
Oracle EBS 12.2 Single Sign On With Access Manager

Introduction

Single sign-on (SSO) lets an end user authenticate once and then reach multiple applications without being prompted for credentials again. In this article, authentication means the familiar check of a user ID and password. With single sign-on, Oracle EBS users get seamless authentication to the other applications in the organization that sit behind the same access management layer.

Native Oracle EBS authentication works against the FND_USER table, which stores the user ID and the encrypted or hashed password; every login is verified against that table through the FND APIs. Once authentication is handed over to Oracle Access Manager, the data in that table changes slightly (the USER_GUID column is populated and the local password is no longer what authenticates the user). We will come back to this later in the article.
EBS 12.2 does not require a separate Oracle WebLogic Server installation to host the AccessGate, because 12.2 already ships with WebLogic and the AccessGate can be deployed into it. This is a major difference from EBS 12.1, where many additional steps were needed to achieve the same result; for 12.2 the procedure is much simpler and most of it is done with EBS-supplied scripts.
Single sign-on still requires additional components to be installed and configured. The following components were used for EBS 12.2 single sign-on in this article and were the latest versions at the time of writing:
Oracle Access Manager (11.1.2.3)
Oracle Internet Directory (11.1.1.9)

Architecture

Product                       Version   Server (OS)                       User
----------------------------  --------  --------------------------------  -------
Oracle EBS Application Node   12.2.4    ebsapps01.mahesh.com (RHEL 5.5)   applmgr
Oracle EBS Database Node      11.2.0.3  ebsdb01.mahesh.com (RHEL 5.5)     oracle
Oracle Access Manager         11.1.2.3  oam01.mahesh.com (RHEL 5.5)       apploam
Oracle Internet Directory     11.1.1.9  oam01.mahesh.com (RHEL 5.5)       apploid
Oracle Database for OAM/OID   11.2.0.4  oamdb01.mahesh.com (RHEL 5.5)     oracle

This article is based on the architecture above and assumes that all components are already installed and running. It covers only the integration of the components, since installing and configuring each of them on its own is straightforward. Note that this is not a high-availability architecture; for HA and other advanced configurations, follow the Oracle notes.
Even though versions and details are given here, always check the Oracle certification matrix on the Oracle support site before choosing versions. The references are listed at the end of this article.

Pre-requisites on OID

Select only Oracle Internet Directory and Oracle Directory Integration Platform when configuring the domain; other components such as OIF and OVD are not needed. You should end up with the following configured:
- Oracle Internet Directory
- Oracle Directory Integration Platform
- Enterprise Manager
- Oracle Directory Services Manager

Installing OID is similar to installing other Fusion Middleware products: run RCU to create the metadata schemas before invoking the configuration tool. Once installed, OID is started and stopped with opmnctl. Oracle Directory Services Manager (ODSM) is deployed in WebLogic; once it is started, connect it to the OID instance.

In ODSM, navigate to the Advanced tab and expand "Attribute Uniqueness"; the Create button there adds a new constraint. Create the constraint with the following values (the subtree must be the user container of your own realm, which you can browse for and select):
Attribute Uniqueness Constraint Name : UID_UNIQUE
Unique Attribute                     : checked
Unique Attribute Name                : uid
Unique Attribute Objectclass         : inetorgperson
Unique Attribute Scope               : One Level
Unique Attribute Subtree             : cn=Users, dc=mahesh,dc=com,dc=au

With this constraint in place the directory refuses a second inetorgperson entry with the same uid under the user container, so a given uid always resolves to exactly one directory entry.

Apply Patch 20742077 on OID

This patch fixes the bug "THE PROVISIONING FROM OID TO APPS DOES NOT WORK IN OID 11.1.1.9 RC3". Read the README.txt and make sure every step is followed.
Stop all OID services with opmnctl, and stop the wls_ods1 managed server, before applying the patch.

[apploid@oam01 20742077]$ export ORACLE_HOME=/u01/oid/Oracle/Middleware/Oracle_IDM1
[apploid@oam01 20742077]$ export PATH=/u01/oid/Oracle/Middleware/Oracle_IDM1/OPatch:$PATH
[apploid@oam01 20742077]$ opatch apply
Oracle Interim Patch Installer version 11.1.0.11.0
..
..
OPatch succeeded.
[apploid@oam01 20742077]$

Make sure the OPatch logs do not report any errors before proceeding.

Do not skip the post-installation steps in the README.txt, which require redeploying the DIPAPPS application.

Configure OID to return operational attributes

Execute the following on the OID server, logged in as apploid. Create a file change_attrs.ldif with the contents below. It adds cn=orcladmin to the orclallattrstodn attribute of the DSA configuration entry, so that OID returns all attributes, including operational attributes such as orclguid, to searches made with that bind DN; the EBS registration and provisioning steps later in this article rely on reading those attributes.

[apploid@oam01 ~]$ cat change_attrs.ldif
dn: cn=dsaconfig, cn=configsets,cn=oracle internet directory
changetype: modify
add: orclallattrstodn
orclallattrstodn: cn=orcladmin
[apploid@oam01 ~]$ ldapmodify -h oam01.mahesh.com -p 3060 -D cn=orcladmin -w welcome123 -v -f change_attrs.ldif
add orclallattrstodn:
cn=orcladmin
modifying entry cn=dsaconfig, cn=configsets,cn=oracle internet directory
modify complete
[apploid@oam01 ~]$

The values used in the command are:
LDAP Server: oam01.mahesh.com
LDAP port: 3060
User ID: orcladmin
Password: welcome123

Note that passing the orcladmin password with -w writes it into the shell history and shows it to every user on the host in the process list while the command runs; on a shared server, prefer a method that keeps the clear-text password off the command line. The command adds the attribute to the dsaconfig entry, which you can confirm by reading the entry back with ldapsearch.

Apply latest patches on Oracle Access Manager

This assumes the Oracle Access Manager installation is complete; it is similar to the OID installation. Create the repository with RCU 11.1.1.9 (there is no separate OAM-specific RCU, so do not look for one). In RCU select only "Oracle Mobile Security Manager"; its dependencies are selected automatically. Accordingly, when configuring OAM with config.sh, select "Oracle Access Management and Mobile Security Suite".
Refer to the following document and apply the required patches:
OAM Bundle Patch Release History (Doc ID 736372.1)
Make sure all patches are applied. The steps I followed for OAM were:
- Download the latest OPatch using patch number 6880880.
- Stop the Admin Server and Managed Servers.
- Download and apply the latest bundle patch, currently p21869176_111230_Generic.zip (11.1.2.3.3 (BP03) Access Server).
- Start the Admin Server and Managed Servers.
Register EBS with OID

EBS must be registered with OID so that users can be authenticated through single sign-on and so that provisioning can synchronize users between EBS and OID, in whichever direction is required.
The provisioning type is passed to the registration command; check your requirements before choosing a value:

1. Bidirectional
2. Instance to OID Server
3. OID Server to Instance
4. Bidirectional no creation

Type 1 is the default when the parameter is omitted, and it is the one used in this article.

Oracle recommends running the registration on the patch file system, so that the changes do not affect the running system until a cutover makes them effective.

Hence, source the patch environment and have a patching cycle in the "prepare" phase before starting the registration.

From the EBS application node, source the patch file system and check the current edition with the variable $FILE_EDITION:

[applmgr@ebsapps01 ~]$ . /appl_base/EBSapps.env patch

  E-Business Suite Environment Information
  ----------------------------------------
  RUN File System           : /appl_base/fs2/EBSapps/appl
  PATCH File System         : /appl_base/fs1/EBSapps/appl
  Non-Editioned File System : /appl_base/fs_ne

  DB Host: ebsdb01.mahesh.com  Service/SID: VIS

  Sourcing the PATCH File System ...

[applmgr@ebsapps01 ~]$ echo $FILE_EDITION
patch

Check with adop whether a "prepare" phase is already active:

[applmgr@ebsapps01 ~]$ adop -status

Otherwise start the prepare phase:

[applmgr@ebsapps01 ~]$ adop phase=prepare

Execute the following to register EBS with OID:

[applmgr@ebsapps01 ~]$ $FND_TOP/bin/txkrun.pl -script=SetSSOReg -registeroid=yes -provisiontype=1

You are registering this instance with OID Server.

Enter LDAP Host name? oam01.mahesh.com
Enter the LDAP Port on Oracle Internet Directory server? 3060
Enter the Oracle Internet Directory Administrator (orcladmin) Bind password?
Enter the instance password that you would like to register this application instance with?
Enter Oracle E-Business apps database user password?
*** Log File = /appl_inst/fs1/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/txkSetSSOReg_Wed_Sep_30_02_59_38_2015.xml

Beginning input parameter validation for OID registration.
Input parameters validation for OID registration completed.

BEGIN OID REGISTRATION:

Beginning to register Application and Service containers if necessary.
Application and Service containers were created successfully if necessary.
Beginning to register application in Oracle Internet Directory.
Registration of application in Oracle Internet Directory completed successfully.
[info] -> LOADING: /appl_base/fs1/EBSapps/appl/fnd/12.0.0/admin/template/AppsOIDRegistration.tmp
Sep 30, 2015 3:01:21 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /appl_base/fs1/EBSapps/appl/fnd/12.0.0/admin/template/AppsOIDRegistration.tmp
Beginning to register provisioning profile in Oracle Internet Directory.
Registration of provisioning profile in Oracle Internet Directory completed successfully.
Application is now registered successfully with provisioning in Oracle Internet Directory.

End of /appl_base/fs1/EBSapps/appl/fnd/12.0.0/patch/115/bin/txkSetSSOReg.pl : No Errors encountered
[applmgr@ebsapps01 ~]$

Make sure this step completes without any errors.

Note: do not be confused by the LDAP server name. OAM and OID are both hosted on oam01.mahesh.com in this setup, so the OID server name happens to be the OAM host. Use your own OID server name and port when prompted, and make sure the name resolves from the EBS application server (add it to the hosts file there if DNS does not resolve it).

Update the profile values

Run the following from the patch edition, connecting to the database from the patch edition of the application. FND_PROFILE.SAVE only writes the value; the COMMIT must follow a successful save, so it belongs in the success branch of each block.

SQL> set serveroutput on
SQL> DECLARE
  stat BOOLEAN;
BEGIN
  stat := FND_PROFILE.SAVE('APPS_SSO_OID_IDENTITY', 'Y', 'SITE');
  IF stat THEN
    COMMIT;
    dbms_output.put_line('Profile APPS_SSO_OID_IDENTITY updated with Enabled');
  ELSE
    dbms_output.put_line('Profile APPS_SSO_OID_IDENTITY could NOT be updated with Enabled');
  END IF;
END;
/
Profile APPS_SSO_OID_IDENTITY updated with Enabled

PL/SQL procedure successfully completed.

SQL> set serveroutput on
SQL> DECLARE
  stat BOOLEAN;
BEGIN
  stat := FND_PROFILE.SAVE('APPS_SSO_LINK_SAME_NAMES', 'Y', 'SITE');
  IF stat THEN
    COMMIT;
    dbms_output.put_line('Profile APPS_SSO_LINK_SAME_NAMES updated with Enabled');
  ELSE
    dbms_output.put_line('Profile APPS_SSO_LINK_SAME_NAMES could NOT be updated with Enabled');
  END IF;
END;
/
Profile APPS_SSO_LINK_SAME_NAMES updated with Enabled

PL/SQL procedure successfully completed.

SQL> set serveroutput on
SQL> DECLARE
  stat BOOLEAN;
BEGIN
  stat := FND_PROFILE.SAVE('APPS_SSO', 'SSWA_SSO', 'SITE');
  IF stat THEN
    COMMIT;
    dbms_output.put_line('Profile APPS_SSO updated with SSWA_SSO');
  ELSE
    dbms_output.put_line('Profile APPS_SSO could NOT be updated with SSWA_SSO');
  END IF;
END;
/
Profile APPS_SSO updated with SSWA_SSO

PL/SQL procedure successfully completed.

SQL>

The profile options now carry the following values:

Applications SSO Enable OID Identity Add Event (APPS_SSO_OID_IDENTITY) = ENABLED

When enabled, users created in OID are automatically created in EBS and subscribed to the EBS instance.

Applications SSO Link Same Names (APPS_SSO_LINK_SAME_NAMES) = ENABLED

This profile option decides whether the EBS instance links an account that has no GUID yet to an existing OID account with the same name. Linking by name means that whoever can create an entry with a given uid in the user container decides which OID identity an unlinked EBS account of that name gets tied to, so restrict who can create entries there and keep privileged accounts such as SYSADMIN local (see the note in the migration section).

Applications SSO Type (APPS_SSO) = SSWA w/SSO

This is required when EBS is integrated with Oracle single sign-on: the user is redirected to the SSO server login page and authenticated against the LDAP server.

Activate the changes in the running system by running AutoConfig and performing the cutover.

Make sure the OID server is included in the invited nodes (tcp.invited_nodes) of the database tier sqlnet.ora, otherwise its connections to the EBS database are rejected. Do not hand-edit sqlnet.ora for this, because AutoConfig regenerates it; set the value through the database context file (or sqlnet_ifile.ora) so the entry survives the next AutoConfig run.

Apply Oracle EBS patches

Apply the following patches as prerequisites for integrating with OAM:
- 12.2 R12.TXK.C Patch 19767816
- 12.2 R12.TXK.C Patch 20735848
- 12.2 R12.TXK.C Patch 21229697
It is strongly recommended to be on the latest AD and TXK release update packs, so check the following note to make sure you are current:
Document 1617461.1: Applying the Latest AD and TXK Release Update Packs to Oracle E-Business Suite Release 12.2.
We are almost done with the prerequisites, but as mentioned earlier some additional components are needed for Oracle EBS to work with OAM for single sign-on.
One important component is the WebGate. WebGates are policy enforcement agents that filter HTTP requests at the web server and communicate with the Oracle Access Manager authentication and authorization services.

Install WebGate

The steps for the WebGate setup in EBS 12.2 are:
- Download Oracle Access Manager OHS 11g WebGates 11.1.2.2.0 from Patch 18057397.
- Unzip it to /home/applmgr/oam_webgate (any location will do; adjust the path accordingly).
It can be installed on either the run or the patch file system, depending on whether a patching cycle is already in progress, so check the status before proceeding.
[applmgr@ebsapps01 ~]$ adop -status
Enter the APPS password:
==============================================================
ADOP (C.Delta.6)
Session Id: 7
Command: status
Output: /appl_base/fs_ne/EBSapps/log/status_20150921_042545/adzdshowstatus.out
===============================================================

Node Name   Node Type  Phase     Status       Started              Finished             Elapsed
----------- ---------- --------- ------------ -------------------- -------------------- --------
ebsapps01   master     PREPARE   COMPLETED    2015/09/08 00:32:28  2015/09/08 00:42:33  0:10:05
                       APPLY     NOT STARTED
                       FINALIZE  NOT STARTED
                       CUTOVER   NOT STARTED
                       CLEANUP   NOT STARTED
File System Synchronization Type: Light

adop exiting with status = 0 (Success)

I did it on the run file system, after completing the cutover of the existing session so that the pending changes were moved and I could work directly on the run file system. Either way works; if you install on the patch file system, the cutover brings the change in like any other.

[applmgr@ebsapps01 ~]$ echo $FILE_EDITION
run
[applmgr@ebsapps01 ~]$

Invoke the script below to install the WebGate from the location where the patch was unzipped, passing that path with the parameter webgatestagedir:
[applmgr@ebsapps01 oam_webgate]$ txkrun.pl -script=SetOAMReg -installWebgate=yes -webgatestagedir=/home/applmgr/oam_webgate
*** ALL THE FOLLOWING FILES ARE REQUIRED FOR RESOLVING RUNTIME ERRORS
*** Log File = /appl_inst/fs2/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/txkSetOAMReg_Mon_Sep_21_04_31_30_2015.log
Installing WebGate...

*** Log File = /appl_inst/fs2/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/oam/installWebgate_Mon_Sep_21_04_31_30_2015.log

Execute SYSTEM command : /home/applmgr/oam_webgate/Disk1/runInstaller -silent -waitforcompletion -noconsole -invPtrLoc /appl_base/fs2/FMW_Home/webtier/oraInst.loc ORACLE_HOME=/appl_base/fs2/FMW_Home/Oracle_OAMWebGate1 MIDDLEWARE_HOME=/appl_base/fs2/FMW_Home -jreLoc /appl_base/fs2/FMW_Home/webtier/jdk SHOW_INSTALL_PROGRESS_PAGE=false
Successfully installed WebGate at /appl_base/fs2/FMW_Home/Oracle_OAMWebGate1
Copying files from WebGate Oracle Home to WebGate Instancedir
Copying /appl_inst/fs2/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/oam/temp/oam.properties file to /appl_inst/fs2/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/oam location

Cleaning up the temporary directory /appl_inst/fs2/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/oam/temp

End of /appl_base/fs2/EBSapps/appl/fnd/12.0.0/patch/115/bin/txkSetOAMReg.pl : No Errors encountered
[applmgr@ebsapps01 oam_webgate]$

Make sure the log file has no errors; any errors must be fixed before proceeding.
At this stage I recommend running fs_clone to synchronize the installation to the patch file system, so that the change exists on both file systems and is not lost if you later apply other changes and do a cutover. You may have noticed that these steps are much simpler than the setup required in previous EBS releases.
All prerequisites are now complete and we can start the integration of EBS with OAM.
Deploy Oracle E-Business Suite AccessGate

AccessGate is a J2EE application that is deployed in a WebLogic server; Oracle Access Manager protects this resource and challenges the user for ID and password. The following is again run from the EBS application node, on either the run or the patch file system. Since I am already on the run file system, I continue there.
Before EBS 12.2 a separate WebLogic server had to be installed for the AccessGate, but since 12.2 ships with WebLogic, the EBS WebLogic domain itself can host a new managed server for it. Be careful with the naming convention and the port: the managed server name must follow the oaea_server<n> pattern, which the service definitions created by the script expect, and the port must be free for the server to start.
SSOServerURL is the OAM server URL with its port; the port can be checked in the WebLogic Administration Console of the OAM domain (14100 is the default OAM server port).

perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources \
-contextfile=$CONTEXT_FILE \
-deployApps=accessgate \
-SSOServerURL=http://oam01.mahesh.com:14100 \
-managedsrvname=oaea_server3 \
-managedsrvport=6803 \
-logfile=/home/applmgr/log/deployeag.log

Check the log file given with the logfile parameter. In my case /home/applmgr/log/deployeag.log had no errors, so I proceeded. Do not proceed if there are errors: this step creates the managed server in the EBS WebLogic domain, deploys the accessgate application and creates its data source.

All of this can be verified in the WebLogic Administration Console of EBS. Alongside the managed servers that come with EBS by default, there is a new server on the port given in the command; verify that it starts. Under Deployments you can see the accessgate application targeted to the new managed server, and under Data Sources the new data source created by the command. Navigate to the data source, then Monitoring, then Testing, and click "Test Data Source" to confirm the connectivity.

Since a dedicated managed server and port are used for the AccessGate, the following command adds the new managed server to the OHS configuration files mod_wl_ohs.conf and apps.conf:

[applmgr@ebsapps01 ~]$ perl $FND_TOP/patch/115/bin/txkSetAppsConf.pl \
> -contextfile=$CONTEXT_FILE \
> -configoption=addMS \
> -accessgate=ebsapps01.mahesh.com:6803
*** LOG FILE: /appl_inst/fs2/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/txkSetAppsConf_09210732.log ***
[applmgr@ebsapps01 ~]$

The AccessGate deployment is complete. Next, register EBS with OAM.

Register Oracle E-Business Suite with Oracle Access Manager

As before, source the environment for the file system you are changing, taking into account any patching cycle already in progress. The values I passed at the prompts are shown below; they are self-explanatory.
[applmgr@ebsapps01 ~]$ txkrun.pl -script=SetOAMReg -registeroam=yes
*** ALL THE FOLLOWING FILES ARE REQUIRED FOR RESOLVING RUNTIME ERRORS
*** Log File = /appl_inst/fs2/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/txkSetOAMReg_Mon_Sep_21_07_43_10_2015.log
Enter OAM Console URL (for ex: http://myoam.us.oracle.com:7001): http://oam01.mahesh.com:7001
Enter OAM console user name (for ex: weblogic):
ERROR processing <arg> oamUserName: Argument value cannot be an empty string
Enter OAM console user name (for ex: weblogic): weblogic
Enter OAM console password:
Enter LDAP URL (for ex: ldap://myoid.us.oracle.com:3060): ldap://oam01.mahesh.com:3060
Enter OID console user name (for ex: cn=orcladmin): cn=orcladmin
Enter OID console password:
Enter LDAP Search Base: cn=Users, dc=mahesh,dc=com,dc=au
Enter LDAP Group Search Base: cn=Groups, dc=mahesh,dc=com,dc=au
Enter APPS password:
######################################################################
oamHost = http://oam01.mahesh.com:7001
oamApplicationDomain = VIS_ebsapps01.mahesh.com_8000
oamHostIdentifier = VIS_ebsapps01.mahesh.com_8000

contextFile = /appl_inst/fs2/inst/apps/VIS_ebsapps01/appl/admin/VIS_ebsapps01.xml
webGateInternal = Yes
ebsProfileLevel = Site

webGateUrl = http://ebsapps01.mahesh.com:8000
contextRoot = accessgate
logoutUrl = /accessgate/logout

authScheme = EBSAuthScheme
authModule = LDAP_EBS

ldapName = OIDIdentityStore
ldapUrl = ldap://oam01.mahesh.com:3060

ldapSearchBase = cn=Users, dc=mahesh,dc=com,dc=au
ldapGroupSearchBase = cn=Groups, dc=mahesh,dc=com,dc=au
######################################################################
Do you wish to continue (y|n)?
y
Validating APPS schema credentials...

Validation: Success

Installing WebGate...

WebGate is Already Installed at /appl_base/fs2/FMW_Home/Oracle_OAMWebGate1

Skipping the installation of WebGate !

Registering WebGate with OAM...

*** Log File = /appl_inst/fs2/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/oam/oamreg_registerAgent_Mon_Sep_21_07_43_10_2015.log

Execute SYSTEM command : /appl_inst/fs2/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/oam/rreg/bin/oamreg.sh inband input/ebs_oam_short.xml -noprompt /appl_inst/fs2/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/oam/temp/ebs_oam_uri.conf
Successfully registered the WebGate with OAM

Copying registration artifacts to WebGate configuration directory

Automating the policy configurations...

*** Log File = /appl_inst/fs2/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/txkSetOAMReg_Mon_Sep_21_07_43_10_2015.xml

Successfully completed the policy configurations

Copying /appl_inst/fs2/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/oam/temp/oam.properties file to /appl_inst/fs2/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/oam location

Cleaning up the temporary directory /appl_inst/fs2/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/oam/temp
################# BEGIN AUTOCONFIG RUN #############################
Execute SYSTEM command : /appl_inst/fs2/inst/apps/VIS_ebsapps01/admin/scripts/adautocfg.sh *************

The log file for this session is located at: /appl_inst/fs2/inst/apps/VIS_ebsapps01/admin/log/09210803/adconfig.log

AutoConfig is configuring the Applications environment...

AutoConfig will consider the custom templates if present.
Using CONFIG_HOME location : /appl_inst/fs2/inst/apps/VIS_ebsapps01
Classpath : /appl_base/fs2/FMW_Home/Oracle_EBS-app1/shared-libs/ebs-appsborg/WEB-INF/lib/ebsAppsborgManifest.jar:/appl_base/fs2/EBSapps/comn/java/classes

Using Context file : /appl_inst/fs2/inst/apps/VIS_ebsapps01/appl/admin/VIS_ebsapps01.xml

Context Value Management will now update the Context file

Updating Context file...COMPLETED

Attempting upload of Context file and templates to database...COMPLETED

Configuring templates from all of the product tops...
Configuring AD_TOP........COMPLETED
Configuring FND_TOP.......COMPLETED
Configuring ICX_TOP.......COMPLETED
Configuring MSC_TOP.......COMPLETED
Configuring IEO_TOP.......COMPLETED
Configuring BIS_TOP.......COMPLETED
Configuring CZ_TOP........COMPLETED
Configuring AMS_TOP.......COMPLETED
Configuring CCT_TOP.......COMPLETED
Configuring WSH_TOP.......COMPLETED
Configuring CLN_TOP.......COMPLETED
Configuring OKE_TOP.......COMPLETED
Configuring OKL_TOP.......COMPLETED
Configuring OKS_TOP.......COMPLETED
Configuring CSF_TOP.......COMPLETED
Configuring IBY_TOP.......COMPLETED
Configuring JTF_TOP.......COMPLETED
Configuring MWA_TOP.......COMPLETED
Configuring CN_TOP........COMPLETED
Configuring CSI_TOP.......COMPLETED
Configuring WIP_TOP.......COMPLETED
Configuring CSE_TOP.......COMPLETED
Configuring EAM_TOP.......COMPLETED
Configuring GMF_TOP.......COMPLETED
Configuring PON_TOP.......COMPLETED
Configuring FTE_TOP.......COMPLETED
Configuring ONT_TOP.......COMPLETED
Configuring AR_TOP........COMPLETED
Configuring AHL_TOP.......COMPLETED
Configuring IES_TOP.......COMPLETED
Configuring OZF_TOP.......COMPLETED
Configuring CSD_TOP.......COMPLETED
Configuring IGC_TOP.......COMPLETED

AutoConfig completed successfully.

################# END AUTOCONFIG RUN ###############################
Instantiating template...

Template: /appl_base/fs2/EBSapps/appl/fnd/12.0.0/admin/template/oracle_apache_conf_FMW.tmp
End of /appl_base/fs2/EBSapps/appl/fnd/12.0.0/patch/115/bin/txkSetOAMReg.pl : No Errors encountered
[applmgr@ebsapps01 ~]$

Essentially this registers EBS with Oracle Access Manager, but it also performs by itself several tasks that had to be done manually in prior releases:
- Create the Identity Store named OIDIdentityStore, if it does not already exist.
- Create the Authentication Module named LDAP_EBS, if it does not already exist.
- Configure the OAM Agent named <sid_host>, here VIS_ebsapps01.mahesh.com (the run above shows the application domain and host identifier as VIS_ebsapps01.mahesh.com_8000).
- Configure the Authentication Scheme named EBSAuthScheme; opening the scheme in the OAM console shows that its authentication module points to LDAP_EBS.
- Configure the Application Domain named <sid_host> with the authentication policies and response headers required for the Oracle E-Business Suite integration.
- Set the Oracle E-Business Suite profile options Application Authenticate Agent (APPS_AUTH_AGENT) and Applications SSO Type (APPS_SSO).
The steps for EBS single sign-on with OAM and AccessGate are now complete. If you did this inside a patching cycle, complete the cycle. Restart OHS and the WebLogic servers on the EBS application node.
Open the EBS login URL, which redirects to the single sign-on page:
http://<ebshost>.<domain>:<port>/OA_HTML/AppsLogin
The browser is redirected to the OAM login page for authentication.

Bulk Migration of Users from EBS to OID

The single sign-on setup is complete, but many organizations will not already have an OID that holds all of their users, so the users have to be populated into OID as well. Only then can the AccessGate map the OAM-authenticated user to an EBS user and create a session. Authorization stays with EBS itself, so only the user identity information needs to be synchronized to OID. The synchronization creates the users in OID from EBS; OID assigns each of them a GUID and this GUID is written back to the EBS table, where it becomes the link between the EBS account and the OID identity that OAM authenticates.
For security reasons, local users and standard administrative accounts such as SYSADMIN should never be configured for single sign-on. The figure below shows the login type profile for SYSADMIN set to Local; such a user logs in through AppsLocalLogin.jsp without going to OAM, which also keeps an administrative way in when the OAM or OID tier is unavailable. Keeping a privileged account local also means that no directory entry, whoever created it, can be linked to it.
The users are copied to OID with the EBS user migration tools so that EBS and OID are in sync; after that, new users are provisioned automatically, since the registration was done with bidirectional synchronization.
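To make the link between OID and EBS concrete, the following is an added example written for this article (a simplified model, not the AccessGate or FND code) that applies the rules described under the profile options earlier and in this section: the GUID stored in FND_USER.USER_GUID is the link to the EBS account; with APPS_SSO_LINK_SAME_NAMES enabled, an account that has no GUID yet is linked to the OID identity with the same name; and an account whose login type is Local, such as SYSADMIN, is never linked or logged in through SSO. The OAM header names (USER_ORCLGUID, USER_NAME), the login_type field standing in for the per-user "Applications SSO Login Types" profile, and the sample accounts are assumptions of the example.

```python
"""Simplified model of the OAM -> AccessGate -> FND_USER login mapping.

Added example for this article; it models the rules the article describes
and is not the actual AccessGate or FND code. The OAM header names, the
login_type field and the sample accounts are assumptions of the example.
"""
from dataclasses import dataclass
from typing import Optional

# Site-level profile values, as set by the FND_PROFILE.SAVE calls in the article.
SITE_PROFILES = {
    "APPS_SSO": "SSWA_SSO",             # Applications SSO Type = SSWA w/SSO
    "APPS_SSO_LINK_SAME_NAMES": "Y",    # Applications SSO Link Same Names = Enabled
}


@dataclass
class FndUser:
    """The FND_USER columns the model needs. login_type stands in for the
    per-user 'Applications SSO Login Types' profile (assumed values:
    LOCAL, SSO or BOTH)."""
    user_name: str
    user_guid: Optional[str] = None
    login_type: str = "BOTH"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    user_name: Optional[str]
    reason: str


def resolve_sso_login(oam_headers: dict, users: list, profiles: dict = SITE_PROFILES) -> Decision:
    """Map the identity OAM asserted (response headers; names assumed) onto an
    EBS account: by GUID first, by name only as a fallback. A successful
    same-name link updates user_guid in place, standing for the UPDATE of
    FND_USER.USER_GUID."""
    if profiles.get("APPS_SSO") != "SSWA_SSO":
        return Decision(False, None, "APPS_SSO is not SSWA_SSO; SSO logins not accepted")
    guid = oam_headers.get("USER_ORCLGUID")
    if not guid:
        return Decision(False, None, "OAM did not assert a GUID")
    name = (oam_headers.get("USER_NAME") or "").upper()   # FND_USER.USER_NAME is upper case

    # 1. The GUID is the link; it wins even if the OID user name has changed.
    for user in users:
        if user.user_guid == guid:
            if user.login_type == "LOCAL":
                return Decision(False, user.user_name, "account is LOCAL-only; SSO login refused")
            return Decision(True, user.user_name, "matched by USER_GUID")

    # 2. No account carries this GUID: link by name only if the profile allows it.
    if profiles.get("APPS_SSO_LINK_SAME_NAMES") != "Y":
        return Decision(False, None, f"no EBS account linked to GUID {guid}")
    for user in users:
        if user.user_name != name:
            continue
        if user.login_type == "LOCAL":
            return Decision(False, user.user_name, "same-name account is LOCAL-only; not linked")
        if user.user_guid is not None:
            return Decision(False, user.user_name,
                            "same-name account already linked to another GUID; not re-linked")
        user.user_guid = guid
        return Decision(True, user.user_name, "linked to USER_GUID by same name")
    return Decision(False, None, f"no EBS account linked to GUID {guid} or named {name}")


def sample_users() -> list:
    """Constructed FND_USER rows for the demonstration; not real accounts."""
    return [
        FndUser("SYSADMIN", None, "LOCAL"),        # standard admin, kept local as advised
        FndUser("JDOE", "0A1B2C3D-GUID", "BOTH"),  # migrated; USER_GUID already populated
        FndUser("ASMITH", None, "SSO"),            # not linked yet; USER_GUID is null
        FndUser("BJONES", "99ZZ-GUID", "SSO"),     # linked to a different OID entry
    ]


if __name__ == "__main__":
    users = sample_users()
    for hdrs in (
        {"USER_ORCLGUID": "0A1B2C3D-GUID", "USER_NAME": "jdoe.renamed"},
        {"USER_ORCLGUID": "NEW-1", "USER_NAME": "asmith"},
        {"USER_ORCLGUID": "NEW-2", "USER_NAME": "sysadmin"},
        {"USER_ORCLGUID": "NEW-3", "USER_NAME": "bjones"},
        {"USER_ORCLGUID": "NEW-4", "USER_NAME": "nobody"},
    ):
        d = resolve_sso_login(hdrs, users)
        verdict = "ALLOW" if d.allowed else "DENY "
        print(f"{hdrs['USER_NAME']:>13}: {verdict} {d.user_name} ({d.reason})")
```

Run as a script it prints one decision per constructed case. The two refusals worth noting are the same-name link to a Local account and to an account that is already linked to a different GUID: together they are what stops a directory entry that merely shares a name from taking over an EBS account, which is the reason the article keeps SYSADMIN local.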
The utility AppsUserExport exports a selected set of application accounts from the Oracle EBS user directory (FND_USER) into an intermediate LDIF file. That file is moved to the OID server and converted with ldifmigrator into the final LDIF to be loaded into OID.

The process below can vary based on your requirements; refer to the Oracle notes listed on the last page for more information. An intermediate LDIF file is created with the EBS utility, copied to the OID server, converted into the final LDIF file and imported into OID.

Figure (from Oracle Document)

The screenshot below shows one sample user who is a candidate for migration to OID; its USER_GUID is null. As explained above, the GUID is the link between OID and EBS, so a value is expected here. Which process populates it?

Prepare the intermediate file with the following command on the EBS application server:
[applmgr@ebsapps01 user_export]$ java oracle.apps.fnd.oid.AppsUserExport -v -dbc $FND_SECURE/VIS.dbc -o VIS_Users.txt -pwd apps -g -l VIS_Users.log
User Export to VIS_Users.txt started..
User Export completed successfully. For further details please refer to log file at: VIS_Users.log
[applmgr@ebsapps01 user_export]$
This is the step that populates the USER_GUID column during a bulk migration: AppsUserExport run with -g assigns the GUID that the exported entry carries into OID. A screenshot of the user definition screen taken afterwards shows the password fields greyed out, because EBS no longer manages the password of a user who authenticates through SSO.

Copy the intermediate file to the OID server and convert it into a format that can be loaded into OID. The following command is executed on the OID server:
[apploid@oam01 user_import]$ ldifmigrator "input_file=VIS_Users.txt" "output_file=VIS_Users.txt.ldif" "s_UserContainerDN=cn=Users, dc=mahesh,dc=com,dc=au" "s_UserNicknameAttribute=uid"
INFO: [Thu Oct 01 10:24:27 AEST 2015] Migration of LDIF data to OID starts
INFO: [Thu Oct 01 10:24:28 AEST 2015] Input file : /home/apploid/user_import/VIS_Users.txt
INFO: [Thu Oct 01 10:24:28 AEST 2015] Output file : /home/apploid/user_import/VIS_Users.txt.ldif
INFO: [Thu Oct 01 10:24:28 AEST 2015] Substitution Variables
s_UserContainerDN : cn=Users, dc=mahesh,dc=com,dc=au
s_UserNicknameAttribute : uid
INFO: [Thu Oct 01 10:24:29 AEST 2015] Migration of LDIF data completed. All the entries are successfully migrated
Migration of LDIF data completed. All the entries are successfully migrated

[apploid@oam01 user_import]$

The final file is now ready to be loaded into OID. Before loading it, disable the provisioning profile that synchronizes from OID to EBS; the users being loaded already exist in EBS and must not be provisioned back as new accounts:

oidprovtool operation=disable \
ldap_host=oam01.mahesh.com \
ldap_port=3060 \
ldap_user_dn=cn=orcladmin \
application_dn="orclApplicationCommonName=VIS,cn=EBusiness,cn=Products,cn=OracleContext,dc=mahesh,dc=com,dc=au" \
profile_mode=BOTH

Then stop OID, since bulkload needs the OID server processes down, and confirm that no odisrv process is left running:

[apploid@oam01 bin]$ ./opmnctl stopall
opmnctl stopall: stopping opmn and all managed processes...
[apploid@oam01 bin]$ ps -ef | grep odisrv
apploid 7478 19961 0 13:14 pts/5 00:00:00 grep odisrv
[apploid@oam01 bin]$

Verify the file with bulkload in check mode to make sure it contains no bad records. Remove any bad records manually and re-run the check until the file is clean.

[apploid@oam01 user_import]$
/u01/oid/Oracle/Middleware/Oracle_IDM1/ldap/bin/bulkload connect=OIDDB
check=true generate=true file=VIS_Users.txt.ldif

------------------------------------------------------------
"oiddb"...
------------------------------------------------------------
This tool can only be executed if you know database user password for OID
Enter OID Password ::
[apploid@oam01 user_import]$
/u01/oid/Oracle/Middleware/Oracle_IDM1/ldap/bin/bulkload connect=OIDDB
check=true generate=true file=VIS_Users.txt.ldif

------------------------------------------------------------
"oiddb"...
------------------------------------------------------------
This tool can only be executed if you know database user password for OID
Enter OID Password ::
...Setting OID server mode to read-modify on "oiddb" node...

------------------------------------------------------------
Checking and Generating Internet Directory data for bulk loading
------------------------------------------------------------

------------------------------------------------------------
Found Schema-Check errors, bad entries are logged in
/u01/oid/Oracle/Middleware/asinst_1//OID/load/badentry.ldif
------------------------------------------------------------

------------------------------------------------------------
For more details, see bulkload.log
------------------------------------------------------------
[apploid@oam01 user_import]$

After fixing the bad records, we should try again and get a message like the one below.

[apploid@oam01 user_import]$
/u01/oid/Oracle/Middleware/Oracle_IDM1/ldap/bin/bulkload connect=OIDDB
check=true generate=true file=VIS_Users.txt.ldif

------------------------------------------------------------
"oiddb"...
------------------------------------------------------------
This tool can only be executed if you know database user password for OID
Enter OID Password ::

------------------------------------------------------------
Checking and Generating Internet Directory data for bulk loading
------------------------------------------------------------

------------------------------------------------------------
Data generated successfully
------------------------------------------------------------
[apploid@oam01 user_import]$

Now load the data by replacing check=true with load=true, as below.

[apploid@oam01 user_import]$
/u01/oid/Oracle/Middleware/Oracle_IDM1/ldap/bin/bulkload connect=OIDDB
load=true generate=true file=VIS_Users.txt.ldif

------------------------------------------------------------
"oiddb"...
------------------------------------------------------------
This tool can only be executed if you know database user password for OID
Enter OID Password ::

------------------------------------------------------------
Generating Internet Directory data for bulk loading
------------------------------------------------------------

------------------------------------------------------------
Data generated successfully
------------------------------------------------------------

------------------------------------------------------------
Loading data on "oiddb"
------------------------------------------------------------
attr_store002...
battr_store001...
objectclass001...
..
….
uid...
uidnumber...
uniquemember...
vdeprimaryref...
vpimmail...
x509issuer...

------------------------------------------------------------
Data loaded successfully
------------------------------------------------------------

------------------------------------------------------------
Verifying indexes ...
------------------------------------------------------------

------------------------------------------------------------
Following tables do not have all indexes
------------------------------------------------------------
CT_ORCLOPENLDAPENTRYUUID
CT_ORCLNDSOBJECTGUID
CT_ORCLODIPCONDIRTYPE
CT_ORCLFEDSERVERID
CT_ORCLFEDNAMENEWFORMAT
CT_ORCLFEDNAMEOLDFORMAT
CT_ORCLFEDOWNERGUID
CT_ORCLSOURCEMODIFYTIMESTAMP
CT_ORCLFEDNAMESPQUALIFIER
CT_ORCLSOURCECREATETIMESTAMP
CT_ORCLODIPPROFILEEXECGROUPID
CT_ORCLFEDFEDERATIONTYPE

------------------------------------------------------------
Generating Database Statistics ...
------------------------------------------------------------
...Setting OID server mode to read-write on "oiddb" node...
[apploid@oam01 user_import]$
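The check, fix and load steps above, with the "remove the bad records manually" step automated, as an added example that is not from the original article: it drops the entries that bulkload rejected (the records in badentry.ldif) from the source LDIF by DN, so the file can be re-checked and then loaded. The layout of badentry.ldif (plain LDIF records with a leading dn: line) and the sample user DNs are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: automates the "remove the bad
# records manually" step. bulkload check=true writes the rejected entries to
# badentry.ldif; this drops those entries (matched by DN) from the source LDIF so
# the file can be re-checked and then loaded. Assumes badentry.ldif holds the
# rejected records as plain LDIF (blank-line separated, "dn:" on the first line).

# Print the DN of every record in an LDIF file, one per line.
ldif_dns() {
  awk 'BEGIN { RS = "" }                 # paragraph mode: one LDIF record per $0
       { n = split($0, line, "\n")
         for (i = 1; i <= n; i++)
           if (line[i] ~ /^dn: /) { print substr(line[i], 5); break } }' "$1"
}

# Usage: strip_bad_entries badentry.ldif source.ldif > clean.ldif
strip_bad_entries() {
  BADLIST="$(ldif_dns "$1")" awk '
    BEGIN { RS = ""; ORS = "\n\n"
            n = split(ENVIRON["BADLIST"], b, "\n")   # DNs rejected by bulkload
            for (i = 1; i <= n; i++) if (b[i] != "") bad[b[i]] = 1 }
    { n = split($0, line, "\n"); dn = ""
      for (i = 1; i <= n; i++)
        if (line[i] ~ /^dn: /) { dn = substr(line[i], 5); break }
      if (dn in bad) next                  # drop the record bulkload rejected
      print }' "$2"
}

# Self-contained demo on constructed data (not the real VIS export): three users,
# one of which the check run rejected. Prints the DNs that survive the clean-up.
demo_kept_dns() {
  d=$(mktemp -d) || return 1
  printf '%s\n' 'dn: cn=asmith,cn=Users,dc=mahesh,dc=com,dc=au' 'uid: asmith' \
    'objectclass: inetOrgPerson' '' 'dn: cn=bad user,cn=Users,dc=mahesh,dc=com,dc=au' \
    'uid: baduser' '' 'dn: cn=jdoe,cn=Users,dc=mahesh,dc=com,dc=au' 'uid: jdoe' \
    'objectclass: inetOrgPerson' > "$d/VIS_Users.txt.ldif"
  printf '%s\n' 'dn: cn=bad user,cn=Users,dc=mahesh,dc=com,dc=au' 'uid: baduser' \
    > "$d/badentry.ldif"
  strip_bad_entries "$d/badentry.ldif" "$d/VIS_Users.txt.ldif" > "$d/clean.ldif"
  ldif_dns "$d/clean.ldif"
  rm -rf "$d"
}
```

Re-run bulkload with check=true on the cleaned file before switching to load=true, since a DN match only removes the records the previous check reported.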

Now log in with the EBS URL; you should be able to log in without any issues.
It gets redirected to the OAM login page.

Log in with your user ID and password and you will get the landing page as below.

Known Issues

Below are some issues I encountered.

1. Error: “Internal Error: Webgate allowed access to protected page GUID=null”

This is a known issue for OAM 11gR2 PS2.

Log in to OAM, navigate to Configuration and select “User Identity Store”.

Edit the OIDIdentityStore, enter orclguid in the 'Prefetched Attributes' field and click
'Apply' to save.

Stop and restart the 'oam_server1' managed server to pick up this change.

2. Error while running fs_clone

After completing the integration of OAM with EBS 12.2, I had to run fs_clone to
synchronize both file systems with the changes made for single sign on. Please follow the
document “Integrating Oracle E-Business Suite Release 12.2 with Oracle Access Manager
11gR2 (11.1.2) using Oracle E-Business Suite AccessGate (Doc ID 1576425.1)” to
complete the steps. If you follow it without missing anything you will never encounter
the issue below, but I am posting it to give a small idea of how to check.
I ran the command below to start the phase:

adop phase=fs_clone allnodes=no force=yes (check the syntax for multi node)

The run encountered the errors below:

[UNEXPECTED]Error occurred while executing "perl /appl_base/fs2/EBSapps/appl/ad/12.0.0/patch/115/bin/txkADOPValidations.pl -contextfile=/appl_inst/fs2/inst/apps/VIS_ebsapps01/appl/admin/VIS_ebsapps01.xml -patchctxfile=/appl_inst/fs1/inst/apps/VIS_ebsapps01/appl/admin/VIS_ebsapps01.xml -phase=fs_clone -logloc=/appl_base/fs_ne/EBSapps/log/adop/8/fs_clone_20150922_103236/VIS_ebsapps01 -promptmsg=hide"
[UNEXPECTED]Error 1 occurred while Executing txkADOPValidation script on ebsapps01

From the log file, we can get the log information generated while doing the validations as
below which showed the exact reason for the failure.

[applmgr@ebsapps01 VIS_ebsapps01]$ grep -i ERROR /appl_base/fs_ne/EBSapps/log/adop/8/fs_clone_20150922_103236/VIS_ebsapps01/ADOPValidations_detailed.log
RC-50204: Error: – WLS OAEA Application Port in use: Port Value = 6803
ERROR: The following required ports are in use:
[applmgr@ebsapps01 VIS_ebsapps01]$

It is clear from the above that port 6803 is causing the issue; it is the new port used by the
managed server created for AccessGate. We can verify it with the commands below.

[applmgr@ebsapps01 VIS_ebsapps01]$ netstat -a | grep 6803
tcp 1 0 ebsapps01.mahesh.com.a:52978 ebsapps01.mahesh.com:6803 CLOSE_WAIT
tcp 0 0 ebsapps01.mahesh.com:6803 *:* LISTEN
tcp 0 0 ebsapps01.mahesh.com:6803 ebsapps01.mahesh.com.a:52769 ESTABLISHED
tcp 0 0 ebsapps01.mahesh.com.a:52769 ebsapps01.mahesh.com:6803 ESTABLISHED
[applmgr@ebsapps01 VIS_ebsapps01]$

Solution: Stop the oaea managed server on the run file system before performing the
fs_clone operation, immediately after the accessgate deployment.
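A pre-flight check for this issue, as an added example that is not from the original article: it reads the ports that txkADOPValidations flagged in ADOPValidations_detailed.log and tests whether each one is still listening before fs_clone is started. The sample log and netstat lines are constructed from the output shown above, and the exact wording of the RC-50204 line is assumed from it.

```shell
#!/bin/sh
# Added example, not part of the original article: a pre-flight check to run
# before "adop phase=fs_clone" once the AccessGate managed server is deployed.
# It pulls the ports that txkADOPValidations reported as busy out of
# ADOPValidations_detailed.log and tells whether each is still held, which is
# the RC-50204 symptom above (port 6803 held by the oaea managed server).

# Print every port flagged "Port in use" in a validation log (file or stdin).
ports_flagged_in_log() {
  sed -n 's/.*Port in use: Port Value = \([0-9][0-9]*\).*/\1/p' "$@"
}

# Exit 0 if the given netstat/ss output shows a LISTEN socket on the port.
port_listening_in() {   # usage: port_listening_in PORT "<netstat output>"
  printf '%s\n' "$2" | awk -v p=":$1\$" '
    /LISTEN/ { for (i = 1; i <= NF; i++) if ($i ~ p) found = 1 }
    END { exit !found }'
}

# Live check on this host: netstat as in the article, ss where netstat is absent.
port_listening() {
  if command -v netstat >/dev/null 2>&1; then
    port_listening_in "$1" "$(netstat -an 2>/dev/null)"
  else
    port_listening_in "$1" "$(ss -ltn 2>/dev/null)"
  fi
}

# Usage: fs_clone_preflight ADOPValidations_detailed.log
# Returns 1 if any flagged port is still listening, so it can gate the adop run.
fs_clone_preflight() {
  rc=0
  for port in $(ports_flagged_in_log "$1"); do
    if port_listening "$port"; then
      echo "port $port still listening: stop the managed server holding it (oaea) before fs_clone" >&2
      rc=1
    else
      echo "port $port is free" >&2
    fi
  done
  return $rc
}

# Constructed sample data in the shape shown above (not real output).
SAMPLE_LOG='RC-50204: Error: - WLS OAEA Application Port in use: Port Value = 6803
ERROR: The following required ports are in use:'
SAMPLE_NETSTAT='tcp 1 0 ebsapps01.mahesh.com.a:52978 ebsapps01.mahesh.com:6803 CLOSE_WAIT
tcp 0 0 ebsapps01.mahesh.com:6803 *:* LISTEN
tcp 0 0 ebsapps01.mahesh.com:6803 ebsapps01.mahesh.com.a:52769 ESTABLISHED'
```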

References

Integrating Oracle E-Business Suite Release 12.2 with Oracle Access Manager 11gR2 (11.1.2) using Oracle E-Business Suite AccessGate (Doc ID 1576425.1)
Integrating Oracle E-Business Suite Release 12.2 with Oracle Internet Directory 11gR1 (Doc ID 1371932.1)
https://docs.oracle.com/cd/E26401_01/doc.122/e22952/T156458T580814.htm
