
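While troubleshooting a password error on an Oracle 19.5 Data Guard (DG) setup, I noticed by chance that the MD5 value of the DG password file changed once after each remote login via sqlplus sys/paxxx@dgtns. Searching MOS turned up the following article: Why do the timestamp and md5 hash values of a password file change? (Doc ID 2821102.1)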

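The precondition for this behavior is that the password file was created with orapwd either without the format parameter (the default is format=12.2) or with format explicitly set to 12.2. In that case the MD5 changes after every remote login. The reason is that, from Oracle 12.2.0.1 and later, Oracle introduced password limits and password complexity requirements, and the password file also records the last login time, i.e. the time of the previous login, which is why the MD5 of the password file changes.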

format - use format=12 for new 12c features like SYSBACKUP, SYSDG and SYSKM support, longer identifiers, SHA2 Verifiers etc. use format=12.2 for 12.2 features like enforcing user profile (password limits and password complexity) and account status for administrative users. If not specified, format=12.2 is default (optional),

From 12.2 , orapwd enforces password complexity rules (Doc ID 2294754.1)

SOLUTION
Use strong password

Provide a password which fulfills all complexity requirements.

$ orapwd file=orapwd122 password=welcome1!

Create Password File in 12c format

If you don’t want to set a strong password, you can use the 12c Release 1 format using the format parameter (the default value of format is 12.2).

$ orapwd file=orapwd122 password=oracle format=12

Additional information:

- Mixed-case passwords of the user name / “oracle” cannot be set either.
- “Special characters” are the following characters: ‘ ~ ! @ # $ % ^ & * ( ) _ - + = { } [ ] / < > , . ; ? ‘ : (space)

Appendix:

Why do the timestamp and md5 hash values of a password file change? (Doc ID 2821102.1)

APPLIES TO:

Oracle Database - Enterprise Edition - Version 12.2.0.1 and later

Information in this document applies to any platform.

GOAL

As extensively indicated here, a password file can be modified through the use of the ORAPWD tool, or by granting or revoking administrative privileges such as SYSDBA, SYSOPER, SYSBACKUP, SYSDG, or SYSKM to database users. Any of these modifications also modify the timestamp and MD5 hash values of a password file, naturally. However, what could cause these characteristics of a password file to change if neither of the previously indicated actions were performed?

SOLUTION

Considering that a password file has not been modified by the previously indicated actions, and it has not been directly manipulated from the operating system by any other means either, from Oracle database software version 12.2 and onwards, its timestamp and MD5 hash values can still change if a remote connection to the database as a user granted with any of the previously indicated administrative privileges takes place, as demonstrated below:

When a local connection to the database takes place, its password file timestamp and MD5 hash values remain unchanged:

[oracle@testsys1 dbs]$ orapwd file=orapworcl format=12.2

Enter password for SYS:

[oracle@testsys1 dbs]$ ls -l orapworcl

-rw-r-----. 1 oracle oinstall 6144 Oct 28 15:40 orapworcl

[oracle@testsys1 dbs]$ md5sum orapworcl

8d1f02a6bc482a338d60e4b07029cd98 orapworcl

[oracle@testsys1 dbs]$ sqlplus sys/<password> as sysdba

SQL*Plus: Release 12.1.0.2.0 Production on Thu Oct 28 15:41:17 2021

Copyright (c) 1982, 2014, Oracle. All rights reserved.

Connected to:

Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

SQL> select name from v$database;

NAME

---------

orcl

SQL> select host_name,version from v$instance;

HOST_NAME VERSION

--------- -----------------

testsys1  12.2.0.1.0

SQL> exit

Disconnected from Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

[oracle@testsys1 dbs]$ hostname ; date

testsys1

Thu Oct 28 15:41:49 CDT 2021

[oracle@testsys1 dbs]$ ls -l orapworcl

-rw-r-----. 1 oracle oinstall 6144 Oct 28 15:40 orapworcl

[oracle@testsys1 dbs]$ md5sum orapworcl

8d1f02a6bc482a338d60e4b07029cd98 orapworcl

However and as previously stated, when performing a remote connection to the database as a user with administrative privileges, its password file timestamp and MD5 hash values do change:

[oracle@remotesys ~]$ hostname ; date

remotesys

Thu Oct 28 15:42:10 CDT 2021

[oracle@remotesys ~]$ sqlplus sys/<password>@orcl as sysdba

SQL*Plus: Release 12.2.0.1.0 Production on Thu Oct 28 15:42:14 2021

Copyright (c) 1982, 2016, Oracle. All rights reserved.

Connected to:

Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

SQL> select name from v$database;

NAME

---------

orcl

SQL> select host_name,version from v$instance;

HOST_NAME VERSION

--------- ----------------

testsys1  12.2.0.1.0

SQL> exit

Disconnected from Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

[oracle@remotesys ~]$

[oracle@testsys1 dbs]$ hostname ; date

testsys1

Thu Oct 28 15:42:44 CDT 2021

[oracle@testsys1 dbs]$ ls -l orapworcl

-rw-r-----. 1 oracle oinstall 6144 Oct 28 15:42 orapworcl

[oracle@testsys1 dbs]$ md5sum orapworcl

497439f6178d1b51e43e89cf6dd190e9 orapworcl

This is an expected behavior that works as designed. This password file modification does not signify a password nor a privilege change, but simply indicates that a remote login has been done. The feature “last login time” has been introduced in 12.2 and hence, the behavior.

PLEASE DO NOTE THAT THIS AFFECTS BOTH, PASSWORD FILES STORED IN OPERATING SYSTEM FILE SYSTEMS AND IN ASM DISKGROUPS, AS WELL AS DATA GUARD (DG) AND REAL APPLICATION CLUSTERS (RAC) DATABASES. HAVING THIS IN CONSIDERATION, KEEP IN MIND THAT A PASSWORD FILE DIFFERENCE AMONG THE MEMBERS OF A DG OR A RAC ARRAY DOES NOT NECESSARILY MEAN DE-SYNCHRONIZATION, IT COULD BE DUE TO THIS BEHAVIOR.
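
One way to act on the caveat above, as an added example that is not part of the original post or the MOS note: compare what the password files contain on two Data Guard or RAC members instead of their MD5 values, ignoring the last-login field. It assumes each member's V$PWFILE_USERS rows were exported to CSV; the export format, the function names and the sample users are assumptions made for illustration.

```python
import csv
import io

# LAST_LOGIN is rewritten by every remote administrative login (12.2 format),
# so a difference in it alone is not privilege or account drift.
VOLATILE = {"LAST_LOGIN"}

def load_rows(csv_text):
    """Parse a CSV export of V$PWFILE_USERS into {username: {column: value}}."""
    rows = {}
    for rec in csv.DictReader(io.StringIO(csv_text.strip())):
        clean = {k.strip().upper(): (v or "").strip() for k, v in rec.items()}
        rows[clean.pop("USERNAME")] = clean
    return rows

def compare(primary_csv, standby_csv):
    """Return (drift, login_only): real differences vs. last-login churn."""
    a, b = load_rows(primary_csv), load_rows(standby_csv)
    drift, login_only = [], []
    for user in sorted(a.keys() | b.keys()):
        if user not in a or user not in b:
            side = "primary" if user not in a else "standby"
            drift.append((user, "missing on " + side))
            continue
        changed = sorted(c for c in a[user].keys() | b[user].keys()
                         if a[user].get(c) != b[user].get(c))
        stable = [c for c in changed if c not in VOLATILE]
        if stable:
            drift.append((user, ",".join(stable)))
        elif changed:
            login_only.append(user)
    return drift, login_only

# Constructed sample exports (hypothetical users and values, not from the page).
HEADER = "USERNAME,SYSDBA,SYSOPER,SYSBACKUP,SYSDG,SYSKM,ACCOUNT_STATUS,LAST_LOGIN\n"
PRIMARY = HEADER + (
    "SYS,TRUE,TRUE,FALSE,FALSE,FALSE,OPEN,2021-10-28 15:42:14\n"
    "BACKUP_ADM,FALSE,FALSE,TRUE,FALSE,FALSE,OPEN,\n"
    "DG_ADM,FALSE,FALSE,FALSE,TRUE,FALSE,OPEN,\n"
)
STANDBY = HEADER + (
    "SYS,TRUE,TRUE,FALSE,FALSE,FALSE,OPEN,2021-10-27 09:03:51\n"
    "BACKUP_ADM,TRUE,FALSE,TRUE,FALSE,FALSE,OPEN,\n"
)

if __name__ == "__main__":
    drift, login_only = compare(PRIMARY, STANDBY)
    print("real drift:", drift)
    print("last-login only:", login_only)
```

The view does not expose password verifiers, so this check covers membership, privileges and account status only.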

Original author: liups.com

Original link: http://liups.com/posts/fe1bd2fe/

License: Creative Commons Attribution-NonCommercial 4.0 International License