{"id":4889,"date":"2020-12-15T07:43:22","date_gmt":"2020-12-15T10:43:22","guid":{"rendered":"https:\/\/www.dbarj.com.br\/2020\/12\/understanding-internally-how-21c-gradual-database-password-rollover-works\/"},"modified":"2020-12-15T07:43:22","modified_gmt":"2020-12-15T10:43:22","slug":"understanding-internally-how-21c-gradual-database-password-rollover-works","status":"publish","type":"post","link":"https:\/\/www.dbarj.com.br\/pt-br\/2020\/12\/understanding-internally-how-21c-gradual-database-password-rollover-works\/","title":{"rendered":"Understanding internally how 21c Gradual Database Password Rollover works"},"content":{"rendered":"

Oracle Database 21c introduced the new feature called “Gradual Database Password Rollover<\/strong>“. This allows the database password of the application user to be altered while allowing the older password to remain valid for the time specified by the\u00a0PASSWORD_ROLLOVER_TIME<\/code> limit (PROFILE parameter).<\/p>\n

With this new feature, a password of an application can be changed without having to schedule a downtime, which is great..<\/p>\n

However, you may be wondering how oracle internally store and validate the old and new hashes in the dictionary. In this article, I will investigate and show how it works.<\/p>\n

Getting started<\/h4>\n

First of all, to recap, we have the user_history$<\/strong> table that was introduced some time back to keep the old user password hashes for reuse control.<\/p>\n

\"\"<\/h4>\n

Before we start, let me change the DEFAULT profile and enable the ROLLOVER feature:<\/p>\n

