000027926 - Impact of Oracle 11g account password expiration on RSA Identity Management and Governance Aveksa Compliance Manager (ACM) 5.x and 6.x

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Mar 5, 2018.
Version 4

Article Content

Article Number: 000027926
Applies To: RSA Product Set: Identity Governance and Lifecycle
RSA Product/Service Type: 
RSA Version/Condition: 5.0.x, 5.1.1, 5.5.x, 6.0.2, 6.5.x, 6.8.1, 6.9.1
Issue: Oracle 11g implemented new password and account controls. One of these changes is a default password expiration date of 180 days (6 months) for database accounts.

The attached document outlines this Oracle security feature and its potential impact on Aveksa's access governance application, and specifically what it means for the Aveksa ACM database accounts: AVUSER, AVDWUSER and ACMDB.

For more information regarding this Oracle feature, please refer to the official Oracle Security Documentation, which is available on the Oracle Technology Network website.
Cause: One of the obvious side effects of the ACM Oracle database accounts reaching a password expiration date is that the application is no longer accessible. If this happens, the error seen is similar to the following (when testing SQL*Plus accessibility):

$ sqlplus avuser
SQL*Plus: Release 11.2.0.2.0 Production on Wed Feb 8 09:05:25 2012
Copyright (c) 1982, 2010, Oracle. All rights reserved.

Enter password: <enter avuser_password>

ERROR:
ORA-28001: the password has expired
Resolution: The attached PDF file outlines the possible errors and how to resolve them. It also covers how to prevent this.
 

Update


It is possible that other Oracle accounts, not just the Aveksa ACM accounts, have expired dates/passwords. Attached to this article is a simple text SQL script (ck_expire.sql), which should be run as sysdba. The script writes its output to a file named check expiry.out, which lists the status, expiration dates (if they are set) and profile information of several key Oracle accounts as well as the ACM accounts.

The following SQL updates the SYSMAN and DBSNMP accounts so that they will not expire.
These accounts are needed in order to access OEM.
 

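-- SYSMAN: set a new password (substitute your own value for "secret"),
-- unlock the account and assign it to the ACMPROFILE profile.
ALTER USER SYSMAN IDENTIFIED BY secret;
ALTER USER SYSMAN ACCOUNT UNLOCK;
ALTER USER SYSMAN PROFILE ACMPROFILE;

-- DBSNMP: same three steps.
ALTER USER DBSNMP IDENTIFIED BY secret;
ALTER USER DBSNMP ACCOUNT UNLOCK;
ALTER USER DBSNMP PROFILE ACMPROFILE;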



==========

SELECT Username, Profile, Lock_date, Expiry_date, Account_status,
       (SELECT Limit FROM Dba_Profiles
         WHERE Profile = Du.Profile
           AND Resource_Type = 'PASSWORD'
           AND Resource_Name = 'PASSWORD_LIFE_TIME') AS Password_Life_Time_Days
  FROM Dba_Users Du
 WHERE Username IN ('ACMDB', 'AVDWUSER', 'AVUSER', 'ASMSNMP', 'DBSNMP',
                    'MGMT_VIEW', 'PERFSTAT', 'SYS', 'SYSMAN', 'SYSTEM')
 ORDER BY Du.Username;
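
The following is an added example, not part of the original article or of the attached ck_expire.sql script. It extends the query above so it can be used as a routine check before an account hits ORA-28001: it resolves a profile limit of DEFAULT to the value inherited from the DEFAULT profile, computes the days remaining, and suggests an action. The 30-day warning window and the action labels are assumptions; adjust them to your own rotation schedule.

```sql
-- Added example: run as a user that can read DBA_USERS and DBA_PROFILES (e.g. sysdba).
-- No blank lines inside the statement, so it can be pasted into SQL*Plus as-is.
WITH life AS (
  SELECT p.profile,
         -- A limit of 'DEFAULT' means "inherit the value from the DEFAULT profile".
         CASE p.limit WHEN 'DEFAULT' THEN d.limit ELSE p.limit END AS life_days
    FROM dba_profiles p
    JOIN dba_profiles d
      ON d.profile = 'DEFAULT'
     AND d.resource_name = p.resource_name
   WHERE p.resource_type = 'PASSWORD'
     AND p.resource_name = 'PASSWORD_LIFE_TIME'
)
SELECT u.username,
       u.profile,
       u.account_status,
       l.life_days                    AS password_life_time_days,
       u.expiry_date,
       TRUNC(u.expiry_date - SYSDATE) AS days_left,
       CASE
         -- Grace period: logins still work but the password must be changed.
         WHEN u.account_status LIKE 'EXPIRED(GRACE)%' THEN 'in grace period: change password'
         WHEN u.account_status LIKE '%EXPIRED%'       THEN 'expired: reset password'
         WHEN u.account_status LIKE '%LOCKED%'        THEN 'locked: unlock account'
         WHEN u.expiry_date IS NULL                   THEN 'no expiry date set'
         -- Assumed 30-day warning window.
         WHEN u.expiry_date - SYSDATE <= 30           THEN 'expires soon: rotate password'
         ELSE 'ok'
       END                            AS action
  FROM dba_users u
  JOIN life l
    ON l.profile = u.profile
 WHERE u.username IN ('ACMDB', 'AVDWUSER', 'AVUSER', 'ASMSNMP', 'DBSNMP',
                      'MGMT_VIEW', 'PERFSTAT', 'SYS', 'SYSMAN', 'SYSTEM')
 ORDER BY u.expiry_date NULLS LAST, u.username;
```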
