APPS Blogs

Multi-Element Arrangements

OracleApps Epicenter - Sat, 2015-11-07 07:10
Multi-element arrangement aka occurs when a vendor agrees to provide more than one product or a combination of products and services to a customer in an arrangement. Multi-element arrangements may include additional software products, rights to purchase additional software products at a significant incremental discount, specified upgrades or enhancements, hardware, PCS or other services. Multiple-element […]
Categories: APPS Blogs

How To Install Latest Verisign G5 Root Certificates

Vikram Das - Wed, 2015-10-21 16:48
Dhananjay pinged me today and told me that for their Paypal integration, they had to upgrade to Verisign G5 root certificate.  This was the message from Paypal:

Global security threats are constantly changing, and the security of our merchants continues to be our highest priority. To guard against current and future threats, we are encouraging our merchants to make the following upgrades to their integrations:
  1. Update your integration to support certificates using the SHA-256 algorithm. PayPal is upgrading SSL certificates on all Live and Sandbox endpoints from SHA-1 to the stronger and more robust SHA-256 algorithm.
  2. Discontinue use of the VeriSign G2 Root Certificate. In accordance with industry standards, PayPal will no longer honor secure connections that require the VeriSign G2 Root Certificate for trust validation. Only secure connection requests that are expecting our certificate/trust chain to be signed by the G5 Root Certificate will result in successful secure connections.
For detailed information on these changes, please reference the Merchant Security System Upgrade Guide. For a basic introduction to internet security, we also recommend these short videos on SSL Certificates and Public Key Cryptography.

There is a article published on October 16, 2015 which has detailed steps for 11i and R12.1:

How To Install Latest Verisign Root Certificates For Use With Paypal SDK 4.3.X (Doc ID 874433.1)

The Verisign G5 root certificate can be downloaded from:

Paypal Microsite about this change:

Useful Links
Categories: APPS Blogs

Apple Logo

iAdvise - Wed, 2015-10-21 08:00
As simple as it is the story about the Apple Logo inspiration is quite true because there are very many people who have done research on the same and ended up with this result. This actually triggered some emotions from a number of people who said that the story was quite touching and they would have never thought of it in that way. There are still a few people however who still believe that it is a myth. This is probably because there are very many theories that have been made up on the topic.

Apple is arguably one of the best mobile phone brands that are found in the market today. The company is always rolling out new versions of the phone which come with better specs so that they can fit in the ever changing technology world. There are numerous versions that people have come up with as to the origin of the Logo inspiration. Below however you will find the real story behind it to know how it really came about.

Apple LogoApple LogoApple LogoApple LogoApple LogoApple Logo

A gentleman by the name John Kates claimed that the Apple Logo found on the back of the Mac or iPhone was done as a tribute to another gentleman who was known as Alan Turing. Turing was the made who laid the foundations that are used for modern day computers. He pioneered research into artificial intelligence and also unlocked the codes used for German wartime. He died ten years after the war had ended and provided the links with the brand. Facing jail being charged with indecency, unrecognized for his great work and humiliated by the estrogen injections he was given in a bid to "cure" his sexuality are some of the frustrations that made him bit into an apple that had been laced with cyanide.

Alan Turing dies on 7th June 1954 in obscurity exactly ten years and a day after Normady landings. These made copious use of the intelligence that has been gleaned by his methods. Before iOS7 was introduced to the market the story goes on about how two entrepreneurs in Stanford were searching for a logo that would be used for their new computer company. After some time they remembered the contribution that Turing had made to the industry and thus decided to work with an Apple. This was not a full one but one that had been bitten.

Some of the theories that have been advanced in regards to apple is that the founders used the theme of the first people (Adam and Eve) when eve bit the apple. Others refer to the fruit as the one that helped Sir Isaac Newton to develop the concept of gravity. Supporters of the latter believe that the logo was first known as the Newton before it changed its name. This can however be challenged because it happened more than ten years after the logo had already been created. The developer however does away with the two theories and tends to agree with the Turing version and says that it is an incredible urban legend.
Categories: APPS Blogs

sftp failure due to newline character difference between windows and unix.

