Update the Infrastructure Schema Password

When you log in to your administration instance, you receive a message about password expiry of your infrastructure schema passwords, so that you can update the password.

For JRF-enabled Oracle WebLogic Server for OCI instances created after release 23.1.1, if your Oracle Platform Security Services (OPSS) schema password has expired, you see the password expiry date message, and you must update your schema password. You also see a message if password expiry is less than or equal to 30 days, and you can update your schema password. However, if password expiry is greater than 30 days, no message is displayed.

You can update passwords for OPSS and other JRF data sources, if the password has expired (administration server is not running) or if the password has not expired (administration server is running).

Tasks:

• Update the Data Source Password if the WebLogic Administration Server Is Running
• Update the Data Source Password if the WebLogic Administration Server Is Not Running

Update the Data Source Password if the WebLogic Administration Server Is Running

You must update the password for all the data sources through the WebLogic console.

The following table lists the data sources and their corresponding user names.

Note:

As of release 14c (14.1.2.0.0), the WebLogic Server Administration Console has been removed. For comparable functionality, you should use the WebLogic Remote Console. For more information, see Oracle WebLogic Remote Console.

Table 3-1 Data Sources and User Names

Data Source	User Name
LocalSvcTblDataSource	schema_prefix_STB
mds-owsm	schema_prefix_MDS
opss-audit-DBDS	schema_prefix_IAU_APPEND
opss-audit-viewDS	schema_prefix_IAU_VIEWER
opss-data-source	schema_prefix_OPSS
WLSSchemaDataSource	schema_prefix_WLS_RUNTIME

To update the data source password:

Note:

You must perform steps 1, 2, and 4 to update the password for each of these data sources listed in Table 3-1, except the OPSS data source, opss-data-source. For OPSS data source, opss-data-source, perform steps 1 to 4.

1. Stop the data source.
   1. Access the WebLogic console. See Access the WebLogic Server Administration Console.
   2. Click Lock & Edit.
   3. From the Domain Structure panel, expand Services, and then click Data Sources.
   4. Click the Data Source name, and on the Configuration tab, click Connection Pool.
   5. In the Properties field, identify the schema prefix and the schema user that has the format schema_prefix_user.

      For example, if the format is SP737755846_MDS, the schema prefix is SP737755846 and the schema user is MDS.

   6. Save the changes.
   7. Click the Control tab and select the instance that you want to stop.
   8. Click Shutdown, and then select Force Shutdown Now, and then click Yes to confirm.
   9. In the Change Center, click Activate Changes.
2. Change the password for the database schema.
   1. Connect to your database using SQL Plus or SQL Developer.
      • For an Oracle Cloud Infrastructure Database (DB System), connect to the database using SQL Plus as follows:
        1. Connect to the Administration Server node in your service instance using SSH.
        2. Switch to the oracle user.

           sudo su oracle

        3. Connect to the database using sqlplus.

           sqlplus / as sysdba 

      • For an Autonomous database, connect to the database using SQL Developer. See Connect to Autonomous Database on Dedicated Exadata Infrastructure with Oracle SQL Developer in Oracle Cloud Infrastructure documentation.
   2. If your Oracle Cloud Infrastructure Database uses PDB, set the name of the pluggable database (PDB).

      alter session set container=PDB_name;

      Note:

      This step is not required if you are using an Autonomous Database.
   3. List all the schemas (users) in the database.

      select username from dba_users;

   4. Locate the schema prefix like schema_prefix_MDS, and note the generated schema prefix. For example: SP737755846_MDS
   5. Unlock and change the password for the user:

      alter user schema_prefix_user account unlock; alter user schema_prefix_user identified by new_password;

      For example:

      alter user SP737755846_MDS account unlock; alter user SP737755846_MDS identified by new_password;

3. Update the data source password and start the data source.
   1. Access the WebLogic console.
   2. Click Lock & Edit.
   3. From the Domain Structure panel, expand Services, and then click Data Sources.
   4. Click the Data Source name, and on the Configuration tab, click Connection Pool.
   5. For the schema user name that you identified in step 1e, update the password.
   6. Save the changes.
   7. Click the Control tab and select the instances that you want to start.
   8. Click Start, and then click Yes to confirm.
   9. In the Change Center, click Activate Changes.
4. Use the WebLogic Scripting Tool (WLST) to update the bootstrap credentials for the OPSS database schema.

   Note:

   This step is applicable only for OPSS data source, opss-data-souce.

