using the old password. With gradual password rollover, the old password remains valid for a specified period of time, after which it is no longer accepted, that is two different passwords are allowed for a user temporarily. This allows the propagation of new password to all client applications without any downtime. Password rollover period begins the moment password is changed.

Gradual password rollover feature is exposed as a user profile password resource setting (password resource limit) PASSWORD_ROLLOVER_TIME, which is applied to the user sessions. User profiles in Oracle Database are a set of limits on database resources - user level configuration. User profile helps regulate the amount of resources used by each database user. A database gets created with a default profile named DEFAULT, which is assigned to all users of the database if not specified otherwise. We can use default profile or create a new profile to add password resource limits.

In this tutorial, we will only focus on PASSWORD_ROLLOVER_TIME, and go through a step-by-step guide for using this feature in an Oracle Autonomous Transaction Processing (ATP) database service. We will use Oracle SQL Developer Web tool from OCI Console for this purpose.

There are other things that one should know before using the password rollover feature.

• If password is changed again within the rollover period, then only the oldest and newest passwords remain valid, for example, if initially user had password p1 which was changed to p2 with password rollover, and it is changed again to p3 within the rollover period of first change, then only p1 and p3 remain valid, and p2 becomes invalid. Also, the expiration time of password rollover period does not change, that is it does not get updated for new password changes. This is very helpful when password is rotated multiple times within password rollover window, as the applications can still use the old password to create connections.

• Administrative users cannot use password rollover feature even if they are attached to a profile which has PASSWORD_ROLLOVER_TIME parameter set, and administrative privileges cannot be granted to users who are attached to a profile which has PASSWORD_ROLLOVER_TIME parameter set.

Objectives

• Use gradual password rollover feature in Oracle Database. Leverage this capability to avoid application downtime or coordination occurring due to password change.

Prerequisites

• An active OCI account.

• Knowledge of Oracle Database.

• An ATP database instance.

• User privileges to be able to create profile and assign profile to the user in Oracle Cloud Infrastructure Database.

Task 1: Check the Default Profile in ATP

We will see the default profile and the value of PASSWORD_ROLLOVER_TIME resource in an ATP.

Open Oracle SQL Developer Web tool and run the following SQL query to check the limits of DEFAULT profile.

select * from dba_profiles where profile = 'DEFAULT';

In the following image, we see that DEFAULT profile has many resources, and the limit (value) of PASSWORD_ROLLOVER_TIME is 0. This means gradual password rollover is disabled for DEFAULT profile. Limit of resources in the DEFAULT profile can be changed, but we will create a new profile to demonstrate this feature.

Task 2: Create a New User Profile

Create a profile with FAILED_LOGIN_ATTEMPTS set to 10 and PASSWORD_ROLLOVER_TIME limit as 1 hour (1/24 day).

1. Run the following SQL query to create a profile named PW_ROLLOVER_TIME_1HR_PROF.

   create profile PW_ROLLOVER_TIME_1HR_PROF limit FAILED_LOGIN_ATTEMPTS 10 PASSWORD_ROLLOVER_TIME 1/24;
   

   

2. Run the following SQL query to check the PASSWORD_ROLLOVER_TIME limit.

   select * from dba_profiles where profile = 'PW_ROLLOVER_TIME_1HR_PROF';
   

   

   The resource limit for PASSWORD_ROLLOVER_TIME is 0.416 (1/24 day), and failed login attempts is set to 10.

Task 3: Create a User Account

We will create a user account and assign the created profile PW_ROLLOVER_TIME_1HR_PROF to the user.

1. Run the following SQL query to create a user named db_test.

   create user db_test identified by "Pass_Rollover@2023" profile = 'PW_ROLLOVER_TIME_1HR_PROF';
   

   

   An existing user can also be attached to a profile using the following command.

   alter user <user_name> profile <profile_name>;
   

2. Run the following SQL query to grant CREATE SESSION privilege to test the database connection.

   GRANT CREATE SESSION TO DB_TEST;
   

   

3. We will check the account status by using the following SQL query.

   select user_name, profile, account_status from dba_users where user_name = 'DB_TEST';
   

   

Task 4: Change the User Password

Change the user password and see account status.

1. Run the following SQL query to change user password.

   alter user DB_TEST identified by "New_Pass@2023";
   

2. Check the account status.

   

   Account status now shows IN ROLLOVER, which means DB_TEST user account is currently in rollover and both old and new password can be used to connect to the user for 1 hour. After 1 hour, old password will no longer be accepted, and connections can be established using new password only.

Task 5: Expire Rollover Period Forcefully

Password rollover feature allows us to expire rollover forcefully when we do not want the old password to be valid for remaining rollover period.

1. Run the following SQL query to expire password rollover for the user.

   alter user DB_TEST expire password rollover period;
   

   

2. Check the account status.

   

   The account status has changed to OPEN, and we can no longer connect to the database using old password. So, when a user is in rollover such as both new and old passwords are functional, the account status in DBA_USERS table is OPEN & IN ROLLOVER, and account status changes to OPEN after the rollover period expires.

Related Links

• Managing Gradual Database Password Rollover for Applications

Acknowledgments

• Author - Satyam Kumar (Member of Technical Staff)

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.

---

Title and Copyright Information

Set up Gradual Password Rollover in Oracle Database on Oracle Cloud Infrastructure

F93052-01

February 2024

Copyright © 2024, Oracle and/or its affiliates.