000027926 - KB-1563 Oracle 11g Account password expiration

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000027926
Applies To: Affected Versions: 6.9.x, 6.8.1; 6.5.x; 6.0.2; 5.5.x; 5.1.1; 5.0.X
Issue: Oracle 11g has implemented new password and account controls. One of these changes is a default password expiration date of 180 days (6 months) for database accounts.
The attached document outlines this Oracle security feature and its potential impact on Aveksa's Access governance application, and specifically what it means for the Aveksa ACM database accounts: AVUSER, AVDWUSER and ACMDB.
For more information regarding this Oracle feature, please refer to the official Oracle Security Documentation, which is available on the Oracle Technical Network website.
Cause: One of the obvious side effects of the ACM Oracle database accounts reaching a password expiration date is that the application is no longer accessible. The error seen if this happens is similar to the following (when testing sqlplus accessibility):
$ sqlplus avuser
SQL*Plus: Release 11.2.0.2.0 Production on Wed Feb 8 09:05:25 2012
Copyright (c) 1982, 2010, Oracle. All rights reserved.
Enter password:
ERROR:
ORA-28001: the password has expired
Resolution: The attached PDF file outlines the possible errors seen and how to resolve them. It also covers how to prevent this.

UPDATE:
It is possible that Oracle accounts, not just the Aveksa ACM accounts, have expired dates/passwords. Attached to this KB article is a simple text SQL script (ck_expire.sql), which should be run as sysdba. The script writes its output to a file named check expiry.out, which lists the status, expiration dates (if they are set) and profile information of several key Oracle accounts as well as the ACM accounts.

==========
SQL to update the SYSMAN and DBSNMP accounts so that they will not expire.
These accounts are needed in order to access OEM.
==========
-- IDENTIFIED BY sets the account password to the value given; substitute your own value for "secret".
ALTER USER SYSMAN IDENTIFIED BY secret;
ALTER USER SYSMAN ACCOUNT UNLOCK;
ALTER USER SYSMAN PROFILE ACMPROFILE;
ALTER USER DBSNMP IDENTIFIED BY secret;
ALTER USER DBSNMP ACCOUNT UNLOCK;
ALTER USER DBSNMP PROFILE ACMPROFILE;

==========
Select Username, Profile, Lock_date, Expiry_date, Account_status
, (Select Limit From Dba_Profiles
Where Profile = Du.Profile AND RESOURCE_TYPE='PASSWORD'
And Resource_Name='PASSWORD_LIFE_TIME') As Password_Life_Time_Days
From Dba_Users Du Where
Username In ('ACMDB', 'AVDWUSER', 'AVUSER', 'ASMSNMP','DBSNMP', 'MGMT_VIEW','PERFSTAT', 'SYS', 'SYSMAN', 'SYSTEM')
order by DU.USERNAME;
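
An added example, not part of the original KB article or the attached ck_expire.sql: a variant of the query above that also reports the days remaining before each account expires and resolves a profile limit of DEFAULT to the value held by the DEFAULT profile. The 30-day warning threshold and the column aliases are assumptions; run it as sysdba like the query above.

```sql
-- Early-warning report for the accounts listed in this article.
-- Assumption: 30 days is enough lead time to schedule a password change.
SELECT du.username,
       du.profile,
       du.account_status,
       du.expiry_date,
       -- Negative values mean the expiry date has already passed.
       TRUNC(du.expiry_date - SYSDATE) AS days_left,
       -- A LIMIT of 'DEFAULT' means the setting is inherited from the
       -- DEFAULT profile, so report that profile's value instead.
       CASE
         WHEN p.limit = 'DEFAULT' THEN d.limit
         ELSE p.limit
       END AS effective_life_time_days,
       CASE
         WHEN du.account_status LIKE 'EXPIRED%' THEN 'EXPIRED'
         WHEN du.account_status LIKE 'LOCKED%'  THEN 'LOCKED'
         WHEN du.expiry_date IS NULL            THEN 'NO EXPIRY SET'
         WHEN du.expiry_date <= SYSDATE + 30    THEN 'EXPIRES SOON'
         ELSE 'OK'
       END AS expiry_state
  FROM dba_users du
  LEFT JOIN dba_profiles p
    ON p.profile = du.profile
   AND p.resource_type = 'PASSWORD'
   AND p.resource_name = 'PASSWORD_LIFE_TIME'
  LEFT JOIN dba_profiles d
    ON d.profile = 'DEFAULT'
   AND d.resource_type = 'PASSWORD'
   AND d.resource_name = 'PASSWORD_LIFE_TIME'
 WHERE du.username IN ('ACMDB', 'AVDWUSER', 'AVUSER', 'ASMSNMP', 'DBSNMP',
                       'MGMT_VIEW', 'PERFSTAT', 'SYS', 'SYSMAN', 'SYSTEM')
 ORDER BY du.expiry_date NULLS LAST, du.username;
```

Rows reported as EXPIRES SOON are the ones to act on before the application loses database access with ORA-28001.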
