Skip Headers
Oracle® Real Application Clusters Installation Guide
11g Release 1 (11.1) for Linux and UNIX

B28264-07
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

5 Oracle Application Express Postinstallation Tasks

This section describes tasks that you need to complete Oracle Application Express configuration after you finish installing the Oracle Real Application Clusters (Oracle RAC) software.

This chapter contains the following topics:

5.1 Restarting Application Express Processes After an Upgrade

If you had a previous Oracle Application Express installation, then after the Oracle RAC installation completes, you need to restart the Oracle Application Express processes that you stopped before you began the installation, such as the listener. In addition, restart Oracle HTTP Server.

5.2 Patching Oracle Application Express 3.0

If you are already running Oracle Application Express 3.0, then check the Oracle Application Express page on the Oracle Technology Network (OTN) at the following URL for information about patch set releases or later versions of Oracle Application Express:

http://www.oracle.com/technology/products/database/application_express/index.html

Upgrading to Oracle Database 11g will not patch an Application Express 3.0 instance to Application Express 3.0.1.

5.3 Choosing an HTTP Server

Oracle Application Express requires access either to the embedded PL/SQL gateway, or to Oracle HTTP Server and mod_plsql. Review the following information to select an HTTP server.

This section contains the following topics:

5.3.1 Selecting an HTTP Server in an Oracle RAC Environment

Oracle recommends that you use Oracle HTTP Server with modplsql, as it permits you to specify a connection in the service name format, so that one HTTP Server can access all nodes. This section contains instructions for configuring that HTTP server.

Oracle recommends that you do not select the embedded PL/SQL gateway option for Oracle RAC installations. The embedded PL/SQL gateway uses an HTTP Server built into the database instance, and because of this, it does not take advantage of the Oracle RAC shared architecture.

To use an embedded PL/SQL gateway as the HTTP server with RAC, the gateway must be configured on each node, and users of Oracle Application Express would have to specify which node they would like to access in the URL. If the node fails, then the embedded PL/SQL gateway fails as well, and the service is not failed over to surviving nodes.

5.3.2 About Oracle HTTP Server and mod_plsql

Oracle HTTP Server uses the mod_plsql plug-in to communicate to the Oracle Application Express engine within Oracle Database. It functions as a communication broker between the Web server and the Oracle Application Express objects in Oracle Database. More specifically, it maps browser requests into database stored procedure calls over a SQL*Net connection.

Note that this configuration consists of three tier architecture: a Web browser, Oracle HTTP Server (ohs) with mod_plsql, and an Oracle database containing Oracle Application Express.

5.4 Copying the Images Directory

Whether you are loading a new installation or upgrading from a previous release, you must copy the images directory from the top level of the $ORACLE_HOME/apex directory to the location on the file system containing the Oracle home for Oracle HTTP Server.

This section includes the following topics:

5.4.1 Copying the Images Directory After an Upgrade

During an upgrade, you must overwrite your existing images directory. Before you begin the upgrade, to ensure that you can revert to the previous version, Oracle recommends that you create a copy of your existing images directory for Oracle Application Express, indicating the release number of the images (for example, images_2_0).

To locate the path to the images directory on the file system, locate the text alias /i/ in one of the following files, depending on your existing version release:

  • Oracle9i HTTP Server release 2—see the httpd.conf file.

  • Oracle HTTP Server 11g—see the dads.conf file.

  • Oracle Application Server 10g—see the marvel.conf file.

When you locate the images directory path, Oracle recommends that you copy the existing images directory to a backup location. Doing this enables you to revert to the previous release, if that becomes necessary.

After you copy the existing images directory, use the following command syntax to copy the apex\images directory from the Oracle Database 11g home to the existing images directory path, overwriting the existing images:

  • Existing Oracle Application Server 10g

    cp -rf ORACLE_BASE/ORACLE_HOME/apex/images\
    ORACLE_BASE/ORACLE_HTTPSERVER_HOME/Apache
    
  • Existing Oracle HTTP Server 11g:

    cp -rf ORACLE_BASE/ORACLE_HOME/apex/images\
    ORACLE_BASE/ORACLE_HTTPSERVER_HOME/ohs
    

In the preceding syntax examples:

  • ORACLE_BASE is an Oracle software base directory, in which Oracle home directories are installed, such as u01/app/oracle.

  • ORACLE_HTTPSERVER_HOME is the existing Oracle Application Server or Oracle HTTP Server Oracle home

  • ORACLE_HOME is the Oracle Database 11g Oracle home

For example:

cp -rf u01/app/oracle/10_2/db_1/apex/images \
u01/app/oracle/OAS_11_0/ohs

5.4.2 Copying the Images Directory After a New Installation

After installation, copy the directory apex/images, using a command similar to the following:

cp -rf ORACLE_BASE/ORACLE_HOME/apex/images\
ORACLE_BASE/ORACLE_HTTPSERVER_HOME/ohs

5.5 Configuring Oracle HTTP Server in a New Installation

This section describes how to configure different versions of Oracle HTTP Server with mod_plsql in a new installation.

Topics in this section include:

5.5.1 Security Considerations for Oracle HTTP Server

Oracle highly recommends that you configure and use a Secure Sockets Layer (SSL) to ensure that passwords and other sensitive data are not transmitted in clear text in HTTP requests. Without the use of SSL, passwords potentially could be exposed, compromising the security of your Application Express instance.

SSL is an industry standard protocol that uses RSA public key cryptography in conjunction with symmetric key cryptography to provide authentication, encryption, and data integrity.

5.5.2 Configuring Oracle HTTP Server Release 9.0.3 in a New Installation

In Oracle HTTP Server release 9.0.3, the file wdbsvr.app contains information about the Database Access Descriptor (DAD) to access Oracle Application Express. A DAD is a set of values that specify how the Oracle HTTP Server component modplsql connects to the database server to fulfill an HTTP request.

5.5.2.1 Changing the Password for the ADMIN Account

To change the password for the ADMIN account:

  1. Change your working directory to $ORACLE_HOME/apex.

  2. Start SQL*Plus and connect to the database where Oracle Application Express is installed as SYS. For example:

    $ sqlplus sys/SYS_password as sysdba
    
  3. Enter the following command followed by the new password:

    @apxxepwd.sql password
    

    For example to change the password to apex1234:

    @apxxepwd.sql password apex1234
    

5.5.2.2 Changing the Password for the APEX_PUBLIC_USER Database User

To specify the password in the DAD file, use the following procedure to the password for the database user APEX_PUBLIC_USER:

  1. Start SQL*Plus, and connect to the database where Oracle Application Express is installed as SYS. For example:

    $ sqlplus sys/SYS_password as sysdba
    
  2. Enter the following SQL statement, where PASSWORD is the new password:

    ALTER USER APEX_PUBLIC_USER IDENTIFIED BY PASSWORD
    

5.5.2.3 Modifying the wdbsvr.app File in a New Installation

To create the DAD, modify the file wdbsvr.app, and add an entry for Oracle Application Express.

To modify the wdbsvr.app file:

  1. Using a text editor, open the file wdbsvr.app, which is in the path ORACLE_BASE/ORACLE_HTTPSERVER_HOME/modplsql/cfg/

  2. Add an entry for Oracle Application Express using the following syntax. Only change the settings indicated in italics.

    [DAD_htmldb]
    connect_string = localhost:1521:orcl
    password = apex
    username = apex_public_user
    default_page = apex
    document_table = wwv_flow_file_objects$
    document_path = docs
    document_proc = wwv_flow_file_mgr.process_download
    reuse = Yes
    enablesso = No
    stateful = STATELESS_RESET
    nls_lang = American_America.AL32UTF8
    

    Where:

    • connect_string refers to the host ID, port number, and Oracle9i database where Oracle Application Express was installed. Use the format host:port:sid.