Vikram Das - Fri, 2015-10-09 21:36
Recently I spent almost a full day struggling to make out, why an sftp connection would not work without password, after setting up ssh equivalence.  The keys were correct, the permissions on the directories were correct.  The authorized_keys file looked ok.  I copied the authorized_keys file of another account that was working fine.  When I replaced the authorized_keys after taking backup of original authorized_keys, it started working.  So then I proceeded to check the contents in a hex editor

On the left side you have the authorized_keys file created in Windows.
On the right side you have the same authorized_keys file created in Unix.

If you notice the ends of the lines in the Windows file it shows CR LF, where as unix shows LF.

This difference is well described in the wikipedia article on newline character.

The one mistake I had done this time was create the authorized_keys file in Windows notepad, as I was teaching a Developer how to create authorized_keys file.  Once I used vi on unix to create the authorized_keys file and pasted the same ssh key, sftp started working without prompting for password.  I know that Windows/DOS and Unix have different newline characters.  However, I was not able to apply that knowledge, till I compared the files in hex editor.

Whenever, a techie is able to get to the root cause of a problem, a deep sense of satisfaction is experienced.  I am glad I got the opportunity to troubleshoot and fix the issue by getting to the root cause of the issue.
Categories: APPS Blogs

DAM tools, IBM Guardium, Oracle E-Business Suite, PeopleSoft and SAP

A question we have answered a few times in the last few months is whether or not, and if so, how easy do Database Activity Monitoring (DAM) tools such as IBM Guardium support ERP platforms such as the Oracle E-Business Suite, PeopleSoft and SAP. The answer is yes; DAM tools can support ERP systems. For example, IBM Guardium has out-of-the-box policies for both the E-Business Suite and SAP – see figures one and two below.

There are many advantages to deploying a DAM solution to protect your ERP platform, the first being additional defense-in-depth for one of your most critical assets. You can read more here ( Integrigy Guide to Auditing and Logging in Oracle E-Business Suite)  about Integrigy’s recommendations for database security programs. DAM solutions allow for complex reporting as well as 24x7 monitoring and easy relaying of alerts to your SIEM (e.g. Splunk or ArcSight).

Deploying DAM solutions to protect your SAP, PeopleSoft or E-Business Suite is a not-plug-and-play exercise. IBM Guardium’s out-of-the-box policies for the E-Business Suite require configuration to be of any value – see figure three below. The out-of-the-box DAM policies are a good starting point and Integrigy rarely sees them implemented as is. Integrigy also highly recommends, if at all possible, to complete a sensitive data discovery project prior to designing your initial DAM policies. Such projects greatly help to define requirements as well as offer opportunities for data clean up.

Overall, to design and implement an initial set of Guardium policies for the E-Business Suite (or any other ERP package) is usually a few weeks of effort depending on your size and complexity.

If you have any questions, please contact us at

Figure 1- Seeded Guardium Policies for EBS and SAP

Figure 2- Guardium E-Business Suite PCI Policy

Figure 3- Example of Blank Configuration




Auditing, Oracle E-Business Suite, IBM Guardium
Categories: APPS Blogs, Security Blogs

Copycat blog

Vikram Das - Tue, 2015-09-15 03:50
While doing a google search today I noticed that there is another blog that has copied all content from my blog and posted it as their own content and even kept a similar sounding name: .  I have made a DMCA complaint to google about this.  The google team asked me to provide a list of URLs.  I had to go through the copycat's whole blog and create a spreadsheet with two columns. One column with URL of my original post and second column with the URL of the copycat's blog.  There were 498 entries.  I patiently did it and sent the spreadsheet to google team and got a reply within 2 hours:

In accordance with the Digital Millennium Copyright Act, we have completed processing your infringement notice. We are in the process of disabling access to the content in question at the following URL(s):

The content will be removed shortly.

