10 Manual Patching of Oracle Fusion Applications During Offline Patching

This chapter describes how Oracle Fusion Applications Patch Manager (Patch Manager) supports the patching of middleware and database artifacts. It also provides detailed steps for the manual deployment of artifacts, if needed.

The following topics are discussed:

Oracle Fusion Applications Patch Manager Middleware Artifact Support

The online mode of Oracle Fusion Applications Patch Manager (Patch Manager) supports most of the deployment actions required for patching middleware and database artifacts used by Oracle Fusion Applications. Depending on the type of artifact included in a patch, the artifact deployment may require manual actions. Some manual actions are required only if the patch is applied in offline mode, while others are always required. Before applying any patch, Oracle recommends to run the Patch Impact report to determine which artifact types are included in the patch and if manual actions are required by the patch. For more information, see the Patch Impact Report section.

Table 10-1 provides a quick reference that depicts how Patch Manager supports the Oracle Fusion Middleware artifacts that could be included in a patch. This table assumes that online patching is used unless otherwise specified.

An explanation of the information presented in this table follows:

Automated Actions Performed by Patch Manager

Patch Manager always copies the artifacts from the patch to the appropriate location on the system. This column describes additional actions that are performed automatically in online mode for each artifact.
Actions to Be Performed Manually in Online Mode

This column describes the actions that must be performed when the patch includes the specified artifact. These actions are described in more detail in this section.
Actions to Be Performed Manually in Offline Mode and in the Case of Failures

This column describes the actions that must be performed when the patch includes the specified artifact and the patch is applied in offline mode. If the patch is applied in online mode and there is a failure, these actions may also be required.
What Must Be Running During Online Patching Mode and Manual Actions

This column describes what must be running while applying the patch in online mode and when manual actions are performed.

After applying a patch, review the Diagnostics report to find out which manual steps are required for the artifacts included in the patch and where the artifacts were copied in FA_ORACLE_HOME. For more information, see the Diagnostics Report section. For more detailed information about manual actions for each artifact, refer to the relevant sections in this chapter.

The following table describes the Oracle Fusion Middleware artifacts:

Table 10-1 Oracle Fusion Middleware Artifacts Supported by Oracle Fusion Applications Patch Manager

Artifact Type	Automated Actions Performed by Oracle Fusion Applications Patch Manager	Actions to Be Performed Manually in Online Mode	Actions to Be Performed Manually in Offline Mode and in the Case of Failures	What Must Be Running During Online Patching Mode and Manual Actions
Applications Help Content (AHC)	Stop and start the HelpPortalServer for the Common Domain	None	Stop and start the HelpPortalServer for the Common Domain	Domain Administration Server, Node Manager, database, HelpPortalServer
Applications Policies (`system-jazn-data.xml`)	Deploy using the `patchPolicyStore` silent install command for JAZN	None	Deploy using Oracle Authorization Policy Manager	Oracle Authorization Policy Manager, OPSS Security Store
B2B Metadata	Deploy trading partner agreements	None	Deploy agreements if the change needs to be implemented	Database
Oracle Business Intelligence Publisher (Reports and Captions)	Shut down the BI Presentation server, deploy to the Business Intelligence repository using Catalog Manager, and start the BI Presentation server after patching	None	Shut down the BI Presentation server, deploy to the Business Intelligence repository using Catalog Manager, and start the BI Presentation server after patching	None
Oracle Business Process Management (Oracle BPM) Template	Publish template to the Oracle Metadata Services (MDS) repository	None	Publish template to the MDS repository	Database
C Artifact	None	None	None	Database must be running. Oracle Enterprise Scheduler Service server must be down.
Common Resource (Activity Strings)	None	Stop and start all Managed Servers in all domains after patching	Stop and start all Managed Servers in all domains after patching	Administration Server, Node Manager, database
Data Security	Run the `DSDataMigrator` utility to reconcile GUID in LDAP	None	Run the `DSDataMigrator` utility to reconcile GUID in LDAP	OPSS Security Store, database
Diagnostic Testing Framework JAR	None	None	None	None
E-Mail and Web Marketing (EWM)	Start and stop the relevant servers that host the Java EE application	None	Start and stop the relevant servers that host the Java EE application	Administration Server, Node Manager, database
Fatp JAR	Stop and start the relevant servers that host the Java EE application	None	Stop and start the relevant servers that host the Java EE application	Administration Server, Node Manager, database
Fatp C	None	None	None	Database must be running. Oracle Enterprise Scheduler Service server must be down.
Fatp directory	None	None	None	None
Flexfield	Stop and start the FNDSETUP Managed Servers and then deploy the flexfield	None	Stop and start the FNDSETUP Managed Servers and then deploy the flexfield	Administration Server, Managed Servers hosting `FndSetup` application, database
Group Space Template	Deploy template	None	Deploy template	WebCenter Managed Servers (`WC_Spaces, WC_Collaboration`), `ucm_server1`, OPSS Security Store, database
Image Routing (IPM)	Deploy to IPM servers	None	Deploy to IPM servers	See prerequisites in the Patch Image and Process Management (IPM) Artifacts in Offline Mode section
Java EE	Stop and start the relevant servers that host the Java EE application	None	Stop and start the relevant servers that host the Java EE application	Administration Server, Node Manager, database
Mobile Artifacts (MOBILE and MOBILESCRIPT)	Import MAF Artifact Archive (.maa) file into MDS	None	Start Common Domain Administration Server, CRM Domain Administration Server, SalesServer, and CRMCommonServer. Call the WLST command to import the mobile files.	Common Domain Administration Server, CRM Domain Administration Servier, SalesServer, CRMCommonServer
Oracle Data Integrator (ODI)	Import to ODI repository	None	Import to ODI repository	ODI repository import tool, database
Oracle Fusion Applications Patch Manager	None	Apply the patch with OPatch	Apply the patch with OPatch	None
Data Role Template (RGX)	Deploy the template	None	Deploy the template	Administration Server, Oracle Authorization Policy Manager, database
SOA Composite	Deploy and merge	Preserve any JDeveloper customizations	Deploy and merge	Administration Server, SOA-INFRA Managed Servers, database
SOAEXTENSION	None	Stop and restart all SOA-INFRA Managed Servers in all domains	Stop and restart all SOA-INFRA Managed Servers in all domains	None
SOA Resource Bundle	Deploy resource bundle and restart dependent composites	Reset SOA-INFRA `MBean` property if resource bundle contains human task-mapped attribute labels and standard view names	Deploy resource bundle and restart dependent composites	Administration Server, SOA-INFRA Managed Servers, Node Manager, database
SPE Inline Service	Deploy SPE files	None	Deploy SPE files	Oracle BI Server, database

Oracle Fusion Applications Patch Manager Database Artifact Support

The following table provides a quick reference that displays the Oracle Fusion Applications database artifacts that could be included in a patch. Database artifacts typically do not require manual actions be performed during online mode, as they are copied and deployed automatically in online mode. In offline mode, database artifacts are copied but they are not deployed. Before patching database artifacts, the database must be in an idle state with no locks being held on any of the database objects. All background jobs, including jobs in the database, must be terminated before patching to avoid locks on patched objects. There should not be any active processes, such as Oracle Enterprise Scheduler Service jobs running against the database. This is to prevent locking and other data issues during patching.

The following table describes the Oracle Fusion Database artifacts:

Table 10-2 Oracle Fusion Applications Database Artifacts Supported by Oracle Fusion Applications Patch Manager

Artifact Type	Description	Actions to be Performed Manually
Applications Seed Data (XML,XLIFF files)	Examples include static lists of values, functional or error messages, and lookup values. Any non-transactional data values loaded into the database can be considered seed data	Oracle recommends that patches containing seed data be applied from a machine that is co-located in the same subnetwork as the database server to maximize performance
Applications Database schema changes (SXML)	Examples include tables, triggers, views, sequences, synonyms, queues, queue tables, policies, and contexts	None
PL/SQL objects (pkh, pkb files)	Package headers and bodies	Manually shut down the Oracle Enterprise Scheduler Service servers before applying patches that contain PL/SQL changes
SQL scripts	Scripts that update the database	None

Patch Applications Help Content (AHC) Artifacts

Oracle recommends to patch AHC artifacts in online mode. When AHC artifacts are patched in online mode, no manual steps are required, except to ensure that the following are running:

Administration Server for the Common Domain
Node manager
Database
HelpPortalServer (In the case of Scaled out server any one of the servers must be up)

In offline mode, the impacted Managed Servers that host the FndSetup.ear application, such as the HelpPortalServer, must be manually stopped, patched, and restarted. To determine which product family is affected by the patch being applied, run the Patch Impact report. For more information, see the Patch Impact Report section. The Patch Impact report indicates the domain and the corresponding managed server that will be impacted by this patch. Examples of artifacts in this category include the accompanying graphics and PDF files referenced by the content in the Seed Data Framework (SDF) files.