      If you have an Oracle9i version of Oracle HTTP Server you want to use, and it is installed in the same Oracle home as the database you specified for use with Oracle Application Express, then leave this parameter blank.

    • password is the password for the Oracle Application Express ADMIN account you specified in "Changing the Password for the APEX_PUBLIC_USER Database User".

    • nls_lang determines the language setting of the DAD. The character set portion of the nls_lang value must always be set to AL32UTF8, regardless of whether or not the database character set is AL32UTF8.

      If either the territory portion or the language portion of the NLS settings contains a space, then you must wrap the value in double quotes, as shown in the following example:

      nls_lang = "ENGLISH_UNITED KINGDOM.AL32UTF8"
      

      You can find information about your database's NLS settings by querying the view NLS_DATABASE_PARAMETERS as shown in the following example:

      SELECT parameter,value
      FROM nls_database_parameters
      WHERE PARAMETER = 'NLS_CHARACTERSET';
      
  3. Leave the remaining settings, including the username setting, as they appear in the preceding example.

  4. Save and exit the wdbsvr.app file.

5.5.2.4 Modifying the Oracle9i httpd.conf File

You need to modify the httpd.conf file to include an alias that points to the file system path where you copied the images directory. You may also need to modify the httpd.conf file to add two new MIME types to support SQL Workshop.

To modify the httpd.conf file:

  1. Using a text editor, open the following file:

    ORACLE_BASE/Apache/Apache/conf/httpd.conf
    
  2. Add an alias entry that points to the file system path where you copied the images directory. For example:

    alias /i/ "/home/oracle/OraHome1/Apache/Apache/images/"
    
  3. Add the following lines to the httpd.conf file, if they are not already in the file:

    AddType text/xml xbl
    AddType text/x-component htc
    

    If you are upgrading from Oracle HTML DB 2.0, then these MIME types should be defined in the file already.

  4. Save and exit the httpd.conf file.

  5. Restart the Oracle HTTP Server with the changed DAD setting.

    To stop and restart the Oracle HTTP Server, enter commands using the following syntax, where ORACLE_BASE is the path to the Oracle base directory:

    ORACLE_BASE/Apache/Apache/bin/apachectl stop
    ORACLE_BASE/Apache/Apache/bin/apachectl start
    

    Note:

    If Oracle HTTP Server is set to listen on port 1024 or lower, then you must run the stop and start commands as a privileged user, such as root.

    See Also:

    Oracle HTTP Server Administrator's Guide

5.5.3 Configuring Oracle HTTP Server or Oracle Application Server in a New Installation

Oracle Application Express must have access to Oracle HTTP Server with mod_plsql. Perform the postinstallation steps in this section if one of the following conditions is true:

  • You are running Oracle HTTP Server 11g or Oracle Application Server 10g.

  • Oracle HTTP Server is installed in an Oracle home.

  • You have not previously configured Oracle HTTP Server to work with Oracle Application Express.

These instructions do not apply if you are running Oracle HTTP Server release 9.0.3. For more information on configuring Oracle HTTP Server release 9.0.3, see "Configuring Oracle HTTP Server in a New Installation".

If these instructions do apply to your installation, then complete the following steps:

Note:

Within the context of this section, the Apache home directory (ORACLE_HTTPSERVER_HOME) is the location where Oracle HTTP Server is installed.

5.5.3.1 Changing the Password for the ADMIN Account

You must change the password for the Oracle Application Express ADMIN account.

