iRecruitment Index Synchronization - All Details

iRecruitment Index Synchronization - All Details

Why iRecruitment Index Synchronization?

To keep the text indexes up to date for iRecruitment documents and job postings run the iRecruitment Index Synchronization process. Oracle iRecruitment uses Oracle Text to perform content-based searches on resumes and job posting details. When candidates upload resumes or managers post new job details, you must synchronize the index at a regular interval to keep the user searches accurate.

Recommended way to run iRecruitment Index Synchronization(from MOS Documents)

• Posting Index indicates index of job postings that managers post.
• Document Index indicates index of candidates' resumes.
• Online index rebuild - to run every 5 minutes

Online index rebuild - to run every 5 minutes
Note: If the online synchronization process starts before the previous one has completed, then the process will display an error. Ensure that you set it to run 5 minutes after completion, and not the start.
In the Online mode, the process adds new entries to the index, enabling simultaneous searches.

Full index rebuild - to run each night
In the Full mode, the process defragments the index, reducing its size, and optimizing the performance. The process does not add new entries to the index.

Impact if Not Done

This is recommended to enhance the performance of iRecruitment and should be done, as it is a very normal DBA Activity.

opatch auto - 11gR2

opatch auto - 11gR2

The OPatch utility has automated the patch application for the Oracle Grid Infrastructure (GI) home and the Oracle Database home.

On an 11gR2 RAC installation, if there is no existing database associated to the RDBMS home, when applying a patch using "opatch auto" command, OPatch will patch the Grid Infrastructure home but not the RDBMS home.
But, one or more database exists associated to the RDBMS home, then OPatch will patch both the Grid Infrastructure home and the RDBMS Home.

The opatch auto retrieves the db home information from the configured databases. So, if there is no existing database, then "OPatch auto" will skip that RDBMS Home while patching.

In order to patch the RDBMS home that has no database configured, use "-oh" option in opatch auto.   For example:
opatch auto < Patch Location > -oh /ora/oh1,/ora/oh2,/ora/oh3

Exadata Storage Server Patching - Some details

Exadata Storage Server Patching

●● Exadata Storage Server patch is applied to all cell nodes.
●● Patching is launched from compute node 1 and will use dcli/ssh to remotely patch each cell node.

●● Exadata Storage Server Patch zip also contains Database Minimal Pack or Database Convenience Pack, which are applied to all compute nodes. This patch is copied to each compute node and run locally.

●● Applying the storage software on the cell nodes will also change the Linux version and applying the database minimal pack on the compute nodes does NOT change the Linux version
To upgrade the Linux on Compute Node follow MOS Note: 1284070.1

Non rolling patch apply is much faster as you are applying the patch on all the cell nodes simultaneously, also there are NO risk to single disk failure. Please note, this would require full outage.

In case of rolling patch apply, database downtime is not required, but patch application time is very high. Major risk: ASM high redundancy to reduce disk failure exposure

Grid disks offline >>> Patch Cel01 >>> Grid disks online
Grid disks offline >>> Patch Cel02 >>> Grid disks online
Grid disks offline >>> Patch Cel..n>>> Grid disks online

Rolling Patch application can be risky affair, please be appraised of the followings:
Do not use -rolling option to patchmgr for rolling update or rollback without first applying required fixes on database hosts
./patchmgr -cells cell_group -patch_check_prereq -rolling >>> Make sure this is successful and review spool carefully.
./patchmgr -cells cell_group -patch –rolling

Non-rolling Patching Command:
./patchmgr -cells cell_group -patch_check_prereq
./patchmgr -cells cell_group -patch


How to Verify Cell Node is Patched Successfully

# imageinfo

Output of this command gives some good information, including Kernel Minor Version.

Active Image Version: 11.2.2.3.1.110429.1
Active Image Status: Success

If you get anything in "Active Image Status" except success, then you need to look at validations.log and vldrun*.log. The image status is marked as failure when there is a failure reported in one or more validations.
Check the /var/log/cellos/validations.log and /var/log/cellos/vldrun*.log files for any failures.

If a specific validation failed, then the log will indicate where to look for the additional logs for that validation.

How to find the Cell Group in Exadata Storage Servers

How to find the Cell Group in Exadata Storage Servers

cd /opt/oracle.SupportTools/onecommand
cat cell_group

#cat cell_group
xxxxxcel01
xxxxxcel02
xxxxxcel03
#

This means, when you would start the patching, it would apply the patch in Cell Node xxxxxcel01 and then in xxxxxcel02, and finally in xxxxxcel03.
As I have Exadata Quarter Rack, there are only 3 Storage Servers(Cell Node) and all would be patched during Cell Node Patching.

From this number of cells you can determine, whether Quarter/Half/Full rack exadata is in place.

Exadata and Exalogic - Roadmap

Recently I have been working on Exadata/Exalogic related stuffs, so would be putting brief details here.

Earlier I was involved in a PoC, 2 years back, would try to put practical details also from the same, at that time I did not start this blog.

Let me take you through the high Level architecture of a full rack Exadata:

In a full rack Exadata database machine, there are 8 database servers, 14 storage servers(7 cells at bottom and 7 cells at top), 3 InfiniBand Switches, 1 Cisco Switch, KVM and 2 PDUs is available.

There are 3 Infiniband Switches in a Exadata Full Rack System. Lower one is know as spine switch.
Most of the Exadata full racks have 2 leaf switches and 1 spine switch. 1/4 racks and 1/2 racks may or may not have a spine switch.