Patch Oracle B2B Metadata in Offline Mode

Oracle recommends to patch Oracle B2B metadata in online mode. When updates to Oracle B2B metadata are introduced in a patch, no manual steps are required in online mode to redeploy all Trading Partner Agreements that are affected by the metadata change.

When a patch containing Oracle B2B metada updates is applied in offline mode, and the change is implemented, Trading Partner Agreements that are affected by the metadata change must be manually redeployed. If the redeployment is not performed, the runtime continues to use the older metadata. The agreements can be deployed using the B2B User Interface (UI) or by running the b2bdeploy utility from the command line.

Deploy Agreements from the User Interface

To deploy all agreements from the UI, follow the steps in ”Deploying an Agreement" in the User's Guide for Oracle B2B.

Deploy Agreements from the Command Line

To import the patched metadata and deploy the agreements, follow these steps:

Follow the steps in the Prerequisites for Running the Command-line Tools section in User's Guide for Oracle B2B with one exception. In Step 2 under "Create jndi.properties", this command must be used:
```
cd FMW_HOME/soa/bin
```
instead of this command:
```
cd $ORACLE_HOME\bin
```
Export the entire repository for backup purposes. Before running the following command, set ANT_HOME to /APPTOP/fusionapps/modules/org.apache.ant_1.7.1 and set the PATH to include ANT_HOME/bin.
```
ant -f ant-b2b-util.xml b2bexport -Dexportfile=/local_directory/backup_export.zip
```

Import the patched export file.

ant -f ant-b2b-util.xml b2bimport -Dexportfile=/local_directory/patch_export.zip -Dlocalfile=true -Doverwrite=true

Run the b2bdeploy command. If there is no Trading Partner Agreement found, this step is not needed.
```
ant -f ant-b2b-util.xml b2bdeploy -
Dtpanames="Agreement_name,Agreement_name"
```
If the patch introduces new documents for Trading Partner agreements, the document definition must be added.

Patch Oracle Business Intelligence Publisher Artifacts in Offline Mode

When the Oracle Business Intelligence Publisher (BI Publisher) artifacts (Reports and Captions) are patched in online mode, Patch Manager shuts down the BI Presentation Server before the patch applies and restarts it after successful patch application. No manual steps are required in online patching mode. If the shutdown of this server fails for any reason, the BI Publisher artifacts must be manually deployed.

Oracle recommends not to use offline mode when a patch contains BI Publisher artifacts. If applying a patch in offline mode is decided, the changes to the Oracle Business Intelligence repository must be manually deployed, in addition to stopping and restarting the BI Presentation server. These manual steps are required to keep the Oracle home and the Oracle Instance versions of the Oracle Business Intelligence Presentation Catalog synchronized. If these manual steps are not followed as described, subsequent patches containing BI Publisher artifacts may fail.

Perform the following steps to manually deploy BI Publisher artifact after applying a patch in offline mode:

The opmn process must be running. Follow these steps:
1. To verify if the process is running, go to the FA_ORACLE_HOME/instance/BIInstance/bin directory and run this command:
```
opmnctl status
```
2. If the opmn process is not Alive, start it with this command:
```
opmnctl start 
```
Patch Manager must have copied one or more Oracle BI Presentation Catalog files into the Oracle home-based catalog.
Within the patch, there are some catalog diff files. These files are used with the Oracle Business Intelligence Catalog Manager tool to apply changes to a catalog. These changes must be applied to:
- The run-time, or Oracle Instance, Oracle BI Presentation Catalog
- The Oracle home Oracle BI Presentation Catalog
Special care must be taken when the patch being applied is a standard patch. With a standard patch, OPatch may choose to copy only a subset of the total files in the patch archive.

Before performing the following steps, first determine exactly which files were actually copied to the Oracle home during the OPatch apply stage. Review the Patch Impact report to get this list of files. Capture the list of files from the messages sent to the console and to the FAPatchManager_apply_timestamp.log file.

After the list is done, apply only the diff files that correspond to the files that were actually copied to the Oracle home. The diff files are named the same as the original files, except they have a .diff extension added. If additional diff files are applied beyond the files that were actually copied to the Oracle home, then previous patch updates may be undone and the Oracle BI Presentation Catalog may be in an unsupportable state. Basically, a previous patch have been partially rolled back.
Shut down the BI Presentation server.
Unzip the middleware portion of the patch, the OPatch archive file, into a temporary location, such as C:\patch. To see which files are included in the patch, run the Patch Impact report. For more information, see the Patch Impact Report section.
Using the example in the previous step, go to the C:\patch\custom\scripts directory.
Locate the Catalog Manager diff files listed in the subdirectories under the directory in the previous step. These files have .diff extensions. This is referred to as diff_file_location in subsequent steps.
Use Catalog Manager to apply each of these diff files to the Oracle home Oracle BI Presentation Catalog, using the following commands:
1. Create the Catalog Manager patch file, as follows:
```
oracle-instance/runcat.sh -cmd createPatch -inputFile diff_file_location
 -production webcat_location -outputFile webcat_patch.out -winsConflict latest
```
  - diff_file_location refers to the file from the previous step
  - webcat_location is the Oracle home Oracle BI Presentation Catalog location
  - webcat_patch.out is a temporary file created by this step and used in Step 5b
    
    Example of oracle-instance on Unix:
```
APPLICATIONS_BASE/instance/BIInstance/bifoundation
/OracleBIPresentationServicesComponent/coreapplication_obips1/catalogmanager
```
2. Apply the Catalog Manager patch file, as follows:
```
oracle-instance/runcat.cmd -cmd applyPatch -inputFile webcat_patch.out
-outputFile  -persistNewApplicationsRoles webcat_applypatch.out
```
  - webcat_patch.out is the file created in Step 5a
  - webcat_applypatch.out is the output file from this deployment process
Repeat the previous step for the run-time catalog.

Restart the Oracle Business Intelligence system components using opmnctl:

cd APPLICATIONS_CONFIG/BIInstance/bin/opmnctl
./opmnctl stopall
./opmnctl startall

For more information, see the ”Starting and Stopping Oracle Business Intelligence" section in the System Administrator's Guide for Oracle Business Intelligence Enterprise Edition.

Patching Oracle Business Process Management (Oracle BPM) Templates in Offline Mode

Oracle recommends to patch Oracle BPM templates in online mode. When updates to Oracle BPM templates are introduced in a patch, no manual steps are required in online mode to publish the new Oracle BPM Template to the Oracle Metadata Services (MDS) repository.

If a patch containing updates to Oracle BPM templates is applied in offline mode, the new Oracle BPM Template must be manually published to the Oracle MDS repository supporting the Oracle BPM Composer instance after the patch is applied. Use the publish_template WebLogic Scripting Tool (WLST) command from the WLST shell. The WLST publish_template command connects to the SOA MDS data using the mds-config.xml configuration file created. Provide the location of the mds-config.xml configuration file as one of the input parameters of the publish_template command.

Perform the following steps to create the mds-config.xml configuration file:

Copy the mds-config-template.xml file from the SOA server installation to a local directory, as follows:
```
cp SOA_ORACLE_HOME/bpm/config/mds-config-template.xml /local_directory/mds-config.xml
```
Modify the following properties in the recently copied file to the temporary directory:
1. Set jdbc.userid to the database user name of the SOA MDS database
2. Set jdbc.passwd to the database password of the SOA MDS database
3. Set jdbc.url to the connection URL of the SOA MDS database, for example, jdbc:oracle:thin:@host2:1525:mds
4. Set partition.name to obpm

Perform the following steps to publish the new Oracle BPM template to the MDS repository:

Review the Diagnostics report to find the location of the archive file that contains the BPM template. For more information, see the Diagnostics Report section.
Expand the archive that contains the new BPM template, so the publish_template command can find the template, as follows:
1. Create or use an existing local directory.
2. Untar the patched archive file, as shown in this example:
```
cd /local_directory
mkdir preboardWorker
cd preboardWorker
jar xf FA_ORACLE_HOME/hcm/deploy/bta_HcmCommonProcessesPreboardWorkerComposite.jar
```

Access the WLST shell, as follows:

(UNIX) SOA_ORACLE_HOME/common/bin/wlst.sh

Deploy the Oracle BPM template, passing the temporary directory, /local_directory/preboardWorker, as the directory containing the template in the example in Step 2.
Generic command syntax follows:
```
publish_template(templateName, fsLocation, mdsconfigLocation, [Override], [oracleHome] )
```
Note that the publish_template command simply updates the existing Oracle BPM template with a newer version. It has no impact on the projects deployed or instantiated from the existing template.

