SID # 283122 Leveraging enterprise identity management capabilities of Application Server 10g
with E-Business suite : A Customer Case Study
Arun Changamveetil, Sr. Principal Architect, Fujitsu Consulting
Michael Kron, Project Manager, Regal Beloit Corporation
Agenda
• Regal Beloit corporation
• Business requirement
• Current Architecture
• Various architecture options
• New Architecture
• Implementation steps
• Major road blocks
• Best Practices
• Business benefits
• Road to success
• Question and Answers
Regal-Beloit Corporation
Founded in 1955 ( Originally known as Beloit Tool )
Leading manufacturer of electrical and mechanical motion productions
11,000 employees
69 manufacturing and service /distribution facilities
# 1 fastest growing company in Wisconsin
USD $ 1.4 Billion net sales FY 2005
Acquired GE Motors in 2004
Visit us @ www.regalbeloit.com
Business Requirement
“We need to have a seamless environment for customers that are using i-Store, i-Supplier and i-Support modules of E Business suite”
Single Sign-on / point of entry for customers to CRM applications, Portal, Discoverer reports and custom applications
Single Sign-on for employees
Central LDAP repository for all users (customers and employees)
Current Architecture
Various Architecture options
1. Implement AS 10g SSO/Portal with E Business suite DMZ configuration
2. Implement AS 10g SSO/Portal with E Business suite using Reverse proxy
3. Buy router technology for redirection e.g. Juniper , Cisco solutions
4. Buy third party SSO software
5. Implement AS 10g SSO/Portal with E Business suite no DMZ configuration
New Architecture
Implementation Steps
Implementation Steps – Overview
1. Build AS 10g Infrastructure
2. Build AS 10g Middle Tier
3. Configure AS 10g Infrastructure to run on Reverse Proxy
4. Configure AS 10g Middle tier to run on Reverse Proxy
5. Eject E Business suite external node from E-Business Suite 11i farm
6. Configure Oracle Applications 11i to run with Reverse Proxy
7. Bulkload Oracle Applications 11i users for Oracle Internet directory
8. Integrate E Business suite 11i with Oracle Application Server 10g
9. Update Profile Options
Step # 1 & 2
Build AS 10g Infrastructure
Follow the Installation Documentation
Build AS 10g Middle Tier
Follow the Installation Documentation
Step # 3 Configure AS 10g Infrastructure to run on reverse proxy
Enable HTTP Server to run on port 80
chown root .apachectl
chmod 6750 .apachectl
Execute the ssocfg Script
Issue this command in $ORACLE_HOME/sso/bin:
ssocfg.sh http sso.regalbeloit.com 80
Update the targets.xml File
$ORACLE_HOME/sysman/emd/targets.xml
HTTPMachine , HTTPPort
Restart all Infrastructure services
opmnctl stopall
opmnctl startall
Step # 3 Configure AS 10g Infrastructure to run on reverse proxy
Update the httpd.conf File
KeepAlive Off
ServerName sso.regalbeloit.com
Port 80
Create a Virtual Host
LoadModule certheaders_module libexec/mod_certheaders.so
NameVirtualHost infra.rbcmtg.com:7777
<VirtualHost infra.rbcmtg.com:7777>
ServerName sso.regalbeloit.com
Port 80
RewriteEngine On
RewriteOptions inherit
</VirtualHost>
Step # 3 Configure AS 10g Infrastructure to run on reverse proxy
Update Internet directory Operational URL
http://sso.regalbeloit.com/
Register mod_osso to Use the Proxy Host Name
ssoreg.sh
-oracle_home_path $ORACLE_HOME
-site_name regalsso1
-config_mod_osso TRUE
-mod_osso_url http://sso.regalbeloit.com
Restart Infrastructure Services
Validate SSO Login http://sso.regalbeloit.com/pls/orasso
Step # 4 Configure AS 10g Middle Tier with reverse proxy
Create a Virtual host
LoadModule certheaders_module libexec/mod_certheaders.so
NameVirtualHost hegel.rbcmtg.com:7778
<VirtualHost hegel.rbcmtg.com:7778>
ServerName portal.regalbeloit.com
Port 80
RewriteEngine On
RewriteOptions inherit
</VirtualHost>
Bounce Middle Tier
Configure loopback communication for internal server
e.g. 127.0.0.1 loopback localhost
127.0.0.2 portal.regalbeloit.com
297.254.126.28 portal.regalbeloit.com
297.254.126.27 login.regalbeloit.com
Step # 4 Configure AS 10g Middle Tier with reverse proxy
Specify the Oracle AS Portal Published Address and Protocol
- update iasconfig.xml
- ptlconfig -encrypt ( Encrypt passwords )
- ptlconfig -dad portal -site -wc -em ( Update EM )
Configure the Parallel Page Engine Loop-Back with the Load Balancing Router on portal.regalbeloit.com
Update -
$ORACLE_HOME/j2ee/OC4J_Portal/applications/portal/portal/WEB-INF/web.xml
With the Middle tier HTTP port
dcmctl updateconfig
Restart Middle tier services
Configure Oracle AS Web Cache with the Reverse Proxy Server on portal.regalbeloit.com
http://mt.regalbeloit.com:9400/webcacheadmin
-Site Definitions ( add portal.regalbeloit.com )
-Site to Server Mapping ( map portal.regalbeloit.com to mt.rbcmtg.com )
Step # 4 Configure AS 10g Middle Tier with reverse proxy
Configuring Seeded Providers and Locally Hosted Web Providers
Update -
$ORACLE_HOME/j2ee/OC4J_Portal/applications/portalTools/omniPortlet/WEB-INF/web.xml
With middle tier HTTP port , HTTP protocol
Re-register mod_osso on mt.regalbeloit.com
ssoreg.sh
-site_name regalmtsso1
-mod_osso_url http://sso.regalbeloit.com
-config_mod_osso TRUE
-oracle_home_path $ORACLE_HOME
-config_file $ORACLE_HOME/Apache/Apache/conf/osso/osso.conf
-admin_info cn=orcladmin
-virtualhost
Restart Middle Tier Services
opmnctl stopall
opmnctl startall
Test Portal thru Reverse Proxy
http://portal.regalbeloit.com/pls/portal
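A check for Steps 3 and 4, added here as an example and not part of the original deck: it reads HTTP response headers and fails when a redirect points away from the published address, for instance at the internal listener name and port. The function name check_redirect and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original deck. Header samples are constructed.
# check_redirect SCHEME HOST PORT < response-headers
# Succeeds when the first Location header is relative or absent, or points at
# the published SCHEME://HOST:PORT; otherwise prints what leaked and fails.
check_redirect() {
  loc=$(tr -d '\r' | sed -n 's/^[Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn]:[[:space:]]*//p' | head -n 1)
  case $loc in
    http://*)  scheme=http;  rest=${loc#http://};  port=80 ;;
    https://*) scheme=https; rest=${loc#https://}; port=443 ;;
    *)         return 0 ;;   # no redirect, or a relative one that keeps the client's host
  esac
  authority=${rest%%[/?#]*}
  authority=${authority##*@}                       # drop any userinfo
  case $authority in *:*) port=${authority##*:} ;; esac
  host=$(printf '%s' "${authority%%:*}" | tr 'A-Z' 'a-z')
  if [ "$scheme" = "$1" ] && [ "$host" = "$2" ] && [ "$port" = "$3" ]; then
    return 0
  fi
  echo "redirect leaves published address: $scheme://$host:$port (expected $1://$2:$3)"
  return 1
}

# Constructed responses: the first redirect still names the internal listener,
# the second uses the published name configured in Step 3.
LEAKY='HTTP/1.1 302 Found
Location: http://infra.rbcmtg.com:7777/pls/orasso/
'
FIXED='HTTP/1.1 302 Found
location: http://SSO.regalbeloit.com/pls/orasso/
'

for sample in "$LEAKY" "$FIXED"; do
  printf '%s' "$sample" | check_redirect http sso.regalbeloit.com 80 && echo "ok"
done
# Against the live proxy (not run here):
#   curl -sI http://sso.regalbeloit.com/pls/orasso | check_redirect http sso.regalbeloit.com 80
```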
Step # 4 Eject E-Business suite external node from E-Business Suite 11i farm
- Delete all old profile options ( level_id 1007 and 1004 ) for external node
- Run Autoconfig on all tiers
Step # 5 Configure Oracle Applications 11i to run with Reverse Proxy and move ebiz.rbcmtg.com to ebiz.regalbeloit.com
- Configure Oracle Applications 11i to run on port 80
- Configure e-Business suite to use reverse proxy server
- S_webhost , S_webentryhost , S_webentrydomain ,S_login_page
- Run Autoconfig
- Grant Preferences SSWA to all users
- Test http://ebiz.rbcmtg.com/oa_servlets/AppsLogin.jsp
Step # 6 Password Restrictions
- Take out E Business suite password restrictions ( e.g. profile option SIGNON PASSWORD CUSTOM )
- Take out OID password restrictions
Step # 7 Integrate E Business Suite 11i to Single Sign
- Apply Integration patches
- 5035514 ( Build 3.2 )
- 4775907 ( Build 4.0 )
- Choose the registration type
- ProvBiDirection.tmp / simple / Bi-direction template
- Compile the parameter Checklist
AS 10g Infrastructure hostname, DB port, DB SID, LDAP port, E Business suite ( apps , system ) password, repository ( DB , orasso password ), registration password, provisioning profile path ( $FND_TOP/admin/template/provOIDToApps.tmp )
- Check perl version: perl -v should be 5.005
environment variables (ADPERLPRG , PERL5LIB , PATH)
- Register txkrun.pl -script=SetSSOReg
Step # 7 Integrate E Business Suite 11i to Single Sign
- Confirm successful registration
- End of <FND_TOP>/patch/115/bin/txkSetSSOReg.pl: No errors encountered.
- Validate SSO by running tests
- Follow Note # 233436.1 for test details
- Run OID validation tests
- Follow Note # 233436.1 for test details
- Verify that the e-Business suite is correctly integrated with SSO
- http://ebiz.regalbeloit.com/oa_servlets/AppsLogin.jsp
Step # 7 Integrate E Business Suite 11i to Single Sign
- http://ebiz.regalbeloit.com/
Step # 7 Integrate E Business Suite 11i to Single Sign
- Check OID logs
$ORACLE_HOME/ldap/odi/log
_E.aud , _E.trc Provisioning from OID to e-Business Suite
_I.aud , _I.trc Provisioning from e-Business Suite to OID
Step # 7 Integrate E Business Suite 11i to Single Sign
- Create a user in E-Business suite
- Check provisioning
- Create a user in OID
- Check provisioning
Step # 8 Bulk Load Users
- Setup Environment variables
- export CLASSPATH=$APPL_TOP/JAVAI:$CLASSPATH
- export ADPERLPRG=/idev/prodap/u01/app/iprodora/iAS/Apache/perl/bin/perl
- export PERL5LIB=/idev/prodap/u01/app/iprodora/iAS/Apache/perl/lib/5.00503:/idev/prodap/u01/app/iprodora/iAS/Apache/perl/lib/site_perl/5.005:/idev/prodap/u01/app/iprodappl/au/11.5.0/perl
- export PATH=/idev/prodap/u01/app/iprodora/iAS/Apache/perl/bin:$PATH
Step # 8 Bulk Load Users
- Extract users from e Business suite
java oracle.apps.fnd.oid.AppsUserExport -v -pwd apps -g -dbc $FND_TOP/secure/plato_idev.dbc -o idev_fnduser.out -l idev_fnd_user.log
Step # 8 Bulk Load Users
- Load all extracted users to OID
- Migrate the users list to OID compatible ldif file
ldifmigrator "input_file=/home/oracle/brxinf/as10g/idev_fnduser.ldif" "output_file=data.ldif" "s_UserContainerDN=cn=users,dc=rbcmtg,dc=com" "s_UserNicknameAttribute=uid"
- Shutdown ldap processes
- Disable provisioning
oidprovtool operation=disable ldap_host=hobbes.rbcmtg.com ldap_port=389 ldap_user_dn=cn=orcladmin ldap_user_password=iaspass1 application_dn="orclApplicationCommonName=IDEV,cn=EBusiness,cn=Products,cn=OracleContext,dc=rbcmtg,dc=com" profile_mode=BOTH
Step # 8 Bulk Load Users
- Bulk load to OID
bulkload.sh -connect pinfdb1 -generate -check -load /home/oracle/brxinf/as10g/data.ldif
- Restart Infrastructure services
- Search for last change number
ldapsearch -h hobbes.rbcmtg.com -D "cn=orcladmin" -w iaspass1 -s base -b "" "objectclass=*" lastchangenumber
- Update last change number
oidprovtool operation=MODIFY ldap_host=hobbes.rbcmtg.com ldap_port=389 ldap_user_dn=cn=orcladmin ldap_user_password=iaspass1 application_dn="orclApplicationCommonName=IDEV,cn=EBusiness,cn=Products,cn=OracleContext,dc=rbcmtg,dc=com" orclLastAppliedChangeNumber=3055
- Enable provisioning
oidprovtool operation=enable ldap_host=hobbes.rbcmtg.com ldap_port=389 ldap_user_dn=cn=orcladmin ldap_user_password=iaspass1 application_dn="orclApplicationCommonName=IDEV,cn=EBusiness,cn=Products,cn=OracleContext,dc=rbcmtg,dc=com" profile_mode=BOTH
Step # 8 Bulk Load Users
- Restart all instances in following sequence
- AS 10g middle tier
- AS 10g Infrastructure tier
- Oracle Applications Middle tier
- Oracle Applications Admin tier
- Test ebiz.regalbeloit.com/oa_servlets/AppsLogin.jsp
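A pre-load check for the ldifmigrator output in Step 8, added here as an example and not part of the original deck: it flags entries outside s_UserContainerDN, entries without exactly one uid, nicknames that collide when case is ignored, and %s_...% placeholders left unsubstituted. The function name check_ldif and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original deck. Sample LDIF below is constructed.
CONTAINER='cn=users,dc=rbcmtg,dc=com'   # s_UserContainerDN used in the deck
NICK='uid'                              # s_UserNicknameAttribute used in the deck
# check_ldif CONTAINER NICK < data.ldif
# Prints one finding per line; exit status is 0 only when nothing was found.
check_ldif() {
  tr -d '\r' | awk -v base="$1" -v nick="$2" '
    function report(msg) { print msg; bad++ }
    function end_entry() {
      if (dn != "" && nicks != 1) report("expected one " nick ", found " nicks ": " dn)
      dn = ""; nicks = 0
    }
    BEGIN { base = tolower(base); nick = tolower(nick) }
    /%s_[A-Za-z]+%/ { report("unsubstituted placeholder on line " NR) }
    /^[ \t]*$/ { end_entry(); next }
    /^dn:/ {
      end_entry()
      dn = $0; sub(/^dn:[ \t]*/, "", dn)
      d = tolower(dn); gsub(/[ \t]*,[ \t]*/, ",", d)   # ignore spacing around RDN commas
      n = length(d) - length(base)
      if (n < 2 || substr(d, n) != "," base) report("outside container: " dn)
      next
    }
    {
      name = tolower($0); sub(/:.*/, "", name)
      if (name != nick) next
      nicks++
      val = $0; sub(/^[^:]*:[ \t]*/, "", val); key = tolower(val)
      if (key in seen) report("duplicate " nick " ignoring case: " val " (" dn ")")
      seen[key] = 1
    }
    END { end_entry(); exit (bad > 0) }
  '
}
# Constructed sample: the second entry repeats the nickname in another case, the
# third sits outside the user container and still carries a migrator placeholder.
SAMPLE_LDIF='dn: cn=JSMITH,cn=users,dc=rbcmtg,dc=com
uid: JSMITH
objectclass: inetorgperson

dn: cn=jsmith2, cn=users, dc=rbcmtg, dc=com
uid: jsmith

dn: cn=MBROWN,%s_UserContainerDN%
sn: Brown
'
printf '%s' "$SAMPLE_LDIF" | check_ldif "$CONTAINER" "$NICK" || echo "fix the findings above before running bulkload.sh"
```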
Step # 9 Update Profile Options
Applications SSO Auto Link User – Disable
Applications SSO Enable OID Identity Add Event – Disable
Applications SSO Login Types – SSO
Applications SSO Type – SSWA w/SSO
Applications Local Change Password URL – http://sso.regalbeloit.com/oiddas/ui/oracle/ldap/das/mypage/AppChgPwdMyPage?
Application SSO Change Password URL – http://sso.regalbeloit.com/oiddas/ui/oracle/ldap/das/mypage/AppChgPwdMyPage?
Application SSO Forget Password URL
Best Practices
Always start from design not from metalink notes
Open up all ports – implement – close all ports
OID password became upper case after password change or user name change under case insensitive mode - Apply patch # 5331119
Calls to FND_USER_PKG.UpdateUser(..) that do not modify OID information fail – Apply patch # 5370915
Implement an internal Reverse Proxy Server
At reverse proxy server level – implement the redirects after the integration
Terminate https connections at Reverse proxy server
Always have a Dev and Test environment
If you have $$$ use load balancer
Major Road-Blocks
DMZ Configuration
Provisioning
Loading users from e- Business suite to OID
Password security
Configuring AS 10g with reverse proxy server
Firewall ports
Backing out of DMZ Configuration
Password reset – Unable to login to apps after resetting the password
Business Benefits
Consolidated self registration process for all CRM applications and Portal
Usage of e Business Suite portlets on portal pages
Access to custom applications and to iStore from a single sign-on into Portal
Access to Discoverer from Portal
Simplified user maintenance
Road To Success – Documentations Followed
287176.1 Oracle E-Business Suite 11i Configuration in a DMZ
233436.1 Installing Oracle Application Server 10g with Oracle E-Business Suite Release 11i
305918.1 Using Oracle Portal 10g with Oracle E-Business Suite 11i
313418.1 Using Discoverer 10.1.2 with Oracle E-Business Suite 11i
340178.1 Enabling SSL with Oracle Application Server 10g and the E-Business Suite
123718.1 - 11i: A Guide to Understanding and Implementing SSL for Oracle Applications
201340.1 - Using Forms Listener Servlet with Oracle Applications 11i
Chapter 3. "Configuring SSL for AutoConfig-enabled System - 11i Administration Manual
Oracle Application Server Enterprise Deployment Guide 10g Release 2 (10.1.2)
Questions and Answers
THANK YOU