Wednesday, February 8, 2017

Integrating 11g Oracle Identity & Access Management with Oracle EBS

Pre-requisites:
  • Enterprise Linux 5.8 64 bit
  • Oracle Database 11.2.0.1
  • RCU for OID 11.1.1.7
  • OID 11.1.1.7
  • RCU for OAM 11.1.2.2
  • OAM 11.1.2.2
  • WebTier OHS 11.1.1.7
  • WebGate 11.1.2.2
  1. Install the 11gR2 Database (11.2.0.1)
  2. Ensure that all of the processes are running for the database (into which you plan to install Oracle Internet Directory).
  3. Before running RCU 11.1.1.7.0, ensure that the database initialization parameter ‘Open_Cursors’ is set to a minimum of ‘500’.
  4. Run RCU 11.1.1.7.0 to create the necessary database schema: In the ‘Select Component’ page: Expand ‘Identity Management’ and select only ‘Oracle Internet Directory’ (‘Oracle Identity Federation’ is not required)
  5. Install RCU 11.1.1.7
[Screenshots IDM_1 to IDM_10]

Install WebLogic Server 10.3.6 (Full Installer)
(Later, you will also install an Oracle Identity Management Oracle home inside this Oracle Middleware home).
Download Java 6 Update 35 or later.
Export JAVA_HOME pointing at that JDK before running the installer.
[Screenshots IDM_11 to IDM_20]

Install and Configure the Identity Management Products and Create a WebLogic Domain and Managed Server
[Screenshots IDM_21 and IDM_22]

During the configuration, in the ‘Configure Components’ screen:
• Select Oracle Internet Directory and Oracle Directory Integration Platform (the Oracle Directory Services Manager and Fusion Middleware Control management components are selected automatically for this installation),
i.e. UNSELECT ‘Oracle Identity Federation Components’ and UNSELECT ‘Oracle Virtual Directory’.
• Ensure that only ‘Oracle Internet Directory’ and ‘Oracle Directory Integration Platform’ are selected and click Next.
• In the ‘Installation Summary’ screen, ensure that only the following are in the list of ‘Applications Selected for Configuration’:
a. Oracle Internet Directory
b. Oracle Directory Integration Platform
c. Enterprise Manager
d. Oracle Directory Services Manager
Then click ‘Configure’.
[Screenshots IDM_21 to IDM_39]

Enforce Attribute Uniqueness for UID in Oracle Internet Directory 11gR1
Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server.
http://egtapp02:7001/odsm
(determine the port by examining the wls_ods1.url file at $MW_Home/user_projects/domains//servers/wls_ods1/data/nodemanager/wls_ods1.url)
[Screenshots IDM_40 to IDM_43]

Click on the ‘Advanced’ tab.
Expand ‘Attribute Uniqueness’ in the left pane (bottom of the left frame).
Click on the left hand ‘Create an attribute uniqueness constraint’ icon (below the ‘Attribute Uniqueness’ heading).
The New Constraint window is displayed.
Enter the following values to ensure that the UID field is unique in Oracle Internet Directory:
Enter ‘UID_UNIQUE’ in ‘Attribute Uniqueness Constraint Name’
Ensure that ‘Enable Unique Attribute’ is checked (i.e. Yes)
Enter ‘uid’ in ‘Unique Attribute Name’
Enter ‘inetorgperson’ in ‘Unique Attribute Objectclass’
Select ‘One Level’ in ‘Unique Attribute Scope’
Enter the Realm Distinguished Name (DN), e.g. ‘cn=Users,dc=us,dc=oracle,dc=com’, in ‘Unique Attribute Subtree’
Choose OK. The entry you just created appears in the list of attribute uniqueness constraint entries in the left frame.
Click on the ‘UID_UNIQUE’ name in the left frame (below ‘Attribute Uniqueness’) and the record is displayed in the main frame.
Click the ‘Apply’ button to apply this constraint. The constraint is enforced on add and modify operations from this point on, so entries that already share a uid must be found and fixed separately.
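As an added example (not part of the original post), the following Python script checks an LDIF export of the users subtree for the condition the UID_UNIQUE constraint enforces, so that duplicates already in the directory can be found before relying on the constraint. It runs on a constructed LDIF sample; the subtree DN, object class and One Level scope mirror the values entered above, and the Subtree scope is shown alongside for comparison. Two users whose uid values differ only in case count as a duplicate, since uid is matched case-insensitively in LDAP.

```python
"""Find uid values shared by more than one entry in an LDIF export.

Added example, not part of the original post. It checks the condition the
UID_UNIQUE constraint enforces (attribute uid, object class inetorgperson,
scope One Level under the realm users container) against existing data.
"""
import base64
from collections import defaultdict


def parse_ldif(text):
    """Parse LDIF into a list of (dn, {attr_lowercase: [values]}) tuples.

    Handles folded continuation lines (leading space) and base64 values
    ('attr:: ...'); comments and the version line are skipped.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = [], None
    for line in unfolded:
        if not line.strip():            # a blank line ends an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):       # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "dn":
            current = (value, defaultdict(list))
        elif current is not None:
            current[1][name].append(value)
    if current is not None:
        entries.append(current)
    return entries


def in_scope(dn, base, one_level=True):
    """True if dn lies below base; with one_level only direct children qualify.

    DN components are compared case-insensitively after trimming whitespace.
    Escaped commas inside RDN values are not handled (not needed for this check).
    """
    norm = lambda s: ",".join(p.strip().lower() for p in s.split(","))
    dn_n, base_n = norm(dn), norm(base)
    if dn_n == base_n or not dn_n.endswith("," + base_n):
        return False
    if not one_level:
        return True
    return "," not in dn_n[: -len(base_n) - 1]


def find_duplicate_uids(ldif_text, subtree, objectclass="inetorgperson", one_level=True):
    """Return {uid_lowercase: [dn, ...]} for every uid used by two or more entries.

    uid is compared case-insensitively, matching LDAP's caseIgnoreMatch rule.
    """
    seen = defaultdict(list)
    for dn, attrs in parse_ldif(ldif_text):
        if not in_scope(dn, subtree, one_level):
            continue
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if objectclass.lower() not in classes:
            continue
        for uid in attrs.get("uid", []):
            seen[uid.lower()].append(dn)
    return {uid: dns for uid, dns in seen.items() if len(dns) > 1}


# Constructed sample export; "uid:: SlNNSVRI" is base64 for "JSMITH".
SAMPLE_LDIF = """\
dn: cn=jsmith,cn=Users,dc=us,dc=oracle,dc=com
objectclass: person
objectclass: inetOrgPerson
cn: jsmith
uid: jsmith

dn: cn=john.smith,cn=Users,dc=us,dc=oracle,dc=com
objectclass: person
objectclass: inetOrgPerson
cn: john.smith
uid:: SlNNSVRI

dn: cn=adoe,cn=Users,dc=us,dc=oracle,dc=com
objectclass: person
objectclass: inetOrgPerson
cn: adoe
uid: adoe

dn: cn=contractor,cn=Contractors,cn=Users,dc=us,dc=oracle,dc=com
objectclass: person
objectclass: inetOrgPerson
cn: contractor
uid: adoe
"""

if __name__ == "__main__":
    base = "cn=Users,dc=us,dc=oracle,dc=com"
    print("One Level:", find_duplicate_uids(SAMPLE_LDIF, base))
    print("Subtree:  ", find_duplicate_uids(SAMPLE_LDIF, base, one_level=False))
```

With the One Level scope only jsmith/JSMITH is reported, because the contractor entry sits two levels down; with Subtree scope the shared uid adoe is reported as well, which is the difference the ‘Unique Attribute Scope’ choice makes.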
[Screenshots IDM_44 and IDM_45]

Configure Oracle Internet Directory to return operational attributes
Configure Oracle Internet Directory to return operational attributes for lookup requests. This modification adds the orclguid attribute to records returned by Oracle Internet Directory when queried by Oracle Access Manager, allowing these records to be mapped to others that are uniquely identified by orclguid. To make this modification, create an ldif file as detailed below and execute the command from the Oracle Home where Oracle Internet Directory is installed.
Create an ldif file (for example ‘change_attrs.ldif’) containing the following:
vi change_attrs.ldif
dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory
changetype: modify
add: orclallattrstodn
orclallattrstodn: orcladmin
Apply the change with ldapmodify, using the newly created ldif file:
$ORACLE_HOME/bin/ldapmodify -h egtapp02.ods.local -p 3060 -D cn=orcladmin -w Oracle_123 -v -f change_attrs.ldif
[Screenshot IDM_46]

Install Oracle Access Manager
Configure OAM Schema using RCU 11.1.2.2
[Screenshots IDM_46 to IDM_57]

Install Oracle Access Manager 11.1.2.2
[Screenshots IDM_58 to IDM_64]

Configure OAM Domain
[Screenshots IDM_65 to IDM_79]

Configure Security Store for OAM Domain to Database
Create the DB security store. This is a mandatory step before the Admin Server of the OAM domain can start.
Configure the OAM domain to use the database as its security store with the -m create option, for example:
. $DOMAIN_HOME/bin/setDomainEnv.sh
cd $MW_HOME/oracle_common/common/bin
./wlst.sh /u01/weblogic/fmw/Oracle_IAM1/common/tools/configureSecurityStore.py -d /u01/weblogic/fmw/user_projects/domains/IAMDomain/ -c IAM -m create -p Oracle_123
[Screenshots IDM_80 to IDM_82]

Upgrade OPSS schema
[Screenshots IDM_90 and IDM_83 to IDM_89]

Create boot.properties to start the WebLogic Administration and Managed Server
Create boot.properties for the managed server oam_server1:
mkdir -p /u01/weblogic/fmw/user_projects/domains/IAMDomain/servers/oam_server1/security
cd /u01/weblogic/fmw/user_projects/domains/IAMDomain/servers/oam_server1/security
vi boot.properties
username=weblogic
password=Oracle_123
Create boot.properties for the Admin Server:
mkdir -p /u01/weblogic/fmw/user_projects/domains/IAMDomain/servers/AdminServer/security
cd /u01/weblogic/fmw/user_projects/domains/IAMDomain/servers/AdminServer/security
vi boot.properties
username=weblogic
password=Oracle_123
WebLogic encrypts the username and password values in boot.properties the first time the server starts with them; until then they are stored in clear text, so restrict the file to the WebLogic OS user (for example chmod 600 boot.properties).
Start the WebLogic Admin Server and the managed server (oam_server1).
[Screenshot IDM_91]
tail -f nohup.out
[Screenshots IDM_92 and IDM_93]
tail -f nohup.out
[Screenshot IDM_94]

Configure Identity Store
Oracle E-Business Suite requires Oracle Internet Directory as the identity store. To set up Oracle Internet Directory as the identity store for Oracle E-Business Suite, create a dedicated Oracle Internet Directory identity store for Oracle E-Business Suite.
Logon to the OAM Console
http://egtapp02:7002/oamconsole
[Screenshot IDM_95]

Create User Identity Store
In the OAM Console, under the Launch Pad, navigate to Configuration > User Identity Stores
Click the “*” (Create) icon under the ‘OAM ID Stores’
In the window that opens, enter the attributes for your new identity store, for example:
Store Name- EBSIdStore
Store Type- OID: Oracle Internet Directory
Description- Directory for Oracle E-Business Suite Application
Location- egtapp02:3060
Bind DN- cn=orcladmin
Password- Oracle_123
User Name Attribute- uid
User Search Base- cn=Users,dc=ods,dc=local
Group Search Base- cn=Groups,dc=com
[Screenshots IDM_96 to IDM_99]

Create Authentication Module
In the OAM Console, under the Launch Pad, navigate to Access Manager > Authentication Modules
Click the “*” (Create Authentication Module) icon > Select ‘Create LDAP Authentication Module’ from the drop-down:
Enter the following information in the Create LDAP Authentication Module region, and click Apply:
Name = LDAP_EBS
User Identity Store = EBSIdStore
[Screenshots IDM_100 to IDM_102]

Create Authentication Scheme
In the OAM Console, under the Launch Pad, navigate to Access Manager > Authentication Schemes
Click the “*” (Create Authentication Scheme) icon.
Enter the following information in the Authentication Schemes region, and click Apply:
Name = EBSAuthScheme
Description = Authentication Scheme for E-Business Suite
Authentication Level = 2
Default =
Challenge Method = FORM
Challenge Redirect URL = /oam/server/
Authentication Module = LDAP_EBS
Challenge URL = /pages/login.jsp
Context Type = default
Context Value = /
[Screenshots IDM_103 to IDM_105]

Registering Oracle E-Business Suite Release 12 with Oracle Internet Directory 11gR1
Oracle E-Business Suite must be integrated with OID so that users can be synchronized between FND_USER (in E-Business Suite) and the users in OID. EBS-OID synchronization can be configured in one of the following four ways:
a) OID to EBS: users are synchronized from OID to E-Business Suite
b) EBS to OID: users are synchronized from E-Business Suite to OID
c) EBS to OID and OID to EBS (two way): users are synchronized in both directions, i.e. from OID to E-Business Suite and from E-Business Suite to OID
d) Bi-directional but no creation: users are synchronized in both directions, but if a user is missing in one of the two systems it will not be created there.
For EBS 12.1.1, apply the following additional patches on the EBS middle tier:
Patch 7651166 and 12408233
Register Instance
$FND_TOP/bin/txkrun.pl -script=SetSSOReg -registerinstance=yes -infradbhost=egtapp02 -ldapport=3060 -ldapportssl=3061 -ldaphost=egtapp02 -oidadminuser=cn=orcladmin -oidadminuserpass=Oracle_123 -appspass=apps
[Screenshot IDM_106]

Register OID
$FND_TOP/bin/txkrun.pl -script=SetSSOReg -registeroid=yes -ldaphost=egtapp02 -ldapport=3060 -oidadminuser=cn=orcladmin -oidadminuserpass=Oracle_123 -appspass=apps -instpass=Oracle_123 -appname=VIS -svcname=VIS -provisiontype=1 -dbldapauthlevel=0
[Screenshot IDM_107]

Verify the registration in the E-Business Suite database:
SELECT PREFERENCE_NAME, PREFERENCE_VALUE FROM APPS.FND_USER_PREFERENCES WHERE MODULE_NAME='LDAP_SYNCH';
SELECT * FROM fnd_user_preferences WHERE user_name='#INTERNAL' AND module_name='OID_CONF';
If the second query returns no rows, run the following in SQL*Plus and re-check:
execute fnd_oid_plug.setPlugin;
Install and Configure WebGate on the WebTier
Run the WebTier 11g Installer to install and configure Oracle HTTP Server.
Run the WebGate 11g Installer to install WebGate 11g.
Execute deployWebgateInstance.sh and EditHttpConf to associate WebGate with the WebTier (see below).
Install OHS WebTier 11.1.1.7
[Screenshots IDM_108 to IDM_118]

Install OAM WebGate 11.1.2.2
[Screenshots IDM_119 to IDM_124]

Deploy WebGate
Set the OHS environment:
[Screenshot IDM_125]

cd /u01/weblogic/fmw/Oracle_OAMWebGate1/webgate/ohs/tools/deployWebGate
./deployWebGateInstance.sh -w /u01/weblogic/fmw/Oracle_WT1/instances/instance1/config/OHS/ohs1 -oh /u01/weblogic/fmw/Oracle_OAMWebGate1
[Screenshot IDM_126]

Set LD_LIBRARY_PATH
[Screenshots IDM_127 and IDM_128]

Register the WebGate Agent with Oracle Access Manager
After installing the WebGate on the WebTier, you also need to register the WebGate agent.
Follow the steps below to register the WebGate agent on the machine where Oracle Access Manager is installed, using the oamreg tool that is available in the <Oracle_IAM>/oam/server/rreg directory:
. oam.env
cd $MW_HOME/iam/oam/server/rreg/input/
cp OAM11GRequest_short.xml VIS.xml
[Screenshots IDM_129 and IDM_130]

Create a new file named VIS.oam.conf to serve as the URIs file for the oamreg tool.
[Screenshots IDM_131 and IDM_132]

cd $MW_HOME/iam/oam/server/rreg
./bin/oamreg.sh inband input/VIS.xml
When prompted for the admin username and password, enter the credentials for your Oracle Access Manager administrator, by default the user “weblogic”.
You may optionally set a password for your WebGate.
When prompted “Do you want to import an URIs file?(y/n)”, enter “y”.
Enter the full path of the URIs file that you just created, i.e. <RREG_Home>/input/VIS.oam.conf.
The script outputs Success INFO messages and should complete with a Request summary.
[Screenshot IDM_133]

Copy the generated registration artifacts to your WebTier
[Screenshot IDM_134]
Verify registration using OAM Console
Logon to the OAM Console
Verify that the following artifacts are now visible in the OAM Console, under Launch Pad:
Access Manager section > Click on SSO Agents > Under Webgates tab > Search for {Identifier for your WebGate}
Access Manager section > Click on Host Identifiers > Search for {Identifier for your WebGate}
Access Manager section > Click on Application Domains > Search for {Identifier for your WebGate}
[Screenshots IDM_135 to IDM_137]

Test WebGate
[Screenshot IDM_138]
Access a public resource:
[Screenshot IDM_139]
Access a protected resource. You should be redirected to the OAM login page.
Set Authentication Scheme
Log in to the OAM Console > Application Domains > VIS_agent > Authentication Policies > Protected Resource Policy.
Change the Authentication Scheme to EBSAuthScheme.
[Screenshot IDM_140]

Configure Response Headers
Oracle E-Business Suite integration with Oracle Access Manager uses two specific response headers. Configure Oracle Access Manager to set these response headers as follows.
Add Response Headers to the Authentication Policies
In the OAM Console, under the Launch Pad, navigate to Access Manager > Application Domain > VIS_agent > Authentication Policies > Protected Resource Policy.
Click the Protected Resource Policy.
In the Authentication Policy configuration window, click on the Responses tab. Use the “+” icon and add the following two rows.
[Screenshot IDM_141]

Add Response Headers to the Authorization Policies
In the OAM Console, under the Launch Pad, navigate to Access Manager > Application Domain > VIS_agent > Authorization Policies > Protected Resource Policy.
Click the Protected Resource Policy.
In the Authorization Policy configuration window, click on the Responses tab. Use the “+” icon and add the same two rows.
[Screenshot IDM_142]

Test Response Headers
Test that Oracle Access Manager sets the response headers as specified, for example by adding the printenv script to your protected resources and accessing the script from your browser as an authenticated user. On a WebTier 11g you will find the printenv script in your $ORACLE_INSTANCE/config/OHS/ohs1/cgi-bin directory.
You may create a symbolic link and add this resource to your protected resources. For example:
cd $ORACLE_INSTANCE/config/OHS/ohs1/htdocs
ln -s ../cgi-bin cgi-bin
chmod 755 cgi-bin/printenv
Keep printenv reachable only as a protected resource and remove the link once testing is complete, since the script echoes every request header and server environment variable back to the caller.
[Screenshot IDM_143]
In the OAM Console, under the Launch Pad, navigate to Access Manager > Application Domain > Search for {Identifier for your WebGate} > Resources tab.
Click the “New Resource” button at the upper right hand side of the window.
Enter the following information in the Create Resource region, and click Apply:
[Screenshots IDM_144 to IDM_146]

Configure OAM to support long URLs
Long URLs may exceed the cookie size limit of your Internet browser. Configure Oracle Access Manager to support long URLs by changing serverRequestCacheType from COOKIE to FORM in the Oracle Access Manager configuration file $DOMAIN_HOME/config/fmwconfig/oam-config.xml:
<Setting Name="serverRequestCacheType" Type="xsd:string">FORM</Setting>
Restart the Admin and Managed servers to pick up the change.
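Added example, not from the original post: a small Python helper that makes the serverRequestCacheType change in oam-config.xml with xml.etree, keeps a backup of the file, records the previous value, and refuses to write if the setting is missing, ambiguous or not of Type xsd:string. The sample document below is constructed to mimic the Setting/Name/Type layout of the file; the container names around the setting are illustrative assumptions, not copied from a real installation.

```python
"""Change serverRequestCacheType in oam-config.xml safely.

Added example, not part of the original post. Locates the single
<Setting Name="serverRequestCacheType"> element, records the old value,
writes the new one and keeps a .bak copy of the file. The servers still
need a restart afterwards, as the post says.
"""
import shutil
import xml.etree.ElementTree as ET

SETTING_NAME = "serverRequestCacheType"


def _local(tag):
    """Strip any XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def find_settings(root, name):
    """Return every <Setting> element whose Name attribute equals `name`."""
    return [el for el in root.iter()
            if _local(el.tag) == "Setting" and el.get("Name") == name]


def get_setting_value(xml_text, name=SETTING_NAME):
    """Return the text of the setting, or None if it is absent or ambiguous."""
    matches = find_settings(ET.fromstring(xml_text), name)
    return (matches[0].text or "").strip() if len(matches) == 1 else None


def set_request_cache_type(xml_text, new_value="FORM"):
    """Return (updated_xml, old_value).

    Refuses to guess: exactly one matching Setting of Type xsd:string must
    exist, so an unexpected or corrupt file is never rewritten blindly.
    """
    root = ET.fromstring(xml_text)
    matches = find_settings(root, SETTING_NAME)
    if len(matches) != 1:
        raise ValueError(f"expected one {SETTING_NAME} Setting, found {len(matches)}")
    setting = matches[0]
    if setting.get("Type") != "xsd:string":
        raise ValueError(f"unexpected Type {setting.get('Type')!r} for {SETTING_NAME}")
    old_value = (setting.text or "").strip()
    setting.text = new_value
    return ET.tostring(root, encoding="unicode"), old_value


def update_file(path, new_value="FORM"):
    """Back up `path` to `path.bak`, rewrite it, and return the previous value."""
    shutil.copy2(path, path + ".bak")
    with open(path, encoding="utf-8") as fh:
        updated, old_value = set_request_cache_type(fh.read(), new_value)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0" encoding="UTF-8"?>\n' + updated + "\n")
    return old_value


# Constructed sample mimicking the Setting/Name/Type layout of oam-config.xml;
# the surrounding container names are illustrative, not taken from a real file.
SAMPLE_OAM_CONFIG = """<Configuration>
  <Setting Name="DeployedComponent" Type="htf:map">
    <Setting Name="Server" Type="htf:map">
      <Setting Name="serverRequestCacheType" Type="xsd:string">COOKIE</Setting>
      <Setting Name="exampleOtherSetting" Type="xsd:string">value</Setting>
    </Setting>
  </Setting>
</Configuration>
"""

if __name__ == "__main__":
    updated, old = set_request_cache_type(SAMPLE_OAM_CONFIG)
    print(f"{SETTING_NAME}: {old} -> {get_setting_value(updated)}")
```

Run update_file("$DOMAIN_HOME/config/fmwconfig/oam-config.xml") with the path expanded while the Admin and Managed servers are stopped, then start them so the new value is read; the returned old value lets you confirm the file really was on COOKIE before the edit.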
Create WebLogic Domain for Oracle E-Business Suite AccessGate
cd $WLHOME/common/bin
./config.sh
[Screenshots IDM_147 to IDM_156]

Download and extract Oracle E-Business Suite AccessGate
Download Oracle E-Business Suite AccessGate, available from Patch 18131618, and unzip it to $MW_HOME/appsutil/accessgate/VIS. For example:
mkdir -p $MW_HOME/appsutil/accessgate/myEBS
cd $MW_HOME/appsutil/accessgate/myEBS
unzip [location to patch 18131618]/p18131618_R12_GENERIC.zip
[Screenshots IDM_157 and IDM_158]

Copy oacleanup.html to WebTier
Copy the samplecleanup.html from $MW_HOME/appsutil/accessgate/VIS/sample to the /public directory that you created on your WebTier and rename the file to oacleanup.html.
$ORACLE_INSTANCE/config/OHS/ohs1/htdocs/public/oacleanup.html
[Screenshot IDM_159]

Access the page from your browser:
[Screenshot IDM_160]

You should be able to access this test page without authentication, because we specified this page in the URIs file during WebGate registration with Oracle Access Manager as public resource. At this point you will only see an empty page. We will use this URL when deploying E-Business Suite AccessGate in the next step.
Copy library
Copy the file $MW_HOME/appsutil/accessgate/{instance}/fndext.jar to your $DOMAIN_HOME/lib directory. For example:
cd $MW_HOME/appsutil/accessgate/myEBS
cp fndext.jar /d01/Oracle/Middleware/user_projects/domains/eag_domain/lib
Restart the Oracle WebLogic Server processes. This allows the Oracle WebLogic Server to include fndext.jar on the classpath during startup.
[Screenshot IDM_161]

Generate DBC file
Log in to the Oracle EBS machine (VIS) and generate a dbc file with the following command:
java oracle.apps.fnd.security.AdminDesktop apps/<apps password> CREATE \
  NODE_NAME=eaghost.example.com [IP_ADDRESS=<IP address of external application server>] \
  DBC=$FND_SECURE/VIS.dbc

[Screenshots IDM_162 and IDM_163]

Set Up Necessary Oracle E-Business Suite Users
Set up an Oracle E-Business Suite user with the role UMX|Apps Schema Connect, then log on locally to Oracle E-Business Suite as that user:
http://<ebshost>.<domain>:<port>/OA_HTML/AppsLocalLogin.jsp
If this user has just been created, you will be prompted on logon to Oracle E-Business Suite to reset the password. Reset the password.
Verify that you can successfully log on locally with the new password as the user with role UMX|Apps Schema Connect.
Navigate to the System Administrator responsibility > Security : Users > Define
Username- EBSADMIN
Password- Password1
Description- E-business AccessGate User
Switch to the User Management responsibility > Users
Search for the “EBSADMIN” user and click Update
On the Update User screen, click Assign Roles
On the next screen, select Role from the drop-down and search for “APPS%SCHEMA%”
Select the “APPS SCHEMA CONNECT ROLE”
Click Save
On the next screen, give a justification for the user as shown below and click Apply
After setting up the user, log on locally to Oracle E-Business Suite as the user with role UMX|Apps Schema Connect.
[Screenshots IDM_164 to IDM_166]

Deploy Oracle E-Business Suite AccessGate using txkEBSAuth.xml
Set the environment, for example:
. $MW_HOME/wlserver_10.3/server/bin/setWLSEnv.sh
Change to the directory where you installed Oracle E-Business Suite AccessGate in the previous step. For example:
cd $MW_HOME/appsutil/accessgate/VIS
Execute the txkEBSAuth.xml ant script to create your data source and deploy the Oracle E-Business Suite AccessGate Java application.
[Screenshot IDM_167]

ant -f txkEBSAuth.xml \
-Dwlshosturl=egtapp02.qia.local:7041 \
-Dwlsuser=weblogic \
-Dwlspwd=Oracle_123 \
-DdataSourceName=VIS \
-DdataSourceJNDIName=jdbc/VIS \
-DasadminUser=EBSADMIN \
-DasadminPassword=Oracle_123 \
-DdbcFile=/u01/weblogic/fmw/appsutil/accessgate/VIS/VIS_EGTAPP02.ODS.LOCAL.dbc \
-DserverName=eag_server1 \
-DdeploymentName=ebsauth_VIS \
-DcontextRoot=/ebsauth_VIS \
-DfndauthWarFile=/u01/weblogic/fmw/appsutil/accessgate/VIS/fndauth.war \
-DplanPath=/u01/weblogic/fmw/appsutil/accessgate/VIS/plan/Plan.xml \
-DSSOServerRelease=11 \
-DSSOServerURL=http://egtapp02.ods.local:14100 \
-DWebgateLogoutURL=http://egtapp02.ods.local:7780/public/oacleanup.html \
-DlogConfigFile=/u01/weblogic/fmw/appsutil/accessgate/VIS/sample/logging.properties
echoOFF:
getDataSourceDetails:
[input] skipping input as property dataSourceName has already been set.
[input] skipping input as property dataSourceJNDIName has already been set.
[input] skipping input as property dbcFile has already been set.
[input] skipping input as property asadminUser has already been set.
getASADMINPasswordWindows:
getASADMINPasswordUnix:
echoON:
[input] skipping input as property asadminPassword has already been set.
echoOFF:
getTargetServerDetails:
[input] skipping input as property serverName has already been set.
getDeploymentDetails:
[input] skipping input as property deploymentName has already been set.
[input] skipping input as property contextRoot has already been set.
[input] skipping input as property fndauthWarFile has already been set.
[input] skipping input as property planPath has already been set.
[input] skipping input as property dbcFile has already been set.
[input] skipping input as property dataSourceJNDIName has already been set.
getOAMDetails:
[input] skipping input as property WebgateLogoutURL has already been set.
[input] skipping input as property SSOServerRelease has already been set.
[input] skipping input as property SSOServerURL has already been set.
getAllParameters:
checkDBCExists:
checkWarExists:
checkFndextWarExits:
checkPlanDirExists:
all:
findOS:
getServerDetails:
[input] skipping input as property wlshosturl has already been set.
[input] skipping input as property wlsuser has already been set.
getWLSAdminPasswordWindows:
getWLSAdminPasswordUnix:
echoON:
[input] skipping input as property wlspwd has already been set.
echoOFF:
getDataSourceDetails:
[input] skipping input as property dataSourceName has already been set.
[input] skipping input as property dataSourceJNDIName has already been set.
[input] skipping input as property dbcFile has already been set.
[input] skipping input as property asadminUser has already been set.
getappsDBDetails:
[echo] DBC File is /u01/weblogic/fmw/appsutil/accessgate/VIS/VIS_EGTAPP02.QIA.LOCAL.dbc
[echo] APPS_JDBC_URL is APPS_JDBC_URL=jdbc\:oracle\:thin\:@(DESCRIPTION\=(ADDRESS_LIST\=(LOAD_BALANCE\=YES)(FAILOVER\=YES)(ADDRESS\=(PROTOCOL\=tcp)(HOST\=idm.ods.local)(PORT\=1525)))(CONNECT_DATA\=(SID\=VIS)))
[echo]
[echo] Following values are retrieved from DBC File:
[echo] SID/SERVICE:VIS
[echo] APPS_JDBC_URL:jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(LOAD_BALANCE=YES)(FAILOVER=YES)(ADDRESS=(PROTOCOL=tcp)(HOST=idm.ods.local)(PORT=1525)))(CONNECT_DATA=(SID=VIS)))
getASADMINPasswordWindows:
getASADMINPasswordUnix:
echoON:
[input] skipping input as property asadminPassword has already been set.
echoOFF:
getTargetServerDetails:
[input] skipping input as property serverName has already been set.
getDataSourceParameters:
checkDBCExists:
checkFndextWarExits:
createDataSource:
[echo] ********************************************************************
[echo] STEP 1: CREATING DATA SOURCE
[echo] ********************************************************************
[wlst] Connecting to server using username:weblogic url:egtapp02.ods.local:7041
[wlst] Connecting to t3://egtapp02.ods.local:7041 with userid weblogic ...
[wlst] Successfully connected to Admin Server 'AdminServer' that belongs to domain 'eag_domain'.
[wlst]
[wlst] Warning: An insecure protocol was used to connect to the
[wlst] server. To ensure on-the-wire security, the SSL port or
[wlst] Admin port should be used instead.
[wlst]
[wlst] Check if data source VIS already exits
[wlst]
[wlst]
[wlst] Check if JNDI Name jdbc/VIS already exists
[wlst]
[wlst] Changing to Edit Mode
[wlst] Location changed to edit tree. This is a writable tree with
[wlst] DomainMBean as the root. To make changes you will need to start
[wlst] an edit session via startEdit().
[wlst]
[wlst] For more help, use help(edit)
[wlst] You already have an edit session in progress and hence WLST will
[wlst] continue with your edit session.
[wlst]
[wlst] Starting an edit session ...
[wlst] Started edit session, please be sure to save and activate your
[wlst] changes once you are done.
[wlst]
[wlst] Creating data source : VIS
[wlst]
[wlst] Setting JDBCDataSourceParams for the data source VIS
[wlst]
[wlst] Setting JNDI name for the data source VIS
[wlst]
[wlst] Setting JDBCDriverParams for the data source VIS
[wlst]
[wlst] Setting User and dbcFile properties for the data source VIS
[wlst]
[wlst] Setting JDBCConnectionPoolParams for the data source VIS
[wlst]
[wlst] Setting GlobalTransactionsProtocol for the data source VIS
[wlst]
[wlst] Setting target for the data source VIS
[wlst]
[wlst] Saving all your changes ...
[wlst] Saved all your changes successfully.
[wlst] Activating all your changes, this may take a while ...
[wlst] The edit lock associated with this edit session is released
[wlst] once the activation is completed.
[wlst] Activation completed
[wlst] Successfully created data source VIS.
[wlst] Disconnected from weblogic server: AdminServer
findOS:
getServerDetails:
[input] skipping input as property wlshosturl has already been set.
[input] skipping input as property wlsuser has already been set.
getWLSAdminPasswordWindows:
getWLSAdminPasswordUnix:
echoON:
[input] skipping input as property wlspwd has already been set.
echoOFF:
getTargetServerDetails:
[input] skipping input as property serverName has already been set.
getDeploymentDetails:
[input] skipping input as property deploymentName has already been set.
[input] skipping input as property contextRoot has already been set.
[input] skipping input as property fndauthWarFile has already been set.
[input] skipping input as property planPath has already been set.
[input] skipping input as property dbcFile has already been set.
[input] skipping input as property dataSourceJNDIName has already been set.
getOAMDetails:
[input] skipping input as property WebgateLogoutURL has already been set.
[input] skipping input as property SSOServerRelease has already been set.
[input] skipping input as property SSOServerURL has already been set.
getDeploymentParameters:
checkWarExists:
checkDBCExists:
copyDeploymentPlan:
[echo] Copying fndauth_deployment_plan.tmp to /u01/weblogic/fmw/appsutil/accessgate/VIS/plan/Plan.xml
[copy] Copying 1 file to /u01/weblogic/fmw/appsutil/accessgate/VIS/plan
checkPlanDirExists:
creatPlandirAndWeblogicXML:
[touch] Creating /u01/weblogic/fmw/appsutil/accessgate/VIS/plan/plan/WEB-INF/weblogic.xml
checkPlanExists:
getAPPServerID:
updateDeploymentPlan:
[echo] Updating Deployment Plan
deployApplication:
[echo] ********************************************************************
[echo] STEP 2: DEPLOYING APPLICATION
[echo] ********************************************************************
[wlst] Connecting to server using username:weblogic url:egtapp02.ods.local:7041
[wlst]
[wlst] Connecting to t3://egtapp02.ods.local:7041 with userid weblogic ...
[wlst] Successfully connected to Admin Server 'AdminServer' that belongs to domain 'eag_domain'.
[wlst]
[wlst] Warning: An insecure protocol was used to connect to the
[wlst] server. To ensure on-the-wire security, the SSL port or
[wlst] Admin port should be used instead.
[wlst]
[wlst]
[wlst] Check if deployment ebsauth_VIS already exists.
[wlst]
[wlst] Location changed to serverRuntime tree. This is a read-only tree with ServerRuntimeMBean as the root.
[wlst] For more help, use help(serverRuntime)
[wlst]
[wlst]
[wlst]
[wlst]
[wlst] Deploying application to eag_server1
[wlst]
[wlst] Changing to Edit Mode
[wlst] Location changed to edit tree. This is a writable tree with
[wlst] DomainMBean as the root. To make changes you will need to start
[wlst] an edit session via startEdit().
[wlst]
[wlst] For more help, use help(edit)
[wlst]
[wlst] Starting an edit session ...
[wlst] Started edit session, please be sure to save and activate your
[wlst] changes once you are done.
[wlst] Deploying application from /u01/weblogic/fmw/appsutil/accessgate/VIS/fndauth.war to targets eag_server1 (upload=false) ...
[wlst]
[wlst] You have an edit session in progress, hence WLST will not
[wlst] block for your deployment to complete.
[wlst] Started the Deployment of Application. Please refer to the returned WLSTProgress object or variable LAST to track the status.
[wlst]
[wlst] Successfully deployed fndauth.war application.
[wlst]
[wlst] Saving all your changes ...
[wlst] Saved all your changes successfully.
[wlst] Activating all your changes, this may take a while ...
[wlst] The edit lock associated with this edit session is released
[wlst] once the activation is completed.
[wlst] Activation completed
[wlst] Disconnected from weblogic server: AdminServer
[wlst] <WLContext.close() was called in a different thread than the one in which it was created.>
BUILD SUCCESSFUL
Total time: 31 seconds
This creates the application ebsauth_VIS, which is now visible under Deployments in the WebLogic Console.
[Screenshot IDM_168]

Verify Oracle E-Business Suite AccessGate deployment
Logon to WebLogic Administration Console, for example:
In the WebLogic Administration Console, navigate to EAGdomain > Environment > Servers, and verify that the Oracle E-Business Suite AccessGate managed server “eag_server1” is running on the specified port, for example port 7043.
Navigate to EAGdomain > Deployments, and verify that the Oracle E-Business Suite AccessGate application named “ebsauth_VIS” is deployed, with State: Active and Health: OK.
Navigate to Services > DataSources, and verify that the DataSource that you created during deployment, for example “ebsDSVIS” exists, and is targeted to your managed server, for example eag_server1. Click on the data source to review its settings.
[Screenshot IDM_169]

In the Connection Pool tab, observe it has the correct values for Properties user and dbcFile that you specified during deployment in parameters -DasadminUser and -DdbcFile respectively.
[Screenshot IDM_170]

In the Monitoring tab, observe that the data source is enabled and running.
[Screenshot IDM_171]

Verify that you can access following Oracle E-Business Suite AccessGate URL from your browser, for example:
You should see an empty page at this point.
[Screenshot IDM_172]

Redirect HTTP Server to WebLogic Server for Oracle E-Business Suite AccessGate
Configure the HTTP server on which WebGate is running to act as a proxy for authentication requests for Oracle E-Business Suite resources. After a request for authentication is successfully handled by WebGate, the request will be processed by the Oracle E-Business Suite AccessGate application that is deployed on your WebLogic Server instance.
If you are using Oracle HTTP Server 11g, you will find the configuration for the mod_weblogic plugin in the mod_wl_ohs.conf file, which is included in httpd.conf by default.
Modify the file and include the configuration to redirect HTTP server requests to your WebLogic Server. For example:
<IfModule mod_weblogic.c>
    WebLogicHost egtapp02.ods.local
    WebLogicPort 7043
</IfModule>
<Location /ebsauth_VIS>
    SetHandler weblogic-handler
</Location>
[Screenshot IDM_173]

Restart your HTTP Server.
Verify that you can access following Oracle E-Business Suite AccessGate resource via your HTTP server and WebGate from your browser, for example:
You should be able to access this test page without authentication, because we specified the ssologout_callback resource in the URIs file during WebGate registration with Oracle Access Manager as public resource.
Your HTTP server will now act as a proxy and your Oracle E-Business Suite AccessGate application will process the request.
You should see an empty page at this point.
[Screenshot IDM_174]

Set Oracle E-Business Suite profile options
Set the following Oracle E-Business Suite profile options.
Application Authenticate Agent (APPS_AUTH_AGENT)
[Screenshot IDM_175]

Applications SSO Type (APPS_SSO)
[Screenshot IDM_176]

Applications Single Sign On Hint Cookie Name (APPS_SSO_HINT_COOKIE_NAME)
[Screenshot IDM_177]

Stop and restart the applications services on your Oracle E-Business Suite middle tier. Then stop and restart the Oracle WebLogic Server where Oracle E-Business Suite AccessGate is deployed.
Test Single Sign-On with Oracle E-Business Suite
You have completed integrating Oracle E-Business Suite with Oracle Access Manager 11.1.2 using Oracle E-Business Suite AccessGate.
Test single sign-on integration now.
Logon to Oracle E-Business Suite
You will be re-directed to your OAM single sign-on page. Login using valid OID user credentials. After successful authentication, you will be re-directed to your Oracle E-Business Suite home page.
[Screenshots IDM_178 and IDM_180]