2/9/2016
Document 1576425.1
Integrating Oracle E-Business Suite Release 12.2 with Oracle Access Manager 11gR2 (11.1.2) using Oracle E-Business Suite AccessGate (Doc ID 1576425.1)
https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=264205653993036&parent=DOCUMENT&sourceId=1614793.1&id=1576425.1&_afrWind…
The most current version of this document can be obtained from My Oracle Support Knowledge Document 1576425.1.
There is a change log at the end of this document.

In this Document

Section 1: Introduction
Section 2: Supported Architecture and Release Versions
Section 3: Prerequisite Installations and Configurations
Section 4: Integrate Oracle E-Business Suite with Oracle Access Manager
Section 5: Oracle Access Manager Configurations
Section 6: Advanced Configurations
Section 7: Optional Post Installation Steps
Section 8: Upgrade and Migration
Section 9: Available Documentation
Appendix A: Deregister Oracle E-Business Suite from Oracle Access Manager
Appendix B: Known Issues
Appendix C: Product-Specific Single Sign-On Exceptions
Change Log
Document Details
Type: BULLETIN
Status: PUBLISHED
Last Major Update: Jan 28, 2016
Last Update: Jan 28, 2016

Section 1: Introduction

Oracle Access Manager 11g Release 2 (11.1.2) provides a comprehensive identity management and access control system that simplifies user access across applications.
For more information about Oracle Access Manager (OAM), refer to the Access Manager home page on the Oracle Corporation Web site at:
http://www.oracle.com/us/products/middleware/identity-management/oracle-access-manager/overview/index.html
This document describes how to integrate Oracle E-Business Suite Release 12.2 with Oracle Access Manager 11g Release 2 (11.1.2) using Oracle E-Business AccessGate.
If you have multiple instances of Oracle E-Business Suite that you wish to integrate with Oracle Access Manager for single sign-on, perform the steps in this document on each Oracle E-Business Suite instance.

For more information about single sign-on concepts, architecture, and options for integrating Oracle E-Business Suite with Oracle Identity Management products, refer to My Oracle Support Knowledge Document 1388152.1 Overview of Single Sign-On Integration Options for Oracle E-Business Suite.

The procedures in this document have significant effects on Oracle E-Business Suite Release 12.2 environments and should be executed only by skilled Oracle E-Business Suite database or system administrators. Users are strongly advised to first review the prerequisites and plan the installation and configuration on the various supported platforms.

For information about which platforms are supported by Oracle Access Manager, refer to the Oracle Identity and Access Management 11g Release 2 (11.1.2.3) Certification Matrix. Note that Oracle Identity and Access Management 11g Release 2 (11.1.2) is supported on 64-bit processors only.
Section 2: Supported Architecture and Release Versions

The following software components must be installed on a standalone server accessing an Oracle E-Business Suite, or in separate Fusion Middleware Homes on an existing application tier server node.

Component Name                   Version
Oracle Access Manager            11.1.2.2.0, 11.1.2.3.0
Oracle Access Manager WebGate    See Footnote 1 for restrictions.
Oracle Identity Management       11.1.1.7.0, 11.1.1.9.0
Oracle Unified Directory         11.1.2.3

Footnote 1: As per Section 9 of the Oracle Fusion Middleware Release Notes for HTTP Server, Oracle WebGate version 11.1.2.3 for Oracle HTTP Server supports only Oracle HTTP Server version 11.1.1.9.
If you have integrated Oracle E-Business Suite 12.2 with Oracle Unified Directory 11.1.2.3 as detailed in My Oracle Support Knowledge Document 2003483.1, then Oracle HTTP Server 11.1.1.9 is already configured on the Oracle E-Business Suite environment. You MUST therefore install and integrate with Oracle Access Manager 11.1.2.3 using Oracle Access Manager WebGate 11.1.2.3.

The following components must be used on the Oracle E-Business Suite Release 12 instance:
Component Name                        Version
Oracle E-Business Suite Release 12    12.2.2+
Section 3: Prerequisite Installations and Configurations

This section describes the following prerequisite installations and configurations:

- Integrate Oracle Internet Directory or Oracle Unified Directory with Oracle E-Business Suite
- Configure Oracle Internet Directory to return operational attributes
- Install Oracle Access Manager
- Apply Required Updates to Oracle Access Manager Server
- Install Pre-requisite Software Updates and Components on your Oracle E-Business Suite Release 12.2 Instance

3.1 Integrate Oracle Internet Directory or Oracle Unified Directory with Oracle E-Business Suite

It is a requirement to use either Oracle Internet Directory or Oracle Unified Directory for any LDAP or single sign-on integration with Oracle E-Business Suite.

Oracle Internet Directory: Use the instructions in the following My Oracle Support Knowledge Document to integrate Oracle Internet Directory with Oracle E-Business Suite.

Document 1371932.1 Integrating Oracle E-Business Suite Release 12.2 with Oracle Internet Directory 11gR1. If you are integrating with OID 11g for the first time, refer to this document for more information about specific requirements and additional patches that are required for integration with Oracle E-Business Suite.

For further information regarding provisioning between Oracle E-Business Suite and Oracle Internet Directory, refer to Oracle E-Business Suite Security Guide Release 12.2.

Oracle Unified Directory: Use the instructions in the following My Oracle Support Knowledge Document to integrate Oracle Unified Directory with Oracle E-Business Suite.

Document 2003483.1 Integrating Oracle E-Business Suite Release 12.2 with Oracle Unified Directory 11g Release 2. If you are integrating with OUD 11g for the first time, refer to this document for more information about specific requirements and additional patches that are required for integration with Oracle E-Business Suite.

3.2 Configure Oracle Internet Directory to return operational attributes

This step is only required for customers using Oracle Internet Directory. If your configuration is using Oracle Unified Directory, skip this step and proceed to step 3.3 - Install and Configure Oracle Access Manager.

Configure Oracle Internet Directory to return operational attributes for lookup requests. This modification adds the orclguid attribute to records returned by Oracle Internet Directory when queried by Oracle Access Manager, allowing these records to be mapped to others that are uniquely identified by orclguid.

To make this modification, create an ldif file as detailed below and execute this command from the Oracle Home where Oracle Internet Directory is installed:

Create an ldif file (for example 'change_attrs.ldif') containing the following:

    dn: cn=dsaconfig, cn=configsets,cn=oracle internet directory
    changetype: modify
    add: orclallattrstodn
    orclallattrstodn: [DN]

where [DN] is the DN (Distinguished Name) of the account that Oracle Access Manager uses to communicate with Oracle Internet Directory; for example, cn=orcladmin. If you are not sure what this value is for your site, you can find it by logging on to Oracle Directory Services Manager (ODSM), and looking under the Root element in the Data Tree on the Data Browser tab.

For example:

    dn: cn=dsaconfig, cn=configsets,cn=oracle internet directory
    changetype: modify
    add: orclallattrstodn
    orclallattrstodn:cn=orcladmin

Run the following to execute the command from the newly created ldif file:

    $ORACLE_HOME/bin/ldapmodify -h [ldaphost] -p [ldapport] -D [DN] -w [orcladmin passwd] -v -f [ldif_filename]

For example:
    $ORACLE_HOME/bin/ldapmodify -h ldaphost.example.com -p 3060 -D cn=orcladmin -w welcome972 -v -f change_attrs.ldif
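
The change file and ldapmodify call from step 3.2, as an added shell example that is not part of the Oracle note: it writes the LDIF for a given bind DN, checks that a file holds only that one change before it is applied to the directory configuration, and prints the command with -q, which makes Oracle's ldapmodify prompt for the bind password, in place of -w. The function names are hypothetical.

```sh
#!/bin/sh
# Added example, not Oracle-supplied code. write_attrs_ldif, check_attrs_ldif
# and ldapmodify_cmd are hypothetical helper names.

CONFIG_DN='dn: cn=dsaconfig, cn=configsets,cn=oracle internet directory'
NL='
'

# Write the step 3.2 LDIF for bind DN $1 to file $2 (new files get mode 0600).
# An empty DN, or one containing a newline, is refused: a newline would let
# extra LDIF directives ride along inside the value.
write_attrs_ldif() {
    case $1 in
        ''|*"$NL"*) echo "refusing DN: empty or multi-line" >&2; return 1 ;;
    esac
    (
        umask 077
        printf '%s\nchangetype: modify\nadd: orclallattrstodn\norclallattrstodn: %s\n' \
            "$CONFIG_DN" "$1" > "$2"
    )
}

# Succeed only if file $1 is exactly the four-line change from step 3.2:
# one modify/add of orclallattrstodn on the dsaconfig entry, nothing else.
check_attrs_ldif() {
    [ "$(grep -c . "$1")" -eq 4 ] || return 1
    [ "$(sed -n 1p "$1")" = "$CONFIG_DN" ] || return 1
    [ "$(sed -n 2p "$1")" = "changetype: modify" ] || return 1
    [ "$(sed -n 3p "$1")" = "add: orclallattrstodn" ] || return 1
    sed -n 4p "$1" | grep -q '^orclallattrstodn: *[^ ]'
}

# Print the ldapmodify command for host $1, port $2, bind DN $3, file $4.
# With -q the password is prompted for, so it does not appear in the
# process list or shell history the way a -w argument does.
ldapmodify_cmd() {
    printf '%s -h %s -p %s -D "%s" -q -v -f %s\n' \
        '$ORACLE_HOME/bin/ldapmodify' "$1" "$2" "$3" "$4"
}

# Demo with the note's sample values: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    write_attrs_ldif "cn=orcladmin" change_attrs.ldif &&
        check_attrs_ldif change_attrs.ldif &&
        ldapmodify_cmd ldaphost.example.com 3060 cn=orcladmin change_attrs.ldif
fi
```
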

3.3 Install & Configure Oracle Access Manager

RHEL 6 Customers only (for Oracle Access Manager 11.1.2.2.0 only):

Download and apply Unified Installer Patch 18231786 prior to installing Oracle Access Manager 11.1.2.2.0.

Install & Configure Oracle Access Manager 11g Release 2 (11.1.2.3.0), following the installation instructions in the Installation Guide for Oracle Identity and Access Management, available from the Oracle Fusion Middleware Identity Management 11g Release 2 (11.1.2.3.0) Documentation Library.

For information about which platforms are supported by Oracle Access Manager, refer to the Oracle Identity and Access Management 11g Release 2 (11.1.2.3) Certification Matrix.

After successful installation and configuration, verify that you can log on to the Oracle Access Manager and WebLogic Administration consoles with the weblogic admin user and password that you specified during installation.

    http://.:/console
    http://.:/oamconsole

Verify in the WebLogic Administration Console that the OAM managed server is running on the specified port.

3.4 Apply Required Updates to Oracle Access Manager Server

For Oracle Access Manager 11.1.2.3 only:

Oracle strongly recommends applying Oracle Access Manager 11.1.2.3 Bundle Patch 3 (OAM 11.1.2.3.3) as this includes a fix for Patch 19438948. Refer to My Oracle Support Knowledge Document 736372.1 OAM Bundle Patch Release History, for the instructions to download and apply Oracle Access Manager 11.1.2.3 Bundle Patch 3 (BP03) for Oracle Access Manager Server.

Applying later Oracle Access Manager Bundle Patches

Optionally, later Oracle Access Manager Bundle Patches may be applied on top of certified configurations. Please refer to My Oracle Support Knowledge Document 736372.1 OAM Bundle Patch Release History.

3.5 Install Pre-requisite Software Updates and Components on your Oracle E-Business Suite Release 12.2 Instance

Install the following pre-requisite software updates and components on your Oracle E-Business Suite Release 12.2 instance. These software updates are fully compatible with Oracle E-Business Suite environments regardless of whether or not you proceed with single sign-on integration. You may therefore choose to install these software updates at an earlier date, even before performing any of the subsequent steps in this document to complete single sign-on integration with Oracle Access Manager. You may combine these updates with other regularly-scheduled maintenance in your environment.

You can choose to install these software updates during an Oracle E-Business Suite R12.2 Online Patching cycle to your patch file system (recommended) or on your run file system. For details about Oracle E-Business Suite R12.2 Online Patching, refer to the Patching Procedures section in the Oracle E-Business Suite Maintenance Guide Release 12.2.

3.5.1 Apply the Latest AD and TXK Delta Release Update Packs

Note: Review My Oracle Support Knowledge Document 1617461.1, Applying the Latest AD and TXK Release Update Packs to Oracle E-Business Suite Release 12.2, and follow the instructions to apply the required code level of AD and TXK for your system.

3.5.2 Download and apply Oracle E-Business Suite Updates

Download and apply the following updates to your Oracle E-Business Suite Release 12.2 instance:

Customers integrating with Oracle Access Manager 11.1.2.2 Server:

Table A

Release    Patch Number
12.2       R12.TXK.C Patch 21523147
12.2       R12.TXK.C Patch 20735848

Customers integrating with Oracle Access Manager 11.1.2.3 Server:

Table B

Release    Patch Number
12.2       R12.TXK.C Patch 21523147
12.2       R12.TXK.C Patch 20735848
12.2       R12.TXK.C Patch 21229697

Windows Customers Only:

Download and apply the following updates to your Oracle E-Business Suite Release 12.2 instance:

Release           Patch Number
FMW 11.1.1.6.0    Patch 15861836

3.5.3 Download and install Oracle Access Manager WebGates

WebGates are policy enforcement agents that act as a filter for HTTP requests and communicate with Oracle Access Manager authentication and authorization services.

As per Section 9 of the Oracle Fusion Middleware Release Notes for HTTP Server, Oracle WebGate version 11.1.2.3 for Oracle HTTP Server supports only Oracle HTTP Server version 11.1.1.9. If your version of Oracle HTTP Server is lower than 11.1.1.9, it should be upgraded to 11.1.1.9 by following Document 1590356.1 Upgrading Oracle Fusion Middleware Technology Stack of Oracle E-Business Suite Release 12.2 to the latest 11gR1 (11.1.1.x) Patchset, before integrating with Oracle WebGate version 11.1.2.3.

Download Oracle Access Manager OHS 11g WebGates 11.1.2.3.0 from Identity & Access Management 11gR2 Downloads. Save the file to a temporary location on your Oracle E-Business Suite middle tier server node, and unzip it. For example, unzip it to directory: /u01/webgate11g.

Source the Oracle E-Business Suite environment file.

    $ cd <EBS_BASE_HOME>
    $ . EBSapps.env
    $ echo $FILE_EDITION

EBS_BASE_HOME is the top directory where fs1, fs2, and others are installed.

During an active Online Patching cycle, type "P" to select the patch file system environment when prompted. Echo $FILE_EDITION returns "patch" to indicate that the patch file system is sourced.

Alternatively, if there is no active Online Patching cycle, you may also choose to install Oracle Access Manager WebGates on your run file system. In that case, type "R" to select the run file system environment when prompted. Echo $FILE_EDITION returns "run" to indicate that the run file system is sourced.

Execute the following command to install Oracle Access Manager WebGates:

    $ txkrun.pl -script=SetOAMReg -installWebgate=yes -webgatestagedir=

For parameter -webgatestagedir, specify the directory where you unzipped Oracle Access Manager OHS 11g WebGates, for example /u01/webgate11g. The installation should complete successfully.

3.5.4 Apply Required Oracle Access Manager Bundle Patch to Oracle Access Manager WebGate

Refer to My Oracle Support Knowledge Document 736372.1 OAM Bundle Patch Release History for the instructions to download and apply Oracle Access Manager 11.1.2.3 Bundle Patch 1 (BP01) for Oracle Access Manager WebGate.

Applying later Bundle Patches to Oracle HTTP Server 11g WebGate

Optionally, later Oracle HTTP Server 11g WebGate Bundle Patches may be applied on top of certified configurations. Please refer to My Oracle Support Knowledge Document 736372.1 OAM Bundle Patch Release History.

3.5.5 Perform fs_clone (conditional)

Your system is now prepared with the pre-requisites to enable single sign-on with Oracle Access Manager.

You can choose to only prepare the system with the prerequisite software updates, and integrate Oracle E-Business Suite with Oracle Access Manager for single sign-on at a later point in time. In this case, complete the current Oracle E-Business Suite Release 12.2 Online Patching cycle now. Then you must perform an fs_clone to synchronize the changes before you start the next Oracle E-Business Suite Release 12.2 Online Patching cycle. Performing an fs_clone will ensure that Oracle Access Manager OHS 11g WebGates are installed on both file systems fs1 and fs2.

Alternatively, you can choose to directly proceed with integrating Oracle E-Business Suite with Oracle Access Manager for single sign-on in the next section. In this case, you must continue using the same file system where you just applied the prerequisite software updates, and you can perform the fs_clone only after completing single
sign on integration as documented in Step 4.4 of this document.

Section 4: Integrate Oracle E-Business Suite with Oracle Access Manager

Follow the steps in this section to integrate Oracle E-Business Suite with Oracle Access Manager:

- Deploy Oracle E-Business Suite AccessGate
- Register Oracle E-Business Suite with Oracle Access Manager
- Test Single Sign-On with Oracle E-Business Suite
- Perform fs_clone

Enabling single sign-on for Oracle E-Business Suite with Oracle Access Manager does not require starting an Oracle E-Business Suite Online Patching cycle. You may perform the integration optionally

a) on your run file system when no Online Patching cycle is active. Single sign-on will be enabled after bouncing Oracle E-Business Suite.

b) on your patch file system during an active Online Patching cycle. Single sign-on will be enabled after completing your Online Patching cycle and bouncing Oracle E-Business Suite.

Note that Oracle Access Manager maintains a single registration for your Oracle E-Business Suite instance, and does not distinguish between run and patch file system. Hence modifying the configuration in Oracle Access Manager, or removing the registration following Appendix A of this document, will always affect the running system.

4.1 Deploy Oracle E-Business Suite AccessGate

Oracle E-Business Suite AccessGate is a J2EE application on your Oracle E-Business Suite 12.2 WebLogic server. Oracle E-Business Suite AccessGate will be protected by Oracle Access Manager and creates an Oracle E-Business Suite session based on a valid Oracle Access Manager session. Follow the steps below to deploy Oracle E-Business Suite AccessGate.

Source the Oracle E-Business Suite environment file.

    $ cd <EBS_BASE_HOME>
    $ . EBSapps.env
    $ echo $FILE_EDITION

EBS_BASE_HOME is the top directory where fs1, fs2, and others are installed.

Type "R" to select the run file system environment when prompted. Echo $FILE_EDITION returns "run" to indicate that the run file system is sourced. Ensure there is no active Online Patching cycle.

Alternatively, if you wish to deploy Oracle E-Business Suite AccessGate to your patch file system first during an active Online Patching cycle, type "P" to select the patch file system environment when prompted. Echo $FILE_EDITION returns "patch" to indicate that the patch file system is sourced.

Execute the following command to deploy Oracle E-Business Suite AccessGate.

    $ perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources \
        -contextfile=$CONTEXT_FILE \
        -deployApps=accessgate \
        -SSOServerURL= \
        [-managedsrvname=] \
        [-managedsrvport=] \
        -logfile=

For parameter -SSOServerURL, specify the URL for your OAM managed server, for example http://oamserver.example.com:14100.

Optional parameter -managedsrvname defaults to oaea_server1. Parameter -managedsrvport defaults to 6801. Specify these optional parameters if you wish to deploy Oracle E-Business Suite AccessGate to a non-default managed server. The managed server name provided must be of the form oaea_server<n>, where n is an integer.

For example:

    $ perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources \
        -contextfile=$CONTEXT_FILE \
        -deployApps=accessgate \
        -SSOServerURL=http://oamserver.example.com:14100 \
        -managedsrvname=oaea_server3 \
        -managedsrvport=6803 \
        -logfile=/tmp/deployeag.log

The script will prompt for the following passwords:

- Enter the APPS Schema password.
- Enter the WebLogic AdminServer password.

Enter the required information when prompted.
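
A pre-flight check for the deployment command above, as an added shell example that is not part of the Oracle note or its tooling: it confirms that the sourced file system edition is the intended one, applies the parameter rules stated in this section (the oaea_server<n> name form and the oaea_server1 / 6801 defaults), prints the resulting command, and flags when the txkSetAppsConf.pl addMS follow-up is needed. All function names are hypothetical, and the bare scheme://host:port check on -SSOServerURL is an assumption drawn from the note's example value.

```sh
#!/bin/sh
# Added example, not Oracle tooling. All function names are hypothetical.

# True only if the sourced environment is the intended edition (run|patch).
check_edition() {
    [ "${FILE_EDITION:-}" = "$1" ]
}

# -managedsrvname must be of the form oaea_server<n>, n an integer.
valid_managed_server() {
    case $1 in
        oaea_server|oaea_server*[!0-9]*) return 1 ;;
        oaea_server[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# TCP port: digits only, 1-65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Assumption: -SSOServerURL is a bare scheme://host:port, as in the example.
valid_sso_url() {
    printf '%s\n' "$1" | grep -Eq '^https?://[A-Za-z0-9.-]+:[0-9]+$'
}

# A non-default managed server or port means txkSetAppsConf.pl
# -configoption=addMS has to be run after the deployment.
needs_addms() {
    [ "$1" != "oaea_server1" ] || [ "$2" != "6801" ]
}

# Validate the inputs and print the deployment command.
# $1 = SSO server URL, $2 = log file, $3 = managed server (default
# oaea_server1), $4 = port (default 6801), $5 = intended edition (default run).
deploy_cmd() {
    srv=${3:-oaea_server1} port=${4:-6801} edition=${5:-run}
    check_edition "$edition"    || { echo "FILE_EDITION is not $edition" >&2; return 1; }
    valid_sso_url "$1"          || { echo "bad -SSOServerURL: $1" >&2; return 1; }
    valid_managed_server "$srv" || { echo "bad -managedsrvname: $srv" >&2; return 1; }
    valid_port "$port"          || { echo "bad -managedsrvport: $port" >&2; return 1; }
    [ -n "$2" ]                 || { echo "missing -logfile" >&2; return 1; }
    printf '%s %s -contextfile=%s -deployApps=accessgate -SSOServerURL=%s -managedsrvname=%s -managedsrvport=%s -logfile=%s\n' \
        'perl $AD_TOP/patch/115/bin/adProvisionEBS.pl' ebs-create-oaea_resources \
        '$CONTEXT_FILE' "$1" "$srv" "$port" "$2"
    if needs_addms "$srv" "$port"; then
        echo "# follow-up required: txkSetAppsConf.pl -configoption=addMS for $srv:$port"
    fi
}

# Demo with the note's sample values: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    FILE_EDITION=${FILE_EDITION:-run}
    deploy_cmd http://oamserver.example.com:14100 /tmp/deployeag.log oaea_server3 6803
fi
```
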

The script will now perform the following main tasks automatically:

- Create managed server "oaea_server1" if it does not already exist.
- Create Data Source "OAEADatasource" if it does not already exist.
- Deploy the Oracle E-Business Suite AccessGate application named "accessgate".

The script must complete successfully. Review the log files for any error messages.

After successful completion of the script, ensure that your WebLogic AdminServer is running.

If you have specified a dedicated managed server and port in the previous command instead of using the default managed server and port, execute the following command to add details of the managed server into the OHS configuration files mod_wl_ohs.conf and apps.conf:

    $ perl $FND_TOP/patch/115/bin/txkSetAppsConf.pl \
        -contextfile=$CONTEXT_FILE \
        -configoption=addMS \
        -accessgate=.:

Replace .: with the hostname, full domain name and port of the new 'oaea_server1' managed server. For example: ebshost.example.com:6803

The script must complete successfully. Review the log files for any error messages.

To verify successful deployment, log on to the WebLogic Administration Console, for example: http://ebshost.example.com:7001/console

- In the WebLogic Administration Console, navigate to EBS_domain_sid > Environment > Servers, and verify that a managed server "oaea_server1" is available.
- Verify that you can successfully start the server "oaea_server1". On the settings page for the server, navigate to the Control tab, and use the Start button to start the server.
- Navigate to EBS_domain_sid > Deployments, and verify that the Oracle E-Business Suite AccessGate application named "accessgate" is deployed, with State: Active and Health: OK.
- Navigate to EBS_domain_sid > Services > Data Sources, and verify that a data source "OAEADatasource" is available.
- Navigate to the "OAEADatasource" page, Monitoring tab, Testing tab. Click the control button next to server "oaea_server1", and press the "Test Data Source" button. You should see a message confirming that the test of the data source was successful.

4.2 Register Oracle E-Business Suite with Oracle Access Manager

Follow the steps in this section to register Oracle E-Business Suite with Oracle Access Manager.

Source the Oracle E-Business Suite environment file.

    $ cd <EBS_BASE_HOME>
    $ . EBSapps.env
    $ echo $FILE_EDITION

EBS_BASE_HOME is the top directory where fs1, fs2, and others are installed.

Type "R" to select the run file system environment when prompted. Echo $FILE_EDITION returns "run" to indicate that the run file system is sourced. Ensure there is no active Online Patching cycle.

Alternatively, if you wish to register Oracle E-Business Suite during an active Online Patching cycle, type "P" to select the patch file system environment when prompted. Echo $FILE_EDITION returns "patch" to indicate that the patch file system is sourced.

If Oracle E-Business Suite is integrated with Oracle Internet Directory:

Execute the following command to register Oracle E-Business Suite with Oracle Access Manager:

    $ txkrun.pl -script=SetOAMReg -registeroam=yes

If Oracle E-Business Suite is integrated with Oracle Unified Directory:

Execute the following command to register Oracle E-Business Suite with Oracle Access Manager:

    $ txkrun.pl -script=SetOAMReg -registeroam=yes -ldapProvider=OUD -oidUserName="cn=directory manager"

If the Oracle directory service is Oracle Unified Directory, then the ldapProvider must be specified as "OUD". By default the type is OID for Oracle Internet Directory.

The script will prompt for the following information.

- Enter OAM console URL (for example: http://myoam.us.oracle.com:7001)
- Enter OAM console user name (for example: weblogic)
- Enter OAM console password
- Enter LDAP URL (for example: ldap://myoid.us.oracle.com:3060)
- Enter OID console user name (for example: cn=orcladmin)
- Enter OID console password
- Enter LDAP Search Base (for example: "cn=Users,dc=us,dc=oracle,dc=com")
- Enter LDAP Group Search Base (for example: "cn=Groups,dc=us,dc=oracle,dc=com")
- Enter APPS password

Enter the required information when prompted. For the parameter OAM console URL, enter the base URL for the WebLogic Administration server where the OAM console is deployed, for example: http://myoam.us.oracle.com:7001.

The script will provide a summary of input values. Confirm that these are correct and start the registration.

    Do you wish to continue (y|n)? y

The script will now perform the following main tasks automatically:

- Register Oracle E-Business Suite AccessGate with Oracle Access Manager.
- Create Identity Store named OIDIdentityStore if it does not already exist. If Identity Store OIDIdentityStore exists, the integration will use it.
- Create Authentication Module named LDAP_EBS if it does not already exist. If Authentication Module LDAP_EBS exists, the integration will use it.
- Configure Oracle Access Manager OAM Agent named .
- Configure Authentication Scheme named EBSAuthScheme.
- Configure Application Domain named with required Authentication Policies and response headers for your Oracle E-Business Suite integration.
- Set Oracle E-Business Suite profile options Application Authenticate Agent (APPS_AUTH_AGENT) and Applications SSO Type (APPS_SSO).

Alternatively, you can execute the script using parameters. For example:

If Oracle E-Business Suite is integrated with Oracle Internet Directory:

    $ txkrun.pl -script=SetOAMReg -registeroam=yes \
        -oamHost=http://myoam.us.oracle.com:7001 \
        -oamUserName=weblogic \
        -ldapUrl=ldap://myoid.us.oracle.com:3060 \
        -oidUserName=cn=orcladmin \
        -skipConfirm=yes \
        -ldapSearchBase=cn=Users,dc=example,dc=com \
        -ldapGroupSearchBase=cn=Groups,dc=example,dc=com

If Oracle E-Business Suite is integrated with Oracle Unified Directory:

    $ txkrun.pl -script=SetOAMReg -registeroam=yes -ldapProvider=OUD \
        -oamHost=http://myoam.us.oracle.com:7001 \
        -oamUserName=weblogic \
        -ldapUrl=ldap://myoud.us.oracle.com:1389 \
        -oidUserName="cn=directory manager" \
        -skipConfirm=yes \
        -ldapSearchBase=ou=People,dc=example,dc=com \
        -ldapGroupSearchBase=dc=example,dc=com

Replace 'dc=example,dc=com' with the appropriate values for your LDAP search base.

The script must complete successfully. Review the log files for any error messages.

By default, the registration as documented above automatically creates an Authentication Scheme named EBSAuthScheme. Optionally, you can also register your Oracle E-Business Suite instance using a custom authentication scheme that you have created manually using your OAM Console prior to registering your Oracle E-Business Suite instance.

To register your Oracle E-Business Suite instance with an existing custom authentication scheme, you can specify the following two additional command line parameters when executing the registration script txkrun.pl -script=SetOAMReg -registeroam=yes:

    -authScheme=
    -authSchemeMode=

Description:

-authScheme=
This parameter allows you to specify an authentication scheme to be created, updated or referenced. The default value is "EBSAuthScheme".

-authSchemeMode=create_reference (default)
Authentication Scheme mode "create_reference" is the default mode. The automated registration will create the specified authentication scheme if it does not exist. If the specified authentication scheme already exists, the registration will reference the existing authentication scheme. In this mode, an existing authentication scheme will not be overwritten.

-authSchemeMode=reference
Authentication Scheme mode "reference" will reference an existing authentication scheme. This mode does not create or update an existing authentication scheme, but will error if the specified authentication scheme does not exist.

-authSchemeMode=create_update
Authentication Scheme mode "create_update" will create the specified authentication scheme if it does not exist, or update an existing authentication scheme.

Example usage:

If you have created an authentication scheme named "CustomAuthScheme" using your OAM Console, prior to registering your Oracle E-Business Suite instance, you should register your Oracle E-Business Suite instance using your custom authentication scheme as follows:

If Oracle E-Business Suite is integrated with Oracle Internet Directory:

    $ txkrun.pl -script=SetOAMReg -registeroam=yes \
        -oamHost=http://myoam.us.oracle.com:7001 \
        -oamUserName=weblogic \
        -ldapUrl=ldap://myoid.us.oracle.com:3060 \
        -oidUserName=cn=orcladmin \
        -ldapSearchBase=cn=Users,dc=example,dc=com \
        -ldapGroupSearchBase=cn=Groups,dc=example,dc=com \
        -authScheme=CustomAuthScheme \
        -authSchemeMode=reference

If Oracle E-Business Suite is integrated with Oracle Unified Directory:

    $ txkrun.pl -script=SetOAMReg -registeroam=yes -ldapProvider=OUD \
        -oamHost=http://myoam.us.oracle.com:7001 \
        -oamUserName=weblogic \
        -ldapUrl=ldap://myoud.us.oracle.com:1389 \
        -oidUserName="cn=directory manager" \
        -ldapSearchBase=ou=People,dc=example,dc=com \
        -ldapGroupSearchBase=dc=example,dc=com \
        -authScheme=CustomAuthScheme \
        -authSchemeMode=reference

Important Note: If you are planning to use a custom authentication scheme, please refer to the information in Section 5.5 Authentication Methods supported with Oracle Access Manager. Oracle E-Business Suite Development does not explicitly certify alternative authentication methods supported by Oracle Access Manager. Oracle E-Business Suite Support may ask you to revert Oracle Access Manager to the explicitly certified form based authentication and the default authentication scheme EBSAuthScheme, before issues with Oracle E-Business Suite can be triaged.

The registration script is re-runnable. If the registration script fails for any reason (for example, the OAM server is down), the script will detect an incomplete run, and continue completing the session with the same parameters after prompting for confirmation to continue.

If you configured your patch file system during an Online Patching cycle, complete your Online Patching cycle.

Stop and restart the Oracle E-Business Suite 12.2 OHS and WebLogic servers.

4.3 Test Single Sign-On with Oracle E-Business Suite

You have completed integrating Oracle E-Business Suite with Oracle Access Manager 11.1.2 using Oracle E-Business Suite AccessGate. Test single sign-on integration now.

Log on to Oracle E-Business Suite:

    http://.:/OA_HTML/AppsLogin

You will be redirected to your Oracle Access Manager single sign-on page. Log in using valid OID user credentials. After successful authentication, you will be redirected to your Oracle E-Business Suite home page.

4.4 Perform fs_clone

Stop the oaea managed server on the run file system (see Known Issues section for further information).

Your Oracle E-Business Suite Release 12.2 instance is now integrated with Oracle Access Manager using Oracle E-Business Suite AccessGate on your run file system. Perform an fs_clone to synchronize the changes to your patch file system before you start the next Oracle E-Business Suite Release 12.2 Online Patching cycle.
https://support.oracle.com/epmos/faces/D ocumentDisplay?_afrLoop=264205653993036&parent=DOCUM ENT&sourceId=1614793.1&id=1576425.1&_afrW ind…
9/25
2/9/2016
Document 1576425.1
Section 5: Oracle Access Manager Configurations

This section lists additional configurations on your Oracle Access Manager server and information about advanced authentication methods supported with Oracle Access Manager.

Configure Oracle Access Manager to support long URLs
Configure Oracle Access Manager Whitelist
Configure Oracle Access Manager Session Timeout
Configure Languages for the Oracle Access Manager Login Page
Authentication Methods supported with Oracle Access Manager

5.1 Configure Oracle Access Manager to support long URLs

Long URLs may exceed a cookie limit on your Internet browser. Configure Oracle Access Manager to support long URLs by changing the serverRequestCacheType from COOKIE to FORM in Oracle Access Manager configuration file $DOMAIN_HOME/config/fmwconfig/oam-config.xml:

FORM

Refer to section Application URL Requirements in the Oracle® Fusion Middleware Administrator's Guide for Oracle Access Management 11g Release 2 (11.1.2).

5.2 Configure Oracle Access Manager Whitelist

Oracle Access Manager whitelist is enabled by default in Oracle Access Manager 11.1.2.3. Oracle Access Manager must be configured to only redirect to URLs listed in a whitelist. Oracle recommends that this configuration be done as part of a Secure Configuration.

To use this Oracle Access Manager feature, you must add your Oracle E-Business Suite middle tier URL (Oracle E-Business Suite host name and port) to the whitelist. For example:

cd $OAM_ORACLE_HOME/common/bin
./wlst.sh
wls:/offline> connect('weblogic','kwD9ij4dj', 'myoam.example.com:7001')
wls:/offline> domainRuntime()
wls...> oamWhiteListURLConfig (Name="EBS",Value="http://.:", Operation="Update")
wls...> oamWhiteListURLConfig (Name="OAMCONSOLE",Value="http://: ", Operation="Update")
wls...> oamWhiteListURLConfig (Name="EBS_POSTLOGOUT",Value="", Operation="Update")
wls...> exit()

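A pre-flight check for the whitelist values, added here as an example (not Oracle's code): it validates each URL and emits the oamWhiteListURLConfig lines in the form used in this section. The function names, the validation rules, the choice to skip EBS_POSTLOGOUT when no post-logout URL is configured, and the sample host portal.example.com are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed rule: at least two DNS labels, i.e. a fully qualified host name.
FQDN = re.compile(r"^(?=.{1,253}$)[a-z0-9-]{1,63}(\.[a-z0-9-]{1,63})+$")

def check_url(url, label, need_port=True):
    """Validate one whitelist value; return (scheme, host, port)."""
    if re.search(r'[\s"\'\\]', url):
        raise ValueError(f"{label}: whitespace or quote characters in {url!r}")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"{label}: expected http or https in {url!r}")
    if parts.username is not None:
        raise ValueError(f"{label}: credentials must not appear in {url!r}")
    host = parts.hostname or ""
    if not FQDN.match(host):
        raise ValueError(f"{label}: host is not fully qualified in {url!r}")
    try:
        port = parts.port  # raises ValueError for non-numeric or out-of-range ports
    except ValueError:
        raise ValueError(f"{label}: port is not valid in {url!r}") from None
    if need_port and port is None:
        raise ValueError(f"{label}: port is missing in {url!r}")
    return parts.scheme, host, port

def whitelist_commands(ebs_url, oam_console_url, post_logout_url=""):
    """Build the oamWhiteListURLConfig lines for the three entries in 5.2."""
    entries = []
    for name, url in (("EBS", ebs_url), ("OAMCONSOLE", oam_console_url)):
        scheme, host, port = check_url(url, name)
        # Whitelist only scheme, host and port; any path is dropped.
        entries.append((name, f"{scheme}://{host}:{port}"))
    if post_logout_url:  # optional profile APPS_SSO_POSTLOGOUT_HOME_URL
        check_url(post_logout_url, "EBS_POSTLOGOUT", need_port=False)
        entries.append(("EBS_POSTLOGOUT", post_logout_url))
    return [f'oamWhiteListURLConfig(Name="{n}",Value="{v}", Operation="Update")'
            for n, v in entries]

if __name__ == "__main__":
    # Constructed sample values; the first two hosts are the document's examples.
    for line in whitelist_commands("http://ebshost.example.com:8001",
                                   "http://oamserver.example.com:7001",
                                   "https://portal.example.com/logout"):
        print(line)
```

An unfilled template value such as http://.: is rejected rather than written to the whitelist.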
Replace ':' with the fully qualified Host Name and Port of your Oracle E-Business Suite middle-tier. For example: 'ebshost.example.com:8001'.

Replace : with the fully qualified Host Name and Port for your Oracle Access Manager Console. For example: 'oamserver.example.com:7001'.

In addition, if you configured the optional profile 'Applications SSO Post Logout URL' (APPS_SSO_POSTLOGOUT_HOME_URL) to re-direct to a different server URL post logout, replace with the URL from the 'Applications SSO Post Logout URL' profile option.

For further information on configuring the whitelist, refer to wlst commands 'oamSetWhiteListMode' and 'oamWhiteListURLConfig' in Oracle® Fusion Middleware WebLogic Scripting Tool Command Reference for Identity and Access Management.

5.3 Configure Oracle Access Manager Session Timeout

You can configure an inactivity time-out for a session in both Oracle E-Business Suite and Oracle Access Manager. The timeout values should be the same for both applications. If you configure a timeout value for Oracle E-Business Suite that is shorter than the one you configure for Oracle Access Manager, users can re-establish their Oracle E-Business Suite session after it times out without providing login credentials.

The inactivity time-out in Oracle E-Business Suite is configured in profile option ICX: Session Timeout (minutes).

The inactivity time-out in Oracle Access Manager is configured as Idle Timeout (minutes) under Common Settings in the OAM Console System Configuration.

5.4 Configure Languages for the Oracle Access Manager Login Page

Oracle Access Management 11.1.2.1 supports language selection through a drop down list of languages in the login page combined with use of the OAM_LANG_PREF language preference cookie. The Oracle Access Manager login page can be synchronized with the set of installed languages in Oracle E-Business Suite.

To configure the Oracle Access Manager login page to provide language selection, refer to the section Choosing a User Login Language in the Oracle® Fusion Middleware Administrator's Guide for Oracle Access Management and the 'configOAMLoginPagePref' command in the Oracle® Fusion Middleware WebLogic Scripting Tool Command