ORA-01017 means that you either provided an incorrect pair of username and password, or mismatched authentication protocol, so the database that you tried to connect denied you to logon.
SQL> conn hr/hr@orcl
ERROR:
ORA-01017: invalid username/password; logon denied
There’re several errors patterns that throw ORA-01017.
- Common Situations
- Connect to Oracle 19c
- Database Links
- Standby Database
- RMAN Duplication
Common Situations
For solving ORA-01017, you should inspect the following items carefully.
Connect Identifier
Sometimes, your credentials are correct, you just went for the wrong destination. So please check the connect identifier, and you can make some tests if necessary.
C:Usersedchen>tnsping orcl
...
Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db.example.com)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = ORCL)))
OK (0 msec)
Password
Case-Sensitive
Most password problem are case-sensitive problem. By default, SEC_CASE_SENSITIVE_LOGON initialization parameter is set as TRUE which means that everything involves password are all case-sensitive, even though you didn’t quote the password.
SQL> conn hr/hr@orcl
Connected.
SQL> alter user hr identified by HR;
User altered.
SQL> conn hr/hr@orcl
ERROR:
ORA-01017: invalid username/password; logon denied
As you can see, IDENTIFIED BY clause treats password as a case-sensitive string with or without quotation marks. That is, you have to use it case-sensitively.
SQL> conn hr/HR@ora19cdb
Connected.
Special Character
If your password contains any special character, you have to double-quote it.
SQL> alter user hr identified by "iam@home";
User altered.
SQL> conn hr/"iam@home"@ora19cdb
Connected.
Other Considerations
Beside case-sensitive and special character problems, you can try the following things.
- Check whether CAPS LOCK is enabled or not, this could ruin every password you typed.
- Type the password in a text editor to make sure it’s right.
- Change the password if there’s no other way to solve it.
- Set SEC_CASE_SENSITIVE_LOGON to FALSE if the problem is becoming global.
Username
Normally, you don’t have to care about case-sensitive problem on username, because username creation follows Oracle object naming rule that I have explained about the differences between quoted and non-quoted identifiers pretty much.
Connect to Oracle 19c
After you set SQLNET.ALLOWED_LOGON_VERSION=8 in your 12c, 18c or 19c database server to overcome ORA-28040 for your users who may be using old releases like Oracle 9i clients, users still have a great chance to see ORA-01017, even though you use correct username / password to login.
This is because the password of the PDB users must be expired before applying new logon protocol.
Solution
You should expire user’s password who is using old Oracle client. For example, user HR in a PDB.
Normal Users
First, get into the PDB.
SQL> show pdbs
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
2 PDB$SEED READ ONLY NO
3 ORCLPDB1 READ WRITE NO
SQL> alter session set container=ORCLPDB1;
Session altered.
SQL> show con_name
CON_NAME
------------------------------
ORCLPDB1
Let the password expire.
SQL> alter user hr password expire;
User altered.
Provide a new password for the user, an uppercase password is preferable for old clients.
SQL> alter user hr identified by <PASSWORD> account unlock;
User altered.
Privileged Users
For users like SYS or SYSTEM, it’s a little bit complicated.
First, go to the root container.
SQL> alter session set container=CDB$ROOT;
Session altered.
SQL> show con_name
CON_NAME
------------------------------
CDB$ROOT
Expire SYSTEM‘s password for all containers.
SQL> alter user system password expire container=all;
User altered.
Provide a new password for SYSTEM, an uppercase password is preferable for old clients.
SQL> alter user system identified by <PASSWORD> account unlock;
User altered.
You can try again now.
Database Links
Before troubleshooting error ORA-01017, please make sure that every basic portion of connection string that you provided is correct.
Let’s me show you how I reproduce ORA-01017 when connecting to a remote database via a database link, then I will explain the cause of problem.
In 12c, we set the password of a user by ALTER USER.
SQL> alter user scott identified by scott;
In 9i, we created a database link for connecting to the 12c database.
SQL> create database link ora12c_scott connect to scott identified by scott using 'ORA12C';
Database link created.
Then we tested the connectivity of the database link.
SQL> select sysdate from dual@ora12c_scott;
select sysdate from dual@ora12c_scott
*
ERROR at line 1:
ORA-01017: invalid username/password; logon denied
ORA-02063: preceding line from ORA12C_SCOTT
Although it seemed nothing wrong with the statement, we got ORA-01017 eventually.
Rationale
In 12c, IDENTIFIED BY clause treats the non-quoted password as a case-sensitive string, which is lower-cased in this case. But in 9i, IDENTIFIED BY clause treats the non-quoted password as an upper-cased one, no matter what case it is in the statement. That’s the problem.
Generally speaking, non-quoted identifiers in Oracle should be recognized as upper-cased ones and quoted identifiers are regarded as whatever they are in quotation marks. So I think Oracle make the password an exception in order to comply with some security policies, which is starting from 11g.
Solution
To solve ORA-01017, we should make the password to be saved as a lower-case one in the database link. But how? Let’s keep going.
First of all, we dropped the incorrect database link in the 9i database.
SQL> drop database link ora12c_scott;
Database link dropped.
Then we created the database link with the password quoted. The database link will save the password as it is in the double quotes.
SQL> create database link ora12c_scott connect to scott identified by "scott" using 'ORA12C';
Database link created.
Then we tested the database link again.
SQL> select sysdate from dual@ora12c_scott;
SYSDATE
---------
17-DEC-19
This time, we succeeded.
Please note that, IDENTIFIED BY clause treats non-quoted password as case-sensitive one starting from 11g.
