
Removing Credentials from a Cloned EBS Production Database (Doc ID 419475.1)
In this Document
  Abstract
  History
  Details
    Step 1 - Clear All Credentials
    Step 2 - Re-establish Bootstrap Credentials
    Step 3 - Prepare Scripts for Setting Additional Passwords
    Step 4 - Assign New Passwords to All Schemas Not Managed with EBS
    Step 5 - Assign New Passwords to All Schemas Managed with EBS
    Additional Steps
    Running AutoConfig
  References

APPLIES TO:
Oracle Applications Manager Version 11.5.9 to 12 [Release 11.5 to 1.2]
Oracle Application Object Library Version 12.1.3 to 12.1.3 [Release 12.1]
Information in this document applies to any platform.

ABSTRACT
When cloning a Production database in Oracle E-Business Suite (EBS) it is a best practice to remove all Production account credentials in the cloned copy of the database. This will help to prevent retrieval of Production credentials, which could be used to compromise the security and integrity of the Production database.
It is ideal to complete this process as soon as possible after the database data files have been copied. At a minimum it should be completed before the database is turned over to any party less trusted than the Production database DBA team.
This document describes the steps required to remove the Production EBS database credentials, such as database user (schema) password hashes and encrypted passwords. Additionally, information is provided about how to re-establish credentials in the cloned copy so that the clone may be used for functional, performance or patch application testing.
Steps from this paper should be incorporated into your database cloning process and procedures.

HISTORY
Author:
Create Date 14 Mar 2007
Update Date 11 JUL 2011
Expire Date

DETAILS
The steps outlined in this White Paper will:
1. Help to ensure that Production credentials are not retrievable from a cloned copy of an EBS Production database.
2. Bootstrap the cloned copy with enough "clone credentials" that it may be used for testing.
The steps in this document should be integrated in your database cloning process; see the "Reference" section below for documentation on cloning EBS systems for Releases 11i and 12.
The following sequence of steps will remove production account credentials from the cloned copy of the production database and re-establish new credentials in the cloned copy. All of the new accounts on the clone target will have the password "clone".
1. Step 1 - Clear all credentials
2. Step 2 - Re-establish basic accounts (for runtime: SYS, SYSTEM, APPLSYSPUB, APPLSYS, APPS + GUEST, SYSADMIN)
3. Step 3 - Prepare scripts for setting additional passwords
4. Step 4 - Assign new passwords to all database users not managed with EBS
5. Step 5 - Assign new passwords to all database users managed with EBS
6. Optional additional steps

Steps 1 through 4 are run on the database server running as the Operating System user "oracle", using "sqlplus" connected as the "SYS" or "APPS" database user. Step 5 is run as the Operating System user "applmgr" on an application tier and uses the "FNDCPASS" command line utility. This means that steps 1 through 4 can be performed the first time the cloned database is started, i.e. before it is made accessible to the network via the database TNS listener. Step 5 is not time critical and can be performed when access to the cloned system for patch purposes is required.
All application tier processes must be stopped during this procedure.
Step 1 - Clear All Credentials
To clear all credentials on a target clone of a production database you must establish a shell environment with sufficient Oracle environment variables to successfully start "sqlplus" via the "BEQ" (bequeath) driver. If Rapid Clone has been completed successfully, then each Oracle Home should have a <SID>.env file. However, in the event you need to set the environment manually, here are the minimal environment settings:

$ export ORACLE_SID=<sid>
$ export ORACLE_HOME=<dboraclehome>
$ export PATH=$ORACLE_HOME/bin:$PATH
$ unset TWO_TASK

oracle$ sqlplus '/ as sysdba'

To clear all credentials in the cloned copy of a Production database, create and execute the following 3 SQL scripts:

REM step1.sql
spool step1.lst
REM Start the database clone for the first time
startup restrict
REM Clear all production credentials from the cloned database
update SYS.user$ set
  password = translate(password,'0123456789ABCDEF','0000000000000000')
where type# = 1 and length(password) = 16
/
update APPLSYS.FND_ORACLE_USERID set
  ENCRYPTED_ORACLE_PASSWORD = 'INVALID'
/
update APPLSYS.FND_USER set
  ENCRYPTED_FOUNDATION_PASSWORD = 'INVALID',
  ENCRYPTED_USER_PASSWORD = 'INVALID'
/
commit;
REM Shut down the database
shutdown
exit
REM end of script

At this point, the cloned copy of the database is free from Production credentials. The database was shut down by the script in order for the unusual way of clearing the database user (schema) passwords to take effect. You will need to restart the cloned copy of the database in preparation for steps 2, 3 and 4:

oracle$ echo startup | sqlplus '/ as sysdba'

Step 2 - Re-establish Bootstrap Credentials
The database at the moment has no credentials. Now log on as "SYS" with operating system authentication. This will allow you to establish new credentials.

oracle$ sqlplus '/ as sysdba'

Here is the script for step 2, including inline comments which explain what is done.

REM step2.sql
spool step2.lst

REM Set a new password for a few initial database users

alter user SYS identified by CLONE;
alter user SYSTEM identified by CLONE;
alter user APPLSYSPUB identified by CLONE;
alter user APPLSYS identified by CLONE;
alter user APPS identified by CLONE;

REM Provide bootstrap info for FNDCPASS...
update APPLSYS.FND_ORACLE_USERID set
  ENCRYPTED_ORACLE_PASSWORD = 'CLONE'
where ORACLE_USERNAME = 'APPLSYSPUB'
/

update APPLSYS.FND_ORACLE_USERID set
  ENCRYPTED_ORACLE_PASSWORD = 'ZG'||
  'B27F16B88242CE980EF07605EF528F9391899B09552FD89FD'||
  'FF43E4DDFCE3972322A41FBB4DDC26DDA46A446582307D412'
where ORACLE_USERNAME = 'APPLSYS'
/
update APPLSYS.FND_ORACLE_USERID set
  ENCRYPTED_ORACLE_PASSWORD = 'ZG'||
  '6CC0BB082FF7E0078859960E852F8D123C487C024C825C0F9'||
  'B1D0863422026EA41A6B2B5702E2299B4AC19E6C1C23333F0'
where ORACLE_USERNAME = 'APPS'
/
commit;
REM We run as SYS, now connect as APPS to run some plsql
connect APPS/CLONE
REM Every EBS database needs a GUEST user
select APPS.fnd_web_sec.change_guest_password('CLONE','CLONE') "RES"
from dual;
commit;
REM Set GUEST credential in site level profile option
set serveroutput on
declare
  dummy boolean;
begin
  dummy := APPS.FND_PROFILE.SAVE('GUEST_USER_PWD','GUEST/CLONE','SITE');
  if not dummy then
    dbms_output.put_line('Error setting GUEST_USER_PWD profile');
  end if;
end;
/
commit;
REM One more time for luck (avoid session caching of profiles)
connect APPS/CLONE
REM Set SYSADMIN password
select APPS.fnd_web_sec.change_password('SYSADMIN','CLONE') "RES"
from dual;
commit;
exit

The expected output from step 2 is as follows:

User altered.
User altered.
User altered.
User altered.
User altered.

1 row updated.
1 row updated.
1 row updated.
Commit complete.
Connected.
RES
-----
Y
Commit complete.
PL/SQL procedure successfully completed.
Commit complete.
Connected.
RES
-----
Y
Commit complete.

It is important to verify that no errors are reported and that the 2 returned "RES" values are both "Y", which indicates success.
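
The check described above can be scripted so that the cloning procedure stops when Step 2 did not succeed. This is an added example, not part of the Oracle note: the function names are hypothetical, the spool files are constructed samples (ORA-01031 stands in for any error), and it assumes the default SQL*Plus layout in which the value appears two lines below the RES heading.

```shell
# Added example (not Oracle's code): pass/fail gate on the Step 2 spool file.
# Print spool lines that report an Oracle, SQL*Plus or PL/SQL error.
spool_errors() {
    grep -En '(ORA|SP2|PLS)-[0-9]+|Error *setting *GUEST_USER_PWD' "$1"
}

# Print the value found two lines below each RES column heading.
res_values() {
    awk '{ sub(/[ \t\r]+$/, "") }
         $0 == "RES" { hdr = NR; next }
         hdr && NR == hdr + 2 { print; hdr = 0 }' "$1"
}

# check_step2 FILE: 0 only if no error lines and exactly two RES values, both Y
check_step2() {
    if spool_errors "$1" >&2; then echo "$1: errors reported" >&2; return 1; fi
    vals=$(res_values "$1" | tr '\n' ' ')
    [ "$vals" = "Y Y " ] || { echo "$1: RES values: ${vals:-none}" >&2; return 1; }
}

# Constructed sample spool files; good.lst is abbreviated from the expected output.
make_spools() {
    cat > "$1/good.lst" <<'EOF'
User altered.
1 row updated.
Commit complete.
Connected.
RES
-----
Y
Commit complete.
PL/SQL procedure successfully completed.
Commit complete.
Connected.
RES
-----
Y
Commit complete.
EOF
    sed '14s/^Y$/N/' "$1/good.lst" > "$1/res_n.lst"   # second RES is N
    { cat "$1/good.lst"; echo 'ORA-01031: insufficient privileges'; } > "$1/ora.lst"
}

d=$(mktemp -d) && make_spools "$d"
for f in good res_n ora; do
    check_step2 "$d/$f.lst" 2>/dev/null && echo "$f.lst: pass" || echo "$f.lst: FAIL"
done
rm -rf "$d"
```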

ATTENTION:
It has been identified that some customers are running into an error for the SQL*Plus command
select APPS.fnd_web_sec.change_password('SYSADMIN','CLONE') "RES" from dual

In this case, please check Note 1350776.1 for the solution before you go ahead with the next steps!
Now we have completed establishing a set of bootstrap EBS credentials in the database.

Step 3 - Prepare Scripts for Setting Additional Passwords
In this step, scripts are prepared to assign passwords to the other database users which were disabled in Step 1. Dynamically generated scripts are used to accomplish this because the set of database users may differ between instances of EBS. Create the script below and run it as the Operating System user "oracle":

$ sqlplus '/ as sysdba'

The comments in the script below explain what is done in step 3.

REM step3.sql
REM Prepare SQL and SHELL scripts to set more passwords later
spool step3.lst
REM Generate a sql script to set password for db users not managed with EBS
select 'alter user "'||USERNAME||'" identified by CLONE;'
from SYS.DBA_USERS
where USERNAME not in (select ORACLE_USERNAME from APPLSYS.FND_ORACLE_USERID)
and USERNAME not in ('SYS','SYSTEM');

REM Generate a shell script to set password for all base product schemas
select 'FNDCPASS apps/clone 0 Y system/clone ALLORACLE clone' from dual;
REM Generate a shell script to set password for non-EBS db users managed with EBS
select 'FNDCPASS apps/clone 0 Y system/clone ORACLE "'||
  replace(ORACLE_USERNAME,'$','\$')||'" clone'
from APPLSYS.FND_ORACLE_USERID
where READ_ONLY_FLAG = 'X'
and ORACLE_USERNAME in (select USERNAME from SYS.DBA_USERS);
REM Generate a shell script to set password for APPS/APPLSYS/APPM_mrc db users
select 'FNDCPASS apps/clone 0 Y system/clone SYSTEM APPLSYS clone' from dual;
REM Generate scripts for steps 4 & 5
spool off
HOST grep '^alter user' step3.lst > dbusers4.sql
HOST grep '^FNDCPASS' step3.lst > dbusers5.sh
exit
REM End of Script

NOTE: The script above calls the UNIX command "grep" to extract 2 sets of lines from the step3.lst spool file. If you are running Windows, the shell redirection will fail when attempted from within sqlplus. You can perform the failed step by going to a command prompt (using the HOST command from sqlplus). If you have your MKS environment set, then you can use the "grep" syntax, or alternatively you can use the syntax below from a Windows command (cmd.exe) prompt.

# alternative commands for extracting sql and shell commands from step3.lst
C:\ORACLE\Clone> findstr /R /C:"^alter user" step3.lst > dbusers4.sql
C:\ORACLE\Clone> findstr "^FNDCPASS" step3.lst > dbusers5.cmd

Step 4 - Assign New Passwords to All Schemas Not Managed with EBS
This step runs the SQL script, "dbusers4.sql", generated in Step 3.
Sample content of "dbusers4.sql" is listed below for illustration purposes only; you must run the one you generated on your system.

NOTE: "dbusers4.sql", for example purposes only!
alter user "OLAPSYS" identified by CLONE;
...
alter user "MDSYS" identified by CLONE;
alter user "ORDPLUGINS" identified by CLONE;
alter user "ORDSYS" identified by CLONE;
alter user "DBSNMP" identified by CLONE;
alter user "OUTLN" identified by CLONE;
alter user "AD_MONITOR" identified by CLONE;
alter user "EM_MONITOR" identified by CLONE;

Note: Prior to running your script, you should review the contents of the script for any obvious problems or syntax errors; this is good advice for any dynamically created SQL scripts.
Connect as "SYSDBA":

$ sqlplus "/ as sysdba"

Now run the "dbusers4.sql" file:
SQL> spool step4.lst
SQL> start dbusers4.sql
SQL> exit

The output spool file should show many output lines stating "User altered.". No error messages (ORA-nnnnn) should appear.
At this point, the database should be started and running. Stop and restart the database at this time. To ensure that the application tier code can access the database for Step 5, you must also ensure that the database TNS listener service is running.

$ echo shutdown | sqlplus "/ as sysdba"
$ echo startup | sqlplus "/ as sysdba"
$ lsnrctl start <listener_name>

Step 5 - Assign New Passwords to All Schemas Managed with EBS
This step uses the "FNDCPASS" command to set the passwords for all the EBS managed schemas and all the base product schemas. "FNDCPASS" must be run from an application tier node (any node with an APPL_TOP file system).
You will need to locate and copy the "dbusers5.sh" script from the directory where it was created in Step 3. Again, as with any dynamically generated scripts that you run on your system, you should review the contents of the file before running it.

Note for Windows users: In the unlikely event that any of the usernames contain the dollar sign "$", it has been escaped by prefixing it with a backslash "\"; on Windows the backslash should be removed.
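
The review of the generated "dbusers4.sql" and "dbusers5.sh" files that Steps 4 and 5 ask for can be backed by an allowlist check that flags every line not shaped like the ones Step 3 is meant to emit. This is an added example, not part of the Oracle note: the function names, the user names DEMO and OPS$DEMO and the sample files are constructed, and the identifier pattern is an assumption that sends any unusual name to manual review.

```shell
# Added example (not Oracle's code): allowlist review of the Step 3 output.
SQL_RE='^alter user "[A-Za-z][A-Za-z0-9_$#]*" identified by CLONE;$'
FND_RE='^FNDCPASS apps/clone 0 Y system/clone (ALLORACLE clone|SYSTEM APPLSYS clone|ORACLE "([A-Za-z0-9_#]|\\\$)+" clone)$'

# Print the lines of FILE that do not match REGEX; trailing blanks and empty
# lines left by spooling are ignored. Succeeds when such a line exists.
unexpected_lines() {
    sed -e 's/[[:space:]]*$//' -e '/^$/d' "$1" | grep -Ev -- "$2"
}

# review_generated FILE sql|sh : 0 = clean, 1 = needs review, 2 = usage error
review_generated() {
    case "$2" in
        sql) re=$SQL_RE ;;
        sh)  re=$FND_RE ;;
        *)   echo "usage: review_generated FILE sql|sh" >&2; return 2 ;;
    esac
    [ -s "$1" ] || { echo "$1: missing or empty" >&2; return 2; }
    if bad=$(unexpected_lines "$1" "$re"); then
        printf '%s: review these lines before running:\n%s\n' "$1" "$bad" >&2
        return 1
    fi
}

# Constructed sample files; suspect.sql holds a wrapped line and spool residue.
make_samples() {
    cat > "$1/dbusers4.sql" <<'EOF'
alter user "OLAPSYS" identified by CLONE;
alter user "OPS$DEMO" identified by CLONE;
EOF
    cat > "$1/dbusers5.sh" <<'EOF'
FNDCPASS apps/clone 0 Y system/clone ALLORACLE clone
FNDCPASS apps/clone 0 Y system/clone ORACLE "OPS\$DEMO" clone
FNDCPASS apps/clone 0 Y system/clone SYSTEM APPLSYS clone
EOF
    cat > "$1/suspect.sql" <<'EOF'
alter user "DEMO" identified by CLONE;
alter user "DEMO_LONG_NAME" identified by
9 rows selected.
EOF
}

d=$(mktemp -d) && make_samples "$d"
for f in dbusers4.sql:sql dbusers5.sh:sh suspect.sql:sql; do
    review_generated "$d/${f%%:*}" "${f##*:}" && echo "${f%%:*}: ok" || echo "${f%%:*}: needs review"
done
rm -rf "$d"
```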

To run "FNDCPASS" you also need a number of environment variables set; at a minimum ensure that:
"FNDCPASS" is in the "$PATH" ("$ which FNDCPASS" will tell you if it is.)
The "ORACLE_HOME" environment variable points to the "Tools" ORACLE_HOME (8.0.6 on 11i, 10.1.2 on R12)
The "TWO_TASK" environment variable is set to a value that can be resolved via the "$TNS_ADMIN/tnsnames.ora" file, in order to access the clone target database.

# Verify that the Oracle client environment is set to correct database (as "applmgr" OS user)
applmgr$ sqlplus -s apps/clone <<EOF
select SYSDATE, NAME from v\$DATABASE;
EOF
SYSDATE   NAME
--------- ---------
25-JUL-07 PRD12
applmgr$ mkdir ~/s5; cd ~/s5   # create new directory to hold output files
applmgr$ sh dbusers5.sh        # Run the FNDCPASS shell script

The following sample content of a "dbusers5.sh" file is listed below for illustration purposes only; run the one you generated on your system.

NOTE: This "dbusers5.sh" is for example only!
FNDCPASS apps/clone 0 Y system/clone ALLORACLE clone
FNDCPASS apps/clone 0 Y system/clone ORACLE "OWAPUB" clone
FNDCPASS apps/clone 0 Y system/clone ORACLE "ODM" clone
FNDCPASS apps/clone 0 Y system/clone ORACLE "CTXSYS" clone
FNDCPASS apps/clone 0 Y system/clone SYSTEM APPLSYS clone

Each run of "FNDCPASS" will generate an output/log file in the current working directory; you should review these log files (example "L2763902.log") for errors.
NOTE: If your version of the "FNDCPASS" utility does not support the "ALLORACLE" mode, see "Q5" in the "Discussion" section below.

To verify that you have assigned passwords to all the database users, run the following query and ensure that it does not return any rows:
SQL> select USERNAME, PASSWORD from DBA_USERS where PASSWORD = '0000000000000000';

This concludes the clearing and re-establishment of account credentials from a cloned database. Please see the following 2 steps, "Additional Steps" and "Running AutoConfig", before attempting to use the system.

Additional Steps
What remains to be done is to set new passwords for additional applications users or the creation of new test users, depending on your needs. Changing passwords for applications users can be done using the "Define User" form (logged on as "SYSADMIN/CLONE") or by running "FNDCPASS" with the syntax below from an "applmgr" applications shell environment.

applmgr$ FNDCPASS apps/clone 0 Y system/clone USER <username> <password>

You may also wish to change the passwords to something other than "clone". You can use modified versions of the scripts in this note, and you should reference the security best practices document for advice on changing passwords for an E-Business Suite system; see the References section below.

Running AutoConfig
Before you can actually start and access the cloned EBS system from the Application, a number of other configuration items, such as system Profile Options, most likely need to be changed in the cloned environment. Items to change typically include:
IP addresses, hostnames and port numbers
Profiles containing hostnames and port numbers
Web interface URLs
Hostnames of external services (mail, print, SSO)
The cloning notes, listed in the "Reference" section below, will provide you with information on how to run AutoConfig. Running AutoConfig is a requirement and it must be run on all tiers of the cloned system to propagate password changes and other changed settings into AutoConfig managed files.
Prior to running AutoConfig ensure that the AutoConfig Context file contains the new "GUEST" password (Context variable "s_guest_pass") and the new password for "APPLSYSPUB" (Context variable "s_gwyuid_pass").

Password for    Context Variable    New Value
APPLSYSPUB      s_gwyuid_pass       CLONE
GUEST           s_guest_pass        CLONE

REFERENCES
NOTE:189367.1 - Secure Configuration Guide for Oracle E-Business Suite 11i
NOTE:230672.1 - Cloning Oracle Applications Release 11i with Rapid Clone
NOTE:165195.1 - Using AutoConfig to Manage System Configurations with Oracle Applications 11i
NOTE:387859.1 - Using AutoConfig to Manage System Configurations in Oracle E-Business Suite Release 12
NOTE:394448.1 - Getting Started with the Application Management Pack for Oracle E-Business Suite (Releases 2.0.0 - 2.0.2)
NOTE:403537.1 - Secure Configuration Guide for Oracle E-Business Suite Release 12
NOTE:406982.1 - Cloning Oracle Applications Release 12 with Rapid Clone
PATCH:4745998