FNDCPASS Troubleshooting Guide For Login and Changing Applications Passwords
In this Document
| Goal |
| Solution |
| 1. Error Starting Application Services After Changing APPS Password Using FNDCPASS |
| 2. Log In Fails With: You Don't Have Permission To Access /pls/.../fnd_icx_launch.launch On This Server |
| 3. APP-FND-01564: ORACLE Error 6550 In changepassword With Portal/Login Server/SSO After Patch |
| 4. FNDCPASS Not Able To Decrypt Password For APPLSYSPUB When Changing The APPS Password |
| 5. Changing APPS Password Using FNDCPASS Gives 'not able to decrypt password' Message |
| 6. FNDCPASS Fails Changing Database Password: APP-FND-02704, APP-FND-01564, ORA-01403 |
| 7. FNDCPASS Fails With 'ORA-01017: invalid username/password; logon denied |
| 8. adpatch Errors: The Given ORACLE Password Is Not The Correct Password. |
| 9. APP-FND-01496 Received When Changing The APPLSYS Password With FNDCPASS |
| 10. Using FNDCPASS With The ALLORACLE Option, Why Doesn't It Change All User Passwords? |
| 11. Fndcpass Fails with 500 Internal Server Error After Migrating Database From Hp-Ux To Linux |
| 12. FNDCPASS Fails with APP-FND-02702 and APP-FND-02704 |
| 13. APP-FND-00434 Unable to Change Password Using FNDCPASS Utility |
| 14. FNDCPASS Gives: APP-FND-01502: Cannot Encrypt Application ORACLE Password |
| 15. Why FNDCPASS Fails With ORA-01005 Using Underscore or Dollar Sign in Passwords? |
| 16. FNDCPASS-CANNOT DECRYPT For Some Users |
| 17. Db Links Are Invalid After Changing The Apps User Password With FNDCPASS |
| 18. Is PASSWORD_VERIFY_FUNCTION Compatible with FNDCPASS in E-Business Suite? |
| 19. ORA-29541 Unable to Change Password Using FNDCPASS Utility |
| 20. FNDCPASS Updates FND_USER.LAST_LOGON_DATE with SYSDATE |
| 21. Why aren't users forced to change/reset passwords during next login after running FNDCPASS? |
| 22. FNDCPASS Was Not Able to Decrypt Password for User 'ABC' During APPLSYS Password Change |
| 23. FNDCPASS was not able to decrypt password for {User Name} during APPLSYS password change |
| 24. APP-FND-01496 Results From FNDCPASS Chaning The APPLSYS password |
| 25. APP-FND-1238: Cannot set value for field :USER.ENCRYPTED_USER_PASSWORD |
| 26. FRM-40200 Changing Users Password With The System Administrator Responsibility |
| 27. "Signon Password Failure Limit" Is Reached Unlocking Queries |
| 28. APP-FND-02704, APP-FND-01564, ORA-01403 changepassword Errors In Custom Schema |
| 29. FND Invalid Hash mode detected for user_id = &USERID When Changing Password |
| 30. After 12.1.3 Upgrade FNDCPASS Fails: Was Not Able To Decrypt Password For User 'Username' During Applsys Password Change |
| 31. APP-FND-01564: ORACLE error 6502 in changepassword |
| 32. Unable To Change APPLSYS Password Using FNDCPASS In Applications 12.1.3 |
| 33. AFPASSWD Relink Fails While Applying R12 Patch With Error Undefined Reference To `iifgcg' |
| Diagnostics & Utilities Community: |
| References |
APPLIES TO:
Oracle Application Object Library - Version 11.5.9 to 12.1.3 [Release 11.5 to 12.1]Information in this document applies to any platform.
GOAL
This is a consolidation of Top Documents to provide a Single Source for troubleshooting common problems with FNDCPASS.
SOLUTION
1. Error Starting Application Services After Changing APPS Password Using FNDCPASS
Cannot complete applications logon. You may have entered an invalid applications password, or there may have been a database connect error.
From the error, it's confirmed that the APPS password did not change correctly. Sometimes when changing the APPS password using FNDCPASS with a new APPS password, if able to log into SQLPLUS as the apps user, then it's thought that the password has changed correctly In every scenario, this is not true. If able to connect th SQLPLUS with the new APPS password, then it doesn't verify new APPS password completely. It is just one test for new APPS passwords. If able to start application services successfully, then one can confirm that the APPS password has changed successfully.
Points to keep in mind when changing the APPS password using the FNDCPASS utility:
Point 2: Always use FNDCPASS to change the APPS password. For an improved solution to FNDCPASS as of R12.1.2, click here.
Point 3: Before changing APPS password, it is strongly recommended to take a backup of FND_USER and FND_ORACLE_USERID.
Point 4: Always check FNDCPASS log for any kind of error. If there is any error in the FNDCPASS log, then DO NOT run autoconfig or try to change configuration file manually. Until and unless FNDCPASS log has no error please do not run autoconfig as you will get problem while logging in oracle application.
Point 5: If getting any error in the FNDCPASS log, then either replace from an original backup with FND_USER and FND_ORACLE_USERID to log into Applications or raise an SR to support with the FNDCPASS log.
1. If autoconfig was not run, did not make any change in configuration file manually and also have a valid backup of FND_USER and FND_ORACLE_USERID table, then recover from the original backup. Start application services.
If a valid backup of the FND_USER and FND_ORACLE_USERID table does not exist, then an export/import of table FND_USER and FND_ORACLE_USERID from a Instance that has the same patchset level must be used because autoconfig was not run. If the patchset level is not same, then the export/import of the tables will not work. For example: If facing the issue on a newly cloned instance, then export/import the source instance from which the clone instance was made.
2. If a valid backup of FND_USER and FND_ORACLE_USERID table exists, but have already run autoconfig then the application services cannot be started. Once autoconfig is run, then replacing the original backup of FND_USER and FND_ORACLE_USERID table will not work.
In this case, a backup of the FND_USER and FND_ORACLE_USERID table is not valid because autoconfig was already run and hence only two options left:
A. Follow the procedure mentioned in the below note to remove database credentials:
Note 419475.1: Removing Credentials from a Cloned EBS Production Database
B. Do a fresh clone. (In case the issue exists in a test instance.)
4. One should able to start application services without any error. If able to start the application services without any error, but still are not able to log in, then check a direct forms log in:
For Release 11i : http://<hostname>:<port>/dev60cgi/f60cgi
For Release 12: http://<hostname>:<port>/forms/frmservlet
For direct forms logging, below parameter in CONTEXT file should be set to OFF. If it is not set to OFF then make below changes and run autoconfig.
<appserverid_authentication oa_var="s_appserverid_authentication">OFF</appserverid_authentication>
5. Once able to log in in forms mentioned in step 4, but still personal home page log in is not working, then it's confirmed that the issue is now with personel home page log in only and no issue with the APPS password.
Run AOL/J Test. Use below URL to run AOL/J Test:
http://<hostname>:<port>/OA_HTML/jsp/fnd/aoljtest.jsp
2. Log In Fails With: You Don't Have Permission To Access /pls/.../fnd_icx_launch.launch On This Server
To implement the solution, execute the following steps:
1. Log-in as system owner and run:
SQL> alter user apps account unlock;
The first line (optional) results in preventing repeated failed log in attempts from locking the account.
The second line (required) simply unlocks the apps account.
2. Restart the services.
3. APP-FND-01564: ORACLE Error 6550 In changepassword With Portal/Login Server/SSO After Patch
Cause: changepassword failed due to ORA-06550: line 1, column 7:
PLS-00201: identifier 'FND_SSO_REGISTRATION.IS_OPERATION_ALLOWED' must be declared
ORA-06550: line 1, column 7:
PL/SQL: Statement ignored
ORA-06512: at "APPS.FND_LDAP_WRAPPER", line 1190
To implement the solution, execute the following step:
1. For instances integrated with Portal 3.0.9 from ATG_PF.H.RUP3 and above the profile option Applications SSO LDAP Synchronization (APPS_SSO_LDAP_SYNC) needs to be set to "Disabled".
4. FNDCPASS Not Able To Decrypt Password For APPLSYSPUB When Changing The APPS Password
However, Discoverer users have authentication problems.
The issue is caused by a data corruption issue in the fnd_user table.
To implement the solution, execute the following steps:
1. Use FNDCPASS to reset the APPLSYSPUB password.
e.g. FNDCPASS apps/<password> 0 Y system/<password> ORACLE APPLSYSPUB PUB
2. Retest for the issue.
5. Changing APPS Password Using FNDCPASS Gives 'not able to decrypt password' Message
Found in log:
FNDCPASS was not able to decrypt password for <testuser1> during applsys password change.
FNDCPASS was not able to decrypt password for <testuser2> during applsys password change.
Because the profile "Applications SSO Login Types" is set to 'SSO', the password is maintained by Oracle Internet Directory - OID and not Applications, FNDCPASS cannot update the OID data directly.
The FND_USER table record has the value 'EXTERNAL' in the encrypted password columns.
This can be confirmed using the following SQL:
select user_id, encrypted_foundation_password, encrypted_user_password
from fnd_user
where user_name = '{User Name from FNDCPASS log}' ;
To implement the solution, execute the following steps:
1. Set the profile "Applications SSO Login Types" to 'Both' or 'Local'.
Then change the identified User password using the Security / User / Define form..
2. Ignore the message and remember that the password is managed externally..
Note:
As long as the table value is 'EXTERNAL', the FNDCPASS utility will display the messages in the log.
6. FNDCPASS Fails Changing Database Password: APP-FND-02704, APP-FND-01564, ORA-01403
Note: It has been reported that the error may occur if the password starts with a number.
APP-FND-02704: Unable to alter user HR to change password.
APP-FND-01564: ORACLE error 1403 in changepassword
Cause: changepassword failed due to ORA-01403: no data found.
The SQL statement being executed at the time of the error was: and was executed from the file &ERRFILE.
The database profile DEFAULT was changed for the resource PASSWORD_REUSE_MAX.
To implement the solution, execute the following steps:
1. Revert back the resource of the database profile DEFAULT as:
FAILED_LOGIN_ATTEMPTS to UNLIMITED
PASSWORD_REUSE_MAX to UNLIMITED
PASSWORD_LOCK_TIME to UNLIMITED
PASSWORD_GRACE_TIME to UNLIMITED
PASSWORD_VERIFY_FUNCTION to NULL
2. Re-run FNDCPASS.
select profile from dba_users where username=<user with the error>';
Ex:
After finding the profile, one should set the options for this profile to UNLIMITED AS it is not always the DEFAULT profile.
7. FNDCPASS Fails With 'ORA-01017: invalid username/password; logon denied
The database SEC_CASE_SENSITIVE_LOGON parameter defaults to TRUE. When this occurs the password sensitivity conversion does not occur. Passwords that are input as lower case are automatically updated as upper case.
To implement the solution, execute the following steps:
1. Set the database SEC_CASE_SENSITIVE_LOGON parameter to FALSE in the init.ora.
2. Run autoconfig on the application tiers and bounce the database.
8. adpatch Errors: The Given ORACLE Password Is Not The Correct Password.
Working...
APP-FND-01496: Cannot access application ORACLE password
Cause: Application Object Library was unable access your ORACLE password.
Action: Contact your support representative. (USER=TWOODS)
APP-FND-01496: Cannot access application ORACLE password
Issue caused by user password corruption, which resulted in failure when running FNDCPASS in an attempt to re-encrypt the APPLSYS password.
To implement the solution, execute the following steps:
1. Use FNDCPASS to update each failing User password individually.
FNDCPASS apps/<password> 0 Y system/<password> ORACLE <oracle user> <new password>
Ex: FNDCPASS apps/<password> 0 Y system/<password> ORACLE GL GLPASSWORD
2. Rerun FNDCPASS again to successfully alter the APPLSYS password:
FNDCPASS apps/<password> 0 Y system/<password> SYSTEM APPLSYS <new password>
Ex: $FNDCPASS apps/<password> 0 Y system/<password> SYSTEM APPLSYS NEWPASSWORD
NOTE: Changing the APPLSYS password automatically changes the APPS password to match as these two must always agree.
9. APP-FND-01496 Received When Changing The APPLSYS Password With FNDCPASS
Cause: Application Object Library was unable access your ORACLE password.
The ALTER command was run manually against the APPS user before running FNDCPASS. The APPS and APPLSYS user passwords must be identical.
To implement the solution, execute the following steps:
1. Run the ALTER command against the APPS and APPLSYS users in sqlplus to change back to the old passwords:
sql>ALTER USER APPLSYS IDENTIFIED BY XXX;
sql>ALTER USER APPS IDENTIFIED BY XXX;
2. Afterwards run FNDCPASS:
FNDCPASS apps/<password> 0 Y system/<password> SYSTEM APPLSYS <new password>
Ex: $FNDCPASS apps/<password> 0 Y system/<password> SYSTEM APPLSYS NEWPASSWORD
Note: Changing the APPLSYS password automatically changes the APPS password to match as these two must always agree.
10. Using FNDCPASS With The ALLORACLE Option, Why Doesn't It Change All User Passwords?
To implement the solution, reference the following:
Usernames must appear in the FND_USER or FND_ORACLE_USERID tables. The FNDCPASS utility and ALLORACLE functionality was designed for applications users/schemas.
The following username passwords must be manually changed:
Account Name
--------------------------------
ABM
AHM
AMF
CSS
CUE
CUN
DBSNMP
EAA
EVM
FPT
IBA
IMT
IPD
JUNK_PS
MDSYS
ME
ODM
ODM_MTR
OKB
OKO
OKR
OLAPSYS
ORDPLUGINS
ORDSYS
OUTLN
OWAPUB
OZP
OZS
RHX
RLA
SCOTT
SSOSDK
SYS
VEH
XNC
XNI
XNM
XNS
For IBA, IMT, IPD, ODM_MTR, OKB, OKO, OKR, OLAPSYS, ABM, AHM, VEH, XNC, XNI, XNM, XNS, RHX, RLA schemas are part of the 6th category FNDCPASS should not be used.
Also development mentioned this:
The 38 users listed above do not exist in FND_ORACLE_USERID or FND_USER
tables.
FNDCPASS is not intended to change passwords for users who do not exist in
these tables.
For the users which are absent in FND_ORACLE_USERID , you can change the password using alter command.
11. Fndcpass Fails with 500 Internal Server Error After Migrating Database From Hp-Ux To Linux
500 Internal Server Error
oracle.apps.fnd.cache.CacheException
at oracle.apps.fnd.cache.AppsCache.get(AppsCache.java:228)......
The issue can be reproduced at will by attempting to log in.
Password Hash Migration (FNDCPASS USERMIGRATE) done prior to the data migration.
The cause of this issue is that the FND_USER_PREFERENCES table did not get exported properly due to password hash migration not being covered or accounted for in the existing procedure.