There are one Ethernet Switch in between 2 leaf infiniband switches, which has 48 ports. This is used as management network, and all the Exadata systems are plugged into this for management purpose. Ethernet switch for remote administration and monitoring of the Database Machine.

Storage Servers are also known as Cell Node, and Database Servers are also known as Compute node.

Tuning of HTTP WebTier for Access Manager SSO Implementation

Tuning of HTTP WebTier for Access Manager SSO Implementation

. $HOME/webtierenv.sh
opmnctl status -l

. $HOME/webtierenv.sh
cd $MW_HOME/Oracle_WT1/instances/instance1/diagnostics/logs/OPMN/opmn
grep 'Process Unreachable' opmn.log

. $HOME/webtierenv.sh
cd $MW_HOME/Oracle_WT1/instances/instance1/diagnostics/logs/OHS/ohs1
grep 'still did not exit, sending a SIGKILL' ohs1.log

Make sure no latest OHS Restart has happened.

$MW_HOME/Oracle_WT1/instances/instance1/config/OHS/ohs1/httpd.conf
Look for mpm_worker_module and change MaxClients to 300, ThreadsPerChild to 50

There are multiple tuning recommedtation for HTTP WebTier in the following link, and should be carried out as recommended performance tuning activities:
http://docs.oracle.com/cd/E23943_01/core.1111/e10108/http.htm

Find the complete Fusion Middleware tuning guide at:
http://docs.oracle.com/cd/E23943_01/core.1111/e10108/toc.htm

You have encountered an unexpected PLSQL Error, Please contact System Administrator

You have encountered an unexpected PLSQL Error, Please contact System Administrator

Enable FND Debug using followin profile options:

FND: Debug Log Enabled Yes
FND: Debug Log Filename <empty>
FND: Debug Log Level STATEMENT
FND: Debug Log Mode Asynchronous with Cross-Tier Sequencing
FND: Debug Log Module %

2. Run the following SQL and and write down this number
SQL> select max(log_sequence) from fnd_log_messages;

3. Reproduce the issue and run the following SQL again to get the relevant information:
SQL> select * from fnd_log_messages where log_sequence > NUMBER_IDENTIFIED_BEFORE_IN_SQL_STATEMENT_AT_STEP_2 order by log_sequence;

Verify in the fnd_log_messages, you can see the following:

106500495|fnd.plsql.oid.fnd_ldap_wrapper.create_user: |ORA-31202: DBMS_LDAP: LDAP client/server error: Invalid credentials|
106500496|fnd.plsql.oid.fnd_ldap_wrapper.create_user: |l_err_code :FND_SSO_UNEXP_ERROR, l_tmp_str :ORA-31202: DBMS_LDAP: LDAP client/server error: Invalid credentials|
106500497|fnd.plsql.APP_EXCEPTION.RAISE_EXCEPTION.dict_auto_log|Unabled to call fnd_ldap_wrapper.create_user due to the following reason:
An unexpected error occurred. Please contact your System Administrator. (USER_NAME=SHARMAJ1)|

If this is the case, then during cloing, DBAs must have screwed up OID registration from your live system.

Do a fresh registration using txkrun.pl:
SQL> delete from fnd_user_preferences where user_name='#INTERNAL'
$FND_TOP/bin/txkrun.pl -script=SetSSOReg -registerinstance=yes
$FND_TOP/bin/txkrun.pl -script=SetSSOReg -registeroid=yes -provisiontype=3

Set the DataSource Connection Continuity to avoid Admin/Managed Service Restart

Set the DataSource Connection Continuity to avoid Admin/Managed Service Restart

In a IDM domain, if AdminServer is started before the DB is up and running and subsequently DB is brought up, OPSS data source does not refresh and hence prevents access to application on Admin Server

Connection Creation Retry Frequency >>> This is needed if the Datasource will be down before the Admin server starts
Test Connections on Reserve >>> This is required if the datasource goes down after successful start

Navigation: WebLogic Console >>> Services >>> Data Sources >>> Click on the Data Sources >>> Connection Pool >>> Advanced

This should be done for OAM, OID and eBusiness AccessGate datasources.

Understanding "Managed Server Independence" in WebLogic Configuration

Understanding "Managed Server Independence" in WebLogic Configuration

"Managed Server Independence" specifies whether this Managed Server can be started when the Administration Server is unavailable.

Check that all managed servers have "Managed Server Independence" Enabled (by default it is)
Navigation: WebLogic Console >>> Environment >>> Servers >>> Click on the Name of the Managed Server >>> Configuration >>> Tuning >>> Advanced
Check if Managed Server Independence is Enabled

If you have "Managed Server Independence" Enabled on all managed servers, 
You can restart AdminServer without any problem (the managed servers will continue to work)

I did work for this for OAM Domain, IDM Domain, and eBusiness AccessGate Domain. So if any of the admin server is down, you eBusiness SSO Login would continue to work.

How to Configure OAM to Use Load Balancer URL

How to Configure OAM to Use Load Balancer URL

Navigation: OAM Console >>> System Configuration >>> Access Manager >>> Access Manager Settings

Put the Load Balancer details in this screen.