For more information about the publish_template command syntax, see the ”publish_template" section in the WLST Command Reference for WebLogic Server.

Patch C Artifacts

When updates to C artifacts are introduced in a patch, no manual steps are required in either online or offline mode. Note that before applying C artifacts, all C executable files and the Oracle Enterprise Scheduler Service servers that host the C files must be shut down and the database must be running.

Patching Common Resource (Activity Strings) Artifacts

When updates to Common Resource artifacts are introduced in a patch, the Administration Server, Node Manager, and database must be running. Stop and restart all Managed Servers in all domains after the patch is applied.

Patch Customized Seed Data

A conflict between Oracle supplied seed data and customized seed data may occur when applying a patch that uploads seed data. The following types of conflicts may occur:

When uploaded seed data conflicts with a primary unique index, the customer record is preserved and the Oracle seed data is not uploaded.
When uploaded seed data conflicts with a non-primary unique index, a uniqueness violation occurs and an automatic conflict resolution feature prevents a seed data upload failure by appending numeric values, such as _1, _2, _3, to the display value.

For more information, see the Understand the Impact of Automatic Conflict Resolution for Seed Data section.

Patch Diagnostic Test Framework (DTF) JAR Files

No manual steps are required when patching DTF artifacts in either online or offline mode.

Patch E-Mail and Web Marketing (EWM) Artifacts

Oracle recommends to patch EWM artifacts in online mode. When updates to EWM artifacts are introduced in a patch, no manual steps are required in online mode. In offline mode, follow the steps in mentioned in the Patch Java EE Artifacts section.

Patch Flexfield Artifacts

Oracle recommends to patch flexfield artifacts in online mode. When flexfield changes are introduced in a patch, no manual steps are required to automatically deploy the flexfields in online mode, except to ensure that the following are running:

Administration Server
Managed Servers that host the FndSetup application
Database

Users must log out and log in after a successful patch application to see the latest flexfield changes because flexfields reload upon user logout and login. If the changes to a flexfield are not implemented, it is possible to revert to a previous version of a flexfield. For more information, consult following links:

Manually Deploy of Patched Flexfields

Follow these steps when patching flexfields in offline mode to manually deploy the patched flexfield:

Ensure that the Administration Server and database are running.
Stop and start the FNDSETUP Managed Servers. For more information, see the “Starting and Stopping Components” section in the Oracle Fusion Applications Administrator's Guide.
Connect to the Oracle WebLogic Server Administration Server for the domain that hosts the FndSetup application. This is typically the Common Domain.
Run the deployPatchedFlex() WLST command. As this is run on a domain that hosts the FndSetup Application, this application within the parentheses do not have to be specified. However, the FndSetup application must be running for the command to succeed.

Example:
```
connect('weblogic' , 'weblogic1' , 't3://localhost:7101')
deployPatchedFlex()
```
Review the report for errors.

Example of confirmation that flexfield changes were successfully deployed

As an example, assume that the patch delivered a new flexfield segment to the Calculation Defaults in Payroll Definitions. To confirm that the new flexfield segment was successfully deployed, follow these steps in the Payroll application:

From the Oracle Fusion Payroll application, select Manage Payroll Definition.
Click the Create a New Payroll icon.
Select a Legislative Data Group.
Confirm that the new flexfield segment appears under Calculation Defaults.

Perform Flexfield NameSpaces Merge

If a patch is applied in offline mode that includes flexfield changes that require a NameSpaces merge, the manual steps in this section must be manually performed, as follows:

Stop the managed servers that host the FNDSETUP application.
Run the following script: APPLICATIONS_BASE/fusionapps/atgpf/atgpf/bin/flex_namespaces_merge.py
Start the managed servers that host the FNDSETUP application.

Patch Group Space Templates

When a Group Space template is included in a patch, the patch introduces a new template with a version number attached, which is unlike other artifacts where the patched version replaces the existing one. If any customizations are on the template that the patched version will replace, the customizations must be manually incorporated in the new version of the template. If there are any settings or configurations that refer to the Group Space template name, ensure to update these to reflect the new template name. For all WebCenter services configured in a Group Space template, ensure that connections are configured properly.

Oracle recommends to patch Group Space templates in online mode. When updates to Group Space templates are introduced in a patch and the template included in the patch has not been customized, no manual steps are required in online mode, except to ensure that the following servers must be running:

WebCenter Managed and Servers: WC_Spaces, WC_Utilities
Oracle UCM Managed Server: ucm_server1
LDAP Policy Store Server

Manually Deploy Group Space Templates

In offline mode, or in the case of failure, the new Group Space template must be manually deployed using the importGroupSpace WLST command.

Ensure that the following WebCenter Managed Servers are running:
- WebCenter Managed Servers: WC_Spaces, WC_Utilities
- Oracle UCM Managed Server: ucm_server1
- LDAP Policy Store Server
Access the WLST shell from the Oracle home where WebCenter is installed, using the following command:
```
(UNIX) WC_ORACLE_HOME/common/bin/wlst.sh
```
Deploy the Group Space template, using the following command:
```
importGroupSpaces('appName', 'fileName')
```
The appName is always webcenter and the fileName is the name of the WebCenter archive file, from the patch to be imported. Refer to the Diagnostics report to get the full path and file name. For more information, see the Diagnostics Report section.

Patch Image and Process Management (IPM) Artifacts in Offline Mode

Oracle recommends to patch IPM artifacts in online mode. When updates to IPM artifacts are introduced in a patch, no manual steps are required in online mode, other than ensuring all prerequisites are met. In offline mode, the IPM artifacts must be manually deployed.

Perform the following steps to manually deploy IPM artifacts:

The opmn processes must be running. Follow these steps:
1. To verify if the process is running, go to the FA_ORACLE_HOME/CommonDomain_webtier directory and run this command:
```
opmnctl status
```
2. If the opmn process is not Alive, start it with this command:
```
opmnctl start 
```
The imaging application must be running. The format for the IPM URL is http://host name:Port/imaging/.
The Financials SOA server (soa_server1) must be running.
The Financials Payables Invoice and Expense Report SOA composites must have been successfully deployed and be in an active state.
The FIN wsm-pm application must be in an active state, which means the FinancialCommon server must be running.
The IPM to UCM connection, "Fusion Applications UCM Connection", must exist.
The IPM to SOA connection, "Financial SOA Connection", must exist.
The IPM Input should be set to Offline from the Manage Inputs section of the IPM UI. For example, select Invoices under Manage Inputs and then deselect Online under Basic Information.
Follow these steps to back up the existing IPM application definition:
1. Log in to the IPM server as the IPM super user.
2. From Tools, select Export Definitions.
3. Export the Oracle Fusion Payables Application and Expenses Application, all related searches, and inputs to a local file.
Review the Diagnostics report to find the location of the IPM artifacts that were copied to FA_ORACLE_HOME. For more information, see the Online Patch Progress Report and Diagnostics Report section.

Access the WLST shell, as follows:

(UNIX) ECM_ORACLE_HOME/common/bin/wlst.sh

Deploy the IPM artifact, as follows:

connect(IPM Server user name,IPM Server password,IPM Server hostname:port)
importIPMApplication(ipmAppFile,'Update',appDefName,'None');
importIPMInput(ipmAppFile,'Update',inputDefName);

Example:

connect('FAadmin','fusion','t3://IPMserver01.mycompany.com:17014');

importIPMApplication(exportFile='/net/server01/fusionapps/applications/fin/ap/ipm/ApInvoiceIpmApp.xml',
action='Update', name='Payables Invoice Application','None')

importIPMInput(exportFile='/net/server01/fusionapps/applications/fin/ap/ipm/ApInvoiceIpmApp.xml', 
action='Update', name='Payables Invoice Input')

If applicable, perform the customizations on the new file, based on the exported file.

PatchJava EE Artifacts

Oracle recommends to you patch Java EE artifacts in online mode. When Java EE artifacts are patched in online mode, no manual steps are required, except to ensure that the following are running:

Administration Server
Node manager
Database

In offline mode, manually stop, patch, and restart the impacted Managed Servers that host the Java EE application. To determine which product family is affected by the patch being applied, run the Patch Impact report. For more information, see the Run the Patch Impact Report section. For example, if the Patch Impact report indicates that the patch updates a Java EE artifact in the Financials Domain, then the Financials Domain must be stopped, apply the patch, and then start the Financials Domain after the patch applies successfully. Examples of artifacts in this category include Oracle ADF Resource JAR files and Oracle Enterprise Scheduler Service MAR files.

Patch JEECONFIG Artifacts

Oracle recommends to patch JEECONFIG artifacts in online mode. When JEECONFIG artifacts are patched in online mode, no manual steps are required, except to ensure that the following are running:

Administration Server
Node manager
Database
Impacted Managed Servers

Also, the JEECONFIG application should be in an active state.

In offline mode, manually stop, patch, and restart the impacted Managed Servers that host the JEECONFIG application. To determine which product family is affected by the patch being applied, run the Patch Impact report. For more information, see the Run the Patch Impact Report section. After bouncing the servers manually invoke the CrmExtnUpgradeMBean mbean from the Administration Server of the impacted domains.

For more information about stopping and starting servers, see the "Starting and Stopping an Oracle WebLogic Server Domain for a Product Family" section in the Oracle Fusion Applications Administrator's Guide.

Patching Mobile and Mobile Script Artifacts

Oracle recommends to patch Mobile and Mobile Script artifacts in online mode. When Mobile and Mobile Script artifacts are introduced in a patch, no manual steps are required to automatically import the mobile files into MDS in online mode, except to ensure that the following are running:

Administration Server
Database

To perform the validation for these artifacts, Fusion Applications Patch Manager must be run in online validate mode. In this mode, Patch Manager calls the corresponding python script from the patch to check for the availability of servers which are required to patch these artifacts. After the online validation completes successfully, the patch can be applied in online mode.

Manually Importing Mobile Artifacts into MDS

If the patch is applied in offline mode, perform the following steps to manually import Mobile artifacts into MDS:

Ensure the following servers are up and running:
- Common Domain Administration Server
- CRM Domain Administration Server
- SalesServer (In the case of high availability servers, any one instance must be up)
- CRMCommonServer
Confirm that Patch Panager copied one or more Mobile artifacts and the corresponding Mobiles Script artifact into the respective product family directory, as shown in the following examples:
- Mobile Artifact - FA_ORACLE_HOME/crm/mobile/deploy
- MobileScript Artifact - FA_ORACLE_HOME/crm/mobile/script
Run the following command to import the files:
```
$MW_HOME/oracle_common/common/bin ./wlst.sh FA_ORACLE_HOME/crm/mobile/script/OracleSalesCloudMobileArchiveImport.py $FA_ORACLE_HOME wls_host_name wls_admin_port_no wls_admin_user [apply|validate]
```
Provide the wls_admin_password on the command line. Note that the last parameter, ["apply" or "validate"] is optional. If no value is specified, the script runs in apply mode.

Patch Oracle Data Integrator (ODI) Artifacts

Oracle recommends to patch ODI artifacts in online mode. When updates to ODI artifacts are introduced in a patch, Patch Manager imports the ODI changes in online mode. If ODI artifacts are patched in offline mode, the changed ODI content must be manually imported to the ODI repository. In both online and offline modes, the ODI repository import tool and the database must be running.

Oracle Fusion Applications Provisioning does not install ODI Studio. ODI Studio must be installed before manually importing ODI changes. Therefore, ODI Studio must be installed before applying the patches that deliver ODI changes in offline mode or when a failed ODI import step is required to be manually retried in online mode.

Manually Importing ODI Changes

Oracle recommends that the ODI import be performed from a machine that is co-located in the same subnetwork as the database server to maximize performance. The following steps shows the instruction for the Manual Import ODI Changes:

Review the instructions in the patch README file to determine which ODI Project or Model must be deleted and imported again. The patch README file contains a list of the ODI files that are included in the patch, in the order that they must be imported.
Review the Diagnostics report to determine the location and file name for each ODI artifact that is to be imported. For more information, see the Online Patch Progress Report and Diagnostics Report section.
Start the ODI Studio, as follows:
```
(UNIX) odi.sh
```
Access the ODI Studio. Follow these steps:
1. Select View, then ODI Designer Navigator.
2. Click Connect to Repository.
3. Log in using the super user name and password for the ODI repository.
Delete the Model or Project if specified in the patch README file. The README file specifies whether any Model or Project must be deleted and in what order.

Right-click the Model or Project name and click Delete.
Import the ODI files in the order they are listed in the patch README file. Follow these steps:
1. To import a project, right-click the Project name and click Import, then Import Project.
2. To import a model, right-click the Model name and click Import, then Import Model.
3. Select Synonym Mode INSERT_UPDATE from the list in the Import Dialog window.
4. For the File Import directory, select the directory that contains the ODI file to be imported.
5. Select the ODI file to import.
6. Click OK to import.
Repeat Steps 5 and 6 for each Model or Project in the patch.
Close the ODI Studio after importing all the files in the order specified in the patch README file.

Patch Oracle Forms Recognition and Oracle Document Capture Artifacts

Oracle Forms Recognition (OFR) and Oracle Document Capture (ODC) artifacts are used only by Windows. When a patch that contains OFR and ODC artifacts is applied, Patch Manager backs up the customized files, if any, before copying the new files to FA_ORACLE_HOME., the OFR and ODC artifacts that were delivered in the patch must be manually installed. If the OFR and ODC have not been installed, refer to the Set Up Oracle Document Capture and Oracle Forms Recognition section in the Oracle Fusion Applications Installation Guide for the installation steps. Then return to this section for patching.

Install OFR Artifacts

If the AP_Packaged_Project_1004a.ini file was previously customized, then this file should not be installed from the patch as the patch delivers it. Instead keep the existing file and copy the file from the patch to a directory with a different name. Then compare the files and manually update the existing file with the changes to preserve the customizations, as follows:

Review the Patch Impact report to find the location of the files related to OFR.
Rename the file AP_Packaged_Project_1004a.ini to another name as a backup and copy APPLICATIONS_BASE/fusionapps/fin/ap/ofr/AP_Packaged_Project_1004a.ini to a new file on the Windows environment.
Move this .ini file to the OFR AP Project directory, which is located in the OFR directory structure, Projects\AP\Global (for example, C:\Program Files\OFR\Projects\AP\Global). If the existing AP_Packaged_Projects_1004a.ini file is in this location, rename it to a backup file.
Create a data link:
1. Click the Windows Start menu button.
2. Select Run.
3. Enter Notepad into the Open field and click OK.
  
  Do not right click on the desktop to create a new file. Windows will assign a hidden file type to the file that will interfere with the following steps.
4. Click File - Save.
5. Navigate to the Desktop folder.
6. In the File name field, enter the following, including quote marks: "odbc_dns.udl". Substitute the actual ODBC data source name for odbc_dns. The data source name can be found by opening the Control Panel, then Administrative Tools, and Data Source (ODBC).
7. Click Save.
8. Find the file on the desktop and double-click it to open the Data Link Properties dialog. If a text file is opened instead, go back and carefully follow the instructions for creating this file again.
9. Set Data Source: ODBC data source name
10. Select the Use a specific user name and password option.
11. Enter the READ-ONLY user name and password
12. Select the Allow saving password option.
13. Select Test Connection.
14. Click OK. An example of the file contents follows:
```
Provider=MSDASQL.1;Password=fusion;Persist Security Info=True;User ID=fusion;Data Source=ffinde
```
Open the data link (.udl file) previously created, as follows:
1. Click the Windows Start menu button.
2. Select Run.
3. Enter Notepad into the Open field and click OK.
4. Open the .udl file.
5. From the .udl file, copy the entire string, starting with Provider=.
Open the AP Packaged Project_1004a.ini file (under C:\OFR_Projects\AP\Global) in another instance of Notepad and make the following changes:
1. Replace the connection string for the line starting with SQL_VL_01_ConnectionString=, with the text copied in Step 5.
2. Update attribute ASA_VL_01_ImportODBCDSN with the System DSN name of the Oracle Fusion Applications database.
3. Update attribute ASA_VL_01_ImportODBCUser with the READ-ONLY user name.
4. Update the attribute, ASA_VL_01_ImportODBCPWD, with the READ-ONLY account password.
5. Proceed with any additional customizations on the .ini file, as required by the implementation.
6. Verify the changes.
7. Save and close the file.

Update ODC Expenses Metadata

Perform the following steps to update ODC Expenses metadata:

Install the ODC Import-Export Utility from the Companion DVD, if this has not already been done.
Copy the ODC metadata ZIP files from APPLICATIONS_BASE/fusionapps/fin/ap/odc and APPLICATIONS_BASE/fusionapps/fin/exm/odc to a temporary directory in the Windows desktop environment.
Go to Start, then Oracle Document Capture, then Import-Export Utility and log in. The user name is ADMIN and the password is admin.
In the utility, go to File - Import or click Import and then import the metadata files one at a time. Ensure that all files are imported.

