
Upload: dustin-reynolds

Post on 31-Dec-2015


Oracle On Demand Access

Objectives

What Systems You May Access
Your Accounts, Privileges, and Commands
Request Exceptions In Advance
– Access to Systems, Accounts, Privileges, or Commands Not Contained in the Standards Requires Written Approval in Advance by Oracle On Demand
Access Oversight – Misuse May Result in Loss of Access

Oracle On Demand: Access

[Diagram: Oracle On Demand access relationships. Elements: Customer/Implementer; Service Delivery Manager; On Demand HUB; Standard Product Support; Service Request; Configurations / Information; Patches / Alerts, Patch Sets, Workarounds; Software Issues; Product Development; On Demand Delivery; Toll Free Number; Service Requests; Oracle Metalink; Customer Portal; Systems; OEM Alert Toggle]

Agenda

How You Connect to The On Demand Intranet
On Demand Powerbroker Basics
Your Capabilities
– Linux
– Technology Stack (DB & iAS)
– Applications Administration
How You Transfer Files To or From Oracle On Demand

Note: This material is EBSO specific. OTO data will be included in a future update.

How You Connect

@Oracle Model – Through the Oracle On Demand Hardware VPN
– Software VPN Connections Are Not Allowed
– Connections From an Intranet Other Than the Customer’s Are Not Allowed
@Customer Model – Through Customers’ Access Mechanisms
– You Do Not Have Access to the On Demand Intranet

On Demand Powerbroker Basics

SAS 70 Type II Compliant – Who, When, Where, What
Limited Set of Customer Accessible Accounts
Controls Access to Accounts and Functions
– Powerbroker Policies Map Predefined Accounts and Functions
Provides Keystroke Logging – Keystrokes, Standard Output, Standard Error

[Diagram: Individual Linux Account, Named Linux Account, Powerbroker, Powerbroker Controlled Linux Accounts]

On Demand Powerbroker Basics

Controls Access to Accounts and Functions
– Powerbroker Policies Map Predefined Accounts and Functions
“customer”: Read Only Access to All Database Objects, Access to Oracle Applications Interface Tables
“impanalyst”: Read Only Access to Product, Write Access to XBOL_TOP
“impdba”: Write Access to Product, XBOL_TOP
“impdba” is now available. Two accounts will be granted “impdba” access initially. If more accounts are needed with this profile for the same customer, the exception will be requested by the SDM and it will be subject to approval.

Linux Map – Non-Privileged

Account | PB Policy | DB Tier | Mid Tier | Directory / Schema
Named Linux Account (Varies) | customer | NA | P, NP* | Requested via the Oracle On Demand SDM; SSH Based; Standard Linux Command Set
  – Default Login Directory – Full Access
  – Standard File Systems – UID, GID Ranges Distinct From All Others – “world” Privilege Mask Applies

* P=Production, NP=Non-Production

Linux Map – Controlled

Account | PB Policy | DB Tier | Mid Tier | Directory / Schema
apd<4 char custid>i | impdba, impanalyst | NA | NP | AKA “applmgr” Account, Linux Side; Powerbroker Controlled
  – SSH to Named Linux Account
  – Invoke Powerbroker Policy
  – APPL_TOP (/SID/applmgr) – Full Access
  – Special Operations Notes – Only Two Individual Linux Accounts Allowed to Access – Must File Informational SR When Modifying Files In APPL_TOP
apt<4 char custid>i | impdba, impanalyst | NA | NP | Same as Above, Applied to Test
inf<4 char custid>i | impanalyst, impdba | NA | P, NP | See FTP Slides For Full Details – FTP Server Treatment For This Account Differs From DB, iAS Servers

Controlled Account Access Procedure: Non-Production

SSH Login to Target Server With Named Linux Account
Invoke Powerbroker
– General Format: /usr/local/bin/pbrun <policy> -u [target user]
– Specific Example: Dev Environment, “anon” 4 char custid: /usr/local/bin/pbrun impanalyst -u apdanoni
All Standard Linux Commands Available
Perform Unix Commands – Keystroke Logging Is Active
To Access Database or Oracle Applications, Use Password Manager
– General Format: /usr/local/bin/pbrun <PB Policy> password-manager <Target Instance>
– Example: policy impanalyst, instance ppmpti: /usr/local/bin/pbrun impanalyst password-manager ppmpti
Exit the Powerbroker Run Command
– Type “exit” on the Unix Command Line
SSH Logout

Controlled Account Access Procedure: Production

SSH Login to Target Middle Tier Server With Named Linux Account – View Only Configuration
Used To Access BOLINF and RAC_ACCNT
Invoke Password Manager
– General Format, All Passwords: /usr/local/bin/pbrun <PB Policy> password-manager <Target Instance>
– General Format, Single Password: /usr/local/bin/pbrun <PB Policy> password-manager <Target Instance> <Type>
– Example: policy impdba, instance ppmpti, type bolinf
  All: /usr/local/bin/pbrun impdba password-manager ppmpti
  Single: /usr/local/bin/pbrun impdba password-manager ppmpti bolinf
Invoke SQL*Plus – Use Data Returned from Password Manager
Logout From SQL*Plus
SSH Logout
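The non-production and production procedures above fix a small set of legal pbrun shapes (a policy from the map, `-u` only to an apd/apt<custid>i account, `password-manager` with an instance and optional type). The checker below is an added illustration, not Oracle On Demand tooling: it reads those rules off the slides and flags an invocation that departs from them, which is the kind of check an access reviewer would run over Powerbroker keystroke logs. The command lines it is fed are constructed samples.

```python
"""Check a pbrun invocation against the On Demand access standard on the
Linux map and access procedure slides. Added illustration, not Oracle On
Demand tooling; the rules are read off the slides, the command lines it is
run against are constructed samples."""
import re
import shlex

PBRUN = "/usr/local/bin/pbrun"
POLICIES = {"customer", "impanalyst", "impdba"}
# Controlled Linux accounts: apd (Dev) or apt (Test) + 4 char custid + "i".
# The inf<custid>i account lives on FTP01 and is not a pbrun -u target here.
TARGET_RE = re.compile(r"^(apd|apt)([a-z0-9]{4})i$")


def check_pbrun(cmdline: str, custid: str, production: bool) -> list:
    """Return a list of findings; an empty list means the line conforms."""
    findings = []
    argv = shlex.split(cmdline)
    if len(argv) < 3 or argv[0] != PBRUN:
        return [f"not a {PBRUN} <policy> ... invocation"]
    policy, rest = argv[1], argv[2:]
    if policy not in POLICIES:
        findings.append(f"unknown Powerbroker policy {policy!r}")
    if rest[0] == "-u":
        # Shell access under a controlled account: non-production only.
        if production:
            findings.append("pbrun -u shell access is not part of the production (view only) procedure")
        target = rest[1] if len(rest) > 1 else ""
        m = TARGET_RE.match(target)
        if not m:
            findings.append(f"target {target!r} is not an apd/apt<custid>i account")
        elif m.group(2) != custid:
            findings.append(f"target {target!r} is custid {m.group(2)!r}, not {custid!r}")
        if policy == "customer":
            findings.append("the 'customer' policy is not mapped to apd/apt accounts")
    elif rest[0] == "password-manager":
        # <Target Instance> is required, <Type> optional (production single password).
        if len(rest) < 2:
            findings.append("password-manager needs a target instance")
        elif len(rest) > 3:
            findings.append("password-manager takes at most <instance> <type>")
    else:
        findings.append(f"unexpected arguments {rest!r}")
    return findings
```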

Technology Stack Map – DB

Account | PB Policy | DB Tier | Mid Tier | Directory / Schema
BOLINF | customer | P, NP | P, NP | SQL*Net Based – Any In Non-Production – ADI, ADE, and Discoverer Only in Prod
  – Standard Interface Table – Read, Write, Delete
  – Custom Schema – Full Access Including DML and DDL
RAC_ACCNT | customer | P, NP | P, NP | SQL*Net Based – Any In Non-Production – ADI, ADE, and Discoverer Only in Prod
  – All Database Tables – Read Only
APPS | impdba | NA | NP | Usage Constrained by CEMLI Guidelines and Practices

Technology Stack Map – iAS / Portal

Account | PB Policy | DB Tier | Mid Tier | Directory / Schema
portal30 | TBD | NA | P, NP | Not Relevant for Standard EBSO – Associated only if Customer Runs Portal 3.0.9 with EBSO
portal30_sso | TBD | NA | P, NP | Not Relevant for Standard EBSO – Associated only if Customer Runs Portal 3.0.9 with EBSO

Oracle EBSO Application Server (iAS) Specific Access and Functionality Provided By BOL_SETUP Account via Oracle Applications GUI as Detailed on Following Slides
– Examples: Form Registration, Report Registration

Oracle Applications Administration Map

Account | PB Policy | DB Tier | Mid Tier | Directory / Schema
BOL_SETUP | impdba | NA | P*, NP | Oracle Applications GUI Responsibilities
  – System Administrator: NP
  – *Application Administrator: P – Consists of On Demand Specified Subset of System Administrator
  – Special Operations Notes – Must File Informational SR When Performing Any “High Impact” Change as Defined in the “Oracle Applications System Administrator’s Guide” – Must Run OEM Alert Toggle Prior to Starting or Stopping any Oracle Application Processes

OEM Blackout Command Line Interface (CLI)

Blackout Tool Prevents False Monitor Alerts
Synchronized with Service Request Systems
Accessible via the “impdba” Powerbroker Policy
– Specifics Subject To Change During Phased Rollout
Command: blackout_ctl
– Parameters:
  Task [start | stop]
  Option [full | target | all_except_host]
  Duration (-d) [day HH:MM]
  User Name (-u)
  Reason (-r) [db_patch | app_patch | os_patch | agent_patch | maint | unsched]
  Change Management Number (-cm) (optional)
  Ticket Number (-t) (optional)
  Comment (-c) (optional)
– Help Facility: blackout_ctl help

OEM Blackout CLI

Command: blackout_ctl (Cont’d)
– Line Mode Example:
  blackout_ctl start full -d 5 05:30 -u username -r db_patch -cm 333333 -t 88888888.999 -c "scheduled"
– Interactive Example: blackout_ctl
  Please enter all required fields....
  Task [start | stop]:
  Option [full | target | all_except_host]:
  Duration [day HH:MM]:
  User Name:
  Reason [db_patch | app_patch | os_patch | agent_patch | maint | unsched]:
  Change Management Number (optional):
  Ticket Number (optional):
  Comment (optional):

OEM Blackout CLI Procedure: Non-Production

SSH Login to Target Server With Named Linux Account
Invoke Powerbroker
– Example: “impdba” Policy, Dev Environment, “anon” 4 char custid: /usr/local/bin/pbrun impdba -u apdanoni
Blackout the Required Environment
– Example: Start A Full OEM Blackout for 4.5 Days Under Username “smith” for a Database Patch With Change Management Approval Number “1776”, Related to Service Request 12345678.999, With the Comment “Fixing It”:
  blackout_ctl start full -d 4 12:00 -u smith -r db_patch -cm 1776 -t 12345678.999 -c "Fixing It"
Perform Necessary Activity
Exit the Powerbroker Run Command
– Type “exit” on the Unix Command Line
SSH Logout
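The blackout_ctl parameter list and the two example commands above (the CLI slides and the non-production procedure) define a small grammar: a task, an option, a two-word `-d day HH:MM` duration, `-u`, a `-r` reason from a fixed set, and three optional flags. The parser below is an added illustration, not Oracle's blackout_ctl; it validates a line-mode command against that grammar and converts the duration to days, so that "-d 4 12:00" reads back as the 4.5 days the slide describes.

```python
"""Parse and validate a blackout_ctl line-mode command as described on the
OEM Blackout CLI slides. Added illustration, not Oracle's blackout_ctl; the
parameter set (task, option, -d, -u, -r, optional -cm/-t/-c) is read off the slides."""
import re
import shlex

TASKS = {"start", "stop"}
OPTIONS = {"full", "target", "all_except_host"}
REASONS = {"db_patch", "app_patch", "os_patch", "agent_patch", "maint", "unsched"}
REQUIRED = {"-d", "-u", "-r"}
OPTIONAL = {"-cm", "-t", "-c"}
DURATION_RE = re.compile(r"^(\d+) (\d{1,2}):(\d{2})$")  # "day HH:MM"


def duration_days(value: str) -> float:
    """Convert a '-d' value to days, e.g. '4 12:00' -> 4.5 (the slide's example)."""
    m = DURATION_RE.match(value)
    if not m:
        raise ValueError(f"duration {value!r} is not in 'day HH:MM' form")
    days, hours, minutes = (int(x) for x in m.groups())
    if hours > 23 or minutes > 59:
        raise ValueError(f"duration {value!r} has an invalid HH:MM part")
    return days + hours / 24 + minutes / 1440


def parse_blackout(cmdline: str) -> dict:
    """Return the validated fields of a blackout_ctl command, or raise ValueError."""
    argv = shlex.split(cmdline)
    if len(argv) < 3 or argv[0] != "blackout_ctl":
        raise ValueError("expected: blackout_ctl <task> <option> -d ... -u ... -r ...")
    task, option, rest = argv[1], argv[2], argv[3:]
    if task not in TASKS or option not in OPTIONS:
        raise ValueError(f"bad task/option {task!r} {option!r}")
    fields = {"task": task, "option": option}
    i = 0
    while i < len(rest):
        flag = rest[i]
        if flag not in REQUIRED | OPTIONAL or flag in fields:
            raise ValueError(f"unexpected or repeated flag {flag!r}")
        width = 2 if flag == "-d" else 1  # -d takes "day" and "HH:MM"
        if i + width >= len(rest):
            raise ValueError(f"flag {flag!r} is missing its value")
        fields[flag] = " ".join(rest[i + 1:i + 1 + width])
        i += 1 + width
    missing = REQUIRED - fields.keys()
    if missing:
        raise ValueError(f"missing required flags {sorted(missing)}")
    if fields["-r"] not in REASONS:
        raise ValueError(f"reason {fields['-r']!r} not in {sorted(REASONS)}")
    fields["duration_days"] = duration_days(fields["-d"])
    return fields
```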

File Transfers – FTP

This Section Represents FTP in the @Oracle Model Only.
@Customer, the Customer is Solely Responsible for Implementing and Maintaining a File Transfer Model Specific to the Needs of Their Customer Application.

FTP Architecture – Two Tier

[Diagram: FTP Architecture – Two Tier. Elements: Customer Intranet; Customer SSH / FTP; Customer Hardware VPN; Outer Firewall; Inner Firewall; Oracle Hardware VPN; FTP01 Directory Structure; Customer DB Server Directory Structure; Customer iAS Server Directory Structure; Net Apps File System shared over NFS; SSH/FTP and SSH links between the tiers; 5 Min. Sweepers transfer from /src to appropriate $XBOL_TOP]

FTP Architecture – DMZ Configuration

[Diagram: FTP Architecture – DMZ Configuration. Same elements as the Two Tier diagram: Customer Intranet; Customer SSH / FTP; Customer Hardware VPN; Outer Firewall; Inner Firewall; Oracle Hardware VPN; FTP01 Directory Structure; Customer DB Server and Customer iAS Server Directory Structures; Net Apps File System over NFS; 5 Min. Sweepers transfer from /src to appropriate $XBOL_TOP]

FTP Connection Types & Transfer Programs

Secure Shell (SSH)
– Secure Copy (SCP) May be Used to Transfer Data Within an SSH Connection to FTP01
File Transfer Protocol (FTP) Based
– “ftp” Command Invoked Within an SSH Connection
– Native “ftp” Invoked From the Customer’s Desktop
– Native “ftp” Based Desktop Programs: There Are a Number of These; They Typically Add a Graphical User Interface (GUI) and May Also Provide a File Transfer Interrupt / Resume Function
– Secure FTP (sftp)

FTP Account & File Types

Uses a Single Login to FTP01
– Userid Format is: inf(4 char custid)i
– Password Format is: inf(4 char custid)i
– Example: Customer “Anonymous”: “infanoni”
Allowed File Types
– Dev, Test: *.rdf, *.fmb, *.fmx, *.ctl, *.sh, *.sql (Specific Function); *.dat, *.csv (Data)
– Prod: *.dat, *.csv (Data Only)

FTP Directory Structure

FTP01 Customer Visible Directory Structure
– Root is “/interface/inf(4 char custid)i”
– Then Varies by Instance SID
– Then “incoming”, “outgoing”, “archive”, “src”, “bad”

/interface/inf(4 char custid)i
  /(DEV SID)
    /incoming /outgoing /archive /src /bad
  /(TEST SID)
    /incoming /outgoing /archive /src /bad
  /(PROD SID)
    /incoming /outgoing /archive /src /bad

FTP Inbound Move Automation

Files Automatically Moved From FTP01 Directory Structure to Customer iAS Server on 5 Minute Interval
– Test & Dev
  *.rdf  $XBOL_TOP/reports/US
  *.fmb  $XBOL_TOP/forms/US/resource
  *.fmx  $XBOL_TOP/forms/US
  *.ctl  $XBOL_TOP/bin
  *.sh   $XBOL_TOP/bin
  *.sql  $XBOL_TOP/sql
  *.dat  /interface/inf(4 char custid)i/(SID)/incoming
  *.csv  /interface/inf(4 char custid)i/(SID)/incoming
– Prod
  *.dat  /interface/inf(4 char custid)i/(SID)/incoming
  *.csv  /interface/inf(4 char custid)i/(SID)/incoming

FTP Miscellaneous

May send checksum file with data file for optional customer verification before loading data
– File name = datafile_name.sum
Data transfer complete validated by CRON script
– No data written in last 2 minutes
Oracle Applications Programmatic Interface Used to Load Data Into Database
Implementation Team Should Provide Detail of Invalid Data Loads
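The move automation and the completeness rule above together describe a small routing policy: each file type has one destination, Prod accepts only *.dat and *.csv, and a file is moved only once nothing has been written to it for 2 minutes. The sweeper below is an added illustration of that policy, not the On Demand cron script: `destination` applies the route table and the Prod restriction, and `sweep` skips files that are still being written. The file names and timestamps it is tested with are constructed.

```python
"""Route uploaded files the way the FTP Inbound Move Automation slide
describes and apply the FTP Miscellaneous completeness rule (no data
written in the last 2 minutes). Added illustration, not the On Demand
cron sweeper; route table and Prod restriction come from the slides,
file names and timestamps in the test are constructed."""
import os
from typing import Optional

# Extension -> destination for Test & Dev. Data files stay in the
# customer's /interface tree; program files go under $XBOL_TOP.
DEV_TEST_ROUTES = {
    ".rdf": "$XBOL_TOP/reports/US",
    ".fmb": "$XBOL_TOP/forms/US/resource",
    ".fmx": "$XBOL_TOP/forms/US",
    ".ctl": "$XBOL_TOP/bin",
    ".sh": "$XBOL_TOP/bin",
    ".sql": "$XBOL_TOP/sql",
    ".dat": "/interface/inf{custid}i/{sid}/incoming",
    ".csv": "/interface/inf{custid}i/{sid}/incoming",
}
# Prod accepts data files only (*.dat, *.csv).
PROD_ROUTES = {k: v for k, v in DEV_TEST_ROUTES.items() if k in (".dat", ".csv")}
QUIET_SECONDS = 2 * 60  # "No data written in last 2 minutes"


def destination(filename: str, custid: str, sid: str, prod: bool) -> Optional[str]:
    """Target directory for filename, or None if its type is not allowed here."""
    ext = os.path.splitext(filename)[1].lower()
    template = (PROD_ROUTES if prod else DEV_TEST_ROUTES).get(ext)
    return None if template is None else template.format(custid=custid, sid=sid)


def transfer_complete(mtime: float, now: float) -> bool:
    """True when the file has not been written to for QUIET_SECONDS."""
    return now - mtime >= QUIET_SECONDS


def sweep(entries, custid: str, sid: str, prod: bool, now: float) -> dict:
    """entries: iterable of (filename, mtime). Returns {filename: destination}
    for complete files (None marks a type that is not allowed in this
    environment); files still being written are left for the next pass."""
    moves = {}
    for name, mtime in entries:
        if transfer_complete(mtime, now):
            moves[name] = destination(name, custid, sid, prod)
    return moves
```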

FTP Inbound Process

Open an FTP Session on Oracle Outsourcing FTP01
– Username/Password Example: “infanoni/infanoni”
Navigate to the Appropriate Directory As Described Earlier
– /src: *.rdf, *.fmb, *.fmx, *.ctl, *.sh, *.sql
– /incoming: *.dat, *.csv
Transfer Data
CRON Script Moves Data As Described Earlier
Execute API to Import Data Into Database

FTP Outbound Process

Account Notes
– Either the RAC_ACCNT or BOLINF May Be Used To Generate The Output File in the Linux File System.
– In Order to Submit the Concurrent Manager Job to Transfer the File, Your Individual Application User Account Must Have the “Application Administrator” Responsibility
– Coordinate The Assignment Of “Application Administrator” Responsibility With the Customer Representatives

FTP Outbound Process

Submit Concurrent Manager “BOL – FTP process” Request With The Following:
– Ttype: Path of the FTP server where the file will be transferred from the EBSO server, e.g. /interface/inf(4 char custid)i/(Target SID)/outgoing
– File: Name of the file to be transferred, e.g. filename.out
– File Location: Path to File on Customer EBSO Server, e.g. /(Target SID)/applcsf/out
– Enable Timestamp: Option to enable a timestamp. Values: No/Yes
– Enable Checksum: Option to enable a checksum. Values: No/Yes
Open FTP Session on Oracle On Demand FTP01
FTP File from Oracle On Demand FTP01