An Oracle White Paper May 2012 Oracle Fusion Applications Managing Passwords Disclaimer The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Changing Passwords in Fusion Applications Wp v1.1


Fusion Applications – Changing Passwords

Copyright © 2012 Oracle Corporation Page 2

Table of Contents

Introduction
  Administrators for Fusion Applications
  Fusion Applications Super Administrator Users
Stop Fusion Applications
Changing APP ID Passwords
Changing Keystore Password
Changing Super User (FAdmin) Password
Changing System/Policy Users Password
Account Lock and Password Expiration Policies
Changing Fusion Applications Database Passwords
  Changing JDBC Data Sources
  Changing Credential Store Mapping
  Updating ESS Spawned Job Wallet
  Changing ODI Repository Password
  Changing BI Repository Password
  Updating ESSBase Registry
  Changing passwords in Oracle Metadata Repository schema
Changing Node Manager Password
Changing BI System User Password
Changing the Oracle Internet Directory Database Password
Changing the Password for the ODSM Administrator Account
Restart Fusion Applications
Appendix A – Fusion Apps RUP1 Schema
Appendix B – Sample Python script
Appendix C – Sample Input file for Fusion Applications Schemas

Introduction

There are several types of administrative passwords that may be changed periodically, based on security requirements and standard operating procedures. This document describes how password changes in external components such as databases, IDMs, etc. impact the Fusion Applications tier, and how to reconfigure it. It covers critical password changes such as those for Fusion Apps administrators, super users, keystores, database schemas, etc.

This document does not cover administrative user password changes for IDM and the Oracle database. It also makes no attempt to provide best practices on password management and security policies.

This document is targeted at experienced Fusion Applications System Administrators, Security Architects, and Operations teams.

The sample code provided in any section is for demonstration purposes only.

Administrators for Fusion Applications

The application provisioning process bootstraps the provisioned environment with two administrator groups for each application family.

These two administrator groups are:

A system administrator - A directory group representing the WebLogic Server domain administrators for all the domains.

An application administrator - A directory group with an assigned enterprise role reflecting all the application roles and delegation privileges for all the applications in a given family.

The purpose of creating these "Super Administrators" during provisioning is to enable ongoing administration and/or delegation privileges. The above process facilitates separation of duties between system administration and application administration responsibilities, but you are free to assign the same user to both hierarchies ("system admin" and "application admin").

The following table shows the groups that are created for each family.

Provisioned Administrator Groups

Product Family/Product                            System Administrator Group    Application Administrator Group
Oracle Fusion Supply Chain Management             FSCMSysAdmin                  FSCMAppAdmin
Oracle Fusion Customer Relationship Management    CRMSysAdmin                   CRMAppAdmin
Oracle Fusion Human Capital Management            HCMSysAdmin                   HCMAppAdmin
Oracle Fusion Financials                          FINSysAdmin                   FINAppAdmin
Oracle Fusion Procurement                         PRCSysAdmin                   PRCAppAdmin
Oracle Fusion Project                             PRJSysAdmin                   PRJAppAdmin
Oracle Fusion Incentive Compensation              OICSysAdmin                   OICAppAdmin

In addition, a single user, known as the super user, is set up to belong to all the administrator groups. That user becomes the administrator for all middleware and the application administrator for all product families. This is typically known as FAAdmin as per Enterprise document guide (EDG).

The following diagram illustrates the relationship between the two groups.


Fusion Applications Super Administrator Users

It is important to distinguish between the two types of super-administrators that exist in the provisioning process.

Pre-seeded bootstrap user

Designated super-user


In the context of the pre-seeded user, provisioning employs an identity known as the App ID that is required to bootstrap the WebLogic domains. The pre-configuration phase of provisioning automatically generates the credential needed for this App ID user.

In the context of the designated super user, during the interview phase of provisioning, you are asked to specify the user ID of the designated "real" user who will be set up as the Middleware Administrator and Functional Setup Manager. As per EDG, this is FAAdmin user. Although FAAdmin user can be used for this purpose, a 'real' user should be used in bare metal provisioning for better security and auditing. This can be achieved by supplying the username of the 'real' user in the Provisioning Wizard instead of FAAdmin.

Stop Fusion Applications

To prepare the environment for the password changes:

1. Stop all user requests by stopping the Oracle HTTP server.

2. Stop all the Fusion Applications Servers (including Admin Servers). Please consult the following doc to start/stop Fusion Applications using the “fastartstop” utility.

3. Stop all “opmn” processes such as BI, GOP, etc., depending on your Fusion Applications installation type.

4. Do not shut down Node Manager.

5. Update user profiles in the Oracle Database to prevent account lockout:

   a. Log in to the database as a user with DBA privileges.

   b. Get a list of all profiles in the Oracle Database using SQL:

        SQL> SELECT profile, username FROM dba_users ORDER BY 1;

      You should see most schemas with profile 'DEFAULT' and a few other profiles, including the profile SEARCHSYS_PROF used by SEARCHSYS.

   c. Find existing settings for failed login attempts:

        SQL> SELECT * FROM dba_profiles WHERE resource_name = 'FAILED_LOGIN_ATTEMPTS';

      At a minimum, write down the settings for DEFAULT and SEARCHSYS_PROF.

   d. Alter the default profile to have unlimited login attempts:

        SQL> ALTER PROFILE default LIMIT FAILED_LOGIN_ATTEMPTS UNLIMITED;

   e. Alter the SEARCHSYS_PROF profile to have unlimited login attempts:

        SQL> ALTER PROFILE searchsys_prof LIMIT FAILED_LOGIN_ATTEMPTS UNLIMITED;

6. Update the passwords you want to change in the Oracle Database using a tool such as SQL*Plus.

7. Start up only the Administration Servers of all the domains. Please consult the following doc to start/stop Fusion Applications using the “fastartstop” utility.


Changing APP ID Passwords

When invoking Web services, Oracle Fusion Applications must rely on a type of credential known as the Application ID or App ID. Each application has its own App ID, which is initially provisioned for the application.

The following sample Application Identities are predefined. For the complete list, please consult the following doc (http://docs.oracle.com/cd/E28271_01/fusionapps.1111/e16689/F323386AN14D2F.htm#F114032AN1631A).

Application Identity Code           Application Identity Name
FUSION_APPS_ECSF_SES_ADMIN_APPID    Oracle Fusion Search Administrator Application Identity (CRM)
FUSION_APPS_OBIA_BIEE_APPID         Business Intelligence Applications Extract Transform and Load Application Identity
FUSION_APPS_OIM_SPML_APPID          Oracle Identity Manager Application Identity
FUSION_APPS_CRM_SOA_APPID           Web Services Application Identity (CRM)
FUSION_APPS_FIN_SOA_APPID           Web Services Application Identity (Financials)
FUSION_APPS_HCM_SOA_APPID           Web Services Application Identity (HCM)
FUSION_APPS_PRC_SOA_APPID           Web Services Application Identity (Procurement)
FUSION_APPS_PRJ_ESS_APPID           Enterprise Scheduler Job Application Identity (Projects)
FUSION_APPS_PRJ_SOA_APPID           Web Services Application Identity (Projects)
FUSION_APPS_SCM_SOA_APPID           Web Services Application Identity (SCM)
FUSION_APPS_SETUP_ESS_APPID         Enterprise Scheduler Job Application Identity (Setup)
…                                   …

Get list of APPIDs from your Environment

Run the following command to get the list of all the entries for which the passwords need to be set:

    export ORACLE_HOME=$ORACLE_BASE/product/fmw/idm/bin

($ORACLE_BASE/product/fmw is a Fusion Middleware home.)

    $ORACLE_HOME/bin/ldapsearch -h idmhost.mycompany.com -p 389 -D "cn=orcladmin" -w <password> \
        -b 'cn=AppIdUsers,cn=Users,dc=mycompany,dc=com' -s sub 'objectclass=orclAppiduser' cn >& reset.txt

Sample Content of reset.txt:

    cn=FUSION_APPS_BI_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com
    cn=FUSION_APPS_BI_APPID
    cn=FUSION_APPS_ATK_ADF_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com
    cn=FUSION_APPS_ATK_ADF_APPID
    cn=FUSION_APPS_CRM_ADF_SOAP_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com
    cn=FUSION_APPS_CRM_ADF_SOAP_APPID
    cn=FUSION_APPS_CRM_ECSF_SEARCH_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com
    cn=FUSION_APPS_CRM_ECSF_SEARCH_APPID

Changing APP IDs Passwords

Changing APP ID passwords has a ripple effect on various configurations, including Credential Stores (CSF) in Fusion Applications. The App ID passwords are stored (encrypted) in the credential store, and that is how Fusion Applications gets the password values before talking to other applications or web services. Once the APP ID passwords are changed in LDAP, the corresponding entries in CSF must be changed. Oracle does not support this at this time, as it is a manual, tedious and error-prone process. In future releases, Oracle may provide a utility that automates changing these passwords.

The APP ID passwords are generated randomly when Fusion Applications is provisioned. They are completely secured and encrypted, and no human will ever have to use these APP IDs.

Changing FUSION_APPS_PROV_PATCH_APPID using custom passwords

The only exception is the password of “FUSION_APPS_PROV_PATCH_APPID”, which can be changed if absolutely necessary. Fusion Applications uses “FUSION_APPS_PROV_PATCH_APPID” to manage the life cycle of the WebLogic Admin and Managed Servers. The new password must be reflected in WebLogic’s “boot.properties” file in all the domains.

You can change the “FUSION_APPS_PROV_PATCH_APPID” password from the Administrative Console of IDM or WebLogic, or by using the following LDAP commands.

Create an LDIF file named “update_apps_prov_patch.ldif”:

    dn: cn=FUSION_APPS_PROV_PATCH_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com
    changetype: modify
    replace: userPassword
    userPassword: new_password

Use the LDAPMODIFY command as follows:

    $ORACLE_HOME/bin/ldapmodify -h oid_hostName -p oid_port -D "cn=orcladmin" -w orcladmin_password -f update_apps_prov_patch.ldif

Note: $ORACLE_HOME=$ORACLE_BASE/product/fmw/idm/bin ($ORACLE_BASE/product/fmw is a Fusion Middleware home).

Changing boot.properties file with new password

Because the password of the “FUSION_APPS_PROV_PATCH_APPID” APP ID has been reset, the boot.properties file of the Admin Server must be modified with the new password in each of the domains.

Run the following steps (for each domain) to get the encrypted password string of FUSION_APPS_PROV_PATCH_APPID:

Set the environment:

    . $FUSION_APPS_HOME/wlserver_10.3/server/bin/setWLSenv.sh

Go to each domain directory, such as $ORACLE_BASE/config/domains/<Host Name>/CommonDomain.

Run the following command:

    java weblogic.security.Encrypt Welcome1

This echoes the encrypted string that must be placed in boot.properties.

Modify boot.properties in the AdminServer/security folder.

Note: The encrypted password string must be generated for each domain.

Changing Keystore Password

There are multiple keystores used in Fusion Apps, including in IDM, the database and OHS. The following are sample keystores whose passwords can be changed with these instructions:

1. Keystore to store public and private keys for all secure web services connections within the domain: <domain_directory><domain_name>/config/fmwconfig/default-keystores.jks

2. Keystore to enable host name verification for the Node Manager:

   a. Custom Trust Keystore: $ORACLE_BASE/products/fusionapps/wlserver_10.3/server/lib/fusion_trust.jks

   b. Custom Identity Keystore for each machine: $ORACLE_BASE/products/fusionapps/wlserver_10.3/server/lib/<hostname>_fusion_trust.jks (Alias is <hostname>_fusion).

Oracle Fusion Middleware provides these tools for keystore operations:

WLST, a command-line interface for JKS keystores and wallets

orapki, a command-line tool for wallets

Fusion Middleware Control, a graphical user interface

the keytool utility

If an Oracle wallet or JKS keystore was created with tools such as orapki or keytool, it must be imported prior to using WLST and Fusion Middleware Control. Please consult the following doc for more information.

Changing Keystore password using “keytool” utility

Follow these steps to change the keystore password:

1. Change directory to $ORACLE_BASE/products/fusionapps/wlserver_10.3/server/lib

2. Run the following command to change the password used to protect the integrity of the keystore contents:

    keytool -storepasswd -new <NewPassword> -keystore fusion_trust.jks -storepass <Original Password>

3. Run the following command to change the password under which the private/secret key identified by alias is protected, from old_keypass to new_keypass:

    keytool -keypasswd {-alias alias} [-keypass old_keypass] [-new new_keypass] -keystore fusion_trust.jks [-storepass storepass] {-v} {-Jjavaoption}

Once the password is changed, you must reconfigure all WebLogic domains and their respective servers to reflect the new password.

Configure Weblogic Domain default_keystore.jks

Navigate to <Weblogic Domain>/<Domain Name>. Select “Security Provider Configuration” as shown here:


Change password by clicking “Configure” under Keystore section as shown below:

Once the keystore password and passphrase are changed, change the keystore and SSL configuration of all the servers in the domain accordingly.


Note: Repeat the above steps for all the domains

Configure Admin and managed Servers for each domain to reflect new keystore password

Log in to the WebLogic Administrative Console and navigate to Environment/Servers. For each server, select Configuration and then the Keystore tab. See the following screens to update the passphrase. (Repeat for all servers and respective domains.)


Note: The keystore password can only be changed if “old” password is available.

Changing Super User (FAdmin) Password

This is the super user that was provided in the Fusion Applications Provisioning plan, typically FAAdmin as per EDG. You can change the password of the administrative user using the Oracle WebLogic Server Administration Console, the WLST command line, the ODSM (Oracle Directory Service Manager) console or an LDIF (LDAP Data Interchange Format) command.

Since Fusion Applications users are provisioned through OID, the best practice is to change the password from the ODSM console or using an LDIF command.

Changing FAAdmin password Using ODSM console

To change the password of the Oracle Fusion Middleware administrative user using ODSM Console:

Navigate to the ODSM Console. (For example, from the home page of the domain in Fusion Applications Control, select “To configure and manage this WebLogic Domain, use the Oracle WebLogic Server Administration Console”.)


Changing FAAdmin password Using LDIF Command

Create an LDIF file such as “updatePassword.ldif” with the following entries:

    dn: cn=FAAdmin,cn=Users,dc=mycompany,dc=com
    changetype: modify
    replace: userPassword
    userPassword: new_password

Use the LDAPMODIFY command:

    $ORACLE_HOME/bin/ldapmodify -h oid_hostName -p oid_port -D "cn=orcladmin" -w orcladmin_password -f updatePassword.ldif

Note: $ORACLE_HOME=$ORACLE_BASE/product/fmw/idm/bin ($ORACLE_BASE/product/fmw is a Fusion Middleware home).

Changing the Oracle Fusion Middleware Administrative User Password Using the WLST Command Line

To change the Oracle Fusion Middleware administrative user password or other user passwords using the command line, you invoke the UserPasswordEditorMBean.changeUserPassword method, which is extended by the security realm's AuthenticationProvider MBean.

Start a WLST session as follows:

Run wlst.sh from <path_to_domain_home_of_the_domain>/fusionapps/oracle_common/common/bin.

Connect to the domain.

    nmConnect('<node_manager_user_name>','<node_manager_password>','<node_manager_machine_name>','<node_manager_machine_port>','<domain name>','<path_to_domain_home_of_the_domain>')

Example:

    nmConnect('bootstrap_admin','welcome','<hostname>','5556','CommonDomain','/oracle/fusion/top/instance/domains/weblogic1.company.com/CommonDomain')

WLST Script

    from weblogic.management.security.authentication import UserPasswordEditorMBean
    print "Changing password ..."
    atnr=cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")
    atnr.changeUserPassword('my_user','my_password','new_password')
    print "Changed password successfully"

Please consult the following doc (http://docs.oracle.com/cd/E23943_01/web.1111/e13715/config_wls.htm#i1019970) for more information.

Changing System/Policy Users Password

The following system (or policy) users are provisioned by Fusion Applications: “PolicyRWUser”, “PolicyROUser”, “IDRWUser”, “IDROUser”. Their passwords are changed like those of any other OID user, through the ODSM console or LDAP as described earlier. However, changing some of these passwords impacts CSF (Credential Stores) keys.

The map and key for “PolicyRWUser” and “IDROUser” respectively are as follows:

    oracle.patching, FUSION_APPS_PATCH_POLICY_STORE-KEY
    oracle.patching, FUSION_APPS_PATCH_ID_STORE-KEY

Please consult the following section to change CSF keys.

Account Lock and Password Expiration Policies

The default password policy for Oracle Internet Directory enforces:

Password expiration in 120 days

Account lockout after 10 login failures. Except for the superuser account, all accounts remain locked for a duration of 24 hours unless the passwords are reset by the directory administrator.

A user account stays locked even after the lockout duration has passed unless the user binds with the correct password.

When Fusion Applications is provisioned, the APP IDs container does not have a password expiration policy, but system (or policy) users such as “PolicyRWUser”, “PolicyROUser”, “IDRWUser”, “IDROUser” do. The alternatives for handling the password expiration policy are:

1. Disable the password expiration policy. If the password has already expired, change the password to the same “old password” and disable the expiration policy to prevent expiry in future. This ensures that no changes are required in the respective Credential Stores.

2. Change the password and then consult the following section to change the respective Credential Stores (CSF) keys.

Option “1” is recommended until, in future releases, Oracle provides a complete listing of Credential Stores Mappings (similar to APP IDs).

Please consult the following doc to manage Password Policies.

Changing Fusion Applications Database Passwords

Changing Fusion Applications database schema passwords impacts several components in the middle-tier stack, such as JDBC data sources, Credential Store mappings, and various repositories. Please follow the Oracle database documentation on how to change schema passwords in the database.

Changing JDBC Data Sources

These objects contain properties such as the URL or user name and password. Application components use data sources to obtain connections to a relational database. They are known as WebLogic Data Sources.

Please see Appendix A for the database schemas based on Fusion Applications RUP1 (new schemas could be added in later Fusion Apps versions).

The best approach is to create a WLST script to modify JDBC data sources with the new password. The alternative option is to change it for each data source from the WebLogic Console.

Sample WLST Script for demonstration purpose only

Once the schema password is changed in the database, please see the following sample to update the respective data sources:

Sample

Let’s assume there are 3 schemas jrd1, jrd2 and jrd3 with password “Welcome1”. There are 3 respective JDBC data sources. The CommonDomain has jrdtest1 and jrdtest2, and HCMDomain has jrdtest3. All 3 data sources for the sample are targeted to soa_server1 in their respective domains.

The following Python script demonstrates how to change the password of JDBC data sources:

    import sys
    import os
    import ConfigParser
    import time
    from datetime import datetime

    _wlsUsername = 'weblogic_fa'
    _wlsPassword = 'Welcome1'
    _domainT3UrlProperty = 'domain.url.t3'
    _schemaSectionName = 'SCHEMAS'
    _fsSectionName = 'CommonDomain'

    def updateDatasourcesInOneDomain(_wlsUsername, _wlsPassword, _domainT3Url, _parser):
        connect(_wlsUsername, _wlsPassword, _domainT3Url)
        _dsNames = ls('/JDBCSystemResources', returnMap='true', returnType='c')
        edit()
        startEdit()
        for _dsName in _dsNames:
            jdbcSR = lookup(_dsName, "JDBCSystemResource")
            theJDBCResource = jdbcSR.getJDBCResource()
            driverParams = theJDBCResource.getJDBCDriverParams()
            driverProperties = driverParams.getProperties()
            # update schema password if schema user is specified in the input file
            _userprop = driverProperties.lookupProperty('user')
            _userval = _userprop.getValue()
            #print '***user is:' + _userval
            if _parser.has_option(_schemaSectionName, _userval):
                print '*** Updating the password of datasource ' + _dsName + ' (username=' + _userval + ')'
                _dbPassword = _parser.get(_schemaSectionName, _userval)
                # debugging output only (see the note after the sample output)
                print 'password is:' + _dbPassword
                driverParams.setPassword(_dbPassword)
        # save and activate the edit session once all data sources are processed
        save()
        activate(block="true")
        disconnect()

Read the input file as follows:

    # read the input file
    try:
        _inputFile = sys.argv[1]
        print '*********************************************************************************************'
        print '* Input file: ' + _inputFile
        print '*** Reading ' + str(_inputFile) + '...'
        _parser = ConfigParser.ConfigParser()
        # keep option names (schema user names) case-sensitive
        _parser.optionxform = str
        _parser.read(_inputFile)
    except:
        print '*********************************************************************************************'
        print '* Error:'
        sys.exit(2)

Call the above function as:

    # update the datasource passwords
    for _sectionName in _parser.sections():
        if _parser.has_option(_sectionName, _domainT3UrlProperty):
            # get domain t3 url
            _domainT3Url = _parser.get(_sectionName, _domainT3UrlProperty)
            print '*** Retrieved ' + _sectionName + ' domain t3 url: ' + _domainT3Url
            try:
                print '************Update Datasource password'
                updateDatasourcesInOneDomain(_wlsUsername, _wlsPassword, _domainT3Url, _parser)
            except:
                dumpStack()
                sys.exit(1)
    print '***Successfully updated datasource '
    exit()

The sample input file is:

    [SCHEMAS]
    ##########
    jrd1=newWelcome1
    jrd2=newWelcome1
    jrd3=newWelcome1

    [CommonDomain]
    # The WLS admin URL for the Common Domain
    domain.url.t3=t3://scmhost1as1.us.oracle.com:7001

    [HCMDomain]
    # The WLS admin URL for the HCM Domain
    domain.url.t3=t3://scmhost1as1.us.oracle.com:9401

Run the Python script as follows:

    $FA_HOME/wlserver_10.3/common/bin/wlst.sh $SCRIPT_PATH/<script_name>.py $SCRIPT_PATH/<input_filename>.ini

Please see the following screen shots for output:


Note: The password output value is for debugging only. You should remove it from your production script.

You can modify Fusion Applications data sources based on the input file provided in Appendix C.

Changing Credential Store Mapping

In Oracle Fusion Applications, credentials used for various components such as patching, BI Enterprise, Security, etc. are stored securely in the Lightweight Directory Access Protocol (LDAP) based Credential Store Framework (CSF), from which they can be retrieved transparently when required. Some of these credential mappings contain database schema and password keys. Hence, when schema passwords are changed, the respective CSF mappings must be updated.

The CSF mappings are in “CommonDomain”. They can be managed from Fusion Middleware Control (EM). However, one should create WLST scripts to automate the process. The following screenshots provide a reference on how to browse CSF maps from EM:

Log in to Fusion Middleware Control and navigate to Domain > Security > Credentials to display the Credentials page.

Creating WLST script to automate CSF mappings

Enhanced the database schema password script to include CSF updates. Create another Python function

as follows:

# Names of the credential maps to process. This list is not defined in the paper;
# it is assumed here to be the map sections of the sample input file (Appendix C).
_expectedCredMapList = ['oracle.apps.security', 'oracle.patching', 'oracle.bi.enterprise']

def updateCredentialPasswords(_wlsUsername, _wlsPassword, _domainT3Url, _parser):
    # the CSF maps live in CommonDomain, so its admin URL must be in the input file
    if _parser.has_option(_fsSectionName, _domainT3UrlProperty):
        _domainT3Url = _parser.get(_fsSectionName, _domainT3UrlProperty)
        connect(_wlsUsername, _wlsPassword, _domainT3Url)
        for _sectionName in _parser.sections():
            # only look at section whose name is an expected credential map name
            if _sectionName in _expectedCredMapList:
                _map = _sectionName
                for _key in _parser.options(_map):
                    _schemaUsername = _parser.get(_map, _key)
                    _password = ''
                    if _parser.has_option(_schemaSectionName, _schemaUsername):
                        _password = _parser.get(_schemaSectionName, _schemaUsername)
                        if len(_password) > 0:
                            _credFound = 'false'
                            try:
                                print '*** Deleting existing credential with map [' + _map + '] and key [' + _key + ']. Failure indicates that no such credential exists.'
                                deleteCred(map=_map, key=_key)
                                _credFound = 'true'
                            except:
                                dumpStack()
                            # re-create the credential only if it existed before
                            if _credFound == 'true':
                                _now = str(datetime.now())
                                _desc = 'Reset at ' + _now
                                createCred(map=_map, key=_key, user=_schemaUsername, password=_password, desc=_desc)
                                print '*** Credential with map [' + _map + '] and key [' + _key + '] has been reset at ' + _now
                            else:
                                print '*** Skipping reset of credential with map [' + _map + '] and key [' + _key + ']. Credential does not exist.'
                        else:
                            print '*** Skipping reset of credential with map [' + _map + '] and key [' + _key + ']. Input file does not contain password for schema username "' + _schemaUsername + '"'
                    else:
                        print '*** Skipping reset of credential with map [' + _map + '] and key [' + _key + ']. Input file does not contain schema username "' + _schemaUsername + '"'
        disconnect()
    else:
        print '*** Cannot find section [CommonDomain] with property "' + _domainT3UrlProperty + '". Skipping credential store password reset.'

# update the credential store passwords
updateCredentialPasswords(_wlsUsername, _wlsPassword, _domainT3Url, _parser)
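The function above only prints a skip message when a CSF key's schema has no password in the input file, which leaves the old password in the credential store after the database password has changed. The following check is an added example, not part of the white paper: it audits an input file in the Appendix C layout before the WLST script is run. It is plain Python 3 rather than WLST, and the map list, the constructed sample contents and the function names are assumptions made for the illustration.

```python
import configparser
import os
import stat

SCHEMA_SECTION = "SCHEMAS"        # holds SCHEMA_USER=password pairs
DOMAIN_SECTION = "CommonDomain"   # domain whose CSF maps the script updates
URL_OPTION = "domain.url.t3"
# Assumed map list: the credential map sections of the Appendix C sample file.
CRED_MAPS = ("oracle.apps.security", "oracle.patching", "oracle.bi.enterprise")

# Constructed sample in the layout of the Appendix C input file; all values invented.
SAMPLE = """\
[SCHEMAS]
FUSION_RUNTIME=fusion_runtime
SEARCHSYS=constructed-Example-Pw-1
FUSION_APM=

[CommonDomain]
domain.url.t3=t3://fa-host.example.com:7001

[oracle.apps.security]
FUSION-DB-KEY=FUSION_RUNTIME
FUSION_APPS_ECSF_SES_ADMIN-KEY=SEARCHSYS

[oracle.patching]
FUSION_APM-KEY=FUSION_APM
FUSION_APPS_DBA-KEY=SYS
"""


def parse_input(text):
    """Parse the input file: '=' pairs, case-sensitive keys, no '%' interpolation."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep schema and key names in their original case
    parser.read_string(text)
    return parser


def audit_input(parser, cred_maps=CRED_MAPS):
    """Return (severity, subject, problem) tuples; an empty list means ready to run."""
    findings = []
    schemas = {}
    if parser.has_section(SCHEMA_SECTION):
        schemas = dict(parser.items(SCHEMA_SECTION))
    for user, password in schemas.items():
        if not password:
            findings.append(("ERROR", user, "empty password"))
        elif password.lower() == user.lower():
            findings.append(("ERROR", user, "password is the schema name"))
    for cred_map in cred_maps:
        if not parser.has_section(cred_map):
            findings.append(("WARN", cred_map, "map section missing, map is not processed"))
            continue
        for key, user in parser.items(cred_map):
            if not schemas.get(user):
                # The update function skips this key, so the store keeps the old password.
                findings.append(("ERROR", cred_map + "/" + key,
                                 "no password for schema " + user))
    if not parser.has_option(DOMAIN_SECTION, URL_OPTION):
        findings.append(("ERROR", DOMAIN_SECTION, "missing " + URL_OPTION))
    return findings


def audit_file_mode(path):
    """Flag an input file that group or other can access (it holds clear-text passwords)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return [("ERROR", path, "mode %o grants group/other access" % mode)]
    return []


if __name__ == "__main__":
    for severity, subject, problem in audit_input(parse_input(SAMPLE)):
        print("%-5s %-45s %s" % (severity, subject, problem))
```

Run it against the real input file before the WLST script and treat any ERROR as a reason not to start the password change.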

Updating ESS Spawned Job Wallet

A configured Oracle wallet enables spawned jobs to connect to the database at the command line. A provisioned Fusion Applications environment will have this wallet pre-configured. Configuring a spawned job involves creating an environment file and configuring an Oracle wallet. This wallet stores the “fusion_runtime” schema password used by ESS jobs.

The “environment.properties” file is located at $ORACLE_BASE/config/ess/config. This property file includes critical properties that are required to update the wallet, such as:

Wallet Location    $ORACLE_CSF_WALLET_LOC
Database Name      $TWO_TASK
TNSAdmin Path      $TNS_ADMIN

Syntax to update the wallet:

mkstore -wrl walletLocation -modifyCredential dbName dbUser dbPassword

Run the following command:

1. Go to command prompt $TNS_ADMIN
2. Execute mkstore -wrl $ORACLE_CSF_WALLET_LOC -modifyCredential $TWO_TASK fusion_runtime <NewPassword>


Changing ODI Repository Password

There are two database schemas, FUSION_ODI and FUSION_ODI_STAGE, that must be updated in the ODI work repository.

Oracle Fusion Applications Provisioning does not install ODI Studio. You must install ODI Studio to change the work repository password.

To change the ODI work repository password from ODI Studio:

1. Start the ODI Studio and, in the Connection profile, uncheck the Work Repository.
2. Verify that the password of Master Repository database is OK.
3. In ODI Studio, go to the Topology Manager > Work Repositories.
4. Edit the Work Repository, click on the "Connection" icon button, and set the appropriate password.
5. Double-click the work repository. The Work Repository Editor opens.
6. On the Definition tab of the Work Repository Editor click Change password.
7. Enter the current password and the new one.
8. Click OK.

Changing BI Repository Password

Each repository has a password that is used to encrypt its contents. You create the repository password when you create a new repository file, or when you upgrade a repository from a previous release of Oracle Business Intelligence.

You can change the repository password using the Administration Tool in offline mode, or using the “obieerpdpwdchg” utility. You cannot change the repository password when the repository is open in the Administration Tool in online mode.

The obieerpdpwdchg utility is especially useful when you want to change the repository password on Linux and UNIX systems where the Administration Tool is not available. You cannot change the repository password when the repository is open in online mode.

After you change the repository password in the Administration Tool, you must also publish the updated repository and specify the new password in Fusion Middleware Control. Specifying the repository password in Fusion Middleware Control enables the password to be stored in an external credential store, so that the Oracle BI Server can retrieve it to load the repository.


Changing the Oracle BI Repository password using Administration Tool

1. Open the repository in the Administration Tool in offline mode.
2. Select File, then select Change Password.
3. Enter the current (old) password.
4. Enter the new password and confirm it. The repository password must be longer than five characters and cannot be empty.
5. Click OK.
6. Save and close the repository.
7. Open a Web browser and log in to Fusion Middleware Control from the computer where the updated repository is located.
8. In the navigation tree, expand Business Intelligence and then click coreapplication to display the Business Intelligence Overview page.
9. Display the Repository tab of the Deployment page.
10. Click Lock and Edit Configuration.
11. Click Browse next to Repository File. Then, select the updated repository file and click Open.
12. Enter the new (updated) repository password in the Repository Password and the Confirm Password fields.

Make sure to specify the password that has been set in the repository. If the passwords do not match, the Oracle BI Server fails to start, and an error is logged in nqserver.log.

13. Click Apply, then click Activate Changes.
14. Return to the Business Intelligence Overview page and click Restart.


Changing the Oracle BI Repository Password Using “obieerpdpwdchg” Utility

Follow these steps to change the repository password using the obieerpdpwdchg utility, and then publish the modified repository in Fusion Middleware Control:

1. Run bi-init to launch a command prompt or shell window that is properly initialized.

For example:

Linux: ORACLE_INSTANCE/bifoundation/OracleBIApplication/coreapplication/setup/bi-init.sh

Windows Client Installation: ORACLE_HOME/bifoundation/server/bin/bi-init.bat

Windows All other Installation Types: ORACLE_INSTANCE/bifoundation/OracleBIApplication/coreapplication/setup/bi-init.cmd

2. At the command prompt, type obieerpdpwdchg with the following arguments:
   o -I name_and_path_of_existing_repository
   o -O path_of_new_repository

Then, enter the current (old) password and the new password when prompted. The repository password must be longer than five characters and cannot be empty. For example:

obieerpdpwdchg -I my_repos.rpd -O my_changed_repos.rpd
Please enter the repository password: my_old_password
Please enter a new repository password: my_new_password

Note that passwords are masked on the command line unless you include the -C option to disable masking.

3. Open a Web browser and log in to Fusion Middleware Control from the computer where the updated repository is located.
4. In the navigation tree, expand Business Intelligence and then click coreapplication to display the Business Intelligence Overview page.
5. Display the Repository tab of the Deployment page.
6. Click Lock and Edit Configuration.
7. Click Browse next to Repository File. Then, select the updated repository file and click Open.
8. Enter the new (updated) repository password in the Repository Password and the Confirm Password fields.

Make sure to specify the password that has been set in the repository. If the passwords do not match, the Oracle BI Server fails to start, and an error is logged in nqserver.log.

9. Click Apply, then click Activate Changes.
10. Return to the Business Intelligence Overview page and click Restart.

Updating ESSBase Registry

Essbase Server uses a database schema password stored in the “reg.properties” file.

Change ESSBase Registry properties as follows:

The “updateRegProperties.py” is located at:

$ORACLE_BASE/products/fusionapps/bi/bifoundation/install

Syntax is:

updateRegProperties.py biHome biInstance DbUrl DbUserName DbNewPassword DbDriverClass

Run the following command to update registry:

wlst.sh $ORACLE_BASE/products/fusionapps/bi/bifoundation/install/updateRegProperties.py $BIHOME $BIINST jdbc:oracle:thin:@<dbhostname>:1592/ems2671 FUSION_BI_PLATFORM newpasss "oracle.jdbc.OracleDriver"

Where $BIHOME is $ORACLE_BASE/products/fusionapps/bi and BIInstance is <INSTANCE_DIR>/config/BIInstance/config

Change EPM Registry as follows:

$BIInstance/config/foundation/11.1.2.0/epmsys_registry.sh updateencryptedproperty HOST/database_conn/@dbPassword DbNewPassword

Example of $BIInstance is <INSTANCE_DIR>/config/BIInstance/config/foundation/11.1.2.0

Change ESSBase Monitoring Credential as follows:


Changing passwords in Oracle Metadata Repository schema

Oracle Metadata Services (MDS) repository contains metadata for the Oracle Fusion Applications and some Oracle Fusion Middleware component applications. The schema passwords are stored in the Oracle database. Since MDS is configured to use JDBC data sources, no action is required.

Changing Node Manager Password

The Node Manager account authenticates the connection between a client (for example, the Administration Server) and Node Manager. In an Oracle Fusion Applications installation, this user is specified on the Installation Location page of the Provisioning Wizard.

Please consult the "Specify Node Manager Username and Password" section in the Oracle Fusion Middleware Node Manager Administrator's Guide for Oracle WebLogic Server.


Changing BI System User Password

The BISystemUser account provides access to the Oracle Business Intelligence system components.

Please consult "Default Users and Passwords" section in the Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition.

Changing the Oracle Internet Directory Database Password

The Oracle Internet Directory uses a password when connecting to its own designated Oracle database. The default for this password when you install Oracle Internet Directory is the same as that for the Oracle Fusion Middleware administrator. You can change this password by using oidpasswd.

The following example shows how to change the Oracle Internet Directory database password, assuming the database is on the same machine.

oidpasswd connect=dbs1 change_oiddb_pwd=true
current password: oldpassword
new password: newpassword
confirm password: newpassword
password set.

Changing the OID Super user Password by Using Fusion Middleware Control

To change the password for the superuser by using Oracle Enterprise Manager Fusion Middleware Control:

1. Select Administration, then Shared Properties from the Oracle Internet Directory menu.
2. Click the Change Superuser Password tab.
3. Specify the old password.
4. Specify the new password.
5. Confirm the new password.
6. Click Apply.

Changing the Superuser password Using ldapmodify

To set or modify a user name or password for the superuser, use ldapmodify to modify the attribute orclsuname or orclsupassword, respectively, in the DSE root. Changing the user name of the superuser can have serious repercussions and is not recommended.

To change the password of the superuser to superuserpassword, use an LDIF file such as the following:

dn:
changetype:modify
replace:orclsupassword
orclsupassword:superuserpassword

Changing the Password for the ODSM Administrator Account

Oracle Internet Directory connects to its Oracle Database, using the password specified for the ODS schema during schema creation. It also connects to retrieve its metrics using the ODSSM schema password, given during schema creation as well. The Oracle Enterprise Manager Fusion Middleware Control default password, at the end of install, is the same as the ODSSM password.

To change the password for the ODSSM administrator, you must change it in the Oracle Database and then change it on both the WebLogic domain server and on each Oracle instance in the domain. Use the following procedure:

1. Use SQLPlus or a similar tool to alter the password in the database.
2. Invoke wlst and connect to the WebLogic server.
3. java weblogic.WLST
4. connect('weblogic', 'weblogic_user_password', 'protocol:host:port')
5. Run the following WLST command:
6. updateCred(map='odssm', key='ODSSM_instance_name', password='newpassword', user='ODSSM')
7. On each Oracle instance in the WebLogic domain, execute the following command line:
8. ORACLE_HOME/ldap/bin/oidcred odssm update [instanceName]
9. Update the component registration of the Oracle instance, as described in "Updating the Component Registration of an Oracle Instance by Using opmnctl".

Restart Fusion Applications

Restore the User Profiles in the Oracle Database and restart the Oracle Fusion Applications Environment

Please bounce all Managed Servers after the tool runs, so that the Managed Servers read the updated configuration information.

To restart the Managed Servers:

1. Restore values of user profiles in the Oracle Database:
   a. Log in to the database as a user with DBA privileges.
   b. Alter the default profile to have unlimited login attempts. The following syntax assumes the original value was 10.
   c. ALTER PROFILE default LIMIT FAILED_LOGIN_ATTEMPTS 10;
   d. Restore the SEARCHSYS_PROF. The following syntax assumes the original value was 10.
   e. ALTER PROFILE SEARCHSYS_PROF LIMIT FAILED_LOGIN_ATTEMPTS 10;
2. Shut down the Administration Servers.
3. Start all the Admin and Managed Servers. Please consult the following doc to start/stop Fusion Applications using “fastartstop” utility.
4. Start all “opmn” processes such as BI, GOP, etc. depending on your Fusion Applications installation type.
5. Start Oracle HTTP Server, so users can resume sending requests.


Appendix A – Fusion Apps RUP1 Schema

These are the database schemas implemented based on Fusion Applications RUP1 (New schemas could be added in later Fusion Apps versions).

CRM_FUSION_MDS_SOA
CRM_FUSION_SOAINFRA
FIN_FUSION_MDS_SOA
FIN_FUSION_SOAINFRA
FUSION
FUSION_ACTIVITIES
FUSION_APM
FUSION_AQ
FUSION_BI
FUSION_BIPLATFORM
FUSION_DISCUSSIONS
FUSION_DISCUSSIONS_CRAWLER
FUSION_DQ
FUSION_DYNAMIC
FUSION_IPM
FUSION_MDS
FUSION_MDS_ESS
FUSION_MDS_SPACES
FUSION_OCSERVER11G
FUSION_ODI
FUSION_ODI_STAGE
FUSION_ORA_ESS
FUSION_ORASDPLS
FUSION_ORASDPM
FUSION_ORASDPSDS
FUSION_ORASDPXDMS
FUSION_OTBI
FUSION_PORTLET
FUSION_RUNTIME
FUSION_WEBCENTER
HCM_FUSION_MDS_SOA
HCM_FUSION_SOAINFRA
OIC_FUSION_MDS_SOA
OIC_FUSION_SOAINFRA
PRC_FUSION_MDS_SOA
PRC_FUSION_SOAINFRA
PRJ_FUSION_MDS_SOA
PRJ_FUSION_SOAINFRA
SCM_FUSION_MDS_SOA
SCM_FUSION_SOAINFRA
SEARCHSYS
SETUP_FUSION_MDS_SOA
SETUP_FUSION_SOAINFRA


Appendix B – Sample Python script

import sys
import os
import ConfigParser
import time
from datetime import datetime

# sample WebLogic administrator credentials and input-file section/property names
_wlsUsername = 'weblogic_fa'
_wlsPassword = 'Welcome1'
_domainT3UrlProperty = 'domain.url.t3'
_wlstSectionName = 'WLS'
_schemaSectionName = 'SCHEMAS'
_servicenameName = 'servicename'
_fusionruntimeName = 'fusion_runtime'
_fsSectionName = 'CommonDomain'

def updateDatasourcesInOneDomain(_wlsUsername, _wlsPassword, _domainT3Url, _parser):
    connect(_wlsUsername, _wlsPassword, _domainT3Url)
    _dsNames = ls('/JDBCSystemResources', returnMap='true', returnType='c')
    edit()
    startEdit()
    for _dsName in _dsNames:
        jdbcSR = lookup(_dsName, "JDBCSystemResource")
        theJDBCResource = jdbcSR.getJDBCResource()
        driverParams = theJDBCResource.getJDBCDriverParams()
        driverProperties = driverParams.getProperties()
        # update schema password if schema user is specified in the input file
        _userprop = driverProperties.lookupProperty('user')
        _userval = _userprop.getValue()
        #print '***user is:' + _userval
        if _parser.has_option(_schemaSectionName, _userval):
            print '*** Updating the password of datasource ' + _dsName + ' (username=' + _userval + ')'
            _dbPassword = _parser.get(_schemaSectionName, _userval)
            # the new password is not printed, so it does not end up in console output or logs
            driverParams.setPassword(_dbPassword)
    # save and activate the edit session once all datasources have been processed
    save()
    activate(block="true")
    disconnect()

# read the input file
try:
    _inputFile = sys.argv[1]
    print '*** Reading ' + str(_inputFile) + '...'
    _parser = ConfigParser.ConfigParser()
    # keep option names case-sensitive so they match the schema user names
    _parser.optionxform = str
    _parser.read(_inputFile)
except:
    print '* Error:'
    sys.exit(2)

# update the datasource passwords
for _sectionName in _parser.sections():
    if _parser.has_option(_sectionName, _domainT3UrlProperty):
        # get domain t3 url
        _domainT3Url = _parser.get(_sectionName, _domainT3UrlProperty)
        print '*** Retrieved ' + _sectionName + ' domain t3 url: ' + _domainT3Url
        try:
            print '************Update Datasource password'
            updateDatasourcesInOneDomain(_wlsUsername, _wlsPassword, _domainT3Url, _parser)
        except:
            dumpStack()
            sys.exit(1)
        print '***Successfully updated datasource '

exit()


Appendix C – Sample Input file for Fusion Applications Schemas

[SCHEMAS]

#

# Passwords for all schemas in the Fusion Apps database which

# are used by Fusion Apps and could have corresponding

# data sources or CSF entries.

#

# Used to update data sources and CSF entries to contain

# the new schema passwords.

#

# This list is static for a given Fusion Apps version.

# New schemas could be added in later Fusion Apps versions.

# -------------------------------------------------------------

#

CRM_FUSION_MDS_SOA=crm_fusion_mds_soa

CRM_FUSION_SOAINFRA=crm_fusion_soainfra

FIN_FUSION_MDS_SOA=fin_fusion_mds_soa

FIN_FUSION_SOAINFRA=fin_fusion_soainfra

FUSION=fusion

FUSION_ACTIVITIES=fusion_activities

FUSION_APM=fusion_apm

FUSION_AQ=fusion_aq

FUSION_BI=fusion_bi

FUSION_BIPLATFORM=fusion_biplatform

FUSION_DISCUSSIONS=fusion_discussions

FUSION_DISCUSSIONS_CRAWLER=fusion_discussions_crawler

FUSION_DQ=fusion_dq

FUSION_DYNAMIC=fusion_dynamic

FUSION_IPM=fusion_ipm

FUSION_MDS=fusion_mds

FUSION_MDS_ESS=fusion_mds_ess

FUSION_MDS_SPACES=fusion_mds_spaces

FUSION_OCSERVER11G=fusion_ocserver11g

FUSION_ODI=fusion_odi

FUSION_ODI_STAGE=fusion_odi_stage

FUSION_ORA_ESS=fusion_ora_ess

FUSION_ORASDPLS=fusion_orasdpls

FUSION_ORASDPM=fusion_orasdpm

FUSION_ORASDPSDS=fusion_orasdpsds

FUSION_ORASDPXDMS=fusion_orasdpxdms

FUSION_OTBI=fusion_otbi

FUSION_PORTLET=fusion_portlet

FUSION_RUNTIME=fusion_runtime

FUSION_WEBCENTER=fusion_webcenter

HCM_FUSION_MDS_SOA=hcm_fusion_mds_soa

HCM_FUSION_SOAINFRA=hcm_fusion_soainfra

OIC_FUSION_MDS_SOA=oic_fusion_mds_soa

OIC_FUSION_SOAINFRA=oic_fusion_soainfra

PRC_FUSION_MDS_SOA=prc_fusion_mds_soa

PRC_FUSION_SOAINFRA=prc_fusion_soainfra

PRJ_FUSION_MDS_SOA=prj_fusion_mds_soa

PRJ_FUSION_SOAINFRA=prj_fusion_soainfra

SCM_FUSION_MDS_SOA=scm_fusion_mds_soa

SCM_FUSION_SOAINFRA=scm_fusion_soainfra

SEARCHSYS=searchsys

SETUP_FUSION_MDS_SOA=setup_fusion_mds_soa

SETUP_FUSION_SOAINFRA=setup_fusion_soainfra

SYS=sys

#

# The [*Domain] sections list all Fusion Apps WLS domains that contain

# data sources to be updated.

#

# The list will not change in a given Fusion Apps release, but could

# change in future releases.

# -------------------------------------------------------------

#


[CommonDomain]

#

# The WLS admin URL for the Common Domain

#

domain.url.t3=t3://fa-internal.us.oracle.com:7001

[FinancialDomain]

# The WLS admin URL for the Financials Domain

domain.url.t3=t3://fa-internal.us.oracle.com:7401

[SCMDomain]

# The WLS admin URL for the SCM Domain

domain.url.t3=t3://fa-internal.us.oracle.com:7801

[HCMDomain]

# The WLS admin URL for the HCM Domain

domain.url.t3=t3://fa-internal.us.oracle.com:9401

[CRMDomain]

# The WLS admin URL for the CRM Domain

domain.url.t3=t3://fa-internal.us.oracle.com:9001

[PRJDomain]

# The WLS admin URL for the PRJ Domain

domain.url.t3=t3://fa-internal.us.oracle.com:8601

[BIDomain]

# The WLS admin URL for the BI Domain

domain.url.t3=t3://fa-internal.us.oracle.com:10201

[oracle.apps.security]

#

# CSF key names and corresponding schema names for the CSF map

# oracle.apps.security.

#

# Used to update the password stored along with the schema name

# for each listed CSF entry.

#

# You should not need to change these values.

# -------------------------------------------------------------

#

FUSION_APPS_ECSF_SES_ADMIN-KEY=SEARCHSYS

FUSION-DB-KEY=FUSION_RUNTIME

[oracle.patching]

#

# CSF key names and corresponding schema names for the CSF map

# oracle.patching.

#

# Used to update the password stored along with the schema name

# for each listed CSF entry.

#

# You should not need to change these values.

# -------------------------------------------------------------

#

FUSION_ACTIVITIES-KEY=FUSION_ACTIVITIES

FUSION_APM-KEY=FUSION_APM

FUSION_APPS_BIPLATFORM-KEY=FUSION_BIPLATFORM

FUSION_APPS_CRM_MDS_SOA_SCHEMA-KEY=CRM_FUSION_MDS_SOA

FUSION_APPS_CRM_SOAINFRA-KEY=CRM_FUSION_SOAINFRA

FUSION_APPS_DBA-KEY=SYS

FUSION_APPS_FIN_MDS_SOA_SCHEMA-KEY=FIN_FUSION_MDS_SOA

FUSION_APPS_FIN_SOAINFRA-KEY=FIN_FUSION_SOAINFRA

FUSION_APPS_HCM_MDS_SOA_SCHEMA-KEY=HCM_FUSION_MDS_SOA

FUSION_APPS_HCM_SOAINFRA-KEY=HCM_FUSION_SOAINFRA

FUSION_APPS_MDS-KEY=FUSION_MDS

FUSION_APPS_MDS_ESS-KEY=FUSION_MDS_ESS

FUSION_APPS_MDS_SPACES-KEY=FUSION_MDS_SPACES


FUSION_APPS_ODI_SCHEMA-KEY=FUSION_ODI

FUSION_APPS_OIC_MDS_SOA_SCHEMA-KEY=OIC_FUSION_MDS_SOA

FUSION_APPS_OIC_SOAINFRA-KEY=OIC_FUSION_SOAINFRA

FUSION_APPS_PATCH_FUSION_DYNAMIC_SCHEMA-KEY=FUSION_DYNAMIC

FUSION_APPS_PATCH_FUSION_RUNTIME_SCHEMA-KEY=FUSION_RUNTIME

FUSION_APPS_PATCH_FUSION_SCHEMA-KEY=FUSION

FUSION_APPS_PRC_MDS_SOA_SCHEMA-KEY=PRC_FUSION_MDS_SOA

FUSION_APPS_PRC_SOAINFRA-KEY=PRC_FUSION_SOAINFRA

FUSION_APPS_PRJ_MDS_SOA_SCHEMA-KEY=PRJ_FUSION_MDS_SOA

FUSION_APPS_PRJ_SOAINFRA-KEY=PRJ_FUSION_SOAINFRA

FUSION_APPS_SCM_MDS_SOA_SCHEMA-KEY=SCM_FUSION_MDS_SOA

FUSION_APPS_SCM_SOAINFRA-KEY=SCM_FUSION_SOAINFRA

FUSION_APPS_SETUP_MDS_SOA_SCHEMA-KEY=SETUP_FUSION_MDS_SOA

FUSION_APPS_SETUP_SOAINFRA-KEY=SETUP_FUSION_SOAINFRA

FUSION_APPS_UCM-KEY=FUSION_OCSERVER11G

FUSION_APPS_WEBCENTER-KEY=FUSION_WEBCENTER

FUSION_ORA_ESS-KEY=FUSION_ORA_ESS

SEARCHSYS-KEY=SEARCHSYS

[oracle.bi.enterprise]

#

# CSF key names and corresponding schema names for the CSF map

# oracle.bi.enterprise.

#

# Used to update the password stored along with the schema name

# for each listed CSF entry.

#

# You should not need to change these values.

# -------------------------------------------------------------

#

scheduler.schema=FUSION_BIPLATFORM


Oracle Fusion Applications:

Managing Passwords

May 2012

Author: Jack Desai, A-Team
