In this Document
Oracle Application Object Library - Version 12.1.3 to 12.1.3 [Release 12.1]
Information in this document applies to any platform.
It is ideal to complete this process as soon as possible after the database data files have been copied. At a minimum it should be completed before the database is turned over to any party less trusted than the Production database DBA team.
This document describes the steps required to remove the Production EBS database credentials, such as database user (schema) password hashes and encrypted passwords. Additionally information is provided about how to reestablish credentials in the cloned copy so that the clone may be used for functional, performance or patch application testing.
Steps from this paper should be incorporated into your database cloning process and procedures.
Create Date 14-Mar-2007
Update Date 11-JUL-2011
Expire Date
The following sequence of steps will remove production account credentials from the cloned copy of the production database and reestablish new credentials in the cloned copy. All of the new accounts on the clone target will have the password "clone".
All application tier processes must be stopped during this procedure.
$ export ORACLE_SID=<sid>
$ export ORACLE_HOME=<db-oraclehome>
$ export PATH=$ORACLE_HOME/bin
$ unset TWO_TASK
To clear all credentials in the cloned copy of a Production database, create and execute the following 3 SQL scripts:
At this point, the cloned copy of the database is free from Production credentials. The database was shut down by the script in order for the unusual way of clearing the database user (schema) passwords to take effect. You will need to restart the cloned copy of the database in preparation for steps 2, 3 and 4:
Here is the script for step 2, including inline comments which explains what is done.
The expected output from step 2 is as follows:
Now we have completed establishing a set of bootstrap EBS credentials in the database.
The comments in script below explains what is done in step 3.
NOTE: The script above calls the UNIX command "grep" to extract 2 sets of lines from the step3.lst spool file. If you are running Windows, the shell redirection will fail when attempted from within sqlplus. You can perform the failed step by going to a command prompt (using the HOST command from sqlplus). If you have your MKS environment set, then you can use the "grep" syntax or alternatively you can use the below syntax from a Windows command (cmd.exe) prompt.
Sample content of "dbusers4.sql" listed below for illustration purposes only, you must run the one you generated on your system.
Now run the "dbusers4.sql" file:
The output spool file should show many output lines stating "User altered.". No error messages (ORA-nnnnn) should appear.
At this point, the database should be started and running. Stop and restart the database at this time. To ensure that the application tier code can access the database for Step 5, you must also ensure that the database TNS-listener service is running.
You will need to locate and copy the "dbusers5.sh" script from the directory where it was created in Step 3. Again, as with any dynamcially generated scripts that you run on your system, you should review the contents of the file before running it.
To run "FNDCPASS" you also need a number of environment variables set, at a minimum ensure that:
The following is sample content of a "dbusers5.sh" file is listed below for illustration purposes only, run the one you generated on your system.
To verify that you have assigned passwords to all the database users, run the following query and ensure that it does not return any rows:
This concludes the clearing and re-establishment of account credentials from a cloned database. Please see the following 2 steps "Additional Steps" and "Running Autoconfig" before attempting to use the system.
You may also wish to change the passwords to something other than "clone". You can use modified versions of the scripts in this note and you should reference the security best practices document for advice on changing passwords for an E-Business Suite system, see the References section below.
Prior to running AutoConfig ensure that the AutoConfig Context file contains the new "GUEST" password (Context variable "s_guest_pass") and the new password for "APPLSYSPUB" (Context variable "s_gwyuid_pass").
NOTE:230672.1 - Cloning Oracle Applications Release 11i with Rapid Clone
NOTE:165195.1 - Using AutoConfig to Manage System Configurations with Oracle Applications 11i
NOTE:387859.1 - Using AutoConfig to Manage System Configurations in Oracle E-Business Suite Release 12
NOTE:394448.1 - Getting Started with the Application Management Pack for Oracle E-Business Suite (Releases 2.0.0-2.0.2)
NOTE:403537.1 - Secure Configuration for Oracle E-Business Suite Release 12.1
NOTE:406982.1 - Cloning Oracle Applications Release 12 with Rapid Clone
PATCH:4745998
Abstract |
History |
Details |
Step 1 - Clear All Credentials |
Step 2 - Re-establish Bootstrap Credentials |
Step 3 - Prepare Scripts for Setting Additional Passwords |
Step 4 - Assign New Passwords to All Schemas Not Managed with EBS |
Step 5 - Assign New Passwords to All Schemas Managed with EBS |
Additional Steps |
Running AutoConfig |
References |
Applies to:
Oracle Applications Manager - Version 11.5.9 to 12 [Release 11.5 to 1.2]Oracle Application Object Library - Version 12.1.3 to 12.1.3 [Release 12.1]
Information in this document applies to any platform.
