Scribd
Upload
257 views4 pages

FNDCPASS Utility New Feature Non-Reversible Hash Password

This document explains how to use the FNDCPASS utility to migrate Oracle Applications user passwords to a non-reversible hash scheme for enhanced security. Running the FNDCPASS USERMIGRATE command migrates all local user passwords to this new scheme. Several client and desktop applications require updates to work with the new password scheme.

Uploaded by

praphul
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
257 views4 pages

FNDCPASS Utility New Feature Non-Reversible Hash Password

This document explains how to use the FNDCPASS utility to migrate Oracle Applications user passwords to a non-reversible hash scheme for enhanced security. Running the FNDCPASS USERMIGRATE command migrates all local user passwords to this new scheme. Several client and desktop applications require updates to work with the new password scheme.

Uploaded by

praphul
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 4

11/27/2014

Document457166.1

R12:FNDCPASSUtilityNewFeature:EnhanceSecurityWithNonReversibleHashPassword
(DocID457166.1)
Modified: 22May2014

Type: HOWTO

InthisDocument
Goal
Solution

ClientPrerequisites:

KnownIssues

References

APPLIESTO:
OracleApplicationObjectLibraryVersion12.0.4to12.2[Release12to12.2]
Informationinthisdocumentappliestoanyplatform.
PATCHSET:11I.ATG_PF.H.DELTA.6
OracleApplicationsRelease:12.0.4
***Checkedforrelevanceon25NOV2012***

GOAL
ThisnoteexplainstheusageofanewFNDCPASSUtilityintroducedin11.5.10RUP6and12.0.4tomigrateOracle
ApplicationsUserpasswordstoanonreversiblehashpasswordschemewithasinglecommandlineinvocation.
StartingwithReleases11.5.10RUP6and12.0.4,asinglecommandlineinvocationofFNDCPASSUSERMIGRATEutility
migratestheencryptedpasswordsforalllocalOracleApplicationUsers(i.e.passwordsforallusersstoredin
FND_USER)toanonreversiblehashpasswordscheme.Thisutilitydoesnotaffectexistingpasswordschemesfor:
UserswhosepasswordsaremanagedexternallyinOracleInternetDirectory
UserswhosepasswordsaremanagedexternallyinathirdpartyLDAPdirectory(e.g.MicrosoftActiveDirectory)
OracleApplicationsDatabaseusers
ThisfeaturewasprovidedaspartofaninitiativetoenhancethesecurityofOracleApplicationsUserPasswords.This
SystemAdministrativeutilitymigrateslocalOracleApplicationsUserPasswordsfromtheircurrentencryptionscheme
toanonreversiblehashthusmakingOracleApplicationUserPasswordsnonrecoverable.Thisisanoptional,
manuallyexecutedutilityprovidedforSystemAdministratorswhowishtoconverttheApplicationsUserstoamore
secureencryptedpasswordscheme.
Note:Migrationtohashpasswordsisonetime,onewayoperationthatcannotbeundonewithoutasystem
restorefrombackup.PleasemakesureyouhaveabackupofyoursystempriortorunningFNDCPASS
USERMIGRATE.

Systemswhichremainwiththeexistingpasswordencryptionschemewillexperiencenoimpactfromthecode
supportingthenonreversiblehashpasswordscheme.Formigratedsystems,theeffectsofthemigrationshouldbe
transparent.

Note:Thecodesupportingthenonreversiblehashpasswordschemeisdeliveredincompatibilitymode,i.e.hash
https://support.oracle.com/epmos/faces/DocContentDisplay?_adf.ctrlstate=aruznbwad_4&id=457166.1

1/4

11/27/2014

Document457166.1

modeis"turnedoff"bydefaultuntilexplicitlyactivated.

OraclerecommendsyouimplementthenonreversiblehashpasswordschemetoenhanceFND_USERpassword
security.However,ifyourinstallationusesDesktopClientslistedbelowandnoupdatepathismentioned,pleaseloga
ServiceRequestviaMetalinkagainsttheaffectedproductstoverifythattheyhavebeentestedwiththenewFNDPUB,
andtoverifythatyouhaveanyrequiredinteroperabilityfixesandclientupdatespriortomigratingtothepassword
hashscheme.

Note:Ifyourinstallationisona11.5.10CU2upgradedto11i.ATG_PF.HRUP6(#5903765)withScheduler(CSR)
implementedandSSOorHashPasswordisconfigured,whenavailable,downloadandapplyPatch5997218(CSR).
Also,RUP6alonedoesNOTcausethisissueforCSR,butaftermigrationtohashedpasswordsorifintegratedwith
SSO.

Note:Ifyourinstallationisona11.5.10CU2upgradedto11i.ATG_PF.HRUP6(#5903765)withCADView3D
implementedandHashPasswordisconfigured,whenavailable,downloadandapplyPatch6378800(Oracle
CADView3D)asapostHashmigrationstep.

Note:WhenupgradingtoOracleEBusinessSuiteRelease12.1.1,ifyouhavealreadyruntheFNDCPASSUtilityto
useEnhancedSecurityWithNonReversibleHashPasswordsyoumustmergeorpreinstallPatch
8764069:R12.FND.Bbeforeyouupgrade.PleasefollowtheinstructionsintheREADMEofthatpatch.

