000030105 - 'ORA-28000: the account is locked' error when migrating an imported database in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Jul 21, 2020
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000030105
Applies ToRSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: All
IssueAttempting to migrate a database that was imported from another system fails with the following error:
Unable to migrate schema. (class org.jboss.util.NestedSQLException: Could not create connection; - nested throwable: (java.sql.SQLException: ORA-28000: the account is locked
; - nested throwable: (org.jboss.resource.JBossResourceException: Could not create connection; - nested throwable: (java.sql.SQLException: ORA-28000: the account is locked

CauseThe issue occurs when an imported database has Oracle user accounts that have expired.

By default, RSA Identity Governance & Lifecycle creates the Oracle application user accounts with an Oracle profile that configures the passwords as non-expiring. The reason for this is to prevent the application from unexpectedly failing when the Oracle account expires. This profile is the ACMPROFILE as documented in the RSA Identity Governance & Lifecycle Database Setup and Management Guide.

Because some corporate environments may have requirements that do not allow non-expiring accounts, the ACMPROFILE profile may be changed to enforce a password expiration date which will cause the Oracle accounts to expire and become inaccessible.
ResolutionTo resolve this issue, the Oracle account status needs to be checked and corrected so that the account is accessible. A good practice would be to check the Oracle account status prior to attempting the database migration to avoid the initial migration failure.  
  1. Using a SQL tool such as SQL*Plus or SQL Developer, login to SQL as SYSDBA.
  2. Execute the following SQL command:

select account, account status from dba_users;

This may return output similar to the following:

User-added image

  1. To unlock and unexpire the RSA Identity Governance & Lifecycle Oracle application accounts, execute the following SQL for each account that is locked (where <password> is the password associated with each individual account):

alter user <username> account unlock;
alter user <username> identified by <password>;

For example, if only the AVUSER account is noted as locked, then the commands would be:

alter user AVUSER account unlock;
alter user AVUSER identified by <AVUSER password>;

  1. Restart RSA Identity Governance & Lifecycle:

acm restart

  1. Restart the migration of the imported database by entering the migration password.