Change the "protect" user password in the Oracle database
search cancel

Change the "protect" user password in the Oracle database


Article ID: 159992


Updated On:


Data Loss Prevention Enforce Data Loss Prevention Oracle Standard Edition 2 Data Loss Prevention


Learn how to change the password for the "protect" user in the Oracle database for Symantec Data Loss Prevention (DLP).


  • DLP connects to the Oracle database using a user named "protect".
  • The Oracle protect password is stored in an encrypted file named located on the Enforce server
  • The DBPasswordChanger utility is used to change the Oracle database password in that file.
  • In DLP versions 15.0 and earlier, the DBPasswordChanger is located in \SymantecDLP\Protect\bin
  • In DLP versions 15.1 and later it is located at \Program Files\Symantec\DataLossPrevention\EnforceServer\15.x\Protect\bin (Windows), or  /opt/Symantec/DataLossPrevention/EnforceServer/15.8.00000/Protect/bin (Linux)


To avoid an account lock-out, run the DBPasswordChanger utility as soon as possible after the Oracle Data Loss Prevention account password is changed. If a lock-out does occur, see the article: "ORA-28000: the account is locked" for resolution.


  • DLP Administrator password is rhubarb
  • New Oracle protect user password is potato


Process Overview:

  1. Shutdown all DLP services. (see Windows, see Linux)
  2. Change the database password within Oracle.
  3. Verify the new password.
  4. Change the password on the Enforce server.
  5. Start the DLP services.
  6. Log in to the Enforce UI.


Detailed steps for 2-4 above:

Changing the database password for the protect account on Oracle:

IMPORTANT: Be sure to follow the guidelines for acceptable passwords in the article: Password guidelines for the Oracle 'protect' user

- Start a sqlplus session:
sqlplus /nolog


- Login as protect user (if current password is known) OR sysdba (if current password is unknown):
SQL> connect protect (connect sys as sysdba)
    (Enter the password when prompted.)


- Change the protect password to potato:
SQL> alter user protect identified by potato;

- Verify the password change:
SQL> conn protect/potato
- Exit sqlplus:
SQL> exit


Changing the password for the protect account used by the Enforce server:

NOTE: The examples assume a Windows installation; for Linux, substitute the appropriate paths (e.g. /opt/Vontu/Protect/bin)

- Start a command shell and change to the bin directory:
<DLP 15.0 and older> cd \SymantecDLP\Protect\bin
<DLP 15.1 and later> cd "C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.7\Protect\bin"

- Change the Oracle password in the configuration file:

For version 15.0 and earlier:

The syntax for DBPasswordChanger is:

DBPasswordChanger <PasswordFilePath> <New Oracle Password>


DBPasswordChanger c:\SymantecDLP\protect\config\ potato

For version 15.1 and later:

The syntax for DBPasswordChanger is:

DBPasswordChanger <PasswordFilePath> <New Oracle Password>


DBPasswordChanger "C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.7\Protect\config\" potato

Linux Red Hat Environment 6.x / 7.x

1. Change to directory /opt/Symantec/DataLossPrevention/EnforceServer/16.0.00000/Protect/bin/

2. Run the command: ./DbPasswordChanger potato


Note - While running DBPasswordChanger tool command, "" should be entered keeping case sensitivity as it is. Otherwise, command output will show as "Password changed", but in reality, password will not be changed and it will cause account lockout for Oracle user.

Additional Information

If you need to UNLOCK the "protect" account, please see the following KB article for instructions on how to unlock the protect account...