Changing System Database Passwords

JDEWine

I am being told by my management to change all system database ID (PRODDTA, CTRLDTA, etc.) passwords to complex passwords. I also have a very experienced CNC team telling me I should NEVER change system ID DB passwords. Can anyone tell me if they have done this before and if it is recommended? I have not found anything related to changing passwords on the Oracle site. I have found CNC consultant blogs that say you SHOULD change system passwords.
 
This is not the type of response I like to give since I don't know the context of the "NEVER change system ID DB passwords" but if that was said as a black and white statement then I would personally doubt the experience of the group saying it. Maybe it was correct in a narrow context. First keep in mind that PRODDTA, CRPDTA, etc. are not system database users. They are schema owners. A system ID is a database user that is loaded into the F98OWPU table and used as a database proxy account for one or more users as either a DEFAULT datasource password or for a specific datasource. Some sites, especially long time AS/400 sites that had World user profiles, may even go so far as to have 1 system user for each JDE user. The only default "System Id" that gets installed is "JDE" and I am still amazed by the number of sites I have visited over the years who have been running JDE for years with that proxy user set to the default password of "JDE" and often with the account having been given DBA authority for ease of install.

The only time the schema owners get used by JDE is when generating a table, adding an index or otherwise altering the table such as during an ESU install that has a table change. During install and upgrades it is easiest to keep them set to their default values but there are ways to set them secure from the beginning and Oracle has moved further in this direction by giving you the ability to change them to non-default values in the database platform pack installer.

Here is my opinion, and I feel it is an experienced one. You should always change passwords for the schema owners when you are done with the initial installation. I would go one step further and expire/lock them when they are not needed. I make an exception for the TESTDTA/TESTCTL schemas where developers are going to need regular table generation ability. I still use a secure password but I share it with the developers.

If you leave the passwords set to default values anybody with access to the database via the network will be able to connect to PRODDTA/PRODCTL and using those values for passwords they will have full update authority to your production schemas. As a general security policy, service accounts and schema owner passwords should be changed yearly or whenever someone with privileged access to those passwords leaves an organization. In practice I find very few companies adhere to that practice. So at worst I like to start with nice complex passwords, keep them secure and assume they will have to stand the test of time. I also expire/lock the schema owners to prevent inadvertent table generation in any environment. Following the SDLC, when there needs to be a table generation, ESU apply or other table structure change that requires the schema owner, I will unlock the account, perform the work under a change request and then lock the schema owners again.

As an aside, I also recommend not using the default system ID "JDE". I suggest creating a new system account to act as the DB proxy account for all users. I do this to prevent an auditor or penetration tester from coming in with their "JDE auditing 101" book, trying to login as JDE to the database multiple times with password "JDE" and then locking the account out and causing a system outage. That has probably happened to me 5 or 6 times in 20 years.
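The following Oracle SQL is an added illustration of the lockdown procedure described in the answer above; it is not code from the original post or from Oracle/JDE. It assumes an Oracle database with the default JDE schema names, a DBA session in SQL*Plus, and uses placeholder passwords and a hypothetical replacement proxy name (JDEPRX01) that you would substitute with your own.

```sql
-- Added example, not from the original post. Oracle SQL*Plus script that
-- applies the policy from the answer: rotate schema owner passwords off the
-- defaults, keep production schema owners locked between change requests,
-- and replace the default "JDE" proxy user with a non-guessable account.
-- Assumptions: Oracle Database, default JDE schema names, DBA privileges.
-- All passwords below are placeholders; do not store real ones in scripts.

-- 1. Inventory the schema owners and the default proxy user. The default
--    install leaves username = password (e.g. PRODDTA / PRODDTA, JDE / JDE).
SELECT username, account_status, lock_date, expiry_date, profile
  FROM dba_users
 WHERE username IN ('PRODDTA', 'PRODCTL', 'CRPDTA', 'CRPCTL',
                    'TESTDTA', 'TESTCTL', 'JDE')
 ORDER BY username;

-- 2. Rotate the production schema owner passwords to complex values.
--    Double quotes let Oracle accept the special characters.
ALTER USER PRODDTA IDENTIFIED BY "Pr0dDta-Placeholder#Xq7!";
ALTER USER PRODCTL IDENTIFIED BY "Pr0dCtl-Placeholder#Zm3!";

-- 3. Lock the production schema owners whenever no table change is in
--    flight. A locked owner blocks inadvertent table generation even if
--    someone learns the password.
ALTER USER PRODDTA ACCOUNT LOCK;
ALTER USER PRODCTL ACCOUNT LOCK;

-- 4. Change-request window: unlock, perform the table generation / ESU /
--    index change under the change request, then lock again. Record both
--    statements in the change ticket.
ALTER USER PRODDTA ACCOUNT UNLOCK;
-- ... table generation or ESU apply runs here using the PRODDTA owner ...
ALTER USER PRODDTA ACCOUNT LOCK;

-- 5. Retire the default "JDE" proxy name. Create a replacement proxy
--    (JDEPRX01 is a hypothetical name) and generate GRANT statements that
--    mirror whatever object and role privileges JDE currently holds. Review
--    the generated statements before executing them, then point the JDE
--    system user mapping (F98OWPU) at the new account using the JDE
--    security tools, and finally lock the old JDE account.
CREATE USER JDEPRX01 IDENTIFIED BY "Prx-Placeholder#Kw9!";
GRANT CREATE SESSION TO JDEPRX01;

SELECT 'GRANT ' || privilege || ' ON ' || owner || '.' || table_name
       || ' TO JDEPRX01;' AS generated_ddl
  FROM dba_tab_privs
 WHERE grantee = 'JDE';

SELECT 'GRANT ' || granted_role || ' TO JDEPRX01;' AS generated_ddl
  FROM dba_role_privs
 WHERE grantee = 'JDE';

-- Only after the new proxy is mapped in JDE and verified:
-- ALTER USER JDE ACCOUNT LOCK;
```

Step 1 is the check to run first: any schema owner or proxy that is OPEN and still has its install-time password is reachable by anyone who can make a network connection to the listener. Step 5 deliberately generates rather than executes the GRANTs, so the privilege set carried to the new proxy is reviewed (and trimmed, if JDE was given DBA at install) instead of copied blindly.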

Only every single CNC and development person in the entire world knows those default passwords. You're getting bad advice, change the passwords.
 