Introduction

Over the course of using the Oracle Access Manager Product, the OAM schema database password may need to be changed.

Common questions are …

  • Is the OAM schema password tied to the OPSS schema password, so that if the OAM password is changed the OPSS password must also be changed?
  • Is the process to change the OAM schema password the same for the 11g and 12c versions?

This blog will cover how to change the OAM schema password. This information is based on my experience and testing and applies to both Oracle Access Manager 11g and 12c versions.

Change The OAM Schema Database Password

Changing the OAM Schema password will require changes in two areas, the WLS Data Source and the Repository Database. The OAM schema password can be changed independently from the OPSS schema password as there are no dependencies.

WebLogic Server Administration Console

OAM uses a WebLogic data source object that enables a Java Database Connectivity (JDBC) client to obtain a pool of database connections. The WebLogic JDBC data sources provide database access and database connection management.

Step One

Update the password for the OAM WLS Data Source

  • Access and log into the WLS Admin Console
  • From the Domain Structure menu, expand Services and click Data Sources
  • Select the oamDS data source in the Data Sources table
  • Select the Configuration > Connection Pool sub tab
  • Enter a new password for the OAM schema in the Password and Confirm Password fields
  • Click Save to save the new password, and then click Activate Changes in the Change Center

Step Two

Stop the WLS Administration Server and Managed Servers running OAM in the environment.

Repository Database

SQLplus

  • Log on to sqlplus as the SYS database user
  • If needed, validate the OAM schema “OWNER”

Example Syntax/Output

SELECT OWNER FROM SCHEMA_VERSION_REGISTRY WHERE COMP_NAME LIKE 'Oracle Access Manager';

OWNER
------------------------------
DEVOAM_OAM

Based on this query, the OAM schema “OWNER” is “DEVOAM_OAM”, which is the value to use for PREFIX_OAM_SCHEMA_USER.

  • Update the schema passwords in the database

Syntax

ALTER USER <PREFIX_OAM_SCHEMA_USER> IDENTIFIED BY <NEW_PASSWORD>;

Useful Practice for Test Environments

Password Never Expires

I have found it useful in a testing or development environment not to have to change the OAM schema password; this helps simplify the maintenance for the environment, with one less task to worry about. To do this, change the default password policy for the database by configuring the password settings in the DEFAULT database profile (or in another relevant profile assigned to the OAM schema) so that the database users’ passwords will never expire.

Change Default Password Policy

SQLplus Syntax

  • Log on to sqlplus as the SYS database user
  • Validate the DEFAULT database profile values for PASSWORD_LIFE_TIME, PASSWORD_GRACE_TIME and FAILED_LOGIN_ATTEMPTS.

Example Syntax/Output

select resource_name, limit from dba_profiles where profile='DEFAULT' and resource_name in ('PASSWORD_GRACE_TIME', 'PASSWORD_LIFE_TIME', 'FAILED_LOGIN_ATTEMPTS');

RESOURCE_NAME                    LIMIT
-------------------------------- ----------
FAILED_LOGIN_ATTEMPTS            UNLIMITED
PASSWORD_LIFE_TIME               UNLIMITED
PASSWORD_GRACE_TIME              UNLIMITED

  • ALTER the default profile to set the PASSWORD_LIFE_TIME, PASSWORD_GRACE_TIME, and FAILED_LOGIN_ATTEMPTS parameters to UNLIMITED

Example Syntax/Output

ALTER profile default limit password_life_time unlimited password_grace_time unlimited failed_login_attempts unlimited;

Profile altered.

  • Validate that the DEFAULT database profile values for PASSWORD_LIFE_TIME, PASSWORD_GRACE_TIME and FAILED_LOGIN_ATTEMPTS were set to unlimited

Example Syntax/Output

select resource_name, limit from dba_profiles where profile='DEFAULT' and resource_name in ('PASSWORD_GRACE_TIME', 'PASSWORD_LIFE_TIME', 'FAILED_LOGIN_ATTEMPTS');

RESOURCE_NAME                    LIMIT
-------------------------------- ----------
FAILED_LOGIN_ATTEMPTS            UNLIMITED
PASSWORD_LIFE_TIME               UNLIMITED
PASSWORD_GRACE_TIME              UNLIMITED

For more information about the password-related settings in the default profile and how to configure them, refer to the version-specific Database documentation in the areas of …

  • “Configuring Password Settings in the Default Profile” in the Oracle Database Security Guide.
  • “ALTER PROFILE”, to modify the default password settings, in the Oracle Database SQL Language Reference.
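The text above mentions using "another relevant profile assigned to the OAM schema" instead of DEFAULT. The following is an added example, not from the original post, that scopes the never-expire setting to the OAM schema alone, so other accounts on DEFAULT keep their expiry and lockout limits. It assumes the DEVOAM_OAM owner from the sample output above and a hypothetical profile name, OAM_TEST_SVC.

```sql
-- Added example. DEVOAM_OAM is the sample owner shown earlier on this page;
-- OAM_TEST_SVC is a hypothetical profile name chosen for illustration.

-- 1. Which profile governs the OAM schema, and is the password close to expiry?
SELECT username, profile, account_status, expiry_date
  FROM dba_users
 WHERE username = 'DEVOAM_OAM';

-- 2. Password limits of the profile actually assigned to that schema
--    (not necessarily DEFAULT).
SELECT p.profile, p.resource_name, p.limit
  FROM dba_profiles p
  JOIN dba_users u ON u.profile = p.profile
 WHERE u.username = 'DEVOAM_OAM'
   AND p.resource_type = 'PASSWORD'
 ORDER BY p.resource_name;

-- 3. Dedicated profile: password never expires, while the failed-login
--    lockout keeps following whatever the DEFAULT profile specifies.
CREATE PROFILE oam_test_svc LIMIT
  PASSWORD_LIFE_TIME    UNLIMITED
  PASSWORD_GRACE_TIME   UNLIMITED
  FAILED_LOGIN_ATTEMPTS DEFAULT;

-- 4. Assign it to the OAM schema only.
ALTER USER DEVOAM_OAM PROFILE oam_test_svc;

-- 5. Confirm the assignment. An account already in an EXPIRED status still
--    needs ALTER USER ... IDENTIFIED BY ... before it can connect again.
SELECT username, profile, account_status, expiry_date
  FROM dba_users
 WHERE username = 'DEVOAM_OAM';

-- 6. Review which open accounts are still governed by DEFAULT, i.e. the
--    accounts that a change to the DEFAULT profile would have affected.
SELECT username, account_status, expiry_date
  FROM dba_users
 WHERE profile = 'DEFAULT'
   AND account_status = 'OPEN'
 ORDER BY username;
```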

Bonus Information

OPSS Schema Database Password

To Change the OPSS Schema Database Password

Step One

Update the password for OPSS Data Source in the WebLogic Server Administration Console

  • From the Domain Structure menu, expand Services and click Data Sources
  • Select the oamDS data source in the Data Sources table
  • Select the Configuration > Connection Pool sub tab
  • Enter a new password for the OAM schema in the Password and Confirm Password fields
  • Click Save to save the new password, and then click Activate Changes in the Change Center

Step Two

Stop the WLS Administration Server and Managed Servers running OAM in the environment.

Step Three

Log on to sqlplus as the SYS database user, and update the schema passwords in the database

ALTER USER <PREFIX_OPSS_SCHEMA_USER> IDENTIFIED BY <NEW_PASSWORD>;

Step Four

Start WLST from the MW_HOME/oracle_common/common/bin directory. For example:

cd <MW_HOME>/oracle_common/common/bin

./wlst.sh

Step Five

Run the WLST modifyBootStrapCredential command as follows:

modifyBootStrapCredential(jpsConfigFile='DOMAIN_HOME/config/fmwconfig/jps-config.xml', username='<PREFIX_OPSS>', password='<NEW_PASSWORD>')

Step Six

Exit WLST

exit()

Step Seven

Start the servers in the environment.

Wrap up

The mysteries behind the OAM Schema User password maintenance have now been removed. The focus of this blog was to validate that the OAM user schema password can be maintained separately from any other user’s schema. It is only affected at 2 layers, the WLS data source and the database.

The “Useful Practice” section covered a way to set passwords to never expire, as a low-impact way to handle user maintenance in a test environment. This is not the approach to take for database user passwords in production or critical environments. Apply these practices to a test environment and modify as needed for your specific needs.