   1. Connect to the Administration Server node in your service instance using SSH.
   2. Switch to the

      oracle

      user.

      sudo su oracle 

   3. Identify your domain’s name.

      ls /u01/data/domains

   4. Start a WLST prompt.

      /u01/app/oracle/middleware/oracle_common/common/bin/wlst.sh

   5. Run the modifyBootStrapCredential command. Specify the full path to the jps-config-jse.xml file, the OPSS schema name, and your new database password.

      modifyBootStrapCredential(jpsConfigFile='/u01/data/domains/domain_name/config/fmwconfig/jps-config-jse.xml',username='schema_prefix_OPSS',password='new_password') 

   6. Exit WLST.

      exit()

Update the Data Source Password if the WebLogic Administration Server Is Not Running

To update the data source password:

1. Stop the servers in your domain.

   You must stop the servers so that database account does not get locked again after changing the password due to too many bad password connections.

   1. Connect to the Administration Server node in your service instance using SSH.
   2. Switch to the oracle user.

      sudo su oracle

   3. Run the restart_domain.sh script.

      /opt/scripts/restart_domain.sh -o stop

      You must run the script on every compute instance.

2. Change the password for the database schema.
   1. Connect to your database using SQL Plus or SQL Developer.
      • For an Oracle Cloud Infrastructure Database (DB System), connect to the database using SQL Plus as follows:
        1. Connect to the Administration Server node in your service instance using SSH.
        2. Switch to the oracle user.

           sudo su oracle

        3. Connect to the database using sqlplus.

           sqlplus / as sysdba 

      • For an Autonomous database, connect to the database using SQL Developer. See Connect to Autonomous Database on Dedicated Exadata Infrastructure with Oracle SQL Developer in Oracle Cloud Infrastructure documentation.
   2. If your Oracle Cloud Infrastructure Database uses PDB, set the name of the pluggable database (PDB).

      alter session set container=PDB_name;

      Note:

      This step is not required if you are using an Autonomous Database.
   3. List all the schemas (users) in the database.

      select username from dba_users;

   4. Locate the schema prefix like schema_prefix_MDS, and note the generated schema prefix. For example: SP737755846_MDS
   5. Unlock and change the password for the user.

      alter user schema_prefix_user account unlock; alter user schema_prefix_user identified by new_password;

      For example, to unlock the change the password for the MDS user:

      alter user SP737755846_MDS account unlock; alter user SP737755846_MDS identified by new_password;

      Ensure that you unlock and change the password for the following users.

      schema_prefix_STB schema_prefix_MDS schema_prefix_IAU_APPEND schema_prefix_IAU_VIEWER schema_prefix_OPSS schema_prefix_WLS_RUNTIME

3. Update the domain’s configuration files.
   1. Encrypt your new schema password using the weblogic.security.Encrypt utility.

      source $DOMAIN_HOME/bin/setDomainEnv.sh java weblogic.security.Encrypt

      When prompted, enter the new password.
   2. Copy the encrypted password.
   3. Navigate to the directory that contains your domain’s data source configuration files.

      cd config/jdbc

   4. Edit the following files and update the password-encrypted element with the new encrypted value.

      LocalSvcTblDataSource-jdbc.xml opss-auditview-jdbc.xml mds-owsm-jdbc.xml opss-datasource-jdbc.xml opss-audit-jdbc.xml WLSSchemaDataSource-jdbc.xml

      <password-encrypted>encrypted_password</password-encrypted>

4. Use the WebLogic Scripting Tool (WLST) to update the bootstrap credentials for the OPSS database schema.

   Note:

   This step is applicable only for OPSS data source, opss-data-source.

   1. Connect to the Administration Server node in your service instance using SSH.
   2. Switch to the oracle user.

      sudo su oracle 

   3. Identify your domain’s name.

      ls /u01/data/domains 

   4. Start a WLST prompt.

      /u01/app/oracle/middleware/oracle_common/common/bin/wlst.sh 

   5. Run the modifyBootStrapCredential command. Specify the full path to the jps-config-jse.xml file, the OPSS schema name, and your new database password.

      modifyBootStrapCredential(jpsConfigFile='/u01/data/domains/domain_name/config/fmwconfig/jps-config-jse.xml',username='schema_prefix_OPSS',password='new_password') 

   6. Exit WLST.

      exit()

5. Start the servers.
   1. Connect to the Administration Server node in your service instance using SSH.
   2. Switch to the oracle user.

      sudo su oracle

   3. Start the servers using the restart_domain.sh script.

      /opt/scripts/restart_domain.sh -o start

      You must run the script on every compute instance.