FNDCPASS

42913 Document Display

httpssupportoraclecomepmosfacesuikmSearchDocDisplayjspx_adfctrl-state=18dxyccwg2_9 122

FNDCPASS Troubleshooting Guide For Login and Changing Applications Passwords [ID13069381]

Modified Mar 27 2013 Type HOWTO Status PUBLISHED Priority 1

In this Document

Goal

Fix

1 Error Starting Application Services After Changing APPS Password Using FNDCPASS

2 Log In Fails With You Dont Have Permission To Access plsfnd_icx_launchlaunch On This Server

3 APP-FND-01564 ORACLE Error 6550 In changepassword With PortalLogin ServerSSO After Patch

4 FNDCPASS Not Able To Decrypt Password For APPLSYSPUB When Changing The APPS Password

5 Changing APPS Password Using FNDCPASS Gives not able to decrypt password Message

6 FNDCPASS Fails Changing Database Password APP-FND-02704 APP-FND-01564 ORA-01403

7 FNDCPASS Fails With ORA-01017 invalid usernamepassword logon denied

8 adpatch Errors The Given ORACLE Password Is Not The Correct Password

9 APP-FND-01496 Received When Changing The APPLSYS Password With FNDCPASS

10 Using FNDCPASS With The ALLORACLE Option Why Doesnt It Change All User Passwords

11 Fndcpass Fails with 500 Internal Server Error After Migrating Database From Hp-Ux To Linux

12 FNDCPASS Fails with APP-FND-02702 and APP-FND-02704

13 APP-FND-00434 Unable to Change Password Using FNDCPASS Utility

14 FNDCPASS Gives APP-FND-01502 Cannot Encrypt Application ORACLE Password

15 Why FNDCPASS Fails With ORA-01005 Using Underscore or Dollar Sign in Passwords

16 FNDCPASS-CANNOT DECRYPT For Some Users

17 Db Links Are Invalid After Changing The Apps User Password With FNDCPASS

18 Is PASSWORD_VERIFY_FUNCTION Compatible with FNDCPASS in E-Business Suite

19 ORA-29541 Unable to Change Password Using FNDCPASS Utility

20 FNDCPASS Updates FND_USERLAST_LOGON_DATE with SYSDATE

21 Why arent users forced to changereset passwords during next login after running FNDCPASS

22 FNDCPASS Was Not Able to Decrypt Password for User ABC During APPLSYS Password Change

23 FNDCPASS was not able to decrypt password for User Name during APPLSYS password change

24 APP-FND-01496 Results From FNDCPASS Chaning The APPLSYS password

25 APP-FND-1238 Cannot set value for field USERENCRYPTED_USER_PASSWORD

26 FRM-40200 Changing Users Password With The System Administrator Responsibility

27 Signon Password Failure Limit Is Reached Unlocking Queries

28 APP-FND-02704 APP-FND-01564 ORA-01403 changepassword Errors In Custom Schema

29 FND Invalid Hash mode detected for user_id = ampUSERID When Changing Password

30 After 1213 Upgrade FNDCPASS Fails Was Not Able To Decrypt Password For User Username DuringApplsys Password Change

31 APP-FND-01564 ORACLE error 6502 in changepassword

32 Unable To Change APPLSYS Password Using FNDCPASS In Applications 1213

Diagnostics amp Utilities Community

References



Applies to

Oracle Application Object Library - Version 1159 to 1213 [Release 115 to 121]Information in this document applies to any platform

Goal

This is a consolidation of Top Documents to provide a Single Source for troubleshooting common problems withFNDCPASS

Fix


ErrorCannot complete applications logon You may have entered an invalid applications password or there may havebeen a database connect error

From the error its confirmed that the APPS password did not change correctly Sometimes when changing the APPSpassword using FNDCPASS with a new APPS password if able to log into SQLPLUS as the apps user then its thoughtthat the password has changed correctly In every scenario this is not true If able to connect th SQLPLUS with thenew APPS password then it doesnt verify new APPS password completely It is just one test for new APPS passwordsIf able to start application services successfully then one can confirm that the APPS password has changedsuccessfully

Points to keep in mind when changing the APPS password using the FNDCPASS utility

Point 1 Changing APPS password using an alter user command is not supported and should not be used forchanging the apps password in any case

Point 2 Always use FNDCPASS to change the APPS password For an improved solution to FNDCPASS as ofR1212 click here

Point 3 Before changing APPS password it is strongly recommended to take a backup of FND_USER andFND_ORACLE_USERID

Point 4 Always check FNDCPASS log for any kind of error If there is any error in the FNDCPASS log then DONOT run autoconfig or try to change configuration file manually Until and unless FNDCPASS log has no errorplease do not run autoconfig as you will get problem while logging in oracle application

Point 5 If getting any error in the FNDCPASS log then either replace from an original backup with FND_USER andFND_ORACLE_USERID to log into Applications or raise an SR to support with the FNDCPASS log

1 If autoconfig was not run did not make any change in configuration file manually and also have a valid backup ofFND_USER and FND_ORACLE_USERID table then recover from the original backup Start application services



If a valid backup of the FND_USER and FND_ORACLE_USERID table does not exist then an exportimport of tableFND_USER and FND_ORACLE_USERID from a Instance that has the same patchset level must be used becauseautoconfig was not run If the patchset level is not same then the exportimport of the tables will not work Forexample If facing the issue on a newly cloned instance then exportimport the source instance from which the cloneinstance was made

