How to Update the ORDS_PUBLIC_USER Password

thatjeffsmith ORDS 10 Comments

Tell Others About This Story:

ORDS_PUBLIC_USER is the database user that’s used to create your ORDS connection pool(s). Each database configured with ORDS gets one.

When you publish a RESTful Service under HR on database X, ORDS resolves the call to the proper jdbc connection pool, then proxy connects from ORDS_PUBLIC_USER to user HR, and runs the SQL or PL/SQL.

So, now imagine what happens when you let the ORDS_PUBLIC_USER password expire? Or even worse, someone does this:

What could go wrong?

Well, let’s see what could go wrong.

Let’s try to start ORDS.

Ruh-roh…

In case you can’t read that text, ORDS is having an issue with one of our connection pools.

SEVERE: The username or password for the connection pool named apex_pu, are invalid, expired, or the account is locked

So, you could unlock the account, or simply change the password BACK to what it was when ORDS was configured for the database.

But, what if you need to tell ORDS what the new password is instead?

Update the connection pool properties file.

Go into your ORDS config directory.

There will be an XML file in there for each connection pool.

Edit it with VI or notepad, and update the password field.

This seems bad to me?

Maybe you’re having a bad feeling about this. Are we really going to put the password in plain text into the config file?

Kinda.

Note the ‘!’ in front of the password string. This tells ORDS to re-write the password back out hashed when it starts up. So let’s do that, and see what happens.

Start ORDS back up.

This looks MUCH better.

OK, so ORDS is running. Let’s go back and take a look at our pool config XML file.

That’s NOT what we put in there.

So the ORDS process has written the file back out.

!string = ORDS, please take this new password for the pool, then write it back such that no one else can read it, please.
@string = ORDS is using this password, but you can’t see it.
string = ORDS, this is the actual password, don’t touch it.

Remember, you need to restart ORDS for it to pick up any changes in its config files.

Tell Others About This Story:

Comments 10

  1. Can you tell me what method is used to encrypt the file? I work for the DoD and they require a FIPS compliant encryption method.

    1. thatjeffsmith Post
      Author
    2. thatjeffsmith Post
      Author
      1. What is the cwallet.sso file going to be used for? Will it be used for password encryption? Are you moving the stored passwords to this file? At present, I’m just concerned about what method is used to encrypt the passowords in the ORDS config file.

      2. thatjeffsmith Post
        Author

        Today, we’re using an Oracle library, ojmisc. In the future, they’ll be stored in the wallets, and have access to encryption levels supported by said wallets.

  2. It used to work for me just fine, but with latest ords.18.1.1.95.1251 prefixing password with ! results in error:

    apex.xml:

    Generated by Ansible
    !apex_public_user
    APEX_PUBLIC_USER

    Result is failure:
    The pool named: |apex|| is invalid and will be ignored: The username or password for the connection pool named apex, are invalid, expired, or the account is locked

    But with apex.xml:

    Generated by Ansible
    apex_public_user
    APEX_PUBLIC_USER

    Result is good:
    02-May-2018 14:12:02.211 INFO [localhost-startStop-1] . Creating Pool:|apex||
    02-May-2018 14:12:02.226 INFO [localhost-startStop-1] . Configuration properties for: |apex||

    File is readable/writable by tomcat, SELinux disabled 🙂

    1. thatjeffsmith Post
      Author
  3. It helps me to avoid a full reinstallation of ORDS env. It was APEX_REST_PUBLIC_USER that was blocked but solution was the same.

    Thanks a lot….

Leave a Reply

Your email address will not be published. Required fields are marked *