Oracle Application Express – Installtion Guide

This article provides instructions for installing and configuring the Oracle Application Express (formerly HTML DB) software release 2.2. Please note that these instructions cover the standalone version only.

Installing Oracle Application Express is a two step process:

  1. Configure an Oracle HTTP Server (Release 9.0.3 or higher) with mod_plsql which is used to connect to the Oracle database where the Oracle Application Express objects will be installed. It is also possible to use Oracle 9i Application Server release 1 ( or higher.
  2. Install the database objects that make up Oracle Application Express to a pre-existing Oracle database (Oracle9i Release 2 ( or later).

Important Note: When installing Oracle Application Express, you will be required to install the Oracle HTTP Server which can be found on the Oracle10g Release 2 Companion CD. Although not a requirement, I will be installing the Oracle HTTP Server to the same machine which already includes an installation of the Oracle Database software.

The Oracle HTTP Server cannot be installed into an existing Oracle Home. It must be installed into a new Oracle Home!

Prerequisites for the Installation:

This section describes the requirements for installing Oracle Application Express, Release 2.2.

Browser Requirements

To view or develop Oracle Application Express applications, Web browsers must support Java Script and the HTML 4.0 and CSS 1.0 standards. The following browsers meet this requirement:

  • Microsoft Internet Explorer 6.0 or higher (Windows only)
  • Netscape Communicator 7.2 or higher
  • Mozilla 1.2 or higher
  • Firefox 1.0 or higher

Operating System Requirements

From what I have read and tested, Oracle Application Express can be installed on the following Operating System platforms:

Linux – Red Hat Enterprise version AS/ES 2.1 or higher; or SUSE Enterprise Server version SLES-8 or higher.

  • Solaris 9 or higher.
  • Windows 2000 Professions or higher (with service pack 3 or higher)
  • Windows XP Professional
  • Windows 2003 (32-bit systems)

Disk Space Requirements

Verify that the file system that contains the Oracle home directory contains at least 460MB of free disk space for the installation. Also during the installation process, about 110MB of temporary disk space will be required.

Database Requirements

For installing Application Express we need to have a database created before. Same database will be used for creating the objects required for Oracle Application Express.

The installation of Oracle Application Express requires certain objects to be created in an Oracle database. With Oracle Application Express 2.2, the database is required to be Oracle9i Release 2 ( or later. All of the Oracle Application Express database objects should be created in a separate tablespace which we will create later on in this article.

Shared Pool Size Requirements

Oracle Application Express requires the shared_pool_size of the target database to be at least 100 MB.

Determine the current value of the shared_pool_size parameter:

SQL> show parameter shared_pool_size


The initialization parameter JOB_QUEUE_PROCESSES for the Oracle database determines the maximum number of concurrently running jobs. Starting with Oracle Application Express Release 2.0, transactional support and SQL scripts require jobs. If JOB_QUEUE_PROCESSES is not enabled and working properly, you cannot successfully execute a script.

You can view the number of JOB_QUEUE_PROCESSES from SQL*Plus by running the following SQL statement:

SQL> SELECT VALUE FROM v$parameter WHERE NAME = ‘job_queue_processes’;

If you need to modify the JOB_QUEUE_PROCESSES initialization parameter, log into the database as SYSDBA using SQL*Plus and run the ALTER SYSTEM … statement. For example, to set the number of JOB_QUEUE_PROCESSES to 20, use:


Installing Oracle HTTP Server

When installing Oracle Application Express, you will be required to install the Oracle HTTP Server which can be found on the Oracle10g Release 2 Companion CD. Although not a requirement, I will be installing the Oracle HTTP Server to the same machine which already includes an installation of the Oracle Database.

Important Note: The Oracle HTTP Server cannot be installed into an existing Oracle Home. If another Oracle product is installed on the same server, you will need to create a new Oracle home name and location for the Oracle HTTP Server

This section assumes you have access to and will be installing the Oracle HTTP Server from the Oracle10g Release 2 Companion CD. Note that with a few minor modifications, you can also install an earlier version of the Oracle HTTP Server from the Oracle10g Release 1 Companion CD.

You can perform the install from the CD or download it from Oracle Technology Network (OTN)

After downloading and unzipping the Oracle10g Release 2 Companion CD software to a temporary directory, follow the instructions below to install the Oracle HTTP Server:

Step 1) Start the Oracle Universal Installer from the Oracle10g Release 2 Companion CD

./runInstaller -invPtrLoc /u01/app/orsbox/OHS/oraInst.Loc

On Select a product to Install Select Oracle Database 10g Companion Products

On Specify Home Details Select Different Oracle Home path and name (other then ORACLE_HOME for database)


On Available Product Components screen select ‘Apache Standalone’ product only


Pre-Requisite check will run. Check if you get any error here. If there is some error then correct the same and repeat the above steps again.


Check the summary screen and press in ‘Install‘ button


Installer will show you the progress for installation


Configuration Assistant will configure Apache HTTP server and OC4J component.


End of installation. Press Exit and come out of the wizard.

Test the Oracle HTTP Server Installation

After the installation of the Oracle HTTP Server is complete, you should test it. Point your browser to the URL that was displayed on the “End of Installation” screen by the Oracle Universal Installer. For me, the URL was

Starting / Stopping / Restarting Oracle HTTP Server:

Start All: $ORACLE_HOME/opmn/bin/opmnctl startall
Stop All : $ORACLE_HOME/opmn/bin/opmnctl stopall
Start HTTP Process: $ORACLE_HOME/opmn/bin/opmnctl startproc ias-component=HTTP_Server
Stop HTTP Process : $ORACLE_HOME/opmn/bin/opmnctl stopproc ias-component=HTTP_Server
Restart HTTP Process: $ORACLE_HOME/opmn/bin/opmnctl restartproc ias-component=HTTP_Server

Installing Oracle Application Express:

Download Oracle Application Express 2.2

APEX 2.2 can be downloaded from official OTN site

Oracle Application Express was previously known as HTML DB. With the release of 2.0, Oracle officially changed the name from HTML DB to Oracle Application Express (APEX) on January 30, 2006.

Important Note: Note that the version of HTML DB shipped on the Oracle10g Release 2 Companion CD is version 1.6. With Oracle10g Release 1, the version of HTML DB is 1.5.

After downloading the file from OTN, unzip the same.

You need to create a new tablespace for APEX application.

Create Tablespace for Oracle Application Express Database Objects:


Tablespace created.

Create Oracle Application Express Database Objects:

After the new tablespace has been created, the next step is to create all required database objects for Oracle Application Express. These database objects are all created by running a single SQL script that can be found in the Oracle Application Express software distribution downloaded earlier in this section. The SQL script to run is named apexins.sql and can be found in the apex directory created when unzipping the software distribution. For the purpose of this example, I ran the script as follows (note that this install script can take quite awhile to complete):

Change the directory to APEX directory you have unziped

[orsbox@ocvmrh2124 conf]$ cd apex

Connect to database as sysdba and run following command

@apexins welcome htmldb htmldb temp /i/ orcl

Below is the brief explanation for this command.

Parameters to APEX Database Object Creation SQL Script
welcome The password for the Oracle APEX administrator account, the APEX schema owner (FLOWS_020200), the APEX files schema owner (FLOWS_FILES), and the APEX public user schema (APEX_PUBLIC_USER). The APEX schema owner is the user or schema into which Oracle Application Express database objects will be installed. The APEX files schema owner is the user or schema where uploaded files are maintained in Oracle Application Express.
htmldb Name of the default tablespace for the APEX schema owner – (FLOWS_020200).
htmldb Name of the default tablespace for the APEX files schema owner – (FLOWS_FILES). Note that Oracle Application Express creates a table namedFLOWS_FILES.WWV_FLOW_FILE_OBJECTS$ in this tablespace used to store any uploaded files. Although this could have been a separate tablespace, it is just as easy having the all objects in a single tablespace.
temp Name of the temporary tablespace to be used for all schemas created by the Oracle Application Express install process.
/i/ Virtual directory that is used for images rendered by Oracle Application Express. To support future Oracle HTML DB upgrades, define the virtual image directory as/i/.
orcl Name of the Oracle Net connect string to the database where Oracle Application Express database objects are to be installed. If this is a local install, you can usenone or NONE.

