
Oracle target account update logic causes accounts to get locked in the DB


Article ID: 253146




CA Privileged Access Manager (PAM)


As standard good practice, all our target accounts are configured to be updated by a service account, including our Oracle DB accounts. There is no problem with the password update process, and we have jobs running to update the password daily to satisfy business requirements. But we keep getting reports that accounts get locked. This raises red flags, because it may indicate that someone attempted unauthorized access to the Oracle database.

We understand that this is caused by the PAM update process, where the managed account first tries to log on with the new password, which increases the failed login count by one, and only after that does the service account log on and set the new password.

We see that this logic flaw was recently fixed for the UNIX target connector as a new feature in 4.0.2. We need this to be fixed for the Oracle target connector as well.


Release : 4.0


The current logic was coded with one use case in mind: an administrator sets a target account password in PAM to the new, correct password in the credential source. In that case it makes sense to first check whether the newly entered password is already the current password. But it is wrong for scheduled jobs, where PAM itself creates and sets a new password, because the check is guaranteed to fail and adds one failed login per update.


As of October 2022, a tactical feature is defined to change the update logic for Oracle accounts, similar to what was done for UNIX accounts in PAM 4.0.2; see the documentation page.

Tactical features are typically added in maintenance releases rather than in new main releases. At the time of writing of this KB article it is not yet clear which maintenance release will be the first to include this change. The expectation is that it will be done in less than a year.
Until the feature is included in the product, we recommend defining password verification jobs between the update jobs. In the Verify process the account logs on with the current password, which resets the failed login count before the next update can add to it.
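To make the counter arithmetic behind this workaround concrete, the following added model (not CA PAM or Oracle code) runs the current Oracle connector order, the update/verify combination, and an assumed corrected order against an Oracle-style failed-login counter. The profile limit of 10, the job names and the corrected order are assumptions; the counter semantics are the ones the article describes.

```python
from dataclasses import dataclass

# Constructed model, not CA PAM or Oracle code. Counter semantics follow the
# article: failed logon +1, successful logon resets it, a password change by
# the service account leaves it untouched. Limit 10 is Oracle's DEFAULT
# profile FAILED_LOGIN_ATTEMPTS (assumed; the site's profile may differ).

@dataclass
class OracleAccount:
    password: str
    failed_login_limit: int = 10
    failed_logins: int = 0
    locked: bool = False

    def logon(self, password: str) -> bool:
        if self.locked:
            return False
        if password == self.password:
            self.failed_logins = 0              # success resets the counter
            return True
        self.failed_logins += 1
        if self.failed_logins >= self.failed_login_limit:
            self.locked = True                  # profile limit reached
        return False

    def set_password(self, new_password: str) -> None:
        self.password = new_password            # counter is not touched


def simulate(daily_jobs, limit=10, days=30):
    """Run the jobs once a day on a fresh account; return the day the account
    locked, or None. "update" = current connector order (managed account tries
    the NEW password, then the service account sets it); "verify" = logon with
    the password PAM holds; "fixed_update" = assumed corrected order."""
    acct = OracleAccount(password="pw-0", failed_login_limit=limit)
    vault = "pw-0"                              # password PAM believes is current
    for day in range(1, days + 1):
        new_pw = f"pw-{day}"
        for job in daily_jobs:
            if job == "update":
                acct.logon(new_pw)              # premature check: +1 failure
                acct.set_password(new_pw)
                vault = new_pw
            elif job == "fixed_update":
                acct.set_password(new_pw)
                vault = new_pw
                acct.logon(new_pw)              # succeeds, counter back to 0
            elif job == "verify":
                acct.logon(vault)               # resets the counter
        if acct.locked:
            return day
    return None
```

With daily updates alone the account locks on the day the profile limit is reached; interleaving a Verify job in either order, or correcting the update order, keeps the counter from ever accumulating.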