The Google Team 
Categories: APPS Blogs

A week with Apple Watch: From Cynic to Believer

David Haimes - Wed, 2015-07-01 09:50

I had convinced myself the Apple Watch was an overpriced fitness band and that it wasn’t for me and was set to get a Garmin to track my running instead.  Then out of the blue I was given an Apple Watch.  So you can certainly put me down as a cynic, but I certainly like to think I am open minded, so here are my thoughts after a week with the watch.

The experience of getting it set up was surprisingly frustrating, I had to upgrade my phone to iOS 8 before I could activate the watch and that meant deleting things to free a few Gb of memory (to upgrade my Operating System, really?).  So everything had to wait until after I got home and backed up my phone.

First I got this rather cool visual on my watch to scan with the phone and then it was paired and I got this screen telling me the model that I had bought.  OK so I still could not get the time from this watch and I have had the thing all day, I’m getting a little impatient at this point.

watch pairingwatch pairing 2

After waiting about 5 minutes for it to synch, suddenly a load of my apps, including my email, texts, calendar, twitter fitness apps and more are available on my watch.  This is about to get interesting.

The first thing I noticed is that it is actually really easy to ready and see at a glance the notifications that are sent to your watch, such as Calendar reminders, text messages and Oracle Social Network updates (glad to see we are quick to the new platform with our own mobile apps).  This is good for me, I get a lot of these alerts and I found a glance at my wrist was much nicer than pulling out my phone and unlocking it and starting at it.  This sounds like a very small thing, but it is these small improvements in frequent interactions that make for a great user experience.  I also agree with Jeremy Ashley about the huge value in being able to retain eye contact, notifications on my watch are far less obtrusive and the glance at my wrist it is a great experience.

So I wanted to try using it for some different things so I decided to test out text messages first, a quick SMS to respond to my wife’s text ‘ETA?’ to let her know what time I am planning to get home.

My wife and I prefer very efficient communications.

My wife and I prefer very efficient communications.

So I tap once on that nice Reply button


I can now either pick from a set of pre-defined responses and they would be sent without any other interaction from me. However I like the personal touch, this is my wife after all, so I decide I will click on the microphone icon to dictate a response.  I speak in my answer and see the sound wave at the bottom and the text comes up perfectly first time.


So now I click done and get a really option to either send the audio or to just tap on the text and send that.  This is a great feature if maybe the voice to text didn’t work properly and I don’t want to waste time correcting it or speaking it again.


After tapping on the text I am now done.  The whole interaction was very fast and felt very natural.  At this point I am really starting to like the Apple Watch.  In the next few days I try driving directions, twitter, my calendar, a variety of fitness apps and more and pretty much across the board I find the interactions are natural and quick and the fact I have to pull out my phone less is a much bigger deal than I expected.  I find I can glance down at my watch see a text or meeting reminder and carry on a conversation in a way that was not really possible if I had to pull my phone out.  The one app I haven’t yet mentioned is the time, I haven’t worn a watch for over 10 years and I have realized in the last week it’s much easier to glance at my wrist than to pull out my phone – who knew?

Categories: APPS Blogs

Server refused public-key signature despite accepting key!

Vikram Das - Mon, 2015-06-22 12:23
A new SFTP connection was not working, even though everything looked fine:

1. Permissions were correct on directories:
chmod go-w $HOME/
chmod 700 $HOME/.ssh
chmod 600 $HOME/.ssh/authorized_keys
chmod 600 $HOME/.ssh/id_rsa
chmod 644 $HOME/.ssh/
chmod 644 $HOME/.ssh/known_hosts

2. Keys were correctly placed

However, it still asked for password, whenever SFTP connection was done:

Using username "sftpuser".
Authenticating with public key "rsa-key-20150214"
Server refused public-key signature despite accepting key!
Using keyboard-interactive authentication.

