Troubleshooting Login Problems in Oracle Applications 11i The fact you are unable to login to Oracle Applications 11i

can be a symptom of a completely different underlying problem. So it is important you determine the root cause of the login failure. The troubleshooting steps provided are intended to help reach that root cause. Login issues can be divided into 2 broad categories. The first category is where login page does not render at all. In other words the main page is completely inaccessible or unuseable. The second category of problem is issues encountered after entering a username & password combination. In this category are things like: • Errors received because the system is unable to process the login request, or • After login the homepage is not rendered. Approach to Troubleshooting Error messages will not necessarily indicate the root cause of the problem so it is important to collate information on the scope and nature of the problem. • Was it working previously? If so, what has changed, are all the Server processes running? • Are all users affected? If not, what is common link to users with problem? • If this is a single user issue, does it only affect the one PC or user id? What are the user level profile options for this particular user? • Is the problem confined to one network segment or one PC? • Do you get different behaviour in Internet Explorer to Netscape browser? • What is your instance architecture? Are you using load balancing, RAC, SSO, etc.? The troubleshooting tips below have been split into the quick checks that can be done easily on the fly, and detailed checks that may involve bouncing servers and may require editing files/packages so will need to ensure they can be restored if required.

1. Validate TNS Connectivity a. Make sure you can TNSPING and sqlplus the database alias used from the APPL_TOP (i.e. After running APPSORA.env). Do:tnsping [sid] sqlplus appsun/appspw sqlplus appsun/appspw@[sid] Also, validate that APPLSYSPUB/PUB can connect b. Change to the $IAS_ORACLE_HOME, run the [sid]_[host].env file. This will set the $ORACLE_HOME to be iAS. Now check that you can TNSPING and sqlplus the database alias. 2. Determine the DBC file in use and make sure it is valid: b. Validate the OS location & permissions of the dbc file. Do: ls –al $FND_SECURE/*.dbc (11.5.10+). If $FND_SECURE is not set, then the dbc filebr> This should return the value from step 1ad. The permissions on the file should be 644 and it should be owned my the “applmgr” user. c. Verify the contents of the dbc file with the AdminAppServer utility. Do:java oracle.apps.fnd.security.AdminAppServer appsun/appspw STATUS DBC=[path to dbc]/[dbc_name].dbc This should return STATUS: VALID and the current status of AUTHENTICATION: [SECURE/ON/OFF/null] among other values. d. Validate the autoconfig context file (11.5.8+) uses the correct dbc file. Your context file is located in $APPL_TOP/admin and is typically named [SID]_[host].xml. Review the value for s_dbc_file_name, it should match the dbc just tested in 1c. 3. Is the web server running and able to render static html?

a. Are you able to access the page: http:// <host><domain>:<port>/aplogon.html b. If not, then do: ps –fu [applmgr] | grep http (or ps –fu [applmgr] | grep http | wc –l ) This should return at least 5 http processes running … otherwise you webserver may not be started…Make sure you are using the Oracle provided start script in: $COMMON_TOP/admin/scripts/[SID]_[host] If these tests fail you need to review your iAS installation and/or log a TAR. 4. Use the following programs to verify the installation and check that the servlets are functioning. a. http(s)://<host><domain>:<port>/servlets/IsItWorking (11.5.10) This may fail with: Forbidden You don't have permission to access /servlets/IsItWorking on this server. This is due to enhanced security delivered with the autoconfig templates. Please try test 4b instead. b.http(s)://<host><domain>:<port>/servlets/Hello If this one fails, this indicates an issue with your Jserv set-up. You then need to follow Note:230688.1 to drill down into this problem. 5. Validate that jsp work. a. http(s)://<host><domain>:<port>/OA_HTML/jsp/fnd/aoljtest.jsp If this one fails to render, this indicates an issue with your Jserv set-up. You then need to follow Note:230688.1 to drill down into this problem.Otherwise you enter the values requested, and follow the link at the bottom of the first page to run through this set of diagnostic tests. Report all tests that fail in a TAR.

