Sunday, March 25, 2012

vCloud ORA-28001: password expired

Finally got around to upgrading our vCloud Director to the latest 1.5.1 today and ran into a couple issues that took some research:

1) Unable to upgrade the database: java.sql.SQLException: ORA-28001: the password has expired:

/opt/vmware/vcloud-director/bin/upgrade
Welcome to the vCloud Director upgrade utility

This utility will apply several updates to the database. Please
ensure you have created a backup of your database prior to continuing.


Do you wish to upgrade the product now? [Y/N] y
Examining database at URL: jdbc:oracle:thin:@localhost:1521/XE
Unable to upgrade the database: java.sql.SQLException: ORA-28001: the password has expired

2) Once #1 is solved, the upgrade script is working off the old password stored in the keystore:

Unable to upgrade the database: java.sql.SQLException: ORA-01017: invalid username/password; logon denied

So we need to update the keystore according to @recklessop's post


Solution for issue #1 (reset the oracle password):

su - oracle
-bash-3.2$ sqlplus "/ as sysdba"
SQL*Plus: Release 11.2.0.2.0 Production on Sun Mar 25 10:43:32 2012
Copyright (c) 1982, 2010, Oracle.  All rights reserved.
ERROR:
ORA-12162: TNS:net service name is incorrectly specified

This means we forgot to set the ORACLE_HOME and ORACLE_SID - those must be set in the /etc/init.d/oracle* startup script:
ORACLE_HOME=/u01/app/oracle/product/11.2.0/xe
ORACLE_SID=XE

export ORACLE_HOME
export ORACLE_SID

Now, we are in - just follow @BasRaayman's post:

-bash-3.2$ sqlplus "/ as sysdba"
SQL*Plus: Release 11.2.0.2.0 Production on Sun Mar 25 10:48:33 2012
Copyright (c) 1982, 2010, Oracle.  All rights reserved.
Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Beta
SQL> select username,ACCOUNT_STATUS,EXPIRY_DATE from dba_users;
USERNAME               ACCOUNT_STATUS            EXPIRY_DA
------------------------------ -------------------------------- ---------
VCLOUD                   EXPIRED                13-MAR-12


SQL> alter user VCLOUD identified by newpass;
SQL> alter user VCLOUD account unlock;
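
To catch an expired service account before an upgrade rather than during it, the check below classifies accounts from dba_users by status and days until expiry. It is an added example, not part of the original post; the function name, the 30-day window and the sample rows are assumptions made for illustration.

```bash
#!/bin/sh
# Added example (not from the original post): flag Oracle accounts that are
# expired, locked, or near password expiry before starting an upgrade.

# Live use, as the oracle OS user with ORACLE_HOME/ORACLE_SID exported:
#   printf '%s\n' "$EXPIRY_SQL" | sqlplus -s "/ as sysdba" | classify_accounts 30 VCLOUD
# The query emits USERNAME|ACCOUNT_STATUS|DAYS_LEFT; DAYS_LEFT is empty when
# EXPIRY_DATE is NULL (no password lifetime applies to the account).
EXPIRY_SQL="set heading off feedback off pagesize 0
select username || '|' || account_status || '|' || trunc(expiry_date - sysdate)
from dba_users;"

# classify_accounts WARN_DAYS [ACCOUNT...]
# Reads USERNAME|STATUS|DAYS_LEFT lines on stdin, prints one finding per
# problem account (all accounts if none are named), returns 1 on any finding.
classify_accounts() {
    warn_days=$1; shift
    wanted=" $* "; found=0
    while IFS='|' read -r user status days; do
        [ -n "$user" ] || continue
        [ "$wanted" = "  " ] || case "$wanted" in *" $user "*) ;; *) continue ;; esac
        days=$(printf '%s' "$days" | tr -d '[:space:]')
        case "$status" in
            OPEN)
                # Still usable: warn only when expiry is inside the window.
                if [ -n "$days" ] && [ "$days" -le "$warn_days" ]; then
                    echo "WARN $user expires in $days day(s)"; found=1
                fi ;;
            "EXPIRED(GRACE)")
                # Logons succeed with ORA-28002 until the grace period ends.
                echo "WARN $user in grace period, change password now"; found=1 ;;
            *)
                # EXPIRED, LOCKED, EXPIRED & LOCKED ...: logon is refused.
                echo "FAIL $user status=$status"; found=1 ;;
        esac
    done
    return "$found"
}

# Constructed sample rows (not real output) in the query's format.
SAMPLE='VCLOUD|EXPIRED|-12
SYSTEM|OPEN|140
BACKUP_SVC|OPEN|9
HR|EXPIRED & LOCKED|-300
APPUSER|OPEN|'

printf '%s\n' "$SAMPLE" | classify_accounts 30 || true
```

Naming the service account (VCLOUD here) keeps the default locked sample accounts that ship with the database out of the findings.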

Solution for issue #2 (reset keystore pass):

cp /opt/vmware/cloud-director/jre/bin/certificates.ks /opt/vmware/cloud-director/jre/bin/certificates.ks.old
/opt/vmware/vcloud-director/jre/bin/keytool -keystore certificates.ks -storetype JCEKS -storepass newpass -genkey -keyalg RSA -alias http -dname "cn=vcloud,  ou=vmware, o=vmware, c=US" -keypass newpass

/opt/vmware/vcloud-director/jre/bin/keytool -keystore certificates.ks -storetype JCEKS -storepass newpass -genkey -keyalg RSA -alias consoleproxy -dname "cn=vcloud,  ou=vmware, o=vmware, c=US" -keypass newpass

then overwrite the old keystore:

cp certificates.ks /opt/vmware/cloud-director/jre/bin/certificates.ks

and run configure to sync things up:

/opt/vmware/vcloud-director/bin/configure 

then finally we can run the upgrade:

/opt/vmware/vcloud-director/bin/upgrade
Welcome to the vCloud Director upgrade utility

This utility will apply several updates to the database. Please
ensure you have created a backup of your database prior to continuing.


Do you wish to upgrade the product now? [Y/N] y
Examining database at URL: jdbc:oracle:thin:@localhost:1521/XE
Applying 1 upgrade batches
Executing upgrade batch: 1.5 to 1.5.1
Executing SQL statements from file: Upgrade_Data_15_151.sql [17 statements]
.................[17]
Executing SQL statements from file: Upgrade_15_151.sql [7 statements]
.......[7]

Successfully applied upgrade batch: 1.5 to 1.5.1
Running 0 upgrade tasks
Applying 0 upgrade batches
Database upgrade complete

Would you like to start the vCloud Director service now? If you choose not
to start it now, you can manually start it at any time using this command:
service vmware-vcd start

Start it now? [y/n] y
Done!

1 comment:

ks said...

The certificates file is completely independent of the vCD database credentials, so updating it should not be necessary.

Also, be aware that the certificates you've generated are invalid, even as self-signed certificates. The CN should be the FQDN or IP address of the vCD HTTP or console proxy service. When a client's browser attempts to connect to your service it will attempt to match the hostname/IP to the CN in the certificate.