Thursday, March 3, 2022

Upgrade JDK 7 in EBS R12.2

An EBS installation ships with an old version of the JDK. Upgrading the JDK is necessary to address security vulnerabilities and to stay within product support. The easiest way to find the latest JDK version that works with EBS is the Oracle release document for the quarterly CPU patches. Currently, EBS R12.2 is certified only with JDK 1.7.

EBS R12.2 uses both the 64-bit and the 32-bit JDK. Use the commands below to find the current JDK versions in an EBS environment:

$ echo $CLASSPATH
$COMMON_TOP/util/jdk32/lib/dt.jar:/... ... etc
$ $ADJVAPRG -version
java version "1.7.0_85"
Java(TM) SE Runtime Environment (build 1.7.0_85-b15)
Java HotSpot(TM) Server VM (build 24.85-b06, mixed mode)

$ echo $AF_CLASSPATH
$COMMON_TOP/util/jdk64/lib/dt.jar:/... ... etc
$ $AFJVAPRG -version
java version "1.7.0_85"
Java(TM) SE Runtime Environment (build 1.7.0_85-b15)
Java HotSpot(TM) 64-Bit Server VM (build 24.85-b06, mixed mode)

The CLASSPATH and AF_CLASSPATH environment variables must contain the necessary Java 7.0 libraries, which should include:
[COMMON_TOP]/util/<Java7>/lib/dt.jar
[COMMON_TOP]/util/<Java7>/lib/tools.jar
[COMMON_TOP]/util/<Java7>/jre/lib/rt.jar

1.7.0_85 is the default version from the R12.2 upgrade, and the WebLogic console gives a warning:
Warning: This server is not secure. Upgrade to Java 1.7.0_191 or higher.

Follow the steps in Scenario 3.5.2 of Doc ID 1530033.1 (Using the Latest JDK 7.0 Update with Oracle E-Business Suite Release 12.2) to upgrade it. Currently, JDK 7 Update 331 is recommended by the most recent R12.2 CPU patch (January 2022, Doc ID 2815550.1).

1. First, use the link in Doc ID 1439822.1 to download patch 33518566 (Oracle JDK 7 Update 331) for both 64-bit and 32-bit, and save the two files p33518566_170331_Linux-x86-64.zip & p33518566_170331_LINUX.zip to a shared location /u46/path/to/JDK331. After unzipping, the two files jdk-7u331-linux-x64.tar.gz & jdk-7u331-linux-i586.tar.gz provide two folders under /u46/path/to/JDK331 for staging:

$ tar vzxfp jdk-7u331-linux-x64.tar.gz
$ mv jdk1.7.0_331 jdk1.7.0_331_64
$ tar vzxfp jdk-7u331-linux-i586.tar.gz
$ mv jdk1.7.0_331 jdk1.7.0_331_32

UPDATES in February 2023:
Oracle ended support for JDK 7 after July 2022 (see NOTE:2809708.1 - Oracle Java SE 7 End of Extended Support). So it is important to read the CPU release documents to find where to download the right JDK file for upgrading the JDK embedded in E-Business Suite. For example, the January 2023 CPU document 2897309.1 (Oracle E-Business Suite Release 12.2 Critical Patch Update Availability Document (January 2023)) points to Doc ID 2897309.1 (Oracle Critical Patch Update (CPU) Oct 2022 for Oracle Java SE), which has a link to download the JDK 1.7.0_361 (patch 34569003) files p34569003_170361_LINUX.zip and p34569003_170361_Linux-x86-64.zip.

2. Confirmed that the patches below were applied to $ORACLE_HOME:
OracleAS 10.1.2 Patch 16271876
OracleAS 10.1.2 Patch 17907988
OracleAS 10.1.2 Forms Patch 17653437
OracleAS 10.1.2 Patch 16241466
OracleAS 10.1.2 Patch 17645157

Then shut down the Apps services:

$ { echo apps ; echo appsPWD; echo wlsPWD ; } | adstpall.sh @ -mode=allnodes -nopromptmsg

$ ps -ef | grep $LOGNAME
$ echo $FILE_EDITION
run

Make sure there is no open online patching cycle (which is started by "adop phase=prepare"):
$ adop -status
... ...
Node Name       Node Type  Phase           Status              Started            Finished      Elapsed
--------------- ------------------ --------------- ----------------- ---------------- -------------- ------------
node1       master            APPLY           ACTIVE             xxxxx            xxxxx            xxxxx
                                       CLEANUP     NOT STARTED
node2       slave              APPLY           ACTIVE              xxxxx            xxxxx           xxxxx
                                       CLEANUP     NOT STARTED

I upgraded the JDK folders in the RUN file system directly. I did not use an ADOP patching cycle for that, and only ran FS_CLONE after the JDK folders were replaced in the RUN file system on all nodes.

$ JDKfolder=/u46/path/to/JDK331
$ cd $JDKfolder
$ ls
jdk1.7.0_331_32  jdk-7u331-linux-i586.tar.gz  p33518566_170331_Linux-x86-64.zip  readme.txt
jdk1.7.0_331_64  jdk-7u331-linux-x64.tar.gz   p33518566_170331_LINUX.zip

3. Install New JDK 7.0 and Replace the Existing JDK Home Contents
$ echo $COMMON_TOP/util
$RUN_BASE/EBSapps/comn/util
$ cd $COMMON_TOP/util
$ mv jdk64 jdk64_OLD_2022        <== Or tar it up with "tar -cvzf jdk64_OLD.tar.gz jdk64",
                                 <== then delete the old folder jdk64
$ mv jdk32 jdk32_OLD_2022

$ cp -rp $JDKfolder/jdk1.7.0_331_64 jdk64
$ cp -rp $JDKfolder/jdk1.7.0_331_32 jdk32

4. Upgrade Java (64 bit) in Oracle Fusion Middleware 11g Web Tier
$ echo $FMW_HOME/webtier
$RUN_BASE/FMW_Home/webtier
$ cd $FMW_HOME/webtier
$ mv jdk jdk_OLD_2022
$ cp -rp $JDKfolder/jdk1.7.0_331_64 jdk  

5. Upgrade Java (32 bit) in OracleAS 10.1.2 Oracle_Home
$ echo $ORACLE_HOME
$RUN_BASE/EBSapps/10.1.2
$ cd $ORACLE_HOME
$ mv jdk jdk_OLD_2022
$ cp -rp $JDKfolder/jdk1.7.0_331_32 jdk

6. Rebuild Forms and Reports Executables (For UNIX/Linux Only)
Make sure ORACLE_HOME points to 10.1.2 Oracle Home before relinking forms and reports executables.

$ cd $ORACLE_HOME/forms/lib
$ make -f ins_forms.mk sharedlib install
... ...
/usr/bin/ld: warning: -z lazyload ignored.

$ cd $ORACLE_HOME/reports/lib
$ make -f ins_reports.mk install

7. Repeat the steps on the other nodes

8. Run autoconfig on all apps-tier nodes
$ cd $ADMIN_SCRIPTS_HOME
$ ./adautocfg.sh

9. Verify and start Apps services
$ $ADJVAPRG -version
java version "1.7.0_331"
Java(TM) SE Runtime Environment (build 1.7.0_331-b06)
Java HotSpot(TM) Server VM (build 24.331-b06, mixed mode)

$ $AFJVAPRG -version
java version "1.7.0_331"
Java(TM) SE Runtime Environment (build 1.7.0_331-b06)
Java HotSpot(TM) 64-Bit Server VM (build 24.331-b06, mixed mode)

$ { echo apps ; echo appsPWD ; echo wlsPWD ; } | adstrtal.sh @ -mode=allnodes -nopromptmsg

A JSP file can be used as a test.
$ cd $OA_HTML
$ vi JDKtest.jsp
$ more JDKtest.jsp
The JDK version is: <%= System.getProperty("java.version") %>
$ perl -x $FND_TOP/patch/115/bin/ojspCompile.pl --compile -s 'JDKtest.jsp' 

Access the JSP file from a browser, using the URL:
http://[web server]:[port]/OA_HTML/JDKtest.jsp

10. If there are no other changes, sync the patch file system with fs_clone:
$ adop phase=fs_clone
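
The version check in step 9 can be extended to every JDK home replaced in steps 3 to 5. The script below is an added example, not part of the original post or of Oracle's documentation. It calls each java binary by its full path, because a bare "java" on PATH may resolve to a different JDK. The function names and the script name jdk_audit.sh are made up for illustration, and the default minimum of 191 is taken from the WebLogic console warning quoted earlier.

```bash
#!/bin/bash
# Added example (not from the original post): audit the JDK homes replaced in
# steps 3-5 by absolute path, since `java` on PATH may be the OS OpenJDK.

# Print the update number from `java -version` text, e.g. 331 for "1.7.0_331".
# Prints nothing if the text does not come from a 1.7.0 JDK.
jdk_update_of() {
    printf '%s\n' "$1" |
        sed -n 's/^java version "1\.7\.0_\([0-9][0-9]*\)[^"]*".*/\1/p' | head -n 1
}

# Classify version text ($1) against a minimum update ($2). Returns 0 only for OK.
classify_jdk7() {
    local upd
    upd=$(jdk_update_of "$1")
    if [ -z "$upd" ]; then echo "NOT-JDK7"; return 1; fi
    if [ "$upd" -lt "$2" ]; then echo "OLD 1.7.0_$upd"; return 1; fi
    echo "OK 1.7.0_$upd"
}

# Run <home>/bin/java -version and report the verdict for that home.
check_jdk_home() {
    local home="$1" min="$2" out verdict rc=0
    if [ ! -x "$home/bin/java" ]; then echo "MISSING $home"; return 1; fi
    out=$("$home/bin/java" -version 2>&1) || true
    verdict=$(classify_jdk7 "$out" "$min") || rc=1
    echo "$verdict $home"
    return "$rc"
}

# Check the four locations named in the post; returns the number that failed.
audit_ebs_jdk_homes() {
    local min="$1" failed=0 home
    for home in "$COMMON_TOP/util/jdk64" "$COMMON_TOP/util/jdk32" \
                "$FMW_HOME/webtier/jdk" "$ORACLE_HOME/jdk"; do
        check_jdk_home "$home" "$min" || failed=$((failed + 1))
    done
    return "$failed"
}

# Usage (hypothetical file name): bash jdk_audit.sh --audit 331
# Run it with the EBS environment sourced so the variables above are set.
if [ "${1:-}" = "--audit" ]; then
    audit_ebs_jdk_homes "${2:-191}"
fi
```

Run it on every apps-tier node; a non-zero exit status is the count of JDK homes that are missing, are not a 1.7.0 JDK, or are below the requested update.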

Additional NOTES:

A)  If downtime is not allowed, the upgrade has to be done in the PATCH file system first. The upgrade steps are in the Oracle document.

a) Check that there is no open online patching cycle
$ adop -status
$ adop phase=prepare
b) Source the EBS environment with the patch file system
$ cd <EBS_BASE_HOME>        <== <EBS_BASE_HOME> is where fs1, fs2, and others are installed
$ . EBSapps.env PATCH
$ echo $FILE_EDITION
c) Complete the same steps 3 - 7 above.
d) Run AutoConfig on PATCH file system on all nodes
e) Cut over to the newly installed JDK 7.0 patch file system
$ adop phase=cutover

B)  I used the same way to upgrade an old JDK in an Oracle 11g Client by replacing the jdk folder under $ORACLE_HOME, to address a vulnerability found by a Qualys scan report.

C)  JDK is also installed by rpm at the Linux server level. I am not sure whether EBS needs it or not. Here is the output from one of my EBS servers:

$ rpm -qa | grep jdk
copy-jdk-configs-3.3-11.el7_9.noarch
java-1.8.0-openjdk-1.8.0.382.b05-1.el7_9.x86_64
java-1.8.0-openjdk-headless-1.8.0.382.b05-1.el7_9.x86_64
jdk1.7-1.7.0_391-fcs.x86_64

$ which java
/bin/java

$ java -version
openjdk version "1.8.0_382"      <== It is the OS Java
OpenJDK Runtime Environment (build 1.8.0_382-b05)
OpenJDK 64-Bit Server VM (build 25.382-b05, mixed mode)

$ cd /usr/java                              <== It is for apps. I guess it may not be used
$ ls -altr
lrwxrwxrwx   1 root root          16 Feb 19  2020 default -> /usr/java/latest
drwxr-xr-x      8 root root      4096 Aug  3 09:27 jdk1.7.0_391-amd64
lrwxrwxrwx   1 root root           28 Aug  3 09:27 latest -> /usr/java/jdk1.7.0_391-amd64