2 If a valid backup of FND_USER and FND_ORACLE_USERID table exists but have already run autoconfig then theapplication services cannot be started Once autoconfig is run then replacing the original backup of FND_USER andFND_ORACLE_USERID table will not work

In this case a backup of the FND_USER and FND_ORACLE_USERID table is not valid because autoconfig was alreadyrun and hence only two options left

A Follow the procedure mentioned in the below note to remove database credentials

Note 4194751 Removing Credentials from a Cloned EBS Production Database

B Do a fresh clone (In case the issue exists in a test instance)

4 One should able to start application services without any error If able to start the application services without anyerror but still are not able to log in then check a direct forms log in

For Release 11i httplthostnamegtltportgtdev60cgif60cgiFor Release 12 httplthostnamegtltportgtformsfrmservletFor direct forms logging below parameter in CONTEXT file should be set to OFF If it is not set to OFF then makebelow changes and run autoconfig

ltappserverid_authentication oa_var=s_appserverid_authenticationgtOFFltappserverid_authenticationgt

5 Once able to log in in forms mentioned in step 4 but still personal home page log in is not working then itsconfirmed that the issue is now with personel home page log in only and no issue with the APPS password

Run AOLJ Test Use below URL to run AOLJ Test httplthostnamegtltportgtOA_HTMLjspfndaoljtestjsp

2 Log In Fails With You Dont Have Permission To Access plsfnd_icx_launchlaunch On ThisServer

The apps account is locked from repeatedly running FNDCPASS or logging into sqlplus as apps using the wrongpassword

To implement the solution execute the following steps

1 Log-in as system owner and run

SQLgt alter profile DEFAULT limit failed_login_attempts unlimited

SQLgt alter user apps account unlock

The first line (optional) results in preventing repeated failed log in attempts from locking the accountThe second line (required) simply unlocks the apps account



2 Restart the services

3 APP-FND-01564 ORACLE Error 6550 In changepassword With PortalLogin ServerSSO AfterPatch

APP-FND-01564 ORACLE error 6550 in changepasswordCause changepassword failed due to ORA-06550 line 1 column 7PLS-00201 identifier FND_SSO_REGISTRATIONIS_OPERATION_ALLOWED must be declaredORA-06550 line 1 column 7PLSQL Statement ignored

ORA-06512 at APPSFND_LDAP_WRAPPER line 1190

To implement the solution execute the following step

1 For instances integrated with Portal 309 from ATG_PFHRUP3 and above the profile option Applications SSO LDAPSynchronization (APPS_SSO_LDAP_SYNC) needs to be set to Disabled

4 FNDCPASS Not Able To Decrypt Password For APPLSYSPUB When Changing The APPSPassword

The APPS password appears to have been successfully updated and Autoconfig runs without issueHowever Discoverer users have authentication problems

The issue is caused by a data corruption issue in the fnd_user table


1 Use FNDCPASS to reset the APPLSYSPUB password

eg FNDCPASS appsltpasswordgt 0 Y systemltpasswordgt ORACLE APPLSYSPUB PUB

2 Retest for the issue


Found in log

FNDCPASS was not able to decrypt password for lttestuser1gt during applsys password changeFNDCPASS was not able to decrypt password for lttestuser2gt during applsys password change

The profile option Applications SSO Login Types is set to SSO

Because the profile Applications SSO Login Types is set to SSO the password is maintained by Oracle InternetDirectory - OID and not Applications FNDCPASS cannot update the OID data directly

The FND_USER table record has the value EXTERNAL in the encrypted password columns

This can be confirmed using the following SQL



select user_id encrypted_foundation_password encrypted_user_passwordfrom fnd_userwhere user_name = User Name from FNDCPASS log


1 Set the profile Applications SSO Login Types to Both or LocalThen change the identified User password using the Security User Define form

2 Ignore the message and remember that the password is managed externally

NoteAs long as the table value is EXTERNAL the FNDCPASS utility will display the messages in the log


Note It has been reported that the error may occur if the password starts with a number

FNDCPASS apps 0 Y system ORACLE HR HRAPP-FND-02704 Unable to alter user HR to change passwordAPP-FND-01564 ORACLE error 1403 in changepassword

Cause changepassword failed due to ORA-01403 no data found

The SQL statement being executed at the time of the error was and was executed from thefile ampERRFILE

The database profile DEFAULT was changed for the resource PASSWORD_REUSE_MAX


1 Revert back the resource of the database profile DEFAULT as

FAILED_LOGIN_ATTEMPTS to UNLIMITEDPASSWORD_REUSE_MAX to UNLIMITEDPASSWORD_LOCK_TIME to UNLIMITEDPASSWORD_GRACE_TIME to UNLIMITEDPASSWORD_VERIFY_FUNCTION to NULL

2 Re-run FNDCPASS

NOTE The issue is not always with DEFAULT profile It depends on the profile assigned to the user where thecommand is failing Check this with

select profile from dba_users where username=ltuser with the errorgt

Ex

select profile from dba_users where username=HR

After finding the profile one should set the options for this profile to UNLIMITED AS it is not always the DEFAULT



profile


Upgraded to Applications release 120 and database from 10202 to 11106

The database SEC_CASE_SENSITIVE_LOGON parameter defaults to TRUE When this occurs the passwordsensitivity conversion does not occur Passwords that are input as lower case are automatically updated as uppercase