To change the password for the ADMIN account:

  1. Change your working directory to $ORACLE_HOME/apex.

  2. Start SQL*Plus and connect to the database where Oracle Application Express is installed as SYS. For example:

    $ sqlplus sys/SYS_password as sysdba
    
  3. Using the following syntax, enter the new password:

    > @apxxepwd.sql password
    

    For example, to change the password to apex1234:

    > @apxxepwd.sql apex1234
    

5.5.3.2 Unlocking the APEX_PUBLIC_USER Database User

When configuring Oracle HTTP Server for Oracle Application Express in a new installation, the database user APEX_PUBLIC_USER must be an unlocked account. To unlock the account for database user APEX_PUBLIC_USER, complete the following steps:

  1. Start SQL*Plus and connect to the database where Oracle Application Express is installed as SYS. For example:

    $ $ORACLE_HOME/bin/sqlplus 
    SQL> CONNECT SYS as SYSDBA
    Enter password: SYS_password
    
  2. Run the following command:

    SQL> ALTER USER APEX_PUBLIC_USER ACCOUNT UNLOCK
    

5.5.3.3 Changing the Password for the APEX_PUBLIC_USER Database User

To specify the password in the DAD file, use the following procedure to change the password for the database user APEX_PUBLIC_USER:

  1. Start SQL*Plus, and connect to the database where Oracle Application Express is installed as SYS. For example:

    $ sqlplus sys/SYS_password as sysdba
    
  2. Enter the following SQL statement, where PASSWORD is the new password:

    ALTER USER APEX_PUBLIC_USER IDENTIFIED BY PASSWORD
    

5.5.3.4 Edit the dads.conf File

If this is a new installation of Oracle Application Express, then you must edit the dads.conf file.

To edit the dads.conf file:

  1. Using a text editor, open the dads.conf file for your release:

    • Oracle Application Server 10g

      ORACLE_HTTPSERVER_HOME/Apache/modplsql/conf/dads.conf
      

      For example:

      $ vi /u01/product/oas/Apache/modplsql/conf/dads.conf
      
      
    • Oracle HTTP Server 11g:

      ORACLE_HTTPSERVER_HOME/ohs/modplsql/conf/dads.conf
      

      For example:

      $ vi /u01/product/oas/ohs/modplsql/conf/dads.conf
      
  2. Copy the following code text into the dads.conf file.

    In the text, replace the variables $ORACLE_HOME, host, port, service_name, and apex_public_user_password with values appropriate for your system. Note that apex_public_user_password is the password that you defined in the section "Changing the Password for the APEX_PUBLIC_USER Database User".

    Alias /i/ "ORACLE_BASE/ORACLE_HTTPSERVER_HOME/ohs/images"
    AddType text/xml       xbl
    AddType text/x-component       htc
     
    <Location /pls/apex>
     Order deny,allow
     PlsqlDocumentPath docs
     AllowOverride None
     PlsqlDocumentProcedure      wwv_flow_file_mgr.process_download
     PlsqlDatabaseConnectString  host:port:service_name ServiceNameFormat
     PlsqlNLSLanguage            AMERICAN_AMERICA.AL32UTF8
     PlsqlAuthenticationMode     Basic
     SetHandler                  pls_handler
     PlsqlDocumentTablename      wwv_flow_file_objects$
     PlsqlDatabaseUsername       APEX_PUBLIC_USER
     PlsqlDefaultPage            apex
     PlsqlDatabasePassword       apex_public_user_password
     Allow from all
    </Location>
    
  3. Locate the line containing PlsqlNLSLanguage.

    The PlsqlNLSLanguage setting determines the language setting of the DAD. The character set portion of the PlsqlNLSLanguage value must be set to AL32UTF8, regardless of whether or not the database character set is AL32UTF8. For example:

    PlsqlNLSLanguage            AMERICAN_AMERICA.AL32UTF8
    
  4. Save and exit the dads.conf file.

5.5.4 Stopping and Restarting Oracle HTTP Server

To stop and restart Oracle HTTP Server, run the following commands:

ORACLE_HTTPSERVER_HOME/opmn/bin/opmnctl stopproc ias-component=HTTP_Server
ORACLE_HTTPSERVER_HOME/opmn/bin/opmnctl startproc ias-component=HTTP_Server

5.5.5 Installing Oracle Application Express in Other Languages

The Oracle Application Express interface is translated into German, Spanish, French, Italian, Japanese, Korean, Brazilian Portuguese, Simplified Chinese, and Traditional Chinese. A single instance of Oracle Application Express can be installed with one or more of these translated versions. At runtime, each user's Web browser language settings determine the specific language version.

