Change the "protect" user password in the Oracle database
Article ID: 159992
Updated On:
Products
Issue/Introduction
Learn how to change the password for the "protect" user in the Oracle database for Symantec Data Loss Prevention (DLP) using the DBPasswordChanger utility and SQLPlus.
Environment
The Database password changer (DBPasswordChanger) is located at
Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\Protect\bin (Windows)
Linux: /opt/Symantec/DataLossPrevention/EnforceServer/xx.x.xxxx/Protect/bin (Linux)
Cause
By default, DLP connects to the Oracle database using a user named "protect".
-
The Oracle protect password is stored in an encrypted file named DatabasePassword.properties located on the Enforce server.
- The DBPasswordChanger utility is used to change the Oracle database password in that file.
Resolution
Process Overview:
- Shutdown all DLP services. (see Windows, see Linux)
- Change the database password within Oracle.
- Verify the new password.
- Change the password on the Enforce server.
- Start the DLP services.
- Log in to the Enforce UI.
NOTE:
To avoid an account lock-out, if you are unable to stop ALL the services, run the DBPasswordChanger utility as soon as possible after the Oracle Data Loss Prevention account password is changed. If a lock-out does occur, see the article: "ORA-28000: the account is locked" for resolution.
Example:
- DLP Administrator password is rhubarb
- New Oracle protect user password is potato
Detailed steps for 2-4 above:
Changing the database password for the protect account on Oracle:
IMPORTANT: Be sure to follow the guidelines for acceptable passwords in the article: Password guidelines for the Oracle 'protect' user
- Collect the connection string from Jdbc.properties
Open Jdbc.properties at
Windows:\Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\Protect\config
Linux:/opt/Symantec/DataLossPrevention/EnforceServer/xx.x.xxxx/Protect/config
Copy the last line in the file, starting after the "@" symbol.
This is the connection string we will use in the following steps.
- Start a sqlplus session:
sqlplus /nolog
- Login as protect user (if current password is known) OR sysdba (if current password is unknown):
SQL> connect protect@<paste oracle connection string from Jdbc.properties file> (connect sys as sysdba)
(Enter the password when prompted.)
- Change the protect password to potato:
SQL> alter user protect identified by potato;
- Verify the password change:
SQL> conn protect@<pasted connection string>/potato
- Exit sqlplus:
SQL> exit
Changing the password for the protect account used by the Enforce server:
NOTE: The examples assume a Windows installation; for Linux, substitute the appropriate paths (e.g. /opt/Symantec/Protect/bin)
- Start a command shell and change to the bin directory:
cd "C:\Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\Protect\bin"
- Change the Oracle password in the configuration file:
The syntax for DBPasswordChanger is:
DBPasswordChanger <PasswordFilePath> <New Oracle Password>
So:
DBPasswordChanger "C:\Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\Protect\config\DatabasePassword.properties" potato
Linux Red Hat Environments
1. Change to directory /opt/Symantec/DataLossPrevention/EnforceServer/<version>/Protect/bin/
2. Run the command: ./DBPasswordChanger ../config/DatabasePassword.properties potato
This was successful when you see:
Password changed
Note - While running DBPasswordChanger tool command, filename is case sensitive. "DatabasePassword.properties" should be entered keeping case sensitivity as it is. Otherwise, command output will show as "Password changed", but in reality, password will not be changed and it will cause account lockout for Oracle user.
Additional Information
If you need to UNLOCK the "protect" account, please see the following KB article for instructions on how to unlock the protect account...
https://knowledge.broadcom.com/external/article/160068
In DLP versions 15.0 and earlier, the DBPasswordChanger is located in \SymantecDLP\Protect\bin
Feedback
