Database: Rolling Password Change


Recently, I found a great Oracle Database 21c feature: Gradual Password Rollover. Here is the best part: it was backported to Database 19c.

This is a database feature that only middleware administrators or DevOps engineers can truly appreciate. In an Oracle Fusion Middleware installation, a database password change is a carefully choreographed effort that can still eat into your error budget, because every data source has to be updated before the old password stops working. With gradual rollover, Oracle removes that race: the rotation no longer has to happen in one cut-over. What it does not remove is the exposure of the old credential, which keeps working for the whole rollover window, so the feature lowers the operational risk of rotation, not the risk of a leaked password.

Besides a compatible database version, the accounts must be assigned a profile, because that is where the limit lives. Every account already has one (at least DEFAULT), but middleware accounts belong in a dedicated profile so the other password controls can be tuned for them as well.

-- Enable password rollover for the profile, for 2 days (48 hours)
ALTER PROFILE ofmw_accounts
     LIMIT PASSWORD_ROLLOVER_TIME 2;

-- Change the password of a user that has the profile ofmw_accounts.
-- Quote the password: a hyphen is not legal in an unquoted one.
ALTER USER WLS_OPSS
      IDENTIFIED BY "my-new-and-long-password";

After the change, the old and the new password both work for the next forty-eight hours, so middleware administrators can update data sources one by one without any downtime. The window is expressed in days, but fractions are allowed: 1/2 gives twelve hours, 1/24 one hour.

The window cannot be longer than 60 days, and it cannot exceed the password expiration grace time or the password lifetime of the same profile; the rollover window must be the shortest of the three.
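The whole procedure in one place, as an added example that is not part of the original post: a profile whose limits respect the ordering rule, the rotation itself, the checks that show the account is in its rollover window, and the command that ends the window early. The profile and user names are the ones used above; the password and the other limit values are made up for illustration.

```sql
-- Added example, not from the original post. ofmw_accounts / WLS_OPSS are the
-- names used above; the password and the numeric limits are illustrative.

-- 1. Profile with a rollover window that is shorter than both the grace time
--    and the password lifetime (the ordering the feature requires).
CREATE PROFILE ofmw_accounts LIMIT
  PASSWORD_LIFE_TIME      90     -- days before the password expires
  PASSWORD_GRACE_TIME     7      -- days after expiry the old password still works, with a warning
  PASSWORD_ROLLOVER_TIME  2      -- days both old and new password are accepted after a change
  FAILED_LOGIN_ATTEMPTS   10
  PASSWORD_LOCK_TIME      1/24;  -- fractions of a day are allowed: 1/24 is one hour

ALTER USER WLS_OPSS PROFILE ofmw_accounts;

-- 2. Rotate. The password is quoted because a hyphen is not legal unquoted.
ALTER USER WLS_OPSS IDENTIFIED BY "Rot4te-Me-Gradually";

-- 3. Confirm the account is inside its rollover window: ACCOUNT_STATUS reads
--    'OPEN & IN ROLLOVER' while both passwords are accepted.
SELECT username, account_status, password_change_date
  FROM dba_users
 WHERE username = 'WLS_OPSS';

-- 4. Confirm the limits actually in force for the profile.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE profile = 'OFMW_ACCOUNTS'
   AND resource_name IN ('PASSWORD_ROLLOVER_TIME',
                         'PASSWORD_GRACE_TIME',
                         'PASSWORD_LIFE_TIME');

-- 5. Cut the window short as soon as every data source uses the new password,
--    or immediately if the old password is suspected to have leaked.
--    After this only the new password is accepted.
ALTER USER WLS_OPSS EXPIRE PASSWORD ROLLOVER PERIOD;
```

Step 5 is the part worth remembering from a security point of view: the rollover window is an availability tool, so once the middleware is reconfigured there is no reason to leave the old credential alive for the rest of the two days, and if the rotation was triggered by a suspected compromise the window should be closed right after the change.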

Finally, to switch the feature off, set the profile limit back to DEFAULT, which is equivalent to 0.

-- Disable password rollover
ALTER PROFILE ofmw_accounts
   LIMIT PASSWORD_ROLLOVER_TIME DEFAULT;