Best Practices from Oracle Development's A‑Team

Adding FA AppIDUsers to the no password expiry policy in R12


When a new FA instance is provisioned, the passwords for FA AppIDUsers such as FUSION_APPS_PROV_PATCH_APPID expire after 120 days, which is the standard value for normal OID users. This article describes how to apply the no password expiry policy to all FA AppIDUsers in a newly provisioned R12 instance.


The FA start/stop script fails, and during the failed startup you observe error messages like this in the AdminServer.out file:

<Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.

As you did not change anything, this is quite unexpected, so you check what went wrong. You take the known password for FUSION_APPS_PROV_PATCH_APPID, check that it is correct in boot.properties, and see that everything is ok.

As a next step, check the password in LDAP to confirm that everything is ok there. To do that, run the following ldapsearch command using your known password "Password123":


ldapsearch -h idmhost1.mycompany.com -p 3060 -D "cn=FUSION_APPS_BI_SYSTEM_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com" -w "Password123" -s base -b "cn=FUSION_APPS_BI_SYSTEM_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com" "objectclass=*" dn cn=FUSION_APPS_BI_SYSTEM_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com

As a reply you will get:

ldap_bind: Invalid credentials

ldap_bind: additional info: Password Policy Error :9000: GSL_PWDEXPIRED_EXCP :Your Password has expired. Please contact the Administrator to change your password.

This error clearly shows that your password has expired.

To fix this problem, we show here how to add all FA AppIDs to the existing OID password policy FAPolicy. This password policy makes sure that the passwords for all AppIDs never expire.

You can do that using ODSM, and you do not even have to restart anything. The user can be used again as soon as you have applied the needed change in ODSM.

Adding FA appids to password policy FAPolicy in ODSM

Start ODSM at: http://idmhost1.mycompany.com:7005/odsm

Please keep in mind that this example uses dc=mycompany,dc=com as the base entries. Make sure that you use the correct values for your environment if you follow these steps!

Click on Connect to a directory:


Click on OID – OID_Connection


Click on Connect after filling in correct values for User Name and Password


Click on the tab Security


Click on Password Policy on the left


Now click on cn=FAPolicy on the left


Scroll down on the right side to check the value for Password expiry time


The value for “Password Expiry Time” should be 0 as seen here. That means the password will never expire. After checking that value please click on the tab Effective Subtree:


Click on the +-sign below Password Policy Effective Subtree


Click on Select


Click on the triangle before dc=com and after that on the triangle before dc=mycompany and then on the triangle before cn=users


Click on cn=AppIDUsers


Click on Select


Click on Apply to save the changes


You have now successfully added all AppIDUsers to the FAPolicy password policy.


How to check the changes

Now you can check whether the changes work as expected by simply running the earlier ldapsearch again:

ldapsearch -h idmhost1.mycompany.com -p 3060 -D "cn=FUSION_APPS_BI_SYSTEM_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com" -w "Password123" -s base -b "cn=FUSION_APPS_BI_SYSTEM_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com" "objectclass=*" dn cn=FUSION_APPS_BI_SYSTEM_APPID,cn=AppIDUsers,cn=Users,dc=mycompany,dc=com

This time the expected result will be:



That clearly proves that the password is working again and it will now never expire. This is valid for all users that you have in AppIDUsers.

As you can see no restart of any component is needed.

If you experienced problems with other FA AppIDs inside FA functions, those should now work again as well.
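
The bind check used above can be repeated for every AppID user instead of one at a time. The shell functions below are an added example, not part of the original article: the function names, the OID_HOST/OID_PORT/APPID_BASE variables and the "user password" credentials file are assumptions, and only the ldapsearch options shown in the article are used.

```shell
#!/bin/sh
# Added example (not from the article): classify the bind result per AppID user.
# Host, port and base DN default to the article's sample values.
OID_HOST="${OID_HOST:-idmhost1.mycompany.com}"
OID_PORT="${OID_PORT:-3060}"
APPID_BASE="${APPID_BASE:-cn=AppIDUsers,cn=Users,dc=mycompany,dc=com}"

# Build the bind DN for one AppID user.
appid_dn() {
    printf 'cn=%s,%s\n' "$1" "$APPID_BASE"
}

# Map an ldapsearch exit status ($1) and its captured output ($2) to a state.
# The expiry test comes first: an expired bind also prints "Invalid credentials".
classify_bind() {
    case "$2" in
        *GSL_PWDEXPIRED_EXCP*)   echo EXPIRED ;;
        *"Invalid credentials"*) echo BAD_PASSWORD ;;
        *) if [ "$1" -eq 0 ]; then echo OK; else echo ERROR; fi ;;
    esac
}

# Bind as one user with the article's base-scope search; prints "STATE user".
# -w puts the password on the command line, as in the article, so other local
# users may see it in the process list while the command runs.
check_appid() {     # $1 = user, $2 = password
    dn=$(appid_dn "$1")
    out=$(ldapsearch -h "$OID_HOST" -p "$OID_PORT" -D "$dn" -w "$2" \
            -s base -b "$dn" "objectclass=*" dn 2>&1 </dev/null) && rc=0 || rc=$?
    printf '%s %s\n' "$(classify_bind "$rc" "$out")" "$1"
}

# Read "user password" pairs from a file (hypothetical format, keep it mode 600)
# and report each user; returns non-zero if any password has expired.
check_all() {       # $1 = credentials file
    expired=0
    while read -r user pass; do
        [ -n "$user" ] || continue
        line=$(check_appid "$user" "$pass")
        echo "$line"
        case "$line" in EXPIRED*) expired=$((expired + 1)) ;; esac
    done < "$1"
    [ "$expired" -eq 0 ]
}

# Run only when a credentials file is given as the first argument.
if [ -n "${1:-}" ]; then check_all "$1"; fi
```

Running it before and after the ODSM change shows which AppID users moved from EXPIRED to OK.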

