ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Unable force change Oracle SYS password with PAM


Article ID: 127792


Updated On:


CA Privileged Access Manager - Cloakware Password Authority (PA) CA Privileged Access Manager (PAM)


A master account, mcauser, is used to manage several other accounts(fire_db_user1 - 5, fire_sys_user1 & 2, system).  The master account is intended to manage all other db accounts in the oracle instance. When the accounts are first on-boarded the passwords are force-changed, as the current passwords from the oracle db side are not known.  This works perfectly fine for all of the above accounts, but not the SYS account.  There is a mandate is to treat this account like all the others, which includes the force change of the password after onboarding.

Things that have already been checked:
The SYS Account is Managed by the correct mcauser account.
Both sys and mcauser use REPLACE syntax.
The mcauser account has SYSDBA role.
The mcauser account is verified in PAM CA PAM.

PAM 3.2.2


Component: CAPAMX


It is possible to manage the Oracle SYS account with an Oracle SYSDBA account with PAM for Oracle versions prior to Oracle 12.2.  This was done for Oracle 11.2 and 12.1, specifically, using the following procedure:

1.  Login to the unix system running Oracle as user oracle.
2.  Run sqlplus.
3.  Enter the userid of the SYSDBA user, including the database name if no default exists, or if you wish to use a different database.
     ie [email protected]
4.  Enter the user's password.
5.  Enter the command to change the password for the sys account.
     SQL> alter user sys identified by <your new password> 
6.  Did the above work?  If it did you will be able to login as sys with the new password.  

If the above procedure worked you will be able to configure a Target Application and Target Account to manage sys, after first creating a Target Account for the SYSDBA account that will be used to manage sys.

On follow up it was determined that the change in Oracle 12.2 that affected PAM's initial management of the Oracle SYS account involved the Oracle Replace function. This is a feature of Oracle that requires that the old password be known before a new one can be specified. Oracle apparently made a changed that affected PAM's interaction with Oracle. Where previously, Oracle 11.2 and 12.1, it did not matter if the Use REPLACE Syntax box was checked it seems that it does matter with 12.2. Unchecking this box says that it is not required for the current password to be known. It appears that the box must be unchecked initially, because the password is not known, but it may be desirable to check it once the account is in sync. 

1.  Create a device for the unix system where the Oracle DB is installed.
2.  Create a Target Application, of type Oracle, for the device created in step 1.  On the Oracle tab, configure the DB Port and OID (LDAP) Port.
3.  Create a Target Account for the SYSDBA account, using the Application created in step 2.  Enter the account name and password on the Account tab.  Select Update both on the Password tab.  On the Oracle tab configure Use OID.  During testing JDBC Thin.  Enter the database name in the Schema field.  Set the Change Process to "Account can change own password."
4.  Create a Target Account for the Oracle sys account.  Click the Generate Credential icon to create a new password.  The existing password will not be needed.  On the Password tab select Update Both.  Configure the Use OID and Schema fields as in Step 3.  Configure the Change Process to "Use the following account to change password" and select the account created in step 3.

There appears to be a change with Oracle 12.2, which prevents this procedure from working.  It does work if the sys account is initially configured with the current password.  This link will take you to a page where the differences in Oracle 12.2 are explained: