Kevin Kempf's Blog

April 28, 2015

Security Patch Releases with EBS: Mission Impossible

Filed under: R12.2, Security — kkempf @ 12:33 pm

Regression Test Time

We’re about to enter our first R12.2 regression test.  High on my list is to get to Delta 6 on the AD/TXK side, and since the security patches just came out I figured I’d get up to date there.  For pretty good reason, we’re still running 11.2.0.4 base, and it took me some time to get the ETCC (patch 17537119) happy that I’ve got all the required patches.

Per 1967243.1 I figured I’d start with the core database.  Now we have combo PSUs for database, OJVM, and GI, in addition to SPUs and stand-alone PSUs for each component.  It’s gotten complicated since I looked last!  The patches are all opatch installed; ideally I’d get the OJVM, SPU and PSU applied to the database home.

OJVM (20406239)

This is a documented problem on MOS.  Apparently, it’s not really cumulative, because I have to be on Oct 2014 or better security set to apply this.  Next.

The following make actions have failed :

Re-link fails on target “jox_refresh_knlopt ioracle”.

Do you want to proceed? [y|n]
n
User Responded with: N

PSU (20299013)

This one was even worse!

There are no patches that can be applied now.

Following patches have conflicts. Please contact Oracle Support and get the merged patch of the patches :
20488666, 20299013, 19791273, 19730032, 18260550, 17420796

Following patches are not required, as they are subset of the patches in Oracle Home or subset of the patches in the given list :
17811789, 19393542, 18828868, 18614015, 17892268, 17600719, 17468141, 16992075, 16929165

Following patches will be rolled back from Oracle Home on application of the patches in the given list :
20488666, 17811789, 19791273, 19730032, 19393542, 18260550, 18828868, 17420796, 18614015, 17892268, 17600719, 17468141, 16992075, 16929165

Conflicts/Supersets for each patch are:

Patch : 20299013

Bug Conflict with 20488666
Conflicting bugs are:
17912217 ETCC R12.2 requirement per 1594274.1

Bug Superset of 17811789
Super set bugs are:
17811789

Conflict with 19791273 ETCC R12.2 requirement per 1594274.1
Conflict details:
/u01/apptest/oracle/testdb/11.2.0.4/lib/libserver11.a:/ktsp.o
/u01/apptest/oracle/testdb/11.2.0.4/lib/libserver11.a:/kdc.o
/u01/apptest/oracle/testdb/11.2.0.4/lib/libserver11.a:/kdt.o
/u01/apptest/oracle/testdb/11.2.0.4/lib/libserver11.a:/ktsk.o
/u01/apptest/oracle/testdb/11.2.0.4/lib/libserver11.a:/ktsp.o
/u01/apptest/oracle/testdb/11.2.0.4/lib/libserver11.a:/ktsplb.o
/u01/apptest/oracle/testdb/11.2.0.4/lib/libserver11.a:/ktspsrch.o
/u01/apptest/oracle/testdb/11.2.0.4/lib/libserver11.a:/ktsp.o
/u01/apptest/oracle/testdb/11.2.0.4/lib/libserver11.a:/kdt.o
/u01/apptest/oracle/testdb/11.2.0.4/lib/libserver11.a:/ktsp.o

Bug Conflict with 19730032 ETCC R12.2 requirement per 1594274.1
Conflicting bugs are:
17174582,  18282562,  18244962,  17614134,  18674024,  17050888,  17478145,  18331850,  18964939,  17883081,  18436307

Bug Superset of 19393542
Super set bugs are:
19393542

Conflict with 18260550 ETCC R12.2 requirement per 1594274.1
Conflict details:
/u01/apptest/oracle/testdb/11.2.0.4/lib/libserver11.a:/kzd.o
/u01/apptest/oracle/testdb/11.2.0.4/lib/libserver11.a:/kzd.o

Bug Superset of 18828868
Super set bugs are:
18828868

Conflict with 17420796 ETCC R12.2 requirement per 1594274.1
Conflict details:
/u01/apptest/oracle/testdb/11.2.0.4/bin/lxinst

Bug Superset of 18614015
Super set bugs are:
18614015

Bug Superset of 17892268
Super set bugs are:
17892268

Bug Superset of 17600719
Super set bugs are:
17600719

Bug Superset of 17468141
Super set bugs are:
17468141

Bug Superset of 16992075
Super set bugs are:
16992075

Bug Superset of 16929165
Super set bugs are:
16929165

Security Patch Update 11.2.0.4.0 (20299015)

Surprise!

Conflicts/Supersets for each patch are:

Patch : 18203837

Conflict with 18260550 ETCC R12.2 requirement per 1594274.1
Conflict details:
/u01/apptest/oracle/testdb/11.2.0.4/lib/libserver11.a:/kzd.o

Patch : 19972566

Conflict with 18614015 ETCC R12.2 requirement per 1594274.1
Conflict details:
/u01/apptest/oracle/testdb/11.2.0.4/rdbms/admin/prvtutil.plb

Patch : 20506715

Conflict with 19730032 ETCC R12.2 requirement per 1594274.1
Conflict details:
/u01/apptest/oracle/testdb/11.2.0.4/lib/libgeneric11.a:/qcs.o

Patch : 20631274

Bug Superset of 17600719 ETCC R12.2 requirement per 1594274.1
Super set bugs are:
17600719

Following patches have conflicts: [   18260550   18203837   18614015   19972566   19730032   20506715 ]
Refer to My Oracle Support Note 1299688.1 for instructions on resolving patch conflicts.

Security or Compatibility: Why are these two at odds?

I’m trying to do the right thing, but Oracle is making it so hard to do that I’ve lost interest.  I don’t have a month to figure out what merged patches I need, what patch can go and what can stay. Why can’t there be a single note for EBS by version, with all patches for all components?  A database patch set which already deconflicted all the oddball ETCC requirements and delivered something which you could actually install out of the gate would make life much easier.

April 7, 2015

ADOP intelligent warnings, the ever-fluid recommended tech patches, and multiple versions of the truth

Filed under: R12.2 — kkempf @ 1:34 pm

So there I was..

Running adop phase=prepare in my production R12.2 environment, and I notice a warning on the screen and in the logs:

[WARNING]   The following required database bug fixes <19393542> are missing from this node, <database hostname>. Refer to My Oracle Support Knowledge Document 1594274.1 to identify the patch that delivers this bug fix.

This raises some questions:  How did adop know I needed a patch?  How serious is this?

Consolidated ≠ Updated

I went and pulled Consolidated List of Patches and Technology Bug Fixes (aka Doc ID 1594274.1) and it’s changed a bit since we went live.  Mind you, I expected to find patches in there we hadn’t applied as part of our go live; we locked our code last October before the upgrade.  What I didn’t expect was to find 14 patches on the database alone.  After some tedious cross checking of my inventory versus the document, I remembered checkDBpatch.sh (patch 17537119).

checkDBpatch.sh

Patch 17537119 is really cool. This little gem compares an .xml file in the patch with your inventory, and tells you what you’re missing.  Sweet!

$ unzip p17537119_R12_GENERIC.zip
Archive:  p17537119_R12_GENERIC.zip
inflating: README.txt
inflating: checkDBpatch.cmd
inflating: txk_R1220_DB_base_bugs.xml
inflating: checkDBpatch.sh
$ ./checkDBpatch.sh
+===============================================================+
|    Copyright (c) 2005, 2014 Oracle and/or its affiliates.     |
|                     All rights reserved.                      |
|               EBS Technology Codelevel Checker                |
+===============================================================+
Executing Technology Codelevel Checker version: 120.23
Enter ORACLE_HOME value : /u01/appprod/oracle/proddb/11.2.0.4
Is this a RAC environment [y/n] : n
Enter ORACLE_SID value : PROD
Bugfix XML file version: 120.0.12020000.20
Proceeding with the checks…
Getting the database release …
Setting database release to 11.2.0.4
DB connectivity successful.
Table to store Technology Codelevel Checker results exists in the database.
STARTED Pre-req Patch Testing : Tue Apr  7 14:29:20 EDT 2015
Log file for this session : ./checkDBpatch_6400.log
Got the list of bug fixes to be applied and the ones to be rolled back.
Checking against the given ORACLE_HOME
Opatch is at the required version.
Found patch records in the inventory.
All the required one-offs are not present in the given ORACLE_HOME
List of missing bug fixes:
14046443
14255128
16299727
16359751
17250794
17401353
18260550
18282562
18331812
18331850
18440047
18485835
18604144
18689530
18730542
18828868
19291380
19393542
19472320
19487147
19791273
19896336
19949371
** Please refer to MOS Doc ID “1594274.1:Oracle E-Business Suite Release 12.2: Consolidated List of Patches and Technology Bug Fixes” to find the corresponding patch that delivers the bug fix. If an overlay patch is needed for any particular patch listed, the footnote for that patch also applies to the overlay patch.**
Stored Technology Codelevel Checker results in the database successfully.
Apply the missing bug fixes and run the script again to confirm.
FINISHED Pre-req Patch Testing : Tue Apr  7 14:29:24 EDT 2015
=========================================================

One lies, one tells the truth

I realized that the output of checkDBpatch.sh did not agree with 1594274.1.  In fact, it contained more patches than 1594274.1.  I would have assumed they were aligned, and this is really confusing as a customer: Which one is the definitive source?

In the end, I went with the checkDBpatch.sh, since it was a superset of the information contained in the Consolidated List of Patches and Technology Bug Fixes.  Perhaps a name change is in order?
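
The cross-check described in this post, as an added example that is not part of the original post or of Oracle's checkDBpatch.sh: it reads the "List of missing bug fixes" section of a checker log in the format shown above, subtracts the inventory from a hand-transcribed list of the note's required fixes, and reports which source flags each missing fix. The function names, the file names, the one-bug-per-line format for the note and inventory lists, and every bug number are assumptions constructed for the example.

```bash
#!/usr/bin/env bash
# Added example, not part of checkDBpatch.sh. All bug numbers are constructed.

# Bug numbers listed under "List of missing bug fixes:" in a checker log.
checker_missing() {
  awk '/^List of missing bug fixes:/ { grab = 1; next }
       grab && /^[0-9]+[ \t]*$/ { print $1; next }
       grab { exit }' "$1" | LC_ALL=C sort -u
}

# One bug number per line; "#" comments, blanks and duplicates are dropped.
bug_list() {
  sed 's/#.*//' "$1" | awk '$1 ~ /^[0-9]+$/ { print $1 }' | LC_ALL=C sort -u
}

# reconcile LOG NOTE_REQUIRED INVENTORY_FIXED
# Prints "both N", "checker-only N" or "note-only N" per missing fix.
reconcile() {
  local tmp; tmp=$(mktemp -d)
  checker_missing "$1" > "$tmp/checker"
  bug_list "$2" > "$tmp/required"
  bug_list "$3" > "$tmp/fixed"
  # What the note says is still missing: required minus already fixed.
  LC_ALL=C comm -23 "$tmp/required" "$tmp/fixed" > "$tmp/note"
  LC_ALL=C comm -12 "$tmp/checker" "$tmp/note" | sed 's/^/both /'
  LC_ALL=C comm -23 "$tmp/checker" "$tmp/note" | sed 's/^/checker-only /'
  LC_ALL=C comm -13 "$tmp/checker" "$tmp/note" | sed 's/^/note-only /'
  rm -rf "$tmp"
}

# True only if every fix the note still requires is also flagged by the checker.
checker_is_superset() { [ -z "$(reconcile "$@" | grep '^note-only ')" ]; }

# --- constructed sample input (log lines follow the format shown in the post) ---
demo=$(mktemp -d)
cat > "$demo/checkDBpatch.log" <<'EOF'
Found patch records in the inventory.
List of missing bug fixes:
90000002
90000003
90000005
** Please refer to MOS Doc ID (text shortened) **
EOF
printf '%s\n' '90000001  # copied from the note' 90000002 90000003 > "$demo/note.txt"
printf '%s\n' 90000001 90000004 > "$demo/inventory.txt"

reconcile "$demo/checkDBpatch.log" "$demo/note.txt" "$demo/inventory.txt"
checker_is_superset "$demo/checkDBpatch.log" "$demo/note.txt" "$demo/inventory.txt" \
  && echo "checker list is a superset of the note"
```

Any `note-only` line means the checker is not a superset of the note, so the note's entry needs to be tracked separately rather than assumed covered.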