To implement the solution, reference the following:
1. Export of the fnd_user_preferences table separately using:
$ exp system/<PWD> TABLES=(APPLSYS.FND_USER_PREFERENCES) COMPRESS=Y DIRECT=Y FILE=fnd_user_preferences.dmp LOG=exp_fnd_user_preferences.log
2. Import the Applications database target
3. Import of the fnd_user_preferences table separately
$ imp system/<PWD> FILE=fnd_user_preferences.dmp
LOG=imp_fnd_user_preferences.log TABLES=FND_USER_PREFERENCES FROMUSER=APPLSYS IGNORE=Y
4. Reset Advanced Queues ( Note 362205.1 - Section 5)
5. Run adgrants (Note 362203.1 - After the Database Upgrade)
6. Run adctxprv.sql (Note 362203.1 - After the Database Upgrade)
7. Compile Invalid Objects running adadmin
8. Implement and run Autoconfig ( Note 362203.1)
9. Gather Statistics for SYS schema (Note 362203.1 - After the Database Upgrade)
10. Create ConText and Spatial Objects (Note 362205.1 - Section 5)
11. Compile Invalid Objects (Note 362205.1 - Section 5)
12. Maintain Applications database objects (Note 362205.1 - Section 5)
13. Restart Applications Server Processes (Note 362205.1 - Section 5)
12. FNDCPASS Fails with APP-FND-02702 and APP-FND-02704
FNDCPASS ends with the following error:
APP-FND-02702: ABM is not a valid oracle user
The list includes: ABM, AMF, CSS, CUE, CUN, EAA, EVM, FPT, IBA, IMT, IPD, ME, OKB, OKO, OKR, OZP, OZS, RHX, RLA, VEH, XNC, XNI, XNM, XNS.
Also tried to change password for EDWREP user which is not a Database user but is defined as Oracle Schema/User and FNDCPASS errored with:
APP-FND-02704: Unable to alter user EDWREP to change password
To implement the solution, reference the following:
1. EDWREP is not in the table DBA_USERS nor in FND_USER, so there is no password to change for this user as there is no possible connection to this user. This is explained in Orion Note 431272.1. EDWREP can be ignored as it is not an Oracle user nor an APPS user ( FND_USER ).
2. The list of others users provided ( ABM, ... ) is not in the table fnd_oracle_userid , so it cannot be changed with FNDCPASS, that's the normal behavior.
Note 461904.1 explains that ABM is now obsoleted.
Some Applications/Products are obsoleted in release 12:
cun, amf, jts, xni, oko, okb, ahm, imt, veh, rla, rhx, ozs, ozp, iba, cue, okr, fpt, xns, xnc, xnm, css, me, zfa, zsa, rcm, ipd, evm, abm, eaa
As obsoleted, using the alter command can be used to safely change the password of the above users.
13. APP-FND-00434 Unable to Change Password Using FNDCPASS Utility
Error:
APP-FND-00434: AFPRCP:Failed to initialize profile option values : FDWHOAMI environment variable contains invalid value 5 for user ID
Step to Reproduce:
Change password of application user "VISION" using below FNDCPASS command:
FNDCPASS apps/apps 0 Y system/manager USER VISION WELCOME
Seeded application user "APPSMGR" is not present in FND_USER table. USER_ID of application user "APPSMGR" is 5. That is why when you are trying to change the password of any application/database user using FNDCPASS utility then it errors out with invalid value 5 for user ID (see the error).
To implement the solution, please execute the following steps:
1. If a backup of the FND_USER table exists, then restore the record for USER_ID=5 from the backup table to the existing FND_USER table.
Connect to SQLPLUS as APPS user:
SQL> insert into FND_USER select * from FND_USER_BAK where USER_ID=5 ;
Where FND_USER_BAK is backup table of FND_USER table.
If a backup of the FND_USER table does not exist, then thedata for the 'APPSMGR' user must be inserted using the below SQL:
Connect to SQLPLUS as APPS user :
SQL> INSERT INTO FND_USER(
USER_ID,
USER_NAME,
LAST_UPDATE_DATE,
LAST_UPDATED_BY,
CREATION_DATE,
CREATED_BY,
LAST_UPDATE_LOGIN,
ENCRYPTED_FOUNDATION_PASSWORD,
ENCRYPTED_USER_PASSWORD,
SESSION_NUMBER,
START_DATE,
END_DATE,
DESCRIPTION)
VALUES(5,'APPSMGR',TO_DATE('10/27/2004 6:00:51 PM','MM/DD/YYYY HH:MI:SS PM') ,0,TO_DATE('05/21/1987 6:00:51 PM','MM/DD/YYYY HH:MI:SS PM'),1,0,'INVALID','INVALID',0,TO_DATE('01/01/1951 6:00:51 PM','MM/DD/YYYY HH:MI:SS PM'),NULL,'User for routine maintenance activities scheduled as concurrent requests. Should be used for pre scheduled requests and for requests submitted at the time of patching applications.')
SQL> Commit;
2. Retest the issue.
3. Migrate the solution as appropriate to other environments.
14. FNDCPASS Gives: APP-FND-01502: Cannot Encrypt Application ORACLE Password
Application Object Library was unable encrypt your ORACLE password.
Action: Contact your support representative. (ORACLEUSER=APPS_SERV)
The table fnd_oracle_userid contain rows for schemas that does not exist. Those rows must be deleted
from the table.
To implement the solution, please execute the following steps:
1. Execute the following select statement:
where oracle_username not in
(select username from all_users);
If this returns any rows, then delete them.
