Before jumping into
the flow, lets brush up the role of APPLSYSPUB, GUEST, APPLSYS and APPS user.
When we login to applications,initially oracle applications connect to public schema, APPLSYSPUB. This schema has sufficient privileges to perform the authentication of an Applications User (FND user), which includes running PL/SQL packages to verify the username/password combination and the privilege to record the success or failure of a login attempt.
The public ORACLE username and password that grants access to the Oracle E-Business Suite initial sign-on form. The default is APPLSYSPUB/PUB.
Once we change the APPLSYSPUB password must propagate the change to application tier configuration files. If the instance is Autoconfig enabled, must edit the CONTEXT file on each tier prior to running Autoconfig.
When we login to applications,initially oracle applications connect to public schema, APPLSYSPUB. This schema has sufficient privileges to perform the authentication of an Applications User (FND user), which includes running PL/SQL packages to verify the username/password combination and the privilege to record the success or failure of a login attempt.
The public ORACLE username and password that grants access to the Oracle E-Business Suite initial sign-on form. The default is APPLSYSPUB/PUB.
Once we change the APPLSYSPUB password must propagate the change to application tier configuration files. If the instance is Autoconfig enabled, must edit the CONTEXT file on each tier prior to running Autoconfig.
In the CONTEXT file, locate the
autoconfig variable “s_gwyuid_pass” and set it to the new password, then run
AutoConfig in each applications nodes.
When Autoconfig is not being used:
If you are not using Autoconfig you must manually edit the following configuration files :
1) FND_TOP/resource/appsweb.cfg
2) OA_HTML/bin/appsweb.cfg
3) FND_TOP/secure/HOSTNAME_DBNAME.dbc
To change password of APPLSYSPUB with FNDCPASS:
$FNDCPASS APPS/[apps_pass] 0 Y SYSTEM/[system_pass] ORACLE APPLSYSPUB [new_passs].
0 & Y are flags for FNDCPASS
0 is request id (request ID 0 is assigned to request ID's which are not submitted via Submit Concurrent Request Form)
'Y' indicates that this method is directly invoked from the command-line and not from the Submit Request Form.
When Autoconfig is not being used:
If you are not using Autoconfig you must manually edit the following configuration files :
1) FND_TOP/resource/appsweb.cfg
2) OA_HTML/bin/appsweb.cfg
3) FND_TOP/secure/HOSTNAME_DBNAME.dbc
To change password of APPLSYSPUB with FNDCPASS:
$FNDCPASS APPS/[apps_pass] 0 Y SYSTEM/[system_pass] ORACLE APPLSYSPUB [new_passs].
0 & Y are flags for FNDCPASS
0 is request id (request ID 0 is assigned to request ID's which are not submitted via Submit Concurrent Request Form)
'Y' indicates that this method is directly invoked from the command-line and not from the Submit Request Form.
All application tier processes (Apaches)
must be restarted following the password change.
Role of GUEST user/schema in Oracle Applications:
GUEST is a dummy schema.
By default it has ORACLE as password.
GUEST/ORACLE password is present in DBC file at $FND_TOP/secure directory as well as at $FND_TOP/secure/SID_hostname directory.
If a user logs in without any role mappings, the user will get the Guest role, which has a default permission of "R".
GUEST user is used by JDBC Drivers and Oracle Self Service Web Applications like istore, irecruitment, iprocurement, ipayables, ireceivables etc to make initial Connection.
Role of APPLSYS & apps user/schema in Oracle Applications:
APPLSYS user is same as other oracle users like AP, AR, GL etc which hold their set of tables, views etc. In the same manner APPLSYS Account holds its set of tables like FND_USER and FND_APPLICATION, AD_APPLIED_PATCHES etc.
Applsys schema has applications technology layer products like FND and AD etc.
Apps is a universal schema, it has synonyms to all base product tables and sequences. This also has code objects for all products (triggers, views, packages, synonyms etc).
APPS is central Schema which holds synonyms for all other Users Database Objects.