Standby Database
Before troubleshooting error ORA-01017, please make sure that every basic portion of connection string that you provided is correct.
When switching over to the standby database by DGMGRL, ORA-01017 may cause switchover to be interrupted. But luckily, the interruptions are not serious.
There’re two error patterns for ORA-01017 in DGMGRL Switchover, one is common mistake, the other is pretty hard to troubleshoot.
- OS Authentication
- Case-Sensitive Name
1. ORA-01017 due to OS Authentication
We are able to connect to databases by OS authentication to check data guard status.
[oracle@primary-19c ~]$ dgmgrl
...
DGMGRL> connect /
Connected to "PRIMDB"
Connected as SYSDG.
For example, we can show broker configuration.
DGMGRL> show configuration verbose;
Configuration - drconf
Protection Mode: MaxPerformance
Members:
primdb - Primary database
standb - Physical standby database
Properties:
FastStartFailoverThreshold = '30'
OperationTimeout = '30'
TraceLevel = 'USER'
FastStartFailoverLagLimit = '30'
CommunicationTimeout = '180'
ObserverReconnect = '0'
FastStartFailoverAutoReinstate = 'TRUE'
FastStartFailoverPmyShutdown = 'TRUE'
BystandersFollowRoleChange = 'ALL'
ObserverOverride = 'FALSE'
ExternalDestination1 = ''
ExternalDestination2 = ''
PrimaryLostWriteAction = 'CONTINUE'
ConfigurationWideServiceName = 'COMPDB_CFG'
Fast-Start Failover: Disabled
Configuration Status:
SUCCESS
Also, we can show the status of primary or standby databases.
DGMGRL> show database primdb;
Database - primdb
Role: PRIMARY
Intended State: TRANSPORT-ON
Instance(s):
PRIMDB
Database Status:
SUCCESS
DGMGRL> show database standb;
Database - standb
Role: PHYSICAL STANDBY
Intended State: APPLY-ON
Transport Lag: 0 seconds (computed 0 seconds ago)
Apply Lag: 0 seconds (computed 0 seconds ago)
Average Apply Rate: 1.00 KByte/s
Real Time Query: ON
Instance(s):
STANDB
Database Status:
SUCCESS
But we can’t perform a switchover.
DGMGRL> switchover to standb;
Performing switchover NOW, please wait...
Operation requires a connection to database "standb"
Connecting ...
ORA-01017: invalid username/password; logon denied
Warning: You are no longer connected to ORACLE.
connect to instance "STANDB" of database "standb"
Since we provided empty credentials, the broker used the empty username and password to connect to the standby database for a switchover. That’s why we got ORA-01017.
It just like we try to connect to a database with empty credentials like this:
[oracle@primary-19c ~]$ sqlplus /@standb
...
ERROR:
ORA-01017: invalid username/password; logon denied
It’s the same pattern of ORA-01017.
Solution
Please explicitly provide user credentials (username/password pair) to connect to database in DGMGRL. Usually, we use SYS to operate switchovers in DGMGRL.
DGMGRL> connect sys@primdb;
Password:
Connected to "PRIMDB"
Connected as SYSDBA.
Then we perform a switchover.
DGMGRL> switchover to standb;
Performing switchover NOW, please wait...
Operation requires a connection to database "standb"
Connecting ...
Connected to "STANDB"
Connected as SYSDBA.
New primary database "standb" is opening...
Operation requires start up of instance "PRIMDB" on database "primdb"
Starting instance "PRIMDB"...
Connected to an idle instance.
ORACLE instance started.
Connected to "PRIMDB"
Database mounted.
Database opened.
Connected to "PRIMDB"
Switchover succeeded, new primary is "standb"
Good, no more ORA-01017.
2. ORA-01017 due to Case-Sensitive Name
This error case could be rare and complicated, but we can still learn something from it. So be patient with it.
Data Guard Configuration
Let’s check some data guard configurations before switching over to the standby database.
Check Static Service for DGMGRL in listener.ora
For switching over smoothly, we usually add a very special static service to listener for data guard broker.
Primary Server
...
SID_LIST_LISTENER=
(SID_LIST=
(SID_DESC=
(SID_NAME=primdb)
(GLOBAL_DBNAME=primdb_DGMGRL)
(ORACLE_HOME=/u01/app/oracle/product/19.0.0/dbhome_1)
)
)
Standby Server
[oracle@standby-19c ~]$ cat $ORACLE_HOME/network/admin/listener.ora
...
SID_LIST_LISTENER=
(SID_LIST=
(SID_DESC=
(SID_NAME=standb)
(GLOBAL_DBNAME=standb_DGMGRL)
(ORACLE_HOME=/u01/app/oracle/product/19.0.0/dbhome_1)
)
)
Check Listener Status
Primary Server
[oracle@primary-19c ~]$ lsnrctl status
...
Services Summary...
Service "COMPDB_CFG" has 1 instance(s).
Instance "PRIMDB", status READY, has 1 handler(s) for this service...
Service "PRIMDB" has 1 instance(s).
Instance "PRIMDB", status READY, has 1 handler(s) for this service...
Service "PRIMDBXDB" has 1 instance(s).
Instance "PRIMDB", status READY, has 1 handler(s) for this service...
Service "primdb_DGMGRL" has 1 instance(s).
Instance "primdb", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully
Standby Server
[oracle@standby-19c ~]$ lsnrctl status
...
Services Summary...
Service "COMPDB_CFG" has 1 instance(s).
