APPS Blogs

Oracle Database 12c : Multitenant Architecture : Container or Pluggable Database CDB/PDB

Online Apps DBA - Wed, 2016-03-02 20:41

  With the launch of database 12c in 2013, Oracle introduced a new architectural concept called Multi-Tenancy, where you have a Container Database (CDB) and Pluggable Database (PDB). To explain I included video from Tom Kyte & Randy Urbano where Tom discuss about Pluggable Databases and challenges in Database Consolidation. Randy explains Architecture of PDB/CDB and […]

The post Oracle Database 12c : Multitenant Architecture : Container or Pluggable Database CDB/PDB appeared first on Oracle Trainings for Apps & Fusion DBA.

Categories: APPS Blogs

What is FAHRCS?

David Haimes - Sun, 2016-02-28 11:00

FAHRCS (pronounced farks) is the de facto acronym for the officially titled Accounting Hub Reporting Cloud Service.  Is Stands for Fusion Accounting Hub Reporting Cloud Service, which is quite difficult to say.  I have got pretty good at saying F.A.H.R.C.S quickly, but I think “farks” is probably the easiest.

If you are wondering what FAHRCS actually is, you can follow @FAHRCS on twitter, or check out https://cloud.oracle.com/en_US/accounting-hub-reporting-cloud for official documentation.

I’ll be presenting about it at the Higher Education User Group Conference, Alliance16 in March and again at OAUG Collaborate16 in April.  So I hope to see you there and help you learn more about FAHRCS.


Categories: APPS Blogs

Bundle Patch 3 Now Available for Application Management Pack 12.1.0.4

Steven Chan - Tue, 2016-02-23 14:53

Application Management Pack (AMP) 12.1.0.4.0 for Oracle E-Business Suite was released in June 2015. We have just released the third set of updates for AMP 12.1.0.4.0. These updates include enhancements as well as fixes for stability and performance issues.

We strongly recommend that you apply Bundle Patch 3 to your E-Business Suite environments and your Enterprise Manager server:

What's New in Bundle Patch 3?

  • Discover and monitor Oracle E-Business Suite targets hosted on Oracle Cloud.
  • Support is now enabled for discovering multiple instances with the same SID.
  • The naming convention of the Oracle E-Business Suite targets is changed. It no longer uses the DB SID as a prefix. The Database target name is used instead, which is passed for discovery.
  • The DB target name, which is passed to the EBS target discovery, can only contain alphanumeric characters and period ('.').
  • For a successful discovery, the preferred credentials must now be set for the host where the admin server is running. On Oracle E-Business Suite Release 12.2 or later, the preferred credentials setup must be completed on both the patch and run file system admin servers. If not, pre-validation will fail.
  • Host aliasing is now automated and will attempt to match the host name in the EBS context file and the discovered host name in Oracle Enterprise Manager. If this attempt fails, you will be prompted to perform the mapping manually.
  • Customization Manager and Patch Manager now support host aliasing.

References

Related Articles

Categories: APPS Blogs

Rapid Install StartCD 51 for EBS 12.2 Now Available

Steven Chan - Mon, 2016-02-22 16:41

We are pleased to announce the availability of Oracle E-Business Suite StartCD 12.2.0.51 (often just called StartCD 51). As the fundamental installation medium for EBS, the startCD is what you begin with when installing or upgrading to Release 12.2.

This latest startCD includes many important updates and fixes, as described in the README for the patch by which it is supplied. Obtaining startCD 51 is highly recommended for all customers who will use Rapid Install to perform an installation or upgrade to Release 12.2.

startCD 51

How Can I Obtain startCD 12.2.0.51?
  • You can download startCD 51 as Patch 22066363.

What's New in this Update?

Among other enhancements, startCD version 12.2.0.51:

  • Includes important fixes for fresh install and upgrade scenarios
  • Introduces EBS use of Oracle Database 12cR1 (12.1.0.2)
  • Introduces EBS use of Oracle Fusion Middleware Web Tier Utilities 11.1.1.9.0
  • Installs additional technology stack patches for Oracle Database 11g and Fusion Middleware
Do I Need A New Stage Area For startCD 12.2.0.51?

Yes, you must create a new stage area to use startCD 12.2.0.51. A stage area created with an earlier startCD will not work. This is because (as noted above) startCD 12.2.0.51 uses Oracle Database 12cR1 (12.1.0.2), while earlier startCDs used 11gR1 (11.2.0.3). In addition, startCD 12.2.0.51 uses a later patch set (11.1.1.9.0)  of Oracle Fusion Middleware Web Tier Utilities than the 11.1.1.7.0 patch set used by earlier startCDs.

How Can I Obtain Oracle Database 12.1.0.2 and Oracle Web Tier Utilities 11.1.1.9.0?

You can download Oracle Database 12.1.0.2 and Oracle Web Tier Utilities 11.1.1.9.0 from the Oracle Software Delivery Cloud as part of the Release 12.2.5 media:

  • Go to the Oracle Software Delivery Cloud and search for Oracle Financials for your platform (EBS is not shown as a product option, so you need to choose a listed product such as Financials).
  • Under Release 12.2.5, download the Zip files for "Oracle Database 12.1.0.2" and "Oracle Web Tier Utilities 11.1.1.9.0".

startCD 51 extras

Where Can I Find More Information About Installing EBS?

Refer to the following Release 12.2 Web Library book for more information about creating the stage area, other installation prerequisites, and the various available installation actions and options:

  • Oracle E-Business Suite Installation Guide: Using Rapid Install (Part No. E22950) (PDF or HTML)
References

As well as the Installation Guide mentioned above, you should refer to the following My Oracle Support knowledge documents as applicable:

Related Articles

Categories: APPS Blogs

Do E-Business Suite Users Need to Worry About Java 9?

