Friday, May 2, 2025

Run opatch in silent mode in EBS R12.2

Sometimes you want to apply patches to an Oracle Home from a shell script, which means opatch cannot be run interactively. Here is how to apply patches to an Oracle Home of Fusion Middleware in silent mode.

$ export ORACLE_HOME=$FMW_HOME/oracle_common
$ export PATH=$ORACLE_HOME/OPatch:$PATH
$ which opatch    <= make sure opatch is from oracle_common/OPatch
$ echo $ORACLE_HOME
$RUN_BASE/FMW_Home/oracle_common

First, run emocmrsp to create a response file ocm.rsp:
$ cd $ORACLE_HOME/OPatch/ocm/bin
$ ./emocmrsp
The ORACLE_HOME does not contain java.
The ORACLE_HOME does not contain a valid JDK/JRE.
Redefine JAVA_HOME to refer to a JDK/JRE 1.2.2 or greater.

$ export JAVA_HOME=$FMW_HOME/webtier/jdk   <= I chose this 64-bit JDK
$ echo $JAVA_HOME
$RUN_BASE/FMW_Home/webtier/jdk
$ ./emocmrsp
OCM Installation Response Generator 10.3.7.0.0 - Production
Copyright (c) 2005, 2012, Oracle and/or its affiliates.  All rights reserved.
Provide your email address to be informed of security issues, install and
initiate Oracle Configuration Manager. Easier for you if you use your My
Oracle Support Email address/User Name.
Visit http://www.oracle.com/support/policies.html for details.
Email address/User Name:
You have not provided an email address for notification of security issues.
Do you wish to remain uninformed of security issues ([Y]es, [N]o) [N]:  Y
The OCM configuration response file (ocm.rsp) was successfully created.

$ ls -al
-rwxr-x---. 1 userID Group 9063 Jul 21  2022 emocmrsp
-rw-rw-r--. 1 userID Group oaa  622 May 1 13:08 ocm.rsp

File ocm.rsp is created in $ORACLE_HOME/OPatch/ocm/bin by emocmrsp. It is a binary file and can be copied to a shared location /path/to/sharedLocation for patching on other nodes or instances.

Now, apply a patch to Oracle Common home without answering any opatch questions. For example, apply patch 33974106.

$ ps -ef | grep $LOGNAME     <= make sure EBS services are shut down
$ cd /path/to/33974106

$ opatch apply -silent -ocmrf /path/to/sharedLocation/ocm.rsp
Oracle Interim Patch Installer version 11.1.0.12.9
Copyright (c) 2025, Oracle Corporation.  All rights reserved.
Oracle Home       : $RUN_BASE/FMW_Home/oracle_common
Central Inventory : /u03/app/oraInventoryDEVEBS
from                     : $RUN_BASE/FMW_Home/oracle_common/oraInst.loc
OPatch version    : 11.1.0.12.9
OUI version         : 11.1.0.11.0
Log file location : $RUN_BASE/FMW_Home/oracle_common/cfgtoollogs/opatch/33974106_May_1_2025_13_02_04/apply2025-05-1_13-02-04PM_1.log
OPatch detects the Middleware Home as "$RUN_BASE/FMW_Home"
Applying interim patch '33974106' to OH '$RUN_BASE/FMW_Home/oracle_common'
Verifying environment and performing prerequisite checks...
All checks passed.
Please shutdown Oracle instances running out of this ORACLE_HOME on the local system.
(Oracle Home = '$RUN_BASE/FMW_Home/oracle_common')
Is the local system ready for patching? [y|n]
Y (auto-answered by -silent)
User Responded with: Y
Backing up files...
Patching component oracle.jrf.thirdparty.jee, 11.1.1.9.0...
Verifying the update...
Patch 33974106 successfully applied
Log file location: $RUN_BASE/FMW_Home/oracle_common/cfgtoollogs/opatch/33974106_May_1_2025_13_02_04/apply2025-05-1_13-02-04PM_1.log
OPatch succeeded.

Wednesday, April 30, 2025

Script for upgrading JDK in EBS R12.2

EBS R12.2 uses different Java Homes. The post "Upgrade JDK 7 in EBS R12.2" has details on manually upgrading the JDKs used in R12.2. I wrote the shell script below to upgrade the JDK in the 4 JDK locations used by EBS R12.2. It can complete the upgrade in minutes once the correct JDK files are downloaded and saved.

This script is mainly used as part of quarterly CPU patching (such as January 2025 CPU and October 2024 CPU). It is important to download the right files for the JDK upgrade. Since Java 1.7 is out of Oracle support, we have to follow the Oracle quarterly CPU release to find the right version that can be used by the current EBS R12.2. For example, for January 2025 CPU patching, document 3066051.1 (Oracle Critical Patch Update (CPU) Jan 2025 for Oracle Java SE) provides a link (on the low end) for downloading JDK 7 Update 451 Restricted: Patch 37308812 for JDK 1.7.0_451.

The script assumes EBS apps services are shut down and the two JDK 1.7.0_451 files are saved to the shared location /path/to/Jan2025_CPU/JDK:
jdk-7u451-linux-x64.tar.gz
jdk-7u451-linux-i586.tar.gz

========== script JDK_upgrade1_7_xxx.sh ==========
# Upgrade JDKs in R12.2 by steps from Doc ID 1530033.1 
# (Using the Latest Java Update with Oracle E-Business Suite Release 12.2).
#
# currently Oracle quarterly CPU document gives a link (in Table 3?) for downloading the right JDK .gz files

# Specify 3 values:
# the location and file names for JDK 1.7.0_451  (downloaded from patch 37308812)
JDKfolder=/path/to/Jan2025_CPU/JDK
JDK_gz_file_64=jdk-7u451-linux-x64.tar.gz
JDK_gz_file_32=jdk-7u451-linux-i586.tar.gz

# Similarly, specify below values if upgrading JDK to JDK 7 Update 441 
# (downloaded from patch 37063192) as part of October 2024 CPU:
# JDKfolder=/path/to/Oct2024_CPU/JDK
# JDK_gz_file_64=jdk-7u441-linux-x64.tar.gz
# JDK_gz_file_32=jdk-7u441-linux-i586.tar.gz

DT=$(date +"%h_%Y")    # e.g. May_2025, used in the backup file names
curr=$(pwd)
echo $curr
cd $JDKfolder
ls -al
echo ""
echo "Current JDK version:"
$ADJVAPRG -version
$AFJVAPRG -version
#--
echo "Backup two jdk folders at $COMMON_TOP/util"
cd $COMMON_TOP/util
tar -czf jdk64_BK_$DT.tar.gz jdk64  # without -v (to turn off output)
tar -czf jdk32_BK_$DT.tar.gz jdk32
rm -fr jdk64
rm -fr jdk32
cp -p $JDKfolder/*.tar.gz .
tar -xzf $JDK_gz_file_32      # Assume un-tar creates a new folder jdk1.7.0_XXX
mv jdk1.7* jdk32                   # if not, modify this line.
tar -xzf $JDK_gz_file_64      # Assume un-tar creates a new folder jdk1.7.0_XXX
mv jdk1.7* jdk64                 
ls -al jdk*
pwd
sleep 2
#--
echo "Backup the jdk64 folder at $FMW_HOME/webtier."
cd $FMW_HOME/webtier
tar -czf jdk64_BK_$DT.tar.gz jdk
rm -fr jdk
cp -p $JDKfolder/$JDK_gz_file_64 .
tar -xzf $JDK_gz_file_64
mv jdk1.7* jdk
ls -al jdk*
pwd
sleep 2
#--
echo "Backup the jdk32 folder at $ORACLE_HOME"
cd $ORACLE_HOME
tar -czf jdk32_BK_$DT.tar.gz jdk
rm -fr jdk
cp -p $JDKfolder/$JDK_gz_file_32 .
tar -xzf $JDK_gz_file_32
mv jdk1.7* jdk
ls -al jdk*
pwd
sleep 2
echo "New JDK version:"
$ADJVAPRG -version
$AFJVAPRG -version

echo "Compiling EBS Forms and Reports:"
cd $ORACLE_HOME/forms/lib
make -f ins_forms.mk sharedlib install
cd $ORACLE_HOME/reports/lib
make -f ins_reports.mk install
cd $curr
echo "Done"
============== End =================
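
The script removes the existing jdk folders and then unpacks whatever is in $JDKfolder, so the archives are worth checking first. The function below is an added example, not part of the original script: it checks an archive against a SHA-256 manifest and confirms it unpacks into a single jdk1.7.0_* folder, as the script's mv lines assume. The function name and the manifest file SHA256SUMS (recorded when the archives were first downloaded to the shared folder) are assumptions.

```shell
# Added example (not from the original script). Assumes GNU sha256sum and tar.
# SHA256SUMS is a hypothetical manifest in "sha256sum" output format.

# verify_jdk_archive DIR ARCHIVE MANIFEST
# Returns 0 only if the archive matches its manifest entry and unpacks into
# exactly one top-level folder named jdk1.7.0_*.
verify_jdk_archive() {
    local dir="$1" archive="$2" manifest="$3" expected actual tops
    [ -r "$dir/$archive" ] || { echo "missing: $archive" >&2; return 1; }

    # 1. Integrity: compare with the SHA-256 recorded in the manifest.
    expected=$(awk -v f="$archive" '$2 == f || $2 == "*" f {print $1}' "$manifest")
    actual=$(sha256sum "$dir/$archive" | awk '{print $1}')
    if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
        echo "checksum mismatch: $archive" >&2; return 1
    fi

    # 2. Member paths: reject absolute paths and ".." components.
    if tar -tzf "$dir/$archive" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in $archive" >&2; return 1
    fi

    # 3. Layout: "mv jdk1.7* jdkNN" needs exactly one jdk1.7.0_* folder.
    tops=$(tar -tzf "$dir/$archive" | sed 's|^\./||' | cut -d/ -f1 | sort -u)
    case "$tops" in
        jdk1.7.0_*) [ "$(printf '%s\n' "$tops" | wc -l)" -eq 1 ] ;;
        *) false ;;
    esac || { echo "unexpected layout in $archive: $tops" >&2; return 1; }
}

# Usage in the upgrade script, before the first "rm -fr":
#   verify_jdk_archive "$JDKfolder" "$JDK_gz_file_64" "$JDKfolder/SHA256SUMS" || exit 1
#   verify_jdk_archive "$JDKfolder" "$JDK_gz_file_32" "$JDKfolder/SHA256SUMS" || exit 1
```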

After the script finishes, run ejcpuc.sh from patch p37172035 to confirm the upgrades succeeded. In the output below, $RUN_BASE is, e.g., /u01/app/EBSDEV/fs2.

# ./ejcpuc.sh
#############################################################
Checking Apptier Java 7 for CPU 2025.01 on Platform Linux_x64 - need 1.7.0_451
2025-0X-XX 11:43:27 EDT  on  server_name.domain.com
#############################################################
2025.01        action  Your Version    bitness Java Location
------------     -------    ---------------       --------    -----------------
1.7.0_451      OK      1.7.0_451       32-bit  $RUN_BASE/EBSapps/10.1.2/jdk/bin/java
1.7.0_451      OK      1.7.0_451       32-bit  $RUN_BASE/EBSapps/comn/util/jdk32/bin/java
1.7.0_451      OK      1.7.0_451       64-bit  $RUN_BASE/EBSapps/comn/util/jdk64/bin/java
1.7.0_451      OK      1.7.0_451       64-bit  $RUN_BASE/FMW_Home/webtier/jdk/bin/java

Thursday, January 30, 2025

JVM & JDK version in Oracle database and EBS R12.2

A new utility, Oracle E-Business Suite Java Critical Patch Update Checker (EJCPUC, Patch 37171025), was released with the Oct 2024 CPU (Doc ID 3037725.1) to find the Java version of different components in Oracle products. It is a great tool for clearing up confusion. Patch 37171025 gets updated with each new release of quarterly CPU patches. EJCPUC output on the database server:

$ bash ejcpuc.sh
#######################################################
## Checking DB tier Java for CPU 2024.10 on Platform IBM_AIX
#######################################################
## Check Database Version
#######################################################
Your database version is 19.25.0.0.0
         ORACLE_HOME     $ORACLE_HOME
         ORACLE_SID          EBSDEV
         ORACLE_UNQNAME

## Check Java Version of OJVM, Database JDK and EBS's appsutil JRE
######################################################
 Latest Version  action  Your Version  bitness Java Location
 -------------- -------- ------------  ------- ---------------
 1.8.0_431       o)     _.__.101034000   64-bit   OJVM In database
 1.8.0_411                1.8.0_421             64-bit   $ORACLE_HOME/jdk/bin/java
 1.8.0_411        u)     1.8.0_271             64-bit   $ORACLE_HOME/appsutil/jre/bin/java

o) Apply the Database Release Update (DBRU) recommended by ETCC which will update the DB OJVM version to the latest
u) When the DB JDK version is updated to the latest - then follow section 3 of 1530033.1 to update this JRE

A SQL statement can verify the JDK version:

SQL> select dbms_java.get_jdk_version from dual;
GET_JDK_VERSION
----------------------------
1.8.0_411

OJVM, or Oracle Java Virtual Machine (JVM), is a component within the Oracle Database that allows users to run Java stored procedures and other Java modules directly within the database environment, without the need for external Java processes.

ejcpuc.sh can be executed on EBS application mid-tier to find the Java components version of EBS apps:

$ sh ejcpuc.sh
#########################################################
## Checking Apptier Java 7 for CPU 2024.10 on Platform Linux_x64 - need 1.7.0_441
#########################################################
 2024.10        action      Your Version    bitness  Java Location
 ------------   ------  ------------    ------- ---------------
 1.7.0_441      UPDATE   1.7.0_391    32-bit  $ORACLE_HOME/jdk/bin/java
 1.7.0_441      UPDATE   1.7.0_391    32-bit  $COMMON_TOP/util/jdk32/bin/java
 1.7.0_441      UPDATE   1.7.0_391    64-bit  $COMMON_TOP/util/jdk64/bin/java
 1.7.0_441      UPDATE   1.7.0_391    64-bit  $FMW_HOME/webtier/jdk/bin/java

Follow 1530033.1 to update the JDK(s). Your application tier JDK 7 is lower than the 1.7.0_441 update released in CPU 2024.10.

Thursday, December 12, 2024

umask and default file permission in Linux

You can find the umask value in your Linux account by typing "umask" on the command line:

$ umask
0077

The server-level umask value is defined in file /etc/login.defs (or maybe in /etc/profile, /etc/bashrc or /etc/cshrc). Note that the contents of those files (and so the umask value) may change in RHEL8 when the OS is upgraded from RHEL7.

$ more /etc/login.defs
MAIL_DIR                /var/spool/mail
PASS_MAX_DAYS   90
PASS_MIN_DAYS    7 
PASS_WARN_AGE  7
PASS_MIN_LEN     8
UID_MIN               1000
UID_MAX              60000
GID_MIN              1000
GID_MAX             60000
CREATE_HOME     yes
UMASK                  077
USERGROUPS_ENAB yes
ENCRYPT_METHOD   sha512

$ egrep -i umask /etc/bashrc

Under 0077, any file you create will have "-rw-------" permission, which means only you can read and write it.

$ touch test1.del
$ ls -al test1.del
-rw-------. 1 userID Group 0 Feb 02 13:25 test1.del

But you can set up your own umask in .profile for your account. Sometimes, it is necessary for other users to read or modify a file created by a service account or you want others to read your files. To change the default from server level, add one line to the account's .profile:

$ vi $HOME/.profile
umask u=rwx,g=rwx,o=rx
or
umask  0002

After re-login, umask will change to 0002 in the account. Then, any file created by that account will get "-rw-rw-r--" permission. 

$ umask
0002
$ touch test2.del
$ ls -al test2.del
-rw-rw-r--. 1 userID Group 0 Feb 02 13:55 test2.del

Now, other users can read it.

If you put "umask u=rwx,g=rwx,o=rwx" or "umask  0000" in .profile, any new file will get "-rw-rw-rw-" permission (666). 

$ vi $HOME/.profile
umask u=rwx,g=rwx,o=rwx

$ umask
0000
$ touch test3.del
$ ls -al test3.del
-rw-rw-rw-. 1 userID Group 0 Feb 02 15:55 test3.del

If you have "umask  0022" in the profile, new files will get permission "-rw-r--r--".

Note that the "x" in the umask setting in .profile only applies to new folder creation. New regular files are not given execute permission by default; it has to be granted manually (for example with chmod).
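
The difference between files and folders is easy to confirm. The functions below are an added example, not from the original post: they create a file and a folder under a given umask and report the resulting modes, and flag a umask that leaves new files writable by everyone. The function names are assumptions, and GNU stat is assumed.

```shell
# Added example: observe the modes that new files and directories receive.
# Assumes GNU stat (stat -c), as found on RHEL.

# modes_under_umask MASK -> prints "<file mode> <dir mode>", e.g. "644 755"
modes_under_umask() {
    (   # subshell, so the umask change does not leak into the caller
        tmp=$(mktemp -d) || exit 1
        umask "$1"
        touch "$tmp/f"   # touch requests 666; the umask bits are cleared from it
        mkdir "$tmp/d"   # mkdir requests 777; the umask bits are cleared from it
        echo "$(stat -c %a "$tmp/f") $(stat -c %a "$tmp/d")"
        rm -rf "$tmp"
    )
}

# world_writable_by_default MASK -> exit status 0 if "other" can write new files
world_writable_by_default() {
    set -- $(modes_under_umask "$1")      # $1 = file mode, $2 = dir mode
    [ $(( 0$1 & 2 )) -ne 0 ]
}

# The four umask values discussed in this post
for m in 0077 0002 0000 0022; do
    printf '%s -> %s' "$m" "$(modes_under_umask "$m")"
    if world_writable_by_default "$m"; then
        echo "  (new files are world-writable)"
    else
        echo
    fi
done
```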

Tuesday, December 3, 2024

Connect to a remote server using the private key credential

When a 3rd party tool, such as PPM (Project and Portfolio Management) and Venafi (ssl cert tool), needs to access Oracle EBS server to perform tasks, Oracle EBS server becomes a remote server for the 3rd party server. We usually have to share applmgr password to other teams. The bigger challenge is that when the password is changed periodically by security requirement on EBS server, 3rd party's process will fail. The good and efficient way is to provide them with the private key for them to log onto EBS server without entering the password. Steps to accomplish that on RHEL8 servers:

On Oracle EBS server ebs2d (local server):

1. Generate a pair of key files
$ hostname
ebs2d
$ echo $USER
applmgr

$ ssh-keygen -t rsa -b 2048 -f $HOME/.ssh/Venafi_id_rsa
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /u06/app/.ssh/Venafi_id_rsa.
Your public key has been saved in /u06/app/.ssh/Venafi_id_rsa.pub.
The key fingerprint is:
SHA256:3y1+M95Js+4k383juI/qSsxxxxxxx   applmgr@ebs2d.domain.com
The key's randomart image is:
+---[RSA 2048]----+
|      .   .                   |
|      ... ...                 |
+----[SHA256]-----+ 

$ cd .ssh
$ ls -alZ
-rw-------.  1 applmgr grp unconfined_u:object_r:unlabeled_t:s0 1843 Jun  4 20:27 Venafi_id_rsa
-rw-------.  1 applmgr grp unconfined_u:object_r:unlabeled_t:s0  409 Jun  4 20:27 Venafi_id_rsa.pub
-rw-------.  1 applmgr grp system_u:object_r:unlabeled_t:s0     3563 Jan 16 11:35 known_hosts

2. Make file authorized_keys as a copy of public key file Venafi_id_rsa.pub (or, add the key to file authorized_keys)
$ cat Venafi_id_rsa.pub >> authorized_keys    # (if authorized_keys exists, back it up first)
$ chmod 600 authorized_keys       # <= right permission is important

3. Change the labels on file authorized_keys (when SELinux label is enabled in RHEL8 OS)
$ chcon -u system_u authorized_keys
$ chcon -t user_home_t authorized_keys

$ ls -alZ
-rw-------.  1 applmgr grp system_u:object_r:user_home_t:s0 409 Jun  4 20:29 authorized_keys
-rw-------.  1 applmgr grp unconfined_u:object_r:unlabeled_t:s0 1843 Jun  4 20:27 Venafi_id_rsa
-rw-------.  1 applmgr grp unconfined_u:object_r:unlabeled_t:s0  409 Jun  4 20:27 Venafi_id_rsa.pub
-rw-------.  1 applmgr grp system_u:object_r:unlabeled_t:s0     3563 Jan 16 11:35 known_hosts

$ echo $HOME
/u06/app
$ ls -ald /u06/app    # <= to make sure permission on folder app is not 777.

4. Copy private key Venafi_id_rsa to remote server venafi1p and name it meaningfully. Or, send file Venafi_id_rsa to other trusted teams if requested.
$ scp -p Venafi_id_rsa usrID@venafi1p:/path/to/applmgr_ebs2d_Venafi_key
Password:
Venafi_id_rsa                                                           100% 1843   903.2KB/s   00:00

NOTE: if you get an error such as "The ECDSA host key for venafi1p has changed, ...", confirm the key change is expected, then remove the old entry with:
$ ssh-keygen -R venafi1p

On remote server venafi1p (host of 3rd party tool):  

After receiving the private key applmgr_ebs2d_Venafi_key, the other team can use ssh, scp or sftp to connect to Oracle EBS server ebs2d using the private key credential (i.e. without entering applmgr's password).

$ hostname 
venafi1p
$ echo $USER
usrID

$ cd /path/to
$ ls -alZ
-rw-------. 1 usr group unconfined_u:object_r:unlabeled_t:s0 1843 Jun  4 20:27 applmgr_ebs2d_Venafi_key

$ ssh -i /path/to/applmgr_ebs2d_Venafi_key applmgr@ebs2d
Connected!

$ hostname
ebs2d
$ echo $USER
applmgr

The goal is reached: Venafi server can set up a process or a script (using sftp or scp) to send ssl certificate to EBS server ebs2d smoothly for periodical cert renewal.

My old post has more details on running ssh, sftp, scp between servers without a password.
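
Key-based login fails silently when the permissions noted in steps 2 and 3 are wrong, so a quick audit helps on both servers. The function below is an added example, not from the original post: it checks that the home folder, .ssh and authorized_keys are not writable by group or others, and that each private key with a matching .pub file is readable only by its owner. The function name is an assumption, and GNU stat is assumed.

```shell
# Added example: audit the permission preconditions this post relies on.
# Assumes GNU stat (stat -c), as found on RHEL.

# check_ssh_perms HOME_DIR -> prints one line per problem, returns 1 if any
check_ssh_perms() {
    local home="$1" bad=0 p mode pub key

    # sshd (StrictModes, on by default) ignores authorized_keys when the home
    # folder, ~/.ssh or the file itself is writable by group or others.
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "MISSING $p"; bad=1; continue; }
        mode=$(stat -c %a "$p")
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE-BY-OTHERS $mode $p"; bad=1
        fi
    done

    # The ssh client refuses a private key that group or others can access.
    for pub in "$home"/.ssh/*.pub; do
        [ -e "$pub" ] || continue
        key=${pub%.pub}
        [ -f "$key" ] || continue
        mode=$(stat -c %a "$key")
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "PRIVATE-KEY-EXPOSED $mode $key"; bad=1
        fi
    done
    return $bad
}

# Usage on ebs2d as applmgr:
#   check_ssh_perms "$HOME" || echo "fix the permissions listed above"
```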