Before jumping into the steps, let us look at some differences between the OAM/OID integrations of EBS 12.2 and EBS 12.1.
EBS 12.2 ships with a built-in WebLogic tech stack, which drastically changes how it integrates with FMW products such as OAM. In a nutshell, fewer steps are needed to integrate EBS 12.2 with OAM/OID.
In EBS 12.1, the high level steps are as follows:
1. Install EBS 12.1.X
2. Install a separate WebLogic server and OID/OAM on top of it
3. Install an OHS 11g server and WebGate on top of it
4. Install another WebLogic server and AccessGate on top of it
5. Integrate WebGate and AccessGate to work with EBS and OID/OAM
Images are from Overview of Single Sign-On Integration Options for Oracle E-Business Suite (Doc ID 1388152.1)
In EBS 12.2, the high level steps are as follows:
1. Install EBS 12.2.X
2. Install a separate WebLogic server and OID/OAM on top of it
3. R12.2 has built-in OHS 11g and WebLogic server.
4. Deploy and configure WebGate on top of the R12.2 OHS 11g
5. Deploy and configure AccessGate on a separate managed server on top of the R12.2 WebLogic
6. Integrate WebGate and AccessGate to work with EBS and OID/OAM
Let’s brush up on some basics first before going into the installation.
Oracle Internet Directory (OID)
Oracle Internet Directory (OID) is the Lightweight Directory Access Protocol (LDAP) server from Oracle in which all enterprise users are stored. Users in OID are synchronized with users in E-Business Suite (EBS) using the Directory Integration Platform (DIP). Oracle Access Manager (OAM) should use OID (or Oracle Virtual Directory, OVD, pointing to this OID) as its identity store for authentication.
Directory Integration Platform (DIP)
Directory Integration Platform (DIP) 11g is a J2EE application deployed on WebLogic Server and used for provisioning/synchronization of users and groups across other LDAP servers and applications. DIP consists of two types of engine: synchronization and provisioning. The synchronization component syncs users/groups between OID and other LDAP servers such as Microsoft Active Directory (MS-AD) or IBM Directory Server. Provisioning syncs OID with applications such as EBS, Portal and Collaboration Suite. For user synchronization between OID and EBS, DIP uses its provisioning component.
Oracle Directory Services Manager (ODSM)
Oracle Directory Services Manager (ODSM) is a web application deployed on WebLogic Server and used to manage OID through a web browser. Using ODSM you can configure/manage OID and create/delete users/groups.
Oracle WebLogic Server (WLS)
Oracle WebLogic Server (WLS) is a J2EE application server from Oracle. A WebLogic domain is the logical component in which all resources (Admin Server, managed servers, Java Database Connectivity (JDBC), Java Message Service (JMS)) are deployed/configured. A WebLogic domain consists of exactly one Admin Server and zero or more managed servers.
Oracle Access Manager (OAM)
Oracle Access Manager is a J2EE application deployed on WebLogic Server and used as an authentication and authorization server. The OAM Server runs on a WebLogic managed server (default port 14100). An OAM proxy server runs in the background on default port 5575; agents (WebGates) connect to this OAM proxy port. OAMConsole is a web application deployed on the WebLogic Admin Server (default port 7001) and is used to manage configuration and to define/manage policies and authentication schemes.
OAM configuration is stored in an XML file (oam-config.xml) on the server and contains all OAM configuration such as server name, port, WebGate details and audit store details. To change the admin server port, shut down the admin server and managed server first, change the listen port in config.xml, then start the admin and managed servers so the new port takes effect. The OAM policy store is a repository (database) that stores policies (details such as which URL is protected and using what authentication/authorization schemes).
Oracle HTTP Server (OHS)
Oracle HTTP Server is a web server from Oracle on which Web Gate is deployed. Users are redirected from the EBS middle tier to this server for authentication (the URL of this server is configured in the EBS profile option “Application Authentication Agent”). OHS acts as a proxy server to the WebLogic Server on which EBS AccessGate (EBS-AG) is deployed: it has mod_wl_ohs configured to forward requests to that WebLogic Server. E-Business Suite R12 comes with its own OHS server; the OHS server mentioned here is a different one from that shipped with the EBS R12 technology stack.
Web Gate
Web Gate is a web server plug-in (deployed with a web server such as Apache, OHS or IHS) which intercepts the user's request and sends it to the Oracle Access Manager server to check whether the user is authenticated/authorized to access the requested resource. Web Gate is installed on the same machine as the web server (OHS), and the WebGate configuration settings are referenced from the OHS configuration file (httpd.conf). For Web Gate to work, an instance of Web Gate must be configured in the OAM server using the Remote Registration (RREG) utility or OAMConsole, and Web Gate must be installed with OHS using the same OS user as OHS.
Oracle E-Business Suite Access Gate
EBS AccessGate (EBS-AG) is a Java EE application that maps a Single Sign-On user (authenticated via OAM) to an Oracle E-Business Suite user (stored in the FND_USER table) and creates an E-Business Suite session for that user. EBS-AG is deployed on WebLogic Server using an ANT script which creates a web application and a JDBC connection to the EBS database. The login page for E-Business Suite is also configured as part of EBS-AG.
Profile Option
Profile options are used in E-Business Suite to change the behavior of the environment. The profile options relevant to this integration are Application SSO Type and Application Authentication Agent.
Application SSO Type (APPS_SSO) - This profile option can be set only at site level, to one of four values: SSWA, Portal, SSWA w/SSO or Portal w/SSO. To inform E-Business Suite that Single Sign-On is configured and to redirect the user to the Single Sign-On page instead of the local login page, set this profile option to either SSWA w/SSO or Portal w/SSO.
Application Authentication Agent (APPS_AUTH_AGENT) - When this profile option is set together with “Application SSO Type”, the user is redirected to a page generated from this profile option's value. Suppose “Application Authentication Agent” is set to http://ohsserver:ohsport/ebsauth_dev/; the user is then redirected to the page http://ohsserver:ohsport/ebsauth_dev/OAMLogin.jsp. The value of “Application Authentication Agent” has the format http://server:port/<context_root>, where server is the name of the server where Oracle HTTP Server (OHS) with Web Gate is installed, port is the OHS listen port and context_root is the context root defined during AccessGate configuration.
Request Flow for E-Business Suite integrated with OAM/OID
1. The user accesses the E-Business Suite URL http://<ebs_mid_tier>:<ebs_ohs_port> or http://<ebs_mid_tier>:<ebs_ohs_port>/OA_HTML/AppsLogin. EBS checks that profile option “Application SSO Type” is set to Portal w/SSO or SSWA w/SSO (w/SSO signifies that EBS is integrated with a Single Sign-On server).
2. EBS then checks the value of profile option “Application Authentication Agent” (set to http://<ohs_with_wg>:<ohs_with_wg_port>/<context_root>/, where <context_root> is the value set during E-Business Suite AccessGate deployment) and redirects the user to the URL set for “Application Authentication Agent”.
3. The Web Gate deployed with the OHS server checks whether a token (cookie) is available in the user session and forwards the request to the OAM server for validation.
4. The OAM server checks the authentication URL configured for the Web Gate (Host:Port or Host Identifier) and redirects the user to the authentication page configured by that URL. The user types username/password, which OAM validates against OAM’s identity store (Oracle Internet Directory). Oracle Internet Directory validates the username and password against uid (login attribute) and userPassword (password attribute).
5. On successful authentication OAM forwards the response back to the Web Gate with a generated cookie.
6. The Web Gate then redirects the user to E-Business Suite AccessGate for user validation or user mapping.
7. E-Business Suite AccessGate takes this user ID and maps/validates it against the user in E-Business Suite (FND_USER).
8. On successful validation the response is returned to the Web Gate.
9. The Web Gate forwards the response to the user.
10. The user, now carrying the token/cookie from Web Gate/AccessGate, is sent to the E-Business Suite middle tier.
11. The E-Business Suite middle tier generates an E-Business Suite specific cookie for the user; in subsequent requests the user talks directly to Oracle E-Business Suite until explicit logout or timeout.
Note: Users in E-Business Suite (FND_USER) are synchronized with Oracle Internet Directory using the Directory Integration Platform’s Provisioning Framework.
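As an added example (not part of the original post), the following Python models the profile-option check and the request flow above: the OAMLogin.jsp redirect built from APPS_AUTH_AGENT, OAM validating uid/userPassword against OID, and EBS AccessGate mapping the SSO user to FND_USER. The host, port, user names and in-memory OID/FND_USER tables are constructed placeholders, and passwords are compared in clear only for illustration.

```python
from urllib.parse import urlparse

SSO_TYPES = ("SSWA", "Portal", "SSWA w/SSO", "Portal w/SSO")

# Constructed sample data standing in for the real stores (not from the post).
OID_USERS = {"jsmith": {"userPassword": "Welcome1"},      # provisioned into EBS by DIP
             "contractor": {"userPassword": "Pass2"}}      # exists in OID only
FND_USER = {"JSMITH": {"user_id": 1234}}                   # EBS users, upper-case user_name
PROFILES = {"APPS_SSO": "SSWA w/SSO",
            "APPS_AUTH_AGENT": "http://ohsserver:7777/ebsauth_dev/"}

def login_redirect(profiles):
    """Steps 1-2: OAMLogin.jsp URL built from APPS_AUTH_AGENT, or None for the local login page."""
    sso_type = profiles.get("APPS_SSO")
    if sso_type not in SSO_TYPES:
        raise ValueError(f"unexpected Application SSO Type: {sso_type!r}")
    if not sso_type.endswith("w/SSO"):
        return None                      # no SSO: EBS serves its own login page
    agent = profiles.get("APPS_AUTH_AGENT", "")
    u = urlparse(agent)
    if u.scheme not in ("http", "https") or not u.hostname or not u.port or not u.path.strip("/"):
        raise ValueError("Application Authentication Agent must be http://server:port/<context_root>/")
    return agent.rstrip("/") + "/OAMLogin.jsp"

def oam_authenticate(uid, password, oid=OID_USERS):
    """Step 4: OAM checks uid (login attribute) and userPassword against the OID identity store."""
    entry = oid.get(uid)
    return entry is not None and entry["userPassword"] == password

def accessgate_map(uid, fnd_user=FND_USER):
    """Step 7: EBS AccessGate maps the SSO user to FND_USER; unmapped users get no EBS session."""
    row = fnd_user.get(uid.upper())
    return None if row is None else {"user_name": uid.upper(), "user_id": row["user_id"]}

def sso_flow(uid, password, cookies=None, profiles=PROFILES):
    """Drive steps 1-11 for one login attempt and report where the request ends up."""
    cookies = dict(cookies or {})
    redirect = login_redirect(profiles)
    if redirect is None:
        return {"outcome": "local_login", "cookies": cookies}
    # Step 3: Web Gate looks for an existing OAM token; steps 4-5: otherwise OAM authenticates.
    if "OAM_TOKEN" not in cookies:
        if not oam_authenticate(uid, password):
            return {"outcome": "auth_failed", "login_page": redirect, "cookies": cookies}
        cookies["OAM_TOKEN"] = f"tok-{uid}"  # constructed stand-in for the OAM-issued cookie
    # Steps 6-9: AccessGate maps the SSO user to an EBS user.
    ebs_user = accessgate_map(uid)
    if ebs_user is None:
        return {"outcome": "unmapped_user", "cookies": cookies}
    # Steps 10-11: the EBS middle tier issues its own session cookie.
    cookies["EBS_SESSION"] = f"ebs-{ebs_user['user_id']}"
    return {"outcome": "ebs_session", "user": ebs_user, "cookies": cookies}
```

The "contractor" case shows why the DIP provisioning note matters: a user who authenticates in OID but has no FND_USER row gets an OAM token yet no EBS session.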
Steps to integrate Oracle EBS R12 with OAM for Single Sign-On
Assumptions:
1. 12.1.0.2 database
2. JDK-6u45 for OAM and JDK-1.7.0_141 for OID
3. Weblogic server 10.3.6
4. RCU 11g
5. Oracle Identity Management 11.1.1.9
6. Oracle Access Management 11.2.0.3
7. EBS 12.2.6
If you need the step by step document, please contact me at samratsinha05@gmail.com.