
Oracle EBS 12.2 Single Sign on With Access Manager:  

Introduction 

Single sign on lets end users log in to multiple applications without being prompted for credentials again once they have authenticated with a valid user ID and password. Authentication is a familiar term; it always involves a user ID and password. Oracle EBS single sign on gives end users seamless authentication to the other applications in the organization.

Oracle EBS native authentication works on the FND_USER table, which stores the user ID and password; every user is authenticated against this table through an API. The table data changes slightly once authentication is moved to Oracle Access Manager. We will discuss this further in this article.

Having said that, 12.2 does not require a separate installation of Oracle WebLogic to deploy AccessGate, since it already ships with one that can be used for the deployment. This is a major difference from the 12.1 version of EBS, where many additional steps were needed to achieve the same. In 12.2 the steps are much simpler, and many of them are done using EBS scripts.

Single sign on requires additional components to be installed and configured. Below are the other components required for EBS 12.2 single sign on; I have used the versions below, which were the latest when writing this article.

Oracle Access Manager (11.1.2.3)

Oracle Internet directory (11.1.1.9)


Architecture

Product                      Version    Server                OS        User
---------------------------  ---------  --------------------  --------  --------
Oracle EBS Application Node  12.2.4     ebsapps01.mahesh.com  RHEL 5.5  applmgr
Oracle EBS Database Node     11.2.0.3   ebsdb01.mahesh.com    RHEL 5.5  oracle
Oracle Access Manager        11.1.2.3   oam01.mahesh.com      RHEL 5.5  apploam
Oracle Internet Directory    11.1.1.9   oam01.mahesh.com      RHEL 5.5  apploid
Oracle Database for OAM/OID  11.2.0.4   oamdb01.mahesh.com    RHEL 5.5  oracle

This article is based on the architecture mentioned above, assuming all components are installed and running. We cover only the integration of the components, as the installation and configuration of each of them is straightforward. Please note that this is not a high availability architecture; for advanced configuration and HA, please follow the Oracle notes.

Even though I have mentioned the versions and details, please go through Oracle Certification matrix always from the Oracle support site. I have mentioned the reference also at the end of this article.


Pre-requisites on OID

You need to select only Oracle Internet Directory and Oracle Directory Integration Platform; we do not need any other components like OIF and OVD. You should end up with the below configured.

Oracle Internet Directory
Oracle Directory Integration Platform
Enterprise Manager
Oracle Directory Services Manager

Installation of OID is similar to other Fusion Middleware applications; we need to run RCU to create the metadata schema before invoking the configuration tool. Once the installation is done, we can start/stop OID using opmnctl. Oracle Directory Services Manager is deployed in WebLogic; once started, we can see the below screen connecting to the OID.


Navigate to the Advanced tab and expand "Attribute Uniqueness"; you can see the Create button to add a new constraint. Referring to the screenshot below, I have filled in the following details.

Attribute Uniqueness Constraint Name : UID_UNIQUE
Unique Attribute                     : Check the box
Unique Attribute Name                : uid
Unique Attribute Objectclass         : inetorgperson
Unique Attribute Scope               : Select 'One Level' from the drop down
Unique Attribute Subtree             : cn=Users, dc=mahesh,dc=com,dc=au (select the proper one for your realm; you can browse and select)

Apply Patch 20742077 on OID

Apply the patch to fix bug "THE PROVISIONING FROM OID TO APPS DOES NOT WORK IN OID 11.1.1.9 RC3". Please read the README.txt and make sure all steps are followed properly. Stop all services running for OID using opmnctl, or stop wls_ods1.

[apploid@oam01 20742077]$ export ORACLE_HOME=/u01/oid/Oracle/Middleware/Oracle_IDM1
[apploid@oam01 20742077]$ export PATH=/u01/oid/Oracle/Middleware/Oracle_IDM1/OPatch:$PATH
[apploid@oam01 20742077]$ opatch apply
Oracle Interim Patch Installer version 11.1.0.11.0
...
OPatch succeeded.
[apploid@oam01 20742077]$

Make sure the logs do not have any errors before proceeding further. Do not miss the post steps mentioned in the README.txt, which are to redeploy the DIPAPPS application.

Configure OID to return operational attributes

Execute the below on the OID server (logged in as apploid). Create a file change_attrs.ldif and add the contents as below.

[apploid@oam01 ~]$ vi change_attrs.ldif
[apploid@oam01 ~]$ cat change_attrs.ldif
dn: cn=dsaconfig, cn=configsets,cn=oracle internet directory
changetype: modify
add: orclallattrstodn
orclallattrstodn: cn=orcladmin
[apploid@oam01 ~]$ ldapmodify -h oam01.mahesh.com -p 3060 -D cn=orcladmin -w welcome123 -v -f change_attrs.ldif
add orclallattrstodn:
        cn=orcladmin
modifying entry cn=dsaconfig, cn=configsets,cn=oracle internet directory
modify complete
[apploid@oam01 ~]$

The values used above:

LDAP Server: oam01.mahesh.com
LDAP port: 3060
User ID: orcladmin
Password: welcome123


The above command will add the attribute as shown below


Apply latest patches on Oracle Access Manager 

Assuming we have completed the installation of Oracle Access Manager, which is similar to the OID installation. We need to create the repository using the RCU version 11.1.1.1.9; do not get confused looking for an OAM version of RCU. You need to select only "Oracle Mobile Security Manager"; all dependent components will be selected automatically. Hence, while configuring OAM using config.sh, select "Oracle Access Management and Mobile Security Site" as shown below.


Refer to the below document and apply the patches required

OAM Bundle Patch Release History (Doc ID 736372.1)

Make sure all patches are applied, below are the steps I did for OAM.

1. Download the latest OPatch using BUG number 6880880.
2. Stop the Admin server and Managed servers.
3. Download and apply the latest bundle patch, which is currently p21869176_111230_Generic.zip (11.1.2.3.3 (BP03) Access Server).
4. Start the Admin server and Managed servers.

Register EBS with OID

We need to register EBS with OID to have user authentication via single sign on, and also to have provisioning done to synchronize users between EBS and OID, depending upon what we require. We pass one of the values below to the command to select the provisioning type; please check your requirement before choosing the value.

1. Bidirectional
2. Instance to OID Server
3. OID Server to Instance
4. Bidirectional no creation

1 is chosen by default if we do not provide the parameter, and that is what I prefer in this article. Oracle recommends that we do this on the patch filesystem so that the changes do not affect the running system until we do a cutover to make them effective. Hence, source the patch environment and be in the "prepare" phase before starting the registration. From the EBS application node:


Check the current edition using the variable $FILE_EDITION.

Source the patch file system:

[applmgr@ebsapps01 ~]$ . /appl_base/EBSapps.env patch

  E-Business Suite Environment Information
  ----------------------------------------
  RUN File System           : /appl_base/fs2/EBSapps/appl
  PATCH File System         : /appl_base/fs1/EBSapps/appl
  Non-Editioned File System : /appl_base/fs_ne

  DB Host: ebsdb01.mahesh.com  Service/SID: VIS

  Sourcing the PATCH File System ...

Check the file edition:

[applmgr@ebsapps01 ~]$ echo $FILE_EDITION
patch

Check the status using ADOP, in case we already have the "prepare" phase active.

[applmgr@ebsapps01 ~]$ adop -status

Else call the below to start the prepare phase.

[applmgr@ebsapps01 ~]$ adop phase=prepare

Execute the below to register EBS with OID:

[applmgr@ebsapps01 ~]$ $FND_TOP/bin/txkrun.pl -script=SetSSOReg -registeroid=yes -provisiontype=1
You are registering this instance with OID Server.
Enter LDAP Host name? oam01.mahesh.com
Enter the LDAP Port on Oracle Internet Directory server? 3060
Enter the Oracle Internet Directory Administrator (orcladmin) Bind password?
Enter the instance password that you would like to register this application instance with?
Enter Oracle E-Business apps database user password?


*** Log File = /appl_inst/fs1/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/txkSetSSOReg_Wed_Sep_30_02_59_38_2015.xml
Beginning input parameter validation for OID registration.
Input parameters validation for OID registration completed.
BEGIN OID REGISTRATION:
Beginning to register Application and Service containers if necessary.
Application and Service containers were created successfully if necessary.
Beginning to register application in Oracle Internet Directory.
Registration of application in Oracle Internet Directory completed successfully.
[info] -> LOADING:  /appl_base/fs1/EBSapps/appl/fnd/12.0.0/admin/template/AppsOIDRegistration.tmp
Sep 30, 2015 3:01:21 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING:  /appl_base/fs1/EBSapps/appl/fnd/12.0.0/admin/template/AppsOIDRegistration.tmp
Beginning to register provisioning profile in Oracle Internet Directory.
Registration of provisioning profile in Oracle Internet Directory completed successfully.
Application is now registered successfully with provisioning in Oracle Internet Directory.
End of /appl_base/fs1/EBSapps/appl/fnd/12.0.0/patch/115/bin/txkSetSSOReg.pl : No Errors encountered
[applmgr@ebsapps01 ~]$

Make sure this part is completed without any errors.

Note: Do not get confused by the name of the LDAP server; it is the same OID server, but I have oam01.mahesh.com hosting both OAM and OID. Use your own OID server name and port when prompted, and make sure you have added the server name entries in the hosts file of the EBS application server.

Update the profile values

Run the below scripts from the patch edition; connect to the database from the patch edition of the application. Each block saves one site-level profile option through FND_PROFILE.SAVE, reports whether the save succeeded, and commits.

SQL> set serveroutput on
SQL> DECLARE
  stat BOOLEAN;
BEGIN
  stat := FND_PROFILE.SAVE('APPS_SSO_OID_IDENTITY', 'Y', 'SITE');
  IF stat THEN
    dbms_output.put_line('Profile APPS_SSO_OID_IDENTITY updated with Enabled');
  ELSE
    dbms_output.put_line('Profile APPS_SSO_OID_IDENTITY could NOT be updated with Enabled');
  END IF;
  COMMIT;  -- commit after the IF so a successful save is actually persisted
END;
/
Profile APPS_SSO_OID_IDENTITY updated with Enabled

PL/SQL procedure successfully completed.

SQL> set serveroutput on
SQL> DECLARE
  stat BOOLEAN;
BEGIN
  stat := FND_PROFILE.SAVE('APPS_SSO_LINK_SAME_NAMES', 'Y', 'SITE');
  IF stat THEN
    dbms_output.put_line('Profile APPS_SSO_LINK_SAME_NAMES updated with Enabled');
  ELSE
    dbms_output.put_line('Profile APPS_SSO_LINK_SAME_NAMES could NOT be updated with Enabled');
  END IF;
  COMMIT;
END;
/
Profile APPS_SSO_LINK_SAME_NAMES updated with Enabled

PL/SQL procedure successfully completed.

SQL> set serveroutput on
SQL> DECLARE
  stat BOOLEAN;
BEGIN
  stat := FND_PROFILE.SAVE('APPS_SSO', 'SSWA_SSO', 'SITE');
  IF stat THEN
    dbms_output.put_line('Profile APPS_SSO updated with SSWA_SSO');
  ELSE
    dbms_output.put_line('Profile APPS_SSO could NOT be updated with SSWA_SSO');
  END IF;
  COMMIT;
END;
/
Profile APPS_SSO updated with SSWA_SSO

PL/SQL procedure successfully completed.

Now you will have the below profile values updated with the values provided.

Applications SSO Enable OID Identity Add Event (APPS_SSO_OID_IDENTITY) = ENABLED

This option is enabled so that users created in OID are automatically created in EBS and subscribed to the EBS instance.

Applications SSO Link Same Names (APPS_SSO_LINK_SAME_NAMES) = ENABLED

This profile option decides whether the Oracle EBS instance should link a newly created user to an existing OID account with the same name.

Applications SSO Type (APPS_SSO) = SSWA w/SSO

This is required when EBS is integrated with Oracle Single Sign On: the user is redirected to the SSO server login page and is authenticated against the LDAP server. Activate it in the application by doing a cutover, hence run autoconfig and perform the cutover. Make sure you have edited sqlnet.ora so that the OID server name is in the invited nodes (tcp.invited_nodes); otherwise it will not be whitelisted after running autoconfig.
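As an added example that is not part of the original article, the following PL/SQL block performs the same three site-level updates in one pass, reads each stored value back from FND_PROFILE_OPTION_VALUES (site level is LEVEL_ID 10001) before committing, and rolls everything back if any save or read-back fails, so the instance is never left half-configured for SSO. Run it as APPS from the patch edition, like the individual blocks above.

```sql
SET SERVEROUTPUT ON
DECLARE
  -- Site-level options the article sets, keyed by internal profile name.
  -- Values are the internal codes FND_PROFILE.SAVE expects, not the
  -- display values shown in the Profile form.
  TYPE t_vals IS TABLE OF VARCHAR2(80) INDEX BY VARCHAR2(80);
  l_want   t_vals;
  l_name   VARCHAR2(80);
  l_stored fnd_profile_option_values.profile_option_value%TYPE;
  l_failed PLS_INTEGER := 0;
BEGIN
  l_want('APPS_SSO_OID_IDENTITY')    := 'Y';         -- Enable OID Identity Add Event
  l_want('APPS_SSO_LINK_SAME_NAMES') := 'Y';         -- Link Same Names
  l_want('APPS_SSO')                 := 'SSWA_SSO';  -- SSO Type: SSWA w/SSO

  -- Pass 1: save every option, counting failures instead of stopping at
  -- the first one so the operator sees the full picture.
  l_name := l_want.FIRST;
  WHILE l_name IS NOT NULL LOOP
    IF NOT FND_PROFILE.SAVE(l_name, l_want(l_name), 'SITE') THEN
      dbms_output.put_line('SAVE failed for ' || l_name);
      l_failed := l_failed + 1;
    END IF;
    l_name := l_want.NEXT(l_name);
  END LOOP;

  IF l_failed > 0 THEN
    ROLLBACK;
    RAISE_APPLICATION_ERROR(-20001,
      l_failed || ' profile save(s) failed; nothing was committed');
  END IF;

  -- Pass 2: read the stored site-level value straight from the table
  -- (bypassing any session-level profile cache) and compare it with what
  -- we asked for, before anything is committed.
  l_name := l_want.FIRST;
  WHILE l_name IS NOT NULL LOOP
    SELECT v.profile_option_value
      INTO l_stored
      FROM fnd_profile_options o
      JOIN fnd_profile_option_values v
        ON v.profile_option_id = o.profile_option_id
       AND v.application_id    = o.application_id
     WHERE o.profile_option_name = l_name
       AND v.level_id            = 10001;   -- 10001 = Site level

    IF l_stored <> l_want(l_name) THEN
      ROLLBACK;
      RAISE_APPLICATION_ERROR(-20002,
        l_name || ' is stored as ' || l_stored || ', expected ' || l_want(l_name));
    END IF;
    dbms_output.put_line(RPAD(l_name, 28) || '= ' || l_stored);
    l_name := l_want.NEXT(l_name);
  END LOOP;

  COMMIT;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    -- SAVE reported success but no site-level row exists for l_name
    ROLLBACK;
    RAISE_APPLICATION_ERROR(-20003, 'no site-level value found for ' || l_name);
END;
/
```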


Apply Oracle EBS patches 

Apply the below patches as pre-requisites of integrating with OAM.

12.2    R12.TXK.C    Patch 19767816
12.2    R12.TXK.C    Patch 20735848
12.2    R12.TXK.C    Patch 21229697

It is strongly recommended to install the latest AD and TXK release update packs, hence please check the below note to make sure you are on the latest.

Document 1617461.1 : Applying the Latest AD and TXK Release Update Packs to Oracle E-Business Suite Release 12.2.

Now we are almost ready with all our pre-requisites, but as I have mentioned below we have some additional components needed for Oracle EBS to work with OAM for single sign on.

One important component is WebGates, which are policy enforcement agents that act as a filter for HTTP requests and communicate with Oracle Access Manager Authentication and authorization services.


Install Webgate 

Below are the steps we need to do for Webgate setup in EBS 12.2

Download Oracle Access Manager OHS 11g WebGates 11.1.2.2.0 from Patch 18057397

Unzip to /home/applmgr/oam_webgate (It can be any location, you can change path)

You can install it either on the run file system or patch filesystem depending on if you have a running patching cycle going on already. Hence, check the status before proceeding.

[applmgr@ebsapps01 ~]$ adop -status
Enter the APPS password:
==============================================================
ADOP (C.Delta.6)
Session Id: 7
Command: status
Output: /appl_base/fs_ne/EBSapps/log/status_20150921_042545/adzdshowstatus.out
===============================================================

Node Name       Node Type  Phase           Status          Started              Finished             Elapsed
--------------- ---------- --------------- --------------- -------------------- -------------------- ------------
ebsapps01       master     PREPARE         COMPLETED       2015/09/08 00:32:28  2015/09/08 00:42:33  0:10:05
                           APPLY           NOT STARTED
                           FINALIZE        NOT STARTED
                           CUTOVER         NOT STARTED
                           CLEANUP         NOT STARTED

File System Synchronization Type: Light

adop exiting with status = 0 (Success)

I did it on the run file system after completing the cutover session to move the pending changes, and then worked directly on the run file system. You can do it either way; the only thing is that cutover will bring in the changes if you do it on the patch filesystem, like other changes.

[applmgr@ebsapps01 ~]$ echo $FILE_EDITION
run
[applmgr@ebsapps01 ~]$


Invoke the script below, which will install the WebGate from the location where we unzipped the patch. Pass the path where we have the WebGate with the parameter webgatestagedir as shown below.

[applmgr@ebsapps01 oam_webgate]$ txkrun.pl -script=SetOAMReg -installWebgate=yes -webgatestagedir=/home/applmgr/oam_webgate
*** ALL THE FOLLOWING FILES ARE REQUIRED FOR RESOLVING RUNTIME ERRORS
*** Log File = /appl_inst/fs2/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/txkSetOAMReg_Mon_Sep_21_04_31_30_2015.log
Installing WebGate...
*** Log File = /appl_inst/fs2/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/oam/installWebgate_Mon_Sep_21_04_31_30_2015.log
Execute SYSTEM command : /home/applmgr/oam_webgate/Disk1/runInstaller -silent -waitforcompletion -noconsole -invPtrLoc /appl_base/fs2/FMW_Home/webtier/oraInst.loc ORACLE_HOME=/appl_base/fs2/FMW_Home/Oracle_OAMWebGate1 MIDDLEWARE_HOME=/appl_base/fs2/FMW_Home -jreLoc /appl_base/fs2/FMW_Home/webtier/jdk SHOW_INSTALL_PROGRESS_PAGE=false
Successfully installed WebGate at /appl_base/fs2/FMW_Home/Oracle_OAMWebGate1
Copying files from WebGate Oracle Home to WebGate Instancedir
Copying /appl_inst/fs2/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/oam/temp/oam.properties file to /appl_inst/fs2/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/oam location
Cleaning up the temporary directory /appl_inst/fs2/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/oam/temp
End of /appl_base/fs2/EBSapps/appl/fnd/12.0.0/patch/115/bin/txkSetOAMReg.pl : No Errors encountered
[applmgr@ebsapps01 oam_webgate]$

Make sure you have no errors in the log file; any errors should be fixed before proceeding further.

At this stage, I would recommend running fs_clone to synchronize the installation we did to the patch filesystem. This makes sure the changes are present on both filesystems, so that if you later apply some changes and do a cutover, you will not lose anything. You may have noticed that the above steps are much easier than the setup we used to do in previous releases of EBS.

We have now completed all the pre-requisites to start the integration of EBS with OAM.


Deploy Oracle E-Business Suite AccessGate 

AccessGate is another component; it comes as a J2EE application that needs to be deployed in the WebLogic server. Oracle Access Manager will protect this resource by challenging for a user ID and password. We need to run the below from the EBS application node again, which can be on the run or patch filesystem. Since I am on the run filesystem already, I am continuing the below steps there.

Prior to EBS 12.2, we had to install a separate WebLogic server to deploy AccessGate, but life has become easier now that WebLogic ships with 12.2. We can use the same WebLogic that comes with EBS 12.2 to create a managed server and deploy AccessGate. Be cautious with the naming conventions and port: the name should match the service we are creating, hence name it oaea_server(n), and the port should be free for it to start.

SSOServerURL is the OAM URL; below I have given my OAM URL with the proper port. You can check the port from the WebLogic administration console of OAM.

perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources \
  -contextfile=$CONTEXT_FILE \
  -deployApps=accessgate \
  -SSOServerURL=http://oam01.mahesh.com:14100 \
  -managedsrvname=oaea_server3 \
  -managedsrvport=6803 \
  -logfile=/home/applmgr/log/deployeag.log

Check the log file given with the logfile parameter. For me, /home/applmgr/log/deployeag.log did not have any errors, so I decided to proceed further. It is not a good idea to proceed if you see any errors, as this is the step that creates a managed server on the EBS WebLogic server, deploys the accessgate application and creates a data source. You can see all the details from the WebLogic administration console of EBS as below.

Along with the other managed servers that come by default with EBS, we have a new server created on the port mentioned in the above command. Verify that you can start the server.


Going to the deployments in the managed server, we can see the accessgate application deployed.

And we have a new data source created as per the command we executed, as below.

You can navigate to Data Source => Monitoring => Testing to check that the connectivity is working fine. Click on "Test Data Source" and test it.


Since I have used a dedicated managed server and port for AccessGate, I have to run the below to add the information about the new managed server to the OHS configuration files, mod_wl_ohs.conf and apps.conf.

[applmgr@ebsapps01 ~]$ perl $FND_TOP/patch/115/bin/txkSetAppsConf.pl \
> -contextfile=$CONTEXT_FILE \
> -configoption=addMS \
> -accessgate=ebsapps01.mahesh.com:6803
*** LOG FILE: /appl_inst/fs2/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/txkSetAppsConf_09210732.log ***
[applmgr@ebsapps01 ~]$

We have completed the deployment of AccessGate successfully. Let us go on to register EBS with OAM.


Register Oracle E-Business Suite with Oracle Access Manager 

As mentioned before, please source the environment based on where you will be doing the changes and whether a patching cycle is already in progress. Below are the values I have passed to the prompts; you can easily make out what has to be given.

[applmgr@ebsapps01 ~]$ txkrun.pl -script=SetOAMReg -registeroam=yes*** ALL THE FOLLOWING FILES ARE REQUIRED FOR RESOLVING RUNTIME ERRORS*** Log File = /appl_inst/fs2/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/txkSetOAMReg_Mon_Sep_21_07_43_10_2015.logEnter OAM Console URL (for ex: http://myoam.us.oracle.com:7001): http://oam01.mahesh.com:7001Enter OAM console user name (for ex: weblogic):ERROR processing <arg> oamUserName: Argument value cannot be an empty stringEnter OAM console user name (for ex: weblogic): weblogicEnter OAM console password:Enter LDAP URL (for ex: ldap://myoid.us.oracle.com:3060): ldap://oam01.mahesh.com:3060Enter OID console user name (for ex: cn=orcladmin): cn=orcladminEnter OID console password:Enter LDAP Search Base: cn=Users, dc=mahesh,dc=com,dc=auEnter LDAP Group Search Base: cn=Groups, dc=mahesh,dc=com,dc=auEnter APPS password:######################################################################oamHost                                = http://oam01.mahesh.com:7001

Page 16: Oracle EBS 12.2 Single Sign On with Oracle Access …  · Web viewOracle access manager will be protecting this resource by challenging with user ID and password. ... Configuring

 oamApplicationDomain      = VIS_ebsapps01.mahesh.com_8000oamHostIdentifier            = VIS_ebsapps01.mahesh.com_8000 contextFile                        = /appl_inst/fs2/inst/apps/VIS_ebsapps01/appl/admin/VIS_ebsapps01.xmlwebGateInternal                = YesebsProfileLevel                = Site webGateUrl                          = http://ebsapps01.mahesh.com:8000contextRoot                        = accessgatelogoutUrl                            = /accessgate/logout authScheme                          = EBSAuthSchemeauthModule                          = LDAP_EBS ldapName                              = OIDIdentityStoreldapUrl                                = ldap://oam01.mahesh.com:3060 ldapSearchBase                  = cn=Users, dc=mahesh,dc=com,dc=auldapGroupSearchBase        = cn=Groups, dc=mahesh,dc=com,dc=au######################################################################Do you wish to continue (y|n)?yValidating APPS schema credentials... Validation: Success Installing WebGate... WebGate is Already Installed at /appl_base/fs2/FMW_Home/Oracle_OAMWebGate1 Skipping the installation of WebGate ! Registering WebGate with OAM... *** Log File = /appl_inst/fs2/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/oam/oamreg_registerAgent_Mon_Sep_21_07_43_10_2015.log Execute SYSTEM command : /appl_inst/fs2/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/oam/rreg/bin/oamreg.sh inband input/ebs_oam_short.xml -noprompt /appl_inst/fs2/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/oam/temp/ebs_oam_uri.conf

Page 17: Oracle EBS 12.2 Single Sign On with Oracle Access …  · Web viewOracle access manager will be protecting this resource by challenging with user ID and password. ... Configuring

 Successfully registered the WebGate with OAM Copying registration artifacts to WebGate configuration directory Automating the policy configurations... *** Log File = /appl_inst/fs2/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/txkSetOAMReg_Mon_Sep_21_07_43_10_2015.xml Successfully completed the policy configurations Copying /appl_inst/fs2/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/oam/temp/oam.properties file to /appl_inst/fs2/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/oam location Cleaning up the temporary directory /appl_inst/fs2/inst/apps/VIS_ebsapps01/logs/appl/rgf/TXK/oam/temp  ################# BEGIN AUTOCONFIG RUN #############################Execute SYSTEM command : /appl_inst/fs2/inst/apps/VIS_ebsapps01/admin/scripts/adautocfg.sh ************* The log file for this session is located at: /appl_inst/fs2/inst/apps/VIS_ebsapps01/admin/log/09210803/adconfig.log AutoConfig is configuring the Applications environment... AutoConfig will consider the custom templates if present.              Using CONFIG_HOME location        : /appl_inst/fs2/inst/apps/VIS_ebsapps01              Classpath                                    : /appl_base/fs2/FMW_Home/Oracle_EBS-app1/shared-libs/ebs-appsborg/WEB-INF/lib/ebsAppsborgManifest.jar:/appl_base/fs2/EBSapps/comn/java/classes               Using Context file                  : /appl_inst/fs2/inst/apps/VIS_ebsapps01/appl/admin/VIS_ebsapps01.xml Context Value Management will now update the Context file               Updating Context file...COMPLETED               Attempting upload of Context file and templates to database...COMPLETED

Page 18: Oracle EBS 12.2 Single Sign On with Oracle Access …  · Web viewOracle access manager will be protecting this resource by challenging with user ID and password. ... Configuring

 Configuring templates from all of the product tops...              Configuring AD_TOP........COMPLETED              Configuring FND_TOP.......COMPLETED              Configuring ICX_TOP.......COMPLETED              Configuring MSC_TOP.......COMPLETED              Configuring IEO_TOP.......COMPLETED              Configuring BIS_TOP.......COMPLETED              Configuring CZ_TOP........COMPLETED              Configuring AMS_TOP.......COMPLETED              Configuring CCT_TOP.......COMPLETED              Configuring WSH_TOP.......COMPLETED              Configuring CLN_TOP.......COMPLETED              Configuring OKE_TOP.......COMPLETED              Configuring OKL_TOP.......COMPLETED              Configuring OKS_TOP.......COMPLETED              Configuring CSF_TOP.......COMPLETED              Configuring IBY_TOP.......COMPLETED              Configuring JTF_TOP.......COMPLETED              Configuring MWA_TOP.......COMPLETED              Configuring CN_TOP........COMPLETED              Configuring CSI_TOP.......COMPLETED              Configuring WIP_TOP.......COMPLETED              Configuring CSE_TOP.......COMPLETED              Configuring EAM_TOP.......COMPLETED              Configuring GMF_TOP.......COMPLETED              Configuring PON_TOP.......COMPLETED              Configuring FTE_TOP.......COMPLETED              Configuring ONT_TOP.......COMPLETED              Configuring AR_TOP........COMPLETED              Configuring AHL_TOP.......COMPLETED              Configuring IES_TOP.......COMPLETED              Configuring OZF_TOP.......COMPLETED              Configuring CSD_TOP.......COMPLETED              Configuring IGC_TOP.......COMPLETED AutoConfig completed successfully. ################# END AUTOCONFIG RUN ###############################Instantiating template... Template: /appl_base/fs2/EBSapps/appl/fnd/12.0.0/admin/template/oracle_apache_conf_FMW.tmp 

Page 19: Oracle EBS 12.2 Single Sign On with Oracle Access …  · Web viewOracle access manager will be protecting this resource by challenging with user ID and password. ... Configuring

End of /appl_base/fs2/EBSapps/appl/fnd/12.0.0/patch/115/bin/txkSetOAMReg.pl : No Errors encountered
[applmgr@ebsapps01 ~]$

What the script does is essentially register EBS with Oracle Access Manager, and it performs by itself a few steps that we used to do manually in prior releases:

Create Identity Store named OIDIdentityStore if it does not already exist.

Create Authentication Module named LDAP_EBS if it does not already exist.


Configure Oracle Access Manager OAM Agent named <sid_host>, which is VIS_ebsapps01.mahesh.com

Configure Authentication Scheme named EBSAuthScheme.


You can see the details of the scheme by clicking on it; the authentication module points to LDAP_EBS.

Configure Application Domain named <sid_host> with the required Authentication Policies and response headers for your Oracle E-Business Suite integration.

Set Oracle E-Business Suite profile options Application Authenticate Agent (APPS_AUTH_AGENT) and Applications SSO Type (APPS_SSO).

Now we have completed the steps for having EBS single sign on with OAM and AccessGate. If you ran this within a patching cycle, complete the patching cycle. Restart OHS and the WebLogic servers on the EBS application node.

Open the EBS URL like below which will re-direct you to the Single Sign on page.

http://<ebshost>.<domain>:<port>/OA_HTML/AppsLogin


It redirects to the OAM page for authentication as below.


Bulk Migration of Users from EBS to OID 

Now we have completed the setup for single sign on, but many organizations will not already have an OID running that holds all their users, so we may have to populate the users into OID as well. Only then can AccessGate map users to EBS and create a session for that user. As discussed, we intend authorization to remain managed by EBS itself, so we only need to address synchronizing user information to OID. The synchronization procedure creates users in OID from EBS; OID assigns a GUID and updates the EBS table, and this GUID is the link between EBS and OAM.

Please be careful that, for security reasons, local users and standard administrative accounts such as SYSADMIN should never be configured for single sign-on. The figure below shows the profile for SYSADMIN, which is set to Local, so we can use AppsLocalLogin.jsp to log in to the application without going through OAM. We will copy the users to OID using the EBS user migration tool to sync EBS and OID. New users will be provisioned automatically, as we have already registered with bi-directional synchronization.



We can use the utility AppsUserExport to export a selected set of application accounts from the Oracle EBS user directory (FND_USER) into an intermediate LDIF file, which is then moved to the OID server and converted with ldifmigrator into an LDIF file that can be loaded into OID.


We are going to follow the process below, which can vary based on your requirements; you can refer to the Oracle notes listed in the References at the end of this book for more information. As the figure below shows, we create an intermediate LDIF file using the EBS utility and copy the file to the OID server, where it is converted to the final LDIF file before being imported into OID.


Figure (from Oracle Document)


I have provided a screenshot below of one sample user who is a candidate for migration to OID; you can see that USER_GUID is null. From the statements above, the GUID is the main link between OID and EBS, so we should see a value here. What process updates it?

Let us prepare the intermediate file using the below commands from EBS application server.

[applmgr@ebsapps01 user_export]$ java oracle.apps.fnd.oid.AppsUserExport -v -dbc $FND_SECURE/VIS.dbc -o VIS_Users.txt -pwd apps -g -l VIS_Users.log

User Export to VIS_Users.txt started..

User Export completed successfully. For further details please refer to log file at: VIS_Users.log

[applmgr@ebsapps01 user_export]$

Now you know who is updating the GUID column when doing bulk migration!



I have shown a screenshot of the User definition screen, in which the password area is greyed out; you can imagine why.


Copy the intermediate file to the OID server to convert it to a format that can be uploaded to OID. The command below should be executed on the OID server.

[apploid@oam01 user_import]$ ldifmigrator "input_file=VIS_Users.txt" "output_file=VIS_Users.txt.ldif" "s_UserContainerDN=cn=Users, dc=mahesh,dc=com,dc=au" "s_UserNicknameAttribute=uid"
INFO: [Thu Oct 01 10:24:27 AEST 2015] Migration of LDIF data to OID starts
INFO: [Thu Oct 01 10:24:28 AEST 2015] Input file : /home/apploid/user_import/VIS_Users.txt
INFO: [Thu Oct 01 10:24:28 AEST 2015] Output file : /home/apploid/user_import/VIS_Users.txt.ldif
INFO: [Thu Oct 01 10:24:28 AEST 2015] Substitution Variables
      s_UserContainerDN : cn=Users, dc=mahesh,dc=com,dc=au
      s_UserNicknameAttribute : uid
INFO: [Thu Oct 01 10:24:29 AEST 2015] Migration of LDIF data completed. All the entries are successfully migrated
Migration of LDIF data completed. All the entries are successfully migrated
[apploid@oam01 user_import]$

Now we have the final file ready to be uploaded to OID. Before loading it, we need to make sure the provisioning profile that does the synchronization from OID to EBS is disabled.

oidprovtool operation=disable \
ldap_host=oam01.mahesh.com \
ldap_port=3060 \
ldap_user_dn=cn=orcladmin \
application_dn="orclApplicationCommonName=VIS,cn=EBusiness,cn=Products,cn=OracleContext,dc=mahesh,dc=com,dc=au" \
profile_mode=BOTH

[apploid@oam01 bin]$ ./opmnctl stopall
opmnctl stopall: stopping opmn and all managed processes...
[apploid@oam01 bin]$ ps -ef | grep odisrv
apploid    7478 19961  0 13:14 pts/5      00:00:00 grep odisrv
[apploid@oam01 bin]$

Verify by running the command below to make sure we don't have any bad records. Remove them manually if any are found and re-run until the file is clean.

[apploid@oam01 user_import]$ /u01/oid/Oracle/Middleware/Oracle_IDM1/ldap/bin/bulkload connect=OIDDB check=true generate=true file=VIS_Users.txt.ldif
------------------------------------------------------------
"oiddb"...
------------------------------------------------------------
This tool can only be executed if you know database user password for OID
Enter OID Password ::
...
Setting OID server mode to read-modify on "oiddb" node...
------------------------------------------------------------
Checking and Generating Internet Directory data for bulk loading
------------------------------------------------------------

------------------------------------------------------------
Found Schema-Check errors, bad entries are logged in /u01/oid/Oracle/Middleware/asinst_1//OID/load/badentry.ldif
------------------------------------------------------------

------------------------------------------------------------
For more details, see bulkload.log
------------------------------------------------------------
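Before handing the file to bulkload, it helps to find the records the schema check would reject and to confirm that no local-only account such as SYSADMIN slipped into the export. The Python check below is an added example, not part of the original article or of any Oracle tool; the REQUIRED attribute list, the LOCAL_ONLY set and the sample entries are assumptions.

```python
# Added pre-load check for the LDIF produced by ldifmigrator; not from the original
# article or any Oracle tool. It flags entries the bulkload schema check would reject
# and accounts that must stay local in EBS (SYSADMIN). Lists and sample are assumptions.
LOCAL_ONLY = {"SYSADMIN"}                       # never migrated to OID for SSO
REQUIRED = ("dn", "uid", "cn", "sn", "objectclass")

def parse_ldif(text):
    """LDIF text -> list of {attr(lowercase): [values]}; joins folded lines."""
    entries, current, last = [], {}, None
    for raw in text.splitlines() + [""]:        # trailing "" flushes last entry
        if raw.startswith(" ") and last:         # folded line continues last value
            current[last][-1] += raw[1:]
        elif not raw.strip():                    # blank line ends an entry
            if current:
                entries.append(current)
            current, last = {}, None
        else:
            name, _, value = raw.partition(":")
            last = name.strip().lower()
            current.setdefault(last, []).append(value.lstrip(":").strip())
    return entries

def check_entries(entries):
    """Return (loadable, problems); problems is a list of (dn, reason)."""
    loadable, problems = [], []
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        missing = [a for a in REQUIRED if a not in entry]
        uid = entry.get("uid", [""])[0]
        if missing:
            problems.append((dn, "missing " + ",".join(missing)))
        elif uid.upper() in LOCAL_ONLY:
            problems.append((dn, "local/administrative account, keep out of OID"))
        else:
            loadable.append(entry)
    return loadable, problems

# Constructed sample in the shape ldifmigrator emits under the page's container DN.
SAMPLE_LDIF = """\
dn: cn=JSMITH,cn=Users,dc=mahesh,dc=com,dc=au
cn: JSMITH
sn: Smith
uid: JSMITH
objectclass: inetOrgPerson

dn: cn=SYSADMIN,cn=Users,dc=mahesh,dc=com,dc=au
cn: SYSADMIN
sn: SYSADMIN
uid: SYSADMIN
objectclass: inetOrgPerson

dn: cn=BROKEN,cn=Users,dc=mahesh,dc=com,dc=au
cn: BROKEN
uid: BROKEN
"""
```

Run it over the real VIS_Users.txt.ldif by passing the file contents to parse_ldif; entries reported as problems should be fixed or removed before the bulkload check=true run.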


[apploid@oam01 user_import]$

After fixing the bad records, we should try again and get a message like the one below.

[apploid@oam01 user_import]$ /u01/oid/Oracle/Middleware/Oracle_IDM1/ldap/bin/bulkload connect=OIDDB check=true generate=true file=VIS_Users.txt.ldif
------------------------------------------------------------
"oiddb"...
------------------------------------------------------------
This tool can only be executed if you know database user password for OID
Enter OID Password ::

------------------------------------------------------------
Checking and Generating Internet Directory data for bulk loading
------------------------------------------------------------

------------------------------------------------------------
Data generated successfully
------------------------------------------------------------
[apploid@oam01 user_import]$

Now load the data by replacing the check clause with load, as below.

[apploid@oam01 user_import]$ /u01/oid/Oracle/Middleware/Oracle_IDM1/ldap/bin/bulkload connect=OIDDB load=true generate=true file=VIS_Users.txt.ldif
------------------------------------------------------------
"oiddb"...
------------------------------------------------------------
This tool can only be executed if you know database user password for OID
Enter OID Password ::

------------------------------------------------------------
Generating Internet Directory data for bulk loading
------------------------------------------------------------

------------------------------------------------------------
Data generated successfully
------------------------------------------------------------

------------------------------------------------------------
Loading data on "oiddb"
------------------------------------------------------------


    attr_store002...
    battr_store001...
    objectclass001...
    ...
    uid...
    uidnumber...
    uniquemember...
    vdeprimaryref...
    vpimmail...
    x509issuer...
------------------------------------------------------------
Data loaded successfully
------------------------------------------------------------

------------------------------------------------------------
Verifying indexes ...
------------------------------------------------------------

------------------------------------------------------------
Following tables do not have all indexes
------------------------------------------------------------
CT_ORCLOPENLDAPENTRYUUID
CT_ORCLNDSOBJECTGUID
CT_ORCLODIPCONDIRTYPE
CT_ORCLFEDSERVERID
CT_ORCLFEDNAMENEWFORMAT
CT_ORCLFEDNAMEOLDFORMAT
CT_ORCLFEDOWNERGUID
CT_ORCLSOURCEMODIFYTIMESTAMP
CT_ORCLFEDNAMESPQUALIFIER
CT_ORCLSOURCECREATETIMESTAMP
CT_ORCLODIPPROFILEEXECGROUPID
CT_ORCLFEDFEDERATIONTYPE

------------------------------------------------------------
Generating Database Statistics ...
------------------------------------------------------------
...
Setting OID server mode to read-write on "oiddb" node...
[apploid@oam01 user_import]$

Now logging in with the EBS URL, you should be able to log in without any issues.


It gets re-directed to the OAM login page.

Log in with your user ID and password, and you will get the landing page as below.


Known Issues

Below are some issues I encountered.

1. Error: “Internal Error: Webgate allowed access to protected page GUID=null”

This is a known issue for OAM 11gR2 PS2. Log in to OAM, navigate to Configuration and select “User Identity Store”.


Edit the OIDIdentityStore, enter orclguid in the 'Prefetched Attributes' field and click 'Apply' to save.

Stop and restart the 'oam_server1' Managed server to pick up this change.

2. Error while running fs_clone

After completing the integration of OAM with EBS 12.2, I had to run fs_clone to synchronize both file systems with the changes we made for single sign on. Please follow the document “Integrating Oracle E-Business Suite Release 12.2 with Oracle Access Manager 11gR2 (11.1.2) using Oracle E-Business Suite AccessGate (Doc ID 1576425.1)” for completing the steps. If you follow it without missing anything, you will never encounter the issue below, but I am posting it to give a small idea of how to check.

I ran the command below to start the phase (check the syntax for multi node):

adop phase=fs_clone allnodes=no force=yes

It failed with the errors below:

[UNEXPECTED]Error occurred while executing "perl /appl_base/fs2/EBSapps/appl/ad/12.0.0/patch/115/bin/txkADOPValidations.pl -contextfile=/appl_inst/fs2/inst/apps/VIS_ebsapps01/appl/admin/VIS_ebsapps01.xml -patchctxfile=/appl_inst/fs1/inst/apps/VIS_ebsapps01/appl/admin/VIS_ebsapps01.xml -phase=fs_clone -logloc=/appl_base/fs_ne/EBSapps/log/adop/8/fs_clone_20150922_103236/VIS_ebsapps01 -promptmsg=hide"
[UNEXPECTED]Error 1 occurred while Executing txkADOPValidation script on ebsapps01

From the log file generated during the validations, we can get the exact reason for the failure:

[applmgr@ebsapps01 VIS_ebsapps01]$ grep -i ERROR /appl_base/fs_ne/EBSapps/log/adop/8/fs_clone_20150922_103236/VIS_ebsapps01/ADOPValidations_detailed.log


RC-50204: Error: - WLS OAEA Application Port in use: Port Value = 6803
ERROR: The following required ports are in use:
[applmgr@ebsapps01 VIS_ebsapps01]$

It is clear from the above that port 6803 is causing the issue; it is the new port used by the managed server created for AccessGate. We can verify it using the command below.

[applmgr@ebsapps01 VIS_ebsapps01]$ netstat -a | grep 6803
tcp        1      0 ebsapps01.mahesh.com.a:52978 ebsapps01.mahesh.com:6803   CLOSE_WAIT
tcp        0      0 ebsapps01.mahesh.com:6803    *:*                         LISTEN
tcp        0      0 ebsapps01.mahesh.com:6803    ebsapps01.mahesh.com.a:52769 ESTABLISHED
tcp        0      0 ebsapps01.mahesh.com.a:52769 ebsapps01.mahesh.com:6803   ESTABLISHED
[applmgr@ebsapps01 VIS_ebsapps01]$

Solution: Stop the oaea managed server on the run file system before performing the fs_clone operation, immediately after the AccessGate deployment.

References 

Integrating Oracle E-Business Suite Release 12.2 with Oracle Access Manager 11gR2 (11.1.2) using Oracle E-Business Suite AccessGate (Doc ID 1576425.1)

Integrating Oracle E-Business Suite Release 12.2 with Oracle Internet Directory 11gR1 (Doc ID 1371932.1)

https://docs.oracle.com/cd/E26401_01/doc.122/e22952/T156458T580814.htm