15. Why FNDCPASS Fails With ORA-01005 Using Underscore or Dollar Sign in Passwords?
To implement the solution, please execute the following steps:
Using the Underscore ( _ ) or Dollar Sign ( $ ) as well as Parentheses ( ) and Comma ( , ) will cause the following error to be generated:
Routine AFPCSQ encountered an ORACLE error. ORA-01005: null password given; logon denied
Review your error messages for the cause of the error. (=<POINTER>)
Only alphanumeric characters should be for passwords. Bug 5239293 - UNABLE USE THE PUNCTUATION MARK IN FNDCPASS UTILITY has been logged to address using special characters such as the _, #, and $.
16. FNDCPASS-CANNOT DECRYPT For Some Users
FNDCPASS-CANNOT DECRYPT (USER=CONCURRENT MANAGER)
FNDCPASS-CANNOT DECRYPT (USER=ANONYMOUS)
FNDCPASS-CANNOT DECRYPT (USER=APPLSYSPUB)
Patch (5846796) was created to fix the fnd_web_sec.validate_password to use the SIGNON_PASSWORD_CASE profile setting for establishing new password criteria.
According to Development Patch 5846796 will not be available standalone.
To implement the solution, please execute the following steps:
1. Customers should apply 11i.ATG_PF.H.delta.6 (RUP 6) Patch 5903765 for this issue.
Workaround
The error messages should disappear setting the System Profile 'Password Case Option' to 'Insensitive'.
17. Db Links Are Invalid After Changing The Apps User Password With FNDCPASS
To implement the solution, please execute the following steps:
1. Since changing the apps password all the db links should have the new APPS password. Run
AutoConfig after changing the APPS password and this will update all. Please note that there is no need to run autoconfig each time FNDCPASS is run, only if changing any of the following users:
- APPLSYS
- APPS
- APPS_MRC
- APPLSYSPUB
- PORTAL30 & PORTAL30_SSO (For Oracle Log in Server and Portal 3.0.9 with E-Business Suite 11i)
18. Is PASSWORD_VERIFY_FUNCTION Compatible with FNDCPASS in E-Business Suite?
To implement the solution, please execute the following steps:
1. Log a service request requesting to attach it to the existing enhancement. Once this is done, the service request will be closed as it's unknown when the enhancement will be integrated into Applications.
2. Follow Enhancement Request: Bug 3363011.
19. ORA-29541 Unable to Change Password Using FNDCPASS Utility
To implement the solution, please execute the following steps:
1. Unzip RDBMS $ORACE_HOME/rdbms/jlib/servlet.jar to a temporary location.
2. cd to the <temp location>/javax/servlet
loadjava -u sys/<syspwd> -v -f -r ServletRequest.class
3. cd to the <temp location>/javax/servlet/http
loadjava -u sys/<syspwd> -v -f -r HttpServletRequest.class
4. If the above load is successful, then try to compile the following java classes in this order:
/69cdcac5_URLTools
/9bcc02c9_GenericFileManager
/98ca471e_GenericFileManager
/7ef1f61b_AppsContext
/be1b2bb2_ErrorStack
/4cc59dc8_AppsException
/4f323587_DataVerificationExce
/b3e79110_HTTPData
/50e4719a_AolSecurity
/3906534f_WebSessionManagerProc
For example :
SQL> conn apps/apps
Connected.
SQL> alter java class "/69cdcac5_URLTools" resolve;
Java altered.
5. Retest the issue.
20. FNDCPASS Updates FND_USER.LAST_LOGON_DATE with SYSDATE
Changing APPS, APPLSYS and Oracle Apps schema passwords is updating FND_USER.LAST_LOGON_DATE for Application Users.
eg FNDCPASS apps/<pass> 0 Y system/<pass> SYSTEM APPLSYS <new pass>
To implement the solution, please execute the following steps:
1. The official fix is included in RUP7 Patch 6241631.
As a workaround, please disable the trigger:
1. Connect to the apps schema using sqlplus.
2. Alter trigger FND_USER_RESET DISABLE;
21. Why aren't users forced to change/reset passwords during next login after running FNDCPASS?
This is expected functionality. FNDCPASS does not force the user to reset their passwords during the next log in. Users wanting to reset/change their passwords upon change should do so through the FNDSCAUS.fmb (Define User) form. When a password is changed in the Define User form, the user is forced to reset their password.
22. FNDCPASS Was Not Able to Decrypt Password for User 'ABC' During APPLSYS Password Change
the following error occurs:
ERROR
-----------------------
FNDCPASS was not able to decrypt password for user 'GCC' during applsys password change.
FNDCPASS was not able to decrypt password for user 'APPS' during applsys password change.
FNDCPASS was not able to decrypt password for user 'APPLSYS' during applsys password change.
Debug line of code (fnd_preference.remove) was found in a sql script that ran during the upgrade process - patch/115/sql/afsecctx.sql. This causes the error message when run FNDCPASS to change APPS password after upgrading to 12.1.3 .