I tried various things, none worked and I eventually went back to my notes for SFTP troubleshooting:

1. Correct Permissions
chmod go-w $HOME/
chmod 700 $HOME/.ssh
chmod 600 $HOME/.ssh/authorized_keys
chmod 600 $HOME/.ssh/id_rsa
chmod 644 $HOME/.ssh/
chmod 644 $HOME/.ssh/known_hosts

2. Make sure the owner:group on the directories and files is correct:

ls -ld  $HOME/
ls -ld  $HOME/.ssh
ls -ltr $HOME/.ssh

3. Login as root

chown user:group $HOME 
chown user:group $HOME/.ssh
chown user:group $HOME/.ssh/authorized_keys
chown user:group $HOME/.ssh/id_rsa
chown user:group $HOME/.ssh/
chown user:group $HOME/.ssh/known_hosts

4. Check for user entries in /etc/passwd and /etc/shadow

5. grep user /etc/shadow

When I did the 5th step, I found that /etc/shadow entry for the user didn't exist.  So I did these steps:

chmod 600 /etc/shadow
vi /etc/shadow
Insert this new line at the end
Save File
chmod 400 /etc/shadow

It started working after that.

Categories: APPS Blogs

java.sql.SQLException: Invalid number format for port number

Vikram Das - Wed, 2015-05-13 18:11
Jim pinged me with this error today:

on ./ i get
Creating the DBC file...
java.sql.SQLRecoverableException: No more data to read from socket raised validating GUEST_USER_PWD
java.sql.SQLRecoverableException: No more data to read from socket
Updating Server Security Authentication
java.sql.SQLException: Invalid number format for port number
Database connection to jdbc:oracle:thin:@host_name:port_number:database failed
to this point, this is what i've tried.
clean, autoconfid on db tier, autoconfig on cm same results
bounced db and listener.. same thing.. nothing i've done has made a difference

I noticed that when this error was coming the DB alert log was showing:

Wed May 13 18:50:51 2015
Exception [type: SIGSEGV, Address not mapped to object] [ADDR:0x8] [PC:0x10A2FFB
C8, joet_create_root_thread_group()+136] [flags: 0x0, count: 1]
Errors in file /r12.1/admin/diag/rdbms/erp/erp/trace/erp_ora_14528.trc  (incident=1002115):
ORA-07445: exception encountered: core dump [joet_create_root_thread_group()+136
] [SIGSEGV] [ADDR:0x8] [PC:0x10A2FFBC8] [Address not mapped to object] []
Incident details in: /r12.1/admin/diag/rdbms/erp/erp/incident/incdir_1002115/erp_ora_14528_i1002115.trc

Metalink search revealed this article:

Java Stored Procedure Fails With ORA-03113 And ORA-07445[JOET_CREATE_ROOT_THREAD_GROUP()+145] (Doc ID 1995261.1)

It seems that the post patch steps for a PSU OJVM patch were not done.  We followed the steps given in above note were note completed. We completed these and completed successfully after that.

1.set the following init parameters so that JIT and job process do not start.

If spfile is used:

SQL> alter system set java_jit_enabled = FALSE;
SQL> alter system set "_system_trig_enabled"=FALSE;
SQL> alter system set JOB_QUEUE_PROCESSES=0;

2. Startup instance in restricted mode and run postinstallation step.

SQL> startup restrict

3.Run the postinstallation steps of OJVM PSU(Step 3.3.2 from readme)
The following steps load modified SQL files into the database. For an Oracle RAC environment, perform these steps on only one node.
  1. Install the SQL portion of the patch by running the following command. For an Oracle RAC environment, reload the packages on one of the nodes.
2. cd $ORACLE_HOME/sqlpatch/19282015
3. sqlplus /nolog
5. SQL> @postinstall.sql
  1. After installing the SQL portion of the patch, some packages could become INVALID. This will get recompiled upon access or you can run utlrp.sql to get them back into a VALID state.
7. cd $ORACLE_HOME/rdbms/admin
8. sqlplus /nolog
SQL> @utlrp.sql

4. Reset modified init parameters

SQL> alter system set java_jit_enabled = true;
SQL> alter system set "_system_trig_enabled"=TRUE;
SQL> alter system set JOB_QUEUE_PROCESSES=10;
        -- or original JOB_QUEUE_PROCESSES value

5.Restart instance as normal
6.Now execute the Java stored procedure.