Abstract
When cloning a Production database in Oracle E-Business Suite (EBS) it is a best practice to remove all Production account credentials in the cloned copy of the database. This will help to prevent retrieval of Production credentials, which could be used to compromise the security and integrity of the Production database.It is ideal to complete this process as soon as possible after the database data files have been copied. At a minimum it should be completed before the database is turned over to any party less trusted than the Production database DBA team.
This document describes the steps required to remove the Production EBS database credentials, such as database user (schema) password hashes and encrypted passwords. Additionally information is provided about how to reestablish credentials in the cloned copy so that the clone may be used for functional, performance or patch application testing.
Steps from this paper should be incorporated into your database cloning process and procedures.
History
Author :Create Date 14-Mar-2007
Update Date 11-JUL-2011
Expire Date
Details
The steps outlined in this White Paper will:- Help to ensure that Production credentials are not retrievable from a cloned copy of an EBS Production database.
- Boot strap the cloned copy with enough "clone credentials" that it may be used for testing.
NOTE: In the examples below the data represents a fictitious sample (based upon made up data used in the Oracle Demo Vision instance). Any similarity to actual persons, living or dead, is purely coincidental and not intended in any manner.
The following sequence of steps will remove production account credentials from the cloned copy of the production database and reestablish new credentials in the cloned copy. All of the new accounts on the clone target will have the password "clone".
- Step 1 - Clear all credentials
- Step 2 - Re-establish basic accounts (for runtime: SYS,SYSTEM,APPLSYSPUB,APPLSYS,APPS + GUEST,SYSADMIN)
- Step 3 - Prepare scripts for setting additional passwords
- Step 4 - Assign new passwords to all database users not managed with EBS
- Step 5 - Assign new passwords to all database users managed with EBS
- Optional additional steps
All application tier processes must be stopped during this procedure.
Step 1 - Clear All Credentials
To clear all credentials on a target clone of a production database you must establish a shell environment with sufficient Oracle environment variables to successfully start "sqlplus" via the "BEQ" (bequeth) driver. If Rapid Clone has been completed successfully, then each Oracle Home should have a <SID>.env file. However, in the event you need to set the environment manually, here are the minimal environment settings:$ export ORACLE_SID=<sid>
$ export ORACLE_HOME=<db-oraclehome>
$ export PATH=$ORACLE_HOME/bin
$ unset TWO_TASK
oracle$ sqlplus '/ as sysdba'
To clear all credentials in the cloned copy of a Production database, create and execute the following 3 SQL scripts:
REM --- step1.sql spool step1.lst REM Start the database clone for the first time startup restrict REM Clear all production credentials from the cloned database update SYS.user$ set password = translate(password,'0123456789ABCDEF','0000000000000000') where type#=1 and length(password) = 16 / update APPLSYS.FND_ORACLE_USERID set ENCRYPTED_ORACLE_PASSWORD='INVALID' / update APPLSYS.FND_USER set ENCRYPTED_FOUNDATION_PASSWORD='INVALID', ENCRYPTED_USER_PASSWORD='INVALID' / commit; REM Shutdown the database shutdown exit REM end of script
oracle$ echo startup | sqlplus '/ as sysdba'
Step 2 - Re-establish Bootstrap Credentials
The database at the moment has no credentials. Now log on as "SYS" with operation system authentication. This will allow you to establish new credentials.oracle$ sqlplus '/ as sysdba'
REM --- step2.sql spool step2.lst REM Set a new password for a few initial database users alter user SYS identified by CLONE; alter user SYSTEM identified by CLONE; alter user APPLSYSPUB identified by CLONE; alter user APPLSYS identified by CLONE; alter user APPS identified by CLONE; REM Provide boot-strap info for FNDCPASS... update APPLSYS.FND_ORACLE_USERID set ENCRYPTED_ORACLE_PASSWORD='CLONE' where ORACLE_USERNAME = 'APPLSYSPUB' / update APPLSYS.FND_ORACLE_USERID set ENCRYPTED_ORACLE_PASSWORD='ZG' || 'B27F16B88242CE980EF07605EF528F9391899B09552FD89FD' || 'FF43E4DDFCE3972322A41FBB4DDC26DDA46A446582307D412' where ORACLE_USERNAME = 'APPLSYS' / update APPLSYS.FND_ORACLE_USERID set ENCRYPTED_ORACLE_PASSWORD='ZG' || '6CC0BB082FF7E0078859960E852F8D123C487C024C825C0F9' || 'B1D0863422026EA41A6B2B5702E2299B4AC19E6C1C23333F0' where ORACLE_USERNAME = 'APPS' / commit; REM We run as SYS, now connect as APPS to run some plsql connect APPS/CLONE REM Every EBS database needs a GUEST user select APPS.fnd_web_sec.change_guest_password( 'CLONE', 'CLONE' ) "RES" from dual; commit; REM Set GUEST credential in site level profile option set serveroutput on declare dummy boolean; begin dummy := APPS.FND_PROFILE.SAVE('GUEST_USER_PWD', 'GUEST/CLONE', 'SITE'); if not dummy then dbms_output.put_line( 'Error setting GUEST_USER_PWD profile' ); end if; end; / commit; REM One more time for luck (avoid session caching of profiles) connect APPS/CLONE REM Set SYSADMIN password select APPS.fnd_web_sec.change_password('SYSADMIN','CLONE') "RES" from dual; commit; exit
The expected output from step 2 is as follows:
User altered. User altered. User altered. User altered. User altered. 1 row updated. 1 row updated. 1 row updated. Commit complete. Connected. RES ------ Y Commit complete. PL/SQL procedure successfully completed. Commit complete. Connected. RES ------ Y Commit complete.
