Updated 26 April 2022
ORDS_PUBLIC_USER is the database user that’s used to create your ORDS connection pool(s). Each database configured with ORDS gets one.
Need help with “The pool named: |default | is invalid and will be ignored”?
Try this post, Troubleshooting ORDS startup errors, the pool is invalid
When you publish a RESTful Service under HR on database X, ORDS resolves the call to the proper JDBC connection pool, then proxy connects from ORDS_PUBLIC_USER to user HR, and runs the SQL or PL/SQL.
So, now imagine what happens when you let the ORDS_PUBLIC_USER password expire? Or even worse, someone does this:
Well, let’s see what could go wrong.
Let’s try to start ORDS.
In case you can’t read that text, ORDS is having an issue with one of our connection pools.
SEVERE: The username or password for the connection pool named apex_pu, are invalid, expired, or the account is locked
So, you could unlock the account, or simply change the password BACK to what it was when ORDS was configured for the database.
But, what if you need to tell ORDS what the new password is instead?
Directions for ORDS v3 – v21.4.x
Update the connection pool properties file.
Go into your ORDS config directory.
There will be an XML file in there for each connection pool.
Edit it with vi or Notepad, and update the password field.
Maybe you’re having a bad feeling about this. Are we really going to put the password in plain text into the config file?
Kinda.
Note the ‘!’ in front of the password string. This tells ORDS to re-write the password back out hashed when it starts up. So let’s do that, and see what happens.
Start ORDS back up.
OK, so ORDS is running. Let’s go back and take a look at our pool config XML file.
So the ORDS process has written the file back out.
!string = ORDS, please take this new password for the pool, then write it back such that no one else can read it, please.
@string = ORDS is using this password, but you can’t see it.
string = ORDS, this is the actual password, don’t touch it.
Remember, you need to restart ORDS for it to pick up any changes in its config files.
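The three prefix forms above can be audited before and after a restart. The following is an added example, not code from the original post or from ORDS: it classifies the db.password entry of each pool file, assuming the files use the Java-properties XML layout with `<entry key="db.password">`. The file names and password values are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample pool files (names and values are made up). The
# <entry key="..."> Java-properties layout is an assumption about the file.
HEADER = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
          b'<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">\n')

def sample(password):
    return (HEADER + b"<properties>\n"
            b'<entry key="db.username">ORDS_PUBLIC_USER</entry>\n'
            b'<entry key="db.password">' + password + b"</entry>\n"
            b"</properties>\n")

SAMPLES = {
    "pool_a.xml": sample(b"@05CONSTRUCTEDVALUE"),
    "pool_b.xml": sample(b"!NewPassw0rd"),
    "pool_c.xml": sample(b"NewPassw0rd"),
    "pool_d.xml": HEADER + b"<properties></properties>",
}

def classify_password(value):
    """Map a db.password value to the state its prefix signals."""
    value = (value or "").strip()
    if not value:
        return "missing"
    if value.startswith("!"):
        return "pending"    # readable on disk until ORDS restarts and rewrites it
    if value.startswith("@"):
        return "rewritten"  # ORDS has already written it back out
    return "plaintext"      # ORDS uses it as-is and never rewrites it

def audit_pool(xml_bytes):
    """Return the state of the db.password entry in one pool file."""
    root = ET.fromstring(xml_bytes)
    for entry in root.iter("entry"):
        if entry.get("key") == "db.password":
            return classify_password(entry.text)
    return "missing"

def audit_all(files):
    return {name: audit_pool(data) for name, data in files.items()}

def needs_attention(report):
    """Pool files whose password is still readable on disk."""
    return sorted(n for n, s in report.items() if s in ("pending", "plaintext"))

if __name__ == "__main__":
    for name, state in audit_all(SAMPLES).items():
        print(f"{name}: {state}")
```

A file that still reports "pending" after ORDS has been restarted is worth checking for file permissions, since ORDS has to be able to write the file back out.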
Directions for ORDS v22.1 and beyond
Database connection pool passwords are now stored in a Java wallet. You’ll see them in each of your connection pool directories.
If you have just the one pool (DEFAULT)
If you don’t specify which pool you’re trying to update, it defaults to … default.
If you have multiple pools
My pool name is ‘orcl’ – I’m telling ORDS I want to update the db.password secret for the orcl connection pool.
The secret command allows you to store a new secret in your wallet or update an existing one. The ‘db.password’ item is what we’re stowing in the wallet for ORDS_PUBLIC_USER’s password on the pool.
This is the interactive mode. You can also redirect standard input to the command so this can be automated; see the Docs.
30 Comments
I have executed the steps as they are in the post and it does not give me the same message.
“ORDS: Release 23.3 Production on Thu Jul 04 16:50:27 2024
Copyright (c) 2010, 2024, Oracle.
Configuration:
/etc/ords/config/
Enter the database password:
Confirm password:
/etc/ords/config/databases/default/wallet/cwallet.sso”
I do not know what I’m doing wrong! Help me!
Try deleting the wallet files and setting the password again.
I already managed to change the password successfully, I just couldn’t because I didn’t have permissions.
I’m working with docker.
And…?
I changed the ORDS_PUBLIC_USER password to the original password and used “alter profile default limit password_life_time unlimited;”, then “ords --config /opt/oracle/config config secret db.password”, it worked.
So now every single user in your db will by default have passwords that never expire.
Something I would reconsider and definitely NOT recommend to anyone reading this.
Hi! How/where would you restart the ORDS?
How are you running it? If just as a basic standalone application, kill it, and start it again.
Tomcat and WLS have their own procedures.
If you use our RPM, I believe there’s a ‘restart’ command.
I am using ORDS 19.4.6
I want to change the password for the “mod_plsql” user MAIN
!main_password
After restarting Tomcat, the password in the file MAIN.XML is not encrypted.
What could be the problem?
Sometimes……
ORDS / APEX combi cannot handle more complex passwords like “MyPassword_123#”. It took me ages to figure that one out… Archchchhchc
My question is related to generating an authorization token.
What is ORDS_PUBLIC_USER’s role in authorization token generation?
Hi Jeff,
I know this is an old thread, but I have a related question. Can the pool config file be changed and ORDS pick it up with a restart? We’re running 18.4.
Thanks.
Sorry, WITHOUT a restart.
No, you’ll need to restart ORDS for it to pick up new settings.
If ords_public_user does what you say then what is the point of apex_public_user?
APEX creates it for the plsql gateway.
This post helped me solve my issue with ords3 and now ords18
We are using passwords beginning with an ! (exclamation mark).
With ords2 this seems to work fine.
With ords3 and later: On first deployment of ords in tomcat the listener works fine. After restarting tomcat I get a 404 and ‘The pool named: |apex|| is invalid and will be ignored: The username or password for the connection pool named apex, are invalid, expired, or the account is locked’ in the logfile.
I have changed the passwords for APEX_PUBLIC_USER , APEX_REST_PUBLIC_USER , APEX_LISTENER and ORDS_PUBLIC_USER to passwords not beginning with an ! and now it works fine.
Can you tell me what method is used to encrypt the file? I work for the DoD and they require a FIPS compliant encryption method.
Encrypt the file or encrypt the password in the file?
Sorry, the password in the file.
We’re working on version 18.2, which will look for cwallet.sso, that would bring in what you need via https://docs.oracle.com/cd/B28359_01/network.111/b28530/asoappe.htm#BABCBGIF
When it’s released, you’ll want to download and test of course.
What is the cwallet.sso file going to be used for? Will it be used for password encryption? Are you moving the stored passwords to this file? At present, I’m just concerned about what method is used to encrypt the passwords in the ORDS config file.
Today, we’re using an Oracle library, ojmisc. In the future, they’ll be stored in the wallets, and have access to encryption levels supported by said wallets.
Thanks Jeff, I appreciate the info.
It used to work for me just fine, but with latest ords.18.1.1.95.1251 prefixing password with ! results in error:
apex.xml:
Generated by Ansible
!apex_public_user
APEX_PUBLIC_USER
Result is failure:
The pool named: |apex|| is invalid and will be ignored: The username or password for the connection pool named apex, are invalid, expired, or the account is locked
But with apex.xml:
Generated by Ansible
apex_public_user
APEX_PUBLIC_USER
Result is good:
02-May-2018 14:12:02.211 INFO [localhost-startStop-1] . Creating Pool:|apex||
02-May-2018 14:12:02.226 INFO [localhost-startStop-1] . Configuration properties for: |apex||
…
File is readable/writable by tomcat, SELinux disabled 🙂
It’s an 18.1 bug – will be fixed for 18.2
It helps me to avoid a full reinstallation of ORDS env. It was APEX_REST_PUBLIC_USER that was blocked but solution was the same.
Thanks a lot….
Hi Jeff,
What about passwordless schemas/accounts?
Why not integrate it with this ORDS config so that this issue does not happen ever, because there is effectively NO password!
Something to think about, eh?
Regards,
Gauss
Except…ORDS_PUBLIC_USER is an account that actually logs into the database.
Passwordless accounts are for application schemas that don’t actually have USERs that do things like login. But we most definitely DO login.