Ran and it worked fine.
Categories: APPS Blogs

R12.2 Single file system

Vikram Das - Thu, 2015-04-30 00:21
With the release of AD and TXK Delta 6, Oracle has provided the feature of single file system on development instances for R12.2. Here's what they have mentioned in article: Oracle E-Business Suite Applications DBA and Technology Stack Release Notes for R12.AD.C.Delta.6 and R12.TXK.C.Delta.6 (Doc ID 1983782.1)
Enhancements in AD and TXK Delta 6

4. New and Changed Features
Oracle E-Business Suite Technology Stack and Oracle E-Business Suite Applications DBA contain the following new or changed features in R12.AD.C.Delta.6 and R12.TXK.C.Delta.6.
4.1 Support for single file system development environments
  • A normal Release 12.2 online patching environment requires one application tier file system for the run edition, and another for the patch edition. This dual file system architecture is fundamental to the patching of Oracle E-Business Suite Release 12.2 and is necessary for production environments and test environments that are meant to be representative of production. This enhancement makes it possible to have a development environment with a single file system, where custom code can be built and tested. A limited set of adop phases and modes are available to support downtime patching of such a development environment. Code should then be tested in standard dual file system test environments before being applied to production.
More details are provided in Oracle E-Business Suite Maintenance Guide, Chapter: Patching Procedures): 

Support for Single File System Development Environments
A normal Release 12.2 online patching environment requires two application tier file systems, one for the run edition and another for the patch edition. This dual file system architecture is fundamental to patching of Oracle E-Business Suite Release 12.2, and is necessary both for production environments and test environments that are intended to be representative of production. This feature makes it possible to create a development environment with a single file system, where custom code can be built and tested. The code should then always be tested in a standard dual file system test environment before being applied to production.
You can set up a single file system development environment by installing Oracle E-Business Suite Release 12.2 in the normal way, and then deleting the $PATCH_BASE directory with the command:
$ rm -rf $PATCH_BASE
A limited set of adop phases and modes are available to support patching of a single file system development environment. These are:
·         apply phase in downtime mode
·         cleanup phase
Specification of any other phase or mode will cause adop to exit with an error.
The following restrictions apply to using a single file system environment:
·         You can only use a single file system environment for development purposes.
·         You cannot use online patching on a single file system environment.
·         You can only convert an existing dual file system environment to a single file system: you cannot directly create a single file system environment via Rapid Install or cloning.
·         There is no way to convert a single file system environment back into a dual file system.

·         You cannot clone from a single file system environment.
Categories: APPS Blogs

You Are Trying To Access a Page That Is No Longer Active.The Referring Page May Have Come From a Previous Session. Please Select Home To Proceed

Vikram Das - Wed, 2015-04-15 17:06
Shahed pinged me about this error.  It was coming after logging in.  This R12.1.3 instance had just migrated from an old server to a new one. Once you logged in this error would be displayed:

You Are Trying To Access a Page That Is No Longer Active.The Referring Page May Have Come From a Previous Session. Please Select Home To Proceed

The hits on were not helpful, but a gave a clue that it may have something to do with session cookie.  So I used Firefox to check http headers.  If you press Ctrl+Shift+K, you will get a panel at the bottom of the browser. Click on Network tab, click on the AppsLocalLogin.jsp and on the right side of the pane, you'll see a cookie tab.

The domain appearing in the cookie tab was from the old server.  So I checked:

select session_cookie_domain from icx_parameters;

So I nullified it:

update icx_parameters set session_cookie_domain=null;


Restarted Apache

cd $ADMIN_SCRIPTS_HOME stop start

No more error.  I was able to log in and so was Shahed.
Categories: APPS Blogs

Chrome and E-Business Suite

Vikram Das - Wed, 2015-04-15 13:23
Dhananjay came to me today.  He said that his users were complaining about forms not launching after upgrading to the latest version of Chrome. On launching forms they got this error:

/dev60cgi/oracle forms engine Main was not found on this server

I recalled that Google Chrome team had announced that they would not support java going forward. Googling with keywords chrome java brought this page:

It states that:

NPAPI support by Chrome
The Java plug-in for web browsers relies on the cross platform plugin architecture NPAPI, which has long been, and currently is, supported by all major web browsers. Google announced in September 2013 plans to remove NPAPI support from Chrome by "the end of 2014", thus effectively dropping support for Silverlight, Java, Facebook Video and other similar NPAPI based plugins. Recently, Google has revised their plans and now state that they plan to completely remove NPAPI by late 2015. As it is unclear if these dates will be further extended or not, we strongly recommend Java users consider alternatives to Chrome as soon as possible. Instead, we recommend Firefox, Internet Explorer and Safari as longer-term options. As of April 2015, starting with Chrome Version 42, Google has added an additional step to configuring NPAPI based plugins like Java to run — see the section Enabling NPAPI in Chrome Version 42 and later below.
Enabling NPAPI in Chrome Version 42 and later
As of Chrome Version 42, an additional configuration step is required to continue using NPAPI plugins.
  1. In your URL bar, enter:
  2. Click the Enable link for the Enable NPAPI configuration option.
  3. Click the Relaunch button that now appears at the bottom of the configuration page.
Developers and System administrators looking for alternative ways to support users of Chrome should see this blog, in particular "Running Web Start applications outside of a browser" and "Additional Deployment Options" section.
Once Dhananjay did the above steps, Chrome started launching forms again.  He quickly gave these steps to all his users who had upgraded to the latest version of Chrome (version 42) and it started working form them too.
Oracle doesn't certify E-Business Suite forms on Chrome.  Only self service pages of E-Business Suite are certified on Google Chrome.
Categories: APPS Blogs

opatch hangs on /sbin/fuser oracle

Vikram Das - Sat, 2015-04-11 19:30
Pipu pinged me today about opatch hanging. The opatch log showed this:

[Apr 11, 2015 5:24:13 PM]    Start fuser command /sbin/fuser $ORACLE_HOME/bin/oracle at Sat Apr 11 17:24:13 EDT 2015

I had faced this issue once before, but was not able to recall what was the solution.  So I started fresh.

As oracle user:

/sbin/fuser $ORACLE_HOME/bin/oracle hung

As root user

/sbin/fuser $ORACLE_HOME/bin/oracle hung

As root user

lsof hung.

Google searches about it brought up a lot of hits about NFS issues.  So I did df -h.

df -h also hung.

So I checked /var/log/messages and found many messages like these:

Apr 11 19:44:42 erpserver kernel: nfs: server not responding, still trying

That server has a mount called /R12.2stage that has the installation files for R12.2.

So I tried unmounting it:

umount /R12.2stage
Device Busy

umount -f /R12.2stage
Device Busy

umount -l /R12.2stage

df -h didn't hang any more.

Next I did strace /sbin/fuser $ORACLE_HOME/bin/oracle and it stopped here:

open("/proc/12854/fdinfo/3", O_RDONLY)  = 7
fstat(7, {st_mode=S_IFREG|0400, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b99de014000
read(7, "pos:\t0\nflags:\t04002\n", 1024) = 20
close(7)                                = 0
munmap(0x2b99de014000, 4096)            = 0
getdents(4, /* 0 entries */, 32768)     = 0
close(4)                                = 0
stat("/proc/12857/", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
open("/proc/12857/stat", O_RDONLY)      = 4
read(4, "12857 (bash) S 12853 12857 12857"..., 4096) = 243
close(4)                                = 0
readlink("/proc/12857/cwd", " (deleted)"..., 4096) = 27
rt_sigaction(SIGALRM, {0x411020, [ALRM], SA_RESTORER|SA_RESTART, 0x327bc30030}, {SIG_DFL, [ALRM], SA_RESTORER|SA_RESTART, 0x327bc30030}, 8) = 0
alarm(15)                               = 0
write(5, "@\20A\0\0\0\0\0", 8)          = 8
write(5, "\20\0\0\0", 4)                = 4
write(5, "/proc/12857/cwd\0", 16)       = 16
write(5, "\220\0\0\0", 4)               = 4

It stopped here. So I did Ctrl+C
# ps -ef |grep 12857
oracle   12857 12853  0 Apr10 pts/2    00:00:00 -bash
root     21688  2797  0 19:42 pts/8    00:00:00 grep 12857

Killed this process

# kill -9 12857

Again I did strace /sbin/fuser $ORACLE_HOME/bin/oracle and it stopped at a different process this time that was another bash process.  I killed that process also.

