
Using Oracle Application Server · Web Cache 10.1.2.3 10.1.2.2 Oracle Integration 10.1.3 10.1.3 ......

Date post: 27-Jan-2020

Using Oracle Application Server with Oracle E-Business Suite

Steven Chan
Sr. Director, Applications Technology Integration

Topics

• Supported Optional OracleAS 10g Integrations
• In-Depth: Enabling Single Sign-On
• In-Depth: Third-Party Access Managers and LDAP Directories
• Customer Case Studies
• Certification Roadmap
• References

Last updated: Sep 20, 2008


E-Business Suite Optional OracleAS 10g Integrations

Middleware Desupport Notices
Or, “Why You Should Plan for OracleAS 10g Now”

• Discoverer 4i October 2006
• Login Server 3.0.9
• Portal 3.0.9 July 2007
• Oracle Internet Directory 3.0.1
• Oracle Application Server 10.1.2.0.2 December 2008

Other Important Desupport Notices

• J2SE 1.3 (Windows, Linux, Solaris) December 2006
• J2SE 1.3 (HP-UX) January 2007
• J2SE 1.3 (IBM AIX) September 2007
• E-Business Suite 11.5.7 May 2007
• E-Business Suite 11.5.8 November 2007
• E-Business Suite 11.5.9 June 2008
• JInitiator 1.1.8 December 2008
• JInitiator 1.3 July 2009

Simple Architecture

[Diagram: External Users (via VPN), Internal Users, Intranet, Firewalls, E-Business Suite Application Server, E-Business Suite Database, Oracle Application Server 10g]

Oracle Application Server 10g
• Portal
• Single Sign-On
• Oracle Internet Directory
• Discoverer
• Other Fusion Middleware Components

11i 12

E-Business Suite Integration with OracleAS 10g

11i
• Runs Oracle9i Application Server 1.0.2.2.2 on mid-tier
• Runs Release 11i application-tier services such as Forms, Jserv
• Integrated with an external stand-alone Oracle Application Server 10g instance for optional services (e.g. Single Sign-On)

12
• Runs Oracle Application Server 10g on mid-tier
• Runs Release 12 application-tier services such as Forms, OC4J
• Integrated with an external stand-alone Oracle Application Server 10g instance for optional services (e.g. Single Sign-On)

Distributed Architecture

[Diagram: Internet, Reverse Proxy, Firewalls, External Users, Internal Users, External EBS Server, Internal EBS Server, EBS Database, OracleAS 10g Infrastructure Database, Oracle Internet Directory Server 10g, Single Sign-On 10g, Portal 10g]

11i 12

OracleAS 10g Integration Options

1. Access Apps via Oracle Single Sign-On

2. Access Apps via Oracle Access Manager

3. Manage users with Oracle Internet Directory

4. Build enterprise mashups with Oracle Web Center

5. Design custom portals with Oracle Portal

6. Analyse data with Discoverer

7. Analyse data with Business Intelligence Applications

8. Accelerate performance with WebCache

9. Integrate applications via Oracle SOA Suite

10. Integrate with third-party signon tools

11. Integrate with third-party LDAPs

11i 12

External Fusion Middleware Certifications

Oracle Application Server 10g Module    Release 11i            Release 12
Single Sign-On                          10.1.2.3 / 10.1.4.2    10.1.2.2 / 10.1.4.2
Oracle Internet Directory               10.1.2.3 / 10.1.4.2    10.1.2.2 / 10.1.4.2
Access Manager                          10.1.4.2               10.1.4.2
Identity Manager                        9.1.0.0                9.1.0.0
Web Center                              N/A                    10.1.3.3
Portal                                  10.1.4.1               10.1.4.1
Discoverer                              10.1.2.2               10.1.2.2
Business Intelligence (EE+)             10.1.3.4               10.1.3.4
Web Cache                               10.1.2.3               10.1.2.2
Oracle Integration                      10.1.3                 10.1.3
Enterprise Manager 10g Grid Control     Release 3              Release 3

Access Apps via Oracle Single Sign-On

• E-Business Suite is a Single Sign-On partner application
• Log on to Oracle Single Sign-On to get access to all registered partner applications, including EBS
• Log off any one partner application to log off all of them

[Diagram: User, Single Sign-On 10g, E-Business Suite Application Server]

11i 12

Access Apps via Oracle Access Manager

• Chain Oracle Access Manager with Oracle Single Sign-On
• Support complex third-party single sign-on architectures

[Diagram: Oracle Access Manager, Oracle Single Sign-On, E-Business Suite]

11i 12

Manage Users in Oracle Internet Directory

• Synchronise user credentials bidirectionally between Oracle Internet Directory and E-Business Suite (FND_USER)
• Set master “source of truth” as OID, EBS, or both
• Manage user provisioning via powerful OID Directory Integration & Provisioning (DIP) templates
• Link an OID userid with one or more EBS userids “on-the-fly”

[Diagram: E-Business Suite FND_USER, Oracle Internet Directory, DIP, DBMS_LDAP]

11i 12

Provision Users with Oracle Identity Manager

• Use Oracle Identity Manager as a provisioning hub with third-party user directories and applications

• Many connectors available, including OID, E-Business Suite’s FND_USER and HRMS directories

[Diagram: E-Business Suite FND_USER, Oracle Identity Manager, OID, LDAP]

11i 12

Build Enterprise Mashups using Web Center

• Build websites, collaborative applications, and enterprise mashups in Web Center
• Add EBS portlets via WSRP 1.0 / JSR-168
• Access one or more E-Business Suite instances
• Display data in EBS portlets based on EBS responsibilities

12

[Diagram: WebCenter 10g, E-Business Suite, PeopleSoft, Dashboards, Mashups]

Using Web Center Extension in JDeveloper 12

Design Custom Portals using Oracle Portal

• Single Sign-On is a prerequisite
• Access one or more E-Business Suite instances from Oracle Portal
• Add EBS portlets to custom Portal pages via JPDK
• Display data in EBS portlets based on EBS responsibilities

[Diagram: Oracle Portal 10g, E-Business Suite, Apps Portlets]

11i 12

E-Business Suite Portlets

• Applications Navigator: Access Applications menus based on user responsibilities
• Applications Favorites: Bookmark specific Applications links for quick access
• Applications Worklist: Summary of current workflow notifications
• Oracle Balanced Scorecard: Display status of strategic and tactical business objectives
• Performance Management Viewer: Display business intelligence key performance indicators in graphical and tabular format

11i 12

11i

Applications Navigator Portlet: Flat Mode, Tree Mode

11i 12

Applications Favorites Portlet

Applications Worklist Portlet

11i 12

Apps Portlets in Third-Party Portals

WSRP 1.0 & JSR-168 compatible portlets:

• Application Navigator portlet
• Application Favorites portlet
• Application Worklist portlet

May be used in third-party portals

12

Custom Portlets for Release 12

• Create custom portlets from selected Release 12 OAF Page Regions

• WSRP 1.0 / JSR-168 compliant

• Oracle Application Framework Developer's Guide Release 12 (Metalink Note 394780.1, Chapter 4, Portlets)

12

Analyse EBS with BI Applications

• Analytic dashboards running on Oracle Business Intelligence Suite Enterprise Edition Plus
• Extracts data to external data warehouse
• Runs on separate cluster for enhanced scalability, wide deployment

[Diagram: User, OBIEE, OBIEE Data Warehouse]

11i 12

Analyse EBS with BI Applications

• Provide end-user reporting via ad hoc queries
• Drill-down into data via tabular & graphical analytical tools
• Consolidates data from Siebel CRM, PeopleSoft Enterprise

11i 12

Analyse EBS with Discoverer 10g

• Access APPS_MODE End-User Layer via Business Intelligence System Discoverer workbooks secured by Applications responsibilities
• Discoverer 10g End-User Layer resides in E-Business Suite database
• Run Discoverer on separate cluster for enhanced scalability, wide deployment

[Diagram: User, Discoverer, E-Business Suite End-User Layer]

11i 12

Why Upgrade Discoverer 4i to 10g?

It’s better
• Automatic SQL trimming, per user memory caps, faster, new features

It’s safe
• Installation upgrades a copy of 4i End-User Layer to 10g

It’s low-impact
• TIP: Run Discoverer 4i and 10g on different physical servers to avoid Visibroker conflicts
• Compare 4i and 10g workbooks side-by-side for User Acceptance Tests

It’s free
• Your existing Business Intelligence product license includes 10g

It’s necessary
• Discoverer 4i was desupported on October 31, 2006

Start your upgrade now to avoid Support issues

[Slide labels: Tasty Carrots, Big Stick]

11i

Accelerate 11i Performance with WebCache

• Cache and compress frequently used items
• Reduce network consumption and accelerate response time
• Can act as a reverse-proxy server
• Can act as a load-balancer

[Diagram: User, WebCache 10g, E-Business Suite Application Server]

11i 12

Accelerate 11i Performance with WebCache

• Secured data (i.e. requiring authorization) is not cached
• Partial page refresh supported for Portal

[Diagram: User, WebCache 10g, E-Business Suite Application Server]

11i 12

Integrate EBS with Third-Party Apps

• Build integrations via Service Oriented Architecture (SOA) technologies
• Over 250 adapters for Enterprise Application Integration J2EE and open standards-based integration, including:
  • E-Business Suite, third-party applications, database sources
  • XML, JMS, JCA
  • Web Services: SOAP, WSDL, UDDI
  • B2B Protocols: RosettaNet, HIPAA, EDI

[Diagram: E-Business Suite, Oracle Integration, Legacy Application]

11i 12

Integrate EBS with Third-Party Apps

11i 12

Use Oracle BPEL Process Manager to integrate third-party applications via custom business processes

Monitor Business Processes with Business Activity Monitor

11i 12


In-Depth Single Sign-On Integration

Authentication vs. Authorization

Authentication (Oracle Single Sign-On)
• Identifies the user
• Checks user credentials

Authorization (E-Business Suite)
• Identifies data & actions the user can access
• Checks user responsibilities

How Single Sign-On Works with EBS

• Unauthenticated users attempting E-Business Suite access are automatically redirected to Oracle Single Sign-On 10g

[Diagram: EBS Application Server … delegates user authentication to … Oracle Single Sign-On 10g]

How Single Sign-On Works with EBS: Overview

[Diagram: User, E-Business Suite Application Server, E-Business Suite Database, Single Sign-On 10g, Oracle Internet Directory 10g, OracleAS 10g OID LDAP Directory]

How Single Sign-On Works with EBS

• Step 1: Unauthenticated user attempts to access the E-Business Suite
• Step 2: E-Business Suite redirects user to Single Sign-On 10g for authentication
• Step 3: Single Sign-On challenges the user with a logon form
• Step 4: User provides her credentials via the logon form
• Step 5: Single Sign-On passes user credentials to Oracle Internet Directory for validation
• Step 6: Oracle Internet Directory authenticates the user credentials against the OracleAS 10g OID LDAP Directory (in the OracleAS 10g Metadata Repository)
• Step 7: Single Sign-On provides the authenticated user with a security token
• Step 8: User is redirected to E-Business Suite, which accepts the SSO security token as proof of an authenticated user
• Step 9: E-Business Suite’s application server checks the user’s authorization (i.e. Apps responsibilities) in FND_USER
• Step 10: E-Business Suite issues its own Apps security tokens to the user, redirecting her to the requested Apps module

Oracle Internet Directory Integration

• Oracle Internet Directory and FND_USER must be kept synchronised
• Supported synchronisation directions:
  • From OID to FND_USER (Asynchronous via the Directory Integration & Provisioning Platform)
  • From FND_USER to OID (Synchronous via dbms_ldap calls)
  • Bidirectionally
• Synchronisation events are raised via the Workflow-based Business Event System whenever users are added or modified

[Diagram: E-Business Suite FND_USER, Oracle Internet Directory, DIP, DBMS_LDAP]

Link Accounts

[Diagram: Oracle Internet Directory (Userid = “John.Smith”), “Link Account” Global Unique Identifier (GUID), E-Business Suite (FND_USER) (Userid = “jsmith”)]

One-time User Registration
• Done at setup time by system administrator
• Optional: can be done by end-user on first logon (“Link on the fly”)
• Useful when existing accounts in Oracle Internet Directory 10g or a third-party LDAP directory differ from existing E-Business Suite accounts

Link to Multiple EBS Accounts

• Note: It’s not possible to link multiple OID accounts to the same EBS account

[Diagram: Oracle Internet Directory (Userid = “John.Smith”), “Link Account”, E-Business Suite (FND_USER) (Userid = “jsmith”, Userid = “testuser1”, Userid = “testuser2”)]
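The following is an added illustration, not Oracle code or part of the original slides. It models steps 7 to 10 of the flow and the Link Account rules above. The HMAC-signed token, the GUID values, the responsibilities and all function names are assumptions made for the example; the real SSO token format is not described on this page.

```python
import hashlib
import hmac
import secrets

# Constructed sample data. SSO_KEY stands in for the trust between Single
# Sign-On and its partner application (an assumption of this model).
SSO_KEY = secrets.token_bytes(32)

# Toy FND_USER: EBS userid -> linked OID GUID and Apps responsibilities.
FND_USER = {
    "jsmith":    {"guid": "guid-0001", "resp": {"Payables Manager"}},
    "testuser1": {"guid": "guid-0001", "resp": {"System Administrator"}},
    "mjones":    {"guid": None,        "resp": {"Purchasing"}},  # not linked
}

def _mac(guid):
    return hmac.new(SSO_KEY, guid.encode(), hashlib.sha256).hexdigest()

def sso_issue_token(guid):
    """Step 7: SSO gives the authenticated user a token (GUID plus MAC here)."""
    return f"{guid}.{_mac(guid)}"

def ebs_verify_token(token):
    """Step 8: EBS accepts the token only if its MAC verifies."""
    guid, _, mac = token.rpartition(".")
    if guid and hmac.compare_digest(mac.encode(), _mac(guid).encode()):
        return guid
    return None

def link_account(ebs_userid, guid):
    """One GUID may link several EBS accounts, but an EBS account that is
    already linked to a different GUID cannot be linked again."""
    row = FND_USER[ebs_userid]
    if row["guid"] not in (None, guid):
        raise ValueError(f"{ebs_userid} is already linked to another OID account")
    row["guid"] = guid

def ebs_login(token, ebs_userid, responsibility):
    """Steps 8-10: authentication comes from the SSO token, authorization
    from FND_USER; only then is an Apps session issued."""
    guid = ebs_verify_token(token)
    if guid is None:
        return "rejected: invalid SSO token"
    row = FND_USER.get(ebs_userid)
    if row is None or row["guid"] != guid:
        return "rejected: account not linked to this SSO identity"
    if responsibility not in row["resp"]:
        return "rejected: responsibility not granted"
    return f"apps-session:{ebs_userid}:{responsibility}"

if __name__ == "__main__":
    tok = sso_issue_token("guid-0001")
    print(ebs_login(tok, "jsmith", "Payables Manager"))
    print(ebs_login(tok, "mjones", "Purchasing"))
```

A valid SSO token alone never yields an Apps session in this model: the account link and the responsibility check in FND_USER both have to pass, which is the authentication/authorization split the slides describe.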


Integrating the E-Business Suite with Third-Party Access Management & LDAP Directories

Third-Party Single Sign-On Integration

[Diagram: EBS Application Server … delegates user authentication to … Oracle Single Sign-On 10g … delegates user authentication to … Third-Party SSO]

Supported Third-Party SSO Integrations

Integrate Oracle Single Sign-On with
• Windows Native Authentication via Kerberos
• CA Entrust, CA Netegrity, IBM Tivoli, RSA
• PKI X.509v3 Digital Certificates
• Biometric and smartcard systems
• Other SSO systems via custom adapters
• Oracle Identity Federation
  • Formerly Oblix COREid Federation
  • SAML, WS-Federation, Liberty Alliance
• Oracle Access Manager
  • Formerly Oblix COREid Access & Identity

If you already have a third-party LDAP…

[Diagram: Third-Party LDAP … synchronizes user attributes with … Oracle Internet Directory 10g … synchronizes user attributes with … E-Business Suite DB (FND_USER)]

Available Oracle Internet Directory Connectors

• Microsoft Active Directory 2000/2003
• Microsoft Exchange 2000/2003
• Sun Java System Directory (Sun ONE / iPlanet) 5.2
• Novell eDirectory 8.6 / 8.7
• OpenLDAP 2.2
• Any LDAP directory via LDIF files
• Any other directory via custom DIP agent
• Oracle Identity Manager
  • Formerly Thor Xellerate Identity Provisioning
  • Also integrates directly with E-Business Suite FND_USER & HRMS
• Oracle Virtual Directory
  • Formerly OctetString Virtual Directory Engine

Passwords Stored in Third-Party LDAP

[Diagram: E-Business Database (FND_USER), Oracle Internet Directory, and Third-Party LDAP (optional), each shown with User and Password fields; two of the Password fields are crossed out]

• Third-party LDAP:
  • Handles user authentication, usually with a third-party authentication solution
  • Commonly considered “Master” source-of-truth
• Oracle Internet Directory and E-Business Suite take minimal copies of master user definition -- excluding passwords
• E-Business Suite doesn’t maintain user passwords in this configuration


How Third-Party Identity Management works with the E-Business Suite

Third-Party Integration Architecture

[Diagram: End User, Third-Party SSO, Third-Party LDAP, Single Sign-On 10g, Oracle Internet Directory 10g, EBS Application Server, EBS Database (FND_USER)]

User Logs onto Third-Party System

• Step 1. User provides userid & password to third-party single sign-on system

Third-Party Authenticates User

• Step 2. Third-party single sign-on sends user’s credentials to third-party LDAP for authentication

Third-Party Grants User Access

• Step 3. Third-party single sign-on provides authenticated user with third-party security token

Logged-On User Attempts EBS Access

• Step 4. User attempts to access E-Business Suite, and is redirected to Oracle Single Sign-On 10g

Oracle SSO Grants User Access

• Step 5. Oracle Single Sign-On recognizes the third-party security token, then issues its own

EBS Grants User Access

• Step 6. User is redirected back to E-Business Suite, which recognizes the SSO security token and issues its own


Customer Case Studies

Deployed Widely in Production

• Amdocs (Israel)
• Alcoa (Europe)
• Applied Materials (Israel)
• Atento (Norway)
• Berwind Pharmaceuticals (USA)
• Bunnings (Australia)
• CapGemini / Councils Online (Australia)
• Central Bank of Nigeria
• Cisco Systems
• Cox Communications (USA)
• Fiera Milano (Italy)
• General Dynamics Land Sys
• General Electric (USA)
• Google (USA)
• Guandong Unicom (China)
• Inter-Arab Investment Guarantee (Kuwait)
• International Enterprises (Singapore)
• International Institute for Applied Systems Analysis (Austria)
• Ireland Dept of Defence
• Kansas State University
• Libgo Travel (USA)
• Mitac (Taiwan)
• Phoenix Technologies (USA)
• Putrajaya (Malaysia)
• Telecom Italia Mobile (Italy)
• Texas Instruments (USA)
• Universal Weather & Aviation (USA)
• Wind River Systems (USA)
• World Wide Technology

These are not customer references

Integration with Microsoft Active Directory Only

[Diagram: End User, Microsoft Active Directory, Single Sign-On 10g, Oracle Internet Directory 10g, EBS Application Server, EBS Database (FND_USER)]

Integration with Microsoft Active Directory & Kerberos

[Diagram: End User, Microsoft Windows Native Authentication via Kerberos, Microsoft Active Directory, Single Sign-On 10g, Oracle Internet Directory 10g, EBS Application Server, EBS Database (FND_USER)]

Internal / External Configuration

[Diagram: Internet, Reverse Proxy, Firewalls, External Users, Internal Users, External 9iAS 1.0.2 Server, Internal 9iAS 1.0.2 Server, Shared 11i Filesystem, Release 11i Database, RAC 1, RAC 2, OracleAS 10g Infrastructure Database, Oracle Internet Directory Server 10g, Single Sign-On 10g]

Highly Available

[Diagram: Internet, Reverse Proxy, Firewalls, External Users, Internal Users, HTTP LBR1, HTTP LBR2, Web Node 1, Web Node 2, Web Node 3, Web Node 4, LBR1, SSO Node 1, SSO Node 2, OID 1, OID 2, OracleAS 10g Infrastructure DB]


E-Business Suite Certification Roadmap for Fusion Middleware

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Multiple Combined Architectures

Not Certified... Yet

• Very complex environment → “Source of Truth” issues
• No documentation... yet (we’re working on this)

[Diagram: Third-Party LDAP, Third-Party SSO, OID, Oracle Access Manager, Oracle Identity Manager, Oracle Single Sign-On, E-Business Suite App Server, EBS FND_USER]

Upcoming Application Tier Certifications

Release 11i
• Developer 6i Patchset 20
• Portal 10.1.4.2

Release 12
• Web Center 10.1.3.4
• Portal 10.1.4.2

The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

OracleAS + E-Business Suite Resources

• Application Server + 11i FAQ: Note 186981.1
• 11i Documentation Roadmap: Note 207159.1
• Application Server + R12 FAQ: Note 415007.1
• R12 Documentation Roadmap: Note 380482.1

Oracle E-Business Suite Technology Stack Blog

http://blogs.oracle.com/schan

• Latest Apps techstack news
• Primers & FAQs
• Certification & desupport announcements
• Advanced architectures
• Early Adopter Programs
• Statements of Direction
• Discussions with Oracle Development
• Subscribe via email & RSS