For me it was BigIP F5 iRule setup, make sure following is already in place and done by F5 Team:
https://mkktestLBR1.lbrdomain.local >>> Redirects to mkktestOAMserver1.unixdomain.local at 14100 port with SSL terminated at F5 Level

After Fusion/OID Installation /em URL is not Accessible

After Fusion/OID Installation /em URL is not Accessible

While trying to access http://mkktestOIDserver1.unixdomain.local:7001/em after installation, it is giving me following error:

Error 503--Service Unavailable 
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.5.4 503 Service Unavailable
The server is currently unable to handle the request due to a temporary overloading or maintenance of the server. The implication is that this is a temporary condition which will be alleviated after some delay. If known, the length of the delay may be indicated in a Retry-After header. If no Retry-After is given, the client SHOULD handle the response as it would for a 500 response.

Note: The existence of the 503 status code does not imply that a server must use it when becoming overloaded. Some servers may wish to simply refuse the connection.

Locate targets.xml file and take a backup of the original file:
$DOMAIN_HOME/sysman/state/targets.xml

Immediately after 1st line of <Targets> add the following line:
<Target TYPE="oracle_ias_farm" NAME="Farm_IDMDomain" DISPLAY_NAME="Farm_IDMDomain">
<Property NAME="MachineName" VALUE="mkktestOIDserver1.unixdomain.local"/>
<Property NAME="Port" VALUE="7001"/>
<Property NAME="Protocol" VALUE="t3"/>
<Property NAME="isLocal" VALUE="true"/>
<Property NAME="serviceURL" VALUE="service:jmx:t3://mkktestOIDserver1.unixdomain.local:7001/jndi/weblogic.management.mbeanservers.domainruntime"/>
<Property NAME="WebLogicHome" VALUE="/opt/oracle/IDMLIVE_MW_HOME/WebLogic/wlserver_10.3"/>
<Property NAME="DomainHome" VALUE="/opt/oracle/IDMLIVE_MW_HOME/WebLogic/user_projects/domains/IDMDomain"/>

Restart Admin Server.

This resolved the issue.

How to Dump Provisioning and Synchronisation Profile from OID

How to Dump Provisioning and Synchronisation Profile from OID

How to Dump Provisioning Profile from OID

This would help you understand what are the Provisioning Profile exists in OID, configuration and status of all those.

ldapsearch -h mkktestserver1.unixdomain.local -p 3060 -D "cn=orcladmin" \
-w MalayFalsePass -L -s sub -b "cn=provisioning profiles,cn=changelog subscriber,cn=oracle internet directory" objectclass=*

Accordingly you can take a call on either enabling or disabling those, or changing the interval or troubleshooting purpose.
orclstatus: ENABLED
orclodipprovisioningappname: ebusl
orclodipprovisioningappname: ebsgold

How to Dump Synchronisation Profile from OID

manageSyncProfiles list -h mkktestserver1.unixdomain.local -p 7005 -D weblogic

Output of this would be something like:
Following are the registered profile(s):
ADtoOIDSynch >>> This is the synch profile that is in place.....

manageSyncProfiles get -h mkktestserver1.unixdomain.local -p 7005 -D weblogic -pf ADtoOIDSynch

Output of this would be something like(I have given only the important fields and removed the attribute part)

If these are configured in OID DIP Synch Profile AD to OID Synch should be issueless.

Profile ADtoOIDSynch details are :
odip.profile.condirfilter = searchfilter=(|(objectclass=group)(objectclass=organizationalUnit)(&(objectclass=user)(!(objectclass=computer))))
odip.profile.status = ENABLE

odip.profile.syncmode = IMPORT
odip.profile.version = 4.0
odip.profile.configfile = [INTERFACEDETAILS]
Reader: oracle.ldap.odip.gsi.ActiveChgReader
CheckAllEntries: false
SkipErrorToSyncNextChange: true
UpdateSearchCount: 100
SearchDeltaSize: 500

odip.profile.lastchgnum = 122685657
odip.profile.debuglevel = 0

You can Validate Synch Profile using following Command:

manageSyncProfiles validateProfile -h mkktestserver1.unixdomain.local -p 7005 -D weblogic -pf ADtoOIDSynch

Sample output for validateProfile
Map rules "orclodipattributemappingrules" have the following warnings:
Attribute rule "2" has warning: Source attribute 'cn' is optional for a required destination attribute 'cn'
Attribute rule "7" has warning: Source attribute 'samaccountname' is optional for a required destination attribute 'orclsamaccountname'
Attribute rule "22" has warning: Source attribute 'employeeid' is optional for a required destination attribute 'sn'
Attribute rule "25" has warning: Source attribute 'samaccountname' is optional for a required destination attribute 'orclsamaccountname'
Attribute rule "25" has warning: Source attribute 'userprincipalname' is optional for a required destination attribute 'orclsamaccountname'.

You can test Synch Profile using following Command:

You need to disable the profile temporarily to do this testProfile.
manageSyncProfiles testProfile -h mkktestserver1.unixdomain.local -p 7005 -D weblogic -pf ADtoOIDSynch

SynchronizationStatus : Synchronization Successful
SynchronizationErrors :
ECID : 39cb4812cad10e7e:-123fc09f:1401eaa2992:-8000-0000000000005981
View the related logs using the above ECID with the wlst command :
displaylogs(target=<ManagedServer_Name>, ecid='39cb4812cad10e7e:-123fc09f:1401eaa2992:-8000-0000000000005981')

Now this ECID you can look in wls_ods1-diagnostic.log, in my case it was warning only. This report that "SynchronizationStatus : Synchronization Successful", this means, synch is going okay...

In the wls_ods1-diagnostic.log, you can see this ECID in warning as reported in validateProfile.

