
An Oracle White Paper May 2012

Oracle Fusion Applications Managing Passwords


Disclaimer
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Fusion Applications Changing Passwords

Table of Contents
Introduction
  Administrators for Fusion Applications
  Fusion Applications Super Administrator Users
Stop Fusion Applications
Changing APP ID Passwords
Changing Keystore Password
Changing Super User (FAdmin) Password
Changing System/Policy Users Password
Account Lock and Password Expiration Policies
Changing Fusion Applications Database Passwords
  Changing JDBC Data Sources
  Changing Credential Store Mapping
  Updating ESS Spawned Job Wallet
  Changing ODI Repository Password
  Changing BI Repository Password
  Updating ESSBase Registry
  Changing passwords in Oracle Metadata Repository schema
Changing Node Manager Password
Changing BI System User Password
Changing the Oracle Internet Directory Database Password
Changing the Password for the ODSM Administrator Account
Restart Fusion Applications
Appendix A Fusion Apps RUP1 Schema
Appendix B Sample Python script
Appendix C Sample Input file for Fusion Applications Schemas

Copyright 2012 Oracle Corporation

Introduction
There are several types of administrative passwords that could be changed periodically based on security requirements and standard operating procedures. This document describes how password changes in external components such as databases, IDMs, etc. affect the Fusion Applications tier and how to reconfigure it. It covers critical password changes such as those for Fusion Apps administrators, super users, keystores, database schemas, etc. It does not include IDM and Oracle database related administrative user password changes. It also makes no attempt to provide best practices on password management and security policies.

This document is targeted at experienced Fusion Applications System Administrators, Security Architects, and Operation teams. The sample code provided in any section is for demonstration purposes only.

Administrators for Fusion Applications


The application provisioning process bootstraps the provisioned environment with two administrator groups for each application family. These two administrator groups are:

- A system administrator - A directory group representing the WebLogic Server domain administrators for all the domains.
- An application administrator - A directory group with an assigned enterprise role reflecting all the application roles and delegation privileges for all the applications in a given family.

The purpose of creating these "Super Administrators" during provisioning is to enable ongoing administration and/or delegation privileges. The above process facilitates separation of duties between system administration and application administration responsibilities, but you are free to assign the same user to both hierarchies ("system admin" and "application admin"). The following table shows the groups that are created for each family.

Provisioned Administrator Groups

Product Family/Product                           System Administrator Group   Application Administrator Group
Oracle Fusion Supply Chain Management            FSCMSysAdmin                 FSCMAppAdmin
Oracle Fusion Customer Relationship Management   CRMSysAdmin                  CRMAppAdmin
Oracle Fusion Human Capital Management           HCMSysAdmin                  HCMAppAdmin
Oracle Fusion Financials                         FINSysAdmin                  FINAppAdmin
Oracle Fusion Procurement                        PRCSysAdmin                  PRCAppAdmin
Oracle Fusion Project                            PRJSysAdmin                  PRJAppAdmin
Oracle Fusion Incentive Compensation             OICSysAdmin                  OICAppAdmin

In addition, a single user, known as the super user, is set up to belong to all the administrator groups. That user becomes the administrator for all middleware and the application administrator for all product families. This user is typically known as FAAdmin, as per the Enterprise document guide (EDG).

The following diagram illustrates the relationship between the two groups.


Fusion Applications Super Administrator Users


It is important to distinguish between the two types of super-administrators that exist in the provisioning process.

- Pre-seeded bootstrap user
- Designated super-user

In the context of the pre-seeded user, provisioning employs an identity known as the App ID that is required to bootstrap the WebLogic domains. The pre-configuration phase of provisioning automatically generates the credential needed for this App ID user.

In the context of the designated super user, during the interview phase of provisioning, you are asked to specify the user ID of the designated "real" user who will be set up as the Middleware Administrator and Functional Setup Manager. As per EDG, this is FAAdmin user. Although FAAdmin user can be used for this purpose, a 'real' user should be used in bare metal provisioning for better security and auditing. This can be achieved by supplying the username of the 'real' user in the Provisioning Wizard instead of FAAdmin.

Stop Fusion Applications


To prepare the environment for the password changes:

1. Stop all user requests by stopping the Oracle HTTP server.
2. Stop all the Fusion Applications Servers (including Admin Servers). Please consult the following doc to start/stop Fusion Applications using fastartstop utility.
3. Stop all opmn processes such as BI, GOP, etc. depending on your Fusion Applications installation type.
4. Do not shut down Node Manager.
5. Update user profiles in the Oracle Database to prevent account lockout:
   a. Log in to the database as a user with DBA privileges.
   b. Get a list of all profiles in the Oracle Database using SQL:
          SQL> SELECT profile, username FROM dba_users ORDER BY 1;
      You should see most schemas with profile 'DEFAULT' and a few other profiles, including the profile SEARCHSYS_PROF used by SEARCHSYS.
   c. Find existing settings for failed login attempts:
          SQL> SELECT * FROM dba_profiles WHERE resource_name = 'FAILED_LOGIN_ATTEMPTS';
      At a minimum, write down the settings for DEFAULT and SEARCHSYS_PROF.
   d. Alter the default profile to have unlimited login attempts:
          SQL> ALTER PROFILE default LIMIT FAILED_LOGIN_ATTEMPTS UNLIMITED;
   e. Alter the SEARCHSYS_PROF profile to have unlimited login attempts:
          SQL> ALTER PROFILE searchsys_prof LIMIT FAILED_LOGIN_ATTEMPTS UNLIMITED;
6. Update the passwords you want to change in the Oracle Database using a tool such as SQL*Plus.
7. Start up only the Administration Servers of all the domains. Please consult the following doc to start/stop Fusion Applications using fastartstop utility.


Changing APP ID Passwords


When invoking Web services, Oracle Fusion Applications must rely on a type of credential known as the Application ID or App ID. Each application has its own App ID which is initially provisioned for the application. The following sample Application Identities are predefined. For complete list, please consult the following doc (http://docs.oracle.com/cd/E28271_01/fusionapps.1111/e16689/F323386AN14D2F.htm#F114032AN1631A).

Application Identity Code           Application Identity Name
FUSION_APPS_ECSF_SES_ADMIN_APPID    Oracle Fusion Search Administrator Application Identity (CRM)
FUSION_APPS_OBIA_BIEE_APPID         Business Intelligence Applications Extract Transform and Load Application Identity
FUSION_APPS_OIM_SPML_APPID          Oracle Identity Manager Application Identity
FUSION_APPS_CRM_SOA_APPID           Web Services Application Identity (CRM)
FUSION_APPS_FIN_SOA_APPID           Web Services Application Identity (Financials)
FUSION_APPS_HCM_SOA_APPID           Web Services Application Identity (HCM)
FUSION_APPS_PRC_SOA_APPID           Web Services Application Identity (Procurement)
FUSION_APPS_PRJ_ESS_APPID           Enterprise Scheduler Job Application Identity (Projects)
FUSION_APPS_PRJ_SOA_APPID           Web Services Application Identity (Projects)
FUSION_APPS_SCM_SOA_APPID           Web Services Application Identity (SCM)
FUSION_APPS_SETUP_ESS_APPID         Enterprise Scheduler Job Application Identity (Setup)

Get list of APPIDs from your Environment

Run the following commands to get the list of all the entries for which the passwords need to be set ($ORACLE_BASE/product/fmw is a Fusion Middleware home):

    export ORACLE_HOME=$ORACLE_BASE/product/fmw/idm/bin
    $ORACLE_HOME/bin/ldapsearch -h idmhost.mycompany.com -p 389 -D "cn=orcladmin" -w <password> -b 'cn=AppIdUsers,cn=Users,dc=mycompany,dc=com' -s sub 'objectclass=orclAppiduser' cn >& reset.txt

Sample Content of reset.txt:

    cn=FUSION_APPS_BI_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com
    cn=FUSION_APPS_BI_APPID
    cn=FUSION_APPS_ATK_ADF_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com
    cn=FUSION_APPS_ATK_ADF_APPID
    cn=FUSION_APPS_CRM_ADF_SOAP_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com
    cn=FUSION_APPS_CRM_ADF_SOAP_APPID
    cn=FUSION_APPS_CRM_ECSF_SEARCH_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com
    cn=FUSION_APPS_CRM_ECSF_SEARCH_APPID

Changing APP IDs Passwords

Changing APP ID passwords has a ripple effect on various configurations, including the Credential Stores (CSF) in Fusion Applications. The APP ID passwords are stored (encrypted) in the credential store, and that is how Fusion Applications gets the password values before talking to other applications/web services. Once the APP ID passwords are changed in LDAP, the corresponding entries in CSF must be changed. Oracle does not support it as it is a manual, tedious and error-prone process at this time. In future releases, Oracle may provide a utility to change these passwords that will automate the process. The APP ID passwords are generated randomly when Fusion Applications is provisioned. They are completely secured, encrypted and no human will ever have to use these APP IDs.

Changing FUSION_APPS_PROV_PATCH_APPID using custom passwords

The only exception is to change the password of FUSION_APPS_PROV_PATCH_APPID (if absolutely necessary). Fusion Applications uses FUSION_APPS_PROV_PATCH_APPID to manage the life cycle of the Weblogic Admin and Managed servers. The new password must be reflected in Weblogic's boot.properties file of all the domains. You can change the FUSION_APPS_PROV_PATCH_APPID password from the Administrative Console of IDM or Weblogic, or by using the following ldap command.

Create an LDIF file named update_apps_prov_patch.ldif:

    dn: cn=FUSION_APPS_PROV_PATCH_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com
    changetype: modify
    replace: userPassword
    userPassword: new_password

Use the LDAPMODIFY command as:

    $ORACLE_HOME/bin/ldapmodify -h oid_hostName -p oid_port -D cn=orcladmin -w orcladmin_password -f <update_apps_prov_patch.ldif>

Note: $ORACLE_HOME= $ORACLE_BASE/product/fmw/idm/bin ($ORACLE_BASE/product/fmw is a Fusion Middleware home).

Changing boot.properties file with new password

Since the password of the FUSION_APPS_PROV_PATCH_APPID APP ID is reset, the boot.properties of the Admin Server must be modified with the new password in each of the domains. Run the following commands (for each domain) to get the encrypted password string of FUSION_APPS_PROV_PATCH_APPID.

Set the environment:

    . $FUSION_APPS_HOME/wlserver_10.3/server/bin/setWLSenv.sh

Go to each domain directory, such as:

    $ORACLE_BASE/config/domains/<Host Name>/CommonDomain

Run the following command:

    java weblogic.security.Encrypt Welcome1

This will echo the encrypted string that must be replaced in boot.properties. Modify boot.properties in the AdminServer/security folder.

Note: The encrypted password string must be generated for each domain.
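One way to script the boot.properties edit described above, as an added example in standard Python 3 (not WLST, and not code from this white paper). It assumes the string echoed by weblogic.security.Encrypt starts with {AES} or {3DES}; the function names are hypothetical.

```python
import os
import re
import shutil
import tempfile

# Assumption: the string echoed by weblogic.security.Encrypt has the form
# {AES}<text> ({3DES}<text> on older releases). Anything else is rejected so
# that a clear-text password is never written to boot.properties by mistake.
ENCRYPTED_RE = re.compile(r"^\{(AES|3DES)\}\S+$")


def update_boot_password(boot_file, encrypted):
    """Replace the password= entry of one boot.properties; return backup path."""
    if not ENCRYPTED_RE.match(encrypted):
        raise ValueError("not an encrypted string: refusing to write it")

    with open(boot_file, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    hits = [i for i, line in enumerate(lines) if line.startswith("password=")]
    if len(hits) != 1:
        raise ValueError("expected one password= line, found %d" % len(hits))
    lines[hits[0]] = "password=" + encrypted

    # Keep the previous file so the change can be rolled back.
    backup = boot_file + ".bak"
    shutil.copy2(boot_file, backup)
    os.chmod(backup, 0o600)

    # Write next to the target and rename, so the server never sees a
    # half-written file; mkstemp creates the file readable by the owner only.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(boot_file)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
        os.replace(tmp, boot_file)
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)
    return backup


def update_domains(encrypted_by_file):
    """Apply one encrypted string per domain; validate everything first."""
    values = list(encrypted_by_file.values())
    # The string must be generated in each domain, so the same value showing
    # up for two domains means one was copied from another domain.
    if len(set(values)) != len(values):
        raise ValueError("same encrypted string supplied for two domains")
    for value in values:
        if not ENCRYPTED_RE.match(value):
            raise ValueError("not an encrypted string: refusing to write it")
    return {path: update_boot_password(path, value)
            for path, value in encrypted_by_file.items()}
```

Call update_domains with a mapping of each domain's boot.properties path to the string generated in that domain; nothing is written unless every value passes validation.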

Changing Keystore Password


There are multiple keystores used in Fusion Apps, including in IDM, the database and OHS. The following are sample keystores, with instructions to change their passwords:

1. Keystore to store public and private keys for all secure web services connections within the domain:
   <domain_directory><domain_name>/config/fmwconfig/default-keystores.jks
2. Keystore to enable host name verification for the Node Manager:
   a. Custom Trust Keystore: $ORACLE_BASE/products/fusionapps/wlserver_10.3/server/lib/fusion_trust.jks
   b. Custom Identity Keystore for each machine: $ORACLE_BASE/products/fusionapps/wlserver_10.3/server/lib/<hostname>_fusion_trust.jks (Alias is <hostname>_fusion).

Oracle Fusion Middleware provides these tools for keystore operations:

- WLST, a command-line interface for JKS keystores and wallets
- orapki, a command-line tool for wallets
- Fusion Middleware Control, a graphical user interface
- the keytool utility

If an Oracle wallet or JKS keystore was created with tools such as orapki or keytool, it must be imported prior to using WLST and Fusion Middleware Control. Please consult the following doc for more information.

Changing Keystore password using keytool utility

Please follow these steps to change the keystore password:

1. Change directory to $ORACLE_BASE/products/fusionapps/wlserver_10.3/server/lib
2. Run the following command to change the password used to protect the integrity of the keystore contents:

       keytool -storepasswd -new <NewPassword> -keystore fusion_trust.jks -storepass <Original Password>

3. Run the following command to change the password under which the private/secret key identified by alias is protected, from old_keypass to new_keypass:

       keytool -keypasswd {-alias alias} [-keypass old_keypass] [-new new_keypass] -keystore fusion_trust.jks [-storepass storepass] {-v} {-Jjavaoption}

Once the password is changed, you must re-configure all Weblogic domains and their respective servers to reflect the new password.

Configure Weblogic Domain default_keystore.jks

Navigate to <Weblogic Domain>/<Domain Name>. Select Security Provider Configuration as shown here:


Change password by clicking Configure under Keystore section as shown below:

Once the keystore password and passphrase are changed, please change the keystore and SSL configuration of all the servers in the domain accordingly.


Note: Repeat the above steps for all the domains.

Configure Admin and managed Servers for each domain to reflect new keystore password

Please log in to the Weblogic Administrative Console and navigate to Environment/Servers. For each server, select Configuration and then the Keystore tab. Please see the following screens to update the Passphrase. (Repeat for all servers and respective domains.)


Note: The keystore password can only be changed if old password is available.

Changing Super User (FAdmin) Password


This is the super user that was provided in the Fusion Applications Provisioning plan, typically FAAdmin as per EDG. You can change the password of the administrative user using the Oracle WebLogic Server Administration Console, the WLST command line, the ODSM (Oracle Directory Service Manager) console or an LDIF (LDAP Data Interchange Format) command. Since Fusion Applications users are provisioned through OID, the best practice is to change the password from the ODSM console or using an LDIF command.

Changing FAAdmin password Using ODSM console

To change the password of the Oracle Fusion Middleware administrative user using the ODSM Console: Navigate to the ODSM Console. (For example, from the home page of the domain in Fusion Applications Control, select To configure and managed this WebLogic Domain, use the Oracle WebLogic Server Administration Console.)


Changing FAAdmin password Using LDIF Command

Create an LDIF file such as updatePassword.ldif with the following entries:

    dn: cn=FAAdmin,cn=Users,dc=mycompany,dc=com
    changetype: modify
    replace: userPassword
    userPassword: new_password

Use the LDAPMODIFY command:

    $ORACLE_HOME/bin/ldapmodify -h oid_hostName -p oid_port -D cn=orcladmin -w orcladmin_password -f updatePassword.ldif

Note: $ORACLE_HOME= $ORACLE_BASE/product/fmw/idm/bin ($ORACLE_BASE/product/fmw is a Fusion Middleware home).

Changing the Oracle Fusion Middleware Administrative User Password Using the WLST Command Line

To change the Oracle Fusion Middleware administrative user password or other user passwords using the command line, you invoke the UserPasswordEditorMBean.changeUserPassword method, which is extended by the security realm's AuthenticationProvider MBean.

Start a WLST session as follows: Run wlst.sh from <path_to_domain_home_of_the_domain>/fusionapps/oracle_common/common/bin.

Connect to the domain.

    nmConnect('<node_manager_user_name>','<node_manager_password>','<node_manager_machine_name>','<node_manager_machine_port>','<domain name>','<path_to_domain_home_of_the_domain>')

Example:

    nmConnect('bootstrap_admin','welcome','<hostname>','5556','CommonDomain','/oracle/fusion/top/instance/domains/weblogic1.company.com/CommonDomain')

WLST Script

    from weblogic.management.security.authentication import UserPasswordEditorMBean

    print "Changing password ..."
    # Look up the default authenticator of the security realm
    atnr=cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")
    # Arguments: user name, current password, new password
    atnr.changeUserPassword('my_user','my_password','new_password')
    print "Changed password successfully"

Please consult the following doc (http://docs.oracle.com/cd/E23943_01/web.1111/e13715/config_wls.htm#i1019970) for more information.

Changing System/Policy Users Password


The following system (or policy) users are provisioned by Fusion Applications: PolicyRWUser, PolicyROUser, IDRWUser, IDROUser. The passwords are changed like any other OID user through the ODSM console or LDAP as described earlier. However, changing some of these passwords impacts CSF (Credential Stores) keys. The map and key for PolicyRWUser and IDROUser respectively are as follows:

    oracle.patching, FUSION_APPS_PATCH_POLICY_STORE-KEY
    oracle.patching, FUSION_APPS_PATCH_ID_STORE-KEY

Please consult the following section to change CSF keys.

Account Lock and Password Expiration Policies


The default password policy for Oracle Internet Directory enforces:

- Password expiration in 120 days
- Account lockout after 10 login failures. Except for the superuser account, all accounts remain locked for a duration of 24 hours unless the passwords are reset by the directory administrator.
- A user account stays locked even after the lockout duration has passed unless the user binds with the correct password.

When Fusion Applications is provisioned, the APP IDs container does not have a password expiration policy, but system (or policy) users such as PolicyRWUser, PolicyROUser, IDRWUser and IDROUser have a password expiration policy. The alternatives for handling the password expiration policy are:

1. Disable the password expiration policy. If the password is already expired, then change the password to the same old password and disable the expiration policy to prevent it in future. This ensures that no changes are required in the respective Credential Stores.
2. Change the password and then consult the following section to change the respective Credential Stores (CSF) keys.

Option 1 is recommended until in future releases Oracle provides complete listing of Credential Stores Mappings (similar to APP IDs). Please consult the following doc to manage Password Policies.

Changing Fusion Applications Database Passwords


Changing Fusion Applications database schema passwords impacts several components in the middle tier stack, such as JDBC data sources, Credential Store mappings, and various repositories. Please follow the Oracle database documentation on how to change schema passwords in the database.

Changing JDBC Data Sources


These objects contain properties such as the URL or user name and password. Application components use data sources to obtain connections to a relational database. They are known as Weblogic Data Sources. Please see Appendix A for the database schemas based on Fusion Applications RUP1 (new schemas could be added in later Fusion Apps versions). The best approach is to create a WLST script to modify the JDBC data sources with the new password. The alternative option is to change it for each data source from the Weblogic Console.

Sample WLST Script for demonstration purpose only

Once the schema password is changed in the database, please see the following sample to update the respective data sources.

Sample

Let's assume there are 3 schemas jrd1, jrd2 and jrd3 with password Welcome1. There are 3 respective jdbc data sources. The CommonDomain has jrdtest1 and jrdtest2; and HCMDomain has jrdtest3. All 3 data sources for the sample are targeted to soa_server1 respectively by domain.

The following Python script demonstrates how to change the password of jdbc data sources:

    import sys
    import os
    import ConfigParser
    import time
    from datetime import datetime

    _wlsUsername = 'weblogic_fa'
    _wlsPassword = 'Welcome1'
    _domainT3UrlProperty = 'domain.url.t3'
    _schemaSectionName = 'SCHEMAS'
    _fsSectionName = 'CommonDomain'

    def updateDatasourcesInOneDomain(_wlsUsername, _wlsPassword, _domainT3Url, _parser):
        # Connect to the Administration Server of the domain and open an edit session
        connect(_wlsUsername,_wlsPassword,_domainT3Url)
        _dsNames = ls('/JDBCSystemResources', returnMap='true', returnType='c')
        edit()
        startEdit()
        for _dsName in _dsNames:
            jdbcSR = lookup(_dsName,"JDBCSystemResource")
            theJDBCResource = jdbcSR.getJDBCResource()
            driverParams = theJDBCResource.getJDBCDriverParams()
            driverProperties = driverParams.getProperties()
            # update schema password if schema user is specified in the input file
            _userprop = driverProperties.lookupProperty('user')
            _userval = _userprop.getValue()
            #print '***user is:' + _userval
            if _parser.has_option(_schemaSectionName, _userval):
                print '*** Updating the password of datasource ' + _dsName + ' (username=' + _userval + ')'
                _dbPassword = _parser.get(_schemaSectionName, _userval)
                # Debug output only: prints the new password in clear text
                print 'password is:' + _dbPassword
                driverParams.setPassword(_dbPassword)
        # Save and activate all changes made in this domain, then disconnect
        save()
        activate(block="true")
        disconnect()

Read the input file as follows:

    # read the input file
    try:
        _inputFile = sys.argv[1]
        print '*********************************************************************************************'
        print '* Input file: ' + _inputFile
        print '*** Reading ' + str(_inputFile) + '...'
        _parser = ConfigParser.ConfigParser()
        # keep option names (schema user names) case-sensitive
        _parser.optionxform = str
        _parser.read(_inputFile)
    except:
        print '*********************************************************************************************'
        print '* Error:'
        sys.exit(2)

Call the above function as:

    # update the datasource passwords
    for _sectionName in _parser.sections():
        if _parser.has_option(_sectionName, _domainT3UrlProperty):
            # get domain t3 url
            _domainT3Url = _parser.get(_sectionName, _domainT3UrlProperty)
            print '*** Retrieved ' + _sectionName + ' domain t3 url: ' + _domainT3Url
            try:
                print '************Update Datasource password'
                updateDatasourcesInOneDomain(_wlsUsername, _wlsPassword, _domainT3Url, _parser)
            except:
                dumpStack()
                sys.exit(1)
    print '***Successfully updated datasource '
    exit()

The sample input file is:

    [SCHEMAS]
    ##########
    jrd1=newWelcome1
    jrd2=newWelcome1
    jrd3=newWelcome1

    [CommonDomain]
    # The WLS admin URL for the Common Domain
    domain.url.t3=t3://scmhost1as1.us.oracle.com:7001

    [HCMDomain]
    # The WLS admin URL for the HCM Domain
    domain.url.t3=t3://scmhost1as1.us.oracle.com:9401

Run the Python script as follows:

    $FA_HOME/wlserver_10.3/common/bin/wlst.sh $SCRIPT_PATH/<script_name>.py $SCRIPT_PATH/<input_filename>.ini

Please see the following screen shots for output:

Note: The password output value is for debugging only. You should remove it from your production script. You can modify Fusion Applications data sources based on the input file provided in Appendix C.

Changing Credential Store Mapping


In Oracle Fusion Applications, credentials used for various components such as patching, BI Enterprise, Security, etc. are stored securely in the Lightweight Directory Access Protocol (LDAP) based Credential Store Framework (CSF), from which they can be retrieved transparently when required. Some of these credential mappings contain database schema and password keys. Hence, when schema passwords are changed, the respective CSF mappings must be updated. The CSF mappings are in CommonDomain. They can be managed from Fusion Middleware Control (EM). However, one should create WLST scripts to automate the process. The following screen shots show how to browse CSF maps from EM:

Log in to Fusion Middleware Control and navigate to Domain > Security > Credentials, to display the Credentials page


Creating WLST script to automate CSF mappings

Enhance the database schema password script to include CSF updates. Create another Python function as follows:

    # _expectedCredMapList must be defined earlier in the script as the list of
    # credential map names to process (for example 'oracle.patching').
    def updateCredentialPasswords(_wlsUsername, _wlsPassword, _domainT3Url, _parser):
        if _parser.has_option(_fsSectionName, _domainT3UrlProperty):
            _domainT3Url = _parser.get(_fsSectionName, _domainT3UrlProperty)
            connect(_wlsUsername,_wlsPassword,_domainT3Url)
            for _sectionName in _parser.sections():
                # only look at section whose name is an expected credential map name
                if _sectionName in _expectedCredMapList:
                    _map = _sectionName
                    for _key in _parser.options(_map):
                        _schemaUsername = _parser.get(_map, _key)
                        _password = ''
                        if _parser.has_option(_schemaSectionName, _schemaUsername):
                            _password = _parser.get(_schemaSectionName, _schemaUsername)
                            if _password.__len__() > 0:
                                _credFound = 'false'
                                try:
                                    print '*** Deleting existing credential with map [' + _map + '] and key [' + _key + ']. Failure indicates that no such credential exists.'
                                    deleteCred(map=_map, key=_key)
                                    _credFound = 'true'
                                except:
                                    dumpStack()
                                # re-create the credential only if it existed before
                                if _credFound == 'true':
                                    _now = str(datetime.now())
                                    _desc = 'Reset at ' + _now
                                    createCred(map=_map, key=_key, user=_schemaUsername, password=_password, desc=_desc)
                                    print '*** Credential with map [' + _map + '] and key [' + _key + '] has been reset at ' + _now
                                else:
                                    print '*** Skipping reset of credential with map [' + _map + '] and key [' + _key + ']. Credential does not exist.'
                            else:
                                print '*** Skipping reset of credential with map [' + _map + '] and key [' + _key + ']. Input file does not contain password for schema username "' + _schemaUsername + '"'
                        else:
                            print '*** Skipping reset of credential with map [' + _map + '] and key [' + _key + ']. Input file does not contain schema username "' + _schemaUsername + '"'
            disconnect()
        else:
            print '*** Cannot find section [CommonDomain] with property "' + _domainT3UrlProperty + '". Skipping credential store password reset.'

    # update the credential store passwords
    updateCredentialPasswords(_wlsUsername, _wlsPassword, _domainT3Url, _parser)
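A dry-run check of the input file used by both the data source script and the CSF function above, as an added example in standard Python 3 (not WLST, and not code from this white paper). It reports what a run would touch without printing any password; the map name sample.map, its keys, the host names and the function names are hypothetical.

```python
import configparser
from urllib.parse import urlsplit

SCHEMA_SECTION = "SCHEMAS"            # section name used by the page's script
T3_URL_PROPERTY = "domain.url.t3"     # property name used by the page's script
CSF_DOMAIN_SECTION = "CommonDomain"   # the CSF mappings are in CommonDomain

# Constructed sample input. The map "sample.map" and its keys are hypothetical.
SAMPLE_INPUT = """\
[SCHEMAS]
jrd1=newWelcome1
jrd2=
jrd3=new%Welcome1

[CommonDomain]
domain.url.t3=t3://adminhost.example.com:7001

[HCMDomain]
domain.url.t3=http://adminhost.example.com:9401

[sample.map]
SAMPLE_KEY_A=jrd1
SAMPLE_KEY_B=jrd2
SAMPLE_KEY_C=jrd9
"""


def load_input(text):
    # interpolation=None keeps a '%' inside a password literal; optionxform=str
    # keeps schema names and CSF keys case-sensitive, as the page's script does.
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def is_t3_url(value):
    try:
        url = urlsplit(value)
        return url.scheme in ("t3", "t3s") and bool(url.hostname) and url.port is not None
    except ValueError:  # raised for a non-numeric or out-of-range port
        return False


def plan_changes(parser, expected_cred_maps):
    """Return what a run would touch. No password value is put in the result."""
    schemas = {}
    if parser.has_section(SCHEMA_SECTION):
        schemas = dict(parser.items(SCHEMA_SECTION))
    plan = {
        "schemas": sorted(u for u, p in schemas.items() if p),
        # The data source function only checks has_option(), so an empty entry
        # would set an empty password on every matching data source.
        "empty_schemas": sorted(u for u, p in schemas.items() if not p),
        "domains": [], "bad_urls": [], "cred_resets": [], "cred_skips": [],
    }
    for section in parser.sections():
        if parser.has_option(section, T3_URL_PROPERTY):
            ok = is_t3_url(parser.get(section, T3_URL_PROPERTY))
            plan["domains" if ok else "bad_urls"].append(section)
    plan["csf_enabled"] = CSF_DOMAIN_SECTION in plan["domains"]

    # Same decisions as updateCredentialPasswords: section name is the map,
    # option name is the key, option value is the schema user name.
    for cred_map in expected_cred_maps:
        if not parser.has_section(cred_map):
            continue
        for key in parser.options(cred_map):
            user = parser.get(cred_map, key)
            if user not in schemas:
                reason = "schema username not in input file"
            elif not schemas[user]:
                reason = "no password for schema username"
            elif not plan["csf_enabled"]:
                reason = "no usable CommonDomain URL"
            else:
                plan["cred_resets"].append((cred_map, key, user))
                continue
            plan["cred_skips"].append((cred_map, key, user, reason))
    return plan


if __name__ == "__main__":
    for name, value in plan_changes(load_input(SAMPLE_INPUT), ["sample.map"]).items():
        print(name, "=", value)
```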

Updating ESS Spawned Job Wallet


A configured Oracle wallet enables spawned jobs to connect to the database at the command line. A provisioned Fusion Applications environment will have this wallet pre-configured. Configuring a spawned job involves creating an environment file and configuring an Oracle wallet. This wallet stores the fusion_runtime schema password used by ESS jobs. The environment.properties file is located at $ORACLE_BASE/config/ess/config. This property file includes critical properties that are required to update the wallet, such as:

    Wallet Location    $ORACLE_CSF_WALLET_LOC
    Database Name      $TWO_TASK
    TNSAdmin Path      $TNS_ADMIN

Syntax to Update Wallet:

    mkstore -wrl walletLocation -modifyCredential dbName dbUser dbPassword

Run the following command:

1. At the command prompt, go to $TNS_ADMIN
2. Execute:

       mkstore -wrl $ORACLE_CSF_WALLET_LOC -modifyCredential $TWO_TASK fusion_runtime <NewPassword>


Changing ODI Repository Password


There are two database schemas FUSION_ODI and FUSION_ODI_STAGE that must be updated in ODI work repository. Oracle Fusion Applications Provisioning does not install ODI Studio. You must install ODI Studio to change work repository password. To change the ODI work repository password from ODI Studio:
1. Start the ODI Studio and, in the Connection profile, uncheck the Work Repository.
2. Verify that the password of Master Repository database is OK.
3. In ODI Studio, go to the Topology Manager > Work Repositories.
4. Edit the Work Repository, click on the "Connection" icon button, and set the appropriate password.
5. Double-click the work repository. The Work Repository Editor opens.
6. On the Definition tab of the Work Repository Editor click Change password.
7. Enter the current password and the new one.
8. Click OK.

Changing BI Repository Password


Each repository has a password that is used to encrypt its contents. You create the repository password when you create a new repository file, or when you upgrade a repository from a previous release of Oracle Business Intelligence. You can change the repository password using the Administration Tool in offline mode, or using the obieerpdpwdchg utility. You cannot change the repository password when the repository is open in the Administration Tool in online mode.

The obieerpdpwdchg utility is especially useful when you want to change the repository password on Linux and UNIX systems where the Administration Tool is not available. You cannot change the repository password when the repository is open in online mode. After you change the repository password in the Administration Tool, you must also publish the updated repository and specify the new password in Fusion Middleware Control. Specifying the repository password in Fusion Middleware Control enables the password to be stored in an external credential store, so that the Oracle BI Server can retrieve it to load the repository.

Changing the Oracle BI Repository Password Using Administration Tool

1. Open the repository in the Administration Tool in offline mode.
2. Select File, then select Change Password.
3. Enter the current (old) password.
4. Enter the new password and confirm it. The repository password must be longer than five characters and cannot be empty.
5. Click OK.
6. Save and close the repository.
7. Open a Web browser and log in to Fusion Middleware Control from the computer where the updated repository is located.
8. In the navigation tree, expand Business Intelligence and then click coreapplication to display the Business Intelligence Overview page.
9. Display the Repository tab of the Deployment page.
10. Click Lock and Edit Configuration.
11. Click Browse next to Repository File. Then, select the updated repository file and click Open.
12. Enter the new (updated) repository password in the Repository Password and the Confirm Password fields. Make sure to specify the password that has been set in the repository. If the passwords do not match, the Oracle BI Server fails to start, and an error is logged in nqserver.log.
13. Click Apply, then click Activate Changes.
14. Return to the Business Intelligence Overview page and click Restart.


Changing the Oracle BI Repository Password Using obieerpdpwdchg Utility

Follow these steps to change the repository password using the obieerpdpwdchg utility, and then publish the modified repository in Fusion Middleware Control:
1. Run bi-init to launch a command prompt or shell window that is properly initialized. For example:

    Linux:
        ORACLE_INSTANCE/bifoundation/OracleBIApplication/coreapplication/setup/bi-init.sh
    Windows Client Installation:
        ORACLE_HOME/bifoundation/server/bin/bi-init.bat
    Windows All other Installation Types:
        ORACLE_INSTANCE/bifoundation/OracleBIApplication/coreapplication/setup/bi-init.cmd

2. At the command prompt, type obieerpdpwdchg with the following arguments:
    o -I name_and_path_of_existing_repository
    o -O path_of_new_repository

   Then, enter the current (old) password and the new password when prompted. The repository password must be longer than five characters and cannot be empty. For example:

    obieerpdpwdchg -I my_repos.rpd -O my_changed_repos.rpd
    Please enter the repository password: my_old_password
    Please enter a new repository password: my_new_password

   Note that passwords are masked on the command line unless you include the -C option to disable masking.
3. Open a Web browser and log in to Fusion Middleware Control from the computer where the updated repository is located.
4. In the navigation tree, expand Business Intelligence and then click coreapplication to display the Business Intelligence Overview page.
5. Display the Repository tab of the Deployment page.
6. Click Lock and Edit Configuration.
7. Click Browse next to Repository File. Then, select the updated repository file and click Open.
8. Enter the new (updated) repository password in the Repository Password and the Confirm Password fields. Make sure to specify the password that has been set in the repository. If the passwords do not match, the Oracle BI Server fails to start, and an error is logged in nqserver.log.
9. Click Apply, then click Activate Changes.
10. Return to the Business Intelligence Overview page and click Restart.

Updating ESSBase Registry


Essbase Server uses a database schema password stored in the reg.properties file. Change the ESSBase Registry properties as follows. The updateRegProperties.py script is located at:

    $ORACLE_BASE/products/fusionapps/bi/bifoundation/install

Syntax is:

    updateRegProperties.py biHome biInstance DbUrl DbUserName DbNewPassword DbDriverClass

Run the following command to update the registry:

    wlst.sh $ORACLE_BASE/products/fusionapps/bi/bifoundation/install/updateRegProperties.py $BIHOME $BIINST jdbc:oracle:thin:@<dbhostname>:1592/ems2671 FUSION_BI_PLATFORM newpasss oracle.jdbc.OracleDriver

Where $BIHOME is $ORACLE_BASE/products/fusionapps/bi and BIInstance is <INSTANCE_DIR>/config/BIInstance/config

Change the EPM Registry as follows:

    $BIInstance/config/foundation/11.1.2.0/epmsys_registry.sh updateencryptedproperty HOST/database_conn/@dbPassword DbNewPassword

Example of $BIInstance is <INSTANCE_DIR>/config/BIInstance/config/foundation/11.1.2.0

Change ESSBase Monitoring Credential as follows:


Changing passwords in Oracle Metadata Repository schema


The Oracle Metadata Services (MDS) repository contains metadata for the Oracle Fusion Applications and some Oracle Fusion Middleware component applications. The schema passwords are stored in the Oracle database. Since MDS is configured to use JDBC data sources, no action is required.

Changing Node Manager Password


The Node Manager account authenticates the connection between a client (for example, the Administration Server) and Node Manager. In an Oracle Fusion Applications installation, this user is specified on the Installation Location page of the Provisioning Wizard. Please consult the "Specify Node Manager Username and Password" section in the Oracle Fusion Middleware Node Manager Administrator's Guide for Oracle WebLogic Server.


Changing BI System User Password


The BISystemUser account provides access to the Oracle Business Intelligence system components. Please consult the "Default Users and Passwords" section in the Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition.

Changing the Oracle Internet Directory Database Password


The Oracle Internet Directory uses a password when connecting to its own designated Oracle database. The default for this password when you install Oracle Internet Directory is the same as that for the Oracle Fusion Middleware administrator. You can change this password by using oidpasswd. The following example shows how to change the Oracle Internet Directory database password, assuming the database is on the same machine.

    oidpasswd connect=dbs1 change_oiddb_pwd=true
    current password: oldpassword
    new password: newpassword
    confirm password: newpassword
    password set.

Changing the OID Super user Password by Using Fusion Middleware Control

To change the password for the superuser by using Oracle Enterprise Manager Fusion Middleware Control:
1. Select Administration, then Shared Properties from the Oracle Internet Directory menu.
2. Click the Change Superuser Password tab.
3. Specify the old password.
4. Specify the new password.
5. Confirm the new password.
6. Click Apply.

Changing the Superuser password Using ldapmodify

To set or modify a user name or password for the superuser, use ldapmodify to modify the attribute orclsuname or orclsupassword, respectively, in the DSE root. Changing the user name of the superuser can have serious repercussions and is not recommended. To change the password of the superuser to superuserpassword, use an LDIF file such as the following:

dn:
changetype: modify
replace: orclsupassword
orclsupassword: superuserpassword

Changing the Password for the ODSM Administrator Account


Oracle Internet Directory connects to its Oracle Database, using the password specified for the ODS schema during schema creation. It also connects to retrieve its metrics using the ODSSM schema password, given during schema creation as well. The Oracle Enterprise Manager Fusion Middleware Control default password, at the end of install, is the same as the ODSSM password. To change the password for the ODSSM administrator, you must change it in the Oracle Database and then change it on both the WebLogic domain server and on each Oracle instance in the domain. Use the following procedure:
1. Use SQLPlus or a similar tool to alter the password in the database.
2. Invoke wlst and connect to the WebLogic server:

    java weblogic.WLST
    connect('weblogic', 'weblogic_user_password', 'protocol:host:port')

3. Run the following WLST command:

    updateCred(map='odssm', key='ODSSM_instance_name', password='newpassword', user='ODSSM')

4. On each Oracle instance in the WebLogic domain, execute the following command line:

    ORACLE_HOME/ldap/bin/oidcred odssm update [instanceName]

5. Update the component registration of the Oracle instance, as described in "Updating the Component Registration of an Oracle Instance by Using opmnctl".

Restart Fusion Applications


Restore the User Profiles in the Oracle Database and restart the Oracle Fusion Applications Environment

Please bounce all Managed Servers after the tool runs, so that the Managed Servers read the updated configuration information. To restart the Managed Servers:
1. Restore values of user profiles in the Oracle Database:
   a. Log in to the database as a user with DBA privileges.
   b. Alter the default profile to have unlimited login attempts. The following syntax assumes the original value was 10.

        ALTER PROFILE default LIMIT FAILED_LOGIN_ATTEMPTS 10;

   c. Restore the SEARCHSYS_PROF. The following syntax assumes the original value was 10.

        ALTER PROFILE SEARCHSYS_PROF LIMIT FAILED_LOGIN_ATTEMPTS 10;

2. Shut down the Administration Servers.
3. Start all the Admin and Managed Servers. Please consult the following doc to start/stop Fusion Applications using fastartstop utility.
4. Start all opmn processes such as BI, GOP, etc. depending on your Fusion Applications installation type.
5. Start Oracle HTTP Server, so users can resume sending requests.


Appendix A Fusion Apps RUP1 Schema


These are the database schemas implemented based on Fusion Applications RUP1 (New schemas could be added in later Fusion Apps versions).
CRM_FUSION_MDS_SOA
CRM_FUSION_SOAINFRA
FIN_FUSION_MDS_SOA
FIN_FUSION_SOAINFRA
FUSION
FUSION_ACTIVITIES
FUSION_APM
FUSION_AQ
FUSION_BI
FUSION_BIPLATFORM
FUSION_DISCUSSIONS
FUSION_DISCUSSIONS_CRAWLER
FUSION_DQ
FUSION_DYNAMIC
FUSION_IPM
FUSION_MDS
FUSION_MDS_ESS
FUSION_MDS_SPACES
FUSION_OCSERVER11G
FUSION_ODI
FUSION_ODI_STAGE
FUSION_ORA_ESS
FUSION_ORASDPLS
FUSION_ORASDPM
FUSION_ORASDPSDS
FUSION_ORASDPXDMS
FUSION_OTBI
FUSION_PORTLET
FUSION_RUNTIME
FUSION_WEBCENTER
HCM_FUSION_MDS_SOA
HCM_FUSION_SOAINFRA
OIC_FUSION_MDS_SOA
OIC_FUSION_SOAINFRA
PRC_FUSION_MDS_SOA
PRC_FUSION_SOAINFRA
PRJ_FUSION_MDS_SOA
PRJ_FUSION_SOAINFRA
SCM_FUSION_MDS_SOA
SCM_FUSION_SOAINFRA
SEARCHSYS
SETUP_FUSION_MDS_SOA
SETUP_FUSION_SOAINFRA


Appendix B Sample Python script


# WLST (Jython) script: run it with wlst.sh and pass the input file as the first argument.
import sys
import os
import ConfigParser
import time
from datetime import datetime

# sample values; replace with the WebLogic administrator credentials of your environment
_wlsUsername = 'weblogic_fa'
_wlsPassword = 'Welcome1'
_domainT3UrlProperty = 'domain.url.t3'
_wlstSectionName = 'WLS'
_schemaSectionName = 'SCHEMAS'
_servicenameName = 'servicename'
_fusionruntimeName = 'fusion_runtime'
_fsSectionName = 'CommonDomain'

def updateDatasourcesInOneDomain(_wlsUsername, _wlsPassword, _domainT3Url, _parser):
    connect(_wlsUsername, _wlsPassword, _domainT3Url)
    _dsNames = ls('/JDBCSystemResources', returnMap='true', returnType='c')
    edit()
    startEdit()
    for _dsName in _dsNames:
        jdbcSR = lookup(_dsName, "JDBCSystemResource")
        theJDBCResource = jdbcSR.getJDBCResource()
        driverParams = theJDBCResource.getJDBCDriverParams()
        driverProperties = driverParams.getProperties()
        # update schema password if schema user is specified in the input file
        _userprop = driverProperties.lookupProperty('user')
        _userval = _userprop.getValue()
        #print '***user is:' + _userval
        if _parser.has_option(_schemaSectionName, _userval):
            print '*** Updating the password of datasource ' + _dsName + ' (username=' + _userval + ')'
            _dbPassword = _parser.get(_schemaSectionName, _userval)
            # the new password is not echoed: console output ends up in scrollback and logs
            driverParams.setPassword(_dbPassword)
    save()
    activate(block="true")
    disconnect()

# read the input file
try:
    _inputFile = sys.argv[1]
    print '*** Reading ' + str(_inputFile) + '...'
    _parser = ConfigParser.ConfigParser()
    _parser.optionxform = str
    _parser.read(_inputFile)
except:
    print '* Error:'
    sys.exit(2)

# update the datasource passwords
for _sectionName in _parser.sections():
    if _parser.has_option(_sectionName, _domainT3UrlProperty):
        # get domain t3 url
        _domainT3Url = _parser.get(_sectionName, _domainT3UrlProperty)
        print '*** Retrieved ' + _sectionName + ' domain t3 url: ' + _domainT3Url
        try:
            print '************Update Datasource password'
            updateDatasourcesInOneDomain(_wlsUsername, _wlsPassword, _domainT3Url, _parser)
        except:
            dumpStack()
            sys.exit(1)
        print '***Successfully updated datasource '

exit()


Appendix C Sample Input file for Fusion Applications Schemas


[SCHEMAS]
#
# Passwords for all schemas in the Fusion Apps database which
# are used by Fusion Apps and could have corresponding
# data sources or CSF entries.
#
# Used to update data sources and CSF entries to contain
# the new schema passwords.
#
# This list is static for a given Fusion Apps version.
# New schemas could be added in later Fusion Apps versions.
# -------------------------------------------------------------
#
CRM_FUSION_MDS_SOA=crm_fusion_mds_soa
CRM_FUSION_SOAINFRA=crm_fusion_soainfra
FIN_FUSION_MDS_SOA=fin_fusion_mds_soa
FIN_FUSION_SOAINFRA=fin_fusion_soainfra
FUSION=fusion
FUSION_ACTIVITIES=fusion_activities
FUSION_APM=fusion_apm
FUSION_AQ=fusion_aq
FUSION_BI=fusion_bi
FUSION_BIPLATFORM=fusion_biplatform
FUSION_DISCUSSIONS=fusion_discussions
FUSION_DISCUSSIONS_CRAWLER=fusion_discussions_crawler
FUSION_DQ=fusion_dq
FUSION_DYNAMIC=fusion_dynamic
FUSION_IPM=fusion_ipm
FUSION_MDS=fusion_mds
FUSION_MDS_ESS=fusion_mds_ess
FUSION_MDS_SPACES=fusion_mds_spaces
FUSION_OCSERVER11G=fusion_ocserver11g
FUSION_ODI=fusion_odi
FUSION_ODI_STAGE=fusion_odi_stage
FUSION_ORA_ESS=fusion_ora_ess
FUSION_ORASDPLS=fusion_orasdpls
FUSION_ORASDPM=fusion_orasdpm
FUSION_ORASDPSDS=fusion_orasdpsds
FUSION_ORASDPXDMS=fusion_orasdpxdms
FUSION_OTBI=fusion_otbi
FUSION_PORTLET=fusion_portlet
FUSION_RUNTIME=fusion_runtime
FUSION_WEBCENTER=fusion_webcenter
HCM_FUSION_MDS_SOA=hcm_fusion_mds_soa
HCM_FUSION_SOAINFRA=hcm_fusion_soainfra
OIC_FUSION_MDS_SOA=oic_fusion_mds_soa
OIC_FUSION_SOAINFRA=oic_fusion_soainfra
PRC_FUSION_MDS_SOA=prc_fusion_mds_soa
PRC_FUSION_SOAINFRA=prc_fusion_soainfra
PRJ_FUSION_MDS_SOA=prj_fusion_mds_soa
PRJ_FUSION_SOAINFRA=prj_fusion_soainfra
SCM_FUSION_MDS_SOA=scm_fusion_mds_soa
SCM_FUSION_SOAINFRA=scm_fusion_soainfra
SEARCHSYS=searchsys
SETUP_FUSION_MDS_SOA=setup_fusion_mds_soa
SETUP_FUSION_SOAINFRA=setup_fusion_soainfra
SYS=sys

#
# The [*Domain] sections list all Fusion Apps WLS domains
# that contain data sources to be updated.
#
# The list will not change in a given Fusion Apps release,
# but could change in future releases.
# -------------------------------------------------------------
#

[CommonDomain]
#
# The WLS admin URL for the Common Domain
#
domain.url.t3=t3://fa-internal.us.oracle.com:7001

[FinancialDomain]
# The WLS admin URL for the Financials Domain
domain.url.t3=t3://fa-internal.us.oracle.com:7401

[SCMDomain]
# The WLS admin URL for the SCM Domain
domain.url.t3=t3://fa-internal.us.oracle.com:7801

[HCMDomain]
# The WLS admin URL for the HCM Domain
domain.url.t3=t3://fa-internal.us.oracle.com:9401

[CRMDomain]
# The WLS admin URL for the CRM Domain
domain.url.t3=t3://fa-internal.us.oracle.com:9001

[PRJDomain]
# The WLS admin URL for the PRJ Domain
domain.url.t3=t3://fa-internal.us.oracle.com:8601

[BIDomain]
# The WLS admin URL for the BI Domain
domain.url.t3=t3://fa-internal.us.oracle.com:10201

[oracle.apps.security]
#
# CSF key names and corresponding schema names for the CSF map
# oracle.apps.security.
#
# Used to update the password stored along with the schema name
# for each listed CSF entry.
#
# You should not need to change these values.
# -------------------------------------------------------------
#
FUSION_APPS_ECSF_SES_ADMIN-KEY=SEARCHSYS
FUSION-DB-KEY=FUSION_RUNTIME

[oracle.patching]
#
# CSF key names and corresponding schema names for the CSF map
# oracle.patching.
#
# Used to update the password stored along with the schema name
# for each listed CSF entry.
#
# You should not need to change these values.
# -------------------------------------------------------------
#
FUSION_ACTIVITIES-KEY=FUSION_ACTIVITIES
FUSION_APM-KEY=FUSION_APM
FUSION_APPS_BIPLATFORM-KEY=FUSION_BIPLATFORM
FUSION_APPS_CRM_MDS_SOA_SCHEMA-KEY=CRM_FUSION_MDS_SOA
FUSION_APPS_CRM_SOAINFRA-KEY=CRM_FUSION_SOAINFRA
FUSION_APPS_DBA-KEY=SYS
FUSION_APPS_FIN_MDS_SOA_SCHEMA-KEY=FIN_FUSION_MDS_SOA
FUSION_APPS_FIN_SOAINFRA-KEY=FIN_FUSION_SOAINFRA
FUSION_APPS_HCM_MDS_SOA_SCHEMA-KEY=HCM_FUSION_MDS_SOA
FUSION_APPS_HCM_SOAINFRA-KEY=HCM_FUSION_SOAINFRA
FUSION_APPS_MDS-KEY=FUSION_MDS
FUSION_APPS_MDS_ESS-KEY=FUSION_MDS_ESS
FUSION_APPS_MDS_SPACES-KEY=FUSION_MDS_SPACES
FUSION_APPS_ODI_SCHEMA-KEY=FUSION_ODI
FUSION_APPS_OIC_MDS_SOA_SCHEMA-KEY=OIC_FUSION_MDS_SOA
FUSION_APPS_OIC_SOAINFRA-KEY=OIC_FUSION_SOAINFRA
FUSION_APPS_PATCH_FUSION_DYNAMIC_SCHEMA-KEY=FUSION_DYNAMIC
FUSION_APPS_PATCH_FUSION_RUNTIME_SCHEMA-KEY=FUSION_RUNTIME
FUSION_APPS_PATCH_FUSION_SCHEMA-KEY=FUSION
FUSION_APPS_PRC_MDS_SOA_SCHEMA-KEY=PRC_FUSION_MDS_SOA
FUSION_APPS_PRC_SOAINFRA-KEY=PRC_FUSION_SOAINFRA
FUSION_APPS_PRJ_MDS_SOA_SCHEMA-KEY=PRJ_FUSION_MDS_SOA
FUSION_APPS_PRJ_SOAINFRA-KEY=PRJ_FUSION_SOAINFRA
FUSION_APPS_SCM_MDS_SOA_SCHEMA-KEY=SCM_FUSION_MDS_SOA
FUSION_APPS_SCM_SOAINFRA-KEY=SCM_FUSION_SOAINFRA
FUSION_APPS_SETUP_MDS_SOA_SCHEMA-KEY=SETUP_FUSION_MDS_SOA
FUSION_APPS_SETUP_SOAINFRA-KEY=SETUP_FUSION_SOAINFRA
FUSION_APPS_UCM-KEY=FUSION_OCSERVER11G
FUSION_APPS_WEBCENTER-KEY=FUSION_WEBCENTER
FUSION_ORA_ESS-KEY=FUSION_ORA_ESS
SEARCHSYS-KEY=SEARCHSYS

[oracle.bi.enterprise]
#
# CSF key names and corresponding schema names for the CSF map
# oracle.bi.enterprise.
#
# Used to update the password stored along with the schema name
# for each listed CSF entry.
#
# You should not need to change these values.
# -------------------------------------------------------------
#
scheduler.schema=FUSION_BIPLATFORM
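A pre-flight check for an input file laid out like the one above, added here as an example (it is not Oracle's code and not part of the white paper). It reports, before any domain is touched, the cases the credential store script only skips at run time (a CSF key whose schema has no entry in [SCHEMAS], an empty password), sample passwords left equal to the schema name, a domain section without domain.url.t3, and a file that group or other users can access. It is plain Python 3 run outside WLST; the function names, the host and the sample values are assumptions constructed for illustration.

```python
import configparser
import os
import stat

SCHEMA_SECTION = "SCHEMAS"        # section holding schema user -> new password
URL_PROPERTY = "domain.url.t3"    # per-domain WLS admin URL property

# Constructed sample in the layout of Appendix C (host and values are made up).
SAMPLE = """\
[SCHEMAS]
FUSION_RUNTIME=Xk7#pQ2v-constructed
SEARCHSYS=searchsys
FUSION_ODI=

[CommonDomain]
domain.url.t3=t3://fa.example.com:7001

[HCMDomain]
# domain.url.t3 left out on purpose

[oracle.apps.security]
FUSION-DB-KEY=FUSION_RUNTIME
FUSION_APPS_ECSF_SES_ADMIN-KEY=SEARCHSYS

[oracle.patching]
FUSION_APPS_ODI_SCHEMA-KEY=FUSION_ODI
FUSION_APPS_UCM-KEY=FUSION_OCSERVER11G
"""


def load(text):
    """Parse the input text; keep key case and treat '%' in passwords literally."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def check_input(parser):
    """Return a list of findings; an empty list means the file is consistent."""
    if not parser.has_section(SCHEMA_SECTION):
        return ["[%s] section is missing" % SCHEMA_SECTION]
    findings = []
    schemas = dict(parser.items(SCHEMA_SECTION))
    for user, password in sorted(schemas.items()):
        if not password:
            findings.append("%s: empty password" % user)
        elif password.lower() == user.lower():
            findings.append("%s: password equals the schema name" % user)
    for section in parser.sections():
        if section.endswith("Domain") and not parser.has_option(section, URL_PROPERTY):
            findings.append("[%s]: %s is not set" % (section, URL_PROPERTY))
        elif section.startswith("oracle."):
            # CSF map sections: key name -> schema whose password is stored
            for key, schema in parser.items(section):
                if schema not in schemas:
                    findings.append("[%s] %s: schema %s has no entry in [%s]"
                                    % (section, key, schema, SCHEMA_SECTION))
    return findings


def file_mode_findings(path):
    """Flag an input file that anyone but its owner can access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return ["%s: mode %04o lets group/other access cleartext passwords" % (path, mode)]
    return []


if __name__ == "__main__":
    for finding in check_input(load(SAMPLE)):
        print("FINDING", finding)
```

Run file_mode_findings() against the real input file as well, since that file holds every schema password in cleartext.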


Oracle Fusion Applications: Managing Passwords May 2012 Author: Jack Desai, A-Team

Copyright 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. UNIX is a registered trademark licensed through X/Open Company, Ltd. 1010

Oracle Corporation World Headquarters 500 Oracle Parkway Redwood Shores, CA 94065 U.S.A.

Worldwide Inquiries: Phone: +1.650.506.7000 Fax: +1.650.506.7200 oracle.com
