Resetting the Oracle Weblogic Server Password

It happens sometimes we forget the password for Weblogic server or there is a need to change the weblogic password.Then follow the steps:


1. Stop all the Weblogic services


2. change directory to <Middleware_Home>\user_projects\domains\yourdomain_domain\bin

cd <Middleware_Home>\user_projects\domains\yourdomain_domain\bin

3. Source the setDomainEnv.cmd(Windows) / setDomainEnv.sh (Linux) script so we can get all the WebLogic variables set correctly

In windows: setDomainEnv.cmd

In Linux: . setDomainEnv.sh

4. Now change the directory to security directory in your instance.

cd <Middleware_Home>\user_projects\domains\yourdomain_domain\security

5. Move the DefaultAuthenticatorInit.ldift to a backup file

In Windows:

mv DefaultAuthenticatorInit.ldift DefaultAuthenticatorInit_old.ldift

In Linux:

mv DefaultAuthenticatorInit.ldift DefaultAuthenticatorInit_old.ldift

6. Run the “java weblogic.security.utils.AdminAccount newuser newpassword .” to generate a new DefaultAuthenticatorInit.ldift with a new user with the assigned password within the security directory

eg: java weblogic.security.utils.AdminAccount weblogic weblogic123 .

Note: replace newuser and newpassword with a user and password of your choosing. Ensure the password is a minimum of 8 characters and contains at least one numeric character. Also, don’t forget the period “.” at the end of the above command, it is required.

7. Change directory to <Middleware_Home>\user_projects\domains\yourdomain_domain\servers\AdminServer\security

cd <Middleware_Home>\user_projects\domains\yourdomain_domain\servers\AdminServer\security\

8. Edit the boot.properties file and replace newpassword and newusername with the user and password you defined in step 6. Do this for all the servers in the domain.

password=newpassword

username=newusername

The boot.properties will get encrypted once the admin server starts up

9. Rename or remove directory <Middleware_Home>\user_projects\domains\yourdomain_domain\servers\AdminServer\data\ldap as it will get recreated once the WebLogic Admin server starts.

e.g:

rename <Middleware_Home>\user_projects\domains\yourdomain_domain\servers\AdminServer\data\ldap <Middleware_Home>\user_projects\domains\yourdomain_domain\servers\AdminServer\data\ldap_OLD

10. Change directory to <Middleware_Home>\user_projects\domains\yourdomain_domain\bin and start the Weblogic Admin Server

In Windows: startWebLogic.cmd

In Linux: ./ startWebLogic.sh

11. Once the weblogic server is up, you’ll be able to login to Console with the new weblogic Admin user and password.

R12 E-Business Suite Registration and error Resolution (Unable to call fnd_ldap_wrapper.create_user/update_user ORA-20001

OID integration with Oracle E-Business Suite has to register 3 components in EBS.

i) 10.1.3 ORACLE_HOME

$FND_TOP/bin/txkrun.pl -script=SetSSOReg -registerinstance=yes

ii) SSO Registration

$FND_TOP/bin/txkrun.pl -script=SetSSOReg -registersso=yes

iii) OID Registration

$FND_TOP/bin/txkrun.pl -script=SetSSOReg -registeroid=yes



EBS and OID will have 4 types of Provisioning:

i)  BiDirectional Provisioning (-provisiontype=1)
This is set by using the "-provisiontype=1" command line argument during OID registration. This is the default
provisioning type set by the registration utility.

ii) InBound Provisioning
This is set by using the "-provisiontype=2" command line argument during OID registration.

iii) OutBound Provisioning
This is set by using the "-provisiontype=3" command line argument during OID registration.

iv) BiDiNoCreation Provisioning
This is set by using the "-provisiontype=4" command line argument during OID registration. 


Provisioning Status:


Status of Provisioning can be known using the following command:

oidprovtool operation=STATUS \

> ldap_host=<Server_name> ldap_port=3060 \

> ldap_user=cn=orcladmin ldap_user_password=manager3 \

> application_dn="orclApplicationCommonName=DEV,cn=EBusiness,cn=Products,cn=OracleContext,dc=abcdefg,dc=com"    


Set the profile Options as per the Oracle note and restart the OPMN processes.