Note: The initial page of this test may show some "missing" files. Depending on your configuration the following missing files are acceptable: apps.zip (is normal to be missing since it has been exploded on $JAVA_TOP (ref : Note 220188.1 ))iAS/mp/jlib/opreopi-rt.jar (Used for Oracle Personalization. Can be ignored if you are not using MP.)iAS/mp/jlib/dmtutil.jar (Used for Data Mining) iAS/dm/jlib/odmapi.jar (Used for Data Mining - If you are using Data Mining, and these are listed as missing, please see Note 281739.1 ) iAS/portal30/jpdk/lib/partnerApp.jar (If you are not using Portal, this can be ignored.) 6. Check the "session.topleveldomain" setting in the $IAS_ORACLE_HOME/Apache/Jserv/etc/zone.properties This should match the domain you are using as defined in the SESSION_COOKIE_DOMAIN column in ICX_PARAMETERS table. From sqlplus do: select SESSION_COOKIE_DOMAIN from ICX_PARAMETERS; Notes: It is acceptable to have SESSION_COOKIE_DOMAIN set to null You MUST have a valid domain that is composed of 2 or more components (see Bug:2510732). I.e: .oracle is an INVALID domain, but .oracle.com IS a valid domain. Environment Checks 7. Check the profile options Use the Query in Appendix A in sqlplus to get the profile option values for the following profiles (hint: you can simply enter AGENT when prompted) APPS_FRAMEWORK_AGENT (Application Framework Agent), APPS_JSP_AGENT (Applications JSP Agent), APPS_SERVLET_AGENT (Apps Servlet Agent), APPS_WEB_AGENT (Applications Web Agent)…And for ICX_FORMS_LAUNCHER (ICX: Forms Launcher), POR_SERVLET_VIRTUAL_PATH (POR: Servlet Virtual Path), GUEST_USER_PWD (Guest User Password)

Application Framework Agent should be of the format: http://myHost.myDomain.com:8000 Applications JSP Agent http://myHost.myDomain.com:8000 Applications Web Agent should be of the format: http://myHost.myDomain.com:8000/pls/SID Apps Servlet Agent should be of the format: http://myHost.myDomain.com:8000/oa_servlets POR: Servlet Virtual Path should be of the format: oa_servlets ICX: Forms Launcher should be of the format: http:/myHost.myDomain.com:8000/dev60er Password should match the GUEST_USER_PWD value in the DBC file (see step 2) For a basic single node install these should be set at the site level and should all be pointing at the same server. For a load balanced or a DMZ setup, this may vary. See Note:217368.1 and Note:287176.1 for more details on these advanced configurations. Internet Explorer can give 'Your session is no longer valid' if the domain name is not specified in these profile options or in the login URL. You MUST have a valid domain that is composed of 2 or more components (see Bug:2510732). I.e. apps.oracle is an INVALID host.domain combination, but apps.oracle.com IS a valid host.domain. 8. Is the system in Maintenance Mode? Run the following sql to verify: select fnd_profile.value('APPS_MAINTENANCE_MODE') from dual; If this returns Y, then run adadmin to disable maintenance mode (see Note:291901.1) 9. Are there any additional errors other than that reported directly on screen?

Use the 'View Source' option within your Web Browser to see if any additional information is shown.

10. Check browser settings: a. Ensure your browser has cookies enabled. In Netscape this can be checked from Edit -> Preferences -> Advanced. In Internet Explorer, this can be checked from Tools -> Internet Options -> Security Then select the correct zone for your Web Server and click on 'Custom Level' Scroll down to the 'Cookies' section. Oracle Applications uses 'per-session' cookies. It is worth verifying the same problem occurs in both IE and Netscape. Try setting the cookies setting to "prompt" to ensure they are being set correctly. b. With Internet Explorer, you must add your Web Server to the list of 'trusted sites'. You must enter the fully qualified hostname (hostname, plus domain name) of the Release 11i HTTP server node or nodes in the "Trusted sites" security zone, and you must leave the security level of that zone at its default setting of Low. Security levels are set on the Security tab of the Internet Options window. 11. Are there any uncomitted changes in your Autoconfig context file? Run: $AD_TOP/bin/adchkcfg.sh This will create output in: $APPL_TOP/admin/[SID]_[host]/out/[timestamp] Review the report for any pending changes. Run autoconfig (see Note:165195.1) as required. 12. Do you have any symbolic links in your installed file system?

If so, make sure your iAS configuration is setup to follow sym links. For security reasons, by default this is disabled. If you are unsure please see step 32 in the detailed checks. RDBMS Checks 13. Check the GUEST user information. a. Run following SQL: select user_name, start_date, end_date from fnd_user where user_name = 'GUEST'; This should return one row, end_date should be NULL or in advance of today's date, and start_date should be before today's date. b. Validate the GUEST username/password combinations from the DBC file. Using the GUEST_USER_PWD value in the DBC file (see step 2) run the following sql: select fnd_web_sec.validate_login('GUEST',' <GuestPassword>') from dual ; This should return Yes If this returns N, then do: select fnd_message.get from dual; This should give a reason why the validation failed, or an error message. If this fails with a database error, confirm the problem is not specific to the GUEST user. Redo the SQL command with a different userid (like sysadmin) select fnd_web_sec.validate_login('SYSADMIN','<SYSADMIN PASSWORD>') from dual; Again, this command should return 'Y' if it is working OK. If not, you should reload the jar files to the database using adadmin.

