By Mouhamadou Diaw
Starting with Oracle 21c, a password of an application can be changed without having to schedule a downtime. This can be done by using the new profile parameter PASSWORD_ROLLOVER_TIME
This will set a rollover period of time where the application can log in using either the old password or the new password. With this enhancement, an administrator does not need any more to take the application down when the application database password is being rotated.
Let see in this blog how this works
1
2
3
4
5
6
7
|
SQL> show pdbs CON_ID CON_NAME OPEN MODE RESTRICTED ---------- ------------------------------ ---------- ---------- 2 PDB$SEED READ ONLY NO 3 PDB1 READ WRITE NO SQL> |
First we create a profile in PDB1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
SQL> show con_name; CON_NAME ------------------------------ PDB1 SQL> CREATE PROFILE testgradualrollover LIMIT FAILED_LOGIN_ATTEMPTS 4 PASSWORD_ROLLOVER_TIME 4; Profile created. SQL> |
Note that the parameter PASSWORD_ROLLOVER_TIME is specified in days. For example, 1/24 means 1H.
The minimum value for this parameter is 1h and the maximum value is 60 days or the lower value of the PASSWORD_LIFE_TIME or PASSWORD_GRACE_TIME parameter.
Now let’s create a new user in PDB1 and let’s assign him the profile we created
1
2
3
4
5
6
7
8
9
|
SQL> create user edge identified by "Borftg8957##" profile testgradualrollover; User created. SQL> grant create session to edge; Grant succeeded. SQL> |
We can also verify the status of the account in the PDB
1
2
3
4
5
6
7
|
SQL> select username,account_status from dba_users where username= 'EDGE' ; USERNAME ACCOUNT_STATUS -------------------- -------------------- EDGE OPEN SQL> |
Now let’s log with new user
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
[oracle@oraadserver admin]$ sqlplus edge/ "Borftg8957##" @pdb1 SQL*Plus: Release 21.0.0.0.0 - Production on Thu Dec 10 11:14:07 2020 Version 21.1.0.0.0 Copyright (c) 1982, 2020, Oracle. All rights reserved. Connected to : Oracle Database 21c Enterprise Edition Release 21.0.0.0.0 - Production Version 21.1.0.0.0 SQL> show con_name; CON_NAME ------------------------------ PDB1 SQL> show user ; USER is "EDGE" SQL> |
Now let’s change the password of the user edge
1
2
3
4
5
|
SQL> alter user edge identified by "Morfgt5879!!" ; User altered. SQL> |
As the rollover period is set to 4 days in the profile testgradualrollover, the user edge should be able to connect during 4 days with either the old password or the new one.
Let’s test with the old password
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
[oracle@oraadserver admin]$ sqlplus edge/ "Borftg8957##" @pdb1 SQL*Plus: Release 21.0.0.0.0 - Production on Thu Dec 10 11:21:02 2020 Version 21.1.0.0.0 Copyright (c) 1982, 2020, Oracle. All rights reserved. Last Successful login time : Thu Dec 10 2020 11:14:07 +01:00 Connected to : Oracle Database 21c Enterprise Edition Release 21.0.0.0.0 - Production Version 21.1.0.0.0 SQL> show con_name; CON_NAME ------------------------------ PDB1 SQL> show user ; USER is "EDGE" SQL> |
Let’s test with the new password
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
[oracle@oraadserver ~]$ sqlplus edge/ 'Morfgt5879!!' @pdb1 SQL*Plus: Release 21.0.0.0.0 - Production on Thu Dec 10 11:24:52 2020 Version 21.1.0.0.0 Copyright (c) 1982, 2020, Oracle. All rights reserved. Last Successful login time : Thu Dec 10 2020 11:21:02 +01:00 Connected to : Oracle Database 21c Enterprise Edition Release 21.0.0.0.0 - Production Version 21.1.0.0.0 SQL> show user ; USER is "EDGE" SQL> show con_name; CON_NAME ------------------------------ PDB1 SQL> |
We can see that the connection is successfully done with both cases. If we query the dba_users we can see the status of the rollover
1
2
3
4
5
|
SQL> select username,account_status from dba_users where username= 'EDGE' ; USERNAME ACCOUNT_STATUS -------------------- -------------------- EDGE OPEN & IN ROLLOVER |
To end the password rollover period
-Let the password rollover expire on its own
-As either the user or an administrator run the command
1
|
Alter user edge expire password rollover period; |
-As an administrator, expire the user password
1
|
Alter user edge password expire; |
Database behavior during the gradual password rollover period can be found here in the documentation