11/27/2014

Document457166.1

R12:FNDCPASSUtilityNewFeature:EnhanceSecurityWithNonReversibleHashPassword
(DocID457166.1)
Modified: 22May2014

Type: HOWTO

InthisDocument
Goal
Solution

ClientPrerequisites:

KnownIssues

References

APPLIESTO:
OracleApplicationObjectLibraryVersion12.0.4to12.2[Release12to12.2]
Informationinthisdocumentappliestoanyplatform.
PATCHSET:11I.ATG_PF.H.DELTA.6
OracleApplicationsRelease:12.0.4
***Checkedforrelevanceon25NOV2012***

GOAL
ThisnoteexplainstheusageofanewFNDCPASSUtilityintroducedin11.5.10RUP6and12.0.4tomigrateOracle
ApplicationsUserpasswordstoanonreversiblehashpasswordschemewithasinglecommandlineinvocation.
StartingwithReleases11.5.10RUP6and12.0.4,asinglecommandlineinvocationofFNDCPASSUSERMIGRATEutility
migratestheencryptedpasswordsforalllocalOracleApplicationUsers(i.e.passwordsforallusersstoredin
FND_USER)toanonreversiblehashpasswordscheme.Thisutilitydoesnotaffectexistingpasswordschemesfor:
UserswhosepasswordsaremanagedexternallyinOracleInternetDirectory
UserswhosepasswordsaremanagedexternallyinathirdpartyLDAPdirectory(e.g.MicrosoftActiveDirectory)
OracleApplicationsDatabaseusers
ThisfeaturewasprovidedaspartofaninitiativetoenhancethesecurityofOracleApplicationsUserPasswords.This
SystemAdministrativeutilitymigrateslocalOracleApplicationsUserPasswordsfromtheircurrentencryptionscheme
toanonreversiblehashthusmakingOracleApplicationUserPasswordsnonrecoverable.Thisisanoptional,
manuallyexecutedutilityprovidedforSystemAdministratorswhowishtoconverttheApplicationsUserstoamore
secureencryptedpasswordscheme.
Note:Migrationtohashpasswordsisonetime,onewayoperationthatcannotbeundonewithoutasystem
restorefrombackup.PleasemakesureyouhaveabackupofyoursystempriortorunningFNDCPASS
USERMIGRATE.

Systemswhichremainwiththeexistingpasswordencryptionschemewillexperiencenoimpactfromthecode
supportingthenonreversiblehashpasswordscheme.Formigratedsystems,theeffectsofthemigrationshouldbe
transparent.

Note:Thecodesupportingthenonreversiblehashpasswordschemeisdeliveredincompatibilitymode,i.e.hash
https://support.oracle.com/epmos/faces/DocContentDisplay?_adf.ctrlstate=aruznbwad_4&id=457166.1

1/4

11/27/2014

Document457166.1

modeis"turnedoff"bydefaultuntilexplicitlyactivated.

OraclerecommendsyouimplementthenonreversiblehashpasswordschemetoenhanceFND_USERpassword
security.However,ifyourinstallationusesDesktopClientslistedbelowandnoupdatepathismentioned,pleaseloga
ServiceRequestviaMetalinkagainsttheaffectedproductstoverifythattheyhavebeentestedwiththenewFNDPUB,
andtoverifythatyouhaveanyrequiredinteroperabilityfixesandclientupdatespriortomigratingtothepassword
hashscheme.

Note:Ifyourinstallationisona11.5.10CU2upgradedto11i.ATG_PF.HRUP6(#5903765)withScheduler(CSR)
implementedandSSOorHashPasswordisconfigured,whenavailable,downloadandapplyPatch5997218(CSR).
Also,RUP6alonedoesNOTcausethisissueforCSR,butaftermigrationtohashedpasswordsorifintegratedwith
SSO.

Note:Ifyourinstallationisona11.5.10CU2upgradedto11i.ATG_PF.HRUP6(#5903765)withCADView3D
implementedandHashPasswordisconfigured,whenavailable,downloadandapplyPatch6378800(Oracle
CADView3D)asapostHashmigrationstep.

Note:WhenupgradingtoOracleEBusinessSuiteRelease12.1.1,ifyouhavealreadyruntheFNDCPASSUtilityto
useEnhancedSecurityWithNonReversibleHashPasswordsyoumustmergeorpreinstallPatch
8764069:R12.FND.Bbeforeyouupgrade.PleasefollowtheinstructionsintheREADMEofthatpatch.

Note:Oncemigratedtohashedpasswords,youmayencounterBug7034106ifyouusethe10GExportutility,
expdp.ThecauseofthisissueisthattheFND_USER_PREFERENCEStabledoesnotgetexportedproperlyduetoa
newfeaturethatisnotcoveredoraccountedforinNote362205.1.Theworkaroundistoimmediatelygobackand
reexport/reimporttheFND_USER_PREFERENCEStableseparatelyaftertheinitialexpdpandimpdparerun.Using
theold(9.2)exputility,exporttheFND_USER_PREFERENCEStablefromthesourcedb.
expsystem/<systempwd>TABLES=(<APPLSYSSCHEMANAME>.FND_USER_PREFERENCES)COMPRESS=Y
DIRECT=Y

