I just wrapped up a webinar this week, and it went well. One of the folks attending asked about a feature I have been really enjoying in 19c. This feature, called gradual password rollover, allows a database user to have two valid passwords at the same time. Yes, you heard that correctly… TWO DIFFERENT passwords at the same time.
This is how you set it up.
First, this feature was added in 19.12, so if you are on an older version of 19c, you need to patch.
Next, let's add a new profile with this feature and a new test user called bubba.
Log in to the PDB and then add a new profile. The profile lets us set how long the rollover period lasts. The value is in days by default, but you can use fractions or decimals to get hours. So if it's set to 8, it is 8 days, but 4/24 is four hours and 12.5 is 12 days and 12 hours.
Here we will create a profile called appuser with a rollover period that expires in two hours:
CREATE PROFILE appuser LIMIT PASSWORD_ROLLOVER_TIME 2/24;
You can also add this to an existing profile. The following command sets the rollover period to seven days on the profile ebsapp:
ALTER PROFILE ebsapp LIMIT PASSWORD_ROLLOVER_TIME 7;
Next, let's create a user called bubba, using the new profile:
CREATE USER bubba IDENTIFIED BY Pass_W0rd_2test PROFILE appuser;
Next, we grant CREATE SESSION to bubba, so he can log in:
GRANT CREATE SESSION TO bubba;
Now bubba can log in!
Now, go back into the database as admin, and let's give bubba a new password!
ALTER USER bubba IDENTIFIED BY Pass_W0rd_2test_v2;
And we can log in with the new password.
But at the same time, we can still use the old one!
This will continue until the period ends, or until we manually end the rollover period. To end it manually, expire the rollover period:
ALTER USER bubba EXPIRE PASSWORD ROLLOVER PERIOD;
Now, when the user tries to log in with the older password, they cannot, but the new password still works!
This is a great feature in 19c, making it a lot easier to do large-scale password changes without impacting applications.
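Before ending the rollover period manually, it helps to confirm that nothing is still logging in with the old password. The following is an added example, not part of the original walkthrough: it reuses the appuser profile and bubba user from above, and assumes unified auditing is available; the policy name logon_rollover_pol and the one-day lookback are hypothetical choices.

```sql
-- 1. Confirm the rollover window on the profile (LIMIT is expressed in days).
SELECT profile, limit
  FROM dba_profiles
 WHERE profile = 'APPUSER'
   AND resource_name = 'PASSWORD_ROLLOVER_TIME';

-- 2. After the password change, ACCOUNT_STATUS reports the rollover state
--    (for example OPEN & IN ROLLOVER) until the period ends or is expired.
SELECT username, account_status, password_change_date
  FROM dba_users
 WHERE username = 'BUBBA';

-- 3. Audit logons so the verifier used for each connection is recorded.
--    logon_rollover_pol is a hypothetical policy name.
CREATE AUDIT POLICY logon_rollover_pol ACTIONS LOGON;
AUDIT POLICY logon_rollover_pol;

-- 4. List clients that still authenticated with the OLD password in the
--    last day. AUTHENTICATION_TYPE carries a VERIFIER=...-OLD marker for them.
SELECT dbusername,
       userhost,
       os_username,
       client_program_name,
       event_timestamp,
       authentication_type
  FROM unified_audit_trail
 WHERE action_name = 'LOGON'
   AND dbusername = 'BUBBA'
   AND event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
   AND REGEXP_LIKE(authentication_type, 'VERIFIER=.*?-OLD')
 ORDER BY event_timestamp DESC;

-- 5. Once step 4 returns no rows, retire the old password early
--    and remove the temporary audit policy.
ALTER USER bubba EXPIRE PASSWORD ROLLOVER PERIOD;
NOAUDIT POLICY logon_rollover_pol;
DROP AUDIT POLICY logon_rollover_pol;
```

Any host or program that shows up in step 4 still has the old password in its configuration and would fail to connect after step 5.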