Startseite 5 Techblog 5 Accessing SYS, EBS_SYSTEM, APPS and weblogic password in Cloud Manager Post-Clone scripts

Accessing SYS, EBS_SYSTEM, APPS and weblogic password in Cloud Manager Post-Clone scripts

9. Januar 2024

Johannes Michler PROMATIS Horus Oracle


Executive Vice President – Head of Platforms & Development

Oracle E-Business Suite Cloud Manager provides a powerful way to run and manage E-Business Suite environments on Oracle Cloud Infrastructure OCI.

While the tooling covers many parts of the usual cloning steps, it is sometimes necessary to add some "custom stuff", e.g. modifying the ALLORACLE password, registering monitoring solutions, pausing some concurrent requests and so on.

Luckily, for quite some time, Cloud Manager has allowed to register custom scripts as (final) cloning steps in Cloud Manager.

Unfortunately, it is not possible to access the environment passwords in those scripts. So far, I've worked around this in two (suboptimal) ways:

  • Ask for the relevant passwords as parameters of the post-clone script. Of course this is inconvenient since the user must then enter the passwords three times (two times during the standard steps, where there is also a confirmation) and one more time for the post-clone. Imagine if there was a typo in there...
  • Extract APPS and WebLogic password with some WLST tools out of the running environment. For me, this approach has worked for quite some time; but actually, it qualifies as "kind-of-hacking", and it is furthermore not possible to get the SYS(TEM) or EBS_SYSTEM password in that way.

With Release 23.3.1, Oracle finally allowed to change all those passwords conveniently during cloning, so I figured there has to be a better way to solve this.

This is how I modified Cloud Manager to be able to access those passwords.

Be aware: This is a potential security risk. But on the other side: If you're able to run a custom script on the EBS apps/db tier as part of cloning, you probably have other means of causing harm as well anyway.

Modification of seeded extensible-task-executor.rb

Modify the /u01/install/APPS/apps-unlimited-ebs/resources/chef-repo/cookbooks/oracle-ebs-ext-fwk/recipes/extensible-task-executor.rb file as follows:

....
else
input_array.push(Shellwords.escape(arg_name) + "=" + Shellwords.escape(arg_value))
end

end

#Hack JMichler:
enc_ebs_system_pass = getNewEBSSystemUserPassword("#{node['chef_environment']}")
ebs_system_password = `echo '#{enc_ebs_system_pass}'| base64 -d`.strip
password_array.push(Shellwords.escape('ebs_system_password') + "=" + Shellwords.escape(ebs_system_password))

enc_apps_pass = getNewAppsPwd("#{node['chef_environment']}")
apps_password = `echo '#{enc_apps_pass}'| base64 -d`.strip
password_array.push(Shellwords.escape('apps_password') + "=" + Shellwords.escape(apps_password))

enc_wls_pass = getNewWeblogicPassword("#{node['chef_environment']}")
wls_password = `echo '#{enc_wls_pass}'| base64 -d`.strip
password_array.push(Shellwords.escape('wls_password') + "=" + Shellwords.escape(wls_password))

enc_sys_pass = getDbcsSysDBAPwd("#{node['chef_environment']}")
sys_password = `echo '#{enc_sys_pass}'| base64 -d`.strip
password_array.push(Shellwords.escape('sys_password') + "=" + Shellwords.escape(sys_password))

#HACK END
# Download the task zip file, unzip and copy the script
setSubTaskStartedInConvergence("#{currentTask}")
....

Then, you need to load this modified script as follows:

knife cookbook upload -a -V -o /u01/install/APPS/apps-unlimited-ebs/resources/chef-repo/cookbooks

This will pass the 4 seeded parameter of APPS, SYS, EBS_SYSTEM and WebLogic to your custom extensibility scripts.

Accessing the new parameters

You can then use those parameters in your custom tasks/scripts. See https://docs.oracle.com/cd/E26401_01/doc.122/f35809/T679330T681843.htm#cmg_extfwk_crwrapper for the general documentation on this. I modified that sample script and replaced the getSensitiveParameters function as follows:

function getSensitiveParameters(){
while read key_password;
do
user_key=`{ echo "$key_password"; } | awk -F '=' '{print $1}'`;

# In task-definition - parameter names are "appsPassword" and "systemPassword"

if [[ "${user_key}" == "apps_password" ]]; then
newAppsPassword=`{ echo "$key_password"; } | awk -F '=' '{print $2}'`
elif [[ "${user_key}" == "ebs_system_password" ]]; then
newEbsSystemPassword=`{ echo "$key_password"; } | awk -F '=' '{print $2}'`
elif [[ "${user_key}" == "wls_password" ]]; then
newWeblogicPassword=`{ echo "$key_password"; } | awk -F '=' '{print $2}'`
elif [[ "${user_key}" == "sys_password" ]]; then
newSysPassword=`{ echo "$key_password"; } | awk -F '=' '{print $2}'`
else
echo "Incorrect arguments password for Sensitive Parameters"
exitWithUsage
fi
done
}

Summary

The above procedure allows to access the seeded password parameters from your custom scripts. I've created an enhancement request to add this modification to the next release of Cloud Manager.