Thursday, September 17, 2015

Global Database Link feature in Oracle 11g can result in PeopleSoft Signon Failure

If you use Oracle Internet Directory (OID) to resolve database names, then you have this feature enabled by default. With the global database link feature, users can access tables/views in another database using the @dbname syntax even when no explicit database link has been created. For example, user A, logged in to database A with his personal ID XXXX, can run the query below to access a table in database B. The only thing needed to make this work is that the password for user A must be the same in both database A and database B.

select * from ps_job@databaseb

This can create a lockout situation if the passwords in the two databases are not synced and an account lock policy is in place to lock the account after x invalid attempts. As soon as the user runs more than x SQL statements using the global database link feature, the account in database B is locked. When you look at the DBA audit trail, you will see that the connection attempts were made by the oracle OS user and that the machine name is that of the database server. This makes it confusing to determine how the account got locked.

This is even more dangerous if someone runs an SQR or Application Engine program through the PeopleSoft Process Scheduler with SQL that uses the remote database name syntax, e.g. ps_job@databaseb

This is because the PeopleSoft Process Scheduler runs the SQL using the database access ID in database A, which in turn accesses database B using the access ID password from database A. Most likely you keep the database access ID password (default: SYSADM) different in different databases, so this can lock the SYSADM account in database B under the account lockout policy. If this happens, users will see the following error when trying to access the application:

“Bea.jolt.serviceexception: TPENOENT – No entry”


You can find more information on this at My Oracle Support

What are Global Database Link and How do you Disable them? (Doc ID 1632329.1)

http://docs.oracle.com/cd/E11882_01/server.112/e25494/ds_concepts.htm#ADMIN02801

If this happens in your environment, check whether the database access ID is locked out. If it is, unlock the database access ID and restart all your app and batch servers.
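The check and unlock described above can be run as the following queries on the database whose access ID was locked (database B). This is an added example, not part of the original post; it assumes the access ID is SYSADM, that session auditing is enabled so failed logons reach DBA_AUDIT_TRAIL, and a 7-day lookback chosen for illustration.

```sql
-- Added example; run as a DBA on database B.
-- Assumptions: access ID is SYSADM (the default named above), session
-- auditing is enabled, and a 7-day lookback window is sufficient.

-- 1. Is the access ID locked, and since when?
--    LOCKED(TIMED) means the lock came from failed logon attempts.
SELECT username, account_status, lock_date, profile
FROM   dba_users
WHERE  username = 'SYSADM';

-- 2. The "x invalid attempts" threshold of the profile assigned to it.
SELECT p.profile, p.limit AS failed_login_attempts
FROM   dba_profiles p
JOIN   dba_users u ON u.profile = p.profile
WHERE  u.username = 'SYSADM'
AND    p.resource_name = 'FAILED_LOGIN_ATTEMPTS';

-- 3. Origin of the failed logons. Attempts made through a global database
--    link show the oracle OS user and another database server's host name,
--    not an end-user workstation or an app/batch server.
--    ORA-01017 = invalid username/password, ORA-28000 = account is locked.
SELECT os_username, userhost, returncode,
       COUNT(*)       AS attempts,
       MIN(timestamp) AS first_seen,
       MAX(timestamp) AS last_seen
FROM   dba_audit_trail
WHERE  username    = 'SYSADM'
AND    action_name = 'LOGON'
AND    returncode IN (1017, 28000)
AND    timestamp   > SYSDATE - 7
GROUP  BY os_username, userhost, returncode
ORDER  BY last_seen DESC;

-- 4. Unlock the access ID, then restart the app and batch servers.
ALTER USER sysadm ACCOUNT UNLOCK;
```

If query 3 shows the oracle OS user on a database server host, find the SQR, Application Engine or ad hoc SQL in that source database that uses the @dbname syntax before unlocking, otherwise the account will lock again.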