Instance "STANDB", status READY, has 1 handler(s) for this service...
Service "STANDB" has 1 instance(s).
Instance "STANDB", status READY, has 1 handler(s) for this service...
Service "STANDBXDB" has 1 instance(s).
Instance "STANDB", status READY, has 1 handler(s) for this service...
Service "standb_DGMGRL" has 1 instance(s).
Instance "standb", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully
As we can see, the special static services for DGMGRL are working on both listeners.
Switchover by DGMGRL
First of all, we have to connect to the primary database in DGMGRL.
Connect to Data Guard Broker
[oracle@primary-19c ~]$ dgmgrl
...
DGMGRL> connect sys@primdb
Password:
Connected to "PRIMDB"
Connected as SYSDBA.
First Attempt of Switchover
DGMGRL> switchover to standb;
Performing switchover NOW, please wait...
Operation requires a connection to database "standb"
Connecting ...
Connected to "STANDB"
Connected as SYSDBA.
New primary database "standb" is opening...
Operation requires start up of instance "PRIMDB" on database "primdb"
Starting instance "PRIMDB"...
ORA-01017: invalid username/password; logon denied
Please complete the following steps to finish switchover:
start up instance "PRIMDB" of database "primdb"
We found ORA-01017 during switching over. It seemed that the broker tried to connect to the new standby database (former primary) PRIMDB, but it failed with ORA-01017.
No matter what cause it could be, we should startup the new standby database for data synchronization.
Startup Standby Database
We startup the instance manually by running dbstart in order to recover the data guard synchronization.
[oracle@primary-19c ~]$ dbstart
Since ORACLE_HOME is not set, cannot auto-start Oracle Net Listener.
Usage: /u01/app/oracle/product/19.0.0/dbhome_1/bin/dbstart ORACLE_HOME
Processing Database instance "PRIMDB": log file /u01/app/oracle/product/19.0.0/dbhome_1/rdbms/log/startup.log
By the way, we usually use dbstart to automatically startup the instance and the listener on system boot.
Then we checked the status.
[oracle@primary-19c ~]$ sqlplus / as sysdba
...
SQL> select name, open_mode, database_role from v$database;
NAME OPEN_MODE DATABASE_ROLE
--------- -------------------- ----------------
COMPDB READ ONLY WITH APPLY PHYSICAL STANDBY
Please note that, READ ONLY WITH APPLY is a feature of active data guard, which is called real-time query.
DGMGRL Problem Tracing
Here comes the most important part. For tracing the connection problem that caused ORA-01017 in DGMGRL, we enabled the debug mode.
Connect to Data Guard Broker
We added -debug option for DGMGRL utility to enable debug mode.
[oracle@primary-19c ~]$ dgmgrl -debug
Created directory /u01/app/oracle/product/19.0.0/dbhome_1/dataguard
DGMGRL for Linux: Release 19.0.0.0.0 - Production on Tue Aug 13 21:22:52 2019
Version 19.3.0.0.0
Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved.
Welcome to DGMGRL, type "help" for information.
DGMGRL> connect sys@primdb
Password:
[W000 2019-08-13T21:23:03.360-08:00] Connecting to database using primdb.
[W000 2019-08-13T21:23:03.361-08:00] Attempt logon as SYSDBA
[W000 2019-08-13T21:23:03.421-08:00] Successfully logged on as SYSDBA
[W000 2019-08-13T21:23:03.421-08:00] Executing query [select sys_context('USERENV','CON_ID') from dual].
[W000 2019-08-13T21:23:03.423-08:00] Query result is '0'
[W000 2019-08-13T21:23:03.423-08:00] Executing query [select value from v$parameter where name = 'db_unique_name'].
[W000 2019-08-13T21:23:03.430-08:00] Query result is 'PRIMDB'
Connected to "PRIMDB"
[W000 2019-08-13T21:23:03.431-08:00] Checking broker version [BEGIN :version := dbms_drs.dg_broker_info('VERSION'); END;].
[W000 2019-08-13T21:23:03.440-08:00] Oracle database version is '19.3.0.0.0'
Connected as SYSDBA.
We’re in debug mode of DGMGRL.
Second Attempt of Switchover
In fact, it’s a switch back operation within debug mode.
DGMGRL> switchover to primdb;
[W000 2019-08-13T21:23:39.512-08:00] <DO_MONITOR version="19.1"><VERIFY object_id="4096" level="minor"/></DO_MONITOR>
[W000 2019-08-13T21:23:39.555-08:00] <RESULT ><MESSAGE ><SUCCESS ></SUCCESS></MESSAGE><MESSAGE ><SUCCESS ></SUCCESS></MESSAGE></RESULT>
Performing switchover NOW, please wait...
[W000 2019-08-13T21:23:39.563-08:00] <DO_CONTROL version="19.1"><DO_MOVE type="Switchover" site_id="16777216"/></DO_CONTROL>
[W000 2019-08-13T21:24:09.465-08:00] <TABLE name="DG BROKER CLIENT OPERATION LIST"><DESCRIPTION ><COLUMN name="OPERATION" type="string" max_length="20"></COLUMN><COLUMN name="INSTANCE_ID" type="integer" max_length="30"></COLUMN><COLUMN name="CONNECT" type="string" max_length="4095"></COLUMN></DESCRIPTION><TR ><TD >OPENING</TD><TD >16842753</TD><TD >(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=primary-19c)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=PRIMDB_DGMGRL)(INSTANCE_NAME=PRIMDB)(SERVER=DEDICATED)))</TD></TR><TR ><TD >STARTUP</TD><TD >33619969</TD><TD >(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=standby-19c)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=STANDB_DGMGRL)(INSTANCE_NAME=STANDB)(SERVER=DEDICATED)))</TD></TR></TABLE>
New primary database "primdb" is opening...
