000030105 - IMG ORA-28000 the account is locked error seen after older database is imported and migration started

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000030105
Applies ToAll versions
All platforms

Customer is restoring an older IMG (ACM) database to a newer version and after a sucessful import of the database, upon acessing the application UI, they see a Initilization status message that database version is older than the existing application version - and that a migration is required.

User-added image

This is an expected and appropriate message.
After entering the migration password (currently available in Chapter 9 of the Installation Guide, under the section "Migrating the database:"),  the following error is seen:
Unable to migrate schema. (class.org.jboss.util.NestedSQLException: Could not create connection; - nested throwable: (java.sql.SQLException: ORA-28000: the account is locked.
User-added image


The issue is a result of an older database being imported and time has passed since that database was last accessed.
By default, the IMG creates the Oracle application user accounts with an Oracle profile (ACMPROFILE - as documented in the database setup guide).  This profile has no account password expiration, so that the application will not unexpectedly stop working when the Oracle account expires.
Some customers may find that they have corporate requirements which require them to not allow accounts which do not expire.  It is possible to change this default profile, however the customer must manage and maintain the account expiration themselves.
In this case, the older database account expiration dates had gone by, so that when the database was then imported and accessed, the accounts had passed their expiration dates.


To correct this and allow the database to be migrated, the Oracle account status needs to be checked and corrected.
To avoid the possibility of this error, this check can be run before the migration is initiated.  It can be checked after the sucessful import of the database and before the Application server is started.
To do this, access the IMG database using any sql tool, such as sqlplus or sqldeveloper and check the status of the IMG application accounts using this sql, logged into Oracle as a sysdba user such as sys:
select account, account status from dba_users;
This may return output such as:
User-added image
To unlock the IMG Application accounts, run this sql as a sysdba user, for each account that is locked:
For example, if only the AVUSER account is noted as locked, then the command would be:
Once the required accounts are unlocked, then the application server should be started, and the 'Migration Required' screen will be seen upon access to the UI.  The migration should now be able to start sucessfully.


WorkaroundNo workaround other than that mentioned above.
NotesAs a side note, when an older database is imported, it's possible that the AveksaAdmin password may not be remembered.  Use the appropriate method as documented for the application to reset this password.