Wednesday, April 24, 2024

Life, Grace and Rollover time of passwords in the Oracle Database

The latest Release Update of Oracle Database 19c, namely 19.12, comes with two new features: Oracle memory speed support for PMEM devices and gradual database password rollover for applications. The gradual database password rollover is backported from Oracle 21c.

I still remember very well the times when changing the password of a database schema/user required shutting down both the database and the application, and this practice has not really changed much until now. You can, however, change database credentials without downtime thanks to proxy users:

Password rolling change before Oracle 21c

With the latest RU of 19c, there is a way to do this online. And of course also with 21c.

Now, there is a password rollover time period when the user can log in using either the old password or the new password. Here is how it works.

Oracle Database 19.12 introduces a new parameter related to the already existing PASSWORD_LIFE_TIME and PASSWORD_GRACE_TIME parameters called PASSWORD_ROLLOVER_TIME.

Note the default, minimum and maximum values for the three parameters above; all values are in days.

In order to enable the feature, we first have to modify the user's profile with a non-zero limit for PASSWORD_ROLLOVER_TIME. This allows the database password of the application user to be changed to a new one while the old password remains usable for the time specified by PASSWORD_ROLLOVER_TIME. During the rollover period defined by PASSWORD_ROLLOVER_TIME, the application user/schema can log in with either the old or the new password. When the rollover time expires (that is, 1a), only the new password can be used.

After a password is created for a new user or an existing password is changed, the password follows a life cycle and grace period in four phases: 1a and 1b, 2, 3 and 4:

We can query DBA_USERS to find the user's account status in the ACCOUNT_STATUS column (see the screenshot at the top of the post). It is important to point out that after the rollover period has begun, we can still change the password, with or without the REPLACE clause. The rollover start time is fixed at the moment the user changes the password; it is not affected by further password changes during the rollover period.

Here is how I could connect to the database with 2 different passwords after the initial profile re-configuration:

If needed, we can quit the rollover time period at any time with the following command:

ALTER USER JULIAN EXPIRE PASSWORD ROLLOVER PERIOD;
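The whole sequence described above (profile limit, password change, status check, early end of the window) as one script. This is an added example, not code from the original post; the profile name app_rollover_prof, the limit values and the passwords are illustrative, and JULIAN is the user already named in the post.

```sql
-- Added example (not from the original post): enable gradual password
-- rollover for one application user and walk it through the window.
-- Names and values (app_rollover_prof, the limits, the passwords) are
-- illustrative assumptions; JULIAN is the user from the post.

-- 1. A profile carrying the three password timing limits (all in days).
--    A non-zero PASSWORD_ROLLOVER_TIME is what switches the feature on.
CREATE PROFILE app_rollover_prof LIMIT
  PASSWORD_LIFE_TIME      180
  PASSWORD_GRACE_TIME     7
  PASSWORD_ROLLOVER_TIME  2;

-- If the user already has its own profile, raise only that one limit:
-- ALTER PROFILE app_rollover_prof LIMIT PASSWORD_ROLLOVER_TIME 2;

-- 2. Attach the profile to the application user before the password change;
--    a change made while the limit is still 0 gets no rollover window.
ALTER USER julian PROFILE app_rollover_prof;

-- 3. Change the password. From here on both "OldS3cret#2023" and
--    "NewS3cret#2024" are accepted for PASSWORD_ROLLOVER_TIME days.
--    REPLACE is only mandatory when a user changes its own password under
--    a profile with a PASSWORD_VERIFY_FUNCTION; an administrator may omit it.
ALTER USER julian IDENTIFIED BY "NewS3cret#2024" REPLACE "OldS3cret#2023";

-- 4. Confirm the account is inside the window. While both passwords work,
--    ACCOUNT_STATUS reads OPEN & IN ROLLOVER.
SELECT username, account_status, profile, expiry_date
  FROM dba_users
 WHERE username = 'JULIAN';

-- 5. A further change inside the window does not restart the clock; the
--    start time stays fixed at the change made in step 3.
ALTER USER julian IDENTIFIED BY "NewerS3cret#2024";

-- 6. Once every application instance carries the new password, close the
--    window immediately instead of waiting for it to lapse.
ALTER USER julian EXPIRE PASSWORD ROLLOVER PERIOD;

-- After step 6 only the newest password is accepted and the status returns
-- to OPEN.
SELECT username, account_status
  FROM dba_users
 WHERE username = 'JULIAN';
```

Run the script as a user with the ALTER USER and CREATE PROFILE privileges; step 6 is the same command shown above and is the part worth scripting into the application's rollout procedure, so the double-password window lasts no longer than the reconfiguration actually needs.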

We cannot configure the gradual database password rollover for the following connection types:

Direct logins for Oracle Real Application Security users
Kerberos-, certificate-, or RADIUS-based externally authenticated connections
Centrally managed user (CMU) connections
Administrative connections that use external password files
The Oracle Data Guard connection between the primary and the standby

For more on the topic, check Rodrigo Jorge's post Gradual Database Password Rollover brings new backdoor opportunities to find out how to guard against possible abuse of this new feature, or, if interested in the internals, check Understanding internally how 21c Gradual Database Password Rollover works.
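Because an account inside the window accepts two passwords, a defender wants to know at any time which accounts are in that state and which profiles permit it at all. The following queries are an added example, not taken from the post or from the articles linked above; they use only the DBA_USERS and DBA_PROFILES columns named in the post and the standard data dictionary.

```sql
-- Added example (not from the original post): periodic check for accounts
-- that currently accept two passwords and for profiles that allow it.
-- Usernames and profile names in the result are whatever exists in the
-- database you run this against.

-- Accounts still inside a rollover window, with the window length their
-- profile grants and the time of the last login. Anything here should
-- correspond to a rollout that is actually in progress.
SELECT u.username,
       u.account_status,
       u.profile,
       p.limit      AS rollover_days,
       u.expiry_date,
       u.last_login
  FROM dba_users    u
  JOIN dba_profiles p
    ON p.profile       = u.profile
   AND p.resource_name = 'PASSWORD_ROLLOVER_TIME'
 WHERE u.account_status LIKE '%ROLLOVER%'
 ORDER BY u.username;

-- Profiles in which gradual rollover is enabled at all. LIMIT is a text
-- column; '0' means off and 'DEFAULT' inherits the DEFAULT profile's value,
-- so both are excluded here.
SELECT profile, limit AS rollover_days
  FROM dba_profiles
 WHERE resource_name = 'PASSWORD_ROLLOVER_TIME'
   AND limit NOT IN ('0', 'DEFAULT')
 ORDER BY profile;

-- Accounts that are in rollover but whose profile grants a window longer
-- than an agreed ceiling (2 days assumed here); candidates to close early
-- with ALTER USER <username> EXPIRE PASSWORD ROLLOVER PERIOD.
SELECT u.username, u.profile, p.limit AS rollover_days
  FROM dba_users    u
  JOIN dba_profiles p
    ON p.profile       = u.profile
   AND p.resource_name = 'PASSWORD_ROLLOVER_TIME'
 WHERE u.account_status LIKE '%ROLLOVER%'
   AND p.limit NOT IN ('0', 'DEFAULT')
   AND TO_NUMBER(p.limit) > 2;
```

Scheduling the first query and alerting on any row that does not match a known rollout is the simplest way to notice a window that was opened outside the normal change process; the third query gives the list of accounts to close with the EXPIRE PASSWORD ROLLOVER PERIOD command shown earlier.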

A good example of how to use the feature is given by Mouhamadou Diaw in his blog post Oracle 21c Security: Gradual Database Password Rollover.

And here is something from Oracle v4:

Read more: Julian Dontcheff's Database Blog
