Change the "protect" user password in the Oracle database

Article ID: 159992

Products

Data Loss Prevention Enforce, Data Loss Prevention Oracle Standard Edition 2, Data Loss Prevention

Issue/Introduction

Learn how to change the password for the "protect" user in the Oracle database for Symantec Data Loss Prevention (DLP) using the DBPasswordChanger utility and SQLPlus.

Environment

In DLP versions 15.1 and later, the database password changer (DBPasswordChanger) is located at \Program Files\Symantec\DataLossPrevention\EnforceServer\xx.x\Protect\bin (Windows) or /opt/Symantec/DataLossPrevention/EnforceServer/xx.x.xxxx/Protect/bin (Linux), where xx.x.xxxx stands for the version string, such as 15.8.xxxx.

Cause

  • By default, DLP connects to the Oracle database using a user named "protect".
  • The Oracle protect password is stored in an encrypted file named DatabasePassword.properties located on the Enforce server.
  • The DBPasswordChanger utility is used to change the Oracle database password in that file.

Resolution

Process Overview:

  1. Shut down all DLP services. (see Windows, see Linux)
  2. Change the database password within Oracle.
  3. Verify the new password.
  4. Change the password on the Enforce server.
  5. Start the DLP services.
  6. Log in to the Enforce UI.

NOTE:

To avoid an account lock-out, if you are unable to stop ALL the services, run the DBPasswordChanger utility as soon as possible after the Oracle Data Loss Prevention account password is changed. If a lock-out does occur, see the article: "ORA-28000: the account is locked" for resolution.

Example:

  • DLP Administrator password is rhubarb
  • New Oracle protect user password is potato

 

Detailed steps for 2-4 above:

Changing the database password for the protect account on Oracle:

IMPORTANT: Be sure to follow the guidelines for acceptable passwords in the article: Password guidelines for the Oracle 'protect' user

- Start a sqlplus session:
sqlplus /nolog

 

- Log in as the protect user (if the current password is known) OR as sysdba (if the current password is unknown):
SQL> connect protect     (or: connect sys as sysdba)
    (Enter the password when prompted.)

 

- Change the protect password to potato:
SQL> alter user protect identified by potato;
 

- Verify the password change:
SQL> conn protect/potato

- Exit sqlplus:
SQL> exit

 

Changing the password for the protect account used by the Enforce server:

NOTE: The examples assume a Windows installation; for Linux, substitute the appropriate paths (e.g. /opt/Symantec/Protect/bin)

- Start a command shell and change to the bin directory:
<DLP 15.0 and older> cd \SymantecDLP\Protect\bin
<DLP 15.1 and later> cd "C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.7\Protect\bin"

- Change the Oracle password in the configuration file:

For version 15.0 and earlier:

The syntax for DBPasswordChanger is:

DBPasswordChanger <PasswordFilePath> <New Oracle Password>

So:

DBPasswordChanger c:\SymantecDLP\protect\config\DatabasePassword.properties potato

For version 15.1 and later:

The syntax for DBPasswordChanger is:

DBPasswordChanger <PasswordFilePath> <New Oracle Password>

So:

DBPasswordChanger "C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.7\Protect\config\DatabasePassword.properties" potato

Linux Red Hat Environments 

1. Change to directory /opt/Symantec/DataLossPrevention/EnforceServer/<version>/Protect/bin/

2. Run the command: ./DBPasswordChanger ../config/DatabasePassword.properties potato

 

The command reports success with the following output:

Password changed

 

 

Note: When running the DBPasswordChanger command, the file name is case sensitive. Enter "DatabasePassword.properties" exactly as shown, preserving its case. Otherwise the command output will still show "Password changed", but the password will not actually be changed, and the Oracle user account will be locked out.
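Because the tool prints "Password changed" even when nothing was written, the following wrapper for the Linux steps checks the file name before the run and confirms afterwards that the file was rewritten. It is an added example, not vendor code: the function names and return codes are hypothetical, and it assumes a successful change rewrites DatabasePassword.properties with different content.

```shell
#!/bin/sh
# Added example, not vendor code. Guards the DBPasswordChanger step against
# the silent failure described in the note above.

# Succeed only if the directory holds an entry whose name matches the typed
# file name byte for byte (case included).
exact_case_match() {
    dir=$(dirname "$1")
    base=$(basename "$1")
    [ -d "$dir" ] || return 1
    ls -A "$dir" | grep -qxF -e "$base"
}

# SHA-256 of a file, used only to detect whether the file was rewritten.
file_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# guarded_change TOOL PASSWORD_FILE NEW_PASSWORD
# Returns 0 if the file was rewritten, 2 on a name mismatch, 3 if the tool
# exits non-zero, 4 if the tool ran but the file is unchanged.
guarded_change() {
    tool=$1 file=$2 new_pw=$3
    if ! exact_case_match "$file"; then
        echo "refusing to run: no exact-case match for $file" >&2
        return 2
    fi
    before=$(file_digest "$file")
    "$tool" "$file" "$new_pw" || return 3
    # Assumption: a successful change rewrites the file with new content.
    if [ "$(file_digest "$file")" = "$before" ]; then
        echo "tool reported success but $file is unchanged" >&2
        return 4
    fi
    echo "verified: $file was rewritten"
}

# Usage from the Protect/bin directory (password read without echo):
#   stty -echo; read -r NEW_PW; stty echo
#   guarded_change ./DBPasswordChanger ../config/DatabasePassword.properties "$NEW_PW"
```

A return code of 2 or 4 means the Enforce server still holds the old password, so services should not be started until the step is repeated successfully.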

Additional Information

If you need to unlock the "protect" account, see the following KB article for instructions:
https://knowledge.broadcom.com/external/article/160068

 

In DLP versions 15.0 and earlier, the DBPasswordChanger is located in \SymantecDLP\Protect\bin