Using Fusion Middleware with Oracle E-Business Suite
Steven Chan
Senior Director, Applications Technology Integration
Topics
• Supported Optional External Integrations
• In-Depth: Enabling Single Sign-On
• In-Depth: Third-Party Access Managers & LDAP Directories
• Case Studies
• Certification Roadmap
Last updated: Oct 14, 2009
Optional External Integrations
Simple Architecture
[Diagram labels: External Users (via VPN), Internal Users, Intranet, Firewall, Firewall, E-Business Suite Application Server, E-Business Suite Database, Oracle Application Server]
Oracle Application Server
• Portal
• Single Sign-On
• Oracle Internet Directory
• Discoverer
• Other Fusion Middleware Components
11i 12
E-Business Suite Integration with OracleAS 10g
11i
• Runs Oracle9i Application Server 1.0.2.2.2 on mid-tier
• Runs Release 11i application-tier services such as Forms, Jserv
• Integrated with an external stand-alone Oracle Application Server 10g instance for optional services (e.g. Single Sign-On)
12
• Runs Oracle Application Server 10g on mid-tier
• Runs Release 12 application-tier services such as Forms, OC4J
• Integrated with an external stand-alone Oracle Application Server instance for optional services (e.g. Single Sign-On)
Distributed Architecture
[Diagram labels: External Users, Internal Users, Internet, Reverse Proxy, Firewall (three), External EBS Server, Internal EBS Server, EBS Database, Single Sign-On 10g, Portal 10g, Oracle Internet Directory Server 10g, OracleAS 10g Infrastructure Database]
11i 12
OracleAS 10g Integration Options
1. Access Apps via Oracle Single Sign-On
2. Access Apps via Oracle Access Manager
3. Manage users with Oracle Internet Directory
4. Build enterprise mashups with Oracle Web Center
5. Design custom portals with Oracle Portal
6. Analyse data with Discoverer
7. Analyse data with Business Intelligence Applications
8. Accelerate performance with WebCache
9. Integrate applications via Oracle SOA Suite
10. Integrate with third-party sign-on tools
11. Integrate with third-party LDAPs
12. Search EBS content with Secure Enterprise Search
11i 12
External Fusion Middleware Certifications
Oracle Application Server 10g Module: Release 11i / Release 12
• Single Sign-On: 10.1.4.3 / 10.1.4.3
• Oracle Internet Directory: 10.1.4.3 / 10.1.4.3
• Portal: 10.1.4.2 / 10.1.4.2
• Discoverer: 10.1.2.3 / 10.1.2.3
• Business Intelligence (EE+): 10.1.3.4 / 10.1.3.4
• Web Cache: 10.1.2.3 / 10.1.2.3
• Oracle SOA Suite (SOA development): 11.1.1.1 / 11.1.1.1
• Secure Enterprise Search: 10.1.8.4 / 10.1.8.4
• Business Intelligence Applications: 7.9.6 / 7.9.6
• BPEL (prepackaged SOA integrations): 10.1.3.4
• Web Center: 10.1.3.4
Other Security-Related Certifications
Certified by Fusion Middleware Product Teams
11i / 12
• Access Manager via OSSO: 10.1.4.3 / 10.1.4.3
• Identity Manager: 9.1.0.0 / 9.1.0.0
• Enterprise Single Sign-On: 10.1.4.0.1 / 10.1.4.0.1
• Identity Federation via OSSO: 11.1.1.1 / 11.1.1.1
• Oracle Virtual Directory via OID: 11.1.1.1 / 11.1.1.1
Access Apps via Oracle Single Sign-On
• E-Business Suite is a Single Sign-On partner application
• Log on to Oracle Single Sign-On to get access to all registered partner applications, including EBS
• Log off any one partner application to log off all of them
[Diagram labels: User, Single Sign-On 10g, E-Business Suite Application Server]
11i 12
Access Apps via Oracle Access Manager
• Chain Oracle Access Manager with Oracle Single Sign-On
• Support complex third-party single sign-on architectures
[Diagram labels: Oracle Access Manager, Oracle Single Sign-On, E-Business Suite]
11i 12
Manage Users in Oracle Internet Directory
• Synchronise user credentials bidirectionally between Oracle Internet Directory and E-Business Suite (FND_USER)
• Set master “source of truth” as OID, EBS, or both
• Manage user provisioning via powerful OID Directory Integration & Provisioning (DIP) templates
• Link an OID userid with one or more EBS userids “on-the-fly”
[Diagram labels: E-Business Suite FND_USER, Oracle Internet Directory, DIP, DBMS_LDAP]
11i 12
Provision Users with Oracle Identity Manager
• Use Oracle Identity Manager as a provisioning hub with third-party user directories and applications
• Many connectors available, including OID, E-Business Suite’s FND_USER and HRMS directories
[Diagram labels: E-Business Suite, Oracle Identity Manager, OID, LDAP, LDAP]
11i 12
Build Enterprise Mashups using Web Center
• Build websites, collaborative applications, and enterprise mashups in Web Center
• Add EBS portlets via WSRP 1.0 / JSR-168
• Access one or more E-Business Suite instances
• Display data in EBS portlets based on EBS responsibilities
12
[Diagram labels: WebCenter 10g, E-Business Suite, PeopleSoft, Dashboards, Mashups]
Using Web Center Extension in JDeveloper 12
Design Custom Portals using Oracle Portal
• Single Sign-On is a prerequisite
• Access one or more E-Business Suite instances from Oracle Portal
• Add EBS portlets to custom Portal pages via JPDK
• Display data in EBS portlets based on EBS responsibilities
[Diagram labels: Oracle Portal 10g, E-Business Suite, Apps Portlets]
11i 12
E-Business Suite Portlets
• Applications Navigator: Access Applications menus based on user responsibilities
• Applications Favorites: Bookmark specific Applications links for quick access
• Applications Worklist: Summary of current workflow notifications
• Oracle Balanced Scorecard: Display status of strategic and tactical business objectives
• Performance Management Viewer: Display business intelligence key performance indicators in graphical and tabular format
11i 12
11i
Apps Portlets in Third-Party Portals
WSRP 1.0 & JSR-168 compatible portlets:
• Application Navigator portlet
• Application Favorites portlet
• Application Worklist portlet
May be used in third-party portals
12
Custom Portlets for Release 12
• Create custom portlets from selected Release 12 OAF Page Regions
• WSRP 1.0 / JSR-168 compliant
• Oracle Application Framework Developer's Guide Release 12 (Metalink Note 394780.1, Chapter 4, Portlets)
12
Analyse EBS with BI Applications
• Analytic dashboards running on Oracle Business Intelligence Suite Enterprise Edition Plus
• Extracts data to external data warehouse
• Runs on separate cluster for enhanced scalability, wide deployment
[Diagram labels: User, OBIEE, OBIEE Data Warehouse]
11i 12
Analyse EBS with BI Applications
• Provide end-user reporting via ad hoc queries
• Drill-down into data via tabular & graphical analytical tools
• Consolidates data from Siebel CRM, PeopleSoft Enterprise
11i 12
Analyse EBS with Discoverer 10g
• Access APPS_MODE End-User Layer via Business Intelligence System Discoverer workbooks secured by Applications responsibilities
• Discoverer 10g End-User Layer resides in E-Business Suite database
• Run Discoverer on separate cluster for enhanced scalability, wide deployment
[Diagram labels: User, Discoverer, E-Business Suite End-User Layer]
11i 12
Why Upgrade Discoverer 4i to 10g?
It’s better
• Automatic SQL trimming, per user memory caps, faster, new features
It’s safe
• Installation upgrades a copy of 4i End-User Layer to 10g
It’s low-impact
• TIP: Run Discoverer 4i and 10g on different physical servers to avoid Visibroker conflicts
• Compare 4i and 10g workbooks side-by-side for User Acceptance Tests
It’s free
• Your existing Business Intelligence product license includes 10g
It’s necessary
• Discoverer 4i was desupported on October 31, 2006
Upgrade now to avoid Support issues
Tasty Carrots Big Stick
11i
Accelerate Performance with WebCache
• Cache and compress frequently used items
• Secured data (i.e. requiring authorization) is not cached
• Reduce network consumption and accelerate response time
• Can act as a reverse-proxy server or load-balancer
• Partial page refresh supported for Portal
[Diagram labels: User, WebCache 10g, E-Business Suite Application Server]
11i 12
Integrate EBS with Third-Party Apps
• Build integrations via Service Oriented Architecture (SOA) technologies
• Over 250 adapters for Enterprise Application Integration J2EE and open standards-based integration, including:
  • E-Business Suite, third-party applications, database sources
  • XML, JMS, JCA
  • Web Services: SOAP, WSDL, UDDI
  • B2B Protocols: RosettaNet, HIPAA, EDI
[Diagram labels: E-Business Suite, Other Applications, Oracle SOA Suite]
11i 12
Integrate with EBS using BPEL
11i 12
Use Oracle BPEL Process Manager to integrate third-party applications via custom business processes
Monitor Business Processes with Business Activity Monitor
11i 12
Single Sign On Integration
Authentication vs. Authorization
Authentication (Oracle Single Sign-On)
• Identifies the user
• Checks user credentials
Authorization (E-Business Suite)
• Identifies data & actions the user can access
• Checks user responsibilities
How Single Sign-On Works with EBS
• Unauthenticated users are automatically redirected to Oracle Single Sign-On 10g
[Diagram: EBS Application Server … delegates user authentication to … Oracle Single Sign-On 10g]
How Single Sign-On Works with EBS: Overview
[Diagram labels: User, E-Business Suite Application Server, E-Business Suite Database, Single Sign-On 10g, Oracle Internet Directory 10g, OracleAS 10g OID LDAP Directory]
How Single Sign-On Works with EBS
• Step 1: Unauthenticated user attempts to access the E-Business Suite
• Step 2: E-Business Suite redirects user to Single Sign-On 10g for authentication
• Step 3: Single Sign-On challenges the user with a logon form
• Step 4: User provides her credentials via the logon form
• Step 5: Single Sign-On passes user credentials to Oracle Internet Directory for validation
• Step 6: Oracle Internet Directory authenticates the user credentials against the OracleAS 10g OID LDAP Directory (in the OracleAS 10g Metadata Repository)
• Step 7: Single Sign-On provides the authenticated user with a security token
• Step 8: User is redirected to E-Business Suite, which accepts the SSO security token as proof of an authenticated user
• Step 9: E-Business Suite’s application server checks the user’s authorization (i.e. Apps responsibilities) in FND_USER
• Step 10: E-Business Suite issues its own Apps security tokens to the user, redirecting her to the requested Apps module
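A simplified model of steps 1 to 10 above, added here as an illustration and not Oracle's code or token format. The HMAC-signed token, the shared key, the expiry field, the function names and the sample user and responsibilities are all assumptions made for the example.

```python
import hashlib, hmac, os, secrets

SSO_KEY = secrets.token_bytes(32)  # assumption: key shared by SSO and its partner app

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def _mac(body):
    return hmac.new(SSO_KEY, body.encode(), hashlib.sha256).hexdigest()

# Constructed sample data: one directory entry and one set of responsibilities.
_SALT = os.urandom(16)
OID_DIRECTORY = {"jsmith": (_SALT, _pw_hash("correct horse", _SALT))}
FND_USER = {"jsmith": {"General Ledger"}}
APPS_SESSIONS = {}  # Apps security tokens issued by EBS in step 10

def oid_validate(user, password):
    """Steps 5-6: the directory checks the credentials (authentication)."""
    entry = OID_DIRECTORY.get(user)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(stored, _pw_hash(password, salt))

def sso_logon(user, password, now, ttl=300):
    """Steps 3-7: SSO takes the logon form input and issues a signed token."""
    if not oid_validate(user, password):
        return None
    body = f"{user}|{now + ttl}"
    return f"{body}|{_mac(body)}"

def _sso_user(token, now):
    """Step 8: EBS trusts the token only if the MAC verifies and it is unexpired."""
    body, _, mac = (token or "").rpartition("|")
    if not hmac.compare_digest(mac.encode(), _mac(body).encode()):
        return None
    user, _, expiry = body.partition("|")
    return user if user and int(expiry) > now else None

def ebs_request(responsibility, sso_token=None, now=0):
    """Steps 1-2 and 8-10 as seen by the EBS application server."""
    user = _sso_user(sso_token, now)
    if user is None:
        return ("redirect", "single-sign-on")   # steps 1-2: not authenticated
    if responsibility not in FND_USER.get(user, set()):
        return ("denied", user)                 # step 9: authenticated, not authorized
    apps_token = secrets.token_hex(16)          # step 10: EBS issues its own token
    APPS_SESSIONS[apps_token] = user
    return ("ok", apps_token)
```

A valid SSO token for a user without the requested responsibility yields "denied" rather than a redirect, which is the authentication/authorization split the slides describe.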
Oracle Internet Directory Integration
• Oracle Internet Directory and FND_USER must be kept synchronised
• Supported synchronisation directions:
  • From OID to FND_USER (Asynchronous via the Directory Integration & Provisioning Platform)
  • From FND_USER to OID (Synchronous via dbms_ldap calls)
  • Bidirectionally
• Synchronisation events are raised via the Workflow-based Business Event System whenever users are added or modified
[Diagram labels: E-Business Suite FND_USER, Oracle Internet Directory, DIP, DBMS_LDAP]
Link Accounts
[Diagram: Oracle Internet Directory Userid = “John.Smith” and E-Business Suite (FND_USER) Userid = “jsmith”, joined by a “Link Account” Global Unique Identifier (GUID)]
One-time User Registration
• Done at setup time by system administrator
• Optional: can be done by end-user on first logon (“Link on the fly”)
• Useful when existing accounts in Oracle Internet Directory 10g or a third-party LDAP directory differ from existing E-Business Suite accounts
Link to Multiple EBS Accounts
• Note: It’s not possible to link multiple OID accounts to the same EBS account
[Diagram: Oracle Internet Directory Userid = “John.Smith” joined by “Link Account” to E-Business Suite (FND_USER) Userids “jsmith”, “testuser1” and “testuser2”]
Supported 3rd Party Identity Management Integrations
Third-Party Single Sign-On Integration
[Diagram: EBS Application Server … delegates user authentication to … Oracle Single Sign-On 10g … delegates user authentication to … Third-Party SSO]
Supported Third-Party SSO Integrations
Integrate Oracle Single Sign-On with
• Windows Native Authentication via Kerberos
• CA Entrust, CA Netegrity, IBM Tivoli, RSA
• PKI X.509v3 Digital Certificates
• Biometric and smartcard systems
• Other SSO systems via custom adapters
• Oracle Identity Federation
  • Formerly Oblix COREid Federation
  • SAML, WS-Federation, Liberty Alliance
• Oracle Access Manager
  • Formerly Oblix COREid Access & Identity
If you already have a third-party LDAP…
[Diagram: Third-Party LDAP … synchronizes user attributes with … Oracle Internet Directory 10g … synchronizes user attributes with … E-Business Suite DB (FND_USER)]
Available Oracle Internet Directory Connectors
• Microsoft Active Directory 2000/2003
• Microsoft Active Directory Application Mode (ADAM) 2003
• Microsoft Exchange 2000/2003
• Sun Java System Directory (Sun ONE / iPlanet) 5.2, 6.3
• Novell eDirectory 8.6 / 8.7
• OpenLDAP 2.2
• Any LDAP directory via LDIF files
• Any other directory via custom DIP agent
• Oracle Identity Manager
  • Formerly Thor Xellerate Identity Provisioning
  • Also integrates directly with E-Business Suite FND_USER & HRMS
• Oracle Virtual Directory
  • Formerly OctetString Virtual Directory Engine
Passwords Stored in Third-Party LDAP
[Diagram: E-Business Database (FND_USER), Oracle Internet Directory and Third-Party LDAP (optional), each labelled User and Password; two of the three Password labels are crossed out]
• Third-party LDAP:
  • Handles user authentication, usually with a third-party authentication solution
  • Commonly considered “Master” source-of-truth
• Oracle Internet Directory and E-Business Suite take minimal copies of master user definition -- excluding passwords
• E-Business Suite doesn’t maintain user passwords in this configuration
How 3rd Party Identity Management Integrations Work
Third-Party Integration Architecture
[Diagram labels: End User, Third-Party SSO, Third-Party LDAP, Single Sign-On 10g, Oracle Internet Directory 10g, EBS Application Server, EBS Database (FND_USER)]
User Logs onto Third-Party System
• Step 1. User provides userid & password to third-party single sign-on system
Third-Party Authenticates User
• Step 2. Third-party single sign-on sends user’s credentials to third-party LDAP for authentication
Third-Party Grants User Access
• Step 3. Third-party single sign-on provides authenticated user with third-party security token
Logged-On User Attempts EBS Access
• Step 4. User attempts to access E-Business Suite, and is redirected to Oracle Single Sign-On 10g
Oracle SSO Grants User Access
• Step 5. Oracle Single Sign-On recognizes the third-party security token, then issues its own
EBS Grants User Access
• Step 6. User is redirected back to E-Business Suite, which recognizes the SSO security token and issues its own
Case Studies
Deployed Widely in Production
• Amdocs (Israel)
• Alcoa (Europe)
• Applied Materials (Israel)
• Atento (Norway)
• Berwind Pharmaceuticals (USA)
• Bunnings (Australia)
• CapGemini / Councils Online (Australia)
• Central Bank of Nigeria
• Cisco Systems
• Cox Communications (USA)
• Fiera Milano (Italy)
• General Dynamics Land Sys
• General Electric (USA)
• Google (USA)
• Guandong Unicom (China)
• Inter-Arab Investment Guarantee (Kuwait)
• International Enterprises (Singapore)
• International Institute for Applied Systems Analysis (Austria)
• Ireland Dept of Defence
• Kansas State University
• Libgo Travel (USA)
• Mitac (Taiwan)
• Phoenix Technologies (USA)
• Putrajaya (Malaysia)
• Telecom Italia Mobile (Italy)
• Texas Instruments (USA)
• Universal Weather & Aviation (USA)
• Wind River Systems (USA)
• World Wide Technology
These are not customer references
Integration with Microsoft Active Directory Only
[Diagram labels: End User, Single Sign-On 10g, Oracle Internet Directory 10g, Microsoft Active Directory, EBS Application Server, EBS Database (FND_USER)]
Integration with Microsoft Active Directory & Kerberos
[Diagram labels: End User, Microsoft Windows Native Authentication via Kerberos, Microsoft Active Directory, Single Sign-On 10g, Oracle Internet Directory 10g, EBS Application Server, EBS Database (FND_USER)]
Internal / External Configuration
[Diagram labels: External Users, Internal Users, Internet, Reverse Proxy, Firewall (three), External 9iAS 1.0.2 Server, Internal 9iAS 1.0.2 Server, Shared 11i Filesystem, Release 11i Database, RAC 1, RAC 2, Single Sign-On 10g, Oracle Internet Directory Server 10g, OracleAS 10g Infrastructure Database]
Highly Available
[Diagram labels: External Users, Internal Users, Internet, Reverse Proxy, Firewall (three), HTTP LBR1, HTTP LBR2, Web Node 1, Web Node 2, Web Node 3, Web Node 4, LBR1, SSO Node 1, SSO Node 2, OID 1, OID 2, OracleAS 10g Infrastructure DB]
Desupport Notices
Updated E-Business Suite Baselines
E-Business Suite 12.0 baseline
• ATG Release Update Patch 6 (Patch 7237006)
• ATG Release Update Patch 4 (Patch 6272680)
E-Business Suite 11.5.10 baseline
• ATG Rollup Patchset 7 (Patch 6241631)
• ATG Rollup Patchset 6 (Patch 5903765)
New features, patches and certifications released for the current and previous ATG patchset (Note 363827.1)
New Support Policies for Technology Products
New patches released for
• Current patchset
• Previous patchset for 12 months after current patchset
Applies to
• Quarterly Critical Update Patches (security fixes)
• Patch bundles
• Interim patches (a.k.a. “one-off” or emergency patches)
Real Examples
Database
• Database 10.2.0.4 patchset released in February 2008
• Database 10.2.0.3 patchset supported until February 2009
• All previous patchsets (e.g. 10.2.0.2) desupported
Fusion Middleware
• Oracle Identity Management 10.1.4.3 patchset released in November 2008
• Oracle Identity Management 10.1.4.2 patchset supported until November 2009
• All previous patchsets (e.g. 10.1.4.0.1) desupported
Support Policy References
• Oracle Lifetime Support Policy: www.oracle.com/support/lifetime-support-policy.html
• Database, FMW, EM Grid Control, and OCS Software Error Correction Support Policy (Note 209768.1)
• Release Schedule of Current Database Patch Sets (Note 742060.1)
• Oracle Application Server 10g Release 2 (10.1.2) Support Status and Alerts (Note 329361.1)
Implications for E-Business Suite Users
Articles on blogs.oracle.com/stevenChan
• On Database Patching and Support: A Primer for E-Business Suite Users
• On Apps Tier Patching and Support: A Primer for E-Business Suite Users
External Application Tier Desupport Notices
• Discoverer 4i: Oct 2006
• Login Server 3.0.9: July 2007
• Portal 3.0.9: July 2007
• Oracle Internet Directory 3.0.1: July 2007
• Oracle Application Server 10.1.2.2 (incl. Portal, Discoverer, WebCache): Mar 2009
• Single Sign-On / OID 10.1.4.2: Nov 2009
“Desupport” = “End of Premier Support”
Certification Roadmap
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Future Application Tier Certifications
E-Business Suite Release 11i
• Developer 6i Forms Patchset 20
E-Business Suite Release 12
• SOA Suite 10.1.3.5
• BPEL 10.1.3.5
• OC4J 10.1.3.5
• Web Center 11g
Both 11i & 12
• Oracle Access Manager 10gR3 (direct integration with EBS)
• Oracle Internet Directory 11g
• Discoverer 11g
• Portal 11g
• Web Cache 11g
• Java SE (JDK) 7
Oracle Access Manager & Oracle Internet Directory
[Diagram labels: User, E-Business Suite Application Server, E-Business Suite Database, Oracle Access Manager 10gR3, Oracle Internet Directory 10g or 11g, OID LDAP Directory]
Still Bubbling in the Labs
• Generate portlets based on selected OA Framework regions (R12 only)
• Server-level configuration of authentication mechanism (i.e. different authentication tools for internal vs. external users)
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
OracleAS + E-Business Suite Resources
• Application Server + 11i FAQ: Note 186981.1
• 11i Documentation Roadmap: Note 207159.1
• Application Server + R12 FAQ: Note 415007.1
• R12 Documentation Roadmap: Note 380482.1
E-Business Suite Technology Stack Blog
• Direct from EBS Development
• Latest EBS techstack news
• Certification announcements
• Primers, FAQs, tips
• Desupport reminders
• Advanced architectures
• Statements of Direction
• Early Adopter Programs
• Subscribe via email & RSS
blogs.oracle.com/stevenChan