1 For Applications 11i with database 11g Patch 6372396 is needed which is included in 11iATG_PFHRUP7 (Patch6241631)

WORKAROUND

1 Set the database SEC_CASE_SENSITIVE_LOGON parameter to FALSE in the initora

2 Run autoconfig on the application tiers and bounce the database


FNDCPASS fails with

WorkingAPP-FND-01496 Cannot access application ORACLE password

Cause Application Object Library was unable access your ORACLE password

Action Contact your support representative (USER=TWOODS)APP-FND-01496 Cannot access application ORACLE password

Issue caused by user password corruption which resulted in failure when running FNDCPASS in an attempt to re-encrypt the APPLSYS password


1 Use FNDCPASS to update each failing User password individually

FNDCPASS appsltpasswordgt 0 Y systemltpasswordgt ORACLE ltoracle usergt ltnew passwordgt

Ex FNDCPASS appsltpasswordgt 0 Y systemltpasswordgt ORACLE GL GLPASSWORD

2 Rerun FNDCPASS again to successfully alter the APPLSYS password



FNDCPASS appsltpasswordgt 0 Y systemltpasswordgt SYSTEM APPLSYS ltnew passwordgt

Ex $FNDCPASS appsltpasswordgt 0 Y systemltpasswordgt SYSTEM APPLSYS NEWPASSWORD

NOTE Changing the APPLSYS password automatically changes the APPS password to match as these two must alwaysagree


APP-FND-01496 Cannot access application ORACLE passwordCause Application Object Library was unable access your ORACLE password

The ALTER command was run manually against the APPS user before running FNDCPASS The APPS and APPLSYSuser passwords must be identical


1 Run the ALTER command against the APPS and APPLSYS users in sqlplus to change back to the old passwords

sqlgtALTER USER APPLSYS IDENTIFIED BY XXX

sqlgtALTER USER APPS IDENTIFIED BY XXX

2 Afterwards run FNDCPASS



Note Changing the APPLSYS password automatically changes the APPS password to match as these two must alwaysagree


To implement the solution reference the following

Usernames must appear in the FND_USER or FND_ORACLE_USERID tables The FNDCPASS utility and ALLORACLEfunctionality was designed for applications usersschemas

The following username passwords must be manually changed

Account Name--------------------------------ABMAHMAMF



CSSCUECUNDBSNMPEAAEVMFPTIBAIMTIPDJUNK_PSMDSYSMEODMODM_MTROKBOKOOKROLAPSYSORDPLUGINSORDSYSOUTLNOWAPUBOZPOZSRHXRLASCOTTSSOSDKSYSVEHXNCXNIXNMXNS

alter user XNS identified by password

For IBA IMT IPD ODM_MTR OKB OKO OKR OLAPSYS ABM AHM VEH XNC XNI XNM XNS RHX RLA schemasare part of the 6th category FNDCPASS should not be used

Also development mentioned this

Internal Bug 5394202 ARE1207ALL SCHEMAS PASSWORD NOT GETTING CHANGED FNDCPASS The 38 users listed above do not exist in FND_ORACLE_USERID or FND_USER tables FNDCPASS is not intended to change passwords for users who do not exist in these tables

For the users which are absent in FND_ORACLE_USERID you can change the password using alter command




When attempting to log in to a R12 instance after migrating the database from HP to Linux following the steps inNote 4546161 the following error occurs

500 Internal Server ErrororacleappsfndcacheCacheExceptionat oracleappsfndcacheAppsCacheget(AppsCachejava228)

The issue can be reproduced at will by attempting to log in

Password Hash Migration (FNDCPASS USERMIGRATE) done prior to the data migration

The cause of this issue is that the FND_USER_PREFERENCES table did not get exported properly due to passwordhash migration not being covered or accounted for in the existing procedure


1 Export of the fnd_user_preferences table separately using

$ exp systemltPWDgt TABLES=(APPLSYSFND_USER_PREFERENCES) COMPRESS=Y DIRECT=YFILE=fnd_user_preferencesdmp LOG=exp_fnd_user_preferenceslog

2 Import the Applications database target 3 Import of the fnd_user_preferences table separately

$ imp systemltPWDgt FILE=fnd_user_preferencesdmp LOG=imp_fnd_user_preferenceslog TABLES=FND_USER_PREFERENCES FROMUSER=APPLSYS IGNORE=Y

4 Reset Advanced Queues ( Note 3622051 - Section 5) 5 Run adgrants (Note 3622031 - After the Database Upgrade) 6 Run adctxprvsql (Note 3622031 - After the Database Upgrade) 7 Compile Invalid Objects running adadmin8 Implement and run Autoconfig ( Note 3622031) 9 Gather Statistics for SYS schema (Note 3622031 - After the Database Upgrade) 10 Create ConText and Spatial Objects (Note 3622051 - Section 5) 11 Compile Invalid Objects (Note 3622051 - Section 5) 12 Maintain Applications database objects (Note 3622051 - Section 5) 13 Restart Applications Server Processes (Note 3622051 - Section 5)


Followed Note4568381 and found a number of accounts that are database users with passwords equal todatabase users but those do not seem to be registered as Oracle SchemasUsers

FNDCPASS ends with the following error

APP-FND-02702 ABM is not a valid oracle user



The list includes ABM AMF CSS CUE CUN EAA EVM FPT IBA IMT IPD ME OKB OKO OKR OZP OZS RHXRLA VEH XNC XNI XNM XNS

Also tried to change password for EDWREP user which is not a Database user but is defined as OracleSchemaUser and FNDCPASS errored with

