When I tried to change the password for SYS, I got an ORA-28017 error message. This was caused by a manual DB upgrade to 12C without upgrading the password file as well.
Problem Description
The way I encountered this error was when I was unable to logon remotely to a database instance with SYS AS SYSDBA. I tried to change the password directly using a bequeath connection and got the following error:
SQL> alter user sys identified by "****************"; alter user sys identified by "****************" * ERROR at line 1: ORA-28017: The password file is in the legacy format.
Error Description
The Oracle error lookup tool, oerr ora 28017
, shows:
28017, 00000, "The password file is in the legacy format." // *Cause: There are multiple possibilities for the cause of the error: // // * An attempt was made to grant SYSBACKUP, SYSDG or SYSKM. // * These administrative privileges could not be granted unless // the password file used a newer format ("12" or higher). // * An attempt was made to grant a privilege to a user who // has a large password hash which cannot be stored in // the password file unless the password file uses a newer // format ("12" or higher). // * An attempt was made to grant or revoke a common administrative // privilege in a CDB // *Action: Regenerate the password file in the newer format ("12" or higher). // Use the newer password file format ("12" or higher) if you need to // grant a user the SYSBACKUP, SYSDG or SYSKM administrative // privileges, or if you need to grant a privilege to a user // who has a large password hash value. //
Investigation
I found the following Oracle Support document:
As advised in Doc ID 2112456.1, I used the following command to examine the password file:
orapwd describe file=${ORACLE_HOME}/dbs/orapw${ORACLE_SID}
The result was:
Password file Description : format=LEGACY ignorecase=N
Remediation
Instead of migrating the password, I just overwrote it with desired password values:
orapwd file=${ORACLE_HOME}/dbs/orapw${ORACLE_SID} force=
I verified the result as follows:
orapwd describe file=${ORACLE_HOME}/dbs/orapw${ORACLE_SID}
The result was:
Password file Description : format=12 ignorecase=N
Note
This problem only affects databases with compatible=’12.1.0′ or higher. Leaving the compatible parameter at 11.2 does not cause a problem with the password file.