During the Oracle Application Express install process, three schemas will be created. A description of each of these schemas is provided in the following table:

Oracle Application Express Database Schema Accounts
FLOWS_020200 This is basically the schema owner of all objects (tables, views, packages, functions, etc.) used by Oracle Application Express. The only exception is the table installed in the FLOWS_FILES schema (FLOWS_FILES.WWV_FLOW_FILE_OBJECTS$) for storing uploaded files. Note that this account is locked at the end of the installation and cannot be used unless it is first unlocked.
FLOWS_FILES This schema is used to store uploaded files to Oracle Application Express. These can include scripts, documents, cascading style sheets, etc. Note that this account is locked at the end of the installation and cannot be used unless it is first unlocked.
APEX_PUBLIC_USER This schema is used by Oracle Application Express to login to the database and has access to database objects in the above two schemas for all application functionality.

Recompiling Invalid PL/SQL Packages:

After installing the Oracle Application Express database objects, it is recommended (however not required) to recompile all invalid PL/SQL packages now instead of when the packages are accessed for the first time.

Run the utlrp.sql script from the Oracle Database home:

SQL> @?/rdbms/admin/utlrp.sql

Install Oracle Application Express Database Images:

After successfully creating all of the required Oracle Application Express database objects, the next step is to copy the necessary images, templates, cascading style sheets, themes, java scripts, (and several other file types) into the directory tree of the Oracle HTTP Server. The Oracle HTTP Server was installed earlier in this article and is located at:

$ORACLE_HOME = /u01/app/orsbox/OHS

The images and other file types to copy can be found in the Oracle Application Express software distribution downloaded earlier under the …/apex/images directory.

The files will need to be copied to the $ORACLE_HOME/Apache/Apache/images directory as illustrated in the following examples:

[orsbox@ocvmrh2124 orsbox]$ cd apex
[orsbox@ocvmrh2124 orsbox]$ cp -R images $ORACLE_HOME/Apache/Apache

Configure Database Access Descriptor:

Now that the Oracle Application Express images are in place, the next step is to configure the Oracle Database Access Descriptor (DAD) file. The configuration file is named dads.conf and should be located in the $ORACLE_HOME/Apache/modplsql/conf directory. The DAD is used by the Oracle HTTP Server and mod_plsql extension module to connect to the Oracle database.

Change the below text according to your setup and copy the below text to dads.conf

Parameters to be changed in below text are

Alias -> This is the alias for images directory under Apache Home
PlsqlDatabasePassword -> This is the password for APEX user, you can set any password here, which will be used further
PlsqlDatabaseConnectString -> This is the connect string for your database. This is of the form HOST.DOMAIN:PORT:DB_NAME

=============================================================== Alias /i/ “/u01/app/orsbox/OHS/Apache/Apache/images/”
AddType text/xml xbl
AddType text/x-component htc

<Location /pls/apex>
SetHandler pls_handler
Order deny,allow
Allow from all
AllowOverride None
PlsqlDatabaseUsername APEX_PUBLIC_USER
PlsqlDatabasePassword welcome
PlsqlAuthenticationMode Basic
PlsqlDefaultPage apex
PlsqlDocumentTablename wwv_flow_file_objects$
PlsqlDocumentPath docs
PlsqlDocumentProcedure wwv_flow_file_mgr.process_download

For a complete description of each of the parameters used in the dads.conf configuration file, read through the file dads.README located in the same directory. The following table provides a brief description of the key parameters:

Oracle DAD Configuration Parameters and Description
Alias This is set to the virtual directory you specified when running theapexins.sql file to create the Oracle Application Express database objects. This value must match the value you specified which is recommended to be /i/. The virtual directory should refer to the location where you copied the Oracle Application Express images to in the Oracle HTTP Server directory tree.
<Location /pls/apex> This is the name of the virtual path that will be used to access application in Oracle Application Express. For example,http://linux3:7777/pls/apex/f?p=100.
PlsqlDatabaseUsername This is the database username that will be used by the mod_plsqlextension module to connect to Oracle database. The database username should be APEX_PUBLIC_USER – the schema created by theapexins.sql script. All connections coming from an Oracle Application Express application, regardless of their login id and password, will be connected to the database with this username. This even includes applications that use a different parsing schema! Consider an application that uses a parsing schema of DEV_WS. The session user will be APEX_PUBLIC_USER but the Current User will be set to DEV_WS

    sys_context('USERENV','SESSION_USER') "Session User"
  , sys_context('USERENV','CURRENT_USER') "Current User"
FROM dual;

Session User      Current User
----------------- ------------
PlsqlDatabasePassword This must match the password you provided during the creation of the Oracle Application Express database objects (@apexins.sql). This is the password used by the PlsqlDatabaseUsername (above) to connect to the Oracle database.
PlsqlDatabaseConnectString The connection URL string used to connect to the Oracle database in the format server.domain:port:sid. If the database is located on the same server, you can use localhost.

Obfuscate the PlsqlDatabasePassword Parameter:

Notice that when we configured the dads.conf file, we put in the plain text password for the Oracle database user. Exposing plain text passwords is never good security practice, especially for this sensitive database account. Fortunately, Oracle provides an obfuscation utility that targets and encrypts the PlsqlDatabasePassword entry in the dads.conf file. This utility is named and can be found in the $ORACLE_HOME/Apache/modplsql/conf directory.

Run the utility as follows:

[orsbox@ocvmrh2124 orsbox]$ export ORACLE_HOME=/u01/app/orsbox/OHS
[orsbox@ocvmrh2124 orsbox]$ echo $LD_LIBRARY_PATH

[orsbox@ocvmrh2124 orsbox]$ PATH=$ORACLE_HOME/Apache/modplsql/conf:$PATH;export PATH
[orsbox@ocvmrh2124 orsbox]$ PATH=$ORACLE_HOME/perl/bin:$PATH:.;export PATH
[orsbox@ocvmrh2124 orsbox]$ LD_LIBRARY_PATH=$ORACLE_HOME/lib;export LD_LIBRARY_PATH
[orsbox@ocvmrh2124 orsbox]$ PERL5LIB=$ORACLE_HOME/perl/lib:.;export PERL5LIB
[orsbox@ocvmrh2124 orsbox]$ cd $ORACLE_HOME/Apache/modplsql/conf
[orsbox@ocvmrh2124 conf]$ perl -o

Backed up older dads.conf as /u01/app/orsbox/OHS/Apache/modplsql/conf/dads.conf.orig.2007-07-13_09-04

All passwords successfully obfuscated. New obfuscations : 1
[orsbox@ocvmrh2124 conf]$

Restart the Oracle HTTP Server:

[orsbox@ocvmrh2124 conf]$ $ORACLE_HOME/opmn/bin/opmnctl restartproc ias-component=HTTP_Server
opmnctl: restarting opmn managed processes…

Now you can access your APEX URL:



Oracle – Stellent

Oracle – Stellent

Oracle announced that it has agreed to acquire Stellent, Inc. (NASDAQ: STEL), a global provider of enterprise content management (ECM) software solutions, through a cash tender offer for $13.50 per share, or approximately $440 million. On December 14, 2006, Oracle completed its acquisition of Stellent Inc., a global provider of enterprise content management (ECM) software solutions.

The combination of Oracle and Stellent offers customers secure, reliable, and highly scalable content management solutions that meet the day-to-day needs of all users across the enterprise, while also delivering sophisticated ECM capabilities to professional users.

More details about the same in press release

Oracle Enterprise Content Management:

Oracle Enterprise Content Management is the industry’s most unified enterprise content management platform that enables you to leverage industry-leading document management, Web content management, digital asset management, and records management functionality to build your business applications. Building a strategic enterprise content management infrastructure for content and applications helps you to reduce costs, easily share content across the enterprise, minimize risk, automate expensive, time-intensive and manual processes, and consolidate multiple Web sites onto a single platform.

Here we will see the installation and use of Oracle Universal Content Management.


UCM (Universal Content Management) uses any of the existing database like Oracle, IBM DB2, Sybase, SQL Server etc and creates repository for document management.
Also UCM needs apache installtion version 2.0 or more.

Pre-Installation Steps:

Before starting the installation, make sure to create a new tablespace in your database for conctent management. Also create a new user for content management. This will be the user used by tool for entry into the database.

SQL> create tablespace cs_tbs datafile ‘/u01/app/oracle/product/oradata/cs_tbs01.dbf’ size 500M extent management local
2  segment space management auto;

Tablespace created.

SQL> create user csuser identified by welcome
2  default tablespace cs_tbs
3  temporary tablespace temp
4  quota unlimited on cs_tbs account unlock;

User created.

Installating Apache (version 2.0 or more):

You need to have Apache http server installed for accessing this product. The version for Apache should be 2.0 or more. You can install apache by following this URL.

Universal Content Management Installation:

[oracle@ocvmrh2023 linux]$ ./

Please select your locale from the list.
*1. English-US
2. English-UK

Throughout the install, when entering a text value, you can press Enter to accept the default that appears between square brackets ([]). When selecting from a list, you can select the choice followed by an asterisk by pressing Enter.

Select installation type from the list.
*1. Install new server
2. Update a server

Content Server Installation Directory

Please enter the full pathname to the installation directory.
Content Server Core Folder [/stellent/server]:

Create Directory
*1. yes
2. no

Java virtual machine
*1. Sun Java 1.5.0_11 JDK
2. Specify a custom Java virtual machine
Installing with Java version 1.5.0_11.

Enter the location of the native file repository. This directory contains the native files checked in by contributors.
Content Server Native Vault Folder [/u01/app/oracle/product/UCM/stellent/server/vault/]:

Create Directory
*1. yes
2. no

Enter the location of the web-viewable file repository. This directory contains files that can be accessed through the web
Content Server Weblayout Folder [/u01/app/oracle/product/UCM/stellent/server/weblayout/]:

Create Directory
*1. yes
2. no

This server can be configured to manage its own authentication or to allow another master to act as an authentication proxy.
Configure this server as a master or proxied server.
*1. Configure as a master server.
2. Configure as server proxied by a local master server.

During installation, an admin server can be installed and configured to manage this server. If there is already an admin server
on this system, you can have the installer configure it to administrate this server instead.
Select admin server configuration.
*1. Install an admin server to manage this server.
2. Configure an existing admin server to manage this server.
3. Don’t configure an admin server.

Enter the location of an executable to start your web browser. This browser will be used to display the online help.
Web Browser Path [/usr/bin/mozilla]:

Content Server locale
*1. English-US
2. English-UK

Please select the region for your timezone from the list.
*1. Use the timezone setting for your operating system
2. Pacific
3. America
4. Atlantic
5. Europe
6. Africa
7. Asia
8. Indian
9. Australia

If you are working with multilingual content, you may want to set the file encoding for the content server to UTF-8. If not set
to UTF-8, the server will use the native encoding of your operating system.
Use UTF-8 file encoding
1. yes
*2. no

Please enter the port number that will be used to connect to the Content Server. This port must be otherwise unused.
Content Server Port [4444]:

Please enter the port number that will be used to connect to the Admin Server. This port must be otherwise unused.
Admin Server Port [4440]:

Enter a security filter for the Content Server port. Hosts which are allowed to communicate directly with the Content Server
port may access any Content Server managed resource. Insure that hosts which need access are included in the filter. See the
installation guide for more details.
Incoming connection address filter []:|

*** Content Server URL Prefix

The URL prefix specified here is used when generating HTML pages that refer to the contents of the weblayout directory within
the installation. This prefix must be mapped in the web server Additional Document Directories section of the Content Management
administration menu to the physical location of the weblayout directory.

For example, “/stellent/” would be used in your installation to refer to the URL which
would be mapped in the web server to the physical location /stellent/server/weblayout.
Web Server Relative Root [/idc/]:

Enter the name of the local mail server. The Content Server will contact this system to deliver email.
Company Mail Server [mail]:

Enter the e-mail address for the system administrator.
Administrator E-Mail Address [sysadmin@mail]:

*** Web Server Address

Many generated HTML pages refer to the web server you are using. The address specified here will be used when generating those
pages. The address should include the host and domain name in most cases. If your webserver is running on a port other than 80,
append a colon and the port number.

Web Server HTTP Address [ocvmrh2023]:

Enter the name for this instance. This name should be unique across your entire enterprise. It may not contain characters other
than letters, numbers, and underscores.
Content Server Instance Name [idc]:

Enter a short label for this instance. This label is used on web pages to identify this instance. It should be less than 12
characters long.
Content Server Instance Label [idc]:

Enter a long description for this instance.
Content Server Description [Content Server idc]:

Web Server
*1. Apache
2. Sun ONE
3. Configure manually

Please select a database from the list below to use with the Content Server.
Content Server Database
*1. Oracle
2. Microsoft SQL Server 2005
3. Microsoft SQL Server 2000
4. Sybase
5. DB2
6. Custom JDBC settings
7. Skip database configuration

Manually configure JDBC settings for this database
1. yes
*2. no

Manually configure JDBC settings for this database
1. yes
*2. no
Choice? n

Oracle Server Hostname [localhost]:ocvmrh2023

Oracle Listener Port Number [1521]:

*** Database User ID

The user name is used to log into the database used by the content server.
Oracle User [user]:csuser

*** Database Password

The password is used to log into the database used by the content server.
Oracle Password []:

Oracle Instance Name [ORACLE]:orcl

Configure the JVM to find the JDBC driver in a specific jar file
1. yes
*2. no

The installer can attempt to create the database tables or you can manually create them. If you choose to manually create the
tables, you should create them now.
Attempt to create database tables
1. yes
*2. no

The database you selected supports using Unicode (UCS-2) text fields instead of native encoded text fields. If you are working
with multilingual content, you may want to use Unicode text fields instead of native encoding text fields.
Use Unicode text fields
1. yes
*2. no

Select components to install.
1. CheckOutAndOpen: Checkout and Open component
*2. CheckSCSHealth: Content Server health checking support
*3. comptool: Command-line component installation tool
*4. ConfigMigrationUtility: Configuration packaging and installation utility
5. ExtranetLook: Extranet website support
6. FileStoreProvider: Alternate FileStoreProvider Implementation
7. LinkManager8: Hypertext link management support
8. OracleQueryOptimizer: Tool for configuring database query hints
*9. PopUpCalendar: Popup calendar for selecting dates
10. ProxyConnections8: Proxy connections plugin support
11. ThreadedDiscussions: Threaded discussion management
*12. CoreWebdav: Content Server Core WebDAV support
*13. WebUrlMapPlugin: Web URL mapping tool
*14. WsdlGenerator: WSDL generator tool
*15. YahooUserInterfaceLibrary: Yahoo User Interface components
16. DBSearchContainsOpSupport: Database Search ‘contains’ operator support.
Enter numbers separated by commas to toggle, 0 to unselect all, F to finish:

Checking configuration. . .

Configuration OK.

Review install settings. . .
Content Server Core Folder: /u01/app/oracle/product/UCM/stellent/server
Java virtual machine: Sun Java 1.5.0_11 JDK
Content Server Native Vault Folder: /u01/app/oracle/product/UCM/stellent/server/vault/
Content Server Weblayout Folder: /u01/app/oracle/product/UCM/stellent/server/weblayout/
Proxy authentication through another server: no
Install admin server: yes
Web Browser Path: /usr/bin/mozilla
Content Server locale: English-US
Content Server Port: 4444
Admin Server Port: 4440
Incoming connection address filter:|
Web Server Relative Root: /idc/
Company Mail Server: mail
Administrator E-Mail Address: sysadmin@mail
Web Server HTTP Address: ocvmrh2023
Content Server Instance Name: idc
Content Server Instance Label: idc
Content Server Description: Content Server idc
Web Server: Apache
Content Server Database: Oracle
Manually configure JDBC settings for this database: false
Oracle Server Hostname: ocvmrh2023
Oracle Listener Port Number: 1521
Oracle User: csuser
Oracle Password: zOM7/dPTbxKhdCRQzA4jSV9eBjlsXKu4A4fJY/StGPU=
Oracle Instance Name: orcl
Configure the JVM to find the JDBC driver in a specific jar file: false
Attempt to create database tables: yes
Use Unicode text fields: no


Proceed with install
*1. Proceed
2. Change configuration
3. Recheck the configuration
4. Abort installation
Finished install type Install at 7/26/07 8:20 AM.

Post Install Steps:

Carry out the following changes in Apache configuration file httpd.conf. Add following entry (after making the changes specific to your installation) at the end of file.

LoadModule IdcApacheAuth /u01/app/oracle/product/UCM/stellent/server/shared/os/linux/lib/
IdcUserDB idc “/u01/app/oracle/product/UCM/stellent/server/data/users/userdb.txt”

Also set the alias for weblayout directory present in install base. Add the below content (after making the changes specific to your installation) in the lines of “location” settings in configuration file.

