Guide to Managing WebLogic and APPS Passwords in Oracle EBS R12.2

 Guide to Managing WebLogic and APPS Passwords in Oracle EBS R12.2

For any Oracle Apps DBA, managing passwords is a critical and routine task. In Oracle E-Business Suite (EBS) R12.2, with the introduction of WebLogic Server, the process has more layers than in previous releases. Mismanagement of these passwords can lead to system-wide outages, so it's essential to follow the correct procedures.

This guide will walk you through the necessary steps and best practices for changing the APPS schema password and the WebLogic administrator password.

Part 1: Changing the APPS/APPLSYS Password

In EBS, the APPS and APPLSYS schemas are tightly linked, and their passwords must always be identical. 

You should use Oracle's recommended utilities, FNDCPASS or its enhanced version AFPASSWD, for this task. 

Key Utilities:

FNDCPASS: The standard utility for changing passwords for Application Object Library (AOL) users and schemas. 

AFPASSWD: An enhanced version of FNDCPASS that prompts for passwords, allowing for a better separation of duties between DBAs and application administrators. 

Step-by-Step Guide to Changing the APPS Password:

Backup Critical Tables: Before you begin, it's highly recommended to back up the FND_USER and FND_ORACLE_USERID tables. 

Shut Down Application Services: All application tier services must be shut down before changing a system schema password. 

Use the adstpall.sh script from your $INST_TOP/admin/scripts directory.

Change the Password: Use the FNDCPASS or AFPASSWD utility to change the APPLSYS password. When you change the APPLSYS password, the passwords for APPS and APPS_NE are changed simultaneously. 

bash

# Using FNDCPASS 

FNDCPASS apps/<old_apps_password> 0 Y system/<system_password> SYSTEM APPLSYS <new_apps_password> 

# Using AFPASSWD 

AFPASSWD -c apps@<TWO_TASK> -s APPLSYS 

Run AutoConfig: After changing the password, run AutoConfig to propagate the changes. 

Start Only the AdminServer: Do not start all services yet. Start only the WebLogic Admin Server. 

bash

$INST_TOP/admin/scripts/adadminsrvctl.sh start 

Update the WebLogic Data Source: This is a critical step in R12.2. You must update the data source in WebLogic with the new APPS password. You have two options:

Manual Update via Console: Log in to the WLS Administration Console, navigate to Services > Data Sources > EBSDataSource > Connection Pool, and update the password. 

Another Using the txkManageDBConnectionPool.pl Script: For more recent versions of R12.2, Oracle provides a script to automate this. 

bash

perl $FND_TOP/patch/115/bin/txkManageDBConnectionPool.pl 

When prompted, choose the updateDSPassword option.

Start All Application Services: Once the data source is updated, you can start the remaining application services. 

bash

$INST_TOP/admin/scripts/adstrtal.sh 

Verify the Changes: Log in to the WLS Administration Console and test the EBSDataSource connection to ensure it's successful. 

Part 2: Changing the WebLogic Administrator Password

The WebLogic administrator password is also a critical credential to manage. The method for changing it can vary depending on your EBS patch level. 

Step-by-Step Guide to Changing the WebLogic Password (for recent patch levels):

Shutdown Application Services: Stop all application tier services. 

Start the AdminServer: Start only the Admin Server. 

Use the txkUpdateEBSDomain.pl Script: Oracle provides a script to update the WebLogic administrator password. 

Be extremely careful, as it does not ask for password confirmation.

bash

perl $FND_TOP/patch/115/bin/txkUpdateEBSDomain.pl -action=updateAdminPassword 

Restart All Services: After the script completes successfully, restart all application tier services. 

Verify the New Password: Log in to the WebLogic Server console and the Enterprise Manager (EM) with the new password to confirm the change was successful. 

For older patch levels, the process involves more manual steps within the WebLogic console and editing boot.properties files. 