APP-FND-02704 Unable to alter user EDWREP to change password


1 EDWREP is not in the table DBA_USERS nor in FND_USER so there is no password to change for this user as thereis no possible connection to this user This is explained in Orion Note 4312721 EDWREP can be ignored as it is notan Oracle user nor an APPS user ( FND_USER )

2 The list of others users provided ( ABM ) is not in the table fnd_oracle_userid so it cannot be changed withFNDCPASS thats the normal behavior

Note 4619041 explains that ABM is now obsoleted

Some ApplicationsProducts are obsoleted in release 12

cun amf jts xni oko okb ahm imt veh rla rhx ozs ozp iba cue okr fpt xns xnc xnm css me zfa zsa rcmipd evm abm eaa

As obsoleted using the alter command can be used to safely change the password of the above users


When attempting to change the password of any applicationdatabase user using FNDCPASS the following erroroccurs

ErrorAPP-FND-00434 AFPRCPFailed to initialize profile option values FDWHOAMI environment variable containsinvalid value 5 for user ID

Step to ReproduceChange password of application user VISION using below FNDCPASS commandFNDCPASS appsapps 0 Y systemmanager USER VISION WELCOME

Seeded application user APPSMGR is not present in FND_USER table USER_ID of application user APPSMGR is5 That is why when you are trying to change the password of any applicationdatabase user using FNDCPASSutility then it errors out with invalid value 5 for user ID (see the error)

To implement the solution please execute the following steps

1 If a backup of the FND_USER table exists then restore the record for USER_ID=5 from the backup table to theexisting FND_USER table



Connect to SQLPLUS as APPS user

SQLgt insert into FND_USER select from FND_USER_BAK where USER_ID=5

Where FND_USER_BAK is backup table of FND_USER table

If a backup of the FND_USER table does not exist then thedata for the APPSMGR user must be inserted using thebelow SQL


SQLgt INSERT INTO FND_USER(USER_IDUSER_NAMELAST_UPDATE_DATELAST_UPDATED_BYCREATION_DATECREATED_BYLAST_UPDATE_LOGIN ENCRYPTED_FOUNDATION_PASSWORDENCRYPTED_USER_PASSWORDSESSION_NUMBERSTART_DATEEND_DATEDESCRIPTION)VALUES(5APPSMGRTO_DATE(10272004 60051 PMMMDDYYYY HHMISS PM) 0TO_DATE(0521198760051 PMMMDDYYYY HHMISS PM)10INVALIDINVALID0TO_DATE(01011951 60051 PMMMDDYYYYHHMISS PM)NULLUser for routine maintenance activities scheduled as concurrent requests Should be used for prescheduled requests and for requests submitted at the time of patching applications)

SQLgt Commit

2 Retest the issue

3 Migrate the solution as appropriate to other environments

DO NOT delete any seeded data from any of seeded table For example APPSMGR is a seeded application userand should not delete this record from the FND_USER table Deletion of seeded records from any seeded table isnot supported


APP-FND-01502 Cannot encrypt application ORACLE passwordApplication Object Library was unable encrypt your ORACLE passwordAction Contact your support representative (ORACLEUSER=APPS_SERV)

The table fnd_oracle_userid contain rows for schemas that does not exist Those rows must be deletedfrom the table




1 Execute the following select statement

select from fnd_oracle_useridwhere oracle_username not in

(select username from all_users)

If this returns any rows then delete them



Using the Underscore ( _ ) or Dollar Sign ( $ ) as well as Parentheses ( ) and Comma ( ) will cause the followingerror to be generated

Routine AFPCSQ encountered an ORACLE error ORA-01005 null password given logon deniedReview your error messages for the cause of the error (=ltPOINTERgt)

Only alphanumeric characters should be for passwords Bug 5239293 - UNABLE USE THE PUNCTUATION MARK INFNDCPASS UTILITY has been logged to address using special characters such as the _ and $


Getting error messages like

FNDCPASS-CANNOT DECRYPT (USER=CONCURRENT MANAGER)FNDCPASS-CANNOT DECRYPT (USER=ANONYMOUS)FNDCPASS-CANNOT DECRYPT (USER=APPLSYSPUB)

Patch (5846796) was created to fix the fnd_web_secvalidate_password to use the SIGNON_PASSWORD_CASEprofile setting for establishing new password criteria

According to Development Patch 5846796 will not be available standalone


1 Customers should apply 11iATG_PFHdelta6 (RUP 6) Patch 5903765 for this issue

WorkaroundThe error messages should disappear setting the System Profile Password Case Option to Insensitive





1 Since changing the apps password all the db links should have the new APPS password RunAutoConfig after changing the APPS password and this will update all Please note that there is no need to runautoconfig each time FNDCPASS is run only if changing any of the following users

- APPLSYS- APPS- APPS_MRC- APPLSYSPUB- PORTAL30 amp PORTAL30_SSO (For Oracle Log in Server and Portal 309 with E-Business Suite 11i)



1 Log a service request requesting to attach it to the existing enhancement Once this is done the service request willbe closed as its unknown when the enhancement will be integrated into Applications

2 Follow Enhancement Request Bug 3363011


Oracle error -29541 ORA-29541 class APPSoracleappsfndsecurityWebSessionManagerProc could not beresolved has been detected in FND_WEB_SECVALIDATE_PASSWORD


