Change the "protect" user password in the Oracle database
search cancel

Change the "protect" user password in the Oracle database

book

Article ID: 159992

calendar_today

Updated On:

Products

Data Loss Prevention Enforce Data Loss Prevention Oracle Standard Edition 2 Data Loss Prevention

Issue/Introduction

Learn how to change the password for the "protect" user in the Oracle database for Symantec Data Loss Prevention (DLP).

Resolution

  • DLP connects to the Oracle database using a user named "protect".
  • The Oracle protect password is stored in an encrypted file named DatabasePassword.properties located on the Enforce server
  • The DBPasswordChanger utility is used to change the Oracle database password in that file.
  • In DLP versions 15.0 and earlier, the DBPasswordChanger is located in \SymantecDLP\Protect\bin
  • In DLP versions 15.1 and later it is located at \Program Files\Symantec\DataLossPrevention\EnforceServer\15.x\Protect\bin (Windows), or  /opt/Symantec/DataLossPrevention/EnforceServer/15.8.00000/Protect/bin (Linux)

NOTE:

To avoid an account lock-out, run the DBPasswordChanger utility as soon as possible after the Oracle Data Loss Prevention account password is changed. If a lock-out does occur, see the article: "ORA-28000: the account is locked" for resolution.

Example:

  • DLP Administrator password is rhubarb
  • New Oracle protect user password is potato

 

Process Overview:

  1. Shutdown all DLP services. (see Windows, see Linux)
  2. Change the database password within Oracle.
  3. Verify the new password.
  4. Change the password on the Enforce server.
  5. Start the DLP services.
  6. Log in to the Enforce UI.

 

Detailed steps for 2-4 above:

Changing the database password for the protect account on Oracle:

IMPORTANT: Be sure to follow the guidelines for acceptable passwords in the article: Password guidelines for the Oracle 'protect' user

- Start a sqlplus session:
sqlplus /nolog

 

- Login as protect user (if current password is known) OR sysdba (if current password is unknown):
SQL> connect protect (connect sys as sysdba)
    (Enter the password when prompted.)

 

- Change the protect password to potato:
SQL> alter user protect identified by potato;
 

- Verify the password change:
SQL> conn protect/potato
- Exit sqlplus:
SQL> exit

 

Changing the password for the protect account used by the Enforce server:

NOTE: The examples assume a Windows installation; for Linux, substitute the appropriate paths (e.g. /opt/Vontu/Protect/bin)

- Start a command shell and change to the bin directory:
<DLP 15.0 and older> cd \SymantecDLP\Protect\bin
<DLP 15.1 and later> cd "C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.7\Protect\bin"

- Change the Oracle password in the configuration file:

For version 15.0 and earlier:

The syntax for DBPasswordChanger is:

DBPasswordChanger <PasswordFilePath> <New Oracle Password>

So:

DBPasswordChanger c:\SymantecDLP\protect\config\DatabasePassword.properties potato

For version 15.1 and later:

The syntax for DBPasswordChanger is:

DBPasswordChanger <PasswordFilePath> <New Oracle Password>

So:

DBPasswordChanger "C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.7\Protect\config\DatabasePassword.properties" potato

Linux Red Hat Environment 6.x / 7.x

1. Change to directory /opt/Symantec/DataLossPrevention/EnforceServer/16.0.00000/Protect/bin/

2. Run the command: ./DbPasswordChanger DatabasePassword.properties potato

 

Note - While running DBPasswordChanger tool command, "DatabasePassword.properties" should be entered keeping case sensitivity as it is. Otherwise, command output will show as "Password changed", but in reality, password will not be changed and it will cause account lockout for Oracle user.

Additional Information

If you need to UNLOCK the "protect" account, please see the following KB article for instructions on how to unlock the protect account...
https://knowledge.broadcom.com/external/article/160068

 

Powered by Wolken Software