You are on page 1of 23

Oracle Application Express (APEX) 5.

0 Installation
This procedure should be followed for new installations and upgrades affecting the first two
numbers of the version (4.2 to 5.0) are done by doing a full installation. If the first two numbers of
the version are not affected (5.0.0 to 5.0.1) you must download and apply a patch, rather than do
the full installation.

If you are using the multitenant architecture in Oracle 12c, you should read this article before you
continue.

Setup
Installation
OHS Configuration
Embedded PL/SQL Gateway (EPG) Configuration
Network ACLS

Related articles.

Oracle Application Express (APEX) 4.2 Installation


Oracle Application Express (APEX) Patches
Multitenant : Uninstall APEX from the CDB in Oracle Database 12c Release 1 (12.1)
Oracle REST Data Services (ORDS) 3.0 Installation on Tomcat 7

Setup
Download the APEX software.

http://www.oracle.com/technetwork/developer-tools/apex/downloads/index.html

Unzip the software either on your client PC, if you intend to install it from there using the SQL*Plus
client on your PC, or on the database server if you intend to install it from there. The latter will be
more efficient as you will reduce the network traffic between the SQL*Plus client and the database
server.

Create a new tablespace to act as the default tablespace for APEX.

CREATE TABLESPACE apex DATAFILE SIZE 10M AUTOEXTEND ON NEXT 1M;

Installation
Change directory to the directory holding the unzipped APEX software.

$ cd /home/oracle/apex

Connect to SQL*Plus as the SYS user and run the "apexins.sql" script, specifying the relevant
tablespace names and image URL.
SQL> CONN sys@pdb1 AS SYSDBA
SQL> -- @apexins.sql tablespace_apex tablespace_files tablespace_temp images
SQL>
SQL> @apexins.sql APEX APEX TEMP /i/

Once complete, change the admin password by running the "apxchpwd.sql" scripts as the SYS
user.

SQL> CONN sys@pdb1 AS SYSDBA


SQL> @apxchpwd.sql

Create the APEX_LISTENER and APEX_REST_PUBLIC_USER users by running the


"apex_rest_config.sql" script.

SQL> CONN sys@pdb1 AS SYSDBA


SQL> @apex_rest_config.sql

OHS Configuration
Change the password and unlock the APEX_PUBLIC_USER account. This will be used for any
Database Access Descriptors (DADs).

SQL> ALTER USER APEX_PUBLIC_USER IDENTIFIED BY myPassword ACCOUNT UNLOCK;

If you don't want the password to expire you will need to create a new profile with password
expiration disabled and assign it to the user.

Create a DAD in the OHS:

Log into EM (http://server:port/em)


From the tree select "Farm_DomainName > Web Tier > ohs1"
On the resulting page select "Oracle HTTP Server > Administration > Advanced
Configuration"
From the dropdown list slect "dads.conf" and click the "Go" button.
Edit the "dads.conf" file, adding an entry like that shown below, then click the "Apply"
button.

<Location /apex>
Order deny,allow
PlsqlDocumentPath docs
AllowOverride None
PlsqlDocumentProcedure wwv_flow_file_mgr.process_download
PlsqlDatabaseConnectString pdb1 TNSFormat
PlsqlNLSLanguage AMERICAN_AMERICA.AL32UTF8
PlsqlAuthenticationMode Basic
SetHandler pls_handler
PlsqlDocumentTablename wwv_flow_file_objects$
PlsqlDatabaseUsername APEX_PUBLIC_USER
PlsqlDefaultPage apex
PlsqlDatabasePassword myPassword
PlsqlRequestValidationFunction wwv_flow_epg_include_modules.authorize
PlsqlPathAlias r
PlsqlPathAliasProcedure wwv_flow.resolve_friendly_url
Allow from all

</Location>

Select the "Oracle HTTP Server > Control > Restart" option.
Click the resulting "Restart" button.
Once restarted, click the "Close" button.

Alternatively, edit the "dads.conf" file directly. For the OHS that comes with Forms and Reports
Services, this is located here "$FR_INST/config/OHS/ohs1/mod_plsql/dads.conf". Once amended,
remember to restart the HTTP server.

