Wednesday, December 4, 2013

EBS (E-Business Suite) R12 Integration with Oracle Access Manager 11g R2

Note: This post is not a new invention but simplifies the steps given in the integration document provided by Oracle. I have successfully integrated using the steps below.

Pre-Requisites:

• Oracle EBS 12.0.6 or 12.1.1 or later installed and configured
    o Patch 10220779 needs to be applied for 12.0.6
    o Patch 8919489 needs to be applied for 12.1.1
    Note: For other versions no patch is required
• OID 11g R1 installed and configured
• OAM 11g R1 or OAM 11g R2 installed and configured
• OHS & Webgate (11g) installed and configured

The High Level Steps & Components Involved in this Integration

1. EBS R12:
    • Depending on the version of EBS, a patch is required before the integration. Refer to the pre-requisites section above for the required patches.
    • The FND patch (as listed below) needs to be applied
    • Site Profiles need to be modified as explained in the sections below
    • Register the EBS instance & Home with OID
2. EBS AccessGate:
    • The integration uses EBS AccessGate, so EBS AccessGate must be installed as a managed server in either its own domain or an existing domain (not the IAM domain). AccessGate will be deployed in this managed or admin server
3. OID 11g R1:
    • EBS R12 SSO using OAM 11g has a mandatory requirement of OID. The EBS instance & Home will be registered with OID. OID is also the identity store for user authentication.
    • Configure OID to return operational attributes for lookup requests
4. OAM 11g R2/R1:
    • Requires Resources and Policies (AuthN & AuthZ) to be created in a Policy Domain.
5. OHS & Webgate:
    • Update the OHS proxy configuration so that requests to protected resources are proxied from OHS

Detailed Steps for the Integration:

1. Make sure the components listed above are installed before the integration
2. Configure OID to return the operational attributes for lookup requests
    • Make an LDIF file with the contents below

        dn: cn=dsaconfig, cn=configsets,cn=oracle internet directory
        changetype: modify
        add: orclallattrstodn
        orclallattrstodn: cn=orcladmin

      where the value of orclallattrstodn is the Bind DN which is used to connect to OID
    • Run the ldapmodify command to add the above entry. The entry can also be modified using the ODSM console
3. Install a WebLogic instance or domain for EBS AccessGate
4. Download the EBS AccessGate (Patch 12796012) from the Oracle website
    • Create a folder for EBS AccessGate
    • Unzip the downloaded patch
    • Create another directory "plan" in the patch directory location
    • Copy the fndext.jar file from the downloaded location to the 'lib' location of the EBS AccessGate WebLogic domain ($MW_HOME/user_projects/domains//lib/)
    • Restart the EBS AccessGate domain & managed servers
5. Create a directory "public" in the OHS Server at OHS_HOME/instances//config/OHS/ohs1/htdocs/
6. Copy the samplecleanup.html file from the above EBS AccessGate Patch location to the OHS Server at the OHS_HOME/instances//config/OHS/ohs1/htdocs/public location
7. Rename the file as "oacleanup.html". Make sure there is no other file with this name. This is the centralized log-out script which cleans up the cookies and logs out the user.
8. Get the DBC file from the EBS server. It is required for creating the datasource connection from EBS AccessGate to the EBS Database server.
    • Log in to the EBS DB Server.
    • Run the environment variables script (Ex: . VIS_.env)
    • java oracle.apps.fnd.security.AdminDesktop / CREATE NODE_NAME= IP_ADDRESS= DBC=
    • Copy the generated DBC file back to the EBS AccessGate patch directory
9. Deploy the AccessGate Application and create the datasource connection to the EBS DB server
    • cd $MW_HOME/wlserver_10.3/server/bin/
    • . setWLSEnv.sh
    • Set the DOMAIN_HOME variable (ex: export DOMAIN_HOME=$MW_HOME/user_projects/domains/)
    • Go to the EBS AccessGate Patch directory and look for the script "txkEBSAuth.xml"
    • Run the command as shown below
    • ant -f txkEBSAuth.xml
    • It prompts for the WebLogic user ID, password, EBS application schema, deployment plan file location, DBC file location, etc.
    • The above command will deploy the AccessGate application into the EBS AccessGate server and create the datasource connections
    Note: The above command works only for a single-instance database. If using Oracle RAC, the datasource connections need to be created manually.
    • Restart the EBS AccessGate admin and managed servers
10. Assuming Webgate is already installed and registered with the OAM 11g server, create the required application domain, resources, policies, etc. in the OAM console
    • Create an application domain like "EBS App Domain" in the OAM Console
    • Create an EBS ID store (data store) under the System Configuration tab. This is the OID user data store
    • Create an EBS Authentication Module (LDAP) and assign the above data store as "identity store"
    • Create an EBS Authentication Scheme with the parameters below
        o Authentication Level: 1
        o Challenge Method: FORM
        o Challenge Redirect URL: http://:14100/oam/server
        o Authentication Module: EBS Authentication Module
        o Challenge URL: http://:///OAMLogin.jsp
        o Context Type: external
    • Create Protected Resource & Public Resource containers under Authentication Policies
    • Create Protected Resource & Public Resource containers under Authorization Policies
    • Create the resources below for the above application domain
        o Protected Resource Policies
            /ebsauth_app (This is the EBS application context)
            /ebsauth_appsp1/.../*
        o Public Resource Policies
            /ebsauth_appsp1/OAMLogin.jsp
            /ebsauth_appsp1/ssologout.do
            /ebsauth_appsp1/ssologout_callback
            /ebsauth_appsp1/style
        o Un-Protected (Excluded) Resource Policies
            /exclude/index.html
            /public/oacleanup.html
    • Open the Protected Resource Policies under EBS Application Domain Authentication Policies
        o Assign "EBS Authentication Scheme" as the authentication scheme
        o Enter "http://:///OAMLogin.jsp" in the failure URL
        o In the response tab enter the details below
            USER_NAME Header $user.userid
            USER_ORCLGUID Header $user.attr.orclguid
    • Open the Protected Resource Policies under EBS Application Domain Authorization Policies
        o Enter "http://:///OAMLogin.jsp" in the failure URL
        o Check the "Use Implied Constraints" checkbox
        o In the response tab enter the details below
            USER_NAME Header $user.userid
            USER_ORCLGUID Header $user.attr.orclguid
11. Configure redirection in the OHS server
    • Log in to the OHS server
    • Go to /instances/instance_name/config/OHS/ohs1/
    • Update the mod_wl_ohs.conf file with the contents below

        SetHandler weblogic-handler
        WebLogicHost
        WebLogicPort

    • Restart the OHS server
12. Apply the FND patch on the EBS Server
    • 12408040 for version 12.0.6
    • 12408233 for version 12.1.1
    • 12387976 for 12.1.2 & 12.1.3
13. Restart the EBS Application
14. Configure the EBS Site Policies as listed below
    • Application Authenticate Agent = http://:///
    • AutoLink SSO User = True
    • OID Synchronization = True
    • Application SSO Type = SSWA w/SSO
15. Restart the EBS Application
16. Configure the centralized log-out page
    • Open the "oacleanup.html" file in the OHS server
    • Update the below lines
    • In the function doLoad() section add the lines below

        logoutHandler.addCallback('/ebsauth_fin02/ssologout_callback');
        logoutHandler.addCallback('http://webgatehost2.example.com:7780/ebsauth_test/ssologout_callback');
        logoutHandler.addCookie('ObSSOCookie','domain=.);

    • Restart the OHS Server
17. Test the integration by accessing the EBS Application URL (ex: http://ebs server:8000/OA_HTML/AppsLogin?>). It prompts with the EBS AccessGate Login Page. Enter user credentials and verify that you are able to access the EBS Application
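The resource lists in step 10 decide which AccessGate URLs require an OAM session and which are reachable without one. The Python sketch below is an added example, not part of the original post or of Oracle's code: it lints such a list and reports which policy would govern a request path under an assumed, simplified most-specific-match model (OAM's own matching engine is not reproduced). The function names and the sample list, with the multi-level wildcard written as three dots and one entry missing its leading slash, are constructed for illustration.

```python
import re

# Constructed input: the step 10 resource lists, with one public entry
# deliberately left without its leading slash so the lint has something to find.
POLICIES = {
    "protected": ["/ebsauth_app", "/ebsauth_appsp1/.../*"],
    "public": ["/ebsauth_appsp1/OAMLogin.jsp", "ebsauth_appsp1/ssologout.do",
               "/ebsauth_appsp1/ssologout_callback", "/ebsauth_appsp1/style"],
    "excluded": ["/exclude/index.html", "/public/oacleanup.html"],
}

def lint(policies):
    """Return (policy, resource) pairs that are not absolute paths."""
    return [(name, res) for name, items in policies.items()
            for res in items if not res.startswith("/")]

def to_regex(pattern):
    """Translate a pattern: '...' spans directory levels, '*' stays within one."""
    parts = []
    for seg in pattern.split("/")[1:]:
        if seg == "...":
            parts.append("(?:[^/]+/)*")
        else:
            parts.append(re.escape(seg).replace(r"\*", "[^/]*") + "/")
    return re.compile("^/" + "".join(parts).rstrip("/") + "$")

def classify(path, policies):
    """Return the policy whose most specific pattern matches, else 'unmatched'."""
    best, best_score = "unmatched", -1
    for name, items in policies.items():
        for res in items:
            if not res.startswith("/"):
                continue  # assumption of this model: an invalid entry never matches
            score = len(res.replace("...", "").replace("*", ""))  # literal chars
            if to_regex(res).match(path) and score > best_score:
                best, best_score = name, score
    return best

if __name__ == "__main__":
    print("lint:", lint(POLICIES))
    for path in ("/ebsauth_appsp1/OAMLogin.jsp", "/ebsauth_appsp1/ssologout.do",
                 "/ebsauth_appsp1/style/main.css", "/public/oacleanup.html"):
        print(f"{classify(path, POLICIES):10} {path}")
```

Under this model the slash-less logout entry never matches, so the logout URL falls to the protected wildcard, and files beneath /ebsauth_appsp1/style are protected even though the directory entry itself is public; confirm both against the behaviour of the actual OAM deployment.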
