Table of Contents

Introduction
  Administrators for Fusion Applications
  Fusion Applications Super Administrator Users
Stop Fusion Applications
Changing APP ID Passwords
Changing Keystore Password
Changing Super User (FAAdmin) Password
Changing System/Policy Users Password
Account Lock and Password Expiration Policies
Changing Fusion Applications Database Passwords
  Changing JDBC Data Sources
  Changing Credential Store Mapping
  Updating ESS Spawned Job Wallet
  Changing ODI Repository Password
  Changing BI Repository Password
  Updating ESSBase Registry
  Changing passwords in Oracle Metadata Repository schema
Changing Node Manager Password
Changing BI System User Password
Changing the Oracle Internet Directory Database Password
Changing the Password for the ODSM Administrator Account
Restart Fusion Applications
Appendix A Fusion Apps RUP1 Schema
Appendix B Sample Python script
Appendix C Sample Input file for Fusion Applications Schemas
Introduction
There are several kinds of administrative password that may need to be changed periodically to satisfy security requirements and standard operating procedures. The scope of this document is to show how password changes in external components such as databases and IDM affect the Fusion Applications tier, and how to reconfigure that tier afterwards. It covers critical password changes such as those for Fusion Applications administrators, super users, keystores and database schemas. It does not cover IDM or Oracle Database administrative user password changes, and it makes no attempt to provide best practices on password management or security policy. It is targeted at experienced Fusion Applications system administrators, security architects and operations teams. The sample code in any section is for demonstration purposes only.
Administrators for Fusion Applications

Provisioning creates two kinds of administrator group for each product family:

A system administrator: a directory group representing the WebLogic Server domain administrators for all the domains.

An application administrator: a directory group with an assigned enterprise role reflecting all the application roles and delegation privileges for all the applications in a given family.

The purpose of creating these "Super Administrators" during provisioning is to enable ongoing administration and delegation. This separates system administration duties from application administration duties, but you are free to assign the same user to both hierarchies ("system admin" and "application admin"). The following table shows the groups that are created for each family.

Provisioned Administrator Groups

Product Family/Product                          System Administrator Group   Application Administrator Group
Oracle Fusion Supply Chain Management           FSCMSysAdmin                 FSCMAppAdmin
Oracle Fusion Customer Relationship Management  CRMSysAdmin                  CRMAppAdmin
Oracle Fusion Human Capital Management          HCMSysAdmin                  HCMAppAdmin
Oracle Fusion Financials                        FINSysAdmin                  FINAppAdmin
Oracle Fusion Procurement                       PRCSysAdmin                  PRCAppAdmin
Oracle Fusion Project                           PRJSysAdmin                  PRJAppAdmin
Oracle Fusion Incentive Compensation            OICSysAdmin                  OICAppAdmin
In addition, a single user, known as the super user, is set up to belong to all the administrator groups. That user becomes the administrator for all middleware and the application administrator for all product families. In the Enterprise Deployment Guide (EDG) this user is called FAAdmin.
The following diagram illustrates the relationship between the two groups.
Fusion Applications Super Administrator Users

Two identities are involved here: a pre-seeded App ID and the designated super user.

For the pre-seeded user, provisioning employs an identity known as the App ID, which is required to bootstrap the WebLogic domains. The pre-configuration phase of provisioning automatically generates the credential for this App ID user.

For the designated super user, during the interview phase of provisioning you are asked for the user ID of the "real" user who will be set up as the Middleware Administrator and Functional Setup Manager. In the EDG this is the FAAdmin user. Although FAAdmin can be used for this purpose, a real, named user should be used in bare-metal provisioning for better security and auditing, since every administrative action is then attributable to a person rather than to a shared account. Supply the username of that real user in the Provisioning Wizard instead of FAAdmin.
Changing APP ID Passwords

Get the list of App IDs from your environment

Run the following command to get the list of all the entries whose passwords would have to be set. ORACLE_HOME here is the IDM Oracle home, $ORACLE_BASE/product/fmw/idm ($ORACLE_BASE/product/fmw is the Fusion Middleware home), so that the ldapsearch binary is found under $ORACLE_HOME/bin:

export ORACLE_HOME=$ORACLE_BASE/product/fmw/idm
$ORACLE_HOME/bin/ldapsearch -h idmhost.mycompany.com -p 389 -D "cn=orcladmin" -w <password> -b 'cn=AppIdUsers,cn=Users,dc=mycompany,dc=com' -s sub 'objectclass=orclAppiduser' cn > reset.txt 2>&1

The bind password passed with -w is visible in the process list while the command runs and is recorded in shell history; run it from a session that does not record history or clear the history afterwards, and delete reset.txt when you are done with it, since it maps out every service account in the directory.

Sample content of reset.txt:

cn=FUSION_APPS_BI_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com
cn=FUSION_APPS_BI_APPID
cn=FUSION_APPS_ATK_ADF_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com
cn=FUSION_APPS_ATK_ADF_APPID
cn=FUSION_APPS_CRM_ADF_SOAP_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com
cn=FUSION_APPS_CRM_ADF_SOAP_APPID
cn=FUSION_APPS_CRM_ECSF_SEARCH_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com
cn=FUSION_APPS_CRM_ECSF_SEARCH_APPID
Changing App ID passwords

Changing an App ID password has a ripple effect on several configurations, including the credential stores (CSF) in Fusion Applications. The App ID passwords are stored (encrypted) in the credential store, and that is where Fusion Applications reads them before calling other applications and web services. Once an App ID password is changed in LDAP, the corresponding CSF entries must be changed as well. Oracle does not support this at the time of writing, because it is a manual, tedious and error-prone process; a future release may provide a utility that automates it.

The App ID passwords are generated randomly when Fusion Applications is provisioned. They are stored encrypted and no human ever has to use an App ID interactively, so there is normally no reason to change them.

Changing FUSION_APPS_PROV_PATCH_APPID using a custom password

The only exception is FUSION_APPS_PROV_PATCH_APPID, which may be changed if absolutely necessary. Fusion Applications uses FUSION_APPS_PROV_PATCH_APPID to manage the life cycle of the WebLogic Admin and Managed Servers, so the new password must be reflected in the WebLogic boot.properties file of every domain. You can change the FUSION_APPS_PROV_PATCH_APPID password from the IDM or WebLogic administrative console, or with ldapmodify. Create an LDIF file named update_apps_prov_patch.ldif:

dn: cn=FUSION_APPS_PROV_PATCH_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com
changetype: modify
replace: userPassword
userPassword: new_password

Then apply it:

$ORACLE_HOME/bin/ldapmodify -h oid_hostName -p oid_port -D cn=orcladmin -w orcladmin_password -f update_apps_prov_patch.ldif

Note: $ORACLE_HOME is $ORACLE_BASE/product/fmw/idm ($ORACLE_BASE/product/fmw is the Fusion Middleware home). Remove the LDIF file after use, since it holds the new password in clear text.

Changing boot.properties with the new password

Because the FUSION_APPS_PROV_PATCH_APPID password has been reset, the boot.properties of the Admin Server must be updated with the new password in every domain. Run the following for each domain to obtain the encrypted form of the new password.

Set the environment:
. $FUSION_APPS_HOME/wlserver_10.3/server/bin/setWLSEnv.sh

Change to the domain directory, for example:
cd $ORACLE_BASE/config/domains/<Host Name>/CommonDomain

Run the encryption utility:
java weblogic.security.Encrypt

When no password is given on the command line the utility prompts for it, which keeps the clear-text value out of shell history (java weblogic.security.Encrypt <new_password> also works). It prints the encrypted string that must replace the value of the password property in boot.properties under the domain's servers/AdminServer/security folder.

Note: The encrypted string must be generated separately for each domain. weblogic.security.Encrypt uses the SerializedSystemIni.dat of the domain whose directory you run it from, so a string produced in one domain will not decrypt in another.
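The Python 3 script below is an added example, not code from the paper or from Oracle, that automates the three manual pieces of this section: it parses the ldapsearch output in reset.txt into App ID DNs, emits the LDIF modify for a chosen App ID with a randomly generated password, and rewrites the password= line of a domain's boot.properties with the {AES} string obtained from weblogic.security.Encrypt. It runs outside WLST. The reset.txt and boot.properties contents embedded in it are constructed samples, the {AES} values are placeholders, and the password alphabet (mixed-case letters and digits) is an assumption that you should adjust to your OID password policy.

```python
import re
import secrets
import string

# Constructed sample of the ldapsearch output shown above (reset.txt):
# each entry is a DN line followed by a bare "cn=<name>" attribute line.
SAMPLE_RESET_TXT = """cn=FUSION_APPS_BI_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com
cn=FUSION_APPS_BI_APPID
cn=FUSION_APPS_PROV_PATCH_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com
cn=FUSION_APPS_PROV_PATCH_APPID
"""

# Constructed sample boot.properties; the {AES} values are placeholders, not real ciphertext.
SAMPLE_BOOT_PROPERTIES = """# Generated by Configuration Wizard
username={AES}Zm9v
password={AES}b2xk
"""


def parse_app_ids(text):
    """Return {cn: dn} for every App ID entry in the ldapsearch output.
    A DN line contains commas; the bare 'cn=NAME' attribute line does not."""
    app_ids = {}
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("cn=") and "," in line:
            cn = line.split(",", 1)[0][len("cn="):]
            app_ids[cn] = line
    return app_ids


def generate_password(length=24):
    """Random password from letters and digits only, so the value needs no
    base64 encoding in LDIF and no escaping in a Java properties file."""
    alphabet = string.ascii_letters + string.digits
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


def build_ldif(dn, new_password):
    """LDIF 'modify' replacing userPassword, the same shape as update_apps_prov_patch.ldif."""
    return ("dn: %s\n"
            "changetype: modify\n"
            "replace: userPassword\n"
            "userPassword: %s\n" % (dn, new_password))


def update_boot_properties(text, encrypted_password):
    """Replace the password= line of boot.properties with the {AES} string
    produced by weblogic.security.Encrypt; every other line is left untouched."""
    out, replaced = [], False
    for line in text.splitlines():
        if re.match(r"^\s*password\s*=", line):
            out.append("password=" + encrypted_password)
            replaced = True
        else:
            out.append(line)
    if not replaced:
        raise ValueError("no password= line found in boot.properties")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    ids = parse_app_ids(SAMPLE_RESET_TXT)
    dn = ids["FUSION_APPS_PROV_PATCH_APPID"]
    print(build_ldif(dn, generate_password()))
    # The encrypted value must come from weblogic.security.Encrypt run inside the target domain.
    print(update_boot_properties(SAMPLE_BOOT_PROPERTIES, "{AES}bmV3"))
```

The LDIF is written to disk only as long as it takes to run ldapmodify; the same build_ldif helper produces the FAAdmin modify shown later, since only the DN differs. The properties writer deliberately does not re-serialize the file through a properties library, so comments and the username line survive unchanged.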
Changing Keystore Password

Oracle Fusion Middleware provides these tools for keystore operations:

WLST, a command-line interface for JKS keystores and wallets
orapki, a command-line tool for wallets
Fusion Middleware Control, a graphical user interface
the keytool utility

If an Oracle wallet or JKS keystore was created with tools such as orapki or keytool, it must be imported before it can be managed with WLST or Fusion Middleware Control. Consult the Oracle Fusion Middleware documentation on managing keystores for details.

Changing the keystore password using the keytool utility

Follow these steps to change the keystore password:

1. Change directory to $ORACLE_BASE/products/fusionapps/wlserver_10.3/server/lib. Back up fusion_trust.jks first; keytool rewrites the file in place.
2. Run the following command to change the password that protects the integrity of the keystore contents:
keytool -storepasswd -new <NewPassword> -keystore fusion_trust.jks -storepass <OriginalPassword>
3. Run the following command to change the password protecting the private/secret key identified by alias, from old_keypass to new_keypass:
keytool -keypasswd -alias <alias> -keypass <old_keypass> -new <new_keypass> -keystore fusion_trust.jks -storepass <storepass>
This step applies only to entries that hold a private or secret key; a trust store that contains only certificates has no key passwords to change.

If -storepass, -keypass or -new is omitted, keytool prompts for the value, which keeps the passwords out of shell history and the process list.

Once the password is changed, you must reconfigure every WebLogic domain and its servers to reflect the new password.

Configure the WebLogic domain default_keystore.jks

Navigate to <WebLogic Domain>/<Domain Name> and select Security Provider Configuration. Once the keystore password and passphrase are changed, change the keystore and SSL configuration of all the servers in the domain accordingly.

Note: Repeat the above steps for all the domains.

Configure the Admin and Managed Servers for each domain to reflect the new keystore password

Log in to the WebLogic Administration Console and navigate to Environment > Servers. For each server select Configuration and then the Keystores tab, and update the passphrase. Repeat for all servers in all domains.

Note: The keystore password can only be changed if the old password is available.
Changing Super User (FAAdmin) Password

Changing the FAAdmin password using the ODSM console

To change the password of the Fusion Applications super user with Oracle Directory Services Manager (ODSM): log in to the ODSM console as a directory administrator, locate the FAAdmin entry (cn=FAAdmin,cn=Users,dc=mycompany,dc=com in the examples below) in the data browser, and set the new password on that entry.

Changing the FAAdmin password using LDIF

Create an LDIF file such as updatePassword.ldif with the following entries:

dn: cn=FAAdmin,cn=Users,dc=mycompany,dc=com
changetype: modify
replace: userPassword
userPassword: new_password

Apply it with ldapmodify:

$ORACLE_HOME/bin/ldapmodify -h oid_hostName -p oid_port -D cn=orcladmin -w orcladmin_password -f updatePassword.ldif

Note: $ORACLE_HOME is $ORACLE_BASE/product/fmw/idm ($ORACLE_BASE/product/fmw is the Fusion Middleware home). Delete the LDIF file afterwards, as it contains the new password in clear text.

Changing the Oracle Fusion Middleware administrative user password using the WLST command line

To change the Oracle Fusion Middleware administrative user password, or other user passwords held by a WebLogic authentication provider, from the command line, invoke the changeUserPassword method of UserPasswordEditorMBean, which the security realm's authentication provider MBean extends. The script must be connected to the Admin Server with connect() (not nmConnect(), which only exposes Node Manager commands), because the security configuration MBeans are served by the Admin Server. The example uses the DefaultAuthenticator, which is the domain's embedded LDAP; to change a user held by another provider, look that provider up by name (it must support UserPasswordEditorMBean). FAAdmin itself lives in OID, and the LDIF procedure above changes it directly in the directory.

Example:

connect('weblogic_fa', '<password>', 't3://<hostname>:7001')

WLST script:

from weblogic.management.security.authentication import UserPasswordEditorMBean
print "Changing password ..."
atnr = cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")
atnr.changeUserPassword('my_user', 'my_password', 'new_password')
print "Changed password successfully"

changeUserPassword takes the user's current password as well as the new one; it is a self-service change, not an administrative reset, so it fails if the old password is unknown.
Account Lock and Password Expiration Policies

When Fusion Applications is provisioned, the App IDs container has no password expiration policy, but system (policy) users such as PolicyRWUser, PolicyROUser, IDRWUser and IDROUser do. There are two ways to handle the expiration policy:

1. Disable the password expiration policy. If a password has already expired, change it back to the same value and then disable the expiration policy so that it does not recur. This ensures that no changes are required in the respective credential stores. This only works if the applicable password policy does not enforce a password history; if it does, the directory rejects the reuse and option 2 is the only choice.
2. Change the password and then follow the credential store section below to change the respective credential store (CSF) keys.

Option 1 is recommended until a future release provides a complete listing of credential store mappings (similar to the one for App IDs). Consult the Oracle Internet Directory documentation on password policies for how to manage them.
Changing Fusion Applications Database Passwords

Changing JDBC Data Sources

Change the schema password in the database first (ALTER USER <schema> IDENTIFIED BY ...), then update the data sources. Until the data sources are updated, every new connection attempt made with the old password counts against FAILED_LOGIN_ATTEMPTS of the schema's profile, which is why the stop and restart procedures in this document relax and then restore that limit.

The following WLST (Jython) script demonstrates how to change the password of the JDBC data sources in each domain. The WebLogic credentials are hard-coded here for brevity only; in practice read them from a protected file or a WLST user-config/key file rather than embedding them in the script.

import sys
import os
import ConfigParser
import time
from datetime import datetime

_wlsUsername = 'weblogic_fa'
_wlsPassword = 'Welcome1'          # demonstration only; do not hard-code in production
_domainT3UrlProperty = 'domain.url.t3'
_schemaSectionName = 'SCHEMAS'
_fsSectionName = 'CommonDomain'

def updateDatasourcesInOneDomain(_wlsUsername, _wlsPassword, _domainT3Url, _parser):
    connect(_wlsUsername, _wlsPassword, _domainT3Url)
    _dsNames = ls('/JDBCSystemResources', returnMap='true', returnType='c')
    edit()
    startEdit()
    for _dsName in _dsNames:
        jdbcSR = lookup(_dsName, "JDBCSystemResource")
        theJDBCResource = jdbcSR.getJDBCResource()
        driverParams = theJDBCResource.getJDBCDriverParams()
        driverProperties = driverParams.getProperties()
        # update the schema password if the schema user is listed in the input file
        _userprop = driverProperties.lookupProperty('user')
        if _userprop is None:
            continue                  # data source without a 'user' property (e.g. proxy/XA configs)
        _userval = _userprop.getValue()
        if _parser.has_option(_schemaSectionName, _userval):
            print '*** Updating the password of datasource ' + _dsName + ' (username=' + _userval + ')'
            _dbPassword = _parser.get(_schemaSectionName, _userval)
            print 'password is:' + _dbPassword     # debugging only; remove in production
            driverParams.setPassword(_dbPassword)
    # one edit session per domain: activate() applies all the changes at once
    save()
    activate(block="true")
    disconnect()

Read the input file as follows:

# read the input file
try:
    _inputFile = sys.argv[1]
    print '*********************************************************************************************'
    print '* Input file: ' + _inputFile
    print '*** Reading ' + str(_inputFile) + '...'
    _parser = ConfigParser.ConfigParser()
    _parser.optionxform = str        # keep option names case-sensitive; schema names are upper case
    _parser.read(_inputFile)
except:
    print '*********************************************************************************************'
    print '* Error: cannot read the input file'
    sys.exit(2)

Call the function above as follows:

# update the datasource passwords
for _sectionName in _parser.sections():
    if _parser.has_option(_sectionName, _domainT3UrlProperty):
        # get the domain t3 url
        _domainT3Url = _parser.get(_sectionName, _domainT3UrlProperty)
        print '*** Retrieved ' + _sectionName + ' domain t3 url: ' + _domainT3Url
        try:
            print '************ Update datasource passwords'
            updateDatasourcesInOneDomain(_wlsUsername, _wlsPassword, _domainT3Url, _parser)
        except:
            dumpStack()
            sys.exit(1)
print '*** Successfully updated datasources'
exit()

The sample input file is:

[SCHEMAS]
##########
jrd1=newWelcome1
jrd2=newWelcome1
jrd3=newWelcome1

[CommonDomain]
# The WLS admin URL for the Common Domain
domain.url.t3=t3://scmhost1as1.us.oracle.com:7001

[HCMDomain]
# The WLS admin URL for the HCM Domain
domain.url.t3=t3://scmhost1as1.us.oracle.com:9401

The input file contains clear-text schema passwords: give it restrictive file permissions and delete it once the change has been verified.

Run the Python script as follows:

$FA_HOME/wlserver_10.3/common/bin/wlst.sh $SCRIPT_PATH/<script_name>.py $SCRIPT_PATH/<input_filename>.ini

See the following screen shots for the output.

Note: The password output value is for debugging only. You should remove it from your production script. You can modify Fusion Applications data sources based on the input file provided in Appendix C.
Changing Credential Store Mapping

Log in to Fusion Middleware Control and navigate to Domain > Security > Credentials to display the Credentials page, where the CSF maps and keys can be inspected and edited by hand.

Creating a WLST script to automate CSF mappings

Extend the database schema password script above to include the CSF updates. Add another Python function as follows. It resolves each CSF key to a schema through the input file (map section -> key -> schema user -> [SCHEMAS] password), deletes the existing credential and recreates it with the same user and the new password. It always connects to the CommonDomain Admin Server when the input file lists one, because the domains share a single credential store, so one connection suffices.

_expectedCredMapList = ['oracle.bi.enterprise']   # every CSF map section present in the input file (see Appendix C)

def updateCredentialPasswords(_wlsUsername, _wlsPassword, _domainT3Url, _parser):
    if _parser.has_option(_fsSectionName, _domainT3UrlProperty):
        _domainT3Url = _parser.get(_fsSectionName, _domainT3UrlProperty)
    connect(_wlsUsername, _wlsPassword, _domainT3Url)
    for _sectionName in _parser.sections():
        # only look at sections whose name is an expected credential map name
        if _sectionName not in _expectedCredMapList:
            continue
        _map = _sectionName
        for _key in _parser.options(_map):
            _schemaUsername = _parser.get(_map, _key)
            _password = ''
            if _parser.has_option(_schemaSectionName, _schemaUsername):
                _password = _parser.get(_schemaSectionName, _schemaUsername)
            if len(_password) == 0:
                print '*** Skipping credential with map [' + _map + '] and key [' + _key + ']: no password for schema ' + _schemaUsername + ' in [' + _schemaSectionName + ']'
                continue
            _credFound = False
            try:
                print '*** Deleting existing credential with map [' + _map + '] and key [' + _key + ']. Failure indicates that no such credential exists.'
                deleteCred(map=_map, key=_key)
                _credFound = True
            except:
                dumpStack()
            if _credFound:
                _now = str(datetime.now())
                _desc = 'Reset at ' + _now
                # recreate the credential that was just deleted, with the new password
                createCred(map=_map, key=_key, user=_schemaUsername, password=_password, desc=_desc)
                print '*** Recreated credential with map [' + _map + '] and key [' + _key + '] for user ' + _schemaUsername
    disconnect()

Because the credential is deleted before it is recreated, a failure between the two calls leaves that key missing; keep a record of the map/key pairs processed so that any gap can be recreated by hand. updateCred(map=..., key=..., user=..., password=...) changes an existing credential in place and avoids that window, but fails if the key does not exist yet.
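As an added example that is not part of the paper or of Oracle's tooling, the Python 3 script below implements a pre-flight check of the input file consumed by the two WLST functions above and described in Appendix C. The WLST code silently skips a CSF key whose schema has no [SCHEMAS] entry and a domain section without domain.url.t3, so both are worth catching before an edit session is opened. The input text, the CSF key example.schema and the schema FUSION_EXAMPLE are constructed for the example; EXPECTED_CRED_MAPS is assumed to contain the CSF map names used in your input file.

```python
import configparser
import io

# Constructed sample input file in the layout used by the scripts above and in Appendix C:
# [SCHEMAS] holds schema -> new password, [<Domain>] sections carry domain.url.t3,
# and each CSF map section maps a CSF key to the schema whose password it stores.
SAMPLE_INPUT = """
[SCHEMAS]
FUSION_BIPLATFORM=newWelcome1
FUSION_RUNTIME=newWelcome2

[CommonDomain]
domain.url.t3=t3://scmhost1as1.us.oracle.com:7001

[HCMDomain]
# domain.url.t3 deliberately missing, to exercise the check

[oracle.bi.enterprise]
scheduler.schema=FUSION_BIPLATFORM
example.schema=FUSION_EXAMPLE
"""

DOMAIN_URL_PROPERTY = "domain.url.t3"
SCHEMA_SECTION = "SCHEMAS"
# Assumption: the CSF map sections that appear in the input file.
EXPECTED_CRED_MAPS = ["oracle.bi.enterprise"]


def load_input(text):
    """Parse the input file the way the WLST scripts do (case-sensitive option names)."""
    parser = configparser.ConfigParser()
    parser.optionxform = str
    parser.read_file(io.StringIO(text))
    return parser


def resolve_csf_password(parser, cred_map, key):
    """Same lookup chain as updateCredentialPasswords: map/key -> schema user -> [SCHEMAS] password.
    Returns (schema_user, password), with password None when the chain is broken."""
    schema_user = parser.get(cred_map, key)
    if parser.has_option(SCHEMA_SECTION, schema_user):
        return schema_user, parser.get(SCHEMA_SECTION, schema_user)
    return schema_user, None


def preflight(parser):
    """Return the list of problems that would make the WLST scripts silently skip work."""
    problems = []
    if not parser.has_section(SCHEMA_SECTION):
        problems.append("missing [%s] section" % SCHEMA_SECTION)
        return problems
    for schema, password in parser.items(SCHEMA_SECTION):
        if not password:
            problems.append("empty password for schema %s" % schema)
    for section in parser.sections():
        if section == SCHEMA_SECTION:
            continue
        if section in EXPECTED_CRED_MAPS:
            for key in parser.options(section):
                user, password = resolve_csf_password(parser, section, key)
                if password is None:
                    problems.append("CSF %s/%s refers to schema %s with no entry in [%s]"
                                    % (section, key, user, SCHEMA_SECTION))
        elif not parser.has_option(section, DOMAIN_URL_PROPERTY):
            # a domain section without a URL is ignored by the datasource loop
            problems.append("section [%s] has no %s and will be skipped" % (section, DOMAIN_URL_PROPERTY))
        elif not parser.get(section, DOMAIN_URL_PROPERTY).startswith("t3://"):
            problems.append("section [%s]: %s is not a t3:// URL" % (section, DOMAIN_URL_PROPERTY))
    return problems


if __name__ == "__main__":
    for problem in preflight(load_input(SAMPLE_INPUT)):
        print("WARNING:", problem)
```

Run it against the real .ini before wlst.sh; an empty result means every domain section will be visited and every CSF key listed in a map section resolves to a password. It does not validate the passwords against the database password policy, so a rejected ALTER USER still has to be caught separately.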
Updating ESS Spawned Job Wallet

Syntax to update the wallet:

mkstore -wrl <walletLocation> -modifyCredential <dbName> <dbUser> <dbPassword>

Run the following:

1. Go to a command prompt in $TNS_ADMIN.
2. Execute:
mkstore -wrl $ORACLE_CSF_WALLET_LOC -modifyCredential $TWO_TASK fusion_runtime <NewPassword>

mkstore prompts for the wallet password. To confirm the change, list the stored credentials (the passwords themselves are not displayed):

mkstore -wrl $ORACLE_CSF_WALLET_LOC -listCredential
Changing ODI Repository Password

In ODI Studio, double-click the work repository. The Work Repository Editor opens. On the Definition tab of the Work Repository Editor, click Change password. Enter the current password and the new one. Click OK.
Changing BI Repository Password

The obieerpdpwdchg utility is especially useful when you want to change the repository password on Linux and UNIX systems, where the Administration Tool is not available. You cannot change the repository password while the repository is open in online mode. After you change the repository password, you must also publish the updated repository and specify the new password in Fusion Middleware Control. Specifying the repository password in Fusion Middleware Control stores it in an external credential store, so that the Oracle BI Server can retrieve it to load the repository.

Changing the Oracle BI repository password using the Administration Tool

1. Open the repository in the Administration Tool in offline mode.
2. Select File, then select Change Password.
3. Enter the current (old) password.
4. Enter the new password and confirm it. The repository password must be longer than five characters and cannot be empty.
5. Click OK.
6. Save and close the repository.
7. Open a Web browser and log in to Fusion Middleware Control from the computer where the updated repository is located.
8. In the navigation tree, expand Business Intelligence and then click coreapplication to display the Business Intelligence Overview page.
9. Display the Repository tab of the Deployment page.
10. Click Lock and Edit Configuration.
11. Click Browse next to Repository File. Then select the updated repository file and click Open.
12. Enter the new (updated) repository password in the Repository Password and Confirm Password fields. Make sure to specify the password that has been set in the repository. If the passwords do not match, the Oracle BI Server fails to start and an error is logged in nqserver.log.
13. Click Apply, then click Activate Changes.
14. Return to the Business Intelligence Overview page and click Restart.

Changing the Oracle BI repository password using obieerpdpwdchg

Follow these steps to change the repository password using the obieerpdpwdchg utility, and then publish the modified repository in Fusion Middleware Control:

1. Run bi-init to launch a command prompt or shell window that is properly initialized. For example:
Linux: ORACLE_INSTANCE/bifoundation/OracleBIApplication/coreapplication/setup/bi-init.sh
Windows client installation: ORACLE_HOME/bifoundation/server/bin/bi-init.bat
Windows, all other installation types: ORACLE_INSTANCE/bifoundation/OracleBIApplication/coreapplication/setup/bi-init.cmd
2. At the command prompt, type obieerpdpwdchg with the following arguments:
-I name_and_path_of_existing_repository
-O path_of_new_repository
Then enter the current (old) password and the new password when prompted. The repository password must be longer than five characters and cannot be empty. For example:

obieerpdpwdchg -I my_repos.rpd -O my_changed_repos.rpd
Please enter the repository password: my_old_password
Please enter a new repository password: my_new_password

Note that passwords are masked on the command line unless you include the -C option to disable masking. The utility writes a new file and leaves the original in place; the original still opens with the old password, so remove it or restrict access to it once the new file is published.
3. Open a Web browser and log in to Fusion Middleware Control from the computer where the updated repository is located.
4. In the navigation tree, expand Business Intelligence and then click coreapplication to display the Business Intelligence Overview page.
5. Display the Repository tab of the Deployment page.
6. Click Lock and Edit Configuration.
7. Click Browse next to Repository File. Then select the updated repository file and click Open.
8. Enter the new (updated) repository password in the Repository Password and Confirm Password fields. Make sure to specify the password that has been set in the repository. If the passwords do not match, the Oracle BI Server fails to start and an error is logged in nqserver.log.
9. Click Apply, then click Activate Changes.
10. Return to the Business Intelligence Overview page and click Restart.
Updating ESSBase Registry

Run the following command to update the registry:

updateRegProperties.py biHome biInstance DbUrl DbUserName DbNewPassword DbDriverClass

Then change the EPM registry as follows:

$BIInstance/config/foundation/11.1.2.0/epmsys_registry.sh updateencryptedproperty HOST/database_conn/@dbPassword DbNewPassword

For example, $BIInstance/config/foundation/11.1.2.0 resolves to <INSTANCE_DIR>/config/BIInstance/config/foundation/11.1.2.0.
Changing the Oracle Internet Directory superuser password using ldapmodify

To set or modify the user name or password of the OID superuser (cn=orcladmin by default), use ldapmodify to modify the attribute orclsuname or orclsupassword, respectively, in the DSE root. Changing the user name of the superuser can have serious repercussions and is not recommended. To change the password of the superuser to superuserpassword, use an LDIF file such as the following (the DSE root has an empty DN):

dn:
changetype: modify
replace: orclsupassword
orclsupassword: superuserpassword

Apply it with ldapmodify bound as the current superuser, for example $ORACLE_HOME/bin/ldapmodify -h oid_hostName -p oid_port -D cn=orcladmin -w current_password -f <file>.ldif. Every command in this document that binds as cn=orcladmin (ldapsearch, ldapmodify) must then be run with the new value.
Restart Fusion Applications

1. Restore the database profile limits that were relaxed for the password change:
   b. Alter the DEFAULT profile back from unlimited login attempts to its original limit. The following syntax assumes the original value was 10.
   c. ALTER PROFILE DEFAULT LIMIT FAILED_LOGIN_ATTEMPTS 10;
   d. Restore the SEARCHSYS_PROF profile. The following syntax assumes the original value was 10.
   e. ALTER PROFILE SEARCHSYS_PROF LIMIT FAILED_LOGIN_ATTEMPTS 10;
   Confirm both limits with: SELECT profile, limit FROM dba_profiles WHERE resource_name = 'FAILED_LOGIN_ATTEMPTS';
2. Shut down the Administration Servers.
3. Start all the Admin and Managed Servers. Consult the Fusion Applications documentation on the fastartstop utility for starting and stopping Fusion Applications.
4. Start all opmn processes (BI, GOP, etc.) depending on your Fusion Applications installation type.
5. Start Oracle HTTP Server, so that users can resume sending requests.
Appendix C Sample Input file for Fusion Applications Schemas

# The [*Domain] sections list all Fusion Apps WLS domains that contain
# data sources to be updated. The list will not change in a given Fusion
# Apps release, but could change in future releases.
# -------------------------------------------------------------

[oracle.bi.enterprise]
#
# CSF key names and corresponding schema names for the CSF map
# oracle.bi.enterprise.
#
# Used to update the password stored along with the schema name
# for each listed CSF entry.
#
# You should not need to change these values.
# -------------------------------------------------------------
#
scheduler.schema=FUSION_BIPLATFORM
Oracle Fusion Applications: Managing Passwords May 2012 Author: Jack Desai, A-Team
Copyright 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. UNIX is a registered trademark licensed through X/Open Company, Ltd.
Oracle Corporation World Headquarters 500 Oracle Parkway Redwood Shores, CA 94065 U.S.A.