Tuesday, June 19, 2012

Starting with Fusion Applications

Developer > DBA > Apps 11i DBA > R12 DBA and now you want to become Fusion Apps DBA, then you are on correct page.

Here I shall try to provide some info you should be knowing before you start hands on.

OTN has all the Fusion Apps doc's . Latest version as of today (while writing this blog) is11g  Release 1, Update 3 (11.1.4) 

It involves lot of Oracle technology such as Database , Identity Management , WebLogic , SOA Suite , Oracle Data Integrator , ApplCore (ATG) , WebCenter , Secure Enterprise Search , Enterprise Content Management , Oracle Forms Recognition & Business Intelligence 

Currently supported platforms are Linux x86-64 (64 bit), Oracle Solaris SPARC (64 bit), Oracle Solaris x86-64 (64 bit), IBM AIX on POWER Systems (64 bit), Microsoft Windows x64 (64 bit)\

2 types of Installation types, one bare metal install, other is OVM templates

I think cloning and platform migration is currently not available

So lets start with Fusion Apps

Wednesday, June 13, 2012

Apps Security


Purpose:The purpose of this blog article is to cover security aspects of Oracle Apps and how to handle this. We need to look at all the layers, from the top to bottom, like Applications, DB, OS etc.

Changing database password (like APPS, SYSTEM, SYS etc)
Important Note: Please do not use special characters like @ / # / $ / % etc in any database passwords.

Changing password of SYS, SYSTEM, DBSNMP


Login to database server and issue following commands

Sqlplus “/as sysdba”
Alter user system identified by <new_password>;
Alter user sys identified by <new_password>;
Alter user dbsnmp identified by <new_password>;

Once the passwords are changed, these needs to be changed in EM (if its installed and used). For this, login to EM using sysman account. Then navigate to Preferences > Proffered Credentials > Database Instances > click on set credentials, then against appropriate Database change the passwords. Also change password of dbsnmp user in DB config form.


Document all the steps to perform the password change of DB users
General Guide lines regarding the Schema password.
1)    APPS password should be different than other Applications base schemas like AP, GL, AR etc.
2)    User called ROAPPS (Read Only APPS) should be created who need read access to APPS schema.
3)    Regarding base schemas (like AP, AR, GL) they can have same pattern like AP/AP2008, GL/GL2008 or they can have different passwords. This depends on, if some schema passwords are shared to others.
4)    Password change procedure should be tested in TEST instance first, documented and then only should be executed on PROD.
5)    Please don’t keep same password in TEST and PROD.
6)    Use relevant tools to change password, like FNDCPASS for APPS, GL etc.

Important: Also its is recommended to implement Oracle Applications Auditing feature, to track the changes in important tables.



Changing OS (Operating system passwords)

Document all the steps to be followed for changing OS Passwords
For those who need access to check log fines and stuff like that user called “viewer” in-group “viewer” and password as “viewer” should be created and given to the required user. Also we need to change the vncserver password if it’s started from root or normal unix user. And lastly, its recommended to have a separate username for each DBA, so that first he has to login to server using his own username and then su - <application / database owner user>. In this case the direct access to root, application / database user should be restricted.

Procedure to change Applications User Passwords (Like SYSADMIN)

Document the steps to change Applications passwords of SYSADMIN user.
SYSADMIN password should not be shared with any other user. This password should be with only DBA’s.

There are quite a few profile options available in Applications, which can be used to tighten the front-end security, such as,
a.    Signon Password Hard to Guess => Yes
The password contains at least one letter and at least one number.
The password does not contain the username.
The password does not contain repeating characters.

b.    Signon Password Length => 8 to 10
Signon Password Length sets the minimum length of an Applications signon password. If no value is entered the minimum length defaults to 5.

c.    Signon Password No Reuse  => 10000
This profile option specifies the number of days that a user must wait before being allowed to reuse a password.

d.    Signon Password Failure Limit =>3
The maximum number of login attempts before the user's account is disabled.

e.    ICX:Session Timeout => 20 Min / 60 min
Will prevent the misuse of unlocked desktop.
This profile option determines the length of time (in minutes) of inactivity in a user's session before the session is disabled. If the user does not perform any operation in Oracle Applications for longer than this value, the session is disabled. The user is provided the opportunity to re-authenticate and re-enable a timed-out session. If re-authentication is successful, the session is re-enabled and no work is lost. Otherwise, Oracle Applications exit without saving pendingwork.

f.     Sign-On:Notification => Yes
Displays a message at login that indicates:
If any concurrent requests failed since your last session,
How many times someone tried to log on to Oracle Applications with your username but an incorrect password, and
When the default printer identified in your user profile is unregistered or not specified.

