Oracle Database SYS Password Rotation for DataGuard Databases

Changing SYS Password is scary and disastrous work! When it comes to Oracle DataGuard Database even more difficult. If your Database User accounts are managed through 3rd party tools like PAM, Cyberark , Rundeck or Jenkins we can’t accomplice that change for DataGuard since we need to stop replication, copy the password file and re-sync replication. Thank you Oracle for the work around with Data Guard password Auto-sync feature.

In 12cR2, the password file of standby database gets synchronized automatically when there is a change in Primary database password file. The password file change of Primary will be included in Redo and when the Redo is applied to standby, the synchronization happens in the background. [Data Guard Standby Automatic Password file Synchronization in 12.2 (Doc ID 2307365.1)] Frankly Speaking most of DBA’s won’t rotate SYS password but this feature we can rotate all our SYS account for various databases.

Changing SYS Password on Oracle 19c Primary Database :

SQL> select username, sysdba, sysoper, sysasm,sysbackup,authentication_type AT from v$pwfile_users;
USERNAME
--------------------------------------------------------------------------------
SYSDB SYSOP SYSAS SYSBA AT
----- ----- ----- ----- --------
SYS
TRUE  TRUE  FALSE FALSE PASSWORD
SQL> select max(sequence#),thread# from gv$archived_log group by thread#;
MAX(SEQUENCE#)    THREAD#
-------------- ----------
            53          1
SQL> alter user sys identified by "DBADeeds13#$$&*gh" account unlock;
User altered.
SQL> alter system switch logfile;
System altered.
SQL> exit
Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.10.0.0.0
Connecting Standby with changed password from Primary server.
[oracle@PrimaryDb ~]$  sqlplus sys/'DBADeeds13#$$&*gh'@stdby as sysdba
SQL*Plus: Release 19.0.0.0.0 - Production on Tue Jun 7 16:29:07 2022
Version 19.10.0.0.0
Copyright (c) 1982, 2020, Oracle.  All rights reserved.
Last Successful login time: Tue Jun 07 2022 14:42:24 -07:00
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.10.0.0.0
SQL> select name,open_mode,database_role,log_mode from v$database;
NAME      OPEN_MODE            DATABASE_ROLE    LOG_MODE
--------- -------------------- ---------------- ------------
DBADEEDCDB  MOUNTED              PHYSICAL STANDBY ARCHIVELOG
SQL> select max(sequence#),thread# from gv$archived_log group by thread#;
MAX(SEQUENCE#)    THREAD#
-------------- ----------
            54          1
SQL> exit
-------------------------------------
Once Oracle switch logfile happens then it will update the passwords on both primary and standby servers 
PR00 (PID:2731909): Media Recovery Waiting for T-1.S-55 (in transit)
2022-06-07T16:33:43.049584-07:00
 rfs (PID:2733091): Archived Log entry 7 added for B-1105533231.T-1.S-55 ID 0x839616ac LA                                                                               D:2
 rfs (PID:2733091): No SRLs available for T-1
2022-06-07T16:33:43.096069-07:00
 rfs (PID:2733091): Opened log for T-1.S-56 dbid 2207600556 branch 1105533231
2022-06-07T16:33:43.365058-07:00
PR00 (PID:2731909): Media Recovery Log +DATA/stdby/ARCHIVELOG/2022_06_07/thread_1_seq_5                                                                               5.329.1106756917
PR00 (PID:2731909): Media Recovery Waiting for T-1.S-56 (in transit)
[oracle@primary ~]$ cd $ORACLE_HOME/dbs
[oracle@primary dbs]$ ls -ltr *pw*
-rw-r----- 1 oracle oinstall     6144 Jun  7 16:33 orapwdbadeedcdb
---------------
[oracle@standby]$ cd $ORACLE_HOME/dbs
[oracle@standby dbs]$ ls -ltr *pw*
-rw-r----- 1 oracle oinstall     6144 Jun  7 16:33 orapwstdby

DBADEEDS