PeopleSoft 8.59 Infra DPK and Critical Patch Updates - Tuxedo and DB
Further to my last article about applying critical patches to the web server, lets take a look at the application and database servers.
Which Servers?
In my mind WebLogic runs on the web tier, and Tuxedo runs on the Application and process scheduler tier. The Oracle Client is also on the Application and process scheduler tier. However, since these and Java are installed on all tiers, we should apply the patches on all tiers.
Checking the Tuxedo Version
It seems that WebLogic and Tuxedo on my application server are not linked to the central repository. So if I try to list the installed patches, I just get an error:
|
|
If I specify the inventory location by adding the -invPtrLoc
parameter,
specifying the invPrt.loc
. file in the Oracle Home, it works:
|
|
So we can see we have Tuxedo 12.2.2.0.0 installed, and we need a patch for it.
Optionally Attach the Home to the Central Inventory
The home can be attached to the central inventory using the following command:
|
|
This will save using the -invPtrLoc
argument. I didn’t do this, so I will
need to keep specifying that argument.
Finding the Tuxedo Patch
Tuxedo is a component of Fusion Middleware. We find the patches by following the security advisory like we did for WebLogic From the latest security advisory:
- Click on one of the entries for Fusion Middleware in the right column which opens Oracle Doc ID 2853458.2
- Click the Products button
- This time we need to click on Oracle Tuxedo
- Click on the Click here link in the Patch Advisor column
- Oracle Support Doc ID 2806740.2 opens, this time the Tuxedo tab is already selected for us.
- In Step 3: Update Tuxedo Products, we can see there are three patches. I note that the one for SALT, and the one for TSAM are old. If they are required, they will already be in the DPK. It is only the current quarters patches that are missing.
- Click to download the patch from the table Oracle Tuxedo 12.2.2
- The patch download page displays. Ensure the correct operating system is selected. I find the web page has a tendency to change the OS back to Oracle Solaris, so double check it! If you get an error applying the patch this might be why!
Shut down the Application Servers
We can use systemd to do this as root
|
|
Or we can switch users to psadm2
and use psadmin.
Updating OPatch
The zip file contains a README.txt file containing instructions to apply the patch. We need to check if the OPatch version is high enough:
|
|
That isn’t correct, it needs to be version 12.1.0.1.0 or later. So we need to
download it from patch 6880880
. I find the readme to be rather unclear. It
says:
In ARU, select the patch for release 18.0.0.0.0
ARU is Automated Release Update, only accessable to Oracle staff. So that’s impossible for us to do. Looking in the Oracle Support Portal I can see there are opatch versions for Fusion Middleware, but they are all really old. It seems Oracle want us to download the version for the database. I downloaded
OPatch 12.2.0.1.30 for DB 18.0.0.0.0 (Apr 2022)(Patch)
But I am not patching a database, so that doesn’t make sense. But it
seems to work. It is installed by unzipping the
file. As psadm1
:
|
|
Applying the Tuxedo Patch
Now that we have the correct version of OPatch, we can apply the patch. We need
to unzip the downloaded zip file to extract the actual patch zip file that
we can apply. Once again I don’t have fuser
installed and OPatch needs it.
This version of OPatch doesn’t respect the OPATCH_NO_FUSER
variable,
so I created my own dummy fuser in the path. As root:
|
|
Then I can apply the patch as psadm1
. As always long lines have been edited
in the following output.
|
|
So that’s Tuxedo done. Now on to the database client!
Database Client
Once again the database client is installed on all tiers, so should be patched on all tiers.
What is Installed
The database client is installed (by default) as oracle2
, so that is the user
we need to use to maintain it. So as oracle2
we can run the following to see
what is installed:
|
|
We could also use lspatches, which gives a shorter output.
|
|
So we see Oracle have applied the last quarters release update. We just need to apply the one from this quarter.
Downloading the Patch
From the security alerts page, we follow the link to this quarters Critical Patch Update announcement. Normally I don’t pay much attention to the actual security alerts, as we tend to apply the security updates as fast as we can regardless of their severity. However, since this patch is a database roll up, you might decide that being a quarter behind is OK if none of the security alerts affect the client. If you want to have a look, then click on the text in the left hand column: Oracle Database Server, versions 12.1.0.2, 19c, 21c We can see this quarter than all of the security alerts affect a running database rather than the client. However, lets patch it anyway. It could be argued vulnerable code on the operating system might be used in some way by an attacker. Also I’m writing automation so I need to know how to patch the client in case we do need to apply a client patch.
- Click on Database in the right hand column of the security alerts page.
- Oracle support Doc ID 2844795.1 displays.
- We noted above that the database client was version 19, so we need section 3.1.7.3 Oracle Database 19
- Looking at the table Patch Availability for Oracle Database 19 we want the second row titled Oracle Database Server home, and from there we need to download the Database Release Update 19.15.0.0.220419 Patch 33806152
Downloading OPatch
Attempting to apply the patch gives the following error (Despite the README not mentioning a minimum OPatch version):
|
|
Let’s download the latest one.
Downloading OPatch is similar to above.
- Log in to Oracle Support
- Select the Patches & Updates tab
- Search for patch 6880880 for your operating system (In my case Linux x86-64)
- Find the patch with description OPatch 12.2.0.1.30 for DB 19.0.0.0.0 (Apr 2022) (Patch) Of course the version and date will change.
- Select the line and click Download.
Upgrading OPatch
Similarly to what we did with Tuxedo. As user oracle2
|
|
Patching the client
Now we can patch the client. As normal it is good practice to shut things down
before patching. OPATCH_NO_FUSER
is not honoured, so I created my own fuser
as with Tuxedo. As root
|
|
To apply the patch, as oracle2
run the following
|
|
Sub patch 33515361 is the previous quarters CPU which was applied by Oracle, so that makes sense. Doc ID 2161861.1 refers to rolling back patches. The new functionality is that the previous patch is inactivated rather than rolled back. If the patch is rolled back, the previous roll-up patch is reactivated, which actually makes more sense. Anyway, there is nothing else we need to do, so we can restart the processes.
Things I do not Understand
There is still a vulnerable version of Java in the database client home:
|
|
even though it is fully patched. So the latest tools patch contains the oracle client patched from last quarter, and the Java within the client home from six months ago. Also it is version 1.8 so to patch that I would have to download that version of Java.
In Understanding PeopleSoft Deployment Packages for Update Images Oracle say:
DPKs allow fast deployment of a PeopleSoft environment on supported hardware platform allowing you to skip the manual steps associated with the following:
- Installing third-party products such as Oracle Tuxedo and WebLogic and the latest patches (CPUs)
That is simply not true. I have had to apply 5 patches on each tier.
Conclusion
So now we have patched the web, application and process scheduler tiers with the latest critical patch updates. We don’t need to wait for Oracle to deliver the infra-dpks before we patch, which may enable us to be more secure.