1 Unzip RDBMS $ORACE_HOMErdbmsjlibservletjar to a temporary location

2 cd to the lttemp locationgtjavaxservlet

loadjava -u sysltsyspwdgt -v -f -r ServletRequestclass

3 cd to the lttemp locationgtjavaxservlethttp

loadjava -u sysltsyspwdgt -v -f -r HttpServletRequestclass

4 If the above load is successful then try to compile the following java classes in this order

69cdcac5_URLTools9bcc02c9_GenericFileManager98ca471e_GenericFileManager7ef1f61b_AppsContextbe1b2bb2_ErrorStack4cc59dc8_AppsException4f323587_DataVerificationExceb3e79110_HTTPData50e4719a_AolSecurity3906534f_WebSessionManagerProc

For example



SQLgt conn appsappsConnected

SQLgt alter java class 69cdcac5_URLTools resolve

Java altered

5 Retest the issue


The FND_USERLAST_LOGON_DATE table is getting reset with SYSDATE when FNDCPASS command is run tochange the apps password on the database

Changing APPS APPLSYS and Oracle Apps schema passwords is updating FND_USERLAST_LOGON_DATE forApplication Users

eg FNDCPASS appsltpassgt 0 Y systemltpassgt SYSTEM APPLSYS ltnew passgt


1 The official fix is included in RUP7 Patch 6241631

As a workaround please disable the trigger

1 Connect to the apps schema using sqlplus

2 Alter trigger FND_USER_RESET DISABLE

21 Why arent users forced to changereset passwords during next login after runningFNDCPASS

This is expected functionality FNDCPASS does not force the user to reset their passwords during the next log in Users wanting to resetchange their passwords upon change should do so through the FNDSCAUSfmb (Define User)form When a password is changed in the Define User form the user is forced to reset their password

22 FNDCPASS Was Not Able to Decrypt Password for User ABC During APPLSYS PasswordChange

When attempting to run command FNDCPASS appsXXX 0 Y systemXXX SYSTEM APPLSYS XXXthe following error occurs

ERROR-----------------------FNDCPASS was not able to decrypt password for user GCC during applsys password changeFNDCPASS was not able to decrypt password for user APPS during applsys password changeFNDCPASS was not able to decrypt password for user APPLSYS during applsys password change



Debug line of code (fnd_preferenceremove) was found in a sql script that ran during the upgrade process -patch115sqlafsecctxsql This causes the error message when run FNDCPASS to change APPS password afterupgrading to 1213

This is justified in Bug 8764069 - POST USERMIGRATE TO HASH PASSWORDS AFTER 121 UPG FNDCPASS FAILSDECRYPT


1 Download and review the readme for Patch 8764069

2 Apply Patch 8764069 in a test environment

3 Confirm the following file versions

ltFND_TOPgtpatch115sqlafsecctxsql 1203120100002

You can use the commands like the following

strings -a $FND_TOP patch115sqlafsecctxsql | grep -i $Header

4 Retest the issue


WORKAROUND

1 Change password of All Oracle Applications Users (FND_USER) according to Note 4194751 Removing Credentialsfrom a Cloned EBS Production Database

2 Retest the issue

23 FNDCPASS was not able to decrypt password for User Name during APPLSYS passwordchange

The passwords were updated by a method other than the Define User form or FNDCPASS This is NOT supported


Re-run FNDCPASS for the specific failed User Name

Examples

FNDCPASS appsltpwdgt 0 Y systemltpasswrdgt ORACLE GL ltNEWPASSWORDgtFNDCPASS appsltpwdgt 0 Y systemltpasswrdgt USER JOEUSER ltNEWPASSWORDgt




AFTER manually using the alter user in sqlplus the following error occurs in the log for every application useraccount

ERRORAPP-FND-01496 Cannot access application ORACLE passwordCause Application Object Library was unable access your ORACLE password

The APPLSYS (APPS) password became corrupted using ALTER USER because an applications session was notmaintained at the same time This apps session is necessary to change the APPLSYS password in Securitygt Oraclegt Register WHILE being in SQLPLUS as the SYSTEM user

The supported method is use of FNDCPASS


1 Restore the FND_ORACLE_USERID and FND_USER tables from a backup

2 Then run FNDCPASS to change the APPLSYS password Ex

FNDCPASS appsltapps passwordgt 0 Y systemltsystem passwordgt SYSTEM APPLSYS WELCOME


When attempting to change a user password the error below is generated

APP-FND-1238 Cannot set value for field USERENCRYPTED_USER_PASSWORDReview your error messages (Help -gtDiagnostics -gt Display Database Error ) to see the cause of the error

Encrypted APPLSYS password was corrupted


Run FNDCPASS on the database tier and change the APPLSYS password to its original password value

For example

FNDCPASS appsltpasswordgt 0 Y systemltpasswordgt SYSTEM APPLSYS ltnew passwordgt Ex $FNDCPASS appsltpasswordgt 0 Y systemltpasswordgt SYSTEM APPLSYS NEWPASSWORD



Unable to change a users password with the System Administrator responsibility The password field is notaccessible and the following message appears at the bottom of the window

FRM-40200 Field is protected against update



The fnd_userencrypted_user_password column = EXTERNAL

In FND_USER if the fnd_userencrypted_user_password column = EXTERNAL then

1 The Change Password menu entry should be disabled on the Forms menu2 The Password field should be disabled on the Users form

This is expected behavior for the column being set to EXTERNAL


1 Use FNDCPASS to change the password as required

Example FNDCPASS appsltpasswordgt 0 Y systemltpasswordgt USER VISION WELCOME

2 Reference Note 3036211 - How to Change and Which Apps Database Users Passwords Can Be Changed in a Multi-Node Apps Installation


Q1 A user account is locked after Signon Password Failure Limit is reached Can it be unlocked withoutresetting the password

