ERP on DB

Thursday, November 17, 2016

FNDCPASS and APP-FND-02704

When I tried to change apps password by FNDCPASS in R12.1.3, it hang for a while and then the log file shows APP-FND-02704 error.
$ FNDCPASS apps/oldAppsPWD 0 Y system/system_PWD SYSTEM APPLSYS N3WAqt_$EBS
APP-FND-02704: Unable to alter user APPS to change password.

The error does not tell the true cause. The problem in my case is the new password does not meet new rules added by DBA to APPS' profile for password security or single quotes are necessary to make FNDCPASS work with special character in the password.

Below line changes apps password to N3WAqt_$EBS. Note the single quotes.

$ FNDCPASS apps/oldAppsPWD 0 Y system/system_PWD SYSTEM APPLSYS 'N3WAqt_$EBS'

If the system_PWD has special character with it, single quotes are necessary. Otherwise FNDCPASS may not throw out an meaningful error but just does not change apps password.

Also when the password includes $ character, single quotes around it are needed to make sqlplus connection on Linux prompt work. Without it, it will give ORA-01017 error.

$ sqlplus apps/N3WAqt_$EBS
SQL*Plus: Release 10.1.0.5.0 - Production on Thu Nov 17 18:57:12 2016
Copyright (c) 1982, 2005, Oracle. All rights reserved.
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
$ sqlplus apps/'N3WAqt_$EBS'
Connected to: ....

Or, get into sqlplus first and then connect to apps
$ sqlplus /nolog
SQL> conn apps/N3WAqt_$EBS
Connected.

If the password does not include $ character, the single quotes are not necessary for sqlplus:

$ FNDCPASS apps/'N3WAqt_$EBS' 0 Y system/system_PWD SYSTEM APPLSYS 'Cr8ze#p0Wd'
$ sqlplus apps/Cr8ze#p0Wd
Connected to: ....

Craze $

Additional notes:

1. FNDCPASS may also give misleading error from changing password when db parameter sec_case_sensitive_logon is set to TRUE.

2. If the new password does not meet the complexity requirements by Oracle database, FNDCPASS will not change APPS password and does not tell what is the real problem. It only says

Working...

APP-FND-02704: Unable to alter user APPS to change password.

Oracle error 28003: has been detected in alterpassword2.

You have to have more complexity in the new password to make it work!

3. When I used FNDCPASS to change APPS password, it refused to do so and give strange error:

FNDCPASS was not able to decrypt password for user 'ABCD1' during applsys password change.

FNDCPASS was not able to decrypt password for user 'ABCD2' during applsys password change.

FNDCPASS was not able to decrypt password for user 'ABCD3' during applsys password change.

ABCD1, ABCD2 and ABCD3 are not database account at all. But they are EBS users in inactive status for many years. Apparently FNDCPASS does not like their EBS password or security. The fix is to change their EBS password first, and then FNDCPASS is able to change APPS password.

Tuesday, November 15, 2016

EBS Mailer status and troubleshooting

Some times, users do not get emails/alerts from EBS R12.1.3 even workflow Mailer is up and running. Table wf_notifications may give different status:
RECIPIENT_ROLE MESSAGE_TYPE   STATUS   MAIL_STATUS   TO_USER
APINVGR                 APINVAPR               OPEN       FAILED                AP GROUP
APINVGR                 APINVAPR               OPEN       MAIL                AP GROUP
APINVGR                 APINVAPR               OPEN       SENT             AP GROUP
APINVGR                 APINVAPR               CLOSED SENT             AP GROUP

Seems to me that only mails with MAIL_STATUS "SENT" were sent out successfully. If it stays in "MAIL", the Mailer may get stuck somewhere and may need a re-start.

Below query checks the email status:

SELECT notification_id N_ID, to_char(begin_date, 'mm-dd-yyyy hh24:mi:ss') beginDate, recipient_role, message_type, message_name, status, mail_status, context, to_user, subject
   FROM wf_notifications
WHERE begin_date > sysdate - 5   -- List only emails within 5 days
  ORDER by notification_id desc;

Here is a notification with FAILED status. Note: the record values could be dynamically changed with approval workflow's move.
N_ID          RECIPIENT_ROLE MESSAGE_TYPE STATUS MAIL_STATUS CONTEXT                                       TO_USER
15331513 APINVGR                  APINVAPR              OPEN FAILED               APINVAPR:11345495_1:116020    AP GROUP

To troubleshoot the failed notification, find and check the Workflow status first to see if any error.

