Tuesday, January 18, 2022

Change Weblogic password in R12.2

There are many posts on changing the WebLogic password; the steps below worked for me.

1. Stop all EBS services
2. Start Admin Server on Primary node
$ $ADMIN_SCRIPTS_HOME/adadminsrvctl.sh start
3. Run below line to change Weblogic password.
WARNING: It does not prompt to confirm the new password. The safest way is to enter it by copy/paste. If you type it wrong, it will be a disaster because Oracle does not supply a way to decrypt passwords.
 
$ perl $FND_TOP/patch/115/bin/txkUpdateEBSDomain.pl -action=updateAdminPassword

Program: txkUpdateEBSDomain.pl started at Tue ... ...

AdminServer will be re started after changing WebLogic Admin Password
All Mid Tier services should be SHUTDOWN before changing WebLogic Admin Password
Confirm if all Mid Tier services are in SHUTDOWN state. Enter "Yes" to proceed or anything else to exit: Yes

Enter the full path of Applications Context File [DEFAULT - $CONTEXT_FILE]:
Enter the WLS Admin Password:
Enter the new WLS Admin Password:
Enter the APPS user password:
... ...
*************** IMPORTANT ****************
WebLogic Admin Password is changed.
Restart all application tier services using control scripts.
********************************************
----------------------------------------
Inside generateMimeMappingsPropFile()...
----------------------------------------
$FMW_HOME/user_projects/domains/EBS_domain/config/mimemappings.properties already exists, updating it.
--------------------------------------
Inside updateMimeMappingsPropFile()...
--------------------------------------
-------------------------------------
Inside resetExistingMimeMappings()...
-------------------------------------
Overwriting the value for the parameter: png
Overwriting the value for the parameter: xml
Overwriting the value for the parameter: js
Overwriting the value for the parameter: svg
Overwriting the value for the parameter: swf
Reset of mime mappings completed.
---------------------------
Inside addMimeMappings()...
---------------------------
Adding of mime mappings completed.
Taking backup of existing mimemappings.properties.
Copying the file
----------------
SOURCE : $FMW_HOME/user_projects/domains/EBS_domain/config/mimemappings.properties
TARGET : $FMW_HOME/user_projects/domains/EBS_domain/config/mimemappings.properties_bkp
Copying temporary file as mimemappings.properties.
Copying the file
----------------
SOURCE : $FMW_HOME/user_projects/domains/EBS_domain/config/mimemappings.properties_temp
TARGET : $FMW_HOME/user_projects/domains/EBS_domain/config/mimemappings.properties
$FMW_HOME/user_projects/domains/EBS_domain/config/mimemappings.properties updated successfully.
Program: txkUpdateEBSDomain.pl completed at Tue ... ...

4. Log onto Weblogic Console and EM as weblogic using the new password.
5. Start all EBS services

Different WebLogic versions may have different ways to change the password. Version info (for details, see Doc ID 1051959.1 How To Find the Full WebLogic Server Version and Full Patch Level):

$ cd $FMW_HOME/user_projects/domains/EBS_domain_${TWO_TASK}/servers/AdminServer/logs
$ grep WebLogic AdminServer.log
... ...
<WebLogic Server "AdminServer" version:
WebLogic Server 10.3.6.0.210119 PSU Patch for BUG32052267 Mon Nov 23 07:28:31 UTC 2020
WebLogic Server Temporary Patch for BUG13964737 Fri Dec 20 11:32:08 IST 2013
WebLogic Server Temporary Patch for BUG20474010 Sun Mar 01 17:22:18 IST 2015
WebLogic Server Temporary Patch for ${CRS} Mon Jul 30 16:45:20 EDT 2012
WebLogic Server Temporary Patch for ${CRS} Mon Jul 30 16:45:20 EDT 2012
WebLogic Server 10.3.6.0  Tue Nov 15 08:52:36 PST 2011 1441050  Copyright (c) 1995, 2011, Oracle and/or its affiliates. All rights reserved.>   ... ...

REFERENCES:

How to Change /Reset /Retrieve the WebLogic Server Administrator Password - All Versions (Doc ID 1082299.1)
How to Decrypt WLS Passwords using WLST? ( Doc ID 2732961.1 )

Wednesday, December 29, 2021

Use zip to address Apache log4j vulnerabilities

The approach comes from an Oracle document that uses zip/unzip to remove a Java class from a JAR file. I put the steps into a script for quick execution. Note: Oracle soon updated the document to use a patch to address this vulnerability instead.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/bin/bash
# CVE-2021-44228 Advisory for Oracle E-Business Suite (Apache log4j Vulnerabilities)
# (Doc ID 2827804.1)
# In R12.2.10 instances only
#
jars="$FND_TOP/java/3rdparty/stdalone/log4j_core.jar $COMMON_TOP/java/lib/log4j_core.jar"
cls="org/apache/logging/log4j/core/lookup/JndiLookup.class"

echo "Before change"
# check the JAR files exist
for jar in $jars ;do ls -l "$jar" ;done

# verify whether the log4j JARs contain the affected JndiLookup class:
for jar in $jars ;do unzip -l "$jar" "$cls" ;done

# back up each JAR before it is modified
for jar in $jars ;do cp -p "$jar" "$jar.bak" ;done
echo "After backup"
for jar in $jars ;do ls -al "$jar"* ;done

echo "After change"
# remove the JndiLookup class from the JAR files
for jar in $jars ;do zip -q -d "$jar" "$cls" ;done

# verify that the JAR files have been recently modified and that their size has become smaller:
for jar in $jars ;do ls -l "$jar" ;done

# verify that the JndiLookup classes are no longer present (unzip reports "filename not matched"):
for jar in $jars ;do unzip -l -q "$jar" "$cls" ;done

echo DONE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Check the result:

$ cd $FND_TOP/java/3rdparty/stdalone
$ ls -altr log4j_core.jar*
-rwxr-xr-x 1 users group 3887706 Apr 30  2021 log4j_core.jar.bak
-rwxr-xr-x 1 users group         624 Dec 21  2021 log4j_core.jar

Note: unzip can be used to list the contents of a .jar file:

$ unzip -l log4j_core.jar
Archive:  log4j_core.jar
$Header: log4j_core.jar 120.0.12020000.2 2021/12/14 22:42  srkumma $
  Length     Date   Time    Name
 --------    ----   ----    ----
      114  12-14-21 22:22   META-INF/JRIMETA.DAT
      186  12-14-21 22:02   README_log4j_core.txt
 --------                   -------
      300                   2 files
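A scanner for the same JndiLookup.class check, added here as an example and not part of Oracle's advisory or the script above: it reimplements the unzip -l / zip -d steps with Python's zipfile over a whole directory tree, also looks one level into nested JARs, and builds its own constructed sample JARs (hypothetical names) instead of touching real EBS files.

```python
"""Scan a tree of JARs for log4j's JndiLookup.class (CVE-2021-44228) and strip it.
Added example, not Oracle's script: mirrors the Doc ID 2827804.1 steps with zipfile, nested JARs included."""
import io
import os
import shutil
import tempfile
import zipfile
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def jar_has_jndi_lookup(jar_path):
    """True if the JAR, or a JAR nested one level inside it, still contains JndiLookup.class."""
    with zipfile.ZipFile(jar_path) as zf:
        names = zf.namelist()
        if JNDI_LOOKUP in names:
            return True
        for name in names:  # uber-JARs may embed log4j-core as a nested JAR
            if name.endswith(".jar"):
                try:
                    with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                        if JNDI_LOOKUP in inner.namelist():
                            return True
                except zipfile.BadZipFile:
                    pass
    return False

def scan_tree(root):
    """Map each .jar under root (relative path) to True/False, or None if it is not a readable zip."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in (f for f in files if f.endswith(".jar")):
            path = os.path.join(dirpath, fname)
            try:
                results[os.path.relpath(path, root)] = jar_has_jndi_lookup(path)
            except zipfile.BadZipFile:
                results[os.path.relpath(path, root)] = None
    return results

def strip_jndi_lookup(jar_path):
    """Copy jar_path to jar_path.bak, then rewrite it without the top-level JndiLookup.class."""
    shutil.copy2(jar_path, jar_path + ".bak")
    tmp = jar_path + ".tmp"
    removed = False
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))  # keeps name, timestamp, compression
    os.replace(tmp, jar_path)
    return removed

def build_sample_tree():
    """Constructed test data (not Oracle's JARs): one vulnerable, one clean, one nested."""
    root = tempfile.mkdtemp(prefix="log4j_scan_")
    def make(target, members):  # target may be a path or a BytesIO
        with zipfile.ZipFile(target, "w") as zf:
            for name, data in members.items():
                zf.writestr(name, data)
    make(os.path.join(root, "log4j_core.jar"), {JNDI_LOOKUP: b"\xca\xfe\xba\xbe"})
    make(os.path.join(root, "clean.jar"), {"README_log4j_core.txt": b"patched"})
    inner = io.BytesIO()
    make(inner, {JNDI_LOOKUP: b"\xca\xfe\xba\xbe"})
    make(os.path.join(root, "app.jar"), {"lib/log4j-core.jar": inner.getvalue()})
    return root
```

Run scan_tree against $FND_TOP/java and $COMMON_TOP/java before and after the change; a nested hit means the class lives inside an embedded JAR that zip -d on the outer file will not touch.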


Friday, October 15, 2021

How to find the expiration date of a certificate in EBS R12.2

Steps to find the expiration date of the certificate in the wallet file $NE_BASE/inst/$CONTEXT_NAME/certs/Apache/cwallet.sso

$ cd $NE_BASE/inst/$CONTEXT_NAME/certs/Apache
$ alias orapki=$FMW_HOME/oracle_common/bin/orapki

$ orapki wallet display -wallet ./cwallet.sso     -- Note: file cwallet.sso does not ask for the password
Requested Certificates:
User Certificates:
Subject:        CN=siteName.domian.com,O=CompanyName,L=cityName,ST=AZ,C=US
Trusted Certificates:
Subject:        CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
Subject:        CN=CompanyName Secure CA2,O=ComanyName,C=US

$ orapki wallet export -wallet ./cwallet.sso -dn "CN=siteName.domian.com,O=CompanyName,L=cityName,ST=AZ,C=US" -cert siteName_certs.cer

$ orapki cert display -cert ./siteName_certs.cer -summary

Subject:       CN=siteName.domian.com,O=CompanyName,L=cityName,ST=AZ,C=US  
Issuer:         CN=CompanyName Secure CA2,O=ComanyName,C=US
Valid Until:    Fri Jul 16 19:59:59 EDT 2021
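Added example (not Oracle's tool) that parses the orapki -summary output above and reports the remaining validity, so the expiry can be caught on a schedule before OHS refuses to start. SAMPLE_SUMMARY is constructed from the output shown in this post, and ZONE_OFFSETS assumes the node prints one of the listed zone abbreviations.

```python
"""Report remaining validity of the OHS certificate from 'orapki cert display -summary' output.
Added example, not Oracle's tool; SAMPLE_SUMMARY is constructed from the output shown in the post."""
import re
from datetime import datetime, timedelta, timezone

# orapki prints the node's local zone abbreviation, which strptime cannot resolve portably.
# Assumption: the web node runs in one of these zones; extend the table for others.
ZONE_OFFSETS = {"UTC": 0, "GMT": 0, "EST": -5, "EDT": -4, "CST": -6, "CDT": -5,
                "MST": -7, "MDT": -6, "PST": -8, "PDT": -7}

SAMPLE_SUMMARY = """\
Subject:       CN=siteName.domian.com,O=CompanyName,L=cityName,ST=AZ,C=US
Issuer:         CN=CompanyName Secure CA2,O=ComanyName,C=US
Valid Until:    Fri Jul 16 19:59:59 EDT 2021
"""


def parse_summary(text):
    """Return subject, issuer and an aware 'valid_until' datetime from the -summary text."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(Subject|Issuer|Valid Until):\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    missing = {"Subject", "Issuer", "Valid Until"} - set(fields)
    if missing:
        raise ValueError("orapki summary is missing %s" % sorted(missing))
    # e.g. "Fri Jul 16 19:59:59 EDT 2021": drop the weekday, pull the zone out, parse the rest.
    m = re.match(r"^\w{3}\s+(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(\w+)\s+(\d{4})$",
                 fields["Valid Until"])
    if not m or m.group(2) not in ZONE_OFFSETS:
        raise ValueError("unrecognised Valid Until: %r" % fields["Valid Until"])
    stamp, zone, year = m.groups()
    naive = datetime.strptime("%s %s" % (stamp, year), "%b %d %H:%M:%S %Y")
    valid_until = naive.replace(tzinfo=timezone(timedelta(hours=ZONE_OFFSETS[zone])))
    return {"subject": fields["Subject"], "issuer": fields["Issuer"], "valid_until": valid_until}


def days_remaining(text, now=None):
    """Whole days until expiry (negative once expired). 'now' may be an aware ISO-8601 string."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    return (parse_summary(text)["valid_until"] - now).days


def expiry_status(text, warn_days=30, now=None):
    """EXPIRED, EXPIRING (within warn_days, i.e. inside the renewal window) or OK."""
    left = days_remaining(text, now)
    if left < 0:
        return "EXPIRED"
    return "EXPIRING" if left <= warn_days else "OK"


if __name__ == "__main__":
    # In production, feed the real output: subprocess.run([orapki, "cert", "display",
    # "-cert", cer_file, "-summary"], capture_output=True, text=True).stdout
    print(expiry_status(SAMPLE_SUMMARY), days_remaining(SAMPLE_SUMMARY), "days left")
```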

Tuesday, October 12, 2021

How to start a R12.2 OHS (Apache) after the SSL certificate has expired

When the SSL certificate has expired (or something is wrong in the certificate .sso file), Apache will not start via adapcctl.sh in R12.2. Possible error messages in adapcctl.txt (or adopmnctl.txt) under $LOG_HOME/appl/admin/log:

[opmn] [ERROR:1] [] [internal] $FMW_HOME/webtier/opmn/bin/opmn: unexpected exit: status 4200
opmnctl start: opmn failed to start.

ias-component/process-type/process-set:  EBS_web/OHS/OHS/
Error
--> Process (index=1,uid=1246640827,pid=29336)
  failed to start a managed process after the maximum retry limit
  Log: $FMW_HOME/webtier/instances/EBS_web_OHS1/diagnostics/logs/OHS/EBS_web/console~OHS~1.log
... ... :: adapcctl.sh: exiting with status 204

$FMW_HOME/webtier/instances/EBS_web_OHS1/diagnostics/logs/OHS/EBS_web/EBS_web.log may show the errors from starting Apache:

[OHS] [ERROR:32] [] [core.c] [host_id: node_name.domain.com] [host_addr: 167.69.xx.xx] [pid: 1851] [tid: 139696124196736] [user: applmgr] [VirtualHost: site_name.domain.com:0] Init: (site_name.domain.com:443) Unable to initialize SSL environment, nzos call nzosSetCredential returned 28791

[OHS] [ERROR:32] [] [core.c] [host_id: node_name.domain.com] [host_addr: 167.69.xx.xx] [pid: 1851] [tid: 139696124196736] [user: applmgr] [VirtualHost: site_name.domain.com:0] NZ Library Error: Unknown error

"adopmnctl.sh start" can be used to get more error message in $FMW_HOME/webtier/instances/EBS_web_OHS1/diagnostics/logs/OPMN/opmn/opmn.log, such as  errors (that matches Doc ID 2676628.1):

[opmn] [ERROR:1] [] [ons-secure] Connection server SSL set credentials failed (28791)
[opmn] [ERROR:1] [222] [ons-secure] SSL initialization failed

Note: If the cert file .../config/OPMN/opmn/wallet/cwallet.sso is the wrong file, "adapcctl.sh start" will fail quickly and may give a misleading error in adapcctl.txt:

[opmn] [ERROR:1] [] [internal] $FMW_HOME/webtier/opmn/bin/opmn: unexpected exit: status 4200
opmnctl start: opmn failed to start.

So the login page, and with it the entire EBS site, is not accessible. The error messages in the log do not point out the real problem. Most likely (but not always), the cert has expired.

I tried to renew the cert file. But if the new one did not make Apache start, it was impossible to tell whether the CA software webpage (such as Venafi) gave me a valid cert file. In that situation, there is no good way to test the cert renewal. It became an urgent problem.

The solution is to create a temporary cert to bring the site up. Doc ID 2555355.1 (Prerequisite Steps to Configure Oracle Fusion Middleware 11.1.1.9 Components for Oracle E-Business Suite Release 12.2 Before Applying the July 2019 and Later FMW OSS Security Patch) gives steps for creating a temporary cert file. I had to keep the Admin Server ("adadminsrvctl.sh start") up during this process in R12.2.10.

First of all, make sure to use the right orapki:
$ alias orapki=$FMW_HOME/oracle_common/bin/orapki
$ cd /u01/app/temp
$ mkdir ss
$ cd ss

Create a new wallet with an acceptable self-signed certificate in /u01/app/temp/ss:

$ orapki wallet create -wallet ./ -auto_login_only
Oracle PKI Tool : Version 11.1.1.9.0
Copyright (c) 2004, 2015, Oracle and/or its affiliates. All rights reserved.

$ orapki wallet add -wallet . -dn "CN=FMWSmallCircleOfTrust" -asym_alg RSA -keysize 2048 -sign_alg sha256 -self_signed -validity 3652 -auto_login_only
Oracle PKI Tool : Version 11.1.1.9.0
Copyright (c) 2004, 2015, Oracle and/or its affiliates. All rights reserved.

$ orapki wallet display -wallet .               <== to verify/see the new wallet
Oracle PKI Tool : Version 11.1.1.9.0
Copyright (c) 2004, 2015, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Subject:        CN=FMWSmallCircleOfTrust
Trusted Certificates:
Subject:        CN=FMWSmallCircleOfTrust

Define useful OS variable $iName for next steps:
$ tr < $CONTEXT_FILE '<>' '  ' | awk '/"s_ohs_instance"/ {print $(NF-1)}'
EBS_web_OHS1

$ iName=$(tr < $CONTEXT_FILE '<>' '  ' | awk '/"s_ohs_instance"/ {print $(NF-1)}' )

$ pwd
/u01/app/temp/ss
$ cd $FMW_HOME/webtier/instances/$iName
$ pwd
$FMW_HOME/webtier/instances/EBS_web_OHS1
$ find . -name cwallet.sso                   <== to find where cwallet.sso is used (3 active locations)
./config/OPMN/opmn/wallet_ORIG/cwallet.sso
./config/OPMN/opmn/wallet/cwallet.sso
./config/OHS/EBS_web/keystores/default/cwallet.sso
./config/OHS/EBS_web/proxy-wallet/cwallet.sso

Back up the existing cwallet.sso and replace it with the temporary cert file in the 3 locations.

$ find . -name cwallet.sso | fgrep -v /webgate/ | while read w ; do echo $w; cp -p /u01/app/temp/ss/cwallet.sso $w ; done
./config/OPMN/opmn/wallet/cwallet.sso
./config/OHS/EBS_web/keystores/default/cwallet.sso
./config/OHS/EBS_web/proxy-wallet/cwallet.sso

$ ls -al ./config/OPMN/opmn/wallet
total 12
-rw------- 1 user group 3853 Oct  1 16:44 cwallet.sso
-rw------- 1 user group 4365 May 28 15:53 cwallet.sso_BK_1001
-rw------- 1 user group    0 May 28 15:53 cwallet.sso.lck

$ ls -al
drwx------ 3 user group 17 May 28 15:54 auditlogs
drwx------ 2 user group 21 May 28 15:53 bin
drwx------ 4 user group 29 May 28 15:53 config
drwx------ 3 user group 18 May 28 15:53 diagnostics
drwx------ 3 user group 21 May 28 15:53 OHS
drwx------ 3 user group 23 Jun 14 03:24 tmp

$ find . -name cwallet.sso | fgrep -v /webgate/ | while read w ; do echo -e "\n$w"; orapki wallet display -nologo -wallet $w ; done

./config/OPMN/opmn/wallet_ORIG/cwallet.sso
Requested Certificates:
User Certificates:
Subject:        CN=Self-Signed Certificate for EBS_web_OHS1\20,OU=OAS,O=ORACLE,L=REDWOODSHORES,ST=CA,C=US
Trusted Certificates:
Subject:        CN=Self-Signed Certificate for EBS_web_OHS1\20,OU=OAS,O=ORACLE,L=REDWOODSHORES,ST=CA,C=US

./config/OPMN/opmn/wallet/cwallet.sso
Requested Certificates:
User Certificates:
Subject:        CN=FMWSmallCircleOfTrust
Trusted Certificates:
Subject:        CN=FMWSmallCircleOfTrust

./config/OHS/EBS_web/keystores/default/cwallet.sso
Requested Certificates:
User Certificates:
Subject:        CN=FMWSmallCircleOfTrust
Trusted Certificates:
Subject:        CN=FMWSmallCircleOfTrust

./config/OHS/EBS_web/proxy-wallet/cwallet.sso
Requested Certificates:
User Certificates:
Subject:        CN=FMWSmallCircleOfTrust
Trusted Certificates:
Subject:        CN=FMWSmallCircleOfTrust

Re-register OHS and its new certificate with Fusion Middleware Control. This step seems necessary to me (though I do not know what it really does).

$ aHost=$( tr < $CONTEXT_FILE '<>' '  ' | awk '/"s_wls_admin_host"/ {print $(NF-1)}' )
$ aPort=$( tr < $CONTEXT_FILE '<>' '  ' | awk '/"s_wls_adminport"/ {print $(NF-1)}' )
$ aUser=$( tr < $CONTEXT_FILE '<>' '  ' | awk '/"s_wls_admin_user"/ {print $(NF-1)}' )

$ echo $aHost
node_name
$ echo $aPort
7032
$ echo $aUser
weblogic

$ cd $FMW_HOME/webtier/instances/$iName/bin

$ ./opmnctl unregisterinstance -adminHost $aHost -adminPort $aPort -adminUsername $aUser -instanceName $iName

Command requires login to weblogic admin server (node_name):
  Username: weblogic
  Password:

Unregistering instance
Command succeeded.

$ ./opmnctl registerinstance -adminHost $aHost -adminPort $aPort -adminUsername $aUser

Command requires login to weblogic admin server (node_name ):
  Username: weblogic
  Password:

Registering instance
Command succeeded.

I logged onto EM site at http://node_name.domain.com:7032/em (vs. Console) and saw OHS was still down (Somehow, my EM always shows Web Tier sites are down), and adopmnctl.sh reported OHS in Down status.

Now, when I ran adapcctl.sh, it started Apache successfully and the webpage worked in "unsafe" mode!  Then I shut down everything and ran AutoConfig before starting all EBS services.

$ cd $ADMIN_SCRIPTS_HOME
$ ./adapcctl.sh start
$ ./adopmnctl.sh status

You are running adopmnctl.sh version 120.0.12020000.2
Checking status of OPMN managed processes...

Processes in Instance: EBS_web_OHS1
----------------------+--------------------+---------+---------
ias-component | process-type | pid | status
----------------------+--------------------+---------+---------
EBS_web        | OHS              | 1166 | Alive

With that, I had the R12.2.10 site available to test the certificate renewal and got the expired cert renewed after replacing the temporary cert.

TROUBLESHOOTING

If Apache still does not start, check console~OHS~1.log under $FMW_HOME/webtier/instances/$iName/diagnostics/logs/OHS/EBS_xxx

If Apache started in Alive status but the login webpage is still not available, the line below should return "connected":
$ wget http://node_name.domain.com:s_webport

If the login page shows ERR_SSL_PROTOCOL_ERROR, most likely some parameter in .xml file(s) for enabling TLS 1.2 is wrong. 

If the login page shows ERR_CONNECTION_RESET, one possibility (if an F5 load balancer is used in the company network) is that F5 listens on the wrong port; it should listen on s_webssl_port. Also check Oracle Doc ID 2771703.1 for other possible causes.

Note: ADOP will not automatically copy the cert file cwallet.sso from the RUN file system to the PATCH file system. You have to modify adop_sync.drv, located under $APPL_TOP_NE/ad/custom, to include the following:

#Oracle HTTP Server Wallet - cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/keystores/default/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/keystores/default/cwallet.sso
#OPMN Wallet - cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OPMN/opmn/wallet/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OPMN/opmn/wallet/cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/proxy-wallet/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/proxy-wallet/cwallet.sso

Saturday, October 2, 2021

2021 January CPU patches for R12.2

Below are the steps for applying R12.2 CPU patches to a R12.2.10 instance. This instance was newly upgraded from R12.1, and all technology patches were already applied during the upgrade as required by the ETCC script. The document for this CPU patch set is Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (January 2021) (Doc ID 2737201.1).

(a) Apply EBS patch 32071646
SQL> select ad_patch.is_patch_applied('R12',-1,32071646) from dual;

AD_PATCH.IS_PATCH_APPLIED('R12',-1,32071646)
-------------------------------------------------------------------
NOT_APPLIED

SQL> SELECT adb.bug_number, aat.name appl_top_name, adb.language, adb.creation_date,
            decode(ad_patch.is_patch_applied('R12', aat.appl_top_id, adb.bug_number, adb.language),
                   'EXPLICIT', 'APPLIED', 'NOT_APPLIED', 'NOT APPLIED') status
       FROM ad_bugs adb,
            (select aat.name, aat.appl_top_id
               from applsys.ad_appl_tops aat,
                    (select distinct fat.name from applsys.fnd_appl_tops fat) fat
              where aat.name = fat.name) aat
      WHERE adb.bug_number in ('32071646', '32163187', '32004048')
      ORDER BY adb.bug_number, aat.name, adb.language;
no rows selected

$ echo $APPL_TOP
$ cd $PATCH_TOP

$ unzip p32071646_12.2.0_R12_LINUX.zip
$ adop phase=apply apply_mode=downtime patches=32071646

$ unzip p32163187_R12.FWK.C_R12_GENERIC.zip
$ unzip p32004048_R12.OKC.C_R12_GENERIC.zip

$ adop phase=apply apply_mode=downtime patches=32163187,32004048
... ...
Applying patch 32163187.
    Log:  $NE_BASE/EBSapps/log/adop/4/.../32163187/log/u32163187.log
Applying patch 32004048.
    Log: $NE_BASE/EBSapps/log/adop/4/.../32004048/log/u32004048.log
Running finalize actions for the patches being applied.
    Log: @ADZDSHOWLOG.sql "2021/07/13 12:05:43"
Running cutover actions for the patches being applied.
    Creating workers to process cutover DDL in parallel
... ... 
The apply phase completed successfully.
adop exiting with status = 0 (Success)

Run the SQL statement again to confirm that all 3 patches are applied.

(b) WebLogic PSU patch 32052267 was applied as an ETCC requirement.
See Doc ID 1306505.1 for more on Oracle WebLogic Server PSUs (Patch Set Updates).

(c) Oracle Fusion Middleware 11.1.1.9 OSS - Web Tier Home
Patch 31304503 (OSS Security Patch Update CPUJul2020): applied
$ export ORACLE_HOME=$IAS_ORACLE_HOME
$ export PATH=$IAS_ORACLE_HOME/OPatch:$PATH
$ opatch lsinventory | grep 31304503
Patch  31304503     : applied on Sat Jun 26 12:07:37 EDT 2021

(d) Oracle Fusion Middleware 11.1.1.9 OHS - Web Tier Home
Patch 31047338 (OHS Security Patch Update CPUApr2020)
$ opatch lsinventory | grep -i 31047338
Patch  31047338     : applied on Sat Jun 26 12:20:11 EDT 2021

(e) Oracle Fusion Middleware 11.1.1.9 - Oracle Common Home
Patch 30368663 (Security Patch Update CPUOct2019)
Note: Patch 31985571 is a superset of patch 30368663 in Oct 2020
$ export ORACLE_HOME=$FMW_HOME/oracle_common
$ export PATH=$ORACLE_HOME/OPatch:$PATH
$ opatch lsinventory | grep 30368663
Patch  30368663     : applied on Sat Jun 26 12:31:37 EDT 2021

$ adop -status
Enter the APPS password:
Connected.
==================================================
ADOP (C.Delta.12)
Session Id: 4
Command: status
Output: $NE_BASE/EBSapps/log/adop/4/20210X13_130234/adzdshowstatus.out
==================================================
Node Name       Node Type  Phase           Status          Started                        Finished             Elapsed
--------------- ---------- --------------- --------------- ------------------------------- -------------------- ------------
node_name     master     APPLY           ACTIVE      2021/0X/12 10:50:40  2021/0X/13 12:55:03  26:04:23
                                       CLEANUP     NOT STARTED