Change the Schema Password Manually

If you want to change the password for the Oracle database schemas used by your Oracle SOA Cloud Service instance, and your service instance was created prior to November 2017, then you must manually update the database and the service instance to use the new database password.

Overview

The following summary shows the high-level tasks to perform. Detailed steps are below.

1. Update each infrastructure repository schema's password on the database deployment.

2. If the WebLogic Servers are running and the WebLogic Server Administration Console is accessible, change the password for all the corresponding data sources from the Weblogic Administration Console.

3. If the WebLogic Servers are not running and WebLogic Server console is inaccessible, manually change the passwords in the WebLogic Server configuration.

4. Update the bootstrap credentials using the WebLogic Scripting Tool (WLST).

5. Start the Administration Server with the Node Manager, and then start the Managed Servers.

Follow these steps:

1. Update each infrastructure repository schema's password on the database deployment.

    If the schema prefix is already known, jump to Step b.

   1. Connect to the Java Cloud Service Instance node that hosts the Administration Server, and get the value of the schema prefix.  

      ssh -i private_key opc@IP_address_of_admin_server_VM
      sudo su oracle
      curl http://192.1.1.192/latest/user-data/chef/initial_attributes/wlss/schema_prefix

      The Schema Prefix value returned would be similar to the following:

      SP255951777

   2. Login to the Oracle Database Cloud Service database deployment node.

      ssh -i ssh_key opc@DB_vm_ip_address
      sudo su oracle

   3. Connect to the Oracle Database Cloud Service database deployment.

      sqlplus / as sysdba

      Use the username provided when provisioning the database deployment.

      If your database deployment version is 12c, the following step is also required:

      alter session set container=PDB1 

      Use the PDB name provided during Oracle SOA Cloud Service provisioning.

   4. Change the password for the infrastructure repository schema users.

      For Fusion Middleware 11g	For Fusion Middleware 12.1.3	For Fusion Middleware 12.2.1.x
      schema_prefix_IAU schema_prefix_IAUOES schema_prefix_IAUOES_APPEND schema_prefix_IAUOES_VIEWER <schema_prefix>_IAU_APPEND schema_prefix_IAU_VIEWER schema_prefix_MDS schema_prefix_OPSS	schema_prefix_IAU schema_prefix_IAU_APPEND schema_prefix_IAU_VIEWER schema_prefix_MDS schema_prefix_OPSS schema_prefix_STB	schema_prefix_IAU schema_prefix_IAU_APPEND schema_prefix_IAU_VIEWER schema_prefix_MDS schema_prefix_OPSS schema_prefix_STB schema_prefix_UMS

      Change the password for each of the schema users pertaining to the WebLogic Server version on the database deployment. For example:

      ALTER USER schema_prefix_IUA identified by new_password;

      The password must start with a letter, be between 8 and 30 characters long, and contain at least one number. The password can optionally include the special characters: $, #, _.

   5. Unlock all the user accounts on the database to cover for the case that they are locked due to repeated login failures after password expiry.

      ALTER USER schema_prefix_IAU ACCOUNT UNLOCK;

      Note:

      If the WebLogic Administration Server is running and the WebLogic Administration Console is accessible, follow Step 2, else go to Step 3.
2. Update all the datasources from the WebLogic Administration Console to reflect the new password.
   1. Log in to the WebLogic Administration Console and navigate to the Services — Datasources menu on the Domain Structure box.
   2. Click Lock & Edit.
   3. For each datasource, navigate to the Datasource Name — Configuration — Connection Pool tab and update the Password and Confirm Password field with the new password.
   4. Click on Save button on this page, and then Activate. 
   5. Stop all the WebLogic Servers.

      From the WebLogic Administration Console, click on Servers under Environments in the Domain Structure section.

      Under the Control tab, select all of the servers and click Shutdown —Force Shutdown Now.

      Proceed to Step 4.

3. If the WebLogic Server is not running or the Administration Console is not accessible:
   1. Encrypt the new schema password and Update Data Source Configuration files

      ssh -i private_key opc@ipaddress_of Admin_VM
      sudo su oracle; cd /u01/data/domain/domain_name

      Ensure WebLogic Servers are not running. If running, to stop the processes.

      Find the process IDs:

      ps -ef | grep java

      Kill processes:

      kill -9 pid

      then run:

      . domain_home/bin/setDomainEnv.sh

   2. Run the WebLogic Encryption Utility and enter the password you set for the database schemas.

      /u01/jdk/bin/java weblogic.security.Encrypt
       password: <Enter the new password for the schema user>

   3. Note the encrypted password output for future reference.

      The following example shows an encrypted password:

      AES}JHyrhOMB5hVRuDU/pV0qX86qz98ZV0xWXBSEAANA4Gs=

   4. Update the new password in the datasource xml files.

      cd domain_home/domain_name/config/jdbc

      Open the datasource xml files found in the domain_home/domain_name/config/jdbc directory that need to be updated with the new encrypted password:

      For Fusion Middleware 11g	For Fusion Middleware 12.1.3	For Fusion Middleware 12.2.1.x
      mds-owsm-jbdc.xml opss-ds-jdbc.xml	LocalSvcTblDataSource-jdbc.xml opss-auditview-jdbc.xml mds-owsm-jdbc.xml opss-datasource-jdbc.xml opss-audit-jdbc.xml	LocalSvcTblDataSource-jdbc.xml opss-auditview-jdbc.xml mds-owsm-jdbc.xml opss-datasource-jdbc.xml opss-audit-jdbc.xml

4. Run the modifyBootStrapCredential WLST command to update jps-config.xml with the new password for the SCHEMA_PREFIX_OPSS user.
   1. Connect to the Oracle SOA Cloud Service node hosting the Administration Server.

      ssh -i private_key opc@IP_of_admin_server
      sudo su oracle

   2. Invoke WLST.

      /u01/app/oracle/middleware/oracle_common/common/bin/wlst.sh

   3. Run the modifyBootStrapCredential command. Specify the full path to the jps-config.xml file.

      Use the following syntax:

      wls:/offline>modifyBootStrapCredential(jpsConfig_File='domain_home/domain_name/config/fmwconfig/jps-config.xml',username='schema_prefix_OPSS',password='new_password_set_for_this_schema_user')

5. Start the Administration Server through the Node Manager and then the Managed Server(s).
   1. Log in to the Oracle SOA Cloud Service node hosting the WebLogic Administration Server.
   2. Start WLST.

      /u01/app/oracle/middleware/oracle_common/common/bin/wlst.sh

   3. Connect to the Node Manager.
      Before running the command, get the required values of some of the variables involved.

      • Host name — On the command prompt, type hostname.

      • Node Manager port number, domain name, domain home — Open the nodemanager.properties files to determine the respective values.

        For 11g:

        u01/app/oracle/middleware/wlserver_10.3/common/nodemanager/nodemanager.properties

        For 12c:

        /u01/data/domains/domain_name/nodemanager/nodemanager.properties

      • Administration Server name —

        cd /u01/data/domains/domain_name/servers.

        Look for the server name ending in adminserver.

      Run the nmConnect command.

      nmConnect('weblogic_username','weblogic_password','hostname','domain_name','domain_home/domain_name','ssl')

   4. Start the Administration Server.

      nmStart("admin_server_name")

   5. After the Administration Server has status RUNNING, access the WebLogic Administration Console and start the Managed Servers.

      • Click on Servers under Environments in the Domain Structure section.

      • Under the Control tab, select the Managed Servers and click Start.