The translated version of Oracle Application Express should be loaded into a database that has a character set that can support the specific language. If you attempt to install a translated version of Oracle Application Express into a database that does support the character encoding of the language, the installation may fail or the translated Oracle Application Express instance may appear corrupt when run. The database character set AL32UTF8 supports all the translated versions of Oracle Application Express.

You can manually install translated versions of Oracle Application Express using SQL*Plus. The installation files are encoded in AL32UTF8.

Note:

Regardless of the target database character set, to install a translated version of Oracle Application Express, you must set the character set value of the NLS_LANG environment variable to AL32UTF8 prior to starting SQL*Plus.

The following examples illustrate valid NLS_LANG settings for loading Oracle Application Express translations:

American_America.AL32UTF8
Japanese_Japan.AL32UTF8

5.5.6 Installing a Translated Version of Oracle Application Express

Whether you are installing for the first time or upgrading from a previous release, you must run the script load_lang.sql to run a translated version of Oracle Application Express.

To install a translated version of Oracle Application Express:

  1. Set the NLS_LANG environment variable, making sure that the character set is AL32UTF8. For example:

    Bourne or Korn Shell

    $ NLS_LANG=American_America.AL32UTF8$ export NLS_LANG
    

    C Shell

    % setenv NLS_LANG American_America.AL32UTF8
    
  2. Start SQL*Plus and connect to the target database as SYS.

  3. Run the following statement:

    > ALTER SESSION SET CURRENT_SCHEMA = FLOWS_03000;
    
  4. Run the appropriate language specific script. For example:

    > @load_de.sql
    

    The installation scripts are located in subdirectories identified by a language code in the unzipped distribution $ORACLE_HOME/apex/builder. For example, the German version is located in $ORACLE_HOME/apex/builder/de and the Japanese version is located in $ORACLE_HOME/apex/builder/ja. Within each of these directories, there is a language loading script identified by the language code (for example, load_de.sql or load_ja.sql).

5.5.7 Managing JOB_QUEUE_PROCESSES

JOB_QUEUE_PROCESSES determines the maximum number of concurrently running jobs. In Oracle Application Express release 3.0, transactional support and SQL scripts require jobs. If JOB_QUEUE_PROCESSES is not enabled and working properly, then you cannot successfully run a script.

This section includes the following topics:

5.5.7.1 Viewing the Number of JOB_QUEUE_PROCESSES

You can view the number of number of JOB_QUEUE_PROCESSES using one of the following methods:

5.5.7.1.1 Viewing JOB_QUEUE_PROCESSES in the Installation Log File

After installing or upgrading Oracle Application Express to release 3.0, you can view the number of JOB_QUEUE_PROCESSES in the installation log files.

5.5.7.1.2 Viewing JOB_QUEUE_PROCESSES in Oracle Application Express

You can view the number of JOB_QUEUE_PROCESSES on the About Application Express page.To view the About Application Express page:

  1. Log in to Oracle Application Express.

  2. On the Administration list, click About Application Express.

    The current number JOB_QUEUE_PROCESSES displays at the bottom of the page.

5.5.7.1.3 Viewing JOB_QUEUE_PROCESSES from SQL*Plus

You can view the number of JOB_QUEUE_PROCESSES from SQL*Plus by running the following SQL statement:

> SELECT VALUE FROM v$parameter WHERE NAME = 'job_queue_processes'

5.5.7.2 Changing the Number of JOB_QUEUE_PROCESSES

You can change the number of JOB_QUEUE_PROCESSES by running a SQL statement in SQL*Plus, using the following procedure:

  1. Log in to the database as SYSDBA using SQL*Plus.

  2. In SQL*Plus run the following SQL statement, where the variable number represents the number of processes you want to set:

    > ALTER SYSTEM SET JOB_QUEUE_PROCESSES = number
    

    For example, running the statement ALTER SYSTEM SET JOB_QUEUE_PROCESSES = 20 sets JOB_QUEUE_PROCESSES to 20.