Q2 After the account is locked because of Signon Password Failure Limit can it be automatically unlocked after24hrs (or a set of hrs)

To implement the solution please execute the following step

A1 No To elaborateSignon Password Failure Limit invalidates the user account by updating the fnd_user encrypted password columnswith value INVALID In order to reinstate (unlock) the account these INVALID password values must be again populatedwith encrypted values This ONLY happens when the password is reset

A2 No To elaborateThere is no such automatic functionality within EBusiness Suite Apps to do this The reinstatement (unlocking) of theapplication user account must be done by resetting the password which is done by the administrator either thru theFNDSCAUS (Security gt User gt Define) form or by FNDCPASS


When attempting to modify a custom schemas (XXINT) password with FNDCPASS the following error messageoccurred

APP-FND-02704 Unable to alter user XXINT to change passwordAPP-FND-01564 ORACLE error 1403 in changepasswordCause changepassword failed due to ORA-01403 no data found



FND does not support case sensitive passwords for ORACLE accounts FND expects database level passwords to bein uppercase The SQL Reference manual under Object Naming Rules states that passwords can only containalphanumeric characters from your databases character set and the characters _ $ and

Using $ and is strongly discouraged

When Hard to Guess functionality is activated the password cannot contain repeating characters (By repeatingcharacters it is meant consecutively repeating characters Hence oracleo passes this criteria while oracleedoes not) The ORACLE password is converted to all upper case internally and then Hard to Guess is validated ifenabled


Only use single case (upper suggested) passwords for ORACLE passwords If the Hard to Guess functionality isactivated verify that the selected password meets all the requirements


Occurs when1 Go to Navigator Menu Editgt Preference gt Change Password2 Enter Old Password and New PasswordRe-enter password3 Press OK Button

This issue has been fixed in the file fnd srcsecurity fdspwdlc in version 11533This is explained in the following bugBUG 7304220 - 1OFF6658428ATG RUP6115102UNABLE TO RESET PASSWORD AFTER IMPLEMENTING NON-REVERSIBLE HASH PASSWD(FNDCPASS)


1 Download and review the readme and pre-requisites for Patch 73042202 Ensure that you have taken a backup of your system before applying the recommended patch3 Apply the patch in a test environment4 Please log a Service Request for support to post you the password5 Retest the issue6 Migrate the solution as appropriate to other environments

WORKAROUNDS

1 a The SSWAFramework Preferences page b Security gt Define gt User form

OR

2 FNDCPASS appsltpasswordgt 0 Y systemltpasswordgt USER ltusernamegt ltpasswordgt

30 After 1213 Upgrade FNDCPASS Fails Was Not Able To Decrypt Password For User UsernameDuring Applsys Password Change



SymptomsIn 1213 When attempting to change password using FNDCPASS the following error is encountered Anothersymptom could be FNDCPASS fails with Unable to connect as applsys

FNDCPASS appsltapps_passwdgt 0 Y systemmanager SYSTEM APPLSYS ltNew Passwdgt

ERRORFNDCPASS was not able to decrypt password for user EDWREP during applsys password changeFNDCPASS was not able to decrypt password for user CTXSYS during applsys password changeFNDCPASS was not able to decrypt password for user PORTAL30_SSO during applsys password changeFNDCPASS was not able to decrypt password for user PORTAL30 during applsys password changeFNDCPASS was not able to decrypt password for user XNB during applsys password changeFNDCPASS was not able to decrypt password for user ZFA during applsys password changeFNDCPASS was not able to decrypt password for user ZSA during applsys password changeFNDCPASS was not able to decrypt password for user APPS during applsys password changeFNDCPASS was not able to decrypt password for user APPLSYS during applsys password change

CauseThe cause of this problem has been identified and verified in an unpublished Bug 11845888 After upgrade to 1213apply the Patch 11845888 before changing the password to avoid these problems This fixes the issues in FNDCPASSand issues with username length


1 Download and review the readme and pre-requisites for Patch 11845888

2 Ensure that you have taken a backup of your system before applying the recommended patch

3 Apply the patch in a test environment


afspwdo 1205120100008

fdscpwdo 12024120100008


strings -a $FND_TOPbinFNDCPASS | grep afspwd

strings -a $FND_TOPbinFNDCPASS | grep fdscpwd

5 Retest the issue and migrate to appropriate environments

After the Patch is applied the following errors might still occurThe below messages can be ignored Those areoracle seeded users to be used by the FNDLOAD They do not have login capabilities So it is normal that they areshown in the FNDCPASS log files

FNDCPASS was not able to decrypt password for user INDUSTRY DATA during applsys password change



FNDCPASS was not able to decrypt password for user ORACLE1200 during applsys password change FNDCPASS was not able to decrypt password for user ORACLE1210 during applsys password change FNDCPASS was not able to decrypt password for user ORACLE1220 during applsys password change FNDCPASS was not able to decrypt password for user ORACLE1230 during applsys password change FNDCPASS was not able to decrypt password for user ORACLE1240 during applsys password change FNDCPASS was not able to decrypt password for user ORACLE1250 during applsys password change FNDCPASS was not able to decrypt password for user ORACLE1260 during applsys password change FNDCPASS was not able to decrypt password for user ORACLE1270 during applsys password change FNDCPASS was not able to decrypt password for user ORACLE1280 during applsys password change

FNDCPASS was not able to decrypt password for user ORACLE1290 during applsys password change