Steven Chan - Thu, 2016-02-18 14:06

No, Oracle E-Business Suite users do not need to worry about changes coming in Java 9. The Java team recently published their plans for removing the Java browser plugin in a future version of Java. The announcement states (key words highlighted for emphasis):

Oracle plans to deprecate the Java browser plugin in JDK 9. This technology will be removed from the Oracle JDK and JRE in a future Java SE release.

What does "deprecate" mean?

"Deprecate" means that there will still be a JRE 9 browser plug-in. Users will still be able to run Java-based applications using the JRE 9 browser plug-in.

What does this mean for E-Business Suite users running JRE 9?

The release of Java 9 will not have any effect on E-Business Suite users. JRE 9 will continue to work with the E-Business Suite in browsers that support Java (via the NPAPI protocol). 

What browsers will support the JRE 9 plug-in?

Internet Explorer, Firefox ESR, and Safari will continue to support NPAPI -- and, therefore, Java and Forms.  We recommend that customers who need to use Forms-based products in the E-Business Suite use those browsers.

Alphabet (Google) Chrome and Microsoft Edge do not support NPAPI, so Java-based apps cannot run in those browsers.  

Will E-Business Suite still require Java?

Yes.  Our ongoing use of Forms for high-volume professional users of the E-Business Suite means that power users will continue to have a need to run Java.  We replicate, simplify, or migrate selected Forms-based flows to OA Framework-based (i.e. web-based HTML) equivalents with every EBS update, but I would imagine that Forms will continue to be part of the E-Business Suite technology stack for the foreseeable future.  I expect that this will apply to both the EBS 12.1 and 12.2 release streams.

Will E-Business Suite change how it starts Java?

Yes, it's very likely. We're working on what happens in the "future Java SE release" that follows Java 9.  We are actively reviewing options for future updates to Java, EBS, and Forms to address Forms compatibility via Java Web Start right now. 

Oracle will do everything possible to ensure that customers can continue to run all parts of the E-Business Suite.

When will EBS do this?

Oracle's Revenue Recognition rules prohibit us from discussing certification and release dates.  You're welcome to monitor or subscribe to this blog for updates, which as soon as they're available.  

Related Articles

The preceding is intended to outline our general product direction.  It is intended for information purposes only, and may not be incorporated into any contract.   It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decision.  The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Categories: APPS Blogs

ETCC Tool Enhanced for Finding Mandatory EBS 12.2 Patches

Steven Chan - Thu, 2016-02-11 10:48

Contributing author: Paul Holman

The E-Business Suite Technology Codelevel Checker (ETCC) tool has been provided to help you identify missing database or middle tier patches that may need to be applied to your E-Business Suite Release 12.2 system.

The utility has now been significantly enhanced to map bug fixes to patches, generating a Patch Recommendation Summary that lists the patches (including versions and associated filenames) that are required for your system.

The following example shows part of an ETCC run, where the DB-ETCC script is used to identify missing database patches.

DB-ETCC Example

Why Does This Matter?

As the last section of the above example shows, there is a difference between bug fixes and patches. A bug fix ID for an issue does not change, but the patch ID that delivers the fix might: for example, the original patch could be superseded by another patch. So you need to not only know what bug fix you require, but which patch currently delivers it.

With previous versions of ETCC, the relevant patches (including Patch Set Updates and Exadata patches) had to be identified manually, by referring to the relevant documentation.  In this latest version, bug fix to patch mapping is done for you, avoiding the need for manual identification and the risk of misidentifying the patch needed. That is the principal enhancement in this version of ETCC.

Coverage

This new version of ETCC maps missing bug fixes to corresponding patches for the latest and latest but one quarterly bundles supported by EBS 12.2. You can use this version of ETCC with older bundles, but it will only list missing bug fixes (as previous versions did), and you will see a message saying "Patch mapping not available".

Obtaining ETCC

The ETCC utility can be downloaded via Patch 17537119 from My Oracle Support.

References Related Articles
Categories: APPS Blogs

JRE 1.8.0_73/74 Certified with Oracle E-Business Suite

Steven Chan - Mon, 2016-02-08 13:07

Java logo

Java Runtime Environment 1.8.0_73 (a.k.a. JRE 8u73-b2) and JRE 1.8.0_74 (8u74-b2) and later updates on the JRE 8 codeline are now certified with Oracle E-Business Suite 12.1 and 12.2 for Windows desktop clients.

All JRE 6, 7, and 8 releases are certified with EBS upon release

Our standard policy is that all E-Business Suite customers can apply all JRE updates to end-user desktops:

  • From JRE 1.6.0_03 and later updates on the JRE 6 codeline
  • From JRE 1.7.0_10 and later updates on the JRE 7 codeline 
  • From JRE 1.8.0_25 and later updates on the JRE 8 codeline
We test all new JRE releases in parallel with the JRE development process, so all new JRE releases are considered certified with the E-Business Suite on the same day that they're released by our Java team. 

You do not need to wait for a certification announcement before applying new JRE 6, 7, or 8 releases to your EBS users' desktops.

What's new in this release?

Oracle now releases a Critical Patch update (CPU) at the same time as the corresponding Patch Set Update (PSU) release for Java SE 8.

  • CPU Release:  JRE 1.8.0_73
  • PSU Release:  JRE 1.8.0_74

Oracle recommends that Oracle E-Business Suite customers use the CPU release (JRE 1.8.0_73) and only upgrade to the PSU release (1.8.0_74) if they require a specific bug fix.  For further information and bug fix details see Java CPU and PSU Releases Explained.

Internet Explorer users are advised to upgrade to the JRE 1.8.0_74 rather than JRE 1.8.0_73 due to a known performance issue.

32-bit and 64-bit versions certified

This certification includes both the 32-bit and 64-bit JRE versions for various Windows operating systems. See the respective Recommended Browser documentation for your EBS release for details.