Forexample,
expsystem/managerTABLES=(APPLSYS.FND_USER_PREFERENCES)COMPRESS=YDIRECT=Y
Then,importthisdataintothetargetdbusingthiscommand:
impsystem/<systempwd>FILE=expdat.dmpLOG=imptab.logTABLES=FND_USER_PREFERENCES
FROMUSER=<APPLSYSSCHEMANAME>IGNORE=Y

Forexample,
impsystem/managerFILE=expdat.dmpLOG=imptab.logTABLES=FND_USER_PREFERENCES
FROMUSER=APPLSYSIGNORE=Y

https://support.oracle.com/epmos/faces/DocContentDisplay?_adf.ctrlstate=aruznbwad_4&id=457166.1

2/4

11/27/2014

Document457166.1

ALERT:OracleFinancialAnalyzerVersion:6.4orOracleSalesAnalyzerVersion:6.4usingtheSingleSignOn
(SSO)mechanism,pleaseseeNote735814.1.

SOLUTION

ClientPrerequisites:
BeforemigratingyoumustupgradeALLDesktopclientstothelatestversionoftheFNDPUBDLL/Librariesorthey
willnolongerbeabletoconnectuntilupdated.PleasecontactrespectiveClientteamforthelatestDLL/Libandany
requiredclientupdates.
IfyourclientswillalsobeconnectingtopreATG.11i.RUP5systems,forthenewclientDLL/Libtoconnectthose
systemsyouwillneedtoapplyPatch6430269(ClientInteroperabilityPatchforFNDPUBDLLdatabase
compatibility).FormoreinformationpleaseseetheincludedDocumentreferences.
OracleDiscoverer
NOTE:313418.1UsingDiscoverer10.1.2withOracleEBusinessSuite11i
OracleConfigurator
11i10ConfiguratorCustomersusingLimitedEditionVBdeveloper,upgradetoConfiguratorbuild
11.5.10.25.43A(Patch7505626)orlateranduptakeLtdEditionVBdeveloperbuild2540A(Patch7189809)
R12ConfiguratorCustomersusingLimitedEditionVBdeveloper,upgradetoRelease12RUP4orlaterand
uptakeLtdEditionVBdeveloperbuild276(Patch6683830)
OracleApplicationsDesktopIntegrator(NOTWebADI)
CustomersusingADIwillneedtoupgradetoADI7.2RollupPatch10(Patch6455020)orlaterafter
upgradingto11i.ATG.RUP6.
OracleBalancedScorecard
OracleFilesOnline
Express
OracleDemandPlanning
OptimalFlexibleArchitecture
OracleSalesAnalyzer
UsethiscommandtoconvertalllocalOracleApplicationUserencryptedpasswordstoanonreversible,non
recoverablehashscheme
BourneshellorKornshell:
FNDCPASS<logon>0Y<system/password><mode><algorithm>

Usetheabovecommandwiththefollowingarguments.
logon:TheOracleFNDschemausername/password.
system/password:TheusernameandpasswordfortheSYSTEMDBAaccount.
https://support.oracle.com/epmos/faces/DocContentDisplay?_adf.ctrlstate=aruznbwad_4&id=457166.1

3/4

11/27/2014

Document457166.1

mode:USERMIGRATE
algorithm:SHA
Note:CurrentlyonlytheSHAhashalgorithmissupported.Otherhashalgorithmsmaybesupportedinthefuture.
Forexample,thefollowingcommandmigratesthepasswordsofallusersinFND_USER(exceptSSOusers,invalid
usersandcorruptusers)tononreversible,nonrecoverablehashpasswords.
FNDCPASSapps/apps0Ysystem/managerUSERMIGRATESHA

TheFNDCPASSlogfileiswrittentothedirectorywhereFNDCPASSwasexecuted.Pleasecheckthislogfileforthe
statusofthemigration.ThislogfilecontainsinformationregardingtheresultsofUSERMIGRATE.Thisincludesany
problemsencounteredandcontainsinformationaboutthenumberofusersmigratedsuccessfullyandindicateswhy
otheruserswerenotmigratedsuccessfully.
Forexample,hereisanexcerptfromasamplelogfile:
Usersmigratedsuccessfully:1847
UserswithExternalpasswords:0
UserswithInvalidpasswords:4
Usersnotmigrated:1of1852
Systemwassuccessfullyconvertedtohashmode.

KnownIssues
1.OracleFinancialAnalyserandOracleSalesAnalyzerdonotwork
ThisisdescribedinNote735814.1NewApplicationsFNDCPASSUtilityFeatureBreaksOFAandOSASingleSignOn
2.JDevelopergiveserror"oracle.apps.fnd.framework.OAException:Application:FND,MessageName:
FNDSECURITY_APPL_USER_NOTAUTH"
ThisisresolvedinPatch67392359IJDeveloperWithOAExtensionARUFOR11i10RUP6
3.OAMPatchWizard"RecomendedPatches"fails
ThisisresolvedwithPatch6898133PatchWizard:SupportHashPassword

REFERENCES
NOTE:313418.1UsingDiscoverer10.1.2withOracleEBusinessSuite11i
NOTE:735814.1NewApplicationsFNDCPASSUtilityFeatureBreaksOFAandOSASingleSignOn
PATCH:5997218
PATCH:6378800
PATCH:6430269

https://support.oracle.com/epmos/faces/DocContentDisplay?_adf.ctrlstate=aruznbwad_4&id=457166.1

4/4