Note: APPLSYS and APPS should have same password.
Reason why these contains same password.
Both apps & applsys need to have same password because when you sign on to apps, initially it connects to a public schema called APPLSYSPUB. This validates AOL name and password that we enter (operations/welcome). Once this is verified we select responsibility, this is validated by APPLSYS schema and then it connects to apps schema.
During signon process it uses both applsys and apps, hence this expects both the password to be identical. If the password for applsys & apps are not identical (Different) Try changing apps password to something else and try to login, the validation at the last stage would fail. This would result in failure of application login.
Difference B/W APPLSYSPUB & GUEST:
APPLSYSPUB/PUB - is DB user which is used by any utility to retrieve APPS schema password for further logins.
GUEST/ORACLE - is EBS user with no or max limited privileges to execute authorization function.
Role of GUEST user/schema in Oracle Applications:
GUEST is a dummy schema.
By default it has ORACLE as password.
GUEST/ORACLE password is present in DBC file at $FND_TOP/secure directory as well as at $FND_TOP/secure/SID_hostname directory.
If a user logs in without any role mappings, the user will get the Guest role, which has a default permission of "R".
GUEST user is used by JDBC Drivers and Oracle Self Service Web Applications like istore, irecruitment, iprocurement, ipayables, ireceivables etc to make initial Connection.
Role of APPLSYS & apps user/schema in Oracle Applications:
APPLSYS user is same as other oracle users like AP, AR, GL etc which hold their set of tables, views etc. In the same manner APPLSYS Account holds its set of tables like FND_USER and FND_APPLICATION, AD_APPLIED_PATCHES etc.
Applsys schema has applications technology layer products like FND and AD etc.
Apps is a universal schema, it has synonyms to all base product tables and sequences. This also has code objects for all products (triggers, views, packages, synonyms etc).
APPS is central Schema which holds synonyms for all other Users Database Objects.
Note: APPLSYS and APPS should have same password.
Reason why these contains same password.
Both apps & applsys need to have same password because when you sign on to apps, initially it connects to a public schema called APPLSYSPUB. This validates AOL name and password that we enter (operations/welcome). Once this is verified we select responsibility, this is validated by APPLSYS schema and then it connects to apps schema.
During signon process it uses both applsys and apps, hence this expects both the password to be identical. If the password for applsys & apps are not identical (Different) Try changing apps password to something else and try to login, the validation at the last stage would fail. This would result in failure of application login.
Difference B/W APPLSYSPUB & GUEST:
APPLSYSPUB/PUB - is DB user which is used by any utility to retrieve APPS schema password for further logins.
GUEST/ORACLE - is EBS user with no or max limited privileges to execute authorization function.
That is why Guest user cannot be end dated.
Now
lets jump into the login flow:
1.Webserver receives the user request for the particular port number. Web server Binds the request with the port number.
2.Based on the cookie webserver serves the request by sending login page
3.The application user name and password
is entered by the user(operations/welcome)
4.DB connection is established using APPLSYSPUB user. This user “APPLSYSPUB” is having access to fnd_user view and a small set of other public tables needed to establish the initial connection.
5.Once DB connection is established FND_USER table is used to get ENCRYPTED_FOUNDATION_PASSWORD.
6.Using GUEST/ORACLE password combination and ENCRYPTED_FOUNDATION_PASSWORD string obtained from 2 above, we get Apps schema password.
7.Internally it tries to connect to Apps schema with the password retrieved in step 3 above. If the connection fails, then
a)The GUEST username password is incorrect
b)The FNDNAM (APPS) environment variable is set incorrectly.
c)Some other problem prevented a connection
8.Using Apps password obtained in Step 3 and ENCRYPTED_USER_PASSWORD string from FND_USER table, password for Application user (e.g. SYSADMIN) is obtained.
9. The Application user password obtained in Step 5 is compared to the application user password entered by user in login screen. If both passwords match then user is allowed to get into self-service.