5.5.8 Obfuscating PlsqlDatabasePassword Parameter

The parameter PlsqlDatabasePassword specifies the password for logging in to the database. You can use the utility dadTool.pl to obfuscate passwords in the dads.conf file.

You can find the dadTool.pl utility in the following directory:

ORACLE_HTTPSERVER_HOME/ohs/modplsql/conf

5.5.8.1 Obfuscating Passwords

To obfuscate passwords, run dadTool.pl by following the instructions in the dadTool.README file.

5.5.9 Logging In to Oracle Application Express

You access the Oracle Application Express home page in a Web browser. To view or develop Oracle Application Express applications, the Web browser must support JavaScript and the HTML 4.0 and CSS 1.0 standards.

This section contains the following topics

5.5.9.1 Oracle Application Express User Roles

In the Oracle Application Express development environment, users log in to a shared work area called a workspace. Users are divided into four primary roles:

  • Workspace administrators are users who perform administrator tasks specific to a workspace such as managing user accounts, monitoring workspace activity, and viewing log files.

  • Developers are users who create and edit applications. Developers can have their own workspace or share a workspace.

  • End users have no development privileges. You define end users so that they can access applications that do not use an external authentication scheme.

  • Oracle Application Express administrators are superusers that manage an entire hosted instance using the Application Express Administration Services application.

5.5.9.2 Setting Up Your Local Environment

How you set up Oracle Application Express depends upon your user role. If you are a developer accessing a hosted development environment, then an administrator must grant you access to a workspace. If you are an Oracle Application Express administrator, then you must perform the following steps:

  1. Log in to Oracle Application Express Administration Services. Oracle Application Express Administration Services is a separate application for managing an entire Oracle Application Express instance. You log in using the ADMIN account and password created or reset during the installation process.

  2. Specify a provisioning mode. In Oracle Application Express Administration Services, you need to determine how the process of creating (or provisioning) a workspace will work in your development environment.

  3. Create a Workspace. A workspace is a virtual private database allowing multiple users to work within the same Oracle Application Express installation while keeping their objects, data and applications private. Each workspace has a unique ID and name. An Oracle Application Express administrator can create a workspace manually or have users submit requests.

  4. Log in to a Workspace. Once you create a workspace in Oracle Application Express Administration Services, return to the Oracle Application Express Login page and log in to that workspace.

    See Also:

    Oracle Database 2 Day + Application Express Developer's Guide or "Quick Start" on Oracle Database Application Express User's Guide

5.6 Enabling Network Services in Oracle Database 11g

By default, the ability to interact with network services is disabled in Oracle Database 11g release 1 (11.1). To use Oracle Application Express with Oracle Database 11g release 1 (11.1), you need to use the new DBMS_NETWORK_ACL_ADMIN package to grant connect privilege to any host for the FLOWS_03000 database user. Failing to grant these privileges results in issues with the following:

5.6.1 Granting Connect Privileges

The following example demonstrates how to grant connect privileges to any host for the FLOWS_03000 database user:

Note:

To run the examples, the compatible initialization parameter of the database must be set at least to 11.1.0.0.0. In Oracle 11g Database, the parameter is already set by default. However, you will have to set this parameter if you are upgrading to Oracle 11g Database from a prior version.