$ $FR_INST/bin/opmnctl restartproc process-type=OHS

Copy the APEX images to your Oracle HTTP Server.

$ cp -R /tmp/apex/images $FR_INST/config/OHS/ohs1/htdocs/apex_images

Make them available from the "/i/" alias by adding the following alias to the virtual host defined in
the "ssl.conf" or "httpd.conf" file in the "$FR_INST/config/OHS/ohs1" directory.

Alias /i/ "/u01/app/oracle/middleware/FR_inst/config/OHS/ohs1/htdocs/apex_images/"

APEX should now be available from a URL like "http://machine:port/apex".

Embedded PL/SQL Gateway (EPG) Configuration


Run the "apex_epg_config.sql" script, passing in the base directory of the installation software as
a parameter.

SQL> CONN sys@pdb1 AS SYSDBA


SQL> @apex_epg_config.sql /home/oracle

Unlock the ANONYMOUS account.

SQL> ALTER USER ANONYMOUS ACCOUNT UNLOCK;

If this is an upgrade to an existing APEX installation, you will also have to run the following script,
to update the images.

SQL> @apxldimg.sql /home/oracle

Check the port setting for XML DB Protocol Server.

SQL> SELECT DBMS_XDB.gethttpport FROM DUAL;

GETHTTPPORT
-----------
0

1 row selected.

SQL>

If it is set to "0", you will need to set it to a non-zero value to enable it.

SQL> EXEC DBMS_XDB.sethttpport(8080);

PL/SQL procedure successfully completed.

SQL>

APEX should now be available from a URL like "http://machine:port/apex".


Fine-Grained Access to Network Services in Oracle Database
11g Release 1
Oracle allows access to external network services using several PL/SQL APIs
(UTL_TCP, UTL_SMTP, UTL_MAIL, UTL_HTTP andUTL_INADDR), all of which are implemented using the
TCP protocol. In previous versions of the database, access to external services was effectively an
on/off switch based on whether a user was granted execute permissions on a specific package or
not. Oracle 11g introduces fine grained access to network services using access control lists
(ACL) in the XML DB repository, allowing control over which users access which network
resources, regardless of package grants.

Access control lists can be created, amended and deleted in the XML DB repository directly using
FTP or WebDav. In addition, Oracle provide
the DBMS_NETWORK_ACL_ADMIN andDBMS_NETWORK_ACL_UTILITY packages to allow ACL management
from PL/SQL. These APIs are the subject of this article.

Create an Access Control List (ACL)


Assign an ACL to a Network
ACL Views
Checking Privileges
Test the ACL
Other Security Considerations
Open ACL

Related articles.

Fine-Grained Access to Network Services Enhancements in Oracle Database 12c Release


1

Create an Access Control List (ACL)


Access control lists are manipulated using the DBMS_NETWORK_ACL_ADMIN package.
The CREATE_ACL procedure uses the following parameters to create a new ACL:

acl - The name of the access control list XML file, generated relative to the "/sys/acls"
directory in the XML DB Repository.
description - A description of the ACL.
principal - The first user account or role being granted or denied permissions. The text is
case sensitive.
is_grant - TRUE to grant, FALSE to deny the privilege.
privilege - Use 'connect' for UTL_TCP, UTL_SMTP, UTL_MAIL and UTL_HTTP access. Use
'resolve' forUTL_INADDR name/IP resolution. The text is case sensitive.
start_date - Default value NULL. When specified, the ACL will only be active on or after the
specified date.
end_date - An optional end date for the ACL.
The following code creates two test users to act as principals, then creates a new ACL.

CONN sys/password@db11g AS SYSDBA

CREATE USER test1 IDENTIFIED BY test1;


GRANT CONNECT TO test1;

CREATE USER test2 IDENTIFIED BY test2;


GRANT CONNECT TO test2;

BEGIN
DBMS_NETWORK_ACL_ADMIN.create_acl (
acl => 'test_acl_file.xml',
description => 'A test of the ACL functionality',
principal => 'TEST1',
is_grant => TRUE,
privilege => 'connect',
start_date => SYSTIMESTAMP,
end_date => NULL);

COMMIT;
END;
/

Once created, the ACL is visible in the "http://host:port/sys/acls/" directory.