This is justified in Bug 8764069 - POST USERMIGRATE TO HASH PASSWORDS, AFTER 12.1 UPG, FNDCPASS FAILS DECRYPT
To implement the solution, please execute the following steps:
1. Download and review the readme for Patch 8764069.
2. Apply Patch 8764069 in a test environment.
3. Confirm the following file versions:
<FND_TOP>/patch/115/sql/afsecctx.sql 120.3.12010000.2
You can use the commands like the following:
strings -a $FND_TOP/ patch/115/sql/afsecctx.sql | grep -i '$Header'
4. Retest the issue.
5. Migrate the solution as appropriate to other environments.
WORKAROUND
1. Change password of All Oracle Applications Users (FND_USER) according to Note 419475.1 Removing Credentials from a Cloned EBS Production Database.
2. Retest the issue.
23. FNDCPASS was not able to decrypt password for {User Name} during APPLSYS password change
To implement the solution, please execute the following steps:
Re-run FNDCPASS for the specific failed {User Name}.
Examples:
FNDCPASS apps/<pwd> 0 Y system/<passwrd> ORACLE GL <NEWPASSWORD>
FNDCPASS apps/<pwd> 0 Y system/<passwrd> USER JOEUSER <NEWPASSWORD>
24. APP-FND-01496 Results From FNDCPASS Chaning The APPLSYS password
ERROR
APP-FND-01496: Cannot access application ORACLE password
Cause: Application Object Library was unable access your ORACLE password.
The APPLSYS (APPS) password became corrupted using ALTER USER because an applications session was not maintained at the same time. This apps session is necessary to change the APPLSYS password in:
'Security> Oracle> Register' WHILE being in SQL*PLUS as the SYSTEM user.
The supported method is use of FNDCPASS.
To implement the solution, please execute the following steps:
1. Restore the FND_ORACLE_USERID and FND_USER tables from a backup.
2. Then run FNDCPASS to change the APPLSYS password. Ex.
FNDCPASS apps/<apps password> 0 Y system/<system password> SYSTEM APPLSYS WELCOME
25. APP-FND-1238: Cannot set value for field :USER.ENCRYPTED_USER_PASSWORD
APP-FND-1238: Cannot set value for field :USER.ENCRYPTED_USER_PASSWORD.
Review your error messages (Help ->Diagnostics -> Display Database Error ...) to see the cause of the error.
Encrypted APPLSYS password was corrupted.
To implement the solution, please execute the following steps:
Run FNDCPASS on the database tier and change the APPLSYS password to its original password value.
For example:
FNDCPASS apps/<password> 0 Y system/<password> SYSTEM APPLSYS <new password>
Ex: $FNDCPASS apps/<password> 0 Y system/<password> SYSTEM APPLSYS NEWPASSWORD
NOTE: Changing the APPLSYS password automatically changes the APPS password to match as these two must always agree.
26. FRM-40200 Changing Users Password With The System Administrator Responsibility
FRM-40200 Field is protected against update
The fnd_user.encrypted_user_password column = 'EXTERNAL'.
In FND_USER, if the fnd_user.encrypted_user_password column = 'EXTERNAL', then:
1. The Change Password menu entry should be disabled on the Forms menu.
2. The Password field should be disabled on the Users form.
This is expected behavior for the column being set to EXTERNAL.
To implement the solution, please execute the following steps:
1. Use FNDCPASS to change the password as required.
Example: FNDCPASS apps/<password> 0 Y system/<password> USER VISION WELCOME
2. Reference: Note 303621.1 - How to Change and Which Apps Database Users Passwords Can Be Changed in a Multi-Node Apps Installation?
27. "Signon Password Failure Limit" Is Reached Unlocking Queries
Q2: After the account is locked because of "Signon Password Failure Limit", can it be automatically unlocked after 24hrs (or a set # of hrs)?
To implement the solution, please execute the following step:
A1. No. To elaborate:
'Signon Password Failure Limit' invalidates the user account by updating the fnd_user encrypted password columns with value INVALID. In order to reinstate (unlock) the account these INVALID password values must be again populated with encrypted values. This ONLY happens when the password is reset.
A2. No. To elaborate:
There is no such automatic functionality within EBusiness Suite Apps to do this. The reinstatement (unlocking) of the application user account must be done by resetting the password which is done by the administrator either thru the FNDSCAUS (Security > User > Define) form or by FNDCPASS.
28. APP-FND-02704, APP-FND-01564, ORA-01403 changepassword Errors In Custom Schema
APP-FND-02704: Unable to alter user XXINT to change password.
APP-FND-01564: ORACLE error 1403 in changepassword
Cause: changepassword failed due to ORA-01403: no data found.
FND does not support case sensitive passwords for ORACLE accounts. FND expects database level passwords to be in uppercase. The SQL Reference manual, under Object Naming Rules, states that passwords can only contain alphanumeric characters from your database's character set and the characters _, $, and #.
Using $ and # is strongly discouraged.
When "Hard to Guess" functionality is activated, the password cannot contain repeating characters. (By repeating characters, it is meant *consecutively* repeating characters. Hence oracleo passes this criteria, while oraclee does not.) The ORACLE password is converted to all upper case internally and then "Hard to Guess" is validated, if enabled.
To implement the solution, please execute the following step:
Only use single case (upper suggested) passwords for ORACLE passwords. If the "Hard to Guess" functionality is activated, verify that the selected password meets all the requirements.
