Integrating Oracle E-Business Suite Release 12.2 with Oracle Access Manager 11gR2 (11.1.2) using Oracle E-Business Suite AccessGate (Doc ID 1576425.1)

This document describes how to integrate Oracle E-Business Suite Release 12.2 with Oracle Access Manager 11g Release 2 (11.1.2)
using Oracle E-Business AccessGate.

Before you begin integration, you should read and understand all content described in this document.

The most current version of this document can be obtained from My Oracle Support Knowledge Document 1576425.1.

There is a change log at the end of this document.

In this Document

Section 1: Introduction
Section 2: Supported Architecture and Release Versions
Section 3: Prerequisite Installations and Configurations
Section 4: Integrate Oracle E-Business Suite with Oracle Access Manager
Section 5: Oracle Access Manager Configurations
Section 6: Advanced Configurations
Section 7: Optional Post Installation Steps
Section 8: Upgrade and Migration
Section 9: Available Documentation
Appendix A: Deregister Oracle E-Business Suite from Oracle Access Manager
Appendix B: Known Issues
Appendix C: Product-Specific Single Sign-On Exceptions

Section 1: Introduction

Oracle Access Manager 11g Release 2 (11.1.2) provides a comprehensive identity management and access control system that
simplifies user access across applications.

For more information about Oracle Access Manager (OAM), refer to the Access Manager home page on the Oracle Corporation Web
site at:

http://www.oracle.com/us/products/middleware/identity-management/oracle-access-manager/overview/index.html

This document describes how to integrate Oracle E-Business Suite Release 12.2 with Oracle Access Manager 11g Release 2 (11.1.2)
using Oracle E-Business AccessGate.

If you have multiple instances of Oracle E-Business Suite that you wish to integrate with Oracle Access Manager for single sign on,
perform the steps in this document on each Oracle E-Business Suite instance.

For more information about single sign-on concepts, architecture, and options for integrating Oracle E-Business Suite with Oracle
Identity Management products, refer to My Oracle Support Knowledge Document 1388152.1 Overview of Single Sign-On Integration
Options for Oracle E-Business Suite.

The procedures in this document have significant effects on Oracle E-Business Suite Release 12.2 environments and should be
executed only by skilled Oracle E-Business Suite database or system administrators. Users are strongly advised to first review the
prerequisites and plan the installation and configuration on the various supported platforms.

For information about which platforms are supported by Oracle Access Manager, refer to the Oracle Identity and Access Management
11g Release 2 (11.1.2.3) Certification Matrix.

Note that Oracle Identity and Access Management 11g Release 2 (11.1.2) is supported on 64-bit processors only.

Section 2: Supported Architecture and Release Versions

The following software components must be installed on a standalone server accessing an Oracle E-Business Suite, or in separate
Fusion Middleware Homes on an existing application tier server node.

Component Name                    Version
Oracle Access Manager             11.1.2.2, 11.1.2.3
Oracle Access Manager WebGate     See Footnote 1 for restrictions.
Oracle Identity Management        11.1.1.7, 11.1.1.9
Oracle Unified Directory          11.1.2.3

Footnote 1: As per Section 9 of the Oracle Fusion Middleware Release Notes for HTTP Server, Oracle WebGate version 11.1.2.3 for
Oracle HTTP Server supports only Oracle HTTP Server version 11.1.1.9.

If you have integrated Oracle E-Business Suite 12.2 with Oracle Unified Directory 11.1.2.3 as detailed in My Oracle Support Knowledge Document 2003483.1, then Oracle HTTP Server 11.1.1.9 is already configured on the Oracle E-Business Suite environment. You MUST therefore install and integrate with Oracle Access Manager 11.1.2.3 using Oracle Access Manager WebGate 11.1.2.3.

The following components must be used on the Oracle E-Business Suite Release 12 instance:

Component Name                        Version
Oracle E-Business Suite Release 12    12.2.2+

Section 3: Prerequisite Installations and Configurations

This section describes the following prerequisite installations and configurations:

3.1 Integrate Oracle Internet Directory or Oracle Unified Directory with Oracle E-Business Suite
3.2 Configure Oracle Internet Directory to return operational attributes
3.3 Install Oracle Access Manager
3.4 Apply Required Updates to Oracle Access Manager Server
3.5 Install Prerequisite Software Updates and Components on your Oracle E-Business Suite Release 12.2 Instance

3.1 Integrate Oracle Internet Directory or Oracle Unified Directory with Oracle E-Business Suite

It is a requirement to use either Oracle Internet Directory or Oracle Unified Directory for any LDAP or single sign-on integration with
Oracle E-Business Suite.

Oracle Internet Directory:

Use the instructions in the following My Oracle Support Knowledge Document to integrate Oracle Internet Directory with Oracle E-
Business Suite.

Document 1371932.1 Integrating Oracle E-Business Suite Release 12.2 with Oracle Internet Directory 11gR1. If you are integrating with OID 11g for the first time, refer to this document for more information about specific requirements and additional patches that are required for integration with Oracle E-Business Suite.

For further information regarding provisioning between Oracle E-Business Suite and Oracle Internet Directory, refer to Oracle E-
Business Suite Security Guide Release 12.2.

Oracle Unified Directory:

Use the instructions in the following My Oracle Support Knowledge Document to integrate Oracle Unified Directory with Oracle E-
Business Suite.

Document 2003483.1 Integrating Oracle E-Business Suite Release 12.2 with Oracle Unified Directory 11g Release 2.
If you are integrating with OUD 11g for the first time, refer to this document for more information about specific
requirements and additional patches that are required for integration with Oracle E-Business Suite.

3.2 Configure Oracle Internet Directory to return operational attributes

This step is only required for customers using Oracle Internet Directory. If your configuration is using Oracle Unified Directory, skip this
step and proceed to step 3.3 - Install and Configure Oracle Access Manager.

Configure Oracle Internet Directory to return operational attributes for lookup requests. This modification adds the orclguid attribute to records returned by Oracle Internet Directory when queried by Oracle Access Manager, allowing these records to be mapped to others that are uniquely identified by orclguid. To make this modification, create an ldif file as detailed below and execute the ldapmodify command from the Oracle Home where Oracle Internet Directory is installed:

Create an ldif file (for example 'change_attrs.ldif') containing the following:

dn: cn=dsaconfig, cn=configsets,cn=oracle internet directory
changetype: modify
add: orclallattrstodn
orclallattrstodn: [DN]

where [DN] is the DN (Distinguished Name) of the account that Oracle Access Manager uses to communicate with Oracle Internet
Directory; for example, cn=orcladmin. If you are not sure what this value is for your site, you can find it by logging on to Oracle Directory
Services Manager (ODSM), and looking under the Root element in the Data Tree on the Data Browser tab.

For example:

dn: cn=dsaconfig, cn=configsets,cn=oracle internet directory
changetype: modify
add: orclallattrstodn
orclallattrstodn: cn=orcladmin

Run the following to execute the command from the newly created ldif file:

$ORACLE_HOME/bin/ldapmodify -h [ldaphost] -p [ldapport] -D [DN] -w [orcladmin passwd] -v -f [ldif_filename]

For example:

$ORACLE_HOME/bin/ldapmodify -h ldaphost.example.com -p 3060 -D cn=orcladmin -w welcome972 -v -f change_attrs.ldif

3.3 Install and Configure Oracle Access Manager

RHEL 6 Customers only: (for Oracle Access Manager 11.1.2.2 Only):

Download and Apply Unified Installer Patch 18231786 prior to installing Oracle Access Manager 11.1.2.2.

Install and Configure Oracle Access Manager 11g Release 2 (11.1.2.3), following the installation instructions in the Installation Guide for
Oracle Identity and Access Management, available from the Oracle Fusion Middleware Identity Management 11g Release 2 (11.1.2.3.0)
Documentation Library.

For information about which platforms are supported by Oracle Access Manager, refer to the Oracle Identity and Access Management
11g Release 2 (11.1.2.3) Certification Matrix.

After successful installation and configuration, verify that you can log on to the Oracle Access Manager and WebLogic Administration consoles with the WebLogic admin user and password that you specified during installation:

http://<oamserver>.<domain>:<adminport>/console
http://<oamserver>.<domain>:<adminport>/oamconsole

Verify in the WebLogic Administration Console that the OAM managed server is running on the specified port.

3.4 Apply Required Updates to Oracle Access Manager Server

For Oracle Access Manager 11.1.2.3 only:

Oracle strongly recommends applying Oracle Access Manager 11.1.2.3 Bundle Patch 3 (OAM 11.1.2.3.3) as this includes a fix for Patch
19438948. Refer to My Oracle Support Knowledge Document 736372.1 OAM Bundle Patch Release History, for the instructions to
download and apply Oracle Access Manager 11.1.2.3 Bundle Patch 3 (BP03) for Oracle Access Manager Server.

Applying later Oracle Access Manager Bundle Patches

Optionally, later Oracle Access Manager Bundle Patches may be applied on top of certified configurations. Please refer to My Oracle
Support Knowledge Document 736372.1 OAM Bundle Patch Release History.

3.5 Install Prerequisite Software Updates and Components on your Oracle E-Business Suite Release 12.2 Instance

Install the following prerequisite software updates and components on your Oracle E-Business Suite Release 12.2 instance. These
software updates are fully compatible with Oracle E-Business Suite environments regardless of whether or not you proceed with single
sign-on integration. You may therefore choose to install these software updates at an earlier date, even before performing any of the
subsequent steps in this document to complete single sign-on integration with Oracle Access Manager. You may combine these updates
with other regularly-scheduled maintenance in your environment. You can choose to install these software updates during an Oracle E-
Business Suite R12.2 Online Patching cycle to your patch file system (recommended) or on your run file system.

For details about Oracle E-Business Suite R12.2 Online Patching, refer to the Patching Procedures section in the Oracle E-Business
Suite Maintenance Guide Release 12.2.

3.5.1 Apply the Latest AD and TXK Delta Release Update Packs

Note: Review My Oracle Support Knowledge Document 1617461.1, Applying the Latest AD and TXK Release Update Packs to Oracle
E-Business Suite Release 12.2, and follow the instructions to apply the required code level of AD and TXK for your system.

3.5.2 Download and apply Oracle E-Business Suite Updates

Download and apply the following updates to your Oracle E-Business Suite Release 12.2 instance:

Customers integrating with Oracle Access Manager 11.1.2.2 Server:

Table A

Release   Patch Number
12.2      Refer to My Oracle Support Knowledge Document 2202932.1
12.2      R12.TXK.C Patch 20735848

Customers integrating with Oracle Access Manager 11.1.2.3 Server:

Table B

Release   Patch Number
12.2      Refer to My Oracle Support Knowledge Document 2202932.1
12.2      R12.TXK.C Patch 20735848
12.2      R12.TXK.C Patch 21229697

Windows Customers Only:

Download and apply the following updates to your Oracle E-Business Suite Release 12.2 instance:

Release        Patch Number
FMW 11.1.1.6   Patch 15861836 (This patch is not required for FMW 11.1.1.7 and above)

3.5.3 Download and install Oracle Access Manager WebGates

WebGates are policy enforcement agents that act as a filter for HTTP requests and communicate with Oracle Access Manager
authentication and authorization services.

As per Section 9 of the Oracle Fusion Middleware Release Notes for HTTP Server, Oracle WebGate version 11.1.2.3 for Oracle HTTP
Server supports only Oracle HTTP Server version 11.1.1.9. If your version of Oracle HTTP Server is lower than 11.1.1.9, it should be
upgraded to 11.1.1.9 by following Document 1590356.1 Upgrading Oracle Fusion Middleware Technology Stack of Oracle E-Business
Suite Release 12.2 to the latest 11gR1 (11.1.1.x) Patchset, before integrating with Oracle WebGate version 11.1.2.3.

Download Oracle Access Manager OHS 11g WebGates 11.1.2.3 from Identity & Access Management 11gR2 Downloads. Save the file to a temporary location on your Oracle E-Business Suite middle tier server node, and unzip it, for example to the directory /u01/webgate11g.

Source the Oracle E-Business Suite environment file.

$ cd <EBS_BASE_HOME>
$ . EBSapps.env
$ echo $FILE_EDITION

EBS_BASE_HOME is the top directory where fs1, fs2, and others are installed.

During an active Online Patching cycle, type "P" to select the patch file system environment when prompted. Echo $FILE_EDITION returns "patch" to indicate that the patch file system is sourced.

Alternatively, if there is no active Online Patching cycle, you may also choose to install Oracle Access Manager WebGates on your run file system. In that case, type "R" to select the run file system environment when prompted. Echo $FILE_EDITION returns "run" to indicate that the run file system is sourced.

Execute the following command to install Oracle Access Manager WebGates:

$ txkrun.pl -script=SetOAMReg -installWebgate=yes -webgatestagedir=<webgate stage directory>

For parameter -webgatestagedir, specify the directory where you unzipped Oracle Access Manager OHS 11g WebGates, for example /u01/webgate11g.

The installation should complete successfully.

3.5.4 Apply Required Oracle Access Manager Bundle Patch to Oracle Access Manager WebGate

Refer to My Oracle Support Knowledge Document 736372.1 OAM Bundle Patch Release History for the instructions to download and
apply Oracle Access Manager 11.1.2.3 Bundle Patch 1 (BP01) for Oracle Access Manager WebGate.

Applying later Bundle Patches to Oracle HTTP Server 11g WebGate

Optionally, later Oracle HTTP Server 11g WebGate Bundle Patches may be applied on top of certified configurations. Please refer to My
Oracle Support Knowledge Document 736372.1 OAM Bundle Patch Release History.

3.5.5 Perform fs_clone (conditional)

Your system is now prepared with the prerequisites to enable single sign on with Oracle Access Manager.

You can choose to only prepare the system with the prerequisite software updates, and integrate Oracle E-Business Suite with Oracle
Access Manager for single sign on at a later point in time. In this case, complete the current Oracle E-Business Suite Release 12.2
Online Patching cycle now. Then you must perform an fs_clone to synchronize the changes before you start the next Oracle E-Business
Suite Release 12.2 Online Patching cycle. Performing an fs_clone will ensure that Oracle Access Manager OHS 11g WebGates are
installed on both file systems fs1 and fs2.

Alternatively, you can choose to directly proceed with integrating Oracle E-Business Suite with Oracle Access Manager for single sign on
in the next section. In this case, you must continue using the same file system where you just applied the prerequisite software updates,
and you can perform the fs_clone only after completing single sign on integration as documented in Step 4.4 of this document.

Section 4: Integrate Oracle E-Business Suite with Oracle Access Manager

Follow the steps in this section to integrate Oracle E-Business Suite with Oracle Access Manager:

4.1 Deploy Oracle E-Business Suite AccessGate
4.2 Register Oracle E-Business Suite with Oracle Access Manager
4.3 Test Single Sign-On with Oracle E-Business Suite
4.4 Perform fs_clone

Enabling single sign on for Oracle E-Business Suite with Oracle Access Manager does not require starting an Oracle E-Business Suite Online Patching cycle. You may optionally perform the integration:

a) on your run file system when no Online Patching cycle is active. Single sign on will be enabled after bouncing Oracle E-Business Suite.
b) on your patch file system during an active Online Patching cycle. Single sign on will be enabled after completing your Online Patching cycle and bouncing Oracle E-Business Suite.

Note that Oracle Access Manager maintains a single registration for your Oracle E-Business Suite instance, and does not distinguish
between run and patch file system. Hence modifying the configuration in Oracle Access Manager, or removing the registration
following Appendix A of this document will always affect the running system.

4.1 Deploy Oracle E-Business Suite AccessGate

Oracle E-Business Suite AccessGate is a J2EE application on your Oracle E-Business Suite 12.2 WebLogic server. Oracle E-Business Suite AccessGate is protected by Oracle Access Manager and creates an Oracle E-Business Suite session based on a valid Oracle Access Manager session. Follow the steps below to deploy Oracle E-Business Suite AccessGate.

Source the Oracle E-Business Suite environment file.

$ cd <EBS_BASE_HOME>
$ . EBSapps.env
$ echo $FILE_EDITION

EBS_BASE_HOME is the top directory where fs1, fs2, and others are installed.

Type "R" to select the run file system environment when prompted. Echo $FILE_EDITION returns "run" to indicate that the run file system is sourced. Ensure there is no active Online Patching cycle.

Alternatively, if you wish to deploy Oracle E-Business Suite AccessGate to your patch file system first during an active Online Patching cycle, type "P" to select the patch file system environment when prompted. Echo $FILE_EDITION returns "patch" to indicate that the patch file system is sourced.

Execute the following command to deploy Oracle E-Business Suite AccessGate.

$ perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources \
-contextfile=$CONTEXT_FILE \
-deployApps=accessgate \
-SSOServerURL=<OAM Server URL> \
[-managedsrvname=<managed server name>] \
[-managedsrvport=<managed server port>] \
-logfile=<logfile>

For parameter -SSOServerURL, specify the URL for your OAM managed server, for example http://oamserver.example.com:14100.

Optional parameter managedsrvname defaults to oaea_server1. Parameter managedsrvport defaults to 6801. Specify these optional
parameters if you wish to deploy Oracle E-Business Suite AccessGate to a non-default managed server. The managed server name
provided must be of the form oaea_server<n>, where n is an integer.

For example:

$ perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources \
-contextfile=$CONTEXT_FILE \
-deployApps=accessgate \
-SSOServerURL=http://oamserver.example.com:14100 \
-managedsrvname=oaea_server3 \
-managedsrvport=6803 \
-logfile=/tmp/deployeag.log

The script will prompt for the following passwords:

Enter the APPS Schema password.
Enter the WebLogic AdminServer password.

Enter the required information when prompted.

The script will now perform the following main tasks automatically:

Create managed server "oaea_server1" if it does not already exist.
Create Data Source "OAEADatasource" if it does not already exist.
Deploy the Oracle E-Business Suite AccessGate application named "accessgate".

The script must complete successfully. Review the log files for any error messages.

After successful completion of the script, ensure that your WebLogic AdminServer is running.

If you have specified a dedicated managed server and port in the previous command instead of using the default managed server and
port, execute the following command to add details of the managed server into the OHS configuration files mod_wl_ohs.conf and
apps.conf:

$ perl $FND_TOP/patch/115/bin/txkSetAppsConf.pl \
-contextfile=$CONTEXT_FILE \
-configoption=addMS \
-accessgate=<host>.<domain>:<port>

Replace <host>.<domain>:<port> with the hostname, full domain name and port of the new dedicated managed server (oaea_server3 in the example above), for example: ebshost.example.com:6803

The script must complete successfully. Review the log files for any error messages.

To verify successful deployment, log on to the WebLogic Administration Console, for example:

http://ebshost.example.com:7001/console

In the WebLogic Administration Console, navigate to EBS_domain_sid > Environment > Servers, and verify that a managed server
"oaea_server1" is available.

Verify that you can successfully start the server "oaea_server1". On the settings page for the server, navigate to the Control tab, and use
the Start button to start the server.

Navigate to EBS_domain_sid > Deployments, and verify that the Oracle E-Business Suite AccessGate application named "accessgate"
is deployed, with State: Active and Health: OK.

Navigate to EBS_domain_sid > Services > Data Sources, and verify that a data source "OAEADatasource" is available. Navigate to the
"OAEADatasource" page, Monitoring tab, Testing tab. Click the control button next to server "oaea_server1", and press the "Test Data
Source" button. You should see a message confirming that test of the datasource was successful.

4.2 Register Oracle E-Business Suite with Oracle Access Manager

Follow the steps in this section to register Oracle E-Business Suite with Oracle Access Manager.

Source the Oracle E-Business Suite environment file.

$ cd <EBS_BASE_HOME>
$ . EBSapps.env
$ echo $FILE_EDITION

EBS_BASE_HOME is the top directory where fs1, fs2, and others are installed.

Type "R" to select the run file system environment when prompted. Echo $FILE_EDITION returns "run" to indicate that the run file system is sourced. Ensure there is no active Online Patching cycle.

Alternatively, if you wish to register Oracle E-Business Suite during an active Online Patching cycle, type "P" to select the patch file system environment when prompted. Echo $FILE_EDITION returns "patch" to indicate that the patch file system is sourced.

If Oracle E-Business Suite is integrated with Oracle Internet Directory:

Execute the following command to register Oracle E-Business Suite with Oracle Access Manager:

$ txkrun.pl -script=SetOAMReg -registeroam=yes

If Oracle E-Business Suite is integrated with Oracle Unified Directory:

Execute the following command to register Oracle E-Business Suite with Oracle Access Manager:

$ txkrun.pl -script=SetOAMReg -registeroam=yes -ldapProvider=OUD -oidUserName="cn=directory manager"

If the directory service is Oracle Unified Directory, then ldapProvider must be specified as "OUD". The default value is OID, for Oracle Internet Directory.

The script will prompt for the following information.

Enter OAM console URL (for example: http://myoam.us.oracle.com:7001)
Enter OAM console user name (for example: weblogic)
Enter OAM console password
Enter LDAP URL (for example: ldap://myoid.us.oracle.com:3060)
Enter OID console user name (for example: cn=orcladmin)
Enter OID console password
Enter LDAP Search Base (for example: "cn=Users,dc=us,dc=oracle,dc=com")
Enter LDAP Group Search Base (for example: "cn=Groups,dc=us,dc=oracle,dc=com")
Enter APPS password

Enter the required information when prompted.

For the parameter OAM console URL, enter the base URL for the WebLogic Administration server where the OAM console is deployed,
for example: http://myoam.us.oracle.com:7001.

The script will provide a summary of input values. Confirm that these are correct and start the registration.

Do you wish to continue (y|n)? y

The script will now perform the following main tasks automatically:

Register Oracle E-Business Suite AccessGate with Oracle Access Manager.
Create Identity Store named OIDIdentityStore if it does not already exist. If Identity Store OIDIdentityStore exists, the
integration will use it.
Create Authentication Module named LDAP_EBS if it does not already exist. If Authentication Module LDAP_EBS
exists, the integration will use it.
Configure Oracle Access Manager OAM Agent named <sid_host>.
Configure Authentication Scheme named EBSAuthScheme.
Configure Application Domain named <sid_host> with required Authentication Policies and response headers for your
Oracle E-Business Suite integration.
Set Oracle E-Business Suite profile options Application Authenticate Agent (APPS_AUTH_AGENT) and Applications
SSO Type (APPS_SSO).

Alternatively, you can execute the script using parameters. For example:

If Oracle E-Business Suite is integrated with Oracle Internet Directory:

$ txkrun.pl -script=SetOAMReg -registeroam=yes \
-oamHost=http://myoam.us.oracle.com:7001 \
-oamUserName=weblogic \
-ldapUrl=ldap://myoid.us.oracle.com:3060 \
-oidUserName=cn=orcladmin \
-skipConfirm=yes \
-ldapSearchBase=cn=Users,dc=example,dc=com \
-ldapGroupSearchBase=cn=Groups,dc=example,dc=com

If Oracle E-Business Suite is integrated with Oracle Unified Directory:

$ txkrun.pl -script=SetOAMReg -registeroam=yes -ldapProvider=OUD \
-oamHost=http://myoam.us.oracle.com:7001 \
-oamUserName=weblogic \
-ldapUrl=ldap://myoud.us.oracle.com:1389 \
-oidUserName="cn=directory manager" \
-skipConfirm=yes \
-ldapSearchBase=ou=People,dc=example,dc=com \
-ldapGroupSearchBase=dc=example,dc=com

Replace 'dc=example,dc=com' with the appropriate values for your ldap search base.

The script must complete successfully. Review the log files for any error messages.

By default, the registration as documented above automatically creates an Authentication Scheme named EBSAuthScheme.

For a multi-node configuration, after registering the first node, subsequent nodes should be registered by referencing the already existing
authentication scheme, as detailed below:

Register an additional node by referencing the existing Authentication Scheme (authScheme) named EBSAuthScheme, for example:

If Oracle E-Business Suite is integrated with Oracle Internet Directory:

$ txkrun.pl -script=SetOAMReg -registeroam=yes \
-oamHost=http://myoam.us.oracle.com:7001 \
-oamUserName=weblogic \
-ldapUrl=ldap://myoid.us.oracle.com:3060 \
-oidUserName=cn=orcladmin \
-ldapSearchBase=cn=Users,dc=example,dc=com \
-ldapGroupSearchBase=cn=Groups,dc=example,dc=com \
-authScheme=EBSAuthScheme \
-authSchemeMode=reference

If Oracle E-Business Suite is integrated with Oracle Unified Directory:

$ txkrun.pl -script=SetOAMReg -registeroam=yes -ldapProvider=OUD \
-oamHost=http://myoam.us.oracle.com:7001 \
-oamUserName=weblogic \
-ldapUrl=ldap://myoud.us.oracle.com:1389 \
-oidUserName="cn=directory manager" \
-ldapSearchBase=ou=People,dc=example,dc=com \
-ldapGroupSearchBase=dc=example,dc=com \
-authScheme=EBSAuthScheme \
-authSchemeMode=reference

Optionally, you can also register your Oracle E-Business Suite instance using a custom authentication scheme that you have created
manually using your OAM Console prior to registering your Oracle E-Business Suite instance.

To register your Oracle E-Business Suite instance with an existing custom authentication scheme, you can specify the following two additional command line parameters when executing the registration script txkrun.pl -script=SetOAMReg -registeroam=yes:

-authScheme=<Authentication Scheme>
-authSchemeMode=<create_reference|reference|create_update>

Description: -authScheme=<Authentication Scheme>

This parameter allows you to specify an authentication scheme to be created, updated or referenced. The default value is
"EBSAuthScheme".

-authSchemeMode=create_reference (default)

Authentication Scheme mode "create_reference" is the default mode. The automated registration will create the specified authentication
scheme if it does not exist. If the specified authentication scheme already exists, the registration will reference the existing authentication
scheme. In this mode, an existing authentication scheme will not be overwritten.

-authSchemeMode=reference

Authentication Scheme mode "reference" will reference an existing authentication scheme. This mode does not create or update an
existing authentication scheme, but will error if the specified authentication scheme does not exist.

-authSchemeMode=create_update

Authentication Scheme mode "create_update" will create the specified authentication scheme if it does not exist, or update an existing
authentication scheme.

Example usage:

If you have created an authentication scheme named "CustomAuthScheme" using your OAM Console, prior to registering your Oracle E-Business Suite instance, you should register your Oracle E-Business Suite instance using your custom authentication scheme as follows:

If Oracle E-Business Suite is integrated with Oracle Internet Directory:

$ txkrun.pl -script=SetOAMReg -registeroam=yes \
-oamHost=http://myoam.us.oracle.com:7001 \
-oamUserName=weblogic \
-ldapUrl=ldap://myoid.us.oracle.com:3060 \
-oidUserName=cn=orcladmin \
-ldapSearchBase=cn=Users,dc=example,dc=com \
-ldapGroupSearchBase=cn=Groups,dc=example,dc=com \
-authScheme=CustomAuthScheme \
-authSchemeMode=reference

If Oracle E-Business Suite is integrated with Oracle Unified Directory:

$ txkrun.pl -script=SetOAMReg -registeroam=yes -ldapProvider=OUD \
-oamHost=http://myoam.us.oracle.com:7001 \
-oamUserName=weblogic \
-ldapUrl=ldap://myoud.us.oracle.com:1389 \
-oidUserName="cn=directory manager" \
-ldapSearchBase=ou=People,dc=example,dc=com \
-ldapGroupSearchBase=dc=example,dc=com \
-authScheme=CustomAuthScheme \
-authSchemeMode=reference

Important Note:
If you are planning to use a custom authentication scheme, please refer to the information in Section 5.5 Authentication Methods supported with Oracle Access Manager. Oracle E-Business Suite Development does not explicitly certify alternative authentication methods supported by Oracle Access Manager. Oracle E-Business Suite Support may ask you to revert Oracle Access Manager to the explicitly certified form based authentication and the default authentication scheme EBSAuthScheme, before issues with Oracle E-Business Suite can be triaged.

The registration script is re-runnable. If the registration script fails for any reason (for example, the OAM server is down), the script will detect an incomplete run, and continue completing the session with the same parameters after prompting for confirmation to continue.

If you configured your patch file system during an Online Patching cycle, complete your Online Patching cycle.

Stop and Restart the Oracle E-Business Suite 12.2 OHS and WebLogic servers.

4.3 Test Single Sign-On with Oracle E-Business Suite

You have completed integrating Oracle E-Business Suite with Oracle Access Manager 11.1.2 using Oracle E-Business Suite
AccessGate.

Test single sign-on integration now.

Log on to Oracle E-Business Suite:

http://<ebshost>.<domain>:<port>/OA_HTML/AppsLogin

You will be redirected to your Oracle Access Manager single sign-on page. Log in using valid OID user credentials. After successful authentication, you will be redirected to your Oracle E-Business Suite home page.

Note:
If you are using Oracle E-Business Suite Release 12.2.6 or higher, you can choose to configure single sign-on and local authentication
at site and server level. Refer to section 6.5 - Configure Single Sign-on at Site or Server Level for further information.

4.4 Perform fs_clone

Stop the oaea managed server on the run file system (see Appendix B: Known Issues for further information).

Your Oracle E-Business Suite Release 12.2 instance is now integrated with Oracle Access Manager using Oracle E-Business Suite
AccessGate on your run file system.

Perform an fs_clone to synchronize the changes to your patch file system before you start the next Oracle E-Business Suite Release
12.2 Online Patching cycle.

Section 5: Oracle Access Manager Configurations

This section lists additional configurations on your Oracle Access Manager server and information about advanced authentication
methods supported with Oracle Access Manager.

5.1 Configure Oracle Access Manager to support long URLs
5.2 Configure Oracle Access Manager Whitelist
5.3 Configure Oracle Access Manager Session Timeout
5.4 Configure Languages for the Oracle Access Manager Login Page
5.5 Authentication Methods supported with Oracle Access Manager

5.1 Configure Oracle Access Manager to support long URLs

Long URLs may exceed a cookie limit on your Internet browser. Configure Oracle Access Manager to support long URLs by changing
the serverRequestCacheType from COOKIE to FORM in Oracle Access Manager configuration file
$DOMAIN_HOME/config/fmwconfig/oam-config.xml:

<Setting Name="serverRequestCacheType" Type="xsd:string">FORM</Setting>

Refer to section Application URL Requirements in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management
11g Release 2 (11.1.2).

5.2 Configure Oracle Access Manager Whitelist

Oracle Access Manager whitelist is enabled by default in Oracle Access Manager 11.1.2.3.

Oracle Access Manager must be configured to only redirect to URLs listed in a whitelist. Oracle recommends that this configuration be
done as part of a Secure Configuration.
To use this Oracle Access Manager feature, you must add your Oracle E-Business Suite middle tier URL (Oracle E-Business Suite host
name and port) to the whitelist. For example:

cd $OAM_ORACLE_HOME/common/bin
./wlst.sh
wls:/offline> connect('weblogic','kwD9ij4dj', 'myoam.example.com:7001')
wls:/offline> domainRuntime()
wls...> oamWhiteListURLConfig(Name="EBS", Value="http://<ebshost>.<domain>:<port>", Operation="Update")
wls...> oamWhiteListURLConfig(Name="OAMCONSOLE", Value="http://<oamconsole_host>:<oamconsole_port>", Operation="Update")
wls...> oamWhiteListURLConfig(Name="EBS_POSTLOGOUT", Value="<APPS_SSO_POSTLOGOUT_HOME_URL>", Operation="Update")
wls...> exit()

Replace '<ebshost>.<domain>:<port>' with the fully qualified host name and port of your Oracle E-Business Suite middle tier. For example:
'ebshost.example.com:8001'.

Replace <oamconsole_host>:<oamconsole_port> with the fully qualified Host Name and Port for your Oracle Access Manager Console.
For example: 'oamserver.example.com:7001'.

In addition, if you configured the optional profile 'Applications SSO Post Logout URL' (APPS_SSO_POSTLOGOUT_HOME_URL) to re-
direct to a different server URL post logout, replace <APPS_SSO_POSTLOGOUT_HOME_URL> with the URL from the 'Applications
SSO Post Logout URL' profile option.

For further information on configuring the whitelist, refer to wlst commands 'oamSetWhiteListMode' and 'oamWhiteListURLConfig'
in Oracle Fusion Middleware WebLogic Scripting Tool Command Reference for Identity and Access Management.

5.3 Configure Oracle Access Manager Session Timeout

You can configure an inactivity timeout for a session in both Oracle E-Business Suite and Oracle Access Manager. The timeout values
should be the same for both applications. If you configure a timeout value for Oracle E-Business Suite that is shorter than the one you
configure for Oracle Access Manager, users can re-establish their Oracle E-Business Suite session after it times out without providing
login credentials.

The inactivity timeout in Oracle E-Business Suite is configured in profile option ICX: Session Timeout (minutes). The inactivity timeout in
Oracle Access Manager is configured as Idle Timeout (minutes) under Common Settings in the OAM Console System Configuration.
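The three settings in sections 5.1 to 5.3 are easy to verify programmatically. The following audit script is an added example, not code from this note or from Oracle Access Manager; the oam-config.xml fragment, the whitelist entries and the timeout values are constructed samples, and the sample deliberately still has the default COOKIE cache type, a missing EBS whitelist entry and a shorter E-Business Suite timeout so that all three findings are reported.

```python
"""Audit checks for the Oracle Access Manager settings described in sections
5.1 to 5.3: serverRequestCacheType, the redirect whitelist and the matching
inactivity timeouts.

Added example, not code from the Oracle support note or from OAM itself. The
oam-config.xml fragment and the whitelist entries are constructed samples."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed fragment in the shape of $DOMAIN_HOME/config/fmwconfig/oam-config.xml,
# still at the default COOKIE value that long URLs can overflow.
SAMPLE_OAM_CONFIG = """<Configuration>
  <Setting Name="serverRequestCacheType" Type="xsd:string">COOKIE</Setting>
  <Setting Name="SomeOtherSetting" Type="xsd:string">unchanged</Setting>
</Configuration>"""

# Constructed whitelist as maintained with oamWhiteListURLConfig; the console
# entry is present but the EBS middle tier has not been added yet.
SAMPLE_WHITELIST = {
    "OAMCONSOLE": "http://oamserver.example.com:7001",
}


def request_cache_type(oam_config_xml):
    """Return the serverRequestCacheType value, or None if the setting is absent."""
    root = ET.fromstring(oam_config_xml)
    for setting in root.iter("Setting"):
        if setting.get("Name") == "serverRequestCacheType":
            return (setting.text or "").strip()
    return None


def origin(url):
    """Reduce a URL to scheme://host:port so whitelist entries compare reliably
    regardless of case, a trailing slash or an omitted default port."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.scheme.lower()}://{parts.hostname.lower()}:{port}"


def whitelist_findings(whitelist, ebs_url, oamconsole_url, postlogout_url=None):
    """Section 5.2: every URL OAM may redirect to must be whitelisted. Returns
    the names (EBS, OAMCONSOLE, EBS_POSTLOGOUT) whose origin is missing."""
    listed = {origin(u) for u in whitelist.values()}
    required = {"EBS": ebs_url, "OAMCONSOLE": oamconsole_url}
    if postlogout_url:  # only when APPS_SSO_POSTLOGOUT_HOME_URL redirects elsewhere
        required["EBS_POSTLOGOUT"] = postlogout_url
    return sorted(name for name, url in required.items() if origin(url) not in listed)


def timeout_finding(icx_session_timeout_min, oam_idle_timeout_min):
    """Section 5.3: ICX: Session Timeout and the OAM Idle Timeout must match.
    An EBS timeout shorter than OAM's lets a user re-enter a timed-out EBS
    session without re-authenticating, so that case is reported as a risk."""
    if icx_session_timeout_min == oam_idle_timeout_min:
        return None
    if icx_session_timeout_min < oam_idle_timeout_min:
        return "risk: ICX: Session Timeout is shorter than the OAM Idle Timeout"
    return "mismatch: ICX: Session Timeout is longer than the OAM Idle Timeout"


def audit(oam_config_xml, whitelist, ebs_url, oamconsole_url,
          icx_min, oam_idle_min, postlogout_url=None):
    """Run all three checks and return a list of findings (empty when compliant)."""
    findings = []
    cache = request_cache_type(oam_config_xml)
    if cache != "FORM":
        findings.append(f"serverRequestCacheType is {cache!r}, expected 'FORM'")
    for name in whitelist_findings(whitelist, ebs_url, oamconsole_url, postlogout_url):
        findings.append(f"whitelist entry {name} is missing")
    timeout = timeout_finding(icx_min, oam_idle_min)
    if timeout:
        findings.append(timeout)
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_OAM_CONFIG, SAMPLE_WHITELIST,
                      "http://ebshost.example.com:8001",
                      "http://oamserver.example.com:7001", 15, 30):
        print(line)
```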

5.4 Configure Languages for the Oracle Access Manager Login Page

Oracle Access Management 11.1.2.1 supports language selection through a drop down list of languages in the login page combined with
use of the OAM_LANG_PREF language preference cookie. The Oracle Access Manager login page can be synchronized with the set of
installed languages in Oracle E-Business Suite. To configure the Oracle Access Manager login page to provide language selection, refer
to the section Choosing a User Login Language in the Oracle Fusion Middleware Administrator's Guide for Oracle Access
Management and the 'configOAMLoginPagePref' command in the Oracle Fusion Middleware WebLogic Scripting Tool Command
Reference for Identity and Access Management.

To enable languages in the Oracle Access Manager login page to match the languages installed in Oracle E-Business Suite:

wls...> configOAMLoginPagePref(persistentCookie="false", persistentCookieLifetime=<SessionTimeout>,
langPrefCookieDomain="<mydomain>", langPrefOrder="oamPrefsCookie, browserAcceptLanguage, serverOverrideLangPref, defaultLanguage",
serverOverrideLanguage="<EBS_Base_Lang>", defaultLanguage="<Default_Lang>", applicationSupportedLocales="<lang1>,<lang2>,<lang3>,<lang4>")

Recommended Settings for the language configuration in the Oracle Access Manager login page when integrated with Oracle E-
Business Suite are as follows:

Ensure that 'persistentCookie' is set to 'false'. This makes the OAM_LANG_PREF cookie a session cookie,
ensuring that when a user starts a new browser session this language cookie no longer exists.
Replace <SessionTimeout> with the value that you have specified for Session Timeout in Oracle E-Business Suite and
Oracle Access Manager.
Replace <mydomain> with the Domain Name on which Oracle Access Manager is configured.
Ensure that 'langPrefOrder' is set to "oamPrefsCookie, browserAcceptLanguage,
serverOverrideLangPref,defaultLanguage".

Using the oamPrefsCookie first in the order of precedence is required as Oracle E-Business Suite will set the preferred
language in the OAM_LANG_PREF cookie.

Replace <EBS_Base_Lang> with the base language installed in Oracle E-Business Suite:
Setting 'serverOverrideLanguage' to the base language installed in Oracle E-Business Suite ensures that when the
OAM_LANG_PREF cookie is not yet set and the Browser language is not set to a language supported by the Oracle
Access Manager login page, then the Oracle Access Manager login page will attempt to display in the Oracle E-
Business Suite base language. If this language is not supported by the Oracle Access Manager login page then the
default language (see below) will be used.
Replace <Default_Lang> with 'en':
Setting 'defaultLanguage' to 'en' ensures that English is the final fallback language used for the Oracle Access
Manager login page.
For 'applicationSupportedLocales' specify the language codes for each of the languages that are installed in the
Oracle E-Business Suite environment. This includes the base language and 'en' (English). The language code values
are documented in Table 2-4 - Language Codes for Login Pages in the Oracle Fusion Middleware WebLogic
Scripting Tool Command Reference.

Example Scenario

An Oracle E-Business Suite environment has:

French as the base language
English, German, Arabic, Korean, Simplified Chinese, Traditional Chinese and Brazilian Portuguese as installed languages.
Profile option 'ICX: Session Timeout' and the Oracle Access Manager 'Idle Timeout' are set to 15 minutes.
The Domain name is 'example.us.com'

To configure the Oracle Access Manager login page languages to match this Oracle E-Business Suite environment:

wls...> configOAMLoginPagePref(persistentCookie="false", persistentCookieLifetime=15, langPrefCookieDomain="example.us.com",
langPrefOrder="oamPrefsCookie, browserAcceptLanguage, serverOverrideLangPref, defaultLanguage", serverOverrideLanguage="fr",
defaultLanguage="en", applicationSupportedLocales="en,fr,de,ar,ko,zh-CN,zh-TW,pt-BR")

There are several languages supported by Oracle E-Business Suite that are not currently supported by the OAM login page in 11.1.2.1;
refer to Known Issues for a list of those languages:

If you have any of those languages installed in your Oracle E-Business Suite environment, you should continue with the Oracle
E-Business Suite profile option 'Applications Override SSO Server Language' (FND_OVERRIDE_SSO_LANG) set to 'Override SSO
Server Language'. In that case Oracle E-Business Suite will always use the site/user value for the profile option 'ICX: Language'
(ICX_LANGUAGE). For further information regarding the profile option 'Applications Override SSO Server Language', refer to the
'Login Page Language and Runtime Session Language' section in Oracle E-Business Suite Setup Guide Release 12.2.

The language feature in OAM should remain disabled by skipping this section (5.4 Configure Languages for the Oracle Access
Manager Login Page). The Oracle Access Manager login page will continue to be displayed without a Language LOV, and the text on
the OAM login page will appear in the language according to the user's browser preferences for the languages that OAM supports;
otherwise it will default to OAM's default language.

For further information regarding how Oracle E-Business Suite handles language precedence, refer to Document 393861.1 Globalization
Guide for Oracle Applications Release 12.

When accessing the default Oracle Access Manager login page from the Oracle E-Business Suite AppsLogin page for the very first time
(i.e. a new browser session), Oracle E-Business Suite sets the language in the OAM_LANG_PREF cookie based on the browser
language preference setting. If this language is not enabled for the OAM login page, English is used.

If a user changes their 'session language' via the 'Preferences' page in Oracle E-Business Suite, regardless of the setting in the profile
'Applications Override SSO Server Language' (FND_OVERRIDE_SSO_LANG), this new session language will be used in the
OAM_LANG_PREF cookie.

Once the session language value has been changed in this manner, the Oracle E-Business Suite Home Page, the Oracle Access
Manager login page (displayed after logging out of Oracle E-Business Suite) and the subsequent login to Oracle E-Business Suite will
display in the newly set session language. This is the "login/logout" loop, which means that the language of the Home page,
login page, and logout page is set based on the last session language. This loop will exist until the user closes the browser or the cookie
times out (as specified in the 'persistentCookieLifetime' parameter).

5.5 Authentication Methods supported with Oracle Access Manager

Oracle E-Business Suite delegates authentication to Oracle Access Manager. Oracle Access Manager protects resources, enforces
authentication, and returns the configured response headers after successful authentication. Returning the configured response headers
does not require any Oracle E-Business Suite or Oracle E-Business Suite AccessGate code. Oracle Access Manager must return these
response headers even without having Oracle E-Business Suite AccessGate installed.

5.5.1 Form based authentication

Oracle E-Business Suite Development explicitly certifies the form based challenge method only.

5.5.2 Alternative authentication methods

In addition to the form based challenge method, Oracle Access Manager supports several alternative authentication methods, including
Windows Native Authentication, X.509, integration with Oracle Identity Federation or other third party access management systems. You
may leverage Oracle Access Manager to further integrate with any of the alternative authentication mechanisms supported by Oracle
Access Manager. Integration with Oracle E-Business Suite is expected to work regardless of how Oracle Access Manager authenticates
the user, provided that Oracle Access Manager protects the resources, enforces authentication, and returns the configured response
headers.

Oracle E-Business Suite Development does not explicitly certify these alternative authentication methods. Oracle E-Business Suite
Support may ask you to revert Oracle Access Manager to the explicitly certified form based authentication, before issues with Oracle E-
Business Suite can be triaged.

If you encounter issues during configuration of Oracle Access Manager with alternative authentication mechanisms, you may contact
Oracle Access Manager Support.

OAM for Federation:

If you are configuring OAM for Federation, with a 3rd party Identity Provider (IDP), where logout is initiated from the 3rd party Identity
Provider, OAM does not currently provide sufficient logout callback functionality to destroy all registered partner application sessions.

By contrast, if OAM is not configured for Federation and logout is triggered from any of OAM's registered partner applications, OAM
executes a configured OAM Agent Logout Callback URL http(s)://<ebshost>.<domain>:<port>/OA_HTML/AppsLogout. This ensures that
an existing Oracle E-Business Suite session is destroyed during centralized logout, initiated from any of the registered partner
applications.

OAM does not currently support executing logout callback URLs in a way that works for any OAM authentication scheme in general. If
you configure OAM with a 3rd party Identity Management system, you must ensure centralized logout properly logs the user out from
Oracle E-Business Suite. You may need to keep the OAM Agent Logout Callback URL at the default value of '/oam_logout_success',
and then customize the federated logout flow to ensure that it executes Oracle E-Business Suite AppsLogout.

Refer to OAM Enhancement 11888451.

Section 6: Advanced Configurations

This section provides additional information on following advanced configurations:

6.1 Configure Transport Layer Security (TLS)
6.2 Configure Single Sign-on in a Load Balanced Oracle E-Business Suite Environment
6.3 Deploy Oracle E-Business Suite AccessGate with a Real Applications Clusters (RAC) Database
6.4 Deploy Oracle E-Business Suite AccessGate in a Demilitarized Zone (DMZ)
6.5 Configure Single Sign-on at Site or Server Level

6.1 Configure Transport Layer Security (TLS)

In production environments, we recommend the use of TLS on both the Oracle E-Business Suite middle tier and the WebLogic Server
instance where the Oracle E-Business Suite AccessGate is deployed. We always recommend the use of TLS on the HTTP server
where the WebGate plug-in is deployed.

Refer to My Oracle Support Knowledge Document 1367293.1 to configure TLS on an Oracle E-Business Suite Release 12.2 middle tier
server node.

Important Note:
Configure TLS to match the TLS configuration in Oracle E-Business Suite Release 12.2. For example, if Oracle E-Business Suite
Release 12.2 is configured for strict TLS 1.2 then the OAM managed server should also be configured for strict TLS 1.2.

The Oracle Fusion Middleware Administrator's Guide for Oracle Access Management 11g Release 2 (11.1.2) documents the steps
necessary to enable TLS communication for the Oracle Access Manager components:

Appendix Securing Communication provides instructions on how to secure communications between Oracle Access
Manager 11g and WebGates.
No special steps are needed to configure WebGate for intercepting TLS requests, as long as the Oracle HTTP Server
where it is installed is configured to support TLS.

For more information on configuring TLS for other technology components required for this integration, consult the following resources:

For Oracle WebLogic Server, refer to the chapter Configuring SSL in Oracle Fusion Middleware Securing Oracle
WebLogic Server.

When using WebLogic Server Release 10.3.6 and above and enabling TLS:

Ensure that the following are enabled in the WebLogic Server Administration Console:
WebLogic Plug-In
Client Cert Proxy

To verify this:
Navigate to 'Environments' > 'Servers' > 'oam_server1'
Access the 'General' tab
Expand the 'Advanced' section and check the checkboxes for:
WebLogic Plug-In Enabled
Client Cert Proxy Enabled

Ensure that the following has been enabled in the WebLogic Server Administration Console:
Use JSSE SSL

To verify this:
Navigate to 'Environments' > 'Servers' > 'oam_server1'
Access the 'SSL' tab
Expand the 'Advanced' section and check the checkbox for:
Use JSSE SSL

Restricting the TLS Protocol:

If you have enabled strict TLSv1.2 (that is, enabled only the TLSv1.2 protocol), then in addition to the settings detailed above you must
add the following parameter as a JAVA_OPTION for the OAM managed server at startup:
-Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2
Refer to Document 1936300.1 for details of where and how to specify JAVA_OPTIONS.

To configure TLS in your Oracle Access Manager environment, refer to Document 1936300.1 - How to Change SSL Protocols (to
Disable SSL 2.0/3.0) in Oracle Fusion Middleware Products.

To restrict the ciphers, refer to Document 1067411.1 - How To Disable Anonymous and Weak Cipher Suites in WebLogic Server.
It is recommended to update to the latest Java version and WLS PSU version, in order to configure with the higher TLS protocols using
the stronger cipher suites.

When deploying Oracle E-Business Suite AccessGate, ensure that you specify HTTPS and the OAM TLS port for the -SSOServerURL
parameter.

If you have already deployed Oracle E-Business Suite AccessGate with non-TLS, you need to remove the deployment (stop and delete)
and re-deploy with the required TLS values. Refer to Section 4.1 Deploy Oracle E-Business Suite AccessGate above for the deployment
instructions.

When registering Oracle E-Business Suite with OAM, ensure that you specify the TLS protocol and the TLS port.

If you have already registered Oracle E-Business Suite with OAM using non-TLS values, you need to update the logoutRedirectUrl of the
OAM domain agent 'IAMSuiteAgent' to use the TLS protocol for OAM (HTTPS) and the TLS port, and also update the 'Logout Redirect URL'
of the WebGate agent in the OAM console to use the TLS protocol for OAM (HTTPS) and the TLS port.

After performing the configuration in this section, the following steps are required:

1. Test Single Sign-on with Oracle E-Business Suite
2. Perform fs_clone

6.2 Configure Single Sign-on in a Load Balanced Oracle E-Business Suite Environment

You can configure a load balancer to front end multiple Oracle E-Business Suite webtier servers. The load balancer acts as single entry
point to these Oracle E-Business Suite webtier servers. To configure your Oracle E-Business Suite environment with a load balancer,
refer to My Oracle Support Knowledge Document 1375686.1 Using Load Balancers with Oracle E-Business Suite Release 12.2.

First confirm that the load balanced environments are functioning correctly before continuing to configure your Oracle E-Business Suite
application tier servers with Oracle Access Manager.

For each Oracle E-Business Suite application tier server that participates in your load balanced configuration, perform the following:

Apply the prerequisite software updates as documented in Section 3.5 Install Prerequisite Software Updates and
Components on your Oracle E-Business Suite Release 12.2 Instance.

Deploy Oracle E-Business Suite AccessGate on each Oracle E-Business Suite Application Tier server node using the
following command, to specify the managed server name and managed server port on which to deploy:

$ perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources \
-contextfile=$CONTEXT_FILE \
-deployApps=accessgate \
-SSOServerURL=<OAM Server URL> \
-managedsrvname=<managed server name> \
-managedsrvport=<managed server port> \
-logfile=<logfile>

For example:

$ perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources \
-contextfile=$CONTEXT_FILE \
-deployApps=accessgate \
-SSOServerURL=http://oamserver.example.com:14100 \
-managedsrvname=oaea_server1 \
-managedsrvport=6801 \
-logfile=/tmp/deployeag_6801.log

$ perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources \
-contextfile=$CONTEXT_FILE \
-deployApps=accessgate \
-SSOServerURL=http://oamserver.example.com:14100 \
-managedsrvname=oaea_server2 \
-managedsrvport=6802 \
-logfile=/tmp/deployeag_6802.log

The script will prompt for the following passwords:

Enter the APPS Schema password.
Enter the WebLogic AdminServer password.

Enter the required information when prompted.

Refer to Section 4.1 Deploy Oracle E-Business Suite AccessGate, for more information on parameters.

Execute the following command once for each managed server on which Oracle E-Business Suite AccessGate has
been deployed, to add details of the managed server into the OHS configuration files mod_wl_ohs.conf and apps.conf:

$ perl $FND_TOP/patch/115/bin/txkSetAppsConf.pl \
-contextfile=$CONTEXT_FILE \
-configoption=addMS \
-accessgate=<host>.<domain>:<port>

Replace <host>.<domain>:<port> with the hostname, full domain name and port of the managed server:
For example: ebshost1.example.com:6801

For example:

$ perl $FND_TOP/patch/115/bin/txkSetAppsConf.pl \
-contextfile=$CONTEXT_FILE \
-configoption=addMS \
-accessgate=ebshost1.example.com:6801

$ perl $FND_TOP/patch/115/bin/txkSetAppsConf.pl \
-contextfile=$CONTEXT_FILE \
-configoption=addMS \
-accessgate=ebshost2.example.com:6802

Register each Oracle E-Business Suite application tier server with Oracle Access Manager as documented in
section 4.2 Register Oracle E-Business Suite with Oracle Access Manager of this document.

After performing the configuration in this section, the following steps are required:
1. Test Single Sign-on with Oracle E-Business Suite
2. Perform fs_clone

Note:
If you are using Oracle E-Business Suite Release 12.2.6 or higher, you can choose to configure single sign on and local authentication
at site and server level. Refer to section 6.5 - Configure Single Sign-on at Site or Server Level for further information. You must use the
same Application SSO Type profile configuration for all nodes that participate in a load balanced configuration.

6.3 Deploy Oracle E-Business Suite AccessGate with a Real Applications Clusters (RAC) Database

If your database instance and your Oracle E-Business Suite Release 12.2 environment are configured to use RAC load balancing, your
Oracle E-Business Suite AccessGate will seamlessly continue to work.

For more information regarding Identity Management components with a RAC database, refer to the section Configuring High Availability
for Oracle Identity Manager Components in the Oracle Fusion Middleware High Availability Guide for Oracle Identity and Access
Management.

After performing the configuration in this section, the following steps are required:

1. Test Single Sign-on with Oracle E-Business Suite
2. Perform fs_clone

6.4 Deploy Oracle E-Business Suite AccessGate in a Demilitarized Zone (DMZ)

To make a subset of Oracle E-Business Suite Release 12 functionality accessible via the Internet to external users, refer to My Oracle
Support Knowledge Document 1375670.1, Oracle E-Business Suite Release 12.2 Configuration in a DMZ. Confirm that these
environments are working properly using local logon for all configured Oracle E-Business Suite Application Tiers, before continuing to
configure all your Oracle E-Business Suite Application Tiers with Oracle Access Manager for single sign on.

If you are using Oracle E-Business Suite Release 12.2.6 or higher, you can choose to configure single sign on and local authentication
at site and server level. Refer to section 6.5 Configure Single Sign-on at Site or Server Level for details. If you wish to use local
authentication for external entry points, then you will not register these external entry points with Oracle Access Manager for single sign-
on, as described in this section. Instead you will only set the profile Applications SSO Type (APPS_SSO) to SSWA for local
authentication at server level for selected external entry points.

To enable single sign on for external entry points, you must configure each Application Tier as documented in this section. This includes
deploying Oracle E-Business Suite AccessGate, and registering your Application Tier with Oracle Access Manager. The required Oracle
E-Business Suite AccessGate and WebGate components are embedded in each of your Oracle E-Business Suite Release 12.2
Application Tiers.

You can use any of the DMZ topologies documented in My Oracle Support Knowledge Document 1375670.1 Oracle E-Business Suite
Release 12.2 Configuration in a DMZ. In any topology, Oracle Access Manager and Oracle Internet Directory should be installed on the
intranet, completely isolated from any unauthenticated network connection. For each of your Oracle E-Business Suite
Release 12.2 Application Tiers you will plan to make the web entry point accessible either to internal users only, or to external users over
the internet. Oracle E-Business Suite Release 12.2 Application Tiers that are accessed by external users over the internet must be
registered with WebGate configured as Detached Credentials Collector (DCC), following the registration steps in this section.

Before you proceed with configuring each of your external Oracle E-Business Suite Release 12.2 Application Tiers (DMZ), you must first
configure your internal Oracle E-Business Suite Release 12.2 Application Tier as entry point for internal users at SITE level. Follow the
steps in the main section 4 of this document.

Then proceed with the additional steps in this section below to configure each of your external Oracle E-Business Suite Release 12.2
Application Tiers (DMZ) as the entry point for external users at SERVER level.

For additional information on deploying Oracle Access Manager and WebGates in a DMZ, refer to the Oracle Fusion Middleware
Enterprise Deployment Guide for Oracle Identity Management 11g Release 2 (11.1.2), and Oracle Fusion Middleware Administrator's
Guide for Oracle Access Management 11g Release 2 (11.1.2), section Configuring 11g Webgates and Authentication Policy for DCC.

6.4.1 Deploy Oracle E-Business Suite AccessGate on your External Oracle E-Business Suite Application Tier (DMZ)
Source the Oracle E-Business Suite environment file on your external application tier in the DMZ.

$ cd <EBS_BASE_HOME>
$ . EBSapps.env
$ echo $FILE_EDITION

EBS_BASE_HOME is the top directory where fs1, fs2, and others are installed.

Type "R" to select the run file system environment when prompted. Echo $FILE_EDITION returns "run" to indicate that
the run file system is sourced. Ensure there is no active Online Patching cycle.
Alternatively, if you wish to register Oracle E-Business Suite during an active Online Patching cycle, type "P" to select
the patch file system environment when prompted. Echo $FILE_EDITION returns "patch" to indicate that the patch file
system is sourced.

Prerequisites:

The Oracle WebLogic Administration Server on the primary internal application tier must be running from both the run
and patch file system.
The Oracle WebLogic Administration Server ports must be opened on the firewall that separates the external application
tier from the primary internal application tier. All other managed server ports must be closed between the external
application tier and the internal application tiers.

Execute the following command to deploy Oracle E-Business Suite AccessGate.

$ perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources \
-contextfile=$CONTEXT_FILE \
-deployApps=accessgate \
-SSOServerURL=<OAM Server URL> \
-OAMLogoutURL=<DCC Logout URL> \
[-managedsrvname=<managed server name>] \
[-managedsrvport=<managed server port>] \
-logfile=<logfile>

For parameter -SSOServerURL, specify the URL for your OAM managed server.

For parameter -OAMLogoutURL, specify the full URL of the Detached Credentials Collector logout script on your Oracle E-Business
Suite Release 12.2 webtier.

For example:

$ perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources \
-contextfile=$CONTEXT_FILE \
-deployApps=accessgate \
-SSOServerURL=http://myoam.example.com:14100 \
-OAMLogoutURL=http://myebs.example.com:80/oamsso-bin/logout.pl \
-managedsrvname=oaea_server3 \
-managedsrvport=6803 \
-logfile=/tmp/deployeag.log

The script will prompt for the following passwords:

Enter the APPS Schema password.
Enter the WebLogic AdminServer password.

The script must complete successfully. Review the log files for any error messages.

After successful completion of the script, ensure your WebLogic AdminServer is running, and execute the following command to add
details of the managed server into the OHS configuration files mod_wl_ohs.conf and apps.conf. This regenerates mod_wl_ohs.conf
based on your WebLogic domain configuration:

$ perl $FND_TOP/patch/115/bin/txkSetAppsConf.pl \
-contextfile=$CONTEXT_FILE \
-configoption=addMS \
-accessgate=<host>.<domain>:<port>

Replace <host>.<domain>:<port> with the hostname, full domain name and port of the new 'oaea_server3' managed
server:
For example: ebshost.example.com:6803

The script must complete successfully. Review the log files for any error messages.

6.4.2 Register Oracle E-Business Suite AccessGate on your External Oracle E-Business Suite Application Tier (DMZ)

Source the Oracle E-Business Suite environment file on your external application tier in the DMZ.

$ cd <EBS_BASE_HOME>
$ . EBSapps.env
$ echo $FILE_EDITION

EBS_BASE_HOME is the top directory where fs1, fs2, and others are installed.

Type "R" to select the run file system environment when prompted. Echo $FILE_EDITION returns "run" to indicate that
the run file system is sourced. Ensure there is no active Online Patching cycle.
Alternatively, if you wish to register Oracle E-Business Suite during an active Online Patching cycle, type "P" to select
the patch file system environment when prompted. Echo $FILE_EDITION returns "patch" to indicate that the patch file
system is sourced.

If Oracle E-Business Suite is integrated with Oracle Internet Directory:

Execute the following command to register Oracle E-Business Suite with Oracle Access Manager. Specify all parameters on a single
command line:

$ txkrun.pl -script=SetOAMReg -registeroam=yes -allowCCOperations=true -authScheme=EBSAuthSchemeDMZ \
-authChalRedirectUrl=http://myebs.example.com -authChalUrl=/oamsso-bin/login.pl -logoutUrl=/oamsso-bin/logout.pl \
-logoutRedirectUrl=null -protectedResource=/oamsso-bin/logout.pl -responseType=HTTP -ebsProfileLevel=Server

If Oracle E-Business Suite is integrated with Oracle Unified Directory:

Execute the following command to register Oracle E-Business Suite with Oracle Access Manager. Specify all parameters on a single
command line:

$ txkrun.pl -script=SetOAMReg -registeroam=yes -ldapProvider=OUD -oidUserName="cn=directory manager" \
-allowCCOperations=true -authScheme=EBSAuthSchemeDMZ \
-authChalRedirectUrl=http://myebs.example.com -authChalUrl=/oamsso-bin/login.pl -logoutUrl=/oamsso-bin/logout.pl \
-logoutRedirectUrl=null -protectedResource=/oamsso-bin/logout.pl -responseType=HTTP -ebsProfileLevel=Server

For parameter -authChalRedirectUrl, specify the base URL that external users use to access your Oracle E-Business Suite webtier. If
you use a load balancer in front of your Oracle E-Business Suite webtier, specify the load balancer base URL.

For parameter -ebsProfileLevel, specify either Server or Site (default). If you are configuring separate Oracle E-Business Suite instances
for internal and external users, you must register at least one instance at Site level. You may register other Oracle E-Business Suite
instances at Server level. This will set the APPS_AUTH_AGENT profile option at the SERVER level, so that internal users are directed
to one URL for authentication, and external users to another. For more information on E-Business Suite profile options at SERVER level,
refer to My Oracle Support Knowledge Document 1375670.1, Oracle E-Business Suite Release 12.2 Configuration in a DMZ.

For all other parameters, specify the values as listed in the example above.

The script will prompt for the following information.

Enter OAM console URL (for example: http://myoam.us.oracle.com:7001)
Enter OAM console user name (for example: weblogic)
Enter OAM console password
Enter LDAP URL (for example: ldap://myoid.us.oracle.com:3060)
Enter OID console user name (for example: cn=orcladmin)
Enter OID console password
Enter APPS password

Enter the required information when prompted.

The script must complete successfully. Review the log files for any error messages.

During the prerequisite DMZ configuration of your external application tier, following My Oracle Support Knowledge Document
1375670.1, Oracle E-Business Suite Release 12.2 Configuration in a DMZ, Appendix E: Configuring the URL Firewall, you will have
configured your OHS to use the URL Firewall configuration file url_fw.conf. This file implements a whitelist of URLs that are allowed.
You will find the URLs required for your Oracle E-Business Suite AccessGate integration with Oracle Access Manager in the section
with the following comment header:

#======================================================================
#Include URLs for Accessgate Application
#======================================================================

By default the URLs in this section are commented in url_fw.conf.

Edit url_fw.conf, and uncomment all lines in this section.

Stop and restart the Oracle E-Business Suite 12.2 OHS and WebLogic servers.

Verify that external users can access the following resources:

http://myebs.example.com/oamsso-bin/login.pl
http://myebs.example.com/oamsso-bin/logout.pl

If an error occurs when accessing the above URLs, check the OHS error log. If you see a 'Premature end of script headers' error, you
may need to adjust the perl location for your environment. Modify the first line, #!/usr/local/bin/perl, in the files login.pl and logout.pl in
the following directory so that it points to the correct location of perl:
$FMW_HOME/Oracle_OAMWebGate1/webgate/ohs/oamsso-bin

After performing the configuration in this section, the following steps are required:

1. Test Single Sign-on with Oracle E-Business Suite
2. Perform fs_clone
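The url_fw.conf edit above is a change to a deny-by-default whitelist, so it is worth confirming that only the AccessGate section was enabled. The script below is an added example, not part of the Oracle note: it uncomments that section and checks that every line outside it is unchanged and that the catch-all deny rule is still last. The rule lines in the sample file and the `RewriteRule .* - [F]` catch-all are constructed assumptions about the file's contents; only the section header format comes from the note.

```shell
#!/bin/sh
# Added example (not from the Oracle note). Enables the AccessGate section of
# the URL Firewall whitelist (url_fw.conf) and verifies that nothing outside
# that section changed. Sample rule lines and the deny-all catch-all are
# constructed; the real file is generated by AutoConfig.

# Write a constructed url_fw.conf sample to the file named in $1.
write_sample_url_fw() {
  cat > "$1" <<'EOF'
RewriteEngine On
#======================================================================
#Include URLs for core Applications
#======================================================================
RewriteRule ^/OA_HTML/AppsLogin$ - [L]
#======================================================================
#Include URLs for Accessgate Application
#======================================================================
#RewriteRule ^/accessgate/ - [L]
#RewriteRule ^/oamsso-bin/login.pl$ - [L]
#RewriteRule ^/oamsso-bin/logout.pl$ - [L]
#======================================================================
#Deny everything else (catch-all must stay last)
#======================================================================
RewriteRule .* - [F]
EOF
}

# One pass over url_fw.conf ($2) that locates the AccessGate section: it opens
# at the "#===" line closing the "#Include URLs for Accessgate Application"
# header and ends at the next "#===" line. Modes ($1):
#   uncomment  print the whole file with the section's leading '#' removed
#   count      print the number of active RewriteRule lines in the section
#   outside    print only the lines that are not in the section
accessgate_section() {
  awk -v mode="$1" '
    /^#Include URLs for Accessgate Application/ { in_hdr = 1 }
    in_sec && /^#=+$/                           { in_sec = 0 }
    !in_sec {
      if (mode != "count") print
      if (in_hdr && /^#=+$/) { in_hdr = 0; in_sec = 1 }
      next
    }
    mode == "count" && /^[ \t]*RewriteRule/ { n++ }
    mode == "uncomment"                     { sub(/^#+[ \t]*/, ""); print }
    END { if (mode == "count") print n + 0 }
  ' "$2"
}

# Rewrite $1 into $2 with the AccessGate section enabled.
uncomment_accessgate_section() {
  accessgate_section uncomment "$1" > "$2"
}

# Checks to run before restarting OHS on the edited file ($2) against the
# original ($1): the section now has active rules, every line outside the
# section is byte-identical, and the deny-all rule is still the last line
# (assumed catch-all form). Returns 0 when all three hold.
verify_accessgate_edit() {
  [ "$(accessgate_section count "$2")" -gt 0 ] || return 1
  [ "$(accessgate_section outside "$1")" = "$(accessgate_section outside "$2")" ] || return 1
  [ "$(tail -n 1 "$2")" = "RewriteRule .* - [F]" ] || return 1
  return 0
}

# Demo on the constructed sample.
demo_in=$(mktemp); demo_out=$(mktemp)
write_sample_url_fw "$demo_in"
uncomment_accessgate_section "$demo_in" "$demo_out"
if verify_accessgate_edit "$demo_in" "$demo_out"; then
  echo "AccessGate section enabled; $(accessgate_section count "$demo_out") rules active"
else
  echo "url_fw.conf edit touched lines outside the AccessGate section" >&2
fi
rm -f "$demo_in" "$demo_out"
```

On a real system, run it against a copy of url_fw.conf and diff the result before replacing the file.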

6.5 Configure Single Sign-on at Site or Server Level

If you are using Oracle E-Business Suite 12.2.6 or higher, you can choose to configure single sign-on and local authentication at site and
server level.

For example you may choose to register your Oracle E-Business Suite 12.2.6 instance with Oracle Access Manager for single sign-on at
site level (default) for all internal users. For external users, you may not wish to register external entry points for single sign-on, but
instead use local user authentication.

To configure single sign-on at site level and local user authentication for selected server entry points, set the profile Applications SSO
Type (APPS_SSO) as follows:

Profile: Applications SSO Type (APPS_SSO)
Level: Site
Value: SSWA w/SSO

Profile: Applications SSO Type (APPS_SSO)
Level: Server
Server: <Server Name>
Value: SSWA

As of Oracle E-Business Suite Release 12.2.6, the Applications SSO Type (APPS_SSO) profile option is decoupled from provisioning;
therefore provisioning from Oracle E-Business Suite to the LDAP Server (OID or OUD) will continue to take place after the profile option
has been set to 'SSWA' only.

For further information on enabling or disabling provisioning, refer to the following documents:

For Oracle Internet Directory:
Document 1371932.1 Integrating Oracle E-Business Suite Release 12.2 with Oracle Internet Directory 11gR1.

For Oracle Unified Directory:
Document 2003483.1 Integrating Oracle E-Business Suite Release 12.2 with Oracle Unified Directory 11g Release 2.

Section 7: Optional Post Installation Steps

7.1 Implement functionality for self-service password changes

If you wish to implement functionality for self-service password changes, you may install and configure the identity provisioning tool of
your choice and integrate it with Oracle Access Manager and Oracle E-Business Suite. Refer to the manual Oracle Fusion Middleware
Enterprise Deployment Guide for Oracle Identity and Access Management for more information on integrating Oracle Access Manager
with other provisioning and password management tools.
Once you have configured your identity provisioning tool with Oracle Access Manager, you may allow users to invoke an external URL
that supports self-service password changes from the Oracle E-Business Suite Preferences page. Set the following profile to enable this
functionality.

Profile: Application SSO Change Password URL (APPS_SSO_CHANGE_PWD_URL)
Level: Site
Value: Set this profile to an external page URL that supports self-service password changes, for example:
http://<IDM server>:<port>/account/changePassword

7.2 Migrating from using Oracle Single Sign-On Server

If you are migrating from using Oracle Single Sign-On Server, you should deregister OSSO from all nodes of your Oracle E-Business
Suite instance, once your Oracle Access Manager integration has been completed and tested. Refer to My Oracle Support
Knowledge Document 1371932.1. Your Oracle E-Business Suite instance and Oracle Internet Directory registrations will be retained
from your OSSO integration.

The OID registration scripts may reset the setting for the APPS_SSO profile option to SSWA. Log on to Oracle E-Business Suite and
verify the setting for the APPS_SSO profile option, changing it back to SSWA w/SSO if necessary.

Section 8: Upgrade and Migration

8.1 Oracle Access Manager Upgrade and Migration

Integrating Oracle E-Business Suite is simpler for Oracle Access Manager 11g Release 2 (11.1.2) than it was for previous Oracle Access
Manager releases. Oracle E-Business Suite is certified using the default OAM single sign-on page and no longer requires the
configuration of an Oracle E-Business Suite specific single sign-on page. The necessary configuration is now automated.

Follow the steps in section Integrate Oracle E-Business Suite with Oracle Access Manager to automatically integrate your Oracle E-
Business Suite Release 12.2 environment with Oracle Access Manager 11g Release 2 (11.1.2) instead of migrating your old Oracle
Access Manager configuration.

This is the recommended option because it involves fewer manual configuration steps.

Migration of the old Application Domain for Oracle E-Business Suite integration is not needed. If you have previously migrated the Oracle
E-Business Suite Application Domain along with other non Oracle E-Business Suite Application Domains from a previous Oracle Access
Manager release to Oracle Access Manager 11g Release 2, you must delete the old Oracle E-Business Suite Application Domain prior
to creating the new configuration. To delete your old Application Domain, use the Oracle Access Manager Console, select your old
Oracle E-Business Suite Application Domain in the Policy Configuration tab, and press the delete button.

8.1.1 Upgrading from Oracle Access Manager 11.1.2.2 to Oracle Access Manager 11.1.2.3:

As per Section 9 of the Oracle Fusion Middleware Release Notes for HTTP Server, Oracle WebGate version 11.1.2.3 for Oracle HTTP
Server supports only Oracle HTTP Server version 11.1.1.9. If your version of Oracle HTTP Server is lower than 11.1.1.9, it should be
upgraded to 11.1.1.9 by following Document 1590356.1 Upgrading Oracle Fusion Middleware Technology Stack of Oracle E-Business
Suite Release 12.2 to the latest 11gR1 (11.1.1.x) Patchset, before upgrading Oracle WebGate to version 11.1.2.3.

There are two options when upgrading to Oracle Access Manager 11.1.2.3 (Option 1 is the recommended option):

Upgrade Oracle HTTP Server, Oracle Access Manager and Oracle WebGate (Option 1)
Upgrade Oracle Access Manager Only (Option 2)

8.1.1.1 Upgrade Oracle HTTP Server, Oracle Access Manager and Oracle WebGate (Option 1)

1. Follow the steps in Appendix A to deregister Oracle E-Business Suite from Oracle Access Manager 11.1.2.2.
2. Apply the prerequisite patches as documented in Table B of step 3.5.2 - Download and apply Oracle E-Business Suite Updates.
3. Deinstall Oracle WebGate 11.1.2.2. Execute the following commands:

$ cd $FMW_HOME/Oracle_OAMWebGate1/oui/bin
$ ./runInstaller -deinstall

After deinstallation, ensure that the directory 'Oracle_OAMWebGate1' under <FMW_Home> is removed.

4. Upgrade Oracle HTTP Server to 11.1.1.9, by referring to Document 1590356.1 Upgrading Oracle Fusion Middleware Technology
Stack of Oracle E-Business Suite Release 12.2 to the latest 11gR1 (11.1.1.x) Patch Set.
5. Upgrade Oracle Access Manager to 11.1.2.3, by referring to Oracle Fusion Middleware Upgrade Guide for Oracle Identity and
Access Management 11g Release 2 (11.1.2.3.0) together with Oracle Fusion Middleware Release Notes for Identity Management 11g
Release 2 (11.1.2.3).
6. Follow Step 3.4 to apply Oracle Access Manager 11.1.2.3 Bundle Patch 3 (OAM 11.1.2.3.3) to Oracle Access Manager Server.
7. Perform steps 3.5.3 to 4.4 (inclusive) to download and install WebGate 11.1.2.3 and integrate Oracle E-Business Suite 12.2 with
Oracle Access Manager 11.1.2.3.

8.1.1.2 Upgrade Oracle Access Manager Only (Option 2)

If you plan to continue using Oracle HTTP Server 11.1.1.7 with Oracle Access Manager 11.1.2.3, you must continue using Oracle
WebGate 11.1.2.2 with Oracle Access Manager 11.1.2.3. It is necessary to re-register Oracle E-Business Suite 12.2 with Oracle Access
Manager 11.1.2.3 using the new registration scripts for Oracle Access Manager 11.1.2.3:

1. Follow the steps in Appendix A to deregister Oracle E-Business Suite from Oracle Access Manager 11.1.2.2.
2. Apply the prerequisite patches as documented in Table B of step 3.5.2 - Download and apply Oracle E-Business Suite Updates.
3. Upgrade Oracle Access Manager to 11.1.2.3, by referring to Oracle Fusion Middleware Upgrade Guide for Oracle Identity and
Access Management 11g Release 2 (11.1.2.3) together with Oracle Fusion Middleware Release Notes for Identity Management 11g
Release 2 (11.1.2.3).
4. Follow Step 3.4 to apply Oracle Access Manager 11.1.2.3 Bundle Patch 3 (OAM 11.1.2.3.3) to Oracle Access Manager Server.
5. Perform steps 4.1 to 4.4 (inclusive) to integrate Oracle E-Business Suite 12.2 with Oracle Access Manager 11.1.2.3.

8.2 Oracle E-Business Suite AccessGate Upgrade

If you have integrated Oracle E-Business Suite Release 12.2 with Oracle Access Manager 11gR2 (11.1.2) using Oracle E-Business
Suite AccessGate, following the steps in this document, and an update for Oracle E-Business Suite AccessGate becomes available, you
may apply the Oracle E-Business Suite AccessGate update as follows.

8.2.1 Download and apply the latest Oracle E-Business Suite AccessGate Update

You will always find the latest certified update for Oracle E-Business Suite AccessGate in the patch table at section 3.5.2 above. Apply
the update to your Oracle E-Business Suite Release 12.2 instance.

8.2.2 Redeploy Oracle E-Business Suite AccessGate

Redeploy Oracle E-Business Suite AccessGate using the same command as during initial deployment. Refer to section 4.1 Deploy
Oracle E-Business Suite AccessGate or respectively section 6.4.1 Deploy Oracle E-Business Suite AccessGate in a DMZ.

Similar to the initial deployment of Oracle E-Business Suite AccessGate, you can choose to redeploy on your patch file system first,
during an active Online Patching cycle, then cutover. Alternatively you can redeploy on your run file system first when no Online
Patching cycle is active.

8.2.3 Perform fs_clone

Your Oracle E-Business Suite Release 12.2 instance is now integrated with Oracle Access Manager using the latest Oracle E-Business
Suite AccessGate on your run file system. Perform an fs_clone to synchronize the changes to your patch file system before you start the
next Oracle E-Business Suite Release 12.2 Online Patching cycle.

Section 9: Available Documentation

Oracle Fusion Middleware Documentation:

Oracle Identity Management Documentation Library


Oracle Fusion Middleware Administrator's Guide for Oracle Access Management
Oracle Fusion Middleware WebLogic Scripting Tool Command Reference
Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity and Access Management
Oracle Fusion Middleware High Availability Guide for Oracle Identity and Access Management

Oracle E-Business Suite Documentation:

My Oracle Support Knowledge Document 1367293.1 Enabling TLS in Oracle E-Business Suite Release 12.2
My Oracle Support Knowledge Document 1375670.1 Oracle E-Business Suite Release 12.2 Configuration in a DMZ
My Oracle Support Knowledge Document 1614793.1 Cloning Oracle E-Business Suite Release 12.2 Environments
integrated with Oracle Access Manager 11gR2 (11.1.2) and Oracle E-Business Suite AccessGate

Appendix A: Deregister Oracle E-Business Suite from Oracle Access Manager

Note: Oracle Access Manager maintains a single registration for your Oracle E-Business Suite instance and does not distinguish
between run and patch file systems. Hence removing the registration from Oracle Access Manager will affect the running system.

To deregister your Oracle E-Business Suite instance from Oracle Access Manager:

Source the Oracle E-Business Suite environment file of your run file system.

$ cd <EBS_BASE_HOME>
$ . EBSapps.env
$ echo $FILE_EDITION

EBS_BASE_HOME is the top directory where fs1, fs2, and others are installed.

Type "R" to select the run file system environment when prompted. Echo $FILE_EDITION returns "run" to indicate that the run file
system is sourced. Ensure there is no active Online Patching cycle.

Stop the OHS server on the Oracle E-Business Suite Environment:

$ adapcctl.sh stop

Execute the following command to deregister Oracle E-Business Suite from Oracle Access Manager.

$ txkrun.pl -script=SetOAMReg -deregisteroam=yes -ebsProfileLevel=[Site|Server]

Specify -ebsProfileLevel=Site if you followed the instructions in Section 4.2 and registered the instance at site level. This will switch back
the Oracle E-Business Suite profile options Application Authenticate Agent (APPS_AUTH_AGENT) and Applications SSO Type
(APPS_SSO) to local login.

Specify -ebsProfileLevel=Server if you registered the instance at server level. This will not affect the site level profiles, and only remove
the profiles at server level for the server that you deregister.

The script will prompt for the following information:

Enter OAM console URL (for example: http://myoam.us.oracle.com:7001)
Enter OAM console user name (for example: weblogic)
Enter OAM console password
Enter APPS password

Enter the required information when prompted.

The script will provide a summary of input values. Confirm that these are correct and start the deregistration.

Do you wish to continue (y|n)? y

The script will now perform the following main tasks automatically:

Deregister Oracle E-Business Suite AccessGate with Oracle Access Manager.
Disable WebGate in your Oracle E-Business Suite webtier.
Clear Oracle E-Business Suite profile options Application Authenticate Agent (APPS_AUTH_AGENT) and Applications SSO Type
(APPS_SSO) to switch back to local login. If you registered the instance with -ebsProfileLevel=Site (default), deregistration will clear
the profiles at SITE level. If you registered the instance with -ebsProfileLevel=Server, deregistration will clear the profiles at SERVER
level.

Alternatively, you can execute the script with parameters. For example:

$ txkrun.pl -script=SetOAMReg -deregisteroam=yes \
  -oamHost=http://myoam.us.oracle.com:7001 \
  -oamUserName=weblogic \
  -skipConfirm=yes

The script must complete successfully. Review the log files for any error messages.

The script will not automatically delete the following entries, as you may have also used these for other partner applications:

Authentication Scheme (by default named EBSAuthScheme)
Authentication Module (by default named LDAP_EBS)
Identity Store (by default named OIDIdentityStore)

If you exclusively used these entries for the Oracle E-Business Suite instance that you deregistered, you may delete the Authentication
Scheme, Authentication Module, and Identity Store in the order listed, using your OAM Administration Console.

After de-registering your Oracle E-Business Suite instance from Oracle Access Manager, you no longer need the Oracle E-Business
Suite AccessGate deployment. Delete your Oracle E-Business Suite AccessGate using your WebLogic Administration Console, for
example:

http://ebshost.example.com:7001/console

In the WebLogic Administration Console, navigate to EBS_domain_sid > Deployments, stop then delete the Oracle E-Business Suite
AccessGate application named "accessgate". Ensure that you click 'Activate Changes' in the 'Change Center' pane, for the changes to
take effect.

If you do not use the data source "OAEADatasource" for any other application, you may also delete the datasource. Navigate to
EBS_domain_sid > Services > Data Sources, and delete data source "OAEADatasource". Ensure that you click 'Activate Changes' in the
'Change Center' pane, for the changes to take effect.

Delete the managed server on which accessgate was deployed:

1. If the managed server oaea_server1 is currently running, shut it down as follows:

$ sh $ADMIN_SCRIPTS_HOME/admanagedsrvctl.sh stop oaea_server1

The script will prompt for the following passwords:

Enter the WebLogic Admin password.

Enter the required information when prompted.

2. Run the command below on the application tier node where the oaea_server1 managed server resides. This will
delete the managed server, and also update the respective context variables that contain references to the deleted
managed server:

$ perl $AD_TOP/patch/115/bin/adProvisionEBS.pl \
ebs-delete-managedserver \
-contextfile=$CONTEXT_FILE -managedsrvname=oaea_server1

The script will prompt for the following passwords:

Enter the APPS Schema password.
Enter the WebLogic AdminServer password.

Enter the required information when prompted.

The following confirmation message will be displayed: ManagedServer oaea_server1 deleted successfully.

3. Remove the managed server and port from the mod_wl_ohs.conf configuration:

$ perl $FND_TOP/patch/115/bin/txkSetAppsConf.pl \
-contextfile=$CONTEXT_FILE \
-configoption=removeMS \
-accessgate=<host>.<domain>:<port>

To determine the value of the Port that was used for the oaea_server1 managed server, search for 's_wls_oaeaport' in
$CONTEXT_FILE.

Stop and restart the Oracle E-Business Suite Application Tier services.

Appendix B: Known Issues

The following table lists known issues and workarounds for Oracle E-Business Suite integration with Oracle Access Manager 11g
Release 2 (11.1.2) using Oracle E-Business Suite AccessGate.

Issue: OAM Failure on long URLs
Description and Workaround: OAM System error. Please re-try your action. If you continue to get this error, please contact the
Administrator. OAM-02073 may be caused by long URLs that exceed a cookie limit on your Internet browser. Ensure that you changed
the serverRequestCacheType from COOKIE to FORM as documented in section Configure Oracle Access Manager to support long URLs.

Issue: Language Support
Description and Workaround: The following languages supported by Oracle E-Business Suite are not yet supported by the Oracle
Access Manager login page. If you have any of these languages installed in your Oracle E-Business Suite Environment, do not configure
the language functionality for the Oracle Access Manager login page in OAM 11.1.2.1.0 and continue using Oracle E-Business Suite
profile option 'Applications Override SSO Server Language'. Refer to the instructions in section Configuring Languages for the Oracle
Access Manager Login Page.
Hebrew - Bug 16901373 - Fixed in OAM 11gR1 Patchset 2.
Croatian and Canadian French - Bug 16920577
Albanian, Catalan, Cyrillic Serbian, Dutch, Egyptian, Icelandic, Indonesian, Latin Serbian, Lithuanian, Slovenian, Ukrainian,
Vietnamese - Bug 16920613

Issue: Global Logout issue specific to Oracle Applications Framework pages
Description and Workaround: Bug 14799314
If a user is subscribed to two Oracle E-Business Suite environments that are integrated with the same OID and WebGate: If the user
has two active sessions (one in each Oracle E-Business Suite environment) then logs out of the first session, they are automatically
logged out of the second session. However, when they click a link in the second session, for example 'Preferences', instead of being
redirected to the OAM single sign-on page, the following error message is displayed:

Error
You have insufficient privileges for the current operation. Please contact your System Administrator.

Issue: iStore Logout doesn't redirect to the iStore page after integration with OAM 11.1.2.2/11.1.2.3.
Description and Workaround: After OAM 11.1.2.2 integration, iStore logout doesn't redirect to the iStore page, it redirects to the OAM
SSO logout page instead.
Solution: This will be addressed through Bug 17947381.

Issue: OUI Installer fails to apply one-off patches using latest OPatch
Description and Workaround: OUI Installer fails to apply one-off patches using latest OPatch.
Solution: This will be addressed through Bug 17848279.

Issue: Warning messages displayed during EBS AccessGate deployment
Description and Workaround: Bug 19341220
The following warning message can be ignored:

Warning messages <Warning> <JNDI> <BEA-050001> <WLContext.close() was called in a different thread than the one in which it
was created.>

Issue: DMZ Deployment of Oracle E-Business Suite AccessGate on multiple internal and external nodes sharing a single file system
Description and Workaround: Bug 18949797
Oracle E-Business Suite AccessGate cannot be deployed in a shared file system for multiple internal and external nodes.
Solution: This issue will be addressed through Bug 18949797.

Issue: In a load balanced configuration, there is a single web entry point that is being registered in OAM. De-registering one node will
remove the OAM registration.
Description and Workaround: To remove a single node from a multi node, load balanced configuration, do not de-register OAM using
txkrun.pl -script=SetOAMReg -deregisteroam=yes. Instead, clear the profile option 'Application Authenticate Agent' (APPS_AUTH_AGENT)
at server level for the server that is being removed from the configuration. Set the autoconfig variable s_enable_webgate to '#', and run
autoconfig. This will disable the webgate configuration on the node that is being removed.
Solution: Removal of a single node from a multi node load balanced configuration will be enhanced through Bug 19558683.

Issue: mod_wl_ohs.conf has invalid entries
Description and Workaround: Bug 19373026
The default server:port entry still exists in file mod_wl_ohs.conf after deploying Oracle E-Business Suite AccessGate on a different
dedicated server:port. For example:

<Location /accessgate>
SetHandler weblogic-handler
WebLogicCluster supplier.certdmz.com:6803,supplier.certdmz.com:3803
WLTempDir ${ORACLE_INSTANCE}/tmp
</Location>

Solution: Remove the invalid entry using

$ perl $FND_TOP/patch/115/bin/txkSetAppsConf.pl \
  -contextfile=$CONTEXT_FILE \
  -configoption=removeMS \
  -accessgate=<host>.<domain>:<port>

Issue: Running fs_clone after completing AccessGate and OAM integration and after completing a patch cycle results in fs_clone failing
with port conflicts
Description and Workaround: Bug 19817016
The following errors are encountered when running fs_clone after completing AccessGate and OAM integration and after completing a
patch cycle:

Checking WLS OAEA Application Port on aolesc11: Port Value = 6801
RC-50204: Error: - WLS OAEA Application Port in use: Port Value = 6801

-----------------------------
ERROR: The following required ports are in use:
-----------------------------
6801 : WLS OAEA Application Port
Corrective Action: Free the listed ports and retry the adop operation.

Workaround: Stop the oaea managed server on the run file system before performing the fs_clone operation, immediately after the
accessgate deployment.
Solution: This issue will be addressed through Bug 19817016.

Issue: After applying the November 2014 AD-TXK Bundles (Patch 20034256:R12.AD.C and Patch 20043910:R12.TXK.C respectively):
EBS AccessGate deployment failures with error messages:
ERROR: Unable to shutdown the managed server
ERROR: Unable to start managed server
Description and Workaround: Bug 20120776, Bug 20120500
Workaround: To deploy Oracle E-Business Suite AccessGate, source the run file system, then execute adProvisionEBS.pl to deploy
Oracle E-Business Suite AccessGate as documented. Ignore the Unable to shutdown message in the log file. Manually stop and start the
managed server after deployment.
Solution: This issue is addressed in the AD/TXK Delta 6 patches.

Issue: The Link-on-the-fly page fails if the <Enter> key is used to submit the username and password
Description and Workaround: Bug 21330792
Workaround: Click the 'apply' button on the Link-on-the-fly page and the user credentials are accepted.
Solution: This issue is addressed in Patch 21330792.

Appendix C: Product-Specific Single Sign-On Exceptions

A small number of Oracle E-Business Suite products have limited or no support for Oracle Access Manager. Refer to the table below for
more information.

Product Name: Oracle Demand Signal Repository
Comments: Integration with Oracle Access Manager is not supported at this time.

Product Name: Oracle iLearning (Standalone)
Comments: Oracle iLearning is a standalone product and is not part of E-Business Suite. Support for Oracle Access Manager is planned
for a later date. Oracle Learning Management is part of the E-Business Suite and is certified with Oracle Access Manager.

Product Name: Oracle Manufacturing Operation Center
Comments: Administrative functions of this product require Oracle Warehouse Builder, which does not support integration with Oracle
Access Manager.

Product Name: Oracle Sales Offline
Comments: Sales Offline currently requires the "Application SSO Login Types" profile option to be set to 'Local' or 'Both' for users. This
is documented in Oracle Sales Offline Implementation Guide Release 12.1. The product plans to support Oracle Access Manager at a
later date.

Product Name: Oracle Warehouse Management
Comments: Integration with Oracle Access Manager is not supported at this time.

Product Name: Oracle Workflow
Comments: Single sign-on functionality is not supported with password-based digital signatures. If using password-based signatures,
you must set the "Applications SSO Login Types" profile option to either 'Local' or 'Both' for all users who need to enter password-based
signatures.

Product Name: Oracle XML Gateway
Comments: Integration with Oracle Access Manager is not supported at this time. The "Application SSO Login Types" profile option
must be set to 'Local' or 'Both' for all users with this responsibility.

Change Log

Date: Comments

Dec 1, 2016: Updated with External/Internal Authentication details.

Nov 15, 2016: Updated Document to refer to My Oracle Support Knowledge Document 2202932.1 for Oracle E-Business Suite
AccessGate Patch number. Removed fifth-level patchset digit from version numbers.

Oct 24, 2016: Removed Mobile Applications from Appendix C: Product Specific Single Sign-On Exceptions table.

Jul 1, 2016: Clarified JAVA_OPTIONS setting for Minimum Protocol Version in section 6.1. Removed Windows Bug 23622992 from
Known Issues table.

Jun 23, 2016: Updated for TLS configurations. Added Federation issue details in section 5.2.2. Removed Bug 20989144 from Known
Issues table as this is fixed with OUD BP and is added as a recommendation in OUD Integration Note.

Jan 28, 2016: Clarified the details in section 6.2 for the Load Balanced configuration.

Dec 18, 2015: Added missing OAM Registration step for OUD Integration to Section 6.4.2 for DMZ.

Dec 9, 2015: Updated to include Oracle Unified Directory 11.1.2.3.

Oct 29, 2015: Updated to include Oracle Access Manager WebGate 11.1.2.3 as WebTier 11.1.1.9 is certified with Oracle E-Business
Suite 12.2.

Oct 7, 2015: Replaced EAG Patch 19767816 with EAG Patch 21523147. Added Bug 21330792 to Known Issues.

Sep 28, 2015: Added recommendation to apply OAM BP3 (as this includes the fix for Bug 19438948).

Sep 22, 2015: Removed Known Issue requiring Patch 16513008 as this is fixed from OAM 11.1.2.2 onwards.

Aug 26, 2015: Clarified in section 4.1 that Oracle E-Business Suite AccessGate can be deployed to a non-default managed server.

Aug 17, 2015: Corrected Patch application sequence in section 3.4 - OAM BP1 must be applied before Patch 19438948.

Aug 7, 2015: Added Patch 19438948 as a prerequisite patch.

Jul 22, 2015: Added OAM BP01 as a prerequisite (as it includes Patch 21084067).

Jun 23, 2015: Updated for OAM 11.1.2.3.

Mar 17, 2015: Corrected Table in Appendix C.

Jan 23, 2015: Removed footnote for Windows customers from Section 3.4.2. Updated Load Balancing Section 6.2 to be more concise.
Added an explanation to the introduction regarding integrating multiple Oracle E-Business Suite instances.

Dec 11, 2014: Added EAG Patch 19767816. Added Bug 20120776 and Bug 20120500 to Known Issues section.

Nov 11, 2014: Added Bug 19817016 to Known Issues section with workaround.

Oct 29, 2014: Added requirement for RHEL 6 customers to apply Unified Installer Patch 18231786 before installing Oracle Access
Manager 11.1.2.2.0.

Oct 10, 2014: Added patches for Windows customers. Added link to MOS Note 1614793.1 in Available Documentation Section.

Oct 1, 2014: Corrected Change Log.

Sep 11, 2014: Finalized patches required on top of TXK Delta 5 in section 3.4.1.

Aug 18, 2014: Updated txksetappsconf.pl commands at section 4.1 and section 6.4.1. Added required patches to table in section 3.4.1:
R12.TXK.C Patch 19344241.

Aug 16, 2014: Updated to include R12.TXK.C.DELTA.5 Patch 18288881. Deleted the OAM registration Known Issue as this is not an
issue from RUP 5 onwards. Updated the DMZ information in section 6.4. Added required patches to table in section 3.4.1:
R12.TXK.C Patch 18921971 and R12.AD.C Patch 19223358.

Aug 15, 2014: Added Known Issue Bug 19438948 - Issue in PS2 and BP2 with USER_ORCLGUID attribute. Deleted Note box
recommending install of WebGate 11.1.2.1 for Linux customers as issue with installer (Bug 18758638) has now been addressed.

Jun 20, 2014: Added Oracle E-Business Suite AccessGate 1.2.3 patch and consolidated patch 18497540. Added requirement to stop
OHS before performing OAM deregistration.

May 28, 2014: Corrected logoutUrl parameter for DMZ. Added a test to ensure that login.pl and logout.pl function correctly in a DMZ
environment. Added instructions for upgrading Oracle E-Business Suite AccessGate.

May 27, 2014: Updated Section 3.3 to clarify that OAM 11.1.2.2.0 should be installed.

May 23, 2014: Added Known Issue for Linux 11.1.2.2.0 Webgates to Section 3.4.2 (Bug 18758638).

Apr 17, 2014: Corrected -authChalRedirectUrl parameter example in Section 6.4.2 (removed the port as the URL without the port is
required for this parameter in a DMZ environment).

Apr 1, 2014: Added regeneration of mod_wl_ohs.conf. This step is required on R12.TXK.C.DELTA.4 and will be removed with a future
TXK patchset.

Mar 11, 2014: Added required fs_clone.

Feb 27, 2014: Added section on load balancing. Added prerequisite R12.TXK.C.DELTA.4. Moved WebGate install to the prerequisite
section. Added note that registration is supported on either run or patch file system.

Feb 26, 2014: Added New Section 6.2 to provide configuration details for load balanced environments.

Feb 07, 2014: Updated with OAM PS2 (11.1.2.2) related changes.

Dec 31, 2013: Added requirement to specify values for 'ldapSearchBase' and 'ldapGroupSearchBase' in txkrun.pl command in
Section 4.3.

Dec 16, 2013: 1) Updated for Oracle E-Business Suite Release 12.2.3. 2) Updated Section 4.3: Added clarification that the OAM
registration script is re-runnable. Added the '-webgatestagedir' parameter example to the non-interactive command in section 4.3.

Dec 9, 2013: Removed empty patching cycle from Section 4.1.1.

Oct 24, 2013: Added clarification to DMZ section and details of Known Issues for DMZ environments.

Sep 26, 2013: Corrected OAM Logout URL parameter in DMZ Section 2.3 (was '-DOAMLogoutURL' but should be '-OAMLogoutURL').

Sep 19, 2013: Document published for Oracle E-Business Suite Release 12.2.

My Oracle Support Knowledge Document 1576425.1 by Oracle E-Business Suite Development


Integrating Oracle E-Business Suite Release 12.2 with Oracle Unified Directory 11gR2 (Doc ID 2003483.1)

This document describes the process of integrating Oracle Unified Directory 11g Release 2 with Oracle E-Business Suite Release 12.2.

Before you begin integration, you should read and understand all content described in this document.

The most current version of this document can be obtained in My Oracle Support Knowledge Document 2003483.1.

Section 1: Overview
Section 2: Prerequisites and Required Software
Section 3: Installing Oracle Identity Management
Section 4: Installing and Configuring Oracle Unified Directory for Oracle Directory Integration Platform
Section 5: Upgrading to Oracle Directory Integration Platform
Section 6: Configuring Oracle Unified Directory 11g Release 2 with Oracle E-Business Suite Release 12.2
Section 7: References
Appendix A: Registration, Deregistration, Removing References, and Provisioning
Appendix B: Disable/Re-enable/Check Provisioning
Appendix C: Known Issues

There is a change log at the end of this document.

Section 1: Overview

This document describes the process of integrating Oracle Unified Directory 11g Release 2 Patch Set 3 with Oracle E-Business Suite
Release 12.2.

Oracle Unified Directory, along with Oracle Internet Directory, is part of Oracle Directory Services. Benefits of this configuration include
Oracle E-Business Suite support for the following services running on servers external to the Oracle E-Business Suite environment:

Oracle Unified Directory 11g
Oracle Portal 11g
Oracle Discoverer 11g
Oracle WebCenter 11g
Third-party single sign-on solutions
Third-party Lightweight Directory Access Protocol (LDAP) directories

The process of installing Oracle Unified Directory and Oracle Directory Integration Platform from Oracle Fusion Middleware 11g Release
1 provides the following configuration:

Oracle Fusion Middleware Oracle Unified Directory 11g Release 2
Oracle Fusion Middleware Oracle Directory Integration Platform (DIP) 11g Release 1
Oracle Enterprise Manager Fusion Middleware Control 11g Release 1
Oracle Fusion Middleware Directory Services Manager (ODSM)

These services may run:

On one or more standalone servers external to the existing Oracle E-Business Suite Release 12 environment
In separate ORACLE_HOMEs on existing servers

These services may not run:

In the existing Oracle E-Business Suite Release 12 Oracle Application Server 10g 10.1.2 ORACLE_HOME for Forms and Reports

Note: You must perform a fresh installation of Oracle Unified Directory. Migration from Oracle Internet Directory to Oracle Unified
Directory is not supported.

For more information about Oracle E-Business Suite Release 12.2 architectures, see Oracle E-Business Suite Concepts.

Section 2: Prerequisites and Required Software

This section provides information to help prepare for the installation and configuration of Oracle Unified Directory 11g Release 2 Patch
Set 3 (11.1.2.3) and Oracle Directory Integration Platform 11g Release 1 Patch Set 7 (11.1.1.9).

2.1 Prerequisites
2.2 Required Software

2.1 Prerequisites

Prior to installing and integrating Oracle Unified Directory and Oracle Directory Integration Platform, refer to the following
documentation for prerequisites and other information you should consider:

o Chapter 1: Planning the Oracle Unified Directory Installation in Oracle Fusion Middleware Installing Oracle Unified Directory 11g Release 2 (11.1.2)
o 5.1 Prerequisites in the Oracle Fusion Middleware Administrator Guide for Oracle Directory Integration Platform

In addition, in your Oracle E-Business Suite instance, you must either:

o Apply the R12.ATG_PF.C.Delta.5 product family release update pack (see: My Oracle Support Knowledge Document 1983021.1, Applying the R12.ATG_PF.C.Delta.5 Release Update Pack); or
o Apply the Oracle E-Business Suite Release 12.2.5 Release Update Pack, which includes R12.ATG_PF.C.Delta.5 (see: My Oracle Support Knowledge Document 1983050.1, Oracle E-Business Suite Release 12.2.5 Readme).

Integration with Oracle Unified Directory 11.1.2.3 requires Oracle HTTP Server version 11.1.1.9 on the Oracle E-Business Suite
Environment. Follow My Oracle Support Knowledge Document 1590356.1, Upgrading Oracle Fusion Middleware Technology
Stack of Oracle E-Business Suite Release 12.2 to the latest 11gR1 (11.1.1.x) Patchset, to upgrade Oracle HTTP Server to
11.1.1.9.

Download and apply the following updates to your Oracle E-Business Suite Release 12.2 instance:

Release Patch Number

12.2 R12.FND.C Patch 22098300

If you are using Oracle E-Business Suite Release 12.2.5 or lower and applying the AD and TXK Delta 8 Release Update Packs to
Oracle E-Business Suite:

Download and apply the following updates to your Oracle E-Business Suite Release 12.2 instance:

Release Patch Number

12.2 R12.FND.C Patch 24691100

2.2 Required Software

The following table lists the required software and the appropriate version certified with Oracle E-Business Suite Release 12.2 required
for the integration of Oracle Unified Directory:

Certified Software                       Versions                                                                         Download Location            Additional Information

Oracle Directory Integration Platform    11g Release 1 Patch Set 7 (11.1.1.9) for Oracle Fusion Middleware Identity Management   Oracle Technology Network

Oracle Unified Directory                 11g Release 2 Patch Set 3 (11.1.2.3)                                             Oracle Technology Network

Note: If you plan to manage the Oracle Unified Directory server with Oracle Directory Services Manager (ODSM), you must also
download Oracle Application Development Framework 11g Release 2. See: 2.3 Configuring Oracle WebLogic Server for Oracle Directory
Services Manager in Oracle Fusion Middleware Installing Oracle Unified Directory 11g Release 2 (11.1.2) for more details.

Section 3: Installing Oracle Identity Management

For integration of Oracle Unified Directory, you must first install Oracle Identity Management 11g Release 1 Patch Set 7 (11.1.1.9),
which includes the necessary components: Oracle Directory Integration Platform and Oracle Enterprise Manager.

The 1.2 Installation Roadmap in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management describes the high-
level tasks for installing Oracle Identity Management.

Referencing the Installation Roadmap, complete the following tasks:

Task 1 - Prepare your environment for installation
    Follow the instructions in the Installation Roadmap to prepare your environment.

Task 2 - SKIP
    Do not complete Task 2 of the Installation Roadmap ("Run RCU to create the necessary schemas") when installing Oracle Unified
    Directory as the backend directory. Performing the tasks listed in this step is not required.

Task 3 - Install Oracle WebLogic Server 11g and create a Middleware home
    Follow the instructions in the Installation Roadmap to install Oracle WebLogic Server 11g and create a Middleware home.

Task 4 - Install Oracle Identity Management
    Follow the instructions in the Installation Roadmap to install Oracle Identity Management.

    Ensure that you select the "Install Software - Do Not Configure" option in the Select Installation Type screen while installing
    Oracle Identity Management.

    Reference 4.2.8 Installing and Configuring Oracle Identity Management 11g Release 1 (11.1.1.9.0) Software and 1.3 Installation
    Types: "Install Software - Do Not Configure" vs. "Install and Configure" in the Oracle Fusion Middleware Installation Guide for
    Oracle Identity Management 11g Release 1 (11.1.1.9).

Task 5 - SKIP
    Do not complete Task 5 of the Installation Roadmap ("Configure Oracle Identity Management") as the configuration will be
    completed later in this document.

Section 4: Installing and Configuring Oracle Unified Directory for Oracle Directory Integration Platform

The main steps to configure Oracle Unified Directory for Oracle Directory Integration Platform are as follows:

4.1 Install Oracle Unified Directory
4.2 Configure Oracle Unified Directory
4.3 Configure the Naming Context
4.4 Configure Oracle Fusion Middleware Directory Services Manager (ODSM)
4.5 Enable the External Change Log
4.6 Enforce Unique UID Attribute
4.7 Configure Oracle Directory Integration Platform for Oracle Unified Directory
4.8 Add Access Control Instructions for Oracle Unified Directory
4.9 Verify the Oracle Directory Integration Platform

4.1 Install Oracle Unified Directory

For Oracle E-Business Suite Release 12.2, the minimum required version of Oracle Unified Directory is 11.1.2.3.

1. Follow the instructions in 2.2 Installing Oracle Unified Directory in the "Installing the Oracle Unified Directory Software" chapter
of Oracle Fusion Middleware Installing Oracle Unified Directory 11g Release 2.

Note: Oracle Unified Directory 11.1.2.3 must be installed in a separate FMW home. It must not be installed in the same FMW home as
Oracle Directory Integration Platform 11.1.1.9.

2. Apply Required Updates to Oracle Unified Directory

Oracle strongly recommends applying Oracle Unified Directory Bundle Patch 11.1.2.3.160419 as this includes a fix for Patch
20989144. Refer to My Oracle Support Knowledge Document 1494151.1 Master Note on Fusion
Middleware Proactive Patching - Patch Set Updates (PSUs) and Bundle Patches (BPs), for the instructions to download and
apply Oracle Unified Directory Bundle Patch 11.1.2.3.160419.

Applying later Oracle Unified Directory Bundle Patches

Optionally, later Oracle Unified Directory Bundle Patches may be applied on top of certified configurations. Refer to My Oracle Support
Knowledge Document 1494151.1, Master Note on Fusion Middleware Proactive Patching - Patch Set Updates (PSUs) and Bundle Patches (BPs).

4.2 Configure Oracle Unified Directory

To configure Oracle Unified Directory, refer to 5.2.2 Task 2: Configuring Oracle Unified Directory in the Oracle Fusion Middleware
Administrator's Guide for Oracle Directory Integration Platform.

The oud-setup command installs and configures a directory server instance and can be run in one of two modes: graphical user
interface (GUI) mode or command-line interface (CLI) mode.

If you choose the oud-setup command in the GUI mode:

On the Directory Data screen, enter the directory base DN and select the method in which you want to populate the data. The "import
automatically-generated" option allows you to generate random user data to populate the Oracle Unified Directory users.

On the Oracle Components Integration screen, select the "Enable for EBS (E-Business Suite), Database Net Services and DIP" option in
order to enable the server instance as a datastore for Oracle E-Business Suite, Oracle Database Net Services, and Oracle Directory
Integration Platform (DIP). See: 3.1 Setting Up the Directory Server Using the Graphical User Interface (GUI) in Oracle Fusion
Middleware Installing Oracle Unified Directory for more details.

If you choose the oud-setup command using the CLI mode, select the generic integration option to integrate Oracle Unified Directory
with the Oracle E-Business Suite instance.

For example:

oud-setup --cli --hostName myoud.us.oracle.com --ldapPort 1389 --ldapsPort 1636 \
    --adminConnectorPort 4444 --rootUserDN "cn=directory manager" --rootUserPasswordFile /tmp/pwd \
    --generateSelfSignedCertificate --enableStartTLS --baseDN dc=example,dc=com --integration generic \
    --sampleData 30 --no-prompt

This generic integration option allows you to complete the integration for Oracle E-Business Suite by creating the necessary naming
context.

Further details can be found in 3.2 Setting Up the Directory Server by Using the CLI in the Oracle Fusion Middleware Installation Guide
for Oracle Unified Directory 11g Release 2 (11.1.2).

Note: When using the oud-setup GUI, you must manually create a password file after setting up the directory server. This password
file is used by the -j /tmp/pwd option in the steps that follow.

4.3 Configure the Naming Context

After Oracle Unified Directory has been configured for Oracle E-Business Suite integration, you must configure the naming context used
to store the users and the groups by performing the following steps described in 31.3.1.2 Task 2: Configure the User and Groups
Location in Oracle Fusion Middleware Administering Oracle Unified Directory.

4.4 Configure Oracle Fusion Middleware Directory Services Manager (ODSM)

To configure the ODSM, follow the instructions detailed in 2.3 Configuring Oracle WebLogic Server for Oracle Directory Services
Manager in the Oracle Fusion Middleware Installing Oracle Unified Directory 11g Release 2.

Note: If you plan to manage the Oracle Unified Directory server with Oracle Directory Services Manager (ODSM), in step 7 of 5.2.5.2
Oracle Directory Integration Platform and Oracle Unified Directory in a New Oracle WebLogic Domain Server, be sure to select
"Administration Server" and configure the listener on a port other than the default port 7001 to avoid any conflicts.

Note: Ensure all mandatory WebLogic Server patches have been applied before continuing. See: 2.1.1 Mandatory Patches for Oracle
WebLogic Server in the Oracle Fusion Middleware Infrastructure Release Notes.

4.5 Enable the External Change Log

Enable the external change log (ECL) for the directory server instance. Follow the instructions for "5.2.4 Task 4: Enabling External
Change Log" in the Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform.

4.6 Enforce Unique UID Attribute

In Oracle Unified Directory, the unique attribute plug-in ensures that there is no duplication of attribute values, both when adding and
modifying them. Refer to the "Ensuring Attribute Uniqueness" section in Chapter 7 of the Oracle Fusion Middleware Administration Guide
for Oracle Unified Directory 11g Release 1 (11.1.1) for additional information.

By default, the unique attribute plug-in is disabled.

To check if the unique attribute plug-in is enabled:


$ dsconfig -p 4444 -h myoud.us.oracle.com -D "cn=directory manager" \
-j /tmp/pwd -n --trustAll list-plugins

To enable the uid attribute uniqueness plug-in:

$ dsconfig -p 4444 -h myoud.us.oracle.com -D "cn=directory manager" \
    -j /tmp/pwd -n --trustAll set-plugin-prop --plugin-name "UID Unique Attribute" \
    --set enabled:true

Then, set the base DN under which uniqueness is checked:

$ dsconfig -p 4444 -h myoud.us.oracle.com -D "cn=directory manager" \
    -j /tmp/pwd -n --trustAll set-plugin-prop --plugin-name "UID Unique Attribute" \
    --set base-dn:ou=people,dc=example,dc=com

4.7 Configure Oracle Directory Integration Platform for Oracle Unified Directory

To configure Oracle Directory Integration Platform for Oracle Unified Directory, the steps are as follows:

1. Run the config.sh command to configure Oracle Directory Integration Platform with Oracle Unified Directory in an existing or new
domain.

See 5.2.5 Task 5: Configuring the Oracle WebLogic Server Domain in the Oracle Fusion Middleware Administrator's Guide for Oracle
Directory Integration Platform for details.

Note: Ensure all mandatory WebLogic Server patches have been applied before continuing. See: 2.1.1 Mandatory Patches for
Oracle WebLogic Server in the Oracle Fusion Middleware Infrastructure Release Notes.

2. Start the servers in the correct order to be able to configure Oracle Directory Integration Platform for Oracle Unified Directory.

See 5.2.6 Task 6: Starting the Servers in the Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration
Platform for details.

3. After configuring and starting the Oracle WebLogic Server domain, configure Oracle Directory Integration Platform for
Oracle Unified Directory by setting the WL_HOME and ORACLE_HOME environment variables for Oracle Directory Integration
Platform and then running the dipConfigurator setup command (<ORACLE_HOME>/bin) on the command line:

$ dipConfigurator setup -wlshost $WLS_HOST -wlsport $WLS_ADMIN_PORT \
    -wlsuser weblogic -ldaphost $LDAP_HOST -ldapport $LDAP_PORT \
    -ldapuser "$LDAP_ADMIN" -isldapssl false -ldapadminport $LDAP_APORT

For example:

$ dipConfigurator setup -wlshost myodip.us.oracle.com -wlsport 7001 \
    -wlsuser weblogic -ldaphost myoud.us.oracle.com -ldapport 1389 \
    -ldapuser "cn=directory manager" -isldapssl false -ldapadminport 4444

For more information, see 5.2.7 Task 7: Configuring Oracle Directory Integration Platform for Oracle Unified Directory in the Oracle
Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform.

4.8 Add Access Control Instructions for Oracle Unified Directory

1. Create an odisgroup.ldif file in /tmp/odisgroup.ldif with the following content:

dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=example,dc=com")(version 3.0; acl "Entry-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=odisgroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)
-
add: aci
aci: (targetattr="*")(version 3.0; acl "Attribute-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=odisgroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)

Replace dc=example,dc=com with the appropriate base DN for your LDAP directory.

2. Use the ldapmodify command to load the data to the Oracle Unified Directory server:

ldapmodify -p 1389 -h myoud.us.oracle.com -D "cn=directory manager" \
    -j /tmp/pwd -f /tmp/odisgroup.ldif

For more information, see 5.2.8 Task 8: Adding Access Control Instructions (ACIs) for Oracle Unified Directory in the Oracle Fusion
Middleware Administrator's Guide for Oracle Directory Integration Platform.
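The LDIF above has to be re-edited for every directory suffix, and the rendering of this document shows how easily a stray space creeps into the ldap:/// URLs. As an added example that is not part of the Oracle document, the following POSIX shell script generates the same two ACIs for any base DN and rejects a malformed suffix before anything is handed to ldapmodify. The two DIP group DNs are the ones named above; the function names and the sample DNs are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the Oracle document: generate the DIP ACI LDIF for
# any base DN instead of hand-editing the sample above. The two ACIs grant
# (all,proxy) to the two DIP groups for the base-DN subtree only; generating the
# file avoids a stray space after "ldap:///" inside the URLs and a mistyped
# suffix such as dc.com for dc=com. Group DNs are the ones the document names;
# function names and sample DNs are constructed.

DIP_ODIS_GRP='cn=odisgroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext'
DIP_ADMIN_GRP='cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext'

# is_valid_dn DN -> 0 when DN is a non-empty, comma-separated list of attr=value RDNs
is_valid_dn() {
  [ -n "$1" ] || return 1
  # grep -v selects RDNs that do NOT look like attr=value; any such RDN means invalid
  if printf '%s\n' "$1" | tr ',' '\n' | grep -qv '^[A-Za-z][A-Za-z0-9-]*=[^=,]\{1,\}$'; then
    return 1
  fi
  return 0
}

# make_dip_aci_ldif BASE_DN -> prints the ldapmodify input on stdout; returns 1 on a bad DN
make_dip_aci_ldif() {
  base="$1"
  is_valid_dn "$base" || { echo "invalid base DN: '$base'" >&2; return 1; }
  cat <<EOF
dn: $base
changetype: modify
add: aci
aci: (target="ldap:///$base")(version 3.0; acl "Entry-level DIP permissions"; allow (all,proxy) groupdn="ldap:///$DIP_ODIS_GRP"; allow (all,proxy) groupdn="ldap:///$DIP_ADMIN_GRP";)
-
add: aci
aci: (targetattr="*")(version 3.0; acl "Attribute-level DIP permissions"; allow (all,proxy) groupdn="ldap:///$DIP_ODIS_GRP"; allow (all,proxy) groupdn="ldap:///$DIP_ADMIN_GRP";)
EOF
}

# Usage (constructed path): make_dip_aci_ldif "dc=example,dc=com" > /tmp/odisgroup.ldif
```

The generated file is then loaded with the ldapmodify command shown in step 2. Because the first ACI's target is the base DN itself, the (all,proxy) grant is confined to that subtree; if you later add a second suffix, run the generator again for it rather than widening the target.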

4.9 Verify the Oracle Directory Integration Platform

To verify the Oracle Directory Integration Platform, follow the instructions found in "5.2.9 Task 9: Verifying Oracle Directory Integration
Platform" in the Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform.

As noted in 5.2.9 Task 9: Verifying Oracle Directory Integration Platform, you must use the dipStatus command to verify the DIP
installation. The following is the syntax for the command:

$ $ORACLE_HOME/bin/dipStatus -h myodip.us.oracle.com -p <odip port> -D weblogic

Section 5: Upgrading Oracle Directory Integration Platform

If you have an earlier version of Oracle Directory Integration Platform 11g Release 1 (such as 11.1.1.2, 11.1.1.3, 11.1.1.4, 11.1.1.5, or
11.1.1.6), apply the latest certified Oracle Fusion Middleware 11g Release 1 patch set:

Description Download Location

Oracle Identity Management 11g Patch Set 7 (11.1.1.9) Patch 20995629

Upgrade Oracle Directory Integration Platform to 11g Release 1 Patch Set 7 (11.1.1.9) by following the instructions in the Oracle Fusion
Middleware Patching Guide 11g Release 1 (11.1.1.9).

Section 6: Configuring Oracle Unified Directory 11g Release 2 with Oracle E-Business Suite Release 12.2

The following steps create a default configuration employing bidirectional synchronization of user information between Oracle Unified
Directory and Oracle E-Business Suite. This default configuration meets the majority of customer requirements, but before proceeding
further, you should review Oracle E-Business Suite Security Guide Release 12.2 to evaluate whether an alternate configuration better
meets your needs. If so, you may elect to perform a manual configuration, as detailed in Appendix A: Registration, Deregistration,
Provisioning, and Removing References.

Note: Ensure all mandatory WebLogic Server patches have been applied before continuing. See: 2.1.1 Mandatory Patches for Oracle
WebLogic Server in the Oracle Fusion Middleware Infrastructure Release Notes. Also, you must enable JSSE for WebLogic administration
server and all managed servers. See: Step 8: Set the Node Manager Environment Variables in Oracle Fusion Middleware Node Manager
Administrator's Guide for Oracle WebLogic Server 10.3.6 and "Using the JSSE-Based SSL Implementation" section of the Oracle Fusion
Middleware Securing Oracle WebLogic Server 10.3.6.

Note: Refer to Oracle E-Business Suite Security Guide Release 12.2, which provides various scenarios for synchronizing user information
between Oracle E-Business Suite and Oracle Directory Services.

Perform the following steps on all application tier web node(s), detailed in the sections below:

6.1 Start an Online Patching Cycle Using ADOP Before Starting Configuration
6.2 Choose the Registration Type
6.3 Compile the Parameter Checklist
6.4 Check the Specific Environment Settings
6.5 Run the Registration Script from the Patch File System
6.6 Confirm Successful Script Completion
6.7 Set the Profile Options in Oracle E-Business Suite Release 12.2 From the Patch File System
6.8 Run AutoConfig From the Patch File System
6.9 End ADOP Patching Cycle (Cutover)
6.10 Verify User Provisioning Between Oracle E-Business Suite and Oracle Unified Directory

Note: Oracle HTTP Server version 11.1.1.9 is required on the Oracle E-Business Suite environment. Follow My Oracle Support
Knowledge Document 1590356.1, Upgrading Oracle Fusion Middleware Technology Stack of Oracle E-Business Suite Release 12.2 to the
latest 11gR1 (11.1.1.x) Patch Set, before integrating with Oracle Unified Directory version 11.1.2.3.

6.1 Start an Online Patching Cycle Using ADOP Before Starting Configuration

Prior to beginning the configuration of an Oracle Directory Service, start an online patching cycle using ADOP with the steps below:

6.1.1 Run the environment script for the patch file system

Since all tasks related to the configuration will be performed on the patch file system first, use the following commands to source the
Oracle E-Business Suite environment with the patch file system:

UNIX
$ cd <EBS_BASE_HOME>                      /* <EBS_BASE_HOME> is the top directory where fs1, fs2, and others are installed. */
$ . EBSapps.env                           /* Type "P" to select the PATCH file system environment when prompted. */
$ echo $FILE_EDITION                      /* This returns "patch" to indicate that it uses the patch file system environment. */

Windows
C:\>cd <EBS_BASE_HOME>                    /* <EBS_BASE_HOME> is the top directory where fs1, fs2, and others are installed. */
C:\<EBS_BASE_HOME>>EBSapps.cmd            /* Type "P" to select the PATCH file system environment when prompted. */
C:\<EBS_BASE_HOME>>echo %FILE_EDITION%    /* This returns "patch" to indicate that it uses the patch file system environment. */

6.1.2 Check whether an online patching cycle is already active

The online patching cycle should be started before continuing with the configuration. If an online patching cycle has not been started
already, start one using ADOP.

Oracle E-Business Suite Release 12.2 operates in two file systems: the run file system and the patch file system. All pending online
patching activities must be completed before upgrading the technology stack. Use the following command to check whether any online
patching activities are still pending:

UNIX
$ adop -status

Windows
C:\>adop.cmd -status

For details about Oracle E-Business Suite Release 12.2 Online Patching, refer to the Oracle E-Business Suite Maintenance Guide, Release
12.2.

6.1.3 Before starting with the configuration, start an Online patching cycle using ADOP

All tasks related to the Oracle E-Business Suite instance will be performed on the patch file system first while the system is online and
available for users through the run file system. Use the following command to prepare the patch file system:

UNIX
$ adop phase=prepare

Windows
C:\>adop.cmd phase=prepare

Note: All steps related to the Oracle E-Business Suite instance, between "Start and End of Online Patching Cycle" should be performed
on the patch file system only.

6.2 Choose the Registration Type

The registration script automates Oracle Unified Directory registration. To simplify the registration process, the script defaults many
parameters. The default simple registration process will result in a configuration that meets the needs of the majority of users.
System administrators should review the default settings to determine whether they apply to their environment. The default simple
registration of Oracle Unified Directory registers Oracle E-Business Suite with Oracle Unified Directory using the provisiontype=1
provisioning profile. This enables bidirectional user synchronization with user creation.

If you need to use different settings, please refer to Appendix A: Registration, Deregistration, Provisioning, and Removing References.

6.3 Compile a Parameter Checklist

Before running the registration script, make sure you've gathered all the information in the following checklist.

Parameter Checklist:

Parameter Name      Description                                                              Required   Default
ldapbindmode        LDAP bind mode: 0, 1                                                                0
appname             Application name
svcname             Service name
ldaphost            LDAP host name
ldapport            LDAP port
ldapadminuser       LDAP administrator                                                                  cn=orcladmin (for OUD the LDAP
                                                                                                        administrator is cn=directory manager
                                                                                                        by default)
ldapadminuserpass   LDAP administrator bind password
ldapportssl         SSL port for LDAP for infra instance                                     Yes
dbldapport          LDAP port on Oracle Directory Server to be used from Oracle Database     Yes
instpass            The instance password that you would like to register the application    Yes
                    instance with
provisiontype       Provision type 1, 2, 3, 4:                                               No
                    1. Bidirectional
                    2. Instance to LDAP Server
                    3. LDAP Server to Instance
                    4. Bidirectional no creation
rdbmsdn             RDBMS distinguished name registered in the directory server              No
dbldapauthlevel     The authentication level of the LDAP server                              No
dbwalletpass        Database Oracle home wallet password                                     No
dbwalletdir         Wallet directory in Database Oracle home                                 No

6.4 Check Specific Environment Settings

Confirm the ability to connect to Oracle E-Business Suite database through patch file system by checking that the environment
variable TWO_TASK (or LOCAL on Windows) is set correctly. To do this, execute the following command:

sqlplus [apps user]/[apps password]@["two_task of Patch FS" or local]

This will confirm that you are able to connect to the Oracle E-Business Suite database through the patch file system.

6.5 Run the Registration Script From the Patch File System

A Perl script is used to register Oracle E-Business Suite instance with Oracle Unified Directory. This registration process allows the Oracle
E-Business Suite to delegate user authentication to Oracle Single Sign-On and for user information to be synchronized between Oracle
Unified Directory and the Oracle E-Business Suite.

Note: The appname and svcname registered with Oracle Unified Directory must be unique. If you already have an Oracle E-Business
Suite environment integrated with this Oracle Unified Directory server and the integrated Oracle E-Business Suite environment has the
same SID as the current Oracle E-Business Suite environment, you must add the "-appname" and "-svcname" arguments to the
registration command:

$ $FND_TOP/bin/txkrun.pl -script=SetSSOReg -registerldap=yes \
    -appname=<CONTEXT NAME> -svcname=<CONTEXT NAME> -ldapadminuser=<LDAP ADMIN USER>

For example:

$ $FND_TOP/bin/txkrun.pl -script=SetSSOReg -registerldap=yes \
    -appname=vis_myhost -svcname=vis_myhost -ldapadminuser="cn=directory manager"

For debugging purposes, it is strongly recommended that you keep careful records of all information entered in this step.

UNIX

On UNIX, you can split the command over multiple command lines, by entering the '\' continuation character followed by [Return].
Execute the following command if you want to use the default (simple) registration that uses the bidirectional provisioning:

$ $FND_TOP/bin/txkrun.pl -script=SetSSOReg -registerldap=yes \
    -ldapadminuser="cn=directory manager"

or

Execute the following command if you want to use the default (simple) registration, but with a different provisioning type:

$ $FND_TOP/bin/txkrun.pl -script=SetSSOReg \
    -registerldap=yes -ldapadminuser="cn=directory manager" \
    -provisiontype=[Provision Type]

where [Provision Type] corresponds to the provisioning type that you wish to use.

Windows

On Windows, you must pass all the arguments on a single command line, pressing [Return] once at the end. Execute the following
command if you want to use the default (simple) registration that uses bidirectional provisioning:

%ADPERLPRG% %FND_TOP%\bin\txkrun.pl -script=SetSSOReg -registerldap=yes -ldapadminuser="cn=directory manager"

Execute the following command if you want to use the default (simple) registration, but with a different provisioning type:

%ADPERLPRG% %FND_TOP%\bin\txkrun.pl -script=SetSSOReg -registerldap=yes -provisiontype=[Provision Type] -ldapadminuser="cn=directory manager"

where [Provision Type] corresponds to the provisioning type that you wish to use.

Parameter Prompts:

The registration script will prompt for several parameters. Use the parameter values from the Parameter Checklist that you compiled.

The script will prompt for the parameters in the following order:

1. Enter LDAP Host name
2. Enter the LDAP Port on Oracle Directory server
3. Enter the LDAP Directory Administrator (orcladmin) Bind password
4. Enter the instance password that you would like to register this application instance with
5. Enter Oracle E-Business apps database user password

Note: You can use the default (simple) registration and still choose a different provisioning type by passing
-provisiontype=[1-4] as part of the script execution. For more details about provisioning types, refer to A4. Provisioning.

Here is an example that chooses outbound provisioning instead of the default:

UNIX

$ $FND_TOP/bin/txkrun.pl -script=SetSSOReg -registerldap=yes -provisiontype=3

Windows

%ADPERLPRG% %FND_TOP%\bin\txkrun.pl -script=SetSSOReg -registerldap=yes -provisiontype=3

If you need to override additional registration parameters, please refer to Appendix A: Registration, Deregistration, Provisioning, and
Removing References.

6.6 Confirm Successful Script Completion

When the registration script completes successfully, it will print the following line:

End of [FND_TOP]/patch/115/bin/txkSetSSOReg.pl : No Errors encountered

If you do not see this confirmation, examine the following file to investigate the problem:

$APPLRGF/TXK/txkSetSSOReg_[timestamp].xml
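Sections 6.1, 6.5 and 6.6 together describe one procedure: source the patch file system, run txkrun.pl with the checklist values, then look for the completion line. The following POSIX shell script, an added example that is not part of the Oracle document, wraps those three checks so that registration is attempted only from the patch file system, with a validated provisioning type, and with the LDAP administrator and instance passwords left to the script's own prompts rather than placed on the command line. The txkrun.pl flags are the ones shown above; the function names, the sample log lines and the FND_TOP path inside them are constructed.

```shell
#!/bin/sh
# Added example, not part of the Oracle document: a pre-flight wrapper for the
# registration step. It refuses to proceed unless the PATCH file system is
# sourced (FILE_EDITION=patch, section 6.1), validates the checklist values and
# assembles the txkrun.pl command line, and checks the completion line from
# section 6.6. The LDAP administrator and instance passwords are deliberately
# never put on the command line (they would land in shell history and in the
# process list); the script prompts for them. The txkrun.pl flags are the ones
# the document shows; function names and the sample log lines are constructed.

# require_patch_edition EDITION -> 0 only when the patch file system is sourced
require_patch_edition() {
  [ "$1" = "patch" ]
}

# build_sso_reg_cmd LDAP_ADMIN_DN PROVISION_TYPE [APPNAME SVCNAME]
# Prints the UNIX registration command; returns 1 when provisiontype is not 1-4
# or when only one of appname/svcname is given (both must be set together).
build_sso_reg_cmd() {
  admin="$1"; ptype="$2"; appname="$3"; svcname="$4"
  case "$ptype" in
    1|2|3|4) ;;
    *) echo "provisiontype must be 1-4, got '$ptype'" >&2; return 1 ;;
  esac
  if [ -n "$appname$svcname" ] && { [ -z "$appname" ] || [ -z "$svcname" ]; }; then
    echo "appname and svcname must be supplied together" >&2; return 1
  fi
  cmd="\$FND_TOP/bin/txkrun.pl -script=SetSSOReg -registerldap=yes"
  cmd="$cmd -ldapadminuser=\"$admin\" -provisiontype=$ptype"
  if [ -n "$appname" ]; then
    cmd="$cmd -appname=$appname -svcname=$svcname"
  fi
  printf '%s\n' "$cmd"
}

# registration_succeeded LOGFILE -> 0 when the script's success line is present
registration_succeeded() {
  grep -q 'txkSetSSOReg.pl : No Errors encountered' "$1"
}

# Constructed sample output (not from a real run) so the checker can be tried offline;
# /path/to/FND_TOP is a placeholder for the real $FND_TOP.
SAMPLE_OK=$(mktemp)
SAMPLE_BAD=$(mktemp)
printf '%s\n' 'Starting txkSetSSOReg.pl' \
  'End of /path/to/FND_TOP/patch/115/bin/txkSetSSOReg.pl : No Errors encountered' > "$SAMPLE_OK"
printf '%s\n' 'Starting txkSetSSOReg.pl' 'ERROR: LDAP bind failed' > "$SAMPLE_BAD"

# Typical use (the txkrun.pl call itself needs a sourced EBS patch environment):
#   require_patch_edition "$FILE_EDITION" || { echo "source the PATCH file system first" >&2; exit 1; }
#   cmd=$(build_sso_reg_cmd 'cn=directory manager' 1) && eval "$cmd"
```

If registration_succeeded reports failure, the txkSetSSOReg_[timestamp].xml file named above is the place to look; keep the command line you built, since the parameter values it carries are what support will ask for.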

6.7 Set the Profile Options in Oracle E-Business Suite Release 12.2 from the Patch File System

Set the following profile options in Oracle E-Business Suite Release 12.2 from the patch file system:

Applications SSO Enable OID Identity Add Event = ENABLED
Link Applications user with OID user with same username = ENABLED
Applications SSO Type profile option (APPS_SSO) = SSWA w/SSO

You can use the code detailed below to set the profile values from the patch file system. Ensure that you edit this with the appropriate
values before running it from the patch file system.

set serveroutput on
DECLARE
  stat BOOLEAN;
BEGIN
  -- Applications SSO Enable OID Identity Add Event = ENABLED
  stat := FND_PROFILE.SAVE('APPS_SSO_OID_IDENTITY', 'Y', 'SITE');
  IF stat THEN
    dbms_output.put_line('Profile APPS_SSO_OID_IDENTITY updated with Enabled');
    COMMIT;   -- commit only when the save succeeded
  ELSE
    dbms_output.put_line('Profile APPS_SSO_OID_IDENTITY could NOT be updated with Enabled');
    ROLLBACK;
  END IF;
END;
/

set serveroutput on
DECLARE
  stat BOOLEAN;
BEGIN
  -- Link Applications user with OID user with same username = ENABLED
  stat := FND_PROFILE.SAVE('APPS_SSO_LINK_SAME_NAMES', 'Y', 'SITE');
  IF stat THEN
    dbms_output.put_line('Profile APPS_SSO_LINK_SAME_NAMES updated with Enabled');
    COMMIT;
  ELSE
    dbms_output.put_line('Profile APPS_SSO_LINK_SAME_NAMES could NOT be updated with Enabled');
    ROLLBACK;
  END IF;
END;
/

set serveroutput on
DECLARE
  stat BOOLEAN;
BEGIN
  -- Applications SSO Type (APPS_SSO) = SSWA w/SSO
  stat := FND_PROFILE.SAVE('APPS_SSO', 'SSWA_SSO', 'SITE');
  IF stat THEN
    dbms_output.put_line('Profile APPS_SSO updated with SSWA_SSO');
    COMMIT;
  ELSE
    dbms_output.put_line('Profile APPS_SSO could NOT be updated with SSWA_SSO');
    ROLLBACK;
  END IF;
END;
/

6.8 Run AutoConfig from the Patch File System


Before performing a cutover, run AutoConfig on the patch file system so that any pending context file changes will be populated and will
be retained after cutover.

UNIX

$ sh <ADMIN_SCRIPTS_HOME>/adautocfg.sh

Windows

C:\><ADMIN_SCRIPTS_HOME>\adautocfg.cmd

6.9 End ADOP Patching Cycle (Cutover)

Source the Oracle E-Business Suite environment file of the run file system as the owner of the application tier file system before
executing the utility.

Note: If you are planning to perform any further administration tasks, you can postpone cutover until after you have completed those
tasks. You must perform a cutover before proceeding with the rest of the tasks in this document.

UNIX

$ adop phase=cutover

Windows

C:\>adop.cmd phase=cutover

For details about the Oracle E-Business Suite Release 12.2 Online Patching, refer to the Oracle E-Business Suite Maintenance Guide,
Release 12.2.

After successful completion of the ADOP cutover phase, verify the user provisioning between Oracle E-Business Suite and Oracle
Unified Directory as described in section 6.10.

Note: By default, Oracle E-Business Suite Release 12.2 Rapid Install enables the parameter "tcp.validnode_checking" which restricts
SQL*Net access to the Oracle E-Business Suite database based on a whitelist of authorized hosts listed for the parameter
"tcp.invited_nodes." For a user created in Oracle Unified Directory to be synchronized to an Oracle E-Business Suite 12.2 database,
the sqlnet.ora file has to be updated with the Oracle Directory Server hostname for the parameter "tcp.invited_nodes."
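The check implied by the note above can be scripted before cutover rather than discovered when the first directory-to-database
provisioning event fails. The following is an added example and not part of the Oracle note: it reads an EBS sqlnet.ora, and
when tcp.validnode_checking is on, verifies that the directory server host appears as a whole entry in tcp.invited_nodes. The two
sqlnet.ora files and the host names (ebsapps.example.com, ebsdb.example.com, oud.example.com) are constructed placeholders; the
parser assumes each parameter is on a single line, as Rapid Install writes it.

```sh
#!/bin/sh
# Added example, not from the Oracle note: verify that a sqlnet.ora which
# enforces tcp.validnode_checking also whitelists the directory server host
# in tcp.invited_nodes, so DIP provisioning can reach the EBS database.
# The two sqlnet.ora files below are constructed for the demo; the host
# names are placeholders.

# Print the value of a sqlnet.ora parameter (name compared case-insensitively),
# with surrounding parentheses and blanks removed, e.g. "host1,host2".
# Assumes the parameter and its value sit on one line.
sqlnet_param() {
    # $1 = sqlnet.ora path, $2 = parameter name
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                       # comment line
        index($0, "=") {
            name = $0; sub(/[ \t]*=.*/, "", name); gsub(/^[ \t]+/, "", name)
            if (tolower(name) == key) {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); gsub(/[() \t]/, "", val)
                print val
            }
        }' "$1"
}

# Return 0 if host $2 may open a SQL*Net connection according to sqlnet.ora $1.
# With validnode checking off (or unset) every host is allowed; with it on,
# the host must appear as a whole entry in tcp.invited_nodes (no substring
# matches, so "oud.example.co" does not pass for "oud.example.com").
host_invited() {
    checking=$(sqlnet_param "$1" tcp.validnode_checking | tr 'A-Z' 'a-z')
    [ "$checking" = yes ] || return 0
    sqlnet_param "$1" tcp.invited_nodes | tr ',' '\n' | grep -qixF "$2"
}

# Human-readable verdict for the directory server host $2.
report_directory_access() {
    if host_invited "$1" "$2"; then
        echo "OK: $2 is permitted to connect to the EBS database listener"
    else
        echo "MISSING: add $2 to tcp.invited_nodes in $1 and reload the listener"
        return 1
    fi
}

SAMPLE_BAD=${TMPDIR:-/tmp}/sqlnet.bad.$$
SAMPLE_OK=${TMPDIR:-/tmp}/sqlnet.ok.$$
trap 'rm -f "$SAMPLE_BAD" "$SAMPLE_OK"' EXIT

# Constructed: Rapid Install style whitelist that only lists the EBS tiers
cat > "$SAMPLE_BAD" <<'EOF'
# sample sqlnet.ora (constructed)
tcp.validnode_checking = yes
tcp.invited_nodes=(ebsapps.example.com, ebsdb.example.com)
EOF

# Constructed: the same file after the directory server host is added
cat > "$SAMPLE_OK" <<'EOF'
tcp.validnode_checking = yes
tcp.invited_nodes=(ebsapps.example.com, ebsdb.example.com, oud.example.com)
EOF

report_directory_access "$SAMPLE_BAD" oud.example.com || :
report_directory_access "$SAMPLE_OK"  oud.example.com
```

Run it against the real file by calling report_directory_access with the path to the database tier sqlnet.ora and the directory
server host; a MISSING verdict means provisioning from the directory will be refused at the listener before any LDAP or DIP log
shows a problem.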

6.10 Verify User Provisioning Between Oracle E-Business Suite and Oracle Unified Directory

If you have enabled bi-directional provisioning:

1. Create a user in Oracle E-Business Suite through the Define User Form. Then, verify that the user exists through ODSM by
querying that user within the Search tab.

2. When creating a user through ODSM (for Oracle Unified Directory):


1. In ODSM, query back the user that was created in Oracle E-Business Suite within the Search tab.
2. Select the user in the Entry list.
3. Click on the "Document" icon (Create an entry like the selected entry).
4. Select 'User ID' from the "RDN Attribute(s)" drop-down list (instead of the default value of "Common Name").
5. Specify the required values for the new user in the Common Name, User ID, Email, and Last Name fields.
6. Ensure that a value is specified in the Password field.
7. Click Create.
8. Verify that the user exists in Oracle E-Business Suite through the Define User Form.

If you have specified an alternative provisioning method, when creating a new user through ODSM (for Oracle Unified Directory):

1. Expand the entries for the DN to the ou level: For example, select 'ou=People' below 'dc=us,dc=oracle,dc=com' >
'cn=OracleContext'.
2. Click the first document icon with the drop-down symbol. Select the Type of Entry to Create, then select 'User Entry'.
3. Select 'User ID' from the "RDN Attribute(s)" drop-down list (instead of the default value of "Common Name").
4. Specify the required values for the new user in the Common Name, User ID, Email, and Last Name fields.
5. Ensure that a value is specified in the Password field.
6. Click Create.
7. Query back the user within the Search tab.
8. Select the user in the Entry list.
9. Click the Attributes tab.
10. In the Mandatory Attributes table, click the Add button.
11. Select and enter orclUserV2.
12. Click Apply (to add the new object class).
13. Verify that the user exists in Oracle E-Business Suite through the Define User Form.
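The two ODSM procedures above both come down to the same prerequisites on the directory entry: the RDN attribute is User ID
(uid) rather than Common Name, the Common Name, User ID, Email, Last Name and Password fields are populated, and the entry
carries the orclUserV2 object class. The following is an added example and not part of the Oracle note: it applies those checks
to an LDIF export of a user entry (for instance the output of ldapsearch -L for that entry), so a user that never appears in the
Define User form can be triaged without clicking through ODSM. The two entries are constructed samples; the script assumes the
export has no folded continuation lines.

```sh
#!/bin/sh
# Added example, not from the Oracle note: check an OUD user entry (LDIF on
# stdin) for the properties the provisioning steps above rely on: the RDN
# attribute is uid (not cn), the mandatory attributes are present, a password
# is set, and the entry carries the orclUserV2 object class. It assumes the
# LDIF has no folded continuation lines.

# Print the attribute name used in the entry's RDN, lower-cased.
rdn_attribute() {
    sed -n 's/^dn:[ ]*\([^=]*\)=.*/\1/p' | head -n 1 | tr 'A-Z' 'a-z'
}

# Return 0 when the entry meets every prerequisite; otherwise list each
# missing item on stderr and return 1.
check_ebs_user_entry() {
    entry=$(cat)
    rc=0
    rdn=$(printf '%s\n' "$entry" | rdn_attribute)
    if [ "$rdn" != uid ]; then
        echo "RDN attribute is '$rdn'; the entry must be created with uid as RDN" >&2
        rc=1
    fi
    # cn, uid, mail and sn are the fields filled in through ODSM; the
    # userPassword pattern matches both 'userPassword:' and base64 'userPassword::'
    for attr in cn uid mail sn userPassword; do
        if ! printf '%s\n' "$entry" | grep -qi "^$attr:"; then
            echo "missing attribute: $attr" >&2
            rc=1
        fi
    done
    # Without orclUserV2, attributes such as orclIsEnabled that EBS writes
    # are rejected by the OUD schema (see Appendix C, Bug 21835208)
    if ! printf '%s\n' "$entry" | grep -qi '^objectClass:[ ]*orclUserV2[ ]*$'; then
        echo "missing objectClass: orclUserV2" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample: user created as described in 6.10 (uid RDN, orclUserV2).
# The password value is base64 of the word "redacted", not a real hash.
GOOD_ENTRY='dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: orclUserV2
cn: Jane Doe
sn: Doe
uid: jdoe
mail: jdoe@example.com
userPassword:: cmVkYWN0ZWQ='

# Constructed sample: same user created with the default "Common Name" RDN
# and without the orclUserV2 object class.
BAD_ENTRY='dn: cn=Jane Doe,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Jane Doe
sn: Doe
uid: jdoe
mail: jdoe@example.com
userPassword:: cmVkYWN0ZWQ='

for e in "$GOOD_ENTRY" "$BAD_ENTRY"; do
    if printf '%s\n' "$e" | check_ebs_user_entry; then
        echo "OK: entry is ready for DIP provisioning"
    else
        echo "NOT OK: fix the items above before expecting the user in EBS"
    fi
done
```

The second sample is exactly the state Appendix C describes for Bug 21835208: the user provisions, but later updates from the
Define User form fail because orclIsEnabled is not permitted by the entry's object classes.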

Section 7: References

Oracle Fusion Middleware Documentation:

Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management 11g Release 2 (11.1.2) (E27301-04)
Oracle Fusion Middleware Installation Guide for Oracle Unified Directory 11g Release 2 (11.1.2) (E23737-02)
Oracle Fusion Middleware Installing Oracle Unified Directory 11g Release 2 (11.1.2) (E56132-02)
Oracle Fusion Middleware Installation Guide for Oracle Identity Management 11g Release 1 (11.1.1.9.0) (E12002-13)
Oracle Fusion Middleware Administrator's Guide for Oracle Unified Directory 11g Release 2 (11.1.2) (E22648-02)
Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform (E56469-01)
Oracle Fusion Middleware Patching Guide 11g Release 1 (11.1.1.9.0) (E16793-28)

Oracle E-Business Suite Documentation:

Oracle E-Business Suite Concepts (E22949-11)


Oracle E-Business Suite Security Guide Release 12.2 (E22952-11)
Oracle E-Business Suite Maintenance Guide, Release 12.2 (E22954-20)
My Oracle Support Knowledge Document 1576425.1, Integrating Oracle E-Business Suite Release 12.2 with Oracle Access
Manager 11gR2 (11.1.2) using Oracle E-Business Suite AccessGate
My Oracle Support Knowledge Document 1614793.1, Cloning Oracle E-Business Suite Release 12.2 Environments integrated
with Oracle Access Manager 11gR2 (11.1.2) and Oracle E-Business Suite AccessGate

Appendix A: Registration, Deregistration, Removing References, and Provisioning

This appendix provides an overview of Oracle Unified Directory registration tools to register the Oracle E-Business Suite instance with
the Oracle Directory Services server. It contains the following sections:

A1. Registration of an Oracle E-Business Suite Instance with the Oracle Unified Directory Server
A2. Deregistration of an Oracle E-Business Suite Instance with the Oracle Unified Directory Server
A3. Remove References
A4. Provisioning

A1. Registration of an Oracle E-Business Suite Instance with the Oracle Unified Directory Server

Note: The appname and svcname registered with the SSO LDAP server must be unique. If another Oracle E-Business Suite environment
that is integrated with this SSO LDAP server has the same SID as the current environment, you must add the -appname and -svcname
arguments to the registration command. The -ldapadminuser=$LDAP_ADMIN_USER argument is added because the default value of that
parameter is cn=orcladmin.

$ FND_TOP/bin/txkrun.pl -script=SetSSOReg -registerldap=yes \
-ldapadminuser=$LDAP_ADMIN_USER -appname=$CONTEXT_NAME -svcname=$CONTEXT_NAME

For example:

$ FND_TOP/bin/txkrun.pl -script=SetSSOReg -registerldap=yes \
-ldapadminuser="cn=directory manager" -appname=vis_myhost -svcname=vis_myhost

Interactive Mode

$ FND_TOP/bin/txkrun.pl -script=SetSSOReg -registerldap=yes \
-appname=$CONTEXT_NAME -svcname=$CONTEXT_NAME -ldapadminuser=$LDAP_ADMIN_USER

It prompts for required arguments as follows:

[ Enter LDAP Host name ]

[ Enter the LDAP Port on Oracle Unified Directory server ]

[ Enter the Oracle Unified Directory Administrator (orcladmin) Bind password ]

[ Enter the instance password that you would like to register this application instance with ]

[ Enter Oracle E-Business Suite apps database user password ]


It does the following:

Validates the arguments
Registers this instance with Oracle Unified Directory
Creates the provisioning profiles

Non-Interactive Mode

$ FND_TOP/bin/txkrun.pl \
-script=SetSSOReg \
-registerldap=yes \
-ldaphost=ldaphost.us.oracle.com \
-ldapport=13061 \
-ldapadminuser="cn=directory manager" \
-ldapadminuserpass=password \
-appspass=password \
-instpass=password \
[-appname=s_dbSid \]
[-svcname=s_dbSid \]
[-provisiontype=1 \]
[-dbldapauthlevel=1 \]
[-dbldapportssl=13130 \]
[-dbwalletpass= \]
[-dbwalletdir= \]
[-rdbmsdn= ]

Note: Entering your password at the command line is a security risk. You can avoid this risk by running the script in interactive mode
instead.

Purpose of optional arguments:

Argument          Purpose

ldapadminuser     Bind DN used to connect to the Oracle Unified Directory server, for example "cn=directory manager".

appname           This instance is registered with the Oracle Directory Services server under this appname. The default value
                  of appname is [s_dbSid].

svcname           This instance is registered with the Oracle Directory Services server under this svcname. The default value
                  of svcname is [s_dbSid].

provisiontype     Specifies the provisioning type between the instance and the LDAP server. Allowed values:
                  1 - Bidirectional (default)
                  2 - Instance to Oracle Directory Services server
                  3 - Oracle Directory Services server to instance
                  4 - Bidirectional, no creation

dbldapauthlevel   Authentication level between the Oracle E-Business Suite database and the Oracle Directory Services server
                  for provisioning purposes:
                  0 - Non-SSL communication (default)
                  1 - SSL with no authentication
                  2 - SSL with server authentication
                  3 - SSL with client and server authentication

dbldapportssl     Port on the Oracle Directory Services server used by the Oracle E-Business Suite database for provisioning.
                  The default is the value of ldapport. This parameter is required if the Oracle Unified Directory instance is
                  SSL enabled, and then specifies its SSL LDAP port.

ldaphost          Host name of the LDAP server. The default is infradbhost; for a non-collocated infrastructure, where the
                  LDAP server runs on a different host from infradbhost, pass the LDAP host explicitly on the command line.

dbwalletpass      Oracle E-Business Suite database wallet password. Required if dbldapauthlevel > 1.

dbwalletdir       Oracle E-Business Suite database wallet directory. Required if dbldapauthlevel > 1. The default is the value
                  of the site-level profile FND_DB_WALLET_DIR.

rdbmsdn           RDBMS DN of this Oracle E-Business Suite database instance as registered with the Oracle Directory Services
                  server (for example, cn=OracleContext). Required if the Oracle E-Business Suite database tier is configured
                  to use Real Application Clusters (RAC).

A2. Deregistration of an Oracle E-Business Suite Instance with the Oracle Directory Services Server

Interactive Mode

$ FND_TOP/bin/txkrun.pl -script=SetSSOReg -deregisterldap=yes \
-ldapadminuser=$LDAP_ADMIN_USER

This command prompts for required arguments as follows:

[ Enter Oracle E-Business Suite apps database user password ]

[ Enter the LDAP Directory Administrator (orcladmin) Bind password ]

This command does the following:

Validates the arguments
Deletes the provisioning
Deregisters this instance with the Oracle Directory Services server

For example:

$ FND_TOP/bin/txkrun.pl -script=SetSSOReg -deregisterldap=yes \
-ldapadminuser="cn=directory manager"

Non-Interactive Mode

$ FND_TOP/bin/txkrun.pl \
-script=SetSSOReg \
-deregisterldap=yes \
-appspass=password \
[-ldaphost=ldaphost \]
[-ldapport=13061 \]
[-ldapadminuser="cn=directory manager" \]
-ldapadminuserpass=password \
[-appname=[s_dbSid] \]
[-svcname=[s_dbSid] ]

Note: Entering your password at the command line is a security risk. You can avoid this risk by running the script in interactive mode
instead.

A3. Remove References

SSO LDAP server registration stores a set of preferences on Oracle E-Business Suite database. If the Oracle E-Business Suite instance is
cloned from an Oracle Unified Directory registered Oracle E-Business Suite instance, the cloned environment has the same preferences
as the source environment and throws errors during the SSO LDAP server registration. Therefore, the following command should be
called in the post-cloning phase or before proceeding for Oracle Unified Directory registration to remove all the preferences or settings
from cloned environments.

Interactive Mode

$ FND_TOP/bin/txkrun.pl -script=SetSSOReg -removereferences=Yes

It prompts for required arguments as follows:

Enter Oracle E-Business Suite apps database user password ? password

It does the following:

Validates the arguments
Removes the Oracle Home Instance preferences, OSSO preferences and site-level profiles, and SSO LDAP server preferences from the
Oracle E-Business Suite database

Non-Interactive Mode

$ FND_TOP/bin/txkrun.pl -script=SetSSOReg -removereferences=yes -appspass=password

Note: Entering your password at the command line is a security risk. You can avoid this risk by running the script in interactive mode
instead.

A4. Provisioning

There are four types of provisioning provided by the registration utility. These provisioning options can be later customized to suit your
needs.

1. Bidirectional Provisioning (-provisiontype=1)


From the instance to Oracle Unified Directory and from the Oracle Unified Directory to the instance. This is set by "-
provisiontype=1" command line argument during Oracle LDAP server registration. This is the default provisioning type set by
the registration utility.

2. Inbound Provisioning
Inbound from the instance to the Oracle Unified Directory. This is set by "-provisiontype=2" command line argument during
Oracle LDAP server registration.

3. Outbound Provisioning
Outbound from the Oracle Unified Directory to the instance. This is set by "-provisiontype=3" command line argument during
Oracle LDAP server registration.

4. BiDiNoCreation Provisioning
Bidirectional provisioning with no creation. This is set by "-provisiontype=4" command line argument during Oracle LDAP server
registration.

Customizing Provisioning

If there is a need to customize the provisioning settings, then the "manageProvProfiles" utility can be used to modify the existing
provisioning. You must ensure that Oracle Unified Directory server registration has completed successfully before you can modify the
provisioning.

Note: The "manageProvProfiles" utility is for 11.1.1.9. The "oidProvTool" utility is to be used on previous release versions, prior to
11.1.1.9, although the utility is still delivered in 11.1.1.9 for backwards compatibility.

1. Run the "manageProvProfiles" utility. (Again, for backwards compatibility, the oidprovtool CLI is still supported.)

The manageProvProfiles and oidProvTool utilities are run from the Oracle Directory Integration Platform 11g Release 1 Oracle
Home. Set the environment so that ORACLE_HOME is set and ORACLE_HOME/bin is in PATH.

2. Ensure that provisioning is present in the Oracle Unified Directory before modification.

The following ldapsearch command lists ALL provisioning profiles:

ldapsearch -h host -p port -D "cn=directory manager" -j passwordfile -s sub \
-b "cn=Profiles,cn=Provisioning,cn=Directory Integration Platform,cn=products,cn=OracleContext" \
"objectclass=*" "*"

Each profile has a DN that looks like:

orclODIPProfileName=E2E546797206BA4BE030018ABE853912_F1573026A253C04EE030018AE85855E8

The first number, E2E546797206BA4BE030018ABE853912, is the Subscriber DN (realm) GUID; the second is the application DN GUID. To
list the object for a given GUID, execute:

ldapsearch -h host -p port -D "cn=directory manager" -j passwordfile -s sub -b "" \
"orclguid=E2E546797206BA4BE030018ABE853912" dn

To list the status of a specific profile, given the application name:

manageProvProfiles operation=STATUS \
ldap_host=host ldap_port=port \
ldap_user="cn=orcladmin" \
application_dn="orclApplicationCommonName=AppName,cn=EBusiness,cn=Products,cn=OracleContext,SubscriberDN"

3. Modify the provisioning profile using "manageProvProfiles."

For syntax for manageProvProfiles, see the Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration
Platform.

Choose the appropriate "profile_mode" based on the following table:

If Provisioning Type is: Then profile_mode is:


1 BOTH

2 INBOUND

3 OUTBOUND

4 BOTH

The following is an example that changes an INBOUND (provisiontype=2) profile whose realm is "dc=us,dc=oracle,dc=com". The
application_dn value is quoted so that a placeholder or DN containing spaces is not split by the shell:

$ ORACLE_HOME/bin/manageProvProfiles \
operation=modify \
ldap_host=[LDAP_HOST] ldap_port=[LDAP_PORT] \
ldap_user_dn="cn=directory manager" \
profile_mode=INBOUND \
application_dn="orclApplicationCommonName=[SID OF YOUR DB or appName],cn=EBusiness,cn=Products,cn=OracleContext,dc=us,dc=oracle,dc=com" \
event_permitted_operations="IDENTITY:dc=us,dc=oracle,dc=com:ADD(cn,sn,mail,userpassword,description,facsimiletelephonenumber,orclactivestartdate,orclactiveenddate,orclisenabled,telephonenumber,street,postalcode,physicaldeliveryofficename,ou,st,l,displayname,employeenumber,employeetype,givenname,homephone,manager,o,uid,c,postaladdress,title)" \
event_permitted_operations="SUBSCRIPTION:dc=us,dc=oracle,dc=com:ADD(*)" \
event_mapping_rules=FND::cn=users,dc=us,dc=oracle,dc=com \
event_mapping_rules=HR::cn=users,dc=us,dc=oracle,dc=com \
event_mapping_rules=TCA::cn=users,dc=us,dc=oracle,dc=com

4. Execute step 2 above to ensure that provisioning has been modified as per the command.

For further information regarding provisioning, refer to Oracle E-Business Suite Security Guide Release 12.2.
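Steps 2 and 3 above are easy to get wrong by hand: the profile DN packs two GUIDs into one attribute value, ldapsearch folds long
DNs across lines, and the provisiontype number has to be translated into a profile_mode. The following is an added example and not
part of the Oracle note: it extracts the profile DNs from an ldapsearch dump, unfolding continuation lines, splits each
orclODIPProfileName into its realm GUID and application GUID, and maps a -provisiontype value to the profile_mode from the table
above. The LDIF is a constructed sample with attributes truncated; its first GUID pair is the one quoted in the note and the second
pair is a placeholder.

```sh
#!/bin/sh
# Added example, not from the Oracle note: pick the provisioning profiles out
# of an ldapsearch dump of cn=Profiles,cn=Provisioning,..., split each
# orclODIPProfileName into the realm GUID and the application GUID, and map
# a txkrun -provisiontype value to the profile_mode manageProvProfiles expects.
# The LDIF below is constructed (attributes truncated); the first GUID pair
# is the one quoted in the note, the second is a placeholder.

# Print every profile DN (one per line) from LDIF on stdin, unfolding
# continuation lines (a wrapped value continues on a line that starts
# with a single space).
profile_dns() {
    awk '
        /^dn:/ { if (dn != "") print dn; dn = $0; next }
        /^ /   { if (dn != "") dn = dn substr($0, 2); next }
        { if (dn != "") print dn; dn = "" }
        END    { if (dn != "") print dn }
    ' | sed 's/^dn:[ ]*//' | grep '^orclODIPProfileName='
}

# Print "<realm guid> <application guid>" for a profile DN.
profile_guids() {
    name=${1#*orclODIPProfileName=}     # value starts after the attribute name
    name=${name%%,*}                    # and ends at the first comma of the DN
    printf '%s %s\n' "${name%%_*}" "${name#*_}"
}

# profile_mode for manageProvProfiles, from the provisioning type table above.
profile_mode_for() {
    case "$1" in
        1|4) echo BOTH ;;
        2)   echo INBOUND ;;
        3)   echo OUTBOUND ;;
        *)   echo "unknown provisiontype: $1" >&2; return 1 ;;
    esac
}

# Constructed ldapsearch output: two profiles, the first with a folded DN.
SAMPLE_LDIF='dn: orclODIPProfileName=E2E546797206BA4BE030018ABE853912_F1573026A253C04EE030018AE85855E8,cn=Pr
 ofiles,cn=Provisioning,cn=Directory Integration Platform,cn=products,cn=OracleContext
objectclass: top

dn: orclODIPProfileName=0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A_0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B,cn=Profiles,cn=Provisioning,cn=Directory Integration Platform,cn=products,cn=OracleContext
objectclass: top'

printf '%s\n' "$SAMPLE_LDIF" | profile_dns | while read -r dn; do
    set -- $(profile_guids "$dn")
    echo "profile: realm guid=$1 application guid=$2"
done
echo "provisiontype=2 -> profile_mode=$(profile_mode_for 2)"
```

Feed the real ldapsearch output into profile_dns with a pipe; each GUID it prints is what goes into the "orclguid=..." search in
step 2 to confirm which realm and which registered application a profile belongs to before modifying it.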

Appendix B: Disable/Re-enable/Check Provisioning

With effect from Oracle E-Business Suite Release 12.2.6:

The Applications SSO Type (APPS_SSO) profile option is now supported at Site and Server level to support internal and external
authentication. The Applications SSO Type (APPS_SSO) profile option has also been decoupled from provisioning, so provisioning from
Oracle E-Business Suite to the LDAP server (OID or OUD) continues to take place after the profile option has been set to 'SSWA' only.
For details of these changes and the other new FND_SSO_UTIL procedures, refer to section 3.4 Changes to the Applications SSO Type
(APPS_SSO) profile and section 3.5 New FND_SSO_UTIL Procedures in Document 2174164.1, Oracle E-Business Suite System
Administration Release Notes for Release 12.2.6.

To disable provisioning from Oracle E-Business Suite to the LDAP server for the entire Oracle E-Business Suite instance, set the
preference 'APPS_SSO_LDAP_INTEGRATION' to 'DISABLED' using the following API (run in SQL*Plus connected as the APPS user):
DisableLDAPIntegration (EBS->LDAP): fnd_sso_util.disableLDAPIntegration

execute fnd_sso_util.disableLDAPIntegration;
commit;

If your environment is configured for bi-directional provisioning or for provisioning only from the LDAP server to Oracle E-Business
Suite, you can disable that direction by disabling the following Workflow Business Events:
oracle.apps.fnd.identity.add
oracle.apps.fnd.identity.delete
oracle.apps.fnd.identity.modify
oracle.apps.fnd.subscription.add

To re-enable provisioning from Oracle E-Business Suite to the LDAP server once it has been disabled, use the following API:
Enable LDAP Integration: fnd_sso_util.enableLDAPIntegration

execute fnd_sso_util.enableLDAPIntegration;
commit;

To check whether provisioning from Oracle E-Business Suite to the LDAP server is enabled, use the following API, which returns TRUE
if the preference APPS_SSO_LDAP_INTEGRATION is enabled:
fnd_ldap_util.isLDAPIntegrationEnabled

Because it is a function returning a BOOLEAN, it cannot be run with a plain "execute" and needs no commit; call it from a PL/SQL
block instead:

set serveroutput on
BEGIN
  IF fnd_ldap_util.isLDAPIntegrationEnabled THEN
    dbms_output.put_line('Provisioning from Oracle E-Business Suite to the LDAP server is ENABLED');
  ELSE
    dbms_output.put_line('Provisioning from Oracle E-Business Suite to the LDAP server is DISABLED');
  END IF;
END;
/

Appendix C: Known Issues


Bug 21835208

Problem: For users created through ODSM and then provisioned to Oracle E-Business Suite, the following message is reported when an
attempt to save modifications to those users through the Oracle E-Business Suite System Administrator -> Security -> User -> Define
form fails, for example when saving changes to the e-mail address or password:

Error
(Red bell ringer)
Unabled to call fnd_ldap_wrapper.update_user due to the following reason:
ORA-20001: Entry uid=OUD17,ou=People,dc=us,dc=oracle,dc=com violates the Directory Server schema configuration because it
includes attribute orclIsEnabled which is not allowed by any of the objectclasses defined in that entry (USER_NAME=OUD17).

This issue can also be observed with Oracle E-Business Suite 12.2.4 on Windows, integrated with OUD 11.1.2.3 and DIP 11.1.1.9.

Workaround: Through ODSM, add the orcluserv2 object class to the user whose e-mail address cannot be changed through Oracle
E-Business Suite. Wait about one minute. Through Oracle E-Business Suite, change the e-mail address for that user; the change is
saved this time. Wait about one minute. Through ODSM, verify the changed e-mail address.

Bug 24691100

Problem: When registering Oracle Unified Directory with Oracle E-Business Suite, the following error message is displayed:

*** ERROR : java.sql.SQLException: ORA-06576: not a valid function or procedure name

Solution: This issue is specific to Oracle E-Business Suite versions lower than 12.2.5 with the AD and TXK Delta 8 Release Update
Packs applied. Download and apply Patch 24691100.

Change Log

Date            Description

7 Apr, 2017     Added reference to MOS Note 2174164.1 in Appendix B.

17 Dec, 2016    Added pre-requisite Patch 24691100 for Oracle E-Business Suite 12.2.5 and lower with AD/TXK RUP 8. Also added this Pa

Dec 1, 2016     Updated with External/Internal Authentication details.

                Removed fifth-level patchset digit from version numbers.

Jun 10, 2016    Added recommendation to apply Oracle Unified Directory Bundle Patch 11.1.2.3.160419 (as this includes the fix for Bug 2

Dec 9, 2015     Document published for Oracle Unified Directory 11.1.2.3.