It is important to verify that no errors are reported and that the 2 returned "RES" values are both "Y", which indicates success.
ATTENTION :
It has been identified, that some Customers running into an error for the SQL PLus command
select APPS.fnd_web_sec.change_password('SYSADMIN','CLONE') "RES" from dual;
In this case, please check Note 1350776.1 for the solution, before your are going ahead with the next steps !
Now we have completed establishing a set of bootstrap EBS credentials in the database.
Step 3 - Prepare Scripts for Setting Additional Passwords
In this step scripts are prepared to assign passwords to the other database users which were disabled in Step 1. Dynamically generated scripts are used to accomplish this because the set of database users may differ between instances of EBS. Create the script below and run it as the Operating System user "oracle":$ sqlplus '/ as sysdba'
The comments in script below explains what is done in step 3.
REM --- step3.sql REM Prepare SQL and SHELL scripts to set more passwords later spool step3.lst REM Generate a sql script to set password for db users not managed with EBS select 'alter user "'|| USERNAME ||'" identified by CLONE; ' from SYS.DBA_USERS where USERNAME not in (select ORACLE_USERNAME from APPLSYS.FND_ORACLE_USERID) and USERNAME not in ('SYS','SYSTEM'); REM Generate a shell script to set password for all base product schemas select 'FNDCPASS apps/clone 0 Y system/clone ALLORACLE clone' from dual; REM Generate a shell script to set password for non-EBS db users managed with EBS select 'FNDCPASS apps/clone 0 Y system/clone ORACLE "' || replace(ORACLE_USERNAME,'$','\$') || '" clone' from APPLSYS.FND_ORACLE_USERID where READ_ONLY_FLAG = 'X' and ORACLE_USERNAME in (select USERNAME from SYS.DBA_USERS); REM Generate a shell script to set password for APPS/APPLSYS/APPM_mrc db users select 'FNDCPASS apps/clone 0 Y system/clone SYSTEM APPLSYS clone' from dual; REM Generate scripts for steps 4 & 5 spool off HOST grep '^alter user ' step3.lst > dbusers4.sql HOST grep '^FNDCPASS ' step3.lst > dbusers5.sh exit REM End of Script
# alternative commands for extracting sql and shell commands from step3.lst C:\ORACLE\Clone> findstr "^alter user " step3.lst > dbusers4.sql C:\ORACLE\Clone> findstr "^FNDCPASS " step3.lst > dbusers5.cmd
Step 4 - Assign New Passwords to All Schemas Not Managed with EBS
This Step runs the SQL script, "dbusers4.sql", generated in Step 3.Sample content of "dbusers4.sql" listed below for illustration purposes only, you must run the one you generated on your system.
NOTE: "dbusers4.sql", for example purposes only!alter user "OLAPSYS" identified by CLONE; ... alter user "MDSYS" identified by CLONE; alter user "ORDPLUGINS" identified by CLONE; alter user "ORDSYS" identified by CLONE; alter user "DBSNMP" identified by CLONE; alter user "OUTLN" identified by CLONE; alter user "AD_MONITOR" identified by CLONE; alter user "EM_MONITOR" identified by CLONE;
Note: Prior to running your script, you should review the contents of the script for any obvious problems or syntax errors- this is good advice for any dynamically-created SQL scripts.
Connect as "SYSDBA":$ sqlplus "/ as sysdba"
Now run the "dbusers4.sql" file:
SQL> spool step4.lst
SQL> start dbusers4.sql
SQL> exit
SQL> start dbusers4.sql
SQL> exit
The output spool file should show many output lines stating "User altered.". No error messages (ORA-nnnnn) should appear.
At this point, the database should be started and running. Stop and restart the database at this time. To ensure that the application tier code can access the database for Step 5, you must also ensure that the database TNS-listener service is running.