Where are the official patch requirements documented?

All patches required for ensuring full compatibility of the E-Business Suite with JRE 8 are documented in these Notes:

For EBS 12.1 & 12.2

EBS + Discoverer 11g Users

This JRE release is certified for Discoverer 11g in E-Business Suite environments with the following minimum requirements:

Implications of Java 6 and 7 End of Public Updates for EBS Users

The Oracle Java SE Support Roadmap and Oracle Lifetime Support Policy for Oracle Fusion Middleware documents explain the dates and policies governing Oracle's Java Support.  The client-side Java technology (Java Runtime Environment / JRE) is now referred to as Java SE Deployment Technology in these documents.

Starting with Java 7, Extended Support is not available for Java SE Deployment Technology.  It is more important than ever for you to stay current with new JRE versions.

If you are currently running JRE 6 on your EBS desktops:

  • You can continue to do so until the end of Java SE 6 Deployment Technology Extended Support in June 2017
  • You can obtain JRE 6 updates from My Oracle Support.  See:

If you are currently running JRE 7 on your EBS desktops:

  • You can continue to do so until the end of Java SE 7 Deployment Technology Premier Support in July 2016
  • You can obtain JRE 7 updates from My Oracle Support.  See:

If you are currently running JRE 8 on your EBS desktops:

Will EBS users be forced to upgrade to JRE 8 for Windows desktop clients?

No.

This upgrade is highly recommended but remains optional while Java 6 and 7 are covered by Extended Support. Updates will be delivered via My Oracle Support, where you can continue to receive critical bug fixes and security fixes as well as general maintenance for JRE 6 and 7 desktop clients. Note that there are different impacts of enabling JRE Auto-Update depending on your current JRE release installed, despite the availability of ongoing support for JRE 6 and 7 for EBS customers; see the next section below.

Impact of enabling JRE Auto-Update

Java Auto-Update is a feature that keeps desktops up-to-date with the latest Java release.  The Java Auto-Update feature connects to java.com at a scheduled time and checks to see if there is an update available.

Enabling the JRE Auto-Update feature on desktops with JRE 6 installed will have no effect.

With the release of the January Critical patch Updates, the Java Auto-Update Mechanism will automatically update JRE 7 plug-ins to JRE 8.

Enabling the JRE Auto-Update feature on desktops with JRE 8 installed will apply JRE 8 updates.

Coexistence of multiple JRE releases Windows desktops

The upgrade to JRE 8 is recommended for EBS users, but some users may need to run older versions of JRE 6 or 7 on their Windows desktops for reasons unrelated to the E-Business Suite.

Most EBS configurations with IE and Firefox use non-static versioning by default. JRE 8 will be invoked instead of earlier JRE releases if both are installed on a Windows desktop. For more details, see "Appendix B: Static vs. Non-static Versioning and Set Up Options" in Notes 290807.1 and 393931.1.

What do Mac users need?

JRE 8 is certified for Mac OS X 10.8 (Mountain Lion), 10.9 (Mavericks), and 10.10 (Yosemite) desktops.  For details, see:

Will EBS users be forced to upgrade to JDK 8 for EBS application tier servers?

No.

JRE is used for desktop clients.  JDK is used for application tier servers.

JRE 8 desktop clients can connect to EBS environments running JDK 6 or 7.

JDK 8 is not certified with the E-Business Suite.  EBS customers should continue to run EBS servers on JDK 6 or 7.

Known Iusses

Internet Explorer Performance Issue

Launching JRE 1.8.0_73 through Internet Explorer will have a delay of around 20 seconds before the applet starts to load (Java Console will come up if enabled).

This issue fixed in JRE 1.8.0_74.  Internet Explorer users are recommended to uptake this version of JRE 8.

Form Focus Issue

Clicking outside the frame during forms launch may cause a loss of focus when running with JRE 8 and can occur in all Oracle E-Business Suite releases. To fix this issue, apply the following patch:

References

Related Articles
Categories: APPS Blogs

Car Logos

iAdvise - Mon, 2016-01-25 21:02
Symbols and elaborate images for car logos can be confusing. So many famous brands use the same animals or intricate images that may seem appealing at first but are actually so similar to each other that you can't tell one company apart from the other unless you're really an expert in the field.

How many auto brands do you know that have used a jungle cat or a horse or a hawk's wings in their trademark?

There're just too many to count.

So how can you create a design for your automobile company that is easy to remember and also sets you apart from the crowd?

Why not use your corporation name in the business mark?

How many of us confuse the Honda trademark with Hyundai's or Mini's with Bentley's?

But that won't happen if your car logos and names are the same.

Remember the Ford and BMW's business image or MG's and Nissan's? The only characteristic that makes them easier to remember is their company name in their brand mark.

Car LogosCar LogosCar LogosCar LogosCar LogosCar LogosCar LogosCar Logos

But it's not really that easy to design a trademark with the corporation name. Since the only things that can make your car brand mark appealing are the fonts and colors, you need to make sure that you use the right ones to make your logo distinct and easy to remember.

What colors to use?

When using the corporation name in trademark, the rule is very simple. Use one solid color for the text and one solid color for the background. Text in silver color with a red or a dark blue background looks appealing but you can experiment with different colors as well. You can also use white colored text on a dark green background which will make your design identifiable from afar. Don't be afraid to use bright colored background but make sure you use the text color that complements the background instead of contrasting with it.

What kind of fonts to use?

Straight and big fonts may be easier to read from a distance but the font style that looks intricate and appealing to the customers and give your design a classic look are the curvier fonts. But make sure that the text is not too curvy that it loses its readability. You can even use the Times Roman font in italic effect or use some other professional font style with curvy effect to make sure that the text is readable and rounded at the same time.

Remember the ford logo? It may just be white text on a red background, but it's the curvy font style that sets it apart from the rest. Remember the Ford business mark or the smart car logo?

