RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: All
Attempting to migrate a database that was imported from another system fails with the following error:
Unable to migrate schema. (class org.jboss.util.NestedSQLException: Could not create connection; - nested throwable: (java.sql.SQLException: ORA-28000: the account is locked
; - nested throwable: (org.jboss.resource.JBossResourceException: Could not create connection; - nested throwable: (java.sql.SQLException: ORA-28000: the account is locked
The issue occurs when an imported database has Oracle user accounts that have expired.
By default, RSA Identity Governance & Lifecycle creates the Oracle application user accounts with an Oracle profile that configures the passwords as non-expiring. The reason for this is to prevent the application from unexpectedly failing when the Oracle account expires. This profile is the ACMPROFILE, as documented in the RSA Identity Governance & Lifecycle Database Setup and Management Guide.
Because some corporate environments may have requirements that do not allow non-expiring accounts, the ACMPROFILE profile may be changed to enforce a password expiration date, which causes the Oracle accounts to expire and become inaccessible.
To resolve this issue, the Oracle account status needs to be checked and corrected so that the account is accessible. A good practice would be to check the Oracle account status prior to attempting the database migration to avoid the initial migration failure.
- Using a SQL tool such as SQL*Plus or SQL Developer, log in as SYSDBA.
- Execute the following SQL command:
select username, account_status from dba_users;
This may return output similar to the following:
- To unlock and unexpire the RSA Identity Governance & Lifecycle Oracle application accounts, execute the following SQL for each account that is locked (where <password> is the password associated with each individual account):
alter user <username> account unlock;
alter user <username> identified by <password>;
For example, if only the AVUSER account is noted as locked, then the commands would be:
alter user AVUSER account unlock;
alter user AVUSER identified by <AVUSER password>;
- Restart RSA Identity Governance & Lifecycle:
- Restart the migration of the imported database by entering the migration password.
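The pre-migration check recommended above can be narrowed to the accounts that matter. The following is an added example, not taken from the RSA documentation; it assumes the application accounts are still assigned the ACMPROFILE profile and that the session is connected as SYSDBA.

```sql
-- Added example: run before starting the migration.
-- Assumption: the application accounts use the ACMPROFILE profile.

-- 1. Show each account on the profile with its status and dates.
--    ACCOUNT_STATUS is OPEN for a usable account; values such as
--    LOCKED, EXPIRED, EXPIRED(GRACE) or EXPIRED & LOCKED mean the
--    account needs attention before the migration can connect.
SELECT u.username,
       u.account_status,
       u.lock_date,
       u.expiry_date,
       p.limit AS password_life_time
FROM   dba_users u
       JOIN dba_profiles p
         ON p.profile = u.profile
        AND p.resource_name = 'PASSWORD_LIFE_TIME'
WHERE  u.profile = 'ACMPROFILE'
ORDER  BY u.username;

-- 2. Show every password limit set on the profile, to see whether
--    it has been changed from non-expiring. PASSWORD_LIFE_TIME of
--    UNLIMITED means passwords never expire; a number is a lifetime
--    in days. FAILED_LOGIN_ATTEMPTS and PASSWORD_LOCK_TIME control
--    locking after bad logins.
SELECT resource_name,
       limit
FROM   dba_profiles
WHERE  profile = 'ACMPROFILE'
  AND  resource_type = 'PASSWORD'
ORDER  BY resource_name;
```

If the first query returns no rows, the imported accounts are on a different profile; rerun it without the profile filter to find which one applies.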