• RSA Governance & Lifecycle 8.0.0

This failure may occur when importing a 7.5.2 or earlier database into the 8.0.0 version of the product.  The failure occurs on the first startup of the Wildffly application server immediately after the schema migration is authorized. 

The error message may be either one of the following errors:

• ORA-01017 invalid username or password
• ORA-28000 the account is locked 

The GUI displays the following text immediately after authorizing the schema migration. 

"ORA-01017: invalid username/password; logon denied"
or
" ORA-28000: The account is locked."

Note that this error message is an Oracle error message related to Oracle usernames and passwords and is not related to the (correct) schema migration password that was entered. 

(IMAGE1)

The following log message is logged in the aveksaserver.log file:

02/13/2024 15:58:10.988 INFO  (default task-2) [com.aveksa.migration.jdbctool.CheckDatabase] Schema Migration
02/13/2024 15:58:12.420 ERROR (Schema Migration) [com.aveksa.migration.jdbctool.CheckDatabase] ORA-01017: invalid username/password; logon denied02/13/2024 15:58:12.420 FATAL (Schema Migration) [com.aveksa.migration.jdbctool.CheckDatabase] ****************************************Migration has failed!ORA-01017: invalid username/password; logon denied

or

10/30/2023 19:36:38.854 INFO  (default task-1) [com.aveksa.migration.jdbctool.CheckDatabase] Schema Migration
10/30/2023 19:36:38.936 ERROR (Schema Migration) [com.aveksa.migration.jdbctool.CheckDatabase] ORA-28000: The account is locked.

Improvements have been made in the data migration code in the following version to prevent specific causes of this failure. 

• RSA Governance & Lifecycle 8.0.0 P02

Further improvements are being made in future versions for more use cases. 

• Ensure that all of Oracle user accounts required for 8.0.0 have been setup.
• Ensure that the passwords are not expired.
• Ensure the accounts are not locked.

This is a list of Oracle accounts used in 8.0.0 version of the product.

• avuser (mandatory)
• avdwuser (mandatory) introduced in 7.5.2
• ACMDB (mandatory)
• perfstat (optional)
• avcuser (optional) introduced in 7.5.2

For Wildfly the -check dbcredentials command for the cliAveksa.sh tool may be used to validate each of the required Oracle accounts.

Execute the following command from the command prompt:
"/home/oracle/database/cliAveksa.sh -check dbcredentials"

acm-800:~ # /home/oracle/database/cliAveksa.sh -check dbcredentials

The tool will check each of the Oracle accounts in sequence.

It will print out a successful message indicating the Database is up and running.

- Checking User Entered Values for userName and password for AVEKSA_USER, AVEKSA_REPORTS_USER, AVEKSA_PUBLIC_DB_USER and AVEKSA_AVPERF_USER in case of remote DB
- Attempting to check if database is running with user:avuser
...
- Attempting to connect to database using url:jdbc:oracle:thin:@//localhost:1555/AVDB, with the user:avuser
-

- Fri Mar 01 17:58:52 EST 2024
Fri Mar 01 17:58:52 EST 2024
- Database is up and running.
Database is up and running.

Or an error message indicating the problem with the account such as ORA-01017 or ORA-28000

 - Attempting to connect to database using url:jdbc:oracle:thin:@//localhost:1555/AVDB, with the user:avcsuser

- Database problems connecting for (Optional)  user: avcsuser: ORA-01017: invalid username/password; logon denied
 

At this time for WebSphere and Weblogic deployments this tool is not available.  You must validate accounts using Oracle tools.

See the following KB article for additional information on using Oracle tools:

'ORA-28000: the account is locked' error when migrating an imported database in RSA Identity Governance & Lifecycle