See Also:

"Creating and Configuring an Oracle Database" in the Oracle Database Administrator's Guide for information about changing database compatible initialization parameters
  SELECT ACL INTO ACL_PATH FROM DBA_NETWORK_ACLS
   WHERE HOST = '*' AND LOWER_PORT IS NULL AND UPPER_PORT IS NULL;
 
  -- Before checking the privilege, make sure that the ACL is valid
  -- (for example, does not contain stale references to dropped users).
  -- If it does, the following exception will be raised:
  --
  -- ORA-44416: Invalid ACL: Unresolved principal 'FLOWS_03000'
  -- ORA-06512: at "XDB.DBMS_XDBZ", line ...
  --
  SELECT SYS_OP_R2O(extractValue(P.RES, '/Resource/XMLRef')) INTO ACL_ID
    FROM XDB.XDB$ACL A, PATH_VIEW P
   WHERE extractValue(P.RES, '/Resource/XMLRef') = REF(A) AND
         EQUALS_PATH(P.RES, ACL_PATH) = 1;
 
  DBMS_XDBZ.ValidateACL(ACL_ID);
   IF DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE(ACL_PATH, 'FLOWS_03000', 
     'connect') IS NULL THEN 
      DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(ACL_PATH, 
     'FLOWS_03000', TRUE, 'connect'); 
  END IF;
 
EXCEPTION
  -- When no ACL has been assigned to '*'.
  WHEN NO_DATA_FOUND THEN
  DBMS_NETWORK_ACL_ADMIN.CREATE_ACL('power_users.xml',
    'ACL that lets power users to connect to everywhere',
    'FLOWS_03000', TRUE, 'connect');
  DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL('power_users.xml','*');
END;
/
COMMIT;

5.7 Troubleshooting an Invalid ACL Error

If you receive the error ORA-44416: Invalid ACL, then use the following query to identify the invalid access control list (ACL):

REM Show the dangling references to dropped users in the ACL that is assigned
REM to '*'.
 
SELECT ACL, PRINCIPAL
  FROM DBA_NETWORK_ACLS NACL, XDS_ACE ACE
 WHERE HOST = '*' AND LOWER_PORT IS NULL AND UPPER_PORT IS NULL AND
       NACL.ACLID = ACE.ACLID AND
       NOT EXISTS (SELECT NULL FROM ALL_USERS WHERE USERNAME = PRINCIPAL);
 

After you identify the invalid ACL, run the following script to fix the ACL:

DECLARE
  ACL_ID   RAW(16);
  CNT      NUMBER;
BEGIN
 
  -- Look for the object ID of the ACL currently assigned to '*'
  SELECT ACLID INTO ACL_ID FROM DBA_NETWORK_ACLS
   WHERE HOST = '*' AND LOWER_PORT IS NULL AND UPPER_PORT IS NULL;
 
  -- If just some users referenced in the ACL are invalid, remove just those
  -- users in the ACL. Otherwise, drop the ACL completely.
  SELECT COUNT(PRINCIPAL) INTO CNT FROM XDS_ACE
   WHERE ACLID = ACL_ID AND
         EXISTS (SELECT NULL FROM ALL_USERS WHERE USERNAME = PRINCIPAL);
 
  IF (CNT > 0) THEN
 
    FOR R IN (SELECT PRINCIPAL FROM XDS_ACE
               WHERE ACLID = ACL_ID AND
                     NOT EXISTS (SELECT NULL FROM ALL_USERS
                                  WHERE USERNAME = PRINCIPAL)) LOOP
      UPDATE XDB.XDB$ACL
         SET OBJECT_VALUE =
               DELETEXML(OBJECT_VALUE,
                         '/ACL/ACE[PRINCIPAL="'||R.PRINCIPAL||'"]')
       WHERE OBJECT_ID = ACL_ID;
    END LOOP;
 
  ELSE
    DELETE FROM XDB.XDB$ACL WHERE OBJECT_ID = ACL_ID;
  END IF;
 
END;
/
 
REM commit the changes.
 
COMMIT;

When the ACL has been fixed, run the first script in this section to apply the ACL to the FLOWS_03000 user. See "Granting Connect Privileges".