Change Applications Passwords using Applications Schema Password Change Utility (FNDCPASS or AFPASSWD)
Oracle Metalink Document and very helpful
In this Document
Goal |
Solution |
Using the FNDCPASS Utility: |
Verify the new password. |
Examples: |
Using the AFPASSWD Utility as of R12.1.2: |
Diagnostics & Utilities Community: |
Troubleshooting FNDCPASS |
References |
APPLIES TO:
Oracle Application Object Library - Version 11.5.10.2 to 12.2 [Release 11.5 to 12.2]Information in this document applies to any platform.
GOAL
- The goal of this document is to help understand the process of changing passwords in Oracle Applications. As the Applications directory structure has changed a little, the files that need to be updated have also changed, although the FNDCPASS commands to change/reset the passwords remained pretty much the same.
- For R12.1.2, an enhanced version of FNDCPASS is available using AFPASSWD noted at the bottom of this document.
SOLUTION
Since changing passwords frequently helps ensure database security, Oracle Applications provides a command line utility, FNDCPASS, to change/reset Oracle Applications schema passwords. This utility changes the password registered in Oracle Applications tables, changes the schema password in the database and can also change user passwords.
NOTE :
Autoconfig needs to be run after changing 'APPLSYSPUB' or 'GUEST' user password !
- One cannot change a schema name, such as APPLSYS or GL, after a product is installed, with FNDCPASS.
- Ensure that the entire Oracle Applications system has been shut down before changing any schema passwords.
- All users should log out and the Applications system should be down before running this utility.
- If Oracle Applications user passwords are being changed then the relevant users should not be logged in.
- Before changing any passwords, you should make a backup of the tables FND_USER and FND_ORACLE_USERID.
- Do not use any special characters in password because FNDCPASS utility does not support special characters.
Autoconfig needs to be run after changing 'APPLSYSPUB' or 'GUEST' user password !
Note: SOURCE the environment FIRST. Ex:
1. Log into the Operating system level by way of the applmgr user.
2. Run the environment script APPSORA.env:
a. cd $APPL_TOP
b. Run APPSORA.env.
c. The above should also run_.env, but can verify by running it.
d. cd admin.
e. Run adovars.env.
1. Log into the Operating system level by way of the applmgr user.
2. Run the environment script APPSORA.env:
a. cd $APPL_TOP
b. Run APPSORA.env.
c. The above should also run
d. cd admin.
e. Run adovars.env.
Using the FNDCPASS Utility:
FNDCPASS / 0 Y \
/
Please set the
Note:
The SYSTEM token is used when changing the APPLSYS password.
The ORACLE token is used when changing a SINGLE Applications schema password.
The ALLORACLE token is used when changing ALL Applications schema passwords.
The USER token is used when changing an Applications USER password.
The SYSTEM token is used when changing the APPLSYS password.
The ORACLE token is used when changing a SINGLE Applications schema password.
The ALLORACLE token is used when changing ALL Applications schema passwords.
The USER token is used when changing an Applications USER password.
Note: Passwords for APPLSYS and the APPS schemas -- including the MRC schema -- must be the same. If you change the password for one, FNDCPASS automatically changes the others. When changing APPS (or APPLSYS) and APPLSYSPUB passwords, do not restart the system until the entire password change process has been completed.
Verify the new password.
If you changed the password for APPS (and APPLSYS), restart all concurrent managers, then log on to Oracle Applications to test the new password.
Examples:
A). To change the APPS and APPLSYS schema password:
Use the following command to change passwords for schema that are used by shared components of Oracle Applications.
FNDCPASS0 Y SYSTEM
FNDCPASS uses the following arguments when changing the APPLSYS password. When specifying the SYSTEM token, FNDCPASS expects the next arguments to be the APPLSYS username and the new password.
- logon The Oracle username/password.
- system/password The username and password for the SYSTEM DBA account.
- username The APPLSYS username. For example, 'applsys'.
- new_password The new password.
This command does the following:
- Validates APPLSYS.
- Re-registers password in Oracle Applications.
- Changes the APPLSYS and all APPS passwords (for multi-APPS schema installations) to the same password.
Because everything with a Privilege Level [set to any of ('E', 'U', 'D')] in the FND_ORACLE_USERID table must always have the same password, FNDCPASS updates these passwords as well as APPLSYS's password.
For example, the APPS password will be updated when the APPLSYS password is changed. - ALTER USER is executed to change the ORACLE password for the above ORACLE users.
