|Applies To||RSA Product Set: Identity Governance and Lifecycle|
RSA Product/Service Type:
RSA Version/Condition: 5.0.x, 5.1.1, 5.5.x, 6.0.2, 6.5.x, 6.8.1, 6.9.1
|Issue||Oracle 11G implemented new password and account controls. One of these changes is a default password expiration date of 180 days (6 months) for database accounts.|
The attached document outlines this Oracle security feature and its potential impact for Aveksa's access governance application, and specifically what it means for the Aveksa ACM database accounts: AVUSER; AVDWUSER and ACMDB.
For more information regarding this Oracle feature, please refer to the official Oracle Security Documentation which is available on the Oracle Technical Network website.
|Cause||One of the obvious side affects of the ACM Oracle database accounts reaching a password expiration date, would be that the application is no longer accessible. The error that is seen if this happens, would be similar to this (when testing SQL*Plus accessibility):|
|Resolution||The attached PDF file outlines the possible errors seen and how to resolve these errors. It also covers how to prevent this.|
It is possible that Oracle accounts, not just Aveksa ACM accounts have expired dates/passwords. Attached to this article is a simple text SQL script (ck_expire.sql), which contains specific SQL, which should be run as sysdba. This script output creates a file named check expiry.out, which lists status, expiration dates (if they are set) and profile information of several key Oracle accounts as well as the ACM accounts.
The following SQL updates the SYSMAN and DBSNMP accounts so that they will not expire.
These accounts are needed in order to access OEM.