Best Practices for Password Management

Regularly Change Passwords: Adhere to your organization's security policies for password rotation. 

Use Strong Passwords: Avoid easily guessable passwords. Use a combination of uppercase letters, lowercase letters, numbers, and special characters. 

Separate Duties: Where possible, use tools like AFPASSWD to allow for a separation of administrative roles. 

Document Everything: Keep a secure record of all password changes and the procedures followed.

Backup: Always back up relevant tables and configuration files before making any changes.

By following these structured procedures and best practices, you can confidently and securely manage the critical passwords in your Oracle EBS R12.2 environment.

Caution: Your use of any information or materials on this Blog is entirely at your own risk. It is provided for educational purposes only.

Mastering Your EBS Environment: A Deep Dive into the AD Utilities Toolkit

For every Oracle Apps DBA, there's a set of command-line tools that are less of a convenience and more of a lifeline. They are the bedrock of administration, the key to maintenance, and the power behind patching. We're talking, of course, about the Oracle Applications DBA (AD) Utilities.

If you're managing an Oracle E-Business Suite (EBS) environment, these utilities are your essential toolkit. In a world often dominated by graphical interfaces, EBS administration remains firmly rooted in the power and precision of the command line. Forgetting about a slick GUI, true power comes from mastering these workhorses. Let's pull back the curtain and explore the most critical tools in the Apps DBA's arsenal.

---

The Core Mission: What Are AD Utilities?

At their heart, AD Utilities are a suite of specialized programs designed for the complete lifecycle management of your EBS instance. They are the engine that drives four primary functions:

• Installation & Upgrades: Setting up new instances or upgrading existing ones.
• Patching: Applying critical updates, from one-off fixes to major maintenance packs.
• Maintenance: Performing the daily, weekly, and monthly tasks that keep the system healthy.
• Configuration: Adjusting and managing the complex configuration of your EBS environment.

You'll find these powerful scripts residing in the $AD_TOP/bin directory, waiting to be called into action.

---

Meet the Tools: The DBA's Most-Used Utilities

While the toolkit is extensive, a few key players handle the bulk of the work. Let's get to know them.

adadmin: The Swiss Army Knife

If you could only know one utility, adadmin would be it. Think of it as your central command for a vast range of maintenance tasks. It's a menu-driven tool that helps you perform critical database and file system activities without having to remember dozens of different commands.

Common uses for adadmin:

• Generating message, form, and report files.
• Compiling invalid database objects.
• Verifying and rebuilding the Applications context file.
• Managing system-wide maintenance mode.

Pro-Tip: Before a major patching session or upgrade, run the "Validate Apps Schema" task in adadmin to proactively find and fix issues with your database objects.

adpatch & adop: The Patching Powerhouses

Patching is a non-negotiable part of a DBA's life.

• adpatch is the traditional utility used to apply patches in pre-R12.2 versions. It's a robust tool that has served DBAs for years, often run in a dedicated maintenance window.
• adop (AD Online Patching) is the modern standard for EBS R12.2 and beyond. This is a game-changer, leveraging a dual file system to allow patches to be applied while users are still online. It dramatically reduces downtime by keeping one file system active while patching the other, only requiring a brief cutover at the end.

adctrl: The Worker's Manager

When you run a major task like patching, it often spawns multiple "worker" processes to do the job in parallel. But what happens when a worker gets stuck on a failing task? That's where adctrl comes in. This utility is your control panel for those workers, allowing you to:

• Check the status of all workers (running, failed, complete).
• Restart a failed worker after fixing the underlying issue.
• Tell the system to skip a problematic job (use with caution!).

Without adctrl, a failed patch could leave you completely in the dark, unable to diagnose or recover the session.

adautocfg: The Configuration King

Your EBS environment's configuration is stored in a central XML file ($CONTEXT_FILE). When you run adautocfg (via the adconfig.sh script), it reads this file and propagates the defined settings to hundreds of configuration files across the application and database tiers. Any time you make a major change to your system's setup—like changing a port, a password, or a directory path—running AutoConfig is the final, essential step to make that change official.

