Kevin Kempf's Blog

October 17, 2014

Querying your 11i/R12 Context File from Oracle SQL*Plus

Filed under: 11i, R12.2 — kkempf @ 8:53 am

 

contextfile

Peeling back the layers of the context file, precipitated by MSCA

We all know that the context file holds information about virtually everything on the applications tier, and how important it is.  As a result of our upgrade effort from 11i to R12.2, I started getting incessant calls wanting to know that current dispatcher port for MSCA. While this post will be specific to MSCA as the reason for having to figure out how to do this query, the principles here can be used to obtain any value from the context file via SQL*Plus, for any reason.

Background

I should note a few things about the MSCA product for those (presumably the majority of you) who are unfamiliar with it.  The MSCA product is essentially a telnet front end, which runs on the application server on a specific port.  Users can either use telnet to connect to it, or the MSCA GUI client.  Either one requires a hostname and port.  MSCA actually runs on many ports, managed by a dispatcher to reduce the load on any one port.  So ideally, users connect to the dispatcher.  Thus one would think that when I created a new environment, it would be easy to just inform everyone of the port to connect to and the calls would end.  In my case, there’s two problems with that.  First, there’s a known R12.2 bug which switches the dispatcher port during an online patch session.  So if you’re running on filesystem1, it might be 10300, but if you’re on filesystem2, 10302.  Second, MSCA doesn’t like to stay running.  So it’s helpful for a user to confirm they’re trying to connect to the correct port before calling.

The good part

The bottom line is the query to accomplish this is as follows; the table fnd_oam_context_values stores entire context files as clobs in a field called text.

select
extractvalue( xmltype( text ),’//mwaDispatcherPort‘ )
from
fnd_oam_context_files
where
status = ‘S’
and name = ‘SID_hostname
and last_synchronized =
(select
max( last_synchronized )
from
fnd_oam_context_files
where
status = ‘S’
and name = ‘SID_hostname
) ;

Obviously, when you do it, you’re going to change a few things:

  • mwaDispatcherPort is the tag from the $CONTEXT_FILE you’re looking for the value of.  Examples include oa_context_name, jinit_ver_dot, platform, or whatever you’re looking for.
  • SID_hostname is the database SID followed by an underscore and the applications tier hostname.

Why the subquery?  There are many context files stored in this field as clobs.  You want the most recent one (presumably, tweak as desired, based on last_synched) and you want one which has a value of S (synched? not 100% sure about this column, just figured it out through trial and error)

Incidentally, there is a table called fnd_env_context which holds some, but not all of the values contained in the context file.

End Result

We’re gunning for a centralized APEX report which can query the databases and return the relevant port numbers for users, as appropriate, depending on their apps responsibility.  So they can stop calling me so I can blog more.

October 16, 2014

R12.2 Apps Password Changing

Filed under: Linux, R12.2 — kkempf @ 10:02 am

cloning

Staring down the barrel of an R12.2 upgrade

So we’re getting really, really close to pulling the trigger on this release.  I’m tying up loose ends from an admin perspective, and one of them was confirming I could clone under 12.2.

R12.2 Cloning

In general, I’d say cloning is easier than 11i.  That said, I currently have an SR open because after completing the clone in accordance with 1383621.1 I can’t run a patch cycle because of an issue with appltop_id.  I’m really hoping I missed something simple and it will be resolved soon.  Other than that, my clone worked great, I could log in and things were running right.  Although the cloning document isn’t what I would call a “roadmap” to a clone, it’s enough that if you used to know how to clone you can figure it out.  My favorite part is for the poor people running R12.2 on Windows (hopefully, nobody) where in order to prepare the source system, you have to shut down production to clone.

Password Changing

There’s a lot of moving parts in the E-Business suite, and Oracle did us a favor by providing the FNDCPASS utility again in R12.2 to facilitate apps password changes.  Well really any schema changes.  I grabbed Doc 1674462.1 and I have to say it’s well written and accurate!  In the old days of 11i, you had to run autoconfig to propogate the apps password change to a human-readable text file under the Apache install (among other reasons, I’m sure).  No, really, it’s out there source an 11i environment and type this:

cat ($IAS_HOME)/Apache/modplsql/cfg/wdbsvr.app|grep -m1 password|sed -re ‘s/(^.+= )//’

Well now that bit is buried under Weblogic, so it takes longer in that you have to log in to the admin server and use the web-based GUI to make the JDBC connection change.

My Gift to you

Although I feel the document is accurate, I don’t want to have to go dig it out every time I do a clone (or rely on Metalink being up/accessible) and need to change my non-production system password to something different than production.  Besides, a working shell script means I don’t have to worry about standardizing my process.  In my cloning notes I simply say “change apps password with passwordchanger12.sh”.

So here’s my shell scripted version; I could have automated it more but I feel this script allows for you to walk through the steps without making it a complete “black box” in case it changes in the future.  I think the only caveat is that the directory you run it in needs to be writable.  You can chmod +x the script and just run it without arguments to get the “help” information.

########################
# apps password change #
########################

if [ $# -ne 6 ]
then
  echo "Usage:  passwordchanger12.sh"            
  echo "        -appspass    password             Current apps Password"
  echo "        -syspass     password             Current system Password"
  echo "        -newpass     password             New apps, apps schema's, non-apps and non-apps schema's Password"
  echo
  echo "example:  passwordchange.sh -appspass apps -syspass manager -newpass tayl0r"
  echo
  echo "General order of password changes IAW DOC ID 1674462.1:"
  echo "0) export fnd_users"
  echo "1) Stop everything with adsptall.sh and ensure it's down"
  echo "2) Run this script"
  echo "3) Start only the admin server with adadminsrvctl.sh"
  echo "4) Change the apps password in WLS Datasource" 
  echo "   a. Log in to WLS Administration Console"
  echo "   b. Click Lock & Edit in Change Center"
  echo "   c. In the Domain Structure tree, expand Services, then select Data Sources"
  echo "   d. On the Summary of JDBC Data Sources page, select EBSDataSource"
  echo "   e. On the Settings for EBSDataSource page, select the Connection Pool tab"
  echo "   f. Enter the new password in the Password field"
  echo "   g. Enter the new password in the Confirm Password field"
  echo "   h. Click Save"
  echo "   i. Click Activate Changes in Change Center"
  echo "5) Start everything with adstrtal.sh"
  echo "6) Check in the apps and WLS"
  echo "   a. Log in to WLS Administration Console"
  echo "   b. In the Domain Structure tree, expand Services, then select Data Sources"
  echo "   c. On the Summary of JDBC Data Sources page, select EBSDataSource"
  echo "   d. On the Settings for EBSDataSource page, select Monitoring > Testing"
  echo "   e. Select oacore_server1"
  echo "   f. Click Test DataSource"
  echo "   g. Look for the message Test of EBSDataSource on server oacore_server1 was successful."
  echo 
  exit 1
fi

for parm in `echo $*`
do
  if [ $1 = '-appspass' ]
  then
    shift
    APPSPASS=$1
  elif [ $1 = '-syspass' ]
  then
    shift
    SYSPASS=$1
  elif [ $1 = '-newpass' ]
  then
    shift
    NEWPASS=$1
  fi 

  if [ $2 ]
  then
    shift
  fi
done

echo "changing non apps passwords..."
$FND_TOP/bin/FNDCPASS apps/${APPSPASS} 0 Y SYSTEM/${SYSPASS} ALLORACLE ${NEWPASS}

echo "changing apps password..."
$FND_TOP/bin/FNDCPASS apps/${APPSPASS} 0 Y SYSTEM/${SYSPASS} SYSTEM APPLSYS ${NEWPASS}
  echo "Remaining Steps:"
  echo "3) Start only the admin server with adadminsrvctl.sh"
  echo "4) Change the apps password in WLS Datasource" 
  echo "   a. Log in to WLS Administration Console"
  echo "   b. Click Lock & Edit in Change Center"
  echo "   c. In the Domain Structure tree, expand Services, then select Data Sources"
  echo "   d. On the Summary of JDBC Data Sources page, select EBSDataSource"
  echo "   e. On the Settings for EBSDataSource page, select the Connection Pool tab"
  echo "   f. Enter the new password in the Password field"
  echo "   g. Enter the new password in the Confirm Password field"
  echo "   h. Click Save"
  echo "   i. Click Activate Changes in Change Center"
  echo "5) Start everything with adstrtal.sh"
  echo "6) Check in the apps and WLS"
  echo "   a. Log in to WLS Administration Console"
  echo "   b. In the Domain Structure tree, expand Services, then select Data Sources"
  echo "   c. On the Summary of JDBC Data Sources page, select EBSDataSource"
  echo "   d. On the Settings for EBSDataSource page, select Monitoring > Testing"
  echo "   e. Select oacore_server1"
  echo "   f. Click Test DataSource"
  echo "   g. Look for the message Test of EBSDataSource on server oacore_server1 was successful."

