Friday, April 12, 2024

Oracle E-Business Suite Release 12.2 System Schema Migration

In This Document

Section 1: Overview of the EBS System Schema

The Release 12.2 database architecture has been modernized by adoption of the Oracle E-Business Suite System Schema, EBS_SYSTEM. Prior to the introduction of the EBS_SYSTEM schema, Oracle E-Business Suite installed application objects in the Oracle Database SYS and SYSTEM schemas. Migration to the EBS System Schema obviates the need for any EBS-owned objects to reside in the SYS or SYSTEM schemas.

Key characteristics of the EBS System Schema include:

  • Creation of the EBS_SYSTEM schema and associated grant management is performed as follows:
    1. Creation of the EBS_SYSTEM schema and is performed by SYS running the adgrants.sql script (supplying the APPS account as the parameter) before applying the AD-TXK Delta 13 (or later) RUPs.
    2. Grants required by the APPS account are run automatically by the AD-TXK Delta 13 (or later) RUP installation process.
  • All EBS database objects that currently reside in the SYS or SYSTEM schemas are migrated to appropriate Oracle E-Business Suite schemas. Depending upon the EBS object type and function, the object is migrated to EBS_SYSTEMAPPS, or APPS_NE.

  • All Oracle E-Business Suite administration actions (such as running adop, adadmin and other utilities) are now performed by EBS_SYSTEM.

  • Access to the Oracle database SYS and SYSTEM and the Oracle database server operating system is no longer required for Oracle E-Business Suite system administrative functions.

  • If any grants need to be fixed after the AD-TXK Delta 13 (or later) RUPs are applied, refer to My Oracle Support Knowledge Document 2758993.1Managing Database Privileges in Oracle E-Business Suite Release 12.2 (Running adgrants.sql).

Key benefits of migrating to the EBS System Schema include support for the following features:

  • Public Oracle Database APIs
  • Least Privileges Model for database object access
  • Separation of Duties for administrators
  • Database service names for application tier database connections
  • Oracle Database Unified Auditing
  • Easier interoperability across Oracle Database releases

Diagram 1 - The modernized Oracle E-Business Suite database and its key features.

Modernized EBS Database

Each of these will be discussed in the subsections below. Be aware that numbering of the subsections is for ease of reference only, and is not intended to reflect any set order of importance.

1.1 Public Oracle Database APIs

As part of the Oracle E-Business Suite System Schema Migration, all Oracle E-Business Suite code is updated to map to public Oracle database dictionary objects and APIs. Utilizing public Oracle database APIs provides further capability to lock down EBS runtime accounts.

1.2 Least Privileges Model for Database Object Access

With the migration to the EBS_SYSTEM schema and usage of public Oracle Database APIs, runtime accounts may be constrained even further. As part of this feature, unnecessary privileges are revoked from Oracle E-Business Suite application accounts.

1.3 Separation of Duties for Administrators

Migration to the EBS_SYSTEM schema makes it possible to separate the role of the Oracle E-Business Suite system administrators from database administrators. All Oracle E-Business Suite administration actions (such as running adop, adadmin, and other utilities) will now prompt for the EBS_SYSTEM password instead of the SYSTEM password. Highly privileged operations that were previously run by the SYS or SYSTEM accounts are now run by EBS_SYSTEM.

Access to the Oracle database SYS and SYSTEM and the Oracle database server operating system is no longer required for Oracle E-Business Suite system administration functions. Database patching may be performed by the Oracle database administrator, and Oracle E-Business Suite patching may be performed by the Oracle E-Business Suite system administrator or applications database administrator (DBA).

The passwords for EBS_SYSTEM and SYSTEM must match until after the Completion Patch is successfully applied. Once the Completion Patch has been successfully applied, the password for EBS_SYSTEM should be changed to be different from the SYSTEM schema password.

1.4 Database Service Names for Application Tier Database Connections

As part of modernizing the Oracle E-Business Suite, connections from the Oracle E-Business Suite application tier to the Oracle E-Business Suite database are now performed using database service names.

1.5 Support for Oracle Database Unified Auditing

Once all requirements are met, Oracle E-Business Suite customers are now able to utilize Unified Auditing, the latest method for auditing an Oracle Database. With Unified Auditing, audit data is combined into a single audit trail.  A new schema, AUDSYS, is used for storing the Unified Audit Trail. Separation of duties is achieved with multiple database roles to audit configuration and view the audit data.

