Oracle has back-ported “Gradual Database Password Rollover” security feature that was initially introduced in Oracle 21c to Oracle 19c with July 2021 RU (Release Update- 19.12) and there is no need to change the compatibility parameter.
Reference link: https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/release-changes.html#GUID-FDE1D67B-1766-48E1-89EE-7F8505A4EF83
This great new feature is very much needed and great addition from Oracle (Thank You Oracle)….if there is a need to change passwords for critical applications/systems this will require application shutdown first then updating the “new” password in multiple places of the application….with this new feature you can change the password without the need of application outage/downtime and there will be NO Locking of the account taking place as both old & new passwords will be authenticated successfully by the database until rollover period is finished.
T Explore it I will create a new profile called “DEFAULT2” with parameter PASSWORD_ROLLOVER_TIME set to 1 day:
CREATE PROFILE DEFAULT2
LIMIT
COMPOSITE_LIMIT UNLIMITED
SESSIONS_PER_USER UNLIMITED
CPU_PER_SESSION UNLIMITED
CPU_PER_CALL UNLIMITED
LOGICAL_READS_PER_SESSION UNLIMITED
LOGICAL_READS_PER_CALL UNLIMITED
IDLE_TIME UNLIMITED
CONNECT_TIME UNLIMITED
PRIVATE_SGA UNLIMITED
FAILED_LOGIN_ATTEMPTS 5
PASSWORD_LIFE_TIME 360
PASSWORD_REUSE_TIME 1
PASSWORD_REUSE_MAX 4
PASSWORD_VERIFY_FUNCTION ORA12C_STIG_VERIFY_FUNCTION
PASSWORD_LOCK_TIME 1
PASSWORD_GRACE_TIME 30
PASSWORD_ROLLOVER_TIME 1;
SQL> CREATE USER emad1 IDENTIFIED BY EMAD_first_prm221d
PROFILE DEFAULT2
DEFAULT TABLESPACE “USERS”
TEMPORARY TABLESPACE “TEMP”;
SQL> grant create session to emad1 ;
SQL> select username,account_status,profile,authentication_type from dba_users where username=’EMAD1′;
Now, I will change the password to a different value:
SQL> alter user emad1 identified by EMAD_first_prm33zd;
If you query the dba_users view, you find that account_status is now changed from “OPEN” to “OPEN & IN ROLLOVER”
NOTE: What will happen if you change the password again, in this case Only the first password and the third one will authenticate successfully….so if you change the password multiple times only 2 passwords are valid for authentication (the first initial password, and the last password reset).
Another side note…. that maximum number of days allowed for the value of the parameter “PASSWORD_ROLLOVER_TIME” is 60 (which is 60 days), and minimum value is 1 hour.
To forcefully end the rollover period you can execute the following SQL command:
SQL> alter user emad1 expire password rollover period;
Checking SYS.USER$ table, you will see the value of ASTATUS column changed from “32” to “0” , zero is the value after the rollover period is finished. So the value of “32” indicates that the database account is in the “rollover” phase.