$ echo shutdown | sqlplus "/ as sysdba" $ echo startup | sqlplus "/ as sysdba" $ lsnrctl start <listener_name>
Step 5 - Assign New Passwords to All Schemas Managed with EBS
This step uses the "FNDCPASS" command to set the passwords for all the EBS managed schemas and all the base product schemas. The "FNDCPASS" must be run from an application tier node.(Any node with an APPL_TOP file system.)You will need to locate and copy the "dbusers5.sh" script from the directory where it was created in Step 3. Again, as with any dynamcially generated scripts that you run on your system, you should review the contents of the file before running it.
Note for Windows users: In the unlikely event that any of the usernames contain the dollar sign "$" it has been escaped by prefixing it by a backslash "\"; on Windows the backslash should be removed.
To run "FNDCPASS" you also need a number of environment variables set, at a minimum ensure that:
- "FNDCPASS" is in the "$PATH" ("$ which FNDCPASS" will tell you if it is.)
- The "ORACLE_HOME" environment variable points to the "Tools" ORACLE_HOME (8.0.6 on 11i, 10.1.2 on R12)
- The "TWO_TASK" environment variable is set to a value that can be resolved via the "$TNS_ADMIN/tnsnames.ora file", in order to access the clone target database.
# Verify that the Oracle client environment is set to correct database (as "applmgr" OS user) applmgr$ sqlplus -s apps/clone <<EOF select SYSDATE,NAME from v\$DATABASE; EOF SYSDATE NAME --------- --------- 25-JUL-07 PRD12 applmgr$ mkdir ~/s5 ; cd ~/s5 # create new directory to hold output files applmgr$ sh dbusers5.sh # Run the FNDCPASS shell script
The following is sample content of a "dbusers5.sh" file is listed below for illustration purposes only, run the one you generated on your system.
Each run of "FNDCPASS" will generate output an output/log file in the current working directory, you should review these log files (example "L2763902.log") for errors.NOTE: This "dbusers5.sh" is for example only!
FNDCPASS apps/clone 0 Y system/clone ALLORACLE clone FNDCPASS apps/clone 0 Y system/clone ORACLE "OWAPUB" clone FNDCPASS apps/clone 0 Y system/clone ORACLE "ODM" clone FNDCPASS apps/clone 0 Y system/clone ORACLE "CTXSYS" clone FNDCPASS apps/clone 0 Y system/clone SYSTEM APPLSYS clone
NOTE: If your version of the "FNDCPASS" utility does not support the "ALLORACLE" mode, see "Q5" in the "Discussion" section below.
To verify that you have assigned passwords to all the database users, run the following query and ensure that it does not return any rows:
SQL> select USERNAME,PASSWORD from DBA_USERS where PASSWORD='0000000000000000';
This concludes the clearing and re-establishment of account credentials from a cloned database. Please see the following 2 steps "Additional Steps" and "Running Autoconfig" before attempting to use the system.
Additional Steps
What remains to be done is to set new passwords for additional applications users or the creation of new test users, depending on your needs. Changing passwords for applications users can be done using the "Define User" form (logged on as "SYSADMIN/CLONE") or by running "FNDCPASS" with the below syntax from an "applmgr" applications shell environment.applmgr$ FNDCPASS apps/clone 0 Y system/clone USER <username> <password>
Running AutoConfig
Before you can actually start and access the cloned EBS system from the Application, a number of other configuration items, such as system Profile Options, most likely need to be changed in the cloned environment. Items to change typically include:- IP addresses, hostnames and port numbers
- Profiles containing hostnames and port numbers
- Web interface URLs
- Hostnames of external services (mail, print, SSO)
Prior to running AutoConfig ensure that the AutoConfig Context file contains the new "GUEST" password (Context variable "s_guest_pass") and the new password for "APPLSYSPUB" (Context variable "s_gwyuid_pass").
Password for Context Variable New Value APPLSYSPUB s_gwyuid_pass CLONE GUEST s_guest_pass CLONE
References
NOTE:189367.1 - Secure Configuration Guide for Oracle E-Business Suite 11iNOTE:230672.1 - Cloning Oracle Applications Release 11i with Rapid Clone
NOTE:165195.1 - Using AutoConfig to Manage System Configurations with Oracle Applications 11i
NOTE:387859.1 - Using AutoConfig to Manage System Configurations in Oracle E-Business Suite Release 12
NOTE:394448.1 - Getting Started with the Application Management Pack for Oracle E-Business Suite (Releases 2.0.0-2.0.2)
NOTE:403537.1 - Secure Configuration for Oracle E-Business Suite Release 12.1
NOTE:406982.1 - Cloning Oracle Applications Release 12 with Rapid Clone
PATCH:4745998
No comments:
Post a Comment