What shapes to use?

The vehicle business image has to be enclosed in a shape, of course. The shape that is most commonly used is a circle. You can use an oval, a loose square or even the superman diamond shape to enclose your design. But make sure that your chosen shape does not have too many sides that make the mark complicated.

The whole idea of a car corporation mark is to make it easily memorable and recognizable along with making it a classic. Using the above mentioned ideas can certainly do that for your trademark.

Beverly Houston works as a Senior Design Consultant at a Professional Logo Design Company. For more information on car logos and names find her competitive rates at Logo Design Consultant.
Categories: APPS Blogs

Oracle Critical Patch Update January 2016 E-Business Suite Analysis

To start, the January 2016 Critical Patch Update (CPU) for Oracle E-Business Suite (EBS) is significant and high-risk

First, this CPU with 78 EBS security fixes has 10x the number of EBS security fixes than an average CPU.  For the previous 44 CPUs released since 2005, an average of 7.5 security bugs are fixed per quarter for EBS.  Second, there are a significant number of SQL injection and other high risk bugs, such as the ability to read arbitrary files from the EBS applications servers.  Third, the security bugs are in a wide-range of over 30 technical and functional modules, therefore, every EBS implementation is at significant risk.  Even if you don't have the module installed, configured, or licensed, in almost all cases the vulnerability can still be exploited. Finally, at least 10 security vulnerabilities can be readily exploited in EBS Interface-facing self-service modules.

Integrigy is credited with discovering 40 of the security bugs fixed this quarter.  We have additional security bugs open with Oracle which we except to be resolved in the next few quarters.

Due to the high number of vulnerabilities affecting Oracle E-Business Suite 11.5.10, Oracle changed the stated 11.5.10 support policy for the January 2016 CPU from requiring an Advanced Support Contract (ACS) to being available for all customers with valid support contracts.  For the April 2016 through October 2016 CPUs, Oracle E-Business Suite 11.5.10 CPU patches will only be available for customers with an Advanced Support Contract (ACS).  After October 2016, there will be no more CPUs for 11.5.10.

Vulnerability Breakdown

An analysis of the security vulnerabilities shows the 78 security fixes resolve 35 SQL injection bugs, 17 unauthorized access issues, 9 cross-site scripting (XSS) bugs, 5 XML External Entity (XXE) bugs, and various other security issues and weaknesses.  The most critical are the SQL injection bugs as these may permit unauthenticated web application users to execute SQL as the application database account (APPS).  Many of these SQL injection bugs allow access to sensitive data or the ability to perform privileged functions such as changing application or database passwords, granting of privileges, etc.

Also, several of the bugs allow an attacker with unauthenticated web application access to retrieve arbitrary files from the application server.  With some knowledge of EBS, it may be possible to download files with the APPS database password.

EBS Version Breakdown

23 vulnerabilities are found in all versions of Oracle E-Business Suite.  The remainder are mostly specific to the different web architectures found in each version.  The following is the breakdown of the 78 vulnerabilities by EBS version --

11.5.10 12.0.x 12.1.x 12.2.x 66 38 40 22

For 11.5.10, there are 22 vulnerabilities in web pages implemented using mod_plsql.  mod_plsql is an Oracle specific web architecture where the web application is implemented using database PL/SQL packages.  mod_plsql was removed from EBS starting with 12.0.  For information on mitigating some of the mod_plsql vulnerabilities, see the section below "EBS 11i mod_plsql Mitigation."

Many of the R12 (12.0, 12.1, 12.2) specific vulnerabilities are in Java Server Pages (JSP) and Java servlets, which are not found in 11i.

I have included 12.0.x in the listing of versions to show even though this version is not supported for the January 2016 CPU, a significant number of the security bugs affect this version.

January 2016 Recommendations

As with all Critical Patch Updates, the most effective method to resolve the vulnerabilities is to apply the patches in a timely manner. 

The most at risk implementations are those running Internet facing self-service modules (i.e., iStore, iSupplier, iSupport, etc.) and Integrigy rates this CPU as a critical risk due to the number of SQL injection vulnerabilities that can be remotely exploited without authentication.   These implementations should (1) apply the CPU as soon as possible and (2) ensure the DMZ is properly configured according to the EBS specific instructions and the EBS URL Firewall is enabled and optimized.

If the CPU can not be applied in a timely manner, Integrigy's AppDefend, an application firewall for the Oracle E-Business Suite, should be implemented.  AppDefend provides virtual patching and can effectively replace patching of EBS web security vulnerabilities.

EBS 11i mod_plsql Mitigation

In order to mitigate some mod_plsql security vulnerabilities, all Oracle EBS 11i environments should look at limiting the enabled mod_plsql web pages.  The script /patch/115/sql/txkDisableModPLSQL.sql can be used to limit the allowed pages listed in FND_ENABLED_PLSQL.  This script was introduced in 11i.ATG_PF.H and the most recent version is in 11i.ATG_PF.H.RUP7 or the January 2016 CPU.  This must be thoroughly tested as it may block a few mod_plsql pages used by your organization.  Review the Apache web logs for the pattern '/pls/' to see what mod_plsql pages are actively being used.  This fix is included and implemented as part of the January 2016 CPU.

Oracle E-Business Suite, Oracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs

Oracle Database Critical Patch Update (CPU) Planning for 2016

With the start of the new year, it is now time to think about Oracle Critical Patch Updates for 2016.  Oracle releases security patches in the form of Critical Patch Updates (CPU) each quarter (January, April, July, and October).  These patches include important fixes for security vulnerabilities in the Oracle Database.  The CPUs are only available for certain versions of the Oracle Database, therefore, advanced planning is required to ensure supported versions are being used and potentially mitigating controls may be required when the CPUs can not be applied in a timely manner.