Patch Oracle Fusion Applications Patch Manager Artifacts

When updates to Oracle Fusion Applications Patch Manager are introduced in a patch, the patch must be applied with the OPatch utility. Oracle Fusion Applications is compatible with a specific version of OPatch instead of the generic version of OPatch. If an incompatible version of OPatch exists in FA_ORACLE_HOME, errors can occur while applying patches and running Upgrade Orchestrator. The compatible version of Opatch is available on My Oracle Support under patch 14044793.

During provisioning, the data model for Oracle Fusion Applications Patch Manager is updated by running the fapmgr bootstrap command. If the data model is updated again by a patch, the patch README file instructs to run the fapmgr bootstrap command.

Use this syntax to run bootstrap:

(UNIX) FA_ORACLE_HOME/lcm/ad/bin/fapmgr.sh bootstrap [-logfile log_file_name] [-loglevel level]

Patch Script Files

When updates to script files or control files are introduced in a patch, no manual steps are required in either online or offline mode. Note that before applying Scripts Control artifacts (SCRIPTSCTL), no processes should be running that use these scripts or control files.

Patch Security Artifacts

In Oracle Fusion Applications, the following artifact types related to security can be patched:

Function Security Policies (Applications Policies, using the system-jazn-data.xml file)
Data Security Grants (using Seed Data)
Data Role (RGX) Templates
JAR files secured by the Data Security Grants and Function Security Grants

A patch can contain one or more of these artifacts. This section describes the steps for applying security patches and recovering from patch failures. Examples of scenarios that may be needed when following the recovery steps include:

Apply a security patch that introduces a set of new policies and LDAP GUIDs, after backing up the policy store and the applications database. The GUID reconciliation has not been performed with the applications database due to an unrelated database issue. To resolve the database issue, restore from the backup, resulting in the policy store containing extra GUIDs from the database and a synchronization issue between the policy store and the database.
Apply a security patch that includes updates to the applications policies and the patch fails, resulting in a set of LDAP GUIDs not applying correctly.

The patching and recovery scenarios for the following combinations of security artifact patches are included:

Oracle recommends to apply security patches in online mode and run the Patch Impact report to understand which artifacts are included in the patch. The Patch Impact report displays security artifacts as JAZN, Data Security, and RGXTEMPLATE. For more information, see the Patch Impact Report section.

Patch Applications Policies (system-jazn-data.xml)

Oracle Fusion Applications uses the XML file, system-jazn-data.xml, to package function security policies through application roles, role hierarchies, grants, and policies. Function security policies are shipped as a system-jazn-data.xml file that resides in the Oracle home. After provisioning, these policies are migrated to an LDAP Policy store. Patching function security policies requires steps to absorb changes delivered by Oracle (system-jazn-data.xml in a patch), changes currently deployed, which include changes by the policies in the LDAP server, and system-jazn-data.xml contents previously shipped from Oracle (system-jazn-data.xml in the Oracle home).

Oracle Fusion Applications Manager runs a comprehensive analysis tool during patch validation to check for conflicts in applications policy changes before the patch is applied. If a change is considered safe, apply the patch in online mode. If a change is considered to be a conflict, follow the steps to apply the patch in offline mode, which includes manually resolving conflicts. The following table describes a summary of changes that are safe and those that cause a conflict:

Table 10-3 Changes to Applications Policies

Type of Change	Safe - Apply Patch in Online Mode	Conflicts - Apply Patch in Offline Mode
Additions	New artifacts shipped from Oracle	Artifacts retained by Oracle in a patch with or without modifications, but deleted by the customer
Modifications	Artifacts modified by Oracle in a patch but not by the customer	Artifacts modified by Oracle in a patch and by the customer Artifact created by both Oracle in a patch and by the customer, using the same identifier, but with some other differences
Deletions	All artifact deletions must be applied in offline mode	Artifacts deleted by Oracle in a patch and not touched by the customer Artifacts deleted by Oracle in a patch and modified by the customer Artifacts deleted by Oracle in a patch, and where the customer created new references to the Oracle deleted artifact in their system. Examples include but are not limited to permission and resource grants, entitlements grants, role inheritance relationships, and entitlements to resource associations

This section contains information about the following methods for patching applications policies:

Prerequisites for Patching Applications Policies in Online Mode

Oracle recommends to patch applications policies in online mode because Patch Manager automates the deployment of the system-jazn-data.xml file by running the patchPolicyStore silent install command.

Ensure that the following steps are completed before patching applications policies in online mode:

Validate the patch in online mode and ensure that the validation output does not contain any conflicts. For more information, consult the Validate Patches section and the Table 10-3 section.

If the validation reports any conflicts, then choose to apply all safe changes in online mode. Later, apply conflicting changes in offline mode, as described in the Patch Applications Policies in Offline Mode using APM section.
All domains that use the OPSS Policy store in Oracle Internet Directory for authorization policies must be shut down before the patch applies.

Patch Applications Policies in Offline Mode using APM

All domains, except the OPSS Security Store and the domain that hosts APM, must be shut down before JAZN patching and restarted after JAZN patching. The following steps must be performed if applications policies are patched in offline mode using APM:

Run the Patch Impact report to see which artifacts are included in the patch. For more information, see the Patch Impact Report section. The location where the system-jazn-data.xml is located in the patch, because this location is requested in Step 4.
Run Patch Manager to apply the patch, which copies system-jazn-data.xml from the patch to the Oracle home in offline mode.
Log in to Authorization Policy Manager.
Open the Policy Upgrade Management tab as follows:
1. Perform the analysis
2. Before applying a patch, take off line any WebLogic domain that uses the Security Store where the application policies to be patched reside
3. Backup the Security Store by using Oracle Platform Security Services migrateSecurityStore to export the Security Store into a replica of it. Now the patch can be applied.
When the application to patch from the pull-down Application list is selected, choices such as the following should appear:
- fscm_system-jazn-data.xml: FSCM stripe
- crm_system-jazn-data.xml: CRM stripe
- hcm_system-jazn-data.xml: HCM stripe
- bip_jazn-data.xml: OBI stripe
Analyze Patch Differences and Resolve Patch Differences and, if there are errors during this step, restore the backup, as mentioned in the step 4.
Restart all Oracle Fusion Applications domains.
Oracle delivers changes to system-jazn-data.xmlin its own patch. Related code change patches, if any, should be applied only after all of the steps in this section complete successfully.

The following document provides additional information related to subjects discussed in this section:

For more information about general troubleshooting for Patch Manager, see the Monitor and Troubleshoot Patches section.
For more information about security in Oracle Fusion Applications, see the Secure Oracle Fusion Applications in the Oracle Fusion Applications Administrator's Guide.

Patch Data Security Grants

Oracle recommends to patch data security grants in online mode. In both online and offline patching mode, ensure that the prerequisites are met. The topics related to Patch Data Security Grants area as follows:

Prerequisites for Patching Data Security Grants

Follow these steps to Patching Data Security Grants steps:

Run the Patch Impact report to see which artifacts are included in the patch. For more information, see the Patch Impact Report section .
Back up the data security store by using the Oracle Database data pump export tool. For more information, see the Back up the Data Security Store section.

Patch Data Security Grants in Offline Mode

Follow these steps to patch data security in Offline Mode:

Run Patch Manager to apply the seed data changes to the data security system. When data security changes are introduced in a patch, no manual steps are required in online mode to update the data security subsystem with the GUIDs of the new application roles seeded in the policy story. In offline mode or in the case of patch failure, manually run the DSDataMigrator utility as described in the Data is Missing After Migrating or Patching the Policy Store: Use DSDataMigrator to Reconcile GUIDs section in the Oracle Fusion Applications Administrator's Guide.
If there are any database errors during Step 1, such as running out of tablespace, fix the database errors that occurred and restart the patch.
If the errors that occurred while applying the seed data changes are not resolved, recover the seed data from the backup export file created in Step 2 of the prerequisites.

Patch Data Role (RGX) Templates in Offline Mode

Oracle recommends to patch data role templates in online mode. When data role template changes are introduced in a patch, no manual steps are required in online mode to deploy the changed templates.

Every data role template consists of two XML files. One is for data role generation and the other XML file is for data security policies generation. Both of these files must be deployed after a patch that contains changes to data role templates is applied, so that they remain synchronized with each other. Follow the steps in this section when applying a patch in offline mode that contains data role templates:

Run the Patch Impact report to see which artifacts are included in the patch. For more information, see the Patch Impact Report section. Note that the Patch Impact report refers to data role templates as RGXTEMPLATE.
The following must be running while patching data role templates:
- Administration Server
- Oracle Authorization Policy Manager
- Database
Run Patch Manager to copy the data role templates to FA_ORACLE_HOME.
To create a save point before deploying the data role templates, use the createMetadataLabel WLST command to label the MDS partition for oracle.security.apm, using the following syntax:
```
createMetadataLabel(application, server, name)
 
```
The following example creates the label data_role_save_point for the application oracle.security.apm deployed in the Administration Server:
```
createMetadataLabel('oracle.security.apm', 'AdminServer', data_role_save_point')
```

Follow these steps to manually deploy the data role templates using the importMetadata WLST command against the Administration Server in the Common Domain for the oracle.security.apm application:

Access the WLST shell, as follows:

(UNIX) SOA_ORACLE_HOME/common/bin/wlst.sh

Connect to WebLogic Server, as follows:

> connect ('admin user name','admin user password','URL of the AdminServer')

Deploy the data role template using the importMetadata WLST command. Refer to the Diagnostics report to find the directory where the template was copied by the patch. For more information, see the Diagnostics Report section.

