Wednesday, February 10, 2010

Apps Account Locking

Topic
------
"Apps" Account Locking in E-business suite.

ADI (Application Desktop Integrator) is software that runs on Windows systems and uses the Net8 client to talk to the database. However, users log on with their application ID and password, not directly to the database.

In order for this to work, the application goes to the database with a public username/password that must never be changed for the application to function. The username is APPLSYSPUB and the password is PUB (this is openly documented). This database account is able to find the APPS schema and encrypted password in the database. The application then decrypts the password and uses it to connect to the database.


Problem
---------
There is a known issue with customers using ADI (Application Desktop Integrator).

Whenever an application user using desktop ADI reaches the number of unsuccessful logins set by "failed login attempts", the APPS account gets locked (timed). This can be confirmed by checking the database listener log.

Solution
--------
1. Increase failed login attempts.

2. Recommend customers to use web ADI instead of Desktop ADI.

3. Educate ADI users not to make more unsuccessful login attempts than the number of times you have specified in "failed login attempts".

Metalink users can educate themselves through note 400743.1.
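
The timed lock and the limit that triggered it can also be confirmed from the data dictionary. The queries below are an added example, not part of the original post; they assume the schema account is named APPS and, for the second query, that traditional session auditing (AUDIT SESSION) was enabled before the lockout.

```sql
-- Added example: read-only checks, run as a user with access to the DBA_* views.
-- Assumption: the EBS schema account is named APPS, as described on this page.

-- 1. Is APPS locked, since when, and which profile limits apply to it?
--    account_status 'LOCKED(TIMED)' means the lock came from failed logins.
--    A limit of 'DEFAULT' means the value is inherited from the DEFAULT profile.
SELECT u.username,
       u.account_status,
       u.lock_date,
       u.profile,
       MAX(CASE WHEN p.resource_name = 'FAILED_LOGIN_ATTEMPTS'
                THEN p.limit END) AS failed_login_attempts,
       MAX(CASE WHEN p.resource_name = 'PASSWORD_LOCK_TIME'
                THEN p.limit END) AS password_lock_time_days
FROM   dba_users u
JOIN   dba_profiles p ON p.profile = u.profile
WHERE  u.username = 'APPS'
AND    p.resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LOCK_TIME')
GROUP  BY u.username, u.account_status, u.lock_date, u.profile;

-- 2. Which client machines produced the failed logins in the last day?
--    returncode 1017  = ORA-01017 (invalid username/password)
--    returncode 28000 = ORA-28000 (the account is locked)
SELECT os_username,
       userhost,
       terminal,
       returncode,
       COUNT(*)       AS attempts,
       MIN(timestamp) AS first_seen,
       MAX(timestamp) AS last_seen
FROM   dba_audit_session
WHERE  username = 'APPS'
AND    returncode IN (1017, 28000)
AND    timestamp > SYSDATE - 1
GROUP  BY os_username, userhost, terminal, returncode
ORDER  BY last_seen DESC;
```

The userhost values from the second query identify the workstations whose users need the guidance in point 3, and the first query shows the current limit before it is raised as in point 1.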

Security Issues
---------------

Version 7.1.1.10.1 of ADI (Application Desktop Integrator) contains a major security flaw.

Whenever the software is launched, it creates a file called dbg.txt on the
local hard drive on the system which contains in PLAIN TEXT the usernames
and passwords for both the application user and the APPS schema!

Further reading
----------------
http://www.oracle.com/technology/deploy/security/pdf/secalert_adi.pdf

Regards
Manoj