Apart from this, Customer should monitor the list of users who has powerful responsibilities like GL super user, System Administrator etc and reduce such users as far as possible.
Lastly the inactive users should be locked from in the system if they don’t login in last 3-6 months.


Other guidelines for DBA’s:

  • Do Not Allow Shared Accounts
  • Do Not Use Generic Passwords
  • Treat All Non-Production Instances With The Security As Production
  • Restrict Network Access - Set Password on Database Listener
  • Minimize Passwords Contained In OS Files
  • Secure Default Database Accounts
  • Be Proactive!
  • Apply all prior, and plan in advance to apply any new Oracle Security Patches
  • Limit Access To Forms Allowing SQL Entry
  • Stop isqlplus process on server side (if started)
  • Restrict Network Access - Limit Direct Access To The Database
  • Change the passwords at least once in 3 months

Oracle Apps SYSADMIN Concurrent Requests


Purpose: Purpose of this blog entry is to list SYSADMIN Related concurrent requests. In this document, generic instructions and parameters are provided, which needs to be reviewed and decided based on particular customer needs.

Oracle SYSADMIN related Concurrent Requests:

1) Gather Schema Statistics
 Schedule: Every Weekend (Preferably on every Sat 6:00 pm server time). If this is not sufficient (if performance is not good), it can be done 2/3 times a week.
OR, Weekend for ALL schemas and 2/3 times during the week for only few important schemas where in there is heavy insert / update / delete happening.

Parameters:
Schema name: ALL
Parallel Worker: Number of CPUs + 2
Estimate Percent: 30
Other parameters: Default

How to submit: Login to Applications using SYSADMIN account, navigate to System Administrator responsibility, then navigate to Requests > Run


2) Purge Concurrent Request and/or Manager Data
Schedule: Every day, nighttime, say 11:00 PM Server time

Parameters:
Age=30 (Purge concurrent request data older than 30 days)
Other parameters: Default

Note: Age parameter needs to be agreed with Business / Customer.

How to submit: Login to Applications using SYSADMIN account, navigate to System Administrator responsibility, then navigate to Requests > Run

3) Purge Concurrent Request and/or Manager Data
 Schedule: Every day night time, say 11:30 Server time

Parameters:
Count: 5
Program Application: Application Object Library
Program: Workflow Background Process
Other parameters: Default

Note: Count Parameter needs to be agreed with Business / Customer.

How to submit: Login to Applications using SYSADMIN account, navigate to System Administrator responsibility, then navigate to Requests > Run

4) Workflow Background Process
 Schedule: Every 10 min

Parameters:
Process Deferred: Yes
Process Timeout: No

How to submit: Login to Applications using SYSADMIN account, then navigate to Oracle Applications Manager responsibility, then navigate to Workflow Manager, then use “Submit Request for “ facility (top – right hand side) (Select “Background Engines” from drop down)

5) Workflow Background Process
 Schedule: Every 60 min

Parameters:
Process Deferred Yes
Process Timeout: Yes

How to submit: Login to Applications using SYSADMIN account, then navigate to Oracle Applications Manager responsibility, then navigate to Workflow Manager, then use “Submit Request for “ facility (top – right hand side) (Select “Background Engines” from drop down)

6) Workflow Control Queue Cleanup
 Schedule: Every day, night time / early morning hours

Parameters: Default

How to submit: Login to Applications using SYSADMIN account, then navigate to Oracle Applications Manager responsibility, then navigate to Workflow Manager, then use “Submit Request for “ facility (top – right hand side) (Select “Control Queue Cleanup” from drop down)

7) Purge Obsolete Workflow Runtime Data
 Schedule: Every weekend

Parameters:
Age: 30
Other parameters: Default

Note: Age parameter needs to be agreed with Business / Customer.

