Support Article

Production Password Rotation policy for PEGA

SA-37938

Summary



A change to the password for the JAAS J2CE account used for the connection is cached within the WebSphere application server. This causes the database to lock out the old account, denying the Pega application access.


Error Messages



[5/8/17 4:08:04:275 EDT] 00000091 PRMiniLoader Z com.pega.pegarules.internal.bootstrap.PRMiniLoader PRMiniLoader - unable to load classes from the database: ORA-01017: invalid username/password; logon denied
wsjar:file:/profiles/your_dir/installedApps/your)cell/your_pegaear.ear/APP-INF/lib/prresources.jar!/prbootstrap.properties
[5/8/17 2:43:03:974 EDT] 0000006a SystemErr java.sql.SQLException: ORA-01017: invalid username/password; logon denied DSRA0010E: SQL State = 72000, Error Code = 1,017
[5/8/17 2:43:07:236 EDT] 0000006a SystemErr R java.sql.SQLException: ORA-28000: the account is locked

[5/8/17 19:26:29:335 EDT] 00000049 PRBootstrapDa E com.pega.pegarules.internal.bootstrap.PRBootstrapDataSource Unable to connect to database. Will only use properties from file. java.sql.SQLException: ORA-01017: invalid username/password; logon denied
DSRA0010E: SQL State = 72000, Error Code = 1,017
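
One way to confirm this failure pattern from the application server log, as an added example that is not part of the original article: it parses WebSphere-style log lines and reports ORA-01017 logon failures relative to the first ORA-28000 lockout. The sample lines are constructed from the format shown above; the function names and report fields are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the WebSphere log lines quoted in this article.
SAMPLE_LOG = """\
[5/8/17 2:43:03:974 EDT] 0000006a SystemErr java.sql.SQLException: ORA-01017: invalid username/password; logon denied
[5/8/17 2:43:05:102 EDT] 0000006a SystemErr R java.sql.SQLException: ORA-01017: invalid username/password; logon denied
[5/8/17 2:43:07:236 EDT] 0000006a SystemErr R java.sql.SQLException: ORA-28000: the account is locked
DSRA0010E: SQL State = 72000, Error Code = 1,017
[5/8/17 19:26:29:335 EDT] 00000049 PRBootstrapDa E Unable to connect to database. java.sql.SQLException: ORA-01017: invalid username/password; logon denied
"""

# Layout: "[M/D/YY H:MM:SS:mmm TZ] <8-char thread id> <rest of message>"
LINE_RE = re.compile(r"^\[(\d+/\d+/\d+ \d+:\d+:\d+):(\d{3}) \w+\] (\w{8}) (.*)$")

def parse(log_text):
    """Yield (timestamp, thread_id, ora_code) for timestamped lines carrying an ORA error."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation line without a timestamp (e.g. DSRA0010E detail)
        ora = re.search(r"ORA-(\d{5})", m.group(4))
        if ora:
            ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
            ts = ts.replace(microsecond=int(m.group(2)) * 1000)
            yield ts, m.group(3), "ORA-" + ora.group(1)

def lockout_report(log_text):
    """Summarise ORA-01017 failures before and after the first ORA-28000 lockout."""
    events = list(parse(log_text))
    locked_at = next((ts for ts, _, code in events if code == "ORA-28000"), None)
    bad = [ts for ts, _, code in events if code == "ORA-01017"]
    before = [ts for ts in bad if locked_at is None or ts < locked_at]
    return {
        "first_failure": min(bad) if bad else None,
        "locked_at": locked_at,
        "failures_before_lock": len(before),
        "failures_after_lock": len(bad) - len(before),
        # Heuristic (assumption): rejected logons followed by a lock suggest
        # the server kept presenting a credential the database no longer accepts.
        "stale_credential_lockout": locked_at is not None and bool(before),
    }

if __name__ == "__main__":
    for key, value in lockout_report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against the server's own log after a rotation; any ORA-01017 entries dated after the restart indicate the old credential is still being presented.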


Steps to Reproduce

  1. Bring down the WAS servers.
  2. Update the password through a command-line script that uses a properties file to write the new, encrypted account credential directly into security.xml.
  3. Update the WAS configuration with the new account details for the JDBC data source in server.xml.
  4. Update the same user account on the database server to allow access with all read, write, access, and execute privileges, using the same credential.
  5. After the above step, restart the server to use the new account.


Root Cause



In the above process, the application server is not up, and the change did not take effect.

Resolution



Follow this process to rotate the password:
  1. Stop the Pega application on the server.
  2. Run the password update script.
  3. Restart the application server to flush the cached credentials.
  4. Restart the application on the server.

Published May 12, 2017 - Updated June 4, 2017