For instance, the following command changes the APPLSYS password to 'WELCOME'.
FNDCPASS apps/apps 0 Y system/manager SYSTEM APPLSYS WELCOME
B). To change an Oracle Applications schema password (other than APPS/APPLSYS):
Use this command to change the password of a schema provided by an individual product in Oracle Applications.
FNDCPASS0 Y ORACLE
Use the above command with the following arguments. When specifying the ORACLE token, FNDCPASS expects the next arguments to be an ORACLE username and the new password.
- logon The Oracle username/password.
- system/password The username and password for the SYSTEM DBA account.
- username The Oracle username. For example, 'GL'.
- new_password The new password.
For example, the following command changes the GL user password to 'GL1'.
FNDCPASS apps/apps 0 Y system/manager ORACLE GL GL1
C). To change all ORACLE schema passwords:
Use this command to change the passwords of all schemas provided by Oracle Applications products.
FNDCPASS0 Y ALLORACLE
Use the above command with the following arguments. When specifying the ALLORACLE token, FNDCPASS expects the next argument to be the new password.
- logon The Oracle username/password.
- system/password The username and password for the SYSTEM DBA account.
- new_password The new password.
For example, the following command changes all ORACLE schema passwords to "WELCOME":
FNDCPASS apps/apps 0 Y system/manager ALLORACLE WELCOME
For additional information on the use of ALLORACLE, please reference NOTE 189367.1 - Best Practices for Securing the E-Business Suite
D). To change an Oracle Applications user's password:
Use this command to change an individual Oracle Applications user's password.
FNDCPASS0 Y USER
Use the above command with the following arguments. When specifying the USER token, FNDCPASS expects the next arguments to be an Oracle Applications username and the new password.
- logon The Oracle username/password.
- system/password The username and password for the System DBA account.
- username The Oracle Applications username. For example, 'VISION'.
- new_password The new password.
For example, if you were changing the password for the user VISION to 'WELCOME', you would use the following command:
FNDCPASS apps/apps 0 Y system/manager USER VISION WELCOME
Using the AFPASSWD Utility as of R12.1.2:
For Applications release 12.1.2, please reference page 11-8 of the 'Oracle E-Business Suite System Administrator's Guide - Configuration' for use of the AFPASSWD utility. Document 457166.1 must be used for migration from FNDCPASS.
NOTE:
AFPASSWD only prompts for passwords required for the current operation, allowing separation of duties between applications administrators and database administrators.
This also improves interoperability with Oracle Database Vault.
In contrast, the FNDCPASS utility currently requires specification of the APPS and the SYSTEM usernames and corresponding passwords, preventing separation of duties
between applications administrators and database administrators.
When changing a password with AFPASSWD, the user is prompted to enter the new password twice to confirm.
$ AFPASSWD
Usage:
AFPASSWD [-c[@]] -f
AFPASSWD [-c[@]] -o
AFPASSWD [-c[@]] -a
AFPASSWD [-c[@]] -l {TRUE|FALSE}
AFPASSWD [-c[@]] -L {TRUE|FALSE}
AFPASSWD [-c[@]] -s
NOTE:
AFPASSWD only prompts for passwords required for the current operation, allowing separation of duties between applications administrators and database administrators.
This also improves interoperability with Oracle Database Vault.
In contrast, the FNDCPASS utility currently requires specification of the APPS and the SYSTEM usernames and corresponding passwords, preventing separation of duties
between applications administrators and database administrators.
When changing a password with AFPASSWD, the user is prompted to enter the new password twice to confirm.
$ AFPASSWD
Usage:
AFPASSWD [-c
AFPASSWD [-c
AFPASSWD [-c
AFPASSWD [-c
AFPASSWD [-c
AFPASSWD [-c
For further details see section "Oracle E-Business Suite Password Management" of the Oracle E-Business Suite Maintenance Guide Release 12.2.
Diagnostics & Utilities Community:
- Diagnostics
Please access the EbusinessSecurity section on security diagnostics for the latest releases as reflected in Document 421245.1 E-Business Suite Diagnostics References for R12. - Utilities CommunityVisit the Utilities community for help from industry experts or to share knowledge.
Troubleshooting FNDCPASS
Please reference Document 1306938.1 FNDCPASS Troubleshooting Guide For Login and Changing Applications Passwords which is a consolidation of Top Documents providing a Single Source for Troubleshooting common problems with FNDCPASS.
No comments:
Post a Comment