FNDCPASS doesn’t always use the SYSTEM password

FNDCPASS does not check the system password when used to change an applications user account. We can check this with a simple test.

First, we’ll change the SYSTEM password to the default value “manager”:

[code language=”plain”][applmgr@appsrv01 ~]$ sqlplus system

SQL*Plus: Release 8.0.6.0.0 – Production on Thu Apr 23 13:10:17 2009

(c) Copyright 1999 Oracle Corporation. All rights reserved.

Enter password:

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 – Production
With the Partitioning, OLAP and Data Mining Scoring Engine options

SQL> alter user system identified by manager;

User altered.

SQL> exit
Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 – Production
With the Partitioning, OLAP and Data Mining Scoring Engine options
[applmgr@appsrv01 ~]$ [/code]

Next, we’ll use FNDCPASS to change the SYSADMIN application password using an incorrect value for the SYSTEM password:

[code language=”plain”][applmgr@appsrv01 ~]$ FNDCPASS apps/apps 0 Y system/badpassword USER SYSADMIN sysadmin
Log filename : L4203491.log

Report filename : O4203491.out[/code]

If we cat the log file, we can see the password change was successful:

[code language=”plain”][applmgr@appsrv01 ~]$ cat L4203491.log
+—————————————————————————+
Application Object Library: Version : 11.5.0

Copyright (c) 1979, 1999, Oracle Corporation. All rights reserved.

module:
+—————————————————————————+

Current system time is 23-APR-2009 13:11:39

+—————————————————————————+

+—————————————————————————+
Concurrent request completed successfully
Current system time is 23-APR-2009 13:11:39

+—————————————————————————+
[/code]

Next, we’ll try to change the GL schema password using the same incorrect SYSTEM password:

[code language=”plain”][applmgr@appsrv01 ~]$ FNDCPASS apps/apps 0 Y system/badpassword ORACLE GL gl

Log filename : L4203493.log

Report filename : O4203493.out[/code]

This time, the log shows failure because of an inability to connect as SYSTEM:

[code language=”plain”][applmgr@appsrv01 ~]$ cat L4203493.log
+—————————————————————————+
Application Object Library: Version : 11.5.0

Copyright (c) 1979, 1999, Oracle Corporation. All rights reserved.

module:
+—————————————————————————+

Current system time is 23-APR-2009 13:12:15

+—————————————————————————+

SECURITY-UNABLE TO CONNECT TO SYSTEM
APP-FND-01564: ORACLE error 1403 in changepassword

Cause: changepassword failed due to ORA-01403: no data found.

The SQL statement being executed at the time of the error was: and was executed from the file &ERRFILE.

+—————————————————————————+
Concurrent request completed
Current system time is 23-APR-2009 13:12:15

+—————————————————————————+
[/code]

It appears that FNDCPASS only uses the SYSTEM password when changing a database account, which makes sense, since only the APPS password is required to execute FND_WEB_SEC and change a password in FND_USER.