当我们对EBS生产环境克隆出一套测试环境,怎么清楚生产上所有的密码认证呢?
确保应用层的进程都停下来了,数据库是OPEN的。
第一步,清除生产密码 Step1 - Clear All Credentials
su - ora
如果还没克隆,那么在<RDBMS_ORACLE_HOME>下还没生成<SID>.env文件,那么至少要有这些环境变量:
export ORACLE_SID=<sid>
export ORACLE_HOME=<db-oraclehome>
export PATH=$ORACLE_HOME/bin
unset TWO_TASK
sqlplus ‘as sysdba‘<<EOF
REM Clear all production credentials from the cloned database
update SYS.user$ set
password = translate(password,‘0123456789ABCDEF‘,‘0000000000000000‘)
where type#=1 and length(password) = 16
/
update APPLSYS.FND_ORACLE_USERID set
ENCRYPTED_ORACLE_PASSWORD=‘INVALID‘
/
update APPLSYS.FND_USER set
ENCRYPTED_FOUNDATION_PASSWORD=‘INVALID‘,
ENCRYPTED_USER_PASSWORD=‘INVALID‘
/
commit;
EOF
第二步,重新建立密码认证,确保期间没有报错,并且最后两个输出都是Y。Step 2 - Re-establish Bootstrap Credentials
The database at the moment has no credentials. Now log on as "SYS" with operation system authentication. This will allow you to establish new credentials.
su - ora
sqlplus ‘/as sysdba‘<<EOF
REM Set a new password for a few initial database users
alter user SYS identified by CLONE;
alter user SYSTEM identified by CLONE;
alter user APPLSYSPUB identified by CLONE;
alter user APPLSYS identified by CLONE;
alter user APPS identified by CLONE;
update APPLSYS.FND_ORACLE_USERID set
ENCRYPTED_ORACLE_PASSWORD=‘CLONE‘
where ORACLE_USERNAME = ‘APPLSYSPUB‘
/
REM Provide boot-strap info for FNDCPASS...
update APPLSYS.FND_ORACLE_USERID set
ENCRYPTED_ORACLE_PASSWORD=‘ZG‘ ||
‘B27F16B88242CE980EF07605EF528F9391899B09552FD89FD‘ ||
‘FF43E4DDFCE3972322A41FBB4DDC26DDA46A446582307D412‘
where ORACLE_USERNAME = ‘APPLSYS‘
/
update APPLSYS.FND_ORACLE_USERID set
ENCRYPTED_ORACLE_PASSWORD=‘ZG‘ ||
‘6CC0BB082FF7E0078859960E852F8D123C487C024C825C0F9‘ ||
‘B1D0863422026EA41A6B2B5702E2299B4AC19E6C1C23333F0‘
where ORACLE_USERNAME = ‘APPS‘
/
commit;
conn APPS/CLONE
select APPS.fnd_web_sec.change_guest_password( ‘CLONE‘, ‘CLONE‘ ) "RES" from dual;
commit;
select APPS.fnd_web_sec.change_password(‘SYSADMIN‘,‘CLONE‘) "RES" from dual;
commit;
EOF
第三步,产生修改其余用户的脚本,假如不想修改其他用户的密码,可以不做。
ATTENTION :
It has been identified, that some Customers running into an error for the SQL PLus command
select APPS.fnd_web_sec.change_password(‘SYSADMIN‘,‘CLONE‘) "RES" from dual;
In this case, please check Note 1350776.1 for the solution, before your are going ahead with the next steps !
Now we have completed establishing a set of bootstrap EBS credentials in the database.
