Solution Beacon Security Best Practice #11 - Regularly Change System Passwords
Regularly change the Applications default passwords in the Oracle database (APPS, GL, PO, etc.), at least quarterly. Also change the SYS and SYSTEM database passwords and the OS passwords for the oracle and applmgr accounts quarterly. The best practice is to give every account a unique password. In reality, however, most organizations don’t do that, and instead set multiple accounts to the same password value for ease of administration. While I don’t recommend that as a Security consultant, I do recognize that this ‘practice’ is used quite frequently. Here are some guidelines if you do:
- Set the SYS, SYSTEM passwords to different password values
- Set the oracle and applmgr OS accounts to different password values
- Set APPLSYS and APPS passwords to be different from the Application Module passwords like INV, AR, AP, etc.
The FNDCPASS program, described in MetaLink Note 159244.1, “How To Use FNDCPASS to Change The Oracle Users, APPS, APPLSYS and Application Module Passwords (INV, AR, AP, etc.) For Applications 11.5 in UNIX”, greatly simplifies the password change process. In earlier 11i versions you had to change these passwords one at a time (even with FNDCPASS), but Oracle has added new functionality to the utility with the “ALLORACLE mode” introduced in 11i.ATG_PF.H.RUP4. The ALLORACLE mode lets you change almost all Oracle schema passwords in a single run, using the syntax:
FNDCPASS apps/pass 0 Y system/pass ALLORACLE <new password>
There are a few caveats, of course:
1. You should run FNDCPASS from the database tier to avoid any possible problems with database encryption.
2. You should change the APPLSYS password first. It will automatically change the APPS password, as they have to be the same. The syntax to change the APPLSYS password is:
FNDCPASS apps/pass 0 Y system/pass SYSTEM APPLSYS <new password>
3. If you run FNDCPASS against the other Oracle accounts without first updating APPLSYS, the APPLSYS password will be “undecodable by the Applications”. In other words, you’ll break the ability to log in via the APPLSYS account. You might recover from such an error by importing the fnd_users table from an export, or recovering the database from a backup.
4. Schemas that are not changed by the ALLORACLE mode are APPLSYS, APPS, the external account and the public account. Although those passwords aren’t changed by the ALLORACLE command, that doesn’t mean that you shouldn’t change those passwords as well.
5. There are a number of files documented in MetaLink Note 159244.1 that need to have the APPS password manually updated after you’ve run FNDCPASS to change the APPS password.
Notes Regarding Oracle Database Password Values
Remember that the Applications passwords are set both within the E-Business Suite and the database itself. Database passwords have more constraints and restrictions than the Applications, so you have to be careful when changing these passwords that you select a password value that is a valid database password. Here are some notes to remember regarding database password values:
- If the database password is not enclosed in quotes in the ALTER USER command, then it can include any letter, any digit, or any of the three following special characters: "_", "#" or "$". Only a letter can be used in the first character, the other characters can be used after that.
- If the database password is enclosed in quotes in the ALTER USER command, then it can include any letter, any digit, or any special character, and the first character does not have to be a letter. This is a case of “just because you can, does not mean that you should”. I would exercise caution with special characters (especially when you put them in scripts), as some of them (e.g. $, <, >, single quote, etc.) will likely give you results you are not intending.
- It is also important to remember that Oracle passwords are not case sensitive (i.e. "a" is the same as "A"), so the effective alphabet is reduced by 26 characters. This is true even if the password is enclosed in quotes.
The SQL*Plus session below illustrates the three bullet points above:
SQL*Plus: Release 10.2.0.2.0 - Production on Tue Mar 13 19:04:00 2007
SQL>
SQL> ALTER USER rgiefer IDENTIFIED BY 1*^Df2!
*
ERROR at line 1:
ORA-00988: missing or invalid password(s)
SQL> ALTER USER rgiefer IDENTIFIED BY "1*^Df2!"
User altered.
$ sqlplus
Enter user-name: rgiefer
Enter password: 1*^dF2! <<< Notice the differing case sensitivity: ‘dF’ vs. ‘Df’
Connected
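The following script is an added example, not code from the original post or from Oracle: it checks candidate passwords against the unquoted ALTER USER rules and the case-insensitivity note above, and prints (dry run) the FNDCPASS calls for a rotation in the order the caveats require, APPLSYS first and ALLORACLE second. It assumes FNDCPASS is on the PATH and that CUR_APPS_PW and SYSTEM_PW hold the current apps and system passwords (placeholders are printed when they are unset).

```shell
#!/bin/sh
# Added example (not from the post or from Oracle). Assumptions: FNDCPASS is on
# PATH; CUR_APPS_PW / SYSTEM_PW hold the current apps and system passwords.

# Valid without quotes: a leading letter, then only letters, digits, '_', '#', '$'.
# Such values pass through shell scripts and SQL without surprises.
is_unquoted_safe_password() {
    case $1 in
        [A-Za-z]*) ;;
        *) return 1 ;;
    esac
    # Delete every permitted character; anything left over is not allowed.
    [ -z "$(printf '%s' "$1" | tr -d 'A-Za-z0-9_#$')" ]
}

# Oracle compares passwords case-insensitively on this release (see the note
# above), so two values differing only in case are effectively one password.
same_oracle_password() {
    a=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    b=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ "$a" = "$b" ]
}

# Print the FNDCPASS commands for one rotation (dry run; nothing is executed).
# $1 = new APPLSYS/APPS password, $2 = new password for the ALLORACLE schemas.
# Refuses invalid values and refuses to reuse the APPLSYS value for the others,
# per the guideline that APPLSYS/APPS differ from the module schema passwords.
fndcpass_change_sequence() {
    applsys_pw=$1; oracle_pw=$2
    is_unquoted_safe_password "$applsys_pw" || { echo "bad APPLSYS password" >&2; return 1; }
    is_unquoted_safe_password "$oracle_pw"  || { echo "bad ALLORACLE password" >&2; return 1; }
    if same_oracle_password "$applsys_pw" "$oracle_pw"; then
        echo "APPLSYS/APPS must differ from the module schema passwords" >&2; return 1
    fi
    # Step 1: APPLSYS first; FNDCPASS sets APPS to the same value.
    echo "FNDCPASS apps/${CUR_APPS_PW:-APPS_PW_PLACEHOLDER} 0 Y system/${SYSTEM_PW:-SYSTEM_PW_PLACEHOLDER} SYSTEM APPLSYS $applsys_pw"
    # Step 2: the remaining schemas, connecting with the APPS password set in step 1.
    # Passwords on a command line are visible to other users via ps; run this
    # from the database tier and clear shell history afterwards.
    echo "FNDCPASS apps/$applsys_pw 0 Y system/${SYSTEM_PW:-SYSTEM_PW_PLACEHOLDER} ALLORACLE $oracle_pw"
}

if [ "$#" -eq 2 ]; then
    fndcpass_change_sequence "$1" "$2"
fi
```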