CPU Supported Database Versions

As of the October 2015 CPU, the only CPU supported database versions are 11.2.0.4, 12.1.0.1, and 12.1.0.2.  The final CPU for 12.1.0.1 will be July 2016.  11.2.0.4 will be supported until October 2020 and 12.1.0.2 will be supported until July 2021.

11.1.0.7 and 11.2.0.3 CPU support ended as of July 2015. 

Database CPU Recommendations
  1. When possible, all Oracle databases should be upgraded to 11.2.0.4 or 12.1.0.2.  This will ensure CPUs can be applied through at least October 2020.
     
  2. [12.1.0.1] New databases or application/database upgrade projects currently testing 12.1.0.1 should immediately look to implement 12.1.0.2 instead of 12.1.0.1, even if this will require additional effort or testing.  With the final CPU for 12.1.0.1 being July 2016, unless a project is implementing in January or February 2016, we believe it is imperative to move to 12.1.0.2 to ensure long-term CPU support.
     
  3. [11.2.0.3 and prior] If a database can not be upgraded, the only effective mitigating control for many database security vulnerabilities is to strictly limit direct database access.  In order to restrict database access, Integrigy recommends using valid node checking, Oracle Connection Manager, network restrictions and firewall rules, and/or terminal servers and bastion hosts.  Direct database access is required to exploit database security vulnerabilities and most often a valid database session is required.
     

Regardless if security patches are regularly applied or not, general database hardening such as changing database passwords, optimizing initialization parameters, and enabling auditing should be done for all Oracle databases. 

 

Oracle Database, Oracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs

Oracle E-Business Suite Critical Patch Update (CPU) Planning for 2016

With the start of the new year, it is now time to think about Oracle Critical Patch Updates for 2016.  Oracle releases security patches in the form of Critical Patch Updates (CPU) each quarter (January, April, July, and October).  These patches include important fixes for security vulnerabilities in the Oracle E-Business Suite and its technology stack.  The CPUs are only available for certain versions of the Oracle E-Business Suite and Oracle Database, therefore, advanced planning is required to ensure supported versions are being used and potentially mitigating controls may be required when the CPUs can not be applied in a timely manner.

For 2016, CPUs for Oracle E-Business Suite will become a significant focus as a large number of security vulnerabilities for the Oracle E-Business Suite will be fixed.  The January 2016 CPU for the Oracle E-Business Suite (EBS) will include 78 security fixes for a wide range of security bugs with many being high risk such as SQL injection in web facing self-service modules.  Integrigy anticipates the next few quarters will have an above average number of EBS security fixes (average is 7 per CPU since 2005).  This large number of security bugs puts Oracle EBS environments at significant risk as many of these bugs will be high risk and well publicized.

Supported Oracle E-Business Suite Versions

Starting with the April 2016 CPU, only 12.1 and 12.2 will be fully supported for CPUs moving forward.  11.5.10 CPU patches for April 2016, July 2016, and October 2016 will only be available to customers with an Advanced Customer Support (ACS) contract.  There will be no 11.5.10 CPU patches after October 2016.  CPU support for 12.0 ended as of October 2015.

11.5.10 Recommendations
  1. When possible, the recommendation is to upgrade to12.1 or 12.2.
  2. Obtaining an Advanced Customer Support (ACS) contract is a short term (until October 2016) solution, but is an expensive option.
  3. An alternative to applying CPU patches is to use Integrigy's AppDefend, an application firewall for Oracle EBS, in proxy mode which blocks EBS web security vulnerabilities.  AppDefend provides virtual patching and can effectively replace patching of EBS web security vulnerabilities.

In order to mitigate some mod_plsql security vulnerabilities, all Oracle EBS 11i environments should look at limiting the enabled mod_plsql web pages.  The script /patch/115/sql/txkDisableModPLSQL.sql can be used to limit the allowed pages listed in FND_ENABLED_PLSQL.  This script was introduced in 11i.ATG_PF.H and the most recent version is in 11i.ATG_PF.H.RUP7.  This must be thoroughly tested as it may block a few mod_plsql pages used by your organization.  Review the Apache web logs for the pattern '/pls/' to see what mod_plsql pages are actively being used.  This fix is included and implemented as part of the January 2016 CPU.

12.0 Recommendations
  1. As no security patches are available for 12.0, the recommendation is to upgrade to 12.1 or 12.2 when possible.
  2. If upgrading is not feasible, Integrigy's AppDefend, an application firewall for Oracle EBS, provides virtual patching for EBS web security vulnerabilities as well as blocks common web vulnerabilities such as SQL injection and cross-site scripting (XSS).  AppDefend is a simple to implement and cost-effective solution when upgrading EBS is not feasible.
12.1 Recommendations
  1. 12.1 is supported for CPUs through October 2019 for implementations where the minimum baseline is maintained.  The current minimum baseline is the 12.1.3 Application Technology Stack (R12.ATG_PF.B.delta.3).  This minimum baseline should remain consistent until October 2019, unless a large number of functional module specific (i.e., GL, AR, AP, etc.) security vulnerabilities are discovered.
  2. For organizations where applying CPU patches is not feasible within 30 days of release or Internet facing self-service modules (i.e., iSupplier, iStore, etc.) are used, AppDefend should be used to provide virtual patching of known, not yet patched web security vulnerabilities and to block common web security vulnerabilities such as SQL injection and cross-site scripting (XSS).
12.2 Recommendations
  1. 12.2 is supported for CPUs through July 2021 as there will be no extended support for 12.2.  The current minimum baseline is 12.2.3 plus roll-up patches R12.AD.C.Delta.7 and R12.TXK.C.Delta.7.  Integrigy anticipates the minimum baseline will creep up as new RUPs (12.2.x) are released for 12.2.  Your planning should anticipate the minimum baseline will be 12.2.4 in 2017 and 12.2.5 in 2019 with the releases of 12.2.6 and 12.2.7.  With the potential release of 12.3, a minimum baseline of 12.2.7 may be required in the future.
  2. For organizations where applying CPU patches is not feasible within 30 days of release or Internet facing self-service modules (i.e., iSupplier, iStore, etc.) are used, AppDefend should be used to provide virtual patching of known, not yet patched web security vulnerabilities and to block common web security vulnerabilities such as SQL injection and cross-site scripting (XSS).
EBS Database Recommendations
  1. As of the October 2015 CPU, the only CPU supported database versions are 11.2.0.4, 12.1.0.1, and 12.1.0.2.  11.1.0.7 and 11.2.0.3 CPU support ended as of July 2015.  The final CPU for 12.1.0.1 will be July 2016.
  2. When possible, all EBS environments should be upgraded to 11.2.0.4 or 12.1.0.2, which are supported for all EBS versions including 11.5.10.2.
  3. If database security patches (SPU or PSU) can not be applied in a timely manner, the only effective mitigating control is to strictly limit direct database access.  In order to restrict database access, Integrigy recommends using the EBS feature Managed SQLNet Access, Oracle Connection Manager, network restrictions and firewall rules, and/or terminal servers and bastion hosts.
  4. Regardless if security patches are regularly applied or not, general database hardening such as changing database passwords, optimizing initialization parameters, and enabling auditing should be done for all EBS databases.
Oracle E-Business Suite, Oracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs

Extranet login redirects to intranet URL

Vikram Das - Thu, 2016-01-14 10:15
For an old 11.5.10.2 ERP, we are moving from the architecture of "EBS application server in DMZ" to the architecture of "Reverse Proxy in DMZ and EBS application server in intranet".  After doing all configurations, we hit the classic issue where, you login through extranet url visible on public internet which redirects to intranet url.

So https://extranet.example.com asks for SSO details and after keying in SSO username and password goes to http://intranet.example.com.

The support.oracle.com article DMZ Configuration with Oracle E-Business Suite 11i (Doc ID 287176.1) has listed 4 checks which could be the reason for this issue:

H6: Redirection to an Incorrect Server During Login
If you are getting redirected to an incorrect server during the login process, check the following:
  • Whether the hirearchy type of the profile options mentioned in Section 5.1 is set to SERVRESP .
  • select PROFILE_OPTION_NAME,HIERARCHY_TYPE from fnd_profile_options where profile_option_name in 
    ('APPS_WEB_AGENT','APPS_SERVLET_AGENT','APPS_JSP_AGENT','APPS_FRAMEWORK_AGENT' ,'ICX_FORMS_LAUNCHER','ICX_DISCOVERER_LAUNCHER','ICX_DISCOVERER_VIEWER_LAUNCHER','HELP_WEB_AGENT','APPS_PORTAL','CZ_UIMGR_URL','ASO_CONFIGURATOR_URL','QP_PRICING_ENGINE_URL','TCF:HOST');
    PROFILE_OPTION_NAME                               HIERARCHY_TYPE
    ----------------------------------------                               --------------------------------
    APPS_FRAMEWORK_AGENT                         SERVRESP
    APPS_JSP_AGENT                                         SERVRESP
    APPS_PORTAL                                         SERVRESP
    APPS_SERVLET_AGENT                                 SERVRESP
    APPS_WEB_AGENT                                         SERVRESP
    ASO_CONFIGURATOR_URL                         SERVRESP
    CZ_UIMGR_URL                                         SERVRESP
    HELP_WEB_AGENT                                         SERVRESP
    ICX_DISCOVERER_LAUNCHER                 SERVRESP
    ICX_DISCOVERER_VIEWER_LAUNCHER SERVRESP
    ICX_FORMS_LAUNCHER                         SERVRESP
    QP_PRICING_ENGINE_URL                         SERVRESP
    TCF:HOST                                                 SERVRESP

    All good on this point

  • Whether the profile option values for the fnd profile options (APPS_FRAMEWORK_AGENT, APPS_WEB_AGENT, APPS_JSP_AGENT, APPS_SERVLET_AGENT) are pointing to the correct node. Replace the node_id with the node_id of the external and internal web tier. For example:
  • select fnd_profile.value_specific('APPS_FRAMEWORK_AGENT',null,null,null,null,) from dual;
    This query returned https://extranet.example.com

  • Whether the dbc file pointed to by the JVM parameter (JTFDBCFILE) in jserv.properties exists.
  • wrapper.bin.parameters=-DJTFDBCFILE=
    This was incorrect.  It was pointing to the intranet jdbc file location.

  • Whether the value of the parameter APPL_SERVER_ID set in the dbc file for the node is the same as the value of the server_id in the fnd_nodes table.
    select node_name,node_id,server_id from fnd_nodes;
    This was overwritten in the dbc file, with appl_server_id of intranet when autoconfig was done on intranet and overwritten with appl_server_id of extranet when autoconfig was done on extranet, as the DBC file location and name were same for both intranet and extranet.
I asked the DBA team to manually correct the dbc file name inside $IAS_CONFIG_HOME/Apache/Apache/Jserv/etc/jserv.properties
and create a file of that name in $FND_SECURE/$CONTEXT_NAME.dbc on the extranet node and bounce services.  Once that was done, we tested and it worked. No more redirection to intranet URL.

Then I asked them to correct the s_dbc_file_name variable in the context file of extranet node. Run autoconfig on extranet, verify the value of dbcfile in jserv.properties DJTFDBCFILE parameter, verify that the DBC file had the server_id of the extranet node.  Restart all services.
Checked again, and it worked again.