exit

September 5, 2014

11i Apache v 1.0.2.2.2 and Symbolic Links

Filed under: 11i — kkempf @ 10:48 am

asf-logo

Minding my own business

While cloning 11i environments to try to get to R12.2, I ran into this error when logging in after completing the clone:

Forbidden

You don’t have permission to access /OA_HTML/AppsLocalLogin.jsp on this server.

Wow that’s pretty serious looking.  What did I forget?  Bad values in the context file for ssl certs?  No.  Talking ssl over a port not allowed by our proxy server?  No.  It turns out, I got a little creative in trying to re-arrange environments (on an old 32-bit front end Oracle Linux 5 box) and I built this particular 11i front end off of a symbolic link in Linux pointing to an unused 11i disk path (which has already been converted to R12, on a 64-bit front end Oracle Linux 6 box).  Sometimes you have to do strange things in the name of expediency, and also because the guy who allocates disk from the SAN is out today.

 

The fix

Edit your context file in $APPL_TOP/admin, and change s_options_symlinks from Options -FollowSymLinks to Options +FollowSymLinks.  This writes to httpd.conf and httpd_pls.conf under your IAS Home.

Shut down your services, run autoconfig and restart services.

Use at your own caution, as it’s probably violating 10 different security rules, but I don’t care I am throwing this environment away within 3 days.

September 3, 2014

Fun with R12

Filed under: R12.2 — kkempf @ 2:38 pm

Awesomeness

Some genius at Oracle decided to land a user-owned lock file in /tmp for the Weblogic admin server in R12.2.  This would be OK, except it doesn’t have any unique identifier in it such as PID, instance name, etc.  It’s just called .ovdlock.tmp.  It’s even funnier because they make it a hidden file so it’s challenging to find.  

Regardless, as a result, if you have multiple instances running on one (Linux) host with separate OS users for each, one will start just fine, while the other will say

Starting server AdminServer …
Error Starting server AdminServer: weblogic.nodemanager.NMException: Exception while starting server ‘AdminServer’

Without much other explanation…. the fix is to su and chown 777 /tmp/.ovdlock.tmp and retry adstrtal.sh on the host which wouldn’t start.  There was a Weblogic bug for this, and maybe even a fix, but I haven’t applied it because it didn’t appear to be for my version (10.3.6) of WLS.  Read about it at 1906029.1

August 7, 2014

Changing the JRE version pushed by R12.2

Filed under: Java, R12.2 — kkempf @ 12:02 pm

Giving credit where credit is due

In light of all the recent fervor about Java, it’s appropriate that I give credit to Oracle when they get something right.

Changing JRE push version (minimum) in 12.2

It’s unbelievably easy.  Follow 393931.1

  • Download whatever version of Java you want to run this week for your enterprise </sarcasm> to /tmp
    • The way they’re pushing updates, I think I could script this whole thing to pull the latest version every week and install it….
  • cp /tmp/jre-7u67-windows-i586.exe $COMMON_TOP/webapps/oacore/util/javaplugin/j2se17067.exe
    • land it in the “push” directory
  • $FND_TOP/bin/txkSetPlugin.sh 17067
    • run this utility to link the AD utilities and your context file to the new version
  • adop phase=fs_clone
    • make sure it gets sync’d to both fs1 and fs2

Done.  That’s it.  10 minutes tops.  Your EBS now pushes 1.7 update 67.

