Account Not Locked If 'Current Password' Is Incorrectly Entered 3 Times During 'Force Change Password' When OAM Password Policy Is in Place. (Doc ID 2043366.1)

Last updated on SEPTEMBER 21, 2016

Applies to:

Oracle Access Manager - Version 11.1.2.2.0 and later
Information in this document applies to any platform.

Symptoms

1] Consider a user 'user001' who requests the admin team for a password reset.
2] Admin resets the password to 'Oracle12345'.
3] Log in to the application (protected with Oracle Access Manager (OAM)) with username mk001 and password Oracle12345.
4] The Force Change Password window appears.
5] Enter the current password as some random value, e.g. 'asdkfjghfasdljgfadljgfhdalkjghl'.
6] In the New and Confirm password fields, enter a password that meets the password policy, e.g. Welcome1234.
7] Click on 'Change Password'.
8] Repeat steps 5 to 7 3 times.

Expected Result:
 
After 3 invalid attempts, the user account must get locked and an error message must be shown.

Actual Result:
 
The user account is not getting locked. The user can continue to enter an incorrect current password - we tested up to 9 attempts.
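
A minimal model of the difference between the actual and expected results above, added here as an illustration. It is not Oracle Access Manager code and says nothing about the cause of this issue; every name in it (Account, verify_password, the two handlers, replay) is hypothetical, and only the threshold of 3 and the sample passwords come from the steps above.

```python
import hmac
from dataclasses import dataclass

MAX_FAILURES = 3  # lockout threshold from the expected result above


@dataclass
class Account:
    password: str          # plaintext only to keep the model short
    failures: int = 0
    locked: bool = False


def verify_password(acct: Account, supplied: str) -> bool:
    """Single choke point: every password check feeds the lockout counter."""
    if acct.locked:
        return False
    if hmac.compare_digest(acct.password.encode(), supplied.encode()):
        acct.failures = 0
        return True
    acct.failures += 1
    acct.locked = acct.failures >= MAX_FAILURES
    return False


def change_password_uncounted(acct: Account, current: str, new: str) -> str:
    """Matches the symptom: a wrong 'current' value is rejected but never counted."""
    if acct.locked:
        return "locked"
    if current != acct.password:
        return "rejected"
    acct.password = new
    return "changed"


def change_password_counted(acct: Account, current: str, new: str) -> str:
    """Matches the expected result: the change flow reuses verify_password."""
    if not verify_password(acct, current):
        return "locked" if acct.locked else "rejected"
    acct.password = new
    return "changed"


def replay(handler, attempts: int):
    """Replay steps 5 to 7 with a wrong current password, `attempts` times."""
    acct = Account(password="Oracle12345")
    wrong = "asdkfjghfasdljgfadljgfhdalkjghl"
    results = [handler(acct, wrong, "Welcome1234") for _ in range(attempts)]
    return results, acct.locked
```

The design point is that the forced-change form is another place where the current password is verified, so a lockout policy only holds if that check goes through the same counter as the login check.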

Cause
