
Lesson 6 The REMOTE_LOGIN_PASSWORDFILE parameter
Objective: Configure your Database to use a Password File.

Configure your Database to use Password File

The configuration for the REMOTE_LOGIN_PASSWORDFILE parameter is still valid for Oracle Cloud databases, including Oracle 12c and Oracle 19c. However, there are some nuances you should consider:
Key Points about `REMOTE_LOGIN_PASSWORDFILE` in Oracle 12c and Oracle 19c:
  1. Purpose of `REMOTE_LOGIN_PASSWORDFILE`:
    • This parameter determines whether Oracle uses a password file to authenticate privileged users connecting remotely (e.g., SYSDBA or SYSOPER).
  2. Parameter Values:
    • EXCLUSIVE: The password file is exclusively used for one database.
    • SHARED: A single password file can be shared among multiple databases.
    • NONE: The password file is not used, and remote login with privileged users is disabled.
  3. Behavior in Oracle 12c and Oracle 19c:
    • The parameter works as it did in earlier versions (e.g., Oracle 11g).
    • In Oracle 12c, with the advent of multitenant architecture (CDBs and PDBs), the password file applies to the CDB (Container Database). Privileged operations in PDBs use the password file of the CDB.
    • Oracle 19c supports the same behavior, and it further enhances the multitenant architecture.
  4. For Oracle Cloud Databases:
    • The same parameter is applicable for cloud-enabled Oracle databases.
    • Password files are created and managed in cloud environments similarly to on-premises databases, but Oracle Cloud automates much of the database administration, including password file management.
    • Example: In Autonomous Databases, you typically use an Oracle Wallet for authentication, and password files might not be required.
  5. Administration Tools:
    • Tools like orapwd are still used to create and manage password files for cloud databases, just as in on-premises environments.

Recommendation for Oracle Cloud Use:
  • For standard databases in Oracle Cloud (e.g., Database Cloud Service), you should still configure REMOTE_LOGIN_PASSWORDFILE = EXCLUSIVE in the init.ora or SPFILE if remote privileged authentication is required.
  • For Autonomous Databases, Oracle Wallet and IAM (Identity and Access Management) are the preferred methods for authentication, making password files less relevant.



Once you have created a password file, you need to tell Oracle to use it. You do this by placing the following line in your database initialization file:
REMOTE_LOGIN_PASSWORDFILE = EXCLUSIVE
This statement holds true for "Oracle Cloud databases" in Oracle 12c and 19c, particularly for standard and custom-built databases. The exclusive setting tells Oracle that your instance is the only one accessing the password file. There is also a shared option that allows multiple instances to share one password file. Of course, you must stop and restart the instance in order for the initialization file to be reread and for this change to take effect.
Now that you know how to run ORADIM[1] and how to properly set the REMOTE_LOGIN_PASSWORDFILE parameter, you can create a password file for your database.

Authenticating Database Administrators by Using Their Passwords

Oracle Database uses database-specific password files to keep track of database user names that have been granted the SYSDBA and SYSOPER privileges. These privileges enable the following activities:
  1. The SYSOPER system privilege lets database administrators perform STARTUP, SHUTDOWN, ALTER DATABASE OPEN/MOUNT, ALTER DATABASE BACKUP, ARCHIVE LOG, and RECOVER operations. SYSOPER also includes the RESTRICTED SESSION privilege.
  2. The SYSDBA system privilege has all system privileges with ADMIN OPTION, including the SYSOPER system privilege, and permits CREATE DATABASE and time-based recovery.
  3. A password file containing users with SYSDBA or SYSOPER privileges can be shared between different databases. You can have a shared password file that contains users in addition to the SYS user. To share a password file among different databases, set the REMOTE_LOGIN_PASSWORDFILE parameter in the init.ora file to SHARED.
  4. Password file-based authentication is enabled by default. This means that the database is ready to use a password file for authenticating users that have SYSDBA or SYSOPER system privileges. Password file-based authentication is activated as soon as you create a password file using the ORAPWD utility.
Anyone who has EXECUTE privileges and write privileges to the $ORACLE_HOME/dbs directory can run the ORAPWD utility.
However, be aware that using password files may pose security risks. For this reason, consider using the authentication methods described in "Strong Authentication and Centralized Management for Database Administrators".
Examples of password security risks are as follows:
  1. An intruder could steal or attack the password file.
  2. Many users do not change the default password.
  3. The password could be easily guessed.
  4. The password is vulnerable if it can be found in a dictionary.
Passwords that are too short, chosen perhaps for ease of typing, are vulnerable if an intruder obtains the cryptographic hash of the password.
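
A defensive check for the points above, as an added example that is not part of the original lesson or Oracle's tooling: it reads a text initialization file, confirms that the REMOTE_LOGIN_PASSWORDFILE setting matches what is on disk, and flags a password file or dbs directory that is open to other users. The function names, the `orapw<SID>` file name under the dbs directory, and the permission policy are assumptions.

```shell
#!/bin/sh
# Added example: audit a text init.ora and the password file it relies on.
# Assumed Unix layout: password file at <dbs_dir>/orapw<SID>.

# Print the REMOTE_LOGIN_PASSWORDFILE value from a pfile, upper-cased.
# Comments, blanks and quotes are stripped; if the parameter appears
# more than once, the last line is the one reported.
pfile_value() {
    sed -e 's/#.*//' "$1" | tr -d " \t'\"" | tr '[:lower:]' '[:upper:]' |
        awk -F= '$1 == "REMOTE_LOGIN_PASSWORDFILE" ||
                 $1 == "*.REMOTE_LOGIN_PASSWORDFILE" { v = $2 }
                 END { if (v != "") print v }'
}

# Usage: audit_pwfile <pfile> <dbs_dir> <sid>
# Prints one finding per line and returns 1 if any finding is a FAIL.
audit_pwfile() {
    value=$(pfile_value "$1"); dbs=$2; pwfile="$2/orapw$3"; rc=0
    case ${value:-UNSET} in
        EXCLUSIVE|SHARED)
            if [ ! -f "$pwfile" ]; then
                echo "FAIL: $value is set but $pwfile does not exist"; rc=1
            fi ;;
        NONE)
            if [ -f "$pwfile" ]; then
                echo "WARN: NONE is set but $pwfile is still on disk"
            fi ;;
        UNSET) echo "WARN: parameter not set in $1" ;;
        *) echo "FAIL: unrecognized value $value"; rc=1 ;;
    esac
    # The file holds password hashes: no access for users outside owner/group.
    if [ -f "$pwfile" ]; then
        other=$(ls -ld "$pwfile" | cut -c8-10)
        if [ "$other" != "---" ]; then
            echo "FAIL: $pwfile grants access to other users ($other)"; rc=1
        fi
    fi
    # Write access to the dbs directory is what lets a user run ORAPWD there.
    if [ "$(ls -ld "$dbs" | cut -c9)" = "w" ]; then
        echo "FAIL: $dbs is world-writable"; rc=1
    fi
    return $rc
}

# Command-line use: sh audit.sh /path/to/init.ora /path/to/dbs SID
if [ $# -eq 3 ]; then audit_pwfile "$@"; fi
```
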

Remote Login Password File - Exercise

Take this exercise to create a password file for the COIN database.

[1] ORADIM: ORADIM is a command-line tool used in Oracle Database on Windows systems. It allows you to create, delete, modify, start, and stop database instances and services. Essentially, ORADIM is the Windows equivalent of the dbstart and dbshut scripts used on Unix-based systems.
