on 08-17-2013 5:18 PM
Hello everyone,
I have the following question: In oracle 10G the users like "system" and "sapsr3" had the "DEFAULT" user profile where the parameter "PASSWORD_LIFE_TIME" was set to UNLIMITED, however, now in Oracle 11G the "DEFAULT" user profile has the parameter
"PASSWORD_LIFE_TIME" set to "180". I know that for users like "sapsr3" we have the "SAPUPROF" user profile but what about the user "system" which still use the "DEFAULT" profile. Should we create a new profile with "PASSWORD_LIFE_TIME" set to UNLIMITED? or change the "DEFAULT" profile with
PASSWORD_LIFE_TIME" set to UNLIMITED like in Oracle 10G? or It's better to change the password periodically?
Regards,
JAM
Hello
Should we create a new profile with "PASSWORD_LIFE_TIME" set to UNLIMITED? or change the "DEFAULT" profile with PASSWORD_LIFE_TIME" set to UNLIMITED like in Oracle 10G? or It's better to change the password periodically?
If you have any scripts enabled on the crontab or some external connections to the database where the SYSTEM user is used then you will need to change the password in all these locations every time you change the SYSTEM password.
In order to avoid such problems after the upgrade I modified the FAILED_LOGIN_ATTEMPTS 10 and PASSWORD_LIFE_TIME 180 to UNLIMITED
ALTER PROFILE DEFAULT LIMIT FAILED_LOGIN_ATTEMPTS UNLIMITED;
ALTER PROFILE DEFAULT LIMIT PASSWORD_LIFE_TIME UNLIMITED;
I have backups scheduled with the SYSTEM user and I don't want the backups to fail.
From my point of view it is better to set them to unlimited to avoid any unnecessary troubles.
Regards
RB
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thanks for the reply Reagan. I have changed the DEFAULT profile and set FAILED_LOGIN_ATTEMPS and PASSWORD_LIFE_TIME parameters to UNLIMITED, then I changed the password with brtools.
By the way, I notice that the parameter PASSWORD_GRACE_TIME is set to UNLIMITED in the DEFAULT user profile, so I guess even If PASSWORD_LIFE_TIME was set to 180, the users with that profile would never get EXPIRED, right?
I was also wondering why after my oracle upgrade to 11.2.0.3 (from 10.2.0.4) the user "system" went on "Expired(grace)" status before the 180 days have passed, was this a bug? I know that during upgrade oracle locks some accounts except for "sys" and "system".
regards,
JAM
Good Day Jam
By the way, I notice that the parameter PASSWORD_GRACE_TIME is set to UNLIMITED in the DEFAULT user profile, so I guess even If PASSWORD_LIFE_TIME was set to 180, the users with that profile would never get EXPIRED, right?
Yes. The account status will be in EXPIRED(GRACE) but you will still be able to login as the PASSWORD_GRACE_TIME is set to unlimited.
I was also wondering why after my oracle upgrade to 11.2.0.3 (from 10.2.0.4) the user "system" went on "Expired(grace)" status before the 180 days have passed, was this a bug? I know that during upgrade oracle locks some accounts except for "sys" and "system".
As the PASSWORD_LIFE_TIME was set to 180 after the upgrade the last password change time was taken into account.
Have a look at the definitions of the password parameters and their definitions
http://docs.oracle.com/cd/B19306_01/server.102/b14200/statements_6010.htm
http://docs.oracle.com/cd/E11882_01/network.112/e16543/authentication.htm#CHDCGJED
Check this link for a scenario.
http://edstevensdba.wordpress.com/2012/01/16/exploring-password-lifetime-and-grace-period/
Regards
RB
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
87 | |
10 | |
10 | |
10 | |
7 | |
6 | |
6 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.