Oracle Application Server 10.1.2.0.2 patch howto

[apad]

Apply 10.1.0.5 patch set 3 4505133

SQL> ALTER SYSTEM SET SHARED_POOL_SIZE='512M' SCOPE=spfile;
SQL> ALTER SYSTEM SET JAVA_POOL_SIZE='512M' SCOPE=spfile;
SQL> ALTER SYSTEM SET SGA_TARGET='2G' SCOPE=spfile;

Known Issues Applying Oracle Database 10.1.0.5 Patch Set to OracleAS 10g
(10.1.2)
Note:359362.1

Reference section 5030985 : OIDLDAPD COULD NOT BE STARTED AFTER APPLYING DB
PSR 10.1.0.5

1.    Take the following file from AS 10.1.2.0.2 CD #1 ("Disk1"):
stage/Component/oracle.rsf.ldap_rsf/10.1.2.1.0/1/DataFiles/lib.1.1.jar

2.   Execute the following command for getting "libldapclnt10.a0":
> jar xvf lib.1.1.jar

3.   Back up the "libldapclnt10.a":
> mv $ORACLE_HOME/lib32/libldapclnt10.a $ORACLE_HOME/lib32/libldapclnt10.a_10.1.0.5

4.   Copy the "libldapclnt10.a0":
> cp -p libldapclnt10.a0 $ORACLE_HOME/lib32/libldapclnt10.a

5.   You will need to edit the $ORACLE_HOME/bin/relink script with the following:

a. Update $ORACLE_HOME/ldap/lib/ to $ORACLE_HOME/ldap/lib32
b. Ensure make points to correct location of make executable on the OS

Before:
MAKE="/usr/bin/make" # full path to make
After:
#MAKE="/usr/bin/make" # full path to make
MAKE="/usr/ccs/bin/make" # full path to make

6.   Run the following command to relink:

cd $ORACLE_HOME/ldap/lib32
make -f ins_ldap.mk install


Apply fix in Note:361800.1
Verify that $ORACLE_HOME/bin/oidldapd is owned by root, and not by the oracle
user. Permissions for oidldapd and oidmon should be as follows:

    -rwsr-x--- 1 root dba 2570620 Apr 27 14:15 oidldapd
    -rws------ 1 oracle dba 2662384 Apr 27 14:15 oidmon
    -rws------ 1 oracle dba 2704172 Apr 27 14:15 oidrepld

chmod 4750 oidldapd
chmod 4700 oidmon
chmod 4700 oidrepld

Oracle Application Server 10g Release 2 (10.1.2) Support Status and Alerts
Note:329361.1

Steps to Maintain Oracle Application Server 10g Release 2 (10.1.2)
Note:415222.1

Apply patch 4960210

[apad]

When OID goes down (and it will) here's how to recover it.

$ORACLE_HOME/bin/oidmon start
SQL> select * from ods.ods_process;
SQL> delete from ods.ods_process;
oidctl server=oidldapd configset=0 instance=1 start
opmnctl startall

[apad]

Here's the sequence of patches in the correct order of installation for a datawarehouse build.

1) 2617419 - OPatch Version: 1.0.0.0.52
2) 4505133 - 10.1.0.5 DB patch for AS
3) 5255249 - AS10122SUN:060526.0600:OID NOT STARTING DUE TO INCORRECT LIBLDAPCLNT
4) 4960210 - 10.1.2.2 DB patch for AS
4) 3060499 - Discoverer bulk load patch
5) 4707854 - Discoverer patch: time field shown as zeros
5) 5732133 - 10.1.2.2 DB fixit patch for AS
7) 5700154 - CPU 10.1.2.2 for AS
8) 5901894 - MLR bug for 10.1.2.2 AS
6) 6395024 - CPUOCT2007

[apad]

The security guy doesn't like HTTP TRACE being open on the Oracle HTTP server. Here's how to test it to make sure the error is there.

Code:

[adbeepat@curry ~/wrk] telnet server 7777
Trying xxx.xxx.xxx.xxx...
Connected to server.
Escape character is '^]'.
TRACE / HTTP/1.0
Host: foo
A: b
C: d^]

HTTP/1.1 200 OK
Date: Mon, 08 Oct 2007 19:06:43 GMT
Server: Oracle-Application-Server-10g/10.1.2.2.0 Oracle-HTTP-Server
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
A: b
C: d^]
Host: foo

Connection closed by foreign host.

