Embed Size (px)
DESCRIPTION
Oracle error messages
Citation preview
SAP Knowledge Base Article
Symptom
There are different symptoms for this issue.
. The error can occur in Backups when connecting as SYSTEM user and also as the OPS$ user.
. The error is also visible in R3trans and transaction ST11 ->Developer traces when the OPS$ authentification fails. In the traces you may also see an accompanying error like (ORA-28000, the account is locked). If the account is locked after too many failed attempts for OPS$ user this is generally a result of an incorrect OPS$ configuration.
Scenario A:
========
In your Backup logfile the following error occurs when running the backup as SYSTEM user, please note->(SYSTEM user can be used to run backups however the OPS$ user is recommended and is mostly used).
BR0301E SQL error -1017 at location db_connect-2, SQL statement: 'CONNECT system/*******' ORA-01017: invalid username/password; logon denied
Scenario B:
=======
- In your backup logfile the following error occurs when running the backup as OPS$ user. Hint: (OPS$ user is used where you see '-u/' or 'connect /' in the command line)
brbackup -u /..... BR0051I BRBACKUP 7.00 (18) BR0055I Start of database backup: bbdzxyz.anf -11-19 05.30.00 BR0280I BRBACKUP time stamp: 2008-11-19 05.30.00 BR0301E SQL error -1017 at location BrDbConnect-2, SQL statement: 'CONNECT /' ORA-01017: invalid username/password; logon denied
Scenario C:
=======
- In your Developer tracefile or Trans.log (output of R3trans -d), you see errors like
"CONNECT failed with sql error '1017'" "OCI-call 'OCISessionBegin' failed with rc=1017"
Environment
. SAP release independent
. Oracle
Reproducing the Issue
Connect using the incorrect password for SYSTEM, SAPR3/SAP<SID>
Cause
Scenario A:
=======
. The SYSTEM password has been lost/forgotton and now the BR*tools are reporting ORA-01017: invalid username/password
Scenario B:
=======
1576837 - ORA-01017: invalid username/password;
Version 4 Validity: 27.02.2013 - active Language English
. The SAPR3/SAP<SID> password was changed but was only updated in the Oracle dictionary and not in the SAPUSER table,
->(work processes, R3trans and saplicense check fail)
Scenario C:
=======
1a)
- In the logfile the first connect with the OPS$ user, goes to the SAPUSER table to retrieve the SAPR3/SAP<SID> password.
-> In the trans.log you see the lines
Logon as OPS$ user to get <sapowner>'s password Connecting as /@<sid> on connection 0 ... Now I'm connected to ORACLE Got <sapowner>'s password from table SAPUSER Disconnecting from connection 0 ... Now I'm disconnected from ORACLE Try to connect with the password I got from OPS$-user Connecting as <sapowner>/<pwd>@<sid> on connection 0 *** ERROR => OCI-call 'olog' failed: rc = 1017
. In the first step above the SAPR3 password cannot be retrieved from the SAPUSER table
1b)
The OPS$ user fails above so continues to connect with the default password 'sap'
- In the trans.log you see the following lines
Try to connect with default password Connecting as SAPR3/<pwd>@<sid> on connection 0 . ERROR => CONNECT failed with sql error '1017'
Resolution
Scenario A:
========
Reset the password
sqlplus (as ora<sid> OS user) / as sysdba alter user system identified by <newPW>; exit
HINT:
If you wish to then use the SYSTEM user to call the Br*tools you need to specify the -u system/<pw> in the command line
If you don't specify the user (-u switch), then the connection will attempt to use the default password 'manager' (system/manager) and you will get the ORA-01017 again
Scenario B:
========
. Stop R/3
- Reason for stopping SAP
You MUST stop SAP to change the above password. If you do not do this the change is not recorded. Your work processes are still connected. If for any reason, the work processes disconnect and tries again to connect it will hit the ORA-1017 because the password is already cached. From the outside R3trans etc will work fine.
. Change the password as follows.
Hint: (It is important that the password is changed with Brconnect). If you do not use this method then the password will not get updated both in the oracle dictionary and SAPUSER table.
- brconnect -u system/<password> -f chpass -o <sapowner> -p <password>
- If the issue still persists please check the configuration of the OPS$ user with SAP notes #400241, #50081(NT) and # 361641(Unix).
400241 - problems with OPS$ user
50088 - creating OPS$ user on Windows
361641 - creating OPS$ user on Unix
Scenario C:
========
1b)
When the first logon attempt fails 1b), this is when the OPS$ user tries to retrieve the SAPR3/SAP<SID> password from the SAPUSER table to connect with. If the password is incorrect the ORA-01017 is issued. The ORA-01403: no data found error may also be issued, this means that the SAPUSER table contains no entries.
Solution: Please change the password as follows (SAP must be stopped) to do this, please run the following command
brconnect -u system/<password> -f chpass -o <sapowner> -p <password>
Hint 2: If you are unsure of the "sapowner", you can run the following SQL command to identify the owner of the R/3 objects
SQLPLUS
connect / as sysdba
SQL> SELECT OWNER FROM DBA_TABLES WHERE TABLE_NAME = 'T000';
- If the issue still persistes please check the configuration of the OPS$ user with oss notes #400241, #50081(NT) and # 361641(Unix).
2b)
The OPS$ user continues to try to connect after the first failed attempt with the default password 'sap'. Usually Customer's have changed this for security reasons and we get a second ORA-01017. To get SAP working, you need to reset the <sapowner> password to "sap", this will allow you to then work on the OPS$ user configuration issue.
The general steps in the oss note #400241 should be followed along with the note #50081 for NT and 361641 for UNIX. Afterwards you can again change the default password 'sap'.
How to reset the <sapowner> password to "sap",
Call SQLPLUS
connect / as sysdba;
ALTER USER <sapowner> IDENTIFIED BY sap;
See Also
If facing ORA-01017 in MSCS environment. Please ensure that the "OPS$<DOMAIN>\<USER>" was created where the DOMAIN is the Windows domain (or hostname for local user) and USER is the windows user under which the SAP gateway is running. Once this user is created the SAPDBA role needs to be granted.
Please refer to notes 400241 and 50088 to create the above user
Keywords
"ORA-01017: invalid username/password; logon denied",
"Backup with SYSTEM user fails",
"OPS$ connect fails", "R3trans fails",
"work processes fail at startup with ORA-01017",
"ORA-28000: the account is locked"
"OPS$"
"permissions"
MSCS
Header Data
Product
This document is not restricted to a product or product version
References
This document refers to:
CSS SAP Notes
Released On 08.03.2013 08:53:27
Release Status Released to Customer
Component BC-DB-ORA Oracle
Priority Normal
Category Problem
400241 Problems with ops$ or sapr3 connect to Oracle
50088 Creating OPS$ users on Windows NT/Oracle
620540 Authentication Troubleshooting Guide
361641 Creating OPS$ users on UNIX
