Oracle Database 12c Password File

Introduction:

I (and we) used to see the oracle database password file under $ORACLE_HOME/dbs for both single instance and RAC databases.

Example for RAC database:
On node1 /u01/app/oracle/product/11.2.0/dbhome_1/dbs/orapwPROD1
On node2 /u01/app/oracle/product/11.2.0/dbhome_1/dbs/orapwPROD2

If one password file was changed in one node, then you have to copy it to all other nodes in the cluster.

pwdFile

What is New in 12c:

Starting from Oracle Database version 12c, this is not the case.
If you created a RAC database using the dbca, you will not find any password file under $ORACLE_HOME/dbs

What was changed?

Starting from 12c and due to the introduction of the Flex ASM feature, the password file is now stored in the shared storage (ASM), and there is only one shared password file per database not one per instance.
Now, if the sys password was changed, the updated password file is automatically seen from all nodes in the cluster.

How do you know the name and location of the password file for 12c Database?

Use the “srvctl” utility to the database configuration as follows:

srvctl config database -d PROD
Database unique name: PROD
Database name: PROD
Oracle home: /u01/app/oracle/product/12.1.0.2/dbhome_1
Oracle user: oracle
Spfile: +DATA_DG/PROD/PARAMETERFILE/spfile_PROD.ora
Password file: +DATA_DG/PROD/PASSWORD/pwdPROD ==> This is an alias for the password file
Domain:
Start options: open
Stop options: immediate
Database role: PRIMARY
Management policy: AUTOMATIC
Server pools:
Disk Groups: DATA_DG,REOC_DG
Mount point paths:
Services:
Type: RAC
Start concurrency:
Stop concurrency:
OSDBA group: dba
OSOPER group:
Database instances: PROD1,PROD2
Configured nodes: prod01,prod02
Database is administrator managed

OR

# crsctl stat res ora.PROD.db -f | grep PWFILE

OR

ASMCMD> pwget –dbuniquename PROD
+DATA/PWDFILE/pwdPROD

The compatible.asm disk group attribute must be set to 12.1 or higher for the disk group where the password is to be placed.

How can I create a new password file on the ASM?

We have two ways, either by using the pwcreate/asmcmd command or by using the normal orapwd utility which is updated to support ASM

Steps
Create the password file using the following command. Go to the asmcmd command prompt and run :

$ asmcmd
ASMCMD> pwcreate –dbuniquename [dbuniquename] [file_path] [sys-password]
Here,
The –dbuniquename string option identifies the database unique name associated with the password file.
The file_path value identifies the location where the password file is created. Mention the diskgroup name where you want to place the password file.
The sys_password value identifies the initial SYS password.

For example:
ASMCMD> pwcreate –dbuniquename PROD +DATA_DG oracle

OR

$ orapwd file=’+DATA’ password=oracle dbuniquename=PROD asm=y

How to copy the shared ASM Password file to the Standby Server?

In the Data Guard environment, you have to copy the primary database password file to the standby server.
Note that it is not sufficient to create a password file on the standby with the same sys password.
The steps are as follows:

Copy the primary ASM PWD file from ASM to a temp location in filesystem (on the primary node)

su – grid
. oraenv => +ASM1
asmcmd
pwcopy –dbuniquename PROD +DATA/PROD/PASSWORD/pwdPROD.256.915702925 /tmp/opwdPROD

From the Primary Side:

su – grid
grid@prod02:~$ asmcmd
ASMCMD> cd +DATA_DG/PROD/PASSWORD
ASMCMD> ls -l
Type Redund Striped Time Sys Name
PASSWORD HIGH COARSE JAN 15 2017 N pwdPROD => +DATA_DG/PROD/PASSWORD/pwdPROD.872.933349975
PASSWORD HIGH COARSE JAN 15 2017 Y pwdPROD.872.933349975
ASMCMD> pwcopy pwdPROD.872.933349975 /tmp/orapwPRODdr1
copying +DATA_USG/PROD/PASSWORD/pwdPROD.872.933349975 -> /tmp/orapwPRODdr1

grid@monetadb02:~$ ls -l /tmp/orapwPRODdr1
-rw-r—– 1 grid oinstall 7680 Aug 30 12:30 /tmp/orapwPRODdr1

From the Standby side:

oradr@stndby01:~$ scp -p oracle@prod01:/tmp/orapwrarefdr1 $ORACLE_HOME/dbs/orapwPRODdr1
This system is the property of the xxxxx reserves the right to monitor the use of, The system to ensure its compliance with xxxxx information security policies, Any unauthorized access, use or modification of the systems is prohibited.
Password:
orapwPRODdr1 100% |*************************************************************************************************| 7680 00:00
oradr@stndby01:~$

oradr@stndby01:~$ ls -l $ORACLE_HOME/dbs/orapwPRODdr1
-rw-r—– 1 oradr oinstall 7680 Aug 30 12:30 /u01/app/oradr/product/12.1.0.2/dbhome_1/dbs/orapwPRODdr1

oradr@stndby02:~$ scp -p oradr@prod01:/u01/app/oradr/product/12.1.0.2/dbhome_1/dbs/orapwPRODdr1 $ORACLE_HOME/dbs/orapwPRODdr2
orapwPRODdr2 100% |*************************************************************************************************| 7680 00:00

oradr@stndby02:~$ ls -l $ORACLE_HOME/dbs/orapwPRODdr2
-rw-r—– 1 oradr oinstall 7680 Aug 30 12:30 /u01/app/oradr/product/12.1.0.2/dbhome_1/dbs/orapwPRODdr2

12cR2 Update:
Oracle synchronizes the SYS password [and so the orapw file] if you update it on the Primary alone. environment. You don’t have to  copy it to the Standby sites.

Donate to support our blogging work

$1.00

Thanks
Ahmed

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s