Tuesday, August 27, 2019

Integrating Oracle E-Business Suite Release 12.2 with Oracle Access Manager 11gR2 (11.1.2) using Oracle E-Business Suite AccessGate (Doc ID 1576425.1)

This document describes how to integrate Oracle E-Business Suite Release 12.2 with Oracle Access Manager 11g Release 2 (11.1.2) using Oracle E-Business AccessGate.
Before you begin integration, you should read and understand all content described in this document.
The most current version of this document can be obtained from My Oracle Support Knowledge Document 1576425.1.
There is a change log at the end of this document.


Section 1: Introduction

Oracle Access Manager 11g Release 2 (11.1.2) provides a comprehensive identity management and access control system that simplifies user access across applications.
For more information about Oracle Access Manager (OAM), refer to the Access Manager home page on the Oracle Corporation Web site at:
http://www.oracle.com/us/products/middleware/identity-management/oracle-access-manager/overview/index.html

This document describes how to integrate Oracle E-Business Suite Release 12.2 with Oracle Access Manager 11g Release 2 (11.1.2) using Oracle E-Business AccessGate.
If you have multiple instances of Oracle E-Business Suite that you wish to integrate with Oracle Access Manager for single sign on, perform the steps in this document on each Oracle E-Business Suite instance.
For more information about single sign-on concepts, architecture, and options for integrating Oracle E-Business Suite with Oracle Identity Management products, refer to My Oracle Support Knowledge Document 1388152.1 Overview of Single Sign-On Integration Options for Oracle E-Business Suite.
The procedures in this document have significant effects on Oracle E-Business Suite Release 12.2 environments and should be executed only by skilled Oracle E-Business Suite database or system administrators. Users are strongly advised to first review the prerequisites and plan the installation and configuration on the various supported platforms.
For information about which platforms are supported by Oracle Access Manager, refer to the Oracle Identity and Access Management 11g Release 2 (11.1.2.3) Certification Matrix.
Note that Oracle Identity and Access Management 11g Release 2 (11.1.2) is supported on 64-bit processors only.

Section 2: Supported Architecture and Release Versions

The following software components must be installed on a standalone server accessing an Oracle E-Business Suite, or in separate Fusion Middleware Homes on an existing application tier server node.
Component Name                                            Version
Oracle Access Manager / Oracle Access Manager WebGate     11.1.2.2, 11.1.2.3 (see Footnote 1 for restrictions)
Oracle Identity Management                                11.1.1.7, 11.1.1.9
Oracle Unified Directory                                  11.1.2.3
Footnote 1: As per Section 9 of the Oracle Fusion Middleware Release Notes for HTTP Server, Oracle WebGate version 11.1.2.3 for Oracle HTTP Server supports only Oracle HTTP Server version 11.1.1.9.
If you have integrated Oracle E-Business Suite 12.2 with Oracle Unified Directory 11.1.2.3 as detailed in My Oracle Support Knowledge Document 2003483.1, then Oracle HTTP Server 11.1.1.9 is already configured on the Oracle E-Business Suite environment, and you MUST therefore install and integrate with Oracle Access Manager 11.1.2.3 using Oracle Access Manager WebGate 11.1.2.3.
The following components must be used on the Oracle E-Business Suite Release 12 instance:
Component Name                          Version
Oracle E-Business Suite Release 12      12.2.2+

Section 3: Prerequisite Installations and Configurations

This section describes the following prerequisite installations and configurations:
  • 3.1 Integrate Oracle Internet Directory or Oracle Unified Directory with Oracle E-Business Suite
  • 3.2 Configure Oracle Internet Directory to return operational attributes
  • 3.3 Install and Configure Oracle Access Manager
  • 3.4 Apply Required Updates to Oracle Access Manager Server
  • 3.5 Install Prerequisite Software Updates and Components on your Oracle E-Business Suite Release 12.2 Instance

3.1 Integrate Oracle Internet Directory or Oracle Unified Directory with Oracle E-Business Suite

It is a requirement to use either Oracle Internet Directory or Oracle Unified Directory for any LDAP or single sign-on integration with Oracle E-Business Suite.
Oracle Internet Directory:
Use the instructions in the following My Oracle Support Knowledge Document to integrate Oracle Internet Directory with Oracle E-Business Suite.
  • Document 1371932.1 Integrating Oracle E-Business Suite Release 12.2 with Oracle Internet Directory 11gR1. If you are integrating with OID 11g for the first time, refer to this document for more information about specific requirements and additional patches that are required for integration with Oracle E-Business Suite.
For further information regarding provisioning between Oracle E-Business Suite and Oracle Internet Directory, refer to Oracle E-Business Suite Security Guide Release 12.2.
Oracle Unified Directory:
Use the instructions in the following My Oracle Support Knowledge Document to integrate Oracle Unified Directory with Oracle E-Business Suite.
  • Document 2003483.1 Integrating Oracle E-Business Suite Release 12.2 with Oracle Unified Directory 11g Release 2. If you are integrating with OUD 11g for the first time, refer to this document for more information about specific requirements and additional patches that are required for integration with Oracle E-Business Suite.

3.2 Configure Oracle Internet Directory to return operational attributes

This step is only required for customers using Oracle Internet Directory. If your configuration is using Oracle Unified Directory, skip this step and proceed to step 3.3 - Install and Configure Oracle Access Manager.
Configure Oracle Internet Directory to return operational attributes for lookup requests. This modification adds the orclguid attribute to records returned by Oracle Internet Directory when queried by Oracle Access Manager, allowing these records to be mapped to others that are uniquely identified by orclguid. To make this modification, create an ldif file as detailed below and execute the ldapmodify command from the Oracle Home where Oracle Internet Directory is installed:
Create an ldif file (for example 'change_attrs.ldif') containing the following:
dn: cn=dsaconfig, cn=configsets,cn=oracle internet directory
changetype: modify
add: orclallattrstodn
orclallattrstodn: [DN]
where [DN] is the DN (Distinguished Name) of the account that Oracle Access Manager uses to communicate with Oracle Internet Directory; for example, cn=orcladmin. If you are not sure what this value is for your site, you can find it by logging on to Oracle Directory Services Manager (ODSM), and looking under the Root element in the Data Tree on the Data Browser tab.
For example:
dn: cn=dsaconfig, cn=configsets,cn=oracle internet directory
changetype: modify
add: orclallattrstodn
orclallattrstodn: cn=orcladmin
Run the following to execute the command from the newly created ldif file:
$ORACLE_HOME/bin/ldapmodify -h [ldaphost] -p [ldapport] -D [bind DN] -w [bind passwd] -v -f [ldif_filename]
where [bind DN] is an administrator account permitted to modify the DSA configuration (typically cn=orcladmin); it need not be the same DN that you placed in the ldif file. For example:
$ORACLE_HOME/bin/ldapmodify -h ldaphost.example.com -p 3060 -D cn=orcladmin -w welcome972 -v -f change_attrs.ldif
Note that a password passed with -w is recorded in the shell history and is visible in the process list while the command runs; clear the history entry afterwards.

3.3 Install and Configure Oracle Access Manager

RHEL 6 customers only (Oracle Access Manager 11.1.2.2 only):

Download and apply Unified Installer Patch 18231786 before installing Oracle Access Manager 11.1.2.2.
Install and Configure Oracle Access Manager 11g Release 2 (11.1.2.3), following the installation instructions in the Installation Guide for Oracle Identity and Access Management, available from the Oracle Fusion Middleware Identity Management 11g Release 2 (11.1.2.3.0) Documentation Library.
For information about which platforms are supported by Oracle Access Manager, refer to the Oracle Identity and Access Management 11g Release 2 (11.1.2.3) Certification Matrix.
After successful installation and configuration, verify that you can log on to the Oracle Access Manager and WebLogic Administration consoles with the WebLogic admin user and password that you specified during installation.
  • http://<oamserver>.<domain>:<adminport>/console
  • http://<oamserver>.<domain>:<adminport>/oamconsole
Verify in the WebLogic Administration Console that the OAM managed server is running on the specified port.

3.4 Apply Required Updates to Oracle Access Manager Server

For Oracle Access Manager 11.1.2.3 only:
Oracle strongly recommends applying Oracle Access Manager 11.1.2.3 Bundle Patch 3 (OAM 11.1.2.3.3), as it includes the fix delivered in Patch 19438948. Refer to My Oracle Support Knowledge Document 736372.1, OAM Bundle Patch Release History, for instructions to download and apply Oracle Access Manager 11.1.2.3 Bundle Patch 3 (BP03) to the Oracle Access Manager Server.
Applying later Oracle Access Manager Bundle Patches

Optionally, later Oracle Access Manager Bundle Patches may be applied on top of certified configurations. Please refer to My Oracle Support Knowledge Document 736372.1 OAM Bundle Patch Release History.

3.5 Install Prerequisite Software Updates and Components on your Oracle E-Business Suite Release 12.2 Instance

Install the following prerequisite software updates and components on your Oracle E-Business Suite Release 12.2 instance. These software updates are fully compatible with Oracle E-Business Suite environments regardless of whether or not you proceed with single sign-on integration. You may therefore choose to install these software updates at an earlier date, even before performing any of the subsequent steps in this document to complete single sign-on integration with Oracle Access Manager. You may combine these updates with other regularly-scheduled maintenance in your environment. You can choose to install these software updates during an Oracle E-Business Suite R12.2 Online Patching cycle to your patch file system (recommended) or on your run file system.
For details about Oracle E-Business Suite R12.2 Online Patching, refer to the Patching Procedures section in the Oracle E-Business Suite Maintenance Guide Release 12.2.

3.5.1 Apply the Latest AD and TXK Delta Release Update Packs

Note: Review My Oracle Support Knowledge Document 1617461.1, Applying the Latest AD and TXK Release Update Packs to Oracle E-Business Suite Release 12.2, and follow the instructions to apply the required code level of AD and TXK for your system.

3.5.2 Download and apply Oracle E-Business Suite Updates

Download and apply the following updates to your Oracle E-Business Suite Release 12.2 instance:
Customers integrating with Oracle Access Manager 11.1.2.2 Server:
Table A
Release    Patch Number
12.2       Refer to My Oracle Support Knowledge Document 2202932.1
12.2       R12.TXK.C Patch 20735848
Customers integrating with Oracle Access Manager 11.1.2.3 Server:
Table B
Release    Patch Number
12.2       Refer to My Oracle Support Knowledge Document 2202932.1
12.2       R12.TXK.C Patch 20735848
12.2       R12.TXK.C Patch 21229697
Windows Customers Only:
Download and apply the following updates to your Oracle E-Business Suite Release 12.2 instance:
Release         Patch Number
FMW 11.1.1.6    Patch 15861836 (this patch is not required for FMW 11.1.1.7 and above)

3.5.3 Download and install Oracle Access Manager WebGates

WebGates are policy enforcement agents that act as a filter for HTTP requests and communicate with Oracle Access Manager authentication and authorization services.
As per Section 9 of the Oracle Fusion Middleware Release Notes for HTTP Server, Oracle WebGate version 11.1.2.3 for Oracle HTTP Server supports only Oracle HTTP Server version 11.1.1.9. If your version of Oracle HTTP Server is lower than 11.1.1.9, it should be upgraded to 11.1.1.9 by following Document 1590356.1 Upgrading Oracle Fusion Middleware Technology Stack of Oracle E-Business Suite Release 12.2 to the latest 11gR1 (11.1.1.x) Patchset, before integrating with Oracle WebGate version 11.1.2.3.
Download Oracle Access Manager OHS 11g WebGates 11.1.2.3 from Identity & Access Management 11gR2 Downloads. Save the file to a temporary location on your Oracle E-Business Suite middle tier server node, and unzip it. For example unzip it to directory: /u01/webgate11g.
Source the Oracle E-Business Suite environment file.
$ cd <EBS_BASE_HOME>
$ . EBSapps.env
$ echo $FILE_EDITION
EBS_BASE_HOME is the top directory where fs1, fs2, and others are installed.
  • During an active Online Patching cycle, Type "P" to select the patch file system environment when prompted. Echo $FILE_EDITION returns "patch" to indicate that the patch file system is sourced.
  • Alternatively, if there is no active Online Patching cycle, you may also choose to install Oracle Access Manager WebGates on your run file system. In that case, type "R" to select the run file system environment when prompted. Echo $FILE_EDITION returns "run" to indicate that the run file system is sourced.
Execute the following command to install Oracle Access Manager WebGates:
$ txkrun.pl -script=SetOAMReg -installWebgate=yes -webgatestagedir=<webgate stage directory>
For parameter -webgatestagedir, specify the directory where you unzipped Oracle Access Manager OHS 11g WebGates, for example /u01/webgate11g.
Verify that the installation completes successfully.

3.5.4 Apply Required Oracle Access Manager Bundle Patch to Oracle Access Manager WebGate 

Refer to My Oracle Support Knowledge Document 736372.1 OAM Bundle Patch Release History for the instructions to download and apply Oracle Access Manager 11.1.2.3 Bundle Patch 1 (BP01) for Oracle Access Manager WebGate.
Applying later Bundle Patches to Oracle HTTP Server 11g WebGate

Optionally, later Oracle HTTP Server 11g WebGate Bundle Patches may be applied on top of certified configurations. Please refer to My Oracle Support Knowledge Document 736372.1 OAM Bundle Patch Release History.

3.5.5 Perform fs_clone (conditional)

Your system is now prepared with the prerequisites to enable single sign on with Oracle Access Manager.
You can choose to only prepare the system with the prerequisite software updates, and integrate Oracle E-Business Suite with Oracle Access Manager for single sign on at a later point in time. In this case, complete the current Oracle E-Business Suite Release 12.2 Online Patching cycle now. Then you must perform an fs_clone to synchronize the changes before you start the next Oracle E-Business Suite Release 12.2 Online Patching cycle. Performing an fs_clone will ensure that Oracle Access Manager OHS 11g WebGates are installed on both file systems fs1 and fs2.
Alternatively, you can choose to directly proceed with integrating Oracle E-Business Suite with Oracle Access Manager for single sign on in the next section. In this case, you must continue using the same file system where you just applied the prerequisite software updates, and you can perform the fs_clone only after completing single sign on integration as documented in Step 4.5 of this document.

Section 4: Integrate Oracle E-Business Suite with Oracle Access Manager

Follow the steps in this section to integrate Oracle E-Business Suite with Oracle Access Manager:
Enabling single sign-on for Oracle E-Business Suite with Oracle Access Manager does not require starting an Oracle E-Business Suite Online Patching cycle. You may optionally perform the integration either:

a) on your run file system when no Online Patching cycle is active. Single sign on will be enabled after bouncing Oracle E-Business Suite.
b) on your patch file system during an active Online Patching cycle. Single sign on will be enabled after completing your Online Patching cycle and bouncing Oracle E-Business Suite.

Note that Oracle Access Manager maintains a single registration for your Oracle E-Business Suite instance, and does not distinguish between run and patch file system. Hence modifying the configuration in Oracle Access Manager, or removing the registration following Appendix A of this document will always affect the running system.

4.1 Deploy Oracle E-Business Suite AccessGate

Oracle E-Business Suite AccessGate is a J2EE application on your Oracle E-Business Suite 12.2 WebLogic server. Oracle E-Business Suite AccessGate is protected by Oracle Access Manager and creates an Oracle E-Business Suite session based on a valid Oracle Access Manager session. Follow the steps below to deploy Oracle E-Business Suite AccessGate.
Source the Oracle E-Business Suite environment file.
$ cd <EBS_BASE_HOME>
$ . EBSapps.env
$ echo $FILE_EDITION
EBS_BASE_HOME is the top directory where fs1, fs2, and others are installed.
  • Type "R" to select the run file system environment when prompted. Echo $FILE_EDITION returns "run" to indicate that the run file system is sourced. Ensure there is no active Online Patching cycle.
  • Alternatively, if you wish to deploy Oracle E-Business Suite AccessGate to your patch file system first during an active Online Patching cycle, type "P" to select the patch file system environment when prompted. Echo $FILE_EDITION returns "patch" to indicate that the patch file system is sourced.
Execute the following command to deploy Oracle E-Business Suite AccessGate.
$ perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources \
-contextfile=$CONTEXT_FILE \
-deployApps=accessgate \
-SSOServerURL=<OAM Server URL> \
[-managedsrvname=<managed server name>] \
[-managedsrvport=<managed server port>] \
-logfile=<logfile>
For parameter -SSOServerURL, specify the URL for your OAM managed server, for example http://oamserver.example.com:14100.
Optional parameter managedsrvname defaults to oaea_server1. Parameter managedsrvport defaults to 6801. Specify these optional parameters if you wish to deploy Oracle E-Business Suite AccessGate to a non-default managed server. The managed server name provided must be of the form oaea_server<n>, where n is an integer.

For example:
$ perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources \
-contextfile=$CONTEXT_FILE \
-deployApps=accessgate \
-SSOServerURL=http://oamserver.example.com:14100 \
-managedsrvname=oaea_server3 \
-managedsrvport=6803 \
-logfile=/tmp/deployeag.log

The script will prompt for the following passwords:
  • Enter the APPS Schema password.
  • Enter the WebLogic AdminServer password.
Enter the required information when prompted.
The script will now perform the following main tasks automatically:
  • Create managed server "oaea_server1" (or the managed server named with -managedsrvname) if it does not already exist.
  • Create Data Source "OAEADatasource" if it does not already exist.
  • Deploy the Oracle E-Business Suite AccessGate application named "accessgate".
The script must complete successfully. Review the log files for any error messages.
After successful completion of the script, ensure that your WebLogic AdminServer is running.
If you have specified a dedicated managed server and port in the previous command instead of using the default managed server and port, execute the following command to add details of the managed server into the OHS configuration files mod_wl_ohs.conf and apps.conf:
$ perl $FND_TOP/patch/115/bin/txkSetAppsConf.pl \
-contextfile=$CONTEXT_FILE \
-configoption=addMS \
-accessgate=<host>.<domain>:<port>
  • Replace <host>.<domain>:<port> with the host name, full domain name and port of the dedicated managed server you created (oaea_server3 on port 6803 in the example above).
  • For example: ebshost.example.com:6803
The script must complete successfully. Review the log files for any error messages.
To verify successful deployment, log on to the WebLogic Administration Console, for example:
http://ebshost.example.com:7001/console
In the WebLogic Administration Console, navigate to EBS_domain_sid > Environment > Servers, and verify that a managed server "oaea_server1" (or the managed server you named with -managedsrvname) is available.
Verify that you can successfully start the server "oaea_server1". On the settings page for the server, navigate to the Control tab, and use the Start button to start the server.
Navigate to EBS_domain_sid > Deployments, and verify that the Oracle E-Business Suite AccessGate application named "accessgate" is deployed, with State: Active and Health: OK.
Navigate to EBS_domain_sid > Services > Data Sources, and verify that a data source "OAEADatasource" is available. Navigate to the "OAEADatasource" page, Monitoring tab, Testing tab. Click the control button next to server "oaea_server1", and press the "Test Data Source" button. You should see a message confirming that test of the datasource was successful.

4.2 Register Oracle E-Business Suite with Oracle Access Manager

Follow the steps in this section to register Oracle E-Business Suite with Oracle Access Manager.
Source the Oracle E-Business Suite environment file.
$ cd <EBS_BASE_HOME>
$ . EBSapps.env
$ echo $FILE_EDITION
EBS_BASE_HOME is the top directory where fs1, fs2, and others are installed.
  • Type "R" to select the run file system environment when prompted. Echo $FILE_EDITION returns "run" to indicate that the run file system is sourced. Ensure there is no active Online Patching cycle.
  • Alternatively, if you wish to register Oracle E-Business Suite during an active Online Patching cycle, type "P" to select the patch file system environment when prompted. Echo $FILE_EDITION returns "patch" to indicate that the patch file system is sourced.
If Oracle E-Business Suite is integrated with Oracle Internet Directory:
Execute the following command to register Oracle E-Business Suite with Oracle Access Manager:
$ txkrun.pl -script=SetOAMReg -registeroam=yes
If Oracle E-Business Suite is integrated with Oracle Unified Directory:
Execute the following command to register Oracle E-Business Suite with Oracle Access Manager
$ txkrun.pl -script=SetOAMReg -registeroam=yes -ldapProvider=OUD -oidUserName="cn=directory manager"
If the directory service is Oracle Unified Directory, -ldapProvider must be specified as "OUD". The default is OID (Oracle Internet Directory).
The script will prompt for the following information.
  • Enter OAM console URL (for example: http://myoam.example.com:7001)
  • Enter OAM console user name (for example: weblogic)
  • Enter OAM console password
  • Enter LDAP URL (for example: ldap://myoid.example.com:3060)
  • Enter OID console user name (for example: cn=orcladmin)
  • Enter OID console password
  • Enter LDAP Search Base (for example: "cn=Users,dc=example,dc=com")
  • Enter LDAP Group Search Base (for example: "cn=Groups,dc=example,dc=com")
  • Enter APPS password
Enter the required information when prompted.
For the parameter OAM console URL, enter the base URL for the WebLogic Administration server where the OAM console is deployed, for example: http://myoam.example.com:7001.
The script will provide a summary of input values. Confirm that these are correct and start the registration.
Do you wish to continue (y|n)? y
The script will now perform the following main tasks automatically:
  • Register Oracle E-Business Suite AccessGate with Oracle Access Manager.
  • Create Identity Store named OIDIdentityStore if it does not already exist. If Identity Store OIDIdentityStore exists, the integration will use it.
  • Create Authentication Module named LDAP_EBS if it does not already exist. If Authentication Module LDAP_EBS exists, the integration will use it.
  • Configure Oracle Access Manager OAM Agent named <sid_host>.
  • Configure Authentication Scheme named EBSAuthScheme.
  • Configure Application Domain named <sid_host> with required Authentication Policies and response headers for your Oracle E-Business Suite integration.
  • Set Oracle E-Business Suite profile options Application Authenticate Agent (APPS_AUTH_AGENT) and Applications SSO Type (APPS_SSO).
Alternatively, you can execute the script using parameters. For example:
If Oracle E-Business Suite is integrated with Oracle Internet Directory:
$ txkrun.pl -script=SetOAMReg -registeroam=yes \
-oamHost=http://myoam.example.com:7001 \
-oamUserName=weblogic \
-ldapUrl=ldap://myoid.example.com:3060 \
-oidUserName=cn=orcladmin \
-skipConfirm=yes \
-ldapSearchBase=cn=Users,dc=example,dc=com \
-ldapGroupSearchBase=cn=Groups,dc=example,dc=com
If Oracle E-Business Suite is integrated with Oracle Unified Directory:
$ txkrun.pl -script=SetOAMReg -registeroam=yes -ldapProvider=OUD \
-oamHost=http://myoam.example.com:7001 \
-oamUserName=weblogic \
-ldapUrl=ldap://myoud.example.com:1389 \
-oidUserName="cn=directory manager" \
-skipConfirm=yes \
-ldapSearchBase=ou=People,dc=example,dc=com \
-ldapGroupSearchBase=dc=example,dc=com
Replace 'dc=example,dc=com' with the appropriate values for your LDAP search base.
The script must complete successfully. Review the log files for any error messages.
By default, the registration as documented above automatically creates an Authentication Scheme named EBSAuthScheme.
For a multi-node configuration, after registering the first node, subsequent nodes should be registered by referencing the already existing authentication scheme, as detailed below:

Register an additional node by referencing the existing Authentication Scheme (authScheme) named EBSAuthScheme, for example:
If Oracle E-Business Suite is integrated with Oracle Internet Directory:
$ txkrun.pl -script=SetOAMReg -registeroam=yes \
-oamHost=http://myoam.example.com:7001 \
-oamUserName=weblogic \
-ldapUrl=ldap://myoid.example.com:3060 \
-oidUserName=cn=orcladmin \
-ldapSearchBase=cn=Users,dc=example,dc=com \
-ldapGroupSearchBase=cn=Groups,dc=example,dc=com \
-authScheme=EBSAuthScheme \
-authSchemeMode=reference
If Oracle E-Business Suite is integrated with Oracle Unified Directory:
$ txkrun.pl -script=SetOAMReg -registeroam=yes -ldapProvider=OUD \
-oamHost=http://myoam.example.com:7001 \
-oamUserName=weblogic \
-ldapUrl=ldap://myoud.example.com:1389 \
-oidUserName="cn=directory manager" \
-ldapSearchBase=ou=People,dc=example,dc=com \
-ldapGroupSearchBase=dc=example,dc=com \
-authScheme=EBSAuthScheme \
-authSchemeMode=reference
Optionally, you can also register your Oracle E-Business Suite instance using a custom authentication scheme that you have created manually using your OAM Console prior to registering your Oracle E-Business Suite instance.

To register your Oracle E-Business Suite instance with an existing custom authentication scheme, you can specify the following two additional command line parameters when executing the registration script txkrun.pl -script=SetOAMReg -registeroam=yes:
-authScheme=<Authentication Scheme>
-authSchemeMode=<create_reference|reference|create_update>

Description: -authScheme=<Authentication Scheme>

This parameter allows you to specify an authentication scheme to be created, updated or referenced. The default value is "EBSAuthScheme".

-authSchemeMode=create_reference (default)

Authentication Scheme mode "create_reference" is the default mode. The automated registration will create the specified authentication scheme if it does not exist. If the specified authentication scheme already exists, the registration will reference the existing authentication scheme. In this mode, an existing authentication scheme will not be overwritten.

-authSchemeMode=reference

Authentication Scheme mode "reference" will reference an existing authentication scheme. This mode does not create or update an existing authentication scheme, but will error if the specified authentication scheme does not exist.

-authSchemeMode=create_update

Authentication Scheme mode "create_update" will create the specified authentication scheme if it does not exist, or update an existing authentication scheme.

Example usage:

If you have created an authentication scheme named "CustomAuthScheme" using your OAM Console, prior to registering your Oracle E-Business Suite instance, you should register your Oracle E-Business Suite instance using your custom authentication scheme as follows:
If Oracle E-Business Suite is integrated with Oracle Internet Directory:
$ txkrun.pl -script=SetOAMReg -registeroam=yes \
-oamHost=http://myoam.example.com:7001 \
-oamUserName=weblogic \
-ldapUrl=ldap://myoid.example.com:3060 \
-oidUserName=cn=orcladmin \
-ldapSearchBase=cn=Users,dc=example,dc=com \
-ldapGroupSearchBase=cn=Groups,dc=example,dc=com \
-authScheme=CustomAuthScheme \
-authSchemeMode=reference
If Oracle E-Business Suite is integrated with Oracle Unified Directory:
$ txkrun.pl -script=SetOAMReg -registeroam=yes -ldapProvider=OUD \
-oamHost=http://myoam.example.com:7001 \
-oamUserName=weblogic \
-ldapUrl=ldap://myoud.example.com:1389 \
-oidUserName="cn=directory manager" \
-ldapSearchBase=ou=People,dc=example,dc=com \
-ldapGroupSearchBase=dc=example,dc=com \
-authScheme=CustomAuthScheme \
-authSchemeMode=reference
Important Note:
If you are planning to use a custom authentication scheme, please refer to the information in Section 5.5 Authentication Methods supported with Oracle Access Manager. Oracle E-Business Suite Development does not explicitly certify alternative authentication methods supported by Oracle Access Manager. Oracle E-Business Suite Support may ask you to revert Oracle Access Manager to the explicitly certified form based authentication and the default authentication scheme EBSAuthScheme, before issues with Oracle E-Business Suite can be triaged.
The registration script is re-runnable. If the registration script fails for any reason (for example, the OAM server is down), the script will detect an incomplete run, and continue completing the session with the same parameters after prompting for confirmation to continue.
If you configured your patch file system during an Online Patching cycle, complete your Online Patching cycle.
Stop and Restart the Oracle E-Business Suite 12.2 OHS and WebLogic servers.

4.3 Allow Browsers to Access Only Known Web Entry Points

You should only allow browsers to access Oracle WebLogic Server through your known web entry points. Please refer to the section Allowing Browsers to Access Only Known Web Entry Points in the Oracle E-Business Suite Setup Guide Release 12.2.

4.4 Test Single Sign-On with Oracle E-Business Suite

You have completed integrating Oracle E-Business Suite with Oracle Access Manager 11.1.2 using Oracle E-Business Suite AccessGate.
Test single sign-on integration now.
Log on to Oracle E-Business Suite:
http://<ebshost>.<domain>:<port>/OA_HTML/AppsLogin
You will be redirected to your Oracle Access Manager single sign-on page. Log in using valid directory (Oracle Internet Directory or Oracle Unified Directory) user credentials. After successful authentication, you will be redirected to your Oracle E-Business Suite home page.
Note:
If you are using Oracle E-Business Suite Release 12.2.6 or higher, you can choose to configure single sign-on and local authentication at site and server level. Refer to section 6.5 - Configure Single Sign-on at Site or Server Level for further information.

4.5 Perform fs_clone

Stop the oaea managed server on the run file system. (see Known Issues section for further information).
Your Oracle E-Business Suite Release 12.2 instance is now integrated with Oracle Access Manager using Oracle E-Business Suite AccessGate on your run file system.
Perform an fs_clone to synchronize the changes to your patch file system before you start the next Oracle E-Business Suite Release 12.2 Online Patching cycle.

Section 5: Oracle Access Manager Configurations

This section lists additional configurations on your Oracle Access Manager server and information about advanced authentication methods supported with Oracle Access Manager.

5.1 Configure Oracle Access Manager to support long URLs

Long URLs may exceed a cookie limit on your Internet browser. Configure Oracle Access Manager to support long URLs by changing the serverRequestCacheType from COOKIE to FORM in Oracle Access Manager configuration file $DOMAIN_HOME/config/fmwconfig/oam-config.xml:
<Setting Name="serverRequestCacheType" Type="xsd:string">FORM</Setting>
Refer to section Application URL Requirements in the Oracle® Fusion Middleware Administrator's Guide for Oracle Access Management 11g Release 2 (11.1.2).

5.2 Configure Oracle Access Manager Whitelist

The Oracle Access Manager whitelist is enabled by default in Oracle Access Manager 11.1.2.3.
Oracle Access Manager must be configured to redirect only to URLs on its whitelist, so that it cannot be used as an open redirector that sends a user to an attacker-controlled site after login or logout. Oracle recommends that this configuration be done as part of a Secure Configuration.

To use this Oracle Access Manager feature, you must add your Oracle E-Business Suite middle tier URL (Oracle E-Business Suite host name and port) to the whitelist. For example:
cd $OAM_ORACLE_HOME/common/bin
./wlst.sh
wls:/offline> connect('weblogic','kwD9ij4dj', 'myoam.example.com:7001')
wls:/offline> domainRuntime()
wls...> oamWhiteListURLConfig (Name="EBS",Value="http://<ebshost>.<domain>:<port>", Operation="Update")
wls...> oamWhiteListURLConfig (Name="OAMCONSOLE",Value="http://<oamconsole_host>:<oamconsole_port>", Operation="Update")
wls...> oamWhiteListURLConfig (Name="EBS_POSTLOGOUT",Value="<APPS_SSO_POSTLOGOUT_HOME_URL>", Operation="Update")
wls...> exit()
Replace '<ebshost>.<domain>:<port>' with the fully qualified host name and port of your Oracle E-Business Suite middle tier. For example: 'ebshost.example.com:8001'.

Replace <oamconsole_host>:<oamconsole_port> with the fully qualified Host Name and Port for your Oracle Access Manager Console. For example: 'oamserver.example.com:7001'.

In addition, if you configured the optional profile 'Applications SSO Post Logout URL' (APPS_SSO_POSTLOGOUT_HOME_URL) to re-direct to a different server URL post logout, replace <APPS_SSO_POSTLOGOUT_HOME_URL> with the URL from the 'Applications SSO Post Logout URL' profile option.

For further information on configuring the whitelist, refer to wlst commands 'oamSetWhiteListMode' and 'oamWhiteListURLConfig' in Oracle® Fusion Middleware WebLogic Scripting Tool Command Reference for Identity and Access Management.
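The whitelist above is an exact-match list of redirect origins: OAM should send a user only to a scheme, host and port that was registered. The following Python example (added here; it is not Oracle code and not part of the OAM implementation) shows the same rule applied as a redirect-target check, with constructed example hosts, and shows the kinds of targets an exact origin match rejects, such as a look-alike domain, a dropped non-default port, a userinfo prefix, or a scheme-relative URL.

```python
"""Exact-origin allowlist check for redirect targets (added example, not Oracle code).

Mirrors the OAM whitelist rule from section 5.2: a redirect is permitted only
when the target's scheme, host and port equal a registered entry.  Host names
below are constructed for the example.
"""
from urllib.parse import urlsplit

# Constructed allowlist: the three entries from section 5.2 with example values.
WHITELIST = {
    "EBS": "http://ebshost.example.com:8001",
    "OAMCONSOLE": "http://oamserver.example.com:7001",
    "EBS_POSTLOGOUT": "https://portal.example.com:443",
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None.

    Userinfo, a missing host, a non-http(s) scheme, or a malformed port all
    yield None, so 'http://ebshost.example.com:8001@evil.example/' cannot
    masquerade as the EBS host.
    """
    try:
        parts = urlsplit(url)
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            return None
        if parts.username is not None or parts.password is not None:
            return None
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:  # malformed URL (e.g. bad IPv6 literal) or non-numeric port
        return None
    return (parts.scheme, parts.hostname.lower(), port)


def redirect_allowed(target, whitelist=WHITELIST):
    """True only if the target's origin equals one registered origin exactly."""
    origin = _origin(target)
    if origin is None:
        return False
    return any(_origin(entry) == origin for entry in whitelist.values())


if __name__ == "__main__":
    for url in (
        "http://ebshost.example.com:8001/OA_HTML/AppsLogin",
        "http://ebshost.example.com/OA_HTML/AppsLogin",          # port 80, not 8001
        "http://ebshost.example.com.evil.example:8001/",          # look-alike host
        "http://ebshost.example.com:8001@evil.example/",          # userinfo trick
        "//ebshost.example.com:8001/",                             # scheme-relative
    ):
        print(f"{url!r:60} -> {'allow' if redirect_allowed(url) else 'deny'}")
```

The check deliberately compares the normalised origin rather than testing whether the target string starts with a registered URL, since a prefix test would accept the look-alike host and the userinfo form.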

5.3 Configure Oracle Access Manager Session Timeout

You can configure an inactivity timeout for a session in both Oracle E-Business Suite and Oracle Access Manager. The timeout values should be the same for both applications. If you configure a timeout value for Oracle E-Business Suite that is shorter than the one you configure for Oracle Access Manager, users can re-establish their Oracle E-Business Suite session after it times out without providing login credentials.
The inactivity timeout in Oracle E-Business Suite is configured in profile option ICX: Session Timeout (minutes). The inactivity timeout in Oracle Access Manager is configured as Idle Timeout (minutes) under Common Settings in the OAM Console System Configuration.
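To make the interplay of the two idle timers concrete, the following Python example (added here; not Oracle code) models an OAM session and an Oracle E-Business Suite session with separate inactivity timeouts, using constructed timings in minutes. With ICX: Session Timeout shorter than the OAM Idle Timeout, a request after the EBS session has expired is answered by re-creating the EBS session from the still-valid OAM session, with no credential prompt; with equal values both sessions expire together.

```python
"""Two-layer idle-timeout model (added example, not Oracle code).

Models the behaviour described in section 5.3: OAM and EBS each track the
user's last activity against their own idle timeout.  Times are constructed
example values in minutes since login.
"""


class SsoSessions:
    def __init__(self, oam_idle_minutes, icx_timeout_minutes):
        self.oam_idle = oam_idle_minutes   # OAM Console: Idle Timeout (minutes)
        self.icx_idle = icx_timeout_minutes  # profile ICX: Session Timeout (minutes)
        self.oam_last = None  # minute of the last request seen by OAM
        self.ebs_last = None  # minute of the last request seen by EBS

    def login(self, t):
        """User authenticates at the OAM login page at minute t."""
        self.oam_last = self.ebs_last = t
        return "authenticated"

    def request(self, t):
        """Classify what the user experiences on a request at minute t."""
        oam_alive = self.oam_last is not None and t - self.oam_last <= self.oam_idle
        ebs_alive = self.ebs_last is not None and t - self.ebs_last <= self.icx_idle
        if not oam_alive:
            # OAM session expired: the WebGate challenges for credentials again.
            self.oam_last = self.ebs_last = None
            return "login_required"
        if not ebs_alive:
            # OAM session still valid: EBS re-creates its session from the OAM
            # response headers without asking the user for credentials.
            self.oam_last = self.ebs_last = t
            return "silent_reestablish"
        self.oam_last = self.ebs_last = t
        return "ok"


def exposure_window(oam_idle_minutes, icx_timeout_minutes):
    """Minutes after EBS idle expiry during which OAM still re-admits the user."""
    return max(0, oam_idle_minutes - icx_timeout_minutes)


if __name__ == "__main__":
    mismatched = SsoSessions(oam_idle_minutes=30, icx_timeout_minutes=10)
    mismatched.login(0)
    print("mismatched, request at 20 min:", mismatched.request(20))   # silent_reestablish
    aligned = SsoSessions(oam_idle_minutes=30, icx_timeout_minutes=30)
    aligned.login(0)
    print("aligned, request at 31 min:", aligned.request(31))         # login_required
```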

5.4 Configure Languages for the Oracle Access Manager Login Page

Oracle Access Management 11.1.2.1 supports language selection through a drop down list of languages in the login page combined with use of the OAM_LANG_PREF language preference cookie. The Oracle Access Manager login page can be synchronized with the set of installed languages in Oracle E-Business Suite. To configure the Oracle Access Manager login page to provide language selection, refer to the section Choosing a User Login Language in the Oracle® Fusion Middleware Administrator's Guide for Oracle Access Management and the 'configOAMLoginPagePref' command in the Oracle® Fusion Middleware WebLogic Scripting Tool Command Reference for Identity and Access Management.
To enable languages in the Oracle Access Manager login page to match the languages installed in Oracle E-Business Suite:
wls...> configOAMLoginPagePref(persistentCookie="false", persistentCookieLifetime=<SessionTimeout>, langPrefCookieDomain="<mydomain>", langPrefOrder="oamPrefsCookie, browserAcceptLanguage, serverOverrideLangPref, defaultLanguage", serverOverrideLanguage="<EBS_Base_Lang>", defaultLanguage="<Default_Lang>", applicationSupportedLocales="<lang1>,<lang2>,<lang3>,<lang4>")
Recommended Settings for the language configuration in the Oracle Access Manager login page when integrated with Oracle E-Business Suite are as follows:
  • Ensure that 'persistentCookie' is set to 'false'. This makes the OAM_LANG_PREF cookie a session cookie, so that when a user starts a new browser session the language cookie no longer exists.
  • Replace <SessionTimeout> with the value that you have specified for Session Timeout in Oracle E-Business Suite and Oracle Access Manager.
  • Replace <mydomain> with the Domain Name on which Oracle Access Manager is configured.
  • Ensure that 'langPrefOrder' is set to "oamPrefsCookie, browserAcceptLanguage, serverOverrideLangPref, defaultLanguage".
  • Using the oamPrefsCookie first in the order of precedence is required as Oracle E-Business Suite will set the preferred language in the OAM_LANG_PREF cookie.
  • Replace <EBS_Base_Lang> with the base language installed in Oracle E-Business Suite:
    Setting 'serverOverrideLanguage' to the base language installed in Oracle E-Business Suite ensures that when the OAM_LANG_PREF cookie is not yet set and the Browser language is not set to a language supported by the Oracle Access Manager login page, then the Oracle Access Manager login page will attempt to display in the Oracle E-Business Suite base language. If this language is not supported by the Oracle Access Manager login page then the default language (see below) will be used.
  • Replace <Default_Lang> with 'en':
    Setting 'defaultLanguage' to 'en' ensures that English is the final fallback language used for the Oracle Access Manager login page.
  • For 'applicationSupportedLocales', specify the language codes for each of the languages installed in the Oracle E-Business Suite environment, including the base language and 'en' (English). The language code values are documented in Table 2-4 - Language Codes for Login Pages in the Oracle® Fusion Middleware WebLogic Scripting Tool Command Reference.
Example Scenario
An Oracle E-Business Suite environment has:
  • French as the base language
  • English, German, Arabic, Korean, Simplified Chinese, Traditional Chinese and Brazilian Portuguese as installed languages.
  • Profile option 'ICX: Session Timeout' and the Oracle Access Manager 'Idle Timeout' are both set to 15 minutes.
  • The Domain name is 'example.us.com'
To configure the Oracle Access Manager login page languages to match this Oracle E-Business Suite environment:
wls...> configOAMLoginPagePref(persistentCookie="false", persistentCookieLifetime=15, langPrefCookieDomain="example.us.com", langPrefOrder="oamPrefsCookie, browserAcceptLanguage, serverOverrideLangPref, defaultLanguage", serverOverrideLanguage="fr", defaultLanguage="en", applicationSupportedLocales="en,fr,de,ar,ko,zh-CN,zh-TW,pt-BR")
There are several languages supported by Oracle E-Business Suite that are not currently supported by the OAM login page in 11.1.2.1, refer to Known Issues for a list of those languages:
  • If you have any of those languages installed in your Oracle E-Business Suite environment, you should continue with the Oracle E-Business Suite profile option 'Applications Override SSO Server Language' (FND_OVERRIDE_SSO_LANG) set to 'Override SSO Server Language'. In that case Oracle E-Business Suite will always use the site/user value for the profile option 'ICX: Language' (ICX_LANGUAGE). For further information regarding the profile option 'Applications Override SSO Server Language', refer to the 'Login Page Language and Runtime Session Language' section in Oracle E-Business Suite Setup Guide Release 12.2.
  • The language feature in OAM should remain disabled by skipping this section (5.4 Configuring Languages for the Oracle Access Manager Login Page). The Oracle Access Manager login page will continue to be displayed without a Language LOV, and the text on the OAM login page will appear in the language according to the users' browser preferences, for languages that OAM supports, otherwise it will default to OAM’s default language.
For further information regarding how Oracle E-Business Suite handles language precedence, refer to Document 393861.1 Globalization Guide for Oracle Applications Release 12.
When accessing the default Oracle Access Manager login page from the Oracle E-Business Suite AppsLogin page for the very first time (i.e. a new browser session), Oracle E-Business Suite sets the language in the OAM_LANG_PREF cookie based on the browser language preference setting. If this language is not enabled for the OAM login page, English is used.

If a user changes their 'session language' via the 'Preferences' page in Oracle E-Business Suite, regardless of the setting in the profile 'Applications Override SSO Server Language' (FND_OVERRIDE_SSO_LANG), this new session language will be used in the OAM_LANG_PREF cookie.  

Once the session language value has been changed in this manner, the Oracle E-Business Suite Home Page, the Oracle Access Manager login page (displayed after logging out of Oracle E-Business Suite) and the subsequent login to Oracle E-Business Suite will display in the newly set session language. This is the "login/logout" loop: the language of the Home page, login page and logout page is set from the last session language. The loop persists until the user closes the browser or the cookie times out (as specified in the 'persistentCookieLifetime' parameter).
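The precedence described in this section can be checked offline. The following Python example (added here; not Oracle code and not the OAM login page's own logic) applies the recommended 'langPrefOrder' (OAM_LANG_PREF cookie, then the browser Accept-Language header, then 'serverOverrideLanguage', then 'defaultLanguage') against the example scenario's 'applicationSupportedLocales', and also derives the first-visit cookie value that Oracle E-Business Suite sets from the browser language (English if the browser language is not enabled). The language-only fallback match (for example, a browser 'pt-PT' selecting 'pt-BR') is this example's assumption, not documented OAM behaviour.

```python
"""Login-page language resolution for the recommended langPrefOrder (added example, not Oracle code).

Precedence: oamPrefsCookie > browserAcceptLanguage > serverOverrideLangPref > defaultLanguage,
filtered by applicationSupportedLocales.  Values below are the section 5.4 example scenario.
"""

# applicationSupportedLocales from the example scenario (French base language).
SUPPORTED = ["en", "fr", "de", "ar", "ko", "zh-CN", "zh-TW", "pt-BR"]


def parse_accept_language(header):
    """Return the language tags of an Accept-Language header, highest q-value first."""
    entries = []
    for position, item in enumerate(header.split(",")):
        item = item.strip()
        if not item:
            continue
        tag, *params = [p.strip() for p in item.split(";")]
        q = 1.0
        for param in params:
            if param.startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0
        if q > 0:
            entries.append((q, position, tag))
    entries.sort(key=lambda e: (-e[0], e[1]))  # ties keep header order
    return [tag for _, _, tag in entries]


def _match(tag, supported):
    """Exact (case-insensitive) match first, then a language-only match (example assumption)."""
    by_lower = {s.lower(): s for s in supported}
    if tag.lower() in by_lower:
        return by_lower[tag.lower()]
    base = tag.split("-")[0].lower()
    for s in supported:
        if s.split("-")[0].lower() == base:
            return s
    return None


def resolve_login_language(cookie_lang, accept_language, server_override, default_lang,
                           supported=SUPPORTED):
    """Walk langPrefOrder and return the language the login page will display."""
    if cookie_lang:
        hit = _match(cookie_lang, supported)          # oamPrefsCookie
        if hit:
            return hit
    for tag in parse_accept_language(accept_language or ""):
        hit = _match(tag, supported)                  # browserAcceptLanguage
        if hit:
            return hit
    if server_override:
        hit = _match(server_override, supported)      # serverOverrideLangPref (EBS base language)
        if hit:
            return hit
    return default_lang                               # defaultLanguage ('en')


def initial_cookie_language(accept_language, supported=SUPPORTED):
    """Value EBS puts in OAM_LANG_PREF on a new browser session: browser language if enabled, else 'en'."""
    for tag in parse_accept_language(accept_language or ""):
        hit = _match(tag, supported)
        if hit:
            return hit
    return "en"


if __name__ == "__main__":
    print(resolve_login_language(None, "de-DE,de;q=0.9,en;q=0.8", "fr", "en"))  # de
    print(resolve_login_language(None, "ja,th;q=0.5", "fr", "en"))              # fr (EBS base language)
    print(initial_cookie_language("ja,th"))                                      # en
```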

5.5 Authentication Methods supported with Oracle Access Manager

Oracle E-Business Suite delegates authentication to Oracle Access Manager. Oracle Access Manager protects resources, enforces authentication, and returns the configured response headers after successful authentication. Returning the configured response headers does not require any Oracle E-Business Suite or Oracle E-Business Suite AccessGate code. Oracle Access Manager must return these response headers even without having Oracle E-Business Suite AccessGate installed.

5.5.1 Form based authentication

Oracle E-Business Suite Development explicitly certifies the form based challenge method only.

5.5.2 Alternative authentication methods

In addition to the form based challenge method, Oracle Access Manager supports several alternative authentication methods, including Windows Native Authentication, X.509, integration with Oracle Identity Federation or other third party access management systems. You may leverage Oracle Access Manager to further integrate with any of the alternative authentication mechanisms supported by Oracle Access Manager. Integration with Oracle E-Business Suite is expected to work regardless of how Oracle Access Manager authenticates the user, provided that Oracle Access Manager protects the resources, enforces authentication, and returns the configured response headers.
Oracle E-Business Suite Development does not explicitly certify these alternative authentication methods. Oracle E-Business Suite Support may ask you to revert Oracle Access Manager to the explicitly certified form based authentication, before issues with Oracle E-Business Suite can be triaged.
If you encounter issues during configuration of Oracle Access Manager with alternative authentication mechanisms, you may contact Oracle Access Manager Support.
OAM for Federation:
If you are configuring OAM for Federation, with a 3rd party Identity Provider (IDP), where logout is initiated from the 3rd party Identity Provider, OAM does not currently provide sufficient logout callback functionality to destroy all registered partner application sessions.

By contrast, if OAM is not configured for Federation and logout is triggered from any of OAM's registered partner applications, OAM executes a configured OAM Agent Logout Callback URL http(s)://<ebshost>.<domain>:<port>/OA_HTML/AppsLogout. This ensures that an existing Oracle E-Business Suite session is destroyed during centralized logout, initiated from any of the registered partner applications.

OAM does not currently support executing logout callback URLs in a way that works for any OAM authentication scheme in general. If you configure OAM with a 3rd party Identity Management system, you must ensure centralized logout properly logs the user out from Oracle E-Business Suite. You may need to keep the OAM Agent Logout Callback URL at the default value of '/oam_logout_success', and then customize the federated logout flow to ensure that it executes Oracle E-Business Suite AppsLogout.

Refer to OAM Enhancement 11888451.

Section 6: Advanced Configurations

This section provides additional information on the following advanced configurations:

6.1 Configure Transport Layer Security (TLS)

In production environments, we recommend the use of TLS on both the Oracle E-Business Suite middle tier and the WebLogic Server instance where the Oracle E-Business Suite AccessGate is deployed. We always recommend the use of TLS on the HTTP server where the WebGate plug-in is deployed.
Refer to My Oracle Support Knowledge Document 1367293.1 to configure TLS on an Oracle E-Business Suite Release 12.2 middle tier server node.
Important Note:
Configure TLS to match the TLS configuration in Oracle E-Business Suite Release 12.2. For example, if Oracle E-Business Suite Release 12.2 is configured for strict TLS 1.2 then the OAM managed server should also be configured for strict TLS 1.2.
The Oracle Fusion Middleware Administrator's Guide for Oracle Access Management 11g Release 2 (11.1.2) documents the steps necessary to enable TLS communication for the Oracle Access Manager components:
  • Appendix Securing Communication provides instructions on how to secure communications between Oracle Access Manager 11g and WebGates.
  • No special steps are needed to configure WebGate for intercepting TLS requests, as long as the Oracle HTTP Server where it is installed is configured to support TLS.
For more information on configuring TLS for other technology components required for this integration, consult the following resources:
When using WebLogic Server Release 10.3.6 and above and enabling TLS, ensure that the following are enabled in the WebLogic Server Administration Console for both 'oaea_server1' (the EAG Managed Server) and 'oam_server1':
  • WebLogic Plug-In Enabled
  • Client Cert Proxy Enabled
  • Use JSSE SSL
To verify this for 'oaea_server1' (the EAG Managed Server):
  1. Navigate to 'Environments' > 'Servers' > 'oaea_server1'
  2. Access the 'General' tab
  3. Expand the 'Advanced' section and check the checkboxes for 'WebLogic Plug-In Enabled' and 'Client Cert Proxy Enabled'
  4. Access the 'SSL' tab
  5. Expand the 'Advanced' section and check the checkbox for 'Use JSSE SSL'
To verify this for 'oam_server1':
  1. Navigate to 'Environments' > 'Servers' > 'oam_server1'
  2. Access the 'General' tab
  3. Expand the 'Advanced' section and check the checkboxes for 'WebLogic Plug-In Enabled' and 'Client Cert Proxy Enabled'
  4. Access the 'SSL' tab
  5. Expand the 'Advanced' section and check the checkbox for 'Use JSSE SSL'
Restricting the TLS Protocol:
If you have enabled strict TLSv1.2 (i.e. enabled only the TLSv1.2 protocol), then in addition to the settings detailed above you must add the following parameter as a JAVA_OPTION for the OAM managed server at startup:
"-Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2"
Refer to Document 1936300.1 for details of where and how to specify JAVA_OPTIONS.
To configure TLS in your Oracle Access Manager environment, refer to Document 1936300.1 - How to Change SSL Protocols (to Disable SSL 2.0/3.0) in Oracle Fusion Middleware Products.
To restrict the ciphers, refer to Document 1067411.1 - How To Disable Anonymous and Weak Cipher Suites in WebLogic Server.
It is recommended to update to the latest Java version and WebLogic Server PSU version so that the higher TLS protocol versions can be configured with the stronger cipher suites.
When deploying Oracle E-Business Suite AccessGate, ensure that you specify HTTPS and the OAM TLS port for the -SSOServerURL parameter.

If you have already deployed Oracle E-Business Suite AccessGate with non-TLS, you need to remove the deployment (stop and delete) and re-deploy with the required TLS values. Refer to Section 4.1 Deploy Oracle E-Business Suite AccessGate above for the deployment instructions.

When registering Oracle E-Business Suite with OAM, ensure that you specify the TLS protocol and the TLS port.

If you have already registered Oracle E-Business Suite with OAM using non-TLS values, you need to update the logoutRedirectUrl for the OAM domain agent 'IAMSuiteAgent' so that it uses the TLS protocol for OAM (HTTPS) and the TLS port, and also update the 'Logout Redirect URL' for the WebGate agent in the OAM console so that it uses the TLS protocol for OAM (HTTPS) and the TLS port.
After performing the configuration in this section, the following steps are required:
  1. Test Single Sign-on with Oracle E-Business Suite
  2. Perform fs_clone

6.2 Configure Single Sign-on in a Load Balanced Oracle E-Business Suite Environment

You can configure a load balancer to front end multiple Oracle E-Business Suite webtier servers. The load balancer acts as single entry point to these Oracle E-Business Suite webtier servers. To configure your Oracle E-Business Suite environment with a load balancer, refer to My Oracle Support Knowledge Document 1375686.1 Using Load Balancers with Oracle E-Business Suite Release 12.2.
First confirm that the load balanced environments are functioning correctly before continuing to configure your Oracle E-Business Suite application tier servers with Oracle Access Manager.
For each Oracle E-Business Suite application tier server that participates in your load balanced configuration, perform the following:
$ perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources \
-contextfile=$CONTEXT_FILE \
-deployApps=accessgate \
-SSOServerURL=<OAM Server URL> \
-managedsrvname=<managed server name> \
-managedsrvport=<managed server port> \
-logfile=<logfile>
For example:
$ perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources \
-contextfile=$CONTEXT_FILE \
-deployApps=accessgate \
-SSOServerURL=http://oamserver.example.com:14100 \
-managedsrvname=oaea_server1 \
-managedsrvport=6801 \
-logfile=/tmp/deployeag_6801.log

$ perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources \
-contextfile=$CONTEXT_FILE \
-deployApps=accessgate \
-SSOServerURL=http://oamserver.example.com:14100 \
-managedsrvname=oaea_server2 \
-managedsrvport=6802 \
-logfile=/tmp/deployeag_6802.log
The script will prompt for the following passwords:
  • Enter the APPS Schema password.
  • Enter the WebLogic AdminServer password.
Enter the required information when prompted.
Refer to Section 4.1 Deploy Oracle E-Business Suite AccessGate, for more information on parameters.
Execute the following command once for each managed server on which Oracle E-Business Suite AccessGate has been deployed, to add details of the managed server into the OHS configuration files mod_wl_ohs.conf and apps.conf:
$ perl $FND_TOP/patch/115/bin/txkSetAppsConf.pl \
-contextfile=$CONTEXT_FILE \
-configoption=addMS \
-accessgate=<host>.<domain>:<port>
Replace <host>.<domain>:<port> with the hostname, full domain name and port of the managed server, for example ebshost1.example.com:6801.
For example:
$ perl $FND_TOP/patch/115/bin/txkSetAppsConf.pl \
-contextfile=$CONTEXT_FILE \
-configoption=addMS \
-accessgate=ebshost1.example.com:6801

$ perl $FND_TOP/patch/115/bin/txkSetAppsConf.pl \
-contextfile=$CONTEXT_FILE \
-configoption=addMS \
-accessgate=ebshost2.example.com:6802
Note:
If you are using Oracle E-Business Suite Release 12.2.6 or higher, you can choose to configure single sign on and local authentication at site and server level. Refer to section 6.5 - Configure Single Sign-on at Site or Server Level for further information. You must use the same Application SSO Type profile configuration for all nodes that participate in a load balanced configuration.

6.3 Deploy Oracle E-Business Suite AccessGate with a Real Applications Clusters (RAC) Database

If your database instance and your Oracle E-Business Suite Release 12.2 environment are configured to use RAC load balancing, your Oracle E-Business Suite AccessGate will seamlessly continue to work.
For more information regarding Identity Management components with a RAC database, refer to the section Configuring High Availability for Oracle Identity Manager Components in the Oracle® Fusion Middleware High Availability Guide for Oracle Identity and Access Management.
After performing the configuration in this section, the following steps are required:
  1. Test Single Sign-on with Oracle E-Business Suite
  2. Perform fs_clone

6.4 Deploy Oracle E-Business Suite AccessGate in a Demilitarized Zone (DMZ)

To make a subset of Oracle E-Business Suite Release 12 functionality accessible via the Internet to external users, refer to My Oracle Support Knowledge Document 1375670.1, Oracle E-Business Suite Release 12.2 Configuration in a DMZ. Confirm that these environments are working properly using local logon for all configured Oracle E-Business Suite Application Tiers, before continuing to configure all your Oracle E-Business Suite Application Tiers with Oracle Access Manager for single sign on.

If you are using Oracle E-Business Suite Release 12.2.6 or higher, you can choose to configure single sign on and local authentication at site and server level. Refer to section 6.5 Configure Single Sign-on at Site or Server Level for details. If you wish to use local authentication for external entry points, then you will not register these external entry points with Oracle Access Manager for single sign-on, as described in this section. Instead you will only set the profile Applications SSO Type (APPS_SSO) to SSWA for local authentication at server level for selected external entry points.

To enable single sign on for external entry points, you must configure each Application Tier as documented in this section. This includes deploying Oracle E-Business Suite AccessGate, and registering your Application Tier with Oracle Access Manager. The required Oracle E-Business Suite AccessGate and WebGate components are embedded in each of your Oracle E-Business Suite Release 12.2 Application Tiers. 

You can use any of the DMZ topologies documented in My Oracle Support Knowledge Document 1375670.1 Oracle E-Business Suite Release 12.2 Configuration in a DMZ. In any topology, Oracle Access Manager and Oracle Internet Directory should be installed on the intranet, completely isolated so that no unauthenticated network connection can be established to them. For each of your Oracle E-Business Suite Release 12.2 Application Tiers you will plan to make the web entry point accessible either to internal users only, or to external users over the internet. Oracle E-Business Suite Release 12.2 Application Tiers that are accessed by external users over the internet must be registered with WebGate configured as Detached Credentials Collector (DCC), following the registration steps in this section.

Before you proceed with configuring each of your external Oracle E-Business Suite Release 12.2 Application Tiers (DMZ), you must first configure your internal Oracle E-Business Suite Release 12.2 Application Tier as entry point for internal users at SITE level. Follow the steps in the main section 4 of this document.

Then proceed with the additional steps in this section below to configure each of your external Oracle E-Business Suite Release 12.2 Application Tiers (DMZ) as the entry point for external users at SERVER level.

For additional information on deploying Oracle Access Manager and WebGates in a DMZ, refer to the Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management 11g Release 2 (11.1.2), and Oracle® Fusion Middleware Administrator's Guide for Oracle Access Management 11g Release 2 (11.1.2), section Configuring 11g Webgates and Authentication Policy for DCC.

6.4.1 Deploy Oracle E-Business Suite AccessGate on your External Oracle E-Business Suite Application Tier (DMZ)

Source the Oracle E-Business Suite environment file on your external application tier in the DMZ.
$ cd <EBS_BASE_HOME>
$ . EBSapps.env
$ echo $FILE_EDITION
EBS_BASE_HOME is the top directory where fs1, fs2, and others are installed.
  • Type "R" to select the run file system environment when prompted. Running echo $FILE_EDITION returns "run" to indicate that the run file system is sourced. Ensure there is no active Online Patching cycle.
  • Alternatively, if you wish to register Oracle E-Business Suite during an active Online Patching cycle, type "P" to select the patch file system environment when prompted. Running echo $FILE_EDITION returns "patch" to indicate that the patch file system is sourced.
Prerequisites:
  • The Oracle WebLogic Administration Server on the primary internal application tier must be running from both the run and patch file system.
  • The Oracle WebLogic Administration Server ports must be opened on the firewall that separates the external application tier from the primary internal application tier. All other managed server ports must be closed between the external application tier and the internal application tiers.
Execute the following command to deploy Oracle E-Business Suite AccessGate.
$ perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources \
-contextfile=$CONTEXT_FILE \
-deployApps=accessgate \
-SSOServerURL=<OAM Server URL> \
-OAMLogoutURL=<DCC Logout URL> \
[-managedsrvname=<managed server name>] \
[-managedsrvport=<managed server port>] \
-logfile=<logfile>
For parameter -SSOServerURL, specify the URL for your OAM managed server.
For parameter -OAMLogoutURL, specify the full URL of the Detached Credentials Collector logout script on your Oracle E-Business Suite Release 12.2 webtier.
For example:
$ perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources \
-contextfile=$CONTEXT_FILE \
-deployApps=accessgate \
-SSOServerURL=http://myoam.example.com:14100 \
-OAMLogoutURL=http://myebs.example.com:80/oamsso-bin/logout.pl \
-managedsrvname=oaea_server3 \
-managedsrvport=6803 \
-logfile=/tmp/deployeag.log
The script will prompt for the following passwords:
  • Enter the APPS Schema password.
  • Enter the WebLogic AdminServer password.
The script must complete successfully. Review the log files for any error messages.
After successful completion of the script, ensure your WebLogic AdminServer is running, and execute the following command to add details of the managed server into the OHS configuration files mod_wl_ohs.conf and apps.conf (mod_wl_ohs.conf is regenerated from your WebLogic domain configuration):
$ perl $FND_TOP/patch/115/bin/txkSetAppsConf.pl \
-contextfile=$CONTEXT_FILE \
-configoption=addMS \
-accessgate=<host>.<domain>:<port>
Replace <host>.<domain>:<port> with the hostname, full domain name and port of the new 'oaea_server3' managed server, for example ebshost.example.com:6803.
The script must complete successfully. Review the log files for any error messages.

6.4.2 Register Oracle E-Business Suite AccessGate on your External Oracle E-Business Suite Application Tier (DMZ)

Source the Oracle E-Business Suite environment file on your external application tier in the DMZ.
$ cd <EBS_BASE_HOME>
$ . EBSapps.env
$ echo $FILE_EDITION
EBS_BASE_HOME is the top directory where fs1, fs2, and others are installed.
  • Type "R" to select the run file system environment when prompted. Running echo $FILE_EDITION returns "run" to indicate that the run file system is sourced. Ensure there is no active Online Patching cycle.
  • Alternatively, if you wish to register Oracle E-Business Suite during an active Online Patching cycle, type "P" to select the patch file system environment when prompted. Running echo $FILE_EDITION returns "patch" to indicate that the patch file system is sourced.
If Oracle E-Business Suite is integrated with Oracle Internet Directory:
Execute the following command to register Oracle E-Business Suite with Oracle Access Manager. Specify all parameters on a single command line:
$ txkrun.pl -script=SetOAMReg -registeroam=yes -allowCCOperations=true -authScheme=EBSAuthSchemeDMZ \
-authChalRedirectUrl=http://myebs.example.com -authChalUrl=/oamsso-bin/login.pl -logoutUrl=/oamsso-bin/logout.pl \
-logoutRedirectUrl=null -protectedResource=/oamsso-bin/logout.pl -responseType=HTTP -ebsProfileLevel=Server
If Oracle E-Business Suite is integrated with Oracle Unified Directory:
Execute the following command to register Oracle E-Business Suite with Oracle Access Manager. Specify all parameters on a single command line:
$ txkrun.pl -script=SetOAMReg -registeroam=yes -ldapProvider=OUD -oidUserName="cn=directory manager" -allowCCOperations=true -authScheme=EBSAuthSchemeDMZ \
-authChalRedirectUrl=http://myebs.example.com -authChalUrl=/oamsso-bin/login.pl -logoutUrl=/oamsso-bin/logout.pl \
-logoutRedirectUrl=null -protectedResource=/oamsso-bin/logout.pl -responseType=HTTP -ebsProfileLevel=Server
For parameter -authChalRedirectUrl, specify the base URL that external users use to access your Oracle E-Business Suite webtier. If you use a load balancer in front of your Oracle E-Business Suite webtier, specify the load balancer base URL.
For parameter -ebsProfileLevel, specify either Server or Site (default). If you are configuring separate Oracle E-Business Suite instances for internal and external users, you must register at least one instance at Site level. You may register other Oracle E-Business Suite instances at Server level. This will set the APPS_AUTH_AGENT profile option at the SERVER level, so that internal users are directed to one URL for authentication, and external users to another. For more information on E-Business Suite profile options at SERVER level, refer to My Oracle Support Knowledge Document 1375670.1 Oracle E-Business Suite Release 12.2 Configuration in a DMZ.
For all other parameters, specify the values as listed in the example above.
The script will prompt for the following information.
  • Enter OAM console URL (for example: http://myoam.example.com:7001)
  • Enter OAM console user name (for example: weblogic)
  • Enter OAM console password
  • Enter LDAP URL (for example: ldap://myoid.example.com:3060)
  • Enter OID console user name (for example: cn=orcladmin)
  • Enter OID console password
  • Enter APPS password
Enter the required information when prompted.
The script must complete successfully. Review the log files for any error messages.
During the prerequisite DMZ configuration of your external application tier, following My Oracle Support Knowledge Document 1375670.1, Oracle E-Business Suite Release 12.2 Configuration in a DMZ, Appendix E: Configuring the URL Firewall, you will have configured your OHS to use the URL Firewall configuration file url_fw.conf. This file implements a whitelist of URLs that are allowed.

You will find the URLs required for your Oracle E-Business Suite AccessGate integration with Oracle Access Manager in section with comment header:

#======================================================================
#Include URLs for Accessgate Application
#======================================================================

By default the URLs in this section are commented in url_fw.conf.

Edit url_fw.conf, and uncomment all lines in this section.
Stop and restart the Oracle E-Business Suite 12.2 OHS and WebLogic servers.
Verify that external users can access the following resources:
http://myebs.example.com/oamsso-bin/login.pl
http://myebs.example.com/oamsso-bin/logout.pl

If an error occurs when accessing the above URLs, check the OHS error log. If you see a 'Premature end of script headers' error, then you may need to adjust the perl location for your environment. Modify the first line #!/usr/local/bin/perl in the files login.pl and logout.pl in the following directory, to point to the correct location of perl:
$FMW_HOME/Oracle_OAMWebGate1/webgate/ohs/oamsso-bin
After performing the configuration in this section, the following steps are required:
  1. Test Single Sign-on with Oracle E-Business Suite
  2. Perform fs_clone

6.5 Configure Single Sign-on at Site or Server Level 

If you are using Oracle E-Business Suite 12.2.6 or higher, you can choose to configure single sign-on and local authentication at site and server level.

For example, you may choose to register your Oracle E-Business Suite 12.2.6 instance with Oracle Access Manager for single sign-on at site level (the default) for all internal users, while for external users you may prefer not to register the external entry points for single sign-on but to use local user authentication instead.

To configure single sign-on at site level and local user authentication for selected server entry points, set the profile Applications SSO Type (APPS_SSO) as follows:

Profile: Applications SSO Type (APPS_SSO)
Level:   Site
Value:   SSWA w/SSO

Profile: Applications SSO Type (APPS_SSO)
Level:   Server
Server:  <Server Name>
Value:   SSWA
As of Oracle E-Business Suite Release 12.2.6, the Applications SSO Type (APPS_SSO) profile option is decoupled from provisioning; provisioning from Oracle E-Business Suite to the LDAP server (OID or OUD) therefore continues after the profile option has been set to 'SSWA' only.
For further information on enabling or disabling provisioning, refer to the following documents:
For Oracle Internet Directory:
Document 1371932.1 Integrating Oracle E-Business Suite Release 12.2 with Oracle Internet Directory 11gR1.

For Oracle Unified Directory:
Document 2003483.1 Integrating Oracle E-Business Suite Release 12.2 with Oracle Unified Directory 11g Release 2.

Section 7: Optional Post Installation Steps

7.1 Implement functionality for self-service password changes

If you wish to implement functionality for self-service password changes, you may install and configure the identity provisioning tool of your choice and integrate it with Oracle Access Manager and Oracle E-Business Suite. Refer to the manual Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity and Access Management for more information on integrating Oracle Access Manager with other provisioning and password management tools.
Once you have configured your identity provisioning tool with Oracle Access Manager, you may allow users to invoke an external URL that supports self-service password changes from the Oracle E-Business Suite Preferences page. Set the following profile to enable this functionality.

Profile: Application SSO Change Password URL (APPS_SSO_CHANGE_PWD_URL)
Level:   Site
Value:   The URL of an external page that supports self-service password changes.

For example:
http://<IDM server>:<port>/account/changePassword.jsp

7.2 Migrating from using Oracle Single Sign-On Server

If you are migrating from using Oracle Single Sign-On Server, you should deregister OSSO from all nodes of your Oracle E-Business Suite instance, once your Oracle Access Manager integration has been completed and tested. Refer to My Oracle Support Knowledge Document 1371932.1. Your Oracle E-Business Suite instance and Oracle Internet Directory registrations will be retained from your OSSO integration.
The OID registration scripts may reset the setting for the APPS_SSO profile option to SSWA. Log on to Oracle E-Business Suite and verify the setting for the APPS_SSO profile option, changing it back to SSWA w/SSO if necessary.

Section 8: Upgrade and Migration

8.1 Oracle Access Manager Upgrade and Migration

Integrating Oracle E-Business Suite is simpler for Oracle Access Manager 11g Release 2 (11.1.2) than it was for previous Oracle Access Manager releases. Oracle E-Business Suite is certified using the default OAM single sign-on page and no longer requires the configuration of an Oracle E-Business Suite specific single sign-on page. The necessary configuration is now automated.
Follow the steps in section Integrate Oracle E-Business Suite with Oracle Access Manager to automatically integrate your Oracle E-Business Suite Release 12.2 environment with Oracle Access Manager 11g Release 2 (11.1.2) instead of migrating your old Oracle Access Manager configuration.
This is the recommended option because it involves less manual configuration steps.
Migration of the old Application Domain for Oracle E-Business Suite integration is not needed. If you have previously migrated the Oracle E-Business Suite Application Domain along with other non Oracle E-Business Suite Application Domains from a previous Oracle Access Manager release to Oracle Access Manager 11g Release 2, you must delete the old Oracle E-Business Suite Application Domain prior to creating the new configuration. To delete your old Application Domain, use the Oracle Access Manager Console, select your old Oracle E-Business Suite Application Domain in the Policy Configuration tab, and press the delete button.
8.1.1 Upgrading from Oracle Access Manager 11.1.2.2 to Oracle Access Manager 11.1.2.3

As per Section 9 of the Oracle Fusion Middleware Release Notes for HTTP Server, Oracle WebGate version 11.1.2.3 for Oracle HTTP Server supports only Oracle HTTP Server version 11.1.1.9. If your version of Oracle HTTP Server is lower than 11.1.1.9, it should be upgraded to 11.1.1.9 by following Document 1590356.1 Upgrading Oracle Fusion Middleware Technology Stack of Oracle E-Business Suite Release 12.2 to the latest 11gR1 (11.1.1.x) Patchset, before upgrading Oracle WebGate to version 11.1.2.3.
There are two options when upgrading to Oracle Access Manager 11.1.2.3, (Option 1 is the recommended option):
  • Upgrade Oracle HTTP Server, Oracle Access Manager and Oracle WebGate (Option 1)
  • Upgrade Oracle Access Manager Only (Option 2)
8.1.1.1 Upgrade Oracle HTTP Server, Oracle Access Manager and Oracle WebGate (Option 1)
  1. Follow the steps in Appendix A to deregister Oracle E-Business Suite from Oracle Access Manager 11.1.2.2
  2. Apply the prerequisite patches as documented in Table B of step 3.5.2 - Download and apply Oracle E-Business Suite Updates
  3. Deinstall Oracle WebGate 11.1.2.2:
    Execute the following commands to deinstall Oracle WebGate 11.1.2.2:
    $ cd $FMW_HOME/Oracle_OAMWebGate1/oui/bin
    $ ./runInstaller -deinstall
    After deinstallation, ensure that the directory 'Oracle_OAMWebGate1' under <FMW_Home> is removed.
  4. Upgrade Oracle HTTP Server to 11.1.1.9, by referring to Document 1590356.1 Upgrading Oracle Fusion Middleware Technology Stack of Oracle E-Business Suite Release 12.2 to the latest 11gR1 (11.1.1.x) Patch Set.
  5. Upgrade Oracle Access Manager to 11.1.2.3, by referring to Oracle Fusion Middleware Upgrade Guide for Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0) together with Oracle Fusion Middleware Release Notes for Identity Management 11g Release 2 (11.1.2.3).
  6. Follow Step 3.4 to apply Oracle Access Manager 11.1.2.3 Bundle Patch 3 (OAM 11.1.2.3.3) to Oracle Access Manager Server.
  7. Perform steps 3.5.3 to 4.5 (inclusive) to download and install WebGate 11.1.2.3 and Integrate Oracle E-Business Suite 12.2 with Oracle Access Manager 11.1.2.3
8.1.1.2 Upgrade Oracle Access Manager Only (Option 2)
If you plan to continue using Oracle HTTP Server 11.1.1.7 with Oracle Access Manager 11.1.2.3, you must continue using Oracle WebGate 11.1.2.2 with Oracle Access Manager 11.1.2.3. It is necessary to re-register Oracle E-Business Suite 12.2 with Oracle Access Manager 11.1.2.3 using the new registration scripts for Oracle Access Manager 11.1.2.3:
  1. Follow the steps in Appendix A to Deregister Oracle E-Business Suite from Oracle Access Manager 11.1.2.2
  2. Apply the prerequisite patches as documented in Table B of step 3.5.2 - Download and apply Oracle E-Business Suite Updates
  3. Upgrade Oracle Access Manager to 11.1.2.3, by referring to Oracle® Fusion Middleware Upgrade Guide for Oracle Identity and Access Management 11g Release 2 (11.1.2.3) together with Oracle® Fusion Middleware Release Notes for Identity Management 11g Release 2 (11.1.2.3).
  4. Follow Step 3.4 to apply Oracle Access Manager 11.1.2.3 Bundle Patch 3 (OAM 11.1.2.3.3) to Oracle Access Manager Server
  5. Perform steps 4.1 to 4.5 (inclusive) to Integrate Oracle E-Business Suite 12.2 with Oracle Access Manager 11.1.2.3

8.2 Oracle E-Business Suite AccessGate Upgrade

If you have integrated Oracle E-Business Suite Release 12.2 with Oracle Access Manager 11gR2 (11.1.2) using Oracle E-Business Suite AccessGate, following the steps in this document, and an update for Oracle E-Business Suite AccessGate becomes available, you may apply the Oracle E-Business Suite AccessGate update as follows.

8.2.1 Download and apply the latest Oracle E-Business Suite AccessGate Update

You will always find the latest certified update for Oracle E-Business Suite AccessGate in the patch table at section 3.5.2 above. Apply the update to your Oracle E-Business Suite Release 12.2 instance.

8.2.2 Redeploy Oracle E-Business Suite AccessGate

Redeploy Oracle E-Business Suite AccessGate using the same command as during initial deployment. Refer to section 4.1 Deploy Oracle E-Business Suite AccessGate or, for a DMZ, section 6.4.1 Deploy Oracle E-Business Suite AccessGate in a DMZ.
Similar to the initial deployment of Oracle E-Business Suite AccessGate, you can choose to redeploy on your patch file system first, during an active Online Patching cycle, then cutover. Alternatively you can redeploy on your run file system first when no Online Patching cycle is active.

8.2.3 Perform fs_clone

Your Oracle E-Business Suite Release 12.2 instance is now integrated with Oracle Access Manager using the latest Oracle E-Business Suite AccessGate on your run file system. Perform an fs_clone to synchronize the changes to your patch file system before you start the next Oracle E-Business Suite Release 12.2 Online Patching cycle.

Section 9: Available Documentation

Oracle Fusion Middleware Documentation:
Oracle E-Business Suite Documentation:
    • My Oracle Support Knowledge Document 1367293.1 Enabling TLS in Oracle E-Business Suite Release 12.2
    • My Oracle Support Knowledge Document 1375670.1 Oracle E-Business Suite Release 12.2 Configuration in a DMZ
    • My Oracle Support Knowledge Document 1614793.1 Cloning Oracle E-Business Suite Release 12.2 Environments integrated with Oracle Access Manager 11gR2 (11.1.2) and Oracle E-Business Suite AccessGate

Appendix A: Deregister Oracle E-Business Suite from Oracle Access Manager

Note: Oracle Access Manager maintains a single registration for your Oracle E-Business Suite instance and does not distinguish between run and patch file systems. Hence removing the registration from Oracle Access Manager will affect the running system.
To deregister your Oracle E-Business Suite instance from Oracle Access Manager:
Source the Oracle E-Business Suite environment file of your run file system.
$ cd <EBS_BASE_HOME>
$ . EBSapps.env
$ echo $FILE_EDITION
EBS_BASE_HOME is the top directory where fs1, fs2, and others are installed.
Type "R" to select the run file system environment when prompted. Echo $FILE_EDITION returns "run" to indicate that the run file system is sourced. Ensure there is no active Online Patching cycle.
Stop the OHS server on the Oracle E-Business Suite Environment:
$ adapcctl.sh stop
Execute the following command to deregister Oracle E-Business Suite from Oracle Access Manager.
$ txkrun.pl -script=SetOAMReg -deregisteroam=yes -ebsProfileLevel=[Site|Server]
Specify -ebsProfileLevel=Site if you followed the instructions in Section 4.2 and registered the instance at site level. This will switch back the Oracle E-Business Suite profile options Application Authenticate Agent (APPS_AUTH_AGENT) and Applications SSO Type (APPS_SSO) to local login.

Specify -ebsProfileLevel=Server if you registered the instance at server level. This will not affect the site level profiles, and only remove the profiles at server level for the server that you deregister.
The script will prompt for the following information.
  • Enter OAM console URL (for example: http://myoam.example.com:7001)
  • Enter OAM console user name (for example: weblogic)
  • Enter OAM console password
  • Enter APPS password
Enter the required information when prompted.
The script will provide a summary of input values. Confirm that these are correct and start the deregistration.
Do you wish to continue (y|n)? y
The script will now perform the following main tasks automatically:
  • Deregister Oracle E-Business Suite AccessGate from Oracle Access Manager.
  • Disable WebGate in your Oracle E-Business Suite webtier.
  • Clear Oracle E-Business Suite profile options Application Authenticate Agent (APPS_AUTH_AGENT) and Applications SSO Type (APPS_SSO) to switch back to local login. If you registered the instance with -ebsProfileLevel=Site (default), deregistration will clear the profiles at SITE level. If you registered the instance with -ebsProfileLevel=Server, deregistration will clear the profiles at SERVER level.
Alternatively, you can execute the script with parameters. For example:
$ txkrun.pl -script=SetOAMReg -deregisteroam=yes \
-oamHost=http://myoam.example.com:7001 \
-oamUserName=weblogic \
-skipConfirm=yes
The script must complete successfully. Review the log files for any error messages.
The script will not automatically delete the following entries, as you may have also used these for other partner applications:
  • Authentication Scheme (by default named EBSAuthScheme)
  • Authentication Module (by default named LDAP_EBS)
  • Identity Store (by default named OIDIdentityStore)
If you exclusively used these entries for the Oracle E-Business Suite instance that you deregistered, you may delete the Authentication Scheme, Authentication Module, and Identity Store in the order listed, using your OAM Administration Console.
After de-registering your Oracle E-Business Suite instance from Oracle Access Manager, you no longer need the Oracle E-Business Suite AccessGate deployment. Delete your Oracle E-Business Suite AccessGate using your WebLogic Administration Console, for example:
http://ebshost.example.com:7001/console
In the WebLogic Administration Console, navigate to EBS_domain_sid > Deployments, stop then delete the Oracle E-Business Suite AccessGate application named "accessgate". Ensure that you click 'Activate Changes' in the 'Change Center' pane, for the changes to take effect.
If you do not use the data source "OAEADatasource" for any other application, you may also delete the datasource. Navigate to EBS_domain_sid > Services > Data Sources, and delete data source "OAEADatasource". Ensure that you click 'Activate Changes' in the 'Change Center' pane, for the changes to take effect.
Delete the managed server on which accessgate was deployed:
  1. If the managed server oaea_server1 is currently running, shut it down as follows:
$ sh $ADMIN_SCRIPTS_HOME/admanagedsrvctl.sh stop oaea_server1
The script will prompt for the following passwords:
  • Enter the WebLogic Admin password.
Enter the required information when prompted.
  2. Run the command below on the application tier node where the oaea_server1 managed server resides. This will delete the managed server, and also update the respective context variables that contain references to the deleted managed server:
$ perl $AD_TOP/patch/115/bin/adProvisionEBS.pl \
ebs-delete-managedserver \
-contextfile=$CONTEXT_FILE -managedsrvname=oaea_server1
The script will prompt for the following passwords:
  • Enter the APPS Schema password.
  • Enter the WebLogic AdminServer password.
Enter the required information when prompted.
The following confirmation message will be displayed: ManagedServer oaea_server1 deleted successfully.
  3. Remove the managed server and port from the mod_wl_ohs.conf configuration:
$ perl $FND_TOP/patch/115/bin/txkSetAppsConf.pl \
-contextfile=$CONTEXT_FILE \
-configoption=removeMS \
-accessgate=<host>.<domain>:<port>
To determine the value of the Port that was used for the oaea_server1 managed server, search for 's_wls_oaeaport' in $CONTEXT_FILE.
Stop and restart the Oracle E-Business Suite Application Tier services.

Appendix B: Known Issues

The following list gives known issues and workarounds for Oracle E-Business Suite integration with Oracle Access Manager 11g Release 2 (11.1.2) using Oracle E-Business Suite AccessGate.

Issue: OAM failure on long URLs
The error "OAM System error. Please re-try your action. If you continue to get this error, please contact the Administrator. OAM-02073" may be caused by long URLs that exceed a cookie limit in your Internet browser. Ensure that you changed serverRequestCacheType from COOKIE to FORM as documented in section Configure Oracle Access Manager to support long URLs.

Issue: Language support
The following languages supported by Oracle E-Business Suite are not yet supported by the Oracle Access Manager login page. If you have any of these languages installed in your Oracle E-Business Suite environment, do not configure the language functionality for the Oracle Access Manager login page in OAM 11.1.2.1.0, and continue using the Oracle E-Business Suite profile option 'Applications Override SSO Server Language'. Refer to the instructions in section Configuring Languages for the Oracle Access Manager Login Page.
  • Hebrew - Bug 16901373 - Fixed in OAM 11gR1 Patchset 2.
  • Croatian and Canadian French - Bug 16920577
  • Albanian, Catalan, Cyrillic Serbian, Dutch, Egyptian, Icelandic, Indonesian, Latin Serbian, Lithuanian, Slovenian, Ukrainian, Vietnamese - Bug 16920613

Issue: Global logout issue specific to Oracle Applications Framework pages (Bug 14799314)
If a user is subscribed to two Oracle E-Business Suite environments that are integrated with the same OID and WebGate, has an active session in each environment and logs out of the first session, they are automatically logged out of the second session. However, when they click a link in the second session, for example 'Preferences', instead of being redirected to the OAM single sign-on page the following error message is displayed:

Error
You have insufficient privileges for the current operation. Please contact your System Administrator.

Issue: iStore logout does not redirect to the iStore page after integration with OAM 11.1.2.2/11.1.2.3
After OAM 11.1.2.2 integration, iStore logout does not redirect to the iStore page; it redirects to the OAM SSO logout page instead.
Solution: This will be addressed through Bug 17947381.

Issue: OUI Installer fails to apply one-off patches using the latest OPatch
Solution: This will be addressed through Bug 17848279.

Issue: Warning messages displayed during EBS AccessGate deployment (Bug 19341220)
The following warning message can be ignored:
<Warning> <JNDI> <BEA-050001> <WLContext.close() was called in a different thread than the one in which it was created.>

Issue: DMZ deployment of Oracle E-Business Suite AccessGate on multiple internal and external nodes sharing a single file system (Bug 18949797)
Oracle E-Business Suite AccessGate cannot be deployed in a shared file system for multiple internal and external nodes.
Solution: This issue will be addressed through Bug 18949797.

Issue: In a load balanced configuration there is a single web entry point registered in OAM, so deregistering one node removes the whole OAM registration
Workaround: To remove a single node from a multi-node, load balanced configuration, do not deregister OAM using txkrun.pl -script=SetOAMReg -deregisteroam=yes. Instead, clear the profile option 'Application Authenticate Agent' (APPS_AUTH_AGENT) at server level for the server that is being removed from the configuration. Set the AutoConfig variable s_enable_webgate to '#' and run AutoConfig. This disables the WebGate configuration on the node that is being removed.
Solution: Removal of a single node from a multi-node load balanced configuration will be enhanced through Bug 19558683.

Issue: mod_wl_ohs.conf has invalid entries (Bug 19373026)
The default server:port entry still exists in file mod_wl_ohs.conf after deploying Oracle E-Business Suite AccessGate on a different dedicated server:port. For example:

<Location /accessgate>
SetHandler weblogic-handler
WebLogicCluster supplier.certdmz.com:6803,supplier.certdmz.com:3803
WLTempDir ${ORACLE_INSTANCE}/tmp
</Location>

Solution: Remove the invalid entry using
$ perl $FND_TOP/patch/115/bin/txkSetAppsConf.pl \
-contextfile=$CONTEXT_FILE \
-configoption=removeMS \
-accessgate=<host>.<domain>:<port>

Issue: EBS AccessGate deployment failures after applying the November 2014 AD-TXK Bundles (Patch 20034256:R12.AD.C and Patch 20043910:R12.TXK.C respectively) (Bug 20120776, Bug 20120500)
Deployment fails with the error messages:
ERROR: Unable to shutdown the managed server
ERROR: Unable to start managed server
Workaround: To deploy Oracle E-Business Suite AccessGate, source the run file system, then execute adProvisionEBS.pl to deploy Oracle E-Business Suite AccessGate as documented. Ignore the 'Unable to shutdown' message in the log file. Manually stop and start the managed server after deployment.
Solution: This issue is addressed in the AD/TXK Delta 6 patches.

Issue: The Link-on-the-fly page fails if the <Enter> key is used to submit the username and password (Bug 21330792)
Workaround: Click the 'Apply' button on the Link-on-the-fly page and the user credentials are accepted.
Solution: This issue is addressed in Patch 21330792.
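The following added example (written for this page, not Oracle's code) ties Appendix A step 3 and the 'mod_wl_ohs.conf has invalid entries' issue above together: it reads s_hostname, s_domainname and s_wls_oaeaport from the context file to derive the host.domain:port that oaea_server1 was deployed on, parses the WebLogicCluster directive of the <Location /accessgate> block in mod_wl_ohs.conf, and prints one txkSetAppsConf.pl removeMS command for every member that does not match. The context file and mod_wl_ohs.conf it writes under a temporary directory are constructed samples: the oa_var names are the real ones, but the XML element names around them are assumed, and the host names reuse the page's own supplier.certdmz.com example.

```shell
#!/bin/sh
# Added example (not Oracle's code): find which host:port entries OHS still routes
# /accessgate to that are not the managed server EBS AccessGate is deployed on, and
# print the removeMS command for each.

# Value of a context variable, looked up by its oa_var attribute (for example
# s_wls_oaeaport). Only the attribute is matched, so the element name does not matter.
context_var() {
    sed -n "s/.*oa_var=\"$2\"[^>]*>\([^<]*\)<.*/\1/p" "$1" | head -n 1
}

# host.domain:port of the AccessGate managed server, from s_hostname, s_domainname
# and s_wls_oaeaport (the variable Appendix A says to search for in $CONTEXT_FILE).
accessgate_target() {
    printf '%s.%s:%s\n' "$(context_var "$1" s_hostname)" \
        "$(context_var "$1" s_domainname)" "$(context_var "$1" s_wls_oaeaport)"
}

# WebLogicCluster members of the <Location /accessgate> block, one per line.
# Other Location blocks in the same file are ignored.
accessgate_cluster_members() {
    awk '
        /^[[:space:]]*<Location[[:space:]]+\/accessgate>/ { in_loc = 1; next }
        /^[[:space:]]*<\/Location>/                       { in_loc = 0; next }
        in_loc && $1 == "WebLogicCluster" {
            n = split($2, m, ",")
            for (i = 1; i <= n; i++) print m[i]
        }
    ' "$1"
}

# Members of /accessgate that are not the expected target: the stale entries.
stale_accessgate_members() {
    accessgate_cluster_members "$1" | awk -v keep="$2" '$0 != keep'
}

# One txkSetAppsConf.pl removeMS command per stale member. Printed, not executed;
# $FND_TOP and $CONTEXT_FILE are left literal for the sourced EBS environment.
removems_commands() {
    stale_accessgate_members "$1" "$2" | while IFS= read -r member; do
        printf 'perl $FND_TOP/patch/115/bin/txkSetAppsConf.pl -contextfile=$CONTEXT_FILE -configoption=removeMS -accessgate=%s\n' "$member"
    done
}

# ---- constructed sample inputs (not a real context file or mod_wl_ohs.conf) ----
work=$(mktemp -d)
ctx="$work/EBS_CONTEXT.xml"
conf="$work/mod_wl_ohs.conf"

# oa_var names are real; the surrounding element names are assumed for the sample.
cat > "$ctx" <<'EOF'
<?xml version="1.0"?>
<oa_context>
   <host oa_var="s_hostname">supplier</host>
   <domain oa_var="s_domainname">certdmz.com</domain>
   <webport oa_var="s_webport" oa_type="PORT">8000</webport>
   <wls_oaeaport oa_var="s_wls_oaeaport" oa_type="PORT">6803</wls_oaeaport>
</oa_context>
EOF

# Mirrors the invalid-entry example from the known issue: 3803 is the stale default.
cat > "$conf" <<'EOF'
<Location /accessgate>
SetHandler weblogic-handler
WebLogicCluster supplier.certdmz.com:6803,supplier.certdmz.com:3803
WLTempDir ${ORACLE_INSTANCE}/tmp
</Location>
<Location /OA_HTML>
SetHandler weblogic-handler
WebLogicCluster supplier.certdmz.com:7203
</Location>
EOF

expected=$(accessgate_target "$ctx")
echo "AccessGate target from context file: $expected"
echo "stale /accessgate members:"
stale_accessgate_members "$conf" "$expected"
echo "commands to run after sourcing the run edition:"
removems_commands "$conf" "$expected"
```

The commands are printed rather than executed so that they can be reviewed and run after sourcing the run edition and confirming there is no active Online Patching cycle; on a real system pass $CONTEXT_FILE and the mod_wl_ohs.conf of the node in question to accessgate_target and stale_accessgate_members respectively.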

Appendix C: Product-Specific Single Sign-On Exceptions

A small number of Oracle E-Business Suite products have limited or no support for Oracle Access Manager. Refer to the list below for more information.

Oracle Demand Signal Repository
  Integration with Oracle Access Manager is not supported at this time.

Oracle iLearning (Standalone)
  Oracle iLearning is a standalone product and is not part of E-Business Suite. Support for Oracle Access Manager is planned for a later date. Oracle Learning Management is part of the E-Business Suite and is certified with Oracle Access Manager.

Oracle Manufacturing Operations Center
  Administrative functions of this product require Oracle Warehouse Builder, which does not support integration with Oracle Access Manager.

Oracle Sales Offline
  Sales Offline currently requires the "Applications SSO Login Types" profile option to be set to 'Local' or 'Both' for users. This is documented in Oracle Sales Offline Implementation Guide Release 12.1. The product plans to support Oracle Access Manager at a later date.

Oracle Warehouse Management
  Integration with Oracle Access Manager is not supported at this time.

Oracle Workflow
  Single sign-on functionality is not supported with password-based digital signatures. If using password-based signatures, you must set the "Applications SSO Login Types" profile option to either 'Local' or 'Both' for all users who need to enter password-based signatures.

Oracle XML Gateway
  Integration with Oracle Access Manager is not supported at this time. The "Applications SSO Login Types" profile option must be set to 'Local' or 'Both' for all users with this responsibility.

Change Log

Mar 14, 2019: Updated TLS section to clarify that WebLogic Plug-In and Client Cert Proxy must be enabled for both the eag managed server and the oam managed server.
Jan 30, 2019: Updated to make example host names more generic.
Oct 12, 2018: Removed Known Issue Bug 19817016 as this is no longer an issue.
May 21, 2018: Added new Task 4.3 - Allow Browsers to Access Only Known Web Entry Points.
Dec 1, 2016: Updated with External/Internal Authentication details.
Nov 15, 2016: Updated Document to refer to My Oracle Support Knowledge Document 2202932.1 for Oracle E-Business Suite AccessGate Patch number.
  Removed fifth-level patchset digit from version numbers.
Oct 24, 2016: Removed Mobile Applications from Appendix C: Product Specific Single Sign-On Exceptions table.
Jul 1, 2016: Clarified JAVA_OPTIONS setting for Minimum Protocol Version in section 6.1.
  Removed Windows Bug 23622992 from Known Issues table.
Jun 23, 2016: Updated for TLS configurations.
  Added Federation issue details in section 5.2.2.
  Removed Bug 20989144 from Known Issues table as this is fixed with OUD BP and is added as a recommendation in the OUD Integration Note.
Jan 28, 2016: Clarified the details in section 6.2 for the Load Balanced configuration.
Dec 18, 2015: Added missing OAM Registration step for OUD Integration to Section 6.4.2 for DMZ.
Dec 9, 2015: Updated to include Oracle Unified Directory 11.1.2.3.
Oct 29, 2015: Updated to include Oracle Access Manager WebGate 11.1.2.3 as WebTier 11.1.1.9 is certified with Oracle E-Business Suite 12.2.
Oct 7, 2015: Replaced EAG Patch 19767816 with EAG Patch 21523147. Added Bug 21330792 to Known Issues.
Sep 28, 2015: Added recommendation to apply OAM BP3 (as this includes the fix for Bug 19438948).
Sep 22, 2015: Removed Known Issue requiring Patch 16513008 as this is fixed from OAM 11.1.2.2 onwards.
Aug 26, 2015: Clarified in section 4.1 that Oracle E-Business Suite AccessGate can be deployed to a non-default managed server.
Aug 17, 2015: Corrected Patch application sequence in section 3.4 - OAM BP1 must be applied before Patch 19438948.
Aug 7, 2015: Added Patch 19438948 as a prerequisite patch.
Jul 22, 2015: Added OAM BP01 as a prerequisite (as it includes Patch 21084067).
Jun 23, 2015: Updated for OAM 11.1.2.3.
Mar 17, 2015: Corrected Table in Appendix C.
Jan 23, 2015: Removed footnote for Windows customers from Section 3.4.2.
  Updated Load Balancing Section 6.2 to be more concise.
  Added an explanation to the introduction regarding integrating multiple Oracle E-Business Suite instances.
Dec 11, 2014: Added EAG Patch 19767816.
  Added Bug 20120776 and Bug 20120500 to Known Issues section.
Nov 11, 2014: Added Bug 19817016 to Known Issues section with workaround.
Oct 29, 2014: Added requirement for RHEL 6 customers to apply Unified Installer Patch 18231786 before installing Oracle Access Manager 11.1.2.2.0.
Oct 10, 2014: Added patches for Windows customers.
  Added link to MOS Note 1614793.1 in Available Documentation Section.
Oct 1, 2014: Corrected Change Log.
Sep 11, 2014: Finalized patches required on top of TXK Delta 5 in section 3.4.1.
Aug 18, 2014: Updated txksetappsconf.pl commands at section 4.1 and section 6.4.1.
  Added required patches to table in section 3.4.1: R12.TXK.C Patch 19344241.
Aug 16, 2014: Updated to include R12.TXK.C.DELTA.5 Patch 18288881.
  Deleted the OAM registration Known Issue as this is not an issue from RUP 5 onwards.
  Updated the DMZ information in section 6.4.
  Added required patches to table in section 3.4.1: R12.TXK.C Patch 18921971, R12.AD.C Patch 19223358.
Aug 15, 2014: Added Known Issue Bug 19438948 - Issue in PS2 and BP2 with USER_ORCLGUID attribute.
  Deleted Note box recommending install of WebGate 11.1.2.1 for Linux customers as issue with installer (Bug 18758638) has now been addressed.
Jun 20, 2014: Added Oracle E-Business Suite AccessGate 1.2.3 patch and consolidated patch 18497540.
  Added requirement to stop OHS before performing OAM deregistration.
May 28, 2014: Corrected logoutUrl parameter for DMZ.
  Added a test to ensure that login.pl and logout.pl function correctly in a DMZ environment.
  Added instructions for upgrading Oracle E-Business Suite AccessGate.
May 27, 2014: Updated Section 3.3 to clarify that OAM 11.1.2.2.0 should be installed.
May 23, 2014: Added Known Issue for Linux 11.1.2.2.0 WebGates to Section 3.4.2 (Bug 18758638).
Apr 17, 2014: Corrected -authChalRedirectUrl parameter example in Section 6.4.2 (removed the port, as the URL without the port is required for this parameter in a DMZ environment).
Apr 1, 2014: Added regeneration of mod_wl_ohs.conf. This step is required on R12.TXK.C.DELTA.4 and will be removed with a future TXK patchset.
Mar 11, 2014: Added required fs_clone.
Feb 27, 2014: Added section on load balancing.
  Added prerequisite R12.TXK.C.DELTA.4.
  Moved WebGate install to the prerequisite section.
  Added note that registration is supported on either run or patch file system.
Feb 26, 2014: Added New Section 6.2 to provide configuration details for load balanced environments.
Feb 07, 2014: Updated with OAM PS2 (11.1.2.2) related changes.
Dec 31, 2013: Added requirement to specify values for 'ldapSearchBase' and 'ldapGroupSearchBase' in txkrun.pl command in Section 4.3.
Dec 16, 2013: 1) Updated for Oracle E-Business Suite Release 12.2.3.
  2) Updated Section 4.3:
    • Added clarification that the OAM registration script is re-runnable.
    • Added the '-webgatestagedir' parameter example to the non-interactive command in section 4.3.
Dec 9, 2013: Removed empty patching cycle from Section 4.1.1.
Oct 24, 2013: Added clarification to DMZ section and details of Known Issues for DMZ environments.
Sep 26, 2013: Corrected OAM Logout URL parameter in DMZ Section 2.3 (was '-DOAMLogoutURL' but should be '-OAMLogoutURL').
Sep 19, 2013: Document published for Oracle E-Business Suite Release 12.2.

My Oracle Support Knowledge Document 1576425.1 by Oracle E-Business Suite Development

Copyright © 2013, 2016, Oracle and/or its affiliates. All rights reserved.
