How to create a new ASM password
How to recreate shared ASM password file in 12c GI cluster (Doc ID 1929673.1)
APPLIES TO:
Oracle Database - Enterprise Edition - Version 12.1.0.2 to 12.2.0.1 [Release 12.1 to 12.2]
Information in this document applies to any platform.
GOAL
This note provides the steps to recreate the shared ASM password file in 12c Flex ASM.
SOLUTION
1. Back up the password file
ASMCMD> pwcopy +DATA/orapwASM /tmp/asm.pwd
copying +DATA/orapwASM -> /tmp/asm.pwd
2. If there is an issue with the password file, restore it as below
ASMCMD> pwcopy --asm /tmp/asm.pwd +DATA/orapwASM -f
copying /tmp/asm.pwd -> +DATA/orapwASM
ASMCMD> ls -l
Type      Redund  Striped  Time             Sys  Name
                                            N    ASM/
                                            N    _mgmtdb/
                                            Y    cehaovm-cluster/
PASSWORD  UNPROT  COARSE   SEP 19 09:00:00  N    orapwasm => +DATA/ASM/PASSWORD/pwdasm.257.955101541
For 12c R1
Step 1: Create ASM password file with sys and asmsnmp user
ASMCMD> orapwusr --grant sysasm sys
ASMCMD> orapwusr --add asmsnmp
Enter password: ********
ASMCMD> orapwusr --grant sysdba asmsnmp
If "pwcreate" fails with ORA-15005, delete the existing password file first:
Step 2: Find out user name and password for CRSD to connect
$ crsctl query credmaint -path ASM/Self -credtype userpass
Path Credtype ID Attrs
/ASM/Self/c6d161f1b2106fd6ff51c756aa846819userpass 0 create_time=2014-09-16 00:05:52, modify_time=2014-09-16 00:05:52, expiration_time=NEVER,bootstrap=FALSE
Note: First column "path" in the output will be used in the next two commands
$ crsctl get credmaint -path /ASM/Self/c6d161f1b2106fd6ff51c756aa846819 -credtype userpass -id 0 -attr user -local
crsuser__asm_001 ====>> this is the user name
$ crsctl get credmaint -path /ASM/Self/c6d161f1b2106fd6ff51c756aa846819 -credtype userpass -id 0 -attr passwd -local
hKcb3TMBj3y3Im7Mx2Uifvx8LZ8PP ====>> this is the password
Step 3: Create the user for CRSD to connect
Enter password: *****************************
ASMCMD> orapwusr --grant sysdba crsuser__asm_001
ASMCMD> orapwusr --grant sysasm crsuser__asm_001
Step 4: Confirm list of users
Username sysdba sysoper sysasm
SYS TRUE TRUE TRUE
CRSUSER__ASM_001 TRUE FALSE TRUE
ASMSNMP TRUE FALSE FALSE
If the procedure is not followed, then after the ASM password file is recreated, ora.crsd will not start on the non-local node, because the ora.storage resource fails with the following errors in <ADR_HOME>/crs/<node>/crs/trace/ohasd_orarootagent_root.trc:
2014-09-09 00:04:34.060702*:kgfn.c@6286: kgfnConnect2Int: OCISessionBegin failed
2014-09-09 00:04:34.060702*:kgfn.c@1606: kgfnRecordErrPriv: status=-1 at kgfn.c:6370
2014-09-09 00:04:34.060702*:kgfn.c@1652: kgfnRecordErrPriv: 1017 error=ORA-01017: invalid username/password; logon denied
OR
2014-09-24 22:11:41.799924*:kgfn.c@6200: kgfnConnect2Int: OCISessionBegin failed
2014-09-24 22:11:41.799924*:kgfn.c@1602: kgfnRecordErrPriv: status=-1 at kgfn.c:6284
2014-09-24 22:11:41.799924*:kgfn.c@1648: kgfnRecordErrPriv: 1031 error=ORA-01031: insufficient privileges
NOTE: As per Bug 25847218, the above procedure is only applicable to Flex ASM configurations.
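The two trace excerpts above can be detected and told apart with a small scan of the trace file. This is an added example, not part of the Oracle note; the function name and the hint strings are this example's own, and the sample lines are the ones quoted above.

```shell
#!/bin/sh
# scan_asm_logon_failures: read an ohasd_orarootagent_root.trc-style trace on
# stdin, print one summary line per ORA code found in kgfnRecordErrPriv records,
# and return 1 if any was found (0 for a clean trace).
scan_asm_logon_failures() {
    awk '
        /kgfnRecordErrPriv:.*error=ORA-[0-9]+/ {
            code = $0
            sub(/.*error=/, "", code); sub(/:.*/, "", code)   # -> ORA-01017
            ts = $1 " " $2
            sub(/\*.*/, "", ts)                               # drop "*:kgfn.c@..." suffix
            if (!(code in count)) { order[++k] = code; first[code] = ts }
            count[code]++
        }
        END {
            # Hints are an interpretation of the ORA message text made by this
            # example (assumption), not wording taken from the note.
            hint["ORA-01017"] = "recheck-crsuser-password"
            hint["ORA-01031"] = "recheck-sysdba-sysasm-grants"
            for (i = 1; i <= k; i++) {
                c = order[i]
                h = (c in hint) ? hint[c] : "unclassified"
                printf "%s count=%d first=%s hint=%s\n", c, count[c], first[c], h
            }
            exit (k > 0)
        }'
}

# Sample input: the trace lines quoted in the note, embedded so this runs offline.
SAMPLE_TRACE='2014-09-09 00:04:34.060702*:kgfn.c@6286: kgfnConnect2Int: OCISessionBegin failed
2014-09-09 00:04:34.060702*:kgfn.c@1606: kgfnRecordErrPriv: status=-1 at kgfn.c:6370
2014-09-09 00:04:34.060702*:kgfn.c@1652: kgfnRecordErrPriv: 1017 error=ORA-01017: invalid username/password; logon denied
2014-09-24 22:11:41.799924*:kgfn.c@6200: kgfnConnect2Int: OCISessionBegin failed
2014-09-24 22:11:41.799924*:kgfn.c@1602: kgfnRecordErrPriv: status=-1 at kgfn.c:6284
2014-09-24 22:11:41.799924*:kgfn.c@1648: kgfnRecordErrPriv: 1031 error=ORA-01031: insufficient privileges'

printf '%s\n' "$SAMPLE_TRACE" | scan_asm_logon_failures || echo "ASM logon failures present in trace"
```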
For 12c R2
Step 1: Create ASM password file with sys and asmsnmp user
Username sysdba sysoper sysasm
SYS TRUE TRUE TRUE
CRSUSER__ASM_001 TRUE FALSE TRUE
ASMSNMP TRUE FALSE FALSE
$ asmcmd pwget --asm
+DATA/orapwASM
ASMCMD> pwcopy +DATA/orapwASM /tmp/asm.pwd
copying +DATA/orapwASM -> /tmp/asm.pwd
ASMCMD> pwcreate --asm +DATA/orapwASMnew 'welcome@1' -f
ASMCMD> pwget --asm
+DATA/orapwasmnew
ASMCMD> lspwusr
Username sysdba sysoper sysasm
SYS TRUE TRUE FALSE
ASMCMD> orapwusr --grant sysasm SYS
ASMCMD> orapwusr --add ASMSNMP
Enter password: *********<<<<<<<<<<<<<<<<<<<<<welcome@1
ASMCMD> orapwusr --grant sysdba ASMSNMP
ASMCMD> lspwusr
Username sysdba sysoper sysasm
SYS TRUE TRUE TRUE
ASMSNMP TRUE FALSE FALSE
Step 2: Find out user name and password for CRSD to connect. Starting from 12.2, "query credmaint" will not work, as per design
Path Credtype ID Attrs
credmaint is an internal option and therefore undocumented. It is used by internal scripts in configuring various services.
Dump the OCR contents as below
$ $GRID_HOME/bin/ocrdump /tmp/ocr.dmp
PROT-310: Not all keys were dumped due to permissions.
$ vi /tmp/ocr.dmp
--Search for below
[SYSTEM.ASM.CREDENTIALS.USERS.CRSUSER__ASM_001]
ORATEXT : 3889b62c95b64f9bffae7aa8eaa6001d:oracle<<<<<<<<<<<<<<<<<<<<<<This is our credential to retrieve the password
SECURITY : {USER_PERMISSION : PROCR_ALL_ACCESS, GROUP_PERMISSION : PROCR_READ, OTHER_PERMISSION : PROCR_NONE, USER_NAME : oracle, GROUP_NAME : oinstall}
$ crsctl get credmaint -path /ASM/Self/3889b62c95b64f9bffae7aa8eaa6001d -credtype userpass -id 0 -attr user -local
CRSUSER__ASM_001
$ crsctl get credmaint -path /ASM/Self/3889b62c95b64f9bffae7aa8eaa6001d -credtype userpass -id 0 -attr passwd -local
VWadlWRmYlAc9hfKGuVslNz4XANSl<<<<<<<<<This is the password
Step 3: Create the user for CRSD to connect
Enter password: *****************************<<<<<<<<Password taken from Step 2
ASMCMD> lspwusr
Username sysdba sysoper sysasm
SYS TRUE TRUE TRUE
ASMSNMP TRUE FALSE FALSE
CRSUSER__ASM_001 FALSE FALSE FALSE
ASMCMD> orapwusr --grant sysdba CRSUSER__ASM_001
ASMCMD> orapwusr --grant sysasm CRSUSER__ASM_001
ASMCMD> lspwusr
Username sysdba sysoper sysasm
SYS TRUE TRUE TRUE
ASMSNMP TRUE FALSE FALSE
CRSUSER__ASM_001 TRUE FALSE TRUE
[oracle@cehaovmsp1003 ~]$ srvctl config asm
ASM home: <CRS home>
Password file: +DATA/orapwasmnew
Backup of Password file:
ASM listener: LISTENER
ASM instance count: 3
Cluster ASM listener: ASMNET1LSNR_ASM
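The final lspwusr listing is what CRSD depends on, so it is worth checking mechanically against the privilege matrix shown in Step 4 (12c R1) and at the end of Step 3 (12c R2). The following shell function is an added example, not part of the Oracle note; the name check_pwusers and the sample listings are constructed here, modelled on the output shown above.

```shell
#!/bin/sh
# Required grants, copied from the final lspwusr listing in the note (user:privilege).
REQUIRED="SYS:sysdba SYS:sysoper SYS:sysasm ASMSNMP:sysdba CRSUSER__ASM_001:sysdba CRSUSER__ASM_001:sysasm"

# check_pwusers: read lspwusr output on stdin, print each required grant that is
# not TRUE, and return 0 only when none is missing (empty input fails).
check_pwusers() {
    awk -v required="$REQUIRED" '
        # Header row: map column position to privilege name.
        toupper($1) == "USERNAME" {
            for (i = 2; i <= NF; i++) col[i] = tolower($i)
            hdr = 1; next
        }
        # User rows: remember every user:privilege pair marked TRUE.
        hdr {
            for (i = 2; i <= NF; i++)
                if ($i == "TRUE") have[toupper($1) ":" col[i]] = 1
        }
        END {
            n = split(required, want, " ")
            for (k = 1; k <= n; k++)
                if (!(want[k] in have)) { print "MISSING " want[k]; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample input, modelled on the listings in the note.
# BEFORE: CRSUSER__ASM_001 has been added but not yet granted anything.
SAMPLE_BEFORE='Username sysdba sysoper sysasm
SYS TRUE TRUE TRUE
ASMSNMP TRUE FALSE FALSE
CRSUSER__ASM_001 FALSE FALSE FALSE'
# AFTER: the state the procedure ends with.
SAMPLE_AFTER='Username sysdba sysoper sysasm
SYS TRUE TRUE TRUE
ASMSNMP TRUE FALSE FALSE
CRSUSER__ASM_001 TRUE FALSE TRUE'

printf '%s\n' "$SAMPLE_BEFORE" | check_pwusers || echo "not ready: required grants missing"
printf '%s\n' "$SAMPLE_AFTER" | check_pwusers && echo "ok: all required grants present"
```

On a live cluster the same check can be fed with `asmcmd lspwusr | check_pwusers`.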
REFERENCES
BUG:19675509 - ORA-1017 ORA-15077 COULD NOT START CRSD AFTER CHANGING ASM PASSWD
BUG:25847218 - CREDENTIALS NOT CREATED FOR NEW ASM USER IN OCR CAUSING CRS-10407
NOTE:2256199.1 - PRVG-10091 : failed to retrieve the ASM password file location for an ASM instance
NOTE:1638586.1 - How To Recreate The ASM Password File And Change ASM Users Password On 11.2 RAC.
=======================================================================================================
How To Recreate The ASM Password File And Change ASM Users Password On 11.2 RAC. (Doc ID 1638586.1)
APPLIES TO:
Oracle Database - Enterprise Edition - Version 11.2.0.1 to 11.2.0.4 [Release 11.2]
Information in this document applies to any platform.
GOAL
The current document provides an example of how to recreate the ASM password file and change the ASM users’ password.
Note: For 12c Flex cluster with Flex ASM, the ASM password file must be on a shared disk (e.g. an ASM diskgroup); it cannot be stored locally on every node. Therefore, for 12c Flex cluster with Flex ASM, use the solution described in Note 1929673.1 instead.
SOLUTION
You can recreate the ASM password file as follows:
1) Rename all the ASM password files on each node:
$> mv <Grid Infrastructure Oracle Home>/dbs/orapw+ASM <Grid Infrastructure Oracle Home>/dbs/orapw+ASM_OLD
2) Create ASM password file manually on the first node as the OS user which owns the Grid Infrastructure Oracle Home:
$> cd <Grid Infrastructure Oracle Home>/dbs/
$> orapwd file='orapw+ASM' entries=5 password=<here type your password>
3) Add the ASMSNMP user from the first node (+ASM1) instance, and grant sysdba privilege to it (SYS user is implicitly created by default during the ASM password file creation):
[grid@asmgrid1 dbs]$ . oraenv
ORACLE_SID = [+ASM1] ? +ASM1
The Oracle base remains unchanged with value /u01/app/grid
[grid@asmgrid1 dbs]$ sqlplus "/as sysasm"
SQL*Plus: Release 11.2.0.3.0 Production on Wed Mar 19 15:56:33 2014
Copyright (c) 1982, 2011, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - Production
With the Real Application Clusters and Automatic Storage Management options
SQL> create user ASMSNMP identified by <password>;
SQL> grant sysdba to ASMSNMP;
4) If it is required, set the new passwords for the “SYS” & “ASMSNMP” users (from +ASM1 instance):
SQL> ALTER USER ASMSNMP IDENTIFIED BY <new password>;
SQL> ALTER USER SYS IDENTIFIED BY <new password>;
5) Then copy the ASM password file (from node #1) to all the other nodes:
Example:
$> scp orapw+ASM <remote node #2>:<Grid Infrastructure Oracle Home>/dbs/
$> scp orapw+ASM <remote node #3>:<Grid Infrastructure Oracle Home>/dbs/
.
.
.
$> scp orapw+ASM <remote node #4>:<Grid Infrastructure Oracle Home>/dbs/
This step is optional because release 11.2 and onwards include the fix for the following bug:
Bug 8394187: ASM PASSWORD FILE UPDATES CAN RESULT IN INCONSISTENCIES ACROSS THE CLUSTER
Therefore, there is no need to copy password files across nodes after password change with ALTER USER command.
After the password of the SYS or ASMSNMP user is changed from any RAC ASM instance, the ASM instance reports the following in the ASM alert.log:
Tue Aug 05 09:39:53 2014
SUCCESS: ASM password file update succeeded on node 0
SUCCESS: ASM password file update succeeded on node 1
6) Make sure the following ownership and permissions are set on the new ASM password file on ALL the RAC/Cluster nodes:
-rw-r----- 1 grid oinstall 1536 Mar 14 13:57 orapw+ASM
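The ownership and mode in step 6 can be checked with a script on each node instead of by eye. The following function is an added example, not part of the Oracle note; check_pwfile is a hypothetical name, and the owner and group are passed as arguments because they depend on the installation (grid and oinstall in the listing above).

```shell
#!/bin/sh
# check_pwfile OWNER GROUP FILE...: succeed only if every FILE is a regular file
# with mode -rw-r----- and the given owner and group, as in the step 6 listing.
check_pwfile() {
    want_owner=$1 want_group=$2; shift 2
    rc=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "$f: missing or not a regular file"; rc=1; continue
        fi
        # ls -ld fields: mode, links, owner, group. Keep 10 mode characters so a
        # trailing ACL/SELinux marker ("+" or ".") does not affect the comparison.
        info=$(ls -ld "$f" | awk '{ print substr($1, 1, 10), $3, $4 }')
        mode=${info%% *}; rest=${info#* }
        owner=${rest%% *}; group=${rest#* }
        [ "$mode" = "-rw-r-----" ] || { echo "$f: mode $mode, expected -rw-r-----"; rc=1; }
        [ "$owner" = "$want_owner" ] || { echo "$f: owner $owner, expected $want_owner"; rc=1; }
        [ "$group" = "$want_group" ] || { echo "$f: group $group, expected $want_group"; rc=1; }
    done
    return $rc
}

# Constructed demonstration: a world-readable copy in a scratch directory is reported.
demo_dir=$(mktemp -d)
: > "$demo_dir/orapw+ASM"
chmod 644 "$demo_dir/orapw+ASM"
check_pwfile grid oinstall "$demo_dir/orapw+ASM" || echo "password file needs fixing"
rm -rf "$demo_dir"
```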
REFERENCES
NOTE:1092213.1 - ASM 11.2 Configuration KIT (ASM 11gR2 Installation & Configuration, Deinstallation, Upgrade, ASM Job Role Separation (Standalone Only).
NOTE:1376731.1 - ASM 11gR2 and 12cR1 Grid Infrastructure And RDBMS/Database Installation & Configuration Using ASM Job Role Separation (A Complete Guide).
NOTE:1929673.1 - How to recreate shared ASM password file in 12c GI cluster