Oracle 口令文件：即 oracle密码文件

一：文件路径位置

[oracle@localhost db_1]$ cd $ORACLE_HOME/dbs
[oracle@localhost dbs]$ ls
dbsorapwPROD1   hc_orcl.dat   initneworcl.ora  initorcl.ora   lkNEWORCL  lkPROD1  orapwneworcl  spfileorcl.ora   tem.dbf
hc_neworcl.dat  hc_PROD1.dat  init.ora         initPROD1.ora  lkORCL     my.dbf   orapworcl     spfilePROD1.ora
[oracle@localhost dbs]$ pwd
/u01/app/oracle/product/11.2.0/db_1/dbs
[oracle@localhost dbs]$

二、口令文件的命名规则

orapw+sid
如：
orapworcl

三、口令文件存放的是sys

主要是存放管理用户的密码信息的

select *from v$pwfile_users;

SYS@orcl> select * from v$pwfile_users;

USERNAME                       SYSDB SYSOP SYSAS
------------------------------ ----- ----- -----
SYS                            TRUE  TRUE  FALSE

SYS@orcl>

四：实验操作

注： remote_login_passwordfile 是静态参数。修改了该值之后，数据库需要重启。

1）当remote_login_passwordfile  是 EXCLUSIVE

没有sqlnet.ora文件
   sqlplus sys/oracle as sysdba
    sqlplus / as sysdba
    sqlplus sys/oracle@togogo as sysdba
    以上均成功

2）当remote_login_passwordfile是 EXCLUSIVE

    sqlnet.ora文件参数     SQLNET.AUTHENTICATION_SERVICES=none

    sqlplus sys/oracle as sysdba  成功
   sqlplus / as sysdba           不成功
   sqlplus sys/oracle@togogo as sysdba   成功

[oracle@localhost dbs]$ clear

[oracle@localhost dbs]$ ls
dbsorapwPROD1   hc_orcl.dat   initneworcl.ora  initorcl.ora   lkNEWORCL  lkPROD1  orapwneworcl  spfileorcl.ora   tem.dbf
hc_neworcl.dat  hc_PROD1.dat  init.ora         initPROD1.ora  lkORCL     my.dbf   orapworcl     spfilePROD1.ora
[oracle@localhost dbs]$ cd ../network/
[oracle@localhost network]$ ls
admin  doc  install  jlib  lib  log  mesg  tools  trace
[oracle@localhost network]$ ca admin/
-bash: ca: command not found
[oracle@localhost network]$ ls
admin  doc  install  jlib  lib  log  mesg  tools  trace
[oracle@localhost network]$ cd admin/
[oracle@localhost admin]$ ls
listener.ora  samples  shrept.lst  sqlnet.ora  tnsnames.ora
[oracle@localhost admin]$ cat sqlnet.ora
ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=$ORACLE_BASE/admin/$ORACLE_SID/wallet/)))
[oracle@localhost admin]$ vi sqlnet.ora

ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=$ORACLE_BASE/admin/$ORACLE_SID/wallet/)))
SQLNET.AUTHENTICATION_SERVICES=none

~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
"sqlnet.ora" 4L, 152C written
[oracle@localhost admin]$ cat sqlnet.ora
ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=$ORACLE_BASE/admin/$ORACLE_SID/wallet/)))
SQLNET.AUTHENTICATION_SERVICES=none

[oracle@localhost admin]$ pwd
/u01/app/oracle/product/11.2.0/db_1/network/admin
[oracle@localhost admin]$

[oracle@localhost admin]$ rlwrap sqlplus / as sysdba;

SQL*Plus: Release 11.2.0.3.0 Production on Sat Jun 23 16:01:36 2018

Copyright (c) 1982, 2011, Oracle.  All rights reserved.

ERROR:
ORA-01031: insufficient privileges

Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied

Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied

SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
[oracle@localhost admin]$ rlwrap sqlplus sys/oracle as sysdba;

SQL*Plus: Release 11.2.0.3.0 Production on Sat Jun 23 16:02:40 2018

Copyright (c) 1982, 2011, Oracle.  All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SYS@orcl>

3）当remote_login_passwordfile是 EXCLUSIVE

   sqlnet.ora文件参数     SQLNET.AUTHENTICATION_SERVICES=all

    sqlplus sys/oracle as sysdba  成功
   sqlplus / as sysdba           成功
   sqlplus sys/oracle@togogo as sysdba   不成功

4）当remote_login_passwordfile是 none     没有sqlnet.ora文件

   sqlplus sys/oracle as sysdba  成功
   sqlplus / as sysdba           成功
   sqlplus sys/oracle@togogo as sysdba   不成功

5）当remote_login_passwordfile是 none

   sqlnet.ora文件参数     SQLNET.AUTHENTICATION_SERVICES=none

   sqlplus sys/oracle as sysdba  不成功
   sqlplus / as sysdba           不成功
   sqlplus sys/oracle@togogo as sysdba   不成功

6）当remote_login_passwordfile是 none

   sqlnet.ora文件参数     SQLNET.AUTHENTICATION_SERVICES=all

    sqlplus sys/oracle as sysdba  成功
   sqlplus / as sysdba           成功
   sqlplus sys/oracle@togogo as sysdba   不成功

五、创建口令文件

 orapwd file=口令文件名称 password=用户密码

Creating a Password File with ORAPWD

The syntax of the ORAPWD command is as follows:

ORAPWD FILE=filename [ENTRIES=numusers] [FORCE={Y|N}] [IGNORECASE={Y|N}]

Command arguments are summarized in the following
table.