Operation requires start up of instance "STANDB" on database "standb"
Starting instance "STANDB"...
[W000 2019-08-13T21:24:12.470-08:00] Connecting to database using (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=standby-19c)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=STANDB_DGMGRL)(INSTANCE_NAME=STANDB)(SERVER=DEDICATED))).
[W000 2019-08-13T21:24:12.470-08:00] Attempt logon as SYSDBA
ORA-01017: invalid username/password; logon denied
Please complete the following steps to finish switchover:
start up instance "STANDB" of database "standb"
In the above log, the broker tried to connect to the standby database STANDB, but it failed with ORA-01017. The best thing is that it showed the connect descriptor that it used to connect to the database.
(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=standby-19c)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=STANDB_DGMGRL)(INSTANCE_NAME=STANDB)(SERVER=DEDICATED)))
Please note that, the service name used to connect is a static service. That is to say, we can connect the database with the static service, no matter it is idle, nomount or restricted as long as the listener is up.
Test the Connect Descriptor
We used sqlplus to test the connect descriptor. Let’s see how I use it.
[oracle@primary-19c ~]$ sqlplus sys@"(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=standby-19c)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=STANDB_DGMGRL)(INSTANCE_NAME=STANDB)(SERVER=DEDICATED)))" as sysdba
SQL*Plus: Release 19.0.0.0.0 - Production on Tue Aug 13 21:28:30 2019
Version 19.3.0.0.0
Copyright (c) 1982, 2019, Oracle. All rights reserved.
Enter password:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
Oh, it’s true, I cannot connect to the database with the connect descriptor. The connection failed with ORA-01017.
It looked like that it can reach the right listener and find the right Oracle home (ORACLE_HOME), but it cannot find the right instance (SID_NAME) to enter.
What’s wrong? What the difference between the connect descriptor and the listener configuration? Can you tell?
Startup Standby Database
Although we are in troubleshooting, we still need to startup the instance as soon as possible in order to recover the data guard synchronization.
[oracle@standby-19c ~]$ dbstart
Since ORACLE_HOME is not set, cannot auto-start Oracle Net Listener.
Usage: /u01/app/oracle/product/19.0.0/dbhome_1/bin/dbstart ORACLE_HOME
Processing Database instance "STANDB": log file /u01/app/oracle/product/19.0.0/dbhome_1/rdbms/log/startup.log
[oracle@standby-19c ~]$ sqlplus / as sysdba
...
SQL> select name, open_mode, database_role from v$database;
NAME OPEN_MODE DATABASE_ROLE
--------- -------------------- ----------------
COMPDB READ ONLY WITH APPLY PHYSICAL STANDBY
Solution
A tiny difference I found is that the names used in the connect descriptor by the broker are all upper-cased, but the names for static service in listener.ora are lower-cased. Could it be the cause to ORA-01017?
Modify listener.ora
It seemed a little stupid, but I still changed all names in upper-case on both listener configurations to comply with the broker’s behaviors.
Primary Server
[oracle@primary-19c ~]$ vi $ORACLE_HOME/network/admin/listener.ora
...
SID_LIST_LISTENER=
(SID_LIST=
(SID_DESC=
(SID_NAME=PRIMDB)
(GLOBAL_DBNAME=PRIMDB_DGMGRL)
(ORACLE_HOME=/u01/app/oracle/product/19.0.0/dbhome_1)
)
)
Then we restarted the listener.
[oracle@primary-19c ~]$ lsnrctl stop; lsnrctl start
...
[oracle@primary-19c ~]$ lsnrctl status
...
Services Summary...
Service "COMPDB_CFG" has 1 instance(s).
Instance "PRIMDB", status READY, has 1 handler(s) for this service...
Service "PRIMDB" has 1 instance(s).
Instance "PRIMDB", status READY, has 1 handler(s) for this service...
Service "PRIMDBXDB" has 1 instance(s).
Instance "PRIMDB", status READY, has 1 handler(s) for this service...
Service "PRIMDB_DGMGRL" has 1 instance(s).
Instance "PRIMDB", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully
Standby Server
[oracle@standby-19c ~]$ vi $ORACLE_HOME/network/admin/listener.ora
...
SID_LIST_LISTENER=
(SID_LIST=
(SID_DESC=
(SID_NAME=STANDB)
(GLOBAL_DBNAME=STANDB_DGMGRL)
(ORACLE_HOME=/u01/app/oracle/product/19.0.0/dbhome_1)
)
)
Then we restarted the listener.
[oracle@standby-19c ~]$ lsnrctl stop; lsnrctl start
...
[oracle@standby-19c ~]$ lsnrctl status
...
Services Summary...
Service "COMPDB_CFG" has 1 instance(s).
Instance "STANDB", status READY, has 1 handler(s) for this service...
Service "STANDB" has 1 instance(s).
Instance "STANDB", status READY, has 1 handler(s) for this service...
Service "STANDBXDB" has 1 instance(s).
Instance "STANDB", status READY, has 1 handler(s) for this service...
Service "STANDB_DGMGRL" has 1 instance(s).
Instance "STANDB", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully
Third Attempt of Switchover
[oracle@primary-19c ~]$ dgmgrl
...
DGMGRL> connect sys@primdb
Password:
Connected to "PRIMDB"
Connected as SYSDBA.