When the user try to create the user, he may experience an error like:

Unable to call fnd_ldap_wrapper.create_user / update_user ORA-20001 after OID integration with R12



This error could be because of many reasons , to name few
1) More Secure Password Policy in OID compared to E-Business Suite
2) User already exists in OID but missing in E-Business Suite
3) apps user does not have privileges to access dbms_ldap package.
4) AppsDN password expired in OID (password expiry in OID)
5) OID or DIP server not running



To get the more relevant error message for the above error, enable the FND DEBUG with the below profile options at user level:

FND: Debug Log Enabled - YES
FND: Debug Log Level - Error
FND: Debug Log Mode - Asynchronous
FND_DEBUG_RULE_THRESHOLD - 100

and reproduce the same error as the same user to whom the above profile actions are set and execute the following sql to know the exact error:

select module||' '||message_text , timestamp from apps.fnd_log_messages where timestamp > (sysdate - 1) order by timestamp;


In our case the error message was like this:

fnd.plsql.oid.fnd_ldap_user.create_user:  ORA-31202: DBMS_LDAP: LDAP client/server error: Constraint violation. Password Policy Error :9004: GSL_PWDNUMERIC_EXCP :Your Password must contain at least 1 numeric characters.

So the OID Policy was to have atleast one number and one character in password.

User Profile Values updated by Whom and When?

SELECT   t.user_profile_option_name, profile_option_value, v.creation_date,
         v.last_update_date, v.creation_date, v.last_update_date "ChangeDate",
         (SELECT UNIQUE user_name
                   FROM fnd_user
                  WHERE user_id = v.created_by) "Created By",
         (SELECT user_name
            FROM fnd_user
           WHERE user_id = v.last_updated_by) "LastUpdatedBy"
    FROM fnd_profile_options o,
         fnd_profile_option_values v,
         fnd_profile_options_tl t
   WHERE o.profile_option_id = v.profile_option_id
     AND o.application_id = v.application_id
     AND start_date_active <= SYSDATE
     AND NVL (end_date_active, SYSDATE) >= SYSDATE
     AND o.profile_option_name = t.profile_option_name
     AND level_id = 10001
     AND t.LANGUAGE IN (SELECT language_code
                          FROM fnd_languages
                         WHERE installed_flag = 'B'
                        UNION
                        SELECT nls_language
                          FROM fnd_languages
                         WHERE installed_flag = 'B')
ORDER BY user_profile_option_name;

How to view Profile Option values from Backend for all Levels

SELECT p.profile_option_name short_name, n.user_profile_option_name NAME,
       DECODE (v.level_id,
               10001, 'Site',
               10002, 'Application',
               10003, 'Responsibility',
               10004, 'User',
               'UnDef'
              ) level_set,
       v.level_value level_val, v.profile_option_value VALUE
  FROM fnd_profile_options p,
       fnd_profile_option_values v,
       fnd_profile_options_tl n
 WHERE p.profile_option_id = v.profile_option_id(+)
   AND p.profile_option_name = n.profile_option_name
   AND UPPER(n.user_profile_option_name)LIKEUPPER('%&ProfileName%');

Oracle Apps Password Hack

     As you know the Oracle Apps Schema is the centralized schema to hold all the objects with all the grants. Sometimes in some unusual circumstances, the organization or DBA lacks of the knowledge of APPS password, then it really a very big issue to recover from the Database. As this password in Oracle Apps schema in an encrypted format. Normally the Oracle Apps Users Password and Oracle Apps Passwords are encrypted and stored under these tables:

i) FND_ORACLE_USERID

ii) FND_USER

     Oracle makes use of FND_WEB_SEC package to decrypt these passwords for validating against the user.The DECRYPT function is a local function and cannot be called outside the FND_WEB_SEC package.

--------------Decrypt function in the FND_WEB_SEC package---------------------------

function decrypt(key in varchar2, value in varchar2)
return varchar2
as language java name 'oracle.apps.fnd.security.WebSessionManagerProc.decrypt(java.lang.String,java.lang.String) return java.lang.String';

----------------------------------------------------------------------------------------------------------
To make this Function available for outside the function, the FND_WEB_SEC package spec to be altered with the following line:

----------------------------------------------------------------------------------------------
 function decrypt(key in varchar2, value in varchar2)

return varchar2;
----------------------------------------------------------------------------------------------
After altering the package, we need to things to be used to get the decrypted password:

 i) The encrypted password : fnd_user.encrypted_user_password

 ii) the decryption key for the user password to be decrypted "encrypted_foundation_password" of the GUEST User.