Following Commands are also very useful to troubleshoot Synch Profile Issues:

ldapsearch -p 389 -h mkktestADserver1.addomain.local -D "AdtoOidSyncUser@vaa.vtg.local" -w "MalayFalsePass" -b "" -s base "objectclass=*" highestCommittedUSN
ldapsearch -h mkktestOIDserver1.unixdomain.local -p 3060 -D "cn=orcladmin" -w MalayFalsePass -b "" -s base "objectclass=*" lastchangenumber
ldapsearch -h mkktestOIDserver1.unixdomain.local -p 3060 -D "cn=orcladmin" -w MalayFalsePass \

-b "cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" -s sub "objectclass=*"

Ad to OID Synch Issue

Ad to OID Synch Issue

By default, Microsoft Active Directory Connector retrieves changes to all objects in the container configured for synchronization. If you are interested in retrieving only a certain type of change, for example only changes to users and groups, then you should configure an LDAP search filter. This filter screens out changes that are not required when Microsoft Active Directory Connector queries Microsoft Active Directory. The filter is stored in the searchfilter attribute in the synchronization profile.

To troubleshout this kind of DIP issue enable TRACE:32 Logging for the following components:
oracle.dip.config
oracle.dip.mbean.prov
oracle.dip.mbean.sync
oracle.dip.util

You can achive this using enterprise manager console:
Navigation: http://mkktestserver1.unixdomain.local:7003/em >>> Click on wls_ods1 >>> Drop down WebLogic Server >>> Logs >>> Log Configuration

Monitor the managed server log to capture the issue.

Users are not getting synchronised from AD to OID.

Put a searchfilter in ADtoOIDSynch profile definition.
searchfilter=(|(objectclass=group)(objectclass=organizationalUnit)(&(objectclass=user)(!(objectclass=computer))))

In wls_ods1 log you would see a message like following after this change:
[2013-07-28T13:34:15.178+01:00] [wls_ods1] [NOTIFICATION] [DIP-10252] [oracle.dip] [tid: ADtoOIDSynch] [userId: <anonymous>] [ecid: 0000K0Uebzv03zD_R9c9yd1Hwpv2000002,0] [APP: DIP#11.1.1.2.0] Found Search Filter : ((|(objectclass=group)(objectclass=organizationalUnit)(&(objectclass=user)(!(objectclass=computer))))).

To verify if synchronisation is properly happening or not you can follow this link:
http://mkkoracleapps.blogspot.com/2013/07/how-to-check-ad-to-oid-synch-is.html

Remove Dangling DNs from OID

Remove Dangling DNs from OID

. $HOME/oidenv.sh
oiddiag collect_all=true
cd $MW_HOME/asinst_1/diagnostics/logs/OID/tools

In this directory, a LDIF File with Dangling DNs entries would be created, run ldapmodify to delete these. This would delete the entries, and is a recommended steps to improve the OID Performance.

ldapmodify -h mkktestserver1.unixdomain.local -p 3060 -D cn=orcladmin -w MalayFalsePass -v -f oiddiag20130824212502_FixMembrAttr.ldif

Putting one sample entry from the LDIF File below:
dn: cn=gs_apps_essbase_live_businesuser,ou=groups,ou=united kingdom,cn=users,dc=mkkaddomain,dc=root,dc=local
changetype: modify
delete: uniquemember
uniquemember: cn=amit joggarish,ou=itadmin,ou=united kingdom,dc=mkkaddomain,dc=root,dc=local

>>> This means that the groups would be deleted from the user's unique member group. This is noted as Dangling DN as the same group doesnot exist in OID, but this has come from Microsoft AD.

Assigned Responsibilities are not visible to User

Assigned Responsibilities are not visible to User

Following shortcut solution worked many times in 11i and R12 as well

1. Run the following requests in the order below:
a. "Create FND_RESP WF Roles"
b. "Sync responsibility role data into the WF table.(obsolete in R12)"
c. "Synchronize WF LOCAL tables"
d. "Workflow Directory Services User/Role Validation"

2. End date and associated userid, un-end date it, and change the password.

3. Retest the issue.

There is an exhaustive troubleshooting steps for this issue, but above solution has worked in most of the cases for me, except very few, where I had to walk that extra mile.

Make sure Workflow Background Process is properly Scheduled. Follow this for best practice on this:
http://mkkoracleapps.blogspot.com/2012/12/workflow-related-scheduled-concurrent.html

eBusiness Suite Data Masking/Data Scrambling/Data Anonymization

eBusiness Suite Data Masking/Data Scrambling/Data Anonymization

Recently I got a chance to work on a eBusiness Data Masking requirement. Generally, few members try to differentiate between Data Masking, Data Scrambling and Data Anonymization, unfortunately that is bit misconception.

Definition what Oracle Provides:
Data masking, also known as data scrambling or data anonymization, is the process of obscuring sensitive information copied from a production database with realistic, scrubbed data based on masking rules, to a test or non-production database

I would like to share some learnings from this masking exercise:

1. FND_USER_MASKING_EXEMPTIONS/Exempt Users From Masking

By default seeded users(like SYSADMIN, GUEST) whose USER_ID is less than 1000 are exempted from masking. But if all other usernames are masked then testing users would be impacted, so prepare the list, who need access in the eBusiness and put them in FND_USER_MASKING_EXEMPTIONS.

Data Masking Pack Provides two SQLs
fndusmaexcr.sql - Creates the FND_USER_MASKING_EXEMPTIONS table.
fndusmaexpo.sql - Provides examples of how to populate the table.

