Oracle Database Target Account Time Out

Article ID: 261078


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Setting an Oracle database account to "Update both the Credential Manager Server and the target system" times out with the error message: "Warning: The save of the target account timed out due to a long running update process, please check the target account at a later time"

This affects accounts configured to connect to Oracle Internet Directory.

The problem occurs even though a network port scan shows the port open and the account works fine using SQL explorer from another endpoint.

This has been observed since we moved our primary cluster site to a different datacenter.

 

Environment

Release: 4.1

Cause

The Oracle Internet Directory dispatcher was accessible to PAM on the configured port 3060, and this is the port that was confirmed to be open from the PAM servers in the new primary site. However, the dispatcher did not process the password verification or update attempts directly. Instead, it asked the Oracle JDBC driver running in PAM to connect to another IP and port to complete the task. That other IP and port were not accessible from the new primary site due to firewall restrictions.

Resolution

Make sure the firewall is open to all Oracle DB server/port combinations that the dispatcher may redirect to. When a firewall blocks the connection by dropping packets rather than rejecting them, the Oracle JDBC driver hangs waiting for a response to its socket SYN request. PAM has a hardcoded timeout of 5 minutes for any target account verification or update task. The Tomcat log will show an exception similar to the following exactly 5 minutes after the password verification or update starts. Unfortunately, the log will not show the redirect URL and port. If you need help finding out which other IPs and ports are involved, open a case with PAM Support.

2023-02-28T18:28:37.762+0000 WARNING [TP1] com.cloakware.cspm.server.app.impl.TargetManagerFactory.runTargetManager Stack trace of Target Manager thread at time of time-out interrupt:
sun.nio.ch.Net.connect0(Native Method)
sun.nio.ch.Net.connect(Net.java:482)
sun.nio.ch.Net.connect(Net.java:474)
sun.nio.ch.SocketChannelImpl.connect(SocketChannelImpl.java:647)
java.nio.channels.SocketChannel.open(SocketChannel.java:189)
oracle.net.nt.TimeoutSocketChannel.connect(TimeoutSocketChannel.java:184)
oracle.net.nt.TimeoutSocketChannel.<init>(TimeoutSocketChannel.java:158)
oracle.net.nt.TcpNTAdapter.establishSocket(TcpNTAdapter.java:380)

...
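One way to pick this condition out of a Tomcat log, as an added example (not PAM's or Broadcom's own code): it finds the time-out interrupt records, checks whether the thread was stuck in a TCP connect issued through the Oracle network layer, and subtracts the 5-minute timeout to give the window in which to search firewall logs for dropped connections from PAM. The function name, the frame-matching heuristic and the second sample record are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Text PAM logs when its hardcoded 5-minute limit interrupts a task (from the article).
MARKER = "Stack trace of Target Manager thread at time of time-out interrupt"
PAM_TIMEOUT = timedelta(minutes=5)
TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{4})\s")
FRAME = re.compile(r"^\s*(?:at\s+)?([\w.$<>]+)\(")

# Constructed sample: the first record is the article's excerpt; the second is
# invented here to show a time-out that is not stuck in a TCP connect.
SAMPLE_LOG = """\
2023-02-28T18:28:37.762+0000 WARNING [TP1] com.cloakware.cspm.server.app.impl.TargetManagerFactory.runTargetManager Stack trace of Target Manager thread at time of time-out interrupt:
sun.nio.ch.Net.connect0(Native Method)
sun.nio.ch.Net.connect(Net.java:482)
oracle.net.nt.TimeoutSocketChannel.connect(TimeoutSocketChannel.java:184)
oracle.net.nt.TcpNTAdapter.establishSocket(TcpNTAdapter.java:380)
2023-02-28T19:40:00.000+0000 WARNING [TP2] com.cloakware.cspm.server.app.impl.TargetManagerFactory.runTargetManager Stack trace of Target Manager thread at time of time-out interrupt:
java.net.SocketInputStream.socketRead0(Native Method)
java.net.SocketInputStream.read(SocketInputStream.java:171)
"""

def find_timeouts(lines):
    """Return one dict per time-out interrupt record in Tomcat log lines."""
    events, frames = [], None
    for line in lines:
        m = TS.match(line)
        if m:  # a timestamped line starts a new log record
            frames = None
            if MARKER in line:
                end = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%f%z")
                frames = []
                events.append({"interrupted": end, "started": end - PAM_TIMEOUT,
                               "frames": frames})
        elif frames is not None and FRAME.match(line):
            frames.append(FRAME.match(line).group(1))
    for ev in events:
        fr = ev.pop("frames")
        # Heuristic (assumption): innermost frame in a socket connect, reached
        # through Oracle's network layer, means an unanswered outbound connect.
        ev["blocked_connect"] = (bool(fr) and fr[0].startswith("sun.nio.ch.Net.connect")
                                 and any(f.startswith("oracle.net.nt.") for f in fr))
    return events

if __name__ == "__main__":
    for ev in find_timeouts(SAMPLE_LOG.splitlines()):
        verdict = "outbound connect hung" if ev["blocked_connect"] else "other cause"
        print(f"{ev['started'].isoformat()} -> {ev['interrupted'].isoformat()}: {verdict}")
```

Because the log does not name the redirect target, the `started` to `interrupted` window is what to match against firewall deny or drop entries whose source is the PAM server.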