---

The All-Important Log Files: Your Troubleshooting Compass

When a utility runs, it creates log files that are your single most important resource for troubleshooting. Knowing where to look is half the battle.

• Main Log File Location: By default, logs are created in $APPL_TOP/admin/<SID>/log.
• Worker Logs: For parallel jobs, each worker has its own log file in the same directory. The main log will usually point you to the specific worker log that has the error.
• adop Logs: Online patching logs have their own extensive structure under $NE_BASE/EBSapps/log/adop/<session_id>/.

Always check the logs! The answer to "Why did it fail?" is almost always waiting for you there.

---

Other Essential Utilities You Should Know

Beyond the big four, several other utilities solve specific, but crucial, problems:

Utility	What It Does
adclone	Your go-to tool for cloning an EBS instance—perfect for creating test/dev environments from production.
admrgpch	Merges multiple patches into a single, combined patch. Invaluable when you have dozens of patches to apply.
adrelink	Relinks program executables with the necessary libraries. Use this if you suspect a binary has become corrupted.
adsplice	"Splices" a new, custom, or off-cycle product into your EBS instance so it's recognized as a legitimate application.
adident	A simple but vital tool that identifies the exact version of any given application file. Essential for troubleshooting.
admon	The AD Monitor. This is used to monitor the progress of a long-running utility that is already in progress, such as an adpatch session. You can run it from another terminal to see which workers are running, which have completed, and which (if any) have failed, all without interrupting the main session.
FNDCPASS	While technically an FND utility, no Apps DBA's toolkit is complete without it. This is the command-line tool for changing passwords for application users (like APPS, APPLSYS) and front-end users. It's essential for security policies and resolving user access issues.
adcfgclone.pl	This is the master Perl script used to clone an Oracle E-Business Suite system. It gathers the necessary information and then calls other AD utilities (like adclone.pl) to perform the actual configuration of a cloned target system. For DBAs, this is the starting point for any cloning procedure.
addgn.pl	The AD Diagnostics script. This is an incredibly powerful tool for collecting a wealth of diagnostic information about your EBS instance. When you need to log a Service Request with Oracle Support for a technology stack issue, they will almost always ask for the output from this script.

---

Bringing It All Together: A Final Word

Mastering the AD utilities is a journey that separates a good DBA from a great one. It's about moving beyond just running commands and truly understanding the impact they have on the intricate web of your E-Business Suite environment. By embracing the command line and learning the language of these tools, you empower yourself to patch, maintain, and troubleshoot with confidence and precision.

So next time you're in the terminal, remember the power you have at your fingertips. Happy administering!

Caution: Your use of any information or materials on this Blog is entirely at your own risk. It is provided for educational purposes only.

My Life Revolves Around Oracle Apps DBA: I Just Keep Things from Breaking (Mostly)

         So, You Think You Know What an Oracle Apps DBA Does? Bless Your Heart.

Welcome, dear reader, to the digital world's most misunderstood profession. If you picture an Oracle Apps DBA as a mythical creature who lives in a server room, subsisting on stale coffee and the glow of a command-line interface, well... you're not entirely wrong.

But the reality is so much more chaotic. We are the digital firefighters, the professional worriers, and the high-wire acrobats of the IT world. Our job is to keep a multi-billion dollar enterprise application, cobbled together from millions of lines of code, from imploding. All before our second cup of coffee.

So, grab a seat, and let me walk you through a totally normal, not-at-all-stressful day in my life. 

7:00 AM: The Pre-Dawn Panic Check

My alarm doesn't wake me up. The cold dread of a P1 (Priority 1) incident does. The first thing I do, before my feet even touch the floor, is grab my phone. I'm not checking social media; I'm frantically swiping through monitoring alerts, muttering a silent prayer to the Database Gods.

Database: ONLINE. Thank you.

Concurrent Managers: ACTIVE. Praise be.

Workflow Mailer: NOT on fire. Hallelujah.

No red alerts? Excellent. Now I can stumble to the kitchen and begin the sacred coffee ritual.

8:30 AM: The Morning Health Check, or "Poking the Bear"

Coffee in hand, I log in and run my Grand Master Health Check Script. This isn't just a script; it's an ancient incantation passed down through generations of DBAs. It checks tablespaces, listeners, invalid objects, and all the other things that can decide to ruin your day.

The entire time it runs, I'm whispering, "Please be green, please be green..."

Of course, today, it's not. A tablespace is at 95% full. This means the system is about to run out of digital real estate and will soon start screaming at me. I kick off a process to add more space, feeling like a hero who just prevented an apocalypse that nobody even knew was coming. You're welcome, everyone.

10:00 AM: The User-pocalypse Begins

The users are logged in. The coffee is flowing. And the ticket queue has started to light up like a Christmas tree. This is when an Apps DBA has to become a professional translator.

Here's a handy guide:

What the User Says	What the User Actually Means
The system is slow."	I ran a financial report for all data from 1998 to today.  Why isn't it instant?
I can't log in!	I've forgotten my password for the 8th time this month,  but it's definitely the system's fault.
My report is stuck.	It's not stuck. It's just calculating the meaning of life based on your  query. It needs a minute.
Is the system down?"	A website from 2003 loaded slowly, so I'm assuming the entire  multi-million dollar infrastructure has collapsed.

My job is to investigate each one, armed with SQL queries and the patience of a saint, to find the user who ran a query that's currently trying to boil the ocean.

2:00 PM: "Project Work" (aka Juggling Chainsaws)

My calendar has a lovely, optimistic block labeled "Project Work." This is when I'm supposed to be architecting a new disaster recovery solution or planning a major application upgrade.

In reality, this is my "Try to Read a 300-Page Oracle README File While Simultaneously Putting Out Small Fires" time. The README for a simple patch is written in a language that only the Oracle developers who wrote it can understand, and it's booby-trapped with "gotchas" that can turn a 2-hour job into a 2-day ordeal.

This is also when I get to do fun things like cloning. This isn't just copying files. It’s like performing a delicate brain transplant on a multi-terabyte environment, hoping it doesn't wake up with amnesia and a sudden desire to cause chaos in your testing cycle.

6:00 PM: The Maintenance Window of Opportunity

The business day is over for most people. For me? It's party time.

This is the "maintenance window," a magical time when I'm allowed to take the system down to do the really scary stuff. Applying that patch I was reading about? Now's the time. Refreshing the test environment from production? Let's do it. It's a race against time, fueled by lukewarm coffee and the fear of a post-maintenance bug.

Every DBA knows the feeling of running that final startup script and holding their breath, waiting for the system to come back to life. When it does, and you see "All services are up," it's a feeling of victory that few will ever know.

11:00 PM: The Final Check

One last look at the dashboards. Everything is green. The system is stable, the patches are applied, and no one is screaming. I can finally log off, knowing I've successfully kept the digital world spinning for one more day.

So, the next time you see your friendly neighborhood Apps DBA, give them a nod. They've probably just saved your company from an invisible catastrophe, and they're already worrying about what tomorrow might bring. Now if you'll excuse me, I think I see an alert...

Mastering Oracle Fusion Applications Environment Refreshes Process

               Oracle Fusion Applications Environment Refreshes Guide and Demo step

A robust testing strategy is the backbone of any successful Oracle Fusion Applications implementation. A critical component of this strategy is the environment refresh, a process that ensures your non-production environments are a reliable mirror of your source data.

This comprehensive guide will walk you through everything you need to know to master the self-service Production-to-Test (P2T) and Test-to-Test (T2T) refresh process for your Fusion Applications environments.

What is an Oracle Fusion Environment Refresh?

An environment refresh in Oracle Fusion Applications is the process of copying data and configurations from a source environment to a target environment. This essentially overwrites the target with a recent backup of the source, making it an invaluable tool for creating high-fidelity testing, training, and development sandboxes.

There are two primary types of refreshes you need to know:

Production-to-Test (P2T) Refresh

A P2T refresh copies data from your live production environment (source) to a non-production environment like UAT or Dev (target). This is the most common method for getting realistic, current data into your testing environments for validation before deploying changes to production.

Test-to-Test (T2T) Refresh

A T2T refresh is used when you have multiple non-production environments and need to copy data between them. For example, you might refresh your Development environment from your UAT environment to align them for a specific testing cycle.

Important Considerations & Limitations 

While incredibly useful, environment refreshes come with a few important requirements and limitations:

Production Environments are Sacred: You cannot refresh a production environment as a target.

Downtime for Target: The target environment will be unavailable during the refresh, but your source environment remains fully operational.

Family Ties: Both source and target environments must belong to the same environment family.

Backup-Based: The refresh always uses the latest backup of the source, not the live source itself. Minor data discrepancies might occur if the source was highly active post-backup.

Patch Level Harmony is Key: The Fusion Applications version and patch level (including monthly and exception updates) must match between your source and target.

    Heads Up! Production and non-production environments often have different patching schedules. If a     mismatch is detected 7 days before a scheduled refresh, Oracle will notify you, and you'll need to            reschedule.

Language Pack Overwrite: If language packs differ, the target environment will be overwritten with the source's language packs.

Maintenance Conflicts: Avoid scheduling refreshes within 5 days before or 1 day after the start of scheduled maintenance for the target environment. Also, watch out for conflicting maintenance windows between source and target.

                    Step-by-Step Demo: How to Schedule a Fusion Environment Refresh

Step 1: Navigate to Your Environments

First, log in to your OCI Console. Using the navigation menu, find and select Fusion Applications. This will take you to your list of provisioned environments.

Step 2: Select Your Target Environment

From the list of environments, identify and click on the target environment.

This will open the Environment Details page for your chosen target.

Step 3: Initiate the Refresh

On the Environment Details page, you will see a "Refresh" button near the top. Click this button to open the refresh scheduling wizard.

Step 4: Configure the Refresh Options

This is the most important step. A "Schedule Refresh" panel or pop-up will appear, prompting you to configure the details.

Source Environment: Use the dropdown menu to select your source environment. For a P2T, you would select your production environment. For a T2T, you would select another non-production environment.

Enable data masking (Optional): You will see a checkbox to Enable data masking. Check this box if you need to obfuscate sensitive data in the target environment. Remember, this will add to the total refresh time.

Scheduling:

    Refresh now: Select this option to start the refresh process as soon as possible.

    Schedule for a later date: Select this to choose a specific date and time for the refresh to begin. This     is ideal for planning around business hours or maintenance windows.

Confirmation: Read the confirmation message carefully. You will need to acknowledge that you understand the target environment will be permanently overwritten with data from the source. This action cannot be undone.

Step 5: Monitor the Refresh Progress

Once you confirm the schedule, you will be returned to the Environment Details page. The status of the target environment will change from "Active" to "Refresh in progress".

You can monitor the status directly from this page. The system will provide updates on the current stage of the refresh (e.g., "Backup in progress," "Data copy in progress," "Data masking in progress").

Step 6: Verify Completion

The refresh is complete when the environment's status returns to "Active". You should also receive an email notification confirming the successful completion of the refresh.

Reference Documentation

For more information, refer to the official Oracle documentation:

https://docs.oracle.com/en-us/iaas/Content/fusion-applications/refresh-environment.htm

Caution: Your use of any information or materials on this Blog is entirely at your own risk. It is provided for educational purposes only.