FND_USER_MASKING_EXEMPTIONS >>> Definition >>> USER_ID, SOURCE, CURRENT_NAME, NEW_NAME, NEW_PASSWD
The CURRENT_NAME column contains the name of the user to exempt from standard masking.

2. What template needs to be used, JE(Standard) or JG, is decided by the table JE_ES_MODELO_190_ALL.
select OWNER  from all_tables  where TABLE_NAME = 'JE_ES_MODELO_190_ALL';

Use the standard version of the template if your production database includes the table JE_ES_MODELO_190_ALL in the JE schema. Use the JG version of the template if your production database includes the table JE_ES_MODELO_190_ALL in the JG schema.

High Level Steps for Data Masking is as follows

1. Compile all the objects before you start Generate Mask.
2. Generate Masks Include, Patching Activity for Data Masking Template Patch, Steps for Exempt Users, Create Tables using Pre Generate SQL, Edit Masking Definition, Remove Errors/Warnings.
3. If Environment is SSO Enabled, remove SSO using txkrun.pl deregister OR Delete Directly from FND_USER_PREFERENCES. If any LDAP operation is running like DIP(like OID to eBusiness synch), then there can be deadlock in the database and ORA-00060: deadlock detected while waiting for resource would be reported.
4. Execute the Mask.
5. Save the masking script and template, so that you can run on all instances where masking is required, and after each clone.

*** If You Forget to Provide Required Grant
Provide DBMS_CRYPTO/EXEMPT ACCESS POLICY Grant to SYSTEM, missing this become problemetic, as you need to recreate various triggers, taking the code from some other instance. Otherwise masking would not happen.
GRANT EXECUTE ON DBMS_CRYPTO TO SYSTEM;
GRANT EXEMPT ACCESS POLICY TO SYSTEM;

*** Stop the application, and start the Concurrent Managers Only
Note that several concurrent requests are started during the mask (Employee Update Program and DQM Staging Program). Verify that these programs complete successfully after bringing up the Concurrent Manager. Note that the Employee Update Program may log errors of "Update of Name was not done as the update would result in a duplicate supplier record".

In the Masking execution spool, you would see like following:
Completed Data Masking. Starting cleanup phase.                                 
Starting cleanup of generated procedures                                        
Completed cleanup of generated procedures                                       
Script execution complete                                                       
Program: fndusmaexpr                                                            
Process FND_USER_MASKING_EXEMPTIONS                                             
======================================                                          
... setup context.                                                              
... process records.                                                            
======================================                                          
End program - successful                                                        
request_id = 1152548                                                            
request_id = 1152549                                                            
request_id = 1152550                                                            
EBS drop table - map_scl_dk                                                     
EBS drop table - map_scl_nl_1                                                   

Make sure all these requests are completed successfully.

*** Customisation On Data Masking Template
For Custom columns you can add in this template rule, You can remove if you do not need the seeded template to mask some columns.

*** Add Datafile to SYSTEM Tablespace
ALTER TABLESPACE APPS_TS_TX_IDX ADD DATAFILE '+DATA01' SIZE 100M AUTOEXTEND ON NEXT 10M MAXSIZE 4096M;
ALTER TABLESPACE APPS_TS_TX_IDX ADD DATAFILE '+DATA01' SIZE 100M AUTOEXTEND ON NEXT 10M MAXSIZE 4096M;

*** Add Tempfile to Temp Tablespace
ALTER TABLESPACE TEMP11 add tempfile '+DATA01' SIZE 1024M;
ALTER TABLESPACE TEMP11 add tempfile '+DATA01' SIZE 1024M;

**** Rebuild all INVALID/UNUABLE Indexes
ALTER INDEX <OWNER>.<INDEX_NAME> REBUILD;

**** After Masking None of the Business Users are able to Access the System
If I remove the employee from the user and reset the password then that was able to access the system. You can reassign back the employee to the user. This is not a feasible solution if NONLIVE instances are accessed by many users.

"Workflow Directory Services User/Role Validation" Parameters : 100000, Yes, No, No
"Workflow Directory Services User/Role Validation" Parameters : 100000, No, Yes, No   

1. Run the following requests in the order below: 
a. "Create FND_RESP WF Roles"
b. "Sync responsibility role data into the WF table.(obsolete in R12)"
c. "Synchronize WF LOCAL tables"
d. "Workflow Directory Services User/Role Validation"

Make sure Workflow Background Process is properly Scheduled. Follow this for best practice on this:
http://mkkoracleapps.blogspot.com/2012/12/workflow-related-scheduled-concurrent.html

SQLPLUS APPS Connection is intermittently failing

SQLPLUS APPS Connection is intermittently failing

Reason for this Issue: Invalid TNS address supplied or destination is not listening. This error can also occur because of underlying network transport problems.

For my case it was wrong gateway configuration.

Successful:

mkkebstestu1@mkktestserver1:/home/mkkebstestu1>sqlplus apps/*************

SQL*Plus: Release 8.0.6.0.0 - Production on Mon Oct 29 15:42:35 2012

(c) Copyright 1999 Oracle Corporation.  All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> Disconnected from Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

Unsuccessful Attempts:

mkkebstestu1@mkktestserver1:/home/mkkebstestu1>sqlplus apps/************

SQL*Plus: Release 8.0.6.0.0 - Production on Mon Oct 29 15:46:49 2012

(c) Copyright 1999 Oracle Corporation.  All rights reserved.

