Introduction
Single sign-on lets end users log in once and then access multiple applications without being prompted for credentials again. Authentication, the step everyone is familiar with, is here the presentation of a user ID and password. Oracle EBS single sign-on gives end users seamless authentication to the other applications in the organization.
Oracle EBS native authentication works against the FND_USER table, which stores each user ID with the encrypted password; every login is validated against this table through the FND APIs. Once authentication is handed over to Oracle Access Manager, the data kept in this table changes slightly (the password is no longer managed by EBS and the user gets a GUID that ties the account to the directory). We will come back to this later in this article.
Having said that, 12.2 does not require a separate Oracle WebLogic installation to host AccessGate, because it already ships with one that can be used for the deployment. This is a major difference from EBS 12.1, where many additional steps were needed to achieve the same. In 12.2 the procedure is much simpler, with most of it done by EBS scripts.
Single sign-on requires additional components to be installed and configured. Below are the other components required for EBS 12.2 single sign-on; the versions I used were the latest at the time of writing.
Oracle Access Manager (11.1.2.3)
Oracle Internet Directory (11.1.1.9)
Architecture
Product                       Version    Server                  OS         User
Oracle EBS Application Node   12.2.4     ebsapps01.mahesh.com    RHEL 5.5   applmgr
Oracle EBS Database Node      11.2.0.3   ebsdb01.mahesh.com      RHEL 5.5   oracle
Oracle Access Manager         11.1.2.3   oam01.mahesh.com        RHEL 5.5   apploam
Oracle Internet Directory     11.1.1.9   oam01.mahesh.com        RHEL 5.5   apploid
Oracle Database for OAM/OID   11.2.0.4   oamdb01.mahesh.com      RHEL 5.5   oracle
This article is based on the architecture above and assumes all components are installed and running. We cover only the integration of the components, as installing and configuring each of them is straightforward. Note that this is not a high-availability architecture; please follow the Oracle notes for advanced configuration and HA.
Even though I have listed versions and details, always check the Oracle certification matrix on the Oracle Support site. The references are at the end of this article.
Pre-requisites on OID
Select only Oracle Internet Directory and Oracle Directory Integration Platform; we do not need other components such as OIF or OVD. You should end up with the following configured:
Oracle Internet Directory
Oracle Directory Integration Platform
Enterprise Manager
Oracle Directory Services Manager
Installing OID is similar to other Fusion Middleware products: run RCU to create the metadata schemas before invoking the configuration tool. Once installed, OID is started and stopped with opmnctl. Oracle Directory Services Manager (ODSM) is deployed in WebLogic; once it is started, connect it to the OID instance.
Navigate to the Advanced tab and expand "Attribute Uniqueness"; the Create button adds a new constraint.
Referring to the screenshot, I filled in the following:
Attribute Uniqueness Constraint Name : UID_UNIQUE
Unique Attribute : check the box
Unique Attribute Name : uid
Unique Attribute Objectclass : inetorgperson
Unique Attribute Scope : select 'One Level' from the drop-down
Unique Attribute Subtree : cn=Users,dc=mahesh,dc=com,dc=au (browse and select the correct container for your realm)
The constraint matters because uid is the nickname attribute that EBS maps to its user name; two directory entries with the same uid would make an SSO login ambiguous.
Apply the patch for bug "THE PROVISIONING FROM OID TO APPS DOES NOT WORK IN OID 11.1.1.9 RC3". Read the README.txt and make sure all steps are followed properly:
Stop all OID services using opmnctl and stop the wls_ods1 managed server.
Make sure the logs contain no errors before proceeding further.
Do not skip the post-installation steps in the README.txt, which redeploy the DIPAPPS application.
We assume the Oracle Access Manager installation is complete; it is similar to the OID installation. Create the repository with RCU version 11.1.1.9 (do not look for an OAM-specific RCU). Select only "Oracle Mobile Security Manager"; its dependencies are selected automatically. Accordingly, when configuring OAM with config.sh, select "Oracle Access Management and Mobile Security Suite".
Refer to the document below and apply the required patches:
OAM Bundle Patch Release History (Doc ID 736372.1)
Make sure all patches are applied; these are the steps I did for OAM:
Download the latest OPatch (bug number 6880880).
Stop the Admin server and managed servers.
Download and apply the latest bundle patch, at the time of writing p21869176_111230_Generic.zip (11.1.2.3.3 (BP03) Access Server).
Start the Admin server and managed servers.
Register EBS with OID
We register EBS with OID so that user authentication goes through single sign-on and so that provisioning synchronizes users between EBS and OID, depending on what we require.
We pass one of the values below to the command to have provisioning done; check your requirement before choosing:
1. Bidirectional
2. Instance to OID Server
3. OID Server to Instance
4. Bidirectional no creation
1 is the default if the parameter is not provided, and it is what I use in this article.
Oracle recommends doing this on the patch file system so that the changes do not affect the running system until a cutover makes them effective.
Hence, source the patch environment and make sure the "prepare" phase is active before starting the registration.
Check the status using adop to see whether a "prepare" phase is already active.
End of /appl_base/fs1/EBSapps/appl/fnd/12.0.0/patch/115/bin/txkSetSSOReg.pl : No Errors encountered
[applmgr@ebsapps01 ~]$
Note: do not be confused by the prompt for the LDAP server name; it is the same OID server, but in my setup oam01.mahesh.com hosts both OAM and OID. Enter your OID server name and port correctly when prompted, and make sure the server name resolves from the EBS application server (add it to the hosts file if needed).
Run the scripts below from the patch edition, connecting to the database from the patch edition of the application.
SQL>
Now the profile values below are updated with the values provided.
This profile option decides whether the Oracle EBS instance should link a newly created user to an existing OID account with the same name.
This is required when EBS is integrated with Oracle single sign-on: the user is redirected to the SSO server login page and authenticated against the LDAP server.
Activate it in the application by doing the cutover: run AutoConfig and perform the cutover.
Make sure the OID server name is in the invited nodes list of sqlnet.ora (put the entry in sqlnet_ifile.ora so AutoConfig does not overwrite it); otherwise the OID server will not be whitelisted after AutoConfig runs and its connections to the EBS database will be rejected.
Install Webgate
Below are the steps for the WebGate setup in EBS 12.2:
Download Oracle Access Manager OHS 11g WebGates 11.1.2.2.0 from Patch 18057397.
Unzip it to /home/applmgr/oam_webgate (any location will do; adjust the path accordingly).
You can install it on either the run or the patch file system, depending on whether a patching cycle is already in progress; check the status before proceeding.
[applmgr@ebsapps01 ~]$ adop -status
Enter the APPS password:
==============================================================
ADOP (C.Delta.6)
Session Id: 7
Command: status
Output: /appl_base/fs_ne/EBSapps/log/status_20150921_042545/adzdshowstatus.out
===============================================================
I did it on the run file system, after completing the cutover session to move the pending changes, so the changes went directly to the run file system. Either way works; if you do it on the patch file system the cutover brings in the changes like any other patch.
End of /appl_base/fs2/EBSapps/appl/fnd/12.0.0/patch/115/bin/txkSetOAMReg.pl : No Errors encountered
[applmgr@ebsapps01 oam_webgate]$
Make sure there are no errors in the log file; fix any errors before proceeding further.
At this stage I recommend running fs_clone to synchronize the installation to the patch file system. This ensures the changes exist on both file systems, so that if you later apply other changes and do a cutover you will not lose anything. You may have noticed that these steps are much easier than the setup we used to do in previous releases of EBS.
We have now completed all the prerequisites to start the integration of EBS with OAM.
Deploy Oracle E-Business Suite AccessGate
AccessGate is a J2EE application that needs to be deployed in a WebLogic server. Oracle Access Manager protects this resource and challenges the user for ID and password. Run the command below from the EBS application node again, on either the run or the patch file system. Since I am already on the run file system, I continue there.
Prior to EBS 12.2 we had to install a separate WebLogic server to deploy AccessGate, but with 12.2 we can use the WebLogic that ships with EBS and create a managed server for it. Be careful with the naming convention and the port: the server name must follow the oaea_server(n) pattern to match the service being created, and the port must be free for the server to start.
SSOServerURL is the OAM server URL, given below with my OAM host and port. You can find the port in the WebLogic administration console of the OAM domain.
perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources \
-contextfile=$CONTEXT_FILE \
-deployApps=accessgate \
-SSOServerURL=http://oam01.mahesh.com:14100 \
-managedsrvname=oaea_server3 \
-managedsrvport=6803 \
-logfile=/home/applmgr/log/deployeag.log
Check the log file given in the logfile parameter. For me, /home/applmgr/log/deployeag.log had no errors, so I proceeded. Do not proceed if you see errors: this is the step that creates the managed server on the EBS WebLogic server, deploys the accessgate application and creates its data source.
You can see all the details in the WebLogic administration console of EBS.
Along with the managed servers that come with EBS by default, there is a new server on the port given in the command above. Verify that you can start it.
Under Deployments you can see the accessgate application targeted to the new managed server.
A new data source has also been created as requested by the command. Navigate to the data source, then Monitoring, then Testing, and click "Test Data Source" to confirm the connectivity works.
Since I used a dedicated managed server and port for AccessGate, I have to run the script below to add the new managed server to the OHS configuration files mod_wl_ohs.conf and apps.conf.
As mentioned before, source the environment for the file system where you are making the changes, taking into account any patching cycle already in progress. Below are the values I passed at the prompts; it is easy to see what has to be given.
[applmgr@ebsapps01 ~]$ txkrun.pl -script=SetOAMReg -registeroam=yes
*** ALL THE FOLLOWING FILES ARE REQUIRED FOR RESOLVING RUNTIME ERRORS
*** Log File =
/appl_inst/fs2/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/txkSetOAMReg_Mon_Sep_21_07
_43_10_2015.log
Enter OAM Console URL (for ex: http://myoam.us.oracle.com:7001):
http://oam01.mahesh.com:7001
Enter OAM console user name (for ex: weblogic):
ERROR processing <arg> oamUserName: Argument value cannot be an empty string
Enter OAM console user name (for ex: weblogic): weblogic
Enter OAM console password:
Enter LDAP URL (for ex: ldap://myoid.us.oracle.com:3060):
ldap://oam01.mahesh.com:3060
Enter OID console user name (for ex: cn=orcladmin): cn=orcladmin
Enter OID console password:
Enter LDAP Search Base: cn=Users, dc=mahesh,dc=com,dc=au
Enter LDAP Group Search Base: cn=Groups, dc=mahesh,dc=com,dc=au
Enter APPS password:
######################################################################
oamHost = http://oam01.mahesh.com:7001
oamApplicationDomain = VIS_ebsapps01.mahesh.com_8000
oamHostIdentifier = VIS_ebsapps01.mahesh.com_8000
contextFile = /appl_inst/fs2/inst/apps/VIS_ebsapps01/appl/admin/VIS_ebsapps01.xml
webGateInternal = Yes
ebsProfileLevel = Site
webGateUrl = http://ebsapps01.mahesh.com:8000
contextRoot = accessgate
logoutUrl = /accessgate/logout
authScheme = EBSAuthScheme
authModule = LDAP_EBS
ldapName = OIDIdentityStore
ldapUrl = ldap://oam01.mahesh.com:3060
Validation: Success
Installing WebGate...
Copying
/appl_inst/fs2/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/oam/temp/oam.properties file
to /appl_inst/fs2/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/oam location
Template:
/appl_base/fs2/EBSapps/appl/fnd/12.0.0/admin/template/oracle_apache_conf_FMW.tmp
End of /appl_base/fs2/EBSapps/appl/fnd/12.0.0/patch/115/bin/txkSetOAMReg.pl : No
Errors encountered
[applmgr@ebsapps01 ~]$
What this does is basically register EBS with Oracle Access Manager, but it also takes care of a few things we used to do manually in prior releases, for example:
Create the identity store named OIDIdentityStore if it does not already exist.
Now the single sign-on setup is complete, but many organizations will not have an existing OID that already holds all their users, so we may have to populate the users into OID as well. Only then can AccessGate map directory users to EBS users and create a session for them. Authorization stays in EBS, so we only need to address synchronizing user information to OID. The synchronization creates users in OID from EBS; OID assigns a GUID and the EBS table is updated with it. This GUID is the link between EBS and OAM.
For security reasons, local users and standard administrative accounts such as SYSADMIN should never be configured for single sign-on; keeping them local preserves a way to administer EBS when OAM or OID is unavailable. The figure shows the profile for SYSADMIN set to Local, so AppsLocalLogin.jsp can be used to log in without going through OAM. We will copy the users to OID using the EBS user export tool to sync EBS and OID. New users will be provisioned automatically, since we have already registered with bidirectional synchronization.
The utility AppsUserExport exports a selected set of application accounts from the EBS user directory (FND_USER) into an intermediate file, which is copied to the OID server and converted with ldifmigrator into an LDIF file that can be loaded into OID.
The process below can vary based on your requirements; refer to the Oracle notes listed at the end of this article for more information.
As the figure shows, we create an intermediate file with the EBS utility, copy it to the OID server, convert it to the final LDIF file and import it into OID.
The screenshot shows a sample user who is a candidate for migration to OID; note that USER_GUID is null. From the statements above, the GUID is the main link between OID and EBS, so we should see a value here. Which process updates it?
Let us prepare the intermediate file with the command below on the EBS application server.
[applmgr@ebsapps01 user_export]$ java oracle.apps.fnd.oid.AppsUserExport -v -dbc
$FND_SECURE/VIS.dbc -o VIS_Users.txt -pwd apps -g -l VIS_Users.log
User Export to VIS_Users.txt started..
User Export completed successfully. For further details please refer to log file at: VIS_Users.log
[applmgr@ebsapps01 user_export]$
Now you know which process updates the GUID column during bulk migration: the -g flag of AppsUserExport assigns the GUID as it exports the user. Note also that -pwd puts the APPS password on the command line, where it is visible in the process list and in the shell history; run it from a controlled session and clear the history afterwards.
The screenshot of the user definition screen shows the password area greyed out; you can guess why: once the user has a GUID, the password is managed in the directory, not in EBS.
Copy the intermediate file to the OID server and convert it to a format that can be loaded into OID. Run the command below on the OID server.
[apploid@oam01 user_import]$ ldifmigrator "input_file=VIS_Users.txt"
"output_file=VIS_Users.txt.ldif" "s_UserContainerDN=cn=Users,
dc=mahesh,dc=com,dc=au" "s_UserNicknameAttribute=uid"
INFO: [Thu Oct 01 10:24:27 AEST 2015] Migration of LDIF data to OID starts
INFO: [Thu Oct 01 10:24:28 AEST 2015] Input file : /home/apploid/user_import/VIS_Users.txt
INFO: [Thu Oct 01 10:24:28 AEST 2015] Output file :
/home/apploid/user_import/VIS_Users.txt.ldif
INFO: [Thu Oct 01 10:24:28 AEST 2015] Substitution Variables
s_UserContainerDN : cn=Users, dc=mahesh,dc=com,dc=au
s_UserNicknameAttribute : uid
INFO: [Thu Oct 01 10:24:29 AEST 2015] Migration of LDIF data completed. All the entries are
successfully migrated
Migration of LDIF data completed. All the entries are successfully migrated
[apploid@oam01 user_import]$
Now we have the final file ready to be loaded into OID. Before loading, disable the provisioning profile that synchronizes from OID to EBS, so that the bulk-loaded entries are not pushed back to EBS as changes:
oidprovtool operation=disable \
ldap_host=oam01.mahesh.com \
ldap_port=3060 \
ldap_user_dn=cn=orcladmin \
application_dn="orclApplicationCommonName=VIS,cn=EBusiness,cn=Products,cn=OracleContext,dc=mahesh,dc=com,dc=au" \
profile_mode=BOTH
Verify with the command below (check=true) that the file has no bad records. Remove any bad entries manually and re-run until the file is clean.
[apploid@oam01 user_import]$
/u01/oid/Oracle/Middleware/Oracle_IDM1/ldap/bin/bulkload connect=OIDDB
check=true generate=true file=VIS_Users.txt.ldif
------------------------------------------------------------
"oiddb"...
------------------------------------------------------------
This tool can only be executed if you know database user password for OID
Enter OID Password ::
[apploid@oam01 user_import]$
/u01/oid/Oracle/Middleware/Oracle_IDM1/ldap/bin/bulkload connect=OIDDB
check=true generate=true file=VIS_Users.txt.ldif
------------------------------------------------------------
"oiddb"...
------------------------------------------------------------
This tool can only be executed if you know database user password for OID
Enter OID Password ::
...Setting OID server mode to read-modify on "oiddb" node...
------------------------------------------------------------
Checking and Generating Internet Directory data for bulk loading
------------------------------------------------------------
------------------------------------------------------------
Found Schema-Check errors, bad entries are logged in
/u01/oid/Oracle/Middleware/asinst_1//OID/load/badentry.ldif
------------------------------------------------------------
------------------------------------------------------------
For more details, see bulkload.log
------------------------------------------------------------
[apploid@oam01 user_import]$
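The bulkload schema check above points you at badentry.ldif, but it is a slow loop when the file is large, and it says nothing about two things the earlier steps care about: uids that collide with the UID_UNIQUE constraint we created in ODSM, and privileged accounts such as SYSADMIN that must stay local and should never reach the directory. The script below is an added example, not part of the article or of any Oracle tool: it parses the ldifmigrator output with a minimal LDIF reader and reports entries that are outside the user container, lack inetorgperson or a required attribute, duplicate a uid, or belong to an account that should stay local. The sample LDIF is constructed for the example; the attribute names and the KEEP_LOCAL set are assumptions to adapt to your realm.

```python
"""Added pre-check for the LDIF produced by ldifmigrator, run before bulkload.
Not part of the original article or of any Oracle tool."""
import base64
import re
from collections import Counter, defaultdict

CONTAINER_DN = "cn=Users,dc=mahesh,dc=com,dc=au"   # s_UserContainerDN from the article
KEEP_LOCAL = {"SYSADMIN", "GUEST"}                  # assumption: accounts that must never be SSO-enabled
REQUIRED_ATTRS = ("cn", "sn", "uid")                # MUST attributes of inetorgperson plus the nickname attribute
REQUIRED_CLASS = "inetorgperson"                    # the object class the UID_UNIQUE constraint is scoped to

# Constructed sample in the shape of an ldifmigrator output file (not taken from the article).
SAMPLE_LDIF = """\
dn: cn=OPERATIONS,cn=Users,dc=mahesh,dc=com,dc=au
objectclass: inetorgperson
objectclass: orcluser
cn: OPERATIONS
uid: OPERATIONS
sn: OPERATIONS

dn: cn=SYSADMIN,cn=Users,dc=mahesh,dc=com,dc=au
objectclass: inetorgperson
cn: SYSADMIN
uid: SYSADMIN
sn: SYSADMIN

dn: cn=jdoe,cn=Users,dc=mahesh,dc=com,dc=au
objectclass: inetorgperson
cn: jdoe
uid: JDOE
sn: Doe

dn: cn=jdoe2,cn=Users,dc=mahesh,dc=com,dc=au
objectclass: inetorgperson
cn: jdoe2
uid: jdoe
sn: Doe

dn: cn=nosn,ou=Staff,dc=mahesh,dc=com,dc=au
objectclass: inetorgperson
cn: nosn
uid: nosn
"""


def parse_ldif(text):
    """Minimal LDIF reader: folded lines, '::' base64 values and '#' comments are handled.
    Returns a list of (dn, {attribute_lowercase: [values]})."""
    entries = []
    unfolded = re.sub(r"\n ", "", text)            # a line starting with one space continues the previous line
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError("malformed LDIF line: %r" % line)
            if value.startswith(":"):               # "attr:: base64value"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs[name.lower()].append(value)
        if dn is None:
            raise ValueError("entry without dn: %r" % block[:60])
        entries.append((dn, dict(attrs)))
    return entries


def _norm_dn(dn):
    return dn.replace(", ", ",").lower()


def check_ldif(text, container_dn=CONTAINER_DN, keep_local=KEEP_LOCAL):
    """Return (dn, problem) pairs for entries that should be fixed or dropped before bulkload."""
    entries = parse_ldif(text)
    # uid is matched case-insensitively in LDAP, so count duplicates on the lowercased value
    uid_count = Counter(u.lower() for _, a in entries for u in a.get("uid", []))
    suffix = "," + _norm_dn(container_dn)
    problems = []
    for dn, attrs in entries:
        if not _norm_dn(dn).endswith(suffix):
            problems.append((dn, "outside user container %s" % container_dn))
        if REQUIRED_CLASS not in {c.lower() for c in attrs.get("objectclass", [])}:
            problems.append((dn, "missing objectclass %s" % REQUIRED_CLASS))
        for attr in REQUIRED_ATTRS:
            if not attrs.get(attr):
                problems.append((dn, "missing required attribute %s" % attr))
        for uid in attrs.get("uid", []):
            if uid_count[uid.lower()] > 1:
                problems.append((dn, "duplicate uid %r (would violate UID_UNIQUE)" % uid))
            if uid.upper() in keep_local:
                problems.append((dn, "privileged account %s must stay local; drop it" % uid))
    return problems


if __name__ == "__main__":
    for dn, problem in check_ldif(SAMPLE_LDIF):
        print("%-50s %s" % (dn, problem))
```

Point it at VIS_Users.txt.ldif on the OID server (read the file and pass its text to check_ldif) and fix or delete every reported entry before the bulkload check; the duplicate-uid check is worth keeping even after the load, since bulkload writes directly to the database and does not go through the server-side uniqueness constraint.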
After fixing the bad records, try again; you should get a message like the one below.
[apploid@oam01 user_import]$
/u01/oid/Oracle/Middleware/Oracle_IDM1/ldap/bin/bulkload connect=OIDDB
check=true generate=true file=VIS_Users.txt.ldif
------------------------------------------------------------
"oiddb"...
------------------------------------------------------------
This tool can only be executed if you know database user password for OID
Enter OID Password ::
------------------------------------------------------------
Checking and Generating Internet Directory data for bulk loading
------------------------------------------------------------
------------------------------------------------------------
Data generated successfully
------------------------------------------------------------
[apploid@oam01 user_import]$
Now load the data by replacing check=true with load=true, as below.
[apploid@oam01 user_import]$
/u01/oid/Oracle/Middleware/Oracle_IDM1/ldap/bin/bulkload connect=OIDDB
load=true generate=true file=VIS_Users.txt.ldif
------------------------------------------------------------
"oiddb"...
------------------------------------------------------------
This tool can only be executed if you know database user password for OID
Enter OID Password ::
------------------------------------------------------------
Generating Internet Directory data for bulk loading
------------------------------------------------------------
------------------------------------------------------------
Data generated successfully
------------------------------------------------------------
------------------------------------------------------------
Loading data on "oiddb"
------------------------------------------------------------
attr_store002...
battr_store001...
objectclass001...
..
….
uid...
uidnumber...
uniquemember...
vdeprimaryref...
vpimmail...
x509issuer...
------------------------------------------------------------
Data loaded successfully
------------------------------------------------------------
------------------------------------------------------------
Verifying indexes ...
------------------------------------------------------------
------------------------------------------------------------
Following tables do not have all indexes
------------------------------------------------------------
CT_ORCLOPENLDAPENTRYUUID
CT_ORCLNDSOBJECTGUID
CT_ORCLODIPCONDIRTYPE
CT_ORCLFEDSERVERID
CT_ORCLFEDNAMENEWFORMAT
CT_ORCLFEDNAMEOLDFORMAT
CT_ORCLFEDOWNERGUID
CT_ORCLSOURCEMODIFYTIMESTAMP
CT_ORCLFEDNAMESPQUALIFIER
CT_ORCLSOURCECREATETIMESTAMP
CT_ORCLODIPPROFILEEXECGROUPID
CT_ORCLFEDFEDERATIONTYPE
------------------------------------------------------------
Generating Database Statistics ...
------------------------------------------------------------
...Setting OID server mode to read-write on "oiddb" node...
[apploid@oam01 user_import]$
Now open the EBS URL; you should be redirected to the OAM login page. Log in with your user ID and password and you will get the EBS landing page.
Also confirm that SYSADMIN can still log in through AppsLocalLogin.jsp, so that you keep an administrative path that does not depend on OAM.
Known Issues
Below are some issues I encountered.
One message you will see is "Stop and restart the 'oam_server1' Managed server to pick up this change." Do not ignore it: restart oam_server1 before testing the login.
After completing the integration of OAM with EBS 12.2, I had to run fs_clone to synchronize both file systems with the changes made for single sign-on. Follow the document "Integrating Oracle E-Business Suite Release 12.2 with Oracle Access Manager 11gR2 (11.1.2) using Oracle E-Business Suite AccessGate (Doc ID 1576425.1)" to complete the steps. If you follow it without missing anything you will not hit the issue below, but I am posting it to give an idea of how to check.
I ran the command below to start the phase:
adop phase=fs_clone allnodes=no force=yes (check the syntax for multi-node)
The log file written during the validations showed the exact reason for the failure.
It was clear from the log that port 6803 was causing the issue; it is the port used by the new managed server created for AccessGate, and it was still in use on the run file system.
Solution: stop the oaea managed server on the run file system before performing the fs_clone operation, immediately after the AccessGate deployment.
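A quick pre-flight for exactly this failure, as an added example (not part of the article or of adop): it checks whether anything is still accepting connections on the AccessGate managed server port and names the servers you must stop before running fs_clone. The server name and port are the ones from the deployment command above; the self_check function opens a throwaway listener on a free port so the logic can be exercised on any machine.

```python
"""Added pre-flight check before adop phase=fs_clone: is the AccessGate managed server still listening?
Not part of the original article or of adop itself."""
import socket

# Assumption: the managed server and port from the article; add the others from your context file.
MANAGED_SERVER_PORTS = {"oaea_server3": 6803}


def port_in_use(port, host="127.0.0.1", timeout=1.0):
    """True if something accepts TCP connections on host:port, i.e. a server is still up there."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # connection refused, timeout, unreachable
        return False


def fs_clone_blockers(servers=MANAGED_SERVER_PORTS, host="127.0.0.1"):
    """Names of the managed servers whose port is still open; stop these before running fs_clone."""
    return sorted(name for name, port in servers.items() if port_in_use(port, host))


def self_check():
    """Stand-alone demonstration: a throwaway listener is reported as a blocker until it is closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))     # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        while_up = fs_clone_blockers({"oaea_demo": port})
    finally:
        listener.close()
    after_close = fs_clone_blockers({"oaea_demo": port})
    return while_up, after_close


if __name__ == "__main__":
    blockers = fs_clone_blockers()
    if blockers:
        raise SystemExit("stop these managed servers before fs_clone: %s" % ", ".join(blockers))
    print("no AccessGate managed server is listening; fs_clone can proceed")
```

Run it on the application node as applmgr just before adop phase=fs_clone; a non-zero exit with the server name tells you what to stop through the WebLogic console first.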
References
Integrating Oracle E-Business Suite Release 12.2 with Oracle Access Manager 11gR2 (11.1.2) using Oracle E-Business Suite AccessGate (Doc ID 1576425.1)
Integrating Oracle E-Business Suite Release 12.2 with Oracle Internet Directory 11gR1 (Doc ID 1371932.1)
https://docs.oracle.com/cd/E26401_01/doc.122/e22952/T156458T580814.htm