I executed it for 3rd time: strace /sbin/fuser $ORACLE_HOME/bin/oracle

This time it completed.

Ran it without strace

/sbin/fuser $ORACLE_HOME/bin/oracle

It came out in 1 second.

Then I did the same process for lsof

strace lsof

and killed those processes were it was getting stuck.  Eventually lsof also worked.

Pipu retried opatch and it worked fine.

Stale NFS mount was the root cause of this issue.  It was stale because the source server was down for Unix security patching during weekend.

Categories: APPS Blogs

Come See Integrigy at Collaborate 2015

Come see Integrigy's session at Collaborate 2015 in Las Vegas ( Integrigy is presenting the following paper:

IOUG #763
Detecting and Stopping Cyber Attacks against Oracle Databases
Monday, April 13th, 9:15 - 11:30 am
North Convention, South Pacific J

If you are going to Collaborate 2015, we would also be more than happy to talk with you about your Oracle security or questions. If you would like to talk with us while at Collaborate, please contact us at

Categories: APPS Blogs, Security Blogs hangs

Vikram Das - Fri, 2015-04-03 20:26
Rajesh and Shahed called me about this error where after a reboot of the servers, wouldn't start.  It gave errors like these:

You are running version 120.6.12000000.3 
Starting OPMN managed OAFM OC4J instance ... exiting with status 152 check the logfile 
$INST_TOP/logs/appl/admin/log/adoafmctl.txt for more information

adoafmctl.txt showing:
--> Process (index=1,uid=349189076,pid=15039)
time out while waiting for a managed process to start
07/31/09-09:14:28 :: exiting with status 152
07/31/09-09:14:40 :: version 120.6.12000000.3
07/31/09-09:14:40 :: Checking the status of OPMN managed OAFM OC4J instance
Processes in Instance: SID_machine.machine.domain
ias-component | process-type | pid | status
default_group | oafm | N/A | Down


1. Shutdown all Middle tier services and ensure no defunct processes exist running the following from the operating system:
# ps -ef | grep

If one finds any, kill these processes.
2. Navigate to $INST_TOP/ora/10.1.3/opmn/logs/states directory. It contains hidden file .opmndat:
# ls -lrt .opmndat
3. Delete this file .opmndat after making a backup of it:
# rm .opmndat
4. Restart the services.

5. Re-test the issue.

This resolved the issue.
Categories: APPS Blogs

R12.2 Documentation link in html format

Vikram Das - Mon, 2015-03-23 20:35
This link has the R12.2 documentation in HTML format: 
Categories: APPS Blogs

The EBS Technology Codelevel Checker (available as Patch 17537119) needs to be run on the following nodes

Vikram Das - Sun, 2015-03-01 14:53
I got this error while upgrading an R12.1.3 instance to R12.2.4, when I completed AD.C.Delta 5 patches with November 2014 bundle patches for AD.C and was in the process of applying TXK.C.Delta5 with November 2014 bundle patches for TXK.C :

Validation successful. All expected nodes are listed in ADOP_VALID_NODES table.
[START 2015/03/01 04:53:16] Check if services are down
        [INFO] Run admin server is not down
     [WARNING]  Hotpatch mode should only be used when directed by the patch readme.
  [EVENT]     [START 2015/03/01 04:53:17] Performing database sanity checks
    [ERROR]     The EBS Technology Codelevel Checker (available as Patch 17537119) needs to be run on the following nodes: .
    Log file: /erppgzb1/erpapp/fs_ne/EBSapps/log/adop/adop_20150301_045249.log

[STATEMENT] Please run adopscanlog utility, using the command

"adopscanlog -latest=yes"

to get the list of the log files along with snippet of the error message corresponding to each log file.

adop exiting with status = 1 (Fail)

I was really surprised as I had already run EBS technology codelevel checker (patch 17537119) script on racnode1.

