Steven Chan Senior Director, Applications ... - Oracle · • Access one or more E-Business Suite...

Using Fusion Middleware with Oracle E-Business Suite

Steven Chan

Senior Director, Applications Technology Integration

Topics

• Supported Optional External Integrations

• In-Depth: Enabling Single Sign-On

• In-Depth: Third-Party Access Managers & LDAP

Directories

• Case Studies

• Certification Roadmap

Last updated: Oct 14, 2009

Optional External

Integrations

Simple Architecture

External

Users

(via VPN)

E-Business Suite

Database

Internal

Users

Intranet

Firewall

Oracle Application Server• Portal

• Single Sign-On

• Oracle Internet Directory

• Discoverer

• Other Fusion Middleware Components

Firewall

E-Business Suite Application Server

11i 12

E-Business Suite Integration with OracleAS 10g

• Runs Oracle9i Application Server 1.0.2.2.2 on mid-tier

• Runs Release 11i application-tier services such as Forms, Jserv

• Integrated with an external stand-alone Oracle Application

Server 10g instance for optional services (e.g. Single Sign-On)

11i

12 • Runs Oracle Application Server 10g on mid-tier

• Runs Release 12 application-tier services such as Forms, OC4J

• Integrated with an external stand-alone Oracle Application

Server instance for optional services (e.g. Single Sign-On)

Distributed Architecture

FirewallFirewall

Internet Reverse

Proxy

Firewall

OracleAS 10g

Infrastructure

Database

Oracle

Internet

Directory

Server 10gInternal EBS

Server

EBS

Database

Internal

Users

External

Users

External

EBS

Server

Single

Sign-On 10g

Portal

10g

11i 12

OracleAS 10g Integration Options

1. Access Apps via Oracle Single Sign-On

2. Access Apps via Oracle Access Manager

3. Manage users with Oracle Internet Directory

4. Build enterprise mashups with Oracle Web Center

5. Design custom portals with Oracle Portal

6. Analyse data with Discoverer

7. Analyse data with Business Intelligence Applications

8. Accelerate performance with

WebCache

9. Integrate applications via Oracle

SOA Suite

10. Integrate with third-party signon

tools

11. Integrate with third-party LDAPs

12. Search EBS content with

Secure Enterprise Search

11i 12

External Fusion Middleware Certifications

Oracle Application Server 10g Module Release 11i Release 12

Single Sign-On 10.1.4.3 10.1.4.3

Oracle Internet Directory 10.1.4.3 10.1.4.3

Web Center 10.1.3.4

Portal 10.1.4.2 10.1.4.2

Discoverer 10.1.2.3 10.1.2.3

Business Intelligence (EE+) 10.1.3.4 10.1.3.4

Business Intelligence Applications 7.9.6 7.9.6

Web Cache 10.1.2.3 10.1.2.3

Oracle SOA Suite (SOA development) 11.1.1.1 11.1.1.1

BPEL (prepackaged SOA integrations) 10.1.3.4

Secure Enterprise Search 10.1.8.4 10.1.8.4

Other Security-Related CertificationsCertified by Fusion Middleware Product Teams

11i 12

Access Manager via OSSO 10.1.4.3 10.1.4.3

Identity Manager 9.1.0.0 9.1.0.0

Enterprise Single Sign-On 10.1.4.0.1 10.1.4.0.1

Identity Federation via OSSO 11.1.1.1 11.1.1.1

Oracle Virtual Directory via OID 11.1.1.1 11.1.1.1

Access Apps via Oracle Single Sign-On

• E-Business Suite is a Single Sign-On partner application

• Log on to Oracle Single Sign-On to get access to all registered partner applications, including EBS