Syntax for the importMetadata command follows:

importMetadata(application='oracle.security.apm', server='Name of AdminServer',
fromLocation='Directory in FA_ORACLE_HOME where data role templates were copied',
docs='Path to the changed data role templates starting with APM partition')

The following table displays the parameters required by the importMetadata command:

Table 10-4 Parameters for the importMetadata WLST Command

Parameter Name	Description
application	Enter the value of `oracle.security.apm`
server	Enter the name of theAdministration Server
fromLocation	Enter the absolute path to the directory in `FA_ORACLE_HOME` where the patch copied the data role templates. The path must not include the APM partition, because the APM partition is included in the next parameter, `docs`. The Diagnostics report provides the full path and file name in `FA_ORACLE_HOME` for each data role template that was copied from the patch
docs	Enter the directory for the APM partition, starting with `/oracle/apps/apm`, followed by the remainder of the path, which includes the data role template itself

Example for Importing the FinancialAssetBook.xml data role template

In this example, the FinancialAssetBook.xml data role template is located in this directory:

(UNIX)FA_ORACLE_HOME/fin/fa/apm/oracle/apps/apm/fin/fa/rgx/template

Example of the importMetadata command:

(UNIX)
importMetadata(application='oracle.security.apm', server='AdminServer',
fromLocation='FA_ORACLE_HOME/fin/fa/apm',
docs='/oracle/apps/apm/fin/fa/rgx/template/FinancialAssetBook.xml'

Example for Importing multiple XML files in one command by using a wild card in the docs parameter

The XML file for data role generation is located in this directory:

(UNIX) /net/machine1/oracle/apps/oracle/fin/gl/rgx/template/GeneralLedger.xml

The XML file for data security policies generation is located in this directory:

(UNIX) /net/machine1/oracle/apps/oracle/fin/gl/rgx/dataSecPolicy/fndDataSecProvider/GeneralLedger.xml

The following command imports both XML files at the same time:

(UNIX) importMetadata(application='oracle.security.apm', server='AdminServer',
fromLocation='/net/machine1', docs='/oracle/apps/oracle/fin/gl/**'

If there are any errors in Step 5, follow these steps to recover by restoring the data role templates. Proceed to Step 7 if there are no errors in Step 5.
1. Promote the MDS label created in Step 4 using the following command:
```
promoteMetadataLabel(application, server, name)
```
  The following example promotes the metadata label data_role_save_point to the oracle.security.apm application deployed in the Administration Server:
```
promoteMetadataLabel('oracle.security.apm', 'AdminServer','data_role_save_point')
```
2. Delete any new data role templates that were delivered in the patch, using the following command:
```
deleteMetadataLabel(application, server, name)
```
  The following example deletes the data role templates in the metadata label data_role_save_point from the oracle.security.apm application deployed in the Administration Server:
```
deleteMetadataLabel('oracle.security.apm','AdminServer','data_role_save_point')
```
Assuming Steps 3 through 5 are successful, Oracle recommends to preview the execution of the changed data role templates. Run the preview from the Summary tab after the data role template is opened from the APM console.

If the preview results are not correct, follow the recovery described in Step 6 to restore the data role templates. Otherwise, proceed to Step 8.
Run the changed data role template and confirm that the data roles and grants are generated correctly. Use the APM role templates summary for reconciliation of the generated artifacts.
If all steps are successful, delete the MDS label created in Step 4, using the deleteMetaDataLabels command:
```
deleteMetadataLabel(application, server, name)
```
The following example deletes the metadata label data_role_save_point from the oracle.security.apm application deployed in the Administration Server:
```
deleteMetadataLabel('oracle.security.apm','AdminServer','data_role_save_point')
```

Patch Data Security Grants and Data Role (RGX) Templates

Oracle recommends to patch data security grants in online mode. Follow the steps in this section when a patch contains both data security grants and data role templates. Every data role template consists of two XML files. One is for data role generation and the other XML file is for data security policies generation. Both of these files must be manually deployed after a patch is applied, so they remain synchronized with each other.

Perform the following steps to patch data security grants and data role templates:

Run the Patch Impact report to see which artifacts are included in the patch. Note that the Patch Impact report refers to data role templates as RGXTEMPLATE.
Back up the security store by using the Oracle Database data pump export tool, as described in the Back up the Data Security Store section.
The following must be running when patching data security grants and data role templates:
- OPSS Security Store
- Administration Server
- Oracle Authorization Policy Manager
- Database
Run Patch Manager to apply the seed data changes to the data security system and to copy the data role templates to FA_ORACLE_HOME.

When data security changes are introduced in a patch, no manual steps are required in online mode to update the data security subsystem with the GUIDs of the new application roles seeded in the policy story. In offline patching mode or in the case of patch failure, manually run the DSDataMigrator utility as described in Data is Missing After Migrating or Patching the Policy Store: Use DSDataMigrator to Reconcile GUIDs in the Oracle Fusion Applications Administrator's Guide.
If there are any database errors during Step 4, such as running out of tablespace, fix the database errors that occurred and restart the patch.

If the errors that occurred while applying the seed data changes are not solved, recover the seed data from the backup export file created in Step 2.
To create a save point before deploying the data role templates, use the createMetadataLabel WLST command to label the MDS partition for oracle.security.apm, using the following syntax:
```
createMetadataLabel(application, server, name)
 
```
The following example creates the label data_role_save_point for the application oracle.security.apm deployed in the Administration Server:
```
createMetadataLabel('oracle.security.apm', 'AdminServer', data_role_save_point')
```

Follow these steps to manually deploy the data role templates using the importMetadata WLST command against the Administration Server in the Common Domain for the oracle.security.apm application:

Access the WLST shell, as follows:

(UNIX) SOA_ORACLE_HOME/common/bin/wlst.sh

Connect to WebLogic Server, as follows:

> connect ('admin user name','admin user password','URL of the AdminServer')

Deploy the data role template using the following importMetadata WLST command. Refer to the Diagnostics report to find the directory where the template was copied, as follows:

importMetadata(application='oracle.security.apm', server='Name of AdminServer',
fromLocation='Directory in FA_ORACLE_HOME where data role templates were copied',
docs='Path to the changed data role templates starting with APM partition')

The following table displays the parameters required by the importMetadata command:

Table 10-5 Parameters for the importMetadata WLST Command

Parameter Name	Description
application	Enter the value of `oracle.security.apm`.
server	Enter the name of the Administration Server
fromLocation	Enter the absolute path to the directory in `FA_ORACLE_HOME` where the patch copied the data role templates. The path must not include the APM partition, because the APM partition is included in the next parameter, `docs`. The Diagnostics report provides the full path and file name in `FA_ORACLE_HOME` for each data role template that was copied from the patch
docs	Enter the directory for the APM partition, starting with `/oracle/apps/apm`, followed by the remainder of the path, which includes the data role template itself

Example of Importing the Financial AssetBook.xml data role template:

(UNIX)FA_ORACLE_HOME/fin/fa/apm/oracle/apps/apm/fin/fa/rgx/template

Example of the importMetadata command:

(UNIX)
importMetadata(application='oracle.security.apm', server='AdminServer',
fromLocation='FA_ORACLE_HOME/fin/fa/apm',
docs='/oracle/apps/apm/fin/fa/rgx/template/FinancialAssetBook.xml'

Example of importing multiple XML files in one command by using a wild card in the doc parameter. The XML file for data role generation is located in this directory:

(UNIX) /net/machine1/oracle/apps/oracle/fin/gl/rgx/template/GeneralLedger.xml

The XML file for data security policies generation is located in this directory:

(UNIX) /net/machine1/oracle/apps/oracle/fin/gl/rgx/dataSecPolicy/fndDataSecProvider/GeneralLedger.xml

The following command imports both XML files at the same time:

(UNIX) importMetadata(application='oracle.security.apm', server='AdminServer',
fromLocation='/net/machine1', docs='/oracle/apps/oracle/fin/gl/**'

For more information, see the Diagnostics Report section.