You shall verify user APINVGR status and email address are correct.

Also try the Mailer logs in $APPLCSF/$APPLLOG to see if you are lucky to get some errors.
$ ls -lrt $APPLCSF/$APPLLOG/FNDCP*.txt
$ grep ":ERROR:" $APPLCSF/$APPLLOG/FNDCPGSC*.txt > mlrerr.log
$ grep "Exception:" $APPLCSF/$APPLLOG/FNDCPGSC*.txt > mlrexc.log
$ grep ":UNEXPECTED:" $APPLCSF/$APPLLOG/FNDCPGSC*.txt > mlrunexp.log

If the logs do not tell much, Doc ID 1051421.1 is a good document to follow on enabling debug for Mailer Service Component :
- In OAM : Site Map (or, WF Manager) > Notification Mailer > Edit > Advanced > Go to Step 2 > Change "Log Level" to "Statement" > Apply
- Bounce the Mailer container to generate a fresh log file
In OAM: Site Map > Generic Services > under Status Overview > Next (twice) > Generic Service Component Container > select Workflow Mailer Service > Restart (from the dropdown on the top).
(or, Dashboard > dropdown "Application Services" Go > Next ... to find Generic Service Component Container > ... )
Note it may take 5 minutes or so for a re-start cycle.

Even Workflow Mailer Service is running, Notification Mailer could be down if two $CONTEXT_FILE parameters are not right, because autoconfig will overwrite them if company's SMTP server name, e.g. mail.comany_name.com, is only entered under Outpound EMail Account section on OAM webpage. The correct way is to define them in $CONTEXT_FILE:
      <oa_smtp_server>
         <hostname oa_var="s_smtphost">mail</hostname>
         <domain oa_var="s_smtpdomainname">company_name.com</domain>
      </oa_smtp_server>

If individual users do not receive notifications or their mails have Failed status, check two tables to see if their preference is turned off (disabled)which could happen when the Workflow Mailer attempts to send a notification to an invalid email address or when email server crashed and caused an outage of hours (Doc ID 360541.1).

SQL> select * from FND_USER_PREFERENCES where preference_value = 'DISABLED';
SQL> select * from WF_LOCAL_ROLES where notification_preference = 'DISABLED';

To enable it in FND_USER_PREFERENCES: log onto EBS as user who has the issue > click on Preferences > scroll down to Notifications > Email Style > dropdown "HTML mail with attachments"

To populate above change to WF_LOCAL_ROLES and WF_ROLES:
as System Administrator Responsibility > Define User form> query up user with issue:
a. Remove the Person Field > save.
b. Re-query the same user > add back the Person Field > Save
c. This effort does an internal synchronization for the particular user.

Notes on synchronizing workflow tables:
1. In my R12.1.3 instances, above actions synchronizes Status column in tables FND_USER and WF_LOCAL_ROLES. Doc 1213304.1 has info on three sync concurrent programs. In 11i, the synchronization seems more difficult. See Doc 728331.1 and Doc 364647.1.
2. Two steps are necessary to change a user's email address and synchronize it to workflow tables. Prior to about steps on Define User form, go to Setup (mostly under a Purchase/PO responsibility) > Personal > Employee form > update user's email address first.
3. If the Description column is out-of-date in table wf_local_roles, most likely newer data in table PER_ALL_PEOPLE_F is not populated to WF tables. The solution is to run concurrent program 'Synchronize WF LOCAL tables' with parameter FND_USR. That synchronized WF tables in my instances.

After this, run concurrent program Resend Failed/Error Workflow Notifications to resend those FAILED notifications.

This program should send FAILED records out from table wf_notifications. In my case, account APINVGR uses a service email address and each time after Mailer sends a notification to it, its notification_preference becomes DISABLED for unknown reason. After I replace that email address with a real user's email address, the problem is resolved.

