OCI DBCS Clone from backup fails when Database Vault is enabled

Recently I was creating a DBCS database clone but the creation failed, luckily we could find out the node IPs through support and from the dcs-agent-debug.log we could see following statement failing:

! com.oracle.dcs.commons.exception.DcsException: DCS-10001:Internal error encountered: Failed to run SQL script: /u01/app/oracle/product/12.2.0.1/dbhome_1/rdbms/admin/utlpwdmg.sql. ********

When looking this script what it tries to do is set the default password limits for DEFAULT profile. While trying it out on the source database I noticed Database Vault was enabled which restricts modifying that profile.

Two possible workarounds since this wasn’t a production database, disable vault and take new backup which required a bounce of database or give SYS access to modify DEFAULT profile.

I opted for latter since it didn’t involve DB bounce. What I wanted to do is to give SYS grant for role DV_ACCTMGR profile, it has less privileges compared to DV_OWNER but it still can modify profiles.

[oracle@dbcs] sqlplus C##DBV_ACCTMGR_ROOT --this is DVACCTMGR role "owner"

SQL*Plus: Release 12.2.0.1.0 Production on Fri Dec 11 15:24:54 2020

Copyright (c) 1982, 2016, Oracle.  All rights reserved.

Enter password:

Connected to:
Oracle Database 12c EE Extreme Perf Release 12.2.0.1.0 - 64bit Production

SQL> grant DV_ACCTMGR to sys container=ALL;

Grant succeeded.

SQL> conn sys
Enter password:
Connected.

SQL> ALTER PROFILE DEFAULT LIMIT FAILED_LOGIN_ATTEMPTS 3; --try to modify profile to see it works

Profile altered.

After this was done I went to OCI Console and just ran a new manual backup for the instance.

Once the backup is finished I revoked the privilege from SYS.

SQL> conn C##DBV_ACCTMGR_ROOT
Enter password:
Connected.
SQL> revoke DV_ACCTMGR from sys container=all;

Revoke succeeded.

And started the clone:

After this no issues on creating DBCS clone from backup. I also have a SR open for this and will update later what Oracle thinks is required or if they will have a fix for this.

If you have production database which you would need to clone I’d be sure to verify if you can play around with grants like this.