SecurID® Governance & Lifecycle Knowledge Base
Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID Governance & Lifecycle experts.
Article Number
000030105
Applies To
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: All
RSA Version/Condition: All
Issue
Attempting to migrate a database that was imported from another system fails with the following error:
Unable to migrate schema. (class org.jboss.util.NestedSQLException: Could not create connection; - nested throwable: (java.sql.SQLException: ORA-28000: the account is locked
; - nested throwable: (org.jboss.resource.JBossResourceException: Could not create connection; - nested throwable: (java.sql.SQLException: ORA-28000: the account is locked
))
; - nested throwable: (org.jboss.resource.JBossResourceException: Could not create connection; - nested throwable: (java.sql.SQLException: ORA-28000: the account is locked
))
Cause
The issue occurs when an imported database has Oracle user accounts that have expired.
By default, RSA Identity Governance & Lifecycle creates the Oracle application user accounts with an Oracle profile that configures the passwords as non-expiring. The reason for this is to prevent the application from unexpectedly failing when the Oracle account expires. This profile is the ACMPROFILE as documented in the RSA Identity Governance & Lifecycle Database Setup and Management Guide.
Because some corporate environments may have requirements that do not allow non-expiring accounts, the ACMPROFILE profile may be changed to enforce a password expiration date which will cause the Oracle accounts to expire and become inaccessible.
By default, RSA Identity Governance & Lifecycle creates the Oracle application user accounts with an Oracle profile that configures the passwords as non-expiring. The reason for this is to prevent the application from unexpectedly failing when the Oracle account expires. This profile is the ACMPROFILE as documented in the RSA Identity Governance & Lifecycle Database Setup and Management Guide.
Because some corporate environments may have requirements that do not allow non-expiring accounts, the ACMPROFILE profile may be changed to enforce a password expiration date which will cause the Oracle accounts to expire and become inaccessible.
Resolution
To resolve this issue, the Oracle account status needs to be checked and corrected so that the account is accessible. A good practice would be to check the Oracle account status prior to attempting the database migration to avoid the initial migration failure.
Image description
- Using a SQL tool such as SQL*Plus or SQL Developer, login to SQL as SYSDBA.
- Execute the following SQL command:
select account, account status from dba_users;
This may return output similar to the following:
Image description- To unlock and unexpire the RSA Identity Governance & Lifecycle Oracle application accounts, execute the following SQL for each account that is locked (where <password> is the password associated with each individual account):
alter user <username> account unlock; alter user <username> identified by <password>;
For example, if only the AVUSER account is noted as locked, then the commands would be:
alter user AVUSER account unlock; alter user AVUSER identified by <AVUSER password>;
- Restart RSA Identity Governance & Lifecycle:
acm restart
- Restart the migration of the imported database by entering the migration password.
In this article