So apart from checking the values of context file variables like s_webentryhost, s_webentrydomain, s_active_port, you also need to check the value of s_dbc_file while verifying the setups for extranet configuration. This can happen in 11i , R12.1 and R12.2 also.
Categories: APPS Blogs

Legal Entity Document Sequencing in Receivables

OracleApps Epicenter - Thu, 2016-01-07 02:55
You need to consider these points when you are trying setup Legal Entity Document Sequencing in Receivables You can set up your primary ledger to allow document sequencing at the legal entity level instead of at the ledger level. This means if you have more than one legal entity assigned to the same ledger, you […]
Categories: APPS Blogs

Happy New Year 2016 , best wishes to all

OracleApps Epicenter - Sat, 2016-01-02 01:49
This the season to be jolly! Time truly flies when you are doing the things you love and with another year behind us, we can't help but feel a little nostalgic and look back at what the past twelve months have brought us. It was a busy year at personal and professional side .In terms […]
Categories: APPS Blogs

Oracle Management Cloud : The Next Generation Real-Time Monitoring and Analytics IT Tool

OracleApps Epicenter - Sat, 2016-01-02 01:21
Oracle Management Cloud (OMC) is a suite of next-generation integrated monitoring, management, and analytics cloud services built on a scalable big data platform that provides real-time analysis and deep technical and business insights. With OMC you can eliminate disparate silos across end-user and infrastructure data, troubleshoot problems quickly,and run IT like a business OCM meets […]
Categories: APPS Blogs

Calling all Apps DBAs doing 11i to R12.x upgrades

Vikram Das - Tue, 2015-12-22 09:02
At this time of the year during holidays, the Apps DBA community is busy doing upgrades as longer downtimes are possible.  In case you are facing any issues, please feel free to write to me at my email: oracleappstechnology@gmail.com .  I will be glad to hear from you and help you.
Categories: APPS Blogs

11i pre-upgrade data fix script ap_wrg_11i_chrg_alloc_fix.sql runs very slow

Vikram Das - Wed, 2015-12-16 20:51
We are currently upgrading one of our ERP instances from 11.5.10.2 to R12.2.5.  One of the pre-upgrade steps is to execute the data fix script ap_wrg_11i_chrg_alloc_fix.sql.  However, this script has been running very very slow. After 4 weeks of monitoring, logging SRs with Oracle, escalating etc., we started a group chat today with our internal experts.  We had Ali, Germaine, Aditya, Mukhtiar, Martha Gomez and Zoltan.  I also invited our top notch EBS Techstack expert John Felix. After doing explain plan on the sql, Based on the updates being done by the query I predicted that it will take 65 days to complete.

John pointed out that the query was using the index AP_INVOICE_DISTRIBUTIONS_N4  that had a very high cost.  We used an sql profile that replaced AP_INVOICE_DISTRIBUTIONS_N4  with AP_INVOICE_DISTRIBUTIONS_U1.  The query started running faster and my new prediction was that it would complete in 5.45 days.

John mentioned that now another select statement was using the same index AP_INVOICE_DISTRIBUTIONS_N4 that had a very high cost.

After discussing among ourselves, we decided to drop the index, run the script and re-create the index. Aditya saved the definition of the index and dropped it.

DBMS_METADATA.GET_DDL('INDEX','AP_INVOICE_DISTRIBUTIONS_N4','AP')
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

  CREATE INDEX "AP"."AP_INVOICE_DISTRIBUTIONS_N4" ON "AP"."AP_INVOICE_DISTRIBUTIONS_ALL" ("ACCOUNTING_DATE")
  PCTFREE 10 INITRANS 11 MAXTRANS 255 COMPUTE STATISTICS
  STORAGE(INITIAL 131072 NEXT 131072 MINEXTENTS 1 MAXEXTENTS 2147483645
  PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1
  BUFFER_POOL DEFAULT FLASH_CACHE DEFAULT CELL_FLASH_CACHE DEFAULT)
  TABLESPACE "APPS_TS_TX_IDX"

1 row selected.

SQL> drop index AP.AP_INVOICE_DISTRIBUTIONS_N4;

Index dropped.

The updates started happening blazing fast.  The whole thing got done in 39 minutes and we saw the much awaited:

SQL> set time on
16:34:16 SQL> @ap_wrg_11i_chrg_alloc_fix.sql
Enter value for resp_name: Payables Manager
Enter value for usr_name: 123456
-------------------------------------------------------------------------------
/erp11i/applcsf/temp/9570496-fix-16:34:40.html is the log file created
-------------------------------------------------------------------------------

PL/SQL procedure successfully completed.

17:13:36 SQL>

From 65 days to 5.45 days to 39 minutes.  Remarkable.  Thank you John for your correct diagnosis and solution.
Categories: APPS Blogs

sqlplus core dumps with segmentation fault error in OEL 6.6 when you connect to DB

Vikram Das - Mon, 2015-11-16 16:23
We have used OEL 6.6 image in our latest build.  When we cloned an EBS R12.2 instance that was on OEL 5.7 to this new server that has OEL 6.6, During the clone, adcfgclone.pl was failing. On further checks, we discovered that sqlplus is crashing with segmentation fault error whenever we tried to connect to database:

sqlplus /nolog
conn apps/apps
Segmentation Fault

So, I suggested the DBAs to do strace sqlplus apps/apps.  The strace revealed many missing libraries:

We had another working OEL 6.4 instance where we checked for these libraries, and all of them were present.