120 customers can apply equivalent Patch 11854373


When attempting to run FNDCPASS the following error occurs

ERROR-----------------------FNDCPASS appspwd 0 Y systempwd USER sysadmin pwd

Current system time is 25-JUN-2012 014224+---------------------------------------------------------------------------+

APP-FND-01564 ORACLE error 6502 in changepassword

Cause changepassword failed due to ORA-06502 PLSQL numeric or value error character stringbuffer too smallORA-06512 at APPSFND_WEB_SEC line 1372ORA-06512 at line 1

The SQL statement being executed at the time of the error was begin r =fnd_web_secchange_password(up) end and was executed from the file ampERRFILE

The likely cause for this error is that the profile option value for SIGNON_PASSWORD_CASE is wrongly set toINSENSITIVE it should be set to value 1 Possible values are INSENSITIVE - 1 and SENSITIVE - 2

To check the value of this profile option do the followiing

1 SQLgt select profile_option_idapplication_id from fnd_profile_options whereprofile_option_name=SIGNON_PASSWORD_CASEThen from the profile_option_id returned

2SQLgt select profile_option_valuelevel_idlevel_value from fnd_profile_option_valueswhere profile_option_id=[VALUE RETURNED FROM ABOVE QUERY] and application_id=0

If PROFILE_OPTION_VALUE returned is INSENSITIVE (-1) then execute the following steps



1 Declarevalue BooleanBeginvalue = FND_PROFILESAVE(SIGNON_PASSWORD_CASE 1 SITE)End

2 Retry the fndcpass


Patch 11845888 delivers a new option that the customer can control whether or not they want to perform the invalid-check The OS variable FND_CHECK_INVALID was created to activateinactivate this new functionality That is whenone runs the FNDCPASS those records are marked so the program will not process the invalid-records again meaningthe next time that FNDCPASS runs it will not show those records in the report To Activate the option set the environment variable before running FNDCPASS

export FND_CHECK_INVALID=TRUE

To Inactivate the option Unset the environment variable before running FNDCPASS

export FND_CHECK_INVALID=FALSE

OR

Comment it out or unset FND_CHECK_INVALID


DiagnosticsPlease access the EbusinessSecurity section on security diagnostics for the latest releases as reflected inDocument 4212451 E-Business Suite Diagnostics References for R12Utilities CommunityVisit the Utilities community for help from industry experts or to share knowledge

BUG8764069 - POST USERMIGRATE TO HASH PASSWORDS AFTER 121 UPG FNDCPASS FAILS DECRYPTNOTE13776701 - After 1213 Upgrade FNDCPASS Fails With Error - Was Not Able To Decrypt Password For UserUsername During Applsys Password ChangeNOTE3036211 - How to Change and Which Apps Database Users Passwords Can Be Changed in a Multi-Node AppsInstallationNOTE3622031 - Oracle Applications Release 11i with Oracle 10g Release 2 (1020)NOTE3622051 - 10g Release 2 ExportImport Process for Oracle Applications Release 11iNOTE4194751 - Removing Credentials from a Cloned EBS Production DatabaseNOTE4312721 - EDWREP And ODM Schemas Does Not Exist In DDA_USERS Table



NOTE4372601 - How to Change Applications Passwords using Applications Schema Password Change Utility(FNDCPASS or AFPASSWD)NOTE4546161 - ExportImport Process for Oracle E-Business Suite Release 12 using 10gR2NOTE4568381 - When Running FNDCPASS with ALLORACLE Option Why Doesnt It Change All User PasswordsNOTE4619041 - Can the ABM Schema andor EAA Schema and Objects Be Dropped in R12

NOTE7615671 - Oracle E-Business Suite Installation and Upgrade Notes Release 12 (1211) for Microsoft Windows

Server (32-bit)NOTE7628941 - Oracle E-Business Suite Installation and Upgrade Notes Release 12 (1211) for HP-UX PA-RISC (64-

bit)NOTE7628911 - Oracle E-Business Suite Installation and Upgrade Notes Release 12 (1211) for HP-UX ItaniumBUG12985552 - FNDCPASS WAS NOT ABLE TO DECRYPT PASSWORD FOR USER USERNAME DURING APPLSYS PASBUG12365915 - NOT ABLE TO CHANGE APPLSYS PASSWORD USING FNDCPASS IN R1213NOTE4212451 - E-Business Suite Diagnostics References for R12

BUG5239293 - UNABLE USE THE PUNCTUATION MARK IN FNDCPASS UTILITY



Applies to

Oracle Application Object Library - Version 1159 to 1213 [Release 115 to 121]Information in this document applies to any platform

Goal

This is a consolidation of Top Documents to provide a Single Source for troubleshooting common problems withFNDCPASS

Fix


ErrorCannot complete applications logon You may have entered an invalid applications password or there may havebeen a database connect error

From the error its confirmed that the APPS password did not change correctly Sometimes when changing the APPSpassword using FNDCPASS with a new APPS password if able to log into SQLPLUS as the apps user then its thoughtthat the password has changed correctly In every scenario this is not true If able to connect th SQLPLUS with thenew APPS password then it doesnt verify new APPS password completely It is just one test for new APPS passwordsIf able to start application services successfully then one can confirm that the APPS password has changedsuccessfully

Points to keep in mind when changing the APPS password using the FNDCPASS utility

Point 1 Changing APPS password using an alter user command is not supported and should not be used forchanging the apps password in any case

Point 2 Always use FNDCPASS to change the APPS password For an improved solution to FNDCPASS as ofR1212 click here