If there are any errors in Step 7, follow these steps to recover by restoring the data role templates. Otherwise, proceed to Step 9.
1. Restore the security seed data from the backup created in Step 2. For more information, see the Recovery Data Security Seed Data from the Backup section.
2. Promote the MDS label created in Step 6 using the following command:
```
promoteMetadataLabel(application, server, name)
```
  The following example promotes the metadata label data_role_save_point to the oracle.security.apm application deployed in the Administration Server:
```
promoteMetadataLabel('oracle.security.apm', 'AdminServer','data_role_save_point')
```
3. Delete any new data role templates that were delivered in the patch, using the following command:
```
deleteMetadataLabel(application, server, name)
```
  The following example deletes the data role templates in the metadata label data_role_save_point from the oracle.security.apm application deployed in the Administration Server:
```
deleteMetadataLabel('oracle.security.apm','AdminServer','data_role_save_point')
```
Assuming Steps 2 through 7 are successful, Oracle recommends to preview the execution of the changed data role templates. Run the preview from the Summary tab after the data role template is opened from the APM console.

If the preview results are not correct, follow the recovery described in Step 8 to restore the seed grants and data role templates. Otherwise, proceed to Step 10.
Run the changed data role template and confirm that the data roles and grants are generated correctly. Use the APM role templates summary for reconciliation of the generated artifacts.

If the results are not correct, restore the database from the backup created in Step 2. For more information, see the Recovery Data Security Seed Data from the Backup section.
If all steps are successful, delete the MDS label created in Step 6, using the deleteMetaDataLabels command:
```
deleteMetadataLabel(application, server, name)
```
The following example deletes the metadata label data_role_save_point from the oracle.security.apm application deployed in the Administration Server:
```
deleteMetadataLabel('oracle.security.apm','AdminServer','data_role_save_point')
```

Back up the Data Security Store

Back up the data security store by using the Oracle Database data pump export tool. Before running the export tool, ensure that the TWO_TASK environment variable is set to point to the Oracle Fusion Applications instance. Oracle Fusion Applications database user name and password are requested. Perform the following steps for Back up the Data Security Store:

For setting any environment variable, run the adsetenv script to generate the APPSORA.env file, which when sourced, sets all environment variables:
```
(UNIX)
sh adsetenv.sh
source APPSORA.env
echo $TWO_TASK
```

Run the data pump export tool as follows:

ORACLE_HOME/bin/expdp directory=local_directory dumpfile=fndds1.dmp tables='(FND_GRANTS,
FND_MENUS_TL,FND_MENUS,FND_MENU_ENTRIES,FND_COMPILED_MENU_FUNCTIONS,
FND_FORM_FUNCTIONS_TL,FND_FORM_FUNCTIONS,FND_OBJECT_INSTANCE_SETS_TL,
FND_OBJECT_INSTANCE_SETS,FND_OBJECTS_TL,FND_OBJECTS)' NOLOGFILE=y

The following document provides additional information related to subjects discussed in this section:

For more information about Oracle Data Pump, see the Oracle Data Pump Overview page.

Recovery Data Security Seed Data from the Backup

Follow these steps only if a data security seed data patch failed and there is no way to resolve the failure and reapply the patch:

Remove the existing data security grant data from the data security tables. Connect to the fusion account using SQL*Plus and run the following commands:

truncate table fusion.fnd_objects; 
truncate table fusion.fnd_objects_tl; 
truncate table fusion.fnd_object_instance_sets; 
truncate table fusion.fnd_object_instance_sets_tl; 
truncate table fusion.fnd_form_functions; 
truncate table fusion.fnd_form_functions_tl; 
truncate table fusion.fnd_menus; 
truncate table fusion.fnd_menus_tl; 
truncate table fusion.fnd_menu_entries; 
truncate table fusion.fnd_grants;

Import the data security seed data from the backup export file previously created, as follows:

ORACLE_HOME/bin/impdp dumpfile=fndds1.dmp tables='(FND_GRANTS,
FND_MENUS_TL,FND_MENUS,FND_MENU_ENTRIES,FND_COMPILED_MENU_FUNCTIONS,
FND_FORM_FUNCTIONS_TL,FND_FORM_FUNCTIONS,FND_OBJECT_INSTANCE_SETS_TL,
FND_OBJECT_INSTANCE_SETS,FND_OBJECTS_TL,FND_OBJECTS)' 
NOLOGFILE=y

Patch Service-Oriented Architecture (SOA) Composites

When updates to SOA composites are introduced in a patch, no manual steps are required if both of the following conditions are met:

SOA composite customizations are not available in Oracle JDeveloper. If customizations exist, follow the steps in the Preserve SOA Composite JDeveloper Customizations Before Applying a Patch section.
Apply the patch in online mode and no validation or deployment errors occurred during the application of the patch that contains SOA composites. Oracle recommends not to use offline mode when a patch contains SOA composites. If the patch fails while attempting to deploy a SOA composite, manually deploy the composite. For more information, see the Manually Deploy SOA Composites section.

For information about resolving validation errors, see the Troubleshoot SOA Composite Validation Failures section. For information about recovering from deployment errors, see the Troubleshoot SOA Composite Deployment Failures section.

If SOA composites used by Oracle Fusion Applications are customized in JDeveloper, preserve these customizations before applying a patch that includes the next revision of the composite. Other customizations to the SOA composite being patched are automatically merged by the SOA deployment command called during patching. These runtime customizations, such as design time and run-time (DT@RT) changes or property changes, do not require a manual merge process.

What must be running when patching SOA composite:

Administration Server
SOA-INFRA Managed Servers
Database
At least one server must be running the Policy Manager component from the Web Services Manager (WSM-PM) application. Typically in an Oracle Fusion Applications environment, this is the Common Cluster, for example in the CRMDomain, it is the CRMCommonCluster. Find out which server is running by logging in to Fusion Applications Control to verify that the application named wsm-pm is running with an OK or green status.

Preserve SOA Composite JDeveloper Customizations Before Apply a Patch

If JDeveloper customizations were performed, not supported by OPatch, to a SOA composite and then the composite to the SOA runtime is deployed, subsequent patches are not directly deployable. The Patch Manager validation process returns the appropriate error, which instructs to take the newer version of the composite that is in the patch, redo the same customizations that were performed on the previous version of the composite, and then apply the patch in online mode to deploy the composite.

Perform the following steps to preserve SOA composite JDeveloper customizations before applying a patch:

Run Patch Manager validation in online mode to determine which composites have JDeveloper customizations. If any customizations are detected, the validation results display the SOA composite name, its location in the patch_top directory, and the requirement to merge JDeveloper customizations into the sca_*.jar file in the patch_top directory before applying the patch in online mode. For more information, see the Validate Patches section. Run Patch Manager validation before applying every patch, especially patches that contain SOA composites. If the JDeveloper customizations are not merged into the sca_*.jar file in the patch_top directory, the deployment of the SOA composite that was changed inside the patch will fail when applying the patch.
Open the custom SOA workspace and the customized version of the Fusion Applications SOA composite in JDeveloper using "Oracle Fusion Applications Developer".
Import the composite sca_*.jar file from the patch_top directory into the project, for example revision yy_patchnum, in JDeveloper. Make note of this revision number in the deployment window because it will be needed it in Step 8. Find the revision number on the Patch Impact report.
Restart JDeveloper in the Oracle Fusion Applications Administrator Customization role.
Verify that there are no errors in JDeveloper.
Verify that the changes introduced in both the customized version and the patched version are present.
Right-click the composite project in the Application Navigator, select Deploy, select the composite, click Deploy to SAR, and click Next.
Manually change the value in New Revision ID to the revision from Step 3, for example, yy_patchnum, and click Finish.
If the deployment folder is set to a location different from that of the patch_top directory, copy and replace the JAR in the patch under patch_top/patch_mw/files/productfamily/deploy. If the file name is different, rename it to the original name.
Now validate and apply this patch successfully using Patch Manager in online mode.

For more information about customizing SOA composites, see the Oracle Fusion Applications Extensibility Guide for Developers Guide .

Manually Deploying SOA Composites

If a customized SOA composite deployment fails during patching, manually deploy this composite using WLST commands. Also manually deploy SOA composites if a patch is applied in offline mode that contains SOA composites.

Perform the following steps to apply a SOA composite manually after a deployment failure or when patching in offline mode:

In the following steps, the example composite, FinAp, is patched from revision 1.0 to revision 2.0 and the SAR file of revision 2.0 is in FA_ORACLE_HOME/crm/deploy/sca_FinAp_rev2.0.jar. Note that the parameters are for illustration purposes only.