DGMGRL> switchover to standb;
Performing switchover NOW, please wait...
Operation requires a connection to database "standb"
Connecting ...
Connected to "STANDB"
Connected as SYSDBA.
New primary database "standb" is opening...
Operation requires start up of instance "PRIMDB" on database "primdb"
Starting instance "PRIMDB"...
Connected to an idle instance.
ORACLE instance started.
Connected to "PRIMDB"
Database mounted.
Database opened.
Connected to "PRIMDB"
Switchover succeeded, new primary is "standb"
Good, we switch over to the standby database smoothly. Try to switch back to the primary database.
DGMGRL> switchover to primdb;
Performing switchover NOW, please wait...
Operation requires a connection to database "primdb"
Connecting ...
Connected to "PRIMDB"
Connected as SYSDBA.
New primary database "primdb" is opening...
Operation requires start up of instance "STANDB" on database "standb"
Starting instance "STANDB"...
Connected to an idle instance.
ORACLE instance started.
Connected to "STANDB"
Database mounted.
Database opened.
Connected to "STANDB"
Switchover succeeded, new primary is "primdb"
To my surprise, ORA-01017 in this case turned out to be an instance name mismatch problem caused by case-sensitive SID_NAME in listener.ora.
Please note that, the key action to troubleshoot the problem is to enable debug mode of DGMGRL to check any clues related to the database connection.
RMAN Duplication
Before troubleshooting error ORA-01017, please make sure that every portion of connection string that you provided is correct.
I tried to connect both primary and standby database by RMAN. But it failed with ORA-01017 error.
[oracle@primary01 ~]$ rman target sys@primdb auxiliary sys@standb
Recovery Manager: Release 11.2.0.4.0 - Production on
Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.
target database Password:
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-00554: initialization of internal recovery manager package failed
RMAN-04005: error from target database:
ORA-01017: invalid username/password; logon denied
I am pretty sure that my parameters are fine, so here is my solution: overwrite current password of sys, and then transport the password file to the standby server.
[oracle@primary01 ~]$ sqlplus / as sysdba
...
SQL> show parameter password
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
remote_login_passwordfile string EXCLUSIVE
SQL> alter user sys identified by password;
User altered.
Transport the password file to the standby server.
[oracle@standby01 ~]$ scp -p primary01:/u01/app/oracle/product/11.2.0.4/dbhome_1/dbs/orapwcompdb /u01/app/oracle/product/11.2.0.4/dbhome_1/dbs/
Now, we can connect both database by RMAN.
ORA-01017 is one of the common error seen while connecting to oracle database.
Here is what documentation says about this error
Here are the checklist to run to resolve the ORA-01017: invalid username/password
(1)The main issue with an ORA-01017 error is an invalid user ID and passwords combination. You have to make sure ,you are entering the right password
In-case the target system is 11g, the password can be Case sensitive
You can check the parameter in the system
SQL> SHOW PARAMETER SEC_CASE_SENSITIVE_LOGON NAME TYPE VALUE ------------------------------------ ----------- ------------------------------ sec_case_sensitive_logon boolean TRUE SQL>
When the above parameter is set to true, the case sensitivity is on, You may disable it and check the connection again
SQL> ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON = FALSE; System altered.
And the try connecting. If it works , then you know the case sensitivity is the problem, you may want to alter the user password and write it somewhere to remember the case -sensitive password and then again enable the system parameter
SQL> ALTER user test identified by TEST1; User altered. SQL> ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON = TRUE; System altered.
(2) It may be that the user ID is invalid for the target system . Check if the user ID exists as the username column in the dba_users view.
select username from dba_users where username ='<user name>';
(3) Check your $ORACLE_SID or $TWO_TASK environmental parameter. If your $ORACLE_SID is set to the wrong database then you may get a ORA-01017 error because you are connecting to the wrong oracle database.
(4) Check your tnsnames.ora to ensure that the TNS service is pointing to right database. You can use tnsping command to check that also
TNS Ping Utility for Linux: Version 11.2.0.4.0 - Production on 22-JUNE-2016 23:01:06 Copyright (c) 1997, 2014, Oracle. All rights reserved. Used parameter files: /oracle/product/11.2.0.4/network/admin/sqlnet.ora Used TNSNAMES adapter to resolve the alias Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = techgoeasy.com)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = TEST))) OK (0 msec)
(5) You may get ORA-01017 error in dataguard environment and standby environment also
Make sure SYS user password is same on both the Primary and standby side. Create the oracle password file using orapwd with same password on both the primary and standby side
With Oracle database 12c, in case Primary RAC database,we need to have password file at shared location
orapwd file='+DATA/TEST/PASSWORDFILE/oraTEST' entries=10 dbuniquename=TEST password=<sys pass>
(6) Sometimes ,there could be other reason for the error and ORA-01017 is misleading error.
You can trace the call stack by using truss or trace command
Linux: strace -o /tmp/strace_user.output -cfT sqlplus Scott/[email protected] AIX, Solaris: truss -fea -o /tmp/truss_user.output sqlplus scott/[email protected] HP-UX: tusc -afpo /tmp/tusc_user.output -aef sqlplus scott/[email protected]
(7) This error can be encountered during RMAN active duplication also
Cause The SYS password is not the same between the original/source database and auxiliary/duplicate database.
SOLUTION Perform the following steps:
1) Copy the password file from the original/source database to the auxiliary/duplicate database.