Alias /idc “/u01/app/oracle/product/UCM/stellent/server/weblayout”
<Location /idc>
Order allow,deny
Allow from all
DirectoryIndex portal.htm
IdcSecurity idc

Login Access:

Enabling SSL in Oracle E-Business Suite Release 12


SSL stands for Secure Socket Layer which is protocol developed by Netscape. Data Transferred between Server & Client is secured (Encrypted).
Usually data transmitted between client machine & server (Web Server on http protocol & Forms Server on Sockets ) is clear text packets. Any one can put Packet Sniffer between Client machine & Server & can open & read all data transaction between your machine & Server (If he/she has network access) Hacker can get your Username/Password or any sensitive data. This become critical when you have Internet access to Oracle Applications 11i (Usually Self Service Implementation)

Communication between Client & Oracle Applications happens via three components.

  • Oracle Web Server (Initial Connection & all self service access is via Web Server/Apache). If your Form Server is in servlet Mode then Core Applications are also accessed via Web Server (oacore Component)
  • Oracle Form Server: For Core Oracle Application Access (Forms)
  • Database : You access web server which in turn talks to database Server via UTL_HTTP package via dad (/pls/$SID)

So You enable SSL on particular component depending on your requirement & component which is accessible over Internet & should be secured. You can Implement across all three component or only one or any two.


SSL is a technology that defines the essential functions of mutual authentication, data encryption, and data integrity for secure transactions. Exchange of data between the client and server in such secure transactions is said to use the Secure Sockets Layer (SSL).

SSL uses 2 types of Certificates:

1.  User certificates:

These are Certificates issued to servers or users to prove their identity in a public key/private key exchange.

2.  Trusted certificates:

These are Certificates representing entities that you trust – such as certificate authorities that sign the user certificates they issue.

How SSL works with Middle Tier Oracle HTTP Server:

  1. The client sends a request to the server using HTTPS connection mode.
  2. The server presents its certificate to the client. This certificate contains the server’s identifying information.
  3. The client checks its list of Trust points and compares the information in the certificate with the server’s public key. If it matches, the server is authenticated as a trusted server.
  4. The client sends the server a list of the encryption levels, or ciphers, that it can use.
  5. The server receives the list and selects the strongest level of encryption that they have in common.
  6. The client creates a session key which is used to encrypt the data and sends this session key to the server which can decrypt the data with its private key

How SSL works with Oracle Database Server:

  1. The UTL_HTTP package is used for making HTTP callouts from SQL and PL/SQL to a Web Node (Oracle HTTP server).
  2. When the package fetches data from a Web site using HTTPS, it specifies the location to the Oracle Wallet that resides on the database server. This wallet contains the certificate for the Certifying Authority (CA) who signed the Web node’s server certificate.


For converting the application into SSL we need to have a Digital certificate. A Certificate Authority is a trusted third party responsible for issuing, revoking, and renewing digital certificates. All digital certificates are signed with the Certificate Authority’s private key to ensure authenticity. The Certificate Authority’s Public Key is widely distributed.

A Certificate Signing Request (CSR) is a digital file, which contains your public key and your name. You send the CSR to a Certifying Authority (CA) to be converted into a real Certificate.

A digital certificate is an electronic document that binds an identity to a pair of electronic keys that can be used to encrypt and sign digital information. A trusted third party, called a Certification Authority (CA), issues certificates. The document is usually in a standard X509 format and contains three elements:

  1. Entity attributes (information about your organization)
  2. Public key (which is bound to your organization)
  3. Digital signature of the trusted CA private key

Verisign ( will allow your organization to apply for a free trial certificate, which will be valid for 2 weeks for testing purposes.

Private (Server) Key:

The private key file is a digital file that you generate and for use to decrypt messages sent to you. The certificate request (CSR) that you send to your Certificate Authority (CA) is derived from this private key. Therefore, the resulting digital certificate (containing your public key), which is issued by your CA, is bound to this private key.

We will now look into the actual procedure for enabling the application with SSL. Not that below explanation is based on metalink note ID376700.1.

Middle tier setup

To start with SSL setup we have to create a certification request through Oracle wallet manager.

Step 1) Create wallet on the apps side

  • Login to application tier with applmgr user ID and navigate to $INST_TOP/ora/10.1.3 directory and source .env file present at that location. This will make 10.1.3 (IAS_ORACLE_HOME) as your ORACLE_HOME.
  • Navigate to $INST_TOP/certs/Apache directory.
  • Backup Apache directory
  • Start Oracle wallet manager

bash-2.05$ owm &
[1] 16555

  • Navigate Wallet -> New
    Answer No to: “Your default wallet directory doesn’t exist. Do you wish to create it now?”
    Set the wallet manager password (example. Welcome)
  • Click Yes when prompted “A new empty wallet has been created. Do you wish to create a certificate request at this time”.

Following screen appears


Common Name           – Your hostname
Organization Unit       – Your department name
Organization                – Your company name
Location/City              – Your city name
State/Province            – Your state name
Country                     – Your country name

Press OK once you fill all information. Save wallet in $INST_TOP/certs/Apache folder with name (server_name).cer

Once saved, it will ask, “A wallet already exist, you want to override”. You can say yes.
Click on certificate Request in the list provided on left side of Oracle wallet manager window and you can see your request contents on right side as seen in below screen.


  • Wallet -> Autologin (Enable)
  • Wallet -> Save

Once you get the request content, you have to get the certificates from certifying Authority like verisign. Currently the certificate request that you created is your .cer file. Using this file you can get the actual certificate file, which will be .crt file. Along with that file you will also get your private key file (.key). So after getting certificate you will have 3 files with you

  1. Certificate request file (.cer)
  2. Actual certificate file (.crt)
  3. Private Key file (.key)

Once you get the certificate, you have to generate CA certification file. Since for any SSL certificate we need to have CA(Certifying Authority) file. Some of the certifying authority companies also provide CA files. But here we will see how to generate CA file from certificate file (.crt).

Step 2) Creating your certifying authority’s certificate

  • Copy/ftp (binary mode) .crt to the your PC desktop
  • Double-click the file and go to Certification Path tab
  • Double click on VeriSign/RSA Secure Server CA
  • Go to Details tab and press Copy to File…
  • Press Next and select “Base-64 encoded X.509(.CER)” and press next
  • Give the name as ca
  • Press Finish

A new ca.cer file will be present in your local PC. FTP back ca.cer file to your UNIX host.

Step 3) Converting the existing cert files

  • Source the .env file again present at location $INST_TOP/ora/10.1.3
  • Change dir to $INST_TOP/certs/Apache
  • Copy .crt, ca.crt, servername.key to the current dir.
  • Execute the following command:
    $ORACLE_HOME/Apache/Apache/bin/ssl2ossl -cert ./.crt -key ./.key -cafile ./ca.cer -wallet . -ssowallet yes

Step 4) Appstier setup
Edit the context xml file in $APPL_TOP/admin, change the SSL related variables to SSL values

SSL Related Variables in the Context File

Variable Non-SSL Value SSL Value
s_url_protocol http https
s_local_url_protocol http https
s_webentryurlprotocol http https
s_active_webport same as s_webport same as s_webssl_port
s_webssl_port not applicable default is 4443
s_https_listen_parameter not applicable same as s_webssl_port
s_help_web_agent url constructed with http protocol and s_webport for both non-SSL and SSL
s_login_page url constructed with http protocol and s_webport url constructed with https protocol and s_webssl_port
  • Execute autoconfig
  • Bounce the mid-tier services

Step 5) DB Tier Setup

Once you run autoconfig on Apps Tier, you need to do wallet setup on DB tier as well. Since R12 is autoconfig enabled, there will be a directory called appsutil in ORACLE_HOME on database side. Follow below steps to carry out the setup on database side.

  • Login to DB tier as oracle user
  • Change dir to $ORACLE_HOME/appsutil
  • Create a new dir with name as wallet
  • Start Oracle Wallet Manager (owm &)
  • Wallet -> New
  • Answer No to: “Your default wallet directory doesn’t exist. Do you wish to create it now?”
  • Click No when prompted “A new empty wallet has been created. Do you wish to create a certificate request at this time”
  • Save Wallet
  • Copy ca.crt from the appl_top to $ORACLE_HOME/appsutil/wallet
  • Navigate Operations-> Import Trusted Certificate
  • Navigate to ca.crt
  • Once import completed. Save wallet
  • Navigate wallet-> autologin (enable)
  • Save wallet

Step 6) Sanity check

  • New Appslogin url: https://(hostname):(port)/OA_HTML/AppsLogin
  • Notice the lock sign in the statusbar (bottom) of the browser. Click on the sign to verify the certificate
  • Sanity check all the components.
  • Login to db as sqlplus apps/(apps password)
  • select utl_http.request(‘https://(hostname):(port)’,null,’file:(path to ORACLE_HOME/appsutil/wallet)’, null) from dual;
  • It should display the first 2000 Chars of the html page.