29. FND Invalid Hash mode detected for user_id = &USERID When Changing Password
1. Go to Navigator Menu Edit> Preference > Change Password.
2. Enter Old Password and New Password/Re-enter password.
3. Press OK Button.
This issue has been fixed in the file "fnd src/security fdspwd.lc" in version "115.33"
This is explained in the following bug:
BUG 7304220 - 1OFF:6658428:ATG RUP6:11.5.10.2:UNABLE TO RESET PASSWORD AFTER IMPLEMENTING NON-REVERSIBLE HASH PASSWD(FNDCPASS)
To implement the solution, please execute the following step:
1. Download and review the readme and pre-requisites for Patch 7304220.
2. Ensure that you have taken a backup of your system before applying the recommended patch.
3. Apply the patch in a test environment.
4. Please log a Service Request for support to post you the password.
5. Retest the issue.
6. Migrate the solution as appropriate to other environments.
WORKAROUNDS
1. a. The SSWA/Framework Preferences page.
b. Security > Define > User form.
OR
2. FNDCPASS apps/<password> 0 Y system/<password> USER <username> <password>.
30. After 12.1.3 Upgrade FNDCPASS Fails: Was Not Able To Decrypt Password For User 'Username' During Applsys Password Change
Symptoms
In 12.1.3, When attempting to change password using FNDCPASS the following error is encountered. Another symptom could be, FNDCPASS fails with Unable to connect as applsys.
ERROR
FNDCPASS was not able to decrypt password for user 'EDWREP' during applsys password change.
FNDCPASS was not able to decrypt password for user 'CTXSYS' during applsys password change.
FNDCPASS was not able to decrypt password for user 'PORTAL30_SSO' during applsys password change.
FNDCPASS was not able to decrypt password for user 'PORTAL30' during applsys password change.
FNDCPASS was not able to decrypt password for user 'XNB' during applsys password change.
FNDCPASS was not able to decrypt password for user 'ZFA' during applsys password change.
FNDCPASS was not able to decrypt password for user 'ZSA' during applsys password change.
FNDCPASS was not able to decrypt password for user 'APPS' during applsys password change.
FNDCPASS was not able to decrypt password for user 'APPLSYS' during applsys password change.
Cause
The cause of this problem has been identified and verified in an unpublished Bug 11845888. After upgrade to 12.1.3, apply the Patch 11845888 before changing the password to avoid these problems. This fixes the issues in FNDCPASS and issues with username length.
To implement the solution, please execute the following steps:
1. Download and review the readme and pre-requisites for Patch 11845888.
2. Ensure that you have taken a backup of your system before applying the recommended patch.
3. Apply the patch in a test environment.
4. Confirm the following file versions
fdscpwd.o 120.24.12010000.8
You can use the commands like the following:
strings -a $FND_TOP/bin/FNDCPASS | grep fdscpwd
5. Retest the issue and migrate to appropriate environments.
FNDCPASS was not able to decrypt password for user 'INDUSTRY DATA' during applsys password change.
FNDCPASS was not able to decrypt password for user 'ORACLE12.0.0' during applsys password change.
FNDCPASS was not able to decrypt password for user 'ORACLE12.1.0' during applsys password change.
FNDCPASS was not able to decrypt password for user 'ORACLE12.2.0' during applsys password change.
FNDCPASS was not able to decrypt password for user 'ORACLE12.3.0' during applsys password change.
FNDCPASS was not able to decrypt password for user 'ORACLE12.4.0' during applsys password change.
FNDCPASS was not able to decrypt password for user 'ORACLE12.5.0' during applsys password change.
FNDCPASS was not able to decrypt password for user 'ORACLE12.6.0' during applsys password change.
FNDCPASS was not able to decrypt password for user 'ORACLE12.7.0' during applsys password change.
FNDCPASS was not able to decrypt password for user 'ORACLE12.8.0' during applsys password change.
FNDCPASS was not able to decrypt password for user 'ORACLE12.9.0' during applsys password change.
31. APP-FND-01564: ORACLE error 6502 in changepassword
When attempting to run FNDCPASS, the following error occurs.
-----------------------
FNDCPASS apps/pwd 0 Y system/pwd USER sysadmin pwd
Current system time is 25-JUN-2012 01:42:24
+---------------------------------------------------------------------------+
APP-FND-01564: ORACLE error 6502 in changepassword
Cause: changepassword failed due to ORA-06502: PL/SQL: numeric or value error: character string buffer too small
ORA-06512: at "APPS.FND_WEB_SEC", line 1372
ORA-06512: at line 1.
The SQL statement being executed at the time of the error was: begin :r := fnd_web_sec.change_password(:u,:p); end; and was executed from the file &ERRFILE.
The likely cause for this error is that the profile option value for 'SIGNON_PASSWORD_CASE' is wrongly set to INSENSITIVE , it should be set to value 1. Possible values are : INSENSITIVE - 1 and SENSITIVE - 2.