The locate command was used to locate the full directory paths of the missing libraries

locate libnss_sss.so.2
/lib/libnss_sss.so.2

/lib/libnss_sss.so.2
/lib/libnss_files.so.2
/lib/libociei.so
/lib/libc.so.6
/lib/libgcc_s.so.1
/lib/libnsl.so.1
/lib/libpthread.so.0

Then rpm -qf command was used to find out the rpm that would have the library:

$ rpm -qf /lib/libnss_sss.so.2
sssd-client-1.11.6-30.el6_6.3.i686
$ rpm -qf /lib/libnss_files.so.2
glibc-2.12-1.149.el6_6.9.i686
$ rpm -qf /lib/libociei.so
error: file /lib/libociei.so: No such file or directory
$ rpm -qf /lib/libc.so.6
glibc-2.12-1.149.el6_6.9.i686
$ rpm -qf /lib/libgcc_s.so.1
libgcc-4.4.7-3.el6.i686
$ rpm -qf /lib/libnsl.so.1
glibc-2.12-1.149.el6_6.9.i686
$ rpm -qf /lib/libpthread.so.0
glibc-2.12-1.149.el6_6.9.i686
$ rpm -qf /lib/libm.so.6
glibc-2.12-1.149.el6_6.9.i686
$ rpm -qf /lib/libdl.so.2
glibc-2.12-1.149.el6_6.9.i686

Since 10.1.2 home is 32-bit in EBS R12.1 and 12.2, all the libraries needed to be 32-bit.

Except for sssd-client, the other rpms were present.  64-bit version of sssd-client was present and whenver we tried to install the 32-bit rpm it would give this error, as the operating system thinks that it is already installed:

# yum install sssd-client.i686
Loaded plugins: security
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package sssd-client.i686 0:1.12.4-47.el6 will be installed
--> Finished Dependency Resolution
Error:  Multilib version problems found. This often means that the root
       cause is something else and multilib version checking is just
       pointing out that there is a problem. Eg.:

         1. You have an upgrade for sssd-client which is missing some
            dependency that another package requires. Yum is trying to
            solve this by installing an older version of sssd-client of the
            different architecture. If you exclude the bad architecture
            yum will tell you what the root cause is (which package
            requires what). You can try redoing the upgrade with
            --exclude sssd-client.otherarch ... this should give you an error
            message showing the root cause of the problem.

         2. You have multiple architectures of sssd-client installed, but
            yum can only see an upgrade for one of those arcitectures.
            If you don't want/need both architectures anymore then you
            can remove the one with the missing update and everything
            will work.

         3. You have duplicate versions of sssd-client installed already.
            You can use "yum check" to get yum show these errors.

       ...you can also use --setopt=protected_multilib=false to remove
       this checking, however this is almost never the correct thing to
       do as something else is very likely to go wrong (often causing
       much more problems).

       Protected multilib versions: sssd-client-1.12.4-47.el6.i686 != sssd-client-1.11.6-30.el6_6.4.x86_64


# rpm -qa | grep sssd-client
sssd-client-1.11.6-30.el6_6.4.x86_64

Eventually we installed it with force option

# rpm -Uvh --force /tmp/sssd-client-1.11.6-30.el6_6.3.i686.rpm

# rpm -qa | grep sssd-client
sssd-client-1.11.6-30.el6_6.3.i686
sssd-client-1.11.6-30.el6_6.4.x86_64

pam-ldap was one of the other rpms that was installed for other missing libraries.  Surprisingly, sssd-client and pam-ldap rpms are not mentioned as pre-requisites in support.oracle.com article:
Oracle E-Business Suite Installation and Upgrade Notes Release 12 (12.2) for Linux x86-64 (Doc ID 1330701.1) 
Categories: APPS Blogs

twm: unable to open fontset "-adobe-helvetica-bold-r-normal--*-120-*-*-*-*-*-*"

Vikram Das - Mon, 2015-11-16 15:59
While launching twm, it gives this error and exits to unix prompt:

twm: unable to open fontset "-adobe-helvetica-bold-r-normal--*-120-*-*-*-*-*-*"

I found a solution on http://ubuntuforums.org/archive/index.php/t-1596636.html :

It was reported here for fedora: https://bugzilla.redhat.com/show_bug.cgi?id=509639. The workaround is to execute it with a specific shell variable:

$ LANG=C
$ export LANG
twm &

twm launches fine after this.
Categories: APPS Blogs

Oracle SSO Failure - Unable to process request Either the requested URL was not specified in terms of a fully-qualified host name or OHS single sign-on is incorrectly configured

Vikram Das - Sat, 2015-11-14 14:57
Today, during a cutover when we were moving one of our ERP instance on Cisco UCS VMware VMs to Exalogic and Exadata, I got a call from Bimal.  The extranet iSupplier URL had been configured, but whenever any user logged in, they were seeing the following error instead of the iSupplier OAF Home page:

Oracle SSO Failure - Unable to process request Either the requested URL was not specified in terms of a fully-qualified host name or OHS single sign-on is incorrectly configured

A search on support.oracle.com showed many hits.  I went through a few of them and ruled out the solutions given. This article sounded promising: Oracle SSO Failure - Unable to process request Either the requested URL was not specified in terms of a fully-qualified host name or OHS single sign-on is incorrectly configured (Doc ID 1474474.1).

The solution suggested:

There is  a hardware load-balancer for a multi-tier environment on place, as well as an SSL accelerator.

     For R12, there is a context variable, s_enable_sslterminator, that was set to "#".

     This should be null for e-Business R12 using specific hardwarementioned before.


1. Set  context variable, s_enable_sslterminator to null,

2. Re-ran autoconfig,

3. Re-test Single sign-ons via IE and Firefox now works as expected.

I asked the DBAs to check the value of s_enable_sslterminator:

grep s_enable_sslterminator

and sure enough the value was #

As per article Enabling SSL or TLS in Oracle E-Business Suite Release 12 (Doc ID 376700.1), the value of s_enable_sslterminator should be made null if you are using an SSL accelerator.  In our case we use SSL certificate on the Load Balancer and never on Web servers.

The DBAs removed the #
Ran autoconfig
Deregistered SSO
Registered SSO

The user was able to login after that.



Categories: APPS Blogs

Pages

Subscribe to Oracle FAQ aggregator - APPS Blogs