• Log off any one partner application to log off all of them

E-Business Suite

Application ServerUser

Single

Sign-On 10g

11i 12

Access Apps via Oracle Access Manager

• Chain Oracle Access Manager with Oracle Single Sign-On

• Support complex third-party single sign-on architectures

Oracle Single

Sign-On

E-Business

Suite

Oracle

Access

Manager

11i 12

Manage Users in Oracle Internet Directory

• Synchronise user credentials bidirectionally between Oracle Internet Directory and E-Business Suite (FND_USER)

• Set master “source of truth” as OID, EBS, or both

• Manage user provisioning via powerful OID Directory Integration & Provisioning (DIP) templates

• Link an OID userid with one or more EBS userids “on-the-fly”

E-Business SuiteFND_USER

Oracle

Internet

Directory

DIP

DBMS_LDAP

11i 12

Provision Users with Oracle Identity Manager

• Use Oracle Identity Manager as a provisioning hub with third-party user

directories and applications

• Many connectors available, including OID, E-Business Suite’s FND_USER and HRMS directories

E-Business Suite

Oracle

Identity

Manager

OID

LDAP LDAP

11i 12

Build Enterprise Mashups using Web Center

• Build websites, collaborative applications, and enterprise mashups in Web Center

• Add EBS portlets via WSRP 1.0 / JSR-168

• Access one or more E-Business Suite instances

• Display data in EBS portlets based on EBS responsibilities

12

Web

Center

10g

E-BusinessSuite

PeopleSoft

Dashboards

Mashups

Using Web Center Extension in JDeveloper 12

Design Custom Portals using Oracle Portal

• Single Sign-On is a prerequisite

• Access one or more E-Business Suite instances from Oracle Portal

• Add EBS portlets to custom Portal pages via JPDK

• Display data in EBS portlets based on EBS responsibilities

Oracle

Portal 10g

E-BusinessSuite

AppsPortlets

11i 12

E-Business Suite Portlets

• Applications NavigatorAccess Applications menus based on user responsibilities

• Applications FavoritesBookmark specific Applications links for quick access

• Applications WorklistSummary of current workflow notifications

• Oracle Balanced ScorecardDisplay status of strategic and tactical business objectives

• Performance Management ViewerDisplay business intelligence key performance indicators in

graphical and tabular format

11i 12

11i

Apps Portlets in Third-Party Portals

WSRP 1.0 & JSR-168 compatible portlets:

• Application Navigator portlet

• Application Favorites portlet

• Application Worklist portlet

May be used in third-party portals

12

Custom Portlets for Release 12

• Create custom portlets from selected Release 12

OAF Page Regions

• WSRP 1.0 / JSR-168 compliant

• Oracle Application Framework

Developer's Guide Release 12

(Metalink Note 394780.1, Chapter 4, Portlets)

12

Analyse EBS with BI Applications

• Analytic dashboards running on Oracle Business Intelligence Suite

Enterprise Edition Plus

• Extracts data to external data warehouse

• Runs on separate cluster for enhanced scalability, wide deployment

OBIEE

OBIEE Data

Warehouse

User

11i 12

Analyse EBS with BI Applications

• Provide end-user reporting via ad hoc queries

• Drill-down into data via tabular & graphical analytical tools

• Consolidates data Siebel CRM, PeopleSoft Enterprise

11i 12

Drill

Analyse EBS with Discoverer 10g

• Access APPS_MODE End-User Layer via Business Intelligence System Discoverer

workbooks secured by Applications responsibilities

• Discoverer 10g End-User Layer resides in E-Business Suite database

• Run Discoverer on separate cluster for enhanced scalability, wide deployment

Discoverer

E-Business Suite

End-User Layer

User

11i 12

Why Upgrade Discoverer 4i to 10g?

It’s better

• Automatic SQL trimming, per user memory caps, faster, new features

It’s safe

• Installation upgrades a copy of 4i End-User Layer to 10g

It’s low-impact

• TIP: Run Discoverer 4i and 10g on different physical servers to avoid Visibroker conflicts

• Compare 4i and 10g workbooks side-by-side for User Acceptance Tests

It’s free

• Your existing Business Intelligence product license includes 10g

It’s necessary

• Discoverer 4i was desupported on

October 31, 2006

Upgrade now

to avoid

Support issues

Tasty Carrots Big Stick

11i

• Cache and compress frequently used items

• Secured data (I.e. requiring authorization) is not cached

• Reduce network consumption and accelerate response time

• Can act as a reverse-proxy server or load-balancer

• Partial page refresh supported for Portal

WebCache 10g

UserE-Business Suite

Application Server

11i 12Accelerate Performance with WebCache

Integrate EBS with Third-Party Apps

• Build integrations via Service Oriented Architecture (SOA) technologies

• Over 250 adapters for Enterprise Application Integration J2EE and open

standards-based integration, including:

• E-Business Suite, third-party applications, database sources

• XML, JMS, JCA

• Web Services: SOAP, WSDL, UDDI

• B2B Protocols: RosettaNet, HIPAA, EDI

E-Business SuiteOther

Applications

Oracle

SOA Suite

11i 12

Integrate with EBS using BPEL 11i 12

Use Oracle BPEL

Process Manager to

integrate third-party

applications via

custom business

processes

Monitor Business Processes with

Business Activity Monitor11i 12

Single Sign On

Integration

Authentication vs. Authorization

Identifies the user

Oracle

Single

Sign-On

E-Business

Suite

Authentication Authorization

Identifies data & actions the user

can access

Checks user credentials

Checks user responsibilities

How Single Sign-On Works with EBS

• Unauthenticated users are automatically redirected to Oracle

Single Sign-On 10g

Oracle Single

Sign-On 10g

EBS

Application

Server

… delegates user authentication to …

How Single Sign-On Works with EBSOverview

E-Business Suite

Database

Single

Sign-On 10g

Oracle Internet

Directory 10g

OracleAS 10g

OID LDAP Directory

User

E-Business

Suite

Application

Server


• Step 1: Unauthenticated user attempts to access the

E-Business Suite

E-Business Suite

Application Server

User


• Step 2: E-Business Suite redirects user to Single

Sign-On 10g for authentication

E-Business Suite

Application Server

User Single

Sign-On 10g


• Step 3: Single Sign-On challenges the user with a

logon form

UserSingle

Sign-On 10g

Logon

Form


• Step 4: User provides her credentials via the logon

form

UserSingle

Sign-On 10g

Logon

Form


• Step 5: Single Sign-On passes user credentials to

Oracle Internet Directory for validation

Single

Sign-On

10g

Oracle Internet

Directory 10g


• Step 6: Oracle Internet Directory authenticates the

user credentials against the OracleAS 10g OID LDAP

Directory (in the OracleAS 10g Metadata Repository)

OracleAS 10g OID

LDAP Directory

Oracle Internet

Directory 10g


• Step 7: Single Sign-On provides the authenticated

user with a security token

Single

Sign-On 10g

User

SSO Security

Token


• Step 8: User is redirected to E-Business Suite, which

accepts the SSO security token as proof of an

authenticated user

E-Business Suite EBS

Application Server

User

SSO Security

Token


• Step 9: E-Business Suite’s application server checks

the user’s authorization (i.e Apps responsibilities) in FND_USER

E-Business Suite

Application Server

E-Business Suite EBS

Database (FND_USER)


• Step 10: E-Business Suite issues its own Apps

security tokens to the user, redirecting her to the requested Apps module

E-Business Suite

Application Server

Apps Security

Token

E-Business Suite

Database

User


E-Business Suite

Database

Single

Sign-On 10g

Oracle Internet

Directory 10g

OracleAS 10g

LDAP Directory

User

E-Business

Suite EBS

Application

Server

Oracle Internet Directory Integration

• Oracle Internet Directory and FND_USER must be kept synchronised

• Supported synchronisation directions:

• From OID to FND_USER (Asynchronous via the Directory Integration & Provisioning Platform)

