Confusion about Oracle Profile Parameters
I spent a lot of time on the right configuration of profiles, and of course I consulted the Oracle documentation for that, because not all of the parameters are self-explanatory. PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX are such candidates: maybe you can guess what they mean by yourself, but in the end you need the documentation to understand their real behaviour. So I did. After a few minutes I chose an appropriate strategy for my case with the help of the Oracle documentation. But when I started to configure these parameters in OEM I got an inconsistent error message.
The documentation suggests that you have to use these parameters in conjunction. PASSWORD_REUSE_TIME specifies a number of days and PASSWORD_REUSE_MAX specifies a number of password changes. You must set an integer for both parameters if you want them to have any effect. If you set an integer for one and UNLIMITED for the other, the user can never reuse a password.
PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX
These two parameters must be set in conjunction with each other. PASSWORD_REUSE_TIME specifies the number of days before which a password cannot be reused. PASSWORD_REUSE_MAX specifies the number of password changes required before the current password can be reused. For these parameters to have any effect, you must specify an integer for both of them.
- If you specify an integer for both of these parameters, then the user cannot reuse a password until the password has been changed the number of times specified for PASSWORD_REUSE_MAX during the number of days specified for PASSWORD_REUSE_TIME.
- If you specify an integer for either of these parameters and specify UNLIMITED for the other, then the user can never reuse a password. (Oracle Documentation)
In my sample, PASSWORD_REUSE_TIME should be set to 1 and PASSWORD_REUSE_MAX to 10. This means that the user can reuse the password after one day, provided that he has changed the password 10 times in the meantime. For the "normal" user unlikely, for the audit sufficient, and for the familiar administrator a good possibility to switch back to the initial password if necessary. The documentation provides a simple, understandable example here:
For example, if you specify PASSWORD_REUSE_TIME to 30 and PASSWORD_REUSE_MAX to 10, then the user can reuse the password after 30 days if the password has already been changed 10 times. (Oracle Documentation)
Convinced that my choice was good, I navigated to Oracle Enterprise Manager Cloud Control 12c, typed in my parameters and got the following error message: If the number of passwords to keep is set to an integer value, the number of days to keep them must be set to UNLIMITED.
(Screenshot: Oracle Enterprise Manager Cloud Control 12c – Database > Security > Profile)
But that goes against Oracle's own documentation … ? What shall I believe? Maybe a reader of the blog has some advice?
When I do the same the old-fashioned way, directly in SQL*Plus, I can set the parameters as expected without any error message. But a bad feeling remains.
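The settings from this post applied in SQL*Plus, followed by a query that classifies every profile according to the documented rules quoted above. This is an added example, not part of the original post or of Oracle's documentation; the profile name reuse_demo is hypothetical, and the handling of DEFAULT and of UNLIMITED for both parameters follows the same Oracle documentation page rather than the excerpt quoted here.

```sql
-- Hypothetical profile carrying the values chosen in this post
-- (needs the CREATE PROFILE privilege).
CREATE PROFILE reuse_demo LIMIT
  PASSWORD_REUSE_TIME 1
  PASSWORD_REUSE_MAX  10;

-- Classify the password reuse policy of every profile
-- (needs SELECT on DBA_PROFILES).
WITH pivoted AS (
  -- one row per profile with both reuse limits side by side
  SELECT profile,
         MAX(CASE WHEN resource_name = 'PASSWORD_REUSE_TIME' THEN limit END) AS reuse_time,
         MAX(CASE WHEN resource_name = 'PASSWORD_REUSE_MAX'  THEN limit END) AS reuse_max
  FROM   dba_profiles
  WHERE  resource_type = 'PASSWORD'
  AND    resource_name IN ('PASSWORD_REUSE_TIME', 'PASSWORD_REUSE_MAX')
  GROUP  BY profile
),
eff AS (
  -- a limit of DEFAULT means "use the value of the DEFAULT profile"
  SELECT p.profile,
         CASE p.reuse_time WHEN 'DEFAULT' THEN d.reuse_time ELSE p.reuse_time END AS reuse_time,
         CASE p.reuse_max  WHEN 'DEFAULT' THEN d.reuse_max  ELSE p.reuse_max  END AS reuse_max
  FROM   pivoted p
  CROSS  JOIN (SELECT reuse_time, reuse_max
               FROM   pivoted
               WHERE  profile = 'DEFAULT') d
)
SELECT profile,
       reuse_time,
       reuse_max,
       CASE
         -- both UNLIMITED: the documentation says both parameters are ignored
         WHEN reuse_time = 'UNLIMITED' AND reuse_max = 'UNLIMITED'
           THEN 'no reuse restriction'
         -- integer for one, UNLIMITED for the other
         WHEN reuse_time = 'UNLIMITED' OR reuse_max = 'UNLIMITED'
           THEN 'password can never be reused'
         -- integer for both
         ELSE 'reuse after ' || reuse_time || ' day(s) and '
              || reuse_max || ' password change(s)'
       END AS documented_effect
FROM   eff
ORDER  BY profile;
```

Profiles that OEM forced into the "integer plus UNLIMITED" combination show up here as "password can never be reused", which makes the difference to the intended policy visible.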
Oracle Documentation: http://docs.oracle.com/cd/B28359_01/server.111/b28286/statements_6010.htm
UPDATE: While browsing "My Oracle Support" I found out that this problem has existed for a very … veeeery … veeery looong time: the bug report was filed in October 2004 … two thousand and four! Apparently they want to save something into modern times 😉 Doc ID 1937232.1