Add in Patching of the Oracle Java JDK for Oracle Databse (#146)

martinfanning1 · Martin Fanning · web-flow · commit 7afec5e9b4ea · 2026-01-06T09:34:54.000Z
* Add in Patching of the Oracle JDK

Add in Patching of the Oracle JDK which looks to be now released as a seperate Patch to the Databae Patch

This often causes compliancy issues in Qualys - so adding in this extra tasks - only ran if the specific var file has a jdk_patch_filename specified - to add this patch.

Kept it seperate in case there is not JDK Patch.

* Update Galaxy

Update Galaxy

* Update Java version of latest OHS 12.2.1.4

Update Java version of latest OHS 12.2.1.4 to ensure compiance in Qualys...

This is likely the last OHS fixpack for 12.2.1.4..
So Java version should be updated each quarter..

---------

Co-authored-by: Martin Fanning &lt;mfanning@merative.com&gt;
diff --git a/galaxy.yml b/galaxy.yml
@@ -11,7 +11,7 @@ name: spm_middleware
 
 # The version of the collection. Must be compatible with semantic versioning
 # Please note. version also exists in /github/workflows/release.yml and will need to be update also
-version: 1.10.1
+version: 1.10.2
 
 # The path to the Markdown (.md) readme file. This path is relative to the root of the collection
 readme: README.md
diff --git a/roles/ohs/vars/v12.2.1.4.250609.yml b/roles/ohs/vars/v12.2.1.4.250609.yml
@@ -26,8 +26,8 @@ opatch_version: 13.9.4.2.20
 opatch_folder: 6880880
 
 # JDK Information
-java_zip_path: 'WLS/jdk-8u461-linux-x64.tar.gz'
-java_version_path: 'jdk1.8.0_461'
+java_zip_path: 'WLS/jdk-8u471-linux-x64.tar.gz'
+java_version_path: 'jdk1.8.0_471'
 jdk_folder: "{{ ohs_home }}/oracle_common/jdk"
 
 template_jar: "ohs_standalone_template.jar"
diff --git a/roles/oracle/tasks/jdkpatch.yml b/roles/oracle/tasks/jdkpatch.yml
@@ -0,0 +1,70 @@
+---
+- name: Check if JDK patch already applied
+  become: yes
+  become_user: oracle
+  shell: "{{ oracle_home }}/OPatch/opatch lsinventory | grep -q {{ jdk_patch_number }}"
+  ignore_errors: true
+  register: jdk_patch_applied
+  changed_when: false
+  environment:
+    ORACLE_HOME: "{{ oracle_home }}"
+
+- name: "Copy JDK Patch {{ jdk_patch_filename }}"
+  copy:
+    src: "{{ oracle_installer_path }}/{{ jdk_patch_filename }}"
+    dest: "/tmp//{{ jdk_patch_filename }}"
+    owner: oracle
+    group: oinstall
+  when: download_url is not defined and jdk_patch_applied.rc != 0
+
+- name: "Download JDK Patch {{ jdk_patch_filename }}"
+  get_url:
+    url: "{{ download_url }}/{{ oracle_installer_path }}/JDKPatch/{{ jdk_patch_filename }}"
+    dest: "/tmp/{{ jdk_patch_filename }}"
+    owner: oracle
+    group: oinstall
+    headers: "{{ download_header }}"
+  when: download_url is defined and jdk_patch_applied.rc != 0
+
+- name: "Extract JDK Patch {{ jdk_patch_filename }}"
+  unarchive:
+    remote_src: yes
+    src: "/tmp/{{ jdk_patch_filename }}"
+    dest: /tmp/
+    owner: oracle
+    group: oinstall
+  when: jdk_patch_applied.rc != 0
+
+- name: "Apply JDK Patch {{ jdk_patch_number }}"
+  become: yes
+  become_user: oracle
+  command: $ORACLE_HOME/OPatch/opatch apply -silent
+  args:
+    chdir: "/tmp/{{ jdk_patch_number }}"
+  environment:
+    ORACLE_HOME: "{{ oracle_home }}"
+    ORACLE_SID: "{{ oracle_sid }}"
+  async: 900
+  poll: 0
+  register: patch_checker
+  when: jdk_patch_applied.rc != 0
+
+# Avoid travis timeout
+- name: 'JDK Patch - check status'
+  become: yes
+  become_user: oracle
+  async_status:
+    jid: "{{ patch_checker.ansible_job_id }}"
+  register: job_result
+  until: job_result.finished
+  retries: 30
+  delay: 30
+  when: jdk_patch_applied.rc != 0
+
+- name: Cleanup
+  file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - /tmp/{{ jdk_patch_filename }}
+    - /tmp/{{ jdk_patch_number }}
diff --git a/roles/oracle/tasks/main.yml b/roles/oracle/tasks/main.yml
@@ -28,6 +28,22 @@
   include_tasks: "patch.yml"
   when: patch_filename is defined and oracle_version_status.rc != 0
 
+- name: Check if JDK Patch already applied
+  become: yes
+  become_user: oracle
+  # shell: "echo 'SELECT * FROM v$version;' | $ORACLE_HOME/bin/sqlplus / as sysdba | grep -i {{ oracle_version }}"
+  shell: "$ORACLE_HOME/OPatch/opatch lspatches | grep -i {{ jdk_patch_number }}"
+  register: jdk_version_status
+  changed_when: False
+  ignore_errors: True
+  environment:
+    ORACLE_HOME: "{{ oracle_home }}"
+    ORACLE_SID: "{{ oracle_sid }}"
+
+- name: Install JDK Patch
+  include_tasks: "jdkpatch.yml"
+  when: jdk_patch_filename is defined and jdk_version_status.rc != 0
+
 - name: Props and Profile
   include_tasks: "dot_profile.yml"
 
diff --git a/roles/oracle/vars/v19.29.0.0.0.yml b/roles/oracle/vars/v19.29.0.0.0.yml
@@ -12,3 +12,7 @@ patch_number: 38291812  # used for directory
 # Add OPatch values when bundled OPatch needs to be upgraded
 opatch_filename: p6880880_190000_Linux-x86-64.zip
 opatch_version: 12.2.0.1.48
+
+# jdk patch values
+jdk_patch_filename: p38245243_190000_Linux-x86-64.zip
+jdk_patch_number: 38245243 # used for directory
