Getting Credentials in Fusion Applications

Introduction

Oracle Fusion Applications is configured to store regular user names and credentials in Oracle Internet Directory (OID), where they are used for authentication. Many of the applications also store the connection usernames and credentials they need in the credential store and retrieve them from the store when required. This article shows how Fusion Applications Administrators can retrieve this information from the Credential Store.

Main Article

Oracle Fusion Applications uses several application roles and associated usernames (usually called APPIDs) that are used by various services to interconnect. Many of these are only used internally within the applications and are created and maintained as part of the Applications provisioning and not exposed to the end users or administrators. Often when troubleshooting or configuring integrations one needs to know the credentials for these APPIDs. The steps here can be used to retrieve the passwords from the credential store.

Note: The steps in this article require mid-tier stack access, which is typically restricted to Fusion Applications Administrators. Customers therefore cannot perform these steps themselves in Oracle SaaS Cloud environments, which are administered internally within the Oracle Cloud.

Getting the Credentials

The first task to get to the Credential Store is to locate it. This is different in Fusion Applications Release 12 and later compared to earlier versions.

Up to Release 11 of Fusion Applications, the Credential Store was kept in the Oracle Internet Directory (OID) under a top-level jpsroot entry for Fusion Applications. Typically this is cn=FAPolicies, and the credential store location is under the LDAP DN “cn=CredentialStore,cn=FusionDomain,cn=JPSContext,cn=FAPolicies”, with further subtrees (called orclCSFAlias) used by different applications. These in turn host the credential key entries (LDAP attributes named orclCSFKey), which contain the username / password pairs under LDAP attributes named orclCSFName / orclCSFPassword.

In Release 12 and later versions of Fusion Applications the IDM has been consolidated further and along with the policy store, the credential store has been moved to reside in the Fusion Applications Database itself under the FUSION_OPSS schema.

To get a credential, for example for the AppID user FUSION_APPS_HCM_ODI_SUPERVISOR_APPID, which is used for HCM File Loader activities, one first needs to locate the orclCSFKey that contains this AppID user's details. Often a quick search of the Oracle Support website will provide this information. You can also get this information from the Fusion Applications Enterprise Manager (EM).

In this case, one would open the CommonDomain EM and, in the left pane, navigate to “Farm_CommonDomain” -> “Weblogic Domain”, then right-click “CommonDomain” and navigate to “Security -> Credentials” to see the Credential Store listing in the right pane.

EM Credential Store Navigation

There, use the field named “Credential Key Name” to search for an entry. So in this example, you should enter the AppID user name FUSION_APPS_HCM_ODI_SUPERVISOR_APPID and search to see the credential subtree name (orclCSFAlias) oracle.apps.security. Expanding this will reveal the orclCSFKey name FUSION_APPS_HCM_ODI_SUPERVISOR_APPID-KEY.

You can click on the key and choose “edit” to see the username (orclCSFName) and the password (orclCSFPassword) stored within the key. However, for security reasons, the password is obscured.

EM Credential Key Details

Now that you have the orclCSFAlias and orclCSFKey needed to look up the password for FUSION_APPS_HCM_ODI_SUPERVISOR_APPID, you can retrieve the password from the Fusion Applications WebLogic midtier. The steps vary with the Fusion Applications release, as noted below.

List Credential in FA Release 11 and earlier

For this, log into the Fusion Applications midtier host and do the following:

  1. Use the FA wlst (change /u01/APPLTOP to suit your FA base directory): sh /u01/APPLTOP/fusionapps/oracle_common/common/bin/wlst.sh

  2. Connect to the Domain Server: connect('FAAdmin','<password>','t3://<CommonDomainAdminServerHost>:<port>')

  3. Get the Credential: listCred(map="oracle.apps.security",key="FUSION_APPS_HCM_ODI_SUPERVISOR_APPID-KEY")

This returns the password for this user from the credential store.

List Credential in FA Release 12 and later

To do the same in FA Release 12 and later, log into the Fusion Applications midtier host and run the following (change /u01/APPLTOP to suit your needs):

/u01/APPLTOP/fusionapps/jdk/bin/java \
-classpath "/u01/APPLTOP/fusionapps/oracle_common/modules/oracle.jrf_11.1.1/jrf.jar:\
/u01/APPLTOP/fusionapps/oracle_common/modules/oracle.jps_11.1.1/jps-se.jar:\
/u01/APPLTOP/fusionapps/wlserver_10.3/server/lib/weblogic.jar:\
/u01/APPLTOP/fusionapps/bi/bifoundation/provision/scripts/bidomain/lib/bifaprovision.jar" \
-Doracle.security.jps.config=/u01/APPLTOP/instance/domains/bi.oracleoutsourcing.com/BIDomain/config/fmwconfig/jps-config-jse.xml \
oracle.bi.faprovisioning.CredUtil \
oracle.apps.security \
FUSION_APPS_HCM_ODI_SUPERVISOR_APPID-KEY

This returns the password for this user from the credential store in the FA Database.

Note the space character just before the \ character at the end of only some lines. Keep these as they are, since they separate the command parameters.
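The Release 12 command above depends on exact spacing around its line continuations, so here is an added wrapper (not Oracle's script and not part of the original article) that assembles the same classpath from a single APPLTOP value and checks each jar before running CredUtil. The function names build_classpath and get_cred are hypothetical, and the jps-config-jse.xml path is supplied by the caller.

```shell
#!/bin/sh
# Added example: builds the Release 12 CredUtil invocation without relying on
# backslash continuations inside the classpath string.

# Jar paths relative to $APPLTOP/fusionapps, as listed in the article's command.
CREDUTIL_JARS="oracle_common/modules/oracle.jrf_11.1.1/jrf.jar
oracle_common/modules/oracle.jps_11.1.1/jps-se.jar
wlserver_10.3/server/lib/weblogic.jar
bi/bifoundation/provision/scripts/bidomain/lib/bifaprovision.jar"

# build_classpath APPLTOP
# Prints the colon-joined classpath. Returns 1 and names the first missing
# jar on stderr, so a wrong base directory fails before Java is started.
build_classpath() {
    base="$1/fusionapps"
    joined=""
    for rel in $CREDUTIL_JARS; do
        if [ ! -f "$base/$rel" ]; then
            echo "missing jar: $base/$rel" >&2
            return 1
        fi
        joined="${joined:+$joined:}$base/$rel"
    done
    printf '%s\n' "$joined"
}

# get_cred APPLTOP JPS_CONFIG MAP KEY
# Runs CredUtil with every parameter passed as its own quoted argument.
get_cred() {
    appltop="$1"; jps_config="$2"; map="$3"; key="$4"
    [ -r "$jps_config" ] || { echo "cannot read $jps_config" >&2; return 1; }
    classpath=$(build_classpath "$appltop") || return 1
    "$appltop/fusionapps/jdk/bin/java" \
        -classpath "$classpath" \
        "-Doracle.security.jps.config=$jps_config" \
        oracle.bi.faprovisioning.CredUtil "$map" "$key"
}
```
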

Since the credential store also has many non-AppID users, this helps with other users as well. For example, a commonly sought FA Release 12 password is that of the schema user FUSION_OPSS, who is also the credential store owner, but whose password may be randomized.

Summary

Getting and using various passwords from the Fusion Applications credential store is a basic Administrator task that is often done under time pressure. This article shows how to do that quickly.
