Friday, December 16, 2016

How to change passwords for eBS schemas in an Oracle database

In an Oracle database supporting eBS, there are a number of schemas that supports the different modules in eBS. Everything is installed and must be maintained, regardless if the module is in use or not.
If you want to change the passwords for these accounts, you need to do that through the utility AFPASSWD or the deprecated FNDCPASS utility.

Requirements:

* The environment variable TWO_TASK must be set on the eBS application server
* The SYSTEM password for your eBS database
* The current APPS password

I strongly recommend using the same password for all eBS schemas.
Unfortunately, you cannot use special characters in the passwords, so you need to compensate this by making them at least 12-20 characters lang.

To change the passwords, use the following procedure:

1. logon to your eBS application server
2. change user to the owner of the software installation
3. shut down all eBS processes
4. take backup of FND_USER and FND_ORACLE_USERID tables (you can use CTAS for this)
connect apps/oldpassword
create table FND_USER_BUP AS SELECT * FROM FND_USER;
create table FND_ORACLE_USERID_BUP AS SELECT * FROM FND_ORACLE_USERID;

5.
cd $FND_TOP/bin
6. Change the password for all type 3 passwords (meaning all eBS schemas except APPS, APPLSYS,APPLSYSPUB)
./AFPASSWD -c APPS@$TWO_TASK -a

7. Change the passwords for type 2 schema password
./AFPASSWD -c APPS@$TWO_TASK -s APPS

8. Change the password for type 2 schema password APPLSYS
./AFPASSWD -c APPS@$TWO_TASK -s APPLSYS 


9. Change the password for type 2 schema password for APPLSYSPUB. Note that the APPLSYSPUB password must be uppercase, even if you have enabled case sensitive passwords
./AFPASSWD -c APPS@$TWO_TASK -o APPLSYSPUB

10. Update the s_gwyuid_pass variable in the AutoConfig context file to reflect the new password
vi $CONTEXT_FILE
Change from
<oa_user type="GWYUID">
            <username oa_var="s_gwyuid_user">APPLSYSPUB</username>
            <password oa_var="s_gwyuid_pass">PUB</password>
         </oa_user>
to
<oa_user type="GWYUID">
            <username oa_var="s_gwyuid_user">APPLSYSPUB</username>
            <password oa_var="s_gwyuid_pass">YOURNEWSECRETCOMPLICATEDPASSWORD</password>
         </oa_user>


11. verify that the users now have a new password:
sqlplus /nolog
SQL> connect APPS/YOURNEWSECRETCOMPLICATEDPASSWORD
Connected.
SQL> show user
USER is "APPS"

12. start your eBS application processes

Here is a query that will extract the description of each schema, and when the password was last changed:
SELECT ORACLE_USERNAME,LAST_UPDATE_DATE, DESCRIPTION
FROM FND_ORACLE_USERID
WHERE ORACLE_USERNAME IN ('APPS','APPLSYSPUB','APPLSYS','AR','GMO','PFT')
ORDER BY LAST_UPDATE_DATE;
Output:

ORACLE_USERNAME LAST_UPDATE_DATE DESCRIPTION
AR 15.12.2016 16:28:45 Oracle Receivables Account
GMO 15.12.2016 16:28:47 Oracle Manufacturing Execution System for Process Manufacturing Account
PFT 15.12.2016 16:28:47 Oracle Profitability Manager Account
APPLSYS 15.12.2016 16:30:34 Application Object Library Account
APPS 15.12.2016 16:30:34 APPS #1 Account
APPLSYSPUB 15.12.2016 16:31:09 Application Object Library Public Account

For a complete list, leave out the WHERE-clause.

1 comment: