Oracle E-Business Suite provides two command line utilities, FNDCPASS and AFPASSWD, for setting Oracle E-Business Suite schema passwords. These utilities change the password registered in Oracle E-Business Suite tables and the schema password in the database. The utilities can also be used to change user passwords.
Several important considerations apply:
The Oracle E-Business Suite system must be shut down before you change a system schema (APPLSYS, APPS, APPS_NE) password.
It is recommended that the FND_USER and FND_ORACLE_USERID tables are backed up before system passwords are changed. Remove the backups after you have confirmed that the changes are successfully completed.
After changing a system schema password with either FNDCPASS or AFPASSWD, you should run AutoConfig to synchronize the application tier files.
If you are changing the APPLSYSPUB password using either FNDCPASS or AFPASSWD, you must change the value for the context variable s_gwyuid_pass and then run AutoConfig.
In Oracle E-Business Suite Release 12.2.3 and later, you can also use the AFPASSWD utility to migrate Oracle E-Business Suite user passwords to a non-reversible hash password scheme.
Important: Although still supported for backwards compatibility, FNDCPASS is a legacy tool. Entering passwords on the command line may be a security risk. Oracle recommends that all customers transition as soon as they can to its successor, AFPASSWD, for which no passwords are entered on the command line.
The FNDCPASS utility can be used to change various types of passwords.
Type 2 - Passwords for schemas that are used by shared components of Oracle E-Business Suite (APPLSYS, APPS, APPS_NE); also referred to as system passwords
Type 3 - Passwords for schemas that are provided by individual products within Oracle E-Business Suite
Note: You should always run AutoConfig after changing any system (type 2) password.
Here, all application tier services must first be shut down using the command $INST_TOP/admin/scripts/adstpall.sh. SYSTEM mode changes the APPS and APPS_NE passwords as well as the APPLSYS password, and thereby keeps them all synchronized.
Use this command to change passwords for schemas that are used by shared components of Oracle E-Business Suite:
FNDCPASS <logon> 0 Y <SYSTEM username>/<SYSTEM password> SYSTEM <username> <new_password>
Use the above command with the following arguments. When specifying the SYSTEM token, FNDCPASS expects the next arguments to be the APPLSYS user name and the new password.
| Argument | Description |
|---|---|
| logon | The Oracle user name. Note: You can provide just the Oracle user name and FNDCPASS will prompt you for the password. Alternatively, you can provide the <username>/<password> pair. |
| system/password | The user name and password for the SYSTEM DBA account. |
| username | The APPLSYS user name. For example, 'applsys'. |
| new_password | The new password. |
This command does the following:
Verifies the current APPLSYS password.
Re-registers password in Oracle E-Business Suite.
Changes the APPLSYS, APPS_NE, and all APPS passwords (for multi-APPS schema installations) to the same password.
ALTER USER is executed to change the ORACLE password for the above ORACLE users.
For example, the following command changes the APPLSYS password:
FNDCPASS <APPS username> 0 Y <SYSTEM username>/<SYSTEM password> SYSTEM APPLSYS <new_password>
After changing the APPLSYS password, you must also perform the steps listed in Important Additional Instructions to Update WLS Data Source.
You will then need to run AutoConfig (adautocfg.sh) using <new_password> as the APPS password, and finally restart application tier services using the command $INST_TOP/admin/scripts/adstrtal.sh.
Tip: For assistance in resolving any issues, refer to My Oracle Support Knowledge Document 1306938.1, FNDCPASS Troubleshooting Guide For Login and Changing Applications Passwords.
Use this command to change the password of a schema provided by an individual product in Oracle E-Business Suite:
FNDCPASS <logon> 0 Y <SYSTEM username>/<SYSTEM password> ORACLE <username> <new_password>
Use the above command with the following arguments. When specifying the ORACLE token, FNDCPASS expects the next arguments to be an ORACLE user name and the new password.
| Argument | Description |
|---|---|
| logon | The Oracle user name. Note: You can provide just the Oracle user name, and the system will prompt you for the password. Alternatively, you can provide the <username>/<password> pair. |
| <SYSTEM username>/<SYSTEM password> | The user name and password for the SYSTEM DBA account. |
| username | The Oracle user name. For example, 'GL'. |
| new_password | The new password. |
For example, the following command changes the GL user password:
FNDCPASS <APPS username> 0 Y <SYSTEM username>/<SYSTEM password> ORACLE GL <new_password>
ORACLE Password:
Note: The program prompts the user for the APPS password in the above example.
Use this command to change the passwords of all schemas provided by Oracle Application products that are registered as base product schemas in the FND_ORACLE_USERID table:
FNDCPASS <logon> 0 Y <SYSTEM username>/<SYSTEM password> ALLORACLE <new_password>
Use the above command with the following arguments. When specifying the ALLORACLE token, FNDCPASS expects the next argument to be the new password.
| Argument | Description |
|---|---|
| logon | The Oracle user name. Note: You can provide just the Oracle user name, and the system will prompt you for the password. Alternatively, you can provide the <username>/<password> pair. |
| <SYSTEM username>/<SYSTEM password> | The user name and password for the SYSTEM DBA account. |
| new_password | The new password. |
For example, the following command changes all ORACLE schema passwords:
FNDCPASS <APPS username> 0 Y <SYSTEM username>/<SYSTEM password> ALLORACLE <new_password>
ORACLE Password:
Note: The program prompts the user for the APPS password in the above example.
You can use this command to change an individual Oracle E-Business Suite user's password:
FNDCPASS <logon> 0 Y <SYSTEM username>/<SYSTEM password> USER <username> <new_password>
Use the above command with the following arguments. When specifying the USER token, FNDCPASS expects the next arguments to be an Oracle E-Business Suite user name and the new password.
| Argument | Description |
|---|---|
| logon | The Oracle user name. Note: You can provide just the Oracle user name, and the system will prompt you for the password. Alternatively, you can provide the <username>/<password> pair. |
| <SYSTEM username>/<SYSTEM password> | The user name and password for the System DBA account. |
| username | The Oracle E-Business Suite user name. For example, 'VISION'. |
| new_password | The new password. |
For example, if you were changing the password for the user VISION, you would use the following command:
FNDCPASS <APPS username> 0 Y <SYSTEM username>/<SYSTEM password> USER VISION <new_password>
ORACLE Password:
Note: The system prompts the user for the APPS password in the above example.
FNDCPASS prompts the user for the APPS user password if it is not given on the command line.
You can choose not to give the APPS password in the same command, as in the following example.
FNDCPASS APPS 0 Y <SYSTEM username>/<SYSTEM password> USER operations <password>
ORACLE Password:
Here the APPS password is not provided on the command line, but instead you are prompted for it.
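Passwords passed to FNDCPASS as arguments remain in shell history and are visible in process listings while the command runs. The following is an added example, not part of the Oracle documentation: it audits shell history lines for FNDCPASS calls using the argument positions described above and redacts the secrets before reporting them. The sample history lines, the path in them, and every password shown are constructed.

```python
import shlex

MASK = "********"
# FNDCPASS mode tokens from this page -> number of arguments after the token;
# the last of those arguments is always the new password.
MODE_ARGS = {"SYSTEM": 2, "ORACLE": 2, "ALLORACLE": 1, "USER": 2}


def audit_line(line):
    """Return (exposed, redacted_line) for an FNDCPASS call, else None.

    Positions follow the documented syntax:
    FNDCPASS <logon> 0 Y <SYSTEM username>/<SYSTEM password> <MODE> ...
    """
    try:
        tokens = shlex.split(line)
    except ValueError:  # unbalanced quotes: fall back to whitespace splitting
        tokens = line.split()
    # The utility may be called by bare name or by full path.
    start = next((i for i, t in enumerate(tokens)
                  if t.rsplit("/", 1)[-1] == "FNDCPASS"), None)
    if start is None:
        return None
    args = tokens[start + 1:]
    exposed = []

    def mask_pair(pos, label):
        # <username>/<password>: keep the user name, hide the password.
        if pos < len(args) and "/" in args[pos]:
            user, secret = args[pos].split("/", 1)
            if secret:
                args[pos] = user + "/" + MASK
                exposed.append(label)

    mask_pair(0, "logon password")
    mask_pair(3, "SYSTEM password")
    if len(args) > 4:
        count = MODE_ARGS.get(args[4].upper())
        if count is not None and len(args) > 4 + count:
            args[4 + count] = MASK
            exposed.append("new password")
    return exposed, " ".join(tokens[:start + 1] + args)


def scan(lines):
    """Return (line_number, exposed, redacted_line) for each risky call."""
    findings = []
    for number, line in enumerate(lines, start=1):
        result = audit_line(line)
        if result and result[0]:
            findings.append((number, result[0], result[1]))
    return findings


# Constructed sample input; none of these values come from a real system.
SAMPLE_HISTORY = [
    "cd $INST_TOP/admin/scripts",
    "FNDCPASS apps/AppsPw1 0 Y system/SysPw1 SYSTEM APPLSYS NEWPW1",
    "FNDCPASS apps 0 Y system/SysPw1 USER VISION Welcome1",
    "$FND_TOP/bin/FNDCPASS apps 0 Y system/SysPw1 ALLORACLE PRODPW1",
    "AFPASSWD -c apps@EBSDB -s APPLSYS",
]

if __name__ == "__main__":
    for number, exposed, redacted in scan(SAMPLE_HISTORY):
        print(f"line {number}: {', '.join(exposed)} -> {redacted}")
```

Even when the logon password is left to the prompt, the documented FNDCPASS syntax still places the SYSTEM password and the new password on the command line, which is why every FNDCPASS call in the sample is reported.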
AFPASSWD is an enhanced version of FNDCPASS and includes the following features:
AFPASSWD only prompts for passwords required for the current operation, allowing separation of duties between applications administrators and database administrators. This also improves interoperability with Oracle Database Vault. In contrast, the FNDCPASS utility currently requires specification of the APPS and the SYSTEM user names and corresponding passwords, preventing separation of duties between applications administrators and database administrators.
As AFPASSWD prompts for all required passwords, it avoids the security risk incurred by entering passwords on the command line for FNDCPASS.
When changing a password with AFPASSWD, the user is prompted to enter the new password twice to confirm.
If you have not already done so, you should use the AFPASSWD utility to migrate Oracle E-Business Suite user passwords to a non-reversible hash password scheme.
FNDCPASS will continue to be shipped with Oracle E-Business Suite for use in changing passwords, and customers can switch to the AFPASSWD utility for this purpose at their discretion. However, note that as of Release 12.2.3, the USERMIGRATE mode of FNDCPASS described in My Oracle Support Knowledge Document 457166.1, FNDCPASS Utility New Feature: Enhance Security With Non-Reversible Hash Password is deprecated. You should now use AFPASSWD to migrate to a password hashing scheme.
Note: You should always run AutoConfig after changing any system (type 2) password.
The AFPASSWD command is used with the relevant command line options to perform the desired action.
AFPASSWD [-c <APPSUSER>[@<TWO_TASK>]] -f <FNDUSER>
AFPASSWD [-c <APPSUSER>[@<TWO_TASK>]] -o <DBUSER>
AFPASSWD [-c <APPSUSER>[@<TWO_TASK>]] -a
AFPASSWD [-c <APPSUSER>[@<TWO_TASK>]] -l <ORACLEUSER> {TRUE|FALSE}
AFPASSWD [-c <APPSUSER>[@<TWO_TASK>]] -L {TRUE|FALSE}
AFPASSWD [-c <APPSUSER>[@<TWO_TASK>]] -s <APPLSYS>
AFPASSWD [-c <APPSUSER>[@<TWO_TASK>]] -h
These options have the following functions:
-c <APPSUSER>[@<TWO_TASK>] - Specifies the connection string to use, the Oracle E-Business Suite user, and/or the value of TWO_TASK. This option can be used in combination with others. If it is not specified, default values from the environment will be used.
Note: The password will be prompted for, and should not be provided in the connection string.
-f <FNDUSER> - Changes the password for an Oracle E-Business Suite user. Specify the user name. A user name that contains spaces or special characters must be enclosed in double quotation marks; for example, "JOHN SMITH" or "JOHN.DOE@EXAMPLE.COM".
-o <DBUSER> - Changes the password for an Oracle E-Business Suite database user. Specify the user name.
Note: This only applies to users listed in the FND_ORACLE_USERID table, not database users in general.
-a - Changes all Oracle passwords for schemas that are registered as base product schemas in the FND_ORACLE_USERID table (excluding the passwords of APPS, APPLSYS, and APPS_NE) to the same password, in the same way as the ALLORACLE mode does in FNDCPASS.
-l - Locks or unlocks an individual Oracle E-Business Suite database user (ORACLE_USER) (except required schemas). Specify TRUE to lock or FALSE to unlock.
-L - Locks or unlocks all Oracle E-Business Suite database users (except required schemas). Specify TRUE to lock or FALSE to unlock.
-s <APPLSYS> - Changes the password for the APPLSYS user, the APPS user, and the APPS_NE user. This requires the execution of AutoConfig on all tiers. After changing the APPLSYS password, you must also perform the steps listed in Important Additional Instructions to Update WLS Data Source.
-h - Displays help.
Whenever you use FNDCPASS or AFPASSWD in SYSTEM mode to change the APPS or APPLSYS schema passwords, you must also perform the actions listed below.
Note: Using SYSTEM mode with either APPLSYS or APPS will simultaneously update both the APPLSYS and APPS schemas: the respective passwords are kept in sync by both FNDCPASS and AFPASSWD.
Important: These steps must be performed on the run file system of the primary node.
1. Shut down the application tier services using the $INST_TOP/admin/scripts/adstpall.sh script.
2. Change the APPLSYS password, as described for the utility you are using.
3. Start AdminServer using the $INST_TOP/admin/scripts/adadminsrvctl.sh script. Do not start any other application tier services.
4. Change the APPS password in WLS Data Source by running the following script as shown:
   $ perl $FND_TOP/patch/115/bin/txkManageDBConnectionPool.pl
   When prompted, select 'updateDSPassword' to change the APPS password in the WLS Datasource.
5. Start all the application tier services using the $INST_TOP/admin/scripts/adstrtal.sh script.
6. Verify the WLS data source changes as follows:
   a. Log in to the WLS Administration Console.
   b. In the Domain Structure tree, expand Services, then select Data Sources.
   c. On the Summary of JDBC Data Sources page, select EBSDataSource.
   d. On the Settings for EBSDataSource page, select Monitoring > Testing.
   e. Select "oacore_server1".
   f. Click Test DataSource.
   g. Look for the message "Test of EBSDataSource on server oacore_server1 was successful".
Important: Steps 4, 5, and 6 are only applicable when changing the APPLSYS password. They are not applicable when changing passwords for product schemas or the SYSTEM schema.
In the next prepare phase after the password change, adop will invoke EBS Domain Configuration to ensure that the WLS data source on the patch file system will be synchronized with the new APPS password.
You can optionally use AFPASSWD to migrate Oracle E-Business Suite user passwords to a password hashing scheme. The migration converts the passwords for local Oracle E-Business Suite users (that is, users stored in the FND_USER table) from their current encryption to a non-reversible password hashing scheme, thus making the passwords non-recoverable. This feature provides additional protections against brute forcing of hashes in case the password hashes in the database are compromised. You can select SHA-2 algorithms (SHA-256, SHA-384, and SHA-512) defined by NIST FIPS 180-4 which are combined internally with the use of the PBKDF2 derivation function as defined by NIST 800-132 to make calculating the hashes computationally more difficult.
Note: The option to migrate to the SHA hash mode is deprecated in Release 12.2.3 and higher. You should now migrate only to SHA-256, SHA-384, or SHA-512. However, if you previously migrated to the SHA hash mode, you can use AFPASSWD to perform another migration to one of the advanced hash modes.
Migration to a password hashing scheme is a one-way operation that cannot be undone without a system restore from backup. This migration is optional and is not implemented unless you manually execute it to take advantage of this feature. Oracle recommends that you do implement an advanced password hashing scheme to enhance Oracle E-Business Suite user password security.
Using an advanced hash algorithm adds a small delay to the login process for users due to the additional computation. Oracle recommends that you use advanced password hashing with the strongest SHA-2 algorithm that provides acceptable login performance.
Note: The AFPASSWD migration option does not affect existing password schemes for the following types of users:
Users whose passwords are managed externally in Oracle Directory Services
Users whose passwords are managed externally in a third-party LDAP directory, such as Microsoft Active Directory
Oracle E-Business Suite database users
Before migrating, back up your Oracle E-Business Suite instance so that you can restore it from the backup if necessary.
Also, before migrating, verify that you have upgraded all desktop clients to a version supported with Release 12.2 to ensure that these clients can continue to connect to your Oracle E-Business Suite instance. These clients include the following:
Oracle Collaboration Suite - See Oracle Collaboration Suite Installation Guide for your platform.
Oracle Configurator - See Oracle Configurator Installation Guide.
Oracle Discoverer - See the following My Oracle Support Knowledge Documents:
1380591.1, Using Discoverer 11.1.1 with Oracle E-Business Suite Release 12.2
2277369.1, Oracle E-Business Suite Support Implications for Discoverer 11gR1
If you plan to export Oracle E-Business Suite users for bulk loading into Oracle Directory Services, you should perform the export and bulk load before you migrate Oracle E-Business Suite user passwords to a password hashing scheme. After you implement password hashing, the AppsUserExport utility can no longer include the passwords when exporting Oracle E-Business Suite user information. For more information, refer to: Migrating Data between Oracle E-Business Suite and Oracle Directory Services.
To migrate Oracle E-Business Suite user passwords to a password hashing scheme, specify the AFPASSWD command with the following options.
AFPASSWD [-c <APPSUSER>[@<TWO_TASK>]] -m <HASH_MODE> {FULL|BACKGROUND|PARTIAL}
-c <APPSUSER>[@<TWO_TASK>] - Specify the connection string to use, the Oracle E-Business Suite user, and/or the value of TWO_TASK. This option can be used in combination with others. If it is not specified, default values from the environment will be used.
Note: The password will be prompted for, and should not be provided in the connection string.
-m - Migrates records in the FND_USER table to hash mode using the specified algorithm.
Specify the hash mode to use. You can specify any of the following advanced hash algorithms:
SHA256
SHA384
SHA512
Note: The SHA hash mode is deprecated in Release 12.2.3 and higher. Do not specify SHA as the hash mode for AFPASSWD; instead, specify one of the advanced SHA-2 hash algorithms.
Specify the type of advanced hash migration to perform.
FULL - A full migration migrates all the records in the FND_USER table to the selected hash mode. If you do not specify a migration type, then a full migration is performed by default.
BACKGROUND - A background migration migrates all the records in the FND_USER table to the selected advanced hash mode in the background as a concurrent program named Advanced Hash Migration (AFPASSWD_MIGRATION).
PARTIAL - A partial migration allows users with an earlier encryption mode to co-exist with users creating new passwords with the selected advanced hash mode. Users on the earlier encryption mode can still log in, but subsequent password changes will switch these users to the selected advanced hash mode.
Note: Partial migration is used to change between advanced hash modes and should be performed only after a full or background migration. If you perform a partial migration first, then you cannot perform a full migration in the future.
If you are already using an advanced hash mode (SHA256, SHA384, or SHA512), then you can only migrate to another advanced hash mode, and you can only specify the migration type PARTIAL.
The AFPASSWD log file is written to the directory where AFPASSWD was executed. You should review this log file to verify the status of the migration.
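The salted PBKDF2 hashing with SHA-2 and the PARTIAL co-existence behaviour described above can be illustrated as follows. This is an added example, not Oracle's implementation: the record layout, iteration count, salt length, and all function names are assumptions made for illustration, and the user names and passwords are constructed.

```python
import hashlib
import hmac
import os
import time

# AFPASSWD hash-mode names from this page mapped to hashlib digest names.
HASH_MODES = {"SHA256": "sha256", "SHA384": "sha384", "SHA512": "sha512"}
ITERATIONS = 50_000  # assumed; the page does not state the count EBS uses
SALT_BYTES = 16      # assumed


def hash_password(password, mode, iterations=ITERATIONS, salt=None):
    """Return a self-describing record: mode$iterations$salt$digest (hex)."""
    if mode not in HASH_MODES:
        raise ValueError("unsupported hash mode: " + mode)
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(HASH_MODES[mode], password.encode("utf-8"),
                                 salt, iterations)
    return "$".join([mode, str(iterations), salt.hex(), digest.hex()])


def verify_password(password, record):
    """Recompute the hash with the record's own parameters and compare."""
    mode, iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(HASH_MODES[mode], password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def change_password(store, user, old, new, target_mode):
    """PARTIAL-style behaviour: a user on an earlier mode can still log in,
    and a password change moves that user to the selected mode."""
    if not verify_password(old, store[user]):
        return False
    store[user] = hash_password(new, target_mode)
    return True


def verify_seconds(mode, iterations=ITERATIONS):
    """Wall-clock cost of one verification, i.e. the added login delay."""
    record = hash_password("ConstructedPw1", mode, iterations)
    start = time.perf_counter()
    verify_password("ConstructedPw1", record)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed user store; both users start on SHA256.
    store = {"VISION": hash_password("OldPw1", "SHA256"),
             "OPERATIONS": hash_password("OtherPw1", "SHA256")}
    change_password(store, "VISION", "OldPw1", "NewPw2", "SHA512")
    for user, record in store.items():
        print(user, record.split("$")[0])
    for mode in HASH_MODES:
        print(mode, f"{verify_seconds(mode) * 1000:.1f} ms per login check")
```

Because each record carries its own mode and parameters, users on different modes can be verified side by side, and the timing loop gives a rough way to compare the login delay of each algorithm on your own hardware.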
Note: After you have migrated to a password hashing scheme, you may encounter an issue when using the expdp database export utility in which the FND_USER_PREFERENCES table is not properly exported. As a workaround to resolve this issue, you can re-export and re-import the FND_USER_PREFERENCES table separately using the exp and imp utilities, after initially running expdp and impdp.
Immediately after running expdp and impdp, use the exp utility to export the FND_USER_PREFERENCES table from the source database with the following command:
exp TABLES=(<APPLSYS SCHEMA NAME>.FND_USER_PREFERENCES) COMPRESS=Y DIRECT=Y
For example:
exp TABLES=(APPLSYS.FND_USER_PREFERENCES) COMPRESS=Y DIRECT=Y
When prompted, enter the user to run the utility, such as SYSTEM, and the password for that user.
Then import this data into the target database using the following command:
imp FILE=expdat.dmp LOG=imptab.log TABLES=FND_USER_PREFERENCES FROMUSER=<APPLSYS SCHEMA NAME> IGNORE=Y
For example:
imp FILE=expdat.dmp LOG=imptab.log TABLES=FND_USER_PREFERENCES FROMUSER=APPLSYS IGNORE=Y
When prompted, enter the user to run the utility, such as SYSTEM, and the password for that user.
To help meet increasing and often mandatory requirements for complex passwords, Oracle E-Business Suite now supports the use of Oracle Database 11g case-sensitive passwords. This is in contrast to the traditional Oracle Application Library behavior of storing and validating all database passwords as uppercase, regardless of the case in which they are entered.
Case-sensitive database passwords can be employed with any Oracle E-Business release that uses Oracle Database 11g. Using mixed case enables more secure application schema passwords to be specified.
There are two possible situations:
Case sensitivity disabled (default) - For new database accounts or changed database passwords, Oracle automatically records the case in which the password was originally specified and stores it as a hash value in the data dictionary table that holds user information. However, new or changed database account passwords will continue to not be case-sensitive unless and until the mixed-case feature is explicitly enabled.
Case sensitivity enabled - After the feature is enabled, database passwords created or changed since the upgrade to Oracle Database 11g will need to be entered in the case specified originally. Only database passwords that remain unchanged in Oracle Database 11g will continue to not be case-sensitive. The database stores a case-sensitive version of the password created or changed in Oracle Database 11g, whether the mixed-case feature is enabled or not. The case-sensitive version of the password is therefore ready for immediate use as soon as the feature is enabled.
For example:
When the initialization parameter SEC_CASE_SENSITIVE_LOGON is set to FALSE, dogfood, DogFood, and DoGFooD are all the same password.
When SEC_CASE_SENSITIVE_LOGON is set to TRUE, dogfood, DogFood, and DoGFooD are 3 different passwords.
The case sensitivity capability for Oracle E-Business Suite database passwords is analogous to the way the SIGNON_PASSWORD_CASE profile is used to determine how new or changed Oracle E-Business Suite user passwords will be stored.
The following table shows the applicable versions of Oracle E-Business Suite and Oracle Database for the Case Sensitivity feature:
| Software Component | Applicable Version(s) | Additional Patches |
|---|---|---|
| Oracle E-Business Suite | 12.2.2, 12.2.3, 12.2.4 | None |
| Oracle E-Business Suite | 12.1.1+ | 12964564 |
| Oracle Database | 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2 | |
Case sensitivity is controlled by the setting of the Oracle Database 11g initialization parameter SEC_CASE_SENSITIVE_LOGON. The default for Oracle E-Business Suite databases is FALSE, which means that new, existing (pre-11g), and changed database passwords will all remain not case-sensitive.
Prior to enabling case sensitivity, database passwords may be in an unknown case depending on the code level of your Oracle E-Business Suite instance when they were changed. This includes the APPS, APPLSYS, and APPS_NE passwords. Therefore, before you enable the Case Sensitivity feature, you must change the APPLSYS/APPS/APPS_NE password with the FNDCPASS or AFPASSWD tool, ensuring that you use all uppercase when typing the password values to force the passwords to be stored in uppercase. This will normalize your system to a known state prior to conversion to Oracle Database 11g case-sensitive passwords for Oracle E-Business Suite database users. After changing the APPLSYS/APPS/APPS_NE passwords, you should also change the passwords of the other schemas used in your Oracle E-Business Suite instance to be all uppercase as well.
The Case Sensitivity feature is enabled as follows:
Set the Oracle Database 11g initialization parameter SEC_CASE_SENSITIVE_LOGON to TRUE.
Note: The default for Oracle E-Business Suite databases is FALSE, which means that new, existing (pre-11g), and changed database passwords will remain not case-sensitive.
Shut down and restart the database. New and changed database passwords will now be case-sensitive.
Change the APPLSYS, APPS, and APPS_NE passwords to ensure that the database password is stored in the expected case. Use uppercase for the old password value on the first password change after setting the parameter.
For more information about using the Oracle E-Business Suite provided command line utilities, FNDCPASS and AFPASSWD, to change your passwords, refer to the "Oracle E-Business Suite Password Management" section in the Oracle E-Business Suite System Administrator's Guide - Configuration Release 12.1.
In addition, change any other Oracle E-Business Suite database passwords. Use all uppercase for the old password value on the first password change after setting the parameter.
Warning: Three failed login attempts with the APPS user will result in the APPS user account being locked. This is the default behavior of the Oracle Database 11g user profile. Before running FNDCPASS or AFPASSWD with the APPS password, verify you have the correct APPS password by logging into SQL*Plus with the APPS user successfully.
After the APPS password is successfully changed by FNDCPASS or AFPASSWD, it is case-sensitive.
Warning: The APPLSYSPUB password is unique in that it must be maintained as an uppercase password. This means that if you opt to change the APPLSYSPUB password in Oracle Database 11g, you must enter the new password in all uppercase to preserve system functionality.
After Oracle Database 11g password case-sensitivity has been enabled, a DBA should immediately change the passwords of the database administrative accounts such as SYS and SYSTEM. The DBA may also wish to employ a password management policy (profile) to ensure system administrators change the Oracle E-Business Suite database passwords within a reasonable time.
Existing database passwords that were never changed in Oracle Database 11g will remain case-insensitive until changed, after which they will become case-sensitive.
Be aware of the following points:
We recommend that the APPLSYSPUB password should be changed on all Release 12.x systems, using either AFPASSWD or FNDCPASS. AutoConfig should be run after changing the password, to synchronize all the application tier files.
Important: The APPLSYSPUB password is an exception to the standardization of mixed case passwords, and must always be in upper case. This is true even if case-sensitive passwords have been enabled in Oracle Database 11g (SEC_CASE_SENSITIVE_LOGON=true).
For more information, refer to About Oracle E-Business Suite Secure Configuration.
If you are on Oracle E-Business Suite Release 12.1 or 12.2, ensure that your sqlnet_ifile.ora has the line:
SQLNET.ALLOWED_LOGON_VERSION_SERVER = 8 (if the initialization parameter SEC_CASE_SENSITIVE_LOGON is set to FALSE)
SQLNET.ALLOWED_LOGON_VERSION_SERVER = 10 (if SEC_CASE_SENSITIVE_LOGON is set to TRUE)
Passwords with special characters or multibyte characters are not currently supported with Oracle E-Business Suite.
Although the parameter is deprecated with Oracle Database 12c, it is still supported for backwards compatibility.