Instruction

Installing the Oracle APEX 24.2 Runtime-Only Schema into an Existing Oracle 19c PDB (Runtime-Only Install Method)

This instruction installs the Oracle Application Express 24.2 runtime-only schema (APEX_240200) into a pre-existing Oracle Database 19c pluggable database (PDB) using the apxrtins.sql script. The procedure uses pre-created APEX and APEX_FILES tablespaces, sets a custom password on every APEX-created database account, points the instance at Oracle's public CDN for static resources, and configures outbound SMTP through the APEX_INSTANCE_ADMIN package. After completing this instruction, the PDB hosts a runtime-only APEX instance that is ready for application import — the Application Builder, SQL Workshop, and web-based admin UI are intentionally not present.

Assumptions

This instruction assumes:

  • An Oracle Linux 8 or 9 (x86_64) database host running Oracle Database 19c Enterprise Edition or Standard Edition 2 (19.3 base or any current Release Update). APEX 24.2 requires 19c or later.
  • A multitenant CDB with at least one open PDB. APEX is installed locally inside the target PDB (CDB$ROOT does not get APEX).
  • SYS-as-SYSDBA access to both CDB$ROOT and the target PDB.
  • The APEX 24.2 distribution zip (apex_24.2_en.zip or apex_24.2.zip) is downloaded from Oracle and unzipped on the database host into a path the oracle OS user can read. The English-only zip requires 670 MB of disk space; the multi-language zip requires 1,178 MB.
  • The unzipped path contains no spaces (e.g., /u01/install/apex_24.2/).
  • The reader has the SMTP relay parameters (host, port, username, password, TLS mode, default From address) for the email service APEX will use.
  • The reader will configure ORDS or another web listener separately. This instruction does not make APEX runtime applications reachable from a web browser by itself.
  • End-user browsers have outbound HTTPS connectivity to static.oracle.com (the APEX CDN endpoint). Air-gapped browsers must use apxldimg.sql instead — out of scope here.
  • The database host has outbound TCP connectivity to the SMTP relay on the chosen port (25, 465, or 587).
  • The reader understands this is a runtime-only deployment: applications are developed elsewhere on a full-development APEX instance and imported into this runtime via SQLcl using the APEX_240200 schema or a schema granted APEX_ADMINISTRATOR_ROLE.
  • No PDB or CDB restart is required after apxrtins.sql completes. Oracle's documented "Restarting Processes" post-install step refers only to OS-level processes (such as the listener or ORDS) that the operator manually stopped before the install.

Prerequisites

Automatic setup

The apxrtins.sql script handles the following automatically when invoked inside the target PDB:

  • Creates the APEX_240200 schema (the APEX engine schema) and the FLOWS_FILES schema (the APEX file storage schema).
  • Creates the APEX_PUBLIC_USER and APEX_PUBLIC_ROUTER accounts with random initial passwords.
  • Assigns the APEX_240200 schema to tablespace_apex, the FLOWS_FILES schema to tablespace_files, and the temporary tablespace to tablespace_temp.
  • Installs the APEX_INSTANCE_ADMIN package and the WWV_FLOW% packages required to run APEX applications.

The runtime installer does not auto-perform any of the following — every item below must be done manually post-install (the silent installer apxsilentins.sql absorbs these steps; apxrtins.sql does not):

  • Create the Instance Administrator account (run apxchpwd.sql).
  • Create the APEX_LISTENER and APEX_REST_PUBLIC_USER accounts (run apex_rest_config.sql).
  • Unlock and set a custom password on APEX_PUBLIC_USER.
  • Configure APEX_PUBLIC_ROUTER.
  • Grant a network ACL to the APEX engine schema for outbound SMTP.
  • Recompile invalid objects with utlrp.sql.

Manual setup

Each prerequisite below has a verification command. Run every check before proceeding to the main procedure.

  1. Verify the database version is 19c or later.

Connect to the target PDB as SYS-as-SYSDBA and run:

SELECT version_full FROM product_component_version;

Expected output:

VERSION_FULL
-------------
19.{RU}.0.0.0

{RU} is the installed Release Update. Any 19.x is acceptable.

  2. Verify the CDB/PDB topology and that the target PDB is open in READ WRITE mode.

From a SYS-as-SYSDBA session in CDB$ROOT:

SHOW CON_NAME;
SELECT name, open_mode FROM v$pdbs ORDER BY name;

Expected output:

CON_NAME
---------
CDB$ROOT

NAME            OPEN_MODE
--------------- ----------
{PDB_NAME}      READ WRITE
PDB$SEED        READ ONLY

{PDB_NAME} is the target PDB; it must be READ WRITE.

  3. Set WORKAREA_SIZE_POLICY to AUTO system-wide.

This is required by Oracle for any APEX install in a CDB. Run from CDB$ROOT as SYS-as-SYSDBA:

ALTER SYSTEM SET WORKAREA_SIZE_POLICY=AUTO SCOPE=BOTH;

Expected output:

System altered.

The setting may be reverted to MANUAL after the install if site policy requires it (see Cleanup Step 2).

  4. Confirm the APEX 24.2 distribution is unzipped on the database host into a no-spaces path.

ls -1 /u01/install/apex_24.2/apxrtins.sql /u01/install/apex_24.2/apxchpwd.sql /u01/install/apex_24.2/apex_rest_config.sql

Expected output:

/u01/install/apex_24.2/apxrtins.sql
/u01/install/apex_24.2/apxchpwd.sql
/u01/install/apex_24.2/apex_rest_config.sql

  5. Generate strong passwords ahead of time for every APEX account that will be customized.

You will need five distinct passwords:

| Account | How the password is set | Constraints |
|---|---|---|
| APEX_PUBLIC_USER | ALTER USER ... IDENTIFIED BY (post-install) | Database default profile rules apply (which are temporarily disabled — see step 7) |
| APEX_PUBLIC_ROUTER | ALTER USER ... IDENTIFIED BY (post-install, defensive hardening — see procedure step 9) | Database default profile rules apply |
| APEX_LISTENER | Positional parameter 1 to apex_rest_config.sql | Database default profile rules apply |
| APEX_REST_PUBLIC_USER | Positional parameter 2 to apex_rest_config.sql | Database default profile rules apply |
| Instance Administrator | Entered interactively at the apxchpwd.sql prompt | At least 6 characters, at least one numeric, at least one of ! " # $ % & ( ) \ * + , - / : ; ? _`, at least one uppercase letter |

  6. Confirm a usable TEMP tablespace exists in the target PDB.

Connect to the target PDB and run:

SELECT tablespace_name, contents FROM dba_tablespaces WHERE contents = 'TEMPORARY';

Expected output:

TABLESPACE_NAME    CONTENTS
------------------ ------------
TEMP               TEMPORARY

  7. Confirm the target PDB is reachable via ALTER SESSION SET CONTAINER.

From CDB$ROOT as SYS-as-SYSDBA:

ALTER SESSION SET CONTAINER = {PDB_NAME};
SHOW CON_NAME;

Expected output:

Session altered.

CON_NAME
---------
{PDB_NAME}
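
One way to produce the five passwords called for in the password prerequisite above, as an added example that is not part of the original instruction. It assumes a POSIX shell with /dev/urandom, starts every password with a letter and limits punctuation to _ and # (both in the allowed list) so the values can be used unquoted in ALTER USER ... IDENTIFIED BY and as SQL*Plus positional parameters; the function names and INSTANCE_ADMIN_PWD are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the original instruction). Function names and
# INSTANCE_ADMIN_PWD are hypothetical; the other *_PWD names are the
# placeholders used in this procedure.
LC_ALL=C; export LC_ALL   # byte-oriented ranges for case patterns and tr

# rand_chars ALPHABET COUNT: COUNT characters drawn uniformly from ALPHABET
# (a tr set). Bytes outside the set are discarded, so there is no modulo bias.
rand_chars() {
    _out=
    while [ "${#_out}" -lt "$2" ]; do
        _out=$_out$(head -c 64 /dev/urandom | tr -dc "$1")
    done
    printf '%s\n' "$_out" | cut -c "1-$2"
}

# is_valid_apex_pwd PASSWORD: exit 0 when PASSWORD meets the Instance
# Administrator rules listed above and is safe to use unquoted.
is_valid_apex_pwd() {
    _pw=$1
    [ "${#_pw}" -ge 6 ] || return 1                        # at least 6 characters
    case "$_pw" in [A-Za-z]*) ;; *) return 1 ;; esac       # starts with a letter
    case "$_pw" in *[!A-Za-z0-9_#]*) return 1 ;; esac      # identifier-safe characters only
    case "$_pw" in *[0-9]*) ;; *) return 1 ;; esac         # at least one numeric
    case "$_pw" in *[A-Z]*) ;; *) return 1 ;; esac         # at least one uppercase letter
    case "$_pw" in *[_#]*) ;; *) return 1 ;; esac          # at least one listed punctuation mark
    return 0
}

# gen_apex_pwd [LENGTH]: print one random password (default 24 characters).
# Candidates that miss a rule are discarded and redrawn.
gen_apex_pwd() {
    _len=${1:-24}
    [ "$_len" -ge 6 ] || return 1
    while :; do
        _cand=$(rand_chars 'A-Za-z' 1)$(rand_chars 'A-Za-z0-9_#' $((_len - 1)))
        if is_valid_apex_pwd "$_cand"; then
            printf '%s\n' "$_cand"
            return 0
        fi
    done
}

# write_apex_pwd_file PATH: write NAME=password lines for the five accounts to
# PATH, readable by the owner only, and confirm the five values are distinct.
write_apex_pwd_file() {
    pwd_file=$1
    (
        umask 077
        rm -f "$pwd_file"
        for name in APEX_PUBLIC_USER_PWD APEX_PUBLIC_ROUTER_PWD APEX_LISTENER_PWD \
                    APEX_REST_PUBLIC_USER_PWD INSTANCE_ADMIN_PWD; do
            printf '%s=%s\n' "$name" "$(gen_apex_pwd 24)" >>"$pwd_file"
        done
    )
    [ "$(cut -d= -f2 "$pwd_file" | sort -u | wc -l)" -eq 5 ]
}

# Usage: sh apex_pwgen.sh --write /path/to/apex_pwds.env
if [ "${1:-}" = "--write" ] && [ -n "${2:-}" ]; then
    write_apex_pwd_file "$2"
fi
```

Delete the generated file once the passwords are stored in the site's secret store.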

Additional setup

  1. Note the SMTP relay parameters APEX will use. You need: SMTP host, SMTP port, SMTP username, SMTP password, TLS mode (N, Y, or STARTTLS), and the default From address.

  2. Determine whether an Oracle Wallet is required.

| SMTP_TLS_MODE | Wallet required? |
|---|---|
| N | No — unencrypted; no wallet needed |
| Y | Yes — encrypted before data is sent; wallet required |
| STARTTLS | Recommended whenever the SMTP server presents a TLS certificate signed by a private/internal CA, to avoid ORA-29024 |

  3. (Conditional) Create the Oracle Wallet and add the SMTP server's CA certificate to its trust store. Run as the oracle OS user:

mkdir -p /u01/app/oracle/wallets/apex
orapki wallet create -wallet /u01/app/oracle/wallets/apex -pwd {WALLET_PWD} -auto_login
orapki wallet add -wallet /u01/app/oracle/wallets/apex -trusted_cert -cert /path/to/smtp-ca.pem -pwd {WALLET_PWD}
orapki wallet display -wallet /u01/app/oracle/wallets/apex

{WALLET_PWD} — the wallet password the reader chooses; it will later be set as the APEX WALLET_PWD instance parameter.

Expected output:

Oracle PKI Tool Release ...
...
Trusted Certificates:
Subject:        CN=...,O=...,L=...

  4. Verify network egress from the database host to the SMTP server on the chosen port (this is OS-level connectivity; the in-database ACL grant is performed in the procedure):

timeout 5 bash -c '</dev/tcp/{SMTP_HOST}/{SMTP_PORT}' && echo "REACHABLE" || echo "BLOCKED"

Expected output:

REACHABLE

Installation

Step 1: Connect as SYS and switch into the target PDB

From the database host as the oracle OS user:

cd /u01/install/apex_24.2
sqlplus / as sysdba

Inside SQL*Plus:

ALTER SESSION SET CONTAINER = {PDB_NAME};
SHOW CON_NAME;

Expected output:

Session altered.

CON_NAME
---------
{PDB_NAME}

{PDB_NAME} — the target PDB into which APEX 24.2 will be installed.

Step 2: Disable password complexity on the PDB's default profile

The seeded random passwords used internally during install may be rejected by an active password verify function. Disable the verify function for the duration of the install. The original setting will be restored in Cleanup Step 1.

First record the current value so it can be restored later:

SELECT resource_name, limit FROM dba_profiles
WHERE profile = 'DEFAULT' AND resource_name = 'PASSWORD_VERIFY_FUNCTION';

Expected output:

RESOURCE_NAME              LIMIT
-------------------------- ----------
PASSWORD_VERIFY_FUNCTION   {ORIGINAL_VALUE}

{ORIGINAL_VALUE} is typically NULL on a new database or a function name such as ORA12C_STRONG_VERIFY_FUNCTION. Save it.

Then disable the verifier inside the PDB session:

ALTER PROFILE default LIMIT password_verify_function null;

Expected output:

Profile altered.

Step 3: Create the custom APEX tablespaces

Create the two non-default tablespaces required for the runtime install. Adjust the datafile paths to match the target PDB's storage layout (the example uses Oracle Managed Files — replace '+DATA' with an absolute path such as '/u02/oradata/{PDB_NAME}/apex01.dbf' for filesystem storage).

Warning: The APEX and APEX_FILES tablespaces must be created inside the target PDB before apxrtins.sql runs. If they are missing or the session is not in the PDB, the script fails with "tablespace does not exist".

CREATE TABLESPACE APEX
  DATAFILE '+DATA' SIZE 300M AUTOEXTEND ON NEXT 50M MAXSIZE UNLIMITED
  LOGGING
  EXTENT MANAGEMENT LOCAL AUTOALLOCATE
  SEGMENT SPACE MANAGEMENT AUTO;

CREATE TABLESPACE APEX_FILES
  DATAFILE '+DATA' SIZE 100M AUTOEXTEND ON NEXT 50M MAXSIZE UNLIMITED
  LOGGING
  EXTENT MANAGEMENT LOCAL AUTOALLOCATE
  SEGMENT SPACE MANAGEMENT AUTO;

Expected output:

Tablespace created.

Tablespace created.

The 300 MB / 100 MB starter sizes are not Oracle-prescribed for a runtime install; Oracle's 24.2 requirements page documents a 260 MB minimum for the APEX tablespace on a full install. Runtime is smaller in practice but Oracle does not publish a separate runtime minimum. Both tablespaces autoextend, so they will grow as needed.

Verify both tablespaces exist:

SELECT tablespace_name, status, bytes/1024/1024 AS size_mb
FROM dba_data_files
WHERE tablespace_name IN ('APEX','APEX_FILES')
ORDER BY tablespace_name;

Expected output:

TABLESPACE_NAME    STATUS      SIZE_MB
------------------ ----------- ----------
APEX               AVAILABLE   300
APEX_FILES         AVAILABLE   100

Step 4: Run the runtime-only installer

From the same SQL*Plus session, still connected to the target PDB:

@apxrtins.sql APEX APEX_FILES TEMP /i/

The four positional parameters are: tablespace_apex, tablespace_files, tablespace_temp, images. The apxrtins.sql script accepts no passwords on the command line. The /i/ virtual image directory is Oracle's recommended value to support future APEX upgrades.

Warning: Do not redirect the SQL*Plus session output. The installer takes 10–30 minutes depending on host performance and writes its log to apxrtins.log in the current directory. Spool to a separate file if you need a transcript.

The script ends with a final compile/validation phase. The last lines should report the install completed and an APEX version banner. Capture the log:

ls -l /u01/install/apex_24.2/apxrtins.log
grep -E "(ORA-|PLS-|FAILED|completed)" /u01/install/apex_24.2/apxrtins.log | tail -20

Expected output:

... apxrtins.log
PL/SQL procedure successfully completed.
... Oracle Application Express Runtime Installation completed successfully.

Step 5: Create the Instance Administrator with apxchpwd.sql

This is Oracle's documented post-install step §6.3.2. The runtime install does not seed an Instance Administrator — apxchpwd.sql creates it on a new install.

From the same SQL*Plus session in the target PDB:

@apxchpwd.sql

The script prompts for a username, an email address, and a password; follow the on-screen instructions to supply each. The password must contain at least 6 characters, at least one numeric, at least one of ! " # $ % & ( ) \ * + , - / : ; ? _`, and at least one uppercase letter.

Step 6: Restart processes (Oracle §6.3.3)

If any application or web-tier processes were stopped before the install (for example, an existing ORDS instance, a connection pool, or the listener), restart them now. In a fresh runtime install where ORDS has not yet been configured, this step is typically a no-op.

If the database listener was stopped, restart it as the oracle OS user from a separate shell:

lsnrctl status
lsnrctl start

Expected output:

LSNRCTL for Linux: ...
The command completed successfully

Step 7: Set a custom password on APEX_PUBLIC_USER (Oracle §6.3.4)

Oracle requires APEX_PUBLIC_USER to be unlocked and given a non-default password before the database access descriptor (DAD) is configured.

From the same SQL*Plus session in the target PDB:

ALTER USER APEX_PUBLIC_USER ACCOUNT UNLOCK;
ALTER USER APEX_PUBLIC_USER IDENTIFIED BY {APEX_PUBLIC_USER_PWD};

Expected output:

User altered.

User altered.

{APEX_PUBLIC_USER_PWD} — the strong password generated for APEX_PUBLIC_USER in prerequisite step 5.

Step 8: Assign the APEX_PUBLIC_ROUTER profile (Oracle §6.3.5)

Oracle's documented configuration for APEX_PUBLIC_ROUTER is SESSIONS_PER_USER profile assignment. First inspect the current profile and lock state:

SELECT username, account_status, profile
FROM dba_users
WHERE username = 'APEX_PUBLIC_ROUTER';

Expected output:

USERNAME              ACCOUNT_STATUS    PROFILE
--------------------- ----------------- ----------
APEX_PUBLIC_ROUTER    {STATUS}          DEFAULT

If site policy assigns a custom profile with a tuned SESSIONS_PER_USER limit, attach it now:

ALTER USER APEX_PUBLIC_ROUTER PROFILE {CUSTOM_PROFILE};

{CUSTOM_PROFILE} — the profile name your site uses for connection-pool service accounts. If you are not customizing the profile, skip this command and leave the account on DEFAULT.

Step 9: (Defensive hardening, NOT Oracle-prescribed) Set a custom password on APEX_PUBLIC_ROUTER

Warning: This step is not documented by Oracle. Oracle 24.2 §6.3.5 covers only SESSIONS_PER_USER profile assignment for APEX_PUBLIC_ROUTER — it does not document a password change for this account. The commands below are included as a defensive hardening practice to satisfy a "no installer defaults on any APEX-created account" requirement. Inspect the account first before changing it.

Inspect the account's lock state and take action accordingly:

SELECT username, account_status, lock_date
FROM dba_users
WHERE username = 'APEX_PUBLIC_ROUTER';

If ACCOUNT_STATUS is LOCKED (or EXPIRED & LOCKED), unlock it:

ALTER USER APEX_PUBLIC_ROUTER ACCOUNT UNLOCK;

Then set the custom password:

ALTER USER APEX_PUBLIC_ROUTER IDENTIFIED BY {APEX_PUBLIC_ROUTER_PWD};

Expected output:

User altered.

User altered.

{APEX_PUBLIC_ROUTER_PWD} — the strong password generated for APEX_PUBLIC_ROUTER in prerequisite step 5. Record this password if you intend to use the account interactively.

Step 10: Run apex_rest_config.sql to create APEX_LISTENER and APEX_REST_PUBLIC_USER

Oracle requires apex_rest_config.sql after a new APEX installation when ORDS is the web server. The script creates the APEX_LISTENER and APEX_REST_PUBLIC_USER accounts.

Warning: The two-positional-parameter silent form below is corroborated by oracle-base.com but is not published as a parameter signature in the Oracle 24.2 install guide. The Oracle docs confirm the script's purpose and requirement, but only the interactive form is published. If the silent form ever fails (for example, with a future patched bundle), the fallback is to run @apex_rest_config.sql with no arguments and respond to the two interactive prompts.

From the same SQL*Plus session in the target PDB:

@apex_rest_config.sql {APEX_LISTENER_PWD} {APEX_REST_PUBLIC_USER_PWD}

{APEX_LISTENER_PWD} — the strong password for APEX_LISTENER (positional parameter 1). {APEX_REST_PUBLIC_USER_PWD} — the strong password for APEX_REST_PUBLIC_USER (positional parameter 2).

Expected output:

...
PL/SQL procedure successfully completed.

User created.

User created.

PL/SQL procedure successfully completed.

If the silent form is unsupported in your environment, run the interactive form instead:

@apex_rest_config.sql

Respond to each password prompt with the corresponding strong password.

Step 11: Configure the IMAGE_PREFIX to use the Oracle CDN

Set the APEX instance to serve static resources from Oracle's public CDN. From the same SQL*Plus session in the target PDB:

BEGIN
  APEX_INSTANCE_ADMIN.SET_PARAMETER('IMAGE_PREFIX', 'https://static.oracle.com/cdn/apex/24.2.0/');
  COMMIT;
END;
/

Expected output:

PL/SQL procedure successfully completed.

Warning: The CDN URL https://static.oracle.com/cdn/apex/24.2.0/ is correct for the base 24.2.0 release. For a patched bundle (24.2.1, 24.2.2, etc.), verify the per-bundle URL on Oracle's APEX known-issues page on install day before running this command — the URL has historically changed per patch.

Step 12: Grant the network ACL for outbound SMTP

The runtime installer does not auto-configure network ACLs. The APEX engine schema needs connect privilege to the SMTP host. From the same SQL*Plus session in the target PDB:

BEGIN
  DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
    host => '{SMTP_HOST}',
    ace  => xs$ace_type(
              privilege_list => xs$name_list('connect'),
              principal_name => APEX_APPLICATION.g_flow_schema_owner,
              principal_type => xs_acl.ptype_db));
END;
/
COMMIT;

{SMTP_HOST} — the SMTP relay hostname or IP (e.g., smtp.example.com). Use a wildcard such as *.example.com only if site policy permits; otherwise scope the ACE to the exact host.

Expected output:

PL/SQL procedure successfully completed.

Commit complete.

Step 13: (Conditional) Configure the wallet for secure SMTP

Run this step only if SMTP_TLS_MODE will be Y, or if it will be STARTTLS against a private CA. Skip if SMTP_TLS_MODE = N.

From the same SQL*Plus session in the target PDB:

BEGIN
  APEX_INSTANCE_ADMIN.SET_PARAMETER('WALLET_PATH', 'file:/u01/app/oracle/wallets/apex');
  APEX_INSTANCE_ADMIN.SET_PARAMETER('WALLET_PWD',  '{WALLET_PWD}');
  COMMIT;
END;
/

{WALLET_PWD} — the wallet password set when the wallet was created (Additional setup step 3).

Expected output:

PL/SQL procedure successfully completed.

Step 14: Configure SMTP instance parameters

Set the six SMTP parameters in a single block. From the same SQL*Plus session in the target PDB:

BEGIN
  APEX_INSTANCE_ADMIN.SET_PARAMETER('SMTP_HOST_ADDRESS', '{SMTP_HOST}');
  APEX_INSTANCE_ADMIN.SET_PARAMETER('SMTP_HOST_PORT',    '{SMTP_PORT}');
  APEX_INSTANCE_ADMIN.SET_PARAMETER('SMTP_USERNAME',     '{SMTP_USERNAME}');
  APEX_INSTANCE_ADMIN.SET_PARAMETER('SMTP_PASSWORD',     '{SMTP_PASSWORD}');
  APEX_INSTANCE_ADMIN.SET_PARAMETER('SMTP_TLS_MODE',     '{SMTP_TLS_MODE}');
  APEX_INSTANCE_ADMIN.SET_PARAMETER('SMTP_FROM',         '{SMTP_FROM}');
  COMMIT;
END;
/

| Placeholder | Description | Example |
|---|---|---|
| {SMTP_HOST} | SMTP relay hostname or IP | smtp.example.com |
| {SMTP_PORT} | SMTP TCP port | 25, 465, or 587 |
| {SMTP_USERNAME} | Authenticated username for the relay | apex@example.com |
| {SMTP_PASSWORD} | Password for {SMTP_USERNAME} | (site secret) |
| {SMTP_TLS_MODE} | Encryption mode | N (unencrypted), Y (encrypted before data sent), or STARTTLS |
| {SMTP_FROM} | Default From address for outbound APEX mail | noreply@example.com |

Expected output:

PL/SQL procedure successfully completed.

Step 15: Validate the email configuration end-to-end

From the same SQL*Plus session in the target PDB:

BEGIN
  APEX_INSTANCE_ADMIN.VALIDATE_EMAIL_CONFIG;
END;
/

Expected output:

PL/SQL procedure successfully completed.

If this block raises an error (ORA-24247, ORA-29024, ORA-29278), see Troubleshooting below before proceeding.

Post-installation

Step 1: Recompile invalid objects

Connect as SYS-as-SYSDBA to CDB$ROOT (not the PDB) from a fresh SQL*Plus session and run UTLRP:

sqlplus / as sysdba
@?/rdbms/admin/utlrp.sql

Expected output:

TIMESTAMP
--------------------------------------------------------------------------------
COMP_TIMESTAMP UTLRP_BGN  ...

PL/SQL procedure successfully completed.

...

PL/SQL procedure successfully completed.

DOC>   The following query reports the number of objects that have compiled
DOC>   with errors.
...

The 24.2 runtime installer does not run UTLRP automatically. When UTLRP completes, it reports the number of objects that failed to recompile; investigate any non-zero count.

Validation

Quick check

From a SYS-as-SYSDBA session in the target PDB:

SELECT comp_name, version_full, status
FROM dba_registry
WHERE comp_id = 'APEX';

Expected output:

COMP_NAME                  VERSION_FULL     STATUS
-------------------------- ---------------- -----------
Oracle Application Express 24.2.{patch}     VALID

{patch} is the patch-level suffix of the installed APEX release (for example .0.00.16 for the base 24.2.0 release). STATUS must be VALID.

Full validation

  1. Verify the six APEX-created accounts exist with correct default tablespaces.

SELECT username, account_status, default_tablespace, temporary_tablespace
FROM dba_users
WHERE username IN ('APEX_240200','FLOWS_FILES','APEX_PUBLIC_USER',
                   'APEX_PUBLIC_ROUTER','APEX_LISTENER','APEX_REST_PUBLIC_USER')
ORDER BY username;

Expected output:

USERNAME              ACCOUNT_STATUS    DEFAULT_TABLESPACE   TEMPORARY_TABLESPACE
--------------------- ----------------- -------------------- --------------------
APEX_240200           LOCKED            APEX                 TEMP
APEX_LISTENER         OPEN              {SYSAUX_OR_USERS}    TEMP
APEX_PUBLIC_ROUTER    OPEN              {SYSAUX_OR_USERS}    TEMP
APEX_PUBLIC_USER      OPEN              {SYSAUX_OR_USERS}    TEMP
APEX_REST_PUBLIC_USER OPEN              {SYSAUX_OR_USERS}    TEMP
FLOWS_FILES           LOCKED            APEX_FILES           TEMP

APEX_240200 and FLOWS_FILES are both locked by design per Oracle's documentation — they are schema-only accounts that own APEX objects and cannot be logged into. The four "user" accounts (APEX_LISTENER, APEX_PUBLIC_ROUTER, APEX_PUBLIC_USER, APEX_REST_PUBLIC_USER) must be OPEN. The default tablespaces for those four accounts depend on installer behavior (typically SYSAUX or USERS) and are not relevant to runtime function.

  2. Verify IMAGE_PREFIX is set to the CDN URL.

SELECT APEX_INSTANCE_ADMIN.GET_PARAMETER('IMAGE_PREFIX') AS image_prefix FROM dual;

Expected output:

IMAGE_PREFIX
--------------------------------------------------
https://static.oracle.com/cdn/apex/24.2.0/

  3. Verify the SMTP instance parameters are populated.

SELECT name, value FROM apex_instance_parameters
WHERE name LIKE 'SMTP\_%' ESCAPE '\'
ORDER BY name;

Expected output:

NAME                  VALUE
--------------------- --------------------------------
SMTP_FROM             {SMTP_FROM}
SMTP_HOST_ADDRESS     {SMTP_HOST}
SMTP_HOST_PORT        {SMTP_PORT}
SMTP_TLS_MODE         {SMTP_TLS_MODE}
SMTP_USERNAME         {SMTP_USERNAME}

SMTP_PASSWORD is not exposed through apex_instance_parameters for security. Verify by attempting a real send via VALIDATE_EMAIL_CONFIG (next step).

  4. Validate the email configuration end-to-end.

BEGIN
  APEX_INSTANCE_ADMIN.VALIDATE_EMAIL_CONFIG;
END;
/

Expected output:

PL/SQL procedure successfully completed.

Any error here indicates an SMTP, ACL, or wallet problem — see Troubleshooting.

  5. Verify the network ACL for the APEX schema.

SELECT host, lower_port, upper_port, principal, privilege, is_grant
FROM dba_host_aces
WHERE principal = 'APEX_240200'
ORDER BY host;

Expected output:

HOST              LOWER_PORT UPPER_PORT PRINCIPAL    PRIVILEGE  IS_GRANT
----------------- ---------- ---------- ------------ ---------- --------
{SMTP_HOST}                              APEX_240200  connect    GRANTED

At least one row must show connect privilege for the SMTP host (or for a matching wildcard pattern).

  6. Verify the Instance Administrator account exists.

SELECT user_name, last_login_date
FROM apex_workspace_apex_users
WHERE workspace = 'INTERNAL' AND is_admin_user = 'Yes';

Expected output:

USER_NAME                LAST_LOGIN_DATE
------------------------ ---------------
{INSTANCE_ADMIN_USER}    {NULL_or_DATE}

The username must match the value entered at the apxchpwd.sql prompt. LAST_LOGIN_DATE is NULL until first interactive login (which requires ORDS — out of scope here).
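
A scripted form of the account check in Full validation (the six APEX-created accounts), as an added example rather than part of the original procedure: it reads USERNAME|ACCOUNT_STATUS|DEFAULT_TABLESPACE lines and reports every account that is missing or not in the state this instruction expects. The pipe-delimited input (for example, produced by concatenating the three columns in the dba_users query), the helper name check_apex_accounts, and the sample rows are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original instruction). check_apex_accounts is
# a hypothetical helper; the pipe-delimited input format is an assumption.

# Constructed sample with three kinds of deviation: two accounts missing,
# one account not OPEN, one schema owner in the wrong tablespace.
SAMPLE_ACCOUNTS='APEX_240200|LOCKED|APEX
APEX_PUBLIC_ROUTER|OPEN|SYSAUX
APEX_PUBLIC_USER|EXPIRED & LOCKED|SYSAUX
FLOWS_FILES|LOCKED|USERS'

# check_apex_accounts: read USERNAME|ACCOUNT_STATUS|DEFAULT_TABLESPACE lines on
# stdin, print one finding per line (sorted), return 0 only if there are none.
check_apex_accounts() {
    _findings=$(awk -F'|' '
        function trim(s) { gsub(/^[ \t\r]+|[ \t\r]+$/, "", s); return s }
        BEGIN {
            # Schema owners: locked, and in the tablespaces passed to apxrtins.sql.
            want["APEX_240200"] = "LOCKED"; tbs["APEX_240200"] = "APEX"
            want["FLOWS_FILES"] = "LOCKED"; tbs["FLOWS_FILES"] = "APEX_FILES"
            # Accounts that must be OPEN after the installation steps.
            want["APEX_PUBLIC_USER"] = "OPEN"
            want["APEX_PUBLIC_ROUTER"] = "OPEN"
            want["APEX_LISTENER"] = "OPEN"
            want["APEX_REST_PUBLIC_USER"] = "OPEN"
        }
        {
            user = trim($1); status = trim($2); ts = trim($3)
            if (!(user in want)) next        # headers, rules, unrelated accounts
            seen[user] = 1
            if (want[user] == "LOCKED") {
                # Any locked variant (LOCKED, EXPIRED & LOCKED) is acceptable here.
                if (status !~ /LOCKED/)
                    print user ": expected LOCKED, found " status
                if (ts != tbs[user])
                    print user ": default tablespace " ts ", expected " tbs[user]
            } else if (status != "OPEN") {
                print user ": expected OPEN, found " status
            }
        }
        END {
            for (u in want)
                if (!(u in seen)) print u ": account missing"
        }' | LC_ALL=C sort)
    if [ -z "$_findings" ]; then
        return 0
    fi
    printf '%s\n' "$_findings"
    return 1
}

# Demonstration on the constructed sample above.
if printf '%s\n' "$SAMPLE_ACCOUNTS" | check_apex_accounts; then
    echo "all six APEX accounts are in the expected state"
else
    echo "account state needs attention" >&2
fi
```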

Cleanup

Run these steps after the Validation section confirms the install is healthy. If Validation reveals a defect that requires re-running apxchpwd.sql, apex_rest_config.sql, or any account ALTER USER statement, leave the password verifier disabled until remediation is complete — restoring it before the install is verified can cause ORA-28003 on remediation commands.

Step 1: Restore the password verify function on the PDB default profile

Warning: Run this step inside the target PDB session, not in CDB$ROOT. The verifier was disabled in Installation Step 2; leaving it disabled defeats database password policy.

Switch back into the target PDB:

ALTER SESSION SET CONTAINER = {PDB_NAME};

Restore the original setting captured in Installation Step 2. If {ORIGINAL_VALUE} was NULL, leave it as null. If it was a function name, set it back:

ALTER PROFILE default LIMIT password_verify_function {ORIGINAL_VALUE};

Expected output:

Profile altered.

Verify:

SELECT resource_name, limit FROM dba_profiles
WHERE profile = 'DEFAULT' AND resource_name = 'PASSWORD_VERIFY_FUNCTION';

Expected output:

RESOURCE_NAME              LIMIT
-------------------------- ----------
PASSWORD_VERIFY_FUNCTION   {ORIGINAL_VALUE}

Step 2: (Optional) Revert WORKAREA_SIZE_POLICY

If site policy required WORKAREA_SIZE_POLICY = MANUAL before the install, restore it from CDB$ROOT:

ALTER SESSION SET CONTAINER = CDB$ROOT;
ALTER SYSTEM SET WORKAREA_SIZE_POLICY=MANUAL SCOPE=BOTH;

Expected output:

Session altered.

System altered.

Most Oracle 19c deployments leave the policy at AUTO permanently. Only revert if a documented site standard requires it.

Step 3: Follow-on tasks (out of scope here)

  • Configure ORDS or another web listener so APEX runtime applications are reachable from a browser.
  • Import APEX applications via SQLcl using the APEX_240200 schema or a schema granted APEX_ADMINISTRATOR_ROLE. The Application Builder is intentionally not present on a runtime install.

Troubleshooting

| Problem | Cause | Solution |
|---|---|---|
| apxrtins.sql fails with ORA-00959: tablespace '{NAME}' does not exist | Target tablespace not created in the PDB before running the script, or session is in CDB$ROOT instead of the PDB | Re-run Installation Step 1 to switch to the PDB; then re-run Installation Step 3 to create the tablespaces; then re-run apxrtins.sql |
| apxrtins.sql or apxchpwd.sql fails with ORA-28003: password verification for the specified password failed | Password verify function still active on the PDB's DEFAULT profile | Confirm Installation Step 2 was executed inside the PDB session, not in CDB$ROOT. Re-run ALTER PROFILE default LIMIT password_verify_function null; while connected to the PDB |
| VALIDATE_EMAIL_CONFIG raises ORA-24247: network access denied by access control list (ACL) | APEX engine schema lacks the connect ACE on the SMTP host (runtime install does not auto-configure this) | Re-run Installation Step 12 with the correct {SMTP_HOST}. Verify with SELECT host, principal, privilege FROM dba_host_aces WHERE principal = 'APEX_240200'; |
| VALIDATE_EMAIL_CONFIG raises ORA-29024: Certificate validation failure | SMTP_TLS_MODE is Y or STARTTLS against a private CA, but WALLET_PATH/WALLET_PWD are not set or the wallet is missing the SMTP CA chain | Re-run Additional setup step 3 to add the SMTP CA cert to the wallet; re-run Installation Step 13 to set the wallet parameters; re-run VALIDATE_EMAIL_CONFIG |
| VALIDATE_EMAIL_CONFIG raises ORA-29278: SMTP transient error: 421 Service not available | SMTP relay rejected the connection — typically wrong port, wrong TLS mode, or a relay-side block | Verify {SMTP_PORT} matches the relay's accepted port for the chosen {SMTP_TLS_MODE}; confirm the relay accepts the database host's source IP |
| apex_rest_config.sql ran but APEX_LISTENER or APEX_REST_PUBLIC_USER is still locked or missing | The script was run before apxrtins.sql finished, or run in CDB$ROOT instead of the target PDB | Re-run Installation Step 10 from a SYS-as-SYSDBA session inside the target PDB. Verify with SELECT username, account_status FROM dba_users WHERE username IN ('APEX_LISTENER','APEX_REST_PUBLIC_USER'); |
| IMAGE_PREFIX change is reflected in APEX_INSTANCE_ADMIN.GET_PARAMETER but the APEX UI still 404s on icons | End-user browser cannot reach static.oracle.com:443, or the IMAGE_PREFIX value points to a non-existent patched-bundle URL | Confirm browser-side egress to static.oracle.com:443. If using a patched APEX bundle, re-verify the per-bundle CDN URL and re-run Installation Step 11 with the corrected URL |
| apxchpwd.sql reports an Instance Administrator already exists on a fresh install | A prior apxsilentins.sql was run by mistake (silent install seeds the Instance Administrator), or APEX is already installed in CDB$ROOT and this PDB inherits it | Run SELECT comp_name, version_full FROM dba_registry WHERE comp_id='APEX'; in both CDB$ROOT and the PDB. If APEX is in CDB$ROOT, decide whether to remove with apxremov.sql or accept the common install |
| apxrtins.sql ran but dba_registry shows APEX status INVALID | UTLRP not yet run, or one or more APEX objects failed to compile | Run @?/rdbms/admin/utlrp.sql from CDB$ROOT (Post-installation Step 1). If status is still INVALID, review apxrtins.log for compile errors |
| ORA-04031 or workarea-related errors during apxrtins.sql in a CDB | WORKAREA_SIZE_POLICY not set to AUTO system-wide before the install | Run ALTER SYSTEM SET WORKAREA_SIZE_POLICY=AUTO SCOPE=BOTH; from CDB$ROOT (prerequisite step 3); re-run apxrtins.sql |
| Runtime install ran in CDB$ROOT by mistake | ALTER SESSION SET CONTAINER was not executed before apxrtins.sql | APEX is now installed common across every PDB. Either accept the common install (no per-PDB upgrade possible) or run apxremov.sql from CDB$ROOT to back out, then re-run Installation Step 1 onward inside the target PDB |
