Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Document457166.1
R12:FNDCPASSUtilityNewFeature:EnhanceSecurityWithNonReversibleHashPassword
(DocID457166.1)
Modified: 22May2014
Type: HOWTO
InthisDocument
Goal
Solution
ClientPrerequisites:
KnownIssues
References
APPLIESTO:
OracleApplicationObjectLibraryVersion12.0.4to12.2[Release12to12.2]
Informationinthisdocumentappliestoanyplatform.
PATCHSET:11I.ATG_PF.H.DELTA.6
OracleApplicationsRelease:12.0.4
***Checkedforrelevanceon25NOV2012***
GOAL
ThisnoteexplainstheusageofanewFNDCPASSUtilityintroducedin11.5.10RUP6and12.0.4tomigrateOracle
ApplicationsUserpasswordstoanonreversiblehashpasswordschemewithasinglecommandlineinvocation.
StartingwithReleases11.5.10RUP6and12.0.4,asinglecommandlineinvocationofFNDCPASSUSERMIGRATEutility
migratestheencryptedpasswordsforalllocalOracleApplicationUsers(i.e.passwordsforallusersstoredin
FND_USER)toanonreversiblehashpasswordscheme.Thisutilitydoesnotaffectexistingpasswordschemesfor:
UserswhosepasswordsaremanagedexternallyinOracleInternetDirectory
UserswhosepasswordsaremanagedexternallyinathirdpartyLDAPdirectory(e.g.MicrosoftActiveDirectory)
OracleApplicationsDatabaseusers
ThisfeaturewasprovidedaspartofaninitiativetoenhancethesecurityofOracleApplicationsUserPasswords.This
SystemAdministrativeutilitymigrateslocalOracleApplicationsUserPasswordsfromtheircurrentencryptionscheme
toanonreversiblehashthusmakingOracleApplicationUserPasswordsnonrecoverable.Thisisanoptional,
manuallyexecutedutilityprovidedforSystemAdministratorswhowishtoconverttheApplicationsUserstoamore
secureencryptedpasswordscheme.
Note:Migrationtohashpasswordsisonetime,onewayoperationthatcannotbeundonewithoutasystem
restorefrombackup.PleasemakesureyouhaveabackupofyoursystempriortorunningFNDCPASS
USERMIGRATE.
Systemswhichremainwiththeexistingpasswordencryptionschemewillexperiencenoimpactfromthecode
supportingthenonreversiblehashpasswordscheme.Formigratedsystems,theeffectsofthemigrationshouldbe
transparent.
Note:Thecodesupportingthenonreversiblehashpasswordschemeisdeliveredincompatibilitymode,i.e.hash
https://support.oracle.com/epmos/faces/DocContentDisplay?_adf.ctrlstate=aruznbwad_4&id=457166.1
1/4
11/27/2014
Document457166.1
modeis"turnedoff"bydefaultuntilexplicitlyactivated.
OraclerecommendsyouimplementthenonreversiblehashpasswordschemetoenhanceFND_USERpassword
security.However,ifyourinstallationusesDesktopClientslistedbelowandnoupdatepathismentioned,pleaseloga
ServiceRequestviaMetalinkagainsttheaffectedproductstoverifythattheyhavebeentestedwiththenewFNDPUB,
andtoverifythatyouhaveanyrequiredinteroperabilityfixesandclientupdatespriortomigratingtothepassword
hashscheme.
Note:Ifyourinstallationisona11.5.10CU2upgradedto11i.ATG_PF.HRUP6(#5903765)withScheduler(CSR)
implementedandSSOorHashPasswordisconfigured,whenavailable,downloadandapplyPatch5997218(CSR).
Also,RUP6alonedoesNOTcausethisissueforCSR,butaftermigrationtohashedpasswordsorifintegratedwith
SSO.
Note:Ifyourinstallationisona11.5.10CU2upgradedto11i.ATG_PF.HRUP6(#5903765)withCADView3D
implementedandHashPasswordisconfigured,whenavailable,downloadandapplyPatch6378800(Oracle
CADView3D)asapostHashmigrationstep.
Note:WhenupgradingtoOracleEBusinessSuiteRelease12.1.1,ifyouhavealreadyruntheFNDCPASSUtilityto
useEnhancedSecurityWithNonReversibleHashPasswordsyoumustmergeorpreinstallPatch
8764069:R12.FND.Bbeforeyouupgrade.PleasefollowtheinstructionsintheREADMEofthatpatch.
Note:Oncemigratedtohashedpasswords,youmayencounterBug7034106ifyouusethe10GExportutility,
expdp.ThecauseofthisissueisthattheFND_USER_PREFERENCEStabledoesnotgetexportedproperlyduetoa
newfeaturethatisnotcoveredoraccountedforinNote362205.1.Theworkaroundistoimmediatelygobackand
reexport/reimporttheFND_USER_PREFERENCEStableseparatelyaftertheinitialexpdpandimpdparerun.Using
theold(9.2)exputility,exporttheFND_USER_PREFERENCEStablefromthesourcedb.