Note:Oncemigratedtohashedpasswords,youmayencounterBug7034106ifyouusethe10GExportutility,
expdp.ThecauseofthisissueisthattheFND_USER_PREFERENCEStabledoesnotgetexportedproperlyduetoa
newfeaturethatisnotcoveredoraccountedforinNote362205.1.Theworkaroundistoimmediatelygobackand
reexport/reimporttheFND_USER_PREFERENCEStableseparatelyaftertheinitialexpdpandimpdparerun.Using
theold(9.2)exputility,exporttheFND_USER_PREFERENCEStablefromthesourcedb.
expsystem/<systempwd>TABLES=(<APPLSYSSCHEMANAME>.FND_USER_PREFERENCES)COMPRESS=Y
DIRECT=Y

Forexample,
expsystem/managerTABLES=(APPLSYS.FND_USER_PREFERENCES)COMPRESS=YDIRECT=Y
Then,importthisdataintothetargetdbusingthiscommand:
impsystem/<systempwd>FILE=expdat.dmpLOG=imptab.logTABLES=FND_USER_PREFERENCES
FROMUSER=<APPLSYSSCHEMANAME>IGNORE=Y

Forexample,
impsystem/managerFILE=expdat.dmpLOG=imptab.logTABLES=FND_USER_PREFERENCES
FROMUSER=APPLSYSIGNORE=Y

https://support.oracle.com/epmos/faces/DocContentDisplay?_adf.ctrlstate=aruznbwad_4&id=457166.1

2/4

11/27/2014

Document457166.1

ALERT:OracleFinancialAnalyzerVersion:6.4orOracleSalesAnalyzerVersion:6.4usingtheSingleSignOn
(SSO)mechanism,pleaseseeNote735814.1.

SOLUTION

ClientPrerequisites:
BeforemigratingyoumustupgradeALLDesktopclientstothelatestversionoftheFNDPUBDLL/Librariesorthey
willnolongerbeabletoconnectuntilupdated.PleasecontactrespectiveClientteamforthelatestDLL/Libandany
requiredclientupdates.
IfyourclientswillalsobeconnectingtopreATG.11i.RUP5systems,forthenewclientDLL/Libtoconnectthose
systemsyouwillneedtoapplyPatch6430269(ClientInteroperabilityPatchforFNDPUBDLLdatabase
compatibility).FormoreinformationpleaseseetheincludedDocumentreferences.
OracleDiscoverer
NOTE:313418.1UsingDiscoverer10.1.2withOracleEBusinessSuite11i
OracleConfigurator
11i10ConfiguratorCustomersusingLimitedEditionVBdeveloper,upgradetoConfiguratorbuild
11.5.10.25.43A(Patch7505626)orlateranduptakeLtdEditionVBdeveloperbuild2540A(Patch7189809)
R12ConfiguratorCustomersusingLimitedEditionVBdeveloper,upgradetoRelease12RUP4orlaterand
uptakeLtdEditionVBdeveloperbuild276(Patch6683830)
OracleApplicationsDesktopIntegrator(NOTWebADI)
CustomersusingADIwillneedtoupgradetoADI7.2RollupPatch10(Patch6455020)orlaterafter
upgradingto11i.ATG.RUP6.
OracleBalancedScorecard
OracleFilesOnline
Express
OracleDemandPlanning
OptimalFlexibleArchitecture
OracleSalesAnalyzer
UsethiscommandtoconvertalllocalOracleApplicationUserencryptedpasswordstoanonreversible,non
recoverablehashscheme
BourneshellorKornshell:
FNDCPASS<logon>0Y<system/password><mode><algorithm>

Usetheabovecommandwiththefollowingarguments.
logon:TheOracleFNDschemausername/password.
system/password:TheusernameandpasswordfortheSYSTEMDBAaccount.
https://support.oracle.com/epmos/faces/DocContentDisplay?_adf.ctrlstate=aruznbwad_4&id=457166.1

3/4

11/27/2014

Document457166.1

mode:USERMIGRATE
algorithm:SHA
Note:CurrentlyonlytheSHAhashalgorithmissupported.Otherhashalgorithmsmaybesupportedinthefuture.
Forexample,thefollowingcommandmigratesthepasswordsofallusersinFND_USER(exceptSSOusers,invalid
usersandcorruptusers)tononreversible,nonrecoverablehashpasswords.
FNDCPASSapps/apps0Ysystem/managerUSERMIGRATESHA

TheFNDCPASSlogfileiswrittentothedirectorywhereFNDCPASSwasexecuted.Pleasecheckthislogfileforthe
statusofthemigration.ThislogfilecontainsinformationregardingtheresultsofUSERMIGRATE.Thisincludesany
problemsencounteredandcontainsinformationaboutthenumberofusersmigratedsuccessfullyandindicateswhy
otheruserswerenotmigratedsuccessfully.
Forexample,hereisanexcerptfromasamplelogfile:
Usersmigratedsuccessfully:1847
UserswithExternalpasswords:0
UserswithInvalidpasswords:4
Usersnotmigrated:1of1852
Systemwassuccessfullyconvertedtohashmode.

KnownIssues
1.OracleFinancialAnalyserandOracleSalesAnalyzerdonotwork
ThisisdescribedinNote735814.1NewApplicationsFNDCPASSUtilityFeatureBreaksOFAandOSASingleSignOn
2.JDevelopergiveserror"oracle.apps.fnd.framework.OAException:Application:FND,MessageName:
FNDSECURITY_APPL_USER_NOTAUTH"
ThisisresolvedinPatch67392359IJDeveloperWithOAExtensionARUFOR11i10RUP6
3.OAMPatchWizard"RecomendedPatches"fails
ThisisresolvedwithPatch6898133PatchWizard:SupportHashPassword

REFERENCES
NOTE:313418.1UsingDiscoverer10.1.2withOracleEBusinessSuite11i
NOTE:735814.1NewApplicationsFNDCPASSUtilityFeatureBreaksOFAandOSASingleSignOn
PATCH:5997218
PATCH:6378800
PATCH:6430269

https://support.oracle.com/epmos/faces/DocContentDisplay?_adf.ctrlstate=aruznbwad_4&id=457166.1

4/4

You might also like