Sunday, March 21, 2010

PSOVM : sysadm's password policy

If, like me, you have been working on PeopleSoft OVM for quite a while, you may run into a problem when starting up the application and batch servers.
Here is the output:
==============ERROR!================
Boot attempt encountered errors!. Check the TUXEDO log for details.
==============ERROR!================

Do you wish to see the error messages in the APPSRV.LOG file? (y/n) [n] :y

PSADMIN.1800 (0) [03/21/10 05:31:59](0) Begin boot attempt on domain APPDOM
PSAPPSRV.1813 (0) [03/21/10 05:32:10](0) PeopleTools Release 8.50.02 (Linux) starting. Tuxedo server is APPSRV(99)/1
PSAPPSRV.1813 (0) [03/21/10 05:32:10](0) Cache Directory being used: /home/psadm2/ps/pt/8.50/appserv/APPDOM/CACHE/PSAPPSRV_1/
PSAPPSRV.1813 (0) [03/21/10 05:32:10](3) File: SQL Access ManagerSQL error. Stmt #: 2 Error Position: 0 Return: 28002 - ORA-28002: the password will expire within 4 days
PSAPPSRV.1813 (0) [03/21/10 05:32:10](1) GenMessageBox(200, 0, M): SQL Access Manager: File: SQL Access ManagerSQL error. Stmt #: 2 Error Position: 0 Return: 28002 - ORA-28002: the password will expire within 4 days
PSAPPSRV.1813 (0) [03/21/10 05:32:10](1) GenMessageBox(0, 0, M): Database Signon: Could not sign on to database H91TMPLT with user PS.
PSAPPSRV.1813 (0) [03/21/10 05:32:10](0) Server failed to start
PSADMIN.1800 (0) [03/21/10 05:32:17](0) End boot attempt on domain APPDOM

Well, the message is quite clear: the password will expire. It may be surprising that the application refuses to work, since the password has not YET expired.
OK, I did not verify it before, but let's have a look at the profile of SYSADM and PEOPLE:
SQL> select username,account_status,expiry_date,profile
2 from dba_users
3 where username in ('PEOPLE','SYSADM');

USERNAME ACCOUNT_STATUS EXPIRY_DATE
------------------------------ -------------------------------- ------------------
PROFILE
------------------------------
PEOPLE EXPIRED(GRACE) 25-MAR-10
DEFAULT

SYSADM EXPIRED(GRACE) 28-MAR-10
DEFAULT
SQL> select * from dba_profiles where profile='DEFAULT'
2 and limit is not null and limit != 'UNLIMITED';

PROFILE RESOURCE_NAME RESOURCE_TYPE
------------------------------ -------------------------------- --------------------------------
LIMIT
----------------------------------------------------------------------------------------------------
DEFAULT FAILED_LOGIN_ATTEMPTS PASSWORD
10

DEFAULT PASSWORD_LIFE_TIME PASSWORD
180

DEFAULT PASSWORD_VERIFY_FUNCTION PASSWORD
NULL

DEFAULT PASSWORD_LOCK_TIME PASSWORD
1

DEFAULT PASSWORD_GRACE_TIME PASSWORD
7

While such security policies may be good enough in a configuration without an application server, they are best avoided in a PeopleSoft environment. If you don't pay close enough attention, everything will shut down in the middle of a working day and your users will certainly start calling you.
So it is much better to remove all the limits and free the SYSADM and PEOPLE users from password expiration:
SQL> alter profile default limit
2 failed_login_attempts unlimited
3 password_life_time unlimited
4 password_lock_time unlimited
5 password_grace_time unlimited;

Profile altered.

SQL> alter user sysadm identified by SYSADM;

User altered.

SQL> alter user people identified by peop1e;

User altered.

SQL> select username,account_status,expiry_date,profile
from dba_users
where username in ('PEOPLE','SYSADM');

USERNAME ACCOUNT_STATUS EXPIRY_DATE
------------------------------ -------------------------------- ------------------
PROFILE
------------------------------
PEOPLE OPEN
DEFAULT

SYSADM OPEN
DEFAULT

Now the application and batch server will start without issue.
PeopleSoft Domain Boot Menu
-------------------------------
Domain Name: APPDOM

1) Boot (Serial Boot)
2) Parallel Boot
q) Quit

Command to execute (1-2, q) [q]: 1
psappsrv.cfg has changed archiving old one...
Copying APPDOM/Archive/psappsrv.cfg to APPDOM/Archive/psappsrv_032110_0531_59.cfg
Attempting to boot bulletin board...
tmadmin - Copyright (c) 2007-2008 Oracle.
Portions * Copyright 1986-1997 RSA Data Security, Inc.
All Rights Reserved.
Distributed under license by Oracle.
Tuxedo is a registered trademark.
No bulletin board exists. Entering boot mode.

> INFO: Oracle Tuxedo, Version 10.3.0.0, 64-bit, Patch Level (none)

Booting admin processes ...

exec BBL -A :
process id=1822 ... Started.
1 process started.
Attaching to active bulletin board.

> Attempting to boot ...
INFO: Oracle Tuxedo, Version 10.3.0.0, 64-bit, Patch Level (none)

Booting server processes ...

exec PSWATCHSRV -o ./LOGS/stdout -e ./LOGS/stderr -A -- -ID 128959 -D APPDOM -S PSWATCHSRV :
process id=1826 ... Started.
exec PSAPPSRV -o ./LOGS/stdout -e ./LOGS/stderr -s@psappsrv.lst -- -D APPDOM -S PSAPPSRV :
process id=1827 ... Started.
exec PSAPPSRV -o ./LOGS/stdout -e ./LOGS/stderr -s@psappsrv.lst -- -D APPDOM -S PSAPPSRV :
process id=1840 ... Started.
exec PSQRYSRV -o ./LOGS/stdout -e ./LOGS/stderr -s@psqrysrv.lst -- -D APPDOM -S PSQRYSRV :
process id=1853 ... Started.
exec PSSAMSRV -o ./LOGS/stdout -e ./LOGS/stderr -A -- -D APPDOM -S PSSAMSRV :
process id=1866 ... Started.
exec PSBRKHND -o ./LOGS/stdout -e ./LOGS/stderr -s PSBRKHND_dflt:BrkProcess -- -D APPDOM -S PSBRKHND_dflt :
process id=1878 ... Started.
exec PSBRKDSP -o ./LOGS/stdout -e ./LOGS/stderr -s PSBRKDSP_dflt:Dispatch -- -D APPDOM -S PSBRKDSP_dflt :
process id=1881 ... Started.
exec PSPUBHND -o ./LOGS/stdout -e ./LOGS/stderr -s PSPUBHND_dflt:PubConProcess -- -D APPDOM -S PSPUBHND_dflt :
process id=1884 ... Started.
exec PSPUBDSP -o ./LOGS/stdout -e ./LOGS/stderr -s PSPUBDSP_dflt:Dispatch -- -D APPDOM -S PSPUBDSP_dflt :
process id=1888 ... Started.
exec PSSUBHND -o ./LOGS/stdout -e ./LOGS/stderr -s PSSUBHND_dflt:SubConProcess -- -D APPDOM -S PSSUBHND_dflt :
process id=1900 ... Started.
exec PSSUBDSP -o ./LOGS/stdout -e ./LOGS/stderr -s PSSUBDSP_dflt:Dispatch -- -D APPDOM -S PSSUBDSP_dflt :
process id=1903 ... Started.
exec PSMONITORSRV -o ./LOGS/stdout -e ./LOGS/stderr -A -- -ID 128959 -D APPDOM -S PSMONITORSRV :
process id=1906 ... Started.
exec WSL -o ./LOGS/stdout -e ./LOGS/stderr -A -- -n //psovmab.phoenix.nga:7000 -z 0 -Z 0 -I 5 -T 60 -m 1 -M 3 -x 40 -c 5000 -p 7001 -P 7003 :
process id=1918 ... Started.
exec JSL -o ./LOGS/stdout -e ./LOGS/stderr -A -- -n //psovmab.phoenix.nga:9000 -m 5 -M 7 -I 5 -j ANY -x 40 -S 10 -c 1000000 -w JSH :
process id=1920 ... Started.
exec JREPSVR -o ./LOGS/stdout -e ./LOGS/stderr -A -- -W -P /home/psadm2/ps/pt/8.50/appserv/APPDOM/jrepository :
process id=1926 ... Started.
15 processes started.


If you want to implement a password lifetime or some other restriction on the Oracle users, it is better to do it manually during a defined maintenance window.
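
An alternative way to scope the same exemption, shown as an added example and not taken from the original post: ALTER PROFILE DEFAULT changes the limits for every account assigned to DEFAULT, so this example gives SYSADM and PEOPLE their own profile and adds queries to see which accounts are affected and which are approaching expiry ahead of a planned rotation. The profile name PS_SVC_ACCOUNTS and the 14-day look-ahead are assumptions; the lockout values are copied from the DEFAULT limits listed above.

```sql
-- Added example. PS_SVC_ACCOUNTS is a hypothetical profile name.

-- 1) See which accounts share the DEFAULT profile before touching it:
--    every row here inherits any change made with ALTER PROFILE DEFAULT.
SELECT username, account_status, expiry_date
FROM   dba_users
WHERE  profile = 'DEFAULT'
ORDER  BY username;

-- 2) Dedicated profile for the PeopleSoft database accounts only.
--    Expiry is switched off; the lockout limits keep the DEFAULT values
--    shown in the post (10 attempts, 1 day lock).
CREATE PROFILE ps_svc_accounts LIMIT
  password_life_time    UNLIMITED
  password_grace_time   UNLIMITED
  failed_login_attempts 10
  password_lock_time    1;

ALTER USER sysadm PROFILE ps_svc_accounts;
ALTER USER people PROFILE ps_svc_accounts;

-- 3) Accounts already in EXPIRED(GRACE) keep that status until the
--    password is set again (the ALTER USER ... IDENTIFIED BY step in the
--    post). Confirm the result afterwards:
SELECT username, account_status, expiry_date, profile
FROM   dba_users
WHERE  username IN ('PEOPLE', 'SYSADM');

SELECT resource_name, limit
FROM   dba_profiles
WHERE  profile = 'PS_SVC_ACCOUNTS'
AND    resource_type = 'PASSWORD';

-- 4) Early warning for a scheduled check: accounts that are in the grace
--    period or will expire within 14 days (assumed threshold), so a
--    rotation can be planned for a maintenance window before ORA-28002
--    appears in APPSRV.LOG.
SELECT username, account_status, expiry_date, profile,
       TRUNC(expiry_date - SYSDATE) AS days_left
FROM   dba_users
WHERE  account_status LIKE 'EXPIRED%'
   OR  (account_status = 'OPEN' AND expiry_date < SYSDATE + 14)
ORDER  BY expiry_date;
```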

Nicolas.

6 comments:

Ya estoy en Mexico said...

Excellent! Thank you very much, regards from Mexico! :D

Anonymous said...

Perfect !!!

Anonymous said...

Excellent! It did help me.

Asif Bin Qadir said...

Thanks

Unknown said...

Great....

Unknown said...

¡¡¡Thank you very much!!!