Share the content if you found it is useful (You can share using 300 community websites) click "share" at the end of the post.

You are encouraged to leave a comment.

Thursday, December 18, 2008

FNDCPASS Tricks and Methods

In Oracle Application 11i and R12, we have an FND functionality for changing the passwords for either application user, or product schema password or most important the “APPS” password. The FND binary which will help us is doing these things is FNDCPASS.

This is present in $FND_TOP/bin directory.

This post explains the usage of FNDCPASS, best practices that needs to be followed while using FNDCPASS and some tricks when FNDCPASS screws up the instance :))


Below is the usage for FNDCPASS
Usage: FNDCPASS logon 0 Y system/password mode username new_password

where logon is username/password[@connect]

system/password is password of the system account of that database


username is the username where you want to change its password

new_password is the new password in unencrypted format

FNDCPASS apps/apps 0 Y system/manager SYSTEM APPLSYS WELCOME

FNDCPASS apps/apps 0 Y system/manager ORACLE GL GL1
FNDCPASS apps/apps 0 Y system/manager USER VISION WELCOME

You can just type FNDCPASS and press enter, it will give you these details.

The first usage

FNDCPASS apps/apps 0 Y system/manager SYSTEM APPLSYS WELCOME

is for changing the password for apps and applsys. These are the database schema users
(most important for application to work). Password for both these users should be in synch. You can change the password of these users using this command. Note that this is the only way to change the password for apps and applsys. Please do not try any other method for changing apps and applsys password. Oracle recomends using FNDCPASS only to change apps and applsys password. Also note that using this command will change the password for both apps and applsys.

Following activities will take place

(1) applsys validation. (make sure APPLSYS name is correct)
(2) reencrypt all password in FND_USER
(3) reencrypt all password in FND_ORACLE_USERID
(4) update applsys’s password in FND_ORACLE_USERID table.
(5) Update apps password in FND_ORACLE_USERID table. Also changes are made in DBA_USERS table.

The second usage
FNDCPASS apps/apps 0 Y system/manager ORACLE GL GL1

is for changing password for any other product schema like MSC, GL etc.

Following activities will take place
(1) update GL’s password in FND_ORACLE_USERID table. The new password is reencrypted
with the current applsys password. If GL does not exists, step (2) below does not happen. Message for invalid oracle user is written in the log file.

(2) alter user to change GL’s password.

The third usage
FNDCPASS apps/apps 0 Y system/manager USER VISION WELCOME

is for changing the application level passwords like sysadmin etc used for logging into

Following activities will take place
(1) update VISION’s password in FND_USER table. The new password is reencrypted
with the current applsys password.

If VISION does not exist, message for invalid application user is written in the log file.
No products affected by the patch When you run FNDCPASS command it will check the integrity of all schema password in the application. If any of the password is corrupt then this will through and error and will not change the password.

The tables that it uses is FND_USER and FND_ORACLE_USERID. All the application
passwords and schema passwords are stored in these two tables. Ofcourse DBA_USERS
will have the schema users and password stored as well.

When we run FNDCPASS it will update all the above 3 tables.

Best practices for using FNDCPASS

Before using FNDCPASS and changing the passwords from default to some thing else,
always follow the following best practices.
1) Always, Always, Always keep the back of tables FND_USER and FND_ORACLE_USERID. You can take back of these tables using CREATE TABLE —

You must have backup of these tables before running FNDCPASS. In case if FNDCPASS fails then it might corrupt the passwords of your application and worst can happen that the application wont come up. So always be cautions about this command.

2) If possible also keep an export dump of these two tables.

3) Verify each arguement you are providing to FNDCPASS. Like verify that apps and system passwords you are providing is correct.

4) Never update apps, applsys or any schema password directly from database using the alter command. Always use FNDCPASS. System password can be set directly using ALTER command in database.

Issue with APPLSYS and APPS password

Scenario 1:
As you know that apps and applsys password should be in synch and should be changed
There can be situation where a novice user changes applsys password from the backend
database. In that case when you try to start the services it will show following error

Cannot access application ORACLE password

Cause: Application Object Library was unable access your ORACLE password.

You can even reproduce this issue (ofcourse after taking the backup of FND_USER and
FND_ORACLE_USERID table) using the following steps:

1. Use the ALTER USER command to change the APPLSYS password
2. Try to run the script to start Apps services.
3. You will get an error “Cannot complete applications logon. You may have entered an invalid applications password, or there may have been a database connect error.”
4. Then try FNDCPASS to fix password and you will get the error the APPFND01496

If this situation happens then you cannot access the application. In fact the services even wont start.
Resolution to such problem is to rollback the 2 tables FND_USER and FND_ORACLE_USERID. Once you rollback the tables, apps and applsys passwords will be in synch and password will be older one. You can then run FNDCPASS and change the password.

Scenario 2:

Some times when you run FNDCPASS, you get following error
APPFND01502: Cannot encrypt application ORACLE password

Cause: Application Object Library was unable encrypt your ORACLE password.

Action: Contact your support representative. (ORACLEUSER=APPS_SERV)

The error comes because the table fnd_oracle_userid contain rows for schemas that does
not exist. Those rows must be deleted from the table.

Use the following query to get the details of the schema that doest not exists
select * from fnd_oracle_userid
where oracle_username not in
(select username from all_users);

The rows returned by this query can be deleted from FND_ORACLE_USERID table.
This will resolve this issue.

