Friday, July 28, 2017

Oracle EBS 12.2.6 Single Sign on using OID, OAM 11G

Before directly jumping down to the steps, let us find some differences between the integrations of OAM/OID with EBS 12.2 and EBS 12.1

In EBS 12.2, it has the built in Weblogic techstack which has drastically modified the steps on how it integrates with FMW products such as OAM. Thus in a nutshell, steps have been reduced when we integrate EBS 12.2 with OAM/OID.

In EBS 12.1, the high level steps are as follows:

     1. Install EBS 12.1.X
     2. Install separate Weblogic and top of it OID/OAM
     3. Install OHS 11g server and install Webgate on top of it
     4. Install another welogic server and accessgate on top of it
     5. Integrate webgate, accessgate to work with EBS and OID/OAM







                          Images are from Overview of Single Sign-On Integration Options for Oracle E-Business Suite (Doc ID 1388152.1)






      In EBS 12.2, the high level steps are as follows

     1. Install EBS 12.2.X
     2. Install separate Weblogic and top of it OID/OAM
     3. R12.2 has built in OHS 11g and weblogic server. 
     4. Deploy and configure webgate on top of R12.2 OHS 11g
     5. Deploy and configure accessgate on a separate managed server on top of r12.2 weblogic.
     6. Integrate webgate, accessgate to work with EBS and OID/OAM








Images are from Overview of Single Sign-On Integration Options for Oracle E-Business Suite (Doc ID 1388152.1)


 Let’s brush up some basics first before going into the installation

Oracle Internet Directory (OID)

Oracle Internet Directory (OID) is Lightweight Directory Access Protocol (LDAP) server from Oracle where all enterprise users are stored. Users in OID are synchronized with users in EBusiness Suite (EBS) using Directory Integration Platform (DIP). Oracle Access Manager(OAM) should use OID (or Oracle Virtual Directory- OVD pointing to this OID) as its identity store for authentication.

Directory Integration Platform (DIP)

Directory Integration Platform (DIP) 11g is J2EE application deployed on WebLogic server and used for provisioning/synchronization of users/groups across other LDAP servers and applications. DIP consists of two type of engine, Synchronization and Provisioning. Synchronization component is used to sync users/groups between OID and other LDAP servers like Microsoft Active Directory (MS-AD) or IBM Directory Server. Provisioning is used to sync OID with applications like EBS, Portal, and Collaboration Suite. For user synchronization between OID and EBS, DIP uses its provisioning component.

Oracle Directory Services Manager (ODSM)

Oracle Directory Services Manager (ODSM) is a web application deployed on WebLogic server and used to manage OID using web browser. Using ODSM you can configure/manage OID, and create/delete users/groups.

Oracle WebLogic Server (WLS)

Oracle WebLogic Server (WLS) is J2EE Application Server from Oracle. WebLogic Domain is logical component in which all resources (Admin Server, Managed Server, Java Database Connectivity(JDBC), Java Messaging Server(JMS)) are deployed/configured. WebLogic Domain consists of one and only one Admin Server and zero or more managed server. 

Oracle Access Manager (OAM)

Oracle Access Manager is a J2EE application deployed on Weblogic Server and used as Authentication & Authorization Server. OAM Server consists of OAM Server deployed on WebLogic Managed Server (default port 14100). There is OAM-Proxy server running in background on default port 5575. Agents (WebGate) connect to OAM-Proxy Port. OAMConsole is web application deployed on WebLogic Admin Server (default port 7001). OAM Console application is used to manage configuration, and define/manage policies, authentication schemes.
OAM Configuration is stored in XML file (oam-config.xml) on server and contains all OAM configuration like server name, port, webgate details, and audit store details. If we want to change the admin server port, then we need to shut down admin server and managed server first, then we need to change the listen port under config.xml file and start the admin, managed servers to take the new port. OAM Policy Store is a repository (database) which stores policy (details like which URL is protected and using what authentication/authorization schemes)

Oracle HTTP Server (OHS)

Oracle HTTP Server is a Web Server from Oracle on which Web Gate is deployed. Users are redirected from EBS Middle Tier to this server for authentication (URL of this server is configured in EBS Profile option “Application Authentication Agent”). OHS acts as proxy server to WebLogic Server on which EBS AccessGate (EBS-AG) is deployed. This OHS server also has mod_wl_ohs configured to forward request to WebLogic Server where Oracle EBusiness Suite AccessGate (EBS-AG) is deployed. E-Business Suite R12 comes with its own OHS server, OHS server mentioned here is different OHS server than one shipped with EBS R12 technology stack. 

Web Gate

Web Gate is a web server plug-in (deployed with WebServer like Apache, OHS, IHS) which intercepts user's request and send it to Oracle Access Manager Server to check if user is authenticated/authorized to access requested resource. Web Gate is installed on same machine as WebServer (OHS) and webgate configuration settings are pointed OHS configuration file(httpd.conf). For Web Gate to work an instance of Web Gate must be configured in OAM Server using Remote Registration (REG) utility or OAMConsole and Web Gate must be installed with OHS using same user as OHS.