To investigate I checked inside and found that it create a table called TXK_TCC_RESULTS.  

SQL> desc txk_tcc_results
 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 TCC_VERSION                               NOT NULL VARCHAR2(20)
 BUGFIX_XML_VERSION                        NOT NULL VARCHAR2(20)
 NODE_NAME                                 NOT NULL VARCHAR2(100)
 DATABASE_NAME                             NOT NULL VARCHAR2(64)
 COMPONENT_NAME                            NOT NULL VARCHAR2(10)
 COMPONENT_VERSION                         NOT NULL VARCHAR2(20)
 COMPONENT_HOME                                     VARCHAR2(600)
 CHECK_DATE                                         DATE
 CHECK_RESULT                              NOT NULL VARCHAR2(10)
 CHECK_MESSAGE                                      VARCHAR2(4000)

SQL> select node_name from txk_tcc_results;


I ran again, but the patch failed again with previous error:

   [ERROR]     The EBS Technology Codelevel Checker (available as Patch 17537119) needs to be run on the following nodes: .

It was Saturday 5 AM already working through the night.  So I thought, it is better to sleep now and tackle this on Sunday.  On Sunday morning after a late breakfast, I looked at the problem again.  This time, I realized that the error was complaining about racnode1 (in lower case) and the txk_tcc_results table had RACNODE1(in upper case).  To test my hunch, I immediately updated the value:

update txk_tcc_results
set node_name='racnode1' where node_name='RACNODE1';


I restarted the patch, and it went through.  Patch was indeed failing because it was trying to look for a lower case value.  I will probably log an SR with Oracle, so that they change their code to make the node_name check case insensitive.

Further, I was curious, why node_name was stored in all caps in fnd_nodes and txk_tcc_results.  The file /etc/hosts had it in lowercase.  I tried the hostname command on linux prompt:

$ hostname

That was something unusual, as in our environment, hostname always returns the value in lowercase.  So I further investigated.
[root@RACNODE1 ~]# sysctl kernel.hostname
kernel.hostname = RACNODE1

So I changed it

[root@RACNODE1 ~]# sysctl kernel.hostname=RACNODE1
kernel.hostname = racnode1
[root@RACNODE1 ~]# sysctl kernel.hostname
kernel.hostname = racnode1
[root@RACNODE1 ~]#
[root@RACNODE1 ~]# hostname

Logged in again to see if root prompt changed:

[root@racnode1 ~]#

I also checked
[root@tsgld5811 ~]# cat /etc/sysconfig/network

Changed it here also:
[root@tsgld5811 ~]# cat /etc/sysconfig/network

I also changed it on racnode2.
Categories: APPS Blogs

cannot set user id: Resource temporarily unavailable or Fork: Retry: Resource Temporarily Unavailable

Vikram Das - Tue, 2015-02-24 10:01
Amjad reported this error while trying to login to the server:

cannot set user id: Resource temporarily unavailable

In the past he had reported this error:

Fork: Retry: Resource Temporarily Unavailable

This is due to the fact that the user has run out of free stacks.  In OEL 6.x , the stack setting is not done in /etc/security/limits.conf but in the file:


The default content in the file is:

cat /etc/security/limits.d/90-nproc.conf
# Default limit for number of user's processes to prevent
# accidental fork bombs.
# See rhbz #432903 for reasoning.

*          soft    nproc     1024
root       soft    nproc     unlimited

I changed this to:

$ cat /etc/security/limits.d/90-nproc.conf
# Default limit for number of user's processes to prevent
# accidental fork bombs.
# See rhbz #432903 for reasoning.

*          soft    nproc     16384
root       soft    nproc     unlimited

As soon as this change was made, Amjad was able to login.

Categories: APPS Blogs


Subscribe to Oracle FAQ aggregator - APPS Blogs