R12.2, Oracle Java, Microsoft, Google and Security

Filed under: Java, Oracle, Windows 7 — kkempf @ 11:51 am

JavaUpdatePrompt

The Playing Field

It’s no secret Google hates Microsoft (M$) hates Oracle hates Google hates Oracle hates Microsoft.  But EBS users are caught in the crossfire this time, and it’s not pretty.

M$ recently announced here they were going to start blocking Java launches out of IE.  You know, because they’re looking out for us.

Java started squalking about unsigned Jar files awhile back, but if your version was old enough, you wouldn’t see this message because it was too dumb to know it.  It also pesters you incessantly if you’re not running the latest version.  Always.

Google started stopping Java from running in Chrome which I noted here.  It was technically never certified with Oracle EBS, so I hold them least culpable at the moment.

Security

I appreciate that all of these players are protecting their own interests and implementing these changes in the name of security.  People complain about Java security?  Great, now Oracle will issue an update every week, and if you’re more than 2 updates behind it will nag you forever.  Launching EBS which doesn’t have signed JAR files?  Big scary window pops up warning the user.  Want to run old Java on Windows 7?  Microsoft says nope.

I’m in the middle of an R12.2 upgrade.  I have the luxury of taking the time to go get a certificate from Thawte and sign my jar files, and test it.  The truth is that it’s pretty easy.  But so is the process of getting a certificate.  Meaning, nothing against Thawte, but by signing my jar files all I’ve done is satisfy the JRE plug in.  I haven’t really enhanced my security, in my opinion.  Same thing with upgrading to the latest version of Java.

Meanwhile, here in the real world

I work for a manufacturer.  The floor workers who interact with Oracle EBS don’t know/care/understand what Java is, what a signed jar file is, what version of Java they’re running, etc.  They just want to get into Oracle EBS.  We’re not internet-exposed.  Sure there’s risk of someone exploiting a security hole, but it would probably have to come from the inside.  This is a known risk we’re probably more willing to take than the risk of having to deal with hours and hours of confusion every time M$ makes a unilateral decision about Java, or Oracle delivers yet another Java update.   We’ve been running EBS 11i on Java 1.6_12 for over 5 years now.  Never caused a problem.  It’s ancient, but it works.  Much like, I suspect, many companies, we have a lot of legacy Java running.  The effort required to push a newer version of Java to these machines is not insignificant, since they’re all locked down on the manufacturing floor.

Battle of the sexes

I’m sick of it.  Java consumers (and I’m not talking about coffee here) are stuck in the crossfire between M$ and Oracle.  Here’s what I see happening:

1. We regression test and deliver R12.2 with Java 1.7.0 update 67 in 6 months

2. Oracle issues 25 more versions of Java 7 thus every user gets the “Update (Recommended), Block or Later” dialogue box

3. Some users block, some update, some say later.  66.66% of these scenarios cause IT problems

4. Microsoft, not to be outdone, declares Java 1.7 update 67 obsoleted, and thus adds it to a block list

Managing the Mess

Sure, we can manage Win7 updates through policy, and the same for Java updates.  But are we actually improving security, in any way?  Or just creating busy work for ourselves, where the version which runs on our isolated network is largely immaterial?

 

 

June 10, 2014

Let the games begin!

Filed under: 11i, R12.2, Ubuntu — kkempf @ 8:34 am

R12.2.3

R12.2.3 Testing has begun

R12.2 changes a LOT of things, especially for an applications DBA.  We’re underway with our upgrade plans to 12.2, and I was happy to see if you have the patience to make all the pieces work (Chrome, Ubuntu, Java, PopUp Blocker, Chrome Plug-In for Oracle R12) you can actually launch forms from Ubuntu.

Initial Upgrade Impressions

There’s a lot of work to upgrade from 11i to 12.2.3.  The upgrade documents are extensive, and not light reading.  Customizations are a bugger to bring over, the whole landscape has changed with edition based redefinition.  Much of this revolves around the changes to the techstack (Weblogic), and online patching.  The new patching utility, adop, works in conjunction with other old favorite ad utilities, but it’s not terribly intuitive.  There was something reassuring watching my workers progress and run; maybe there’s a way to do it and I just haven’t figured out the appropriate CLI switch.  You can still look at them via adctrl, but it’s not the same, I don’t get the reassurance of knowing I only have 123,000 jobs left to finish.  Mostly, though, things look the same.  More to follow.

