Tuesday, February 17, 2026

Step by Step Clone 19c DB from source to target

Step by Step Manually Clone 19c DB from source to target

Environment:

  • Oracle 19c

  • Multitenant (CDB + PDBs)

  • Different server

  • Filesystem (no ASM)

  • Using RMAN full backup (not active duplicate)

Below is the correct production-grade procedure.


🔷 Architecture Assumption

Source:

  • CDB name: CDBPROD

  • PDBs inside: PDB1, PDB2

  • Backup location: /backup/rman/

Target:

  • New CDB name: CDBCLONE

  • Datafiles will go to /u02/oradata/CDBCLONE/


✅ STEP 1 — Take Full Backup on Source

On source:

export ORACLE_SID=CDBPROD
rman target /
BACKUP AS COMPRESSED BACKUPSET DATABASE PLUS ARCHIVELOG;
BACKUP CURRENT CONTROLFILE;

Confirm:

LIST BACKUP SUMMARY;

✅ STEP 2 — Copy Backup to Target

Copy all backup pieces + archivelogs:

scp -r /backup/rman/* oracle@target:/backup/rman/

Ensure permission:

chown -R oracle:oinstall /backup/rman

✅ STEP 3 — Prepare Target Server

On target server:

Set environment

export ORACLE_SID=CDBCLONE

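Create password file (omit password= so that orapwd prompts for the SYS password; a literal such as password=oracle stays in shell history and fails the default 19c password complexity check)

orapwd file=$ORACLE_HOME/dbs/orapwCDBCLONE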

✅ STEP 4 — Create Minimal PFILE (Important for CDB)

Create /tmp/initCDBCLONE.ora

db_name=CDBPROD
db_unique_name=CDBCLONE
enable_pluggable_database=TRUE

control_files='/u02/oradata/CDBCLONE/control01.ctl'

db_file_name_convert='/u02/oradata/CDBPROD/','/u02/oradata/CDBCLONE/'

log_file_name_convert='/u02/oradata/CDBPROD/','/u02/oradata/CDBCLONE/'

🔎 Critical:

  • db_name must match source CDB name

  • enable_pluggable_database=TRUE is mandatory


✅ STEP 5 — Start Instance NOMOUNT

sqlplus / as sysdba
startup nomount pfile='/tmp/initCDBCLONE.ora';

✅ STEP 6 — Restore Controlfile

rman target /
RESTORE CONTROLFILE FROM '/backup/rman/<controlfile_piece>.bkp';
ALTER DATABASE MOUNT;

✅ STEP 7 — Catalog Backup Pieces

CATALOG START WITH '/backup/rman/';

Verify:

LIST BACKUP;

✅ STEP 8 — Restore CDB (All PDBs Included)

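RUN {
  # %U gives every datafile a unique name; %b would map files that share a
  # base name in CDB$ROOT, PDB$SEED and the PDBs (system01.dbf, ...) to one path
  SET NEWNAME FOR DATABASE TO '/u02/oradata/CDBCLONE/%U';
  RESTORE DATABASE;
  SWITCH DATAFILE ALL;
}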

This restores:

  • CDB$ROOT

  • PDB$SEED

  • All PDBs automatically


✅ STEP 9 — Recover Database

RECOVER DATABASE;

Archivelogs will be applied automatically.


✅ STEP 10 — Open with RESETLOGS

ALTER DATABASE OPEN RESETLOGS;

Now entire CDB + PDBs should open.


✅ STEP 11 — Verify Multitenant

select name, open_mode from v$pdbs;
select name, cdb from v$database;

If PDBs are MOUNTED:

alter pluggable database all open;

✅ STEP 12 — Change DBID & DBNAME (Recommended)

To avoid backup conflicts:

nid target=/ dbname=CDBCLONE

This changes the DBID and renames the database to CDBCLONE.

Restart database.


✅ STEP 13 — Recompile Invalid Objects

@?/rdbms/admin/utlrp.sql

🔎 Important Multitenant Notes

✔ You do NOT restore PDB separately
✔ Entire CDB is restored as one unit
✔ All PDBs come automatically
✔ enable_pluggable_database=TRUE is mandatory
✔ Backup must be taken from CDB root


🚀 Cleaner Method (Recommended in 19c)

Instead of manual restore:

DUPLICATE DATABASE TO CDBCLONE
  BACKUP LOCATION '/backup/rman/'
  NOFILENAMECHECK;

For multitenant on different server, this is the safest and least error-prone method.

Tuesday, January 6, 2026

EBS 12.2 setup in DMZ for iRecruitment/iProcurement/iSupplier Portal

Below is a clear, step-by-step guide to set up Oracle E-Business Suite (EBS) 12.2 iRecruitment/iProcurement/iSupplier Portal in a DMZ.

I’ll keep it practical, ordered, and DBA-oriented, assuming you already know EBS basics.


1. Understand the Target Architecture (Before Touching Anything)

Goal:
Expose only the web tier to the internet (DMZ) for suppliers, while keeping Application + Database tiers private.

Typical DMZ Architecture

Internet
   |
[Firewall]
   |
[DMZ]
   |
External Web Tier (OHS)
   |
[Internal Firewall]
   |
Internal Web Tier + App Tier
   |
Database Tier

Key Principles

  • No DB or Forms traffic exposed to internet

  • Only HTTPS (443) open from Internet → DMZ

  • DMZ web tier is stateless

  • iSupplier uses OAF (HTML) → no Java Forms exposure needed


2. Prerequisites Checklist

Before setup, ensure:

  • EBS 12.2.x fully upgraded

  • Latest AD + TXK patches

  • SSL certificates ready (Public CA)

  • Separate servers:

    • DMZ Web Tier

    • Internal App Tier

    • DB Tier

  • DNS names defined:

    • External: supplier.company.com

    • Internal: internal-ebs.company.local


3. Prepare the DMZ Web Tier Server

OS Preparation

  • Same OS & version as internal web tier

  • Same users/groups (oracle, oinstall)

  • Time sync (NTP)

  • No database client required

Directory Structure

Example:

/u01/oracle/VIS_DMZ/fs1
/u01/oracle/VIS_DMZ/fs2
/u01/oracle/VIS_DMZ/fs_ne

4. Clone Web Tier to DMZ (Web-Only Clone)

You do NOT install a fresh EBS in DMZ.
You clone only the web tier.

Steps (High Level)

  1. On internal EBS:

    perl adpreclone.pl appsTier
    
  2. Copy required directories to DMZ server

  3. Run Rapid Clone on DMZ:

    perl adcfgclone.pl appsTier
    

During Clone

  • Choose Web Tier Only

  • Skip DB & App services

  • Set external hostname

  • Disable Forms, Concurrent, Admin services


5. Configure External Web Tier (DMZ)

After clone, configure OHS for external access.

Key Config Files

  • httpd.conf

  • ssl.conf

  • mod_wl_ohs.conf

mod_wl_ohs (Very Important)

Forward traffic to internal web/app tier:

<Location /OA_HTML>
   SetHandler weblogic-handler
   WebLogicHost internal-ebs.company.local
   WebLogicPort 8001
</Location>

Same for:

  • /OA_MEDIA

  • /OAFunc

  • /OA_JAVA


6. Enable SSL on DMZ Web Tier (Mandatory)

iSupplier must use HTTPS.

Steps

  1. Import public SSL cert into OHS wallet

  2. Configure:

    Listen 443
    SSLEngine on
    
  3. Enforce HTTPS redirect:

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    

7. Configure EBS Context Files (Critical)

External Node Context

Set:

<s_external_url>https://supplier.company.com</s_external_url>
<s_webentryhost>supplier.company.com</s_webentryhost>
<s_webentryprotocol>https</s_webentryprotocol>

Internal Node Context

Ensure:

<s_internal_url>http://internal-ebs.company.local</s_internal_url>

Run:

adautocfg.sh

8. Enable iSupplier Portal Responsibility

Check These Are Installed

  • iSupplier Portal (POS)

  • TCA

  • FND Web components

Profile Options (Important)

Set at Site level:

Profile | Value
Applications Servlet Agent | https://supplier.company.com
Applications Framework Agent | https://supplier.company.com
Self Service Web Applications | Enabled

9. Configure Guest Access (Optional but Common)

For supplier registration:

  • Responsibility: iSupplier Portal Full Access

  • User: GUEST

  • Enable self-registration if required


10. Firewall Rules (Very Important)

Internet → DMZ

  • TCP 443 (HTTPS)

DMZ → Internal

  • WebLogic ports (usually 8001/8003)

  • OHS → Internal Web tier only

Block Completely

  • Forms ports

  • Database ports

  • Admin ports


11. Testing Checklist

External Test

  • Open: https://supplier.company.com/OA_HTML/AppsLogin

  • Login as supplier

  • Open:

    • Home page

    • Purchase Orders

    • Invoices

Verify:

  • No Forms launch

  • No internal URLs exposed

  • SSL padlock valid


12. Security Hardening (Highly Recommended)

  • Disable /OA_HTML/AppsLocalLogin.jsp

  • Remove admin responsibilities from DMZ

  • Enable:

    • WAF

    • Rate limiting

  • Patch OHS regularly


13. Common Issues & Fixes

Blank Page After Login

➡ Usually the Applications Servlet Agent profile is wrong

Redirects to Internal URL

➡ Context file mismatch → rerun AutoConfig

Images Not Loading

➡ /OA_MEDIA not proxied correctly


14. Final Architecture Summary

Tier | Location
OHS (External) | DMZ
WebLogic (OAF) | Internal
Forms | Internal
DB | Internal

Below are ready-to-use configs, a firewall table, and a troubleshooting checklist for EBS 12.2 iSupplier Portal in DMZ.

1️⃣ Exact mod_wl_ohs.conf (DMZ Web Tier)

This is the most critical file.

📍 Location (DMZ node):

$EBS_DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/mod_wl_ohs.conf

✅ Recommended Production Configuration

# Load weblogic module
LoadModule weblogic_module ${ORACLE_HOME}/ohs/modules/mod_wl_ohs.so

# Default settings
WLProxySSL ON
WLProxySSLPassThrough ON
Debug OFF

# ===== OA Framework =====
<Location /OA_HTML>
   SetHandler weblogic-handler
   WebLogicHost internal-ebs.company.local
   WebLogicPort 8001
   WLIOTimeoutSecs 300
</Location>

<Location /OA_MEDIA>
   SetHandler weblogic-handler
   WebLogicHost internal-ebs.company.local
   WebLogicPort 8001
</Location>

<Location /OA_JAVA>
   SetHandler weblogic-handler
   WebLogicHost internal-ebs.company.local
   WebLogicPort 8001
</Location>

<Location /OAFunc>
   SetHandler weblogic-handler
   WebLogicHost internal-ebs.company.local
   WebLogicPort 8001
</Location>

# ===== Disable Forms Completely =====
<Location /forms>
   Require all denied
</Location>

👉 Do NOT proxy /forms for iSupplier.

Restart OHS:

$ADMIN_SCRIPTS_HOME/adapcctl.sh stop
$ADMIN_SCRIPTS_HOME/adapcctl.sh start
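
An added example (not part of the original post or of Oracle's tooling): a shell check that a mod_wl_ohs.conf proxies only the four paths listed above and still denies /forms. The function names, finding labels and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a mod_wl_ohs.conf so that
# only the paths the post proxies reach WebLogic and /forms stays denied.
ALLOWED="/OA_HTML /OA_MEDIA /OA_JAVA /OAFunc"   # allowlist taken from the post

audit_wl_conf() {   # usage: audit_wl_conf FILE -> prints findings, returns 1 if any
  awk -v allowed="$ALLOWED" '
    BEGIN { bad = 0; n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^[ \t]*#/ { next }                                   # ignore comment lines
    /^[ \t]*<Location[ \t]/ {                             # block opens
      path = $2; sub(/>.*/, "", path); gsub(/"/, "", path)
      proxied = 0; denied = 0; next
    }
    path != "" && tolower($0) ~ /sethandler[ \t]+weblogic-handler/ { proxied = 1 }
    path != "" && tolower($0) ~ /require[ \t]+all[ \t]+denied/     { denied = 1 }
    /^[ \t]*<\/Location>/ {                               # block closes: judge it
      if (proxied && !(path in ok)) { print "UNEXPECTED_PROXY " path; bad = 1 }
      if (path == "/forms" && denied && !proxied) forms_denied = 1
      path = ""
    }
    END {
      if (!forms_denied) { print "FORMS_NOT_DENIED"; bad = 1 }
      exit bad
    }
  ' "$1"
}

# Constructed sample that mirrors the configuration shown in the post.
sample_good() {
  for p in $ALLOWED; do
    printf '<Location %s>\n   SetHandler weblogic-handler\n</Location>\n' "$p"
  done
  printf '<Location /forms>\n   Require all denied\n</Location>\n'
}

# Constructed sample: /forms is proxied to WebLogic and nothing denies it.
sample_bad() {
  printf '<Location /OA_HTML>\n   SetHandler weblogic-handler\n</Location>\n'
  printf '<Location /forms>\n   SetHandler weblogic-handler\n</Location>\n'
}

tmp=$(mktemp)
sample_bad > "$tmp"
audit_wl_conf "$tmp" || echo "constructed bad sample: audit failed as expected"
rm -f "$tmp"
```

Run it against the DMZ node's file after every AutoConfig run, since regenerated configuration can reintroduce Location blocks that were removed by hand.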

2️⃣ SSL Configuration (DMZ OHS)

📍 File:

ssl.conf

Minimum Required

Listen 443

<VirtualHost *:443>
   ServerName supplier.company.com

   SSLEngine on
   SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
   SSLCipherSuite HIGH:!aNULL:!MD5
   SSLHonorCipherOrder on

   SSLCertificateFile /u01/ssl/public.crt
   SSLCertificateKeyFile /u01/ssl/private.key
   SSLCertificateChainFile /u01/ssl/chain.crt
</VirtualHost>

Force HTTPS Redirect

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]

3️⃣ Firewall Rules (Clear Table)

🌐 Internet → DMZ

Source | Destination | Port | Purpose
Any | DMZ OHS | 443 | Supplier access

🔥 DMZ → Internal Network

Source | Destination | Port | Purpose
DMZ OHS | Internal WebLogic | 8001 | OAF
DMZ OHS | Internal WebLogic | 8003 | SSL (if used)

❌ Block Completely

Port | Reason
1521 | DB security
7777 | Internal OHS
9000+ | Admin ports
Forms ports | Not needed

4️⃣ EBS Context File Settings (Very Important)

DMZ Web Tier Context

<s_webentryprotocol>https</s_webentryprotocol>
<s_webentryhost>supplier.company.com</s_webentryhost>
<s_webentryurl>https://supplier.company.com</s_webentryurl>
<s_external_url>https://supplier.company.com</s_external_url>

Internal Web Tier Context

<s_webentryprotocol>http</s_webentryprotocol>
<s_webentryhost>internal-ebs.company.local</s_webentryhost>
<s_internal_url>http://internal-ebs.company.local</s_internal_url>

Run on both tiers:

adautocfg.sh

5️⃣ Mandatory Profile Options (Site Level)

Profile Name | Value
Applications Servlet Agent | https://supplier.company.com
Applications Framework Agent | https://supplier.company.com
ICX: Session Timeout | 180
Self Service Personal Home Page Mode | Framework

6️⃣ Testing URLs (Order Matters)

Login Page

https://supplier.company.com/OA_HTML/AppsLogin

iSupplier Home

https://supplier.company.com/OA_HTML/OA.jsp?OAFunc=POS_HOME

Media Test

https://supplier.company.com/OA_MEDIA/FNDSSCORP.gif

✔ Image loads = proxy OK
❌ Broken image = /OA_MEDIA issue


7️⃣ Common Issues & Fixes (Real-World)

❌ Redirects to Internal URL

Cause: Wrong profile or context
Fix:

  • Check Applications Servlet Agent

  • Re-run adautocfg.sh


❌ Blank Page After Login

Cause: WebLogic port blocked
Fix:

telnet internal-ebs.company.local 8001

❌ CSS / Images Missing

Cause: /OA_MEDIA not proxied
Fix: Add <Location /OA_MEDIA>


❌ Supplier Can See Forms

Cause: Forms not blocked
Fix:

<Location /forms>
   Require all denied
</Location>

8️⃣ Security Hardening (Strongly Recommended)

✔ Disable local login:

/OA_HTML/AppsLocalLogin.jsp

✔ Enable:

  • Web Application Firewall (WAF)

  • Rate limiting

  • IDS/IPS

✔ Patch regularly:

  • OHS PSU

  • EBS CPU


9️⃣ Final Production Checklist ✅

  • SSL works end-to-end

  • No internal hostname leaks

  • No Forms access

  • Only 443 exposed

  • Suppliers can view:

    • POs

    • Invoices

    • Payments