Argument	Description
FILE	Name to assign to the password file. You must supply a complete path. If you supply only a file name, the file is written to the current directory.
ENTRIES	(Optional) Maximum number of entries (user accounts) to permit in the file.
FORCE	(Optional) If y, permits overwriting an existing password file.
IGNORECASE	(Optional) If y, passwords are treated as case-insensitive.

There are no spaces permitted around the equal-to (=)
character.

The command prompts for the SYS password and stores the password in the created
password file.

Example

The following command creates a password file
named orapworcl that
allows up to 30 privileged users with different passwords.

orapwd FILE=orapworcl ENTRIES=30

Sharing and Disabling the Password File

You use the
initialization parameter REMOTE_LOGIN_PASSWORDFILE to
control whether a password file is shared among multiple Oracle Database
instances. You can also use this parameter to disable password file
authentication. The values recognized for REMOTE_LOGIN_PASSWORDFILE are:

• NONE:
  Setting this parameter to NONE causes Oracle Database to behave as if the password
  file does not exist. That is, no privileged connections are allowed over
  nonsecure connections.

• EXCLUSIVE:
  (The default) An EXCLUSIVE password file can be used with only one instance of one
  database. Only an EXCLUSIVE file
  can be modified. Using an EXCLUSIVE password file enables you to add, modify, and delete
  users. It also enables you to change the SYS password with the ALTER USER command.

• SHARED:
  A SHARED password file can be used by multiple databases running
  on the same server, or multiple instances of an Oracle Real Application Clusters
  (Oracle RAC) database. A SHARED password file cannot be modified. Therefore, you cannot
  add users to a SHARED password file. Any attempt to do so or to change the
  password of SYS or
  other users with the SYSDBA or SYSOPER privileges generates an error. All users
  needing SYSDBA or SYSOPERsystem privileges must be added to the password file
  when REMOTE_LOGIN_PASSWORDFILE is
  set to EXCLUSIVE.
  After all users are added, you can changeREMOTE_LOGIN_PASSWORDFILE to SHARED, and
  then share the file.

  This option is useful if you are administering multiple
  databases or an Oracle RAC database.

If REMOTE_LOGIN_PASSWORDFILE is
set to EXCLUSIVE or SHARED and
the password file is missing, this is equivalent to setting REMOTE_LOGIN_PASSWORDFILE to NONE.

Note:

You cannot change the password for SYS if REMOTE_LOGIN_PASSWORDFILE is
set to SHARED. An
error message is issued if you attempt to do so.

Keeping
Administrator Passwords Synchronized with the Data Dictionary

If you change the REMOTE_LOGIN_PASSWORDFILE initialization parameter from NONE to EXCLUSIVE or SHARED, or
if you re-create the password file with a different SYSpassword, then you must ensure that the passwords in
the data dictionary and password file for the SYS user
are the same.

To synchronize the SYS passwords, use the ALTER USER statement to change the SYS password. The ALTER USER statement updates and synchronizes both the dictionary
and password file passwords.

To synchronize the passwords for non-SYS users who log in using the SYSDBA or SYSOPER privilege, you must revoke and then regrant the
privilege to the user, as follows:

1. Find
   all users who have been granted the SYSDBA privilege.

   SELECT USERNAME FROM V$PWFILE_USERS WHERE USERNAME != 'SYS' AND SYSDBA='TRUE';
   

2. Revoke
   and then re-grant the SYSDBA privilege to these users.

   REVOKE SYSDBA FROM non-SYS-user;
   GRANT SYSDBA TO non-SYS-user;
   

3. Find
   all users who have been granted the SYSOPER privilege.

   SELECT USERNAME FROM V$PWFILE_USERS WHERE USERNAME != 'SYS' AND SYSOPER='TRUE';
   

4. Revoke
   and regrant the SYSOPER privilege to these users.

   REVOKE SYSOPER FROM non-SYS-user;
   GRANT SYSOPER TO non-SYS-user;

Adding Users to a Password File

When you grant SYSDBA or SYSOPER privileges to a user, that user's name and privilege
information are added to the password file. If the server does not have
an EXCLUSIVE password file (that is, if the initialization
parameter REMOTE_LOGIN_PASSWORDFILE is NONE or SHARED, or
the password file is missing), Oracle Database issues an error if you attempt to
grant these privileges.

A user's name remains in the password file only as long
as that user has at least one of these two privileges. If you revoke both of
these privileges, Oracle Database removes the user from the password
file.

Creating a
Password File and Adding New Users to It

Use the following procedure to create a password and
add new users to it:

1. Follow the instructions for creating a password file as
   explained in "Creating a Password File with ORAPWD".

2. Set the REMOTE_LOGIN_PASSWORDFILE initialization parameter to EXCLUSIVE.
   (This is the default.)

   Note:

   REMOTE_LOGIN_PASSWORDFILE is a
   static initialization parameter and therefore cannot be changed without
   restarting the database.

3. Connect with SYSDBA privileges as shown in the following example, and enter
   the SYS password when prompted:

   CONNECT SYS AS SYSDBA
   

4. Start up the instance and create the database if
   necessary, or mount and open an existing database.

5. Create users as necessary. Grant SYSDBA or SYSOPER privileges to yourself and other users as appropriate.
   See "Granting and Revoking SYSDBA and SYSOPER Privileges",
   later in this section.

——————————————————————————————————————————————————————————————————