expsystem/<systempwd>TABLES=(<APPLSYSSCHEMANAME>.FND_USER_PREFERENCES)COMPRESS=Y
DIRECT=Y
Forexample,
expsystem/managerTABLES=(APPLSYS.FND_USER_PREFERENCES)COMPRESS=YDIRECT=Y
Then,importthisdataintothetargetdbusingthiscommand:
impsystem/<systempwd>FILE=expdat.dmpLOG=imptab.logTABLES=FND_USER_PREFERENCES
FROMUSER=<APPLSYSSCHEMANAME>IGNORE=Y
Forexample,
impsystem/managerFILE=expdat.dmpLOG=imptab.logTABLES=FND_USER_PREFERENCES
FROMUSER=APPLSYSIGNORE=Y
https://support.oracle.com/epmos/faces/DocContentDisplay?_adf.ctrlstate=aruznbwad_4&id=457166.1
2/4
11/27/2014
Document457166.1
ALERT:OracleFinancialAnalyzerVersion:6.4orOracleSalesAnalyzerVersion:6.4usingtheSingleSignOn
(SSO)mechanism,pleaseseeNote735814.1.
SOLUTION
ClientPrerequisites:
BeforemigratingyoumustupgradeALLDesktopclientstothelatestversionoftheFNDPUBDLL/Librariesorthey
willnolongerbeabletoconnectuntilupdated.PleasecontactrespectiveClientteamforthelatestDLL/Libandany
requiredclientupdates.
IfyourclientswillalsobeconnectingtopreATG.11i.RUP5systems,forthenewclientDLL/Libtoconnectthose
systemsyouwillneedtoapplyPatch6430269(ClientInteroperabilityPatchforFNDPUBDLLdatabase
compatibility).FormoreinformationpleaseseetheincludedDocumentreferences.
OracleDiscoverer
NOTE:313418.1UsingDiscoverer10.1.2withOracleEBusinessSuite11i
OracleConfigurator
11i10ConfiguratorCustomersusingLimitedEditionVBdeveloper,upgradetoConfiguratorbuild
11.5.10.25.43A(Patch7505626)orlateranduptakeLtdEditionVBdeveloperbuild2540A(Patch7189809)
R12ConfiguratorCustomersusingLimitedEditionVBdeveloper,upgradetoRelease12RUP4orlaterand
uptakeLtdEditionVBdeveloperbuild276(Patch6683830)
OracleApplicationsDesktopIntegrator(NOTWebADI)
CustomersusingADIwillneedtoupgradetoADI7.2RollupPatch10(Patch6455020)orlaterafter
upgradingto11i.ATG.RUP6.
OracleBalancedScorecard
OracleFilesOnline
Express
OracleDemandPlanning
OptimalFlexibleArchitecture
OracleSalesAnalyzer
UsethiscommandtoconvertalllocalOracleApplicationUserencryptedpasswordstoanonreversible,non
recoverablehashscheme
BourneshellorKornshell:
FNDCPASS<logon>0Y<system/password><mode><algorithm>
Usetheabovecommandwiththefollowingarguments.
logon:TheOracleFNDschemausername/password.
system/password:TheusernameandpasswordfortheSYSTEMDBAaccount.
https://support.oracle.com/epmos/faces/DocContentDisplay?_adf.ctrlstate=aruznbwad_4&id=457166.1
3/4
11/27/2014
Document457166.1
mode:USERMIGRATE
algorithm:SHA
Note:CurrentlyonlytheSHAhashalgorithmissupported.Otherhashalgorithmsmaybesupportedinthefuture.
Forexample,thefollowingcommandmigratesthepasswordsofallusersinFND_USER(exceptSSOusers,invalid
usersandcorruptusers)tononreversible,nonrecoverablehashpasswords.
FNDCPASSapps/apps0Ysystem/managerUSERMIGRATESHA
TheFNDCPASSlogfileiswrittentothedirectorywhereFNDCPASSwasexecuted.Pleasecheckthislogfileforthe
statusofthemigration.ThislogfilecontainsinformationregardingtheresultsofUSERMIGRATE.Thisincludesany
problemsencounteredandcontainsinformationaboutthenumberofusersmigratedsuccessfullyandindicateswhy
otheruserswerenotmigratedsuccessfully.
Forexample,hereisanexcerptfromasamplelogfile:
Usersmigratedsuccessfully:1847
UserswithExternalpasswords:0
UserswithInvalidpasswords:4
Usersnotmigrated:1of1852
Systemwassuccessfullyconvertedtohashmode.
KnownIssues
1.OracleFinancialAnalyserandOracleSalesAnalyzerdonotwork
ThisisdescribedinNote735814.1NewApplicationsFNDCPASSUtilityFeatureBreaksOFAandOSASingleSignOn
2.JDevelopergiveserror"oracle.apps.fnd.framework.OAException:Application:FND,MessageName:
FNDSECURITY_APPL_USER_NOTAUTH"
ThisisresolvedinPatch67392359IJDeveloperWithOAExtensionARUFOR11i10RUP6
3.OAMPatchWizard"RecomendedPatches"fails
ThisisresolvedwithPatch6898133PatchWizard:SupportHashPassword
REFERENCES
NOTE:313418.1UsingDiscoverer10.1.2withOracleEBusinessSuite11i
NOTE:735814.1NewApplicationsFNDCPASSUtilityFeatureBreaksOFAandOSASingleSignOn
PATCH:5997218
PATCH:6378800
PATCH:6430269
https://support.oracle.com/epmos/faces/DocContentDisplay?_adf.ctrlstate=aruznbwad_4&id=457166.1
4/4