OAM EBS OSSO Integration.pdf

Oracle Access Manager Integration with Oracle E-Business Suite

An ERP solution is a key, mission-critical application within most organizations, but it is one of many applications. As organizations adopt a web-based approach for all their applications, the need to extend SSO across the enterprise has become a requirement. Organizations are also looking to standardize and centralize security management. Demand for access to business resources continues to increase; organizations require internal applications and information to be accessible in a secure fashion to an increasing number of employees, customers, and partners. This technical white paper discusses how Oracle Access Manager integrates with Oracle E-Business Suite, allowing customers to realize SSO across all of their web-based applications.

Overview of Oracle Access Manager

Oracle Access Manager is a state-of-the-art solution for both centralized identity management and access control, providing an integrated, standards-based solution that delivers authentication, web single sign-on, access policy creation and enforcement, user self-registration and self-service, delegated administration, reporting, and auditing. Oracle Access Manager’s unique coupling of access management and identity administration functionality is why it is established as the leading solution for web access management.

Features

Oracle Access Manager has two major systems: the Identity System and the Access System. The Identity System allows workflow-driven user management and access clearance using administrative, delegated and self-service functions. The Access System enforces access policies for web resources using Webgate, and AccessGate for legacy systems.

The Access Server has the following basic components:

• LDAP Server - Stores user, configuration and policy data.
• Webgate - Webgate is an out-of-the-box access client for enforcing access policy on HTTP-based resources; hence it is the Access System’s web Policy Enforcement Point, or PEP.
• Access Server - Access Manager’s Access Server is a standalone software server that enforces access policies on web and non-web resources, so it is the Access System’s Policy Decision Point, or PDP.
• Policy Manager and Access System Console - Access Manager’s Policy Manager is a browser-based graphical tool for configuring resources to be protected as well as creating and managing access policies.
• Identity Server - The Identity Server manages identity information about users, groups, organizations, and other objects.
• Webpass - WebPass is the presentation tier of the Identity System.


Accessing E-Business Suite Instances with Single Sign-On

Oracle Application Server, Oracle Internet Directory and Oracle Single Sign-On Server are required to enable single sign-on (SSO) functionality with the E-Business Suite. For Oracle E-Business Suite Release 12, mod_osso, an Oracle HTTP Server module, is used for Single Sign-On authentication. It allows the E-Business Suite to register as a partner application to the Oracle Single Sign-On Server, giving users the ability to access other registered partner applications with a single credential (for example, a username/password combination). As a partner application, the E-Business Suite also supports Single Sign-Off.

Oracle AS SSO Server, Oracle Access Manager and E-Business Suite form a chain of trust. Oracle AS SSO Server delegates authentication to Oracle Access Manager. Implicitly, E-Business Suite trusts Oracle Access Manager even though E-Business Suite only works with Oracle AS SSO Server.

[Figure: Simple architecture with Oracle AS SSO, the E-Business Suite server and the Access Server installed on separate servers. Labels in the figure: Internet, Customers, Partners, Supply Chain.]


Process overview: Integration of Oracle Access Manager, Oracle AS Single Sign-On and Oracle E-Business Suite

1. A user makes a request to access E-Business Suite. E-Business Suite redirects it to the Oracle AS SSO Server for authentication.

2. Webgate, a plug-in running on the Oracle AS HTTP Server, intercepts the request. Webgate requests the security policy from the Access Server to determine if the resource is protected. When the resource is protected, Webgate prompts the user to authenticate.

3. The credentials entered by the user are validated against the directory for authentication.

4. When authentication is successful, an encrypted Oracle Access Manager single sign-on cookie is set on the user's browser.

5. After successful authentication, the Access System determines if the user is authorized by applying the policies that have been configured for the resource.

6. Upon successful authorization, the Access System executes the actions that have been defined in the security policy and sets an HTTP header variable that maps to the OracleAS 10g user ID.

7. The OracleAS SSO Server recognizes the Oracle Access Manager header variable, authenticates the user, sets the Oracle SSO cookie and redirects back to the E-Business Suite.

8. Once redirected back to the E-Business Suite, the E-Business Suite recognizes the Single Sign-On security tokens and looks up the user's assigned Applications Responsibilities in the E-Business Suite FND_USER table.
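The eight steps above as a constructed Python simulation, added here for illustration; it is not Oracle's code and not part of the white paper. The directory entries, the FND_USER rows, the cookie formats, the header name OAM_REMOTE_USER and all function names are assumptions. The real Oracle Access Manager cookie is encrypted; this model only integrity-protects it with an HMAC so that a tampered cookie is rejected. It goes one step beyond the text in having Webgate discard any copy of the header variable that arrived with the client request, which is the property the policy domain protecting /sso/auth and the orasso login URL provides in a real deployment: only Webgate, after a successful authentication and authorization, sets the header the SSO plug-in trusts.

```python
"""Constructed simulation of the OAM -> OracleAS SSO -> E-Business Suite
chain of trust. Nothing here is Oracle code; every name is an assumption."""
import hashlib
import hmac
import secrets

# Constructed sample data: LDAP user base, protected resources, FND_USER rows.
DIRECTORY = {"jdoe": "correct-horse", "tmpuser": "battery-staple"}
PROTECTED = {
    "/sso/auth": {"GET", "POST"},
    "/pls/orasso/orasso.wwsso_app_admin.ls_login": {"GET", "POST"},
}
FND_USER = {"JDOE": ["System Administrator", "Receivables Manager"]}  # tmpuser is not linked
OAM_KEY = secrets.token_bytes(32)   # assumed shared secret behind the OAM cookie
HEADER = "OAM_REMOTE_USER"          # assumed name of the header variable set by the policy action


def resource_is_protected(resource, operation):
    """Step 2 (PDP side): does a policy cover this resource and operation?"""
    return operation in PROTECTED.get(resource, set())


def authenticate(user, password):
    """Step 3: validate credentials against the directory (Basic over LDAP)."""
    expected = DIRECTORY.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def oam_cookie(user):
    """Step 4: integrity-protected OAM SSO cookie (HMAC stands in for encryption)."""
    tag = hmac.new(OAM_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{tag}"


def oam_cookie_user(cookie):
    """Return the user named in a valid OAM cookie, or None for a missing/tampered one."""
    user, _, tag = cookie.rpartition(":")
    if not user:
        return None
    expected = hmac.new(OAM_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(tag.encode(), expected.encode()) else None


def webgate(request):
    """Steps 2-6 as seen by Webgate, the PEP in front of the SSO server."""
    if not resource_is_protected(request["path"], request["method"]):
        return request                      # unprotected: pass through untouched
    user = oam_cookie_user(request.get("cookie", ""))
    if user is None:                        # no valid cookie: prompt for credentials
        creds = request.get("credentials")
        if not creds or not authenticate(*creds):
            return {"status": 401}          # deny; the browser would see a login prompt
        user = creds[0]
        request["cookie"] = oam_cookie(user)
    # Step 5: the authorization rule allows anyone who authenticated.
    # Step 6: the policy action sets the header variable; any client-sent copy is dropped.
    headers = {k: v for k, v in request.get("headers", {}).items() if k != HEADER}
    headers[HEADER] = user
    request["headers"] = headers
    return request


def sso_plugin(request):
    """Step 7: SSOOblixAuth-style plug-in on the SSO server trusts the Webgate header."""
    user = request.get("headers", {}).get(HEADER)
    if user is None:
        return {"status": 401}
    # Assumed mapping of the OracleAS user ID onto the EBS user name (upper case).
    return {"status": 302, "osso_cookie": f"SSO_ID={user.upper()}",
            "location": "/oa_servlets/AppsLogin"}


def ebs_login(osso_cookie):
    """Step 8: EBS recognizes the SSO token and looks up responsibilities in FND_USER."""
    user = osso_cookie.split("=", 1)[1]
    return FND_USER.get(user)               # None when the SSO user is not linked to an EBS account


def single_sign_on(path, method, credentials=None, cookie="", client_headers=None):
    """Run one request through the whole chain; returns the responsibilities or None."""
    request = {"path": path, "method": method, "cookie": cookie,
               "credentials": credentials, "headers": dict(client_headers or {})}
    result = webgate(request)
    if result.get("status") == 401:
        return None
    sso = sso_plugin(result)
    if sso["status"] != 302:
        return None
    return ebs_login(sso["osso_cookie"])


if __name__ == "__main__":
    print(single_sign_on("/sso/auth", "GET", credentials=("jdoe", "correct-horse")))
```

The last function is the whole flow: a correct password yields the user's responsibilities, a wrong password or a tampered cookie yields nothing, and a directory user with no FND_USER row authenticates at OAM but gets no responsibilities, which is the account-linking step the registration section below addresses.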

The integration process consists of the following major steps:

1. Install Oracle Application Server 10g Enterprise Edition on a standalone server or in a separate ORACLE_HOME on an existing server.

2. Install interoperability patches to integrate the Oracle Application Server 10g Enterprise Edition server with the E-Business Suite environment.

3. Synchronize user information between the Oracle Application Server 10g Enterprise Edition server and the E-Business Suite environment.

4. Install Oracle Access Manager on a standalone server or on an existing server. Install Webgate on the Oracle AS HTTP Server.

5. Synchronize user information between the Oracle Application Server 10g Enterprise Edition server and the Oracle Access Manager user base, if it is different from the Oracle AS user base.

Install OracleAS Identity Management Infrastructure 10g

This task creates the standalone Oracle Application Server 10g Enterprise Edition server that will be associated with the E-Business Suite server and the Oracle Access Server. Run runInstaller on Linux/UNIX or setup.exe on Windows.


Select “Oracle Application Server Infrastructure 10g”

Select Configuration Options: Select Oracle Internet Directory, OracleAS Directory Integration and Provisioning, OracleAS Single Sign-On, OracleAS Delegated Administration Services


Test the Oracle AS Infrastructure environment

Go to OID DAS (Oracle Internet Directory Delegated Administration Service) and log in as orcladmin: http://<host_name>.<domain>:<Infrastructure http port number>/oiddas

Install the E-Business Suite SSO 10g Integration Patch, if needed. (The integration patch is included in the R12 Rapid Install.)

On the E-Business Suite (EBS) application tier, set the applications environment (so that $FND_TOP is defined) and run the following commands. For example, to provision users from OID into EBS, use the ProvOIDtoApps.tmp template:

chmod 755 $FND_TOP/admin/template/ProvOIDtoApps.tmp

GRANT CONNECT, RESOURCE TO ssosdk;


Register EBS with Oracle AS Infrastructure.

$txkrun.pl -script=SetSSOReg -provtmp=$FND_TOP/admin/template/ProvOIDtoApps.tmp

The script prompts for the following information:

Enter the host name where Oracle AS Infrastructure database is installed: <OAS Infra host>
Enter the Oracle AS Infrastructure database port number: 1521
Enter the Oracle AS Infrastructure database SID: <OID SID>
Enter the LDAP Port on Oracle Internet Directory server: 389
Enter Oracle E-Business apps database user password: <Apps password>
Enter Oracle AS Infrastructure database ORASSO schema password: <password>
Enter Oracle E-Business SYSTEM database user password: <DB Password>
Enter E-Business Suite existing SSOSDK schema password or choose a password to use with the new SSOSDK schema if the schema does not exist: <SSOSDK Password>
Enter the Oracle Internet Directory Administrator (orcladmin) Bind password: <password>
Enter the password that you would like to register this E-Business instance with: <password>

Use LDAPUserImport or the Oracle Internet Directory provisioning solution to move users into Oracle E-Business Suite.

Link the EBS accounts with SSO users

Set the SSO-related profile options in EBS to enable Single Sign-On, and set up the link option for existing users. Log in to EBS through http://<EBS Server Name>:<port>/oa_servlets/AppsLogin. EBS redirects to the Oracle AS SSO page.


Enter the user ID and password; after authentication, Oracle SSO redirects back to EBS.

Install Oracle Access Manager and install Webgate on the Oracle AS HTTP Server

Integrating Oracle Access Manager with Oracle Single Sign-On

Log in to the Policy Manager.


Create a Policy Domain and protect the following HTTP resources:

1) /sso/auth
2) /pls/orasso/orasso.wwsso_app_admin.ls_login


Configure default rules with Basic Over LDAP Authentication Scheme.

Click the Actions subtab to configure authentication success or failure actions. Click Add and configure Return Attributes for Authentication Success with the following information. Click Save when done.

Configure Policies with the following information:

Resource operations: GET and POST
Resource type: http


Create the Authorization Rule and allow access to anyone. Enable the SSO-related policy domain.

Install and Configure the Oracle Single Sign-On Authentication Plug-In

• Compile the SSOOblixAuth.java file. The sample SSOOblixAuth.java file can be found in ORACLE_HOME/sso/lib.

• Compile the file on Linux, including ORACLE_HOME/sso/lib/ipastoolkit.jar in the class path. Use the command shown below:

ORACLE_HOME/jdk/bin/javac -classpath ORACLE_HOME/sso/lib/ipastoolkit.jar:ORACLE_HOME/lib/servlet.jar -d ORACLE_HOME/sso/plugin SSOOblixAuth.java

The above command creates SSOOblixAuth.class and places it in the directory ORACLE_HOME/sso/plugin/oblix/security/ssoplugin.

• Register the Java class for integration by editing the policy.properties file in the following location:

OracleAS_install_dir/sso/conf

Where OracleAS_install_dir is the directory where OracleAS Single Sign-On infrastructure is installed.

• In the OracleAS Single Sign-On policy.properties file, replace the simple authentication plug-in with the plug-in that you created in the previous steps. In this file, navigate to the line MediumSecurity_AuthPlugin:

MediumSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOServerAuth


Comment out the existing line and add a new line to register your Java class, as follows:

MediumSecurity_AuthPlugin = oblix.security.ssoplugin.SSOOblixAuth

When editing policy.properties, take care not to insert blank space at the end of a line.

• Save the file.

• Restart the single sign-on middle tier, and restart the OC4J instance OC4J_SECURITY, for your changes to take effect.

• Test the integrated system. Log on to the EBS.
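An added Python helper, not Oracle's and not part of the white paper, that performs the policy.properties edit described in the steps above: it comments out the existing MediumSecurity_AuthPlugin line, adds the new one, and leaves no trailing blank space on any line, since the text warns that such whitespace breaks the file. The sample file content is a constructed excerpt, not a real OracleAS policy.properties; the function and variable names are assumptions.

```python
"""Register the SSOOblixAuth plug-in in a policy.properties text (added helper,
not Oracle code). Works on the file contents as a string so it can be tested."""
import re

KEY = "MediumSecurity_AuthPlugin"
NEW_CLASS = "oblix.security.ssoplugin.SSOOblixAuth"


def register_plugin(text, key=KEY, new_class=NEW_CLASS):
    """Return the edited file text.

    The active `key = value` line is kept as a commented-out copy and followed by
    the new assignment. Every emitted line is right-stripped, so the edit never
    leaves blank space at the end of a line. Raises ValueError if the key is
    missing or already points at new_class (guards against running it twice).
    """
    pattern = re.compile(rf"^\s*{re.escape(key)}\s*=\s*(\S+)\s*$")
    out, replaced = [], False
    for line in text.splitlines():
        stripped = line.rstrip()
        match = pattern.match(stripped)     # a '#'-commented line never matches
        if match:
            if match.group(1) == new_class:
                raise ValueError(f"{key} already points at {new_class}")
            out.append("#" + stripped)      # keep the old value for rollback
            out.append(f"{key} = {new_class}")
            replaced = True
        else:
            out.append(stripped)
    if not replaced:
        raise ValueError(f"{key} not found in policy.properties")
    return "\n".join(out) + "\n"


def trailing_blank_lines(text):
    """1-based numbers of lines that end in whitespace; empty after a clean edit."""
    return [n for n, line in enumerate(text.splitlines(), 1) if line != line.rstrip()]


# Constructed excerpt; the third line deliberately carries trailing spaces.
SAMPLE = (
    "# Authentication plug-ins per security level (constructed sample)\n"
    "LowSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOServerAuth\n"
    "MediumSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOServerAuth   \n"
    "HighSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOServerAuth\n"
)

if __name__ == "__main__":
    print(register_plugin(SAMPLE), end="")
```

Run it against the real file by reading ORACLE_HOME/sso/conf/policy.properties into a string, writing the result back only after trailing_blank_lines reports an empty list, and then restarting the SSO middle tier and OC4J_SECURITY as the steps above require.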


Harish R Jangada, [email protected], Identris, 499 Thornall Street, Edison, NJ