
Monday, June 20, 2022

OLSNODES command in RAC:

The olsnodes command provides the list of nodes and other information for all nodes participating in the cluster. You can use this command to quickly check that your cluster is operational and that all nodes are registered as members of the cluster. This command also provides an easy method for obtaining the node numbers.

oracle@vgeb07hr:/dev/mapper [+ASM1]# olsnodes -h

Syntax:

olsnodes [[-n] [-i] [-s] [-t] [node_name | -l [-p]] | [-c]] [-g] [-v]

Command Description

-n Lists all nodes participating in the cluster and includes the assigned node numbers.

-i Lists all nodes participating in the cluster and includes the Virtual Internet Protocol (VIP) address assigned to each node.

-s Displays the status of the node: active or inactive.

-t Displays node type: pinned or unpinned.

node_name Displays information for a particular node.

-l [-p] Lists the local node and includes the private interconnect for the local node. The -p option is only valid when you specify it along with the -l option.

-c Displays the name of the cluster.

-g Logs cluster verification information with more details.

-v Logs cluster verification information in verbose mode. Use in debug mode and only at the direction of My Oracle Support.

To list all nodes in the cluster:

# olsnodes -i -n -s -t

To find local node name with private interconnect.

 olsnodes -l -p

To find cluster name:

olsnodes -c
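
An added example (not from the original post) that turns the olsnodes -n -i -s -t listing into a health check: it flags nodes that are not Active, nodes without a VIP, and a node count that differs from what you expect. The sample output and node names are constructed, and the <none> VIP placeholder is an assumption about how a missing VIP is printed.

```shell
#!/bin/sh
# Constructed sample of `olsnodes -n -i -s -t` output (not captured from a real cluster).
# Columns: node name, node number, VIP, status, pin state.
sample_olsnodes() {
cat <<'EOF'
racnode1 1 racnode1-vip Active Unpinned
racnode2 2 racnode2-vip Inactive Unpinned
racnode3 3 <none> Active Unpinned
EOF
}

# check_olsnodes EXPECTED_NODE_COUNT
# Reads the listing on stdin, prints one line per problem and returns 1 if
# anything was reported, 0 if every node is Active, has a VIP and the count matches.
check_olsnodes() {
    awk -v expected="$1" '
        NF == 0 { next }
        NF != 5 { printf "UNPARSED line %d: %s\n", NR, $0; problems++; next }
        { seen++ }
        tolower($4) != "active" {
            printf "NODE_DOWN %s (node %s) status=%s\n", $1, $2, $4; problems++
        }
        $3 == "<none>" {   # assumed placeholder for a node without a VIP
            printf "NO_VIP %s (node %s)\n", $1, $2; problems++
        }
        END {
            if (seen + 0 != expected + 0) {
                printf "NODE_COUNT expected=%d seen=%d\n", expected, seen
                problems++
            }
            exit (problems > 0 ? 1 : 0)
        }
    '
}

# On a cluster node this would be: olsnodes -n -i -s -t | check_olsnodes 3
sample_olsnodes | check_olsnodes 3 || echo "cluster needs attention"
```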

Reference:

http://oracle-help.com/oracle-rac/olsnodes-command-rac/

https://dbaclass.com/article/olsnodes-commands-rac/

Sunday, June 19, 2022

Interview Question/Answer-Application 11i/R12/R12.2:

 Why do you need GUEST/ORACLE To connect to database?

GUEST account is used to obtain the decrypted value of the apps password for internal processes (i.e. when there is a need to connect as apps internally).

When the account gets locked or end-dated, you will see a blank page when you try to log in to the instance. In that scenario you will have to correct the situation from the back end, as you will not be able to log in to the application.

*******

The GUEST user account is used internally by the application (it is an application user). One of the major needs for this account arises when the APPS password, which is stored in an encrypted format in the apps tables, has to be decrypted. The GUEST username/password is used to accomplish this task (using the "Guest User Password" profile option).


You will not find much detail about the GUEST account documented anywhere (maybe for security reasons).

Key points :

s_guest_user is GUEST and s_guest_pwd is EXPORT in adconfig xml file.

select fnd_web_sec.validate_login('GUEST','ORACLE') from dual;  (to validate that the guest user is correct)

select fnd_profile.value('GUEST_USER_PWD') from dual;  (to find the current guest user password)

Check that the GUEST/ORACLE password is present in the DBC file in the $FND_TOP/secure directory as well as in the $FND_TOP/secure/SID_hostname directory.

What happens if "alter user apps identified by password" is run for the apps user?

We cannot change the apps password through an alter user statement, because Oracle Applications uses the APPS password to encrypt the end users' passwords in FND_USER and the Oracle users' passwords in FND_ORACLE_USERID. Using FNDCPASS to change the APPS password changes the encrypted_oracle_password column in these two tables; alter user does not do this. FNDCPASS updates the DBA_USERS table as well, whereas running alter user apps identified by password updates only DBA_USERS.

If you have mistakenly used alter user, you may see the error below:

APP-FND-01496: Cannot access application ORACLE password

Cause: Application Object Library was unable access your ORACLE password.

It is very difficult to recover the application at this stage.

What is Actualize all, How it works?

When the number of old database editions reaches 25 or more, we should consider dropping all old database editions by running the adop actualize_all.

What is difference between finalize_mode=full & finalize_mode=quick ?

$ adop phase=finalize

$ adop phase=finalize finalize_mode=quick == This is Default Mode

$ adop phase=finalize finalize_mode=full    

Finalize can be run in 2 modes: “QUICK” or “FULL”

FULL gathers database dictionary statistics (not transaction tables statistics)

QUICK skips gathering database dictionary statistics.

How to change weblogic password from Backend in EBS 12.2.x?

On EBS 12.2.X environments, if you are on R12.AD.C.Delta.7 and R12.TXK.C.Delta.7 or later, we can change the WebLogic admin server password using the script below.

1. Start up the admin server. Do not start any other services.

$ . ./EBSapps.env RUN

$ cd $ADMIN_SCRIPTS_HOME

$ adadminsrvctl.sh start

2. Run the below script  

perl $FND_TOP/patch/115/bin/txkUpdateEBSDomain.pl -action=updateAdminPassword

[The script will prompt for Current and New Weblogic Password and restarts Weblogic admin server using the new password.]

3. Run fs_clone to propagate the changes to the alternate file system (Patch File system).

How to Update APPS password in EBS Datasource (EBS 12.2.x)?

From EBS 12.2.x onwards, whenever we change the apps password we need to update the new apps password in the EBS Datasource.

Otherwise the managed servers won't come up.

Steps to update the apps password in the WebLogic datasource for EBS 12.2.x, post AD-TXK 7:

1. Start only the admin server. Do not start any other services.

$ . ./EBSapps.env RUN

$ cd $ADMIN_SCRIPTS_HOME

$ adadminsrvctl.sh start

2. Update the apps password in the Datasource from the back end:

$ perl $FND_TOP/patch/115/bin/txkManageDBConnectionPool.pl

When prompted select the "updateDSPassword" option.

Sample screen output:

perl $FND_TOP/patch/115/bin/txkManageDBConnectionPool.pl

Please select from list of valid options

        updateDSPassword - Update WebLogic Datasource Password

        updateDSJdbcUrl  - Update WebLogic Datasource Connection String

Enter Your Choice : updateDSPassword

Enter the full path of Applications Context File [DEFAULT -]:

Enter weblogic admin server password:

Enter the APPS user password:

Note: We can also update the apps password in EBS Datasource from Weblogic console. 


What if we forgot to run adpreclone.pl and the copy has completed?

What will happen to a scheduled request if the user who submitted it is end-dated?

How to monitor CM with OEM?

What to do if a patch fails in relinking?

What is batch size in adpatch?

While applying a patch, the patch may contain scripts that update data in batches. This prompt allows you to specify how many rows will be updated at a time. It is recommended that you accept the default unless you know your system well. If you enter a negative or an invalid number, adpatch will use the default value (in this case a value of 1000).

(Or)

The batch size refers to the number of rows to commit at a time when certain scripts run. If we don't enter a specific value, AutoPatch takes the default, which is normally set to a relatively small value to accommodate systems with a small rollback segment.

+++++++++++++Doc ID 1311402.1+++++++++++

What is the difference between a CPU patch and a PSU patch? Can we apply a CPU patch over a PSU patch?

patch conflict

Different types of Patch Conflicts - Superset/Subset/Duplicate/Bug/File [ID 563656.1]

Patch:

A patch is a piece of software or code designed to fix problems in existing software. These fixes can be security vulnerability fixes or bug fixes. In certain cases a patch also increases or enhances the functionality of the software.

Interim patch:

Interim patches are also known as "one-off patches". Interim patches are released between CPU or PSU releases to fix a specific issue. These patches generally address specific bug fixes for a specific customer and should not be applied unless specified by Oracle Support Services.

Critical patch update (CPU):

These are the cumulative patches consisting of security fixes. 

Patch set update (PSU):

These are quarterly cumulative patches that contain security fixes as well as additional fixes; sometimes a PSU includes feature enhancements as well. So we can say that a PSU includes the security fixes of the CPU plus additional bug fixes. Which path you choose (CPUs only or PSUs only) depends on your requirements and needs. Systems that store sensitive information and/or are exposed to the internet (or are more susceptible to attack) will need to go the CPU route (where patches are released on a quarterly basis).

Once a PSU is applied, only PSUs can be applied in future quarters until the database is upgraded to a new base version.

Can we apply a CPU patch over a PSU patch?

It depends.

The OPatch utility handles conflicts with the patch sets already installed.

Patch Conflicts

Not all patches are compatible with one another. For example, if a patch has been applied, all the bugs fixed by that patch could reappear after another patch is applied. This is called a conflict situation. OPatch detects such situations and raises an error when it detects a conflict.

http://docs.oracle.com/cd/B19306_01/em.102/b16227/oui8_opatch.htm

Logo change in EBS:

https://www.funoracleapps.com/2023/01/how-to-changeadd-custom-logo-at-top-of.html

What are the high level steps for upgrading 11i to R12.1.3?

Restart the failed patch from place you left

adop phase=apply patches=patch restart=yes

Restart the failed patch from beginning

adop phase=apply patches=patch abandon=yes

Ignore Failed Patch and Apply New Patch

adop phase=apply patches=NewPatch abandon=yes

Reapply a previously applied Patch 

adop phase=apply options=forceapply patches=patch

How to abort a patching cycle

adop phase=abort

Post step run below command

adop phase=cleanup cleanup_mode=full

adop phase=fs_clone

If the system crashes and the patch is unable to proceed, what should we do?

We will see an error such as:

Error: Unable to continue as already another user is using adzdoptl.pl.

Previous session exist, cannot continue as per user input

Steps:

➢ Run the following statement to find out the session that is in running state:

 select adop_session_id from ad_adop_sessions where status='R';

➢ Set the status to Completed ('C') for that session to retry the phase that was interrupted:

 update ad_adop_sessions set status='C' where status='R';

ADOP question : https://www.funoracleapps.com/2021/11/ebs-122-adop-interview-questions.html



Undo Tablespace/Undo Management in Oracle:

Oracle Database keeps records of actions of transactions, before they are committed and Oracle needs this information to rollback or undo the changes to the database. These records are called rollback or undo records.

These records are used to:

Rollback transactions - when a ROLLBACK statement is issued, undo records are used to undo changes that were made to the database by the uncommitted transaction.

Recover the database - during database recovery, undo records are used to undo any uncommitted changes applied from the redolog to the datafiles.

Provide read consistency - undo records provide read consistency by maintaining the before image of the data for users who are accessing the data at the same time that another user is changing it.

UNDO_RETENTION:

This value specifies the amount of time undo is kept in the tablespace. Set the undo_retention parameter to the amount of time you want undo information retained in the database.

The default value for the UNDO_RETENTION parameter is 900.

If an active transaction requires undo space and the undo tablespace does not have available space, then the system starts reusing unexpired undo space (if retention is not guaranteed). This action can potentially cause some queries to fail with the ORA-01555 "snapshot too old" error message.

UNDO_MANAGEMENT = AUTO

Friday, June 17, 2022

ADOP Interview Questions:

 Does Online Patching increase the network port requirements on an Oracle E-Business Suite instance?

Yes. Online patching requires an additional set of network ports for the Oracle WebLogic Server managed servers on the second file system. During the cutover phase, the managed servers run simultaneously on the patch file system and run file system for a brief period, in a rolling transition process.

What is Actualize all, How it works?

When the number of old database editions reaches 25 or more, we should consider dropping all old database editions by running the adop actualize_all.

How to execute an empty patching cycle?


adop fails a lot, especially when you’re building a regression test environment.  Remember the old DOS days when you yanked out the floppy disk but still had a: on the screen and DOS said (a)bort, (r)etry, (f)ail?  And abort and fail always seemed like the same thing, but somehow they weren’t?  Same thing with adop, only it calls them abandon and restart.

adop defaults to abandon=no restart=yes if not specified, but to me, that’s still a bit unclear.  For example, what the heck would abandon=yes restart=no do?  Here’s what I came up with

(1) abandon and cleanup (I strongly urge you to do a full cleanup, or you may be asking for trouble)

adop phase=abort,cleanup cleanup_mode=full

adop phase=fs_clone

(2) fix the problem via whatever means (adctrl in the patch environment, drop the index the patch is trying to re-create, etc) and retry from where it failed

adop phase=apply patches=17020683 restart=yes [abandon=no is implied and not required]

(3) fix what’s wrong but retry from the beginning of the patch, or try a new patch (why you would do the latter, I have no idea)

adop phase=apply patches=17020683 abandon=yes [restart=yes is implied and not required]   (same patch)

adop phase=apply patches=17893964,18497540 abandon=yes          (new patch)


Wednesday, June 8, 2022

What happens in the cutover phase of adop in R12.2:

The cutover phase of adop is the downtime phase of the online patching cycle. Once cutover is complete, it is not possible to revert to the previous edition.

The cutover phase of adop has the following steps:

1. Shut down the internal concurrent manager:

cm_wait=<maximum_minutes_to_wait>

This task is performed by the $FND_TOP/bin/txkADOPCutOverPhaseCtrlScript.pl script.

2. Shut down application tier services:

This task is performed by the $FND_TOP/bin/txkADOPCutOverPhaseCtrlScript.pl script.


3.Cutover database: Promote patch database edition to become the new run database edition, using adzdpmgr.pl script.

This task is performed by $FND_TOP/bin/txkADOPCutOverPhaseCtrlScript.pl script 


4. Cutover file system: Promote the patch file system to become the new run file system, switching the $FILE_EDITION values in the patch and run environments. The current patch APPL_TOP becomes the new run APPL_TOP, and the current run APPL_TOP becomes the new patch APPL_TOP. This task is completed by AutoConfig.


5.Terminate old database sessions: Terminate any database connections to the old run edition of the database.

This task is performed by $FND_TOP/bin/txkADOPCutOverPhaseCtrlScript.pl script


6.Start application tier services: Application tier services are restarted, on the new run edition. The system is now available again to users.

This task is performed by $FND_TOP/bin/txkADOPCutOverPhaseCtrlScript.pl script


Reference:

https://techgoeasy.com/happens-cutover-phase-adop-r12-2/

How to rollback the patch after failed cutover phase in R12.2:

There may be a scenario in which the cutover phase fails. It is possible to go back to the state before cutover (roll back the patch) if flashback database is enabled in the database or a full backup was taken prior to cutover.

Check whether Flashback is enabled in the database:

SQL> select FLASHBACK_ON from v$database;

Scenario1:

You are running an Online Patching cycle:

$ adop phase=prepare

$ adop phase=apply patches=99999999

$ adop phase=finalize

$ adop phase=cutover

Cutover fails, and you need to go back to the state of the system before you ran the cutover phase.

If you had not run the cutover phase, you would have been able to roll back the patch by running the adop abort phase. However, this is not possible once cutover has been run.

Two main parts to rollback the patch:

(1) Database Restore : Here we can use either Flashback or database restore technique.

Flashing Back the Database:

First, shut down the database, then start it up in mount state:

SQL>shutdown immediate

Database closed.

Database dismounted.

ORACLE instance shut down.

SQL>startup mount

ORACLE instance started.

Flash the database back to the specified time:

SQL> flashback database to timestamp to_date(<time before the cutover>);

Start the database in read-only mode:

Shut down the database, start it up in mount state, then open it with the resetlogs option:

SQL>shutdown immediate

Database closed.

Database dismounted.

ORACLE instance shut down.

SQL>startup mount

ORACLE instance started.

Database mounted.

SQL>alter database open resetlogs;

Database altered.

2) Filesystem restore:

Check whether cutover failed before the file systems were switched by referring to the cutover logs.

Case 1:

If cutover failed before the file systems were switched, do a clean shutdown of any services that are running. Then restart all the services using the normal startup script.

Case 2:

If cutover failed after the file systems were switched:

Shut down the services started from the new run file system. In a multi-node environment, repeat on all nodes.

Switch the file systems back on all nodes:

$ perl $AD_TOP/patch/115/bin/txkADOPCutOverPhaseCtrlScript.pl \
-action=ctxupdate \
-contextfile=<full path to new run context file> \
-patchcontextfile=<full path to new patch file system context file> \
-outdir=<full path to out directory>

Start up all services from the old run file system.

After the restore is complete:

For example:

$ adop phase=prepare

$ adop phase=apply patches=9999999

$ adop phase=abort

$ adop phase=cleanup cleanup_mode=full

$ adop phase=fs_clone

$ adop phase=abort,cleanup cleanup_mode=full


Reference:

https://techgoeasy.com/rollback-patch-cutover-phase-r12-2/

Tuesday, June 7, 2022

Upgrade Oracle Grid from 12c to 19c: 12c (12.1.0.2) to 19c (19.7.0):

 Steps to upgrade Grid

1.Review the pre-upgrade checklist.

2.Download 19c Grid software.

3.Run the Orachk readiness assessment.

4.Apply mandatory 19c patches.

5.Run the cluster verification utility.

6.Dry-run upgrade.

7.Upgrade Grid.

8.Verify Grid upgrade.

1.Review the pre-upgrade checklist.

According to the Oracle Document 2539751.1, you must apply the 28553832 patch in the 12C Grid home directory as a prerequisite:

[grid@norlathrac01 OPatch]$ ./opatch lsinventory |grep -i 28553832

28553832, 20883009, 21678268

2.Download 19c Grid software.

You can download the 19c Grid software from the following link:

https://www.oracle.com/database/technologies/oracle19c-linux-downloads.html

Create a directory on both the RAC (Real Application Cluster) nodes:

mkdir -p /u01/app/grid/product/19.3.0/grid

Copy the 19c Grid software to the first node of RAC and unzip it:

cd /u01/app/grid/product/19.3.0/grid

unzip -q <19c Grid Software location >

3.Run the Orachk readiness assessment.

According to Oracle document 1457357.1, the user that owns Grid needs to run the Orachk tool.

Make sure to download the latest version of Orachk from document 1457357.1 , then run the following commands:

cd /u01/app/grid/product/19.3.0/grid/suptools/orachk

export GRID_HOME=/u01/app/grid/product/19.3.0/grid

export RAT_PROMPT_WAIT_TIMEOUT=15

export RAT_ORACLE_HOME=/u01/app/grid/12.1.0

export RAT_DB=12.1.0.2.0

cd /u01/app/grid/product/19.3.0/grid/suptools/orachk

./orachk -u -o pre -profile clusterware,asm

This process generates an HTML report. Make sure to review the report for all failed, critical, and warning checks and resolve them before you move to the next step.

4.Apply mandatory 19c patches.

You need to apply the mandatory patch 30899722 in the 19c home directory, as recommended by this Oracle document:

[grid@norlathrac01 grid]$ pwd

/u01/app/grid/product/19.3.0/grid

[grid@norlathrac01 grid]$ ./gridSetup.sh -silent -applyRU

Execute the following command on node [norlathrac01] as root:

/u01/app/grid/product/19.3.0/grid/root.sh 

Successfully Setup Software.

Finally, it asks to run root.sh. Do not run the script yet because you need to run it at the end of the upgrade.

After applying the patch, run the following command and make sure the command shows as supported:

[grid@norlathrac01 bin]$ pwd

/u01/app/grid/product/19.3.0/grid/usm/install/Oracle/EL7UEK/x86_64/4.1.12-112.16.4/4.1.12-112.16.4-x86_64/bin

[grid@norlathrac01 bin]$ ./acfsdriverstate -orahome /u01/app/grid/product/19.3.0/grid supported

ACFS-9200: Supported

5.Run the cluster verification utility.

Log in as the Grid OS owner user and run the following commands:

[grid@norlathrac01 ~]$ cd /u01/app/grid/product/19.3.0/grid/

[grid@norlathrac01 grid]$ ./runcluvfy.sh stage -pre crsinst -upgrade -rolling -src_crshome /u01/app/grid/12.1.0 -dest_crshome /u01/app/grid/product/19.3.0/grid -dest_version 19.0.0.0.0 -fixup -verbose

This operation should pass all the following checks:

Verifying node application existence ...PASSED

Verifying check incorrectly sized ASM disks ...PASSED

Verifying ASM disk group free space ...PASSED

Verifying network configuration consistency checks ...PASSED

Verifying file system mount options for path GI_HOME ...PASSED

Verifying /boot mount ...PASSED

Verifying OLR Integrity ...PASSED

Verifying Verify that the ASM instance was configured using an existing ASM parameter file. ...PASSED

Verifying User Equivalence ...PASSED

Verifying RPM Package Manager database ...INFORMATION (PRVG-11250)

Verifying Network interface bonding status of private interconnect network interfaces ...PASSED

Verifying /dev/shm mounted as temporary file system ...PASSED

Verifying file system mount options for path /var ...PASSED

Verifying DefaultTasksMax parameter ...PASSED

Verifying zeroconf check ...PASSED

Verifying ASM filter driver configuration ...PASSED

verifying Systemd login manager IPC parameter ...PASSED

Verifying Kernel retpoline support ...PASSED
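
An added example (not part of the original post or of Oracle's tooling) that gates the upgrade on the check list above: it prints every check that is not PASSED, with its message code, and returns a status a wrapper script can test. The sample lines are constructed in the format shown above, and the function name and return codes are this example's own.

```shell
#!/bin/sh
# Constructed sample in the format of the check list above (not a real cluvfy log).
sample_cluvfy() {
cat <<'EOF'
Verifying node application existence ...PASSED
Verifying ASM disk group free space ...PASSED
Verifying Verify that the ASM instance was configured using an existing ASM parameter file. ...PASSED
Verifying RPM Package Manager database ...INFORMATION (PRVG-11250)
Verifying /dev/shm mounted as temporary file system ...FAILED
Verifying Kernel retpoline support ...PASSED
EOF
}

# cluvfy_gate: reads "Verifying <check> ...<RESULT> [(CODE)]" lines on stdin.
# Prints "<RESULT>|<check>|<code or ->" for every check that is not PASSED.
# Returns 0 = all PASSED, 1 = something to review (INFORMATION, WARNING,
# unparsed line), 2 = at least one FAILED check.
cluvfy_gate() {
    awk '
        tolower($1) != "verifying" { next }
        # The result is the upper-case word that follows the last " ..."
        !match($0, / \.\.\.[A-Z]+/) {
            print "UNPARSED|" $0 "|-"
            if (rc < 1) { rc = 1 }
            next
        }
        {
            name = substr($0, 1, RSTART - 1)
            sub(/^[Vv]erifying /, "", name)
            result = substr($0, RSTART + 4, RLENGTH - 4)
            rest = substr($0, RSTART + RLENGTH)
            code = "-"
            if (match(rest, /\([A-Z]+-[0-9]+\)/)) {
                code = substr(rest, RSTART + 1, RLENGTH - 2)
            }
            if (result == "PASSED") { next }
            print result "|" name "|" code
            if (result == "FAILED") { rc = 2 } else if (rc < 2) { rc = 1 }
        }
        END { exit rc + 0 }
    '
}

# With a saved log this would be: cluvfy_gate < cluvfy_pre_upgrade.log
sample_cluvfy | cluvfy_gate || echo "resolve or review the checks above before upgrading"
```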

6.Dry-run upgrade.

As mentioned earlier, Oracle introduced this new feature in 19c Grid. You can execute a dry-run upgrade before the actual upgrade. Dry-run upgrades verify all the steps similar to a real upgrade without making any real changes. Run the following commands:

unset ORACLE_BASE

unset ORACLE_HOME

unset ORACLE_SID

cd /u01/app/grid/product/19.3.0/grid 

./gridSetup.sh -dryRunForUpgrade

Finally, the process prompts you to run rootupgrade.sh. Run this on only a local node.

7.Upgrade Grid.

In the earlier step, our dry-run upgrade was a success. Now, you can go for the real upgrade.

Before starting the real upgrade, run the following command to bring down the Grid services and ensure that the remaining services are running on the cluster servers. Make sure cluster upgrade status is normal:

[grid@norlathrac01 bin]$ ./crsctl query crs activeversion -f

Oracle Clusterware active version on the cluster is [12.1.0.2.0]. The cluster upgrade

state is [NORMAL]. The cluster active patch level is [2653232555].

cd /u01/app/grid/product/19.3.0/grid

unset ORACLE_BASE

 unset ORACLE_HOME

 unset ORACLE_SID 

./gridSetup.sh 

Run rootupgrade.sh first on the local node and then on the remote node.

At this point, the process upgrades Grid to 19c, and all the cluster services are running.

8.Verify Grid upgrade.

After the Grid upgrade, run the following commands to verify the upgraded version of Grid:

[grid@norlathrac01 bin]$ crsctl query crs activeversion

Oracle clusterware active version on the cluster is [19.0.0.0.0]

[grid@norlathrac01 bin]$

[grid@norlathrac01 bin]$ ./crsctl query crs softwareversion

Oracle Clusterware version on node [norlathrac03] is [19.0.0.0.0]

Verify all the CRS services are running on both the cluster nodes:

[grid@norlathrac01 bin]$ crsctl check crs

CRS-4638: Oracle high availability services is online

CRS-4537: Cluster ready services is online

CRS-4529: Cluster synchronization services is online

CRS-4533: Event manager is online


Reference:

https://docs.rackspace.com/blog/upgrade-oracle-grid-from-12c-to-19c/

https://docs.oracle.com/en/database/oracle/oracle-database/19/cwsol/applying-patches-during-oracle-grid-infrastructure-install-or-upgrade.html#GUID-D10C7B8D-A120-48A2-8237-36809D0DB21E

Monday, June 6, 2022

Enabling SSL or TLS in Oracle E-Business Suite Release 12.2

 The main steps for setting up SSL on the application tier are outlined below:

3.1 Set Your Environment

3.2 Create a Wallet

3.3 Create a Certificate Request

3.4 Submit the Certificate Request to a Certificate Authority

3.5 Import Server Certificate to the Wallet

3.6 Modify the Oracle HTTP Server Wallet

3.7 Modify the OPMN Wallet

3.8 Fusion Middleware Control Console

3.9 Update the JDK Cacerts File

3.10 Update the Context File and Config Files

3.11 Run AutoConfig

3.12 Customizations (Optional)

3.13 Restart the Application Tier Services

3.14 Synchronization Between Run and Patch File System

3.15 Renewing Revoked or Expired Certificates

Enable SSL for EBS R12.1:

1.Create New Wallet

2.Create a Certificate Request

3.Upload Certificate to Wallet

4.Modify the OPMN wallet

5.Import certs to cacerts

6.Update the Context File

7.Settings for DB Tier

What are SSL certificates?

SSL stands for Secure Sockets Layer. It refers to a protocol for encrypting and securing communications that take place on the Internet.

SSL was replaced by an updated protocol called TLS (Transport Layer Security).

The main use case for SSL/TLS is securing communications between a client and a server, but it can also secure email, VoIP, and other communications over unsecured networks.

TLS vs SSL

Both TLS and SSL are protocols that help securely authenticate and transport data on the Internet.

TLS, short for Transport Layer Security, and SSL, short for Secure Sockets Layer, are both cryptographic protocols that encrypt data and authenticate a connection when moving data on the Internet.

The main difference between Secure Sockets Layer and Transport Layer Security is that in SSL a message digest is used to create the master secret, and it provides the basic security services of authentication and confidentiality, while in TLS a pseudo-random function is used to create the master secret.

TLS is actually just a more recent version of SSL. It fixes some security vulnerabilities in the earlier SSL protocols.


How Do TLS and SSL Work to Secure Data?

Here’s the high-level process for how both SSL and TLS work.

When you install an SSL/TLS certificate on your web server (often just called an "SSL certificate"), it includes a public key and a private key that authenticate your server and let your server encrypt and decrypt data.

When a visitor goes to your site, their web browser will look for your site’s SSL/TLS certificate. Then, the browser will perform a “handshake” to check the validity of your certificate and authenticate your server. If the SSL certificate is not valid, your users may be faced with the “your connection is not private” error, which could cause them to leave your website.

Once a visitor’s browser determines that your certificate is valid and authenticates your server, it essentially creates an encrypted link between it and your server to securely transport data.

This is also where HTTPS comes in (HTTPS stands for “HTTP over SSL/TLS”).

HTTP, and the more recent HTTP/2, are application protocols that play an essential role in transferring information over the Internet.

With plain HTTP, that information is vulnerable to attacks. But when you use HTTP over SSL or TLS (HTTPS), you encrypt and authenticate that data during transport, which makes it secure.

This is why you can safely process credit card details over HTTPS but not over HTTP, and also why Google Chrome is pushing so hard for HTTPS adoption.

Why is the SSL certificate required for Oracle EBS R12, and what impact does it have on the business?

How to implement / configure SSL on Oracle EBS R12 (Server DMZ, HTTP Server, etc.)

What are the prerequisites and studies required for SSL certification?

How to replace the SSL certificate in force that is expiring with a new one (Server DMZ)

References:

https://balajiabhi.blogspot.com/2009/08/configuring-ssl-in-1211-step-by-step.html

https://www.funoracleapps.com/2013/03/enable-ssl-for-ebs-r121.html

http://dbafix.blogspot.com/2019/08/enabling-ssl-or-tls-in-oracle-e.html

Enabling SSL or TLS in Oracle E-Business Suite Release 12.2 (Doc ID 2143101.1)

Enabling TLS in Oracle E-Business Suite Release 12.1 (Doc ID 376700.1)

Enabling TLS in Oracle E-Business Suite Release 12.2 (Doc ID 1367293.1)

How to Create a New Wallet and Add a Signed Certificate Using orapki (Doc ID 331092.1)

Friday, June 3, 2022

DMZ setup on Oracle EBS R12

Highlighted steps :

1. Copy the Application to the DMZ server

2. Clone the Application Tier using adcfgclone.pl

3. Run the txkChangeProfH.sql under FND_TOP/patch/115/sql

@txkChangeProfH.sql SERVRESP

4. Run AutoConfig on all nodes:

1. Database.

2. DMZ.

3. Internal Application server.

5. Change the profile Node Trust Level at the Server level to "External".

6. Change the profile Responsibility Trust Level at the desired responsibility level to "External".

7. Test both the DMZ and Internal URL's.

1.Pre-Clone Steps on Internal Server:

Run adpreclone.pl on MINEJ and MINEZ with the applcrp3 and oracrp3 users.

Take a backup of /d21/applcrp/CRP3 folder on MINEJ

Restore the Backup into MINE8 server under /d21 mount point.

Setup Host File:

Put the following entries in the Hosts File (/etc/hosts).

Change the ownership of the /d21/oracrp3 folder and the files under it to applcrp3

Creating External Web Tier:

Create XML file for External Server:

Run adpreclone.pl to add the MINE8 server as a node to CRP3:

CONTEXT_FILE configuration:

Modify the following CONTEXT_FILE parameters:

s_applcsf

s_applptmp

s_appltmp

s_formshost

s_chronosURL

s_external_url

s_webentryhost

s_login_page

Run AutoConfig on all the nodes (Database, DMZ, Internal Application server).

Configuring MINE8 for DMZ

Run the script txkChangeProfH.sql for the Profile option setup:

@$FND_TOP/patch/115/sql/txkChangeProfH.sql SERVRESP

Update Node Trust Level

Set the value of this profile option to External at the server level. The site level value should remain set to Normal.

Update List of Responsibility:

To change the value of the Responsibility Trust Level profile option at the responsibility level for a particular responsibility, 

Environment Name: VISPRD

Machine: 

Database/Conc/Admin Node: dbprd

Internal web/Form Node: appintprd

External Web Node: appextprd

Pre-Clone Steps on Internal Server

Run adpreclone.pl on appintprd and dbprd with the applVISPRD and oraVISPRD users.

As oraVISPRD user:

cd $ORACLE_HOME/appsutil/scripts/VISPRD_dbprd

perl adpreclone.pl dbTier

As applVISPRD user:

cd $ADMIN_SCRIPTS_HOME

perl adpreclone.pl appsTier

Take a backup of /u01/applcrp/VISPRD folder on appintprd

Restore the Backup into appextprd server under /u01 mount point.

Setup Host File:

Put the following entries in the Hosts File (/etc/hosts)

10.211.16.92            dbprd.sonapglobal.com dbprd

10.223.18.72           appintprd.bn.sonap.net appintprd.bn

Change the ownership of the /u01/oraVISPRD folder and the files under it to applVISPRD

cd /u01

chown -R oraVISPRD:dba oraVISPRD

Creating External Web Tier


Create XML file for External Server:

su - applVISPRD

cd /u01/applVISPRD/VISPRD/apps/apps_st/comn/clone/bin

perl adclonectx.pl contextfile=/u01/applVISPRD/VISPRD/inst/apps/VISPRD_appintprd/appl/admin/VISPRD_appintprd.xml

Enter the APPS password: sonapVISPRD

Target System Hostname (virtual or normal) [appextprd]:

Do you want the inputs to be validated (y/n) [n]? :

Target System Database SID: VISPRD

Target System Database Server Node [appextprd]: dbprd

Target System Base Directory: /u01/oraVISPRD/VISPRD

Target System Forms ORACLE_HOME Directory [/u01/oraVISPRD/VISPRD/apps/tech_st/10.1.2]:

Target System Web ORACLE_HOME Directory [/u01/oraVISPRD/VISPRD/apps/tech_st/10.1.3]:

Target System APPL_TOP Mountpoint [/u01/oraVISPRD/VISPRD/apps/apps_st/appl]:

Target System COMMON_TOP Directory [/u01/oraVISPRD/VISPRD/apps/apps_st/comn]:

Target System Instance Home Directory [/u01/oraVISPRD/VISPRD/inst]:

Username for the Applications File System Owner [applVISPRD]:

Group for the Applications File System Owner [dba]:

Target System Root Service [enabled]:

Target System Web Entry Point Services [enabled]:

Target System Web Application Services [enabled]:

Target System Batch Processing Services [disabled]:

Target System Other Services [enabled]:

Do you want to preserve the Display [appintprd:0.0] (y/n)? : n

Target System Display [appextprd:0.0]:

Do you want the the target system to have the same port values as the source system (y/n) [y]? : n

Target System Port Pool [0-99]: 1

Choose a value which will be set as APPLPTMP value on the target node [1]: 2

New context path and file name [/u01/oraVISPRD/VISPRD/inst/apps/VISPRD_appextprd/appl/admin/VISPRD_appextprd.xml]:

Cross-check that the generated context file is correct. Use the following command to confirm that the respective components are enabled on appextprd:

grep -i status $CONTEXT_FILE

Run adcfgclone.pl to add the appextprd server as a node to VISPRD:

su - applVISPRD

cd /u01/applVISPRD/VISPRD/apps/apps_st/comn/clone/bin

perl adcfgclone.pl appsTier /u01/applVISPRD/VISPRD/inst/apps/VISPRD_appextprd/appl/admin/VISPRD_appextprd.xml

Enter the APPS password:

Check the logfile for any error.

 CONTEXT_FILE configuration:

Modify the following CONTEXT_FILE parameters:

| Context File Variable | Existing Value | New Value |
|---|---|---|
| s_applcsf | /u01/applVISPRD/VISPRD/inst/apps/VISPRD_appextprd/logs/appl/conc | /u01/applVISPRD/VISPRD/conc |
| s_appltmp | /u01/applVISPRD/VISPRD/inst/apps/VISPRD_appextprd/temp | /VISPRD_appltmp |
| s_applptmp | /u01/applVISPRD/VISPRD/inst/apps/VISPRD_appextprd/ptemp | /VISPRD_applptmp |
| s_formshost | appextprd | VISPRDext |
| s_chronosURL | http://appextprd.sonapglobal.com:8001/oracle_smp_chronos/oracle_smp_chronos_sdk.gif | http://VISPRDext.sonapglobal.com:8001/oracle_smp_chronos/oracle_smp_chronos_sdk.gif |
| s_external_url | http://appextprd.sonapglobal.com:8001 | http://VISPRDext.sonapglobal.com:8001 |
| s_webentryhost | appextprd | VISPRDext |
| s_login_page | http://appextprd.sonapglobal.com:8001/OA_HTML/AppsLogin | http://VISPRDext.sonapglobal.com:8001/OA_HTML/AppsLogin |


Run AutoConfig on all the nodes.

Configuring appextprd for DMZ  

Update Hierarchy Types

Run the script txkChangeProfH.sql for the Profile option setup:

# sonapssh dbprd

$ su - applVISPRD

$ sqlplus apps/sonapVISPRD @$FND_TOP/patch/115/sql/txkChangeProfH.sql SERVRESP

Run AutoConfig on all nodes.

Update Node Trust Level

To change the value of the Node Trust Level profile option to External for a particular node, perform the following steps:

1. Log in to Oracle E-Business Suite as the sysadmin user using the internal URL.

2. Select the System Administrator responsibility.

3. Select Profile / System.

4. From the 'Find system profile option Values' window, select the server and enter the value appextprd.

5. Query for %NODE%TRUST%. You will see a profile option named 'Node Trust Level'. The value for this profile option at the site level will be Normal. Leave this setting unchanged.

6. Set the value of this profile option to External at the server level. The site-level value should remain set to Normal.

Update List of Responsibility

To change the value of the Responsibility Trust Level profile option at the responsibility level for a particular responsibility, perform the following steps:

1. Log in to Oracle E-Business Suite as the sysadmin user using the internal URL.

2. Select the System Administrator responsibility.

3. Select Profile / System.

4. From the 'Find system profile option Values' window, select the responsibility that you want to make available to users logging in via the external web tier.

5. Query for %RESP%TRUST%. You will see a profile option named 'Responsibility trust level'. The value for this profile option at the site level will be Normal. Leave this setting unchanged.

6. Set the value of this profile option for the chosen responsibility to External at the responsibility level. The site-level value should remain Normal.

7. Repeat for all responsibilities that you want to make available from the external web tier.


The responsibilities that can be enabled on the external server are as follows:

| Product Name | Externally Accessible Responsibilities | Additional Profile Options |
|---|---|---|
| iSupplier | POS Supplier Guest User; Plan to Pay Supplier View; Plan, Source, Pay Supplier View; Source to Pay Supplier View; Supplier Profile Manager; Procure to Pay Supplier View | POS: External URL; POS: Internal URL |
| Oracle Sourcing | Sourcing Supplier | PON: External Applications Framework Agent; PON: External login URL |
| Oracle iProcurement | Self Registered Employee Default Responsibility; Self Registered New User Default Responsibility | |



Enable Oracle E-Business Suite Application Server Security

1. Set the value of Application Server Security Authentication (s_appserverid_authentication) to SECURE in the CONTEXT_FILE on all the nodes.

2. Run AutoConfig on each Applications middle tier to complete the configuration.

3. After AutoConfig completes successfully, restart the Oracle HTTP Server and OC4J processes.

Increase JVM Size

Change the following JVM parameter in the CONTEXT_FILE as shown in the table below:

Note: Take a backup of the context file before changing it.

| Variable | Existing Value | New Value |
|---|---|---|
| s_oacore_jvm_start_options | -server -verbose:gc -Xmx512M -Xms128M -XX:MaxPermSize=160M | -server -verbose:gc -Xmx1024M -Xms521M -XX:MaxPermSize=256M |


Run AutoConfig

Run AutoConfig from ADMIN_SCRIPTS_HOME using adautocfg.sh.
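A check that can be run against each node's context file before AutoConfig, added here as an example (it is not part of the original post or of Oracle's tooling): it reads variables by their oa_var attribute and confirms that the entry host, the URL variables and s_appserverid_authentication carry the new values listed above. The function names, the XML element names in the sample and the sample file itself are assumptions constructed for illustration.

```shell
#!/bin/sh
# Print the value of one context variable, looked up by its oa_var attribute.
ctx_get() {
    sed -n "s/.*oa_var=\"$2\"[^>]*>\([^<]*\)<.*/\1/p" "$1" | head -n 1
}

# Host part of a URL: http://host.domain:8001/path -> host.domain
url_host() {
    printf '%s\n' "$1" | sed -e 's#^[a-zA-Z]*://##' -e 's#[:/].*$##'
}

# Compare a context file with the expected external entry host (short name).
# Prints one line per finding and returns the number of findings.
check_dmz_ctx() {
    ctx=$1 want=$2 bad=0
    for v in s_webentryhost s_formshost; do
        got=$(ctx_get "$ctx" "$v")
        [ "$got" = "$want" ] || { echo "FAIL $v='$got'"; bad=$((bad + 1)); }
    done
    for v in s_external_url s_login_page s_chronosURL; do
        h=$(url_host "$(ctx_get "$ctx" "$v")")
        case $h in
            "$want".*) ;;
            *) echo "FAIL $v points at host '$h'"; bad=$((bad + 1)) ;;
        esac
    done
    auth=$(ctx_get "$ctx" s_appserverid_authentication)
    [ "$auth" = SECURE ] || { echo "FAIL authentication='$auth'"; bad=$((bad + 1)); }
    return "$bad"
}

# Constructed sample, not a real context file: s_login_page still names the
# old host and authentication is not yet SECURE. Element names are assumed.
write_sample_ctx() {
    cat > "$1" <<'EOF'
<webentryhost oa_var="s_webentryhost">VISPRDext</webentryhost>
<formshost oa_var="s_formshost">VISPRDext</formshost>
<externURL oa_var="s_external_url">http://VISPRDext.sonapglobal.com:8001</externURL>
<login_page oa_var="s_login_page">http://appextprd.sonapglobal.com:8001/OA_HTML/AppsLogin</login_page>
<chronosURL oa_var="s_chronosURL">http://VISPRDext.sonapglobal.com:8001/oracle_smp_chronos/oracle_smp_chronos_sdk.gif</chronosURL>
<appserverid_authentication oa_var="s_appserverid_authentication">OFF</appserverid_authentication>
EOF
}

tmp=$(mktemp) && write_sample_ctx "$tmp"
check_dmz_ctx "$tmp" VISPRDext || echo "$? finding(s)"
rm -f "$tmp"
```

On a real node, call check_dmz_ctx with $CONTEXT_FILE and the external entry host name; a non-zero return means at least one value still needs correcting before AutoConfig is run.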


Enable SSL Login


Reference

Metalink Document: “Oracle E-Business Suite R12 Configuration in a DMZ” Document ID: 380490.1


http://knoworacleappsdba.blogspot.com/2012/04/dmz-setup-on-oracle-ebs-r12.html