To check the value of this profile option do the followiing:
1. SQL> select profile_option_id,application_id from fnd_profile_options where profile_option_name='SIGNON_PASSWORD_CASE';
Then from the profile_option_id returned
2.SQL> select profile_option_value,level_id,level_value from fnd_profile_option_values
where profile_option_id=[VALUE RETURNED FROM ABOVE QUERY] and application_id=0;
If PROFILE_OPTION_VALUE returned is INSENSITIVE (-1), then execute the following steps:
1. Declare
value Boolean;
Begin
value := FND_PROFILE.SAVE('SIGNON_PASSWORD_CASE', '1', 'SITE');
End;
2. Retry the fndcpass
32. Unable To Change APPLSYS Password Using FNDCPASS In Applications 12.1.3
Patch 11845888 delivers a new option that the customer can control whether or not they want to perform the invalid-check. The OS variable: FND_CHECK_INVALID was created to activate/inactivate this new functionality. That is when one runs the FNDCPASS those records are marked, so the program will not process the invalid-records again, meaning the next time that FNDCPASS runs it will not show those records in the report.
To Activate the option set the environment variable before running FNDCPASS:
To Inactivate the option Unset the environment variable before running FNDCPASS:
OR
Comment it out # or unset FND_CHECK_INVALID.
33. AFPASSWD Relink Fails While Applying R12 Patch With Error Undefined Reference To `iifgcg'
On Oracle Applications 12.1.3,
when applying R12.1 patches relinking AFPASSWD, the following error occurs:
12362384/fnd/lib/afpsslbm.c:(.text+0x51c): multiple definition of `ShowUsage'
APPL_TOP/fnd/12.0.0/lib/afpasswd.o:8974458/fnd/lib/a
fpasswd.c:(.text+0x0): first defined here
APPL_TOP/fnd/12.0.0/lib/libfnd.a(afwaol.o): In
function `afwtogi':
5069629/fnd/src/sqf/afwaol.c:(.text+0x11): undefined reference to `iifgcg'
5069629/fnd/src/sqf/afwaol.c:(.text+0x56): undefined reference to `iifwru'
APPL_TOP/fnd/12.0.0/lib/libfnd.a(afwaol.o): In
function `afwfmdi':
5069629/fnd/src/sqf/afwaol.c:(.text+0x91): undefined reference to `iifgcg'
5069629/fnd/src/wnd/afwdev.c:(.text+0xbe3): undefined reference to `uigrsw'
5069629/fnd/src/wnd/afwdev.c:(.text+0xbfe): undefined reference to `uioarc'
5069629/fnd/src/wnd/afwdev.c:(.text+0xc21): undefined reference to `uigrsa'
...
5069629/fnd/src/wnd/afwdev.c:(.text+0x3768): undefined reference to `uioim'
collect2: ld returned 1 exit status
make: *** [/APPL_TOP/fnd/12.0.0/bin/AFPASSWD] Error 1
Done with link of fnd executable 'AFPASSWD' on Wed Oct 3 15:52:12 EDT 2012
Cause
The issue is caused by the following setup :
Incorrect version of file afwdev.c
This cause is outlined in the following notes/bugs :
Bug 13954129 - INCOMPLETE INFORMATION SHOWN IN DELIVERY TO SCREEN IF SUBMIT REQUEST BY COPYING
This can occur for other R12.1 patches needing to relink AFPASSWD.
Solution
1. Ensure that you have taken a backup of your environment.
2. Download and review the readme of Patch 13855823.
3. Apply the patch in a test instance and retest the issue.
4. Migrate the solution as appropriate to other environments.
Diagnostics & Utilities Community:
- Diagnostics
Please access the EbusinessSecurity section on security diagnostics for the latest releases as reflected in Document 421245.1 E-Business Suite Diagnostics References for R12. - Utilities Community
Visit the Utilities community for help from industry experts or to share knowledge.
NOTE:437260.1 - How to Change Applications Passwords using Applications Schema Password Change Utility (FNDCPASS or AFPASSWD)
NOTE:454616.1 - Export/Import Process for Oracle E-Business Suite Release 12 using 10gR2
NOTE:762891.1 - Oracle E-Business Suite Installation and Upgrade Notes Release 12 (12.1.1) for HP-UX Itanium
NOTE:431272.1 - EDWREP And ODM Schemas Does Not Exist In DDA_USERS Table.
BUG:5239293 - UNABLE USE THE PUNCTUATION MARK IN FNDCPASS UTILITY
NOTE:461904.1 - Can the ABM Schema and/or EAA Schema and Objects Be Dropped in R12?
BUG:8764069 - POST USERMIGRATE TO HASH PASSWORDS, AFTER 12.1 UPG, FNDCPASS FAILS DECRYPT
NOTE:1377670.1 - After 12.1.3 Upgrade FNDCPASS Fails With Error - Was Not Able To Decrypt Password For User 'Username' During Applsys Password Change
NOTE:303621.1 - How to Change and Which Apps Database Users Passwords Can Be Changed in a Multi-Node Apps Installation?
NOTE:362203.1 - Oracle Applications Release 11i with Oracle 10g Release 2 (10.2.0)
NOTE:362205.1 - 10g Release 2 Export/Import Process for Oracle Applications Release 11i
NOTE:419475.1 - Removing Credentials from a Cloned EBS Production Database
BUG:12985552 - FNDCPASS WAS NOT ABLE TO DECRYPT PASSWORD FOR USER 'USERNAME' DURING APPLSYS PAS
NOTE:456838.1 - When Running FNDCPASS with ALLORACLE Option Why Doesn't It Change All User Passwords?