For additional information, refer to My Oracle Support Knowledge Document 2777404.1Enabling Unified Auditing in Oracle E-Business Suite Release 12.2 with Oracle Database 19c or 12c.

1.6 Streamline Database Directory Objects

Following migration to EBS System Schema (EBS_SYSTEM), the APPS schema will no longer have the ability to create database directory objects. Database directory objects are now created by the EBS_SYSTEM user.

The following four standard new database directory objects are created with the privileges shown:

Object NamePrivileges
EBS_LOG

Read/Write

EBS_TEMPRead/Write
EBS_INBOUNDRead
EBS_OUTBOUNDWrite

By default, the database directory objects are mapped to a temporary directory in the $ORACLE_HOME on the database tier file system. If a large number of files are written to this directory, your $ORACLE_HOME database tier file system may reach capacity: it is therefore recommended that you instead map the database directory objects to a secure location in a separate mount point from your $ORACLE_HOMEdatabase tier file system. For more information, refer to the Oracle Database documentation for your specific database release.

1.7 Interoperabilty Across Oracle Database Releases

Oracle E-Business Suite uptake of database releases will be made easier by EBS only referencing public database views and APIs.

Section 2: Requirements for Using the EBS System Schema

2.1 Prerequisites

To use the EBS System Schema, you need to be on Oracle E-Business Suite Release 12.2.3 or later.

2.2 Mandatory Patches and Steps

You must have available the following release update packs (RUPs) and other patches, ready to apply below in Section 3, in the order shown here.

  1. AD and TXK Delta 13 (or later) — Support for EBS System Schema Migration was introduced in the Oracle Applications DBA (AD) and Oracle E-Business Suite Technology Stack (TXK) Delta 13 release update packs. Earlier releases of AD and TXK included database objects owned by AD or TXK that resided in the Oracle Database SYS or SYSTEM schemas, and also included references to private Oracle database SYS or SYSTEM objects.

    With AD and TXK Delta 13 (or later), EBS database objects are migrated from SYS and SYSTEM into the EBS_SYSTEMAPPS, or APPS_NE schemas.  All relevant object references are updated to point to the migrated objects in the APPS or APPS_NE schemas.

    AD and TXK Delta 13 (or later) also update all code that previously referenced private Oracle Database SYS and SYSTEM objects, to reference Oracle Database approved public objects or public APIs instead.

  2. EBS Release 12.2.11 (or later), or EBS Releases 12.2.3 to 12.2.10 plus EBS System Schema Migration Consolidated Patch — Oracle E-Business Suite Releases 12.2.3 to 12.2.10 include EBS-owned database objects that reside in the database SYS or SYSTEM schemas, or reference database SYS or SYSTEM objects. The EBS System Schema Migration Consolidated Patch (also referred to as the Consolidated Patch) migrates these objects to the appropriate EBS schemas. Note that EBS Release 12.2.11 (and later) include the Consolidated Patch.

    Note: Oracle E-Business Suite Release 12.2.11 (and later) do not install EBS objects in the SYS or SYSTEM schemas, and therefore do not require the EBS System Schema Migration Consolidated Patch.

  3. Before proceeding with application of the final patch in Step 4, you must update any customizations that have been identified with mandatory compliance requirements. For guidance, refer to My Oracle Support Knowledge Document 1577661.1Developing and Deploying Customizations in Oracle E-Business Suite Release 12.2.

  4. EBS System Schema Migration Completion Patch — Although it is possible to apply AD-TXK Delta 13 and the EBS System Schema Migration Consolidated Patch without applying the EBS System Schema Migration Completion Patch immediately afterwards, the migration is not finished until the Completion Patch has been applied. This patch drops AD, TXK, and EBS product code in the database SYS or SYSTEM schemas, and removes any final restricted references to database SYS or SYSTEM objects.

    Prior to applying the Completion Patch, you must apply the following prerequisite patches:
    • AD-TXK Delta 13 (or later)
    • Either the EBS Release 12.2.11 (or later) RUP or the EBS System Schema Migration Consolidated Patch

    The Completion Patch will fail to apply if you do not apply these patches first.

    Diagram 2 - The four major requirements for EBS System Schema Migration.