Enabling OID/SSO for E-Business Suite R12

Following procedure shows registering Oracle E-Business suite R12 with OID and enabling SSO. This is based on metalink note ID 376811.1

There are three components that can be registered or de-registered in Release 12 with the SSO/OID registration utility. The utility automatically detects the registered components and performs registration for the un-registered components. So there is no need to pass individual registration arguments.

SSO-OID Registration can be done using a single command (Section 1.1). Even though it can be done in a single command it is divided into three parts.

  • Oracle Home Registration.
  • SSO Registration.
  • OID Registration.

Here we will see registering each component individually.

Also we need to have Oracle Application server 10g installed before proceeding for OID/SSO registration. Here are the list of component and supported version.


Oracle E-Business Suite R12
The following components must be used on the E-Business Suite instance:

Component Name
Oracle E-Business Suite Release 12
Oracle 10g Application Server
Oracle 10g Application Server
Oracle Developer 10g (includes Oracle Forms)
Oracle Application Server 10g Enterprise Edition

The following Oracle Application Server 10g Enterprise Edition components must be used on the standalone instance:

Component Name Release
Oracle Application Server 10g Enterprise Edition
Oracle Single Sign-On 10g
Oracle Internet Directory 10g
Oracle Portal 10g (optional) 10.1.4
Oracle Discoverer 10g (optional)

Before registering make sure to change the following profiles with the values give as below.

  • Applications SSO Type: SSWAw/SSO
  • Applications SSO Auto Link User: Enable
  • Applications SSO Login Types: Both
  • Application SSO LDAP Synchronization: Enable
  • Applications SSO Enable OID Identity Add Event: Enable
  • Link Applications user with OID user with same username: Enable

Once the profiles are set, go ahead with OID/SSO registration.

Registering with OID/SSO

Oracle Home Registration

bash-2.05$ $FND_TOP/bin/ \
> -script=SetSSOReg \
> -registerinstance=yes

You are registering ORACLE HOME only.

Enter the host name where Oracle iAS Infrastructure database is installed ?
Enter the LDAP Port on Oracle Internet Directory server ? 389
Enter SSL LDAP Port on Oracle Internet Directory server ? 636
Enter the Oracle Internet Directory Administrator (orcladmin) Bind password ? welcome1
Enter Oracle E-Business apps database user password ? apps


*** Log File = /dy/oracle/product/test12/inst/apps/test12_ap101fam/logs/appl/rgf/TXK/


Beginning input parameter validation for Oracle Home Instance registration.
Input parameter validation for Oracle Home Instance registration completed.

Oracle Home Instance preferences stored successfully.
Oracle Home Instance registered successfully.



End of /dy/oracle/product/test12/apps/apps_st/appl/fnd/12.0.0/patch/115/bin/ : No Errors encountered

SSO Registration

bash-2.05$ $FND_TOP/bin/ \
> -script=SetSSOReg \
> -registersso=yes

You are registering this instance with SSO Server.

Enter Oracle E-Business apps database user password ? apps


*** Log File = /dy/oracle/product/test12/inst/apps/test12_ap101fam/logs/appl/rgf/TXK/


Beginning input parameter validation for SSO registration.
Input parameter validation for SSO registration completed.

Beginning to register partner application.
Partner application has been registered successfully.
Configuration file uploaded successfully.
Single Sign-On partner application registered successfully.



End of /dy/oracle/product/test12/apps/apps_st/appl/fnd/12.0.0/patch/115/bin/ : No Errors encountered

OID Registration

bash-2.05$ $FND_TOP/bin/ \
> -script=SetSSOReg \
> -registeroid=yes

You are registering this instance with OID Server.

Enter LDAP Host name ?
Enter the LDAP Port on Oracle Internet Directory server ? 389
Enter the Oracle Internet Directory Administrator (orcladmin) Bind password ? welcome1
Enter the instance password that you would like to register this application instance with ? welcome1
Enter Oracle E-Business apps database user password ? apps


*** Log File = /dy/oracle/product/test12/inst/apps/test12_ap101fam/logs/appl/rgf/TXK/


Beginning input parameter validation for OID registration.
Input parameters validation for OID registration completed.


Beginning to register Application and Service containers if necessary.
Application and Service containers were created successfully if necessary.
Beginning to register application in Oracle Internet Directory.
Registration of application in Oracle Internet Directory completed successfully.
-> LOADING:  /dy/oracle/product/test12/apps/apps_st/appl/fnd/12.0.0/admin/template


Beginning to register provisioning profile in Oracle Internet Directory.
Registration of provisioning profile in Oracle Internet Directory completed successfully.
Application is now registered successfully with provisioning in Oracle Internet Directory.

End of /dy/oracle/product/test12/apps/apps_st/appl/fnd/12.0.0/patch/115/bin/ : No Errors encountered

Users are automatically synched up from local repository to OID repository. So when you create a user in local using AppsLocalLogin.jsp it will be automatically reflected in SSO.

Try to login to AppsLocalLogin.jsp and create a new user. Please note that if you dont give any numeric value in password then you may encounter following error.

Unable to call fnd_ldap_wrapper.create_user due to the following reason:
ORA-20001: Unable to call fnd_ldap_wrapper.create_user due to the following
An unexpected error occurred. Please contact your System Administrator

Example if you give your password as welcome, then you may get above error. For this, you need to give a numberic value in your password like welcome1. This behaviour is because while creating users in Apps (even via Forms) by logging via AppsLocalLogin.jsp, it will send the user to OID. In attempting to do so, it will check the OID’s password policies. According to the policies, a password should be alpha numeric.

De-Registrating OID/SSO

Deregister OID

bash-2.05$ $FND_TOP/bin/ \
> -script=SetSSOReg \
> -deregisteroid=yes

You are deregistering this instance from OID Server.


WARNING: You have selected to deregister individual components.
This might leave some components still at registered state
which might create inconsistencies at run time.
It is recommended that you use “-deregister=Yes” to completely deregister
the Oracle EBusiness instance from OID server
Individually deregister components using “-deregisteroid=Yes”,
“-deregistersso=Yes” and “-deregisterinstance=Yes”.

Enter Oracle E-Business apps database user password ? apps
Enter the Oracle Internet Directory Administrator (orcladmin) Bind password ? welcome1



*** Log File = /dy/oracle/product/test12/inst/apps/test12_ap101fam/logs/appl/rgf/TXK/


Beginning input parameter validation for OID de-registration.
Input parameters validation for OID de-registration completed.


Beginning to delete provisioning profile for this application.
Provisioning profile for this application has been deleted successfully.
Beginning to de-register this application from Oracle Internet Directory.
This application has been de-registered successfully from Oracle Internet Directory.
-> LOADING:  /dy/oracle/product/test12/apps/apps_st/appl/fnd/12.0.0/admin/template

Removing OID References Started.
Removing OID References Completed Successfully.

End of /dy/oracle/product/test12/apps/apps_st/appl/fnd/12.0.0/patch/115/bin/ : No Errors encountered

Deregister SSO

bash-2.05$ $FND_TOP/bin/ \
> -script=SetSSOReg \
> -deregistersso=yes

You are deregistering this instance from SSO Server.


WARNING: You have selected to deregister individual components.
This might leave some components still at registered state
which might create inconsistencies at run time.
It is recommended that you use “-deregister=Yes” to completely deregister
the Oracle EBusiness instance from OID server
Individually deregister components using “-deregisteroid=Yes”,
“-deregistersso=Yes” and “-deregisterinstance=Yes”.

Enter Oracle E-Business apps database user password ? apps



*** Log File = /dy/oracle/product/test12/inst/apps/test12_ap101fam/logs/appl/rgf/TXK/


Beginning input parameter validation for SSO de-registration.
Input parameters validation for SSO de-registration completed.

Partner application registered with SSO Server and will be de-registered.
Partner application has been de-registered successfully.
Configuration file deleted successfully.



