Sometimes You can get “ORA-12687: Credentials expired. ” error.
Details of error are as follows.
ORA-12687: Credentials expired.
When trying to connect using password authentication with the kerberos already configured and enabled, then the password authentication fails with the below error.
[oracle@<target_db_hotsname>]$ rman target / catalog=rman/rman@"(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<hostname>)(PORT=1521))(CONNECT_DATA=(SID=<sid>)))" Recovery Manager: Release 188.8.131.52.0 - Production on Mon Sep 16 16:48:40 2019 Copyright (c) 1982, 2014, Oracle and/or its affiliates. All rights reserved. connected to target database: <DB name> (DBID=<DB id>) RMAN-00571: =========================================================== RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS =============== RMAN-00571: =========================================================== RMAN-00554: initialization of internal recovery manager package failed RMAN-04004: error from recovery catalog database: ORA-12687: Credentials expired. or [oracle@<target_db_hotsname>]$ sqlplus rman/<password>@<RMANCAT_DB> SQL*Plus: Release 184.108.40.206.0 Production on Mon Sep 16 15:14:56 2019 Copyright (c) 1982, 2014, Oracle. All rights reserved. ERROR: ORA-12687: Credentials expired.
ORA-12687 error is specific to Kerberos authentication and it indicates that the ticket being used to connect to the database via Kerberos authentication is expired and a new one must be requested.
To display the list of service tickets obtained by the user, run the oklist utility from the Oracle client.i.e target db home in this scenario.
To destroy the expired tickets obtained by the client, run the okdstry utility.[oracle@<target_db_hostname>]$ okdstry
After running okdstry, the user’s expired ticket gets removed and those tickets are no longer visible when oklist command is run again.
Do you want to learn more details about RMAN, then read the following articles.