Update the Repository Schema Utility Password using Secrets

If you are using Model in Image and modified the Repository Schema Utility (RCU) password, then you must update the schema password in the domain.

Note:

If you are using Domain in Image, the RCU password is handled in the update domain pipeline job by using the Update_RCU_Schema_Password check box. See Update the Domain Configuration.

During initial provisioning, we create a secret named <resource_prefix>-rcu-access, which contains all the RCU-related information, such as db_connect_String, schema prefix, and schema password.

Complete the following steps to update the schema password in the domain:

  1. Shut down the domain.
    Run the following command:
    kubectl edit domain -n <domain_ns> -o yaml
    Sample output:
    kind: Domain
    metadata:
      name: domain1
    spec:
      serverStartPolicy: "NEVER"

    Change the serverStartPolicy value, from IF_NEEDED to NEVER. See Starting and stopping servers.

  2. If you have not changed the RCU schema password on the database, then complete this step.
    1. On the administration server, run the rcu_secret.sh script, which is located at /u01/scripts/pipeline/helper-scripts. This displays the existing schemaPrefix information.
    2. Connect to the database as the sysdba user using sqlplus.
      connect sys/<password>@//dbhost.subnet1.vcn1.oraclevcn.com:1521/pdbName.subnet1.vcn1.oraclevcn.com as sysdba

      Example:

      connect sys/<password>@//sidb19-scan.admin.existingnetwork.oraclevcn.com:1521/sipdb.admin.existingnetwork.oraclevcn.com as sysdba
    3. Set the login attempts for the DEFAULT profile to UNLIMITED and then check the limit for the DEFAULT profile.
      ALTER PROFILE DEFAULT LIMIT FAILED_LOGIN_ATTEMPTS UNLIMITED;
      select limit from dba_profiles where profile='DEFAULT'
      and resource_name='FAILED_LOGIN_ATTEMPTS';
      LIMIT
      --------------------------------------------------------------------
      UNLIMITED
    4. List all the dba users where username like <schema_prefix>__%.
      select username from dba_users where username like '<schema_prefix>__%';
      
      
      USERNAME
      -------------------------------
      <schema_prefix>_STB
      <schema_prefix>_IAU_APPEND
      <schema_prefix>_OPSS
      <schema_prefix>_WLS
      <schema_prefix>_IAU
      <schema_prefix>_WLS_RUNTIME
      <schema_prefix>_IAU_VIEWER
      <schema_prefix>_UMS
      <schema_prefix>_MDS

      For example:

      select username from dba_users where username like 'SP1601029287_%';
      

      All user names are prefixed with SP1601029287 as in SP1601029287_STB.

    5. Change the password for the following users:
      alter user <schema_prefix>_STB identified by <new_password>;
      alter user <schema_prefix>_IAU_APPEND identified by <new_password>;
      alter user <schema_prefix>_OPSS identified by <new_password>;
      alter user <schema_prefix>_WLS identified by <new_password>;
      alter user <schema_prefix>_IAU identified by <new_password>;
      alter user <schema_prefix>_WLS_RUNTIME identified by <new_password>;
      alter user <schema_prefix>_IAU_VIEWER identified by <new_password>;
      alter user <schema_prefix>_UMS identified by <new_password>;
      alter user <schema_prefix>_MDS identified by <new_password>;

      For example:

      alter user SP1601029287_STB identified by <new_password>;
    6. Connect to the database for the MDS user.
      connect <schema_prefix>_MDS/<password>@//dbhost.example.com:1521
      Connected
    7. List the table names in the database for the current user.
      select table_name from user_tables;
    8. Exit SQL.
      exit
  3. Delete the existing Kubernetes secret: <resource_prefix>-rcu-access.
  4. Run the following command to obtain the name of the secret.
    kubectl get secrets -n domain10-ns |grep rcu-access
  5. Recreate the secret with the same name that you obtained in the previous step.

    The <resource_prefix>-rcu-access secret has fields other than the schema password, which also need to be specified based on the database type. When you run the rcu_secret.sh script, located at /u01/scripts/pipeline/helper-scripts/, it outputs all the other required fields in addition to the schema password for recreating the secret.

    For ATP database:
    
    [opc@wrjrf1-admin helper-scripts]$./rcu_secret.sh
    rcu_db_name = <atp_db_name_low>
    rcu_prefix = <prefix>
    rcu_wallet_password = <password>
    [opc@wrjrf1-admin helper-scripts]$kubectl create secret generic -n <domain_ns> '<resource_prefix>-rcu-access' --from-literal=rcu_db_name=<atp_db_name_low> --from-literal=rcu_prefix=<prefix> --from-literal=rcu_wallet_password=<password> --from-literal=rcu_schema_password=<new_password>
     

    For OCI, SI, or RAC database:

    
    [opc@wrjrf1-admin helper-scripts]$./rcu_secret.sh
    rcu_admin_password = <admin_password>
    rcu_db_conn_string = <connect_String>
    rcu_db_user = sys
    rcu_prefix = <prefix>
    [opc@wrjrf1-admin helper-scripts]$kubectl create secret generic -n <domain_ns> '<resource_prefix>-rcu-access' --from-literal=rcu_admin_password=<admin_password> --from-literal=rcu_db_conn_string=name-scan.subnet2ad2phx.paasdevjcsphx.oraclevcn.com:1521/db0409_pdb1.subnet2ad2phx.paasdevjcsphx.oraclevcn.com --from-literal=rcu_db_user=sys --from-literal=rcu_prefix=<prefix> --from-literal=rcu_schema_password=<new_password>
    
  6. Change the serverStartPolicy value, from NEVER to IF_NEEDED, and then increment the restartVersion.
    kind: Domain
    metadata:
      name: domain1
    spec:
      serverStartPolicy: "IF_NEEDED"
      restartVersion: "3"


  7. Wait for the rolling restart to bring the domain up. Then, verify that the mds-owsm data source tests OK in the WLS admin console.
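
The secret-recreation step above passes each password with --from-literal, which places it in the kubectl command line and in shell history. As an added example (not Oracle's code), this shell function renders the same secret as a manifest from rcu_secret.sh-style output and a password file, and refuses to emit anything if a field required for the database type is missing. The function names, the `db` label for OCI, SI, or RAC databases, and the password file path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): render the rcu-access Secret as a
# manifest so no password appears in kubectl's argv or in shell history.

# Keys each database type needs, as listed on this page.
required_keys() {
  case "$1" in
    atp) echo "rcu_db_name rcu_prefix rcu_wallet_password rcu_schema_password" ;;
    db)  echo "rcu_admin_password rcu_db_conn_string rcu_db_user rcu_prefix rcu_schema_password" ;;
    *)   return 1 ;;
  esac
}

# lookup <key> <text>: value of the last "key = value" line in <text>.
lookup() {
  printf '%s\n' "$2" |
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# build_rcu_secret <atp|db> <secret_name> <namespace> <new_password_file>
# stdin: "key = value" lines in the format rcu_secret.sh prints.
# The body runs in a subshell, so its variables do not leak to the caller.
build_rcu_secret() (
  keys=$(required_keys "$1") || { echo "unknown database type: $1" >&2; exit 2; }
  fields=$(cat)
  new_pw=$(cat "$4") || exit 2
  data=""
  for k in $keys; do
    # The schema password always comes from the file, never from stdin.
    if [ "$k" = rcu_schema_password ]; then v=$new_pw; else v=$(lookup "$k" "$fields"); fi
    [ -n "$v" ] || { echo "missing field: $k" >&2; exit 3; }
    b64=$(printf '%s' "$v" | base64 | tr -d '\n')
    data="$data  $k: $b64
"
  done
  # Print only after every field validated, so a partial manifest is never emitted.
  printf 'apiVersion: v1\nkind: Secret\ntype: Opaque\nmetadata:\n'
  printf '  name: %s\n  namespace: %s\ndata:\n%s' "$2" "$3" "$data"
)

# Usage on the administration host, after the old secret is deleted
# (placeholders as on this page; /path/to/new_pw_file is hypothetical):
#   ./rcu_secret.sh | build_rcu_secret db '<resource_prefix>-rcu-access' \
#     '<domain_ns>' /path/to/new_pw_file | kubectl create -f -
```

Create the password file with restrictive permissions (for example, under umask 077) and remove it once the secret exists.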