4.DB connection is established using APPLSYSPUB user. This user “APPLSYSPUB” is having access to fnd_user view and a small set of other public tables needed to establish the initial connection.
5.Once DB connection is established FND_USER table is used to get ENCRYPTED_FOUNDATION_PASSWORD.
6.Using GUEST/ORACLE password combination and ENCRYPTED_FOUNDATION_PASSWORD string obtained from 2 above, we get Apps schema password.
7.Internally it tries to connect to Apps schema with the password retrieved in step 3 above. If the connection fails, then
a)The GUEST username password is incorrect
b)The FNDNAM (APPS) environment variable is set incorrectly.
c)Some other problem prevented a connection
8.Using Apps password obtained in Step 3 and ENCRYPTED_USER_PASSWORD string from FND_USER table, password for Application user (e.g. SYSADMIN) is obtained.
9. The Application user password obtained in Step 5 is compared to the application user password entered by user in login screen. If both passwords match then user is allowed to get into self-service.
10. A list of responsibilities assigned
to that user is shown. The user picks one of the responsibilities listed.
11. The responsibility and application name is validated by connecting to Applsys schema(fnd_Responsibility, fnd_application…….)
Note: Here we should remember the difference between applsys and apps schema. Applsys schema contains ad,fnd objects whereas apps schema is a global schema contains all application objects.
12. Once the application is validated , Connecting to apps schema to get access application tables. This is the reason why we should have apps and applsys passwords should be same
13. Once a particular form is selected the .dbc file is accessed to get the information about the GUEST username/pwd
============
Note: Oracle doesn't store the hash value of the passwords. It just store the whole password in the encrypted format and get stored in FND_USER table(encrypted_user_password). Thus during authentication of a front end user, it is done on the stored password. Decryption of the stored password takes place FND_WEB_SEC package which is found under apps schema. The decryption key for the user password is the decrypted “ENCRYPTED_FOUNDATION_PASSWORD” of the guest user. Meaning that the first step to decrypt the user password is to decrypt the foundation password of the guest user.
There are certain changes for EBS 12.2 as 10.1.3 application server is replaced by Weblogic server. Thus the login flow will be slight different
When a HTTP request is made for EBS, the request is received by the Oracle HTTP Server (OHS).
When the configuration of OHS is for a resource that needs to be processed by Java, such as logging into EBS, the OHS configuration will redirect the request to the Web Logic Server (WLS) Java process (OACore in this case).
WLS determines the J2EE application that should deal with the request, which is called “oacore”.
This J2EE application needs to be deployed and available for processing requests in order for the request to succeed. The J2EE application needs to access a database and does this via a datasource which is configured within WLS.
Here is the processing in terms of URL(Login HTTP headers)
When the EBS login works OK, the browser will be redirected to various different URLs in order for the login page to be displayed. The page flow below shows the URLs that will be called to display the login page:
/OA_HTML/AppsLogin
EBS Login URL
/OA_HTML/AppsLocalLogin.jsp
Redirects to local login page
/OA_HTML/RF.jsp?function_id=1032925&resp_id=-1&resp_appl_id=-1&security_group_id=0&lang_code=US&oas=3TQG_dtTW1oYy7P5_6r9ag..¶ms=5LEnOA6Dde-bxji7iwlQUg
Renders the login page
The URLs after the user enters username and password, then clicks the “login” button are shown below/OA_HTML/OA.jsp?page=/oracle/apps/fnd/sso/login/webui/MainLoginPG&_ri=0&_ti=640290175&language_code=US&requestUrl=&oapc=2&oas=4hoZpUbqVSrv9IE0iJdY1g..