现在我们已经完成一系列的在数据库中的EBS引导认证。
Step 3 - Prepare Scripts for Setting Additional Passwords
su - ora
sqlplus ‘/as sysdba‘ <<EOF
REM Prepare SQL and SHELL scripts to set more passwords later
spool step3.lst
REM Generate a sql script to set password for db users not managed with EBS
select ‘alter user "‘|| USERNAME ||‘" identified by CLONE; ‘
from SYS.DBA_USERS
where USERNAME not in (select ORACLE_USERNAME from APPLSYS.FND_ORACLE_USERID)
and USERNAME not in (‘SYS‘,‘SYSTEM‘);
REM Generate a shell script to set password for all base product schemas
select ‘FNDCPASS apps/clone 0 Y system/clone ALLORACLE clone‘ from dual;
REM Generate a shell script to set password for non-EBS db users managed with EBS
select ‘FNDCPASS apps/clone 0 Y system/clone ORACLE "‘ ||
replace(ORACLE_USERNAME,‘$‘,‘\$‘) || ‘" clone‘
from APPLSYS.FND_ORACLE_USERID
where READ_ONLY_FLAG = ‘X‘
and ORACLE_USERNAME in (select USERNAME from SYS.DBA_USERS);
REM Generate a shell script to set password for APPS/APPLSYS/APPM_mrc db users
select ‘FNDCPASS apps/clone 0 Y system/clone SYSTEM APPLSYS clone‘ from dual;
REM Generate scripts for steps 4 & 5
spool off
HOST grep ‘^alter user ‘ step3.lst > dbusers4.sql
HOST grep ‘^FNDCPASS ‘ step3.lst > dbusers5.sh
exit
EOF
第四步,跑第3步产生的脚本dbusers4.sql
su - ora
sqlplus ‘/as sysdba‘<<EOF
start dbusers4.sql
exit
EOF
第五步,Step 5 - Assign New Passwords to All Schemas Managed with EBS
在应用层,用appl用户跑第3步做出的脚本,dbusers5.sh
This step uses the "FNDCPASS" command to set the passwords for all the EBS managed schemas and all the base product schemas. The "FNDCPASS" must be run from an application tier node.(Any node with an APPL_TOP file
system.)
You will need to locate and copy the "dbusers5.sh" script from the directory where it was created in Step 3. Again, as with any dynamcially generated scripts that you run on your system, you should review the contents
of the file before running it.
To verify that you have assigned passwords to all the database users, run the following query and ensure that it does not return any rows:
select USERNAME,PASSWORD from DBA_USERS where PASSWORD=‘0000000000000000‘;
为了验证所有数据库用户的密码都被改过来了,可以用
select USERNAME,PASSWORD from DBA_USERS where PASSWORD=‘0000000000000000‘;
当然,如果你不喜欢用clone作为密码,可以登陆form的define user或者用fndcpass工具再将密码改过来。
su - appl
FNDCPASS apps/clone 0 Y system/clone USER <username> <password>
第六步,在你真正启动应用层进程前,还要做这些配置,然后执行autoconfig。
[[email protected] erpp1]# su - appl
[[email protected] ~]$ echo $GWYUID
APPLSYSPUB/PUB
[[email protected] ~]$
[[email protected] ~]$ echo $CONTEXT_FILE
/u01/erpp1/inst/apps/erpp1_erpp1/appl/admin/erpp1_erpp1.xml
[[email protected] ~]$ vi $CONTEXT_FILE
查找APPLSYSPUB,将后面的密码PUB改为CLONE,保存退出。
应用层执行dbconfig
[[email protected] ~]$ cd $ADMIN_SCRIPTS_HOME
[[email protected] scripts]$ pwd
/u01/erpp1/inst/apps/erpp1_erpp1/admin/scripts
[[email protected] scripts]$ ls
adalnctl.sh adautocfg.sh adexecsql.pl adformsctl.sh adoacorectl.sh adopmnctl.sh adstpall.sh gsmstart.sh java.sh msc mwactlwrpr.sh
adapcctl.sh adcmctl.sh adforms-c4wsctl.sh adformsrvctl.sh adoafmctl.sh adpreclone.pl adstrtal.sh ieo jtffmctl.sh mwactl.sh
[[email protected] scripts]$ sh adautocfg.sh
重新加载环境变量
[[email protected] erpp1]# su - appl
[[email protected] ~]$ echo $GWYUID
APPLSYSPUB/CLONE
[[email protected] ~]$
停应用再启。
参考文档:419475.1 《Removing Credentials
from a Cloned EBS Production Database》
EBS克隆后彻底清除生产密码