How to change the password for the Oracle database user (protect).
Symantec Data Loss Prevention (DLP) connects to the Oracle database using an Oracle user named protect. The password for this Oracle user is stored in a file located in \SymanteDLP\Protect\config (Windows) or /opt/SymantecDLP/Protect/config (Linux). As a security measure the contents of the file are encrypted. Due to the encryption it is not possible to modify (edit) the file directly.
In version 11.0 and earlier, the protect user's password is stored in the file ProtectPassword.properties, and this same value is also used as a master key to encrypt the cryptographic keys used to read encrypted entries from the database. In version 11.1 and later, these two functions have been separated, and the Oracle protect password is now stored in a file named DatabasePassword.properties.
DLP ships with a command-line utility to change the encrypted password in the file. The DBPasswordChanger utility is used to change the Oracle database password used by the DLP Enforce server. DBPasswordChanger is located in \SymantecDLP\Protect\bin (Windows) or /opt/SymantecDLP/Protect/bin (Linux).
DLP Administrator password is rhubarb
New Oracle protect user password is potato
Summary of password change procedure:
Shutdown all DLP services
Change the database password within Oracle
Verify the new password
Change the password on the Enforce server
Start the DLP services
Login to the Enforce UI
On the Oracle server:
- Start a sqlplus session: sqlplus /nolog
- Login as sysdba: SQL> connect sys as sysdba (Enter the password when prompted.)
- Change the protect password to potato: SQL> alter user protect identified by potato;
- Verify the password change:
SQL> conn protect/potato
- Exit sqlplus:
IMPORTANT: Follow password guideline in TECH220505.
On the Enforce server:
NOTE: The examples assume a Windows installation; for Linux, substitute the appropriate paths (e.g. /opt/Vontu/Protect/bin) - Start a command shell and change to the bin directory: cd \SymantecDLP\Protect\bin
- Change the Oracle password in the configuration file:
For version 11.0 and earlier:
The syntax for DBPasswordChanger is:
DBPasswordChanger <PasswordFilePath> <DLP Administrator Password> <Password Property to Change> <New Oracle Password>The oracle and oracle-thin passwords must be changed separately, as follows: