OracleAppsDBAKK1: FNDCPASS Troubleshooting Guide For Login and Changing Applications Passwords (Doc ID 1306938.1)

In this Document

APPLIES TO:

Oracle E-Business Suite Technology Stack - Version 12.1.3 to 12.2.7 [Release 12.1 to 12.2]
Oracle Application Object Library - Version 11.5.10.2 to 12.2.7 [Release 11.5 to 12.2]
Information in this document applies to any platform.
Reviewed for Relevance 29 Jul 18

GOAL

This is a consolidation of Top Documents to provide a Single Source for troubleshooting common problems with FNDCPASS.

SOLUTION

1. Error Starting Application Services After Changing APPS Password Using FNDCPASS

Error:
Cannot complete applications logon. You may have entered an invalid applications password, or there may have been a database connect error.

From the error, it's confirmed that the APPS password did not change correctly. Sometimes when changing the APPS password using FNDCPASS with a new APPS password, if able to log into SQLPLUS as the apps user, then it's thought that the password has changed correctly In every scenario, this is not true. If able to connect th SQLPLUS with the new APPS password, then it doesn't verify new APPS password completely. It is just one test for new APPS passwords. If able to start application services successfully, then one can confirm that the APPS password has changed successfully.

Points to keep in mind when changing the APPS password using the FNDCPASS utility:

Point 1: Changing APPS password using an "alter user" command is not supported and should not be used for changing the apps password in any case.

Point 2: Always use FNDCPASS to change the APPS password. For an improved solution to FNDCPASS as of R12.1.2, click here.

Point 3: Before changing APPS password, it is strongly recommended to take a backup of FND_USER and FND_ORACLE_USERID.

Point 4: Always check FNDCPASS log for any kind of error. If there is any error in the FNDCPASS log, then DO NOT run autoconfig or try to change configuration file manually. Until and unless FNDCPASS log has no error please do not run autoconfig as you will get problem while logging in oracle application.

Point 5: If getting any error in the FNDCPASS log, then either replace from an original backup with FND_USER and FND_ORACLE_USERID to log into Applications or raise an SR to support with the FNDCPASS log.

1. If autoconfig was not run, did not make any change in configuration file manually and also have a valid backup of FND_USER and FND_ORACLE_USERID table, then recover from the original backup. Start application services.

If a valid backup of the FND_USER and FND_ORACLE_USERID table does not exist, then an export/import of table FND_USER and FND_ORACLE_USERID from a Instance that has the same patchset level must be used because autoconfig was not run. If the patchset level is not same, then the export/import of the tables will not work. For example: If facing the issue on a newly cloned instance, then export/import the source instance from which the clone instance was made.

2. If a valid backup of FND_USER and FND_ORACLE_USERID table exists, but have already run autoconfig then the application services cannot be started. Once autoconfig is run, then replacing the original backup of FND_USER and FND_ORACLE_USERID table will not work.

In this case, a backup of the FND_USER and FND_ORACLE_USERID table is not valid because autoconfig was already run and hence only two options left:

A. Follow the procedure mentioned in the below note to remove database credentials:

Note 419475.1: Removing Credentials from a Cloned EBS Production Database

B. Do a fresh clone. (In case the issue exists in a test instance.)

4. One should able to start application services without any error. If able to start the application services without any error, but still are not able to log in, then check a direct forms log in:

For Release 11i : http://<hostname>:<port>/dev60cgi/f60cgi
For Release 12: http://<hostname>:<port>/forms/frmservlet
For direct forms logging, below parameter in CONTEXT file should be set to OFF. If it is not set to OFF then make below changes and run autoconfig.

<appserverid_authentication oa_var="s_appserverid_authentication">OFF</appserverid_authentication>

5. Once able to login Forms mentioned in step 4, but still personal home page login is not working. Then it's confirmed that the issue is now with personal home page login only and no issue with the APPS password.

Run AOL/J Test. Use below URL to run AOL/J Test:
http://<hostname>:<port>/OA_HTML/jsp/fnd/aoljtest.jsp

2. Log In Fails With: You Don't Have Permission To Access /pls/.../fnd_icx_launch.launch On This Server

The apps account is locked from repeatedly running FNDCPASS or logging into sqlplus as apps using the wrong password.

To implement the solution, execute the following steps:

1. Log-in as system owner and run:

SQL> alter profile DEFAULT limit failed_login_attempts unlimited;
SQL> alter user apps account unlock;

The first line (optional) results in preventing repeated failed log in attempts from locking the account.
The second line (required) simply unlocks the apps account.

2. Restart the services.

3. APP-FND-01564: ORACLE Error 6550 In changepassword With Portal/Login Server/SSO After Patch

APP-FND-01564: ORACLE error 6550 in changepassword
Cause: changepassword failed due to ORA-06550: line 1, column 7:
PLS-00201: identifier 'FND_SSO_REGISTRATION.IS_OPERATION_ALLOWED' must be declared
ORA-06550: line 1, column 7:
PL/SQL: Statement ignored
ORA-06512: at "APPS.FND_LDAP_WRAPPER", line 1190

To implement the solution, execute the following step:

1. For instances integrated with Portal 3.0.9 from ATG_PF.H.RUP3 and above the profile option Applications SSO LDAP Synchronization (APPS_SSO_LDAP_SYNC) needs to be set to "Disabled".

4. FNDCPASS Not Able To Decrypt Password For APPLSYSPUB When Changing The APPS Password

The APPS password appears to have been successfully updated and Autoconfig runs without issue. However, Discoverer users have authentication problems.

The issue is caused by a data corruption issue in the fnd_user table.

To implement the solution, execute the following steps:

1. Use FNDCPASS to reset the APPLSYSPUB password.

e.g. FNDCPASS apps/<password> 0 Y system/<password> ORACLE APPLSYSPUB PUB

2. Retest for the issue.

5. Changing APPS Password Using FNDCPASS Gives 'not able to decrypt password' Message

Found in log:

FNDCPASS was not able to decrypt password for <testuser1> during applsys password change.
FNDCPASS was not able to decrypt password for <testuser2> during applsys password change.

The profile option "Applications SSO Login Types" is set to 'SSO'.

Because the profile "Applications SSO Login Types" is set to 'SSO', the password is maintained by Oracle Internet Directory - OID and not Applications, FNDCPASS cannot update the OID data directly.

The FND_USER table record has the value 'EXTERNAL' in the encrypted password columns.

This can be confirmed using the following SQL:

select user_id, encrypted_foundation_password, encrypted_user_password
from fnd_user
where user_name = '{User Name from FNDCPASS log}' ;

To implement the solution, execute the following steps:

1. Set the profile "Applications SSO Login Types" to 'Both' or 'Local'.
Then change the identified User password using the Security / User / Define form..

2. Ignore the message and remember that the password is managed externally..

Note:
As long as the table value is 'EXTERNAL', the FNDCPASS utility will display the messages in the log.

6. FNDCPASS Fails Changing Database Password: APP-FND-02704, APP-FND-01564, ORA-01403

Note: It has been reported that the error may occur if the password starts with a number.

FNDCPASS apps/***** 0 Y system/**** ORACLE HR HR
APP-FND-02704: Unable to alter user HR to change password.
APP-FND-01564: ORACLE error 1403 in changepassword

Cause: changepassword failed due to ORA-01403: no data found.

The SQL statement being executed at the time of the error was: and was executed from the file &ERRFILE.

The database profile DEFAULT was changed for the resource PASSWORD_REUSE_MAX.

To implement the solution, execute the following steps:

1. Revert back the resource of the database profile DEFAULT as:

FAILED_LOGIN_ATTEMPTS to UNLIMITED
PASSWORD_REUSE_MAX to UNLIMITED
PASSWORD_LOCK_TIME to UNLIMITED
PASSWORD_GRACE_TIME to UNLIMITED
PASSWORD_VERIFY_FUNCTION to NULL

2. Re-run FNDCPASS.

NOTE: The issue is not always with DEFAULT profile. It depends on the profile assigned to the user where the command is failing. Check this with:

select profile from dba_users where username=<user with the error>';

Ex:

select profile from dba_users where username='HR';

After finding the profile, one should set the options for this profile to UNLIMITED AS it is not always the DEFAULT profile.

7. FNDCPASS Fails With 'ORA-01017: invalid username/password; logon denied

Upgraded to Applications release 12.0 and database from 10.2.0.2 to 11.1.0.6

The database SEC_CASE_SENSITIVE_LOGON parameter defaults to TRUE. When this occurs the password sensitivity conversion does not occur. Passwords that are input as lower case are automatically updated as upper case.

To implement the solution, execute the following steps:

1. Set the database SEC_CASE_SENSITIVE_LOGON parameter to FALSE in the init.ora.

2. Run autoconfig on the application tiers and bounce the database.

8. adpatch Errors: The Given ORACLE Password Is Not The Correct Password.

FNDCPASS fails with:

Working...
APP-FND-01496: Cannot access application ORACLE password

Cause: Application Object Library was unable access your ORACLE password.

Action: Contact your support representative. (USER=TWOODS)
APP-FND-01496: Cannot access application ORACLE password

Issue caused by user password corruption, which resulted in failure when running FNDCPASS in an attempt to re-encrypt the APPLSYS password.

To implement the solution, execute the following steps:

1. Use FNDCPASS to update each failing User password individually.

FNDCPASS apps/<password> 0 Y system/<password> ORACLE <oracle user> <new password>

Ex: FNDCPASS apps/<password> 0 Y system/<password> ORACLE GL GLPASSWORD

2. Rerun FNDCPASS again to successfully alter the APPLSYS password:

FNDCPASS apps/<password> 0 Y system/<password> SYSTEM APPLSYS <new password>

Ex: $FNDCPASS apps/<password> 0 Y system/<password> SYSTEM APPLSYS NEWPASSWORD

NOTE: Changing the APPLSYS password automatically changes the APPS password to match as these two must always agree.

9. APP-FND-01496 Received When Changing The APPLSYS Password With FNDCPASS

APP-FND-01496: Cannot access application ORACLE password
Cause: Application Object Library was unable access your ORACLE password.

The ALTER command was run manually against the APPS user before running FNDCPASS. The APPS and APPLSYS user passwords must be identical.

To implement the solution, execute the following steps:

1. Run the ALTER command against the APPS and APPLSYS users in sqlplus to change back to the old passwords:

sql>ALTER USER APPLSYS IDENTIFIED BY XXX;
sql>ALTER USER APPS IDENTIFIED BY XXX;

Note: Before running code above make sure to have a valid database backup should you may need to revert these changes.

2. Afterwards run FNDCPASS:

FNDCPASS apps/<password> 0 Y system/<password> SYSTEM APPLSYS <new password>

Ex: $FNDCPASS apps/<password> 0 Y system/<password> SYSTEM APPLSYS NEWPASSWORD

Note: Changing the APPLSYS password automatically changes the APPS password to match as these two must always agree.

10. Using FNDCPASS With The ALLORACLE Option, Why Doesn't It Change All User Passwords?

To implement the solution, reference the following:

Usernames must appear in the FND_USER or FND_ORACLE_USERID tables. The FNDCPASS utility and ALLORACLE functionality was designed for applications users/schemas.

The following username passwords must be manually changed:

Account Name
--------------------------------
ABM
AHM
AMF
CSS
CUE
CUN
DBSNMP
EAA
EVM
FPT
IBA
IMT
IPD
JUNK_PS
MDSYS
ME
ODM
ODM_MTR
OKB
OKO
OKR
OLAPSYS
ORDPLUGINS
ORDSYS
OUTLN
OWAPUB
OZP
OZS
RHX
RLA
SCOTT
SSOSDK
SYS
VEH
XNC
XNI
XNM
XNS

alter user XNS identified by password

For IBA, IMT, IPD, ODM_MTR, OKB, OKO, OKR, OLAPSYS, ABM, AHM, VEH, XNC, XNI, XNM, XNS, RHX, RLA schemas are part of the 6th category FNDCPASS should not be used.

Also development mentioned this:

Internal Bug 5394202: ARE120.7:ALL SCHEMAS PASSWORD NOT GETTING CHANGED FNDCPASS
The 38 users listed above do not exist in FND_ORACLE_USERID or FND_USER
tables.
FNDCPASS is not intended to change passwords for users who do not exist in
these tables.

For the users which are absent in FND_ORACLE_USERID , you can change the password using alter command.

11. Fndcpass Fails with 500 Internal Server Error After Migrating Database From HP-Unix To Linux

When attempting to log in to a R12 instance, after migrating the database from HP to Linux following the steps in Note 454616.1, the following error occurs.

500 Internal Server Error
oracle.apps.fnd.cache.CacheException
at oracle.apps.fnd.cache.AppsCache.get(AppsCache.java:228)......

The issue can be reproduced at will by attempting to log in.

Password Hash Migration (FNDCPASS USERMIGRATE) done prior to the data migration.

The cause of this issue is that the FND_USER_PREFERENCES table did not get exported properly due to password hash migration not being covered or accounted for in the existing procedure.

To implement the solution, reference the following:

1. Export of the fnd_user_preferences table separately using:

$ exp system/<PWD> TABLES=(APPLSYS.FND_USER_PREFERENCES) COMPRESS=Y DIRECT=Y FILE=fnd_user_preferences.dmp LOG=exp_fnd_user_preferences.log

2. Import the Applications database target
3. Import of the fnd_user_preferences table separately

$ imp system/<PWD> FILE=fnd_user_preferences.dmp
LOG=imp_fnd_user_preferences.log TABLES=FND_USER_PREFERENCES FROMUSER=APPLSYS IGNORE=Y

4. Reset Advanced Queues ( Note 362205.1 - Section 5)
5. Run adgrants (Note 362203.1 - After the Database Upgrade)
6. Run adctxprv.sql (Note 362203.1 - After the Database Upgrade)
7. Compile Invalid Objects running adadmin
8. Implement and run Autoconfig ( Note 362203.1)
9. Gather Statistics for SYS schema (Note 362203.1 - After the Database Upgrade)
10. Create ConText and Spatial Objects (Note 362205.1 - Section 5)
11. Compile Invalid Objects (Note 362205.1 - Section 5)
12. Maintain Applications database objects (Note 362205.1 - Section 5)
13. Restart Applications Server Processes (Note 362205.1 - Section 5)

12. FNDCPASS Fails with APP-FND-02702 and APP-FND-02704

Followed Note.456838.1 and found a number of accounts that are database users with passwords equal to database users, but those do not seem to be registered as Oracle Schemas/Users.

FNDCPASS ends with the following error:

APP-FND-02702: ABM is not a valid oracle user

The list includes: ABM, AMF, CSS, CUE, CUN, EAA, EVM, FPT, IBA, IMT, IPD, ME, OKB, OKO, OKR, OZP, OZS, RHX, RLA, VEH, XNC, XNI, XNM, XNS.

Also tried to change password for EDWREP user which is not a Database user but is defined as Oracle Schema/User and FNDCPASS errored with:

APP-FND-02704: Unable to alter user EDWREP to change password

To implement the solution, reference the following:

1. EDWREP is not in the table DBA_USERS nor in FND_USER, so there is no password to change for this user as there is no possible connection to this user. This is explained in Orion Note 431272.1. EDWREP can be ignored as it is not an Oracle user nor an APPS user ( FND_USER ).

2. The list of others users provided ( ABM, ... ) is not in the table fnd_oracle_userid , so it cannot be changed with FNDCPASS, that's the normal behavior.

Note 461904.1 explains that ABM is now obsoleted.

Some Applications/Products are obsoleted in release 12:

cun, amf, jts, xni, oko, okb, ahm, imt, veh, rla, rhx, ozs, ozp, iba, cue, okr, fpt, xns, xnc, xnm, css, me, zfa, zsa, rcm, ipd, evm, abm, eaa

As obsoleted, using the alter command can be used to safely change the password of the above users.

13. APP-FND-00434 Unable to Change Password Using FNDCPASS Utility

When attempting to change the password of any application/database user using FNDCPASS, the following error occurs:

Error:
APP-FND-00434: AFPRCP:Failed to initialize profile option values : FDWHOAMI environment variable contains invalid value 5 for user ID

Step to Reproduce:
Change password of application user "VISION" using below FNDCPASS command:
FNDCPASS apps/apps 0 Y system/manager USER VISION WELCOME

Seeded application user "APPSMGR" is not present in FND_USER table. USER_ID of application user "APPSMGR" is 5. That is why when you are trying to change the password of any application/database user using FNDCPASS utility then it errors out with invalid value 5 for user ID (see the error).

To implement the solution, please execute the following steps:

1. If a backup of the FND_USER table exists, then restore the record for USER_ID=5 from the backup table to the existing FND_USER table.

Connect to SQLPLUS as APPS user:

SQL> insert into FND_USER select * from FND_USER_BAK where USER_ID=5 ;

Where FND_USER_BAK is backup table of FND_USER table.

If a backup of the FND_USER table does not exist, then thedata for the 'APPSMGR' user must be inserted using the below SQL:

Connect to SQLPLUS as APPS user :

SQL> INSERT INTO FND_USER(
USER_ID,
USER_NAME,
LAST_UPDATE_DATE,
LAST_UPDATED_BY,
CREATION_DATE,
CREATED_BY,
LAST_UPDATE_LOGIN,
ENCRYPTED_FOUNDATION_PASSWORD,
ENCRYPTED_USER_PASSWORD,
SESSION_NUMBER,
START_DATE,
END_DATE,
DESCRIPTION)
VALUES(5,'APPSMGR',TO_DATE('10/27/2004 6:00:51 PM','MM/DD/YYYY HH:MI:SS PM') ,0,TO_DATE('05/21/1987 6:00:51 PM','MM/DD/YYYY HH:MI:SS PM'),1,0,'INVALID','INVALID',0,TO_DATE('01/01/1951 6:00:51 PM','MM/DD/YYYY HH:MI:SS PM'),NULL,'User for routine maintenance activities scheduled as concurrent requests. Should be used for pre scheduled requests and for requests submitted at the time of patching applications.')

SQL> Commit;

2. Retest the issue.

3. Migrate the solution as appropriate to other environments.

DO NOT delete any seeded data from any of seeded table. For example: 'APPSMGR' is a seeded application user and should not delete this record from the FND_USER table. Deletion of seeded records from any seeded table is not supported.

14. FNDCPASS Gives: APP-FND-01502: Cannot Encrypt Application ORACLE Password

APP-FND-01502: Cannot encrypt application ORACLE password
Application Object Library was unable encrypt your ORACLE password.
Action: Contact your support representative. (ORACLEUSER=APPS_SERV)

The table fnd_oracle_userid contain rows for schemas that does not exist. Those rows must be deleted
from the table.

To implement the solution, execute the following steps:

1. Execute the following select statement:

select * from fnd_oracle_userid
where oracle_username not in
(select username from all_users);

If this returns any rows, then delete them.

15. Why FNDCPASS Fails With ORA-01005 Using Underscore or Dollar Sign in Passwords?

To implement the solution, execute the following steps:

Using the Underscore ( _ ) or Dollar Sign ( $ ) as well as Parentheses ( ) and Comma ( , ) will cause the following error to be generated:

Routine AFPCSQ encountered an ORACLE error. ORA-01005: null password given; logon denied
Review your error messages for the cause of the error. (=<POINTER>)

Only alphanumeric characters should be for passwords. Bug 5239293 - UNABLE USE THE PUNCTUATION MARK IN FNDCPASS UTILITY has been logged to address using special characters such as the _, #, and $.

16. FNDCPASS-CANNOT DECRYPT For Some Users

Getting error messages like:

FNDCPASS-CANNOT DECRYPT (USER=CONCURRENT MANAGER)
FNDCPASS-CANNOT DECRYPT (USER=ANONYMOUS)
FNDCPASS-CANNOT DECRYPT (USER=APPLSYSPUB)

Patch (5846796) was created to fix the fnd_web_sec.validate_password to use the SIGNON_PASSWORD_CASE profile setting for establishing new password criteria.

According to Development Patch 5846796 will not be available standalone.

To implement the solution, execute the following steps:

1. Customers should apply 11i.ATG_PF.H.delta.6 (RUP 6) Patch 5903765 for this issue.

Workaround
The error messages should disappear setting the System Profile 'Password Case Option' to 'Insensitive'.

17. Database Links Are Invalid After Changing The Apps User Password With FNDCPASS

To implement the solution, execute the following steps:

1. Since changing the apps password all the db links should have the new APPS password. Please note that there is no need to run autoconfig each time FNDCPASS is run, only if changing any of the following users:

- APPS_MRC
- APPLSYSPUB
- PORTAL30 & PORTAL30_SSO (For Oracle Log in Server and Portal 3.0.9 with E-Business Suite 11i)

18. Is PASSWORD_VERIFY_FUNCTION Compatible with FNDCPASS in E-Business Suite?

To implement the solution, execute the following steps:

1. Log a service request requesting to attach it to the existing enhancement. Once this is done, the service request will be closed as it's unknown when the enhancement will be integrated into Applications.

2. Follow Enhancement Request: Bug 3363011.

19. ORA-29541 Unable to Change Password Using FNDCPASS Utility

Oracle error -29541: ORA-29541: class APPS.oracle/apps/fnd/security/WebSessionManagerProc could not be resolved has been detected in FND_WEB_SEC.VALIDATE_PASSWORD

To implement the solution, execute the following steps:

1. Unzip RDBMS $ORACE_HOME/rdbms/jlib/servlet.jar to a temporary location.

2. cd to the <temp location>/javax/servlet

loadjava -u sys/<syspwd> -v -f -r ServletRequest.class

3. cd to the <temp location>/javax/servlet/http

loadjava -u sys/<syspwd> -v -f -r HttpServletRequest.class

4. If the above load is successful, then try to compile the following java classes in this order:

/69cdcac5_URLTools
/9bcc02c9_GenericFileManager
/98ca471e_GenericFileManager
/7ef1f61b_AppsContext
/be1b2bb2_ErrorStack
/4cc59dc8_AppsException
/4f323587_DataVerificationExce
/b3e79110_HTTPData
/50e4719a_AolSecurity
/3906534f_WebSessionManagerProc

For example :
SQL> conn apps/apps
Connected.

SQL> alter java class "/69cdcac5_URLTools" resolve;

Java altered.

5. Retest the issue.

20. FNDCPASS Updates FND_USER.LAST_LOGON_DATE with SYSDATE

The FND_USER.LAST_LOGON_DATE table is getting reset with SYSDATE when FNDCPASS command is run to change the apps password on the database.

Changing APPS, APPLSYS and Oracle Apps schema passwords is updating FND_USER.LAST_LOGON_DATE for Application Users.

eg FNDCPASS apps/<pass> 0 Y system/<pass> SYSTEM APPLSYS <new pass>

To implement the solution, execute the following steps:

1. The official fix is included in RUP7 Patch 6241631.

As a workaround, please disable the trigger:

1. Connect to the apps schema using sqlplus.

2. Alter trigger FND_USER_RESET DISABLE;

21. Why aren't users forced to change/reset passwords during next login after running FNDCPASS?

This is expected functionality. FNDCPASS does not force the user to reset their passwords during the next log in. Users wanting to reset/change their passwords upon change should do so through the FNDSCAUS.fmb (Define User) form. When a password is changed in the Define User form, the user is forced to reset their password.

22. FNDCPASS Was Not Able to Decrypt Password for User 'ABC' During APPLSYS Password Change

When attempting to run command 'FNDCPASS apps/XXX 0 Y system/XXX SYSTEM APPLSYS XXX',
the following error occurs:

ERROR
-----------------------
FNDCPASS was not able to decrypt password for user 'GCC' during applsys password change.
FNDCPASS was not able to decrypt password for user 'APPS' during applsys password change.
FNDCPASS was not able to decrypt password for user 'APPLSYS' during applsys password change.

Debug line of code (fnd_preference.remove) was found in a sql script that ran during the upgrade process - patch/115/sql/afsecctx.sql. This causes the error message when run FNDCPASS to change APPS password after upgrading to 12.1.3 .

This is justified in Bug 8764069 - POST USERMIGRATE TO HASH PASSWORDS, AFTER 12.1 UPG, FNDCPASS FAILS DECRYPT

To implement the solution, execute the following steps:

1. Download and review the readme for Patch 8764069.

2. Apply Patch 8764069 in a test environment.

3. Confirm the following file versions:

<FND_TOP>/patch/115/sql/afsecctx.sql 120.3.12010000.2

You can use the commands like the following:

strings -a $FND_TOP/ patch/115/sql/afsecctx.sql | grep -i '$Header'

4. Retest the issue.

5. Migrate the solution as appropriate to other environments.

WORKAROUND

1. Change password of All Oracle Applications Users (FND_USER) according to Note 419475.1 Removing Credentials from a Cloned EBS Production Database.

2. Retest the issue.

23. FNDCPASS was not able to decrypt password for {User Name} during APPLSYS password change

The passwords were updated by a method other than the Define User form or FNDCPASS. This is NOT supported.

To implement the solution, execute the following steps:

Re-run FNDCPASS for the specific failed {User Name}.

Examples:

FNDCPASS apps/<pwd> 0 Y system/<passwrd> ORACLE GL <NEWPASSWORD>
FNDCPASS apps/<pwd> 0 Y system/<passwrd> USER JOEUSER <NEWPASSWORD>

24. APP-FND-01496 Results From FNDCPASS Chaning The APPLSYS password

AFTER manually using the 'alter user' in sqlplus the following error occurs in the log for every application user account:

ERROR
APP-FND-01496: Cannot access application ORACLE password
Cause: Application Object Library was unable access your ORACLE password.

The APPLSYS (APPS) password became corrupted using ALTER USER because an applications session was not maintained at the same time. This apps session is necessary to change the APPLSYS password in:
'Security> Oracle> Register' WHILE being in SQL*PLUS as the SYSTEM user.

The supported method is use of FNDCPASS.

To implement the solution, execute the following steps:

1. Restore the FND_ORACLE_USERID and FND_USER tables from a backup.

2. Then run FNDCPASS to change the APPLSYS password. Ex.

FNDCPASS apps/<apps password> 0 Y system/<system password> SYSTEM APPLSYS WELCOME

25. APP-FND-1238: Cannot set value for field :USER.ENCRYPTED_USER_PASSWORD

When attempting to change a user password, the error below is generated:

APP-FND-1238: Cannot set value for field :USER.ENCRYPTED_USER_PASSWORD.
Review your error messages (Help ->Diagnostics -> Display Database Error ...) to see the cause of the error.

Encrypted APPLSYS password was corrupted.

To implement the solution, execute the following steps:

Run FNDCPASS on the database tier and change the APPLSYS password to its original password value.

For example:

FNDCPASS apps/<password> 0 Y system/<password> SYSTEM APPLSYS <new password>
Ex: $FNDCPASS apps/<password> 0 Y system/<password> SYSTEM APPLSYS NEWPASSWORD

NOTE: Changing the APPLSYS password automatically changes the APPS password to match as these two must always agree.

26. FRM-40200 Changing Users Password With The System Administrator Responsibility

Unable to change a users password with the System Administrator responsibility. The password field is not accessible and the following message appears at the bottom of the window:

FRM-40200 Field is protected against update

The fnd_user.encrypted_user_password column = 'EXTERNAL'.

In FND_USER, if the fnd_user.encrypted_user_password column = 'EXTERNAL', then:

1. The Change Password menu entry should be disabled on the Forms menu.
2. The Password field should be disabled on the Users form.

This is expected behavior for the column being set to EXTERNAL.

To implement the solution, execute the following steps:

1. Use FNDCPASS to change the password as required.

Example: FNDCPASS apps/<password> 0 Y system/<password> USER VISION WELCOME

27. "Signon Password Failure Limit" Is Reached Unlocking Queries

Q1: A user account is locked after "Signon Password Failure Limit" is reached. Can it be unlocked without resetting the password?

Q2: After the account is locked because of "Signon Password Failure Limit", can it be automatically unlocked after 24hrs (or a set # of hrs)?

To implement the solution, execute the following step:

A1. No. To elaborate:
'Signon Password Failure Limit' invalidates the user account by updating the fnd_user encrypted password columns with value INVALID. In order to reinstate (unlock) the account these INVALID password values must be again populated with encrypted values. This ONLY happens when the password is reset.

A2. No. To elaborate:
There is no such automatic functionality within EBusiness Suite Apps to do this. The reinstatement (unlocking) of the application user account must be done by resetting the password which is done by the administrator either thru the FNDSCAUS (Security > User > Define) form or by FNDCPASS.

28. APP-FND-02704, APP-FND-01564, ORA-01403 changepassword Errors In Custom Schema

When attempting to modify a custom schema's (XXINT) password with FNDCPASS, the following error message occurred:

APP-FND-02704: Unable to alter user XXINT to change password.
APP-FND-01564: ORACLE error 1403 in changepassword
Cause: changepassword failed due to ORA-01403: no data found.

FND does not support case sensitive passwords for ORACLE accounts. FND expects database level passwords to be in uppercase. The SQL Reference manual, under Object Naming Rules, states that passwords can only contain alphanumeric characters from your database's character set and the characters _, $, and #.

Using $ and # is strongly discouraged.

When "Hard to Guess" functionality is activated, the password cannot contain repeating characters. (By repeating characters, it is meant *consecutively* repeating characters. Hence oracleo passes this criteria, while oraclee does not.) The ORACLE password is converted to all upper case internally and then "Hard to Guess" is validated, if enabled.

To implement the solution, execute the following step:

Only use single case (upper suggested) passwords for ORACLE passwords. If the "Hard to Guess" functionality is activated, verify that the selected password meets all the requirements.

29. FND Invalid Hash mode detected for user_id = &USERID When Changing Password

Occurs when:
1. Go to Navigator Menu Edit> Preference > Change Password.
2. Enter Old Password and New Password/Re-enter password.
3. Press OK Button.

This issue has been fixed in the file "fnd src/security fdspwd.lc" in version "115.33"
This is explained in the following bug:
BUG 7304220 - 1OFF:6658428:ATG RUP6:11.5.10.2:UNABLE TO RESET PASSWORD AFTER IMPLEMENTING NON-REVERSIBLE HASH PASSWD(FNDCPASS)

To implement the solution, execute the following step:

1. Download and review the readme and pre-requisites for Patch 7304220.
2. Ensure that you have taken a backup of your system before applying the recommended patch.
3. Apply the patch in a test environment.
4. Please log a Service Request for support to post you the password.
5. Retest the issue.
6. Migrate the solution as appropriate to other environments.

WORKAROUNDS

1. a. The SSWA/Framework Preferences page.
b. Security > Define > User form.

OR

2. FNDCPASS apps/<password> 0 Y system/<password> USER <username> <password>.

30. After 12.1.3 Upgrade FNDCPASS Fails: Was Not Able To Decrypt Password For User 'Username' During Applsys Password Change

SymptomsIn 12.1.3, When attempting to change password using FNDCPASS the following error is encountered. Another symptom could be, FNDCPASS fails with Unable to connect as applsys.

FNDCPASS apps/<apps_passwd> 0 Y system/manager SYSTEM APPLSYS <New Passwd>

ERROR
FNDCPASS was not able to decrypt password for user 'EDWREP' during applsys password change.
FNDCPASS was not able to decrypt password for user 'CTXSYS' during applsys password change.
FNDCPASS was not able to decrypt password for user 'PORTAL30_SSO' during applsys password change.
FNDCPASS was not able to decrypt password for user 'PORTAL30' during applsys password change.
FNDCPASS was not able to decrypt password for user 'XNB' during applsys password change.
FNDCPASS was not able to decrypt password for user 'ZFA' during applsys password change.
FNDCPASS was not able to decrypt password for user 'ZSA' during applsys password change.
FNDCPASS was not able to decrypt password for user 'APPS' during applsys password change.
FNDCPASS was not able to decrypt password for user 'APPLSYS' during applsys password change.

Cause
The cause of this problem has been identified and verified in an unpublished Bug 11845888. After upgrade to 12.1.3, apply the Patch 11845888 before changing the password to avoid these problems. This fixes the issues in FNDCPASS and issues with username length.

To implement the solution, execute the following steps:

1. Download and review the readme and pre-requisites for Patch 11845888.

2. Ensure that you have taken a backup of your system before applying the recommended patch.

3. Apply the patch in a test environment.

4. Confirm the following file versions

afspwd.o 120.5.12010000.8
fdscpwd.o 120.24.12010000.8

You can use the commands like the following:

strings -a $FND_TOP/bin/FNDCPASS | grep afspwd
strings -a $FND_TOP/bin/FNDCPASS | grep fdscpwd

5. Retest the issue and migrate to appropriate environments.

After the Patch is applied, the following errors might still occur.The below messages can be ignored. Those are oracle seeded users to be used by the FNDLOAD. They do not have login capabilities, So it is normal that they are shown in the FNDCPASS log files.

FNDCPASS was not able to decrypt password for user 'INDUSTRY DATA' during applsys password change.
FNDCPASS was not able to decrypt password for user 'ORACLE12.0.0' during applsys password change.
FNDCPASS was not able to decrypt password for user 'ORACLE12.1.0' during applsys password change.
FNDCPASS was not able to decrypt password for user 'ORACLE12.2.0' during applsys password change.
FNDCPASS was not able to decrypt password for user 'ORACLE12.3.0' during applsys password change.
FNDCPASS was not able to decrypt password for user 'ORACLE12.4.0' during applsys password change.
FNDCPASS was not able to decrypt password for user 'ORACLE12.5.0' during applsys password change.
FNDCPASS was not able to decrypt password for user 'ORACLE12.6.0' during applsys password change.
FNDCPASS was not able to decrypt password for user 'ORACLE12.7.0' during applsys password change.
FNDCPASS was not able to decrypt password for user 'ORACLE12.8.0' during applsys password change.
FNDCPASS was not able to decrypt password for user 'ORACLE12.9.0' during applsys password change.

12.0 customers can apply equivalent Patch 11854373

31. APP-FND-01564: ORACLE error 6502 in changepassword

When attempting to run FNDCPASS, the following error occurs.

ERROR
-----------------------
FNDCPASS apps/pwd 0 Y system/pwd USER sysadmin pwd

Current system time is 25-JUN-2012 01:42:24
+---------------------------------------------------------------------------+

APP-FND-01564: ORACLE error 6502 in changepassword

Cause: changepassword failed due to ORA-06502: PL/SQL: numeric or value error: character string buffer too small
ORA-06512: at "APPS.FND_WEB_SEC", line 1372
ORA-06512: at line 1.

The SQL statement being executed at the time of the error was: begin :r := fnd_web_sec.change_password(:u,:p); end; and was executed from the file &ERRFILE.

The likely cause for this error is that the profile option value for 'SIGNON_PASSWORD_CASE' is wrongly set to INSENSITIVE , it should be set to value 1. Possible values are : INSENSITIVE - 1 and SENSITIVE - 2.

