In this Document
Abstract
History
Details
Step 1 - Clear All Credentials
Step 2 - Re-establish Bootstrap Credentials
Step 3 - Prepare Scripts for Setting Additional Passwords
Step 4 - Assign New Passwords to All Schemas Not Managed with EBS
Step 5 - Assign New Passwords to All Schemas Managed with EBS
Additional Steps
Running AutoConfig
References
APPLIES TO:
Oracle Applications Manager - Version 11.5.9 to 12 [Release 11.5 to 1.2]
Oracle Application Object Library - Version 12.1.3 to 12.1.3 [Release 12.1]
Information in this document applies to any platform.
ABSTRACT
When cloning a Production database in Oracle E-Business Suite (EBS) it is a best practice to remove all Production account credentials in the cloned copy of the database.
This will help to prevent retrieval of Production credentials, which could be used to compromise the security and integrity of the Production database.
It is ideal to complete this process as soon as possible after the database data files have been copied. At a minimum it should be completed before the database is turned over to any party less trusted than the Production database DBA team.
This document describes the steps required to remove the Production EBS database credentials, such as database user (schema) password hashes and encrypted passwords. Additionally, information is provided about how to re-establish credentials in the cloned copy so that the clone may be used for functional, performance or patch application testing.
Steps from this paper should be incorporated into your database cloning process and procedures.
HISTORY
Author:
Create Date 14-Mar-2007
Update Date 11-JUL-2011
Expire Date
DETAILS
The steps outlined in this White Paper will:
1. Help to ensure that Production credentials are not retrievable from a cloned copy of an EBS Production database.
2. Bootstrap the cloned copy with enough "clone credentials" that it may be used for testing.
The steps in this document should be integrated in your database cloning process; see the "Reference" section below for documentation on cloning EBS systems for Releases 11i and 12.
The following sequence of steps will remove production account credentials from the cloned copy of the production database and re-establish new credentials in the cloned copy. All of the new accounts on the clone target will have the password "clone".
1. Step 1 - Clear all credentials
2. Step 2 - Re-establish basic accounts (for runtime: SYS, SYSTEM, APPLSYSPUB, APPLSYS, APPS + GUEST, SYSADMIN)
3. Step 3 - Prepare scripts for setting additional passwords
4. Step 4 - Assign new passwords to all database users not managed with EBS
5. Step 5 - Assign new passwords to all database users managed with EBS
6. Optional additional steps
Steps 1 through 4 are run on the database server running as the Operating System user, "oracle", using "sqlplus" connected as the "SYS" or "APPS" database user.
Step 5 is run as the Operating System user "applmgr" on an application tier and uses the "FNDCPASS" command line utility. This means that steps 1 through 4 can be performed the first time the cloned database is started, i.e. before it is made accessible to the network via the database TNS listener. Step 5 is not time critical and can be performed when access to the cloned system for patch purposes is required.
All application tier processes must be stopped during this procedure.
Step 1 - Clear All Credentials
To clear all credentials on a target clone of a production database you must establish a shell environment with sufficient Oracle environment variables to successfully start "sqlplus" via the "BEQ" (bequeath) driver. If Rapid Clone has been completed successfully, then each Oracle Home should have a <SID>.env file. However, in the event you need to set the environment manually, here are the minimal environment settings:
$ export ORACLE_SID=<sid>
$ export ORACLE_HOME=<db oracle home>
$ export PATH=$ORACLE_HOME/bin
$ unset TWO_TASK
oracle$ sqlplus '/ as sysdba'
To clear all credentials in the cloned copy of a Production database, create and execute the following 3 SQL scripts:
REM step1.sql
spool step1.lst
REM Start the database clone for the first time
startup restrict
REM Clear all production credentials from the cloned database
update SYS.user$ set
password = translate(password,'0123456789ABCDEF','0000000000000000')
where type#=1 and length(password) = 16
/
update APPLSYS.FND_ORACLE_USERID set
ENCRYPTED_ORACLE_PASSWORD='INVALID'
/
update APPLSYS.FND_USER set
ENCRYPTED_FOUNDATION_PASSWORD='INVALID',
ENCRYPTED_USER_PASSWORD='INVALID'
/
commit;
REM Shutdown the database
shutdown
exit
REM end of script
At this point, the cloned copy of the database is free from Production credentials. The database was shut down by the script in order for the unusual way of clearing the database user (schema) passwords to take effect. You will need to restart the cloned copy of the database in preparation for steps 2, 3 and 4:
oracle$ echo startup | sqlplus '/ as sysdba'
Step 2 - Re-establish Bootstrap Credentials
The database at the moment has no credentials. Now log on as "SYS" with operating system authentication. This will allow you to establish new credentials.
oracle$ sqlplus '/ as sysdba'
Here is the script for step 2, including inline comments which explain what is done.
REM step2.sql
spool step2.lst
REM Set a new password for a few initial database users
alter user SYS identified by CLONE;
alter user SYSTEM identified by CLONE;
alter user APPLSYSPUB identified by CLONE;
alter user APPLSYS identified by CLONE;
alter user APPS identified by CLONE;
REM Provide bootstrap info for FNDCPASS...
update APPLSYS.FND_ORACLE_USERID set
ENCRYPTED_ORACLE_PASSWORD='CLONE'
where ORACLE_USERNAME = 'APPLSYSPUB'
/
update APPLSYS.FND_ORACLE_USERID set
ENCRYPTED_ORACLE_PASSWORD='ZG' ||
'B27F16B88242CE980EF07605EF528F9391899B09552FD89FD' ||
'FF43E4DDFCE3972322A41FBB4DDC26DDA46A446582307D412'
where ORACLE_USERNAME = 'APPLSYS'
/
update APPLSYS.FND_ORACLE_USERID set
ENCRYPTED_ORACLE_PASSWORD='ZG' ||
'6CC0BB082FF7E0078859960E852F8D123C487C024C825C0F9' ||
'B1D0863422026EA41A6B2B5702E2299B4AC19E6C1C23333F0'
where ORACLE_USERNAME = 'APPS'
/
commit;
REM We run as SYS, now connect as APPS to run some plsql
connect APPS/CLONE
REM Every EBS database needs a GUEST user
select APPS.fnd_web_sec.change_guest_password('CLONE','CLONE') "RES"
from dual;
commit;
REM Set GUEST credential in site level profile option
set serveroutput on
declare
dummy boolean;
begin
dummy := APPS.FND_PROFILE.SAVE('GUEST_USER_PWD','GUEST/CLONE','SITE');
if not dummy then
dbms_output.put_line('Error setting GUEST_USER_PWD profile');
end if;
end;
/
commit;
REM One more time for luck (avoid session caching of profiles)
connect APPS/CLONE
REM Set SYSADMIN password
select APPS.fnd_web_sec.change_password('SYSADMIN','CLONE') "RES"
from dual;
commit;
exit
The expected output from step 2 is as follows:
User altered.
User altered.
User altered.
User altered.
User altered.
1 row updated.
1 row updated.
1 row updated.
Commit complete.
Connected.
RES
-----
Y
Commit complete.
PL/SQL procedure successfully completed.
Commit complete.
Connected.
RES
-----
Y
Commit complete.
It is important to verify that no errors are reported and that the 2 returned "RES" values are both "Y", which indicates success.
ATTENTION:
It has been identified that some customers are running into an error for the SQL*Plus command
select APPS.fnd_web_sec.change_password('SYSADMIN','CLONE') "RES" from dual
In this case, please check Note 1350776.1 for the solution before you go ahead with the next steps!
Now we have completed establishing a set of bootstrap EBS credentials in the database.
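One way to automate the check of the step 2 output described above, as an added example that is not part of the original note: the shell function reads a "step2.lst" spool file and accepts it only if it contains no ORA-/SP2-/PLS- error lines, five "User altered." lines and two RES values that are both "Y". The function names and the constructed sample spool are assumptions made for this illustration.

```shell
#!/bin/sh
# check_step2_spool FILE: return 0 only if FILE matches the expected step 2 output:
# no ORA-/SP2-/PLS- errors, five "User altered." lines, two RES values, both "Y".
check_step2_spool() {
    spool=$1
    [ -r "$spool" ] || { echo "cannot read $spool" >&2; return 2; }
    if grep -En '(ORA|SP2|PLS)-[0-9]+|Error setting GUEST_USER_PWD' "$spool" >&2; then
        echo "FAIL: errors reported in $spool" >&2; return 1
    fi
    altered=$(grep -c '^User altered\.' "$spool" || true)
    if [ "$altered" -ne 5 ]; then
        echo "FAIL: expected 5 'User altered.' lines, found $altered" >&2; return 1
    fi
    # A RES value is the first non-blank line after the heading and its dashed underline.
    res=$(awk '/^RES[ \t]*$/ { want = 1; next }
               want && /^-+[ \t]*$/ { next }
               want && NF { printf "%s ", $1; want = 0 }' "$spool")
    if [ "$res" != "Y Y " ]; then
        echo "FAIL: expected RES values 'Y Y', got '$res'" >&2; return 1
    fi
    return 0
}

# Constructed sample spool for demonstration (not captured from a real system).
# Arguments: the two RES values to embed.
sample_step2_spool() {
    for i in 1 2 3 4 5; do echo "User altered."; done
    printf '%s\n' "1 row updated." "1 row updated." "1 row updated." \
        "Commit complete." "Connected." "RES" "-----" "$1" "Commit complete." \
        "PL/SQL procedure successfully completed." "Commit complete." \
        "Connected." "RES" "-----" "$2" "Commit complete."
}

tmp=$(mktemp)
sample_step2_spool Y Y > "$tmp"
check_step2_spool "$tmp" && echo "step2.lst looks clean"
rm -f "$tmp"
```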
Step 3 - Prepare Scripts for Setting Additional Passwords
In this step scripts are prepared to assign passwords to the other database users which were disabled in Step 1. Dynamically generated scripts are used to accomplish this because the set of database users may differ between instances of EBS. Create the script below and run it as the Operating System user "oracle":
$ sqlplus '/ as sysdba'
The comments in the script below explain what is done in step 3.
REM step3.sql
REM Prepare SQL and SHELL scripts to set more passwords later
spool step3.lst
REM Generate a sql script to set password for db users not managed with EBS
select 'alter user "'||USERNAME||'" identified by CLONE;'
from SYS.DBA_USERS
where USERNAME not in (select ORACLE_USERNAME from APPLSYS.FND_ORACLE_USERID)
and USERNAME not in ('SYS','SYSTEM');
REM Generate a shell script to set password for all base product schemas
select 'FNDCPASS apps/clone 0 Y system/clone ALLORACLE clone' from dual;
REM Generate a shell script to set password for non-EBS db users managed with EBS
select 'FNDCPASS apps/clone 0 Y system/clone ORACLE "'||
replace(ORACLE_USERNAME,'$','\$')||'" clone'
from APPLSYS.FND_ORACLE_USERID
where READ_ONLY_FLAG = 'X'
and ORACLE_USERNAME in (select USERNAME from SYS.DBA_USERS);
REM Generate a shell script to set password for APPS/APPLSYS/APPM_mrc db users
select 'FNDCPASS apps/clone 0 Y system/clone SYSTEM APPLSYS clone' from dual;
REM Generate scripts for steps 4 & 5
spool off
HOST grep '^alter user' step3.lst > dbusers4.sql
HOST grep '^FNDCPASS' step3.lst > dbusers5.sh
exit
REM End of Script
NOTE: The script above calls the UNIX command "grep" to extract 2 sets of lines from the step3.lst spool file. If you are running Windows, the shell redirection will fail when attempted from within sqlplus. You can perform the failed step by going to a command prompt (using the HOST command from sqlplus). If you have your MKS environment set, then you can use the "grep" syntax or alternatively you can use the below syntax from a Windows command (cmd.exe) prompt.
# alternative commands for extracting sql and shell commands from step3.lst
C:\ORACLE\Clone> findstr "^alter user" step3.lst > dbusers4.sql
C:\ORACLE\Clone> findstr "^FNDCPASS" step3.lst > dbusers5.cmd
Step 4 - Assign New Passwords to All Schemas Not Managed with EBS
This step runs the SQL script, "dbusers4.sql", generated in Step 3.
Sample content of "dbusers4.sql" is listed below for illustration purposes only; you must run the one you generated on your system.
NOTE: "dbusers4.sql", for example purposes only!
alter
...
alter
alter
alter
alter
alter
alter
alter
Note: Prior to running your script, you should review the contents of the script for any obvious problems or syntax errors - this is good advice for any dynamically created SQL scripts.
Connect as "SYSDBA":
$ sqlplus "/ as sysdba"
Now run the "dbusers4.sql" file:
SQL> spool step4.lst
SQL> start dbusers4.sql
SQL> exit
The output spool file should show many output lines stating "User altered.". No error messages (ORA-nnnnn) should appear.
At this point, the database should be started and running. Stop and restart the database at this time. To ensure that the application tier code can access the database for Step 5, you must also ensure that the database TNS listener service is running.
$ echo shutdown | sqlplus "/ as sysdba"
$ echo startup | sqlplus "/ as sysdba"
$ lsnrctl start <listener_name>
Step 5 - Assign New Passwords to All Schemas Managed with EBS
This step uses the "FNDCPASS" command to set the passwords for all the EBS managed schemas and all the base product schemas. The "FNDCPASS" must be run from an application tier node. (Any node with an APPL_TOP file system.)
You will need to locate and copy the "dbusers5.sh" script from the directory where it was created in Step 3. Again, as with any dynamically generated scripts that you run on your system, you should review the contents of the file before running it.
Note for Windows users: In the unlikely event that any of the usernames contain the dollar sign "$", it has been escaped by prefixing it by a backslash "\"; on Windows the backslash should be removed.
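The review recommended for "dbusers4.sql" in Step 4 and for "dbusers5.sh" in Step 5 can be partly automated. The following added example (not part of the original note) flags every line that does not have the exact shape step3.sql is meant to generate; it assumes each generated SQL statement ends with a semicolon and that schema names use only A-Z, 0-9, _, # and $, so anything else is reported for manual review. The function names and sample file contents are constructed for illustration.

```shell
#!/bin/sh
# lint_generated sql|sh FILE
# Prints (with line numbers) every non-blank line of FILE that is not in the
# shape step3.sql generates, and returns 1 if there is one. Assumption: schema
# names use only A-Z, 0-9, _, # and $ (written \$ in the shell script).
lint_generated() {
    kind=$1; file=$2
    case $kind in
        sql) ok='^alter user "[A-Z][A-Z0-9_#$]*" identified by CLONE; *$' ;;
        sh)  ok='^FNDCPASS apps/clone 0 Y system/clone (ALLORACLE|SYSTEM APPLSYS|ORACLE "(\\\$|[A-Z0-9_#])+") clone *$' ;;
        *)   echo "usage: lint_generated sql|sh FILE" >&2; return 2 ;;
    esac
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # -v inverts the match: whatever is printed needs a human look before the run.
    bad=$(LC_ALL=C grep -Evn -e "$ok" -e '^ *$' "$file" || true)
    if [ -n "$bad" ]; then
        printf 'unexpected lines in %s:\n%s\n' "$file" "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed samples (illustrative names); the last line of each file is
# deliberately outside the expected shape.
write_samples() {   # write_samples DIR
cat > "$1/dbusers4.sql" <<'EOF'
alter user "OUTLN" identified by CLONE;
alter user "DBSNMP" identified by CLONE;
alter user "OPS$BATCH" identified by CLONE;
alter user "Report User" identified by CLONE;
EOF
cat > "$1/dbusers5.sh" <<'EOF'
FNDCPASS apps/clone 0 Y system/clone ALLORACLE clone
FNDCPASS apps/clone 0 Y system/clone ORACLE "OWAPUB" clone
FNDCPASS apps/clone 0 Y system/clone ORACLE "OPS\$BATCH" clone
FNDCPASS apps/clone 0 Y system/clone SYSTEM APPLSYS clone
FNDCPASS apps/clone 0 Y system/clone ORACLE "Report User" clone
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
lint_generated sql "$dir/dbusers4.sql" || echo "review dbusers4.sql before running it"
lint_generated sh  "$dir/dbusers5.sh"  || echo "review dbusers5.sh before running it"
rm -rf "$dir"
```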
To run "FNDCPASS" you also need a number of environment variables set; at a minimum ensure that:
- "FNDCPASS" is in the "$PATH" ("$ which FNDCPASS" will tell you if it is.)
- The "ORACLE_HOME" environment variable points to the "Tools" ORACLE_HOME (8.0.6 on 11i, 10.1.2 on R12)
- The "TWO_TASK" environment variable is set to a value that can be resolved via the "$TNS_ADMIN/tnsnames.ora" file, in order to access the clone target database.
# Verify that the Oracle client environment is set to correct database (as "applmgr" OS user)
applmgr$ sqlplus -s apps/clone <<EOF
select SYSDATE, NAME from v\$DATABASE;
EOF
SYSDATE   NAME
25-JUL-07 PRD12
applmgr$ mkdir ~/s5; cd ~/s5 # create new directory to hold output files
applmgr$ sh dbusers5.sh # Run the FNDCPASS shell script
Sample content of a "dbusers5.sh" file is listed below for illustration purposes only; run the one you generated on your system.
NOTE: This "dbusers5.sh" is for example only!
FNDCPASS apps/clone 0 Y system/clone ALLORACLE clone
FNDCPASS apps/clone 0 Y system/clone ORACLE "OWAPUB" clone
FNDCPASS apps/clone 0 Y system/clone ORACLE "ODM" clone
FNDCPASS apps/clone 0 Y system/clone ORACLE "CTXSYS" clone
FNDCPASS apps/clone 0 Y system/clone SYSTEM APPLSYS clone
Each run of "FNDCPASS" will generate an output/log file in the current working directory; you should review these log files (example "L2763902.log") for errors.
NOTE: If your version of the "FNDCPASS" utility does not support the "ALLORACLE" mode, see "Q5" in the "Discussion" section below.
To verify that you have assigned passwords to all the database users, run the following query and ensure that it does not return any rows:
SQL> select USERNAME, PASSWORD from DBA_USERS where PASSWORD = '0000000000000000';
This concludes the clearing and re-establishment of account credentials from a cloned database. Please see the following 2 steps, "Additional Steps" and "Running AutoConfig", before attempting to use the system.
Additional Steps
What remains to be done is to set new passwords for additional applications users or the creation of new test users, depending on your needs. Changing passwords for applications users can be done using the "Define User" form (logged on as "SYSADMIN/CLONE") or by running "FNDCPASS" with the below syntax from an "applmgr" applications shell environment.
applmgr$ FNDCPASS apps/clone 0 Y system/clone USER <username> <password>
You may also wish to change the passwords to something other than "clone". You can use modified versions of the scripts in this note and you should reference the security best practices document for advice on changing passwords for an E-Business Suite system; see the References section below.
Running AutoConfig
Before you can actually start and access the cloned EBS system from the Application, a number of other configuration items, such as system Profile Options, most likely need to be changed in the cloned environment. Items to change typically include:
- IP addresses, hostnames and port numbers
- Profiles containing hostnames and port numbers
- Web interface URLs
- Hostnames of external services (mail, print, SSO)
The cloning notes, listed in the "Reference" section below, will provide you with information on how to run AutoConfig. Running AutoConfig is a requirement and it must be run on all tiers of the cloned system to propagate password changes and other changed settings into AutoConfig managed files.
Prior to running AutoConfig ensure that the AutoConfig Context file contains the new "GUEST" password (Context variable "s_guest_pass") and the new password for "APPLSYSPUB" (Context variable "s_gwyuid_pass").
Password for    Context Variable    New Value
APPLSYSPUB      s_gwyuid_pass       CLONE
GUEST           s_guest_pass        CLONE
REFERENCES
NOTE:189367.1 - Secure Configuration Guide for Oracle E-Business Suite 11i
NOTE:230672.1 - Cloning Oracle Applications Release 11i with Rapid Clone
NOTE:165195.1 - Using AutoConfig to Manage System Configurations with Oracle Applications 11i
NOTE:387859.1 - Using AutoConfig to Manage System Configurations in Oracle E-Business Suite Release 12
NOTE:394448.1 - Getting Started with the Application Management Pack for Oracle E-Business Suite (Releases 2.0.0 - 2.0.2)
NOTE:403537.1 - Secure Configuration Guide for Oracle E-Business Suite Release 12
NOTE:406982.1 - Cloning Oracle Applications Release 12 with Rapid Clone
PATCH:4745998