How to move the Oracle ASM instance password file from the file system to the disk group ?

When the password file is stored inside a disk group, it is automatically replicated across all disks in the group, providing redundancy. It also allows the ASM instance to be started without specifying a pfile that points to an external password file, which is crucial in clustered environments like Oracle RAC.

Prerequisites

1. SYSDBA Privileges: You must be connected to the ASM instance as a user with SYSASM or SYSDBA privileges.

2. Existing Disk Group: You need at least one disk group (e.g., DATA, FRA) that is mounted and available. This will be the target for storing the password file.

3. Current Password File: You likely already have a password file on the file system, typically at $ORACLE_HOME/dbs/orapw+ASM (or orapw+ASM1, orapw+ASM2 in RAC).

Using ASMCMD pwmove Command (Oracle 11g R2 and Above)

The asmcmd pwmove command is the simplest and recommended way to perform this operation. It handles both the copy and the cleanup of the old file.

Step 1: Identify the Current Password File Location

Connect to the ASM instance and check the current password file location from the spfile.

sqlplus / as sysasm

SQL> show parameter spfile;
-- If spfile is used, it will show the location.

SQL> show parameter passwordfile;
-- This might show the current file system location if it's specified in the spfile/pfile.

You can also check the default file system location:

ls $ORACLE_HOME/dbs/orapw+ASM*

Step 2: Use ASMCMD pwmove to Relocate the File

The pwmove command copies the password file from the file system to the specified disk group and updates the ASM instance’s parameter to point to the new location.

# Connect to the ASM environment and run asmcmd 
. oraenv 
# +ASM 

asmcmd

ASMCMD> pwmove --dbuniquename +ASM /u01/app/oracle/product/19.x.x/dbhome_1/dbs/orapw+ASM DATA

• --dbuniquename +ASM: Specifies the unique name of the ASM instance (or a database if you were moving its password file).

• {source_file}: The full path to the current password file on the file system.

• {disk_group}: The target disk group (e.g., DATA, FRA).

For RAC: You only need to do this from one node. The command will update the password file location for the entire cluster.

Example :

ASMCMD> pwmove --asm -f  /u01/app/12.2.0.1/grid/dbs/orapw+ASM +DBFS_DG/ASM/orapwASM
moving /u01/app/12.2.0.1/grid/dbs/orapw+ASM -> +DBFS_DG/ASM/orapwASM

Step 3: Verify the Move

1. Check with ASMCMD: List the contents of the disk group to see the password file.

   ASMCMD> pwget --asm
   +DBFS_DG/ASM/orapwASM

2. Check the Parameter: The passwordfile parameter will now point to the disk group.

   sqlplus / as sysasm 
   
   SQL> show parameter passwordfile; 
   NAME TYPE VALUE 
   ------------------------------------ ----------- ------------------------------ 
   asm_password_file string +DATA/+ASM/PASSWORD/pwdasm.xxx.xxxxxxx 
   
   # OR, more generally, it might just show the disk group 
   
   # asm_password_file string +DATA

3. Test Authentication: Verify you can still connect to the ASM instance using the password file.

   sqlplus 'sys@+ASM as sysasm' 
   
   # Enter the SYS password when prompted.

   If this fails, check the orapw file in $ORACLE_HOME/dbs as a fallback.

Step 4: Remove the Old File System Password File (Optional but Recommended)

Once you have confirmed that the new password file in the disk group is working correctly, you can safely remove the old file from the file system.

rm /u01/app/oracle/product/19.x.x/dbhome_1/dbs/orapw+ASM