How to submit: Login to Applications using SYSADMIN account, then navigate to Oracle Applications Manager responsibility, then navigate to Workflow Manager, then use “Submit Request for “ facility (top – right hand side) (Select “Purge” from drop down)

8) Synchronize WF LOCAL tables
 Schedule: Every day, night time / early morning hours

Parameters: Default

How to submit: Login to Applications using SYSADMIN account, navigate to System Administrator responsibility, then navigate to Requests > Run


Note: As per metalink id 1158212.1, after E-business version 11.5.10 this request generally does not need to be run.

9) OAM Applications Dashboard Collection
 Schedule: Every 30 min

Parameters: Default

How to submit: Login to Applications using SYSADMIN account, navigate to System Administrator responsibility, then navigate to Requests > Run

10) Purge Signon Audit data
 Schedule: Can no schedule needs to be run manually, say every week Monday / Friday morning.

Parameters: Date (By default system date)

Note: Most of customer wants this date to be, 2 to 3 months old

How to submit: Login to Applications using SYSADMIN account, navigate to System Administrator responsibility, then navigate to Requests > Run

Note for DBA’s: There will be check box “Increment data parameter for each run” which must be checked.


11) Purge Debug Log
 Schedule: Every day / weekend.

Parameters: Date (By default system date)

Note: Most of customer wants this date to be, 2 weeks to 3 month old

How to submit: Login to Applications using SYSADMIN account, navigate to System Administrator responsibility, then navigate to Requests > Run

Note for DBA’s: There will be check box “Increment data parameter for each run” which must be checked.

12) Resend Failed/Error Workflow Notifications
 Schedule: Run every 6 hours.

Parameters: ERROR / FAILED (One request for each parameter)

How to submit: Login to Applications using SYSADMIN account, navigate to System Administrator responsibility, then navigate to Requests > Run

Note for DBA’s: As this request takes date as parameter, it cannot be scheduled easily. You may have to run this physically on one particular day of week, say Monday morning.

DB Jobs

Purge old snapshots from PREFSTAT schema


Other relevant document’s.

732713.1 Purging Strategy for eBusiness Suite 11i
298550.1 Troubleshooting Workflow Data Growth Issues

Monday, June 11, 2012

Apps and Database review areas / points

Oracle Database Server Review Points / Areas

Initialization & listener parameter
AWR, Alert.log, listener log, OS watcher, RDA
Invalid Objects, Indexes and fragmentation
Tablespaces, Data files, log files and control files
Custom objects in SYSTEM tablespace & SYSTEM tablespace as default tablespace
Stats job schedule
Chained rows
Workload balancing/distribution in clustered environments
Database Patch level, de-support, and patching strategy (CPU, one off)
Server disk space for DB growth, Archive log, backup destination
Server level pre-req’s, errors, warnings & background jobs
Database Backup and Recovery
Database Monitoring and alerting system
Database Disaster Recovery solution
Debugging latch contention, hangs, crashes & locking issues

Oracle Applications Infrastructure Review (eBS) Points / Areas

Database review as per earlier slide
Application Technical Architecture
Application Backup and Recovery
Application Security, Audit, and security profile options
Standard Manager programs and it’s parameters
Application Monitoring and alerting system
Application Disaster Recovery solution
Application Patch level, de-support, and patching strategy
Network (Latency and Bandwidth)
JVM’s
JDBC connection parameters
Forms & Reports server
Standard Concurrent Manager
Recommendation on best practices for routine administrative tasks etc.

Sunday, April 15, 2012

Quick DBA update on Oralce Applications R12 install, upgrade and admin scripts..

Hi to all,
In this blog I will discuss some of the main points which an Apps dba should know about Install, Upgrade and admin scripts. So lets begin with Installer