Scenario 3:
There can be situation where users has update APPLSYS password using ALTER command in database directly and also you dont have backup of those tables. Under such situation, it is very difficult to recover the application and make it working. Still following methodology is proposed which might help you to restore the password back and make your application work fine.

For this to work you should have some other application (may be debug or UAT) which is having the same passwords or default passwords for schemas. If you have such application the following the below steps in the application which is affected by password mismatch.

This method is for resetting apps and applsys passwords. Below are the SQL statements that will help you reset the APPS and APPLSYS passwords to APPS, the APPLSYSPUB password to PUB, and the SYSADMIN password to SYSADMIN.

WARNING: This procedure will cause all user passwords to become invalid. ALL users
passwords will need to be reset through the sysadmin responsibility.

Step 1) Reset the Oracle User IDs

Open a SQL*Plus as SYSTEM and reset the passwords for the APPS, APPLSYS, and the
APPLSYSPUB Oracle user ID:


Step 2) Backup the FND_ORACLE_USERID and FND_USER tables (even though these tables are right now corrupted, do take a backup. You can restore the same when ever you want).

Open a SQL*Plus session as APPLSYS and backup the tables:
create table FND_ORACLE_USERID_BAK as (select * from FND_ORACLE_USERID);
create table FND_USER_BAK as (select * from FND_USER);

Step 3) Reset the APPS and APPLSYS application encrypted passwords
Open a SQL*Plus session as APPLSYS and update the FND_ORACLE_USERID table.

This encrypted string we are updating is the default encrypted string for apps. So if your

application is having apps password the encrypted string will look like this. We are
updating this encrypted string here directly.

Verify the table update:

Step 4) Reset the APPLSYSPUB application encrypted password
Open a SQL*Plus session as APPLSYS and update the FND_ORACLE_USERID table.


The above encrypted string is the encrypted string for password pub. If your applsyspub
password is pub then the encrypted string in FND_ORACLE_USERID will look like
Verify the table update:

Once these updates are done, try your luck by running FNDCPASS and it should work

No comments:

Related Posts Plugin for WordPress, Blogger...

Let us be Friends...

Share |

Popular Posts


11.5.1. to 11.5.5 Cloning Procedure. 11g 11i 11i and R12 11i Autoconfig 11i Cloning 12.1.1 SSL 2 Node RAC errors out adop Advanced Replication Apache version Apex Apex for Oracle database Apex Installation Apex Installation on Oracle E Business Suite. 11i with Apex Apex on 11i Apex on Oracle 11i Apex402 apexins.sql APPL_TOP Character Application Express Application server Issue APPLSYS password Apps Password Asynchronous Replication Autoconfig Autoconfig Managed Beehive Bit of operating system Block block media corrupt BPEL Central Inventory Character Set Conversion Cloning of 11i Cloning of Oracle Applications Clusterware Concurrent CPU 2011 CPU 2012 April CPU 2012 January. CPU 2012 October CRS custom top Custom Top Creation Database . Database Query Dataguard DBMS_REPAIR Demantra . Domain Name E Business Suite Migration EBS 12.2 EPM exp/imp Oracle Applications Flashback table flows_020200 FND_TOP/resource FNDCPASS FNDCPUCF Forms server upgrade Forms startup FRM-92101 Fusion Middleware Hostname Hot Backup Hot cloning HotBackup Hotbackup Cloning of Oracle Apps hrglobal.drv. NLS Saudi Arabian HRMS hyperion Import and Export Oracle Applications Install Oracle Installation of R12 Installation Steps integration Oracle EBS Issues Database issues Oracle EBS Issues with Upgrade 12.1.1 Java Mission Control Java Upgrade java/sql/SavePoint JInitiator Junk Characters Language Translation Linux Linux Migration listener trace Listner version Local Inventory Login Page Master-Master Replication Memory Tuning Multiple Language NLS Non-Autoconfig Enabled OBIEE 11g Installation OBIEE Issues OIM Opatch version OpenSSL ora-01031 Oracle oracle 11g Oracle Announcement Oracle Application servers Oracle Application services Oracle Applications Oracle Applications 11i oracle applications 12.2 Oracle Applications Cloning Oracle Applications Upgrade Oracle Applications. Oracle Apps cloning Oracle BPEL oracle certifications oracle database Oracle Database RMAN Oracle Database upgradation Oracle DB oracle E Business suite 12.2 Oracle EBS oracle EPM Oracle Forms Logo oracle Fusion Applications Oracle Inventory oracle news Oracle OUI Oracle R12 oracle Sun Solaris Oracle Tuning Oracle Virtual Box Oracle Webgate Oracle WMA configuration orcladmin password for Oracle Applications Pasta Configuration pasta.cfg patch PDF Performance Physical Standby Platform migration Printer Configuration Profile Option R12 RAC Rapid Install Rapidwiz Real Application Clusters 10g Recovery RMAN RMAN Recovery SA Gosi Service Oriented Architecture SOA SQLTXPLAIN SSL Configuration step-by-step upgrade Sun solaris Swap Tablespace Trace Enable Trace file Translation Synchronization Patch transport tablespace tuning Tuning SGA uifont.ali Underscore Universal Content Management Upgradation of 12.0.5 to 12.1.1 Upgrade Upgrade 11g Upgrade Apps Upgrade DB Upgrade to 11g UTF8 version of oracle applications versions Web server upgrade weblogic windows workflow version XML Publisher version