14. Run the following script to ensure there are no invalid objects:

select owner, object_name, object_type from all_objects where status != 'VALID' order by owner, object_type, object_name; Ideally, this should return no rows, but some invalid objects may be acceptable, depending on what they are. 15. Check Tablespace free space: Ensure that the database tablespaces have not run out of room. This can result in '1' errors and/or 'Session expired' errors if the system cannot add data to the ICX tables. To test that rows can be succesfully inserted, you can run the script below: REM Start of script insert into icx_sessions (session_id, user_id, created_by, creation_date,last_updated_by, last_update_date) values (-99999, -99, -1, sysdate, -1, sysdate) / insert into icx_failures (created_by, creation_date,last_updated_by, last_update_date) values (-1, sysdate, -1, sysdate) / rollbak / REM - End of script Note - ensure these two insert statements are rolled back - you do not want these dummy records saved. 16. Review your Alert.log. Does the RDBMS alert log show any errors? What are they? Report them in a TAR. 17. Review any database trace files.

cd to the directory specified by user_dump_dest in the init<sid>.ora file. Look for recent .trc files. Each failed attempt at login may create a .trc file 18. Validate the FND_NODES table: Run the following sql: select NODE_NAME, NODE_ID , SERVER_ID , SERVER_ADDRESS from FND_NODES; Each SERVER_ID and NODE_ID should be unique. The Node Name for all servers involved for the instance should appear here. We typically expect this to be e hostname or virtual hostname (alias), not the IP address. If the servers do not appear, use OAM to register them. The SERVER_ADDRESS is optional, but if present should reflect the IP of the host. If necessary, update the IP using the system administrator responsibility. For 11.5.2 – 11.5.9 this should return 56 rows. For 11.5.10 this should return 131 rows. (11.5.10+) Note: in 11.5.10 the required plsql packages can be quickly enabled using the script: $FND_TOP/patch/sql/txkDisableModPLSQL.sql Y 19. Validate the FND_ENABLED_PLSQL table Run the script in Appendix B. For 11.5.2 – 11.5.9 this should return 56 rows. For 11.5.10 this should return 131 rows. (11.5.10+) Note: in 11.5.10 the required plsql packages can be quickly enabled using the script: $FND_TOP/patch/sql/txkDisableModPLSQL.sql Y : 20. Clear the iAS cache. To clear the jsp & modplsql caches either rename or delete the sub-directories below following directories and restart apache. This will clear out the compiled JSP classes and cached modplsql modules causing them to be automatically recompiled next time they are accessed. rm -Rf $OA_HTML/_pages/* rm -Rf $COMMON_TOP/_pages/*

rm -Rf $IAS_ORACLE_HOME/Apache/modplsql/cache/* Note: Depending on your configuration and patch level all directories may not exist. 21. Check the sqlnet.ora setup in the database Oracle Home. Edit the $ORACLE_HOME/network/admin/<SID>/sqlnet.ora Is tcp.validnode_checking enabled (i.e. = yes)? If so, make sure the parameter tcp.invited_nodes contains an entry for all the nodes involved in your configuration. This parameter, in conjunction with tcp.validnode_checking determines which clients can connect to the database. Or you can temporarily disable node checking by removing the tcp.validnode_checking and retest. This is enabled for security reasons. 22. Modify AppsLocalLogin.jsp to trap exceptions. If you get java error while using the login page like NoClassDefFound or NullPointerException, we need to trap the context of the message. Backup and edit your: $OA_HTML/AppsLocalLogin.jsp. On the line that reads } catch(Exception e) {} Change to: } catch(Exception e) { } catch(Throwable t) { System.err.println("OSS: Caught throwable in AppsLocalLogin.jsp : " + t.toString()); t.printStackTrace(); }