Oracle E-Business Suite Access Gate

EBS AccessGate (EBS-AG) is a Java EE Application that maps a Single Sign-On user (authenticated via OAM) to an Oracle E-Business Suite user (stored in FND_USER table), and creates E-Business Suite session for that user. EBS-AG is deployed on WebLogic Server using ANT script which creates a web application and JDBC connection to EBS Database. Login Page for E-Business Suite is also configured as part of EBS AG.

Profile Option

Profile Option is used in E-Business Suite to update behavior of environment. Profile option which are used in Oracle E-Business Suite are Application SSO Type and Application

Authentication Agent

Application SSO Type (APPS_SSO) - This profile option can be set only at site level from one of four values SSWA, Portal, SSWA w/SSO or Portal w/SSO. To inform E-Business Suite that Single Sign-On is configured and redirect user to Single Sign-On Page and not to Local Login page, set this profile option to either SSWA w/SSO or Portal w/SSO
Application Authentication Agent (APPS_AUTH_AGENT) – 
When this profile option is set with "Application SSO Type", user is redirected page generated from this profile option. Lets assume value of profile option "Application SSO Type" is set to http://ohsserver:ohsport/ebsauth_dev/,  then user will be redirected to page http://ohsserver:ohsport/ebsauth_dev/OAMLogin.jsp. Value of profile option "Application Authentication Agent " is set to format http://server:port/<context_root> where server is name of server where Oracle HTTP Server (OHS) with Web Gate is installed, port is OHS Listen Port and context_root is context root defined during AccessGate configuration.


Request Flow for E-business Suite integrated with OAM/OID

1.User access E-Business Suite URL http://<ebs_mid_tier>:<ebs_ohs_port> or http://<ebs_mid_tier>:<ebs_ohs_port/OA_HTML/AppsLogin . EBS checks
that profile option “Application SSO Type” is set to Portal w/SSO or SSWA w/SSO
(w/SSO signifies that EBS is integrated with Single Sign-On Server).

2.EBS then check value of profile option “Application Authentication Agent” (value is set to  
http://<ohs_with_wg>:<ohs_with_wg:port>/<context_root>/ , where <context_root>
is value set during E-Business Suite Access Gate Deployment) and redirect user to value
set for “Application Authentication Agent”.

3.Web Gate deployed with OHS server then check if any token (Cookie) is available in user session 
and forwards this request to OAM server for validation.

4.OAM server will then check authentication URL configured for Web Gate (Host:Port or Host  
Identifier) and redirect user to authentication page configured by authentication
URL. User will then type username/password, which OAM will validate against OAM’s
identity store (Oracle Internet Directory). Oracle Internet Directory will validate
username and password against UID (login attribute) and userPassword (password
attribute)

5.On successful authentication OAM will forward response back to WebGate with generate
Cookie

6.Web Gate will then redirect user to E-Business Suite Access Gate for user validation or user 
Mapping

7.E-Business Suite Access Gate will take this user ID and map/validate against user in 
EBusinessSuite (FND_USER)

8. On successful validation response is returned back to Web Gate
9. Web Gate will forward response to user
10.User with token/cookie from WebGate/Access Gate to E-Business Middle Tier
11. E-Business Suite Middle Tier will generate E-Business Suite specific cookie to user and in subsequent requests, user talks directly to Oracle E-Business Suite until explicit log out or timeout
   Note: User in E-Business Suite (FND_USER) are synchronized with Oracle Internet Directory using Directory Integration Platform’s Provisioning Framework


Steps to integrate Oracle EBS R12 with OAM for Single Sign-On

Assumptions:

1. 12.1.0.2 database
2. JDK-6u45 for OAM and JDK-1.7.0_141 for OID
3. Weblogic server 10.3.6
4. RCU 11g
5. Oracle Identitiy management 11.1.1.9
6. Oracle access management 11.2.0.3
7. EBS 12.2.6

If you need the step by step document, please contact me at samratsinha05@gmail.com.

Thursday, July 27, 2017

Adop phase=prepare failing with error [UNEXPECTED]Error 1 occurred while Executing txkADOPValidation script on ebs1

As part of EBS 12.2.6 integration with OID, i was trying to run adop phase=prepare in the patch file system and i encountered the below error

[UNEXPECTED]Error occurred running "perl /u01/r12/application/fs1/EBSapps/appl/ad/12.0.0/patch/115/bin/txkADOPValidations.pl  -contextfile=/u01/r12/application/fs1/inst/apps/PROD_ebs1/appl/admin/PROD_ebs1.xml -patchctxfile=/u01/r12/application/fs2/inst/apps/PROD_ebs1/appl/admin/PROD_ebs1.xml -phase=prepare -logloc=/u01/r12/application/fs_ne/EBSapps/log/adop/3/20170226_034703/prepare/validate/ebs1 -promptmsg=hide"
    [UNEXPECTED]Error 1 occurred while Executing txkADOPValidation script on ebs1


[STATEMENT] Please run adopscanlog utility, using the command

"adopscanlog -latest=yes"

to get the list of the log files along with snippet of the error message corresponding to each log file.


adop exiting with status = 1 (Fail)



The detailed error was




Use of uninitialized value $result in split at /u01/r12/application/fs1/EBSapps/appl/au/12.0.0/perl/TXK/ADOPValidationUtils.pm line 1291.
No such file or directory at /u01/r12/application/fs1/EBSapps/appl/au/12.0.0/perl/TXK/ADOPValidationUtils.pm line 230.