    Note: The principles shown in the diagram also apply to AD and TXK RUPs later than Delta 13.


    Requirements to Complete System Schema Migration

    Note: Until the Oracle E-Business Suite System Schema Migration Completion Patch (also referred to as the Completion Patch) has been applied, the EBS_SYSTEM and Oracle Database SYSTEM schema passwords must be identical. This requirement is for backward compatibility, until all EBS code has been migrated from the SYS or SYSTEM schemas. Diagram 3 depicts when the EBS_SYSTEM and SYSTEM passwords must be identical.

    Diagram 3 - The need for the EBS_SYSTEM and SYSTEM passwords to match.

    Note: The principles shown in the diagram also apply to AD and TXK RUPs later than Delta 13.

    EBS_SYSTEM and SYSTEM Passwords Must Match

    Note: After the Completion Patch has been applied, the EBS_SYSTEM and Oracle Database SYSTEM passwords can be different, and we recommend that they are. Diagram 4 depicts when it is recommended to update the EBS_SYSTEM and SYSTEM passwords to unique values.

    Diagram 4 - The need to update the EBS_SYSTEM and SYSTEM passwords to have unique (different) values.

    Note: The principles shown in the diagram also apply to AD and TXK RUPs later than Delta 13.

    Make EBS_SYSTEM and SYSTEM Passwords Unique

Section 3: Migrating to the EBS System Schema

Migration consists of several stages, as summarized below.

By performing the applicable steps in this section, you will:

  1. Apply the latest AD-TXK RUP.
  2. Either:
    • Apply the EBS Release 12.2.11 (or later) RUP.
      or:
    • If remaining on any EBS release from 12.2.3 to 12.2.10 inclusive, apply the EBS System Schema Migration Consolidated Patch.
  3. Update any customizations reported with mandatory compliance requirements for the EBS System Schema migration.
  4. Apply the EBS System Schema Migration Completion Patch.

3.1 Upgrade Oracle E-Business Suite to Release 12.2.3 or Later

If applicable, upgrade your Oracle E-Business Suite environment to at least Release 12.2.3. We highly recommend that you upgrade to the latest available EBS Release RUP. For more information, refer to My Oracle Support Knowledge Document 1320300.1Oracle E-Business Suite Release Notes, Release 12.2.

Refer to whichever of these books is relevant to you:

3.2 Apply Latest AD-TXK RUPs

Apply the latest release update packs for AD and TXK for Release 12.2, by following the instructions in My Oracle Support Knowledge Document 1617461.1Applying the Latest AD and TXK Release Update Packs to Oracle E-Business Suite Release 12.2. AD and TXK introduced support for EBS System Schema Migration starting with R12.AD.C.Delta.13 and R12.TXK.C.Delta.13.

Note: Oracle strongly recommends that you always apply the latest version of the AD and TXK RUPs at the earliest opportunity.

3.3 Apply Either EBS Release 12.2.11 (or later), or Consolidated Patch for Releases 12.2.3 to 12.2.10

If you are are on an Oracle E-Business Suite release from 12.2.3 to 12.2.10 inclusive, we recommend upgrading to Release 12.2.11 by applying the EBS 12.2.11 (or later) RUP. If you are not currently planning to upgrade to Release 12.2.11 (or later), you must apply the EBS System Schema Migration Consolidated Patch, Patch 31817501. For instructions, refer to My Oracle Support Knowledge Document 2774309.1Applying the Oracle E-Business Suite Consolidated Patch for EBS System Schema Migration.

3.4 Remove Customization Dependencies on Database SYS or SYSTEM Objects

3.4.1 Mandatory Steps

Run the Oracle E-Business Suite System Schema Migration Compliance Checker report, ADSYSCC.sql, and remove or update any of your customizations that would give errors on running the EBS System Schema Migration Completion Patch. For detailed instructions, refer to My Oracle Support Knowledge Document 1577661.1Developing and Deploying Customizations in Oracle E-Business Suite Release 12.

3.4.2 Optional Steps

Run the Oracle E-Business Suite System Schema Migration Compliance Checker report, ADSYSCC.sql, and remove or update any of your customizations that are identified with mandatory compliance requirements and would result in invalid database objects for your customizations.