See how it gave me back everything I gave it? Apparently that's bad form peter. So lets fix it.

Here's how to shut it off. Just add these lines to the bottom of $ORACLE_HOME/Apache/Apache/conf/httpd.conf. And when I say the bottom, I mean they have to be the very last lines in the file.

Code:

# Disable HTTP TRACE
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

Now just restart the HTTP server and you should be good to go. In my experience, I had to stop everything and restart it.

Code:

opmnctl stopall
opmnctl startall

Let's test it then.

Code:

[adbeepat@curry ~/mda/img] telnet server 7777
Trying xxx.xxx.xxx.xxx...
Connected to server.
Escape character is '^]'.
TRACE / HTTP/1.0
Host: foo
A: b
C: d^]

HTTP/1.1 403 Forbidden
Date: Mon, 08 Oct 2007 19:19:40 GMT
Server: Oracle-Application-Server-10g/10.1.2.2.0 Oracle-HTTP-Server
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>403 Forbidden</TITLE>
</HEAD><BODY>
<H1>Forbidden</H1>
You don't have permission to access /
on this server.<P>
<HR>
<ADDRESS>Oracle-Application-Server-10g/10.1.2.2.0 Oracle-HTTP-Server Server at portside.valdosta.edu Port 7777</ADDRESS>
</BODY></HTML>
Connection closed by foreign host.

Further reading...
http://publib.boulder.ibm.com/httpserv/ihsdiag/http_trace.html
http://www.apacheweek.com/issues/03-01-24#news

[apad]

Still testing this...taken from ALERT: Required and Recommended Patch Levels For All Discoverer Versions Doc ID:    Note:237607.1

Discoverer 10g (10.1.2.0.2):
This is the current base release, and is part of "Premier Support". It is the same code level as version 10.1.2.1. Both versions 10.1.2.1 and 10.1.2.0.2 provide the same Discoverer version 10.1.2.48.18.

For new installations, we recommend that you also apply the Application Server 10g 10.1.2.2 patchset Patch 4960210 plus Discoverer "cumulative patch IV" ( Patch 6357481 ). This will provide Discoverer version 10.1.2.54.25. 

...

New (as of September 2007): For Discoverer 10g, Oracle development is moving to a cumulative patching model. This is being done to reduce the patching times for our customers and to provide the most relevant, highest impact, critical patches in a single patch.

These cumulative patches will only be applied on over the 10.1.2.2 patchset (i.e., not 10.1.2.0, 10.1.2.1, 10.1.2.0.2) and will not include every bug fix, but they will include the most relevant, highest impact, critical issues including E-Business Suite certification and integration patches.

Cumulative patches are discussed in more detail in:

Note 466058.1 'Introduction To Discoverer 10g (10.1.2.2) And Higher Cumulative Patches'

Now, my AS is 10.1.2.2.0, and my Discoverer install is 10.1.2.0.2 (10.1.2.48.18). What I'm trying to do is install patch 5758865 which is the discoverer patch for IE7. It says I need Discoverer 10.1.2.54.25 (iAs 10.1.2.2.). So according to the above documentation...

Discoverer "cumulative patch IV" ( Patch 6357481 ). This will provide Discoverer version 10.1.2.54.25. 

...I need to install 6357481 before I can install 5758865.

Update! --- It seems you need to contact oracle for a password in order to download the 6357481 patch. Furthermore, the available versions do not include one for Solaris 64bit SPARC. More to come...

...Process in testing...