Then bounce Apache and reload the page and more detail should show up in the OACoreGroup.0.stderr file. < status of the Server Security, which was verified in step 2c, is anything other then OFF, try toggling the current setting to see if the nature of the problem changes. Use the following command to temporarily disable the Security Server After bouncing the apps services and retesting it is important to re-enable the Security. Use the command: java oracle.apps.fnd.security.AdminAppServer appsun/appspw AUTHENTICATION ON DBC=<full path to DBC file name> 23. Check file permissions are not causing any problems. Check file permissions are appropriate. In particular, the liboci806jdbc.so (.sl on HP, .DLL on NT) shared library should have read, write and execute permissions. It may be advisable to temporarily change all permissions in $JAVA_TOP to read, write and execute to see if it resolves the problem. On UNIX, you can use the command 'chmod -R 777 $JAVA_TOP', assuming $JAVA_TOP has been set correctly in your environment. 24. Regenerate JAVA_TOP: Ensure you have a full backup of your system! To run this process, run adadmin and select Maintain Applications Files then Copy Files to Destinations. 25. Generate database trace and SQL*Net traces. To set-up SQL*Net Trace on the Web Server set TRACE_LEVEL_CLIENT = 16 in the $TNS_ADMIN/SQLNET.ORA file. This should be in the iAS file system and not in the 8.0.6. Oracle Home. By default the SQL*Net trace file will be called 'sqlnet.trc'. Logging a TAR or SR - Checklist of things to send to Oracle Support

****************************************************************** *************** IMPORTANT NOTE - the majority of the information required by Oracle Support for troubleshooting these types of issues can be obtained easily by using the Applications Remote Diagnostic Agent (APPS RDA) This utility is available from and described in Note:161474.1 Please use this mechanism where possible to send Oracle Support the required configuration and log file information. ****************************************************************** *************** 1. Files should be sent as a SINGLE attachment. 2. Identify any other external influences: Are there any proxy servers or firewalls between the Database Server to Web Server, and the Web Server to the client PC? If so, try using a different PC within the firewall or temporarily disable the Proxy for that particular client. The more detail you can provide about the architecture of the instance the better. 3. Are you using any external authentication (i.e. SSO) or portal? Does the issue reproduce when using direct login (i.e. by-passing sso/portal) 4. Are you using SSL? If using SSL, does not using SSL change or resolve the problem? What services are running in ssl mode? Load balancer, forms, iAS, sqlnet, etc.? 5. Screen output should ideally be sent in as screen dumps inserted into MS Word or similar package. This can be achieved by pressing the <Printscreen> key in Windows. This puts the screen into the Windows Clipboard, which can then be pasted into another application as a graphic image. Otherwise if output required is from a browser screen, the text can be highlighted then copied/pasted. 6. Upload the Apache log files (see Appendix C, step 2) 7.Does changing the value of APPLICATIONS_HOME_PAGE (Self Service Personal Home Page mode) profile option result in any change in the issue? Upload the results of each step in this document. Setting up detailed logging on the web server:

1. Shut the HTTP Server (Apache/iAS) down. - You can grep for the 'httpd' process to verify it is down 2. Rename (or delete) the following files so we get a fresh copy of them: <IAS_ORACLE_HOME>/Apache/Jserv/logs/jserv.log <IAS_ORACLE_HOME>/Apache/Jserv/logs/forms.log <IAS_ORACLE_HOME>/Apache/Jserv/logs/mod_jserv.log <IAS_ORACLE_HOME>/Apache/Jserv/logs/jvm (the whole directory if it exists) <IAS_ORACLE_HOME>/Apache/Apache/logs/access_log* <IAS_ORACLE_HOME>/Apache/Apache/logs/error_log <IAS_ORACLE_HOME>/Apache/Apache/logs/error_log_pls (if it exists) Now we will turn on debugging in the log files: 3. Modify the $IAS_ORACLE_HOME/Apache/Jserv/etc/jserv.conf file. Search for the parameter: ApJServLogLevel notice Change the 'notice' to 'info' 4. Modify the $IAS_ORACLE_HOME/Apache/Jserv/etc/jserv.properties file. Search for the following section: log=false Change this to be log=true and Change log.channel=false To be: log.channel=true

5. Modify the $IAS_ORACLE_HOME/Apache/Jserv/etc/forms.properties file. Search for the following section: log=false Change this to be log=true and Change: log.channel=false To be log.channel=true 6. Modify the $IAS_ORACLE_HOME/Apache/Apache/conf/httpd.conf file. Search for: LogLevel Set the LogLevel to 'info' from its current value. 7. Modify the $IAS_ORACLE_HOME/Apache/Apache/conf/httpd_pls.conf file (if it exists). Search for the following parameter LogLevel Set the LogLevel to 'info' from its current value. 8. Modify the: $IAS_ORACLE_HOME/Apache/modplsql/cfg/wdbsrv.app add the line: debugModules=Info immediatly after the line: custom_auth = CUSTOM 9. Start the HTTP Server. 10. Run a test to recreate the error, then upload the log files from step 2.

Sign up to vote on this title
UsefulNot useful

Master Your Semester with Scribd & The New York Times

Special offer: Get 4 months of Scribd and The New York Times for just $1.87 per week!

Master Your Semester with a Special Offer from Scribd & The New York Times