2) Run the following OS command "cksum" to check whether the password files are the same on both the original/source database and auxiliary/duplicate database.
cksum {password_file_name}
(8) Case-Insensitive Passwords and ORA-1017 Invalid Username or Password
The Oracle Database 12c release 2 (12.2) default authentication protocol is 12 (Exclusive Mode). This protocol requires case-sensitive passwords for authentication. Review your options if you have earlier release password versions.
Starting with Oracle Database 12c release 2 (12.2), the default value for the SQLNET.ORA parameter ALLOWED_LOGON_VERSION_SERVER is changed to 12. This parameter refers to the logon authentication protocol used for the server, not the Oracle Database release.
By default, Oracle no longer supports case-insensitive password-based authentication; only the new password versions (11G and 12C) are allowed. The case-insensitive 10G password version is no longer generated.
If you have accounts that require 10G password versions, then to prevent accounts using that password version from being locked out of the database, you can change from an Exclusive Mode to a more permissive authentication protocol.
Password version can be checked as
select username,password_version from dba_users;
Log in as an administrator.
Edit the SQLNET.ORA file to change the SQLNET.ALLOWED_LOGON_VERSION_SERVER setting from the default, 12, to 11 or lower. For example:
SQLNET.ALLOWED_LOGON_VERSION_SERVER=11
(9) ORA-01017 using “sqlplus / as sysdba”
This can happen if the OS user where you are trying to use the above command is not member of dba group.
Make sure the OS user is part of DBA group.
Also check the sqlnet.ora .if you have sqlnet.authentication_services=none ,then also you may get this error
Hope you like the content on ORA-01017 invalid username/password
Related articles
ORA-00911 : This post is for common causes of ORA-00911: invalid character in oracle with examples and resolution to help you complete the job
ORA-29913 :troubleshooting tips for the ORA errors like ora-29913: error in executing odciexttableopen callout, ora-29913: error in executing odciexttablefetch callout
ORA-00257 :Learn how to troubleshoot for ORA-00257 archiver error. Connect internal only error.Various resolution and example provided in step by step manner.
alter user identified by values : Learn about Oracle password ,stored in database, algorithm , how to login as user without changing the oracle password using alter user identified by values
ORA-28000 :ORA-28000 the account is locked is very common error. Check out this post on how to solve it step by step easily without any issues
ORA-00904 :This post for the description and possible solutions of ORA-00904: invalid identifier.troubleshooting tips is also provided
ORA-28002 :This post in on how to resolve ORA-28002 the password will expire. What can be done to altogether avoid it by creating new profile
Oracle 12.2 Documentation
ORA-01017: invalid username/password; logon denied error occurs when an invalid username or password was submitted in an attempt to connect on to Oracle. The ORACLE username and password should be the same as those specified in the GRANT CONNECT statement. The connect statement uses the username/password format for username and password. It’s possible that the username, password, or both are incorrect. The error ORA-01017: invalid username/password; logon denied will be fixed if the correct user name and password are used to connect to the Oracle server.
While attempting to connect to the database, the user name or password may be invalid or misspelt. Passwords in Oracle 11g and later are case sensitive. It’s possible that the password was created before to 11g, and the error ORA-01017: invalid username/password; logon denied occurred after the update. The error will be fixed if you define the password as case sensitive. It’s possible that the connection string contains incorrect database connection information. In the database link setup, double-check all of the settings.
The Problem
The database connection string is used to connect to the database in Oracle when you want to make a database connection. Oracle database could not create a connection using the string if improper connection settings were added to connect to the database. It’s possible that the user name or password is wrong. It’s possible that the database settings or database connection link setup is improper or faulty. The error ORA-01017: invalid username/password; logon denied is going to be thrown.
[oracle@localhost ~]$ sqlplus sys as sysdba
SQL*Plus: Release 19.0.0.0.0 - Production on Wed Apr 6 20:37:22 2022
Version 19.3.0.0.0
Copyright (c) 1982, 2019, Oracle. All rights reserved.
Enter password:
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
SQL> conn hr/hr1
ERROR:
ORA-01017: invalid username/password; logon denied
SQL> Solution 1
An error ORA-01017: invalid username/password; logon denied will appear if you attempt to connect to an Oracle database with an incorrect password. It’s possible that the password is wrong or that the password has been deactivated. The oracle database connection could not be made if you used an invalid password. Double-check that the password is accurate. If you forget your password, use the system user password to reset it. Alternatively, you can contact your database administrator to have the database user password reset.
[oracle@localhost ~]$ sqlplus sys as sysdba
SQL*Plus: Release 19.0.0.0.0 - Production on Wed Apr 6 20:37:22 2022
Version 19.3.0.0.0
Copyright (c) 1982, 2019, Oracle. All rights reserved.
Enter password:
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
SQL> alter user hr identified by hr;
User altered.
SQL> Solution 2
The Oracle database will give an error if you supply an incorrect user name. To connect to the Oracle database, the correct user name must be specified in the connection command. The error ORA-01017: invalid username/password; logon denied will be issued if an incorrect user name is provided, or if the user name does not exist or was not created in the Oracle database. Ascertain that the database user exists and is accessible in the Oracle database.
select USERNAME, PASSWORD_VERSIONS from DBA_USERS where USERNAME='HR';Output
USERNAME PASSWORD_VERSIONS
---------------------------
HR 11G 12C Solution 3
It’s possible that you’re using an earlier version of Oracle than Oracle 11g. You’ve now updated to Oracle 11g or higher. The database fails to create a database connection with the same database credentials after the update. From Oracle 11g onwards, the password is case sensitive. If you’re using an older Oracle version, you can use case-insensitive passwords. Since the update version, the password has been failing. The error ORA-01017: invalid username/password; logon denied will be resolved if the password is changed to be case sensitive or if the existing password is reset.
show parameter sec_case;Output
NAME TYPE VALUE
------------------------ ------- -----
sec_case_sensitive_logon boolean TRUE [oracle@localhost ~]$ sqlplus sys as sysdba
SQL*Plus: Release 19.0.0.0.0 - Production on Wed Apr 6 20:37:22 2022
Version 19.3.0.0.0
Copyright (c) 1982, 2019, Oracle. All rights reserved.