Additional users or roles are added to the ACL using the ADD_PRIVILEGE procedure. Its parameter
list is similar to the CREATE_ACL procedure, with the omission of the DESCRIPTION parameter and the
addition of a POSITIONparameter, which sets the order of precedence.

BEGIN
DBMS_NETWORK_ACL_ADMIN.add_privilege (
acl => 'test_acl_file.xml',
principal => 'TEST2',
is_grant => FALSE,
privilege => 'connect',
position => NULL,
start_date => NULL,
end_date => NULL);

COMMIT;
END;
/

Each principal is defined as a separate access control element (ACE), within the ACL. When
multiple principles are defined, they are evaluated in order from top to bottom, with the last
relevant reference used to define the privilege. This means a role that denies access to a resource
can be granted to a user, but if the user is defined as a principal further down the file, that
definition will override the role definition for that user. Use the POSITIONparameter to ensure
privileges are evaluated in order.

Privileges are removed using the DELETE_PRIVILEGE procedure. If


the IS_GRANT or PRIVILEGE parameters are NULL, all grants or privileges for the ACL and principal
are removed.

BEGIN
DBMS_NETWORK_ACL_ADMIN.delete_privilege (
acl => 'test_acl_file.xml',
principal => 'TEST2',
is_grant => FALSE,
privilege => 'connect');

COMMIT;
END;
/

ACLs are deleted using the DROP_ACL procedure.

BEGIN
DBMS_NETWORK_ACL_ADMIN.drop_acl (
acl => 'test_acl_file.xml');

COMMIT;
END;
/

Assign an ACL to a Network


Access control lists are assigned to networks using the ASSIGN_ACL procedure, whose parameters
are listed below:

acl - The name of the access control list XML file.


host - The hostname, domain, IP address or subnet to be assigned. Hostnames are case
sensitive, and wildcards are allowed for IP addresses and domains.
lower_port - Defaults to NULL. Specifies the lower port range for the 'connect' privilege.
upper_port - Defaults to NULL. If the lower_port is specified, and the upper_port is NULL, it
is assumed the upper_port matches the lower_port.

The code below shows the ACL created previously being assigned to a specific IP address and a
subnet.

BEGIN
DBMS_NETWORK_ACL_ADMIN.assign_acl (
acl => 'test_acl_file.xml',
host => '192.168.2.3',
lower_port => 80,
upper_port => NULL);

DBMS_NETWORK_ACL_ADMIN.assign_acl (
acl => 'test_acl_file.xml',
host => '10.1.10.*',
lower_port => NULL,
upper_port => NULL);

COMMIT;
END;
/

Only one ACL can be assigned to a specific host and port-range combination. Assigning a new
ACL to a specific host and port-range results in the deletion of the previous assignment. You must
take care when making a new assignment that you are not opening ports that were closed by a
previous ACL assignment, or you could be opening yourself to attack. When wildcard usage
causes overlapping assignments, the most specific assignment will take precedence, so an ACL
assigned to 192.168.2.3:80 takes precedence over once assigned to 192.168.2.* etc.

The UNASSIGN_ACL procedure allows you to manually drop ACL assignments. It uses the same
parameter list as the ASSIGN_ACL procedure, with any NULL parameters acting as wildcards.

BEGIN
DBMS_NETWORK_ACL_ADMIN.unassign_acl (
acl => 'test_acl_file.xml',
host => '192.168.2.3',
lower_port => 80,
upper_port => NULL);

COMMIT;
END;
/

ACL Views
The DBA_NETWORK_ACLS, DBA_NETWORK_ACL_PRIVILEGES and USER_NETWORK_ACL_PRIVILEGES views
display the current ACL settings. The expected output below assumes none of the
delete/drop/unassign operations have been performed.

The DBA_NETWORK_ACLS view displays information about network and ACL assignments.