June 9, 2014

Google’s message to Ubuntu users of Chrome 35 and JRE

Filed under: Chrome, Ubuntu — kkempf @ 10:59 am

mf

Take that Chrome Users!

OK, they really didn’t do that.  But they might as well have.

Ubuntu at Work

I like using Ubuntu as my primary desktop at work.  I have to keep Windoze around for compatibility issues, but Linux is much faster and more reliable.  Recently, I found that I kept getting the error “Java Plugin Not Installed”.  I finally had time to dig into it, and it turns out it was due to an upgrade from Chrome 34 to Chrome 35.  The sym link in my /opt/google/chrome/plugins directory was still good, but Chrome 35 just ignores it.  I found all this out (ironically) with a lot of Googling, I found this

http://askubuntu.com/questions/470485/java-plugin-issue-on-chrome-browser

I won’t say I understand all the jargon, but the gist of it is this: for whatever reason, Chrome on Linux no longer supports Oracle JDK/JRE as of a few weeks ago.  Here’s a funny thread showing me I’m not the only one unamused by this:

https://code.google.com/p/chromium/issues/detail?id=375909

The Fix

If you find yourself in this spot, just use Ubuntu software center to uninstall Chrome, go pull version 34 here and reinstall.  Then it magically works again, and I can get into the EBS forms.  Google, I know you don’t care what I think, but seriously?  It’s Oracle Java.  Pretty universal, and this open source Iced Tea stuff doesn’t cut it for big boy applications.  Please restore this functionality, or I’ll have to move to the F-browser and nobody wants that!

April 24, 2014

Simplifying an R12 Install

Filed under: R12 — kkempf @ 7:18 am

Pre-validation RPMs

I’d discussed installing an RPM to check your kernel settings and do other trivial OS/Linux tasks before installing an Oracle database here.  Now Oracle has officially released the same mechanism to validate an R12 (12.1, 12.2) environment; I caught wind of it on Steven Chan’s blog here.  This is a nice touch, since the requirements (especially on the application server side) include many x86 packages which are a pain to get.  You can read about it here in Doc ID 1330701.1.  Essentially, you ensure your yum settings allow you to be subscribed to Oracle add-on’s (I’m assuming Oracle Linux here, if you’re not on OL I guess you could point to the public repositories?).  

yum install oracle-ebs-server-R12-preinstall 


 

 

April 16, 2014

Password Reset Error

Filed under: 11i, Cloning, R12 — kkempf @ 12:31 pm

Just minding my business

I received an email saying the following error occurs in an 11i cloned instance.  Mind you, this is because we added users to the environment, and by rule Oracle requires them to change their password the first time they login so the password is different than what the system administrator assigned.

Internet Explorer error message:

jsp

 

I’ll spell out a few keywords to the search engines can index this one: AppsChangePassword.jsp java.lang.NoClassDefFoundError JSP Error

If you’re running Chrome, here’s your error message

 

 

 

 

That Was Supposed to be a Joke

From Chrome, I just got a white page, no error, no nothing.  I had to debug this from IE, which just pains me.  Oh yeah, I’m not supposed to use Chrome for Ebusiness suite, even though it works fine and I’ve been using it from a Linux desktop for 8 years now.  Incidentally, there’s a plug in for Chrome to make R12 work, it turns out it does work fine though I have some privacy concerns… you can find it here.

The Fix

First I tried to bounce apache, but that did nothing, so I opened an SR.  I think I found this fix on MOS before the analyst gave it to me, but it didn’t seem like a great fit based on the description in the doc so I didn’t do it until he told me to.  Hat tip to MOS and the ATG team, they identified a fix for an issue quickly and without asking me 10 irrelevant questions first.  Anyways, run this script

$JTF_TOP/admin/scripts/ojspCompile.pl –compile -s ‘AppsChangePassword.jsp’ –flush

Older Posts »

Theme: Silver is the New Black. Get a free blog at WordPress.com

Follow

Get every new post delivered to your Inbox.

Join 33 other followers