Integrating Oracle E-Business Suite Release 12.2 with Oracle Access Manager 11gR2 (11.1.2) using Oracle E-Business Suite AccessGate (Doc ID 1576425.1)
https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=264205653993036&parent=DOCUMENT&sourceId=1614793.1&id=1576425.1&_afrWind… 1/25
2/9/2016 Document 1576425.1
The most current version of this document can be obtained from My Oracle Support Knowledge Document 1576425.1.
There is a change log at the end of this document.
Document Details
Type: BULLETIN
Status: PUBLISHED
Last Major Update: Jan 28, 2016
Last Update: Jan 28, 2016
Related Products: Oracle Application Object Library; Oracle Applications Technology Stack
In this Document
Section 1: Introduction
Section 2: Supported Architecture and Release Versions
Section 3: Prerequisite Installations and Configurations
Section 4: Integrate Oracle E-Business Suite with Oracle Access Manager
Section 5: Oracle Access Manager Configurations
Section 6: Advanced Configurations
Section 7: Optional Post Installation Steps
Section 8: Upgrade and Migration
Section 9: Available Documentation
Appendix A: Deregister Oracle E-Business Suite from Oracle Access Manager
Appendix B: Known Issues
Appendix C: Product-Specific Single Sign-On Exceptions
Change Log
Section 1: Introduction
Oracle Access Manager 11g Release 2 (11.1.2) provides a comprehensive identity management and access control
system that simplifies user access across applications.
For more information about Oracle Access Manager (OAM), refer to the Access Manager home page on the Oracle
Corporation Web site at:
http://www.oracle.com/us/products/middleware/identity-management/oracle-access-manager/overview/index.html
This document describes how to integrate Oracle E-Business Suite Release 12.2 with Oracle Access Manager 11g
Release 2 (11.1.2) using Oracle E-Business Suite AccessGate.
If you have multiple instances of Oracle E-Business Suite that you wish to integrate with Oracle Access Manager for
single sign on, perform the steps in this document on each Oracle E-Business Suite instance.
For more information about single sign-on concepts, architecture, and options for integrating Oracle E-Business
Suite with Oracle Identity Management products, refer to My Oracle Support Knowledge Document 1388152.1
Overview of Single Sign-On Integration Options for Oracle E-Business Suite.
The procedures in this document have significant effects on Oracle E-Business Suite Release 12.2 environments
and should be executed only by skilled Oracle E-Business Suite database or system administrators. Users are
strongly advised to first review the prerequisites and plan the installation and configuration on the various
supported platforms.
For information about which platforms are supported by Oracle Access Manager, refer to the Oracle Identity and
Access Management 11g Release 2 (11.1.2.3) Certification Matrix.
Note that Oracle Identity and Access Management 11g Release 2 (11.1.2) is supported on 64 bit processors only.
Section 2: Supported Architecture and Release Versions
The following software components must be installed on a standalone server accessing an Oracle E-Business Suite,
or in separate Fusion Middleware Homes on an existing application tier server node.
Component Name                   Version
Oracle Access Manager            11.1.2.2.0, 11.1.2.3.0
Oracle Access Manager WebGate    See Footnote 1 for restrictions.
Oracle Identity Management       11.1.1.7.0, 11.1.1.9.0
Oracle Unified Directory         11.1.2.3
Footnote 1: As per Section 9 of the Oracle Fusion Middleware Release Notes for HTTP Server, Oracle WebGate
version 11.1.2.3 for Oracle HTTP Server supports only Oracle HTTP Server version 11.1.1.9.
If you have integrated Oracle E-Business Suite 12.2 with Oracle Unified Directory 11.1.2.3 as detailed in My Oracle
Support Knowledge Document 2003483.1, then Oracle HTTP Server 11.1.1.9 is already configured on the Oracle
E-Business Suite environment. You MUST therefore install and integrate with Oracle Access Manager 11.1.2.3 using
Oracle Access Manager WebGate 11.1.2.3.
The following components must be used on the Oracle E-Business Suite Release 12 instance:
Component Name                        Version
Oracle E-Business Suite Release 12    12.2.2+
Section 3: Prerequisite Installations and Configurations
This section describes the following prerequisite installations and configurations:
Integrate Oracle Internet Directory or Oracle Unified Directory with Oracle E-Business Suite
Configure Oracle Internet Directory to return operational attributes
Install Oracle Access Manager
Apply Required Updates to Oracle Access Manager Server
Install Prerequisite Software Updates and Components on your Oracle E-Business Suite Release 12.2
Instance
3.1 Integrate Oracle Internet Directory or Oracle Unified Directory with Oracle E-Business Suite
It is a requirement to use either Oracle Internet Directory or Oracle Unified Directory for any LDAP or single
sign-on integration with Oracle E-Business Suite.
Oracle Internet Directory:
Use the instructions in the following My Oracle Support Knowledge Document to integrate Oracle Internet Directory
with Oracle E-Business Suite.
Document 1371932.1 Integrating Oracle E-Business Suite Release 12.2 with Oracle Internet Directory
11gR1. If you are integrating with OID 11g for the first time, refer to this document for more information
about specific requirements and additional patches that are required for integration with Oracle E-Business
Suite.
For further information regarding provisioning between Oracle E-Business Suite and Oracle Internet Directory, refer
to Oracle E-Business Suite Security Guide Release 12.2.
Oracle Unified Directory:
Use the instructions in the following My Oracle Support Knowledge Document to integrate Oracle Unified Directory
with Oracle E-Business Suite.
Document 2003483.1 Integrating Oracle E-Business Suite Release 12.2 with Oracle Unified Directory 11g
Release 2. If you are integrating with OUD 11g for the first time, refer to this document for more
information about specific requirements and additional patches that are required for integration with Oracle
E-Business Suite.
3.2 Configure Oracle Internet Directory to return operational attributes
This step is only required for customers using Oracle Internet Directory. If your configuration is using Oracle
Unified Directory, skip this step and proceed to step 3.3 Install and Configure Oracle Access Manager.
Configure Oracle Internet Directory to return operational attributes for lookup requests. This modification adds the
orclguid attribute to records returned by Oracle Internet Directory when queried by Oracle Access Manager,
allowing these records to be mapped to others that are uniquely identified by orclguid. To make this modification
create an ldif file as detailed below and execute this command from the Oracle Home where Oracle Internet
Directory is installed:
Create an ldif file (for example 'change_attrs.ldif') containing the following:
dn: cn=dsaconfig, cn=configsets,cn=oracle internet directory
changetype: modify
add: orclallattrstodn
orclallattrstodn: [DN]
where [DN] is the DN (Distinguished Name) of the account that Oracle Access Manager uses to communicate with
Oracle Internet Directory; for example, cn=orcladmin. If you are not sure what this value is for your site, you can
find it by logging on to Oracle Directory Services Manager (ODSM), and looking under the Root element in the Data
Tree on the Data Browser tab.
For example:
dn: cn=dsaconfig, cn=configsets,cn=oracle internet directory
changetype: modify
add: orclallattrstodn
orclallattrstodn:cn=orcladmin
Run the following to execute the command from the newly created ldif file:
$ORACLE_HOME/bin/ldapmodify -h [ldaphost] -p [ldapport] -D [DN] -w [orcladmin passwd] -v -f [ldif_filename]
For example:
$ORACLE_HOME/bin/ldapmodify -h ldaphost.example.com -p 3060 -D cn=orcladmin -w welcome972 -v -f change_attrs.ldif
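Added example (not part of the Oracle document and not Oracle-supplied code): one way to confirm that the change took effect is to run a search as the DN listed in orclallattrstodn, save the LDIF output, and check that every returned entry now carries orclguid. The function names missing_orclguid and orclguid_ok and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Oracle-supplied code. Function names and sample entries
# are constructed for illustration.
#
# missing_orclguid reads LDIF on stdin (for instance the saved output of a
# search run as the DN listed in orclallattrstodn) and prints the DN of every
# entry that does NOT include an orclguid attribute. No output means every
# entry can be mapped by orclguid. Base64 DNs (dn::) are printed still encoded.
missing_orclguid() {
    awk '
        function end_entry() {
            if (dn != "" && !has_guid) print dn
            dn = ""; has_guid = 0
        }
        function handle(line,    name) {
            if (line == "") { end_entry(); return }     # blank line ends an entry
            if (line ~ /^#/) return                     # LDIF comment
            name = tolower(line)                        # attribute names are case-insensitive
            sub(/:.*/, "", name); sub(/;.*/, "", name)  # drop value and attribute options
            if (name == "dn") { dn = line; sub(/^[^:]*::? */, "", dn) }
            else if (name == "orclguid") has_guid = 1
        }
        { sub(/\r$/, "") }                              # tolerate CRLF output
        /^ / { buf = buf substr($0, 2); next }          # folded line: join to previous
        { if (seen) handle(buf); buf = $0; seen = 1 }
        END { if (seen) handle(buf); end_entry() }
    '
}

# orclguid_ok returns 0 only when no entry on stdin lacks orclguid.
orclguid_ok() { [ -z "$(missing_orclguid)" ]; }

# Constructed sample: search output before orclallattrstodn is set.
sample_before() { cat <<'EOF'
dn: cn=jsmith,cn=Users,dc=example,dc=com
cn: jsmith
uid: jsmith

dn: cn=akhan,cn=Users,dc=example,dc=com
cn: akhan
uid: akhan
EOF
}

# Constructed sample: the same search after the change. The second DN is
# folded across two lines and the attribute name uses mixed case.
sample_after() { cat <<'EOF'
dn: cn=jsmith,cn=Users,dc=example,dc=com
cn: jsmith
orclguid: 0123456789ABCDEF0123456789ABCDEF

dn: cn=akhan,cn=Users,
 dc=example,dc=com
cn: akhan
OrclGUID: FEDCBA9876543210FEDCBA9876543210
EOF
}

echo "Entries without orclguid before the change:"
sample_before | missing_orclguid
if sample_after | orclguid_ok; then
    echo "After the change: every entry returns orclguid"
fi
```

Feed the function the output of a search bound as the same account that Oracle Access Manager uses, since orclallattrstodn applies per DN.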
3.3 Install & Configure Oracle Access Manager
RHEL 6 Customers only: (for Oracle Access Manager 11.1.2.2.0 Only):
Download and Apply Unified Installer Patch 18231786 prior to installing Oracle Access Manager 11.1.2.2.0.
Install & Configure Oracle Access Manager 11g Release 2 (11.1.2.3.0), following the installation instructions in the
Installation Guide for Oracle Identity and Access Management, available from the Oracle Fusion Middleware
Identity Management 11g Release 2 (11.1.2.3.0) Documentation Library.
For information about which platforms are supported by Oracle Access Manager, refer to the Oracle Identity and
Access Management 11g Release 2 (11.1.2.3) Certification Matrix.
After successful installation and configuration, verify that you can log on to the Oracle Access Manager and
WebLogic Administration consoles with the weblogic admin user and password that you specified during
installation.
http://<oamserver>.<domain>:<adminport>/console
http://<oamserver>.<domain>:<adminport>/oamconsole
Verify in the WebLogic Administration Console that the OAM managed server is running on the specified port.
3.4 Apply Required Updates to Oracle Access Manager Server
For Oracle Access Manager 11.1.2.3 only:
Oracle strongly recommends applying Oracle Access Manager 11.1.2.3 Bundle Patch 3 (OAM
11.1.2.3.3) as this includes a fix for Patch 19438948. Refer to My Oracle Support Knowledge
Document 736372.1 OAM Bundle Patch Release History, for the instructions to download and apply
Oracle Access Manager 11.1.2.3 Bundle Patch 3 (BP03) for Oracle Access Manager Server.
Applying later Oracle Access Manager Bundle Patches
Optionally, later Oracle Access Manager Bundle Patches may be applied on top of certified configurations.
Please refer to My Oracle Support Knowledge Document 736372.1 OAM Bundle Patch Release History.
3.5 Install Prerequisite Software Updates and Components on your Oracle E-Business Suite Release 12.2
Instance
Install the following prerequisite software updates and components on your Oracle E-Business Suite Release 12.2
instance. These software updates are fully compatible with Oracle E-Business Suite environments regardless of
whether or not you proceed with single sign-on integration. You may therefore choose to install these software
updates at an earlier date, even before performing any of the subsequent steps in this document to complete single
sign-on integration with Oracle Access Manager. You may combine these updates with other regularly-scheduled
maintenance in your environment. You can choose to install these software updates during an Oracle E-Business
Suite R12.2 Online Patching cycle to your patch file system (recommended) or on your run file system.
For details about Oracle E-Business Suite R12.2 Online Patching, refer to the Patching Procedures section in the
Oracle E-Business Suite Maintenance Guide Release 12.2.
3.5.1 Apply the Latest AD and TXK Delta Release Update Packs
Note: Review My Oracle Support Knowledge Document 1617461.1, Applying the Latest AD and TXK Release
Update Packs to Oracle E-Business Suite Release 12.2, and follow the instructions to apply the required code
level of AD and TXK for your system.
3.5.2 Download and apply Oracle E-Business Suite Updates
Download and apply the following updates to your Oracle E-Business Suite Release 12.2 instance:
Customers integrating with Oracle Access Manager 11.1.2.2 Server:
Table A
Release Patch Number
12.2 R12.TXK.C Patch 21523147
12.2 R12.TXK.C Patch 20735848
Customers integrating with Oracle Access Manager 11.1.2.3 Server:
Table B
Release Patch Number
12.2 R12.TXK.C Patch 21523147
12.2 R12.TXK.C Patch 20735848
12.2 R12.TXK.C Patch 21229697
Windows Customers Only:
Download and apply the following updates to your Oracle E-Business Suite Release 12.2 instance:
Release Patch Number
FMW 11.1.1.6.0 Patch 15861836
3.5.3 Download and install Oracle Access Manager WebGates
WebGates are policy enforcement agents that act as a filter for HTTP requests and communicate with Oracle
Access Manager authentication and authorization services.
As per Section 9 of the Oracle Fusion Middleware Release Notes for HTTP Server, Oracle WebGate version
11.1.2.3 for Oracle HTTP Server supports only Oracle HTTP Server version 11.1.1.9. If your version of Oracle HTTP
Server is lower than 11.1.1.9, it should be upgraded to 11.1.1.9 by following Document 1590356.1 Upgrading
Oracle Fusion Middleware Technology Stack of Oracle E-Business Suite Release 12.2 to the latest 11gR1 (11.1.1.x)
Patchset, before integrating with Oracle WebGate version 11.1.2.3.
Download Oracle Access Manager OHS 11g WebGates 11.1.2.3.0 from Identity & Access Management 11gR2
Downloads. Save the file to a temporary location on your Oracle E-Business Suite middle tier server node, and
unzip it. For example, unzip it to directory: /u01/webgate11g.
Source the Oracle E-Business Suite environment file.
$ cd <EBS_BASE_HOME>
$ . EBSapps.env
$ echo $FILE_EDITION
EBS_BASE_HOME is the top directory where fs1, fs2, and others are installed.
During an active Online Patching cycle, type "P" to select the patch file system environment when prompted.
Echo $FILE_EDITION returns "patch" to indicate that the patch file system is sourced.
Alternatively, if there is no active Online Patching cycle, you may also choose to install Oracle Access
Manager WebGates on your run file system. In that case, type "R" to select the run file system environment
when prompted. Echo $FILE_EDITION returns "run" to indicate that the run file system is sourced.
Execute the following command to install Oracle Access Manager WebGates:
$ txkrun.pl -script=SetOAMReg -installWebgate=yes -webgatestagedir=<webgate stage directory>
For parameter webgatestagedir, specify the directory where you unzipped Oracle Access Manager OHS 11g
WebGates, for example /u01/webgate11g.
The installation should complete successfully.
3.5.4 Apply Required Oracle Access Manager Bundle Patch to Oracle Access Manager WebGate
Refer to My Oracle Support Knowledge Document 736372.1 OAM Bundle Patch Release History for the instructions
to download and apply Oracle Access Manager 11.1.2.3 Bundle Patch 1 (BP01) for Oracle Access Manager
WebGate.
Applying later Bundle Patches to Oracle HTTP Server 11g WebGate
Optionally, later Oracle HTTP Server 11g WebGate Bundle Patches may be applied on top of certified
configurations. Please refer to My Oracle Support Knowledge Document 736372.1 OAM Bundle Patch Release
History.
3.5.5 Perform fs_clone (conditional)
Your system is now prepared with the prerequisites to enable single sign on with Oracle Access Manager.
You can choose to only prepare the system with the prerequisite software updates, and integrate Oracle E-Business
Suite with Oracle Access Manager for single sign on at a later point in time. In this case, complete the current
Oracle E-Business Suite Release 12.2 Online Patching cycle now. Then you must perform an fs_clone to
synchronize the changes before you start the next Oracle E-Business Suite Release 12.2 Online Patching cycle.
Performing an fs_clone will ensure that Oracle Access Manager OHS 11g WebGates are installed on both file
systems fs1 and fs2.
Alternatively, you can choose to directly proceed with integrating Oracle E-Business Suite with Oracle Access
Manager for single sign on in the next section. In this case, you must continue using the same file system where
you just applied the prerequisite software updates, and you can perform the fs_clone only after completing single
sign on integration as documented in Step 4.4 of this document.
Section 4: Integrate Oracle E-Business Suite with Oracle Access Manager
Follow the steps in this section to integrate Oracle E-Business Suite with Oracle Access Manager:
Deploy Oracle E-Business Suite AccessGate
Register Oracle E-Business Suite with Oracle Access Manager
Test Single Sign-On with Oracle E-Business Suite
Perform fs_clone
Enabling single sign on for Oracle E-Business Suite with Oracle Access Manager does not require starting an
Oracle E-Business Suite Online Patching cycle. You may perform the integration either
a) on your run file system when no Online Patching cycle is active. Single sign on will be enabled after bouncing
Oracle E-Business Suite.
b) on your patch file system during an active Online Patching cycle. Single sign on will be enabled after
completing your Online Patching cycle and bouncing Oracle E-Business Suite.
Note that Oracle Access Manager maintains a single registration for your Oracle E-Business Suite instance, and
does not distinguish between run and patch file system. Hence modifying the configuration in Oracle Access
Manager, or removing the registration following Appendix A of this document, will always affect the running
system.
4.1 Deploy Oracle E-Business Suite AccessGate
Oracle E-Business Suite AccessGate is a J2EE application on your Oracle E-Business Suite 12.2 WebLogic server.
Oracle E-Business Suite AccessGate will be protected by Oracle Access Manager and creates an Oracle E-Business
Suite session based on a valid Oracle Access Manager session. Follow the steps below to deploy Oracle E-Business
Suite AccessGate.
Source the Oracle E-Business Suite environment file.
$ cd <EBS_BASE_HOME>
$ . EBSapps.env
$ echo $FILE_EDITION
EBS_BASE_HOME is the top directory where fs1, fs2, and others are installed.
Type "R" to select the run file system environment when prompted. Echo $FILE_EDITION returns "run" to
indicate that the run file system is sourced. Ensure there is no active Online Patching cycle.
Alternatively, if you wish to deploy Oracle E-Business Suite AccessGate to your patch file system first during
an active Online Patching cycle, type "P" to select the patch file system environment when prompted. Echo
$FILE_EDITION returns "patch" to indicate that the patch file system is sourced.
Execute the following command to deploy Oracle E-Business Suite AccessGate.
$ perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources \
-contextfile=$CONTEXT_FILE \
-deployApps=accessgate \
-SSOServerURL=<OAM Server URL> \
[-managedsrvname=<managed server name>] \
[-managedsrvport=<managed server port>] \
-logfile=<logfile>
For parameter SSOServerURL, specify the URL for your OAM managed server, for example
http://oamserver.example.com:14100.
Optional parameter managedsrvname defaults to oaea_server1. Parameter managedsrvport defaults to 6801.
Specify these optional parameters if you wish to deploy Oracle E-Business Suite AccessGate to a non-default
managed server. The managed server name provided must be of the form oaea_server<n>, where n is an integer.
For example:
$ perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources \
-contextfile=$CONTEXT_FILE \
-deployApps=accessgate \
-SSOServerURL=http://oamserver.example.com:14100 \
-managedsrvname=oaea_server3 \
-managedsrvport=6803 \
-logfile=/tmp/deployeag.log
The script will prompt for the following passwords:
Enter the APPS Schema password.
Enter the WebLogic AdminServer password.
Enter the required information when prompted.
The script will now perform the following main tasks automatically:
Create managed server "oaea_server1" if it does not already exist.
Create Data Source "OAEADatasource" if it does not already exist.
Deploy the Oracle E-Business Suite AccessGate application named "accessgate".
The script must complete successfully. Review the log files for any error messages.
After successful completion of the script, ensure that your WebLogic AdminServer is running.
If you have specified a dedicated managed server and port in the previous command instead of using the default
managed server and port, execute the following command to add details of the managed server into the OHS
configuration files mod_wl_ohs.conf and apps.conf:
$ perl $FND_TOP/patch/115/bin/txkSetAppsConf.pl \
-contextfile=$CONTEXT_FILE \
-configoption=addMS \
-accessgate=<host>.<domain>:<port>
Replace <host>.<domain>:<port> with the hostname, full domain name and port of the new
'oaea_server1' managed server.
For example: ebshost.example.com:6803
The script must complete successfully. Review the log files for any error messages.
To verify successful deployment, log on to the WebLogic Administration Console, for example:
http://ebshost.example.com:7001/console
In the WebLogic Administration Console, navigate to EBS_domain_sid > Environment > Servers, and verify that a
managed server "oaea_server1" is available.
Verify that you can successfully start the server "oaea_server1". On the settings page for the server, navigate to
the Control tab, and use the Start button to start the server.
Navigate to EBS_domain_sid > Deployments, and verify that the Oracle E-Business Suite AccessGate application
named "accessgate" is deployed, with State: Active and Health: OK.
Navigate to EBS_domain_sid > Services > Data Sources, and verify that a data source "OAEADatasource" is
available. Navigate to the "OAEADatasource" page, Monitoring tab, Testing tab. Click the control button next to
server "oaea_server1", and press the "Test Data Source" button. You should see a message confirming that test of
the datasource was successful.
4.2 Register Oracle E-Business Suite with Oracle Access Manager
Follow the steps in this section to register Oracle E-Business Suite with Oracle Access Manager.
Source the Oracle E-Business Suite environment file.
$ cd <EBS_BASE_HOME>
$ . EBSapps.env
$ echo $FILE_EDITION
EBS_BASE_HOME is the top directory where fs1, fs2, and others are installed.
Type "R" to select the run file system environment when prompted. Echo $FILE_EDITION returns "run" to
indicate that the run file system is sourced. Ensure there is no active Online Patching cycle.
Alternatively, if you wish to register Oracle E-Business Suite during an active Online Patching cycle, type "P"
to select the patch file system environment when prompted. Echo $FILE_EDITION returns "patch" to indicate
that the patch file system is sourced.
If Oracle E-Business Suite is integrated with Oracle Internet Directory:
Execute the following command to register Oracle E-Business Suite with Oracle Access Manager:
$ txkrun.pl -script=SetOAMReg -registeroam=yes
If Oracle E-Business Suite is integrated with Oracle Unified Directory:
Execute the following command to register Oracle E-Business Suite with Oracle Access Manager:
$ txkrun.pl -script=SetOAMReg -registeroam=yes -ldapProvider=OUD \
-oidUserName="cn=directory manager"
If the Oracle directory service is Oracle Unified Directory, then the ldapProvider must be specified as
"OUD". By default the type is OID for Oracle Internet Directory.
The script will prompt for the following information.
Enter OAM console URL (for example: http://myoam.us.oracle.com:7001)
Enter OAM console user name (for example: weblogic)
Enter OAM console password
Enter LDAP URL (for example: ldap://myoid.us.oracle.com:3060)
Enter OID console user name (for example: cn=orcladmin)
Enter OID console password
Enter LDAP Search Base (for example: "cn=Users,dc=us,dc=oracle,dc=com")
Enter LDAP Group Search Base (for example: "cn=Groups,dc=us,dc=oracle,dc=com")
Enter APPS password
Enter the required information when prompted.
For the parameter OAM console URL, enter the base URL for the WebLogic Administration server where the OAM
console is deployed, for example: http://myoam.us.oracle.com:7001.
The script will provide a summary of input values. Confirm that these are correct and start the registration.
Do you wish to continue (y|n)? y
The script will now perform the following main tasks automatically:
Register Oracle E-Business Suite AccessGate with Oracle Access Manager.
Create Identity Store named OIDIdentityStore if it does not already exist. If Identity Store OIDIdentityStore
exists, the integration will use it.
Create Authentication Module named LDAP_EBS if it does not already exist. If Authentication Module
LDAP_EBS exists, the integration will use it.
Configure Oracle Access Manager OAM Agent named <sid_host>.
Configure Authentication Scheme named EBSAuthScheme.
Configure Application Domain named <sid_host> with required Authentication Policies and response
headers for your Oracle E-Business Suite integration.
Set Oracle E-Business Suite profile options Application Authenticate Agent (APPS_AUTH_AGENT) and
Applications SSO Type (APPS_SSO).
Alternatively, you can execute the script using parameters. For example:
If Oracle E-Business Suite is integrated with Oracle Internet Directory:
$ txkrun.pl -script=SetOAMReg -registeroam=yes \
-oamHost=http://myoam.us.oracle.com:7001 \
-oamUserName=weblogic \
-ldapUrl=ldap://myoid.us.oracle.com:3060 \
-oidUserName=cn=orcladmin \
-skipConfirm=yes \
-ldapSearchBase=cn=Users,dc=example,dc=com \
-ldapGroupSearchBase=cn=Groups,dc=example,dc=com
If Oracle E-Business Suite is integrated with Oracle Unified Directory:
$ txkrun.pl -script=SetOAMReg -registeroam=yes -ldapProvider=OUD \
-oamHost=http://myoam.us.oracle.com:7001 \
-oamUserName=weblogic \
-ldapUrl=ldap://myoud.us.oracle.com:1389 \
-oidUserName="cn=directory manager" \
-skipConfirm=yes \
-ldapSearchBase=ou=People,dc=example,dc=com \
-ldapGroupSearchBase=dc=example,dc=com
Replace 'dc=example,dc=com' with the appropriate values for your LDAP search base.
The script must complete successfully. Review the log files for any error messages.
By default, the registration as documented above automatically creates an Authentication Scheme named
EBSAuthScheme.
Optionally, you can also register your Oracle E-Business Suite instance using a custom authentication scheme that
you have created manually using your OAM Console prior to registering your Oracle E-Business Suite instance.
To register your Oracle E-Business Suite instance with an existing custom authentication scheme, you can specify
the following two additional command line parameters when executing the registration script txkrun.pl
-script=SetOAMReg -registeroam=yes:
-authScheme=<Authentication Scheme>
-authSchemeMode=<create_reference|reference|create_update>
Description:
-authScheme=<Authentication Scheme>
This parameter allows you to specify an authentication scheme to be created, updated or referenced. The default
value is "EBSAuthScheme".
-authSchemeMode=create_reference (default)
Authentication Scheme mode "create_reference" is the default mode. The automated registration will create the
specified authentication scheme if it does not exist. If the specified authentication scheme already exists, the
registration will reference the existing authentication scheme. In this mode, an existing authentication scheme will
not be overwritten.
-authSchemeMode=reference
Authentication Scheme mode "reference" will reference an existing authentication scheme. This mode does not
create or update an existing authentication scheme, but will error if the specified authentication scheme does not
exist.
-authSchemeMode=create_update
Authentication Scheme mode "create_update" will create the specified authentication scheme if it does not exist, or
update an existing authentication scheme.
Example usage:
If you have created an authentication scheme named "CustomAuthScheme" using your OAM Console, prior to
registering your Oracle E-Business Suite instance, you should register your Oracle E-Business Suite instance using
your custom authentication scheme as follows:
If Oracle E-Business Suite is integrated with Oracle Internet Directory:
$ txkrun.pl -script=SetOAMReg -registeroam=yes \
-oamHost=http://myoam.us.oracle.com:7001 \
-oamUserName=weblogic \
-ldapUrl=ldap://myoid.us.oracle.com:3060 \
-oidUserName=cn=orcladmin \
-ldapSearchBase=cn=Users,dc=example,dc=com \
-ldapGroupSearchBase=cn=Groups,dc=example,dc=com \
-authScheme=CustomAuthScheme \
-authSchemeMode=reference
If Oracle E-Business Suite is integrated with Oracle Unified Directory:
$ txkrun.pl -script=SetOAMReg -registeroam=yes -ldapProvider=OUD \
-oamHost=http://myoam.us.oracle.com:7001 \
-oamUserName=weblogic \
-ldapUrl=ldap://myoud.us.oracle.com:1389 \
-oidUserName="cn=directory manager" \
-ldapSearchBase=ou=People,dc=example,dc=com \
-ldapGroupSearchBase=dc=example,dc=com \
-authScheme=CustomAuthScheme \
-authSchemeMode=reference
Important Note:
If you are planning to use a custom authentication scheme, please refer to the information in Section 5.5
Authentication Methods supported with Oracle Access Manager. Oracle E-Business Suite Development does not
explicitly certify alternative authentication methods supported by Oracle Access Manager. Oracle E-Business
Suite Support may ask you to revert Oracle Access Manager to the explicitly certified form based authentication
and the default authentication scheme EBSAuthScheme, before issues with Oracle E-Business Suite can be
triaged.
The registration script is re-runnable. If the registration script fails for any reason (for example, the OAM
server is down), the script will detect an incomplete run, and continue completing the session with the same
parameters after prompting for confirmation to continue.
If you configured your patch file system during an Online Patching cycle, complete your Online Patching cycle.
Stop and restart the Oracle E-Business Suite 12.2 OHS and WebLogic servers.
4.3 Test Single SignOn with Oracle EBusiness Suite
You have completed integrating Oracle EBusiness Suite with Oracle Access Manager 11.1.2 using Oracle E
Business Suite AccessGate.
Test single signon integration now.
Logon to Oracle EBusiness Suite
http://<ebshost>.<domain>:<port>/OA_HTML/AppsLogin
You will be redirected to your Oracle Access Manager single signon page. Login using valid OID user credentials.
After successful authentication, you will be redirected to your Oracle EBusiness Suite home page.
4.4 Perform fs_clone
Stop the oaea managed server on the run file system. (see Known Issues section for further information).
Your Oracle EBusiness Suite Release 12.2 instance is now integrated with Oracle Access Manager using Oracle E
Business Suite AccessGate on your run file system.
Perform an fs_clone to synchronize the changes to your patch file system before you start the next Oracle E
Business Suite Release 12.2 Online Patching cycle.
Section 5: Oracle Access Manager Configurations
This section lists additional configurations on your Oracle Access Manager server and information about advanced
authentication methods supported with Oracle Access Manager.
Configure Oracle Access Manager to support long URLs
Configure Oracle Access Manager Whitelist
Configure Oracle Access Manager Session Timeout
Configure Languages for the Oracle Access Manager Login Page
Authentication Methods supported with Oracle Access Manager
5.1 Configure Oracle Access Manager to support long URLs
Long URLs may exceed a cookie limit on your Internet browser. Configure Oracle Access Manager to support long
URLs by changing the serverRequestCacheType from COOKIE to FORM in Oracle Access Manager configuration file
$DOMAIN_HOME/config/fmwconfig/oam-config.xml:
<Setting Name="serverRequestCacheType" Type="xsd:string">FORM</Setting>
Refer to section Application URL Requirements in the Oracle® Fusion Middleware Administrator's Guide for Oracle
Access Management 11g Release 2 (11.1.2).
5.2 Configure Oracle Access Manager Whitelist
Oracle Access Manager whitelist is enabled by default in Oracle Access Manager 11.1.2.3.
Oracle Access Manager must be configured to only redirect to URLs listed in a whitelist. Oracle recommends that
this configuration be done as part of a Secure Configuration.
To use this Oracle Access Manager feature, you must add your Oracle E-Business Suite middle tier URL (Oracle
E-Business Suite host name and port) to the whitelist. For example:
cd $OAM_ORACLE_HOME/common/bin
./wlst.sh
wls:/offline> connect('weblogic','kwD9ij4dj', 'myoam.example.com:7001')
wls:/offline> domainRuntime()
wls...> oamWhiteListURLConfig(Name="EBS", Value="http://<ebshost>.<domain>:<port>", Operation="Update")
wls...> oamWhiteListURLConfig(Name="OAMCONSOLE", Value="http://<oamconsole_host>:<oamconsole_port>", Operation="Update")
wls...> oamWhiteListURLConfig(Name="EBS_POSTLOGOUT", Value="<APPS_SSO_POSTLOGOUT_HOME_URL>", Operation="Update")
wls...> exit()
Replace <ebshost>.<domain>:<port> with the fully qualified host name and port of your Oracle E-Business Suite
middle tier. For example: 'ebshost.example.com:8001'.
Replace <oamconsole_host>:<oamconsole_port> with the fully qualified host name and port of your Oracle
Access Manager Console. For example: 'oamserver.example.com:7001'.
In addition, if you configured the optional profile 'Applications SSO Post Logout URL'
(APPS_SSO_POSTLOGOUT_HOME_URL) to redirect to a different server URL post logout, replace
<APPS_SSO_POSTLOGOUT_HOME_URL> with the URL from the 'Applications SSO Post Logout URL' profile option.
For further information on configuring the whitelist, refer to wlst commands 'oamSetWhiteListMode' and
'oamWhiteListURLConfig' in Oracle® Fusion Middleware WebLogic Scripting Tool Command Reference for Identity
and Access Management.
5.3 Configure Oracle Access Manager Session Timeout
You can configure an inactivity timeout for a session in both Oracle E-Business Suite and Oracle Access Manager.
The timeout values should be the same for both applications. If you configure a timeout value for Oracle E-Business
Suite that is shorter than the one you configure for Oracle Access Manager, users can re-establish their Oracle
E-Business Suite session after it times out without providing login credentials.
The inactivity timeout in Oracle E-Business Suite is configured in profile option ICX: Session Timeout (minutes).
The inactivity timeout in Oracle Access Manager is configured as Idle Timeout (minutes) under Common Settings
in the OAM Console System Configuration.
5.4 Configure Languages for the Oracle Access Manager Login Page
Oracle Access Management 11.1.2.1 supports language selection through a drop down list of languages in the login
page combined with use of the OAM_LANG_PREF language preference cookie. The Oracle Access Manager login
page can be synchronized with the set of installed languages in Oracle E-Business Suite. To configure the Oracle
Access Manager login page to provide language selection, refer to the section Choosing a User Login Language in
the Oracle® Fusion Middleware Administrator's Guide for Oracle Access Management and the
'configOAMLoginPagePref' command in the Oracle® Fusion Middleware WebLogic Scripting Tool Command
Reference for Identity and Access Management.
To enable languages in the Oracle Access Manager login page to match the languages installed in Oracle
E-Business Suite:
wls...> configOAMLoginPagePref(persistentCookie="false", persistentCookieLifetime=<SessionTimeout>,
langPrefCookieDomain="<mydomain>",
langPrefOrder="oamPrefsCookie, browserAcceptLanguage, serverOverrideLangPref, defaultLanguage",
serverOverrideLanguage="<EBS_Base_Lang>", defaultLanguage="<Default_Lang>",
applicationSupportedLocales="<lang1>,<lang2>,<lang3>,<lang4>")
Recommended settings for the language configuration in the Oracle Access Manager login page when integrated
with Oracle E-Business Suite are as follows:
Ensure that 'persistentCookie' is set to 'false'. This specifies the OAM_LANG_PREF cookie as a session cookie,
ensuring that when a user starts a new browser session this language cookie no longer exists.
Replace <SessionTimeout> with the value that you have specified for Session Timeout in Oracle E-Business
Suite and Oracle Access Manager.
Replace <mydomain> with the Domain Name on which Oracle Access Manager is configured.
Ensure that 'langPrefOrder' is set to "oamPrefsCookie, browserAcceptLanguage, serverOverrideLangPref,
defaultLanguage".
Using the oamPrefsCookie first in the order of precedence is required as Oracle E-Business Suite will set the
preferred language in the OAM_LANG_PREF cookie.
Replace <EBS_Base_Lang> with the Base Language installed in Oracle E-Business Suite:
Setting 'serverOverrideLanguage' to the base language installed in Oracle E-Business Suite ensures that
when the OAM_LANG_PREF cookie is not yet set and the Browser language is not set to a language
supported by the Oracle Access Manager login page, then the Oracle Access Manager login page will
attempt to display in the Oracle E-Business Suite Base Language. If this language is not supported by the
Oracle Access Manager login page then the default language (see below) will be used.
Replace <Default_Lang> with 'en':
Setting 'defaultLanguage' to 'en' ensures that English is the final fallback language used for the Oracle
Access Manager login page.
For 'applicationSupportedLocales' specify the language codes for each of the languages that are installed in
the Oracle E-Business Suite environment; this includes the Base Language and 'en' (English). The language
code values are documented in Table 24 Language Codes for Login Pages in the Oracle® Fusion
Middleware WebLogic Scripting Tool Command Reference.
Example Scenario
An Oracle E-Business Suite environment has:
French as the Base Language
English, German, Arabic, Korean, Simplified Chinese, Traditional Chinese and Brazilian Portuguese as
installed languages.
Profile option 'ICX: Session Timeout' and the Oracle Access Manager 'Idle Timeout' are set to 15 minutes.
The Domain name is 'example.us.com'
To configure the Oracle Access Manager login page languages to match this Oracle E-Business Suite environment:
wls...> configOAMLoginPagePref(persistentCookie="false", persistentCookieLifetime=15,
langPrefCookieDomain="example.us.com",
langPrefOrder="oamPrefsCookie, browserAcceptLanguage, serverOverrideLangPref, defaultLanguage",
serverOverrideLanguage="fr", defaultLanguage="en",
applicationSupportedLocales="en,fr,de,ar,ko,zh-CN,zh-TW,pt-BR")
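The fallback order configured in this section can be traced with a small model, shown here for the example scenario. This is an added example, not Oracle code: the function names are hypothetical, and it assumes tags match exactly (case-insensitively) against applicationSupportedLocales and that Accept-Language entries are tried in the order listed, ignoring q-values.

```shell
#!/bin/sh
# Added illustration: models the language fallback this section describes for
# the OAM login page. Not OAM code. Assumptions: tags match exactly (case-
# insensitively) against applicationSupportedLocales, and Accept-Language
# entries are taken in the order listed, ignoring q-values.

# in_list <tag> <comma-separated list>: succeeds when <tag> is in the list.
in_list() {
    [ -n "$1" ] || return 1
    _needle=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    for _item in $(printf '%s' "$2" | tr ',' ' ' | tr 'A-Z' 'a-z'); do
        [ "$_item" = "$_needle" ] && return 0
    done
    return 1
}

# resolve_login_lang <langPrefOrder> <applicationSupportedLocales> \
#                    <OAM_LANG_PREF value> <Accept-Language header> \
#                    <serverOverrideLanguage> <defaultLanguage>
# Prints the first supported language found, walking the sources in order.
# Returns 1 when no source yields a supported language.
resolve_login_lang() {
    _supported=$2; _cookie=$3; _accept=$4; _override=$5; _default=$6
    for _source in $(printf '%s' "$1" | tr ',' ' '); do
        case $_source in
            oamPrefsCookie)
                _candidates=$_cookie ;;
            browserAcceptLanguage)
                # Drop ";q=..." parameters, blanks and the "*" wildcard.
                _candidates=$(printf '%s' "$_accept" \
                    | sed 's/;[^,]*//g' | tr -cd 'A-Za-z0-9,_-') ;;
            serverOverrideLangPref)
                _candidates=$_override ;;
            defaultLanguage)
                _candidates=$_default ;;
            *)
                _candidates= ;;
        esac
        for _tag in $(printf '%s' "$_candidates" | tr ',' ' '); do
            if in_list "$_tag" "$_supported"; then
                printf '%s\n' "$_tag"
                return 0
            fi
        done
    done
    return 1
}

# Values from the example scenario (French base language, English fallback).
ORDER="oamPrefsCookie, browserAcceptLanguage, serverOverrideLangPref, defaultLanguage"
LOCALES="en,fr,de,ar,ko,zh-CN,zh-TW,pt-BR"

# Constructed requests: cookie value, then Accept-Language header.
echo "new session, Japanese browser : $(resolve_login_lang "$ORDER" "$LOCALES" "" "ja,it;q=0.8" fr en)"
echo "new session, Korean browser   : $(resolve_login_lang "$ORDER" "$LOCALES" "" "ko,en;q=0.5" fr en)"
echo "cookie set by E-Business Suite: $(resolve_login_lang "$ORDER" "$LOCALES" "de" "en" fr en)"
```
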
There are several languages supported by Oracle E-Business Suite that are not currently supported by the OAM
login page in 11.1.2.1.0; refer to Known Issues for a list of those languages:
If you have any of those languages installed in your Oracle E-Business Suite environment, you should
continue with the Oracle E-Business Suite profile option 'Applications Override SSO Server Language'
(FND_OVERRIDE_SSO_LANG) set to 'Override SSO Server Language'. In that case Oracle E-Business
Suite will always use the site/user value for the profile option 'ICX: Language' (ICX_LANGUAGE). For
further information regarding the profile option 'Applications Override SSO Server Language', refer to
the 'Login Page Language and Runtime Session Language' section in Oracle E-Business Suite Setup
Guide Release 12.2.
The language feature in OAM should remain disabled by skipping this section (5.4 Configuring Languages for
the Oracle Access Manager Login Page). The Oracle Access Manager login page will continue to be
displayed without a Language LOV, and the text on the OAM login page will appear in the language
according to the users' browser preferences, for languages that OAM supports, otherwise it will default to
OAM’s default language.
For further information regarding how Oracle E-Business Suite handles language precedence, refer to Document
393861.1 Globalization Guide for Oracle Applications Release 12.
When accessing the default Oracle Access Manager login page from the Oracle E-Business Suite AppsLogin
page for the very first time (i.e. a new browser session), Oracle E-Business Suite sets the language in the
OAM_LANG_PREF cookie based on the browser language preference setting. If this language is not enabled for
the OAM login page, English is used.
If a user changes their 'session language' via the 'Preferences' page in Oracle E-Business Suite, regardless of
the setting in the profile 'Applications Override SSO Server Language' (FND_OVERRIDE_SSO_LANG), this new
session language will be used in the OAM_LANG_PREF cookie.
Once the session language value has been changed in this manner, the Oracle E-Business Suite Home Page,
the Oracle Access Manager login page (displayed after logging out of Oracle E-Business Suite) and the
subsequent login to Oracle E-Business Suite will display in the newly set session language. This is the
"login/logout" loop, which means that the language of the Home page, login page, and logout page is
set based on the last session language. This loop will exist until the user closes the browser or the cookie
times out (as specified in the 'persistentCookieLifetime' parameter).
5.5 Authentication Methods supported with Oracle Access Manager
Oracle E-Business Suite delegates authentication to Oracle Access Manager. Oracle Access Manager protects
resources, enforces authentication, and returns the configured response headers after successful authentication.
Returning the configured response headers does not require any Oracle E-Business Suite or Oracle E-Business
Suite AccessGate code. Oracle Access Manager must return these response headers even without having Oracle
E-Business Suite AccessGate installed.
5.5.1 Form based authentication
Oracle E-Business Suite Development explicitly certifies the form based challenge method only.
5.5.2 Alternative authentication methods
In addition to the form based challenge method, Oracle Access Manager supports several alternative authentication
methods, including Windows Native Authentication, X.509, integration with Oracle Identity Federation or other third
party access management systems. You may leverage Oracle Access Manager to further integrate with any of the
alternative authentication mechanisms supported by Oracle Access Manager. Integration with Oracle E-Business
Suite is expected to work regardless of how Oracle Access Manager authenticates the user, provided that Oracle
Access Manager protects the resources, enforces authentication, and returns the configured response headers.
Oracle E-Business Suite Development does not explicitly certify these alternative authentication methods. Oracle
E-Business Suite Support may ask you to revert Oracle Access Manager to the explicitly certified form based
authentication, before issues with Oracle E-Business Suite can be triaged.
If you encounter issues during configuration of Oracle Access Manager with alternative authentication mechanisms,
you may contact Oracle Access Manager Support.
Section 6: Advanced Configurations
This section provides additional information on the following advanced configurations:
Configure Secure Sockets Layer (SSL)
Configure Single Sign-On in a Load Balanced Oracle E-Business Suite Environment
Deploy Oracle E-Business Suite AccessGate with a Real Applications Clusters (RAC) Database
Deploy Oracle E-Business Suite AccessGate in a Demilitarized Zone (DMZ)
6.1 Configure Secure Sockets Layer (SSL)
In production environments, we recommend the use of SSL on both the Oracle E-Business Suite middle tier and the
WebLogic Server instance where the Oracle E-Business Suite AccessGate is deployed. We always recommend
the use of SSL on the HTTP server where the WebGate plug-in is deployed.
Refer to My Oracle Support Knowledge Document 1367293.1 to configure SSL on an Oracle E-Business Suite
Release 12.2 middle tier server node.
The Oracle Fusion Middleware Administrator's Guide for Oracle Access Management 11g Release 2 (11.1.2)
documents the steps necessary to enable SSL communication for the Oracle Access Manager components:
Appendix Securing Communication provides instructions on how to secure communications between Oracle
Access Manager 11g and WebGates.
No special steps are needed to configure WebGate for intercepting SSL requests, as long as the Oracle
HTTP Server where it is installed is configured to support SSL.
For more information on configuring SSL on other technology components required for this integration, consult the
following resources:
For Oracle WebLogic Server, refer to the chapter Configuring SSL in Oracle® Fusion Middleware Securing
Oracle WebLogic Server.
For Oracle HTTP Server, refer to chapter Configuring SSL in Oracle Fusion Middleware in the Oracle®
Fusion Middleware Administrator's Guide 11g Release 1.
When using WebLogic Server Release 10.3.4 and above and enabling SSL:
Ensure that the following are enabled in the WebLogic Server Administration Console:
WebLogic Plug-In
Client Cert Proxy
To verify this:
Navigate to 'Environments' > 'Servers' > 'oam_server1'
Access the 'General' tab
Expand the 'Advanced' section and check the checkboxes for:
WebLogic Plug-In Enabled
Client Cert Proxy Enabled
If you have enabled only the TLSv1 protocol in Oracle E-Business Suite 12.2.x after referring to Document
1937646.1 Instructions to Mitigate the SSLv3 Vulnerability ("POODLE Attack") in Oracle E-Business Suite, then you
must also enable the TLSv1 protocol in your Oracle Access Manager environment.
To configure TLSv1 in your Oracle Access Manager environment refer to Document 1936300.1 How to Change
SSL Protocols (to Disable SSL 2.0/3.0) in Oracle Fusion Middleware Products.
When using WebLogic Server 10.3.6 and above and enabling the TLSv1 protocol:
Ensure that the following has been enabled in the WebLogic Server Administration Console:
Use JSSE SSL
To verify this:
Navigate to 'Environments' > 'Servers' > 'oam_server1'
Access the 'SSL' tab
Expand the 'Advanced' section and check the checkbox for:
Use JSSE SSL
For more information, refer to My Oracle Support Knowledge Document 1316142.1 How To Configure mod_wl_ohs
with Oracle HTTP Server and Oracle WebLogic Server.
After performing the configuration in this section, the following steps are required:
1. Test Single Sign-On with Oracle E-Business Suite
2. Perform fs_clone
6.2 Configure Single Sign-On in a Load Balanced Oracle E-Business Suite Environment
You can configure a load balancer to front end multiple Oracle E-Business Suite web-tier servers. The load balancer
acts as a single entry point to these Oracle E-Business Suite web-tier servers. To configure your Oracle E-Business
Suite environment with a load balancer, refer to My Oracle Support Knowledge Document 1375686.1 Using Load
Balancers with Oracle E-Business Suite Release 12.2.
First confirm that the load balanced environments are functioning correctly before continuing to configure your
Oracle E-Business Suite application tier servers with Oracle Access Manager.
For each Oracle E-Business Suite application tier server that participates in your load balanced configuration,
perform the following:
Apply the prerequisite software updates as documented in Section 3.5 Install Prerequisite Software Updates
and Components on your Oracle E-Business Suite Release 12.2 Instance.
Deploy Oracle E-Business Suite AccessGate on each Oracle E-Business Suite Application Tier server node
using the following command, to specify the managed server name and managed server port on which to
deploy:
$ perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources \
-contextfile=$CONTEXT_FILE \
-deployApps=accessgate \
-SSOServerURL=<OAM Server URL> \
-managedsrvname=<managed server name> \
-managedsrvport=<managed server port> \
-logfile=<logfile>
For example:
$ perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources \
-contextfile=$CONTEXT_FILE \
-deployApps=accessgate \
-SSOServerURL=http://oamserver.example.com:14100 \
-managedsrvname=oaea_server1 \
-managedsrvport=6801 \
-logfile=/tmp/deployeag_6801.log
$ perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources \
-contextfile=$CONTEXT_FILE \
-deployApps=accessgate \
-SSOServerURL=http://oamserver.example.com:14100 \
-managedsrvname=oaea_server2 \
-managedsrvport=6802 \
-logfile=/tmp/deployeag_6802.log
The script will prompt for the following passwords:
Enter the APPS Schema password.
Enter the WebLogic AdminServer password.
Enter the required information when prompted.
Refer to Section 4.1 Deploy Oracle E-Business Suite AccessGate, for more information on
parameters.
Execute the following command once for each managed server on which Oracle E-Business Suite
AccessGate has been deployed, to add details of the managed server into the OHS configuration files
mod_wl_ohs.conf and apps.conf:
$ perl $FND_TOP/patch/115/bin/txkSetAppsConf.pl \
-contextfile=$CONTEXT_FILE \
-configoption=addMS \
-accessgate=<host>.<domain>:<port>
Replace <host>.<domain>:<port> with the hostname, full domain name and port of the managed server:
For example: ebshost1.example.com:6801
For example:
$ perl $FND_TOP/patch/115/bin/txkSetAppsConf.pl \
-contextfile=$CONTEXT_FILE \
-configoption=addMS \
-accessgate=ebshost1.example.com:6801
$ perl $FND_TOP/patch/115/bin/txkSetAppsConf.pl \
-contextfile=$CONTEXT_FILE \
-configoption=addMS \
-accessgate=ebshost2.example.com:6802
Register each Oracle E-Business Suite application tier server with Oracle Access Manager as documented in
section 4.2 Register Oracle E-Business Suite with Oracle Access Manager of this document.
After performing the configuration in this section, the following steps are required:
1. Test Single Sign-On with Oracle E-Business Suite
2. Perform fs_clone
6.3 Deploy Oracle E-Business Suite AccessGate with a Real Applications Clusters (RAC) Database
If your database instance and your Oracle E-Business Suite Release 12.2 environment are configured to use RAC
load balancing, your Oracle E-Business Suite AccessGate will seamlessly continue to work.
For more information regarding Identity Management components with a RAC database, refer to the section
Configuring High Availability for Oracle Identity Manager Components in the Oracle® Fusion Middleware High
Availability Guide for Oracle Identity and Access Management.
After performing the configuration in this section, the following steps are required:
1. Test Single Sign-On with Oracle E-Business Suite
2. Perform fs_clone
6.4 Deploy Oracle E-Business Suite AccessGate in a Demilitarized Zone (DMZ)
To make a subset of Oracle E-Business Suite Release 12 functionality accessible via the Internet to external users,
refer to My Oracle Support Knowledge Document 1375670.1, Oracle E-Business Suite Release 12.2 Configuration in
a DMZ. Confirm that these environments are working properly using local logon for all configured Oracle E-Business
Suite Application Tiers, before continuing to configure all your Oracle E-Business Suite Application Tiers with Oracle
Access Manager for single sign-on.
The required Oracle E-Business Suite AccessGate and WebGate components are embedded in each of your Oracle
E-Business Suite Release 12.2 Application Tiers. To enable single sign-on, you must configure each Application Tier
as documented in this note. This includes deploying Oracle E-Business Suite AccessGate, and registering your
Application Tier with Oracle Access Manager.
You can use any of the DMZ topologies documented in My Oracle Support Knowledge Document 1375670.1 Oracle
E-Business Suite Release 12.2 Configuration in a DMZ. In any topology, Oracle Access Manager and Oracle Internet
Directory should be installed on the intranet, completely isolated from establishment of any unauthenticated
network connection. For each of your Oracle E-Business Suite Release 12.2 Application Tiers you will plan to either
make the web entry point accessible to internal users only, or to external users over the intranet. Oracle E-Business
Suite Release 12.2 Application Tiers that are accessed by external users over the internet must be registered
with WebGate configured as a Detached Credentials Collector (DCC), following the registration steps in this section.
Before you proceed with configuring each of your external Oracle E-Business Suite Release 12.2 Application Tiers
(DMZ), you must first configure your internal Oracle E-Business Suite Release 12.2 Application Tier as entry point
for internal users at SITE level. Follow the steps in the main section 4 of this document.
Then proceed with the additional steps in this section below to configure each of your external Oracle E-Business
Suite Release 12.2 Application Tiers (DMZ) as the entry point for external users at SERVER level.
For additional information on deploying Oracle Access Manager and WebGates in a DMZ, refer to the Oracle®
Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management 11g Release 2 (11.1.2), and
Oracle® Fusion Middleware Administrator's Guide for Oracle Access Management 11g Release 2 (11.1.2), section
Configuring 11g Webgates and Authentication Policy for DCC.
6.4.1 Deploy Oracle E-Business Suite AccessGate on your External Oracle E-Business Suite Application
Tier (DMZ)
Source the Oracle E-Business Suite environment file on your external application tier in the DMZ.
$ cd <EBS_BASE_HOME>
$ . EBSapps.env
$ echo $FILE_EDITION
EBS_BASE_HOME is the top directory where fs1, fs2, and others are installed.
Type "R" to select the run file system environment when prompted. Echo $FILE_EDITION returns "run" to
indicate that the run file system is sourced. Ensure there is no active Online Patching cycle.
Alternatively, if you wish to register Oracle E-Business Suite during an active Online Patching cycle, type "P"
to select the patch file system environment when prompted. Echo $FILE_EDITION returns "patch" to indicate
that the patch file system is sourced.
Prerequisites:
The Oracle WebLogic Administration Server on the primary internal application tier must be running from
both the run and patch file system.
The Oracle WebLogic Administration server ports must be opened on the firewall that separate the external
application tier from the primary internal application tier. All other managed server ports must be closed
between the external application tier and the internal application tiers.
Execute the following command to deploy Oracle E-Business Suite AccessGate.
$ perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources \
-contextfile=$CONTEXT_FILE \
-deployApps=accessgate \
-SSOServerURL=<OAM Server URL> \
-OAMLogoutURL=<DCC Logout URL> \
[-managedsrvname=<managed server name>] \
[-managedsrvport=<managed server port>] \
-logfile=<logfile>
For parameter SSOServerURL, specify the URL for your OAM managed server.
For parameter OAMLogoutURL, specify the full URL to the Detached Credentials Collector logout script on
your Oracle E-Business Suite Release 12.2 web tier.
For example:
$ perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources \
-contextfile=$CONTEXT_FILE \
-deployApps=accessgate \
-SSOServerURL=http://myoam.example.com:14100 \
-OAMLogoutURL=http://myebs.example.com:80/oamsso-bin/logout.pl \
-managedsrvname=oaea_server3 \
-managedsrvport=6803 \
-logfile=/tmp/deployeag.log
The script will prompt for the following passwords:
Enter the APPS Schema password.
Enter the WebLogic AdminServer password.
The script must complete successfully. Review the log files for any error messages.
After successful completion of the script, ensure your WebLogic AdminServer is running, and execute the following
script to regenerate the mod_wl_ohs.conf file based on your WebLogic domain configuration:
Execute the following command to add details of the managed server into the OHS configuration files
mod_wl_ohs.conf and apps.conf:
$ perl $FND_TOP/patch/115/bin/txkSetAppsConf.pl \
-contextfile=$CONTEXT_FILE \
-configoption=addMS \
-accessgate=<host>.<domain>:<port>
Replace <host>.<domain>:<port> with the hostname, full domain name and port of the new
'oaea_server3' managed server:
For example: ebshost.example.com:6803
The script must complete successfully. Review the log files for any error messages.
6.4.2 Register Oracle E-Business Suite AccessGate on your External Oracle E-Business Suite Application
Tier (DMZ)
Source the Oracle E-Business Suite environment file on your external application tier in the DMZ.
$ cd <EBS_BASE_HOME>
$ . EBSapps.env
$ echo $FILE_EDITION
EBS_BASE_HOME is the top directory where fs1, fs2, and others are installed.
Type "R" to select the run file system environment when prompted. Echo $FILE_EDITION returns "run" to
indicate that the run file system is sourced. Ensure there is no active Online Patching cycle.
Alternatively, if you wish to register Oracle E-Business Suite during an active Online Patching cycle, type "P"
to select the patch file system environment when prompted. Echo $FILE_EDITION returns "patch" to indicate
that the patch file system is sourced.
If Oracle E-Business Suite is integrated with Oracle Internet Directory:
Execute the following command to register Oracle E-Business Suite with Oracle Access Manager.
Specify all parameters on a single command line:
$ txkrun.pl -script=SetOAMReg -registeroam=yes -allowCCOperations=true \
-authScheme=EBSAuthSchemeDMZ \
-authChalRedirectUrl=http://myebs.example.com -authChalUrl=/oamsso-bin/login.pl \
-logoutUrl=/oamsso-bin/logout.pl \
-logoutRedirectUrl=null -protectedResource=/oamsso-bin/logout.pl \
-responseType=HTTP -ebsProfileLevel=Server
If Oracle E-Business Suite is integrated with Oracle Unified Directory:
Execute the following command to register Oracle E-Business Suite with Oracle Access Manager.
Specify all parameters on a single command line:
$ txkrun.pl -script=SetOAMReg -registeroam=yes -ldapProvider=OUD \
-oidUserName="cn=directory manager" -allowCCOperations=true \
-authScheme=EBSAuthSchemeDMZ \
-authChalRedirectUrl=http://myebs.example.com -authChalUrl=/oamsso-bin/login.pl \
-logoutUrl=/oamsso-bin/logout.pl \
-logoutRedirectUrl=null -protectedResource=/oamsso-bin/logout.pl \
-responseType=HTTP -ebsProfileLevel=Server
For parameter authChalRedirectUrl, specify the base URL that external users use to access your Oracle E-Business
Suite web tier. If you use a load balancer in front of your Oracle E-Business Suite web tier, specify the load balancer
base URL.
For parameter ebsProfileLevel, specify either Server or Site (default). If you are configuring separate Oracle
E-Business Suite instances for internal and external users, you must register at least one instance at Site level. You
may register other Oracle E-Business Suite instances at Server level. This will set the APPS_AUTH_AGENT profile
option at the SERVER level, so that internal users are directed to one URL for authentication, and external users to
another. For more information on E-Business Suite profile options at SERVER level, refer to My Oracle Support
Knowledge Document 1375670.1, Oracle E-Business Suite Release 12.2 Configuration in a DMZ.
For all other parameters, specify the values as listed in the example above.
The script will prompt for the following information.
Enter OAM console URL (for example: http://myoam.us.oracle.com:7001)
Enter OAM console user name (for example: weblogic)
Enter OAM console password
Enter LDAP URL (for example: ldap://myoid.us.oracle.com:3060)
Enter OID console user name (for example: cn=orcladmin)
Enter OID console password
Enter APPS password
Enter the required information when prompted.
The script must complete successfully. Review the log files for any error messages.
During the prerequisite DMZ configuration of your external application tier, following My Oracle Support Knowledge
Document 1375670.1, Oracle E-Business Suite Release 12.2 Configuration in a DMZ, Appendix E: Configuring the
URL Firewall, you will have configured your OHS to use the URL Firewall configuration file url_fw.conf. This file
implements a whitelist of URLs that are allowed.
You will find the URLs required for your Oracle E-Business Suite AccessGate integration with Oracle Access
Manager in the section with comment header:
#======================================================================
#Include URLs for Accessgate Application
#======================================================================
By default the URLs in this section are commented in url_fw.conf.
Edit url_fw.conf, and uncomment all lines in this section.
Stop and restart the Oracle EBusiness Suite 12.2 OHS and WebLogic servers.
Verify that external users can access the following resources:
http://myebs.example.com/oamssobin/login.pl
http://myebs.example.com/oamssobin/logout.pl
If an error occurs when accessing the above URLs, check the OHS error log. If you see a 'Premature end of script
headers' error, then you may need to adjust the perl location for your environment. Modify the first line
#!/usr/local/bin/perl in the files login.pl and logout.pl in the following directory, to point to the correct location
for perl:
$FMW_HOME/Oracle_OAMWebGate1/webgate/ohs/oamssobin
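The two failure points in this procedure, a url_fw.conf section left partly commented out and a login.pl or logout.pl whose first line names a missing interpreter, can be checked before the restart. The script below is an added example, not Oracle code; the function names and the constructed sample files are assumptions, as is the layout in which each url_fw.conf section opens with a three-line banner like the one quoted above.

```shell
#!/bin/sh
# Added example, not Oracle code: checks for the DMZ web tier before restart.

# Print each line still commented out in the AccessGate section of url_fw.conf
# as "lineno:text". Status: 0 = none left, 1 = some left, 2 = header missing.
# Assumption: every section opens with a three-line "#=====" banner.
accessgate_section_commented() {
    awk '
        /^#=====/ {
            # 1 -> 2: banner closing the AccessGate header
            # 2 -> 3: banner opening the next section, stop scanning
            if (state == 1) { state = 2 } else if (state == 2) { state = 3 }
            next
        }
        /^#Include URLs for Accessgate Application/ { state = 1; found = 1; next }
        state == 2 && /^[ \t]*#/ { printf "%d:%s\n", NR, $0; pending++ }
        END { if (!found) exit 2; if (pending) exit 1 }
    ' "$1"
}

# Classify the first line of a CGI script. An interpreter path that cannot be
# executed is what produces "Premature end of script headers" in the OHS log.
# Prints ok:<path>, missing-shebang, crlf-shebang or not-executable:<path>.
# crlf-shebang goes beyond the page: a carriage return after the path makes
# the kernel look for an interpreter whose name ends in CR.
cgi_interpreter_status() {
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    first=$(head -n 1 "$1")
    cr=$(printf '\r')
    case $first in
        '#!'*"$cr"*) echo "crlf-shebang"; return 1 ;;
        '#!'*) ;;
        *) echo "missing-shebang"; return 1 ;;
    esac
    # Strip "#!" and blanks, then keep the first word: the interpreter path.
    interp=$(printf '%s\n' "$first" | sed 's/^#![ ]*//; s/[ ].*$//')
    if [ -x "$interp" ] && [ ! -d "$interp" ]; then
        echo "ok:$interp"; return 0
    fi
    echo "not-executable:$interp"; return 1
}

# Run both checks for one node. Arguments: url_fw.conf path, oamssobin directory.
check_dmz_webtier() {
    rc=0
    accessgate_section_commented "$1" ||
        { echo "url_fw.conf: AccessGate section not fully enabled"; rc=1; }
    for name in login.pl logout.pl; do
        status=$(cgi_interpreter_status "$2/$name") || rc=1
        echo "$name: $status"
    done
    return $rc
}

# Constructed sample files; the rule lines are placeholders, not shipped rules,
# and /bin/sh stands in for a perl path that exists on the host.
write_sample_files() {
    cat > "$1/url_fw.conf" <<'EOF'
# constructed sample
#======================================================================
#Include URLs for Accessgate Application
#======================================================================
#RewriteRule ^/accessgate/.*$ - [L]
RewriteRule ^/oamssobin/.*$ - [L]
#======================================================================
#Include URLs for Placeholder Product
#======================================================================
#RewriteRule ^/placeholder/.*$ - [L]
EOF
    printf '#!/bin/sh\nexit 0\n' > "$1/login.pl"
    printf '#!/nonexistent/bin/perl\nprint "x";\n' > "$1/logout.pl"
}

demo_dir=$(mktemp -d) && write_sample_files "$demo_dir" &&
    check_dmz_webtier "$demo_dir/url_fw.conf" "$demo_dir" ||
    echo "sample node needs fixes"
rm -rf "$demo_dir"
```

On a real node, pass the path of your url_fw.conf and $FMW_HOME/Oracle_OAMWebGate1/webgate/ohs/oamssobin to check_dmz_webtier; a non-zero status means at least one check failed.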
After performing the configuration in this section, the following steps are required:
1. Test Single Sign-On with Oracle E-Business Suite
2. Perform fs_clone
Section 7: Optional Post Installation Steps
7.1 Implement functionality for self-service password changes
If you wish to implement functionality for self-service password changes, you may install and configure the identity
provisioning tool of your choice and integrate it with Oracle Access Manager and Oracle E-Business Suite. Refer to
the manual Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity and Access Management
for more information on integrating Oracle Access Manager with other provisioning and password management
tools.
Once you have configured your identity provisioning tool with Oracle Access Manager, you may allow users to
invoke an external URL that supports self-service password changes from the Oracle E-Business Suite Preferences
page. Set the following profile to enable this functionality.
Profile: Application SSO Change Password URL (APPS_SSO_CHANGE_PWD_URL)
Level: Site
Set this profile to an external page URL that supports self-service password change.
For example:
http://<IDM server>:<port>/account/changePassword.jsp
7.2 Migrating from using Oracle Single Sign-On Server
If you are migrating from using Oracle Single Sign-On Server, you should deregister OSSO from all nodes of your
Oracle E-Business Suite instance, once your Oracle Access Manager integration has been completed and tested.
Refer to My Oracle Support Knowledge Document 1371932.1. Your Oracle E-Business Suite instance and Oracle
Internet Directory registrations will be retained from your OSSO integration.
The OID registration scripts may reset the setting for the APPS_SSO profile option to SSWA. Log on to Oracle
E-Business Suite and verify the setting for the APPS_SSO profile option, changing it back to SSWA w/SSO if
necessary.
Section 8: Upgrade and Migration
8.1 Oracle Access Manager Upgrade and Migration
Integrating Oracle E-Business Suite is simpler for Oracle Access Manager 11g Release 2 (11.1.2) than it was for
previous Oracle Access Manager releases. Oracle E-Business Suite is certified using the default OAM single sign-on
page and no longer requires the configuration of an Oracle E-Business Suite specific single sign-on page. The
necessary configuration is now automated.
Follow the steps in section Integrate Oracle E-Business Suite with Oracle Access Manager to automatically integrate
your Oracle E-Business Suite Release 12.2 environment with Oracle Access Manager 11g Release 2 (11.1.2)
instead of migrating your old Oracle Access Manager configuration.
This is the recommended option because it involves fewer manual configuration steps.
Migration of the old Application Domain for Oracle E-Business Suite integration is not needed. If you have
previously migrated the Oracle E-Business Suite Application Domain along with other non-Oracle E-Business
Suite Application Domains from a previous Oracle Access Manager release to Oracle Access Manager 11g
Release 2, you must delete the old Oracle E-Business Suite Application Domain prior to creating the new
configuration. To delete your old Application Domain, use the Oracle Access Manager Console, select your old
Oracle E-Business Suite Application Domain in the Policy Configuration tab, and press the delete button.
8.1.1 Upgrading from Oracle Access Manager 11.1.2.2 to Oracle Access Manager 11.1.2.3:
As per Section 9 of the Oracle Fusion Middleware Release Notes for HTTP Server, Oracle WebGate version
11.1.2.3 for Oracle HTTP Server supports only Oracle HTTP Server version 11.1.1.9. If your version of Oracle HTTP
Server is lower than 11.1.1.9, it should be upgraded to 11.1.1.9 by following Document 1590356.1 Upgrading
Oracle Fusion Middleware Technology Stack of Oracle EBusiness Suite Release 12.2 to the latest 11gR1 (11.1.1.x)
Patchset, before upgrading Oracle WebGate to version 11.1.2.3.
There are two options when upgrading to Oracle Access Manager 11.1.2.3 (Option 1 is the recommended option):
Upgrade Oracle HTTP Server, Oracle Access Manager and Oracle WebGate (Option 1)
Upgrade Oracle Access Manager Only (Option 2)
8.1.1.1 Upgrade Oracle HTTP Server, Oracle Access Manager and Oracle WebGate (Option 1)
1. Follow the steps in Appendix A to deregister Oracle EBusiness Suite from Oracle Access Manager 11.1.2.2
2. Apply the prerequisite patches as documented in Table B of step 3.5.2 Download and apply Oracle
E-Business Suite Updates
3. Deinstall Oracle WebGate 11.1.2.2:
Execute the following commands to deinstall Oracle WebGate 11.1.2.2:
$ cd $FMW_HOME/Oracle_OAMWebGate1/oui/bin
$ ./runInstaller deinstall
After deinstallation, ensure that the directory 'Oracle_OAMWebGate1' under <FMW_Home> is removed.
4. Upgrade Oracle HTTP Server to 11.1.1.9, by referring to Document 1590356.1 Upgrading Oracle Fusion
Middleware Technology Stack of Oracle EBusiness Suite Release 12.2 to the latest 11gR1 (11.1.1.x) Patch
Set.
5. Upgrade Oracle Access Manager to 11.1.2.3.0, by referring to Oracle® Fusion Middleware Upgrade Guide
for Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0) together with Oracle® Fusion
Middleware Release Notes for Identity Management 11g Release 2 (11.1.2.3).
6. Follow Step 3.4 to apply Oracle Access Manager 11.1.2.3 Bundle Patch 3 (OAM 11.1.2.3.3) to Oracle Access
Manager Server.
7. Perform steps 3.5.3 to 4.4 (inclusive) to download and install WebGate 11.1.2.3 and Integrate Oracle
E-Business Suite 12.2 with Oracle Access Manager 11.1.2.3
8.1.1.2 Upgrade Oracle Access Manager Only (Option 2)
If you plan to continue using Oracle HTTP Server 11.1.1.7 with Oracle Access Manager 11.1.2.3, you must continue
using Oracle WebGate 11.1.2.2 with Oracle Access Manager 11.1.2.3. It is necessary to reregister Oracle
E-Business Suite 12.2 with Oracle Access Manager 11.1.2.3 using the new registration scripts for Oracle Access
Manager 11.1.2.3:
1. Follow the steps in Appendix A to Deregister Oracle E-Business Suite from Oracle Access Manager 11.1.2.2
2. Apply the prerequisite patches as documented in Table B of step 3.5.2 Download and apply Oracle
E-Business Suite Updates
3. Upgrade Oracle Access Manager to 11.1.2.3, by referring to Oracle® Fusion Middleware Upgrade Guide for
Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0) together with Oracle® Fusion
Middleware Release Notes for Identity Management 11g Release 2 (11.1.2.3).
4. Follow Step 3.4 to apply Oracle Access Manager 11.1.2.3 Bundle Patch 3 (OAM 11.1.2.3.3) to Oracle Access
Manager Server
5. Perform steps 4.1 to 4.4 (inclusive) to Integrate Oracle EBusiness Suite 12.2 with Oracle Access Manager
11.1.2.3
8.2 Oracle EBusiness Suite AccessGate Upgrade
If you have integrated Oracle EBusiness Suite Release 12.2 with Oracle Access Manager 11gR2 (11.1.2) using
Oracle EBusiness Suite AccessGate, following the steps in this document, and an update for Oracle EBusiness
Suite AccessGate becomes available, you may apply the Oracle EBusiness Suite AccessGate update as follows.
8.2.1 Download and apply the latest Oracle EBusiness Suite AccessGate Update
You will always find the latest certified update for Oracle EBusiness Suite AccessGate in the patch table at section
3.5.2 above. Apply the update to your Oracle EBusiness Suite Release 12.2 instance.
8.2.2 Redeploy Oracle EBusiness Suite AccessGate
Redeploy Oracle EBusiness Suite AccessGate using the same command as during initial deployment. Refer to
section 4.1 Deploy Oracle EBusiness Suite AccessGate or respectively section 6.4.1 Deploy Oracle EBusiness Suite
AccessGate in a DMZ.
Similar to the initial deployment of Oracle EBusiness Suite AccessGate, you can choose to redeploy on your
patch file system first, during an active Online Patching cycle, then cutover. Alternatively you can redeploy on
your run file system first when no Online Patching cycle is active.
8.2.3 Perform fs_clone
Your Oracle EBusiness Suite Release 12.2 instance is now integrated with Oracle Access Manager using the latest
Oracle EBusiness Suite AccessGate on your run file system. Perform an fs_clone to synchronize the changes to
your patch file system before you start the next Oracle EBusiness Suite Release 12.2 Online Patching cycle.
Section 9: Available Documentation
Oracle Fusion Middleware Documentation:
Oracle® Identity Management Documentation Library
Oracle® Fusion Middleware Administrator's Guide for Oracle Access Management
Oracle® Fusion Middleware WebLogic Scripting Tool Command Reference
Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity and Access Management
Oracle® Fusion Middleware High Availability Guide for Oracle Identity and Access Management
Oracle EBusiness Suite Documentation:
My Oracle Support Knowledge Document 1367293.1 Enabling SSL in Oracle EBusiness Suite Release 12.2
My Oracle Support Knowledge Document 1375670.1 Oracle EBusiness Suite Release 12.2 Configuration in a DMZ
My Oracle Support Knowledge Document 1614793.1 Cloning Oracle EBusiness Suite Release 12.2 Environments
integrated with Oracle Access Manager 11gR2 (11.1.2) and Oracle EBusiness Suite AccessGate
Appendix A: Deregister Oracle EBusiness Suite from Oracle Access Manager
Note that Oracle Access Manager maintains a single registration for your Oracle EBusiness Suite instance, and
does not distinguish between run and patch file system. Hence removing the registration from Oracle Access
Manager will affect the running system.
To deregister your Oracle EBusiness Suite instance from Oracle Access Manager:
Source the Oracle EBusiness Suite environment file of your run file system.
$ cd <EBS_BASE_HOME>
$ . EBSapps.env
$ echo $FILE_EDITION
EBS_BASE_HOME is the top directory where fs1, fs2, and others are installed.
Type "R" to select the run file system environment when prompted. Echo $FILE_EDITION returns "run" to indicate
that the run file system is sourced. Ensure there is no active Online Patching cycle.
Stop the OHS server on the Oracle EBusiness Suite Environment:
$ adapcctl.sh stop
Execute the following command to deregister Oracle EBusiness Suite from Oracle Access Manager.
$ txkrun.pl script=SetOAMReg deregisteroam=yes ebsProfileLevel=[Site|Server]
Specify ebsProfileLevel=Site if you followed the instructions in Section 4.2 and registered the instance at site level.
This will switch back the Oracle EBusiness Suite profile options Application Authenticate Agent
(APPS_AUTH_AGENT) and Applications SSO Type (APPS_SSO) to local login.
Specify ebsProfileLevel=Server if you registered the instance at server level. This will not affect the site level
profiles, and only remove the profiles at server level for the server that you deregister.
The script will prompt for the following information.
Enter OAM console URL (for example: http://myoam.us.oracle.com:7001)
Enter OAM console user name (for example: weblogic)
Enter OAM console password
Enter APPS password
Enter the required information when prompted.
The script will provide a summary of input values. Confirm that these are correct and start the deregistration.
Do you wish to continue (y|n)? y
The script will now perform the following main tasks automatically:
Deregister Oracle EBusiness Suite AccessGate with Oracle Access Manager.
Disable WebGate in your Oracle EBusiness Suite webtier.
Clear Oracle EBusiness Suite profile options Application Authenticate Agent (APPS_AUTH_AGENT) and
Applications SSO Type (APPS_SSO) to switch back to local login. If you registered the instance with
ebsProfileLevel=Site (default), deregistration will clear the profiles at SITE level. If you registered the
instance with ebsProfileLevel=Server, deregistration will clear the profiles at SERVER level.
Alternatively, you can execute the script with parameters. For example:
$ txkrun.pl script=SetOAMReg deregisteroam=yes \
oamHost=http://myoam.us.oracle.com:7001 \
oamUserName=weblogic \
skipConfirm=yes
The script must complete successfully. Review the log files for any error messages.
The script will not automatically delete the following entries, as you may have also used these for other partner
applications:
Authentication Scheme (by default named EBSAuthScheme)
Authentication Module (by default named LDAP_EBS)
Identity Store (by default named OIDIdentityStore)
If you exclusively used these entries for the Oracle EBusiness Suite instance that you deregistered, you may delete
the Authentication Scheme, Authentication Module, and Identity Store in the order listed, using your OAM
Administration Console.
After deregistering your Oracle EBusiness Suite instance from Oracle Access Manager, you no longer need the
Oracle EBusiness Suite AccessGate deployment. Delete your Oracle EBusiness Suite AccessGate using your
WebLogic Administration Console, for example:
http://ebshost.example.com:7001/console
In the WebLogic Administration Console, navigate to EBS_domain_sid > Deployments, stop then delete the Oracle
EBusiness Suite AccessGate application named "accessgate". Ensure that you click 'Activate Changes' in the
'Change Center' pane, for the changes to take effect.
If you do not use the data source "OAEADatasource" for any other application, you may also delete the datasource.
Navigate to EBS_domain_sid > Services > Data Sources, and delete data source "OAEADatasource". Ensure that
you click 'Activate Changes' in the 'Change Center' pane, for the changes to take effect.
Delete the Managed Server on which accessgate was deployed:
1. If the Managed Server oaea_server1 is currently running, shut it down as follows:
$ sh $ADMIN_SCRIPTS_HOME/admanagedsrvctl.sh stop oaea_server1
The script will prompt for the following passwords:
Enter the WebLogic Admin password.
Enter the required information when prompted.
2. Run the command below on the application tier node where the oaea_server1 managed server resides. This
will delete the managed server, and also update the respective context variables that contain references to
the deleted managed server:
$ perl $AD_TOP/patch/115/bin/adProvisionEBS.pl \
ebsdeletemanagedserver \
contextfile=$CONTEXT_FILE managedsrvname=oaea_server1
The script will prompt for the following passwords:
Enter the APPS Schema password.
Enter the WebLogic AdminServer password.
Enter the required information when prompted.
The following confirmation message will be displayed: ManagedServer oaea_server1 deleted
successfully.
3. Remove the managed server and port from the mod_wl_ohs.conf configuration:
$ perl $FND_TOP/patch/115/bin/txkSetAppsConf.pl \
contextfile=$CONTEXT_FILE \
configoption=removeMS \
accessgate=<host>.<domain>:<port>
To determine the value of the Port that was used for the oaea_server1 managed server, search for
's_wls_oaeaport' in $CONTEXT_FILE.
Stop and restart the Oracle EBusiness Suite Application Tier services.
Appendix B: Known Issues
The following table lists known issues and workarounds for Oracle EBusiness Suite integration with Oracle Access
Manager 11g Release 2 (11.1.2) using Oracle EBusiness Suite AccessGate.
Issue: OAM Failure on long URLs
Description and Workaround:
OAM System error. Please retry your action. If you continue to get this error, please contact the Administrator.
OAM02073 may be caused by long URLs that exceed a cookie limit on your Internet browser. Ensure that you
changed the serverRequestCacheType from COOKIE to FORM as documented in section Configure Oracle Access
Manager to support long URLs.

Issue: Language Support
Description and Workaround:
The following languages supported by Oracle E-Business Suite are not yet supported by the Oracle Access Manager
login page. If you have any of these languages installed in your Oracle E-Business Suite Environment, do not
configure the language functionality for the Oracle Access Manager login page in OAM 11.1.2.1.0 and continue
using Oracle E-Business Suite profile option 'Applications Override SSO Server Language'. Refer to the instructions
in section Configuring Languages for the Oracle Access Manager Login Page.
Hebrew: Bug 16901373. Fixed in OAM 11gR1 Patchset 2.
Croatian and Canadian French: Bug 16920577
Albanian, Catalan, Cyrillic Serbian, Dutch, Egyptian, Icelandic, Indonesian, Latin Serbian, Lithuanian, Slovenian,
Ukrainian, Vietnamese: Bug 16920613

Issue: Global Logout issue specific to Oracle Applications Framework pages
Description and Workaround:
Bug 14799314
If a user is subscribed to two Oracle E-Business Suite environments that are integrated with the same OID and
WebGate: If the user has two active sessions (one in each Oracle E-Business Suite environment) then logs out of
the first session, they are automatically logged out of the second session. However, when they click a link in the
second session, for example 'Preferences', instead of being redirected to the OAM single sign-on page, the
following error message is displayed:
Error
You have insufficient privileges for the current operation. Please contact your System Administrator.

Issue: iStore Logout doesn't redirect to iStore page after integration with OAM 11.1.2.2/11.1.2.3.
Description and Workaround:
After OAM 11.1.2.2 integration, iStore logout doesn't redirect to iStore page, it redirects to OAM SSO logout page
instead.
Solution:
This will be addressed through Bug 17947381.

Issue: OUI Installer fails to apply one-off patches using latest OPatch
Description and Workaround:
OUI Installer fails to apply one-off patches using latest OPatch
Solution:
This will be addressed through Bug 17848279.

Issue: Warning messages displayed during EBS AccessGate deployment
Description and Workaround:
Bug 19341220
The following warning message can be ignored:
<Warning> <JNDI> <BEA050001> <WLContext.close() was called in a different thread than the one in which it
was created.>

Issue: DMZ Deployment of Oracle E-Business Suite AccessGate on multiple internal and external nodes sharing a
single file system
Description and Workaround:
Bug 18949797
Oracle E-Business Suite AccessGate cannot be deployed in a shared file system for multiple internal and external
nodes.
Solution:
This issue will be addressed through bug 18949797.

Issue: In a load balanced configuration, there is a single web entry point that is being registered in OAM.
Deregistering one node will remove the OAM registration.
Description and Workaround:
To remove a single node from a multi node, load balanced configuration, do not deregister OAM using
txkrun.pl script=SetOAMReg deregisteroam=yes. Instead, clear the profile option 'Application Authenticate Agent'
(APPS_AUTH_AGENT) at server level for the server that is being removed from the configuration. Set the
autoconfig variable s_enable_webgate to '#', and run autoconfig. This will disable the webgate configuration on
the node that is being removed.
Solution:
Removal of a single node from a multi node load balanced configuration will be enhanced through bug 19558683.

Issue: mod_wl_ohs.conf has invalid entries
Description and Workaround:
Bug 19373026
The default server:port entry still exists in file mod_wl_ohs.conf after deploying Oracle E-Business Suite
AccessGate on a different dedicated server:port. For example:
***************************************************
<Location /accessgate>
SetHandler weblogic-handler
WebLogicCluster supplier.certdmz.com:6803,supplier.certdmz.com:3803
WLTempDir ${ORACLE_INSTANCE}/tmp
</Location>
***************************************************
Solution: Remove the invalid entry using
$ perl $FND_TOP/patch/115/bin/txkSetAppsConf.pl \
contextfile=$CONTEXT_FILE \
configoption=removeMS \
accessgate=<host>.<domain>:<port>

Issue: Running fs_clone after completing AccessGate and OAM integration and after completing a patch cycle
results in fs_clone failing with port conflicts
Description and Workaround:
Bug 19817016
The following errors are encountered when running fs_clone after completing AccessGate and OAM integration
and after completing a patch cycle:
Checking WLS OAEA Application Port on aolesc11: Port Value = 6801
RC50204: Error: WLS OAEA Application Port in use: Port Value = 6801
ERROR: The following required ports are in use:
6801 : WLS OAEA Application Port
Corrective Action: Free the listed ports and retry the adop operation.
Workaround:
Stop the oaea managed server on the run file system before performing the fs_clone operation, immediately after
the accessgate deployment.
Solution:
This issue will be addressed through Bug 19817016.

Issue: After applying the November 2014 AD TXK Bundles (Patch 20034256:R12.AD.C and Patch
20043910:R12.TXK.C respectively): EBS AccessGate deployment failures with error messages:
ERROR: Unable to shutdown the managed server
ERROR: Unable to start managed server
Description and Workaround:
Bug 20120776, Bug 20120500
Workaround:
To deploy Oracle E-Business Suite AccessGate, source the run file system, then execute adProvisionEBS.pl to
deploy Oracle E-Business Suite AccessGate as documented. Ignore the Unable to shutdown message in the log
file. Manually stop and start the managed server after deployment.
Solution:
This issue is addressed in the AD/TXK Delta 6 patches.

Issue: The Link-on-the-fly page fails if the <Enter> key is used to submit the username and password
Description and Workaround:
Bug 21330792
Workaround:
Click the 'apply' button on the Link-on-the-fly page and the user credentials are accepted.
Solution:
This issue is addressed in Patch 21330792.

Issue: OUD integration only (this issue does not occur with OID integration): After session timeout and
reauthentication, the user cannot continue using an open Oracle Form. The user is redirected to the Oracle
E-Business Suite home page.
Description and Workaround:
Workaround:
Close the browser.
Alternatively, exit Oracle Applications.
Click 'OK' at the following message prompt:
"Press OK when you have logged in using the other window"
Click 'No' at the following message prompt:
"Your log on session is no longer valid. Would you like to log back in so you can continue working?
If you do not log back in, any outstanding data changes in your forms will not be saved."
Click 'OK' at the following message prompt:
"Your log on session has become invalid. Exiting Oracle Applications."
Solution: Contact OUD Support to request a patch for OUD Bug 20989144.
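For the mod_wl_ohs.conf known issue above (Bug 19373026) and step 3 of the managed server removal in Appendix A, the following added example (not Oracle code) lists the WebLogicCluster members of the /accessgate Location block and flags those whose port differs from s_wls_oaeaport. The function names, the sample host names and ports, and the single-line context-file element layout are assumptions; it also assumes one AccessGate managed server per node.

```shell
#!/bin/sh
# Added example, not Oracle code: find /accessgate back ends in mod_wl_ohs.conf
# whose port is not the one recorded in the context file.

# Print the value of s_wls_oaeaport. Assumption: the context file stores it as
# the text of a single-line element carrying oa_var="s_wls_oaeaport".
context_oaea_port() {
    sed -n 's/.*oa_var="s_wls_oaeaport"[^>]*>\([^<]*\)<.*/\1/p' "$1" | head -n 1
}

# Print one host:port per line for every WebLogicCluster member inside
# <Location /accessgate> blocks; other Location blocks are ignored.
accessgate_cluster_members() {
    awk '
        /^[ \t]*<Location[ \t]+\/accessgate>/ { inblock = 1; next }
        /^[ \t]*<\/Location>/                  { inblock = 0; next }
        inblock && $1 == "WebLogicCluster" {
            list = ""
            for (i = 2; i <= NF; i++) list = list $i   # tolerate "a:1, b:2"
            n = split(list, member, ",")
            for (i = 1; i <= n; i++) if (member[i] != "") print member[i]
        }
    ' "$1"
}

# Print members whose port differs from the expected port ($2).
# Status: 0 = all match, 1 = at least one entry to review.
accessgate_unexpected_members() {
    accessgate_cluster_members "$1" | awk -F: -v want="$2" '
        $NF != want { print; bad = 1 }
        END { exit bad + 0 }
    '
}

# Constructed sample files (host names, ports and element name are made up).
write_sample_config() {
    cat > "$1/mod_wl_ohs.conf" <<'EOF'
<Location /OA_HTML>
  SetHandler weblogic-handler
  WebLogicCluster ebsdmz.example.com:7201
</Location>
<Location /accessgate>
  SetHandler weblogic-handler
  WebLogicCluster ebsdmz.example.com:6801,ebsdmz.example.com:6802
  WLTempDir ${ORACLE_INSTANCE}/tmp
</Location>
EOF
    cat > "$1/context.xml" <<'EOF'
<oa_context>
  <wls_oaeaport oa_var="s_wls_oaeaport" oa_type="PORT">6801</wls_oaeaport>
</oa_context>
EOF
}

demo_dir=$(mktemp -d) && write_sample_config "$demo_dir" &&
    port=$(context_oaea_port "$demo_dir/context.xml") &&
    accessgate_unexpected_members "$demo_dir/mod_wl_ohs.conf" "$port" ||
    echo "review the entries above, then remove them with configoption=removeMS"
rm -rf "$demo_dir"
```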
Appendix C: Product-Specific Single Sign-On Exceptions
A small number of Oracle E-Business Suite products have limited or no support for Oracle Access Manager. Refer
to the table below for more information.

Product Name: Oracle Demand Signal Repository
Comments: Integration with Oracle Access Manager is not supported at this time.

Product Name: Oracle iLearning (Standalone)
Comments: Oracle iLearning is a standalone product and is not part of E-Business Suite. Support for Oracle Access
Manager is planned for a later date. Oracle Learning Management is part of the E-Business Suite and is certified
with Oracle Access Manager.

Product Name: Oracle Manufacturing Operation Center
Comments: Administrative functions of this product require Oracle Warehouse Builder, which does not support
integration with Oracle Access Manager.

Product Name: Oracle Mobile Field Service
Comments: Single sign-on for Mobile Field Service is currently provided through the mod_osso agent only. Support
for WebGate and Oracle E-Business Suite AccessGate is planned for a later date.

Product Name: Oracle Sales Offline
Comments: Sales Offline currently requires the "Application SSO Login Types" profile option to be set to 'Local' or
'Both' for users. This is documented in Oracle Sales Offline Implementation Guide Release 12.1. The product plans
to support Oracle Access Manager at a later date.

Product Name: Oracle Warehouse Management
Comments: Integration with Oracle Access Manager is not supported at this time.

Product Name: Oracle Workflow
Comments: Single sign-on functionality is not supported with password-based digital signatures. If using
password-based signatures, you must set the "Applications SSO Login Types" profile option to either 'Local' or
'Both' for all users who need to enter password-based signatures.

Product Name: Oracle XML Gateway
Comments: Integration with Oracle Access Manager is not supported at this time. The "Application SSO Login
Types" profile option must be set to 'Local' or 'Both' for all users with this responsibility.
Change Log
Date Comments
Jan 28, 2016 Clarified the details in section 6.2 for the Load Balanced configuration.
Dec 18, 2015 Added missing OAM Registration step for OUD Integration to Section 6.4.2 for DMZ.
Dec 9, 2015 Updated to include Oracle Unified Directory 11.1.2.3.
Oct 29, 2015 Updated to include Oracle Access Manager WebGate 11.1.2.3 as WebTier 11.1.1.9 is certified with
Oracle EBusiness Suite 12.2.
Oct 7, 2015 Replaced EAG Patch 19767816 with EAG Patch 21523147. Added Bug 21330792 to Known Issues.
Sep 28, 2015 Added recommendation to apply OAM BP3 (as this includes the fix for Bug 19438948).
Sep 22, 2015 Removed Known Issue requiring Patch 16513008 as this is fixed from OAM 11.1.2.2 onwards.
Aug 26, 2015 Clarified in section 4.1 that Oracle E-Business Suite AccessGate can be deployed to a non-default
managed server.
Aug 17, 2015 Corrected Patch application sequence in section 3.4: OAM BP1 must be applied before Patch 19438948.
Aug 7, 2015 Added Patch 19438948 as a prerequisite patch.
Jul 22, 2015 Added OAM BP01 as a prerequisite (as it includes Patch 21084067).
Jun 23, 2015 Updated for OAM 11.1.2.3.
Mar 17, 2015 Corrected Table in Appendix C.
Jan 23, 2015 Removed footnote for Windows customers from Section 3.4.2.
Updated Load Balancing Section 6.2 to be more concise.
Added an explanation to the introduction regarding integrating multiple Oracle EBusiness Suite
instances.
Dec 11, 2014 Added EAG Patch 19767816.
Added Bug 20120776 and Bug 20120500 to Known Issues section.
Nov 11, 2014 Added Bug 19817016 to Known Issues section with workaround.
Oct 29, 2014 Added requirement for RHEL 6 customers to apply Unified Installer Patch 18231786 before installing
Oracle Access Manager 11.1.2.2.0.
Oct 10, 2014 Added patches for Windows customers.
Added link to MOS Note 1614793.1 in Available Documentation Section.
Oct 1, 2014 Corrected Change Log.
Sep 11, 2014 Finalized patches required on top of TXK Delta 5 in section 3.4.1.
Aug 18, 2014 Updated txksetappsconf.pl commands at section 4.1 and section 6.4.1.
Added required patches to table in section 3.4.1:
R12.TXK.C Patch 19344241
Aug 16, 2014 Updated to include R12.TXK.C.DELTA.5 Patch 18288881.
Deleted the OAM registration Known Issue as this is not an issue from RUP 5 onwards.
Updated the DMZ information in section 6.4.
Added required patches to table in section 3.4.1:
R12.TXK.C Patch 18921971
R12.AD.C Patch 19223358
Aug 15, 2014 Added Known Issue Bug 19438948 Issue in PS2 and BP2 with USER_ORCLGUID attribute.
Deleted Note box recommending install of WebGate 11.1.2.1 for Linux customers as issue with installer
(Bug 18758638) has now been addressed.
Jun 20, 2014 Added Oracle EBusiness Suite AccessGate 1.2.3 patch and consolidated patch 18497540.
Added requirement to stop OHS before performing OAM deregistration.
May 28, 2014 Corrected logoutUrl parameter for DMZ.
Added a test to ensure that login.pl and logout.pl function correctly in a DMZ environment.
Added instructions for upgrading Oracle EBusiness Suite AccessGate.
May 27, 2014 Updated Section 3.3. to clarify that OAM 11.1.2.2.0 should be installed.
May 23, 2014 Added Known Issue for Linux 11.1.2.2.0 Webgates to Section 3.4.2 (Bug 18758638).
Apr 17, 2014 Corrected authChalRedirectUrl parameter example in Section 6.4.2 (removed the port as the URL
without the port is required for this parameter in a DMZ environment).
Apr 1, 2014 Added regeneration of mod_wl_ohs.conf. This step is required on R12.TXK.C.DELTA.4 and will be
removed with a future TXK patchset.
Mar 11, 2014 Added required fs_clone.
Feb 27, 2014 Added section on load balancing.
Added prerequisite R12.TXK.C.DELTA.4.
Moved WebGate install to the prerequisite section.
Added note that registration is supported on either run or patch file system.
Feb 26, 2014 Added New Section 6.2 to provide configuration details for load balanced environments.
Feb 07, 2014 Updated with OAM PS2 (11.1.2.2) related changes
Dec 31, 2013 Added requirement to specify values for 'ldapSearchBase' and 'ldapGroupSearchBase' in txkrun.pl
command in Section 4.3.
Dec 16, 2013 1) Updated for Oracle EBusiness Suite Release 12.2.3.
2) Updated Section 4.3:
Added clarification that the OAM registration script is rerunnable.
Added the 'webgatestagedir' parameter example to the noninteractive command in section 4.3.
Dec 9, 2013 Removed empty patching cycle from Section 4.1.1.
Oct 24, 2013 Added clarification to DMZ section and details of Known Issues for DMZ environments.
Sep 26, 2013 Corrected OAM Logout URL parameter in DMZ Section 2.3 (was 'DOAMLogoutURL' but should be
'OAMLogoutURL').
Sep 19, 2013 Document published for Oracle EBusiness Suite Release 12.2.
Knowledge Document 1576425.1 by Oracle EBusiness Suite Development
Copyright© 2013 Oracle