To check the value of this profile option do the followiing:

1. SQL> select profile_option_id,application_id from fnd_profile_options where profile_option_name='SIGNON_PASSWORD_CASE';
Then from the profile_option_id returned

2.SQL> select profile_option_value,level_id,level_value from fnd_profile_option_values
where profile_option_id=[VALUE RETURNED FROM ABOVE QUERY] and application_id=0;

If PROFILE_OPTION_VALUE returned is INSENSITIVE (-1), then execute the following steps:

1. Declare
value Boolean;
Begin
value := FND_PROFILE.SAVE('SIGNON_PASSWORD_CASE', '1', 'SITE');
End;

2. Retry the fndcpass

32. Unable To Change APPLSYS Password Using FNDCPASS In Applications 12.1.3

Patch 11845888 delivers a new option that the customer can control whether or not they want to perform the invalid-check. The OS variable: FND_CHECK_INVALID was created to activate/inactivate this new functionality. That is when one runs the FNDCPASS those records are marked, so the program will not process the invalid-records again, meaning the next time that FNDCPASS runs it will not show those records in the report.

To Activate the option set the environment variable before running FNDCPASS:

export FND_CHECK_INVALID=TRUE

To Inactivate the option Unset the environment variable before running FNDCPASS:

export FND_CHECK_INVALID=FALSE

OR

Comment it out # or unset FND_CHECK_INVALID.

33. AFPASSWD Relink Fails While Applying R12 Patch With Error Undefined Reference To `iifgcg'

On Oracle Applications 12.1.3,
when applying R12.1 patches relinking AFPASSWD, the following error occurs:

Relinking module 'AFPASSWD' in product fnd ...
12362384/fnd/lib/afpsslbm.c:(.text+0x51c): multiple definition of `ShowUsage'
APPL_TOP/fnd/12.0.0/lib/afpasswd.o:8974458/fnd/lib/a
fpasswd.c:(.text+0x0): first defined here
APPL_TOP/fnd/12.0.0/lib/libfnd.a(afwaol.o): In
function `afwtogi':
5069629/fnd/src/sqf/afwaol.c:(.text+0x11): undefined reference to `iifgcg'
5069629/fnd/src/sqf/afwaol.c:(.text+0x56): undefined reference to `iifwru'
APPL_TOP/fnd/12.0.0/lib/libfnd.a(afwaol.o): In
function `afwfmdi':
5069629/fnd/src/sqf/afwaol.c:(.text+0x91): undefined reference to `iifgcg'
5069629/fnd/src/wnd/afwdev.c:(.text+0xbe3): undefined reference to `uigrsw'
5069629/fnd/src/wnd/afwdev.c:(.text+0xbfe): undefined reference to `uioarc'
5069629/fnd/src/wnd/afwdev.c:(.text+0xc21): undefined reference to `uigrsa'
...
5069629/fnd/src/wnd/afwdev.c:(.text+0x3768): undefined reference to `uioim'
collect2: ld returned 1 exit status
make: *** [/APPL_TOP/fnd/12.0.0/bin/AFPASSWD] Error 1
Done with link of fnd executable 'AFPASSWD' on Wed Oct 3 15:52:12 EDT 2012

Cause
The issue is caused by the following setup :
Incorrect version of file afwdev.c

This cause is outlined in the following notes/bugs :
Bug 13954129 - INCOMPLETE INFORMATION SHOWN IN DELIVERY TO SCREEN IF SUBMIT REQUEST BY COPYING

This can occur for other R12.1 patches needing to relink AFPASSWD.

Solution
1. Ensure that you have taken a backup of your environment.
2. Download and review the readme of Patch 13855823.
3. Apply the patch in a test instance and retest the issue.
4. Migrate the solution as appropriate to other environments.

How to change the APPLSYSPUB password

NOTE: s_gwyuid_pass needs to be changed when changing APPLSYSPUB password.

1. Update s_gwyuid_pass through OAM with the new APPLSYSPUB password.
2. Stop applications.
3. Change the APPLSYSPUB password using FNDCPASS.
4. Run autoconfig.
5. Start Applications

Diagnostics & Utilities Community:

Diagnostics
Please access the EbusinessSecurity section on security diagnostics for the latest releases as reflected in Document 421245.1 E-Business Suite Diagnostics References for R12.
Utilities Community
Visit the Utilities community for help from industry experts or to share knowledge.

BUG:12985552 - FNDCPASS WAS NOT ABLE TO DECRYPT PASSWORD FOR USER 'USERNAME' DURING APPLSYS PAS

NOTE:761567.1 - Oracle E-Business Suite Installation and Upgrade Notes Release 12 (12.1.1) for Microsoft Windows Server (32-bit)
NOTE:461904.1 - Can the ABM Schema and EAA Schema and Objects Be Dropped in R12?
BUG:8764069 - POST USERMIGRATE TO HASH PASSWORDS, AFTER 12.1 UPG, FNDCPASS FAILS DECRYPT

NOTE:362203.1 - Oracle Applications Release 11i with Oracle 10g Release 2 (10.2.0)

Monday, August 19, 2019

FNDCPASS Troubleshooting Guide For Login and Changing Applications Passwords (Doc ID 1306938.1)