3.5 Apply EBS System Schema Migration Completion Patch

Before the Oracle E-Business Suite System Schema Migration Completion Patch ("Completion Patch") can be applied, all EBS code must have been migrated from the SYS or SYSTEM schemas to the APPS or APPS_NE schemas. To finish the migration process, the EBS System Schema Migration Completion Patch will drop all EBS code that resides in the SYS or SYSTEM accounts.

Consequently, before you apply the Completion Patch, any custom code that points to EBS-defined objects in Oracle Database system accounts must be updated to point to the appropriate migrated EBS-defined objects in EBS-defined schemas. Failure to do so will result in invalid database objects for your custom code.

Apply the Oracle E-Business Suite System Schema Migration Completion Patch (Patch 32573930) by following the steps below.

Note: If you have previously applied the Completion Patch as per the steps in this section, do not re-perform the steps.
  1. Source the run edition applications environment:

    UNIX:
  2. <INSTALL_BASE>/EBSapps.env run
    Windows:
    C:\> <INSTALL_BASE>\EBSapps.cmd run
  3. Before proceeding with application of the Completion Patch, perform a full adop cleanup by running the following command:
  4. adop phase=cleanup cleanup_mode=full
  5. Run the EBS System Schema Migration Compliance Checker, ADSYSCC.sql. When prompted, enter the APPS schema password.
    sqlplus <APPS schema name>@<TWO_TASK> @$AD_TOP/sql/ADSYSCC.sql
    This utility reports all violations of the EBS System Schema Migration Standards. Any EBS violations are fixed by both the EBS Release 12.2.11 (or later) RUP and the EBS System Schema Migration Consolidated Patch. If the report for your environment includes EBS violations after you have applied all mandatory patches (including the Completion Patch), you should log a service request with Oracle Support.

    You must fix any mandatory compliance violations listed in this report that are part of your custom code. For detailed instructions, refer to My Oracle Support Knowledge Document 1577661.1Developing and Deploying Customizations in Oracle E-Business Suite Release 12.

  6. Note: If you proceed with applying the Completion Patch when there are reported violations with custom code, you will have invalid database objects until your custom code is fixed.

    If after applying the completion patch there are reported violations with EBS code, log a service request with Oracle Support to obtain assistance.

  7. (Conditional) If you have integrated EBS with Oracle Database Vault, disable all existing Oracle Database Vault realms by navigating to the $FND_TOP/patch/115/sql directory and running the fnddbvstatus.sql script as follows:
    SQL> @fnddbvstatus.sql DISABLE
    For more information, refer to Appendix A, Management Scripts, in the following My Oracle Support knowledge documents:
    • Document 2131435.1Integrating Oracle E-Business Suite Release 12.2 with Oracle Database Vault 12c
    • Document 2617770.1, Integrating Oracle E-Business Suite Release 12.2 with Oracle Database Vault 19c

  8. Apply the Completion Patch by running the following adop command, as shown in this UNIX example:
  9. adop phase=apply patches=32573930 apply_mode=hotpatch options=forceapply,nocopyportion,nogenerateportion
    Note: You may encounter errors if you attempt to apply the Completion Patch and have specified different passwords for the EBS_SYSTEM and SYSTEM schemas.To apply the completion patch successfully, the SYSTEM and EBS_SYSTEM passwords must be the same.

  10. Run the adsysmigclnup.sql cleanup script on the database tier by performing substeps a to d below. This will drop AD objects from the SYS schema and revoke the associated privileges.

    1. Create <ORACLE_HOME>/appsutil/admin on the database server.

    2. Copy <AD_TOP>/patch/115/sql/adsysmigclnup.sql to the database tier <ORACLE_HOME>/appsutil/admin directory using the appropriate command for your system:

      UNIX:
    3. cp $AD_TOP/patch/115/sql/adsysmigclnup.sql $ORACLE_HOME/appsutil/admin
      Windows:
      C:\> copy %AD_TOP%\patch\115\sql\adsysmigclnup.sql %ORACLE_HOME%\appsutil\admin
    4. Set the environment to point to the $ORACLE_HOME on the database server.

    5. Note: If the database is multitenant, source using the following steps as applicable for your environment.

      UNIX:
      $ source $ORACLE_HOME/<CDB_NAME>_<NODE_NAME>.env
      export ORACLE_PDB_SID=<EBS_PDB_Name>
      Windows:
      C:\> %ORACLE_HOME%\<EBS_PDB_Name>_<NODE_NAME>.cmd
    6. Use SQL*Plus to run the cleanup script as follows.