The solution is mentioned in one of the metalink note:Error "Use of uninitialized value $result in split" In File txkADOPValidations.error When Running fs_clone (Doc ID 2090393.1)

[applmgr@ebs1 validations]$ sqlplus apps

SQL*Plus: Release 10.1.0.5.0 - Production on Sun Feb 26 04:34:29 2017

Copyright (c) 1982, 2005, Oracle.  All rights reserved.

Enter password:

Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

SQL> select distinct(PATH) from FND_OAM_CONTEXT_FILES where NAME not in ('TEMPLATE','METADATA','config.txt') and CTX_TYPE='A' and (status is null or upper(status) in ('S','F')) and EXTRACTVALUE(XMLType(TEXT),'//file_edition_type') = 'patch';

no rows selected

SQL>
[applmgr@ebs1 application]$ . ./EBSapps.env

  E-Business Suite Environment Information
  ----------------------------------------
  RUN File System           : /u01/r12/application/fs1/EBSapps/appl
  PATCH File System         : /u01/r12/application/fs2/EBSapps/appl
  Non-Editioned File System : /u01/r12/application/fs_ne


  DB Host: ebs1.oracle.com  Service/SID: PROD


  E-Business Suite Environment Setting
  ------------------------------------
  - Enter [R/r] for sourcing Run File System Environment file, or
  - Enter [P/p] for sourcing Patch File System Environment file, or
  - Enter anything else to exit

  Please choose the environment file you wish to source [R/P]:P

  Sourcing the PATCH File System ...

[applmgr@ebs1 application]$ echo $CONTEXT_FILE
/u01/r12/application/fs2/inst/apps/PROD_ebs1/appl/admin/PROD_ebs1.xml
[applmgr@ebs1 application]$


$ADJVAPRG oracle.apps.ad.autoconfig.oam.CtxSynchronizer \
action=upload \
contextfile=/u01/r12/application/fs2/inst/apps/PROD_ebs1/appl/admin/PROD_ebs1.xml \
logfile=/tmp/patchctxupload.log
run the query to validate

Run the below query again to validate


select distinct(PATH) from FND_OAM_CONTEXT_FILES where NAME not in ('TEMPLATE','METADATA','config.txt') and CTX_TYPE='A' and (status is null or upper(status) in ('S','F')) and EXTRACTVALUE(XMLType(TEXT),'//file_edition_type') =



EBS adop error:ORA-20008: No Concurrent Manager is running that can run concurrent program

While i was on my way to apply a patch in EBS 12.2.6, i enountered an error which is very common.

ORA-20008: No Concurrent Manager is running that can run concurrent program

I checked the concurrent manager status from front end and saw that it was not correct. I then checked the manager status

adcmctl.sh status apps/password

You are running adcmctl.sh version 120.19.12020000.7

Internal Concurrent Manager is Not Active at this time.

adcmctl.sh: exiting with status 0


adcmctl.sh: check the logfile /u01/r12/application/fs1/inst/apps/PROD_ebs1/logs/appl/admin/log/adcmctl.txt for more information ...


Thus the information stored in the Concurrent manager tables are not correct. In EBS 12.2 cmclean.sql is not supported, instead there is an alterative option known as cpadmin.sh.I Stopped the concurrent manager and then invoked cpadmin.sh


[applmgr@ebs1 scripts]$ cpadmin.sh


                     Copyright (c) 2015 Oracle Corporation
                        Redwood Shores, California, USA

                   Oracle E-Business Suite CP Administration
                             $Revision: 120.0.12020000.5 $

Logging to file /u01/r12/application/fs_ne/inst/PROD_ebs1/logs/appl/conc/log/cpadmin.022620170737

Enter the password for your 'APPS' ORACLE schema:
Connecting to database...



         CP Administration Main Menu
   --------------------------------------------------

   1.    Administer Concurrent Managers

   2.    Administer Concurrent Requests


   E.    (E)xit CP Administration


Enter your choice: [E] :  1
        Administer Concurrent Managers
   --------------------------------------------------

   1.    Manager Status
          - Show status of all managers

   2.    Clean concurrent processing tables--choose the second option
          - Ensure concurrent processing tables are cleaned and reset for ICM startup

   3.    Set Manager Diagnostics
          - Turn diagnostics on/off for specific managers

   4.    Control a manager or service
          - Send a control request to a manager or service

   5.    Rebuild Concurrent Manager Views
          - Rebuild Views for Fnd_Concurrent_Worker_Requests and Fnd_Concurrent_CRM_Requests


   R.    (R)eturn to previous menu

   E.    (E)xit CP Administration




Thereafter, adop phase=prepare successfully got completed.