Every quarter Oracle releases a bunch of Critical Patch Updates that have to be applied to (often many) E-Business Suite instances. While the patch application is highly automated through the adop utility, there are two (little) things that always annoyed me when patching:
- You have to provide the apps, ebs_system and weblogic password on every adop command
- You have to re-check your terminal connection to check if a certain step completed
This first part of this blog post series will cover how we can easily pass the passwords to adop; in the second part I will show how notifications can be brought to your attention quickly once the patching is completed.
Setting passwords to environment variables
First of all (regarding security): I assume that whoever is able to access the E-Business Suite apps tier does usually know the apps, weblogic and ebs_system password. Who made it that fare can do more harm anyway. But keep in mind: if you really permanently store that credsEnv.sh on your server that file will also be in backups or P2T copies. So you might want to set them only temporarily or go for the OCI Vault approach described further down!
I've created a small script credsEnv.sh as follows:
[oracle@prod122app01 ~]$ cat credsEnv.sh export XX_APPS_PWD=apps export XX_WEBLOGIC_PWD=Welcome1 export XX_EBS_SYSTEM_PWD=manager
Hopefully in the real world you have more fancy passwords, even though those passwords are not unseen 🙁
I'm using that script for fancy stop/start scripts that I'll describe in another blog post as well.
Of course you could also outsource storing of the passwords from this file to OCI Vault service (and secrets) that are described over there: https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/managingsecrets_topic-To_create_a_new_secret.htm#createnewsecret
Then you could replace the above mentioned with something like:
export XX_APPS_PWD=$(oci secrets secret-bundle get --secret-id ocid1.vaultsecret.oc1.eu-frankfurt-1.12345 --query "data.\"secret-bundle-content\".content" --raw-output | base64 -d)
(where ocid1.vaultsecret.oc1.eu-frankfurt-1.12345 is the OCID of the secret storing the apps password)
Creating a custom myadop.sh script
Based on this I created a custom myadop.sh script as follows:
[oracle@prod122app01 ~]$ cat /home/oracle/myadop.sh source /home/oracle/credsEnv.sh { echo ${XX_APPS_PWD};echo ${XX_EBS_SYSTEM_PWD};echo ${XX_WEBLOGIC_PWD} ; } | adop "$@"
Using this simple command I'm then able to run something like:
./myadop.sh phase=apply patches=36117775,36117775_D:u36117775.drv
This will result in something like:
Call to custom adop wrapper
Summary
While the procedure shown above is not "officially certified/documented" I made got experience with those commands; I'll also leverate them for "better" start/stop scripts for E-Business Suite that I'll show in a related blog post soon to be published.