Patching E-Business Suite with more comfort - Part 1 Password Passing

14. August 2024

Johannes Michler PROMATIS Horus Oracle


Executive Vice President – Head of Platforms & Development

Every quarter Oracle releases a bunch of Critical Patch Updates that have to be applied to (often many) E-Business Suite instances. While the patch application is highly automated through the adop utility, there are two (little) things that always annoyed me when patching:

  • You have to provide the apps, ebs_system and weblogic password on every adop command
  • You have to re-check your terminal connection to check if a certain step completed

This first part of this blog post series will cover how we can easily pass the passwords to adop; in the second part I will show how notifications can be brought to your attention quickly once the patching is completed.

Setting passwords to environment variables

First of all (regarding security): I assume that whoever is able to access the E-Business Suite apps tier does usually know the apps, weblogic and ebs_system password. Who made it that fare can do more harm anyway. But keep in mind: if you really permanently store that credsEnv.sh on your server that file will also be in backups or P2T copies. So you might want to set them only temporarily or go for the OCI Vault approach described further down!

I've created a small script credsEnv.sh as follows:

[oracle@prod122app01 ~]$ cat credsEnv.sh
export XX_APPS_PWD=apps
export XX_WEBLOGIC_PWD=Welcome1
export XX_EBS_SYSTEM_PWD=manager

Hopefully in the real world you have more fancy passwords, even though those passwords are not unseen 🙁

I'm using that script for fancy stop/start scripts that I'll describe in another blog post as well.

Of course you could also outsource storing of the passwords from this file to OCI Vault service (and secrets) that are described over there: https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/managingsecrets_topic-To_create_a_new_secret.htm#createnewsecret

Then you could replace the above mentioned with something like:

export XX_APPS_PWD=$(oci secrets secret-bundle get --secret-id ocid1.vaultsecret.oc1.eu-frankfurt-1.12345 --query "data.\"secret-bundle-content\".content" --raw-output | base64 -d)

(where ocid1.vaultsecret.oc1.eu-frankfurt-1.12345 is the OCID of the secret storing the apps password)

Creating a custom myadop.sh script

Based on this I created a custom myadop.sh script as follows:

[oracle@prod122app01 ~]$ cat /home/oracle/myadop.sh
source /home/oracle/credsEnv.sh
{ echo ${XX_APPS_PWD};echo ${XX_EBS_SYSTEM_PWD};echo ${XX_WEBLOGIC_PWD} ; } | adop "$@"

Using this simple command I'm then able to run something like:

 ./myadop.sh phase=apply patches=36117775,36117775_D:u36117775.drv

This will result in something like:


Call to custom adop wrapper

Summary

While the procedure shown above is not "officially certified/documented" I made got experience with those commands; I'll also leverate them for "better" start/stop scripts for E-Business Suite that I'll show in a related blog post soon to be published.