• From FND_USER to OID (Synchronous via dbms_ldap calls)

• Bidirectionally

• Synchronisation events are raised via the Workflow-based Business Event System whenever users are added or modified

E-Business Suite FND_USER

Oracle

Internet

Directory

DIP

DBMS_LDAP

Link Accounts

OracleInternet

Directory

Userid =

“John.Smith”

E-Business Suite

(FND_USER)

Userid =

“jsmith”

One-time User Registration

• Done at setup time by system administrator

• Optional: can be done by end-user on first logon (“Link on the fly”)

• Useful when existing accounts in Oracle Internet Directory 10g or a third-party LDAP directory differ from existing E-Business Suite accounts

“Link Account”

Global Unique Identifier (GUID)

Link to Multiple EBS Accounts

• Note: It’s not possible to link

multiple OID accounts to the

same EBS account

OracleInternet

Directory

Userid =

“John.Smith”

E-Business Suite

(FND_USER)

Userid =

“jsmith”

“Link Account”

Userid =

“testuser1”

Userid =

“testuser2”

Supported 3rd

Party Identity

Management

Integrations

Third-Party Single Sign-On Integration

Oracle Single

Sign-On 10g

EBS

Application

Server

Third-Party

SSO



Supported Third-Party SSO Integrations

Integrate Oracle Single Sign-On with

• Windows Native Authentication via Kerberos

• CA Entrust, CA Netegrity, IBM Tivoli, RSA

• PKI X.509v3 Digital Certificates

• Biometric and smartcard systems

• Other SSO systems via custom adapters

• Oracle Identity Federation

• Formerly Oblix COREid Federation

• SAML, WS-Federation, Liberty Alliance

• Oracle Access Manager

• Formerly Oblix COREid Access & Identity

If you already have a third-party LDAP…

Oracle

Internet

Directory

10g

E-Business

Suite DB(FND_USER)

Third-Party

LDAP

… synchronizes user attributes with …

… synchronizes user attributes with …

Available Oracle Internet Directory Connectors

• Microsoft Active Directory 2000/2003

• Microsoft Active Directory Application Mode (ADAM) 2003

• Microsoft Exchange 2000/2003

• Sun Java System Directory (Sun ONE / iPlanet) 5.2, 6.3

• Novell eDirectory 8.6 / 8.7

• OpenLDAP 2.2

• Any LDAP directory via LDIF files

• Any other directory via custom DIP agent

• Oracle Identity Manager

• Formerly Thor Xellerate Identity Provisioning

• Also integrates directly with E-Business Suite

FND_USER & HRMS

• Oracle Virtual Directory

• Formerly OctetString Virtual Directory Engine

E-Business

Database(FND_USER)

Oracle

Internet

Directory

Third-Party

LDAP(optional)

User Password User Password User PasswordX X

Passwords Stored in Third-Party LDAP

• Third-party LDAP:

• Handles user authentication, usually with a third-party authentication

solution

• Commonly considered “Master” source-of-truth

• Oracle Internet Directory and E-Business Suite take minimal

copies of master user definition -- excluding passwords

• E-Business Suite doesn’t maintain user passwords in this

configuration

How 3rd Party

Identity Management

Integrations Work

Third-Party Integration Architecture

Single

Sign-On 10g

Oracle

Internet

Directory 10g

End

User

Third-Party

SSO

Third-Party

LDAP

EBS Application

Server

EBS

Database(FND_USER)

