Change the Database Schema Password for an Oracle Java Cloud Service Instance

Update the password used by an Oracle Java Cloud Service instance to access the Oracle schemas in the infrastructure database.

You might change the password for the Oracle schemas in order to meet Oracle security policies, corporate security policies or government regulations, or in response to a perceived security threat. By default, this password is set to expire 180 days after your service instance was created.

You can only use Oracle Java Cloud Service to change the password for the Oracle Required Schemas found in the Infrastructure Schema database for a service instance. To change the password for schemas hosted in an Application database in your service instance, you must directly modify the configuration of both the database and your WebLogic Server domain.

Change the Schema Password with the Console

Use Oracle Java Cloud Service to change the Oracle schema password in the Oracle Database Cloud Service deployment, and to also update your service instance to use the new password.

You cannot use the console to change the schema password if your service instance uses Oracle Cloud Infrastructure Database or Oracle Autonomous Database (Oracle Autonomous Transaction Processing). You must use the REST API. See Change the Database Schema Password in REST API for Oracle Java Cloud Service.

You cannot use Oracle Java Cloud Service to automatically change the schema password if your service instance was created before November 2017. See Change the Schema Password Manually.

  1. Access your service console.
  2. Click the name of the service instance whose schema password you want to change.
  3. At the bottom of the Overview page, expand Associations.
  4. From the list of associations for this service instance, identify the association with these characteristics:
    • Service Type - Oracle Database Cloud Service
    • Type - Depends On
  5. Click the Manage Association menu icon for this association, and then select Update Database Credentials.

    This menu option is only available for the Infrastructure database association. It is not available for Application databases.

  6. Enter the Database Administrator Username and Database Administrator Password of the system administrator for the selected database deployment.
  7. For New Schema Password, enter a new password for the Oracle schemas in the selected database deployment.

    The password must start with a letter, be between 8 and 30 characters long, and contain at least one number. The password can optionally include the special characters: $, #, _.

  8. Click Update.

You can monitor the operation’s progress from this page or from the Activity page. Oracle Java Cloud Service updates the database credentials, the WebLogic Server domain configuration, and the bootstrap credentials.

Change the Schema Password Manually

If you want to change the password for the Oracle database schemas used by your Oracle Java Cloud Service instance, and your service instance was created prior to November 2017, then you must manually update the database and the service instance to use the new database password.

  1. Update the password for each Oracle Java Cloud Service schema in the database.
    1. Connect to your database using a secure shell (SSH) client.
    2. Switch to the oracle user.
      sudo su oracle
    3. Connect to the database using sqlplus.
      sqlplus / as sysdba
    4. If your database version is 12c, set the name of the pluggable database (PDB).
      alter session set container=PDB_name;

      Use the PDB name that you provided during the creation of your Oracle Java Cloud Service instance. The default is PDB1.

      alter session set container=PDB1;
    5. List all the schemas (users) in the database.
      select username from dba_users;
    6. Locate the schema schema_prefix_IAU. Note the generated schema prefix.
      For example: SP737755846_IAU
    7. Unlock and change the password for the following users.
      Oracle WebLogic Server 12.2.1.x:
        • schema_prefix_IAU
        • schema_prefix_IAU_APPEND
        • schema_prefix_IAU_VIEWER
        • schema_prefix_MDS
        • schema_prefix_OPSS
        • schema_prefix_STB
        • schema_prefix_UMS

      alter user schema_prefix_user account unlock;
      alter user schema_prefix_user identified by new_password;

      For example:

      alter user SP737755846_IAU account unlock;
      alter user SP737755846_IAU identified by new_password;

      The password must start with a letter, be between 8 and 30 characters long, and contain at least one number. The password can optionally include the special characters: $, #, _.

  2. If your Administration Server is running, use the Administration Console to update the data source passwords.
    If your Administration Server is not running, skip to step 3.
    1. Access the Oracle Java Cloud Service console.
    2. Click the Manage this instance menu icon for your service instance, and then select Open WebLogic Server Administration Console.
    3. Log in to the Administration Console.
    4. Click Lock & Edit.
    5. From the Domain Structure panel, expand Services, and then click Data Sources.
    6. Click mds-owsm.
    7. Click the Connection Pool tab.
    8. Update the Password and Confirm Password fields.
    9. Click Save.
    10. Repeat from step 5 to update the password for the other data sources below.
      Oracle WebLogic Server 12c:
        • mds-owsm
        • LocalSvcTblDataSource
        • opss-audit-DBDS
        • opss-audit-viewDS
        • opss-data-source

    11. Click Activate Changes.
    12. From the Domain Structure panel, expand Environment, and then click Servers.
    13. Click the Control tab.
    14. Select the check box for every server. Click Shutdown, and then select Force Shutdown Now.
    15. When prompted for confirmation, click Yes.
    16. Skip to step 4.
  3. If your Administration Server is not running or the Administration Console is not accessible, update the domain’s configuration files.
    1. Connect to the Administration Server node in your service instance using SSH.
    2. Switch to the oracle user.
      sudo su oracle
    3. Navigate to the domain home directory.
      cd /u01/data/domains/domain_name
    4. Stop any WebLogic Server processes if they are running.
      ps -ef | grep weblogic.Server
      kill -9 process_id

      Do not stop the Node Manager process.

    5. Encrypt your new schema password using the weblogic.security.Encrypt utility.
      source bin/setDomainEnv.sh
      java weblogic.security.Encrypt

      When prompted, enter the new password.

    6. Copy the encrypted password.
    7. Navigate to the directory that contains your domain’s data source configuration files.
      cd config/jdbc
    8. Edit the following files and update the password-encrypted element with the new encrypted value.
      Oracle WebLogic Server 12c:
        • LocalSvcTblDataSource-jdbc.xml
        • opss-auditview-jdbc.xml
        • mds-owsm-jdbc.xml
        • opss-datasource-jdbc.xml
        • opss-audit-jdbc.xml

      <password-encrypted>encrypted_password</password-encrypted>
  4. Use the WebLogic Scripting Tool (WLST) to update the bootstrap credentials for the OPSS database schema.
    1. Connect to the Administration Server node in your service instance using SSH.
    2. Switch to the oracle user.
      sudo su oracle
    3. Identify your domain’s name.
      ls /u01/data/domains
    4. Start a WLST prompt.
      /u01/app/oracle/middleware/oracle_common/common/bin/wlst.sh
    5. Run the modifyBootStrapCredential command. Specify the full path to the jps-config-jse.xml file, the OPSS schema name, and your new database password.
      modifyBootStrapCredential(jpsConfigFile='/u01/data/domains/domain_name/config/fmwconfig/jps-config-jse.xml',username='schema_prefix_OPSS',password='new_password')
    6. Exit WLST.
      exit()
  5. Start the servers.
    1. From the Administration Server node, identify its host name.
      hostname
    2. Identify the name of the Administration Server.
      ls /u01/data/domains/domain_name/servers

      The server’s name ends with the text adminserver.

    3. View the nodemanager.properties file to determine the Node Manager’s listen port number.

      For Oracle WebLogic Server 12c: /u01/data/domains/domain_name/nodemanager/nodemanager.properties

    4. Start a WLST prompt.
      /u01/app/oracle/middleware/oracle_common/common/bin/wlst.sh
    5. Connect to the Node Manager.
      nmConnect('weblogic_username','weblogic_password','hostname','nm_port','domain_name','/u01/data/domains/domain_name','ssl')
    6. Start the Administration Server.
      nmStart('admin_server_name')
    7. Exit WLST.
      exit()
    8. Access the Oracle Java Cloud Service console.
    9. Click the Manage this instance menu icon for your service instance, and then select Open WebLogic Server Administration Console.
    10. Log in to the Administration Console.
    11. From the Domain Structure panel, expand Environment, and then click Servers.
    12. Click the Control tab.
    13. Select the check box for every managed server. Click Start.
    14. When prompted for confirmation, click Yes.
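
Step 1 of the manual procedure repeats the same two statements for seven schema users. As an added example (not Oracle tooling), this shell sketch checks a candidate password against the rules stated above and prints the statements for a given prefix. The function names are hypothetical, and accepting only $, # and _ as special characters is an assumption drawn from the password rule.

```shell
#!/bin/sh
# Added example, not Oracle tooling. Suffixes are the users listed in step 1.
LC_ALL=C; export LC_ALL
SCHEMA_SUFFIXES="IAU IAU_APPEND IAU_VIEWER MDS OPSS STB UMS"

# Succeeds if $1 starts with a letter, is 8-30 characters long and contains
# at least one number. Assumption: besides letters and digits, only $ # _
# are accepted.
valid_schema_password() {
    pw=$1
    [ "${#pw}" -ge 8 ] && [ "${#pw}" -le 30 ] || return 1
    case $pw in
        [A-Za-z]*) ;;
        *) return 1 ;;
    esac
    case $pw in
        *[!A-Za-z0-9_\$#]*) return 1 ;;
    esac
    case $pw in
        *[0-9]*) return 0 ;;
    esac
    return 1
}

# Prints the unlock and password-change statements for all seven users.
# $1 = generated schema prefix, $2 = new password.
gen_schema_password_sql() {
    prefix=$1
    new_pw=$2
    # Assumption: the prefix is a plain identifier (letters, digits, _), so
    # nothing else can end up inside the generated SQL.
    case $prefix in
        ''|*[!A-Za-z0-9_]*) echo "invalid schema prefix" >&2; return 2 ;;
    esac
    valid_schema_password "$new_pw" || { echo "password violates policy" >&2; return 3; }
    for suffix in $SCHEMA_SUFFIXES; do
        printf 'alter user %s_%s account unlock;\n' "$prefix" "$suffix"
        printf 'alter user %s_%s identified by %s;\n' "$prefix" "$suffix" "$new_pw"
    done
}

# Constructed sample run: the page's example prefix and a made-up password.
gen_schema_password_sql SP737755846 'Sample_pw#2024'
```

The output contains the new password in clear text, so paste it into the sqlplus session from step 1 rather than writing it to a file.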