Steps to Re-configure Oracle Fusion Middleware 11.1.1.9 Components for Oracle E-Business Suite specially after clone

 

Overview

OPMN will log the following errors when attempting to start the patched opmn process with a default MD5withRSA signed certificate:

[opmn] [ERROR:1] [] [ons-secure] Connection server SSL set credentials failed (43084)
[opmn] [ERROR:1] [222] [ons-secure] SSL initialization failed

Generating and Deploying a New Wallet for TLS Enabled Release 12.2 Environments


Log in as the user that owns the application tier installation (this is usually applmgr or oracle).

Source the run file system environment and the $FMW_HOME/SetWebtier.env file.
  • $ source <EBS base install directory>/EBSapps.env run
  • $ source $FMW_HOME/SetWebtier.env
For a new Oracle E-Business Suite Release 12.2 installation, all steps must be performed on the run edition file system, which is sourced by running the following command:
  • $ source <EBS base install directory>/fs1/EBSapps/appl/APPS<CONTEXT_NAME>.env

Set an alias for the correct orapki.
  • $ alias orapki=$FMW_HOME/oracle_common/bin/orapki

Create a new wallet with an acceptable self-signed certificate in $HOME/ss. For example:


$ mkdir ~/ss
$ cd ~/ss
$ orapki wallet create -wallet ./ -auto_login_only
$ orapki wallet add -wallet . -dn "CN=FMWSmallCircleOfTrust" -asym_alg RSA -keysize 2048 -sign_alg sha256 -self_signed -validity 3652 -auto_login_only
$ orapki wallet display -wallet .


The last command (orapki wallet display -wallet .) allows you to verify that the wallet was properly created.

Find the instanceName of this environment and save in an environment variable for later use.


tr < $CONTEXT_FILE '<>' '  ' | awk '/"s_ohs_instance"/ {print $(NF-1)}'
EBS_web_OHS1
iName=$(tr < $CONTEXT_FILE '<>' '  ' | awk '/"s_ohs_instance"/ {print $(NF-1)}' )
cd $FMW_HOME/webtier/instances/$iName
Find the default wallets used by this instance.
find . -name cwallet.sso | fgrep -v /webgate/
./config/OPMN/opmn/wallet/cwallet.sso
./config/OHS/EBS_web/proxy-wallet/cwallet.sso
./config/OHS/EBS_web/keystores/default/cwallet.sso
Verify that each wallet only contains the self-signed certificate.
find . -name cwallet.sso | fgrep -v /webgate/ | while read w ; do echo -e "\n$w"; orapki wallet display -nologo -wallet $w ; done
If it is a default wallet, each wallet should list one "User Certificate" and an identical "Trusted Certificate", as shown in the following example:
./config/OPMN/opmn/wallet/cwallet.sso
Requested Certificates:
User Certificates:
Subject: CN=Self-Signed Certificate for EBS_web_OHS1\20,OU=OAS,O=ORACLE,L=REDWOODSHORES,ST=CA,C=US
Trusted Certificates:
Subject: CN=Self-Signed Certificate for EBS_web_OHS1\20,OU=OAS,O=ORACLE,L=REDWOODSHORES,ST=CA,C=US

Note: If a wallet is not a default wallet, make a backup copy of that wallet before proceeding.
Copy the new SHA-256 signed wallet to all default wallet locations.

find . -name cwallet.sso | fgrep -v /webgate/ | while read w ; do echo $w; cp -p ~/ss/cwallet.sso $w ; done
You have now copied the new self-signed wallet to the default locations in the run file system. This avoids modifying the OPMN and OHS configuration files to point to a different wallet (or wallet directory).
Prepare to make the changes to the patch file system by modifying adop_sync.drv located under $APPL_TOP_NE/ad/custom to include the following:
#Oracle HTTP Server Wallet - cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/keystores/default/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/keystores/default/cwallet.sso
#OPMN Wallet - cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OPMN/opmn/wallet/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OPMN/opmn/wallet/cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/proxy-wallet/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/proxy-wallet/cwallet.sso

The changes will be propagated to the patch file system when you perform the steps in Section 3 during the prepare phase (adop phase=prepare) of online patching and will take effect after a successful cutover (adop phase=cutover).


After this procedure is complete, do not remove or alter the updated adop_sync.drv file.


To use the Oracle Fusion Middleware Control Enterprise Manager (EM) Console at http://<app01>:7001/em to manage OHS, you may have to re-register OHS and its new certificate with Fusion Middleware Control. This must be done on both the run and patch file systems.


To use the Oracle Fusion Middleware Control Enterprise Manager (EM) Console at http://<app01>:7001/em to manage OHS, you may have to re-register OHS and its new certificate with Fusion Middleware Control. This must be done on both the run and patch file systems.





If you have determined that OHS reports as down in the Oracle Fusion Middleware EM Console, perform these steps to re-register OHS

a. Obtain the host, port, and user name variables for WLS Admin from CONTEXT_FILE:

aHost=$( tr < $CONTEXT_FILE '<>' '  ' | awk '/"s_wls_admin_host"/ {print $(NF-1)}' )
aPort=$( tr < $CONTEXT_FILE '<>' '  ' | awk '/"s_wls_adminport"/ {print $(NF-1)}' )
aUser=$( tr < $CONTEXT_FILE '<>' '  ' | awk '/"s_wls_admin_user"/ {print $(NF-1)}' )


b. Re-register OHS using the following commands:

cd $FMW_HOME/webtier/instances/$iName/bin
./opmnctl unregisterinstance -adminHost $aHost -adminPort $aPort -adminUsername $aUser -instanceName $iName
./opmnctl registerinstance -adminHost $aHost -adminPort $aPort -adminUsername $aUser




For reference Oracle Metalink Doc ID:  2555355.1

Comments

Post a Comment

Popular posts from this blog

How to fix Oracle SQL Developer connection issue "Got minus one from a read call"

Image
 During connection from SQL Developer to EBS database got below error message: Status : Failure - Test failed: IO Error: Got minus one from a read call Following solution can be done : 1. Go to directory $ORACLE_HOME / network / admin 2. Modify sqlnet.ora file with following parameter : tcp.validnode_checking = no 3. If you don 't want to disable this, you can put the machine names as follows: tcp.invited_nodes=(machine1, machine2) 3. Bounce the listener. Due to security enhancements it is not good to put tcp.validnode_checking = no or comment out will through error when we start listener like below: Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=shsebs7idb1.appsolworld.com)(PORT=1522))) TNS-00584: Valid node checking configuration error TNS-12560: TNS:protocol adapter error Better plan is to add localhost or IP address of client (Local Computer) in the sqlnet.ora file That will solve the problem NAMES.DIRECTORY_PATH=(TNSNAMES, ONAMES, HOSTNAME) SQLNET.EXPI
Read more

How to troubleshoot Long Running Concurrent Request in EBS 12.2

 The following points need to answer before jumping into troubleshooting: Are there any recent code changes done in the concurrent program?           Check long_running_sid and verify the recent code change of last_ddl_timestamp after a             discussion with the developer. Was this running long in the last few run as well, or was this time only?            ==> Check the program history. How much time does it take to complete?           Once again program history can give us some idea. Are these jobs fetching higher data compared to the last run           ===> Confirm on data change . Query Plan change will indicate this issue. Does this job runs at any specific time or it can be run anytime           ===> The nature of the job can help to understand the job's nature. Does this job fetch data using DB Link          ====> Check whether the DB link is involved or not. The below-given approach would help to conclude the gray areas. Check the load of the server using t
Read more

How to drop index and before dropping it how to get the DDL.

  Oracle DROP INDEX statement DROP INDEX [schema_name.]index_name; DECLARE index_count INTEGER; BEGIN SELECT COUNT(*) INTO index_count FROM USER_INDEXES WHERE INDEX_NAME = 'index_name' ; IF index_count > 0 THEN EXECUTE IMMEDIATE 'DROP INDEX index_name' ; END IF; END; / In case want to check whether index exists and then delete it. If try to drop a non-existing, you will get the following error: SQL Error : ORA -01418 : specified index does not exist In SQLplus, set these before running the commands set long 100000 set longchunksize 100000 select DBMS_METADATA.GET_DDL( 'INDEX' , 'index_name') from all_indexes where owner in ( USER , 'USER_OTHER_THAN_LOGGED_IN_USER' ); Use below script to fetch metadata other information. SELECT DBMS_METADATA,GET_GRANTED_DDL('SYSTEM_GRANT','SSO******') from dual;
Read more

How to autopopulate user_guid in fnd_user table ( EBS Blank Page)

  Issue:  EBS Local Login url is working fine. When accessing sso url, users are getting error as below appended to the url. And login page will be blank. One of the reason could be : OAM Authentication is fine but during authorization process, OAM is unable to map guid from oid to user_guid in fnd_user. This can be due to user_guid being null in fnd_user table. As per the process, when user logins for the first time, user_guid need to be populated automatically (from oid) Query guid from oid and update fnd_user table with that. ldapsearch -h oidhost.appsolworld.com -p 3060 -D "cn=orcladmin" -w orcladmpwd -b "cn=Users,dc=dc,dc=online,dc=org" -s sub "(uid=$1)" orclsamaccountname krbprincipalname mail orcluserprincipalname orclguid Pass userid to this command which gives guid along with other details. Update fnd_user table with above guid : update fnd_user  set user_guid=' ' where user_name like ' '; Solution:  As per the process,  when user
Read more

Opatch is getting faild for GI patch with error code 2 while doing prereq

OPatch failed with error code 2  When checked the patch conflict for a patch, got below error. ]$opatch prereq CheckConflictAgainstOHWithDetail -ph ./ Oracle Interim Patch Installer version 12.2.0.1.29 Copyright (c) 2020, Oracle Corporation.  All rights reserved. PREREQ session Oracle Home       : /u01/oracle/product/19.0.0.0 Central Inventory : /u01/oracle/oraInventory    from           : /u01/oracle/product/19.0.0.0/oraInst.loc OPatch version    : 12.2.0.1.29 OUI version       : 12.2.0.1.4 Log file location : /oragrid/orahome/product/19.3.0/cfgtoollogs/opatchauto/core/opatch/opatch2023-12-22_09-37-15AM_1.log Invoking prereq "checkconflictagainstohwithdetail" Prereq "checkConflictAgainstOHWithDetail" is not executed. The details are: Unable to create Patch Object. Exception occured : /orastage/OCT23_GRID_CPU/35642822/33575402/etc/config/actions.xml with Version field of the component "delete" in actions file cannot be <null> or empty. Please check p
Read more

Few Important steps of Oracle Database Clone

 Make Sure oraInst.loc location is correct and accessble. [demantra@dsiddem ~]$ cat /etc/oraInst.loc inventory_loc=/orastage/oraInventory inst_group=dba [demantra@dsiddem ~]$ cd /orastage/oraInventory [demantra@dsiddem oraInventory]$ ls -ltr total 16 drwxrwx---. 5 demantra dba 4096 Jul 22 19:37 backup drwxrwx---. 2 demantra dba 4096 Jul 22 19:37 ContentsXML drwxrwx---. 2 demantra dba 4096 Jul 22 19:37 locks drwxrwx---. 3 demantra dba 4096 Jul 23 10:08 logs Remove Oracle Home from Inventory [demantra@dsiddem oraInventory]$ cd $ORACLE_HOME/oui/bin [demantra@dsiddem bin]$ ./runInstaller -detachHome ORACLE_HOME=$ORACLE_HOME Starting Oracle Universal Installer... Checking swap space: must be greater than 500 MB.   Actual 3039 MB    Passed The inventory pointer is located at /etc/oraInst.loc Run Clone.pl [demantra@dsiddem bin]$ echo $ORACLE_HOME /dnbsid/demantra/oracle/19.0.0 [demantra@dsiddem bin]$ echo $ORACLE_BASE /dnbsid/demantra [demantra@dsiddem bin]$ E01=ORACLE_HOME=$ORACLE_HOME [dema
Read more

How to Check AD and TXK code levels in your EBS environment

Below query can be used in finding out current AD and TXK code levels.  [ap******@shsd*** 22989949]$ sqlplus apps SQL*Plus: Release 10.1.0.5.0 - Production on Fri Sep 30 01:00:25 2022 Copyright (c) 1982, 2005, Oracle.  All rights reserved. Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production SQL> col ABBREVIATION for a10 set lines 1000 col NAME for a50 col CODELEVEL for a20 SELECT ABBREVIATION,NAME,codelevel FROM AD_TRACKABLE_ENTITIES WHERE abbreviation in ('txk','ad');SQL> SQL> SQL> SQL> ABBREVIATI NAME                                               CODELEVEL ---------- -------------------------------------------------- -------------------- ad         Oracle Applications DBA                            C.13 txk        Oracle Applications Technology Stack               C.13 Check fwk in r12.2 select abbreviation ,codelevel from ad_trackable_entities where abbreviation in( 'fwk') order by abbreviation; SELECT codelevel
Read more

The Server is not able to service this request: [Socket:000445]Connection rejected, filter blocked Socket, weblogic.security.net.FilterException

Image
  Connection Filters allow one to deny access to UNWANTED Connections at the network level. Connection Filters can be used to protect server resources on individual servers, server clusters, or an entire internal network or Intranet. Connection filters are particularly useful when using the Administration port. Depending on the network firewall configuration, it may be possible to use a connection filter to further restrict administration access. A typical use might be to restrict access to the Administration port to only the servers and machines in the domain. WebLogic Server provides a default connection filter called  weblogic.security.net.ConnectionFilterImpl . This default connection filter accepts all incoming connections except the ones defined in the Administration Console as a Connection filter rule. Custom connection filters may be written  by implementing the classes in the weblogic.security.net package. This post will demonstrate the steps to configure Weblogic Connection F
Read more

PRVG-11250 : The check "RPM Package Manager database" was not performed because

Following message reported from cluvfy while performing pre-requisite for Clusterware Installation:  Verifying RPM Package Manager database ...INFORMATION PRVG-11250 : The check "RPM Package Manager database" was not performed because it needs 'root' user privileges. SOLUTION Execute runcluvfy manually with "-method root" option and enter root password when prompted : Example: $/runcluvfy.sh stage -pre crsinst -n <HOSTNAME1>,<HOSTNAME2> -method root Enter "ROOT" password: For reference metalink doc id :  2548970.1
Read more

CPU Patch Analysis

 Oracle CPU patch analysis Identifying the Latest Critical Patch Update for Oracle E-Business Suite Release 12.2 (Doc ID 2484000.1) Database Quick-Link If you only care about the database patches, this MOS note steps you through really easily. Assistant: Download Reference for Oracle Database/GI Update, Revision, PSU, SPU(CPU), Bundle Patches, Patch sets and Base Releases (Doc ID 2118136.2) https://www.oracle.com/security-alerts/ Critical Patch Updates Critical Patch Updates provide security patches for supported Oracle on-premises products. They are available to customers with valid support contracts. Starting in April 2022, Critical Patch Updates are released on the third Tuesday of January, April, July, and October (They were previously published on the Tuesday closest to the 17th day of January, April, July, and October). The next four dates are: 16 April 2024 16 July 2024 15 October 2024 21 January 2025 A pre-release announcement will be published on the Thursday preceding each Cr
Read more