Meaning that the first step to decrypt the user password is to decrypt the foundation password of the guest user. When Oracle Apps is verifying a login attempt it will also needs to perform those steps so we can find the standard Oracle approach of decrypting the foundation password in the FND_WEB_SEC package under the function “get_foundation_password”.

This GUEST password can be retrieved using the following query:

 ----------------------------------------------------------------------------------------
SELECT upper(fnd_profile.value('GUEST_USER_PWD')) FROM dual; 
 -----------------------------------------------------------------------------------------
Now time to retrieve the  APPS password using the following query:

/*--------------------------------------------------------------*/
SELECT(
SELECT
fnd_web_sec.decrypt(
UPPER((SELECT upper(fnd_profile.value('GUEST_USER_PWD')) FROM dual))
,usertable.encrypted_foundation_password)
FROM dual
) AS apps_password
FROM
fnd_user usertable
WHERE
usertable.user_name LIKE upper(
(SELECT
substr(fnd_profile.value('GUEST_USER_PWD'),1,instr(fnd_profile.value('GUEST_USER_PWD'),'/')-1)
FROM dual)
)
/*--------------------------------------------------------------*/
With the help of  password/decryption key we can now start decrypting all the other user passwords. We can make use of the following query to decrypt the password of the specified username


/*--------------------------------------------------------------*/
SELECT
usertable.user_name
,(SELECT
fnd_web_sec.decrypt(UPPER((
SELECT(
SELECT
fnd_web_sec.decrypt(UPPER(
(SELECT upper(fnd_profile.value('GUEST_USER_PWD')) FROM dual)
)
,usertable.encrypted_foundation_password)
FROM dual
) AS apps_password
FROM
fnd_user usertable
WHERE
usertable.user_name LIKE upper(
(SELECT
substr(fnd_profile.value('GUEST_USER_PWD'),1,instr(fnd_profile.value('GUEST_USER_PWD'),'/')-1)
FROM dual)
)
)
),usertable.encrypted_user_password)
FROM
dual
) AS encrypted_user_password
FROM
fnd_user usertable
WHERE
usertable.user_name LIKE upper('&username')
/*--------------------------------------------------------------*/


This however has still only returned the user password of a user account, if you also want to have the decrypted foundation password of a user account we have to take a closer look at the way the foundation passwords for a user account are decrypted. First take a close look at the way the user foundation password is encrypted by Oracle:

/*--------------------------------------------------------------*/
encFndPwd := encrypt(user||'/'||pwd,fndPwd);
/*--------------------------------------------------------------*/


This learns us that the combination username / password is used to encrypt the foundation password. As we already have decrypted the user password and we know the username we can easily combine those so we have the decryption key. However there is no real use to decrypt the foundation password of the user account because this will be exactly the same foundation password as the one for the guest user. Oracle uses this mechanism to obtain the user foundation password with only the knowledge of the username and password given by the user who tries to login. Using those queries you will be able to decrypt all user passwords available in the FND_USER table.

ORA-04061 : existing state of has been invalidated for Workflow realted packages after modifiction

Whenever we modify the Oracle Workflow related package, the workflow enters into the error Ora-04061: : existing state of has been invalidated workflow. This is quite happens for any workflow,as the packages related to the workflow already loaded into the SGA of the database and which can be cleared most often by restarting the database.But this is not possible for 24 X 7 based databases. 

We can resolve this by the following procedure:

1) Shutdown the Workflow Agent Listeners and Workflow mailer or shutdown the Workflow Generic Service Component Container.
2) Make sure the Package in compiled successfully. 
3) Compile the APPS schema using the adadamin.
4) Bounce the Apache.
5) Restart the Service components and Workflow Mailer service
6) Retry the error workflow.

If the above steps were unable to resolve the issue, then do the additional steps as follows:

 
1) Shutdown the Workflow Agent Listeners and Workflow mailer or shutdown the Workflow Generic Service Component Container.
2) Make sure the Package in compiled successfully. 
3) Compile the APPS schema using the adadamin.
4) connect / as sysdba

SQL>alter system set aq_tm_processes=0 scope=memory;

You need to wait until the q00* and qmnc* processes are no longer running. You can check via

ps -ef | grep q00 and ps -ef | grep qmn

5)  SQL> alter system flush shared_pool;

6) SQL> alter system set aq_tm_processes=1 scope=memory;
 
7) Start the Notification Mailer and agent listeners

8) Retry the error workflow.