      UNIX:
      sqlplus /nolog
      SQL> @$ORACLE_HOME/appsutil/admin/adsysmigclnup.sql <APPS schema name>
      Windows:
      C:\> sqlplus /nolog
      SQL> @%ORACLE_HOME%\appsutil\admin\adsysmigclnup.sql <APPS schema name>
      Note: If you find new invalid objects after performing the above steps, compile the invalid objects by running $ORACLE_HOME/rdbms/admin/utlrp.sql as the SYS user.

      Note: If you have Oracle Database Vault enabled, you may see an error message like the following in the report produced after the cleanup script runs:

      revoke READ on SYS.DUAL from "DVSYS" ERROR ORA-01031: insufficient privileges
      Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production

      Such errors can be safely ignored.

    7. (Conditional) If you are using a multitenant database on UNIX and set ORACLE_PDB_SID in step c, you must unset it now:
      unset ORACLE_PDB_SID
  11. After you have applied the Completion Patch, you should change the EBS_SYSTEM password and SYSTEM passwords by running substeps a to c below. We recommend that you set the two passwords to unique values (i.e. different from each other).

    1. On the application tier, source the environment using the appropriate command for your system:

      UNIX:
      $ . <INSTALL_BASE>/EBSapps.env run
      Windows:
      C:\> <INSTALL_BASE>\EBSapps.cmd run
      Still on the application tier, change the EBS_SYSTEM schema password to be different from that of the SYSTEM schema password, and provide the new password only to DBAs who specifically require access to the SYSTEM account:
      sqlplus EBS_SYSTEM/<EBS_SYSTEM PASSWORD>
      SQL> alter user EBS_SYSTEM identified by <NEW PASSWORD>;
    2. On the database tier, set the environment using the appropriate command for your system:

      UNIX:
      . $ORACLE_HOME/<CDB SID>_<HOST>.env
      Windows:
      C:\> %ORACLE_HOME%\<CDB_SID>_<HOST>.cmd
    3. Still on the database tier, change the SYSTEM schema password, and provide the new password only to DBAs who specifically require access to the SYSTEM account.
    4. sqlplus SYSTEM/<SYSTEM PASSWORD>
      SQL> alter user SYSTEM identified by <NEW PASSWORD>
      ;
      Note: If your EBS instance is integrated with Oracle Database Vault, connect as the <DV_ACCTMGR> user instead of the SYSTEM user.


  12. Validate adop by performing substeps (a) and (b) below.

    1. Source the run edition applications environment.

      UNIX:
      $ . <INSTALL_BASE>/EBSapps.env run
      Windows:
      C:\> <INSTALL_BASE>\EBSapps.cmd run
    2. Run the command:
      adop -validate
  13. (Conditional) Integrate Oracle E-Business Suite with Oracle Database Vault using EBS_SYSTEM.

    If you have previously integrated EBS with Oracle Database Vault, follow subsection (a) below. If you have not previously performed such an integration but would like to do so now, follow subsection (b).

    1. Existing Integration with Oracle Database Vault

      1. Enable Oracle Database Vault by navigating to the $FND_TOP/patch/115/sql directory and running the following command:
        SQL> @fnddbvstatus.sql ENABLE
      2. Download and apply Patch 33267691:R12.AD.C.

      3. Follow Section 3: Integrate Oracle Database Vault with Oracle E-Business Suite Release 12.2 in My Oracle Support knowledge Document 2727580.1Integrating Oracle E-Business Suite Release 12.2 with Oracle Database Vault using EBS_SYSTEM.

    2. New Integration with Oracle Database Vault

      Follow the instructions in My Oracle Support Knowledge Document 2727580.1Integrating Oracle E-Business Suite Release 12.2 with Oracle Database Vault using EBS_SYSTEM

 Oracle E-Business Suite Release 12.2 System Schema Migration (Doc ID 2755875.1)

No comments:

Post a Comment

Database Options/Management Packs Usage Reporting for Oracle Databases 11.2 and later (Doc ID 1317265.1)

  Database Options/Management Packs Usage Report You can determine whether an option is currently in use in a database by running options_pa...