'ORA-28000: the account is locked' error when migrating an imported database in RSA Identity Governance & Lifecycle
4 years ago
Originally Published: 2015-04-21
Article Number
000055981
Applies To
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: All
 
Issue
Attempting to migrate a database that was imported from another system fails with the following error:
 
Unable to migrate schema. (class org.jboss.util.NestedSQLException: Could not create connection; - nested throwable: (java.sql.SQLException: ORA-28000: the account is locked
; - nested throwable: (org.jboss.resource.JBossResourceException: Could not create connection; - nested throwable: (java.sql.SQLException: ORA-28000: the account is locked
))

 
Cause
The issue occurs when an imported database has Oracle user accounts that have expired.

By default, RSA Identity Governance & Lifecycle creates the Oracle application user accounts with an Oracle profile that configures the passwords as non-expiring. The reason for this is to prevent the application from unexpectedly failing when the Oracle account expires. This profile is the ACMPROFILE as documented in the RSA Identity Governance & Lifecycle Database Setup and Management Guide.

Because some corporate environments may have requirements that do not allow non-expiring accounts, the ACMPROFILE profile may be changed to enforce a password expiration date which will cause the Oracle accounts to expire and become inaccessible.
 
Resolution
To resolve this issue, the Oracle account status needs to be checked and corrected so that the account is accessible. A good practice would be to check the Oracle account status prior to attempting the database migration to avoid the initial migration failure.  
  1. Using a SQL tool such as SQL*Plus or SQL Developer, login to SQL as SYSDBA.
  2. Run the following SQL command:
select username, account_status from dba_users;
This may return output similar to the following:
 
User-added image
  1. To unlock and unexpire the RSA Identity Governance & Lifecycle Oracle application accounts, run the following SQL for each account that is locked (where <password> is the password that is associated with each individual account):
alter user <username> account unlock;
alter user <username> identified by <password>;
For example, if only the AVUSER account is noted as locked, then the commands would be:
alter user AVUSER account unlock;
alter user AVUSER identified by <AVUSER password>;
  1. Restart RSA Identity Governance & Lifecycle:
acm restart
  1. Restart the migration of the imported database by entering the migration password.

 

Related Articles

Trending Articles

Don't see what you're looking for?