Using Oracle Application Server with Oracle E-Business Suite
Steven Chan, Sr. Director, Applications Technology Integration
Topics
• Supported Optional OracleAS 10g Integrations
• In-Depth: Enabling Single Sign-On
• In-Depth: Third-Party Access Managers and LDAP Directories
• Customer Case Studies
• Certification Roadmap
• References
Last updated: Sep 20, 2008
Middleware Desupport Notices
Or, “Why You Should Plan for OracleAS 10g Now”
• Discoverer 4i October 2006
• Login Server 3.0.9
• Portal 3.0.9 July 2007
• Oracle Internet Directory 3.0.1
• Oracle Application Server 10.1.2.0.2 December 2008
Other Important Desupport Notices
• J2SE 1.3 (Windows, Linux, Solaris) December 2006
• J2SE 1.3 (HP-UX) January 2007
• J2SE 1.3 (IBM AIX) September 2007
• E-Business Suite 11.5.7 May 2007
• E-Business Suite 11.5.8 November 2007
• E-Business Suite 11.5.9 June 2008
• JInitiator 1.1.8 December 2008
• JInitiator 1.3 July 2009
Simple Architecture
[Diagram: External Users (via VPN), Internal Users, Intranet Firewall, Firewall, E-Business Suite Application Server, E-Business Suite Database, and Oracle Application Server 10g (Portal, Single Sign-On, Oracle Internet Directory, Discoverer, Other Fusion Middleware Components)]
11i 12
E-Business Suite Integration with OracleAS 10g
Release 11i
• Runs Oracle9i Application Server 1.0.2.2.2 on mid-tier
• Runs Release 11i application-tier services such as Forms, Jserv
• Integrated with an external stand-alone Oracle Application Server 10g instance for optional services (e.g. Single Sign-On)
Release 12
• Runs Oracle Application Server 10g on mid-tier
• Runs Release 12 application-tier services such as Forms, OC4J
• Integrated with an external stand-alone Oracle Application Server 10g instance for optional services (e.g. Single Sign-On)
Distributed Architecture
[Diagram: Internet, Reverse Proxy, three Firewalls, External Users, Internal Users, External EBS Server, Internal EBS Server, EBS Database, OracleAS 10g Infrastructure Database, Oracle Internet Directory Server 10g, Single Sign-On 10g, Portal 10g]
11i 12
OracleAS 10g Integration Options
1. Access Apps via Oracle Single Sign-On
2. Access Apps via Oracle Access Manager
3. Manage users with Oracle Internet Directory
4. Build enterprise mashups with Oracle Web Center
5. Design custom portals with Oracle Portal
6. Analyse data with Discoverer
7. Analyse data with Business Intelligence Applications
8. Accelerate performance with WebCache
9. Integrate applications via Oracle SOA Suite
10. Integrate with third-party signon tools
11. Integrate with third-party LDAPs
11i 12
External Fusion Middleware Certifications
Oracle Application Server 10g Module    Release 11i            Release 12
Single Sign-On                          10.1.2.3 / 10.1.4.2    10.1.2.2 / 10.1.4.2
Oracle Internet Directory               10.1.2.3 / 10.1.4.2    10.1.2.2 / 10.1.4.2
Access Manager                          10.1.4.2               10.1.4.2
Identity Manager                        9.1.0.0                9.1.0.0
Portal                                  10.1.4.1               10.1.4.1
Discoverer                              10.1.2.2               10.1.2.2
Business Intelligence (EE+)             10.1.3.4               10.1.3.4
Web Cache                               10.1.2.3               10.1.2.2
Web Center                              N/A                    10.1.3.3
Oracle Integration                      10.1.3                 10.1.3
Enterprise Manager 10g Grid Control     Release 3              Release 3
Access Apps via Oracle Single Sign-On
• E-Business Suite is a Single Sign-On partner application
• Log on to Oracle Single Sign-On to get access to all registered partner applications, including EBS
• Log off any one partner application to log off all of them
[Diagram: User, Single Sign-On 10g, E-Business Suite Application Server]
11i 12
Access Apps via Oracle Access Manager
• Chain Oracle Access Manager with Oracle Single Sign-On
• Support complex third-party single sign-on architectures
[Diagram: Oracle Access Manager, Oracle Single Sign-On, E-Business Suite]
11i 12
Manage Users in Oracle Internet Directory
• Synchronise user credentials bidirectionally between Oracle Internet Directory and E-Business Suite (FND_USER)
• Set master “source of truth” as OID, EBS, or both
• Manage user provisioning via powerful OID Directory Integration & Provisioning (DIP) templates
• Link an OID userid with one or more EBS userids “on-the-fly”
[Diagram: E-Business Suite FND_USER, Oracle Internet Directory, DIP, DBMS_LDAP]
11i 12
Provision Users with Oracle Identity Manager
• Use Oracle Identity Manager as a provisioning hub with third-party user directories and applications
• Many connectors available, including OID, E-Business Suite’s FND_USER and HRMS directories
[Diagram: E-Business Suite FND_USER, Oracle Identity Manager, OID; connections labelled LDAP]
11i 12
Build Enterprise Mashups using Web Center
• Build websites, collaborative applications, and enterprise mashups in Web Center
• Add EBS portlets via WSRP 1.0 / JSR-168
• Access one or more E-Business Suite instances
• Display data in EBS portlets based on EBS responsibilities
[Diagram: WebCenter 10g, E-Business Suite, PeopleSoft, Dashboards, Mashups]
12
Design Custom Portals using Oracle Portal
• Single Sign-On is a prerequisite
• Access one or more E-Business Suite instances from Oracle Portal
• Add EBS portlets to custom Portal pages via JPDK
• Display data in EBS portlets based on EBS responsibilities
[Diagram: Oracle Portal 10g, Apps Portlets, E-Business Suite]
11i 12
E-Business Suite Portlets
• Applications Navigator: Access Applications menus based on user responsibilities
• Applications Favorites: Bookmark specific Applications links for quick access
• Applications Worklist: Summary of current workflow notifications
• Oracle Balanced Scorecard: Display status of strategic and tactical business objectives
• Performance Management Viewer: Display business intelligence key performance indicators in graphical and tabular format
11i 12
11i
Apps Portlets in Third-Party Portals
WSRP 1.0 & JSR-168 compatible portlets:
• Application Navigator portlet
• Application Favorites portlet
• Application Worklist portlet
May be used in third-party portals
12
Custom Portlets for Release 12
• Create custom portlets from selected Release 12 OAF Page Regions
• WSRP 1.0 / JSR-168 compliant
• Oracle Application Framework Developer's Guide Release 12 (Metalink Note 394780.1, Chapter 4, Portlets)
12
Analyse EBS with BI Applications
• Analytic dashboards running on Oracle Business Intelligence Suite Enterprise Edition Plus
• Extracts data to external data warehouse
• Runs on separate cluster for enhanced scalability, wide deployment
[Diagram: User, OBIEE, OBIEE Data Warehouse]
11i 12
Analyse EBS with BI Applications
• Provide end-user reporting via ad hoc queries
• Drill-down into data via tabular & graphical analytical tools
• Consolidates data Siebel CRM, PeopleSoft Enterprise
11i 12
Analyse EBS with Discoverer 10g
• Access APPS_MODE End-User Layer via Business Intelligence System Discoverer workbooks secured by Applications responsibilities
• Discoverer 10g End-User Layer resides in E-Business Suite database
• Run Discoverer on separate cluster for enhanced scalability, wide deployment
[Diagram: User, Discoverer, E-Business Suite End-User Layer]
11i 12
Why Upgrade Discoverer 4i to 10g?
It’s better
• Automatic SQL trimming, per user memory caps, faster, new features
It’s safe
• Installation upgrades a copy of 4i End-User Layer to 10g
It’s low-impact
• TIP: Run Discoverer 4i and 10g on different physical servers to avoid Visibroker conflicts
• Compare 4i and 10g workbooks side-by-side for User Acceptance Tests
It’s free
• Your existing Business Intelligence product license includes 10g
It’s necessary
• Discoverer 4i was desupported on October 31, 2006
Start your upgrade now to avoid Support issues
Tasty Carrots Big Stick
11i
Accelerate 11i Performance with WebCache
• Cache and compress frequently used items
• Reduce network consumption and accelerate response time
• Can act as a reverse-proxy server
• Can act as a load-balancer
[Diagram: User, WebCache 10g, E-Business Suite Application Server]
11i 12
Accelerate 11i Performance with WebCache
• Secured data (i.e. requiring authorization) is not cached
• Partial page refresh supported for Portal
[Diagram: User, WebCache 10g, E-Business Suite Application Server]
11i 12
Integrate EBS with Third-Party Apps
• Build integrations via Service Oriented Architecture (SOA) technologies
• Over 250 adapters for Enterprise Application Integration J2EE and open standards-based integration, including:
  • E-Business Suite, third-party applications, database sources
  • XML, JMS, JCA
  • Web Services: SOAP, WSDL, UDDI
  • B2B Protocols: RosettaNet, HIPAA, EDI
[Diagram: E-Business Suite, Oracle Integration, Legacy Application]
11i 12
Integrate EBS with Third-Party Apps
Use Oracle BPEL Process Manager to integrate third-party applications via custom business processes
11i 12
Authentication vs. Authorization
Authentication (Oracle Single Sign-On)
• Identifies the user
• Checks user credentials
Authorization (E-Business Suite)
• Identifies data & actions the user can access
• Checks user responsibilities
How Single Sign-On Works with EBS
• Unauthenticated users attempting E-Business Suite access are automatically redirected to Oracle Single Sign-On 10g
[Diagram: EBS Application Server … delegates user authentication to … Oracle Single Sign-On 10g]
How Single Sign-On Works with EBS: Overview
[Diagram: User, E-Business Suite Application Server, E-Business Suite Database, Single Sign-On 10g, Oracle Internet Directory 10g, OracleAS 10g OID LDAP Directory]
• Step 1: Unauthenticated user attempts to access the E-Business Suite
• Step 2: E-Business Suite redirects user to Single Sign-On 10g for authentication
• Step 3: Single Sign-On challenges the user with a logon form
• Step 4: User provides her credentials via the logon form
• Step 5: Single Sign-On passes user credentials to Oracle Internet Directory for validation
• Step 6: Oracle Internet Directory authenticates the user credentials against the OracleAS 10g OID LDAP Directory (in the OracleAS 10g Metadata Repository)
• Step 7: Single Sign-On provides the authenticated user with a security token
• Step 8: User is redirected to E-Business Suite, which accepts the SSO security token as proof of an authenticated user
• Step 9: E-Business Suite’s application server checks the user’s authorization (i.e. Apps responsibilities) in FND_USER
• Step 10: E-Business Suite issues its own Apps security tokens to the user, redirecting her to the requested Apps module
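A minimal model of the ten steps above, added here as an illustration and not Oracle's code. The HMAC-signed token, the shared partner key, the in-memory directory and FND_USER tables, and every name and account are assumptions standing in for the SSO security token and the real components.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample data; every name and value here is hypothetical.
PARTNER_KEY = secrets.token_bytes(32)  # assumed: shared by SSO and EBS at registration
SALT = b"constructed-salt"


def _pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


OID_DIRECTORY = {"jsmith": _pw_hash("s3cret-pw"), "contractor": _pw_hash("pw-2")}
FND_USER = {"JSMITH": ["General Ledger User", "Payables Inquiry"]}  # responsibilities
REDIRECT = {"status": "redirect", "to": "sso-logon"}


def _sign(payload):
    return hmac.new(PARTNER_KEY, payload, hashlib.sha256).hexdigest()


def sso_logon(userid, password, ttl=300):
    """Steps 3-7: check credentials against the directory, then issue a token."""
    stored = OID_DIRECTORY.get(userid)
    if stored is None or not hmac.compare_digest(stored, _pw_hash(password)):
        return None
    payload = json.dumps({"sub": userid, "exp": int(time.time()) + ttl}).encode()
    return payload.hex() + "." + _sign(payload)


def ebs_access(token, now=None):
    """Steps 1-2 and 8-10: redirect if unauthenticated, otherwise authorize."""
    if token is None:
        return REDIRECT                      # step 2: no token, go to SSO
    try:
        body_hex, sig = token.split(".")
        payload = bytes.fromhex(body_hex)
    except ValueError:
        return REDIRECT                      # malformed token
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return REDIRECT                      # forged or altered token
    claims = json.loads(payload)
    if claims["exp"] < (time.time() if now is None else now):
        return REDIRECT                      # expired token
    responsibilities = FND_USER.get(claims["sub"].upper())  # step 9
    if not responsibilities:
        return {"status": "denied"}          # authenticated, but not authorized
    return {"status": "ok", "apps_session": secrets.token_hex(16),  # step 10
            "responsibilities": responsibilities}
```

The "contractor" account shows the split between authentication and authorization: it passes the SSO logon but has no FND_USER row, so the EBS side denies access.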
Oracle Internet Directory Integration
• Oracle Internet Directory and FND_USER must be kept synchronised
• Supported synchronisation directions:
  • From OID to FND_USER (Asynchronous via the Directory Integration & Provisioning Platform)
  • From FND_USER to OID (Synchronous via dbms_ldap calls)
  • Bidirectionally
• Synchronisation events are raised via the Workflow-based Business Event System whenever users are added or modified
[Diagram: E-Business Suite FND_USER, Oracle Internet Directory, DIP, DBMS_LDAP]
Link Accounts
[Diagram: Oracle Internet Directory (Userid = “John.Smith”), “Link Account” Global Unique Identifier (GUID), E-Business Suite FND_USER (Userid = “jsmith”)]
One-time User Registration
• Done at setup time by system administrator
• Optional: can be done by end-user on first logon (“Link on the fly”)
• Useful when existing accounts in Oracle Internet Directory 10g or a third-party LDAP directory differ from existing E-Business Suite accounts
Link to Multiple EBS Accounts
• Note: It’s not possible to link multiple OID accounts to the same EBS account
[Diagram: Oracle Internet Directory (Userid = “John.Smith”), “Link Account”, E-Business Suite FND_USER (Userid = “jsmith”, Userid = “testuser1”, Userid = “testuser2”)]
Integrating the E-Business Suite with Third-Party Access Management & LDAP Directories
Third-Party Single Sign-On Integration
[Diagram: EBS Application Server … delegates user authentication to … Oracle Single Sign-On 10g … delegates user authentication to … Third-Party SSO]
Supported Third-Party SSO Integrations
Integrate Oracle Single Sign-On with
• Windows Native Authentication via Kerberos
• CA Entrust, CA Netegrity, IBM Tivoli, RSA
• PKI X.509v3 Digital Certificates
• Biometric and smartcard systems
• Other SSO systems via custom adapters
• Oracle Identity Federation
  • Formerly Oblix COREid Federation
  • SAML, WS-Federation, Liberty Alliance
• Oracle Access Manager
  • Formerly Oblix COREid Access & Identity
If you already have a third-party LDAP…
[Diagram: Third-Party LDAP … synchronizes user attributes with … Oracle Internet Directory 10g … synchronizes user attributes with … E-Business Suite DB (FND_USER)]
Available Oracle Internet Directory Connectors
• Microsoft Active Directory 2000/2003
• Microsoft Exchange 2000/2003
• Sun Java System Directory (Sun ONE / iPlanet) 5.2
• Novell eDirectory 8.6 / 8.7
• OpenLDAP 2.2
• Any LDAP directory via LDIF files
• Any other directory via custom DIP agent
• Oracle Identity Manager
  • Formerly Thor Xellerate Identity Provisioning
  • Also integrates directly with E-Business Suite FND_USER & HRMS
• Oracle Virtual Directory
  • Formerly OctetString Virtual Directory Engine
Passwords Stored in Third-Party LDAP
[Diagram: E-Business Database (FND_USER), Oracle Internet Directory, and Third-Party LDAP (optional), each shown with User and Password fields; two of the three Password fields are crossed out]
• Third-party LDAP:
  • Handles user authentication, usually with a third-party authentication solution
  • Commonly considered “Master” source-of-truth
• Oracle Internet Directory and E-Business Suite take minimal copies of master user definition -- excluding passwords
• E-Business Suite doesn’t maintain user passwords in this configuration
Third-Party Integration Architecture
[Diagram: End User, Third-Party SSO, Third-Party LDAP, Single Sign-On 10g, Oracle Internet Directory 10g, EBS Application Server, EBS Database (FND_USER)]
User Logs onto Third-Party System
• Step 1. User provides userid & password to third-party single sign-on system
Third-Party Authenticates User
• Step 2. Third-party single sign-on sends user’s credentials to third-party LDAP for authentication
Third-Party Grants User Access
• Step 3. Third-party single sign-on provides authenticated user with third-party security token
Logged-On User Attempts EBS Access
• Step 4. User attempts to access E-Business Suite, and is redirected to Oracle Single Sign-On 10g
Oracle SSO Grants User Access
• Step 5. Oracle Single Sign-On recognizes the third-party security token, then issues its own
EBS Grants User Access
• Step 6. User is redirected back to E-Business Suite, which recognizes the SSO security token and issues its own
Deployed Widely in Production
• Amdocs (Israel)
• Alcoa (Europe)
• Applied Materials (Israel)
• Atento (Norway)
• Berwind Pharmaceuticals (USA)
• Bunnings (Australia)
• CapGemini / Councils Online (Australia)
• Central Bank of Nigeria
• Cisco Systems
• Cox Communications (USA)
• Fiera Milano (Italy)
• General Dynamics Land Sys
• General Electric (USA)
• Google (USA)
• Guandong Unicom (China)
• Inter-Arab Investment Guarantee (Kuwait)
• International Enterprises (Singapore)
• International Institute for Applied Systems Analysis (Austria)
• Ireland Dept of Defence
• Kansas State University
• Libgo Travel (USA)
• Mitac (Taiwan)
• Phoenix Technologies (USA)
• Putrajaya (Malaysia)
• Telecom Italia Mobile (Italy)
• Texas Instruments (USA)
• Universal Weather & Aviation (USA)
• Wind River Systems (USA)
• World Wide Technology
These are not customer references
Integration with Microsoft Active Directory Only
[Diagram: End User, Single Sign-On 10g, Oracle Internet Directory 10g, Microsoft Active Directory, EBS Application Server, EBS Database (FND_USER)]
Integration with Microsoft Active Directory & Kerberos
[Diagram: End User, Microsoft Windows Native Authentication via Kerberos, Microsoft Active Directory, Single Sign-On 10g, Oracle Internet Directory 10g, EBS Application Server, EBS Database (FND_USER)]
Internal / External Configuration
[Diagram: Internet, Reverse Proxy, three Firewalls, External Users, Internal Users, External 9iAS 1.0.2 Server, Internal 9iAS 1.0.2 Server, Shared 11i Filesystem, Release 11i Database, RAC 1, RAC 2, Single Sign-On 10g, Oracle Internet Directory Server 10g, OracleAS 10g Infrastructure Database]
Highly Available
[Diagram: Internet, Reverse Proxy, three Firewalls, External Users, Internal Users, HTTP LBR1, HTTP LBR2, Web Node 1, Web Node 2, Web Node 3, Web Node 4, LBR1, SSO Node 1, SSO Node 2, OID 1, OID 2, OracleAS 10g Infrastructure DB]
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Not Certified... Yet
• Very complex environment → “Source of Truth” issues
• No documentation... yet (we’re working on this)
[Diagram: Multiple Combined Architectures: Third-Party LDAP, Third-Party SSO, OID, Oracle Access Manager, Oracle Single Sign-On, Oracle Identity Manager, E-Business Suite App Server, EBS FND_USER]
Upcoming Application Tier Certifications
Release 11i
• Developer6i Patchset 20
• Portal 10.1.4.2
Release 12
• Web Center 10.1.3.4
• Portal 10.1.4.2
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
OracleAS + E-Business Suite Resources
• Application Server + 11i FAQ Note 186981.1
• 11i Documentation Roadmap Note 207159.1
• Application Server + R12 FAQ Note 415007.1
• R12 Documentation Roadmap Note 380482.1
Oracle E-Business Suite Technology Stack Blog
http://blogs.oracle.com/schan
• Latest Apps techstack news
• Primers & FAQs
• Certification & desupport announcements
• Advanced architectures
• Early Adopter Programs
• Statements of Direction
• Discussions with Oracle Development
• Subscribe via email & RSS