End of /dy/oracle/product/test12/apps/apps_st/appl/fnd/12.0.0/patch/115/bin/ : No Errors encountered

Deregister Instance

bash-2.05$ $FND_TOP/bin/ \
> -script=SetSSOReg \
> -deregisterinstance=yes

You are deregistering ORACLE HOME only.


WARNING: You have selected to deregister individual components.
This might leave some components still at registered state
which might create inconsistencies at run time.
It is recommended that you use “-deregister=Yes” to completely deregister
the Oracle EBusiness instance from OID server
Individually deregister components using “-deregisteroid=Yes”,
“-deregistersso=Yes” and “-deregisterinstance=Yes”.

Enter the Oracle Internet Directory Administrator (orcladmin) Bind password ? welcome1
Enter Oracle E-Business apps database user password ? apps



*** Log File = /dy/oracle/product/test12/inst/apps/test12_ap101fam/logs/appl/rgf/TXK/


Beginning input parameter validation for Oracle Home Instance de-registration.
Input parameter validation for Oracle Home Instance de-registration completed.

Oracle Home Instance de-registered successfully from Infrastructure Host.
Oracle Home Instance preferences removed successfully



End of /dy/oracle/product/test12/apps/apps_st/appl/fnd/12.0.0/patch/115/bin/ : No Errors encountered

Once these 3 steps are done, bounce the application system middle tier, login to application and change the profile options back to original value. Following values should be made for the profile options.

  • Applications SSO Type: SSWAw/SSO
  • Applications SSO Auto Link User: Disable
  • Applications SSO Login Types: Local
  • Application SSO LDAP Synchronization: Disable
  • Applications SSO Enable OID Identity Add Event: Disable
  • Link Applications user with OID user with same username: Disable


Cloning Oracle AS10g

This post is about cloning an Oracle Application Server 10g R3. This was based on one of our requirement to clone AS10g instance. I have carried out those steps and sharing the same. Our instance was a simple J2EE & Webcache installation.

Release we used was oracle AS 10g R3 (

Cloning AS10g instance (only mid tier) consists of following simple steps

  1. Pre-Cloning
  2. Cloning
  3. Post-Cloning

Pre-Cloning Steps:

At the source, you run the script called This is a Perl script that prepares the source for cloning. It takes a snapshot of the information required for cloning.

During this phase, parses files in the source Oracle home to extract and store required values and backs up required files.

Then, you tar the Oracle home directories.

Example in our case:

-bash-3.00$ $ORACLE_HOME/perl/bin/perl ORACLE_HOME=$ORACLE_HOME
Can’t locate in @INC (@INC contains: /ade/smayer_perl58_main_linux/perl58/bin/Linux/Opt/lib/5.8.3/i686-linux-thread-multi /ade/smayer_perl58_main_linux/perl58/bin/Linux/Opt/lib/5.8.3 /ade/smayer_perl58_main_linux/perl58/bin/Linux/Opt/lib/site_perl/5.8.3/i686-linux-thread-multi /ade/smayer_perl58_main_linux/perl58/bin/Linux/Opt/lib/site_perl/5.8.3 /ade/smayer_perl58_main_linux/perl58/bin/Linux/Opt/lib/site_perl .) at line 59.
BEGIN failed–compilation aborted at line 59.

-bash-3.00$ export PERL5LIB=$ORACLE_HOME/perl/lib/5.8.3/i686-linux-thread-multi:$ORACLE_HOME/perl/lib/5.8.3:$ORACLE_HOME/perl/lib/site_perl/5.8.3/i686-linux-thread-multi/
-bash-3.00$ $ORACLE_HOME/perl/bin/perl ORACLE_HOME=$ORACLE_HOME

Clone log file location: /slot/ems2261/oracle/product/10.1.3/OracleAS_1/clone/logs/clone1219226546.log
Error log file location: /slot/ems2261/oracle/product/10.1.3/OracleAS_1/clone/logs/error1219226546.log
Wed Aug 20 03:02:26 2008  INFO: Starting with the Prepare Clone operation at the source
Wed Aug 20 03:02:26 2008  INFO: The temp directory being used is /tmp
Wed Aug 20 03:02:26 2008  INFO: The prepare clone operation completed successfully.

Once Pre-Cloning is done, you can tar the complete software installation file and ftp the same to target host.


Cloning step is to be done on target host. You can untar the tar file you created and FTPed to target host. Then you need run on target side.

On the target host, you might face a problem regarding the inventory. If /etc/oraInst.loc file is pointing to some inventory and you dont have permission to that inventory then it will throw the error.

-bash-3.00$ perl $ORACLE_HOME/clone/bin/ ORACLE_HOME=/slot/ems2599/oracle/product/10.1.3/OracleAS_1 -invPtrLoc $HOME/oraInst.loc ORACLE_HOME_NAME=ias_oracle_home -instance OAS -oc4jadmin_old_password dmtra123 -oc4jadmin_new_password dmtra123 -silent



Tue Aug 19 05:05:59 2008  INFO: backing up the dms.conf for instances.
Tue Aug 19 05:05:59 2008  INFO: backing up the httpd.conf for instances.
Tue Aug 19 05:05:59 2008  INFO: backing up the oracle_apache.conf for instances.
Tue Aug 19 05:05:59 2008  INFO: backing up the mod_oc4j.conf for instances.
Tue Aug 19 05:05:59 2008  INFO: backing up the ssl.conf for instances.
Tue Aug 19 05:05:59 2008  INFO: Done with the PreClone operation
You do not have sufficient permissions to access the inventory ‘/slot/ems2400/oracle/oraInventory’. Installation cannot continue. Make sure that you have read/write permissions to the inventory
directory and restart the installer.: Permission denied
Tue Aug 19 05:06:00 2008  INFO: Starting Oracle Universal Installer…

Tue Aug 19 05:06:00 2008  INFO: No pre-requisite checks found in oraparam.ini, no system pre-requ
Tue Aug 19 05:06:00 2008  ERROR: Error occured invoking OUI in the clone mode. Exiting with error
code 65280
Tue Aug 19 05:06:00 2008  ERROR: ………………..(START) Printing contents of file /tmp/silen
Tue Aug 19 05:06:00 2008  ERROR: ………………..(END) Printing contents of file /tmp/silentI

In this case you need to set the local inventory before stating the cloning. This can be done by editing the file present in ORACLE_HOME/clone/ias/config location.

In, you will find a line clone_command_line= -silent

Append -invptrloc <Local path for oraInst.loc>


clone_command_line= -silent -invptrloc /slot/ems2599/oracle/oraInst.loc

Once this is done, save the file and run the above clone command again.

perl $ORACLE_HOME/clone/bin/ ORACLE_HOME=/slot/ems2599/oracle/product/10.1.3/OracleAS_1 ORACLE_HOME_NAME=ias_oracle_home -instance dmntra4Pro -oc4jadmin_old_password dmtra123 -oc4jadmin_new_password dmtra123



Wed Aug 20 00:13:26 2008  INFO: Final Status:
Wed Aug 20 00:13:26 2008  INFO: ==============
Wed Aug 20 00:13:26 2008  INFO: The clone operation completed successfully.

This completes the clone for AS10g.


The postinstallation configuration assistants are not designed to be run again at clone time. Consequently, some of the instance-specific configuration files that should be updated by the configuration assistants are not updated at the end of the Oracle Universal Installer cloning session. Instead, Oracle has created a set of post-cloning scripts that update those files to bring the cloned home to a working state.

For more detail refer to Oracle Documentation on Post cloning steps

Hope this helps !!


Oracle Documentation

Tuning JVM in Oracle E-Business Suite


This post is based on an interesting article that I came across. I have provided the link to those articles in the reference section.

Also the main inspiration of this article are the performance issues that I am facing daily in my ST applications.

When we talk about JVM which are used for a wide variety of applications from small applets on desktops to web services on large servers. Each JVM will manage its memory using some or the other Garbage Collectors. In the J2SE platform version 1.4.2 there were four garbage collectors but there was no choice given to user to select one of them. In version 5 as well the choice was not given by intelligence was incorporated to select the correct GC based on the class of the machine on which the application is started.
Usually the choice of Garbage Collector (GC) does not matter as applications perform within there limits, but for some applications it does. For example large application that scales well to large number of threads, processors, sockets, and a large amount of memory. As with the past experience usaully smaller application has no problem with GC and works very smoothly even with “serial GC” however for large application this can become a major bottleneck. For a sufficiently large system it becomes well worthwhile to choose the right garbage collector and to tune it if necessary.