/OA_HTML/OA.jsp?OAFunc=OANEWHOMEPAGE
/OA_HTML/RF.jsp?function_id=MAINMENUREST&security_group_id=0
Renders user home page
Once the users home page is displayed, the logout flow also redirects to several different URL before returning to the login page:
/OA_HTML/OALogout.jsp?menu=Y
Logout icon has been clicked
/OA_HTML/AppsLogout
/OA_HTML/AppsLocalLogin.jsp?langCode=US&_logoutRedirect=y
Redirects to the login page
/OA_HTML/RF.jsp?function_id=1032925&resp_id=-1&resp_appl_id=-1&security_group_id=0&lang_code=US&oas=r6JPtR7-a4n5U2H3–ytEg..¶ms=1JU-PCsoyAO7NMAeJQ.9N6auZoBnO8UYYXjUgSPLHdpzU3015KGHA668whNgEIQ4
11. The responsibility and application name is validated by connecting to Applsys schema(fnd_Responsibility, fnd_application…….)
Note: Here we should remember the difference between applsys and apps schema. Applsys schema contains ad,fnd objects whereas apps schema is a global schema contains all application objects.
12. Once the application is validated , Connecting to apps schema to get access application tables. This is the reason why we should have apps and applsys passwords should be same
13. Once a particular form is selected the .dbc file is accessed to get the information about the GUEST username/pwd
============
Note: Oracle doesn't store the hash value of the passwords. It just store the whole password in the encrypted format and get stored in FND_USER table(encrypted_user_password). Thus during authentication of a front end user, it is done on the stored password. Decryption of the stored password takes place FND_WEB_SEC package which is found under apps schema. The decryption key for the user password is the decrypted “ENCRYPTED_FOUNDATION_PASSWORD” of the guest user. Meaning that the first step to decrypt the user password is to decrypt the foundation password of the guest user.
There are certain changes for EBS 12.2 as 10.1.3 application server is replaced by Weblogic server. Thus the login flow will be slight different
When a HTTP request is made for EBS, the request is received by the Oracle HTTP Server (OHS).
When the configuration of OHS is for a resource that needs to be processed by Java, such as logging into EBS, the OHS configuration will redirect the request to the Web Logic Server (WLS) Java process (OACore in this case).
WLS determines the J2EE application that should deal with the request, which is called “oacore”.
This J2EE application needs to be deployed and available for processing requests in order for the request to succeed. The J2EE application needs to access a database and does this via a datasource which is configured within WLS.
Here is the processing in terms of URL(Login HTTP headers)
When the EBS login works OK, the browser will be redirected to various different URLs in order for the login page to be displayed. The page flow below shows the URLs that will be called to display the login page:
/OA_HTML/AppsLogin
EBS Login URL
/OA_HTML/AppsLocalLogin.jsp
Redirects to local login page
/OA_HTML/RF.jsp?function_id=1032925&resp_id=-1&resp_appl_id=-1&security_group_id=0&lang_code=US&oas=3TQG_dtTW1oYy7P5_6r9ag..¶ms=5LEnOA6Dde-bxji7iwlQUg
Renders the login page
The URLs after the user enters username and password, then clicks the “login” button are shown below/OA_HTML/OA.jsp?page=/oracle/apps/fnd/sso/login/webui/MainLoginPG&_ri=0&_ti=640290175&language_code=US&requestUrl=&oapc=2&oas=4hoZpUbqVSrv9IE0iJdY1g..
/OA_HTML/OA.jsp?OAFunc=OANEWHOMEPAGE
/OA_HTML/RF.jsp?function_id=MAINMENUREST&security_group_id=0
Renders user home page
Once the users home page is displayed, the logout flow also redirects to several different URL before returning to the login page:
/OA_HTML/OALogout.jsp?menu=Y
Logout icon has been clicked
/OA_HTML/AppsLogout
/OA_HTML/AppsLocalLogin.jsp?langCode=US&_logoutRedirect=y
Redirects to the login page
/OA_HTML/RF.jsp?function_id=1032925&resp_id=-1&resp_appl_id=-1&security_group_id=0&lang_code=US&oas=r6JPtR7-a4n5U2H3–ytEg..¶ms=1JU-PCsoyAO7NMAeJQ.9N6auZoBnO8UYYXjUgSPLHdpzU3015KGHA668whNgEIQ4
No comments:
Post a Comment