FNDCPASS doesn’t always use the SYSTEM password
Author: Chuck Edwards | 4 min read | April 21, 2009
FNDCPASS is a command line utility used in Oracle Applications (Oracle E-Business Suite) for changing user and schema passwords. It is one of two command line utilities (along with AFPASSWD) used for this purpose. These utilities are essential for managing user passwords, schema passwords, and system schema passwords in Oracle E-Business Suite environments.
FNDCPASS does not check the SYSTEM password when it is used to change an application user's password. We can confirm this with a simple test.
First, we’ll change the SYSTEM password to the default value “manager”:
[applmgr@appsrv01 ~]$ sqlplus system
SQL*Plus: Release 8.0.6.0.0 - Production on Thu Apr 23 13:10:17 2009
(c) Copyright 1999 Oracle Corporation. All rights reserved.
Enter password:
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Production
With the Partitioning, OLAP and Data Mining Scoring Engine options
SQL> alter user system identified by manager;
User altered.
SQL> exit
Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Production
With the Partitioning, OLAP and Data Mining Scoring Engine options
[applmgr@appsrv01 ~]$
The SYSTEM password is a system schema password. Changing passwords for system schemas or application schemas (such as APPLSYS, APPS, GL) requires different tokens and procedures, and may involve the use of the SYSTEM token, ORACLE token, or USER token depending on the type of account.
Next, we’ll use FNDCPASS to change the SYSADMIN application password using an incorrect value for the SYSTEM password:
[applmgr@appsrv01 ~]$ FNDCPASS apps/apps 0 Y system/badpassword USER SYSADMIN sysadmin
Log filename : L4203491.log
Report filename : O4203491.out
In this command, the ‘USER’ token selects a user operation: it changes the password of an Oracle Applications user such as SYSADMIN. The FNDCPASS utility updates the password registered for that user in the system.
If we cat the log file, we can see the password change was successful:
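[applmgr@appsrv01 ~]$ cat L4203491.log
+---------------------------------------------------------------------------+
Application Object Library: Version : 11.5.0
Copyright (c) 1979, 1999, Oracle Corporation. All rights reserved.
module:
+---------------------------------------------------------------------------+
Current system time is 23-APR-2009 13:11:39
+---------------------------------------------------------------------------+
+---------------------------------------------------------------------------+
Concurrent request completed successfully
Current system time is 23-APR-2009 13:11:39
+---------------------------------------------------------------------------+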
FNDCPASS re-registers the password in the Oracle Applications tables, ensuring synchronization across apps schemas and system schemas.
Next, we’ll try to change the GL schema password using the same incorrect SYSTEM password:
[applmgr@appsrv01 ~]$ FNDCPASS apps/apps 0 Y system/badpassword ORACLE GL gl
Log filename : L4203493.log
Report filename : O4203493.out
Here, the GL password is an example of an application schema password, and the ORACLE token is used for changing the passwords of Oracle users or schemas.
This time, the log shows failure because of an inability to connect as SYSTEM:
[applmgr@appsrv01 ~]$ cat L4203493.log
+---------------------------------------------------------------------------+
Application Object Library: Version : 11.5.0
Copyright (c) 1979, 1999, Oracle Corporation. All rights reserved.
module:
+---------------------------------------------------------------------------+
Current system time is 23-APR-2009 13:12:15
+---------------------------------------------------------------------------+
SECURITY-UNABLE TO CONNECT TO SYSTEM
APP-FND-01564: ORACLE error 1403 in changepassword
Cause: changepassword failed due to ORA-01403: no data found.
The SQL statement being executed at the time of the error was: and was executed from the file &ERRFILE.
+---------------------------------------------------------------------------+
Concurrent request completed
Current system time is 23-APR-2009 13:12:15
+---------------------------------------------------------------------------+
It appears that FNDCPASS only uses the SYSTEM password when changing a database account, which makes sense, since only the APPS password is required to execute FND_WEB_SEC and change a password in FND_USER.
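The failed run above still ends with "Concurrent request completed", so a wrapper script has to look for the error lines and for the word "successfully". The following is an added example, not part of the original post or of Oracle's tooling: the function name `fndcpass_log_status` is hypothetical, and the sample logs are constructed by abbreviating the two logs shown above.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether an FNDCPASS
# run succeeded by reading its log. Marker strings come from the two logs
# shown in the post.

# fndcpass_log_status LOGFILE -> prints "ok" or "failed: <reason>"
fndcpass_log_status() {
    log=$1
    if [ ! -r "$log" ]; then
        echo "failed: cannot read $log"
        return 1
    fi
    # A SECURITY- or APP-FND-nnnnn line means the change was rejected, even
    # though the log still ends with "Concurrent request completed".
    err=$(grep -E '^[[:space:]]*(SECURITY-|APP-FND-[0-9])' "$log" | head -n 1)
    if [ -n "$err" ]; then
        echo "failed: $err"
        return 1
    fi
    # Only a successful run carries the word "successfully".
    if grep -q 'Concurrent request completed successfully' "$log"; then
        echo "ok"
        return 0
    fi
    echo "failed: no success marker found"
    return 1
}

# Constructed sample logs, abbreviated from the output shown in the post.
sample_dir=$(mktemp -d)
cat > "$sample_dir/user_change.log" <<'EOF'
Application Object Library: Version : 11.5.0
Current system time is 23-APR-2009 13:11:39
Concurrent request completed successfully
EOF
cat > "$sample_dir/schema_change.log" <<'EOF'
Application Object Library: Version : 11.5.0
SECURITY-UNABLE TO CONNECT TO SYSTEM
APP-FND-01564: ORACLE error 1403 in changepassword
Cause: changepassword failed due to ORA-01403: no data found.
Concurrent request completed
EOF

fndcpass_log_status "$sample_dir/user_change.log"
fndcpass_log_status "$sample_dir/schema_change.log" || true
```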
Changing passwords for Oracle database accounts (such as SYSTEM, SYS, and other Oracle database accounts) may require the use of the ALTER USER SQL statement. Case-sensitive and mixed-case passwords are supported if the initialization parameter SEC_CASE_SENSITIVE_LOGON is enabled.
For enhanced security, Oracle E-Business Suite supports a password hashing scheme, and the APPLSYSPUB password must always be in uppercase.
After changing schema passwords, it is necessary to update the context variable and run AutoConfig to synchronize application tier files and application tier services, including the WLS data source and other application tier services.
After password changes, it is important to update the WLS data source and test the data source connection in the WLS administration console (navigating via the domain structure tree to the JDBC data sources page). Use the console's test data source feature to verify connectivity.
In multi apps schema installations or environments with a primary node and run/patch file system, password changes must be synchronized across all nodes and file systems.
The FNDCPASS utility can be used in system mode (using the SYSTEM token) to change the same password for multiple schemas, and above Oracle users in the hierarchy may require special attention.
Database administrators and application administrators should coordinate to ensure all passwords required for Oracle Applications are updated and registered correctly. User vision and expand services may require additional configuration steps.