An upgrade to a new release always requires a lot of testing. This is especially true if you upgrade to 11g and want to use the case sensitive passwords feature.
As we have already seen, the parameter sec_case_sensitive_logon must be set to TRUE explicitly to enable the feature after a manual upgrade.
When upgrading from 10g to 11g with the upgrade assistant (DBUA), the passwords of all user accounts are case insensitive until they are changed the next time.
DBCA as well as DBUA allow you to choose whether you want to enable the new security features or start with the pre-11g functionality and enable the new 11g security features later on.
How to enable the ORACLE 11g EXCLUSIVE MODE
Oracle 10g utilities which use the OCI drivers, including SQL*Plus, Forms, ODBC and .NET, are compatible with Oracle 11g EXCLUSIVE MODE. This mode can be enabled after upgrading to an 11g database:
sqlnet.allowed_logon_version=11
This parameter defines the minimum client version that is allowed to connect to the database instance.
Before enabling EXCLUSIVE MODE after upgrading to 11g, make sure that all clients are compatible with this mode.
The default for sqlnet.allowed_logon_version is 8.
After this it is necessary to remove
all old password hashes from the database. You must be
connected as sysdba:
LUTZ AS SYSDBA @ orcl SQL> UPDATE sys.user$ SET password=NULL;
LUTZ AS SYSDBA @ orcl SQL> DELETE FROM user_history$;
LUTZ AS SYSDBA @ orcl SQL> COMMIT;
JDBC (thin) versions prior to Oracle 11g and Oracle Call Interface (OCI) drivers prior to Oracle 10g cannot use the enhanced 11g Oracle password algorithm.
Test carefully before you use case sensitive passwords in production!
There might be a number of pitfalls waiting for you with hard coded passwords for logons.
Case sensitive passwords are a very good feature, but they can also cause a lot of problems, especially if you upgrade to 11g, since many applications use hard coded passwords in scripts and routines which cannot be easily changed.
Database links in pre-11g databases which log on to release 11g databases with case sensitive passwords need particular care. The passwords for those database links must be recreated in upper case because Oracle stores these passwords in upper case even if the original password in the 11g database is created in lower or mixed case.
It might be necessary to disable case sensitive passwords if it is not possible to modify scripts and routines which log on to an 11g database or use database links until all necessary changes to all scripts have been applied.
Keep in mind that the parameter sec_case_sensitive_logon is a dynamic parameter and that it is possible to change it to TRUE at any time with an ALTER SYSTEM command.
In 11g it is possible to check whether a password is a case sensitive password. The new column password_versions has been added to the data dictionary view dba_users.
The value 10G indicates a user account which still uses the old case insensitive password.
The value 10G 11G indicates a user account with a case sensitive password.
SYSTEM @ orcl111 SQL> SELECT username, password_versions AS versions
FROM dba_users;
USERNAME                       VERSIONS
------------------------------ --------
MGMT_VIEW                      10G 11G
SYS                            10G 11G
SYSTEM                         10G 11G
DBSNMP                         10G 11G
SYSMAN                         10G 11G
LUTZ                           10G
OUTLN                          10G 11G
FLOWS_FILES                    10G 11G
ANONYMOUS
EXFSYS                         10G 11G
WMSYS                          10G 11G
XDB                            10G 11G
FLOWS_030000                   10G 11G
DIP                            10G 11G
APEX_PUBLIC_USER               10G 11G
ORACLE_OCM                     10G 11G
TSMSYS                         10G 11G
XS$NULL                        10G 11G
19 rows selected.
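A pre-flight check for the steps described above, as an added example that is not part of the original article: it shows the current case-sensitivity setting, lists the accounts that still have only a 10G verifier (such as LUTZ in the listing), and generates the statements that force those accounts to choose a new password. It assumes a DBA session in SQL*Plus on the upgraded 11g database; the column aliases are illustrative.

```sql
-- Added example: run as a DBA on the upgraded 11g database, before
-- setting exclusive mode or clearing the old hashes in sys.user$.

-- 1. Is case sensitive logon currently enforced?
SELECT name, value
FROM   v$parameter
WHERE  name = 'sec_case_sensitive_logon';

-- 2. Accounts that still have only the old case insensitive (10G) verifier.
--    Once the old hashes are removed, these accounts have no verifier left
--    and cannot log on until their password is set again.
--    TRIM() guards against trailing blanks in the column value.
SELECT username, account_status, TRIM(password_versions) AS versions
FROM   dba_users
WHERE  TRIM(password_versions) = '10G'
ORDER  BY username;

-- 3. Generate the statements that force a password change at the next
--    logon, so that each of these accounts receives an 11G verifier.
SELECT 'ALTER USER "' || username || '" PASSWORD EXPIRE;' AS fix_stmt
FROM   dba_users
WHERE  TRIM(password_versions) = '10G'
AND    account_status = 'OPEN'
ORDER  BY username;

-- 4. Re-check after the users have changed their passwords: the count of
--    open accounts with only a 10G verifier should be 0 before the old
--    hashes are removed.
SELECT COUNT(*) AS remaining_10g_only
FROM   dba_users
WHERE  TRIM(password_versions) = '10G'
AND    account_status = 'OPEN';
```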