ERROR:
ORA-12203: TNS:unable to connect to destination


Enter user-name: 

mkkebstestu1@mkktestserver1:/home/mkkebstestu1>netstat -rn
Routing tables
Destination        Gateway           Flags   Refs     Use  If   Exp  Groups

Route Tree for Protocol Family 2 (Internet):
default            172.30.0.1        UG        1     34949 en2      -      -   =>
default            172.30.0.10       UG        7    795361 en2      -      -
60.60.60.1         127.0.0.1         UGHS      0      1733 lo0      -      -   =>
60.60.60.1         60.60.60.1        UHSb      0      1733 en2      -      -   =>
60.60.60.1/24      60.60.60.1        U         0         0 en2      -      -
60.60.60.255       60.60.60.1        UHSb      0         4 en2      -      -
127/8              127.0.0.1         U        14    781913 lo0      -      -
172.30.0.0         172.30.0.92       UHSb      0         0 en2      -      -   =>
172.30/24          172.30.0.92       U         2   6576453 en2      -      -
172.30.0.92        127.0.0.1         UGHS      1       458 lo0      -      -
172.30.0.255       172.30.0.92       UHSb      0         4 en2      -      -

Route Tree for Protocol Family 24 (Internet v6):
::1                ::1               UH        0        92 lo0      -      -
mkkebstestu1@mkktestserver1:/home/mkkebstestu1>

>>>> If you notice the netstat spool there are two gatways are defined. This is not a correct configuration. Highlighted in RED.


Solution: Flush the Gateway from smitty

mkktestserver1[/] # smitty route

Press Enter AFTER making all desired changes.

                                                        [Entry Fields]
  Flush Routing Table in the Current Running System   yes                                                                          +
  Flush IPV4 Routes in the Configuration Data Base    yes                                                                          +
  Flush IPV6 Routes in the Configuration Data Base    no                                                                           +
   (effective in the next system restart)

RMAN Active/Standby Duplicate Hangs

RMAN Active/Standby Duplicate Hangs

Recently, I was doing a DataGuard set-up for 11gR2 database. After doing the preliminary steps and database level preparation, I started the RMAN Standby Duplicate command.
I wait for long, almost 4 hours, but still the datafile copy didn't start from primary to standby(source to target).

Similar issue I have faced earlier too for 11gR1 database while doing implementation of DR Site for eBusiness Suite, OBIEE and some Oracle Retail Applications(RMS, WMS, RIB, SIM etc), but documenting here this time for benefits.

Connect to Primary(Source) database using RMAN:

$ RMAN
RMAN> CONNECT TARGET;
RMAN> SHOW ALL;

Check what is the setting for BACKUP OPTIMIZATION.

Switch backup optimisation off before starting the RMAN Duplicate command, otherwise, RMAN would internally decide the optimization plan for the duplicate process.
This would take lot of time if the DB Size is high to start the datafile copy. Database size in this case was 1.7TB.

In Primary(Source) Database execute the following command:
RMAN> CONFIGURE BACKUP OPTIMIZATION OFF;

---- Revert back the change in Primary when RMAN duplicate finished.

This solve the issue for me, but would like to highlight few more reasons which can cause RMAN Active Duplicate to hang.

1. SGA and Pool Size can Impact your Duplicate Performance

Large pool size plays an important role in RMAN Recovery, SGA decides how many channel you can use your RMAN Duplicate command.

I was having ample sizing for the primary/standby database, so set the following in both:
*.sga_target = 14G
*.shared_pool_size = 3G
*.shared_pool_reserved_size = 300M
*.streams_pool_size = 150M
*.java_pool_size = 1G
*.pga_aggregate_target = 20G
*.result_cache_max_size = 150M
*.db_cache_size = 2G
*.large_pool_size=300M
*.db_keep_cache_size = 500M
*.db_writer_processes = 3
*.processes = 2500
*.sessions = 5000
*.open_cursors = 1500

2. RMAN Duplicate can hang if Compatible setting in both target and auxiliary database is not same. Refer MOS Note 816094.1 for the same. 

Significance of "Sign-On:Audit Level" Profile Option

Significance of "Sign-On:Audit Level" Profile Option

Sign-On: Audit Level can be set at 4 different levels.  The level you specify will determine which Change Tracking information Oracle eBusiness would Capture

The four levels (from lowest to highest level of audit) and the information that they capture are:

1. When Site Level Value is None
Tracks no additional info.

2. When Site Level Value is User
Tracks: who signs on to Oracle Apps, the time users log on and off, the terminals in use

3. When Site Level Value is Responsibility
Tracks: User Info, the responsibilities user choose, how much time users spend using each responsibility

4. When Site Level Value is Form
Tracks: User Info, Responsibility Info, the forms users choose, how long users spend using each form

Based on the level chosen, the information captured gets stored in the following tables:
FND_LOGINS 
FND_LOGIN_RESPONSIBILITIES 
FND_LOGIN_RESP_FORMS 

Truncate Login Related Tables in NONLIVE Instance/Cloned Instance

Truncate Login Related Tables in NONLIVE Instance/Cloned Instance

This I generally do a post clone steps to purge the login related information.