Oracle Database Security Best Practices for Oracle E-Business Suite (EBS)

Introduction

Security is a critical aspect of managing an Oracle E-Business Suite (EBS) environment. Since EBS stores sensitive enterprise data such as financial records, HR information, and business transactions, implementing strong database security controls is essential.

Oracle provides several built-in security features that help administrators protect the database from unauthorized access, data breaches, and internal misuse.

In this article, we will discuss Oracle Database security best practices for EBS environments, including access control, encryption, auditing, patching, and monitoring.

1. Follow the Principle of Least Privilege

One of the most important security practices is ensuring that users only have the minimum privileges required to perform their tasks.

Best practices

• Avoid granting DBA privileges unnecessarily

• Use role-based access control

• Regularly review user privileges

• Disable unused accounts

Example:

SELECT username, account_status FROM dba_users;

Lock unused accounts:

ALTER USER username ACCOUNT LOCK;

2. Enforce Strong Password Policies

Weak passwords are a common security risk. Oracle allows administrators to enforce strong password policies using profiles.

Recommended password policies

• Minimum password length

• Password expiration

• Failed login attempt limit

• Password complexity rules

Example:

ALTER PROFILE DEFAULT LIMIT
FAILED_LOGIN_ATTEMPTS 5
PASSWORD_LIFE_TIME 90
PASSWORD_REUSE_TIME 365;

This helps protect against brute-force attacks.

3. Enable Database Auditing

Database auditing helps track who accessed the database and what actions were performed.

Enable auditing for critical operations such as:

• Login attempts

• Privileged user activities

• Table modifications

Example:

AUDIT SESSION;
AUDIT TABLE;
AUDIT SYSTEM GRANT;

Audit logs can help detect suspicious activities and security breaches.

4. Use Oracle Transparent Data Encryption (TDE)

Sensitive data stored in EBS databases should be encrypted to protect against unauthorized access.

Transparent Data Encryption (TDE) encrypts:

• Tablespaces

• Columns

• Backups

Benefits:

• Protects data at rest

• Prevents data theft from storage devices

• Ensures compliance with security regulations

Example:

ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY password;

5. Apply Regular Security Patches

Oracle regularly releases Critical Patch Updates (CPUs) and Security Patch Updates (SPUs).

These patches fix vulnerabilities in:

• Oracle Database

• Oracle E-Business Suite

• Application technology stack

Best practices:

• Apply patches regularly

• Test patches in non-production environments

• Follow Oracle patching documentation

Using Online Patching (ADOP) in EBS R12.2 makes patching easier with minimal downtime.

6. Restrict Network Access

Restrict database access to trusted servers only.

Recommended controls:

• Use firewalls

• Restrict database ports

• Allow only application servers to connect

Example:

Limit database connections to application servers.

7. Enable SSL / Secure Network Communication

Use SSL/TLS encryption to secure communication between:

• Web server

• Application tier

• Database server

Benefits:

• Protects data in transit

• Prevents man-in-the-middle attacks

8. Monitor Database Activity

Monitoring helps detect potential security issues early.

Tools commonly used by DBAs include:

• AWR reports

• ASH reports

• Database alert logs

• Security audit reports

Regular monitoring helps identify:

• Unauthorized login attempts

• Abnormal database activity

• Suspicious queries

9. Secure Backup and Recovery

Backups must also be protected to prevent unauthorized access to sensitive data.

Best practices:

• Encrypt backups

• Store backups securely

• Restrict access to backup files

• Test recovery procedures regularly

Example:

CONFIGURE ENCRYPTION FOR DATABASE ON;

10. Use Oracle Database Security Tools

Oracle provides several tools to improve database security.

Common tools include:

• Oracle Database Security Assessment Tool (DBSAT)

• Oracle Audit Vault

• Oracle Database Vault

These tools help identify security risks, misconfigurations, and compliance issues.

Caution: Your use of any information or materials on this Blog is entirely at your own risk. It is provided for educational purposes only.