Enter password:
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
SQL> conn hr/hrSolution 4
If you’re experiencing this error ORA-01017: invalid username/password; logon denied while executing a query but have previously signed in to the database, it’s possible that your query utilises a database link and the database link’s connection details are wrong. To determine if the database link is functional, perform a basic query against it. Check the following details before connecting to the database
hostname : localhost
port : 1521
sid : orcl (any one Sid or service name)
service name : xe
user name : hr
password : hrSolution 5
A list of service ID information for your databases may be found in the tnsnames.ora file. Open the file and double-check that the information, such as the service name and ID, is valid. Make any required adjustments to the database connection string or the tnsnames.ora file if any information from the file differs from the database connection string.This will resolve the error ORA-01017: invalid username/password; logon denied
ORA-01017: invalid username/password; logon denied :
In my previous articles, I have given the basic idea about the most common errors in Oracle. There are lot of common errors in oracle, which has been searched thousands of times on google.OrA-01017 is most common error which has been search approximately 15000 times on google.ORA-01017 is very common error occurred during the log in of oracle application. When user enters the wrong username and password system denies logging in and oracle fires the ORA-01017: invalid username/password error. That is not the only reason for which this error will come. There might be several possible reasons for this error like, permissions (grants), tnsnames.ora, improper connection string or configuration of sqlnet.ora file.
Why this error will come?
The ORA-01017 error is another most common error that will come because of wrong username and password entry. Most of the times the user will get this error in spite of entering correct username and password. Following is the list of possible reasons of this error:
1.Wrong username or password:
The most possible reason of this error is entering wrong username or entering wrong password while connecting with the database.
2.Entering Incorrect user ID:
The userid must present in dba_users table.If the userid is not present in this table then the 01017 error will come.
3.ORACLE_SID parameters :
DBA needs to check ORACLE_SID parameters.If the ORACLE_SID parameters set to wrong system id this error will come
4.tnsnames.ora file issue :
Check the tnsnames.ora file to ensure that tns server will point to correct server.
5.External user authentication :
If you are using external OS user authentication then we need to verify the valid user id.
NO TIME TO READ CLICK HERE TO GET THIS ARTICLE
Resolution of this error:
User needs to check different parameters to resolve this error. Following are the possible resolutions of this error:
1.Enter correct username and password:
The first and most important possible solution to resolve this error is try entering correct username and password and try to connect the database server. Most of the times because of entering wrong password this error will come. Try altering password using following statement:
ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON = FALSE;
2.Privilege issue:
There might be the user privilege issue for that user. So try giving all privileges to the user, which you tires to connect. You can use following statement to give all privileges:
Grant all to username;
3.Correct ORACLE_SID parameters :
ORACLE_SID parameter setting is also most critical part to resolve this error.So try setting correct system id for ORACLE_SID environmental parameters.
4.Check user is Entering correct username :
Most of times user is not entering correct username while connecting to the database. For checking the username use following statement :
Select user_name from dba_users where user_name=’Name of user entered to connect’;
5.External authentication user :
For external authentication user we need to connect the database using following statement :
User / password
Example :
Connect sys/as sysdba;
6.tnsnames.ora :
Check the connection string entered in tnsnames.ora. tnsnames should always point to correct server and correct instance.If user fails to insert correct instance name then userid and password may not exist in database. So check for correct instance is entered or not in tnsnames.ora file.
May 3, 2021
I got ” ORA-01017: invalid username/password; logon denied ” error in Oracle database.
ORA-01017: invalid username/password; logon denied
Details of error are as follows.
ORA-01017: invalid username/password; logon denied Cause: An invalid username or password was entered in an attempt to log on to Oracle. The username and password must be the same as was specified in a GRANT CONNECT statement. If the username and password are entered together, the format is: username/password. Action: Enter a valid username and password combination in the correct format.
invalid username/password; logon denied
This ORA-01017 errors are related with the invalid username or password was entered in an attempt to log on to Oracle.
The username and password must be the same as was specified in a GRANT CONNECT statement.
If the username and password are entered together, the format is: username/password.
Enter a valid username and password combination in the correct format.
Sometimes this error is get because of Oracle 11g credentials are case sensitive.
Try to set SEC_CASE_SENSITIVE_LOGON false again, then and alter password again as follows..
ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON = FALSE; ALTER USER USERNAME IDENTIFIED BY "PASSWORD";
If you got this error for DBA or SYSDBA users, you can recreate the password file with ignorecase=Y option as follows.
orapwd file=orapwtestdb password=sys entries=100 ignorecase=Y
Sometimes this error is get bacause of Incorrect $ORACLE_SID, so check your $ORACLE_SID parameter. If your $ORACLE_SID is set to the wrong system ID then you may get a ORA-01017 error because you are connecting to the wrong instance.
The credentials provided when connecting remotely as sysdba are compared to the contents of the passwordfile.