[apad]

Can't start EM because ora-28000 account locked error.

http://forums.oracle.com/forums/thread.jspa?threadID=368185&start=0&tstart=0

Ensure that ORACLE_HOME is set to the correct home

1. Stop the standalone dbconsole
on Unix
$ emctl stop dbconsole
on Windows
Stop the Windows Service Oracle<oracle_home_name>DBConsole
Or
Open a DOS Command Window and type
C> emctl stop dbconsole

2. Check that the standalone dbconsole is stopped
on Unix
$ emctl status dbconsole
on Windows
Check the status of the Windows Service Oracle<oracle_home_name>DBConsole
Or
Open a DOS Command Window and type
C> emctl status dbconsole

3. Connect to the database as a user with DBA privilege with SQL*Plus
and execute
SQL> alter user sysman identified by <new_password> ;

4. Check the new password
SQL> connect sysman/<new_password>@database_alias

5. Go to $ORACLE_HOME/host_sid/sysman/config
5.1 Save the file emoms.properties to emoms.properties.orig
5.2 Edit the file emoms.properties
a. Search for the line beginning with:
oracle.sysman.eml.mntr.emdRepPwd=
Replace the encrypted value by the new password value
b. Search for the line:
oracle.sysman.eml.mntr.emdRepPwdEncrypted=TRUE
Replace TRUE by FALSE

6. Restart the standalone dbconsole
on Unix
$ emctl start dbconsole
on Windows
Start the Windows Service Oracle<oracle_home_name>DBConsole
Or
Open a DOS Command Window and type
C> emctl start dbconsole

7. Check that the password has been encrypted
Edit the file emoms.properties
7.1 Search for the line beginning with:
oracle.sysman.eml.mntr.emdRepPwd=
Check that the password is encrypted
7.2 Search for the line beginning with:
oracle.sysman.eml.mntr.emdRepPwdEncrypted=
Check that the value is TRUE

[apad]

More...

http://forums.oracle.com/forums/thread.jspa?threadID=521389

We shouldn't worry about the ORA-28000, ORA-28001 errors - these are misleading errors caused by the "scott" DB account that it's not used by OID/SSO.

The real problem appears to be the OC4J_SECURITY process being forcefully stopped/crashing.

First of all, let's check id the OID is working as expected:

Check the ports on /app/oracle/product/comp/infra10g/install/portlist.ini

1. ps -ef | grep oidldapd

2. $ORACLE_HOME/bin/ldapbind -h <oid_host> -p <oid_nonSSL_port>
-> $ORACLE_HOME/bin/ldapbind -h zus95d-4403.tszrh.csfb.com -p 389
Cannot connect to the LDAP server

3. $ORACLE_HOME/bin/ldapbind -h <oid_host> -p <oid_SSL_port> -U 1
-> $ORACLE_HOME/bin/ldapbind -h zus95d-4403.tszrh.csfb.com -p 636 -U 1
Cannot connect to the LDAP server

Stop and restart OID on this way:
4. $ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=OID

5. check if there are still running oidldap processes ps -ef | grep oidldapd
In this case just kill them

6. Connect as SYS user to the Metadata repository database and issue the following statements:
+ delete ods.ods_process where serverid=2;
+ commit;

7. $ORACLE_HOME/opmn/bin/opmnctl startproc process-type=OID

8. after some minutes check OID again:
$ORACLE_HOME/bin/ldapbind -h zus95d-4403.tszrh.csfb.com -p 389
bind successful
$ORACLE_HOME/bin/ldapbind -h zus95d-4403.tszrh.csfb.com -p 636 -U 1
bind successful

9. Try to start OC4J_SECURITY:
$ORACLE_HOME/opmn/bin/opmnctl startproc process-type=OC4J_SECURITY

10. Try to login on SSO:
http://servername.host:port/portal/page/portal/TOPLEVELSITE/Welcome

11. Connection works

Note/Conclustion:
- The Oracle processes should be always cleanly stopped before rebooting the server
- You should access the OID tables (from ODS schema) only if requested by the Oracle Support.
- serverid=2 is the entry corresponding to the OID Server process (oidldapd)
- serverid=7 is the entry corresponding to the OID Sinchronization and Provisioning Server.
- The "state=2" means "up and running", "state=1" means "starting", "state=4" means "stopped".

ods_process table:
INSTANCE   PID    SERVERID   FLAGS    HOSTNAME   STATE   LASTWAKETIME    RETRYCOUNT
1.00    3'997.00   7.00    instance=1 configset=0 "SERVERNAME"   2.00   06.18.2007 18:13:16   0.00
1.00    3'996.00   2.00    -i 1 -conf 0    "SERVERNAME"   2.00   06.19.2007 17:28:47   0.00