COLUMN host FORMAT A30


COLUMN acl FORMAT A30

SELECT host, lower_port, upper_port, acl


FROM dba_network_acls;

HOST LOWER_PORT UPPER_PORT ACL


------------------------------ ---------- ---------- -----------------------------
-
10.1.10.* /sys/acls/test_acl_file.xml
192.168.2.3 80 80 /sys/acls/test_acl_file.xml

2 rows selected.

SQL>

The DBA_NETWORK_ACL_PRIVILEGES view displays information about privileges associated with the
ACL.

COLUMN acl FORMAT A30


COLUMN principal FORMAT A30
SELECT acl,
principal,
privilege,
is_grant,
TO_CHAR(start_date, 'DD-MON-YYYY') AS start_date,
TO_CHAR(end_date, 'DD-MON-YYYY') AS end_date
FROM dba_network_acl_privileges;

ACL PRINCIPAL PRIVILE IS_GR START_


DATE END_DATE
------------------------------ ------------------------------ ------- ----- ------
----- -----------
/sys/acls/test_acl_file.xml TEST1 connect true 02-APR
-2008
/sys/acls/test_acl_file.xml TEST2 connect false

2 rows selected.

SQL>

The USER_NETWORK_ACL_PRIVILEGES view displays the current users network ACL settings.

CONN test1/test1@db11g

COLUMN host FORMAT A30

SELECT host, lower_port, upper_port, privilege, status


FROM user_network_acl_privileges;

HOST LOWER_PORT UPPER_PORT PRIVILE STATUS


------------------------------ ---------- ---------- ------- -------
10.1.10.* connect GRANTED
192.168.2.3 80 80 connect GRANTED

2 rows selected.
SQL>

CONN test2/test2@db11g

COLUMN host FORMAT A30

SELECT host, lower_port, upper_port, privilege, status


FROM user_network_acl_privileges;

HOST LOWER_PORT UPPER_PORT PRIVILE STATUS


------------------------------ ---------- ---------- ------- -------
10.1.10.* connect DENIED
192.168.2.3 80 80 connect DENIED

2 rows selected.

SQL>

Checking Privileges
In addition to the ACL views, privileges can be checked using
the CHECK_PRIVILEGE and CHECK_PRIVILEGE_ACLIDfunctions of
the DBMS_NETWORK_ACL_ADMIN package.

CONN sys/password@db11g AS SYSDBA

SELECT DECODE(
DBMS_NETWORK_ACL_ADMIN.check_privilege('test_acl_file.xml', 'TEST1', 'con
nect'),
1, 'GRANTED', 0, 'DENIED', NULL) privilege
FROM dual;

PRIVILE
-------
GRANTED

1 row selected.
SQL>

COLUMN acl FORMAT A30


COLUMN host FORMAT A30

SELECT acl,
host,
DECODE(
DBMS_NETWORK_ACL_ADMIN.check_privilege_aclid(aclid, 'TEST2', 'connect'),
1, 'GRANTED', 0, 'DENIED', NULL) privilege
FROM dba_network_acls;

PRIVILE
-------
DENIED

1 row selected.

SQL>

The DBMS_NETWORK_ACL_UTILITY package contains functions to help determine possible matching


domains. TheDOMAINS table function returns a collection of all possible references that may affect
the specified host, domain, IP address or subnet, in order of precedence.

SELECT *
FROM TABLE(DBMS_NETWORK_ACL_UTILITY.domains('oel5-11g.localdomain'));

COLUMN_VALUE
-------------------------------
oel5-11g.localdomain
*.localdomain
*

3 rows selected.
SQL>

SELECT *
FROM TABLE(DBMS_NETWORK_ACL_UTILITY.domains('192.168.2.3'));

COLUMN_VALUE
-------------------------------
192.168.2.3
192.168.2.*
192.168.*
192.*
*

5 rows selected.

SQL>

The DOMAIN_LEVEL function returns the level of the specified host, domain, IP address or subnet.

SELECT DBMS_NETWORK_ACL_UTILITY.domain_level('oel5-11g.localdomain')
FROM dual;

DBMS_NETWORK_ACL_UTILITY.DOMAIN_LEVEL('OEL5-11G.LOCALDOMAIN')
-------------------------------------------------------------
2

1 row selected.