Password file authentication is enabled by setting the database parameter remote_login_password file to “shared” or “exclusive”.
SQL> alter system set remote_login_passwordfile=exclusive scope=spfile;
ORA-01017: invalid username/password; logon denied after upgrade to 19C
In Oracle 12c or upper version, you should use case sensitivity for that parameter value is true. Make SEC_CASE_SENSITIVE_LOGON = TRUE for setting case sensitivity.
Then , Edit the SQLNET.ora file and lower the default value of parameter SQLNET.ALLOWED_LOGON_VERSION_SERVER to a lower version (19)
edit sqlnet.ora as follows then restart the listener, then try again.
cat sqlnet.ora # sqlnet.ora.vfxjdbadm01 Network Configuration File: /u01/app/19.0.0.0/grid/network/admin/sqlnet.ora.vfxjdbadm01 # Generated by Oracle configuration tools. NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT) SQLNET.EXPIRE_TIME=10 # sqlnet.ora.vfxidb01 Network Configuration File: /u01/app/12.2.0.1/grid/network/admin/sqlnet.ora.vfxidb01 # Generated by Oracle configuration tools. NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT) SQLNET.ALLOWED_LOGON_VERSION_SERVER=8 SQLNET.ALLOWED_LOGON_VERSION_CLIENT=8
Do you want to learn Oracle Database for Beginners, then read the following articles.
Oracle Tutorial | Oracle Database Tutorials for Beginners ( Junior Oracle DBA )
1,318 views last month, 1 views today
About Mehmet Salih Deveci
I am Founder of SysDBASoft IT and IT Tutorial and Certified Expert about Oracle & SQL Server database, Goldengate, Exadata Machine, Oracle Database Appliance administrator with 10+years experience.I have OCA, OCP, OCE RAC Expert Certificates I have worked 100+ Banking, Insurance, Finance, Telco and etc. clients as a Consultant, Insource or Outsource.I have done 200+ Operations in this clients such as Exadata Installation & PoC & Migration & Upgrade, Oracle & SQL Server Database Upgrade, Oracle RAC Installation, SQL Server AlwaysOn Installation, Database Migration, Disaster Recovery, Backup Restore, Performance Tuning, Periodic Healthchecks.I have done 2000+ Table replication with Goldengate or SQL Server Replication tool for DWH Databases in many clients.If you need Oracle DBA, SQL Server DBA, APPS DBA, Exadata, Goldengate, EBS Consultancy and Training you can send my email adress [email protected].- -Oracle DBA, SQL Server DBA, APPS DBA, Exadata, Goldengate, EBS ve linux Danışmanlık ve Eğitim için [email protected] a mail atabilirsiniz.
Have you gotten an ORA-01017 error in your Oracle database? Learn what caused it and how you can resolve it in this article.
So you’re trying to connect to a database or run a query across a database link, and you get this message:
ORA-01017: invalid username/password; logon denied
There are a few reasons that you can get this error:
- Your username or password is actually incorrect
- The database configuration is not correct (tnanames.ora, $ORACLE_SID parameter)
Now, let’s look at the solution to this error.
ORA-01017 Solution
There are a few ways to resolve the ORA-01017 error:
- Check the username and password are correct
- Oracle 11g passwords are case sensitive, so ensure that your connection string caters for this
- Check the database link setup if you’re using a database link
Ensure that the Username and Password are Correct
It seems like an obvious step, but make sure that the username and password you’re entering are correct.
If you have them stored somewhere else, make sure you’re looking up the right password.
Also, try entering the username and password manually instead of copying and pasting (or vice versa) to make sure there are no issues with carriage returns or strange characters.
Case Sensitive Passwords in Oracle 11g
If you’re connecting to an Oracle 11g database, the passwords are case-sensitive.
This was a new feature introduced in Oracle 11g. It’s a database setting that can be turned on and off, but if it’s on, you’ll need to treat your connection string differently.
To fix this, you can specify your password inside double quotes when connecting to the database.
For example, if your password is “DatabaseStar”, and you’re connecting to a database like this, you’ll get an error:
CONN bob/databasestar;To resolve this error, specify the password in double quotes:
CONN bob/"DatabaseStar";Check the Database Link Setup
If you’re getting this error while running a query, but you’ve already logged in to the database, it might be because your query uses a database link, and the connection details for the database link are incorrect.
To check the database link, you can run a simple query against it to see if it works.
You can then check the connection string to make sure that the user is correct, and that the password is case sensitive (if you’re using an Oracle 11g database).
If you’re connecting to an Oracle 11g database but running the query from a 10g or earlier version, the case sensitivity still applies. It’s related to the database you’re connecting to, not from.
Using the earlier example, if you specify your password in the connection string as DatabaseStar, you’ll get an error.
This is because the password of DatabaseStar is converted to uppercase, which will be DATABASESTAR. This is then checked against the stored value of DatabaseStar, and is found to be different.
To resolve it, put your password inside double quotes.
CONNECT TO order_database IDENTIFIED BY bob USING "DatabaseStar";So, check these things for your database connection string.
Check Your TNSNAMES.ORA File
Your TNSNAMES.ORA file contains a list of service ID information for your databases.
You could be getting this ORA-01017 error if the information in that file is incorrect.
Open the file and check that this information is correct, such as the service name and ID.
So, that’s how you can check for and resolve any ORA-01017 invalid username/password issues.
Lastly, if you enjoy the information and career advice I’ve been providing, sign up to my newsletter below to stay up-to-date on my articles. You’ll also receive a fantastic bonus. Thanks!