FNDCPASS
FNDCPASS
TRICKS
In Oracle Application 11i and R12, we have an FND functionality for changing the passwords for either application user,
or product schema password or most important – the “APPS” password. The FND binary which will help us is doing these
This post explains the usage of FNDCPASS, best practices that needs to be followed while using FNDCPASS and some
Using FNDCPASS
-bash-2.05b$ FNDCPASS
mode is SYSTEM/USER/ORACLE
You can just type FNDCPASS and press enter, it will give you these details.
is for changing the password for apps and applsys. These are the database schema users (most important for application to
work). Password for both these users should be in synch. You can change the password of these users using this command.
Note that this is the only way to change the password for apps and applsys. Please do not try any other method for
changing apps and applsys password. Oracle recomends using FNDCPASS only to change apps and applsys password.
Also note that using this command will change the password for both apps and applsys.
is for changing password for any other product schema like MSC, GL etc.
If GL does not exists, step (2) below does not happen. Message for invalid oracle user is written in the log file.
is for changing the application level passwords like sysadmin etc used for logging into application.
(1) update VISION’s password in FND_USER table. The new password is re-encrypted with the current applsys
password.
If VISION does not exist, message for invalid application user is written in the log file.
When you run FNDCPASS command it will check the integrity of all schema password in the application. If any of the
password is corrupt then this will through and error and will not change the password.
The tables that it uses is FND_USER and FND_ORACLE_USERID. All the application passwords and schema passwords
are stored in these two tables. Of course DBA_USERS will have the schema users and password stored as well.
Before using FNDCPASS and changing the passwords from default to something else, always follow the following best
practices.
1) Always, Always, Always keep the back of tables FND_USER and FND_ORACLE_USERID. You can take back of
You must have backup of these tables before running FNDCPASS. In case if FNDCPASS fails then it might corrupt the
passwords of your application and worst can happen that the application wont come up. So always be cautions about this
command.
3) verify each argument you are providing to FNDCPASS. Like verify that apps and system passwords you are providing
is correct.
4) Never update apps, applsys or any schema password directly from database using the alter command. Always use
FNDCPASS. System password can be set directly using ALTER command in database.
Issue with APPLSYS and APPS password
Scenario 1:
As you know that apps and applsys password should be in synch and should be changed using FNDCPASS.
There can be situation where a novice user changes applsys password from the backend database. In that case when you
Cause: Application Object Library was unable access your ORACLE password.
You can even reproduce this issue (of course after taking the backup of FND_USER and FND_ORACLE_USERID table)
3. You will get an error “Cannot complete applications logon. You may have entered an invalid applications password, or
4. Then try FNDCPASS to fix password and you will get the error the APP-FND-01496 error.
If this situation happens then you cannot access the application. In fact the services even won't start.
Resolution to such problem is to rollback the 2 tables FND_USER and FND_ORACLE_USERID. Once you rollback the
tables, apps and applsys passwords will be in synch and password will be older one. You can then run FNDCPASS and
Some times when you run FNDCPASS, you get following error
Cause: Application Object Library was unable encrypt your ORACLE password.
The error comes because the table fnd_oracle_userid contain rows for schemas that does not exist. Those rows must be
Use the following query to get the details of the schema that doesn't not exists
The rows returned by this query can be deleted from FND_ORACLE_USERID table. This will resolve this issue.
Scenario 3:
There can be situation where users has update APPLSYS password using ALTER command in database directly and also
you dont have backup of those tables. Under such situation, it is very difficult to recover the application and make it
working. Still following methodology is proposed which might help you to restore the password back and make your
For this to work you should have some other application (may be debug or UAT) which is having the same passwords or
default passwords for schemas. If you have such application the following the below steps in the application which is
This method is for resetting apps and applsys passwords. Below are the SQL statements that will help you reset the APPS
and APPLSYS passwords to APPS, the APPLSYSPUB password to PUB, and the SYSADMIN password to SYSADMIN.
WARNING: This procedure will cause all user passwords to become invalid. ALL users passwords will need to be reset
Step 1)
Open a SQL*Plus as SYSTEM and reset the passwords for the APPS, APPLSYS, and the APPLSYSPUB Oracle user ID:
Step 2)
Backup the FND_ORACLE_USERID and FND_USER tables (even though these tables are right now corrupted, do take a
Step 3)
update FND_ORACLE_USERID
set ENCRYPTED_ORACLE_PASSWORD =
‘ZGA34EA20B5C4C9726CC95AA9D49EA4DBA8EDB705CB7673E645EED570D5447161491D78D444554655B874
86EF537ED9843C8′
commit;
This encrypted string we are updating is the default encrypted string for apps. So if your application is having apps
password the encrypted string will look like this. We are updating this encrypted string here directly.
select ENCRYPTED_ORACLE_PASSWORD
from FND_ORACLE_USERID
Step 4)
update FND_ORACLE_USERID
set ENCRYPTED_ORACLE_PASSWORD =
‘ZG31EC3DD2BD7FB8AD2628CE87DDDF148C1D2F248BE88BE987FDF82830228A88EF44BC78BC7A9FAD4B
FB8F09DAD49DF7280E’
commit;
The above encrypted string is the encrypted string for password pub. If your applsyspub password is pub then the
select ENCRYPTED_ORACLE_PASSWORD
from FND_ORACLE_USERID
Once these updates are done, try your luck by running FNDCPASS and it should work fine.