
Oracle Access Manager Integration with Oracle E-Business Suite

An ERP system is a key, mission-critical application within most organizations, but it is one of many.
As organizations move all of their applications to a web-based model, extending single sign-on (SSO)
across the enterprise has become a requirement, and organizations also want to standardize and
centralize security management. Demand for access to business resources continues to grow: internal
applications and information must be made securely available to an increasing number of employees,
customers, and partners.

This technical white paper discusses how Oracle Access Manager integrates with Oracle E-Business
Suite, allowing customers to realize SSO across all of their web-based applications.

Overview of Oracle Access Manager


Oracle Access Manager is a solution for both centralized identity management and access control,
providing an integrated, standards-based platform that delivers authentication, web single sign-on,
access policy creation and enforcement, user self-registration and self-service, delegated
administration, reporting, and auditing. Oracle Access Manager's coupling of access management with
identity administration is what distinguishes it as a web access management solution.

Features
Oracle Access Manager has two major systems: the Identity System and the Access System.
The Identity System provides workflow-driven user management and access clearance through
administrative, delegated and self-service functions. The Access System enforces access policies for
web resources using WebGate, and for legacy (non-web) systems using AccessGate.

Oracle Access Manager has the following basic components:

LDAP Server - stores user, configuration and policy data.
WebGate - an out-of-the-box access client for enforcing access policy on HTTP-based resources;
it is the Access System's web Policy Enforcement Point (PEP).
Access Server - a standalone server that evaluates access policies for web and non-web resources
and returns the decision to the access clients; it is therefore the Access System's Policy
Decision Point (PDP).
Policy Manager and Access System Console - the Policy Manager is a browser-based graphical tool
for configuring the resources to be protected as well as creating and managing access policies.
Identity Server - manages identity information about users, groups, organizations, and other
objects.
WebPass - the presentation tier of the Identity System.

Accessing E-Business Suite Instances with Single Sign-On


Oracle Application Server, Oracle Internet Directory and Oracle Single Sign-On Server are
required to enable single sign on (SSO) functionality with the E-Business Suite.

For Oracle E-Business Suite Release 12, mod_osso, an Oracle HTTP Server module, is used for
Single Sign-On authentication. It allows the E-Business Suite to register as a partner application to
the Oracle Single Sign-On Server, giving users the ability to access other registered partner
applications with a single credential (for example, a username/password combination). As a
partner application, the E-Business Suite also supports Single Sign-Off.

OracleAS SSO Server, Oracle Access Manager and E-Business Suite form a chain of trust: OracleAS
SSO Server delegates authentication to Oracle Access Manager, and E-Business Suite, which only ever
interacts with OracleAS SSO Server, therefore trusts Oracle Access Manager implicitly. Because that
delegation is carried in an HTTP header set by WebGate, the OracleAS SSO Server must be reachable
only through the WebGate-protected Oracle HTTP Server; otherwise the header could be supplied by
the client rather than by WebGate.

[Figure: Simple architecture with OracleAS SSO, the E-Business Suite server and the Access Server
installed on separate servers; customers, partners and supply-chain users reach the environment
from the Internet.]

Process overview: Integration of Oracle Access Manager, Oracle AS Single Sign-On and Oracle
E-Business Suite

1. A user requests access to E-Business Suite. E-Business Suite redirects the request to the
OracleAS SSO Server for authentication.
2. WebGate, a plug-in running on the OracleAS HTTP Server, intercepts the request and asks the
Access Server for the security policy to determine whether the resource is protected. If it is,
WebGate prompts the user to authenticate.
3. The credentials entered by the user are validated against the directory.
4. On successful authentication, an encrypted Oracle Access Manager single sign-on cookie is set
in the user's browser.
5. The Access System then determines whether the user is authorized by applying the policies
configured for the resource.
6. On successful authorization, the Access System executes the actions defined in the security
policy and sets an HTTP header variable that maps to the OracleAS 10g user ID.
7. The OracleAS SSO Server recognizes the Oracle Access Manager header variable, authenticates
the user, sets the Oracle SSO cookie and redirects back to E-Business Suite.
8. Back at E-Business Suite, the Single Sign-On security tokens are recognized, the user is looked
up in the FND_USER table and his or her assigned Applications responsibilities are determined.

The integration process consists of the following major steps:

1. Install Oracle Application Server 10g Enterprise Edition on a standalone server, or in a
separate ORACLE_HOME on an existing server.
2. Install the interoperability patches that integrate the Oracle Application Server 10g
Enterprise Edition server with the E-Business Suite environment.
3. Synchronize user information between the Oracle Application Server 10g Enterprise Edition
server and the E-Business Suite environment.
4. Install Oracle Access Manager on a standalone server or on an existing server, and install
WebGate on the OracleAS HTTP Server.
5. Synchronize user information between the Oracle Application Server 10g Enterprise Edition
server and the Oracle Access Manager user base, if it is different from the OracleAS user base.

Install OracleAS Identity Management Infrastructure 10g


This task creates the standalone Oracle Application Server 10g Enterprise Edition server that
will be associated with the E-Business Suite server and the Oracle Access Server.

Run runInstaller on Linux/UNIX or setup.exe on Windows.



Select Oracle Application Server Infrastructure 10g

Select Configuration Options:


Select Oracle Internet Directory, OracleAS Directory Integration
and Provisioning, OracleAS Single Sign-On, OracleAS Delegated
Administration Services

Test the Oracle AS Infrastructure environment

Go to OID DAS (Oracle Internet Directory Delegated Administration Service) and log in as
orcladmin:
http://<host_name>.<domain>:<Infrastructure http port number>/oiddas

Install the E-Business Suite SSO 10g integration patch, if needed (the integration patch is
included in the R12 Rapid Install).

On the E-Business Suite (EBS) application tier, set the environment and run the following
commands from $FND_TOP. For example, to provision users from OID to EBS, use the
ProvOIDtoApps.tmp template:

chmod 755 $FND_TOP/admin/template/ProvOIDtoApps.tmp

Grant CONNECT and RESOURCE to the SSOSDK schema.

Register EBS with the OracleAS Infrastructure:

$ txkrun.pl -script=SetSSOReg -provtmp=$FND_TOP/admin/template/ProvOIDtoApps.tmp

The script prompts for the following information:
Enter the host name where Oracle AS Infrastructure database is installed: <OAS Infra host>
Enter the Oracle AS Infrastructure database port number: 1521
Enter the Oracle AS Infrastructure database SID: <OID SID>
Enter the LDAP Port on Oracle Internet Directory server: 389
Enter Oracle E-Business apps database user password: <Apps password>
Enter Oracle AS Infrastructure database ORASSO schema password: <ORASSO password>
Enter Oracle E-Business SYSTEM database user password: <DB Password>
Enter E-Business Suite existing SSOSDK schema password or choose a password to use with the new SSOSDK schema if the schema does not exist: <SSOSDK Password>
Enter the Oracle Internet Directory Administrator (orcladmin) Bind password: <password>
Enter the password that you would like to register this E-Business instance with: <password>

Use LDAPUserImport or the Oracle Internet Directory provisioning solution to move users into
Oracle E-Business Suite.

Link the EBS accounts with SSO users
Set the SSO-related profile options in EBS to enable Single Sign-On, and set up the link option
for existing users.
Log in to EBS through http://<EBSServerName>:<port>/oa_servlets/AppsLogin. EBS redirects to the
OracleAS SSO page.



Enter the user ID and password; after authentication, Oracle SSO redirects back to EBS.
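Before enabling the link option it is worth reconciling the EBS accounts with the directory, so that every active FND_USER row is either already linked (USER_GUID holds the orclGUID of its OID entry) or has an OID entry it can be linked to. The Python script below is an added example, not part of this paper and not an Oracle tool. It assumes a CSV export of FND_USER with the columns USER_NAME, USER_GUID and END_DATE, and an LDIF export of the OID user container carrying uid and orclguid; both inputs embedded in the script are constructed sample data.

```python
"""Reconcile E-Business Suite FND_USER accounts with Oracle Internet Directory entries.

Added example (not from the white paper). Assumed inputs:
  * CSV export of FND_USER: USER_NAME, USER_GUID (32-hex orclGUID when the account is
    already linked, empty when it is not), END_DATE (non-empty for end-dated accounts)
  * LDIF export of the OID user container with uid and orclguid attributes
Both samples below are constructed for the example.
"""
import csv
import io
from dataclasses import dataclass, field

FND_USER_CSV = """USER_NAME,USER_GUID,END_DATE
JSMITH,1F3A5B7C9D0E1F2A3B4C5D6E7F8A9B0C,
MJONES,,
TBROWN,00000000000000000000000000000000,
RWHITE,AAAABBBBCCCCDDDDEEEEFFFF00001111,2008-01-31
"""

OID_LDIF = """# constructed export of cn=users
dn: cn=jsmith,cn=users,dc=example,dc=com
uid: jsmith
orclguid: 1F3A5B7C9D0E1F2A3B4C5D6E7F8A9B0C
objectclass: orclUserV2

dn: cn=mjones,cn=users,dc=example,dc=com
uid: mjones
orclguid: 2222333344445555666677778888999A
objectclass: orclUserV2

dn: cn=newhire,cn=users,dc=example,dc=com
uid: newhire
orclguid: 99998888777766665555444433332222
objectclass: orclUserV2
"""


@dataclass
class Report:
    linked: list = field(default_factory=list)          # USER_GUID matches an OID entry
    linkable: list = field(default_factory=list)        # no USER_GUID, but OID has the same uid
    missing_in_oid: list = field(default_factory=list)  # no USER_GUID and no OID entry: provision first
    dangling: list = field(default_factory=list)        # USER_GUID set but no such orclguid in OID
    oid_only: list = field(default_factory=list)        # OID users with no EBS account at all


def parse_ldif(text):
    """Return {orclguid (upper-case): uid (lower-case)} from a minimal LDIF export."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():                      # a blank line ends an entry
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:    # folded continuation of the previous value
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        last_attr = attr.strip().lower()
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        entries.append(current)
    return {e["orclguid"][0].upper(): e["uid"][0].lower()
            for e in entries if "orclguid" in e and "uid" in e}


def parse_fnd_user(text):
    """Return [(USER_NAME, USER_GUID, END_DATE), ...] from the CSV export."""
    return [(r["USER_NAME"].strip().upper(), r["USER_GUID"].strip().upper(), r["END_DATE"].strip())
            for r in csv.DictReader(io.StringIO(text))]


def reconcile(fnd_rows, oid_by_guid):
    """Sort every active EBS account into one of the Report buckets."""
    rep = Report()
    oid_by_uid = {uid: guid for guid, uid in oid_by_guid.items()}
    seen = set()
    for name, guid, end_date in fnd_rows:
        if end_date:                              # end-dated accounts cannot log in; ignore them
            continue
        if guid:
            if guid in oid_by_guid:
                rep.linked.append(name)
                seen.add(guid)
            else:
                rep.dangling.append(name)
        elif name.lower() in oid_by_uid:
            rep.linkable.append(name)
            seen.add(oid_by_uid[name.lower()])
        else:
            rep.missing_in_oid.append(name)
    rep.oid_only = sorted(uid for guid, uid in oid_by_guid.items() if guid not in seen)
    return rep


if __name__ == "__main__":
    report = reconcile(parse_fnd_user(FND_USER_CSV), parse_ldif(OID_LDIF))
    for bucket, names in vars(report).items():
        print(f"{bucket:15s} {', '.join(names) or '-'}")
```

Accounts in the dangling bucket deserve attention before cut-over: their USER_GUID points at a directory entry that no longer exists, so the link option will not repair them and they need to be re-linked or end-dated.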

Install Oracle Access Manager and install WebGate on the OracleAS HTTP Server.

Integrating Oracle Access Manager with Oracle Single Sign-On

Log in to the Policy Manager.

Create a policy domain and protect the following HTTP resources:

1) /sso/auth
2) /pls/orasso/orasso.wwsso_app_admin.ls_login

Configure the default rules with the Basic Over LDAP authentication scheme.

Click the Actions subtab to configure the authentication success and failure actions. Click Add
and configure the Return Attributes for Authentication Success so that the user ID is returned in
the header variable the OracleAS SSO Server will read. Click Save when done.

Configure the policies with the following information:

Resource operations: GET and POST
Resource type: http

Create the authorization rule and allow access to anyone; the resources protected here are only
the OracleAS SSO login endpoints, so authentication is what this policy domain enforces. Enable
the policy domain.
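Once the policy domain is enabled, the protection can be checked from a client before the OracleAS SSO plug-in is touched. The Python script below is an added example, not part of this paper. It assumes the two resources above are protected by the Basic Over LDAP scheme, so an anonymous request must be answered by WebGate with a 401 and a Basic challenge; a 200, or a redirect to the OracleAS SSO login page, means the request reached OracleAS SSO without passing through WebGate. HEADER_VARIABLE is a placeholder for the header name configured in the Return Attributes; the script also sends that header with a forged value to confirm that WebGate still challenges such a request.

```python
"""Probe the OracleAS SSO login resources to confirm WebGate is in front of them.

Added example, not part of the white paper. Assumptions: the policy domain uses the
Basic Over LDAP scheme (so WebGate answers anonymous requests with 401 + Basic challenge),
and HEADER_VARIABLE is the header the authentication-success action sets (placeholder name;
use the one configured in the Policy Manager).
"""
import sys
import urllib.error
import urllib.request

PROTECTED_PATHS = ["/sso/auth", "/pls/orasso/orasso.wwsso_app_admin.ls_login"]
HEADER_VARIABLE = "OAM_REMOTE_USER"   # assumed name of the configured Return Attribute header


def assess(status, headers):
    """Classify one anonymous response: 'protected', 'unprotected: ...' or 'unexpected: ...'."""
    h = {k.lower(): v for k, v in headers.items()}
    challenge = h.get("www-authenticate", "")
    if status == 401 and challenge.lower().startswith("basic"):
        return "protected"
    if status == 200:
        return "unprotected: served without any authentication challenge"
    if status in (301, 302, 303, 307, 308):
        location = h.get("location", "")
        if "wwsso_app_admin.ls_login" in location or "/sso/" in location:
            return "unprotected: reached OracleAS SSO native login"
        return f"unexpected: redirected to {location or '<no Location>'}"
    return f"unexpected: HTTP {status}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # surface 3xx as HTTPError instead of following it


_opener = urllib.request.build_opener(_NoRedirect())


def fetch(url, extra_headers, timeout=10):
    """GET url without following redirects; return (status, headers dict)."""
    req = urllib.request.Request(url, headers=extra_headers, method="GET")
    try:
        with _opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


def probe(base_url, paths=PROTECTED_PATHS):
    """Return {(path, variant): verdict} for a plain request and one carrying a forged header."""
    variants = {"plain": {}, "forged-header": {HEADER_VARIABLE: "sysadmin"}}
    results = {}
    for path in paths:
        for variant, extra in variants.items():
            status, headers = fetch(base_url.rstrip("/") + path, extra)
            results[(path, variant)] = assess(status, headers)
    return results


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "https://sso.example.com"  # placeholder host
    verdicts = probe(base)
    for (path, variant), verdict in verdicts.items():
        print(f"{path:45s} {variant:14s} {verdict}")
    sys.exit(0 if all(v == "protected" for v in verdicts.values()) else 1)
```

Run it as `python probe_sso.py https://<OracleAS SSO host>:<port>` from a network segment that end users actually use; a "protected" verdict for every path and both variants is what the chain of trust described earlier relies on.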

Install and Configure the Oracle Single Sign-On Authentication Plug-In

Compile the SSOOblixAuth.java file. The sample SSOOblixAuth.java file can be found in
ORACLE_HOME/sso/lib.

Compile the file on Linux with ORACLE_HOME/sso/lib/ipastoolkit.jar in the classpath, using the
command shown below:

ORACLE_HOME/jdk/bin/javac -classpath ORACLE_HOME/sso/lib/ipastoolkit.jar:ORACLE_HOME/lib/servlet.jar -d ORACLE_HOME/sso/plugin SSOOblixAuth.java

The above command creates SSOOblixAuth.class and places it in the directory
ORACLE_HOME/sso/plugin/oblix/security/ssoplugin (the package path of the class).

Register the Java class for integration by editing the policy.properties file in the following
location:

OracleAS_install_dir/sso/conf

Where OracleAS_install_dir is the directory where OracleAS Single Sign-On infrastructure is


installed.

In the OracleAS Single Sign-On policy.properties file, replace the simple authentication plug-in
with the plug-in you created in the previous steps. In this file, navigate to the line
MediumSecurity_AuthPlugin:

MediumSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOServerAuth


Comment out the existing line and add a new line to register your Java class, as follows:

MediumSecurity_AuthPlugin = oblix.security.ssoplugin.SSOOblixAuth

When editing policy.properties, take care not to insert blank space at the end of the line: Java
properties files keep trailing whitespace as part of the value, so the class name would not be
found and the plug-in would fail to load.

Save the file.

Restart the single sign-on middle tier, and restart the OC4J instance OC4J_SECURITY, for your
changes to take effect.
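The edit above is small but easy to get wrong: a stray trailing blank becomes part of the class name, and a second uncommented MediumSecurity_AuthPlugin line leaves the result ambiguous. The Python script below is an added example, not an Oracle tool and not part of this paper; it rewrites policy.properties as described, strips trailing whitespace from every line, verifies that exactly one active line names the new class, and keeps a .bak copy of the original. The properties excerpt embedded in it is a constructed sample, not a copy of the real file.

```python
"""Register the OAM plug-in in the OracleAS SSO policy.properties and verify the edit.

Added example, not from the white paper or Oracle. The file path is given on the command
line (normally $ORACLE_HOME/sso/conf/policy.properties); SAMPLE is a constructed excerpt
used when no path is supplied.
"""
import re
import shutil
import sys

KEY = "MediumSecurity_AuthPlugin"
OLD_CLASS = "oracle.security.sso.server.auth.SSOServerAuth"
NEW_CLASS = "oblix.security.ssoplugin.SSOOblixAuth"

SAMPLE = (
    "# constructed excerpt of policy.properties\n"
    "DefaultAuthLevel = MediumSecurity\n"
    f"{KEY} = {OLD_CLASS}   \n"            # trailing blanks: exactly the mistake the paper warns about
    f"LowSecurity_AuthPlugin = {OLD_CLASS}\n"
)

# key = value  or  key : value ; lines starting with # or ! are comments and do not match
_ASSIGN = re.compile(r"^\s*([^#!=:\s]+)\s*[=:]\s*(.*?)\s*$")


def active_values(text, key):
    """Values of every uncommented assignment of `key`, in file order."""
    return [m.group(2) for m in map(_ASSIGN.match, text.splitlines()) if m and m.group(1) == key]


def register_plugin(text, key=KEY, new_class=NEW_CLASS):
    """Comment out every active `key` line, add `key = new_class` once, strip trailing blanks."""
    out, done = [], False
    for line in text.splitlines():
        line = line.rstrip()             # a trailing blank would become part of the class name
        m = _ASSIGN.match(line)
        if m and m.group(1) == key:
            if m.group(2) == new_class and not done:
                out.append(line)         # already registered: keep it, so the edit is idempotent
                done = True
                continue
            out.append("#" + line)       # keep the old value visible for rollback
            if not done:
                out.append(f"{key} = {new_class}")
                done = True
            continue
        out.append(line)
    if not done:
        out.append(f"{key} = {new_class}")
    return "\n".join(out) + "\n"


def verify(text, key=KEY, expected=NEW_CLASS):
    """Raise if `key` is not set exactly once to `expected` or any line has trailing whitespace."""
    values = active_values(text, key)
    if values != [expected]:
        raise ValueError(f"{key}: expected exactly one active value {expected!r}, found {values}")
    dirty = [n for n, line in enumerate(text.splitlines(), 1) if line != line.rstrip()]
    if dirty:
        raise ValueError(f"trailing whitespace on line(s) {dirty}")
    return True


if __name__ == "__main__":
    if len(sys.argv) > 1:
        path = sys.argv[1]
        with open(path, encoding="latin-1") as fh:      # .properties files are ISO-8859-1
            original = fh.read()
        shutil.copy2(path, path + ".bak")
        updated = register_plugin(original)
        verify(updated)
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(updated)
        print(f"updated {path}; previous copy in {path}.bak")
    else:
        print(register_plugin(SAMPLE), end="")
```

Run it against the real file only after the .class has been placed under ORACLE_HOME/sso/plugin, and restart the middle tier and OC4J_SECURITY afterwards as described above; if verify() raises, the file is left untouched and the reason is printed.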

Test the integrated system. Log on to the EBS.



Harish R Jangada
Harish.Jangada@identris.com
Identris
499 Thornall Street
Edison,NJ