Main points about Installer:
1) config.txt is now configSID.txt , for adding node, you can use configSID.txt or get details from database directly using host.domain:port:sid format
2) Install types: Standard and Express
3) Shared APPL_TOP, COMN_TOP and tech stack as well, but not for Windows
4) Easy load balancing of CP and Web communications
5) Technology Stack Components : Oracle 10g R2 Database home, Oracle Developer 10i (forms, reports) and Oracle 10g Application Server 10.1.2 (http server)
6) Java Development Kit (JDK) 5.0 is automatically installed by Rapid Install
7) Disk Space : Applications node 28 GB , Fresh DB 45 GB, Vision DB 133 GB, Stage for fresh install 33 GB, TEMP 500 Mb
8) Create Stage : CD's are in DVD Format, and run adautostg.pl to create dir structure, which requires perl 5.0053 in PATH, and creates subdirectories startCD, oraApps, oraDB, oraAS, and oraAppDB under stage12
9) Want to install on virtual hostname, use -servername as command line parameter with rapidwiz. There are 2 more command line parameters, -restart to restart any failed install, and -techstack to install only technology stack.
10) Incase of multiuser installation, start installer using root account
11) For additional language, you must use OAM (oracle applications manager)
12) There is new concept of INST_TOP which mainly stores instance specific files including runtime files, log files and configuration files
13) In R12 there are Services concept instead of nodes (forms/web/concurrent). Following is the list of services in R12 :
* Root Service Group which supports • Oracle Process Manager (OPMN)
* Web Entry Point Services which supports • HTTP Server
* Web Application Services which supports • OACORE OC4J • Forms OC4J • OAFM OC4J
Batch Processing Services which supports • Applications TNS Listener • Concurrent Managers • Fulfillment Server
Other Service Group which supports • Oracle Forms Services • Oracle MWA Service
* : Thses services must be installed on same / one machine (which is nothing but Web node, according to 11i )
14) Regardless of type of services confugured on perticular server, all files (forms, reports, jsp) are stored in APPL_TOP (Unified), basically to have pure 3 tier arch
15) Installer gives option to configure OCM (Oracle configuration manager) where in OCM keeps track of key Oracle and OS stats. This collected data is sent to oracle support via https for better understanding of issues and quick resulations to any issues reported

Main points about Upgrade:
1) You can only upgrade to R12 from 11i, if you are at older version (like 10.7 or 11.0.3 etc), you must upgrade first to 11i, and then upgrade to R12
2) High level R12 Upgrade process :
• Run rapid installer first time to layout new file structure and tech stack
• Migrate or Upgrade database to 10g R2
• Run Autopatch to run database driver to bring DB to R12 level
• Run rapid installer second time to configure and start services

Admin Scripts:

adautocfg.sh - run autoconfig
adstpall.sh - stop all services
adstrtal.sh - start all services
adapcctl.sh - start/stop/status Apache only
adformsctl.sh - start/stop/status OC4J Forms
adformsrvctl.sh - start/stop/status Forms server in socket mode
adoacorectl.sh - start/stop/status OC4J oacore
adoafmctl.sh - start/stpp/status OC4J oafm
adopmnctl.sh - start/stop/status opmn
adalnctl.sh - start/stop RPC listeners (FNDFS/FNDSM)
adcmctl.sh - start/stop Concurrent Manager
gsmstart.sh - start/stop FNDSM
jtffmctl.sh - start/stop Fulfillment Server
adpreclone.pl - Cloning preparation script
adexecsql.pl - Execute sql scripts that update the profiles in an AutoConfig run
java.sh - Call java executable with additional args, (used by opmn, Conc. Mgr)

Note: To understand this page, you should have prior knowledge or background of APPS 11i

Oracle APPS R12 File system structure

In this blog I will show you the new R-12 file system tree structure.

As you can see in above tree structure, we have db, apps and inst as top level dir's

Under DB we have tech_st which is DB home and apps_st which holds DB datafiles.

Under apps, again we have tech_st which holds 1012 and 1013 homes, and apps_st holds APPL_TOP and OAD_TOP.

And finally inst which mainly stores instance specific files including runtime files, log files and configuration files

Note: If image is not been displayed fully, you can save the image to your desktop and open locally to see the full size image.


Using OEM, want to know database growth pattern of last one month/year ?

Here are the steps to know Database growth pattern for last one month/year using OEM

1) Login to OEM and Click on the Reports Tab
2) Navigate to Reports-->Storage-->Oracle Database Space Usage path and Click on Oracle Database Space Usage link.
3) Select the Target database and here we are getting Oracle Database space usage for last one Month.
4) Also we can get one year Database growth by setting Set Time Period Button.
5) Also we can find Oracle Database Tablespace Monthly Space Usage by Navigating Reports-->Storage-->Oracle Database Space Usage path and click on Oracle Database Tablespace Monthly Space Usage link.

I hope this helps DBA's to plan for future disk space requirements.