If Workflow Mailer stopped, workflow notification will not be sent. Below query shows Workflow Mailer is not running, it needs a fix:
SQL> SELECT component_name, component_status, component_status_info
FROM fnd_svc_components_v
WHERE component_name like 'Workflow%';

component_name                                               component_status   component_status_info
-------------------------------------------------------------  ----------------------- --------------
Workflow Deferred Agent Listener                      RUNNING
Workflow Deferred Notification Agent Listener RUNNING
Workflow Error Agent Listener                            RUNNING
Workflow Inbound JMS Agent Listener               STOPPED
Workflow Inbound Notifications Agent Listener RUNNING
Workflow Java Deferred Agent Listener              RUNNING
Workflow Java Error Agent Listener RUNNING
Workflow Notification Mailer DEACTIVATED_SYSTEM xxxxx

Doc ID 562551.1 has useful queries. If you want to check into an individual notification, get the NOTIFICATION_ID from above query result and run below quest to see its status from tables WF_NOTIFICATIONS, WF_DEFERRED and WF_NOTIFICATION_OUT.
NOTE: a Failed notification will not reach WF_NOTIFICATION_OUT table
SQL> SELECT
n.begin_date, n.status, n.mail_status, n.recipient_role, de.def_enq_time, de.def_deq_time,
de.def_state, ou.out_enq_time, ou.out_deq_time, ou.out_state
FROM   applsys.wf_notifications n,
       (SELECT d.enq_time def_enq_time,
               d.deq_time def_deq_time,
               TO_NUMBER((SELECT VALUE
                           FROM TABLE(d.user_data.parameter_list)
                         WHERE NAME = 'NOTIFICATION_ID')) d_notification_id,
              msg_state def_state
          FROM applsys.aq$wf_deferred d
         WHERE d.corr_id = 'APPS:oracle.apps.wf.notification.send') de,
       (SELECT o.deq_time out_deq_time,
               o.enq_time out_enq_time,
               TO_NUMBER((SELECT str_value
                          FROM TABLE(o.user_data.header.properties)
                          WHERE NAME = 'NOTIFICATION_ID')) o_notification_id,
               msg_state out_state
         FROM applsys.aq$wf_notification_out o) ou
WHERE n.notification_id = 15331600
   AND n.notification_id = de.d_notification_id(+)
   AND n.notification_id = ou.o_notification_id(+) ;

Check if there are stuck messages in The PROCESS Folder:
SQL> SELECT trunc(win.enq_time) PROCESSED_TIME, wfn.status NOTIFICATION_STATUS, COUNT(*) NO_EMAILS
FROM (select wi.msgid, wi.corrid, wi.enq_time, wi.state, wi.sender_name,
(select str_value from table(wi.user_data.header.properties) where name = 'NOTIFICATION_ID') notification_id
from apps.WF_NOTIFICATION_IN wi) win, apps.WF_ERROR werr, apps.wf_notifications wfn
where win.notification_id = wfn.notification_id
and win.msgid = werr.msgid (+)
--and win.enq_time >= sysdate - 4/24 -- In the Process Folder for more than 4 hours
and wfn.status = 'OPEN'
group by trunc(win.enq_time), wfn.status;

Wednesday, October 19, 2016

FTP and SFTP

1. Run ftp using a specific account interactively

$ ftp -inv remote_host.domain.com
Connected to remote_host.domain.com (10.133.67.38).
220 Microsoft FTP Service
Remote system type is Windows_NT.
ftp> user ftpuser
331 Password required for ftpuser.
Password:
230 User logged in.
ftp>

Note below line does not work:
$ ftp ftpuser@remote_host.domain.com
ftp: ftpuser@remote_host.domain.com: Name or service not known
ftp> exit

2. Run FTP in a shell script

Assume FTP login info is saved in file $HOME/.netpw in format:

machine WintEdi.domain.COM login ANET/userID password userPWD

REMOTE_PATH=......
LOCAL_PATH=......
REMOTE_MACHINE=WintEdi.domain.COM

function ftp_to_remote

{

ftpuserid=`grep $REMOTE_MACHINE $HOME/.netpw|cut -f4 -d' '`

ftpuserpwd=`grep $REMOTE_MACHINE $HOME/.netpw|cut -f6 -d' '`

ftp -inv <<EndFTP

open $REMOTE_MACHINE

user $ftpuserid $ftpuserpwd

cd $REMOTE_PATH
put $LOCAL_PATH/output.txt ouput1.txt
bye
EndFTP
}

3. Try "man ftp" for help.

4. SFTP options:

$ sftp -oport=2222 ftpuser@remote_host.domain.com
Connecting to remote_host.domain.com...
WARNING: Logon attempts are audited. Access and use allowed for authorized purposes only. Violators will be prosecuted

$ sftp -oIdentityFile=/path/to/sftp_key/id_dsa ftpuser@remote_host.domain.com
Also see https://erpondb.blogspot.com/2015/11/run-scp-or-sftp-without-password.html

Troubleshhot UTL_FILE error

Ran a PL/SQL code and got error message:

