Friday, June 24, 2016

EBS 12.2- Road map and High level action plan for OAM+OID integration

These days, I have new OAM+OID and EBS 12.2 integration projects.
Although I have done a couple of critical SSO+OID and EBS integrations so far, I felt that the new authenticator named OAM (Oracle Access Manager) would introduce a new challenge for me.

As the first thing to do, I created a high level action plan which reads like a roadmap, and I wanted to share it with you. Note that I also included the HA and DR related reference documents at the bottom of this document so that they are within arm's reach.

Let's take a look at our target, the new EBS login flow after the OAM enablement, and at the required EBS-OAM installation and integration process from the surface;

Our EBS environment is 12.2.4.
At the moment the latest version of OAM is 11.2.3.0. OAM 11.2.3.0 is certified with EBS 12.2.5, 12.2.4, 12.2.3, 12.1.3, 12.1.2, 12.1.1, 12.0.6 and 11.5.10.2.
So we will install OAM 11.2.3.0.
We will use E-Business Suite AccessGate to integrate EBS 12.2 with OAM. Actually, we will use the WebGate agent in conjunction with EBS AccessGate.
EBS can't go directly to Active Directory or a 3rd party LDAP (not supported), so OID must sit between EBS/OAM and the 3rd party LDAP/Active Directory. We will use OID plugins to speak (ldapbind) with the 3rd party LDAP/Active Directory residing in the backend.

When integrated with OAM, the EBS login flow works like below;

During login, the request is directed to EBS AccessGate.
OAM's WebGate agent intercepts the traffic between the user and EBS AccessGate.
Once the traffic is intercepted, OAM's WebGate agent connects the EBS user to EBS AccessGate to collect the user's credentials. At this point, the credentials given by the user are submitted to the OAM server.
Once the credentials are collected, the OAM server decides whether the user needs to be authenticated and authenticates the user.
After the authentication, the OAM server creates an SSO session and sends the user identifier to EBS AccessGate.
EBS AccessGate then connects to the database and links the authenticated OID/LDAP user with an EBS user account (via the fnd_user guid column).
Lastly, the user is redirected to the original EBS URL with an authenticated EBS session.

We will install the following components;

Oracle Access Manager 11.1.2.3
Oracle Identity Management 11.1.1.9.0
Oracle Access Manager WebGate 11.1.2.3.0 (will be installed on top of Oracle HTTP Server 11.1.1.9)
Oracle E-Business Suite AccessGate version: Patch 21522495
Oracle EBS 12.2.4 (already installed)

The detailed installation plan is as follows;
--Note that, this is the first draft, so the actual action/installation plan may be changed during the installation.

*Install an Oracle Database for OID and OAM (Oracle Database 12c Release 1 (12.1.0.1) or higher) -- Oracle recommends Enterprise Edition for production environments.
----------------------------------------------------------------------------------------------------------------------------
this step doesn't require any references, as it is a standard database installation :)

*Install OID 11.1.1.9 (Oracle Internet Directory 11gR1 Patch Set 7 (11.1.1.9.0) comes as both full installer and an upgrade)
----------------------------------------------------------------------------------------------------------------------------
Ref:Integrating Oracle E-Business Suite Release 12.2 with Oracle Internet Directory 11gR1 (Doc ID 1371932.1)
   --download weblogic 10.3.6
   --download Rcu 11.1.1.9.0 (for creating OAM + OID schemas in the database)
   --download  Oracle Identity Management 11g Patch Set 7 (11.1.1.9.0)
   --install OID + Oracle Directory Integration Platform
            -run rcu (only select 'Oracle Internet Directory')
            -Install Weblogic 10.3.6 and also apply mandatory patch for Weblogic.
            -Install OID +  Oracle Directory Integration Platform (11.1.1.9.0)
            -configure OID + Oracle Directory Integration Platform and create a WebLogic domain + managed server (follow Section 7.2.1 "OID with ODIP and Fusion Middleware Control in a New WebLogic Domain" of the Oracle Fusion Middleware Installation Guide for Oracle Identity Management)
            -Apply Required Patch  for Oracle Directory Integration Platform
            -Configure OID with EBS 12.2.
                    -start a new online patching cycle (adop prepare)
                    -set your patch env and run registration script (txkrun.pl)
                    -set required profile options in EBS 12.2(Applications SSO Enable OID Add Event, Link applications user with OID same username, Applications SSO type)
                    -run autoconfig from patch filesystem
                    -set run env
                    -execute adop cutover
                    -configure the OID plugin to be able to connect to the Active Directory/3rd party LDAP server

Configure Oracle Internet Directory to return operational attributes
Ref:Integrating Oracle E-Business Suite Release 12.2 with Oracle Access Manager 11gR2 (11.1.2) using Oracle E-Business Suite AccessGate (Doc ID 1576425.1)
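The OID registration steps above end with an adop cutover, after which the EBS side can be verified from the database. The following queries are an added example (not part of the original post or of any Oracle document) to check the two things AccessGate will depend on at login: the site-level "Applications SSO" profile options, and whether the FND_USER accounts actually carry the OID GUID that AccessGate uses to link the authenticated LDAP user to an EBS user. They are meant to be run in SQL*Plus as APPS; the profile option names are matched with a LIKE pattern, so they work whatever the exact display names are on your instance.

```sql
-- Added verification queries (not from the original post). Run as APPS.
-- Assumption: standard EBS 12.2 FND tables; LEVEL_ID 10001 is the Site level.

-- 1. Site-level values of the SSO related profile options set during the OID
--    registration (Applications SSO Type, Enable OID Add Event, Link Same Usernames, ...)
SELECT o.user_profile_option_name,
       v.profile_option_value
  FROM fnd_profile_options_vl o
  JOIN fnd_profile_option_values v
    ON v.profile_option_id = o.profile_option_id
   AND v.level_id = 10001
 WHERE o.user_profile_option_name LIKE 'Applications SSO%'
 ORDER BY o.user_profile_option_name;

-- 2. How many active EBS accounts are linked to an OID entry.
--    USER_GUID is populated when the account is linked to OID; a user without
--    a GUID cannot be resolved by AccessGate after authentication.
SELECT CASE WHEN user_guid IS NULL THEN 'NOT LINKED' ELSE 'LINKED' END AS oid_link,
       COUNT(*)                                                         AS users
  FROM fnd_user
 WHERE end_date IS NULL OR end_date > SYSDATE
 GROUP BY CASE WHEN user_guid IS NULL THEN 'NOT LINKED' ELSE 'LINKED' END;

-- 3. The active users that still have no GUID, i.e. the ones that must be
--    provisioned or linked (same-username linking) before SSO go-live.
SELECT user_name, creation_date
  FROM fnd_user
 WHERE user_guid IS NULL
   AND (end_date IS NULL OR end_date > SYSDATE)
 ORDER BY user_name;
```

Running query 2 before and after the OID provisioning gives a quick measure of how much of the user base will actually be able to log in through OAM; query 3 is the list to hand to whoever owns the directory.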

*Install & Configure Oracle Access Manager 11g Release 2 (11.1.2.3.0)
----------------------------------------------------------------------------------------------------------------------------
Ref: Oracle Fusion Middleware Identity Management 11g Release 2 (11.1.2.3.0) Documentation Library -> Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management
--check the certification matrix also, for example for IE browsers; only IE 11+ is supported. Also for OEL 6, JDK 1.7.0_80 is required.
   -Install certified JDK
   -Review the database requirements (patches may be needed, some other actions may be needed; review: Oracle Fusion Middleware System Requirements and Specifications for Oracle Identity and Access Management 11g Release 2 (11.1.2))
   -rcu is already downloaded in the OID part. (rcu 11.1.1.9.0 will be used even for Oracle Access Manager 11.1.2.3.0, because the Oracle instruction is "download and use the specific RCU version available as part of the Oracle Identity and Access Management 11g Release 2 (11.1.2) Media Pack on the Oracle Software Delivery Cloud." So when we select the media pack, we only see rcu 11.1.1.9.0 there.)
   -run rcu (select 'Identity Management - Oracle Access Manager' + 'Identity Management - Oracle Mobile Security Manager'). Oracle Mobile Security Manager is a must: we must manually select its schema as well, because when we install and configure Oracle Access Management in a WebLogic domain, the Oracle Mobile Security Manager server is installed and configured in the domain by default.
   -weblogic server is already downloaded in OID part.
   -Install Weblogic 10.3.6 and also apply mandatory patch for Weblogic.
   -Install the Oracle Identity and Access Management 11g software. (basically run "runInstaller")
   -Configure the Oracle Identity and Access Management 11g software
          -Configure Oracle Access Management - IAM_HOME/common/bin/config.sh
          -Configure the Database Security Store
          -Start Weblogic Admin Server and managed servers
          -Run the Environment Health Check Utility to Verify our Installation and Configuration (cd IAM_HOME/healthcheck/bin; idmhc.sh -manifest IAM_HOME/healthcheck/config/PostInstallChecks.xml )
   -Apply BP3 to OAM (Oracle strongly recommends applying Oracle Access Manager 11.1.2.3 Bundle Patch 3 (OAM 11.1.2.3.3) as this includes a fix for Patch 19438948. )
*Apply EBS prereqs for OAM
   -Apply the Latest AD and TXK Delta Release Update Packs (Document 1617461.1, Applying the Latest AD and TXK Release Update Packs to Oracle E-Business Suite Release 12.2, and follow the instructions to apply the required code level of AD and TXK for your system.)
   -Apply patches for EBS 12.2 - OAM 11.1.2.3 interoperability:
        12.2 R12.TXK.C Patch 21523147
        12.2 R12.TXK.C Patch 20735848
        12.2 R12.TXK.C Patch 21229697
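Before moving on to the WebGate installation, it is worth confirming from the database that the AD/TXK prerequisite and the three interoperability patches listed above are really on the instance. The queries below are an added example (not from the original post or from Oracle's notes) to be run in SQL*Plus as APPS. They assume the 12.2 AD_TRACKABLE_ENTITIES table for the code levels and treat a patch as applied when its bug number appears in AD_BUGS; note that in 12.2 a patch applied in the patch edition only becomes visible in the run edition after cutover.

```sql
-- Added verification queries (not from the original post). Run as APPS on EBS 12.2.
-- Assumption: AD_TRACKABLE_ENTITIES holds the AD/TXK code levels and AD_BUGS
-- lists every applied bug number (BUG_NUMBER is stored as a string).

-- 1. AD and TXK delta code levels (prerequisite from Document 1617461.1)
SELECT abbreviation, codelevel
  FROM ad_trackable_entities
 WHERE abbreviation IN ('ad', 'txk');

-- 2. The three EBS 12.2 - OAM 11.1.2.3 interoperability patches from the plan.
--    A LEFT JOIN keeps the missing ones visible instead of silently dropping them.
WITH wanted (bug_number) AS (
  SELECT 21523147 FROM dual UNION ALL
  SELECT 20735848 FROM dual UNION ALL
  SELECT 21229697 FROM dual
)
SELECT w.bug_number,
       CASE WHEN b.bug_number IS NULL THEN 'MISSING' ELSE 'APPLIED' END AS status,
       b.last_update_date
  FROM wanted w
  LEFT JOIN ad_bugs b
    ON b.bug_number = TO_CHAR(w.bug_number)
 ORDER BY w.bug_number;
```

Any row reporting MISSING means the corresponding patch still has to go through an adop cycle (or the current cycle has not been cut over yet) before the WebGate and AccessGate steps are attempted.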
*Download and install Oracle Access Manager WebGates
        -Download Oracle Access Manager OHS 11g WebGates 11.1.2.3.0 from Identity & Access Management 11gR2 Downloads.
        -Upgrade EBS's HTTP Server to 11.1.1.9 if it is not already.
        -install Access Manager WebGate on EBS's HTTP Server (txkrun.pl -script=SetOAMReg -installWebgate=yes -webgatestagedir=<webgate stage directory>)
        -Apply bundle patch for Oracle Access Manager Webgates - BP01.
*Integrate Oracle E-Business Suite with Oracle Access Manager
       -Deploy Oracle E-Business Suite AccessGate (do it with perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources -contextfile=$CONTEXT_FILE -deployApps=accessgate )
       -Register Oracle E-Business Suite with Oracle Access Manager (txkrun.pl -script=SetOAMReg -registeroam=yes)
*Test Single Sign-On with Oracle E-Business Suite (http://<ebshost>.<domain>:<port>/OA_HTML/AppsLogin)
*Perform fs_clone      
*Configure TLS (SSL) - optional; configure SSL/TLS between WebGate and Access Manager, and for EBS itself.
      -For Webgate and Access Manager:
         Ref:Oracle Fusion Middleware Administrator's Guide for Oracle Access Management: Securing Communication Between OAM Servers and WebGates  
         Securing Communication provides instructions on how to secure communications between Oracle Access Manager 11g and WebGates.
      -For EBS 12.2:
         Ref:Enabling TLS in Oracle E-Business Suite Release 12.2 (Doc ID 1367293.1)
       --EBS's SSL/TLS version should be the same as OAM's SSL/TLS version.

Additional References if DR and H/A need to be implemented: 

Reference Figure 8-1 shows a sample Oracle Fusion Middleware 11g Oracle Identity Management high availability architecture from the Fusion Middleware High Availability Guide at the URL:
https://docs.oracle.com/cd/E28280_01/core.1111/e10106/imha.htm#ASHIA804
8.2 Prerequisites for Oracle Identity Management High Availability Configuration
https://docs.oracle.com/cd/E28280_01/core.1111/e10106/imha.htm#ASHIA3047
8.3 Oracle Internet Directory High Availability
https://docs.oracle.com/cd/E28280_01/core.1111/e10106/imha.htm#ASHIA806
8.3.3.3 Configuring Oracle Internet Directory With a WebLogic Domain
8.3.3.3.1 Configuring Oracle Internet Directory on OIDHOST1
This section describes the steps to deploy Oracle Internet Directory in a high availability configuration as part of a WebLogic Server domain.
8.3.3.3.3 Configuring Oracle Internet Directory on OIDHOST2
Ensure that the Oracle Internet Directory repository is running and then follow these steps to configure the Oracle Internet Directory instance on OIDHOST2:
On the second node, you will be extending the domain using config.sh tool.

The following document is for Active-Passive solution:

12 Active-Passive Topologies for Oracle Fusion Middleware High Availability
Fusion Middleware High Availability Guide
http://docs.oracle.com/cd/E28280_01/core.1111/e10106/ap.htm#ASHIA3205

The following document is for DR solution:

Fusion Middleware Disaster Recovery Guide
1.2.1 Oracle Fusion Middleware Disaster Recovery Architecture Overview
http://docs.oracle.com/cd/E28280_01/doc.1111/e15250/intro.htm#ASDRG106
The Oracle Fusion Middleware Disaster Recovery solution supports these methods of providing data protection for Oracle Fusion Middleware data and database content:
- Oracle Fusion Middleware product binary files, configuration files, and metadata files
Use storage replication technologies.
- Database content
Use Oracle Data Guard for Oracle databases (and vendor-recommended solutions for third-party databases)

Also  note the following in "http://docs.oracle.com/cd/E28280_01/doc.1111/e15250/creating_sites.htm#ASDRG512" ->
4.5.6.1 Using rsync and Oracle Data Guard for Oracle Fusion Middleware Disaster Recovery Topologies

5 comments :

  1. Hi Erman

    Can I use the same weblogic domain created for OID and extend the same for OAM

  2. Hi Raja,

    Technically possible but; I don't recommend it.
    Sometimes, we use the same Weblogic server but not the same domain for those two.

    OID is an IDM(Oracle Identity Management) component.
    OAM is an IAM(Identity and Access Management) component.

    And this is from Oracle:

    IDM and IAM components can be installed into a single Middleware Home and share a single Weblogic Server domain, as long as they share the same version number or patch set. In production cases, the intention is usually a separate machine to distribute your resources and security rules within a full topology.
    "Given that there are no guarantees that a future patchset will be applicable to both IDM and IAM, the best practice is to maintain separate Middleware homes for IDM and IAM"

  3. Thanks for sharing the high level steps, can you please share the detailed document if you have any

  4. Hi Hussein,

    "the best practice is to maintain separate Middleware homes for IDM and IAM"
    -- Can we use the single server to Maintain the separate Middleware homes
    -- Can we use the same database for both OID and OAM ?

    Actually, our requirement is to implement One Time Password (OTP) or Multi-Factor Authentication (MFA) on our DMZ server(for iSuppliers).
    For this purpose we are planning to install and configure OAM and OID, so that on top of OAM we can implement MFA for our DMZ(R12.2.7) which is on Oracle Solaris on SPARC (64-bit).

    Could you please help me in providing some useful documents or links for carrying out the entire task.



    Thanks
    Kasim


If you will ask a question, please don't comment here..

For your questions, please create an issue into my forum.

Forum Link: http://ermanarslan.blogspot.com.tr/p/forum.html

Register and create an issue in the related category.
I will support you from there.