Production Password Rotation policy for PEGA
Summary
A change to the password of the JAAS J2C authentication alias used by the Pega data source is not picked up by a running WebSphere Application Server: the old credential stays cached in the server. WebSphere keeps opening connections with the stale password, each attempt fails with ORA-01017, and once enough attempts have failed the database locks the account (ORA-28000), so the Pega application loses database access altogether.
Error Messages
[5/8/17 4:08:04:275 EDT] 00000091 PRMiniLoader Z com.pega.pegarules.internal.bootstrap.PRMiniLoader PRMiniLoader - unable to load classes from the database: ORA-01017: invalid username/password; logon denied
[5/8/17 2:43:03:974 EDT] 0000006a SystemErr java.sql.SQLException: ORA-01017: invalid username/password; logon denied DSRA0010E: SQL State = 72000, Error Code = 1,017
[5/8/17 2:43:07:236 EDT] 0000006a SystemErr R java.sql.SQLException: ORA-28000: the account is locked
[5/8/17 19:26:29:335 EDT] 00000049 PRBootstrapDa E com.pega.pegarules.internal.bootstrap.PRBootstrapDataSource Unable to connect to database. Will only use properties from file. java.sql.SQLException: ORA-01017: invalid username/password; logon denied DSRA0010E: SQL State = 72000, Error Code = 1,017
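As an added example (not part of the Pega article), the following Python script parses WebSphere log lines in the format quoted above and flags the stale-credential signature: a burst of ORA-01017 logon failures inside a short window, which is what trips the database's failed-login lockout, and ORA-28000 once the account has actually been locked. The sample lines are constructed from the four messages above (one of them, as on the page, has no single-letter level field, so the parser treats the level as optional). The 30-minute window and the threshold of 10 are assumptions to be set from the database profile (10 is Oracle's DEFAULT profile value for FAILED_LOGIN_ATTEMPTS).

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the four WebSphere log lines quoted in the article,
# one of them (as on the page) without the single-letter level field.
SAMPLE_LINES = [
    "[5/8/17 2:43:03:974 EDT] 0000006a SystemErr java.sql.SQLException: ORA-01017: "
    "invalid username/password; logon denied DSRA0010E: SQL State = 72000, Error Code = 1,017",
    "[5/8/17 2:43:07:236 EDT] 0000006a SystemErr R java.sql.SQLException: ORA-28000: the account is locked",
    "[5/8/17 4:08:04:275 EDT] 00000091 PRMiniLoader Z com.pega.pegarules.internal.bootstrap.PRMiniLoader "
    "PRMiniLoader - unable to load classes from the database: ORA-01017: invalid username/password; logon denied",
    "[5/8/17 19:26:29:335 EDT] 00000049 PRBootstrapDa E com.pega.pegarules.internal.bootstrap.PRBootstrapDataSource "
    "Unable to connect to database. Will only use properties from file. java.sql.SQLException: ORA-01017: "
    "invalid username/password; logon denied DSRA0010E: SQL State = 72000, Error Code = 1,017",
]

# WAS basic log format: [timestamp] threadId component [level] message.
WAS_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<thread>[0-9a-fA-F]{8})\s+(?P<component>\S+)\s+"
    r"(?:(?P<level>[A-Z])\s+)?(?P<msg>.*)$"
)
ORA_CODE = re.compile(r"ORA-(\d{5})")

LOGON_DENIED = "01017"    # invalid username/password; logon denied
ACCOUNT_LOCKED = "28000"  # the account is locked


def parse_timestamp(ts):
    """'5/8/17 2:43:03:974 EDT' -> naive datetime; the zone token is dropped."""
    date, clock, _zone = ts.split(" ")
    return datetime.strptime(date + " " + clock, "%m/%d/%y %H:%M:%S:%f")


def parse_line(line):
    """Split one WAS log line into its fields plus the ORA codes it mentions, or None."""
    m = WAS_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ts"] = parse_timestamp(rec["ts"])
    except ValueError:
        return None
    rec["codes"] = ORA_CODE.findall(rec["msg"])
    return rec


def max_in_window(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def scan(lines, lockout_threshold=10, window=timedelta(minutes=30)):
    """Count ORA codes and raise alerts for the stale-credential pattern.

    lockout_threshold and window are assumptions: set them to the database
    profile's FAILED_LOGIN_ATTEMPTS and the period over which it is counted.
    """
    counts = {}
    failures = []
    for rec in filter(None, map(parse_line, lines)):
        for code in rec["codes"]:
            counts[code] = counts.get(code, 0) + 1
            if code == LOGON_DENIED:
                failures.append(rec["ts"])
    burst = max_in_window(failures, window)
    alerts = []
    if ACCOUNT_LOCKED in counts:
        alerts.append("ORA-28000: database account is locked. Stop the application, have the DBA "
                      "unlock the account, and restart the application server so the cached credential is dropped.")
    if burst >= lockout_threshold:
        alerts.append("%d ORA-01017 failures within %s: lockout threshold reached, the account is about to be "
                      "(or has been) locked; stop the connection attempts now." % (burst, window))
    elif LOGON_DENIED in counts:
        alerts.append("ORA-01017 seen %d time(s): the credential WebSphere presents no longer matches the "
                      "database; check that the password update took effect." % counts[LOGON_DENIED])
    return {"counts": counts, "max_failures_in_window": burst, "alerts": alerts}


if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES)["alerts"]:
        print(alert)
```

Feed it the SystemOut.log and SystemErr.log of every server that hosts the Pega data source; the windowed count matters more than the total, because an isolated ORA-01017 is a typo while a burst from a connection pool retrying a cached password is the lockout in progress.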
Steps to Reproduce
- Bring down the WAS servers.
- Run the command-line password update script, which reads a properties file and writes the new credential directly into security.xml in its encoded form (WebSphere's default {xor} encoding is obfuscation, not encryption, so the file still has to be access-controlled).
- Update the WAS configuration of the JDBC data source with the new account details in server.xml.
- Set the same new password on the database account; the account keeps its existing read, write and execute privileges.
- Restart the servers so that they use the new credential.
Root Cause
The password update script was run while the application server was down, so its change to the WebSphere configuration never took effect. When the servers came back up they still held the old credential and kept presenting it to the database, whose password had already been changed: every connection attempt failed with ORA-01017, and the repeated failures tripped the database's failed-login lockout (ORA-28000).
Resolution
The password has to be changed while the application server is running, with the Pega application stopped so that nothing keeps presenting the old credential to the database. Follow this order:
- Stop the Pega application on the server (the WebSphere server itself stays up).
- Run the password update script against the running server, and change the password on the database side in the same window.
- Restart the application server to flush the cached credentials.
- Restart the Pega application on the server.
If the database account has already been locked (ORA-28000), the DBA must unlock it before the restart; a locked account rejects the new credential as well.
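The article refers to a "password update script" without showing one. As an added example (not Pega's or IBM's code), here is a wsadmin Jython script that performs that step through the WebSphere admin API against a running server: it finds the JAAS J2C authentication alias entry, sets its password (WebSphere itself stores the value in security.xml in its own encoding), saves, and lists the data sources that reference the alias and therefore still hold the old credential until their server is restarted. The alias name PegaRulesAlias, the placeholder password and the use of the component-managed authDataAlias attribute are assumptions; the code is kept to the old Python syntax that wsadmin's bundled Jython accepts, so it also runs under a current Python with a stand-in AdminConfig object.

```python
# Added example: wsadmin Jython script for the "run the password update script"
# step. Not Pega's or IBM's code. Run while connected to a running server:
#   wsadmin.sh -lang jython -f rotate_alias.py
# Alias and password below are placeholders (assumptions), not values from the article.
ALIAS_NAME = 'PegaRulesAlias'   # assumed J2C authentication alias used by the Pega data source
NEW_PASSWORD = 'replace-me'     # pass this in from a vault or prompt in real use; never commit it


def find_auth_entry(admin_config, alias_name):
    """Return the config id of the JAASAuthData entry whose alias is alias_name, or None.
    AdminConfig.list returns one config id per line, e.g.
    'PegaRulesAlias(cells/c1|security.xml#JAASAuthData_1)'."""
    for entry in admin_config.list('JAASAuthData').splitlines():
        entry = entry.strip()
        if entry and admin_config.showAttribute(entry, 'alias') == alias_name:
            return entry
    return None


def datasources_using(admin_config, alias_name):
    """Names of data sources whose component-managed authDataAlias is alias_name.
    Their hosting servers cache the old credential and must be restarted after the change.
    (A container-managed alias lives under the data source's 'mapping' attribute instead.)"""
    names = []
    for ds in admin_config.list('DataSource').splitlines():
        ds = ds.strip()
        if ds and admin_config.showAttribute(ds, 'authDataAlias') == alias_name:
            names.append(admin_config.showAttribute(ds, 'name'))
    return names


def rotate_alias_password(admin_config, alias_name, new_password):
    """Set the alias password, save the configuration, and return the affected data sources.
    Fails loudly if the alias does not exist so a typo cannot silently leave the old
    password in place (the article's failure mode in a different guise)."""
    entry = find_auth_entry(admin_config, alias_name)
    if entry is None:
        raise ValueError('no JAASAuthData entry with alias %s' % alias_name)
    admin_config.modify(entry, [['password', new_password]])
    admin_config.save()
    return datasources_using(admin_config, alias_name)


if __name__ == '__main__':
    # Under wsadmin, AdminConfig is a predefined global. The server (or deployment
    # manager) must be up for this save to be applied; running the update with the
    # server down is the root cause the article describes.
    affected = rotate_alias_password(AdminConfig, ALIAS_NAME, NEW_PASSWORD)
    print('Updated alias %s; restart the server(s) hosting: %s' % (ALIAS_NAME, ', '.join(affected)))
```

In a Network Deployment cell, synchronise the nodes after the save and before restarting the servers; change the database password in the same window, while the Pega application is stopped, so that no connection is attempted with a mismatched credential.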
Published May 12, 2017 - Updated June 4, 2017