This post is based on the JVM present in Oracle E-Business suite R12. We will be talking about garbage collection in R12 and see an interesting tool which can make quick analysis about how GC is happening in our application.

Generational Collections:

An object is considered garbage when it can no longer be reached from any pointer in the running program. The most straightforward garbage collection algorithms simply iterate over every reachable object. Any objects left over are then considered garbage. The time this approach takes is proportional to the number of live objects, which is prohibitive for large applications maintaining lots of live data.
Beginning with the J2SE Platform version 1.2, the virtual machine incorporated a number of different garbage collection algorithms that are combined using generational collection. Lets understand what it is.

Past experience showed that objects are usually allocated for short span of time. The blue area in the diagram below is a typical distribution for the lifetimes of objects. The X axis is object lifetimes measured in bytes allocated. The byte count on the Y axis is the total bytes in objects with the corresponding lifetime. Sharp peak on the left represent that maximum number of live objects can be reclaimed within a short span of time after being allocated.

Some objects do live longer, and so the distribution stretches out to the the right. Some applications have very different looking distributions, but a surprisingly large number possess this general shape. Efficient collection is made possible by focusing on the fact that a majority of objects “die young”.

To optimize this scenario JVM divides the memory into different generations of we can say pools holding objects of different ages. Garbage collection occurs in each generation when the generation fills up. Initially objects are assigned to younger generation (of pool where young objects are placed) and once young generation fills up minor GC (Garbage Collection) will take place which will clean up the dead object (since by the time most of the short leaving objects will be dead). The left over objects which might be still alive are transferred to elder generation (called tenured generation). When tenured generation gets full, “FULL GC” will take place which is quite slow compared to minor GC as all the live objects will be checked.

Below figure shows different pools in memory. “Young Generation” consist of 3 sub generation one EDEN, and two survivor space. Objects are initially allocated in EDEN. One survivor space is empty at any time, and serves as a destination of the next, copying collection of any live objects in EDEN and the other survivor space. Objects are copied between survivor spaces in this way until they are old enough to be tenured, or copied to the tenured generation.

“Tenured Generation” is bigger then Young Generation.

The permanent generation holds data needed by the virtual machine to describe objects that do not have an equivalence at the Java language level. For example objects describing classes and methods are stored in the permanent generation.

JVM in Oracle E-Business Suite R12

Talking about Oracle E-Business Suite R12 we specify the minimum and maximum size of jvm memory to be used for different processes.
Example in CONTEXT_FILE of application we specify JVM for

  1. Forms process using – “forms_jvm_start_options” parameter
  2. OACore process using – “oacore_jvm_start_options” parameter
  3. OAFM process using – “oafm_jvm_start_options” parameter

Lets look at the various properties we specify for these parameter. Example for OACore

<oacore_jvm_start_options oa_var=”s_oacore_jvm_start_options”>-server -verbose:gc -Xmx1024M -Xms256M -XX:MaxPermSize=256M -XX:NewRatio=2  -XX:+PrintGCTimeStamps -XX:+UseTLAB -XX:+UseParallelGC  -XX:ParallelGCThreads=2$ORACLE_HOME/j2ee/oacore/config/java2.policy -Djava.awt.headless=true -Dhttp.webdir.enable=false</oacore_jvm_start_options>

-verbose:gc : This parameter is used to tell JVM to dump the log messages in oacore log file when ever garbage collection happens. The log file is located at $LOG_HOME/ora/10.1.3/opmn. We will refer/use this log file further down when I will demonstrate GCViewer tool.

-Xmx1024M : This is the maximum size of footprint of JVM

-Xms256M : This is the minimum size of footprint of JVM. So at the start “Young Generation” + “Tenure Generation” = -Xms value

-XX:MaxPermSize : This is the size of “Permanent Generation”

-XX:NewRatio : This is the ratio of “Tenure Generation”/”Young Generation”

-XX:+PrintGCTimeStamps : This parameter is going to print the time stamp when garbage collection is done.

In my case the log file path and location is $LOG_HOME/ora/10.1.3/opmn/default_group~oacore~default_group~1.log (This is the log file for oacore. Similarly there will be log file for forms and oafm in the same location).
The sample content of log file is as given below.

94562.018: [GC 670227K->595360K(892672K), 0.0221060 secs]
94617.600: [GC 672480K->617324K(799104K), 0.0307160 secs]
94648.483: [GC 694444K->623826K(872384K), 0.0405620 secs]
94706.754: [Full GC 756173K->264184K(790720K), 0.8990440 secs]
94718.575: [GC 458782K->424403K(737536K), 0.0471040 secs]
94740.380: [GC 501646K->436633K(793600K), 0.0656750 secs]
94817.197: [GC 512473K->441116K(795136K), 0.0749340 secs]

Here the first column 94562.018, 94617.600 shows the time in seconds when GC happened. Inside the square bracket it indicates whether its a minor GC or FULL GC. That is followed by some number 670227K->595360K. The number on left side of -> indicate original size of live objects before GC and number after -> indicate size of live objects after GC. Number in the bracket (892672K) indicates total size of live objects allocated. Number after comma indicates time it took to complete garbage collection. For example in the first rows it took 0.0221060 secs for completing GC.

Having known this much on information let me introduce you to a tool called GCViewer which is a java based tool and shows the content of this log file in the form of graph giving huge information which will help us tuning our application.

GC Viewer Tool

1) Download and installation :- You can download this tool from this location
While downloading and using in windows you can just download the bin file (no need to downlaod source file) –

unzip the file and you will get a folder consisting of a jar file. Double click on the jar file and an application will open as shown below.

2) Uploading the log file :- You can either ftp the oacore log file from $LOG_HOME/ora/10.1.3/opmn or you can give the URL for log file. For giving URL copy the log file to OA_HTML location as shown below.

-bash-3.00$ cp default_group~oacore~default_group~1.log $OA_HTML

In this case URL becomes – http://(hostname):(port)/OA_HTML/default_group~oacore~default_group~1.log
In my case it is

You can load this log file by giving URL to the tool as shown below and click on OK.

After loading the file the graph is shown below.

This is really not a good sign. In my case the FULL GC was happening at every second and thats why I have to go deep inside and think about tuning JVMs. The black portion that you see in the above fig are the FULL GC. You can see various matrix values and hide other matrix values using View button in the top menu. Black lines are most important for me as I want to avoid frequent FULL GC. Below fig shows continuous black lines every second indicating that FULL GC is happening.

View for FULL GC

Also another important things to look for are read and blue lines. The red line indicates the total heap size, the blue line shows how much of the heap is actually used.

If you observe carefully the blue line follows a saw-tooth pattern. This is because when new live objects are loaded the size of JVM increase steadily as shown by inclined lines and when minor collection happens the size reduces suddenly.

The green line shows time required for garbage collections (Shown below). Usually minor GC take less time and FULL GC takes more time.

Tuning Application

Finally after doing all this exercise we need to use this information for tuning our application. Based on the above observations we can make certain rules for tuning.

When ever a full GC happens the memory consumption (blue line) is reduced to more or less the same value as after the last full collection. This means that even though some objects were promoted to the older generation, most of them didn’t become very old either. Which means, that maybe they should not have been promoted to the older generation in the first place.

In that case it is beneficial to increase the size of “Younger Generation” to prevent the early promotion of medium-lived objects. The parameter -XX:NewRatio=<value> defines the ratio of “Tenure Generation”/”Young Generation”. So if we reduce this ration (lets say to 1) then in that case “Younger Generation” size will get increased and most of the live objects will stay and die in “Younger Generation” rather then shifting to Tenure Generation and dying. This will cause Tenure generation to get full after longer period and that will reduce FULL GC. So in case if there are huge number of FULL GC and heap size is getting reduced to more or less same level after FULL GC then you can consider reducing the value of -XX:NewRatio=<value> parameter in CONTEXT_FILE for oacore (we are concentrating more in oacore here). Disadvantage of this is that overall size of footprint will increase as Younger Generation size increased.

So initially it will start with 256M (as in my case) and then as the memory consumption increases it will gradually increase the size of JVM to accommodate more objects and it will increase the size until max upto -Xmx parameter value.

Usually it is recommended that we should allocate as much as memory as possible in the initial stage instead of waiting for JVM to increase it automatically. This will prevent application from suffering due to performance in the initial period of time.

Hope this helps !!!