SQL>

SELECT DBMS_NETWORK_ACL_UTILITY.domain_level('192.168.2.3')
FROM dual;

DBMS_NETWORK_ACL_UTILITY.DOMAIN_LEVEL('192.168.2.3')
----------------------------------------------------
4
1 row selected.

SQL>

These functions may be useful for when querying the ACL views for possible matches to a specific
host, domain, IP address or subnet.

SELECT host,
lower_port,
upper_port,
acl,
DECODE(
DBMS_NETWORK_ACL_ADMIN.check_privilege_aclid(aclid, 'TEST1', 'connect'),
1, 'GRANTED', 0, 'DENIED', null) PRIVILEGE
FROM dba_network_acls
WHERE host IN (SELECT *
FROM TABLE(DBMS_NETWORK_ACL_UTILITY.domains('10.1.10.191')))
ORDER BY
DBMS_NETWORK_ACL_UTILITY.domain_level(host) desc, lower_port, upper_port;

HOST LOWER_PORT UPPER_PORT ACL


PRIVILE
------------------------------ ---------- ---------- -----------------------------
- -------
10.1.10.* /sys/acls/test_acl_file.xml
GRANTED

1 row selected.

SQL>

Test the ACL


The TEST1 and TEST2 users have the ACL allowed and denied respectively. This means we can
test the ACL functionality by comparing their responses to calls to external network services. The
following code grants execute permission on the UTL_HTTP package to both users, then attempts to
access a web page from each user.
CONN sys/password@db11g AS SYSDBA
GRANT EXECUTE ON UTL_HTTP TO test1, test2;

CONN test1/test1@db11g

DECLARE
l_url VARCHAR2(50) := 'http://192.168.2.3:80';
l_http_request UTL_HTTP.req;
l_http_response UTL_HTTP.resp;
BEGIN
-- Make a HTTP request and get the response.
l_http_request := UTL_HTTP.begin_request(l_url);
l_http_response := UTL_HTTP.get_response(l_http_request);
UTL_HTTP.end_response(l_http_response);
END;
/

PL/SQL procedure successfully completed.

SQL>

CONN test2/test2@db11g

DECLARE
l_url VARCHAR2(50) := 'http://192.168.2.3:80';
l_http_request UTL_HTTP.req;
l_http_response UTL_HTTP.resp;
BEGIN
-- Make a HTTP request and get the response.
l_http_request := UTL_HTTP.begin_request(l_url);
l_http_response := UTL_HTTP.get_response(l_http_request);
UTL_HTTP.end_response(l_http_response);
END;
/
DECLARE
*
ERROR at line 1:
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1029
ORA-24247: network access denied by access control list (ACL)
ORA-06512: at line 7

SQL>

From this we can see that the TEST1 user was able to access the web page, while the TEST2
user was denied access by the ACL.

The default action of the server is to deny access to external network service, as shown by the
following test on a new user.

CONN sys/password@db11g AS SYSDBA

CREATE USER test3 IDENTIFIED BY test3;


GRANT CONNECT TO test3;
GRANT EXECUTE ON UTL_HTTP TO test3;

CONN test3/test3@db11g

DECLARE
l_url VARCHAR2(50) := 'http://192.168.2.3:80';
l_http_request UTL_HTTP.req;
l_http_response UTL_HTTP.resp;
BEGIN
-- Make a HTTP request and get the response.
l_http_request := UTL_HTTP.begin_request(l_url);
l_http_response := UTL_HTTP.get_response(l_http_request);
UTL_HTTP.end_response(l_http_response);
END;
/
DECLARE
*
ERROR at line 1:
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1029
ORA-24247: network access denied by access control list (ACL)
ORA-06512: at line 7

SQL>

This may cause some confusion when upgrading databases that access external network services
from 10g to 11g. In these situations, it will be necessary to implement suitable access control lists
before your original functionality is possible.

