Oracle Recommendation – Do not use Alter user SYS to change the sys password with 12c

While supporting a number of databases, there is often a need to change the passwords of SYS and other users to stay in compliance with good security practices. To make it easier to change the passwords for multiple users on multiple databases, I created a C# solution that reads in a list of databases and issues the commands below to change the SYS, SYSTEM and DBSNMP passwords:

alter user SYS    identified by a_new_password;
alter user SYSTEM identified by a_new_password;
alter user DBSNMP identified by a_new_password;

In 11g and below, my C# solution would run the alter command on every instance of a RAC. If the RAC had a physical standby (Data Guard), I would then FTP the password file from the $ORACLE_HOME/dbs directory on one of the primary nodes to each of the standby nodes.

In a 12c RAC environment, the password file is stored within ASM and shared by all the nodes of the RAC. I modified the C# solution to issue the alter user SYS command on only one node. This seemed to work in many instances, but we did encounter issues in some cases. A colleague pointed me to the Oracle Support document:

“Should ALTER USER Statement Be Used For Changing SYS Password? (Doc ID 2452286.1)”

The recommendation is:

From an Oracle Database directly, ‘alter user username identified by password’ statement works for all users. But for SYS user it is advised to use the oracle ORAPWD utility to change its password. Though alter user statement should also work, but it may cause future unforeseen issues as well.

The document also goes on to state “You may have to bounce the database for this (recommended).”

This applies to version 12.1.0.1 to 12.2.0.1 [Release 12.1 to 12.2]
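
The routing described above, sketched in Python as an added example (it is not the C# solution from this post): SYS is sent to ORAPWD on 12.1.0.1 to 12.2.0.1, while SYSTEM and DBSNMP still go through alter user. The inventory layout and function names are assumptions, the ORAPWD step is a text placeholder because the post gives no ORAPWD command line, and the double-quoting of the password is added here so special characters cannot break out of the statement.

```python
import re

ACCOUNTS = ("SYS", "SYSTEM", "DBSNMP")
# Version range the support note is stated to apply to.
ORAPWD_RANGE = ((12, 1, 0, 1), (12, 2, 0, 1))


def parse_version(text):
    """'12.1.0.2' -> (12, 1, 0, 2); raises ValueError on anything else."""
    if not re.fullmatch(r"\d+(\.\d+){3}", text):
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def alter_user_sql(user, password):
    """Build one alter user statement with the password as a quoted literal."""
    if user not in ACCOUNTS:
        raise ValueError(f"unexpected account: {user!r}")
    # Oracle passwords cannot contain double quotes; rejecting them (and
    # control characters) also keeps the value inside the quoted literal.
    if not password or '"' in password or any(ord(c) < 32 for c in password):
        raise ValueError("password contains characters that cannot be quoted")
    return f'alter user {user} identified by "{password}";'


def plan_rotation(db, password):
    """Return (target, action) steps for one constructed inventory entry."""
    version = parse_version(db["version"])
    if version[0] < 12:
        # 11g and below: run the statements on every instance, then copy the file.
        steps = [(n, alter_user_sql(u, password)) for n in db["instances"] for u in ACCOUNTS]
        for standby in db.get("standby_nodes", []):
            steps.append((standby, "copy password file from $ORACLE_HOME/dbs on a primary node"))
        return steps
    if not ORAPWD_RANGE[0] <= version <= ORAPWD_RANGE[1]:
        raise ValueError(f"version {db['version']} is outside what the post covers")
    # 12c: the password file is shared in ASM, so work from one node only.
    node = db["instances"][0]
    steps = [(node, "ORAPWD: change SYS password (bounce recommended)")]
    return steps + [(node, alter_user_sql(u, password)) for u in ACCOUNTS[1:]]
```
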