Metalink Note ID : 342799.1
Tuning Garbage Collection with the 5.0 Java[tm] Virtual Machine
Java Performance Tuning using GC Viewer

Changing SMTP port in Oracle Collabsuite 10g

Some times we encounter a situation where we need to change the SMTP E-mail port after OCS (Oracle Collabsuite) is installed. For example, you have installed collabsuite 10g with SMTP port as 30 and after installation requirement comes to change SMTP port to 25. In such situation you can follow below steps to make the changes.

Also if you are changing the port to 25, make sure to stop sendmail process as it uses port 25.

You can stop sendmail process using following steps

  • login to OCS host as root user
  • run following command

/sbin/services sendmail stop

  • Login to OCS host and go to apps side.
  • Source the instance by setting ORACLE_HOME, ORACLE_SID etc.
  • go to $TNS_ADMIN and change ESSMI port from 30 to 25
  • Start oiadmin tool and navigate to following location

Entry Management -> OracleContext -> Services -> email -> VirtualServices -> smtp -> labeledUri

  • Change the port here from 30 to 25 and save. Exit oidadmin
  • Bounce LISTENER_ES

lsnrctl stop LISTENER_ES

lsnrctl start LISTENER_ES

  • Bounce all services of apps tier using opmnctl

opmnctl stopall

opmnctl startall

Hope this helps !!

Enabling SSL for Infra Tier – Oracle Application Server 10g

This small post is to let you know, how to enable SSL for for infrastructure tier in oracle application server 10g. When we start the apache server for infra tier, it runs in non SSL mode by default. However we can change from non SSL to SSL by doing a small change in opmn.xml file on infra tier.

Follow below steps for enabling SSL on infra tier.

1) Go to opmn.xml on infra tier.

cd $ORACLE_HOME/opmn/conf

2) make following changes in opmn.xml file

change ssl-disabled to ssl-enabled for HTTP_Server as given below

<ias-component id=”HTTP_Server”>
<process-type id=”HTTP_Server” module-id=”OHS”>
<category id=”start-parameters”>
<data id=”start-mode” value=”ssl-enabled“/>
<process-set id=”HTTP_Server” numprocs=”1″/>

3) Bounce HTTP Server of infra tier.

cd $ORACLE_HOME/opmn/bin

./opmnctl stopproc ias-component=HTTP_Server

./opmnctl startproc ias-component=HTTP_Server

Now you should be able to access the HTTP server on infra tier using 4443 port instead of 7777 port and using HTTPS protocol.


Hope this helps !!

Dealing with Oracle Certificate Authority – Oracle Application Server 10g


Digital certificates are essential to securing an enterprise infrastructure deployment. Oracle Application Server Certificate Authority generates and publishes X.509 v3 PKI certificates to support uses such as securing network connections, digital signatures, and strong user authentication methods. Key features of Oracle Application Server Certificate Authority include its easy, out-of-the-box deployment and a web-based, self service interface for certificate provisioning.

Requesting the web administrator certificate

For OCA, there is a web administrator which can manage and also approve the certificate requested by other users. Users can request either a server certificate of user certificate. Server certificate is required when a user want to enable SSL for his application deployed on server. User certificate is required for user to install the same in his browser. This user certificate can be used a an option for authentication when a user wants to login a SSL enabled application which is also a SSO enabled.

Before we get the administrator account for OCA (Oracle Certificate Authority), we need to first get the OCA certificate and install the same in out browser.

Follow below steps to get the certificate for you AS10g OCA installation.

1) Login to OCA self-service URL using https://(hostname):(port)/oca/admin

Example in my case

Remember here that port you will be using is “Oracle Certificate Authority SSL Server Authentication port” present in ORACLE_HOME/install/portlist.ini file of your infra tier. Click on “Click Here” link.

2) Enrollment form will appear next. Fill in the details as shown in example below.

Click on “Submit” button.

3) Once you submit the certificate will be issued immediately.

This is the certificate for web administrator of OCA. This will be issued by OCA to the web administrator which is going to administer the OCA in future. This is issued only once.

Serial Number:4
Signature Algorithm:RSA
Issuing Authority:O=oracle,C=US
Usage:Client Authentication, Signing, Encryption
Key Size::2048
Subject DN:CN=oca_admin,O=oracle,C=IN
Not Valid Before:Saturday, May 3, 2008 5:23:41 AM PDT
Not Valid After:Sunday, May 3, 2009 5:23:41 AM PDT

Once you get this information click on “Install in Browser”.

Once you install in browser you can check if the certificate has been installed correctly or not using

Tools -> Options -> Advanced Tab -> Encryption -> View Certificate

if you are using Mozilla fire fox browser. For other browsers, use the browser specific path.

Requesting Server Certificate

Once we get the OCA administrator certificate and we became the administrator, then any user who is needs the server certificate or user certificate will have to go through our approval for the same. The request for the certificate will come to us for approval and once we approve, user can download and implement SSL using that certificate. Lets see the process of requesting the certificate and approving the same.

1) Create a certificate request in OWM

  • If you are opening the wallet for the first time, it will ask you to create a new wallet and create a default directory for the same.
  • Also you need to set password for your wallet
  • Once this is done it will ask you if you want to create a new certificate request. Click on Yes.
  • A new window will open asking for the details as shown below.

Enter all the relevant information in the above screen and click on OK.

Once a certificate is created, you can export the same or you can copy the content to notepad.

2) Submitting the request to OCA

Click on submit. You will see the confirmation window as shown below.

3) Once you request for certificate, now you as an administrator can approve the certificate. Usually in production you have to request the certificate to some legeal certifying authority which will approve your certificate after a period of time and you will get your certificate. Here we being administrator for OCA, we can approve the certificate.

  • For this just go to https://(hostname):(port)/oca/admin Example :
  • “Certificate Management” tab
  • You can see that the certificate request is pendng for your approval. If you dont see any request, you can search using the search textbox on the top using the request ID you got when you requested the certificate.

  • You can click on View Details and at the bottom, there will be button called “Approve”. Click on Approve.
  • You will get the confirmation window as given below.

4) Now you need to download this certificate and import into your wallet.

  • For this again go to https://(hostname):(port)/oca/user. Example :
  • Server / SubCA Certificates tab and search for certificate with certificate number that is issued. Note that we have requested a certificate with a request number 4, but the issued certificate number is 5. So you have to search for certiifcate # 5.
  • Once you get it click on “View Details”
  • You should be able to see the certificate. Go down to the bottom of the page and click on “Save Certificate”.
  • There are 2 certificates in this. One is the CA certificate and one is the actual server certificate. The first one if the actual server certificate that you requested for and second one is the CA certificate.

5) You now have to import both server certificate and CA certificate.

  • For this go to OWM again and click on Operations -> Import User Certificate. It will give you 2 options 1) Paste the content 2) Upload as file.
  • In my case I am pasting the certificate as shown below.

  • When we click on OK, it might give following error
    User certificate import has failed because CA certificate does not exits. DO you want to import CA certificate?
  • Click on Yes and then paste CA certificate in new Textarea.
  • In the bottom of OWM window you will see a success message “Your certificate has been successfully imported“.

This is how we can import the certificate that can be used for SSL configuration for your application (like EBS).

Hope this helps !!

Start/Stop LISTENER_ES as Oracle User in Oracle Collabsuite 10g


When we install Oracle Collabsuite 10g, we can administer all the services using oracle user (user who has installed Oracle Collabsuite 10g) except one service, which is LISTENER_ES.

LISTENER_ES is a apps side listener which is mainly responsible for bringing up SMTP and IMAP ports. All the ports for apps tier are defined in ORACLE_HOME/network/admin/listener.ora file present on apps side.

We always have to start LISTENER_ES as a root user and we cannot by default start this using oracle user. However, there is a way to enable start/stop using oracle user. This post explains the same.

Follow below steps to enable oracle to start/stop LISTENER_ES

  • Login to OCS host as root user
  • Go to apps tier and Source the environment using .env file
  • Stop the LISTENER_ES as root user using following command

$ORACLE_HOME/bin/tnslsnr LISTENER_ES stop &

  • As a root user run the below commands

chown root tnslsnr
chmod 6751 tnslsnr

  • Exit and login to OCS host as OH owner, source the instance on apps side using.env file and Start/stop the listener

lsnrctl start LISTENER_ES
lsnrctl stop LISTENER_ES

Hope this helps !!


Metalink Note ID: 205298.1