R12.0.4 new feature: FNDCPASS Security With Non-Reversible Hash Password

Hi Everyone!!

R12.0.4 got released yesterday. Visible fnd feature is "FNDCPASS will enable you to safeguard passwords with advanced Non-Reversible Hash Password encryptions. As of now only SHA algorithm is implemented. It may support other algorithms in future.

FNDCPASS USERMIGRATE utility migrates the encrypted passwords for all FND_USER to a non-reversible hash password scheme.

Migration to hash passwords is one-time, one-way operation that cannot be undone without a system restore from backup. Take backup before running " FNDCPASS USERMIGRATE"

This feature is already part of ATG RUP6 for 11i users.

More details can be found at Note:457166.1

Related Articles:

Removing credentials from cloned EBS system

Keep your system safe.

Happy Learning!!


karnvivek said...

Thats really a good blog ! Thanks for putting in the effort :-)

- karnvivek

Finberg Victor said...

I am dealing with FNDCPASS USERMIGRATE new utility
do you know if fnd_user_pkg.updateuser also keeps
passwords - non-reversible hash password
after installing atg-rup6 ?

Finberg Victor-BVF003 from motorola

Suresh Lakshmanan said...


Nope, I do not see packages keeping passwords in it.


Ravikumar said...

Hi Suresh,

i am currently working in 10g and we have recently implemented rup6 in our applications(11i). i need to use this feature FNDCPASS USERMIGRATE to Enhance Security With Non-Reversible Hash Password.

1) what are the test involved in this.
2) what are the prechecks and post checks involved.
3) will this impact the functioning of the application if we move this with out any proper testing.

waiting for your answer.

Thanks & Regards

Suresh Lakshmanan said...

Hi Ravikumar,

Do not make any changes without testing in prod.
This is high impact intrusive change. Check the known issues section in the note 457166.1.
If your instance has configurator or ADI you have some special tasks.
Note is pretty straight forward. Take care of each action item mentioned in the note.
Thank you.


Anonymous said...

Thanks for such an informative blog.

I am not an Oracle DBA. i recently installed an R12 instance. I am trying to apply the patches to upgrade to 12.1.1. i guess I have forgotten the SYSTEM oracle schema password. How can i handle such a situation. PLease help me.

Suresh Lakshmanan said...

Hi Anonymous,

you can login as
sqlplus '/as sysdba' and reset the password using

'alter userer system identified by secretpassword;'

command. leave your name when you give comment to address you.

thank you :)

ram said...

what s the frequency for clooning

Suresh Lakshmanan said...


Thanks for the comment. Cloning depends on situation, sometime once in few days(during upgrade testing) or could be weekly once or adhoc - ie. whenever required - say for testing a patch. It varies depends on the request on client.


Mohamed Sahal said...

Hi lakshaman,
I have a stuation here. i did hashing of passwords on r12.1.3 ebus instance. The change was successfull. Users are able to login ebs and ebs works fine. However discoverer plus (10.1.2) integration with ebus does not work. When users enter application credentials on discoverer plus, the message is invalid username/password. The discoverer setup is correct, as i can connect another ebus r12.1.3 instance (without password hasing) and users are able to login. Are u aware of any such issues with discover integration with ebus "after" password hasging? Seems after password hashing, discoverer plus/viewer not able to decrypt ebus user passwords.

Suresh Lakshmanan said...

Hi Sahal,

this is the only one note i see which is closer. You might have to create Oracle SR and ask them to route to ATG team.

What version of Discoverer Desktop has the latest FNDPUB for E-Business Suite Password Hash [ID 1088956.1]

with best wishes.