Thursday, April 15, 2021

Enable TLS 1.2 in R12.2 right after it is upgraded from R12.1.3

This post assumes all certificate files are good and that TLS 1.2 was already enabled in R12.1.3. After the upgrade to R12.2, SSL and TLS 1.2 were not enabled automatically. Enabling them is optional, but is normally required by a company's security team. Here are the steps to enable them only for inbound connections, as described in Doc ID 1367293.1 (Enabling TLS in Oracle E-Business Suite Release 12.2). The use of TLS 1.2 requires Java 7 at a minimum and Oracle Fusion Middleware (FMW) 1.1.1.9.

Since all wallet and certificate files already exist in the old $INST_TOP/certs/Apache folder, reusing them saves the time it would take to generate them again. I also verified that all necessary patches exist in my new R12.2.10 instances. Here is what I did.

1. Copy Apache folder from R12.1.3 $INST_TOP/certs/Apache to R12.2.10 $NE_BASE/inst/$CONTEXT_NAME/certs/Apache (the same as <s_web_ssl_directory>/Apache). 
$ cd $NE_BASE/inst/$CONTEXT_NAME/certs
$ ls
$ cp -rp $HOME/$TWO_TASK/inst_R12.1/apps/$CONTEXT_NAME/certs/Apache .
(assume the R12.1 folder inst was renamed to inst_R12.1 right after the R12.2 upgrade completed. Possible files in R12.1.3 include:)
$ ls -al Apache
-rw-r--r-- 1 user group 1367 Mar 17  2020 ca.crt
-rw------- 1 user group 6377 Jul 17  2020 cwallet.sso
-rw-r--r-- 1 user group 6349 Jul 17  2020 ewallet.p12
-rw-r--r-- 1 user group 1684 Mar 17  2020 intermediate.crt
-rw-r--r-- 1 user group 5389 Jul 17  2020 opmn.crt
-rw-r--r-- 1 user group 2338 Jul 17  2020 server.crt
-rw-r--r-- 1 user group 1675 Jul 17  2020 server.key

Notes: Section 5.2 Step 2 says "The s_web_ssl_directory location is still used by some Oracle E-Business Suite Release 12.2 components (for example, XML Gateway Transportation Agent OXTA) and during the Oracle Fusion Middleware cloning process". Step 6 says Apache folder "is not used by the Oracle HTTP Server" (Apache).
 
In my instances, the certificate files that worked in R12.1 still work in R12.2. So I did not need any additional steps other than using orapki in R12.2 to verify the wallet password.

$ which orapki                     <= do not use the one in 10.1.2 ORACLE_HOME
$FMW_HOME/oracle_common/bin/orapki

$ orapki wallet display -wallet $NE_BASE/inst/$CONTEXT_NAME/certs/Apache      <= -wallet takes the directory that holds ewallet.p12, not the file itself

If the certificate has expired, it has to be renewed first, because otherwise Apache and OPMN will not start and opmn reports the error: [opmn] [ERROR:1] [] [internal] $FMW_HOME/webtier/opmn/bin/opmn: unexpected exit: status 4200

2. Copy cwallet.sso to 2 locations: HTTP Server & OPMN

$ grep s_ohs_instance_loc $CONTEXT_FILE

Define Linux variables for scripting:
$ iName=$(tr < $CONTEXT_FILE '<>' '  ' | awk '/"s_ohs_instance"/ {print $(NF-1)}' )
$ echo $iName                   <== prints e.g. EBS_web_OHS1 or EBS_web_OHS2, whichever is in use
$ SUBiName=${iName%?????}
$ echo $SUBiName
EBS_web

Modify the Oracle HTTP Server wallet:
$ cd $FMW_HOME/webtier/instances/$iName/config/OHS/$SUBiName/keystores/default
$ mv cwallet.sso cwallet.sso_ORIG
$ cp -p $NE_BASE/inst/$CONTEXT_NAME/certs/Apache/cwallet.sso .
$ ls

Modify the OPMN wallet:
$ cd $FMW_HOME/webtier/instances/$iName/config/OPMN/opmn
$ mv wallet wallet_ORIG
$ mkdir wallet
$ cd wallet
$ cp -p $NE_BASE/inst/$CONTEXT_NAME/certs/Apache/cwallet.sso .
$ ls

3. Modify 3 files: opmn.xml (in <s_ohs_instance_loc>/config/OPMN/opmn), and admin.conf and ssl.conf (in <s_ohs_instance_loc>/config/OHS/<s_ohs_component>); see Section 6.1.2 Configure Inbound Connections.
NOTES: 
1) If the environment is cloned from another instance, those configuration files will be copied from the source instance, so their contents may not be the same as shown below.
2) Unlike R12.1, WebLogic configuration files in R12.2 can be edited and AutoConfig may not update them. For more details on modifying OHS port values, see Doc ID 1905593.1 (Managing Configuration of Oracle HTTP Server and Web Application Services in Oracle E-Business Suite Release 12.2).

Configure the OPMN Cipher Suites:
$ cd ..
(or, $ cd $FMW_HOME/webtier/instances/$iName/config/OPMN/opmn )
$ cp -p opmn.xml opmn.xml_ORIG
$ vi opmn.xml
$ diff opmn.xml opmn.xml_ORIG

<    <ssl enabled="true" wallet-file="....../config/OPMN/opmn/wallet" ssl-versions="TLSv1.2" ssl-ciphers="SSL_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA"/>
---
>    <ssl enabled="true" wallet-file="....../config/OPMN/opmn/wallet" ssl-versions="TLSv1.0" ssl-ciphers="SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
110c110
< </opmn>
---
> </opmn>
\ No newline at end of file

$ cd ../../OHS/$SUBiName
(cd $FMW_HOME/webtier/instances/$iName/config/OHS/$SUBiName )
$ cp -p admin.conf admin.conf_ORIG
$ vi admin.conf
$ diff admin.conf admin.conf_ORIG

<    SSLCipherSuite SSL_RSA_WITH_AES_256_CBC_SHA:SSL_RSA_WITH_AES_128_CBC_SHA
<    SSLProtocol nzos_Version_1_2
---
>    SSLCipherSuite SSL_RSA_WITH_AES_128_CBC_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA
>    SSLProtocol nzos_Version_1_0

$ cp -p ssl.conf ssl.conf_ORIG
$ vi ssl.conf
$ diff ssl.conf ssl.conf_ORIG

<    SSLProtocol    TLSv1.2
<    SSLCipherSuite HIGH:MEDIUM:!aNULL:!RC4:!3DES:!SEED:!IDEA:!CAMELLIA:+HIGH:+MEDIUM
---
>    SSLProtocol    all +TLSv1 +SSLv3              <= the file may have slightly different entries
>    SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

Notes: Section 6.5.2 indicates that editing ssl.conf is acceptable.
Also, if an entry in ssl.conf is wrong, adapcctl.sh will fail to start Oracle HTTP Server (OHS). Its logs are in $FMW_HOME/webtier/instances/$iName/diagnostics/logs/OHS/$SUBiName.
And opmn.log is in $FMW_HOME/webtier/instances/$iName/diagnostics/logs/OPMN/opmn

If you want the WLS console to use SSL as well, more changes may be needed.

4. Confirm "Listen <port_number>" in ssl.conf and <s_webssl_port> in $CONTEXT_FILE are the same. In this post, it is 4480.

$ grep Listen ssl.conf
$ grep s_webssl_port $CONTEXT_FILE
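Once the three files have been edited and the Listen port checked, a small post-edit check is useful before running AutoConfig. The script below is an added example, not from the Oracle note or this post: it reads context variables the same way the tr/awk one-liners above do (keyed on the oa_var attribute), then confirms that opmn.xml, admin.conf and ssl.conf allow TLS 1.2 only, that no 3DES suite is left in the OPMN and admin cipher lists, and that the Listen port in ssl.conf matches s_webssl_port. The function names (ctx_var, check_tls12) and the context file and configuration snippets it builds in a temporary directory are my own constructed sample input; on a real node, pass $CONTEXT_FILE and the two instance config folders instead.

```shell
#!/bin/sh
# Added example: post-edit check for the TLS 1.2 inbound configuration.
# Constructed sample input below; on a real node pass $CONTEXT_FILE,
# $FMW_HOME/webtier/instances/$iName/config/OHS/$SUBiName and
# $FMW_HOME/webtier/instances/$iName/config/OPMN/opmn instead.

# ctx_var <context_file> <oa_var> : print the value of one context variable
ctx_var() {
  sed -n "s/.*oa_var=\"$2\"[^>]*>\([^<]*\)<.*/\1/p" "$1" | head -n 1
}

# check_tls12 <context_file> <ohs_component_dir> <opmn_dir>
# Prints one FAIL line per problem and returns non-zero if any check fails.
check_tls12() {
  ctx=$1 ohs=$2 opmn=$3 rc=0
  port=$(ctx_var "$ctx" s_webssl_port)

  # opmn.xml: the <ssl .../> element must list TLSv1.2 only and no 3DES suite
  v=$(sed -n 's/.*<ssl .*ssl-versions="\([^"]*\)".*/\1/p' "$opmn/opmn.xml")
  [ "$v" = "TLSv1.2" ] || { echo "FAIL opmn.xml ssl-versions=\"$v\""; rc=1; }
  grep -q 'ssl-ciphers="[^"]*3DES' "$opmn/opmn.xml" && { echo "FAIL opmn.xml still offers a 3DES suite"; rc=1; }

  # admin.conf uses the nzos_Version_1_2 spelling for TLS 1.2
  grep -q '^[[:space:]]*SSLProtocol[[:space:]]*nzos_Version_1_2[[:space:]]*$' "$ohs/admin.conf" \
    || { echo "FAIL admin.conf SSLProtocol is not nzos_Version_1_2"; rc=1; }
  grep -q '^[[:space:]]*SSLCipherSuite.*3DES' "$ohs/admin.conf" && { echo "FAIL admin.conf still offers a 3DES suite"; rc=1; }

  # ssl.conf: TLSv1.2 only, and no SSLv3 / TLSv1 token left in the protocol line
  grep -q '^[[:space:]]*SSLProtocol[[:space:]]*TLSv1\.2[[:space:]]*$' "$ohs/ssl.conf" \
    || { echo "FAIL ssl.conf SSLProtocol is not TLSv1.2"; rc=1; }
  grep -Eq '^[[:space:]]*SSLProtocol.*(SSLv3|[+]TLSv1([[:space:]]|$)|TLSv1\.0)' "$ohs/ssl.conf" \
    && { echo "FAIL ssl.conf still enables a legacy protocol"; rc=1; }

  # the port OHS listens on for SSL must match s_webssl_port in the context file
  listen=$(sed -n 's/^[[:space:]]*Listen[[:space:]]*\([0-9]*\).*/\1/p' "$ohs/ssl.conf" | head -n 1)
  [ "$listen" = "$port" ] || { echo "FAIL ssl.conf Listen $listen != s_webssl_port $port"; rc=1; }
  return $rc
}

# --- constructed sample data (not from a real instance) ---
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
CTX="$WORK/EBSDEV_host.xml"
cat > "$CTX" <<'EOF'
<oa_context>
   <ohs_instance oa_var="s_ohs_instance">EBS_web_OHS1</ohs_instance>
   <ohs_component oa_var="s_ohs_component">EBS_web</ohs_component>
   <webssl_port oa_var="s_webssl_port" oa_type="PORT">4480</webssl_port>
</oa_context>
EOF
mkdir -p "$WORK/after" "$WORK/before"
# files as they look after step 3 (the "<" side of the diffs above)
printf '%s\n' '<opmn>' '   <ssl enabled="true" wallet-file="/fmw/config/OPMN/opmn/wallet" ssl-versions="TLSv1.2" ssl-ciphers="SSL_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA"/>' '</opmn>' > "$WORK/after/opmn.xml"
printf '%s\n' '   SSLCipherSuite SSL_RSA_WITH_AES_256_CBC_SHA:SSL_RSA_WITH_AES_128_CBC_SHA' '   SSLProtocol nzos_Version_1_2' > "$WORK/after/admin.conf"
printf '%s\n' 'Listen 4480' '<VirtualHost _default_:4480>' '   SSLProtocol    TLSv1.2' '   SSLCipherSuite HIGH:MEDIUM:!aNULL:!RC4:!3DES:!SEED:!IDEA:!CAMELLIA:+HIGH:+MEDIUM' '</VirtualHost>' > "$WORK/after/ssl.conf"
# files as the upgrade left them (the ">" side of the diffs above), with a mismatched Listen port
printf '%s\n' '<opmn>' '   <ssl enabled="true" wallet-file="/fmw/config/OPMN/opmn/wallet" ssl-versions="TLSv1.0" ssl-ciphers="SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>' '</opmn>' > "$WORK/before/opmn.xml"
printf '%s\n' '   SSLCipherSuite SSL_RSA_WITH_AES_128_CBC_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA' '   SSLProtocol nzos_Version_1_0' > "$WORK/before/admin.conf"
printf '%s\n' 'Listen 4443' '   SSLProtocol    all +TLSv1 +SSLv3' '   SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM' > "$WORK/before/ssl.conf"

echo "OHS instance: $(ctx_var "$CTX" s_ohs_instance), component: $(ctx_var "$CTX" s_ohs_component)"
echo "== pre-edit files =="
check_tls12 "$CTX" "$WORK/before" "$WORK/before" || echo "(expected: legacy settings found)"
echo "== post-edit files =="
check_tls12 "$CTX" "$WORK/after" "$WORK/after" && echo "PASS: TLS 1.2 only, Listen port matches s_webssl_port"
```

The check deliberately tests each file for what must be present (TLSv1.2 / nzos_Version_1_2) and for what must be absent (SSLv3, +TLSv1, 3DES), because a cloned instance may carry a different baseline than the diffs shown above and a protocol line that merely adds TLSv1.2 would still pass a presence-only grep.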

5. Keep the WLS Admin Server running on the primary node (to avoid a java.net.ConnectException error), and run the line below on each application tier node to propagate the changes made to the context file variables. (Optional?)

$ perl $AD_TOP/bin/adSyncContext.pl contextfile=$CONTEXT_FILE
Enter the APPS user password:
Enter the WebLogic AdminServer password:

Log file $INST_TOP/logs/appl/rgf/Wed_XXX_14_17_47_45_2021/adSyncContext.log says
... ...
Time taken for adSyncContext.pl to complete: 0 mins 24 secs
The program exited with status 0

6. Edit $CONTEXT_FILE to change the values of the variables listed in Section 5.2 step 9. Here are the settings in my EBS site https://example.domain.com:
s_url_protocol            => https
s_local_url_protocol      => https
s_webentryurlprotocol     => https
s_active_webport          => 443      (4480 when no port mapping)
s_https_listen_parameter  => 4480
s_login_page              => https://example.domain.com/OA_HTML/AppsLogin   (copy it from R12.1.3, where it worked)
s_webentryhost            => example     (without it, the login page redirects to a wrong URL)
s_external_url            => https://example.domain.com

I do not enter port 443 in any of the files that hold port information in the OHS configuration folder when an F5 is used as the load balancer. The F5 may map port 443 to port 4480. (But in R12.1.3, the line "Port 443" is in files ssl.conf and httpd.conf.)

Some context variables are reset to their defaults by the R12.2 upgrade. Update or confirm the variables below in $CONTEXT_FILE before running adautocfg.sh:
- sitename (a profile option reads it)
- s_smtphost (company-wide SMTP server for the mailer)
- s_forms_tmpdir (do not use /tmp for a production instance)
- s_sesstimeout (a profile option reads it)
- s_appcpnam (set to REQID.OUT; see Doc ID 134007.1 for setting the output file type)
- s_forms_catchterm (set to 0, i.e. FORMS_CATCHTERM=0; see Doc ID 745711.1 to avoid forms LOVs consuming 100% CPU. The R12.2 default is 1)

Notes: in a multi-node instance, enabling TLS 1.2 is not necessary (or is optional) on the concurrent node. But if it is enabled there, the SSL certificate file has to be renewed before it expires (to avoid an error in starting Apache when running FS_CLONE on that node).

7. Additional notes.
cwallet.sso can also be found in 3 other folders, the Fusion Middleware Control wallets. My instance does not use them (TLS 1.0 may use them):

$ iDomain=$(tr < $CONTEXT_FILE '<>' '  ' | awk '/"s_wls_domain_name"/ {print $(NF-1)}' )
$ echo $iDomain
EBS_domain         <== e.g.
 
$ ls -al $FMW_HOME/webtier/instances/$iName/config/OHS/$SUBiName/proxy-wallet
(Note: during one troubleshooting session, copying the right cwallet.sso file into the folder above fixed a failure in starting Apache. I am not sure why.)
$ ls -al $FMW_HOME/user_projects/domains/$iDomain/opmn/$iName/wallet
$ ls -al $FMW_HOME/user_projects/domains/$iDomain/opmn/$iName/$SUBiName/wallet

8. Run adautocfg.sh. 
Note: R12.2 autoconfig does not update files opmn.xml, admin.conf, ssl.conf in Step 3

Verify some info: 
$ cd $FMW_HOME/webtier/instances/$iName/config/OHS/$SUBiName

$ grep 4480 *.*
ssl.conf:Listen 4480
ssl.conf: <VirtualHost _default_:4480>

$ grep 443 *.*
trusted.conf:#RedirectMatch ^/OA_HTML/fwk/t/(.*) https://example.domain.com:443/OA_IMAGE/fwk/t/$1
url_fw.conf:RewriteRule ^/$ https://example.domain.com:443/OA_HTML/AppsLogin [R,L]


$ grep example *.*
trusted.conf:#RedirectMatch ^/OA_HTML/fwk/t/(.*) https://example.domain.com:443/OA_IMAGE/fwk/t/$1
url_fw.conf:RewriteRule ^/$ https://example.domain.com:443/OA_HTML/AppsLogin [R,L]


$ nslookup example.domain.com
Server:         1XX.121.153.1XX
Address:      1XX.121.153.1XX#53
example.domain.com        canonical name = example.np.vip.domain.com.
Name:   example.np.vip.domain.com
Address: 16X.63.75.6X

9. Run adstpall.sh/adstrtal.sh script in $ADMIN_SCRIPTS_HOME directory to stop and restart all services.

Now, my R12.2.10 site is SSL and TLS 1.2 enabled. All web pages can be accessed over https from browsers, and EBS Forms can be launched (if JWS was enabled) from the login URL given by the line below:

$ grep login $CONTEXT_FILE

In addition, one way to verify that TLS/SSL is enabled on the web node(s) is to run this SQL statement:

SQL> select substr(fnd_web_config.protocol,1,5) from dual;
SUBST
-----
https

10. Doc ID 1367293.1 Section 5.2 Step 12 gives details on using $APPL_TOP_NE/ad/custom/adop_sync.drv to synchronize the TLS setup between the two file systems. I found that all .conf files are synchronized automatically, but the .sso files are not. Adding the lines below to adop_sync.drv will synchronize them. But if FS_CLONE is executed after this change, all settings are copied to the PATCH file system and this step can be skipped. Note that file b64InternetCertificate.txt is used if Oracle® Application Management Pack for Oracle E-Business Suite is used to monitor the EBS instance.
 
#TLS SECTION - START
# Required for TLS setup migration from RUN to PATCH file-system.
# Please alter the commands in the event that rsync is not available or the platform does not support the example syntax.

#Oracle HTTP Server Wallet - cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/keystores/default/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/keystores/default/cwallet.sso

#OPMN Wallet - cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OPMN/opmn/wallet/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OPMN/opmn/wallet/cwallet.sso

#Fusion Middleware Control Wallets - cwallet.sso
rsync -zr %s_current_base%/FMW_Home/user_projects/domains/%s_wls_domain_name%/opmn/%s_ohs_instance%/%s_ohs_component%/wallet/cwallet.sso %s_other_base%/FMW_Home/user_projects/domains/%s_wls_domain_name%/opmn/%s_ohs_instance%/%s_ohs_component%/wallet/cwallet.sso

rsync -zr %s_current_base%/FMW_Home/user_projects/domains/%s_wls_domain_name%/opmn/%s_ohs_instance%/wallet/cwallet.sso %s_other_base%/FMW_Home/user_projects/domains/%s_wls_domain_name%/opmn/%s_ohs_instance%/wallet/cwallet.sso

rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/proxy-wallet/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/proxy-wallet/cwallet.sso
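A quick way to see whether the wallet files actually landed on the other file system (the drift described above, where the .conf files were synchronized but the .sso files were not) is to compare each wallet path between s_current_base and s_other_base. The script below is an added example, not from the Oracle note or this post. It expands the same %s_...% placeholders as the adop_sync.drv lines, using values that on a real node come from $CONTEXT_FILE, and reports SYNCED, DRIFT or SKIP per wallet. The function names (expand_tokens, check_wallet_sync), the variable names OHS_INSTANCE, OHS_COMPONENT and WLS_DOMAIN, and the two base directories it creates are my own constructed sample data.

```shell
#!/bin/sh
# Added example: report wallet files that differ between the RUN and PATCH
# file systems. The placeholders are expanded like adop_sync.drv does; on a
# real node set the three variables from $CONTEXT_FILE and call
#   check_wallet_sync "<s_current_base>" "<s_other_base>"

# wallet paths from the adop_sync.drv lines above, relative to the file system base
WALLET_PATHS='
FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/keystores/default/cwallet.sso
FMW_Home/webtier/instances/%s_ohs_instance%/config/OPMN/opmn/wallet/cwallet.sso
FMW_Home/user_projects/domains/%s_wls_domain_name%/opmn/%s_ohs_instance%/%s_ohs_component%/wallet/cwallet.sso
FMW_Home/user_projects/domains/%s_wls_domain_name%/opmn/%s_ohs_instance%/wallet/cwallet.sso
FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/proxy-wallet/cwallet.sso
'

# expand_tokens <path-with-%tokens%> : substitute the context values
expand_tokens() {
  printf '%s\n' "$1" | sed "s|%s_ohs_instance%|$OHS_INSTANCE|g
s|%s_ohs_component%|$OHS_COMPONENT|g
s|%s_wls_domain_name%|$WLS_DOMAIN|g"
}

# check_wallet_sync <current_base> <other_base>
# Prints SYNCED / DRIFT / SKIP per wallet; returns the number of DRIFT wallets.
check_wallet_sync() {
  cur=$1 oth=$2 drift=0
  for rel in $WALLET_PATHS; do
    p=$(expand_tokens "$rel")
    if [ ! -f "$cur/$p" ]; then
      echo "SKIP   $p (absent on current base)"   # a wallet this instance does not use
    elif cmp -s "$cur/$p" "$oth/$p"; then
      echo "SYNCED $p"
    else
      echo "DRIFT  $p"                             # missing or different on the other base
      drift=$((drift + 1))
    fi
  done
  return $drift
}

# --- constructed sample data (not from a real instance) ---
OHS_INSTANCE=EBS_web_OHS1; OHS_COMPONENT=EBS_web; WLS_DOMAIN=EBS_domain
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
RUN_BASE="$WORK/fs1"; PATCH_BASE="$WORK/fs2"
ohs_rel="FMW_Home/webtier/instances/$OHS_INSTANCE/config/OHS/$OHS_COMPONENT/keystores/default"
opmn_rel="FMW_Home/webtier/instances/$OHS_INSTANCE/config/OPMN/opmn/wallet"
mkdir -p "$RUN_BASE/$ohs_rel" "$RUN_BASE/$opmn_rel" "$PATCH_BASE/$ohs_rel" "$PATCH_BASE/$opmn_rel"
printf 'wallet-v2' > "$RUN_BASE/$ohs_rel/cwallet.sso"
printf 'wallet-v2' > "$PATCH_BASE/$ohs_rel/cwallet.sso"     # OHS wallet already in sync
printf 'wallet-v2' > "$RUN_BASE/$opmn_rel/cwallet.sso"
printf 'wallet-v1' > "$PATCH_BASE/$opmn_rel/cwallet.sso"    # OPMN wallet still the old one
# the three Fusion Middleware Control wallets are absent, as in this post

check_wallet_sync "$RUN_BASE" "$PATCH_BASE"; echo "wallets out of sync: $?"
```

Run it after adop_sync.drv has been edited and a patching cycle (or FS_CLONE) has completed; any DRIFT line means the PATCH file system would come up with a different wallet after the next cutover.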

11. The changes above are on the RUN file system only. Run FS_CLONE to sync them to the PATCH file system.

More readings:
- How to Import a Third Party Wallet into FMW 11g (11.1.1.X) (Doc ID 1268793.1)
- Using Load-Balancers with Oracle E-Business Suite Release 12.0 and 12.1 (Doc ID 380489.1)


Wednesday, April 14, 2021

Enable Java Web Start with Oracle E-Business Suite R12.2

After R12.1.3 is upgraded to R12.2.10, I see that JRE 1.6.0_27 is the version in the new R12.2.10 instance. It is an old version, which makes R12.2 GUI Forms work only with the IE browser. For R12.2 to work with MS Edge and Google Chrome, we have to upgrade the JRE and enable JWS.

1) First, per Doc ID 2188898.1 (Using Java Web Start with Oracle E-Business Suite), I confirmed that patch 26825525 (which replaces 25441839, Merge Request On Top Of 10.1.2.3.2 PSU, Doc ID 2554599.1) was applied during the R12.2.10 upgrade (Section 4.2.2).
$ opatch lsinventory | grep 26825525
     Patch  26825525 applied on xxxx, 2021

2) Confirmed ALL 13 patches below were applied (Section 4.2.3). Some patches may show up twice in the query below.
SQL> SELECT bug_number, creation_date, ad_patch.is_patch_applied('R12',-1, bug_number) status
FROM ad_bugs
where bug_number in (
'24498616', -- AD: Add Java Web Start support to Oracle E-Business Suite
'25449925', -- TXK: Add Java Web Start support to Oracle E-Business Suite
'25380324', -- Oracle E-Business Suite Java Applets launching with Java Web Start
'29058008', -- Oracle E-Business Suite Java Applets Launching with JWS rel 2
'29024389', -- WS: New Preference To Indicate Launch of New Forms Session
'28713780', -- 12.2.6+:Oracle Workflow Java Applets launching with Java Web Start
'23645622', -- GL: Add Java Web Start Support to AHM Java applet
'23586286', -- MSC: Add Java Web Start Support to PS/SNO 12.2.6
'26100397', -- R12.TXK.C (see Doc ID 393931.1 for deploying JRE)
'22806350',  -- R12.OWF.C (see Doc ID 1367293.1 for enabling TLS 1.2)
'21473055', -- R12.ICX.D (iProcurement, Doc ID 1937220.1 for TLS1.2)
'22522877', -- R12.IBY.C (iPayment)
'22326911'  -- R12.ECX.C (Oracle XML Gateway)
) order by bug_number;

3) Back up $CONTEXT_FILE
$ cd (to a backup folder)
$ cp -p $CONTEXT_FILE ${CONTEXT_NAME}.xml_BK_JRE
Replace "browser" with "jws" for <s_forms_launch_method>:
$ vi $CONTEXT_FILE

Optionally, stop EBS services by adstpall.sh if they are running.

4) Follow Doc ID 393931.1 (Deploying JRE for Windows Clients; go to the long table in the Appendix E section) to download patch 30425890 - p30425890_180241_WINNT.zip (Oracle JRE 8 Update 241 for Windows 32-bit). I used JRE 1.8.0_241 because it is the version currently installed on all users' Windows PCs. If a higher version is deployed on the apps server, all users have to remove the lower version and re-install a matching version on their PC. (Note: later, I used p32140627_180281_WINNT.zip after users' PCs got a newer JRE.)

$ cd $COMMON_TOP/webapps/oacore/util/javaplugin
$ unzip p32140627_180281_WINNT.zip
Archive:  p32140627_180281_WINNT.zip
  inflating: jre-8u281-windows-i586.exe
  inflating: jre-8u281-windows-i586.tar.gz
  inflating: readme.txt

$ mv jre-8u281-windows-i586.exe j2se18281.exe
$ echo $FILE_EDITION
run

$ $FND_TOP/bin/txkSetPlugin.sh 18281
/u02/app/$TWO_TASK/fs1/EBSapps/appl/fnd/12.0.0/bin
  Starting interoperability upgrade script...
Sending logfile output to:
       $INST_TOP/logs/txkSetPlugin.log
etc … … 
AutoConfig completed successfully.
Done


$ sh $ADMIN_SCRIPTS_HOME/adautocfg.sh    (optional)

Go to the backup folder and confirm the configuration changes:
$ diff $CONTEXT_NAME.xml_BK_JRE $CONTEXT_FILE

<   <config_option type="techstack" oa_var="s_forms_launch_method">browser</config_option>
>   <config_option type="techstack" oa_var="s_forms_launch_method">jws</config_option>

<   <sun_plugin_ver oa_var="s_sun_plugin_ver">1.6.0_27</sun_plugin_ver>
>   <sun_plugin_ver oa_var="s_sun_plugin_ver">1.8.0_281</sun_plugin_ver>

<   <sun_clsid oa_var="s_sun_clsid">CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA</sun_clsid>
>   <sun_clsid oa_var="s_sun_clsid">CAFEEFAC-0018-0000-0281-ABCDEFFEDCBA</sun_clsid>
... ...

$ cat $FORMS_WEB_CONFIG_FILE|grep sun_plugin_version| cut -c 1-35
sun_plugin_version=1.8.0_281

Next is to sign the JAR files. Otherwise, launching EBS Forms gives a popup with Exception: JAR resources in JNLP file are not signed by same certificate.

5) Jar signing

Follow Doc ID 1591073.1 (Enhanced Jar Signing for Oracle E-Business Suite)

a) Copy the two files adkeystore.dat and adsign.txt (from the old $APPL_TOP/admin of R12.1.3) to folder $NE_BASE/EBSapps/appl/ad/admin, assuming JAR signing worked in the R12.1.3 instance. Verify the basic info:

SQL> set serveroutput on
SQL> declare
spass varchar2(30);
kpass varchar2(30);
begin
ad_jar.get_jripasswords(spass, kpass);
dbms_output.put_line(spass);
dbms_output.put_line(kpass);
end;  
/

$ keytool -list -keystore adkeystore.dat
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries
ebsdev_nodename, April 10, 2021, PrivateKeyEntry, ...
...  ...
If necessary, use this command to rename the alias in a .dat file that came from instance1 on node1 (-changealias renames the existing entry):
$ keytool -changealias -alias instance1Name_node1Name -destalias EBSDEV_nodeName -keystore adkeystore.dat

b) Make sure all apps services are stopped

c) $ adadmin
     => 1 (Generate Applications Files menu)
     => 4 (Generate product JAR files)
    Do you wish to force regeneration of all jar files? [No] ? Yes

Forcing generation of all product jar files.
Creating and signing every jar file can take about thirty minutes depending on the hardware being used.
You can watch the file $NE_BASE/EBSapps/log/adadmin/log/Gen_JAR.log to see the progress of jar file generation.
 Recording Adadmin action :ADADMIN_GEN_JARS
 Tokens:FORCE_JAR_GENERATION=Yes
  Signing product JAR files in  JAVA_TOP - $JAVA_TOP
   using entity $CONTEXT_NAME and certificate 1.
Successfully created javaVersionFile.
  Generating product JAR files in JAVA_TOP -
 $JAVA_TOP with command:
adjava -mx2048m -nojit oracle.apps.ad.jri.adjmx @$APPL_TOP/admin/$TWO_TASK/out/genjars.cmd

Successfully generated product JAR files in  JAVA_TOP -
 $JAVA_TOP.
  Copying Registry.dat from the Forms Java directory to $JAVA_TOP ...
Generating customall.jar ...
Not creating customall.jar as no custom java directories found under JAVA_TOP.
customall.jar generated successfully.
   ** Updating appsborg.zip ...
    Reading adjborg.txt...
adearea();
No files listed in $APPL_TOP/admin/adjborg.txt
Ignoring ...
adjborg.txt file seems to be empty.
    Done reading adjborg.txt.
As adjborg.txt file is empty, skipping the  generation of appsborg.zip
   ** Updating appsborg2.zip ...
    Reading adjborg2.txt...
adearea();
No files listed in $APPL_TOP/admin/adjborg2.txt
Ignoring ...
adjborg.txt file seems to be empty.
    Done reading adjborg2.txt.
As adjborg2.txt file is empty, skipping the  generation of appsborg2.zip
Review the messages above, then press [Return] to continue.

Notes from Doc ID 2065496.1:  In release 12.2 the files appsborg.zip and appsborg2.zip have been replaced with file ebsAppsborgManifest.jar. The new file ebsAppsborgManifest.jar should appear in the CLASSPATH. In summary for R12.2 the files appsborg.zip and appsborg2.zip are not used. The messages are expected and can be safely ignored.

$ echo $CLASSPATH | grep ebsAppsborgManifest
will give a long list
$ cd $FMW_HOME/Oracle_EBS-app1/shared-libs/ebs-appsborg/WEB-INF/lib
$ ls -al 
-rw-r--r-- 1 user group 806 Feb 23 16:32 ebsAppsborgManifest.jar

d) To verify the digital signature of the Jar file:
$ jarsigner -verify -verbose -certs $AD_TOP/java/jar/adxlib.jar
… … 
sm      6924 Fri Jan 14 03:00:00 EST 2011 oracle/apps/ad/util/zip/ZipOutputStream.class
      X.509, CN=Company_name Inc., O=Company_name Inc., L=City, ST=State, C=US
      [certificate is valid from 1/3/19 7:00 PM to 1/12/22 7:00 AM]
      X.509, CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
      [certificate is valid from 10/22/13 8:00 AM to 10/22/28 8:00 AM]
      X.509, CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
      [certificate is valid from 11/9/06 7:00 PM to 11/9/31 7:00 PM]

      X.509, CN=nodename, O=nodename, OU=apps, L=, ST=, C=US
      [certificate is valid from 2/12/21 12:02 PM to 2/2/61 12:02 PM]
      [CertPath not validated: Path does not chain with any of the trust anchors]

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope
jar verified.
Warning:
This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2022-01-12) or after any future revocation date.


If you see the message "This jar contains entries whose certificate chain is not validated.", there is a signing problem.
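When many JAR files are checked (for example every jar under $JAVA_TOP/oracle/apps), reading each jarsigner transcript by hand does not scale. The function below is an added example, not from the Oracle note or this post; it classifies a saved jarsigner -verify transcript by the three lines that matter here: the "certificate chain is not validated" message described above as a signing problem, the final "jar verified." line, and the signer certificate's expiration date in the no-timestamp warning, which it compares with a supplied date so the result is reproducible. The function names (jar_verify_status, verify_jars) are my own, and the transcripts it parses are constructed samples modelled on the output above.

```shell
#!/bin/sh
# Added example: triage saved "jarsigner -verify -verbose -certs" transcripts.
#   jar_verify_status <transcript_file> [today_as_YYYYMMDD]
# Exit status: 0 verified, 1 certificate chain not validated (signing problem),
#              2 not verified at all, 3 verified but the signer certificate has expired.
# On a real node:  jarsigner -verify -verbose -certs "$jar" > /tmp/out.txt; jar_verify_status /tmp/out.txt
jar_verify_status() {
  out=$1
  today=${2:-$(date +%Y%m%d)}
  if grep -q 'certificate chain is not validated' "$out"; then
    echo "CHAIN_NOT_VALIDATED: re-sign the jar (adadmin, force regeneration)"; return 1
  fi
  if ! grep -q '^jar verified\.' "$out"; then
    echo "NOT_VERIFIED"; return 2
  fi
  # the no-timestamp warning carries the signer certificate's expiry date as YYYY-MM-DD
  exp=$(sed -n "s/.*expiration date (\([0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]\)).*/\1/p" "$out" | head -n 1)
  if [ -n "$exp" ]; then
    expnum=$(printf '%s' "$exp" | tr -d '-')
    if [ "$expnum" -lt "$today" ]; then
      echo "EXPIRED: signer certificate expired on $exp, re-sign with a current certificate"; return 3
    fi
    echo "VERIFIED (no timestamp; signer certificate valid until $exp)"; return 0
  fi
  echo "VERIFIED"; return 0
}

# verify_jars <today_as_YYYYMMDD> <transcript>... : one summary line per file; returns the failure count
verify_jars() {
  day=$1; shift; failures=0
  for f in "$@"; do
    printf '%-20s ' "$(basename "$f")"
    jar_verify_status "$f" "$day" || failures=$((failures + 1))
  done
  return $failures
}

# --- constructed sample transcripts (modelled on the output above, not real files) ---
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/adxlib.jar.txt" <<'EOF'
sm      6924 Fri Jan 14 03:00:00 EST 2011 oracle/apps/ad/util/zip/ZipOutputStream.class
      X.509, CN=Company_name Inc., O=Company_name Inc., L=City, ST=State, C=US
      [certificate is valid from 1/3/19 7:00 PM to 1/12/22 7:00 AM]

  s = signature was verified
  m = entry is listed in manifest
jar verified.
Warning:
This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2022-01-12) or after any future revocation date.
EOF
cat > "$WORK/broken.jar.txt" <<'EOF'
sm      1234 Fri Jan 14 03:00:00 EST 2011 oracle/apps/fnd/Example.class
jar verified.
Warning:
This jar contains entries whose certificate chain is not validated.
EOF
cat > "$WORK/unsigned.jar.txt" <<'EOF'
     1234 Fri Jan 14 03:00:00 EST 2011 oracle/apps/fnd/Example.class
jar is unsigned. (signatures missing or not parsable)
EOF

verify_jars 20210415 "$WORK"/*.jar.txt; echo "failures: $?"
```

Because the jars are not timestamped (the warning above), the signature stops validating on the client once the signer certificate expires; the EXPIRED status is the reminder to re-run the adadmin signing step with a renewed certificate before that date.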

e) Start the apps services with adstrtal.sh (or start them later, after TLS 1.2 is enabled).
After the above steps, the R12.2.10 web pages and Forms can be launched from MS Edge and Google Chrome. The file download may be slow, so do not click too quickly. If the EBS form does not open on the 1st launch, you may go to the download directory in Windows Explorer and double-click on file frmservlet.jnlp to fire up the Java form.

6) Useful commands

- To view the keystore contents
$ keytool -list -v -keystore $NE_BASE/EBSapps/appl/ad/admin/adkeystore.dat
Enter keystore password:                     <== get it with the ad_jar.get_jripasswords SQL block above if you forgot it.
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: <ebsdev_nodename>      <== all are lower case and $TWO_TASK is EBSDEV
Creation date: Apr 2, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:

etc ... … 

- To sign a single jar file fndgantt.jar:
$ jarsigner -keystore $NE_BASE/EBSapps/appl/ad/admin/adkeystore.dat $FND_TOP/java/jar/fndgantt.jar ebsdev_nodename
Enter Passphrase for keystore:
Enter key password for
<ebsdev_nodename>:
jar signed.
Warning:
No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2022-01-12) or after any future revocation date.


- Another way to verify a digital signature is to add the option "-keystore":
jarsigner -verify -verbose  -keystore $NE_BASE/EBSapps/appl/ad/admin/adkeystore.dat -certs $JAVA_TOP/oracle/apps/fnd/jar/fndaol.jar

- For custom Java development, use the line below to generate and sign mycustom.jar, assuming mycustom.zip has all the .class and .xml files (and the .xml files were imported into the database by java oracle.jrad.tools.xml.importer.XMLImporter):
$ adjava oracle.apps.ad.jri.adjmx -areas $JAVA_TOP/mycustom.zip -outputFile $JAVA_TOP/mycustom.jar -jar $CONTEXT_NAME 1 CUST jarsigner -storePass <KeyStore Password> -keyPass <Key Password>

Monday, March 22, 2021

12.2.10 patch 30399999 failed on POS_SUPPLIER_SEARCH_INDEX.sql

After all pre-steps were completed and the conditions met the requirements, I downloaded the zip files for 12.2.10 patch 30399999 and unzipped them to folder /path/to/R12210_Patches. Command line to apply it:

$ adop phase=apply apply_mode=downtime patches=30399999 patchtop=/path/to/R12210_Patches 

ADOP failed and exited with an error after running for hours:

You should check the file
$NE_BASE/EBSapps/log/adop/.../apply/node_name/30399999/log/u30399999.log
for errors.
 [UNEXPECTED]Error occurred executing "adpatch workers=16 options=hotpatch console=no interactive=no defaultsfile=/path/to/R12210_Patches//30399999 driver=u30399999.drv logfile=u30399999.log"
[UNEXPECTED]Refer to the log files for more information.
[UNEXPECTED]Apply phase has failed.
[STATEMENT] Please run adopscanlog utility, using the command

"adopscanlog -latest=yes"
to get the list of the log files along with snippet of the error message corresponding to each log file.
adop exiting with status = 1 (Fail)

Check the adwork001.log file to see the real error:

sqlplus -s APPS/***** @$AD_TOP/patch/115/sql/adsqlwrapper.sql '$POS_TOP/patch/115/sql/POS_SUPPLIER_SEARCH_INDEX.sql '
Connected.
PL/SQL procedure successfully completed.

DECLARE
*
ERROR at line 1:
ORA-20000: possearchindex.sql(500): ORA-20000: Exception at
POS_SUPPLIER_SEARCH_INDEX_PKG.create_index(1800): ORA-20000: Exception at
POS_SUPPLIER_SEARCH_INDEX_PKG.create_index(1800): ORA-29855: error occurred in
the execution of ODCIINDEXCREATE routine
ORA-20000: Oracle Text error:
DRG-10754: Size (in bytes) must be between 1024 and 52428800
ORA-06512: at line 56

Time when worker failed: Fri Sep 24 2021 13:56:21

SQL> select index_name, table_name, index_type, status, domidx_opstatus 
from all_indexes where domidx_opstatus != 'VALID';

        Control
Worker  Code      Context            Filename                    Status
------  --------  -----------------  --------------------------  --------------
     1  Done      AutoPatch R120     POS_SUPPLIER_SEARCH_INDEX.  FAILED


At this stage, we do not want to make any changes to the instance. The only option is to skip this SQL script and then restart the adop session.

Fortunately adctrl still shows the workers' status, even though the ADOP session had already exited with the error. I chose option #8 to skip the failed worker.

After that, I ran the line below to restart from where it failed, and it completed:
$ adop phase=apply apply_mode=downtime patches=30399999 patchtop=/path/to/R12210_Patches restart=yes

$ vi u30399999.log
... ...
Worker process 15 started.
Worker process 16 started.

Checking if all jobs have their actual and symbolic arguments in sync....
Done.
Reading jobs from FND_INSTALL_PROCESSES table ...
    Fixed: file POS_SUPPLIER_SEARCH_INDEX.sql on worker  1 for product pos username POS.
Time is: Fri Sep 24 2021 16:22:18

Done reading jobs from FND_INSTALL_PROCESSES table ...
Telling workers to read 'todo' restart file.
Done.
Completed: file POS_SUPPLIER_SEARCH_INDEX.sql on worker  1 for product pos username POS.
Time is: Fri Sep 24 2021 16:22:18
Connecting to APPS......Connected successfully.

Even though u30399999.log says file POS_SUPPLIER_SEARCH_INDEX.sql was completed, the worker log shows it was skipped, and the index status still shows a failure as well.
$ vi adwork001.log
... ...
Ready to run jobs.
Setting parallel context: PARALLEL AUTOPATCH AT R120
Restarting job that failed - will skip a single step.
Time when worker restarted job: Fri Sep 24 2021 16:22:18
Skipping step POS_SUPPLIER_SEARCH_INDEX.sql.
Step skipped at time: Fri Sep 24 2021 16:22:18

Time when worker completed job: Fri Sep 24 2021 16:22:18

SQL> select index_name, table_name, index_type, status, domidx_opstatus 
from all_indexes where domidx_opstatus != 'VALID';
INDEX_NAME                 TABLE_NAME                INDEX_TYPE  STATUS  DOMIDX_OPSTATUS
-------------------------  ------------------------  ----------  ------  ---------------
POS_SUPPLIER_SEARCH_INDEX  POS_SUPPLIER_ENTITY_DATA  DOMAIN      VALID   FAILED

I believe our instance does not use this index, so I just ignored it. I do not know exactly what caused the failure in creating the index. I believe it relates to the 0 value of two database init parameters:
SQL> show parameter PGA_AGGREGATE_TARGET;
NAME                  TYPE        VALUE
--------------------- ----------- ------
pga_aggregate_target  big integer 0          (Note: 0 means unlimited)

SQL> show parameter SGA_TARGET;
NAME                  TYPE        VALUE
--------------------- ----------- ------
sga_target            big integer 0


Sunday, March 21, 2021

Run ADSplice in R12.2

ADSplice is the only way to create custom tops in EBS R12.2. The steps for running it are in Doc ID 1577707.1 (Creating a Custom Application in Oracle E-Business Suite Release 12.2). If it is a multi-node instance, you have to run it on each node.

1. Before running ADSplice, make sure the latest AD and TXK patches for R12.2 have already been applied:
SQL> select abbreviation ,codelevel from ad_trackable_entities 
where abbreviation in( 'ad','txk') order by abbreviation;

ABBREVIATION CODELEVEL
------------ ---------
ad           C.12
txk          C.12

2. For a regular custom top, it is not difficult to follow the Oracle document for creating or modifying it. Three files are required by ADSplice in folder $APPL_TOP/admin for one custom top, $XXFS_TOP for example:
xxefprod.txt
xxefterr.txt
newprods.txt

3. Then run adsplice. It will ask for the SYSTEM and APPS passwords. It also gives an option to run AutoConfig, so it is better to shut down the apps services before running adsplice.
 
$ echo $FILE_EDITION
run
$ cd $APPL_TOP/admin
$ adsplice

ADSplice creates the folder structure for $XXFS_TOP under $APPL_TOP.

For multiple nodes, run adsplice on all nodes. After the 1st node, adsplice runs much faster because it knows the database part has already been completed.

4. Most custom tops have custom code/files. Migrate the custom code/files to the correct new folder, and then compile them or link them to the right executable files.

5. After ADSplice has worked, add entries for all your custom files to the custom synchronization driver file located at $APPL_TOP_NE/ad/custom/adop_sync.drv. I used the line below, which works well for copying folder xxfs from <s_current_base> (source) to <s_other_base> (target):

rsync -a --delete %s_current_base%/EBSapps/appl/xxfs %s_other_base%/EBSapps/appl

The option -a is very powerful: it copies the directory and all its sub-directories recursively, and preserves symbolic links, modification times, group, ownership, and permissions. It is a combination of a bunch of other options:
-r  Recurse into directories  
-l  Copy symlinks as symlinks
-p  Preserve file permissions
-t  Preserve modification times
-g  Preserve group
-o  Preserve owner
-D  Preserve device and special files

The --delete option deletes files and sub-directories that exist in the target folder but not in the source folder.

6. Run FS_CLONE
ADSplice creates folders only in the RUN edition file system. You must run "adop phase=fs_clone" to ensure that all custom products are synchronized/copied to the PATCH file system. Doc ID 2167878.1 indicates that FS_CLONE does use adop_sync.drv.

I ran into an error with "adop phase=prepare". ADOP does not say what the specific problem is at all!
=============================
Inside evalADPATCHStatus()...
=============================
message_status: ERROR
Adsplice action did not go through successfully.
*******FATAL ERROR*******
PROGRAM : ($AD_TOP/patch/115/bin/txkADOPPreparePhaseSynchronize.pl)
TIME    : Wed Jul 20 14:00:36 2022
FUNCTION: main::execADSPLICE [ Level 1 ]
ERRORMSG: Adsplice action did not go through successfully. 

Before the error, log file txkADOPPreparePhaseSynchronize.log shows a SQL statement similar to the lines below, which checks table AD_ADOP_SESSION_PATCHES:

SELECT * FROM ad_adop_session_patches
WHERE bug_number LIKE 'ADSPLICE%'
ORDER BY TO_CHAR(end_date,'YYYY.MM.DD:HH24:MI:SS') DESC;

Without running fs_clone, column PATCH_FILE_SYSTEM_BASE is empty for the one CUSTOM TOP. I think that causes ADOP PREPARE to fail.

After "adop phase=prepare" has failed, "adop phase=fs_clone" will not work. You have to run the steps below, in order:
$ adop phase=abort
$ adop phase=cleanup cleanup_mode=full
$ adop phase=fs_clone

Notes: Similarly, anytime after a change was made in RUN file system, e.g. a patch applied in HOTPATCH mode, you have to run "adop phase=fs_clone" to sync the change to PATCH file system.

7. A useful query to verify whether a new custom top in R12.2 was created by ADSplice:
SQL> set linesize 300
set pagesize 300
col appl_id format 99999
col app_short_name format a15
col basepath format a15
col application_name format a35
col inst_status format a10
col product_version format a20
col patchset format a25
col oracle_id format 99999

SQL> SELECT fav.application_id APPL_ID, fav.application_short_name app_short_name, fav.basepath, fav.application_name,
decode(fpi.status,'I','Installed','S','Shared','N','No', fpi.status) inst_status,  fpi.product_version,
nvl(fpi.patch_level, 'Not Available') patchset, fpi.oracle_id
FROM apps.fnd_application_vl fav, apps.fnd_product_installations fpi
WHERE fav.application_id = fpi.application_id
and (fav.application_short_name like 'XX%' )
ORDER BY app_short_name asc;

- TROUBLESHOOTING and lessons learned on ADSplice:

1. We had a custom top that was created in 9i with a mismatch between SHORT_NAME and BASEPATH (the name of the custom top):
SQL> select ORACLE_USERNAME, ORACLE_ID, dba.USERNAME
   from fnd_oracle_userid fnd, dba_users dba
 where fnd.oracle_username = dba.username and lower(oracle_username) in ('xxfs');

ORACLE_USERNAME   ORACLE_ID  USERNAME
----------------  ---------  ----------------
XXFS                  20024  XXFS

SQL> select application_id, application_short_name short_name,
last_update_date, basepath, product_code
   from fnd_application
 where application_short_name like '%XXFS%' or application_id = 20024;

APPLICATION_ID  SHORT_NAME  LAST_UPDATE  BASEPATH   PRODUCT_CODE
--------------  ----------  -----------  ---------  ------------
         20024  XXFFS       16-DEC-97    XXFS_TOP   XXFFS

We tried to keep it the old way, to minimize rewriting custom code, by putting the lines below in file xxefprod.txt:

# Product specific Product ID's
xxfs     20024

END_OF_PRODUCT_ABBREVIATIONS   -999
#
# ##################################################
# Oracle Support Diagnostic Tools
# ##################################################
#
# application id, abbreviation, shortname, prefix
20024 aefs XXFFS APP
# multiple product installations for msob, "controlled release", shared only
#   optional fourth field is "stub product".  default is No
No No No No
# multilingual, has NLADD.sql
Yes Yes
# install oracle id, default ORACLE username, default ORACLE password
20024 XXFS XXFS

Note: In the above line, XXFS is not necessarily the current DB password. If the account does not exist in the database, adsplice will create it.

ADSplice did not complain about it and created $XXFS_TOP. But when I later applied patches, "adop phase=prepare" failed with error:

Custom product XXFS entry is NOT there in FND_APPLICATIONS table
ERROR: The following custom products have not been correctly added: XXFS

We also tried to create two custom tops, $XXFFS_TOP and $XXFS_TOP (with a new application id assigned, such as 30034), sharing the same existing database account XXFS. ADSplice also created both without complaint. But "adop phase=prepare" failed again without giving a specific error:

message_status: ERROR
Adsplice action did not go through successfully.
*******FATAL ERROR*******
PROGRAM : ($AD_TOP/patch/115/bin/txkADOPPreparePhaseSynchronize.pl)
TIME    : Wed Xxx  5 11:52:14 2021
FUNCTION: main::execADSPLICE [ Level 1 ]
ERRORMSG: Adsplice action did not go through successfully.

I had to de-register $XXFFS_TOP first and then de-register $XXFS_TOP by using
$ perl $AD_TOP/bin/adDeregisterCustomProd.pl

After de-registering them, ADOP worked through the full patching cycle.

Before that, I tried the suggestion in Doc ID 1932207.1 (Adop Prepare ERRORMSG: Adsplice Action Did Not Go Through Successfully After Add new Custom Application in R12.2). But I am not sure (I do not remember) whether it helped or not.

SQL> UPDATE FND_ORACLE_USERID SET ENABLED_FLAG = 'N'
WHERE ORACLE_USERNAME in ('XXFS') ;    -- from "(null)" 

2. "perl $AD_TOP/bin/adDeregisterCustomProd.pl" deletes data from tables FND_OAM_CONTEXT_CUSTOM and FND_APPLICATION. But it does not delete the row in table FND_PRODUCT_INSTALLATIONS.

3. If the password of Oracle database account XXEF was changed by some means other than FNDCPASS, ADSplice will give an ORA-01017 error. The fix is to use the line below to change its password:
$ FNDCPASS apps/apps_PWD 0 Y system/'systemPWD' ORACLE xxef xxef_PWD

4.  "adop phase=abort,cleanup cleanup_mode=full" failed with error message:

AutoPatch - aidafoGetFileDbVersion: INFO: ORA-01403: no data found
AutoPatch error:
Unable to get APPS_DDL package version from db <XXFS> <APPS_DDL> <PACKAGE>
AutoPatch error:
adpmrp: Error while installing apps_ddl packages.

Run the query below to see its status. The fix is to run an UPDATE on the row.

SQL> select oracle_username, read_only_flag from fnd_oracle_userid 
 where read_only_flag <> 'A';

ORACLE_USERNAME  READ_ONLY_FLAG
---------------  --------------
APPLSYS          E
APPS             U
XXFS             D
APPLSYSPUB       C
APPS_NE          Z

SQL> update fnd_oracle_userid set read_only_flag='A' 
where ORACLE_USERNAME='XXFS';

Then "adop phase=abort" worked. (Note: In another instance of mine, XXFS has the same status, but ADOP does not fail.)
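As an added example (not from the original post), a consistency check I would run before ADSplice or "adop phase=prepare" that covers items 1, 2 and 4 above: it joins FND_APPLICATION, FND_PRODUCT_INSTALLATIONS and FND_ORACLE_USERID using only the columns shown in this post, and reports the short-name/basepath/schema mismatches and the READ_ONLY_FLAG state that caused the failures described. The 'XX%' prefix is assumed to be the custom short-name convention, as in the post's item 7 query.

```sql
-- Added example: custom applications whose registration looks inconsistent.
-- Each row reports the first problem found; 'ok' means nothing was flagged.
SELECT fa.application_id,
       fa.application_short_name AS short_name,
       fa.basepath,
       fou.oracle_username,
       fou.read_only_flag,
       fou.enabled_flag,
       CASE
         WHEN fa.basepath <> fa.application_short_name || '_TOP'
           THEN 'basepath does not match short name (item 1)'
         WHEN fou.oracle_username IS NULL
           THEN 'no FND_ORACLE_USERID row for this installation'
         WHEN fou.read_only_flag <> 'A'
           THEN 'read_only_flag is not A; adop abort/cleanup may fail (item 4)'
         WHEN fou.oracle_username <> fa.application_short_name
           THEN 'schema differs from short name; check the product file'
         ELSE 'ok'
       END AS finding
  FROM fnd_application fa
  JOIN fnd_product_installations fpi
    ON fpi.application_id = fa.application_id
  LEFT JOIN fnd_oracle_userid fou
    ON fou.oracle_id = fpi.oracle_id
 WHERE fa.application_short_name LIKE 'XX%'
 ORDER BY fa.application_id;

-- Item 2: rows that adDeregisterCustomProd.pl leaves behind in
-- FND_PRODUCT_INSTALLATIONS after the FND_APPLICATION row is gone.
SELECT fpi.application_id, fpi.oracle_id, fpi.status, fpi.product_version
  FROM fnd_product_installations fpi
 WHERE NOT EXISTS (SELECT 1
                     FROM fnd_application fa
                    WHERE fa.application_id = fpi.application_id)
 ORDER BY fpi.application_id;
```

Run both statements as APPS; the second should return no rows on a clean instance, and any row it does return belongs to a custom top that was de-registered but not fully cleaned up.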

5. After a custom top is created, if it is used by a responsibility or by concurrent jobs, run AutoConfig and bounce the apps services to avoid this error/message:

APP-FND-00362: Routine afpbep cannot execute request &REQUEST for program &PROGRAM, because the environment variable &BASEPATH is not set for the application to which the concurrent program executable &EXECUTABLE belongs.

Shut down the concurrent managers. Set the basepath environment variable for the application. Restart the concurrent managers. (VARIABLE=)
Routine AFPEOT cannot construct the name of an executable file for your concurrent request 430346.

Check that the file name components are correct and valid on your system. Check that the environment for the person who started the concurrent manager 

6. R12.2 GUI forms will not create a custom top, because navigating to Application => Register gives the message:
Forms Registration for Custom Application or Schema is now blocked. Please consult ADSplice documentation for the current standards for deploying Customizations in EBS

Doc ID 2272551.1 says this is intended functionality. Application Forms cannot be used to add or remove applications. This is restricted in 12.2 and going forward.

7. If a custom top is not necessary but an env variable is needed as a pointer to a folder under $APPL_TOP, modify file $FND_TOP/fndenv.env by adding these lines (the variable that is set must be the same one that is exported):
#Begin Customizations
XXEDI_TOP=${APPL_TOP}/xxedi/12.0.0; export XXEDI_TOP
#End Customizations

With the use of adsplice, I am not sure whether modifying the Forms file is still necessary in R12.2:
$INST_TOP/ora/10.1.2/forms/server/default.env:
#Begin Customizations
XXEDI_TOP=/path/to/appl/xxedi/12.0.0
#End Customizations

Related Documents: 
How to remove a CUSTOM top  (Doc ID 1903037.1)
How To De-register Custom Applications (Doc ID 2085355.1)