How to change APPS password in 11.5.10.2 & R12

How to change APPS password in 11.5.10.2 & R12

Oracle Application 11i and R12, we have an FND functionality for changing the passwords for either application user, or product schema password or most important – the “APPS” password. The FND binary which will help us is doing these things is FNDCPASS.

This is present in $FND_TOP/bin directory.
This post explains the usage of FNDCPASS, best practices that needs to be followed while using FNDCPASS and some tricks when FNDCPASS screws up the instance )
Using FNDCPASS
Below is the usage for FNDCPASS
$ source environment for example $SOURCE APPSORA.env
$ FNDCPASS (FNDPASS Utility)Usage: FNDCPASS logon 0 Y system/password mode username new_passwordwhere logon is username/password[@connect]system/password is password of the system account of that databasemode is SYSTEM/USER/ORACLEusername is the username where you want to change its passwordnew_password is the new password in unencrypted formatexample FNDCPASS apps/apps 0 Y system/manager SYSTEM APPLSYS SHAHAB

FNDCPASS apps/apps 0 Y system/manager ORACLE GL SHAHAB12

FNDCPASS apps/apps 0 Y system/manager USER VISION SHAHAB1
You can just type FNDCPASS and press enter, it will give you these details.
The first usage
FNDCPASS apps/apps 0 Y system/manager SYSTEM APPLSYS SHAHAB is for changing the password for apps and applsys. These are the database schema users (most important for application to work). Password for both these users should be in synch. You can change the password of these users using this command. Note that this is the only way to change the password for apps and applsys. Please do not try any other method for changing apps and applsys password. Oracle recomends using FNDCPASS only to change apps and applsys password. Also note that using this command will change the password for both apps and applsys.
Following activities will take place
(1) applsys validation. (make sure APPLSYS name is correct)

(2) re-encrypt all password in FND_USER

(3) re-encrypt all password in FND_ORACLE_USERID

(4) update applsys’s password in FND_ORACLE_USERID table.

(5) Update apps password in FND_ORACLE_USERID table.
Also changes are made in DBA_USERS table.
The second usage
FNDCPASS apps/apps 0 Y system/manager ORACLE GL SHAHAB12 is for changing password for any other product schema like MSC, GL etc.Following activities will take place
(1) update GL’s password in FND_ORACLE_USERID table. The new password is re-encrypted with the current applsys password.
If GL does not exists, step

(2) below does not happen. Message for invalid oracle user is written in the log file.
(3) alter user to change GL’s password.
The Third usage
FNDCPASS apps/apps 0 Y system/manager USER VISION SHAHAB1is for changing the application level passwords like sysadmin etc used for logging into application.
Following activities will take place
(1) update VISION’s password in FND_USER table. The new password is re-encrypted with the current applsys password.
If VISION does not exist, message for invalid application user is written in the log file.No products affected by the patch
When you run FNDCPASS command it will check the integrity of all schema password in the application. If any of the password is corrupt then this will through and error and will not change the password.
The tables that it uses is FND_USER and FND_ORACLE_USERID. All the application passwords and schema passwords are stored in these two tables. Ofcourse DBA_USERS will have the schema users and password stored as well.
When we run FNDCPASS it will update all the above 3 tables.
Best practices for using FNDCPASS
Before using FNDCPASS and changing the passwords from default to some thing else, always follow the following best practices.
1) Always, Always, Always keep the back of tables FND_USER and FND_ORACLE_USERID. You can take back of these tables using CREATE TABLE — AS SELECT * FROM —.You must have backup of these tables before running FNDCPASS. In case if FNDCPASS fails then it might corrupt the passwords of your application and worst can happen that the application wont come up. So always be cautions about this command.
2) If possible also keep an export dump of these two tables.
3) verify each arguement you are providing to FNDCPASS. Like verify that apps and system passwords you are providing is correct.
4) Never update apps, applsys or any schema password directly from database using the alter command. Always use FNDCPASS. System password can be set directly using ALTER command in database.

NOTE 4: VERY IMPORTANT:-
When changing the password for APPS it is important to manually change the APPS
password in the following files as well as necessary:

1. $ORACLE_HOME/listener/cfg/wdbsvr.app file as well. Otherwise users will not be able to login to the Personal Home Page or Self-service web apps.

2.This may also be necessary in the $IAS_ORACLE_HOME\Apache\modplsql\cfg\wdbsvr.app file

3. Workflow Notification Mailer - $FND_TOP/resource/wfmail.cfg

4. The concurrrent manager start script.4. $OA_HTML/bin/appsweb.cfg

5. $AD_TOP/admin/template/CGIcmd.dat may contain the password if it is being used.Please refer to note:159033.1 How to Setup Oracle Reports in Portal to Use CGICMD.DAT File

6. If you instance is Multi-node and Autoconfig enabled, it may be necessary to invoke Autoconfig to implement the above changes.

Once these updates are done, try your luck by running FNDCPASS and it should work fine.
Hope this help !!!
References
Metalink note ID 159244.1
Metalink note ID 445153.1
Metalink note ID 429244.1

Syed Shabuddin

Oracle Apps-DBA