ORA-06512: at
"SYS.UTL_FILE", line 536
ORA-29283: invalid file ope
declare
*
ERROR at line 1:
ORA-29283: invalid file operation
ORA-06512: at "SYS.UTL_FILE", line 536
ORA-29283: invalid file operation
ORA-06512: at line 90

Two steps to troubleshoot the error:

A. Find which directory it tries to write the file to, and verify it is defined in the database:

SQL> set pages 100 lines 100

SQL> select * from dba_directories where directory_name='FTPOUT';

The directory could be owned by SYS. But APPS should be granted READ and WRITE.
SQL> SELECT * FROM dba_tab_privs WHERE table_name = 'FTPOUT';

B. Run a short code as APPS to test it. If it works, file test_UTL.txt shall create in the directory.
SQL> set serveroutput on

DECLARE
fileHandler UTL_FILE.FILE_TYPE;
v_error_msg varchar2(1000);
BEGIN
fileHandler := UTL_FILE.FOPEN('FTPOUT', 'test_UTL.txt', 'W');
UTL_FILE.PUT_LINE(fileHandler, 'Writing TO a test file\n');
UTL_FILE.PUTF(fileHandler, 'Writing 2nd line to test file\n');
UTL_FILE.FCLOSE(fileHandler);
EXCEPTION
WHEN utl_file.invalid_path THEN
     raise_application_error(-20001, 'ERROR: Invalid PATH for the file.');
when others then
     v_error_msg := substr(sqlerrm,1,100);
     utl_file.fclose(fileHandler);
     dbms_output.put_line('Error message is - ' || v_error_msg);
     raise;
END;
/

A MAX linesize written into file test_UTL.txt can be specified in the call:
UTL_FILE.FOPEN('FTPOUT', 'test_UTL.txt', 'W', 32767)

In EBS environment, the path for $APPLPTMP is not necessary to be in DBA_DIRECTORIES.

UPDATES in 2018:
During a database 12c upgrade, somehow the OS env variable ORA_NLS10 was unset. That made " utl_file.fcopy ('FTPOUT','test.txt','FTPOUT','test_copy.txt'); ", which is used by Export of AAD rules using Oracle Forms Lock/Unlock option, generate file test_copy.txt 0 in size and UTL_FILE.PUT_LINE fail if output file test_UTL.txt is larger than 1 MB with below errors:

declare
*
ERROR at line 1:
ORA-29282: invalid file ID
ORA-06512: at "SYS.UTL_FILE", line 77
ORA-06512: at "SYS.UTL_FILE", line 690
ORA-06512: at line 256
ORA-29285: file write error

or

Also check the init parameter file and value for
utl_file_dir in v$parameter table.
declare
*
ERROR at line 1:
ORA-29285: file write error
ORA-06512: at line 258

The fix is to set env variable ORA_NLS10 on database server to $ORACLE_HOME/nls/data/9idata

By the way, the quick way to test $APPLPTMP and UTL_FILE_DIR in EBS is to run one line:

SQL> exec FND_FILE.PUT_LINE(fnd_file.log, 'Hello World!');

A new file with a name like l0009966.tmp shall be created in the first directory specified in the db parameter utl_file_dir, containing 'Hello World!'.

Friday, September 9, 2016

EBS login page get frozen and then timed out

A R12 EBS web site stayed frozen and did not re-direct to the login page. It seems it was waiting something or was trying to gain an access, until timed-out with Internal error. The message in Apache log:

[Thu Sep 8 07:17:03 2016] [warn] [client 172.xxx.xx.xxx] oc4j_socket_recvfull timed out
[Thu Sep 8 07:17:03 2016] [error] [client 172.xxx.xx.xxx] [ecid: xxx] mod_oc4j: request to OC4J hostname.domain.com:21700 failed: Connect failed

I checked around and saw errors in below log file:

$LOG_HOME/ora/10.1.3/j2ee/oacore/oacore_default_group_1/application.log

16/09/07 16:01:54.978 10.1.3.5.0 Started
16/09/07 16:02:03.327 html: 10.1.3.5.0 Started
16/09/07 16:15:40.920 html: Error initializing servlet
java.lang.NoClassDefFoundError: Could not initialize class oracle.apps.fnd.profiles.Profiles    at oracle.apps.fnd.sso.AppsLoginRedirect.AppsSetting(AppsLoginRedirect.java:239)
        at oracle.apps.fnd.sso.AppsLoginRedirect.init(AppsLoginRedirect.java:287)
        at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.HttpApplication.loadServlet(HttpApplication.java:2529)
        at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.HttpApplication.findServlet(HttpApplication.java:5008)
        at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.HttpApplication.findServlet(HttpApplication.java:4932)
        at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.HttpApplication.getRequestDispatcher(HttpApplication.java:3140)
        at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:775)
        at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:458)
        at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.AJPRequestHandler.run(AJPRequestHandler.java:313)
        at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.AJPRequestHandler.run(AJPRequestHandler.java:199)
        at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
        at oracle.oc4j.network.ServerSocketAcceptHandler.procClientSocket(ServerSocketAcceptHandler.java:234)
        at oracle.oc4j.network.ServerSocketAcceptHandler.access$700(ServerSocketAcceptHandler.java:29)
        at oracle.oc4j.network.ServerSocketAcceptHandler$AcceptHandlerHorse.run(ServerSocketAcceptHandler.java:879)
        at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
        at java.lang.Thread.run(Thread.java:619)

This error could be port for s_java_object_cache_port is not available.

$ grep s_java_object_cache_port $CONTEXT_FILE
      <jcache_port oa_var="s_java_object_cache_port" oa_type="PORT" base="12345" step="1" range="-1" label="Java Object Cache Port">12385</jcache_port>

I verified port 12385 was in use:
$ netstat -an | grep 12385
tcp     1480      0 ::ffff:157.121.53.0:12385   ::ffff:167.69.38.184:1571   ESTABLISHED

Then, I asked System Admin to run below lines as root to get the detail:
# lsof -i :12385
COMMAND PID     USER     FD   TYPE DEVICE SIZE/OFF NODE NAME
java             7135   ebsdev2 194u IPv6 156352      0t0 TCP hostname.domain.com:12385->dbHost.domian.com:rdb-dbs-disp (ESTABLISHED)

# ls -l /proc/7135/exe
lrwxrwxrwx 1 applmgr2 users 0 Sep 7 13:31 /proc/7135/exe -> /path/to/apps/tech_st/10.1.3/appsutil/jdk/bin/java

It appears port 12385 was used by another EBS instance EBSDEV2 on the same server.

The fix is easy. I stopped all EBS services for instance EBSDEV2, and then started the ones that was frozen first. All worked fine.

Additional Notes:
- In my R12.1.3 instances, I experienced EBS site is inaccessible with below errors in EBS first webpage. The cause could be a change in network switch or some interruption on host/database. The fix in my cases is to make sure apps account in database is not locked and recycle EBS services.

Unable to generate forwarding URL. Exception: oracle.apps.fnd.common.AppsException: oracle.apps.jtf.base.resources.FrameworkException

Unable to generate forwarding URL. Exception: java.lang.NullPointerException

- Same fix for intermittent and sporadic login issue with error
You have encountered an unexpected error. Please contact the System Administrator for assistance.

- Below error in EBS first webpage could be caused by database error (e.g. database is down or a tablespace is full):
Unable to generate forwarding URL. Exception: oracle.apps.fnd.common.AppsException: oracle.apps.fnd.common.PoolException: Exception creating new Poolable object.

- Got below error on 2nd page (login page) from re-directing 1st webpage on IE browser. The problem went away after deleted IE cache files.
Unable to authenticate session

- After Apps nodes rebooted unexpectedly, EBS site webpage does not work even Apache started fine without any error. The problem was related to some kind of cache issue. The final fix is to bounce the database (surprisingly).

- After DBA applied patches and made changes to Java on database server, EBS site re-directs to login page that is not coming up, instead a blank page is being displayed. I check around and get below result:

SQL> select fnd_web_sec.validate_password('GUEST','oracle') from dual;

FND_WEB_SEC.VALIDATE_PASSWORD('GUEST','ORACLE')
--------------------------------------------------------------------------------
N

SQL> select fnd_message.get from dual;

GET
--------------------------------------------------------------------------------
Oracle error -29548: ORA-29548: Java system class reported: release of Java system classes in the database (12.1.0.2.200714 1.6) does not match that of the oracle executable (12.1.0.2.171017 1.6) has been detected in FND_WEB_SEC.VALIDATE_PASSWORD.

It matches exact same error as in Doc ID 1673030.1, which says "If it shows ORA-29548 errors, then issue is with the database OJVM. Rebuild it using Note 2149019.1 How to Install, Remove, Reload, Validate and Repair the JVM Component in an Oracle Database". DBA had to fix the problem.