User Logs onto Third-Party System

• Step 1. User provides userid & password to third-

party single sign-on system

Third-Party

SSO

Third-Party Authenticates User

• Step 2. Third-party single sign-on sends user’s

credentials to third-party LDAP for authentication

Third-Party

LDAP

Third-Party

SSO

Third-Party Grants User Access

• Step 3. Third-party single sign-on provides

authenticated user with third-party security token

Third-Party

SSO

Third-Party

Token

Logged-On User Attempts EBS Access

• Step 4. User attempts to access E-Business Suite,

and is redirected to Oracle Single Sign-On 10g

E-Business

Suite

Single Sign-On

10g

Oracle SSO Grants User Access

• Step 5. Oracle Single Sign-On recognizes the third-

party security token, then issues its own

Single

Sign-On 10g

SSO Security Token

EBS Grants User Access

• Step 6. User is redirected back to E-Business Suite,

which recognizes the SSO security token and issues

its own

Single

Sign-On 10gApps

Security

Token

E-Business

Suite

Third-Party Integration Architecture

Single

Sign-On 10g

Oracle

Internet

Directory 10g

End

User

Third-Party

SSO

Third-Party

LDAP

EBS Application

Server

EBS

Database(FND_USER)

Case Studies

Deployed Widely in Production

• Amdocs (Israel)

• Alcoa (Europe)

• Applied Materials (Israel)

• Atento (Norway)

• Berwind Pharmaceuticals (USA)

• Bunnings (Australia)

• CapGemini / Councils Online (Australia)

• Central Bank of Nigeria

• Cisco Systems

• Cox Communications (USA)

• Fiera Milano (Italy)

• General Dynamics Land Sys

• General Electric (USA)

• Google (USA)

• Guandong Unicom (China)

• Inter-Arab Investment Guarantee (Kuwait)

• International Enterprises (Singapore)

• International Institute for Applied Systems Analysis (Austria)

• Ireland Dept of Defence

• Kansas State University

• Libgo Travel (USA)

• Mitac (Taiwan)

• Phoenix Technologies (USA)

• Putrajaya (Malaysia)

• Telecom Italia Mobile (Italy)

• Texas Instruments (USA)

• Universal Weather & Aviation (USA)

• Wind River Systems (USA)

• World Wide Technology

These are not customer references

Integration with MicrosoftActive Directory Only

Single

Sign-On

10g

Oracle

Internet

Directory 10g

End

User

Microsoft

Active

Directory

EBS Application

Server

EBS

Database(FND_USER)

Integration with MicrosoftActive Directory & Kerberos

Single

Sign-On 10g

Oracle

Internet

Directory 10g

End

User

Microsoft Windows

Native Authentication

via Kerberos

Microsoft Active

Directory

EBS Application

Server

EBS

Database(FND_USER)

Internal / External Configuration

FirewallFirewall

Internet Reverse

Proxy

Firewall

External

9iAS 1.0.2

Server

OracleAS 10g

Infrastructure

Database

Oracle

Internet

Directory

Server 10gInternal 9iAS

1.0.2 Server

Release 11i

Database

Internal

Users

Single

Sign-On 10g

External

Users

Shared 11i

Filesystem

RAC 1 RAC 2

Highly Available

FirewallFirewall

External

Users

Internet Reverse

Proxy

Firewall

Internal

Users

Web

Node 3

Web

Node 4

HTTP LBR2

HTTP

LBR1

Web

Node 2

Web

Node 1

LBR1

SSO

Node 2

SSO

Node 1

OracleAS 10g

Infrastructure DB

OID 1 OID 2

Desupport

Notices

Updated E-Business Suite Baselines

E-Business Suite 12.0 baseline

• ATG Release Update Patch 6 (Patch 7237006)

• ATG Release Update Patch 4 (Patch 6272680)

E-Business Suite 11.5.10 baseline

• ATG Rollup Patchset 7 (Patch 6241631)

• ATG Rollup Patchset 6 (Patch 5903765)

New features, patches and certifications released for the current

and previous ATG patchset (Note 363827.1)

New Support Policies for Technology Products

New patches released for

• Current patchset

• Previous patchset for 12 months after current patchset

Applies to

• Quarterly Critical Update Patches (security fixes)

• Patch bundles

• Interim patches (a.k.a. “one-off” or emergency patches)