Point 3 Before changing APPS password it is strongly recommended to take a backup of FND_USER andFND_ORACLE_USERID

Point 4 Always check FNDCPASS log for any kind of error If there is any error in the FNDCPASS log then DONOT run autoconfig or try to change configuration file manually Until and unless FNDCPASS log has no errorplease do not run autoconfig as you will get problem while logging in oracle application

Point 5 If getting any error in the FNDCPASS log then either replace from an original backup with FND_USER andFND_ORACLE_USERID to log into Applications or raise an SR to support with the FNDCPASS log

1 If autoconfig was not run did not make any change in configuration file manually and also have a valid backup ofFND_USER and FND_ORACLE_USERID table then recover from the original backup Start application services





































Found in log






















2 Re-run FNDCPASS



Ex





profile






WORKAROUND




FNDCPASS fails with




















































































SQLgt Commit

2 Retest the issue














































For example





Java altered

5 Retest the issue


























4 Retest the issue


WORKAROUND


2 Retest the issue





Examples



















For example





































WORKAROUNDS


OR














afspwdo 1205120100008

fdscpwdo 12024120100008

































OR
















































Found in log






















2 Re-run FNDCPASS



Ex





profile






WORKAROUND




FNDCPASS fails with




















































































SQLgt Commit

2 Retest the issue














































For example





Java altered

5 Retest the issue


























4 Retest the issue


WORKAROUND


2 Retest the issue





Examples



















For example





































WORKAROUNDS


OR














afspwdo 1205120100008

fdscpwdo 12024120100008

































OR




























Found in log






















2 Re-run FNDCPASS



Ex





profile






WORKAROUND




FNDCPASS fails with




















































































SQLgt Commit

2 Retest the issue














































For example





Java altered

5 Retest the issue


























4 Retest the issue


WORKAROUND


2 Retest the issue





Examples



















For example





































WORKAROUNDS


OR














afspwdo 1205120100008

fdscpwdo 12024120100008

































OR




























2 Re-run FNDCPASS



Ex





profile






WORKAROUND




FNDCPASS fails with




















































































SQLgt Commit

2 Retest the issue














































For example





Java altered

5 Retest the issue


























4 Retest the issue


WORKAROUND


2 Retest the issue





Examples



















For example





































WORKAROUNDS


OR














afspwdo 1205120100008

fdscpwdo 12024120100008

































OR














profile






WORKAROUND




FNDCPASS fails with




















































































SQLgt Commit

2 Retest the issue














































For example





Java altered

5 Retest the issue


























4 Retest the issue


WORKAROUND


2 Retest the issue





Examples



















For example





































WORKAROUNDS


OR














afspwdo 1205120100008

fdscpwdo 12024120100008

































OR






















































































SQLgt Commit

2 Retest the issue














































For example





Java altered

5 Retest the issue


























4 Retest the issue


WORKAROUND


2 Retest the issue





Examples



















For example





































WORKAROUNDS


OR














afspwdo 1205120100008

fdscpwdo 12024120100008

































OR

































































SQLgt Commit

2 Retest the issue














































For example





Java altered

5 Retest the issue


























4 Retest the issue


WORKAROUND


2 Retest the issue





Examples



















For example





































WORKAROUNDS


OR














afspwdo 1205120100008

fdscpwdo 12024120100008

































OR

























































SQLgt Commit

2 Retest the issue














































For example





Java altered

5 Retest the issue


























4 Retest the issue


WORKAROUND


2 Retest the issue





Examples



















For example





































WORKAROUNDS


OR














afspwdo 1205120100008

fdscpwdo 12024120100008

































OR







































SQLgt Commit

2 Retest the issue














































For example





Java altered

5 Retest the issue


























4 Retest the issue


WORKAROUND


2 Retest the issue





Examples



















For example





































WORKAROUNDS


OR














afspwdo 1205120100008

fdscpwdo 12024120100008

































OR




















SQLgt Commit

2 Retest the issue














































For example





Java altered

5 Retest the issue


























4 Retest the issue


WORKAROUND


2 Retest the issue





Examples



















For example





































WORKAROUNDS


OR














afspwdo 1205120100008

fdscpwdo 12024120100008

































OR




















































For example





Java altered

5 Retest the issue


























4 Retest the issue


WORKAROUND


2 Retest the issue





Examples



















For example





































WORKAROUNDS


OR














afspwdo 1205120100008

fdscpwdo 12024120100008

































OR






























For example





Java altered

5 Retest the issue


























4 Retest the issue


WORKAROUND


2 Retest the issue





Examples



















For example





































WORKAROUNDS


OR














afspwdo 1205120100008

fdscpwdo 12024120100008

































OR
















Java altered

5 Retest the issue


























4 Retest the issue


WORKAROUND


2 Retest the issue





Examples



















For example





































WORKAROUNDS


OR














afspwdo 1205120100008

fdscpwdo 12024120100008

































OR























4 Retest the issue


WORKAROUND


2 Retest the issue





Examples



















For example





































WORKAROUNDS


OR














afspwdo 1205120100008

fdscpwdo 12024120100008

































OR




























For example





































WORKAROUNDS


OR














afspwdo 1205120100008

fdscpwdo 12024120100008

































OR











































WORKAROUNDS


OR














afspwdo 1205120100008

fdscpwdo 12024120100008

































OR
























WORKAROUNDS


OR














afspwdo 1205120100008

fdscpwdo 12024120100008

































OR























afspwdo 1205120100008

fdscpwdo 12024120100008

































OR






































OR





















OR

