Refer to the Diagnostics Report section, to find the name and location of the sca_*.jar file that was copied to FA_ORACLE_HOME by Patch Manager.
If the previous revision contained JDeveloper customizations, ensure that the patched revision is deployed with the merged JDeveloper customizations. Using the sca_*.jar file from Step 1, follow the JDeveloper customization merge instructions that are described in the Preserve SOA Composite JDeveloper Customizations Before Apply a Patch section. Then use the merged sca_*.jar for Step 3.

Deploy the patched composite using the single patch composite command, as follows:

sca_patchComposite('SOA-Infra URL', user, password, 
'/FA_ORACLE_HOME/crm/deploy//sca_FinAprev2.0.jar', mergeLogFile='/tmp/merge-log.txt')

Patch SOAEXTENSION Artifacts

When updates to SOAEXTENSION artifacts are introduced in a patch, stop and restart all SOA-INFRA Managed Servers in all domains. Both online and offline patching require this step.

Patch SOA Resource Bundles

Oracle recommends to patch SOA resource bundles in online mode. No manual steps are required when patching SOA resource bundles in online mode unless the SOA resource bundle JAR file contains translatable strings for human task-mapped attribute labels and standard view names, as indicated by a JAR name that ends with FlexFieldSoaResource.jar. In offline mode, in case of patch failure, or if the patch contains human task-mapped attribute labels and standard view names, manually deploy the SOA resource bundle and restart the SOA composites that depend on the SOA resource bundle.

The following must be running when SOA resource bundles are patched:

Administration Server
SOA-INFRA Managed Servers
Node manager
Database

After applying the patch, refer to the Diagnostics Report section to get a complete list of composites that depend on each SOA resource bundle and also the domains.

Manually Deployment SOA Resource Bundle JAR Files

Perform the following steps to manually deploy SOA resource Bubdle JAR files:

From the Diagnostics report for patch validation, review the list of SOA resource bundle JAR files included in the patch and the domain where they should be deployed. Use the ant-sca-deploy.xml script to deploy the appropriate SOA cluster for each JAR included in the patch.

Set the ANT_HOME variable:
```
ANT_HOME=FA_ORACLE_HOME/modules/org.apache.ant_1.7.1; export ANT_HOME
```
Deploy the appropriate cluster:
```
ant -f Middleware_Home/SOA_Suite_Home/bin/ant-sca-deploy.xml
     -DserverURL=URL_to_SOA_server
     -DsarLocation=Location_of_resource_bundle_jar under FA_ORACLE_HOME
     -Duser=weblogic
     -Dpassword=weblogic_password
```
The Diagnostics report lists the composite affected by the patch and the domain where the composite is deployed. Follow these steps for each affected composite:
1. Log in to in the domain where the composite is deployed.
2. Go to domain name, then SOA, then soa-infra (SOA cluster name), then default, and then composite name.
3. Click Shut Down.
4. Click Yes in the confirmation window.
5. Click Start Up.
6. Click Yes in the confirmation window.
Review the list of SOA resource bundle JAR files being patched. If a patch contains a JAR file with a name which starts with "jar_" and ends with "FlexFieldSoaResource.jar", for example, jar_AppCmmnCompNotesFlexFieldSoaResource.jar, perform the following steps to ensure that the patched resource bundle is reflected in the Oracle BPM Worklist. These steps describe how to set the WorkflowCustomClasspathURL MBean property to null, and then set it to oramds:///apps/resource/ and apply the changes in Fusion Applications Control.
1. Log in to Fusion Applications Control in the domain where the JAR was deployed.
2. Go to SOA, then soa-infra in the left-hand panel. Go to SOA Infrastructure, then Administration, and then System MBean Browser in the right-hand panel.
3. Go to Application Defined MBeans, then oracle.as.soainfra.config, then Server: SOA cluster name, then WorkflowConfig and then human-workflow.
4. Remove the contents in the Value column of the WorkflowCustomClasspathURL attribute.
5. Click Apply.
6. Enter oramds:///apps/resource/ in the Value column of the WorkflowCustomClasspathURL attribute.
7. Click Apply.

The following documents provide additional information related to subjects discussed in this section:

For more information about the ant-sca-deploy.xml script that is used to deploy the SOA resource bundle, see "How to Manage SOA Composite Applications with ant Scripts" in the Developing SOA Applications with Oracle SOA Suite.
For information about shutting down and starting up SOA composites in Oracle Enterprise Manager, see "Managing the State of Deployed SOA Composite Applications" in the Administering Oracle SOA Suite and Oracle Business Process Management Suite.

Patch Sales Prediction Engine (SPE) Inline Service Artifacts

Oracle recommends to patch data role templates in online mode. When updates to SPE Inline Service artifacts are introduced in a patch, no manual steps are required in online mode to deploy changed SPE artifacts.

Updates to SPE Inline Service are delivered in the SPE_ILS.zip file and the AdfZspPredictionModuleSupportUtilities.jar file. This section contains information about manual deployment of SPE artifacts, in the case of offline patching or failure during online patching.

SPE artifacts are provisioned only when Oracle Fusion CRM Performance Management is provisioned. If CRM Performance Management is not provisioned in the environment, do not deploy SPE artifacts.

Manually Deploying SPE Artifacts After Applying the Patch

Perform the following steps:

JDK 1.6 or later must be running.
Access to the ZIP file, rtd-deploytool-11.1.1.zip. This ZIP file resides inside another ZIP file, FA_ORACLE_HOME/bi/clients/rtd/rtd_client_11.1.1.zip.
Make a backup copy, in a temporary directory, of the existing SPE_ILS.zip file, which is located under FA_ORACLE_HOME in this directory:
```
(Unix) crm/components/crmPerformance/zsp/predictionmodule/inlineservice
```
Oracle suggests to refer to the text file that was created when provisioning completed, which is a textual overview of the topology, as you follow these steps.
Stop and start bi_server1 to include the changes in AdfZspPredictionModuleSupportUtilities.jar.
Follow these steps to deploy the new SPE_ILS.zip artifact:
1. Unzip rtd_client_11.1.1.zip in a temporary directory. To find this file, refer to Step 2 in this section.
2. In the unzipped files, go to the folder .../client/CommandLineDeploy and find rtd-deploytool-11.1.1.zip.
3. Unzip rtd-deploytool-11.1.1.zip and go to the folder, .../OracleBI/RTD/deploytool.
4. In this folder, open a command terminal. Ensure having the JDK class path set for this terminal.
5. Run this command:
```
java -jar deploytool.jar -deploy 
-server Host name of the server where BI domain is created
-port Managed server port where the OracleRTD app is deployed
-terminateSessions true Full directory path to SPE_ILS.zip
```
  Example:
```
(UNIX) java -jar deploytool.jar -deploy -server server01.oracle.com -port
7001 -terminateSessions true FA_ORACLE_HOME/crm/components/ \
crmPerformance/zsp/predictionmodule/inlineservice/SPE_ILS.zip
```
6. When prompted, enter the user name and password to connect to the RTD server. This user must have a role that includes ILS deploy permission. Both the BIAdministrator and BIAuthor have this permission.
7. This message indicates the deployment is complete:
```
deploymentStateId is 5Inline service "SPE_ILS" in "FA_ORACLE_HOME/crm/components/crmPerformance/zsp/predictionmodule/inlineservice/SPE_ILS.zip/SPE_ILS.zip" 
deployed to server: "server01.oracle.com" port: "7001" deployment state: "Development"
```

Patch Tree Artifacts

Tree artifacts are delivered as seed data in patches and therefore, do not typically require manual steps after they are patched. A process called tree flattening automatically runs during the patching process. If this process fails, perform the following additional steps:

To determine if the patch contains any files related to tree flattening, refer to the Patch Impact report and look for a file named FndTreeVersionSD.xml. This is the only file that requires tree flattening. For more information, see the Patch Impact Report section.
Confirm that the tree version changes were successfully flattened by reviewing the worker logs for errors related to tree flattening. To determine the worker that executed the specific seed data task, based on the file name FndTreeVersionSD.xml, refer to the Diagnostics report generated at the end of the patching session. Note any tree versions that failed because the version numbers are needed to manually flatten the tree version changes.
Follow these steps to manually flatten tree versions:
1. Access the administrative area of Oracle Fusion Functional Setup Manager by logging in to Oracle Fusion Applications with a user account that is provisioned with the necessary role. Contact the security administrator for details.
2. From the Administration menu in the work area of Oracle Fusion Applications, choose Setup and Maintenance.
3. Choose the Manage Trees and Tree Versions task.
4. Search for the tree versions that require flattening.
5. Choose the appropriate tree version and optionally choose Audit from the Actions menu to diagnose the issues.
6. If changes to the tree version need to be made, click the tree version and edit it.
7. Choose Flattening, Row Flattening, then Flattening, Column Flattening from the Actions menu to flatten the selected tree version.