$ADMIN_SCRIPTS_HOME/adopmnctl.sh stopall

truncate table APPLSYS.FND_LOGINS;
truncate table APPLSYS.FND_LOGIN_RESP_FORMS;
truncate table APPLSYS.FND_LOGIN_RESPONSIBILITIES;
truncate table APPLSYS.FND_UNSUCCESSFUL_LOGINS;
truncate table ICX.ICX_SESSIONS;
truncate table ICX.ICX_FAILURES;
truncate table ICX.ICX_SESSION_ATTRIBUTES;
truncate table ICX.ICX_TEXT;
truncate table ICX.ICX_CONTEXT_RESULTS_TEMP;
truncate table ICX.ICX_TRANSACTIONS;
truncate table APPLSYS.FND_SESSION_VALUES;

$ADMIN_SCRIPTS_HOME/adopmnctl.sh startall

Also if you are not able to execute purge signon conc prog, due to huge volume of data in the underlying tables then truncate is an option that you can pursue. OR you have to delete in multiple iterations.

Relevant Concurrent Program to Purge: Purge Signon Audit Data

Purge Inactive Sessions E-Business suite R12: $FND_TOP/sql/FNDDLTMP.sql

Performance Issue on a AP Workflow Approval(Custom Package)

Performance Issue on a AP Workflow Approval(Custom Package)

Few days back I got a chance to work for a performance issue on a AP Workflow Approval Package.
An adhoc request from the team, though there are huge scope of performance improvement on the whole database, I concentrated only on the AP Workflow Approval part.

Firstly I analysed AWRs for some days during business hours and noticed the following:
1. Multiple Procedures of the same package was present in "SQL ordered by Elapsed Time" and in "SQL ordered by CPU Time" with SQL IDs: v9yxuzfup5w3, 05jrjvak9tkry, 5cdb5xwmdggu2
2. Procedure of the same package was present in "SQL ordered by User I/O Wait Time" with SQL IDs: 05jrjvak9tkry
3. Multiple Procedures of the same package was present in "SQL ordered by Gets" with SQL IDs: 05jrjvak9tkry, 2v9yxuzfup5w3
4. Procedure of the same package was present in "SQL ordered by Reads" with SQL IDs: 05jrjvak9tkry

It is always a good practice that DBAs should look into the section of "SQL ordered by Gets" and tune them accordingly.
"SQL ordered by Gets" are always candidate of tuning and that is first thumb rule of SQL performance tuning based on AWR analysis.

In this case following two procedures were bottleneck for the whole package:
1. GET_APPROVER
2. AME_SUPERVISOR_LEVELS

So my initial target was to improve the performance for GET_APPROVER and AME_SUPERVISOR_LEVELS procedures. Needless to say both of these are present in "SQL ordered by Gets".

Now, there is a constraint  you cannot ask the developers to change the logic of the code for this kind of packages, as you never know, while changing what else can be screwed up. Also, Project manager may come to beat you :)
If something goes wrong business can be impacted, and thorough testing on a already live infrastructure is also not possible due to various constraints.

Started analysing the details of the two procedures, using SQLT and Explain Plan.

Solution#1: Reorder WHERE Clause for PER_ALL_ASSIGNMENTS_F/PER_ASSIGNMENTS_X in the Custom Code

First important observation from the analysis: Most of the bottleneck is coming from PER_ALL_ASSIGNMENTS_F.
It was noticed that, from the table PER_ALL_ASSIGNMENTS_F/PER_ASSIGNMENTS_X, the where clause in SELECT statement was very haphazard.
In some cases developers used the columns in where clause in one order and in other case it was in different order.
It is always a best practice, that first condition in the where clause should start with PK. So requested the developer to reorder the where cluase.

<<<<<<<<<<
You have used per_all_assignments_f/ per_assignments_x in various select statement.. Put the where clause in this order:
Select whatever from per_all_assignments_f/ per_assignments_x
Where 
person_id = …….
position_id = …..
assignment_type = …..
primary_flag = …..
effective_start_date = …..
effective_end_date = ……
supervisor_id = ….
>>>>>>>>>>>>>>

As this is a very minor change, and doesn't require any functional testing to be done, it is very much acceptable.
So this is the first change that is done.

Solution#2: CREATE Index on PER_ALL_ASSIGNMENTS_F, PAY_USER_ROWS_F, PAY_USER_COLUMNS, PAY_USER_TABLES

Now, started looking at what is happening inside the code, specially for FULL TABLE SCAN. This means that there is a need of INDEX. 

It is always good for DBAs to keep on checking to understand what are the tables having FULL TABLE SCAN
and if table size is high DBAs should take action to minimise that. Specially look for COST, CPU_COST and IO_COST.

Now a need has come to create an INDEX on PER_ALL_ASSIGNMENTS_F, as this a standard/very important table of core HR, Composite Index is always a safest bet.
As the developer has rearranged the where clause order in the whole package, just created a composite INDEX as follows:
CREATE INDEX HR.PER_ALL_ASSIGNMENTS_F_XXMKK_N1 ON HR.PER_ALL_ASSIGNMENTS_F 
(PERSON_ID, POSITION_ID , ASSIGNMENT_TYPE, PRIMARY_FLAG, EFFECTIVE_START_DATE, EFFECTIVE_END_DATE, SUPERVISOR_ID);

In the code, there were 3 more tables where existing Indexes(created as part of eBusiness Installation) were not sufficient:
1. PAY_USER_ROWS_F
2. PAY_USER_COLUMNS
3. PAY_USER_TABLES

Index need could have been eliminated(though not fully), if the where cluase was properly written/ordered, for example PAY_USER_COLUMNS select was done on following order:
USER_TABLE_ID, USER_COLUMN_NAME, USER_COLUMN_ID

Now let me explain, USER_TABLE_ID is FK, USER_COLUMN_ID is PK and USER_COLUMN_NAME is UK.
So in this case order should have been, USER_COLUMN_ID, USER_TABLE_ID, USER_COLUMN_NAME.