Real Examples

Database

• Database 10.2.0.4 patchset released in February 2008

• Database 10.2.0.3 patchset supported until February 2009

• All previous patchsets (e.g. 10.2.0.2) desupported

Fusion Middleware

• Oracle Identity Management 10.1.4.3 patchset released in

November 2008

• Oracle Identity Management 10.1.4.2 patchset supported until

November 2009

• All previous patchsets (e.g. 10.1.4.0.1) desupported

Support Policy References

• Oracle Lifetime Support Policywww.oracle.com/support/lifetime-support-policy.html

• Database, FMW, EM Grid Control, and OCS Software Error Correction Support Policy (Note 209768.1)

• Release Schedule of Current Database Patch Sets (Note 742060.1)

• Oracle Application Server 10g Release 2 (10.1.2) Support Status and Alerts (Note 329361.1)

Implications for E-Business Suite Users

Articles on blogs.oracle.com/stevenChan

• On Database Patching and Support:

A Primer for E-Business Suite Users

• On Apps Tier Patching and Support:

A Primer for E-Business Suite Users

External Application Tier Desupport Notices

• Discoverer 4i Oct 2006

• Login Server 3.0.9 July 2007

• Portal 3.0.9 July 2007

• Oracle Internet Directory 3.0.1 July 2007

• Oracle Application Server 10.1.2.2 Mar 2009

(incl. Portal, Discoverer, WebCache)

• Single Sign-On / OID 10.1.4.2 Nov 2009

“Desupport” = “End of Premier Support”

Certification

Roadmap

The following is intended to outline our general

product direction. It is intended for information

purposes only, and may not be incorporated into any

contract. It is not a commitment to deliver any

material, code, or functionality, and should not be

relied upon in making purchasing decisions.

The development, release, and timing of any

features or functionality described for Oracle’s

products remains at the sole discretion of Oracle.

Future Application Tier Certifications

E-Business Suite Release 11i

• Developer6i Forms

Patchset 20

E-Business Suite Release 12

• SOA Suite 10.1.3.5

• BPEL 10.1.3.5

• OC4J 10.1.3.5

• Web Center 11g

Both 11i & 12

• Oracle Access Manager 10gR3

(direct integration with EBS)

• Oracle Internet Directory 11g

• Discoverer 11g

• Portal 11g

• Web Cache 11g

• Java SE (JDK) 7

Oracle Access Manager & Oracle Internet Directory

E-Business Suite

Database

Oracle Access

Manager 10gR3

Oracle Internet

Directory 10g or 11g

OID LDAP

Directory

User

E-Business

Suite

Application

Server

Still Bubbling in the Labs

• Generate portlets based on selected OA Framework regions

(R12 only)

• Server-level configuration of authentication mechanism

(i.e. different authentication tools for internal vs. external users)

The preceding is intended to outline our general

product direction. It is intended for information

purposes only, and may not be incorporated into any

contract. It is not a commitment to deliver any

material, code, or functionality, and should not be

relied upon in making purchasing decisions.

The development, release, and timing of any

features or functionality described for Oracle’s

products remains at the sole discretion of Oracle.

OracleAS + E-Business Suite Resources

• Application Server + 11i FAQ Note 186981.1

• 11i Documentation Roadmap Note 207159.1

• Application Server + R12 FAQ Note 415007.1

• R12 Documentation Roadmap Note 380482.1

E-Business Suite Technology Stack Blog

• Direct from EBS Development

• Latest EBS techstack news

• Certification announcements

• Primers, FAQs, tips

• Desupport reminders

• Advanced architectures

• Statements of Direction

• Early Adopter Programs

• Subscribe via email & RSS

blogs.oracle.com/stevenChan

Steven Chan Senior Director, Applications ... - Oracle · • Access one or more E-Business Suite...

Documents

Transcript of Steven Chan Senior Director, Applications ... - Oracle · • Access one or more E-Business Suite...