Change the "protect" user password in the Oracle database

Article Id: 159992
Status: Published
Updated On: 08-06-2020 04:45
Legacy Id: TECH220107
Products:
Data Loss Prevention Enforce
Issue/Introduction:

Learn how to change the password for the "protect" user in the Oracle database for Symantec Data Loss Prevention (DLP).

Resolution:

  • DLP connects to the Oracle database using a user named "protect".
  • The Oracle protect password is stored in an encrypted file named DatabasePassword.properties located on the Enforce server
  • The DBPasswordChanger utility is used to change the Oracle database password in that file.
  • In DLP versions 15.0 and earlier, the DBPasswordChanger is located in \SymantecDLP\Protect\bin
  • In DLP versions 15.1 and later it is located at \Program Files\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\bin (Windows), or /opt/SymantecDLP/Protect/bin (Linux).

 

NOTE:

To avoid an account lock-out, run the DBPasswordChanger utility as soon as possible after the Oracle Data Loss Prevention account password is changed. If a lock-out does occur, see the article: "ORA-28000: the account is locked" for resolution.

Example:

  • DLP Administrator password is rhubarb
  • New Oracle protect user password is potato

 

Process Overview:

  1. Shutdown all DLP services. (see Windows, see Linux)
  2. Change the database password within Oracle.
  3. Verify the new password.
  4. Change the password on the Enforce server.
  5. Start the DLP services.
  6. Log in to the Enforce UI.

 

Detailed steps for 2-4 above:

Changing the database password for the protect account on Oracle:

IMPORTANT: Be sure to follow the guidelines for acceptable passwords in the article: Password guidelines for the Oracle 'protect' user

- Start a sqlplus session:
sqlplus /nolog

 

- Login as sysdba:
SQL> connect sys as sysdba
(Enter the password when prompted.)

 

- Change the protect password to potato:
SQL> alter user protect identified by potato;
 

- Verify the password change:
SQL> conn protect/potato
- Exit sqlplus:
SQL> exit

 

Changeing the password for the protect account used by the Enforce server:

NOTE: The examples assume a Windows installation; for Linux, substitute the appropriate paths (e.g. /opt/Vontu/Protect/bin)

- Start a command shell and change to the bin directory:
cd \SymantecDLP\Protect\bin

- Change the Oracle password in the configuration file:

For version 15.0 and earlier:

The syntax for DBPasswordChanger is:

DBPasswordChanger <PasswordFilePath> <New Oracle Password>

So:

DBPasswordChanger c:\SymantecDLP\protect\config\DatabasePassword.properties potato

 

For version 15.1 and later:

The syntax for DBPasswordChanger is:

DBPasswordChanger <PasswordFilePath> <New Oracle Password>

So:

DBPasswordChanger "C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\config\DatabasePassword.properties" potato