Adding FA AppIDUsers to the no password expiry policy in R12

Introduction

During provisioning of a new FA instance, the passwords for FA AppIDUsers like FUSION_APPS_PROV_PATCH_APPID or similar users will expire after 120 days, which is the standard value for normal OID users. This article describes how to apply the no password expiry policy to all FA AppIDUsers in a newly provisioned R12 instance.

Background

The FA start/stop script fails, and during the failed startup you observe error messages like this in the AdminServer.out file:

<Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.

As you did not change anything, this is quite unexpected, so you check what went wrong. You take the known password for FUSION_APPS_PROV_PATCH_APPID, check that it is correct in boot.properties, and see that everything is fine there.

As a next step you check the password in LDAP to confirm that everything is fine there too. To do that, run the following ldapsearch command using the known password "Password123":

 

ldapsearch -h idmhost1.mycompany.com -p 3060 -D "cn=FUSION_APPS_BI_SYSTEM_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com" -w "Password123" -s base -b "cn=FUSION_APPS_BI_SYSTEM_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com" "objectclass=*" dn
cn=FUSION_APPS_BI_SYSTEM_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com

As a reply you will get:

ldap_bind: Invalid credentials

ldap_bind: additional info: Password Policy Error :9000: GSL_PWDEXPIRED_EXCP :Your Password has expired. Please contact the Administrator to change your password.

This error clearly shows that your password has expired.

To fix this problem we will show how to add all FA AppIDs to the existing OID password policy FAPolicy. This password policy makes sure that the passwords for all AppIDs never expire.

You can do that using ODSM, and you will not even have to restart anything. The user can be used again as soon as you have applied the needed change in ODSM.

Adding FA appids to password policy FAPolicy in ODSM

Start ODSM with: http://idmhost1.mycompany.com:7005/odsm

Please keep in mind that this example uses dc=mycompany,dc=com as base entries. Make sure that you use the correct values for your own environment if you follow these steps!

Click on Connect to a directory:

Info_odsm_intro_screen

Click on OID – OID_Connection

Info_odsm_oid_conn_1

Click on Connect after filling in correct values for User Name and Password

Info_odsm_oid_conn_2

Click on the tab Security

Info_odsm_home_screen

Click on Password Policy on the left

Info_odsm_security_first_screen

Now click on cn=FAPolicy on the left

Info_odsm_security_second_screen

Scroll down on the right side to check the value for Password expiry time

Info_FAPolicy_init_standard

The value for "Password Expiry Time" should be 0, as seen here. That means the password will never expire. After checking that value, click on the tab Effective Subtree:

Info_FAPolicy_pw_expire_standard

Click on the +-sign below Password Policy Effective Subtree

Info_FAPolicy_subtree_standard

Click on Select

Info_FAPolicy_subtree_select_screen

Click on the triangle before dc=com, then on the triangle before dc=mycompany, and then on the triangle before cn=Users

Info_FAPolicy_subtree_ldap_tree

Click on cn=AppIDUsers

Info_FAPolicy_subtree_ldap_tree_fa_appid

Click on Select

Info_FAPolicy_subtree_ldap_tree_fa_appid_select

Click on Apply to save the changes

Info_FAPolicy_subtree_ldap_tree_fa_appid_select_2

Now you have successfully applied the FAPolicy password policy to all AppIDUsers.

Info_FAPolicy_subtree_ldap_tree_fa_appid_select_saved

How to check the changes

Now you can check whether the change works as expected by simply running the ldapsearch used before again:

ldapsearch -h idmhost1.mycompany.com -p 3060 -D "cn=FUSION_APPS_BI_SYSTEM_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com" -w "Password123" -s base -b "cn=FUSION_APPS_BI_SYSTEM_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com" "objectclass=*" dn
cn=FUSION_APPS_BI_SYSTEM_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com

This time the expected result will be:

cn=FUSION_APPS_PROV_PATCH_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com

 

That clearly proves that the password works again and that it will never expire from now on. This applies to all users in AppIDUsers.
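For environments where clicking through ODSM is not practical, the following script is an added example (not part of the original article) that performs the same subtree assignment with ldapmodify and checks the result with ldapsearch. It assumes the administrator DN cn=orcladmin with its password in the environment variable ADMIN_PW, that FAPolicy lives at the usual OID 11g location under cn=pwdPolicies, and that a policy is attached to a subtree by setting the pwdpolicysubentry attribute on the subtree root, which is what the "Effective Subtree" tab in ODSM does.

```shell
#!/bin/sh
# Added example, not from the original article. Adjust the values below to your
# environment; the DNs follow the dc=mycompany,dc=com convention used above.
OID_HOST="${OID_HOST:-idmhost1.mycompany.com}"
OID_PORT="${OID_PORT:-3060}"
BASE="${BASE:-dc=mycompany,dc=com}"
ADMIN_DN="cn=orcladmin"                       # assumption: directory administrator
# Assumption: standard OID 11g location of the password policy entries.
POLICY_DN="cn=FAPolicy,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,$BASE"
SUBTREE_DN="cn=AppIDUsers,cn=Users,$BASE"

# LDIF that attaches FAPolicy to the AppIDUsers subtree (same change as ODSM Apply).
fapolicy_ldif() {
  printf 'dn: %s\nchangetype: modify\nreplace: pwdpolicysubentry\npwdpolicysubentry: %s\n' \
    "$SUBTREE_DN" "$POLICY_DN"
}

# Apply the LDIF as the directory administrator; no restart is needed afterwards.
apply_fapolicy() {
  tmp=$(mktemp) || return 1
  fapolicy_ldif > "$tmp"
  ldapmodify -h "$OID_HOST" -p "$OID_PORT" -D "$ADMIN_DN" -w "$ADMIN_PW" -f "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Read ldapsearch output on stdin and print the pwdmaxage value
# (password expiry time in seconds; 0 means the password never expires).
pwdmaxage_from_output() {
  grep -i '^pwdmaxage:' | head -n 1 | sed 's/^[^:]*: *//'
}

# Succeeds only when the piped-in policy output shows an expiry time of 0.
policy_never_expires() {
  [ "$(pwdmaxage_from_output)" = "0" ]
}

# Live check: FAPolicy must have pwdmaxage 0 and must be attached to AppIDUsers.
check_fapolicy() {
  ldapsearch -h "$OID_HOST" -p "$OID_PORT" -D "$ADMIN_DN" -w "$ADMIN_PW" \
    -s base -b "$POLICY_DN" "objectclass=*" pwdmaxage | policy_never_expires &&
  ldapsearch -h "$OID_HOST" -p "$OID_PORT" -D "$ADMIN_DN" -w "$ADMIN_PW" \
    -s base -b "$SUBTREE_DN" "objectclass=*" pwdpolicysubentry |
    grep -qi "^pwdpolicysubentry: $POLICY_DN"
}
```

Run `apply_fapolicy && check_fapolicy` on a host with the OID command-line tools; a non-zero exit from the check means either the policy still has a non-zero expiry time or the subtree is not yet attached to it.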

As you can see, no restart of any component is needed.

If you experienced problems with other FA AppIDs inside FA functions, those should now work again as well.
