This topic describes how to configure password rollover in Oracle mode, including its behavior and examples. Password rollover allows you to use both the old and new passwords for authentication during a specified period after a password change. This helps ensure a smooth transition and minimizes business disruption during the password change process.
Note
This feature is available starting from V4.4.2 BP1.
Password rollover behavior
Before you configure password rollover, understand its behavior:
- Automatic rollover: If the PASSWORD_ROLLOVER_TIME parameter is set for the user's profile, a password change automatically starts a rollover period. During this period, both the old and new passwords can be used for authentication.
- Multiple password changes during rollover: If you change your password multiple times within the rollover period, only the original password and the last one set remain valid. Intermediate passwords are no longer accepted.
- Expiration: After the rollover period defined by the profile has passed, the old password becomes invalid, and only the new password can be used.
- Early rollover termination: You can manually end the current password rollover period before it expires, making the old password immediately invalid (only the current password remains valid). For details, see the "Manually end rollover" section below.
Configure password rollover
Control the rollover period
Password rollover refers to the period after a password change during which the old password remains valid for login, until the rollover period expires or is manually ended. The current feature lets you configure the rollover period and view it.
- Control method: Define the password rollover window using the PASSWORD_ROLLOVER_TIME parameter at the profile level, with the unit in microseconds. During this window, users can authenticate using either the old or new password after a password change. Once the window expires or the rollover is manually ended, the old password becomes invalid. Users must be associated with a profile that has PASSWORD_ROLLOVER_TIME configured to enter the rollover period after a password change.
- View the rollover period: Query the DBA_PROFILES view for the PASSWORD_ROLLOVER_TIME resource; the LIMIT column displays the configured rollover setting for the tenant or profile.
- Profile explanation: A profile is a template that defines password and login restrictions. When a user is associated with a profile, they inherit the password policies defined in it, such as PASSWORD_ROLLOVER_TIME.
Manually end rollover
You can manually end the current password rollover period before it expires, making the old password immediately invalid (only the current password remains valid):
ALTER USER user_name EXPIRE PASSWORD ROLLOVER PERIOD;
Parameter description:
user_name: The target Oracle username. The execution permissions are the same as for the standard ALTER USER command, typically requiring the ALTER USER system privilege.
Example
To set the password rollover period for the DEFAULT profile to 86400000000 microseconds, that is, one day (example value; use the value that fits your business needs), you must have the appropriate management privileges:
obclient [SYS]> ALTER PROFILE "DEFAULT" LIMIT PASSWORD_ROLLOVER_TIME 86400000000;
Change the password of the appuser user to NewSecret. If the user's profile has password rollover enabled, the user enters the rollover period:
obclient [SYS]> ALTER USER appuser IDENTIFIED BY NewSecret;
After the business switch is complete, manually end the rollover:
obclient [SYS]> ALTER USER appuser EXPIRE PASSWORD ROLLOVER PERIOD;
Feature maintenance
You can observe the password rollover status using system views:
- If the account is in the password rollover period and can still log in, the DBA_USERS or USER_USERS view shows OPEN & IN ROLLOVER in the ACCOUNT_STATUS field, indicating that the account is active and in the password rollover period, where both the old and new passwords can be used.
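The whole lifecycle in one script, as an added walkthrough that is not part of the original page or of OceanBase's own documentation: it creates a dedicated profile, assigns it to a hypothetical user APP_USER, rotates the password, checks the state in DBA_PROFILES and DBA_USERS, and ends the window early once clients have switched. CREATE PROFILE and ALTER USER ... PROFILE are assumed to follow standard Oracle-mode syntax; the profile name ROLLOVER_PROF, the user name and the passwords are constructed for this example.

```sql
-- Added walkthrough (not from the original page). Assumes a session that holds
-- the privileges needed for ALTER PROFILE / ALTER USER, and that APP_USER exists.
-- ROLLOVER_PROF, APP_USER and NewSecret2 are constructed example values.

-- 1. Create a dedicated profile with a one-day rollover window (unit: microseconds).
--    Scoping the window to its own profile keeps the relaxed policy off every
--    other account that uses DEFAULT.
CREATE PROFILE ROLLOVER_PROF LIMIT PASSWORD_ROLLOVER_TIME 86400000000;

-- 2. Associate the user with the profile; only users on a profile that sets
--    PASSWORD_ROLLOVER_TIME enter a rollover period after a password change.
ALTER USER APP_USER PROFILE ROLLOVER_PROF;

-- 3. Confirm the configured window; the LIMIT column carries the setting.
SELECT PROFILE, RESOURCE_NAME, LIMIT
  FROM DBA_PROFILES
 WHERE RESOURCE_NAME = 'PASSWORD_ROLLOVER_TIME'
   AND PROFILE = 'ROLLOVER_PROF';

-- 4. Rotate the password. From now on both the old and the new password
--    authenticate, until the window expires or is ended manually.
ALTER USER APP_USER IDENTIFIED BY NewSecret2;

-- 5. Check the account state: expect 'OPEN & IN ROLLOVER' while the window is active.
SELECT USERNAME, ACCOUNT_STATUS
  FROM DBA_USERS
 WHERE USERNAME = 'APP_USER';

-- 6. Once every client has been switched to the new password, cut the window
--    short so the old password stops working immediately rather than at expiry.
ALTER USER APP_USER EXPIRE PASSWORD ROLLOVER PERIOD;

-- 7. Re-check: ACCOUNT_STATUS should no longer report IN ROLLOVER.
SELECT USERNAME, ACCOUNT_STATUS
  FROM DBA_USERS
 WHERE USERNAME = 'APP_USER';
```

Run step 5 from a monitoring job as well: an account that stays in OPEN & IN ROLLOVER longer than the planned switch-over window is a sign that step 6 was never executed.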
