-
Title
Oracle Account Change Password Failure -
Description
Test System is successful.
Check Password is successful.
Change password fails with the following error:
Failed to set the password on the far system
[08/22/2018 21:08:49] Gathering the change details for ACC1 on X_DB...
[08/22/2018 21:08:49] Testing port 25881 on example.fqdn.com before attempting change...
[08/22/2018 21:08:49] Setting the new (Oracle) password for ACC1 on X_DB using ExampleDB1...
[08/22/2018 21:08:50] Now resetting the expired password using OCINewPassword
[08/22/2018 21:08:51] Creating JDBC(ICv11_2) connection to the database example.fqdn.com:25881:XXX...
[08/22/2018 21:08:51] java.sql.SQLException: ORA-28041: Authentication protocol internal error
[08/22/2018 21:08:51] An error occurred changing the password for ACC1 on X_DB. -
Cause
Oracle was upgraded to 12 R2 and that is when the issue began.
With the Oracle platform, if SSL is not selected then: It is first set using the functional account to a random value and expire it via a DBI method(this is clear text). We then create a second connection using the account, specifying the old password (the one we just set) and the new password via JAVA and OCINewpassword, this is encrypted.
1st connection: ”alter user identified by password expire”
2nd connection: jdbc connect and execute the change as that user with the temporary password using OCINewpassword.
If SSL is used, then we do not have to use OCINewpassword, and a simple alter user identified by is issued over the encrypted channel.
It may be failing on the second step: jdbc connect and execute the change as that user with the temporary password using OCINewpassword.
-
Resolution
Enabling SSL changes what commands are used to change the password. They work successfully.
It can be enabled by checking the setting for Use SSL.
This is found in the /tpam interface | Systems, Accounts, & Collections | Systems | Manage Systems | Find the Oracle System | Details tab | Connection tab.