Using Fusion Middleware with Oracle E-Business Suite
Steven Chan
Senior Director, Applications Technology Integration
Topics
• Supported Optional External Integrations
• In-Depth: Enabling Single Sign-On
• In-Depth: Third-Party Access Managers & LDAP Directories
• Case Studies
• Certification Roadmap
Last updated: Oct 14, 2009
Optional External Integrations
Simple Architecture
[Diagram: External Users (via VPN); Internal Users on the Intranet; Firewalls; E-Business Suite Application Server; E-Business Suite Database; Oracle Application Server running Portal, Single Sign-On, Oracle Internet Directory, Discoverer and other Fusion Middleware components]
11i 12
E-Business Suite Integration with OracleAS 10g
11i
• Runs Oracle9i Application Server 1.0.2.2.2 on mid-tier
• Runs Release 11i application-tier services such as Forms, Jserv
• Integrated with an external stand-alone Oracle Application Server 10g instance for optional services (e.g. Single Sign-On)
12
• Runs Oracle Application Server 10g on mid-tier
• Runs Release 12 application-tier services such as Forms, OC4J
• Integrated with an external stand-alone Oracle Application Server instance for optional services (e.g. Single Sign-On)
Distributed Architecture
[Diagram: Internet; Reverse Proxy; Firewalls; External Users; External EBS Server; Internal Users; Internal EBS Server; EBS Database; OracleAS 10g Infrastructure Database; Oracle Internet Directory Server 10g; Single Sign-On 10g; Portal 10g]
11i 12
OracleAS 10g Integration Options
1. Access Apps via Oracle Single Sign-On
2. Access Apps via Oracle Access Manager
3. Manage users with Oracle Internet Directory
4. Build enterprise mashups with Oracle Web Center
5. Design custom portals with Oracle Portal
6. Analyse data with Discoverer
7. Analyse data with Business Intelligence Applications
8. Accelerate performance with WebCache
9. Integrate applications via Oracle SOA Suite
10. Integrate with third-party signon tools
11. Integrate with third-party LDAPs
12. Search EBS content with Secure Enterprise Search
11i 12
External Fusion Middleware Certifications
Oracle Application Server 10g Module Release 11i Release 12
Single Sign-On 10.1.4.3 10.1.4.3
Oracle Internet Directory 10.1.4.3 10.1.4.3
Web Center 10.1.3.4
Portal 10.1.4.2 10.1.4.2
Discoverer 10.1.2.3 10.1.2.3
Business Intelligence (EE+) 10.1.3.4 10.1.3.4
Business Intelligence Applications 7.9.6 7.9.6
Web Cache 10.1.2.3 10.1.2.3
Oracle SOA Suite (SOA development) 11.1.1.1 11.1.1.1
BPEL (prepackaged SOA integrations) 10.1.3.4
Secure Enterprise Search 10.1.8.4 10.1.8.4
Other Security-Related Certifications
Certified by Fusion Middleware Product Teams
11i 12
Access Manager via OSSO 10.1.4.3 10.1.4.3
Identity Manager 9.1.0.0 9.1.0.0
Enterprise Single Sign-On 10.1.4.0.1 10.1.4.0.1
Identity Federation via OSSO 11.1.1.1 11.1.1.1
Oracle Virtual Directory via OID 11.1.1.1 11.1.1.1
Access Apps via Oracle Single Sign-On
• E-Business Suite is a Single Sign-On partner application
• Log on to Oracle Single Sign-On to get access to all registered partner applications, including EBS
• Log off any one partner application to log off all of them
[Diagram: User; Single Sign-On 10g; E-Business Suite Application Server]
11i 12
Access Apps via Oracle Access Manager
• Chain Oracle Access Manager with Oracle Single Sign-On
• Support complex third-party single sign-on architectures
[Diagram: Oracle Access Manager; Oracle Single Sign-On; E-Business Suite]
11i 12
Manage Users in Oracle Internet Directory
• Synchronise user credentials bidirectionally between Oracle Internet Directory and E-Business Suite (FND_USER)
• Set master “source of truth” as OID, EBS, or both
• Manage user provisioning via powerful OID Directory Integration & Provisioning (DIP) templates
• Link an OID userid with one or more EBS userids “on-the-fly”
[Diagram: E-Business Suite FND_USER; Oracle Internet Directory; DIP; DBMS_LDAP]
11i 12
Provision Users with Oracle Identity Manager
• Use Oracle Identity Manager as a provisioning hub with third-party user directories and applications
• Many connectors available, including OID, E-Business Suite’s FND_USER and HRMS directories
[Diagram: E-Business Suite; Oracle Identity Manager; OID; links labelled LDAP]
11i 12
Build Enterprise Mashups using Web Center
• Build websites, collaborative applications, and enterprise mashups in Web Center
• Add EBS portlets via WSRP 1.0 / JSR-168
• Access one or more E-Business Suite instances
• Display data in EBS portlets based on EBS responsibilities
12
[Diagram: Web Center 10g; E-Business Suite; PeopleSoft; Dashboards; Mashups]
Using Web Center Extension in JDeveloper 12
Design Custom Portals using Oracle Portal
• Single Sign-On is a prerequisite
• Access one or more E-Business Suite instances from Oracle Portal
• Add EBS portlets to custom Portal pages via JPDK
• Display data in EBS portlets based on EBS responsibilities
[Diagram: Oracle Portal 10g; E-Business Suite; Apps Portlets]
11i 12
E-Business Suite Portlets
• Applications Navigator: Access Applications menus based on user responsibilities
• Applications Favorites: Bookmark specific Applications links for quick access
• Applications Worklist: Summary of current workflow notifications
• Oracle Balanced Scorecard: Display status of strategic and tactical business objectives
• Performance Management Viewer: Display business intelligence key performance indicators in graphical and tabular format
11i 12
11i
Apps Portlets in Third-Party Portals
WSRP 1.0 & JSR-168 compatible portlets:
• Application Navigator portlet
• Application Favorites portlet
• Application Worklist portlet
May be used in third-party portals
12
Custom Portlets for Release 12
• Create custom portlets from selected Release 12 OAF Page Regions
• WSRP 1.0 / JSR-168 compliant
• Oracle Application Framework Developer's Guide Release 12 (Metalink Note 394780.1, Chapter 4, Portlets)
12
Analyse EBS with BI Applications
• Analytic dashboards running on Oracle Business Intelligence Suite Enterprise Edition Plus
• Extracts data to external data warehouse
• Runs on separate cluster for enhanced scalability, wide deployment
[Diagram: User; OBIEE; OBIEE Data Warehouse]
11i 12
Analyse EBS with BI Applications
• Provide end-user reporting via ad hoc queries
• Drill-down into data via tabular & graphical analytical tools
• Consolidates data from Siebel CRM, PeopleSoft Enterprise
11i 12
Analyse EBS with Discoverer 10g
• Access APPS_MODE End-User Layer via Business Intelligence System Discoverer workbooks secured by Applications responsibilities
• Discoverer 10g End-User Layer resides in E-Business Suite database
• Run Discoverer on separate cluster for enhanced scalability, wide deployment
[Diagram: User; Discoverer; E-Business Suite End-User Layer]
11i 12
Why Upgrade Discoverer 4i to 10g?
It’s better
• Automatic SQL trimming, per user memory caps, faster, new features
It’s safe
• Installation upgrades a copy of 4i End-User Layer to 10g
It’s low-impact
• TIP: Run Discoverer 4i and 10g on different physical servers to avoid Visibroker conflicts
• Compare 4i and 10g workbooks side-by-side for User Acceptance Tests
It’s free
• Your existing Business Intelligence product license includes 10g
It’s necessary
• Discoverer 4i was desupported on October 31, 2006
Upgrade now to avoid Support issues
[Slide callouts: Tasty Carrots; Big Stick]
11i
Accelerate Performance with WebCache
• Cache and compress frequently used items
• Secured data (i.e. requiring authorization) is not cached
• Reduce network consumption and accelerate response time
• Can act as a reverse-proxy server or load-balancer
• Partial page refresh supported for Portal
[Diagram: User; WebCache 10g; E-Business Suite Application Server]
11i 12
Integrate EBS with Third-Party Apps
• Build integrations via Service Oriented Architecture (SOA) technologies
• Over 250 adapters for Enterprise Application Integration J2EE and open standards-based integration, including:
  • E-Business Suite, third-party applications, database sources
  • XML, JMS, JCA
  • Web Services: SOAP, WSDL, UDDI
  • B2B Protocols: RosettaNet, HIPAA, EDI
[Diagram: E-Business Suite; Oracle SOA Suite; Other Applications]
11i 12
Integrate with EBS using BPEL
Use Oracle BPEL Process Manager to integrate third-party applications via custom business processes
11i 12
Monitor Business Processes with Business Activity Monitor
11i 12
Single Sign On Integration
Authentication vs. Authorization
Authentication (Oracle Single Sign-On)
• Identifies the user
• Checks user credentials
Authorization (E-Business Suite)
• Identifies data & actions the user can access
• Checks user responsibilities
How Single Sign-On Works with EBS
• Unauthenticated users are automatically redirected to Oracle Single Sign-On 10g
[Diagram: EBS Application Server … delegates user authentication to … Oracle Single Sign-On 10g]
How Single Sign-On Works with EBS: Overview
[Diagram: User; E-Business Suite Application Server; E-Business Suite Database; Single Sign-On 10g; Oracle Internet Directory 10g; OracleAS 10g OID LDAP Directory]
How Single Sign-On Works with EBS
• Step 1: Unauthenticated user attempts to access the E-Business Suite
• Step 2: E-Business Suite redirects user to Single Sign-On 10g for authentication
• Step 3: Single Sign-On challenges the user with a logon form
• Step 4: User provides her credentials via the logon form
• Step 5: Single Sign-On passes user credentials to Oracle Internet Directory for validation
• Step 6: Oracle Internet Directory authenticates the user credentials against the OracleAS 10g OID LDAP Directory (in the OracleAS 10g Metadata Repository)
• Step 7: Single Sign-On provides the authenticated user with a security token
• Step 8: User is redirected to E-Business Suite, which accepts the SSO security token as proof of an authenticated user
• Step 9: E-Business Suite’s application server checks the user’s authorization (i.e. Apps responsibilities) in FND_USER
• Step 10: E-Business Suite issues its own Apps security tokens to the user, redirecting her to the requested Apps module
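The ten steps above, together with the link between an OID identity and FND_USER accounts, modelled as an added example (not Oracle code and not part of the original slides). The HMAC-signed token format, both keys, the function names, the responsibility name and the sample users are assumptions made for illustration; the slides do not say how the real SSO or Apps tokens are built.

```python
import hashlib
import hmac

# Constructed sample data. Keys and token layout are assumptions, not Oracle's.
PARTNER_KEY = b"constructed-sso-partner-key"  # assumed shared by SSO and EBS
APPS_KEY = b"constructed-apps-session-key"    # assumed known only to EBS
# Stand-in for the OID LDAP directory (plaintext passwords only to keep it short).
OID_DIRECTORY = {
    "John.Smith": {"password": "constructed-pw", "guid": "GUID-0001"},
    "Jane.Doe": {"password": "constructed-pw2", "guid": "GUID-0002"},
}
# Stand-in for FND_USER: EBS userid -> linked OID GUID and Apps responsibilities.
# One GUID may be linked to several EBS userids, never the reverse.
FND_USER = {
    "jsmith": {"guid": "GUID-0001", "responsibilities": {"Payables Inquiry"}},
    "testuser1": {"guid": "GUID-0001", "responsibilities": set()},
}


def _sign(key, payload):
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def sso_login(userid, password):
    """Steps 3-7: SSO checks credentials against OID and issues an SSO token."""
    entry = OID_DIRECTORY.get(userid)
    if entry is None or not hmac.compare_digest(
            entry["password"].encode(), password.encode()):
        return None  # authentication failed, so no token is issued
    return f"{entry['guid']}|{_sign(PARTNER_KEY, entry['guid'])}"


def ebs_access(sso_token, ebs_userid, responsibility):
    """Steps 1-2 and 8-10 on the EBS side. Returns (status, detail)."""
    if sso_token is None:
        return ("redirect", "single-sign-on")          # steps 1-2
    guid, _, mac = sso_token.partition("|")
    if not hmac.compare_digest(mac, _sign(PARTNER_KEY, guid)):
        return ("denied", "invalid SSO token")         # step 8: forged token
    row = FND_USER.get(ebs_userid)
    if row is None or row["guid"] != guid:
        return ("denied", "no linked FND_USER account")
    if responsibility not in row["responsibilities"]:
        return ("denied", "not authorized")            # step 9: authorization
    payload = f"{ebs_userid}|{responsibility}"
    return ("ok", f"{payload}|{_sign(APPS_KEY, payload)}")  # step 10
```

Authentication and authorization fail independently here: a valid SSO token proves who the user is, but access still depends on the linked FND_USER row and its responsibilities.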
Oracle Internet Directory Integration
• Oracle Internet Directory and FND_USER must be kept synchronised
• Supported synchronisation directions:
  • From OID to FND_USER (Asynchronous via the Directory Integration & Provisioning Platform)
  • From FND_USER to OID (Synchronous via dbms_ldap calls)
  • Bidirectionally
• Synchronisation events are raised via the Workflow-based Business Event System whenever users are added or modified
[Diagram: E-Business Suite FND_USER; Oracle Internet Directory; DIP; DBMS_LDAP]
Link Accounts
[Diagram: Oracle Internet Directory userid “John.Smith” joined by “Link Account” (Global Unique Identifier, GUID) to E-Business Suite (FND_USER) userid “jsmith”]
One-time User Registration
• Done at setup time by system administrator
• Optional: can be done by end-user on first logon (“Link on the fly”)
• Useful when existing accounts in Oracle Internet Directory 10g or a third-party LDAP directory differ from existing E-Business Suite accounts
Link to Multiple EBS Accounts
• Note: It’s not possible to link multiple OID accounts to the same EBS account
[Diagram: Oracle Internet Directory userid “John.Smith” joined by “Link Account” to E-Business Suite (FND_USER) userids “jsmith”, “testuser1” and “testuser2”]
Supported 3rd Party Identity Management Integrations
Third-Party Single Sign-On Integration
[Diagram: EBS Application Server … delegates user authentication to … Oracle Single Sign-On 10g … delegates user authentication to … Third-Party SSO]
Supported Third-Party SSO Integrations
Integrate Oracle Single Sign-On with
• Windows Native Authentication via Kerberos
• CA Entrust, CA Netegrity, IBM Tivoli, RSA
• PKI X.509v3 Digital Certificates
• Biometric and smartcard systems
• Other SSO systems via custom adapters
• Oracle Identity Federation
  • Formerly Oblix COREid Federation
  • SAML, WS-Federation, Liberty Alliance
• Oracle Access Manager
  • Formerly Oblix COREid Access & Identity
If you already have a third-party LDAP…
[Diagram: E-Business Suite DB (FND_USER) … synchronizes user attributes with … Oracle Internet Directory 10g … synchronizes user attributes with … Third-Party LDAP]
Available Oracle Internet Directory Connectors
• Microsoft Active Directory 2000/2003
• Microsoft Active Directory Application Mode (ADAM) 2003
• Microsoft Exchange 2000/2003
• Sun Java System Directory (Sun ONE / iPlanet) 5.2, 6.3
• Novell eDirectory 8.6 / 8.7
• OpenLDAP 2.2
• Any LDAP directory via LDIF files
• Any other directory via custom DIP agent
• Oracle Identity Manager
  • Formerly Thor Xellerate Identity Provisioning
  • Also integrates directly with E-Business Suite FND_USER & HRMS
• Oracle Virtual Directory
  • Formerly OctetString Virtual Directory Engine
Passwords Stored in Third-Party LDAP
[Diagram: E-Business Database (FND_USER), Oracle Internet Directory and Third-Party LDAP (optional), each shown with User and Password; two of the Password entries are crossed out]
• Third-party LDAP:
  • Handles user authentication, usually with a third-party authentication solution
  • Commonly considered “Master” source-of-truth
• Oracle Internet Directory and E-Business Suite take minimal copies of master user definition -- excluding passwords
• E-Business Suite doesn’t maintain user passwords in this configuration
How 3rd Party Identity Management Integrations Work
Third-Party Integration Architecture
[Diagram: End User; Third-Party SSO; Third-Party LDAP; Single Sign-On 10g; Oracle Internet Directory 10g; EBS Application Server; EBS Database (FND_USER)]
User Logs onto Third-Party System
• Step 1. User provides userid & password to third-party single sign-on system
[Diagram: Third-Party SSO]
Third-Party Authenticates User
• Step 2. Third-party single sign-on sends user’s credentials to third-party LDAP for authentication
[Diagram: Third-Party SSO; Third-Party LDAP]
Third-Party Grants User Access
• Step 3. Third-party single sign-on provides authenticated user with third-party security token
[Diagram: Third-Party SSO; Third-Party Token]
Logged-On User Attempts EBS Access
• Step 4. User attempts to access E-Business Suite, and is redirected to Oracle Single Sign-On 10g
[Diagram: E-Business Suite; Single Sign-On 10g]
Oracle SSO Grants User Access
• Step 5. Oracle Single Sign-On recognizes the third-party security token, then issues its own
[Diagram: Single Sign-On 10g; SSO Security Token]
EBS Grants User Access
• Step 6. User is redirected back to E-Business Suite, which recognizes the SSO security token and issues its own
[Diagram: Single Sign-On 10g; E-Business Suite; Apps Security Token]
Case Studies
Deployed Widely in Production
• Amdocs (Israel)
• Alcoa (Europe)
• Applied Materials (Israel)
• Atento (Norway)
• Berwind Pharmaceuticals (USA)
• Bunnings (Australia)
• CapGemini / Councils Online (Australia)
• Central Bank of Nigeria
• Cisco Systems
• Cox Communications (USA)
• Fiera Milano (Italy)
• General Dynamics Land Sys
• General Electric (USA)
• Google (USA)
• Guandong Unicom (China)
• Inter-Arab Investment Guarantee (Kuwait)
• International Enterprises (Singapore)
• International Institute for Applied Systems Analysis (Austria)
• Ireland Dept of Defence
• Kansas State University
• Libgo Travel (USA)
• Mitac (Taiwan)
• Phoenix Technologies (USA)
• Putrajaya (Malaysia)
• Telecom Italia Mobile (Italy)
• Texas Instruments (USA)
• Universal Weather & Aviation (USA)
• Wind River Systems (USA)
• World Wide Technology
These are not customer references
Integration with Microsoft Active Directory Only
[Diagram: End User; Single Sign-On 10g; Oracle Internet Directory 10g; Microsoft Active Directory; EBS Application Server; EBS Database (FND_USER)]
Integration with Microsoft Active Directory & Kerberos
[Diagram: End User; Microsoft Windows Native Authentication via Kerberos; Microsoft Active Directory; Single Sign-On 10g; Oracle Internet Directory 10g; EBS Application Server; EBS Database (FND_USER)]
Internal / External Configuration
[Diagram: Internet; Reverse Proxy; Firewalls; External Users; External 9iAS 1.0.2 Server; Internal Users; Internal 9iAS 1.0.2 Server; Shared 11i Filesystem; Release 11i Database (RAC 1, RAC 2); Single Sign-On 10g; Oracle Internet Directory Server 10g; OracleAS 10g Infrastructure Database]
Highly Available
[Diagram: External Users; Internet; Reverse Proxy; Firewalls; Internal Users; HTTP LBR1; HTTP LBR2; Web Node 1; Web Node 2; Web Node 3; Web Node 4; LBR1; SSO Node 1; SSO Node 2; OID 1; OID 2; OracleAS 10g Infrastructure DB]
Desupport Notices
Updated E-Business Suite Baselines
E-Business Suite 12.0 baseline
• ATG Release Update Patch 6 (Patch 7237006)
• ATG Release Update Patch 4 (Patch 6272680)
E-Business Suite 11.5.10 baseline
• ATG Rollup Patchset 7 (Patch 6241631)
• ATG Rollup Patchset 6 (Patch 5903765)
New features, patches and certifications released for the current and previous ATG patchset (Note 363827.1)
New Support Policies for Technology Products
New patches released for
• Current patchset
• Previous patchset for 12 months after current patchset
Applies to
• Quarterly Critical Update Patches (security fixes)
• Patch bundles
• Interim patches (a.k.a. “one-off” or emergency patches)
Real Examples
Database
• Database 10.2.0.4 patchset released in February 2008
• Database 10.2.0.3 patchset supported until February 2009
• All previous patchsets (e.g. 10.2.0.2) desupported
Fusion Middleware
• Oracle Identity Management 10.1.4.3 patchset released in November 2008
• Oracle Identity Management 10.1.4.2 patchset supported until November 2009
• All previous patchsets (e.g. 10.1.4.0.1) desupported
Support Policy References
• Oracle Lifetime Support Policy: www.oracle.com/support/lifetime-support-policy.html
• Database, FMW, EM Grid Control, and OCS Software Error Correction Support Policy (Note 209768.1)
• Release Schedule of Current Database Patch Sets (Note 742060.1)
• Oracle Application Server 10g Release 2 (10.1.2) Support Status and Alerts (Note 329361.1)
Implications for E-Business Suite Users
Articles on blogs.oracle.com/stevenChan
• On Database Patching and Support: A Primer for E-Business Suite Users
• On Apps Tier Patching and Support: A Primer for E-Business Suite Users
External Application Tier Desupport Notices
• Discoverer 4i Oct 2006
• Login Server 3.0.9 July 2007
• Portal 3.0.9 July 2007
• Oracle Internet Directory 3.0.1 July 2007
• Oracle Application Server 10.1.2.2 (incl. Portal, Discoverer, WebCache) Mar 2009
• Single Sign-On / OID 10.1.4.2 Nov 2009
“Desupport” = “End of Premier Support”
Certification Roadmap
The following is intended to outline our general
product direction. It is intended for information
purposes only, and may not be incorporated into any
contract. It is not a commitment to deliver any
material, code, or functionality, and should not be
relied upon in making purchasing decisions.
The development, release, and timing of any
features or functionality described for Oracle’s
products remains at the sole discretion of Oracle.
Future Application Tier Certifications
E-Business Suite Release 11i
• Developer6i Forms Patchset 20
E-Business Suite Release 12
• SOA Suite 10.1.3.5
• BPEL 10.1.3.5
• OC4J 10.1.3.5
• Web Center 11g
Both 11i & 12
• Oracle Access Manager 10gR3 (direct integration with EBS)
• Oracle Internet Directory 11g
• Discoverer 11g
• Portal 11g
• Web Cache 11g
• Java SE (JDK) 7
Oracle Access Manager & Oracle Internet Directory
[Diagram: User; E-Business Suite Application Server; E-Business Suite Database; Oracle Access Manager 10gR3; Oracle Internet Directory 10g or 11g; OID LDAP Directory]
Still Bubbling in the Labs
• Generate portlets based on selected OA Framework regions (R12 only)
• Server-level configuration of authentication mechanism (i.e. different authentication tools for internal vs. external users)
The preceding is intended to outline our general
product direction. It is intended for information
purposes only, and may not be incorporated into any
contract. It is not a commitment to deliver any
material, code, or functionality, and should not be
relied upon in making purchasing decisions.
The development, release, and timing of any
features or functionality described for Oracle’s
products remains at the sole discretion of Oracle.
OracleAS + E-Business Suite Resources
• Application Server + 11i FAQ Note 186981.1
• 11i Documentation Roadmap Note 207159.1
• Application Server + R12 FAQ Note 415007.1
• R12 Documentation Roadmap Note 380482.1
E-Business Suite Technology Stack Blog
• Direct from EBS Development
• Latest EBS techstack news
• Certification announcements
• Primers, FAQs, tips
• Desupport reminders
• Advanced architectures
• Statements of Direction
• Early Adopter Programs
• Subscribe via email & RSS
blogs.oracle.com/stevenChan