Other Security Considerations


Pete Finnigan commented on his blog and in his security presentations about the fact that the
ACLs are not tied to a specific package. This means opening a port on a server with the 'connect'
privilege makes it accessible byUTL_TCP, UTL_SMTP, UTL_MAIL and UTL_HTTP. With this in mind there
are some things to consider:

The use of fine-grained access to network services is not an excuse to ignore basic security
measures, likerevoking unnecessary privileges on network service related packages.
Control over the services you make available is possible by limiting access to the specific
ports. If you only need HTTP access to port 80, specify the port rather than opening access
to all ports on the server.
Wildcards can be dangerous as you may be granting access to more servers that you
should.
You must protect your ACLs. If people can alter them, they become useless as a protection
mechanism. Prevent direct access to the ACLs in the XML DB repository and make sure
users don't have access to the management APIs.

Thanks to Pete Finnigan for his input.

Open ACL
From a security standpoint, it's not a good idea to allow complete network access from the
database, but for testing features I sometimes find it useful to create an open ACL for an instance.

CONN / AS SYSDBA
BEGIN
DBMS_NETWORK_ACL_ADMIN.create_acl (
acl => 'open_acl_file.xml',
description => 'A test of the ACL functionality',
principal => 'TEST',
is_grant => TRUE,
privilege => 'connect',
start_date => SYSTIMESTAMP,
end_date => NULL);

DBMS_NETWORK_ACL_ADMIN.assign_acl (
acl => 'open_acl_file.xml',
host => '*',
lower_port => 1,
upper_port => 9999);

COMMIT;
END;
/
Oracle REST Data Services (ORDS) 3.0 Installation on
Tomcat 7
Oracle REST Data Services (ORDS), formerly known as the APEX Listener, allows APEX
applications to be deployed without the use of Oracle HTTP Server (OHS) and mod_plsql or
theEmbedded PL/SQL Gateway. ORDS version 3.0 also includes JSON API support to work in
conjunction with the JSON support in the 12c database. ORDS can be deployed on WebLogic,
Glassfish or Tomcat. This article describes the installation of ORDS on Tomcat 7.

Assumptions
Downloads
ORDS Installation
Tomcat Deployment

Related articles.

Oracle Application Express (APEX) 4.2 Installation


Oracle Application Express (APEX) 5.0 Installation
Apache Tomcat 7 Installation on Linux (RHEL and clones)

Assumptions
You have a server with Tomcat 7 installed on it. In this case I used a server with Oracle
Linux 6 and Tomcat 7 installed on it.
You have a database with APEX 4.2 installed.

Downloads
Download the following software.

Oracle REST Data Services 3.0

ORDS Installation
Make sure the APEX_PUBLIC_USER account is unlocked.

ALTER USER APEX_PUBLIC_USER IDENTIFIED BY Password1 ACCOUNT UNLOCK;

Unzip the ORDS distribution. In this case we are doing this as the "tomcat" user on the server.

# su - tomcat
$ mkdir ords-3.0.0
$ cd ords-3.0.0
$ unzip /tmp/ords.3.0.0.343.07.58.zip
Make a directory to hold the configuration. If you have any failures during the installation,
remember to delete the contents of this directory before trying again.

$ mkdir -p /home/tomcat/ords-3.0.0-conf

Edit the "params/ords_params.properties" file provided with the ORDS software, setting the
appropriate parameters for your installation. In this case my file contents were as follows.

db.hostname=ol6-121.localdomain
db.port=1521
db.servicename=pdb1
db.username=APEX_PUBLIC_USER
migrate.apex.data=false
rest.services.apex=true
schema.tablespace.default=APEX
schema.tablespace.temp=TEMP
user.tablespace.default=APEX
user.tablespace.temp=TEMP

Use the "ords.war" file to specify the configuration directory using the following command.

