Learn how to change the password for the "protect" user in the Oracle database for Symantec Data Loss Prevention (DLP).
DLP connects to the Oracle database using a user named "protect".
The password for this Oracle user is stored in a file located in \SymantecDLP\Protect\config (Windows) or /opt/SymantecDLP/Protect/config (Linux). As a security measure, the contents of the file are encrypted, so the file cannot be edited directly.
In version 11.0 and earlier, the protect user's password is stored in the file ProtectPassword.properties, and this same value is also used as a master key to encrypt the cryptographic keys used to read encrypted entries from the database. In version 11.1 and later, these two functions have been separated, and the Oracle protect password is now stored in a file named DatabasePassword.properties.
DLP ships with a command-line utility, DBPasswordChanger, that changes the encrypted Oracle database password used by the DLP Enforce server. In version 15.0 and earlier, DBPasswordChanger is located in \SymantecDLP\Protect\bin; in 15.1 and later, it is located at \Program Files\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\bin (Windows), or /opt/SymantecDLP/Protect/bin (Linux).
Note: The DBPasswordChanger utility should be run as soon as possible after the Oracle Data Loss Prevention account password is changed; otherwise an account lockout can occur due to multiple invalid login attempts using the encrypted Password.properties file. If this occurs, you will need to unlock the Oracle Data Loss Prevention account (see https://support.symantec.com/en_US/article.TECH220299.html for more details).
Example values used in the commands below:
- DLP Administrator password is rhubarb
- New Oracle protect user password is potato
Summary of password change procedure:
- Shut down all DLP services.
- Change the database password within Oracle.
- Verify the new password.
- Change the password on the Enforce server.
- Start the DLP services.
- Log in to the Enforce UI.
On the Oracle server:
- Start a sqlplus session: sqlplus /nolog
- Log in as sysdba: SQL> connect sys as sysdba (Enter the password when prompted.)
- Change the protect password to potato: SQL> alter user protect identified by potato;
- Verify the password change:
SQL> conn protect/potato
- Exit sqlplus:
IMPORTANT: Follow the password guidelines in TECH220505.
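To check whether the protect account has been locked by invalid login attempts (the lockout the note earlier on this page warns about), the account status and the lockout limits of its profile can be queried from a sysdba sqlplus session on the Oracle server. This is an added example, not part of the original article; it uses the standard Oracle DBA_USERS and DBA_PROFILES views and assumes the account is stored under the default uppercase name PROTECT.

```sql
-- Added example: run as SYSDBA on the Oracle server.

-- Current state of the DLP schema account.
-- ACCOUNT_STATUS is OPEN when healthy; values such as LOCKED(TIMED)
-- indicate a lockout caused by repeated failed logins.
SELECT username, account_status, lock_date, expiry_date, profile
  FROM dba_users
 WHERE username = 'PROTECT';

-- Lockout limits of the profile assigned to the account.
-- A LIMIT of DEFAULT means the value is inherited from the DEFAULT profile.
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = (SELECT profile
                    FROM dba_users
                   WHERE username = 'PROTECT')
   AND resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LOCK_TIME');

-- Only if ACCOUNT_STATUS shows the account as locked:
ALTER USER protect ACCOUNT UNLOCK;
```

Unlock the account only after the DLP services are stopped or the new password has been written with DBPasswordChanger; otherwise the Enforce server keeps retrying with the old password and the account locks again.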
On the Enforce server:
NOTE: The examples assume a Windows installation; for Linux, substitute the appropriate paths (e.g. /opt/Vontu/Protect/bin)
- Start a command shell and change to the bin directory: cd \SymantecDLP\Protect\bin
- Change the Oracle password in the configuration file:
For version 11.0 and earlier:
The syntax for DBPasswordChanger is:
DBPasswordChanger <PasswordFilePath> <DLP Administrator Password> <Password Property to Change> <New Oracle Password>
The oracle and oracle-thin passwords must be changed separately, as follows: