Another way to do it...
Pete, August 12, 2016 - 1:04 pm UTC
One method I have used successfully in the past (before user accounts could actually be locked), is to set the password hash of the protected account to something that can NEVER be matched up correctly by Oracle. The password hash value in USER$.PASSWORD or USER$.SPARE4 is always upper case, alpha-numeric. All we need to do is make the hash value lower case and include some special characters.
By setting the password hash directly using alter user [name] identified by values '[hash]' we can effectively lock out the account to direct access without actually locking it - preserving the ability to connect via proxy.
Example:
alter user usera identified by values 'no_login_allowed';
Now any attempt to connect directly to this user will always result in an ORA-01017 - invalid password error.
Why?
Pete, August 16, 2016 - 3:01 am UTC
Read the post you recommended. Why, why, why would Oracle make this impossible in 12c? It's one of the best ways to secure an account; locking disables too many other features and as the post points out, provides valuable information to a hacker.
August 16, 2016 - 2:25 pm UTC
Well "identified by values" is undocumented and therefore unsupported. So you shouldn't really have been using this anyway!
Chris