$ $JAVA_HOME/bin/java -jar ords.war configdir /home/tomcat/ords-3.0.0-conf


Dec 23, 2014 11:37:06 AM oracle.dbtools.auth.crypto.CryptoKeysGenerator startup
INFO: No encryption key found in configuration, generating key
Dec 23, 2014 11:37:06 AM oracle.dbtools.auth.crypto.CryptoKeysGenerator startup
INFO: No mac key found in configuration, generating key
Dec 23, 2014 11:37:06 AM oracle.dbtools.common.config.file.ConfigurationFilesBase
update
INFO: Updated configurations: defaults
Dec 23, 2014 11:37:06 AM oracle.dbtools.auth.crypto.CryptoKeysGenerator startup
INFO: Updated configuration with generated keys
Dec 23, 2014 11:37:06 AM oracle.json.ords.SodaShared startup
INFO: Starting up ORDS JSON service
Dec 23, 2014 11:37:06 AM oracle.dbtools.cmdline.ModifyConfigDir execute
INFO: Set config.dir to /home/tomcat/ords-3.0.0-conf in: /home/tomcat/ords-3.0.0/o
rds.war
Dec 23, 2014 11:37:09 AM oracle.json.ords.SodaShared shutdown
INFO: Shutting down ORDS JSON service
$
Configure ORDS using the following command. This is the equivalent of specifying the "install
simple" command line parameters.

$ $JAVA_HOME/bin/java -jar ords.war


Dec 23, 2014 11:37:35 AM oracle.dbtools.auth.crypto.CryptoKeysGenerator startup
INFO: No encryption key found in configuration, generating key
Dec 23, 2014 11:37:35 AM oracle.dbtools.auth.crypto.CryptoKeysGenerator startup
INFO: No mac key found in configuration, generating key
Dec 23, 2014 11:37:35 AM oracle.dbtools.common.config.file.ConfigurationFilesBase
update
INFO: Updated configurations: defaults
Dec 23, 2014 11:37:35 AM oracle.dbtools.auth.crypto.CryptoKeysGenerator startup
INFO: Updated configuration with generated keys
Dec 23, 2014 11:37:35 AM oracle.json.ords.SodaShared startup
INFO: Starting up ORDS JSON service
Enter the database password for APEX_PUBLIC_USER:
Confirm password:
Enter the database password for ORDS_PUBLIC_USER:
Confirm password:
Enter the database password for APEX_LISTENER:
Confirm password:
Enter the database password for APEX_REST_PUBLIC_USER:
Confirm password:

Please login with SYSDBA privileges to verify Oracle REST Data Services schema. In
stallation may be required.

Enter the username with SYSDBA privileges to complete the installation [SYS]:
Enter the database password for SYS AS SYSDBA:
Confirm password:
Dec 23, 2014 11:38:01 AM oracle.dbtools.rt.config.setup.SchemaSetup addSchemaParam
s
INFO:
Oracle REST Data Services schema does not exist and will be created.
Dec 23, 2014 11:38:02 AM oracle.dbtools.common.config.file.ConfigurationFilesBase
update
INFO: Updated configurations: defaults, apex, apex_pu, apex_al, apex_rt
Dec 23, 2014 11:38:02 AM oracle.dbtools.installer.Installer installORDS
INFO:
Installing Oracle REST Data Services version 3.0.0.343.08.03
... Log file written to /home/tomcat/ords-3.0.0/logs/ordsinstall_2014-12-23_113802
_00114.log
... Verified database prerequisites
... Created Oracle REST Data Services schema
... Granted privileges to Oracle REST Data Services
... Created Oracle REST Data Services database objects
... Created Oracle REST Data Services proxy user
Dec 23, 2014 11:38:14 AM oracle.dbtools.installer.Installer installORDS
INFO: Completed installation for Oracle REST Data Services version 3.0.0.343.08.03
. Elapsed time: 00:00:12.106

Dec 23, 2014 11:38:14 AM oracle.json.ords.SodaShared shutdown


INFO: Shutting down ORDS JSON service
$

Tomcat Deployment
Copy the APEX images to the Tomcat "webapps" directory.

$ mkdir $CATALINA_HOME/webapps/i/
$ cp -R /tmp/apex/images/* $CATALINA_HOME/webapps/i/

Copy the "ords.war" file to the Tomcat "webapps" directory.

$ cd ~/ords-3.0.0
$ cp ords.war $CATALINA_HOME/webapps/

ORDS should now be accessible using the following type of URL.

http://server-name:8080/ords/

If you want to change the URL from "ords" to something else, simply rename the "ords.war" file
while copying it to the "webapps" directory.
$ cd ~/ords-3.0.0
$ cp ords.war $CATALINA_HOME/webapps/apex.war