Monday, 1 June 2026

How to allow only specific users to access Oracle EBS Applications

During some special periods, such as the month-end process, business management may want to block general user access to the Oracle EBS application while still allowing one or two users to complete dedicated tasks.

Oracle EBS has a way to do this. See the doc below:

Doc ID 605538.1 (How To Lock Users Out Of E-Business Suite And Allow Specific Users). This only works if the EBS application does not have multiple web nodes, which may use load balancing in the middle.

R12.1.X

1. Backup file $ORA_CONFIG_HOME/10.1.3/Apache/Apache/conf/custom.conf

2. Edit file $ORA_CONFIG_HOME/10.1.3/Apache/Apache/conf/custom.conf and add the IP addresses of the user systems that you want to allow access to the system.

The benefit of using custom.conf is that it is preserved when autoconfig is run.

$ vi $ORA_CONFIG_HOME/10.1.3/Apache/Apache/conf/custom.conf

<Location ~ "/OA_HTML">
# Comments go on their own line: Apache does not allow a comment after a directive.
Order deny,allow
Deny from all
# IP of the user who is allowed to access EBS
Allow from 10.23.124.64
#Allow from XX.XXX.XXX.XXX
#Allow from XX.XXX.XXX.XXX
#Allow from X.XXX.XXX.XXX
Allow from localhost
Allow from erpuatappl.nicsi.in
# Oracle EBS Application Server IP
Allow from 10.24.248.33
</Location>

ErrorDocument 403 "Oracle Application Service is temporarily unavailable!!!. We are currently performing the maintenance activity. Normal Service will be restored soon........

Note:
You need to include localhost and your apps tier server name. You can use the PC name rather than the IP address; however, the PC name is more sensitive to network configuration.

3. Restart Apache

[applmgr@erpuatappl scripts]$ cd $ADMIN_SCRIPTS_HOME
[applmgr@erpuatappl scripts]$ ./adopmnctl.sh status
You are running adopmnctl.sh version 120.6.12010000.5

Checking status of OPMN managed processes...

Processes in Instance: UAT_erpuatappl.erpuatappl.nicsi.in
---------------------------------+--------------------+---------+---------
ias-component                    | process-type       |     pid | status
---------------------------------+--------------------+---------+---------
OC4JGroup:default_group          | OC4J:oafm          |    4925 | Alive
OC4JGroup:default_group          | OC4J:forms         |    4826 | Alive
OC4JGroup:default_group          | OC4J:oacore        |    4590 | Alive
HTTP_Server                             | HTTP_Server        |    4501 | Alive

adopmnctl.sh: exiting with status 0

adopmnctl.sh: check the logfile /UATappl/inst/apps/UAT_erpuatappl/logs/appl/admin/log/adopmnctl.txt for more information ...

[applmgr@erpuatappl scripts]$ ./adapcctl.sh stop

You are running adapcctl.sh version 120.7.12010000.2

Stopping OPMN managed Oracle HTTP Server (OHS) instance ...

opmnctl: stopping opmn managed processes...

adapcctl.sh: exiting with status 0

adapcctl.sh: check the logfile /UATappl/inst/apps/UAT_erpuatappl/logs/appl/admin/log/adapcctl.txt for more information ...

[applmgr@erpuatappl scripts]$ ./adopmnctl.sh status

You are running adopmnctl.sh version 120.6.12010000.5

Checking status of OPMN managed processes...

Processes in Instance: UAT_erpuatappl.erpuatappl.nicsi.in
---------------------------------+--------------------+---------+---------
ias-component                    | process-type       |     pid | status
---------------------------------+--------------------+---------+---------
OC4JGroup:default_group          | OC4J:oafm          |    4925 | Alive
OC4JGroup:default_group          | OC4J:forms         |    4826 | Alive
OC4JGroup:default_group          | OC4J:oacore        |    4590 | Alive
HTTP_Server                              | HTTP_Server        |     N/A | Down

adopmnctl.sh: exiting with status 0

adopmnctl.sh: check the logfile /UATappl/inst/apps/UAT_erpuatappl/logs/appl/admin/log/adopmnctl.txt for more information ...

[applmgr@erpuatappl scripts]$ ./adapcctl.sh start

You are running adapcctl.sh version 120.7.12010000.2

Starting OPMN managed Oracle HTTP Server (OHS) instance ...

opmnctl: opmn is already running.

opmnctl: starting opmn managed processes...

adapcctl.sh: exiting with status 0

adapcctl.sh: check the logfile /UATappl/inst/apps/UAT_erpuatappl/logs/appl/admin/log/adapcctl.txt for more information ...

[applmgr@erpuatappl scripts]$ ./adopmnctl.sh status

You are running adopmnctl.sh version 120.6.12010000.5

Checking status of OPMN managed processes...

Processes in Instance: UAT_erpuatappl.erpuatappl.nicsi.in
---------------------------------+--------------------+---------+---------
ias-component                    | process-type       |     pid | status
---------------------------------+--------------------+---------+---------
OC4JGroup:default_group          | OC4J:oafm          |    4925 | Alive
OC4JGroup:default_group          | OC4J:forms         |    4826 | Alive
OC4JGroup:default_group          | OC4J:oacore        |    4590 | Alive
HTTP_Server                             | HTTP_Server        |   32156 | Alive

adopmnctl.sh: exiting with status 0

adopmnctl.sh: check the logfile /UATappl/inst/apps/UAT_erpuatappl/logs/appl/admin/log/adopmnctl.txt for more information ...

4. Now only users connecting from the added IP addresses will have access. All other users will get a forbidden error when they attempt to log in.

This is a very simple solution, and what makes it good is that it can be done programmatically.

Any other user who tries to log in will get the error below. The forbidden error looks like this:

Forbidden
You don’t have permission to access /OA_HTML/AppsLocalLogin.jsp on this server

If you want to change the message, edit custom.conf and add a line as follows (change the text to suit your requirements):

ErrorDocument 403 "Forbidden oops, you cannot access the production instance as it is month end, only certain users have access at this time

ErrorDocument 403 "Oracle Application Service is temporarily unavailable!!!. We are currently performing the maintenance activity. Normal Service will be restored soon........
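The post notes that this change can be done programmatically. As an added example (not part of Doc ID 605538.1 or the original post), the shell functions below generate the allow-list block and refuse malformed entries, such as an address with a comment glued to it. The function names are hypothetical, and only full IPv4 addresses and host names are accepted, which is an assumption stricter than what Apache itself allows.

```shell
#!/bin/sh
# Added example: generate the custom.conf allow-list block from validated entries.
# Assumption: entries are full IPv4 addresses or host names, as used in the post.

# Succeed only for a dotted quad whose four octets are each 0..255.
is_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  _old_ifs=$IFS; IFS=.
  set -- $1                      # split the address on dots
  IFS=$_old_ifs
  [ $# -eq 4 ] || return 1
  for _octet in "$@"; do
    [ ${#_octet} -le 3 ] && [ "$_octet" -le 255 ] || return 1
  done
  return 0
}

# Succeed for a host name; entries starting with a digit must pass is_ipv4 instead.
is_hostname() {
  case $1 in
    ''|[0-9]*|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
  esac
  return 0
}

# Print the <Location> block for the given entries. Prints nothing on stdout
# and returns 1 if any entry is malformed, e.g. has a comment glued to it.
gen_location_block() {
  for _entry in "$@"; do
    if ! is_ipv4 "$_entry" && ! is_hostname "$_entry"; then
      echo "rejected allow-list entry: '$_entry'" >&2
      return 1
    fi
  done
  echo '<Location ~ "/OA_HTML">'
  echo 'Order deny,allow'
  echo 'Deny from all'
  for _entry in "$@"; do
    echo "Allow from $_entry"
  done
  echo '</Location>'
}

# Constructed sample run using the addresses shown in the post.
gen_location_block 10.23.124.64 localhost erpuatappl.nicsi.in 10.24.248.33
```

Write the output into custom.conf only after taking the backup from step 1, then restart Apache as in step 3.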

R12.2.X

This applies when users log in to a PC on the company's network, either over VPN or directly.

1. Backup file $IAS_ORACLE_HOME/instances/EBS_web_OHS1/config/OHS/EBS_web/custom.conf

2. Edit file $IAS_ORACLE_HOME/instances/EBS_web_OHS1/config/OHS/EBS_web/custom.conf and add the IP addresses of the user systems that you want to allow access to the system.

The benefit of using custom.conf is that it is preserved when autoconfig is run.

Only users whose IP addresses are allowed in the custom.conf file can access the Oracle EBS application; all other users get the "Forbidden oops." message on the login page.

$ vi $IAS_ORACLE_HOME/instances/EBS_web_OHS1/config/OHS/EBS_web/custom.conf

<Location ~ "/OA_HTML">
# Comments go on their own line: Apache does not allow a comment after a directive.
Order deny,allow
Deny from all
# IP of the user who is allowed to access EBS
Allow from 10.23.124.64
#Allow from XX.XXX.XXX.XXX
#Allow from XX.XXX.XXX.XXX
#Allow from X.XXX.XXX.XXX
Allow from localhost
Allow from erpuatappl.nicsi.in
# Oracle EBS Application Server IP
Allow from 10.24.248.33
</Location>

Use "grep ohs_inst $CONTEXT_FILE" to identify the OHS# (i.e. EBS_web_OHS1) and the location.

3. Restart Apache

If load balancing is used, the above method may not work because the end user's IP address may not reach the EBS server. Other ways can be used to accomplish this, but additional work is needed.

1. Create a special Responsibility. Then, disable all other Responsibilities. Only users in the new Responsibility will be able to log into the EBS site to do the work.

2. You can disable/enable users in bulk using the API. But this will change last_update_date and last_updated_by in table fnd_user, and may become a security auditing concern (especially when there are many active users in the system. A huge worry is that users' passwords would still work).

    fnd_user_pkg.disableuser('<username>');

    fnd_user_pkg.enableuser('<username>');

3. Ask internal firewall team to restrict access to the EBS Load Balancer URL to specific IP addresses.

4. Change the Load Balancer port to a temporary port that only will be given to the authorized users, and after the archive process is complete, the port can be switched back to the original port so it becomes available to all users.


Tuesday, 28 April 2026

AOP Installation & Configuration

Content of the zip file: aop_linux_v22.2.zip

Under the APEX version folder, such as apex_version_5.x or apex_version_18.x_19.x_20.x_21.x_22.x:

- /db: sql files to install the back-end database objects for the Oracle APEX plug-ins (run install.sql)

- /plugin: the APEX plug-ins for APEX Office Print (AOP)

- /app: the five sample applications

v22.2

- /server: the server side component (** for on-premises packages only **)

Pre-requisites:

- Oracle Database 12.2 or above

- Oracle Application Express (APEX) 19.2 or above

(** for on-premises packages only **)

- Windows or Linux (Red Hat / Oracle 8 and higher and Ubuntu 18.04 and higher)

- Java 8 or higher installed 

Quick start: using AOP in your application:

- Go to SQL Workshop > SQL Scripts and upload (and run) the files aop_db_pkg.sql and aop_modal_pkg.sql from the /db directory

  This will create the database objects used by the Oracle APEX plug-ins

- Go to App Builder > Your application > Shared Components > Plug-ins > Import

 Select the file process_type_plugin_be_apexrnd_aop.sql from the /apex_version_<your_version>/plugin or aop_linux_v<your_version>\v<your_version> directory (for the AOP Process type plug-in)

 Select the file dynamic_action_plugin_be_apexrnd_aop_da.sql from the /apex_version_<your_version>/plugin or aop_linux_v<your_version>\v<your_version> directory (for the AOP Dynamic Action type plug-in)

 Select the file dynamic_action_plugin_be_apexrnd_aop_convert_da.sql from the /apex_version_<your_version>/plugin or aop_linux_v<your_version>\v<your_version> directory (for the Convert Dynamic Action type plug-in)

 Select the file dynamic_action_plugin_be_apexrnd_aop_modal.sql from the /apex_version_<your_version>/plugin or aop_linux_v<your_version>\v<your_version> directory (for the Modal Dynamic Action type plug-in)

- On your Page, create a dynamic action; on click of a button for example and select the True Action: APEX Office Print (AOP) [Plug-in]

$ mkdir -p /apps/AOPServer/aop22.2

Install/Upgrade the AOP Server (** only for on-premises version **):

- Copy the server folder to your server (use WinSCP/PuTTY etc.)

- Stop the previous version of AOP (in case of upgrade)

  Note: you can run the old and new AOP simultaneously but on different ports

- Start the AOP executable

=====================If Required, Upgrade Plug-ins========================

Upgrading the plug-in:

- Go to SQL Workshop > SQL Scripts and upload (and run) the files aop_db_pkg.sql and aop_modal_pkg.sql from the /db directory

  This will create the database objects used by the APEX plug-ins

- Go to App Builder > Your application > Shared Components > Plug-ins > Import

 Select the file process_type_plugin_be_apexrnd_aop.sql from the /apex_version_<your_version>/plugin or aop_linux_v<your_version>\v<your_version> directory (for the AOP Process type plug-in)

 Select the file dynamic_action_plugin_be_apexrnd_aop_da.sql from the /apex_version_<your_version>/plugin or aop_linux_v<your_version>\v<your_version> directory (for the AOP Dynamic Action type plug-in)

 Select the file dynamic_action_plugin_be_apexrnd_aop_convert_da.sql from the /apex_version_<your_version>/plugin or aop_linux_v<your_version>\v<your_version> directory (for the Convert Dynamic Action type plug-in)

 Select the file dynamic_action_plugin_be_apexrnd_aop_modal.sql from the /apex_version_<your_version>/plugin or aop_linux_v<your_version>\v<your_version> directory (for the Modal Dynamic Action type plug-in)

[applmgr@proderpappl ~]$ cd /apps/AOPServer/aop22.2/server/APEXOfficePrintLinux64_4096

[applmgr@proderpappl APEXOfficePrintLinux64_4096]$ ll

total 304768

-rwxrwxrwx 1 applmgr dba 312077953 Dec 30  2022 APEXOfficePrintLinux64

drwxr-xr-x 8 applmgr dba      4096 Feb 19 15:07 assets

[applmgr@proderpappl APEXOfficePrintLinux64_4096]$ ./APEXOfficePrintLinux64 --version

APEX Office Print version 22.2

Using node version v14.21.1

Memory Limit 4096

[applmgr@proderpappl APEXOfficePrintLinux64_4096]$ ./APEXOfficePrintLinux64    # trial run

Setting number of pdf retries to 3

Setting 120 seconds for idle request processing

Setting max size for request 200mb

No configuration found. Creating...

Could not find the license file. Expecting it to be in /apps/aop20.2/server/aop.license.

If your license file is somewhere else please give in the location with --license argument.

Trial has been enabled. Activate the software with '--activate' or '-a' option

[ConverterHandler]: Configuration file found. Adding custom converters.

[ConverterHandler]: Converter added: abiword

[ConverterHandler]: Number of parallel conversions for openofficeconverter 16

[ConverterHandler]: Number of parallel conversions for officetopdfconverter 1

[ConverterHandler]: Number of parallel conversions for abiword 1

Local resources (using local templates, images, ...) are disabled. Use --enable_local_resources to enable

Starting HTTP on port 8010

AOP 1 (HTTP) running

[applmgr@proderpappl APEXOfficePrintLinux64_4096]$ ./APEXOfficePrintLinux64 -a    # run with license activation

prompt: email:  Your_email_address

We are now contacting the server....

Sending license request for email: Your_email_address and mid: 461F549AE4690981CFFB3AA6D348143826E5FF2130F50747E62978572FFDEEA0

License successfully activated.

Starting HTTP on port 8010

email:Your_email_address

MID:461F549AE4690981CFFB3AA6D348143826E5FF2130F50747E62978572FFDEEA0

Generating license request file to upload on https://www.apexofficeprint.com/

Request file /apps/AOPServer/aop22.2/server/APEXOfficePrintLinux64_4096/aop_license.request generated, please use the file to generate the license file through the dashboard of https://www.apexofficeprint.com/.

--------------------------What This Means------------------------------

-a option = Activate AOP

The tool is sending a license activation request to the AOP license server.

mid = Machine ID (unique hardware fingerprint of your server)

It is waiting for license validation response

===================Offline Activation Steps===================

Use the generated request file

Already created: /apps/AOPServer/aop22.2/server/APEXOfficePrintLinux64_4096/aop_license.request

Go to: 👉 https://www.apexofficeprint.com/

Upload: aop_license.request

It will generate: aop_license.lic

Download it and Upload License File Back to Server

Place it in: /apps/AOPServer/aop22.2/server/APEXOfficePrintLinux64_4096/

Example: scp aop_license.lic applmgr@IP:/apps/AOPServer/aop22.2/server/APEXOfficePrintLinux64_4096/

Start AOP Server

[applmgr@proderpappl ~]$ cd /apps/AOPServer/aop22.2/server/APEXOfficePrintLinux64_4096

[applmgr@proderpappl APEXOfficePrintLinux64_4096]$ ./APEXOfficePrintLinux64

You should see: License activated

Server running on port 8010 (default port)

==========================================================================

Steps to Resolve the ACL Configuration:

Identify your APEX schema version: (e.g., APEX_240200).

Execute the following script as SYS or SYSTEM to grant the necessary privileges to your AOP server (replace 'print.apexofficeprint.com' with your actual AOP server/cloud URL; the example below uses 'proderpappl.nicsi.in'):

BEGIN
  dbms_network_acl_admin.append_host_ace(
    host => 'proderpappl.nicsi.in', -- AOP Cloud or Local URL
    ace  => xs$ace_type(
              privilege_list => xs$name_list('connect'),
              principal_name => 'APEX_240200', -- Change to your APEX version
              principal_type => xs_acl.ptype_db));
END;
/