SQL> select LIMIT from dba_profiles where PROFILE='DEFAULT' AND RESOURCE_NAME='PASSWORD_ROLLOVER_TIME';\r\n\r\nLIMIT\r\n--------\r\n0\r\n\r\nSQL> ALTER PROFILE DEFAULT LIMIT PASSWORD_ROLLOVER_TIME 1\/24;\r\n\r\nProfile altered.\r\n\r\nSQL> select LIMIT from dba_profiles where PROFILE='DEFAULT' AND RESOURCE_NAME='PASSWORD_ROLLOVER_TIME';\r\n\r\nLIMIT\r\n--------\r\n.0416<\/pre>\n
The PASSWORD_ROLLOVER_TIME is given in number of days. Giving 1\/24 is 1 hour, meaning the user will still be able to use his old and new passwords for this period.<\/p>\n
Now, let’s start creating a new user and checking that:<\/p>\n
SQL> alter session set nls_date_format='YYYY-MM-DD HH24:MI:SS';\r\n\r\nSession altered.\r\n\r\nSQL> select SYSDATE FROM DUAL;\r\n\r\nSYSDATE\r\n-------------------\r\n2020-12-14 20:42:49\r\n\r\nSQL> create user C##DBA identified by \"welcome1\";\r\n\r\nUser created.\r\n\r\nSQL> grant create session, dba to C##DBA;\r\n\r\nGrant succeeded.\r\n\r\nSQL> select user_id from dba_users where username='C##DBA';\r\n\r\n   USER_ID\r\n----------\r\n       117\r\n\r\nSQL> select USER#,PASSWORD_DATE from user_history$ where USER#=117 order by PASSWORD_DATE desc;\r\n\r\n     USER# PASSWORD_DATE\r\n---------- -------------------\r\n       117 2020-12-14 20:43:10\r\n\r\nSQL> select row_number() over (order by PASSWORD_DATE asc) as seqnum, password from user_history$ where USER#=117 order by seqnum asc;\r\n\r\n    SEQNUM PASSWORD\r\n---------- ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------\r\n         1 T:00D396D65A0A899837CA952D3122C6CC146F8883D2B307EE744FE23E53EF489307721CD9D726F9075593807D6E470A69824D63AF0CFE2119B012CA90FE7A4C7E451CC4B224409EFA64D5E5FBF6BB4EB5\r\n\r\nSQL> select replace(spare4,';',chr(10)) spare4 from user$ where USER#=117;\r\n\r\nSPARE4\r\n----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------\r\nS:F0D6ED816568FCC320228B39CF2101E7D7F151A25217196D2FBA0E58E854\r\nT:00D396D65A0A899837CA952D3122C6CC146F8883D2B307EE744FE23E53EF489307721CD9D726F9075593807D6E470A69824D63AF0CFE2119B012CA90FE7A4C7E451CC4B224409EFA64D5E5FBF6BB4EB5<\/pre>\n
The “S<\/strong>” entry in SPARE4 column represents the SHA1<\/strong> hash (11g authentication) while the “T<\/strong>” entry is the SHA2<\/strong> (12c authentication). We can note that the value stored in the user_history$<\/strong> (control password reuse) has only the SHA2 entry.<\/p>\n
PS: When I say “SHA2”, please read “PBKDF2-based SHA512 hashing algorithm”.<\/span><\/strong><\/p>\n
Let’s change the user password and see what happens:<\/p>\n
SQL> alter user C##DBA identified by \"welcome2\";\r\n\r\nUser altered.\r\n\r\nSQL> conn C##DBA\/welcome1\r\nConnected.\r\n\r\nSQL> conn C##DBA\/welcome2\r\nConnected.<\/pre>\n
So after changing the password, you can note I still could connect using both password. How is it possible internally?<\/p>\n
SQL> select USER#,PASSWORD_DATE from user_history$ where USER#=117 order by PASSWORD_DATE desc;\r\n\r\n     USER# PASSWORD_DATE\r\n---------- -------------------\r\n       117 2020-12-14 20:47:25\r\n       117 2020-12-14 20:43:10\r\n\r\nSQL> select row_number() over (order by PASSWORD_DATE asc) as seqnum, password from user_history$ where USER#=117 order by seqnum asc;\r\n\r\n    SEQNUM PASSWORD\r\n---------- ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------\r\n         1 T:00D396D65A0A899837CA952D3122C6CC146F8883D2B307EE744FE23E53EF489307721CD9D726F9075593807D6E470A69824D63AF0CFE2119B012CA90FE7A4C7E451CC4B224409EFA64D5E5FBF6BB4EB5\r\n         2 T:2F85521FC89E01B445B622C6D4686062BCCD0AF8B030871946F85423049EB0576D3B3CDCDAB0936D299223E141B0C0889A0540443ED3857B572E54AA1A23A4E773B783F8C84531ECC4FBCF5DFF174510\r\n\r\nSQL> select replace(spare4,';',chr(10)) spare4 from user$ where USER#=117;\r\n\r\nSPARE4\r\n----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------\r\nS:F0D6ED816568FCC320228B39CF2101E7D7F151A25217196D2FBA0E58E854\r\nT:00D396D65A0A899837CA952D3122C6CC146F8883D2B307EE744FE23E53EF489307721CD9D726F9075593807D6E470A69824D63AF0CFE2119B012CA90FE7A4C7E451CC4B224409EFA64D5E5FBF6BB4EB5\r\nt:DF10CCD2DC546657A975E81604E99D48BD1A2729F804EA811B2111E43D64021CCA4027588D61ED9C718DAECEA5940C875CF6659049062AABA571073AD790774F451CC4B224409EFA64D5E5FBF6BB4EB5\r\nV:2F85521FC89E01B445B622C6D4686062BCCD0AF8B030871946F85423049EB0576D3B3CDCDAB0936D299223E141B0C0889A0540443ED3857B572E54AA1A23A4E773B783F8C84531ECC4FBCF5DFF174510\r\ns:7EE335579302B734BD399D2F342924862A8870F75217196D2FBA0E58E854\r\nU:5B1D91705F57E211D52F9F7546D1E6EF85130600F3CC762601AF5C2A8657\r\n\r\n<\/pre>\n
As you can note, SPARE 4 column has now 4 new attributes (s, t, U, V<\/strong>). Before we only had S<\/strong> and T<\/strong> uppercase. Matching their values with the past execution, we can find out that:<\/p>\n