Now eBusiness by default has one index for USER_COLUMN_ID(PK), USER_TABLE_ID(FK1) and
PAY_USER_COLUMNS_UK2 UNIQUE (USER_COLUMN_NAME, USER_TABLE_ID, BUSINESS_GROUP_ID, LEGISLATION_CODE).

So it is difficult to utilise the above indexes mentioned.

Created following 3 indexes understanding the need(analysis was almost same with little difference for all three tables)

create index HR.PAY_USER_ROWS_F_XXMKK_N1 on HR.PAY_USER_ROWS_F (USER_TABLE_ID, USER_ROW_ID, EFFECTIVE_START_DATE, EFFECTIVE_END_DATE);
CREATE INDEX HR.PAY_USER_TABLES_XXMKK_N1 ON HR.PAY_USER_TABLES (USER_TABLE_ID, USER_TABLE_NAME);
CREATE INDEX HR.PAY_USER_COLUMNS_XXMKK_N1 ON HR.PAY_USER_COLUMNS (USER_TABLE_ID, USER_COLUMN_NAME, USER_COLUMN_ID);

Now the big question, how to make sure if this indexes are getting used or not. Requested the developer to test the performance of the approval package.

You can set the index usage monitoring in following way:
ALTER INDEX HR.PER_ALL_ASSIGNMENTS_F_XXMKK_N1 MONITORING USAGE;
SELECT * FROM V$OBJECT_USAGE;
ALTER INDEX HR.PER_ALL_ASSIGNMENTS_F_XXMKK_N1 NOMONITORING USAGE;

There is one more way to monitor the usage of INDEX, which I would incorporate in subsequent post.

Solution#3: De-fragment the tables periodically to reclaim unused space / improve performance

Should be done every quarter/half year

WF_LOCAL_ROLES is highly fragmented and causing a lot of performance problem, even I executed the most eligible candidate for de-fragmentation SQL and there is a huge benefit noticed for WF_LOCAL_ROLES.

ALTER TABLE APPLSYS.WF_NOTIFICATIONS MOVE;
ALTER TABLE APPLSYS.WF_LOCAL_ROLES MOVE;
ALTER TABLE APPLSYS.WF_LOCAL_USER_ROLES MOVE;
ALTER TABLE APPLSYS.WF_USER_ROLE_ASSIGNMENTS MOVE;
ALTER TABLE AP.AP_INVOICES_ALL MOVE;

ALTER TABLE <TABLE_NAME> ENABLE ROW MOVEMENT;
ALTER TABLE <TABLE_NAME> SHRINK SPACE CASCADE;
ALTER TABLE <TABLE_NAME> DISABLE ROW MOVEMENT;

I would like to mention one more point on AP Performance where AP.AP_LIABILITY_BALANCE, this table is also highly fragmented, if defrag is done, some other code would be benefited.

ALTER TABLE AP.AP_LIABILITY_BALANCE MOVE;

Solution#4: Rebuild Indexes for Better Performance/After Row Movement

Should be done every quarter/half year

You need to rebuild the indexes associated with these tables, as the status would be unusable.

SELECT TABLE_OWNER, INDEX_NAME FROM dba_ind_columns WHERE INDEX_NAME IN
(SELECT DISTINCT INDEX_NAME FROM dba_ind_columns WHERE TABLE_NAME IN
('WF_NOTIFICATIONS','WF_LOCAL_ROLES','WF_LOCAL_USER_ROLES', 'WF_USER_ROLE_ASSIGNMENTS', 'AP_INVOICES_ALL','AP_LIABILITY_BALANCE'))
ORDER BY INDEX_NAME;

alter index <owner>.<index_name> rebuild online;

Solution#5: Gather Stats On Relevant Tables

In Live, Gathers Stats conc program is scheduled to run every 15 days. There is no need to do this additionally, but every time 3/4 is done, it is recommended to perform.

exec fnd_stats.gather_table_stats('HR','PER_ALL_ASSIGNMENTS_F');
exec fnd_stats.gather_table_stats('HR','PER_ALL_PEOPLE_F');
exec fnd_stats.gather_table_stats('HR','PER_POSITION_EXTRA_INFO');
exec fnd_stats.gather_table_stats('HR','PAY_USER_ROWS_F');
exec fnd_stats.gather_table_stats('HR','PAY_USER_TABLES');
exec fnd_stats.gather_table_stats('AP','AP_INVOICES_ALL');
exec fnd_stats.gather_table_stats('HR','PAY_USER_COLUMNS');
exec fnd_stats.gather_table_stats('HR','PAY_USER_COLUMN_INSTANCES_F');
exec fnd_stats.gather_table_stats('APPLSYS','WF_LOCAL_ROLES');
exec fnd_stats.gather_table_stats('APPLSYS','WF_LOCAL_ROLES_TL');
exec fnd_stats.gather_table_stats('AP','AP_INV_APRVL_HIST_ALL');
exec fnd_stats.gather_table_stats('APPLSYS','WF_NOTIFICATIONS');
exec fnd_stats.gather_table_stats('APPLSYS','WF_LOCAL_USER_ROLES');
exec fnd_stats.gather_table_stats('APPLSYS','WF_USER_ROLE_ASSIGNMENTS');

And finally the result is good, from 50 seconds of approval time we could manage to take it down to 10 seconds.
There is a further scope of improvement and we can work towards to make below 5 seconds...

That would follow very soon, only the analysis part.....