OracleAS 10g with the Oracle E-Business Suite

Integrating Oracle E-Business Suite Release 11i with Oracle Internet Directory and Oracle Single Sign-On

Purpose of Oracle Internet Directory (instead of storing the information directly in an Oracle database): a central store for

User identities and credentials
User profiles
User application preferences
Application authorization policies
Application-discovery information
Application- and service-specific management and configuration data, and
Network configuration and management policy data

What is Oracle Application Server?

Oracle Application Server provides the infrastructure to develop and deploy e-business portals, transactional applications, and Web services.
Oracle AS 10g includes Oracle Containers for J2EE (OC4J), Oracle HTTP Server (powered by Apache), Oracle JDeveloper, Oracle Forms, Oracle Identity Management, Oracle Portal, Oracle Business Intelligence, Oracle Business Integration, and Oracle WebCache.

Installing Oracle Application Server 10g with Oracle E-Business Suite Release 11i (Doc ID: Note 233436.1)


Integrate AS10g with Apps 11i.
Go to $FND_TOP/bin and run the txkrun.pl script shown below (it is located under FND_TOP).

[applmgr@sys4 bin]$ txkrun.pl -script=SetSSOReg

Enter the host name where Oracle iAS Infrastructure database is installed ? sys38.doyen.in
Enter the Oracle iAS Infrastructure database port number ? 1521
Enter the Oracle iAS Infrastructure database SID ? test
Enter the LDAP Port on Oracle Internet Directory server ? 389
Enter Oracle E-Business apps database user password ? apps
Enter Oracle iAS Infrastructure database ORASSO schema password ? orasso
Enter Oracle E-Business SYSTEM database user password ? oracle
Enter E-Business Suite existing SSOSDK schema password or choose a password to use with the new SSOSDK schema if the schema does not exist ? SSOSDK
Enter the Oracle Internet Directory Administrator (orcladmin) Bind password ? welcome99
Enter the instance password that you would like to register this application instance with ? welcome99
*** ALL THE FOLLOWING FILES ARE REQUIRED FOR RESOLVING RUNTIME ERRORS
*** Log File = /oracle/app/apps/viscomn/rgf/VIS_sys4/sso/txkSetSSOReg_Fri_Jan_4_16_00_37_2008.log
Program : /oracle/app/apps/visappl/fnd/11.5.0/patch/115/bin/txkSetSSOReg.pl started @ Fri Jan 4 16:01:22 2008

*** Log File = /oracle/app/apps/viscomn/rgf/VIS_sys4/sso/txkSetSSOReg_Fri_Jan_4_16_00_37_2008.log


######################## WARNING ########################################
This application works with SSOSDK version 9.0.2 or higher. If lower version
(3.0.9) of SSOSDK was installed in your system and you have a registered
partner application, this process will remove the 3.0.9 version of the SSOSDK
schema and install the 9.0.2 version.
######################## WARNING ########################################

Beginning input parameter validation for SSO registration.
Beginning loading SSO SDK into database if necessary.
Loading of SSO SDK into database completed successfully.
Input parameters validation for OID registration completed.

BEGIN SSO REGISTRATION:

Beginning to register partner application.
Partner application has been registered successfully.
Single Sign-On partner application registered successfully.


BEGIN OID REGISTRATION:

Beginning to register Application and Service containers if necessary.
Application and Service containers were created successfully.
Beginning to register application in Oracle Internet Directory.
Registration of application in Oracle Internet Directory completed successfully.
Beginning to register instance password in Oracle Internet Directory.
Registration of instance password in Oracle Internet Directory completed successfully.
Beginning to test application registration in Oracle Internet Directory.
Testing of application registration in Oracle Internet Directory completed successfully.
Beginning to register provisioning profile in Oracle Internet Directory.
Registration of provisioning profile in Oracle Internet Directory completed successfully.
Application is now registered successfully with provisioning in Oracle Internet Directory.
End of /oracle/app/apps/visappl/fnd/11.5.0/patch/115/bin/txkSetSSOReg.pl : No Errors encountered

Once the registration has completed successfully, you can proceed with the ldapbind checks below.

a. do an anonymous bind...

ldapbind -h sys38.doyen.in -p 389

b. do a superuser bind....

ldapbind -h sys38.doyen.in -p 389 -D "cn=orcladmin" -w welcome99

c. do an encrypted super user bind...

ldapbind -h sys38.doyen.in -p 389 -U 1 -D cn=orcladmin -w welcome99

d. do a specific user bind....for example:

ldapbind -h sys38.doyen.in -p 389 -D "cn=orcladmin,cn=users,dc=doyen,dc=in" -w welcome99

Exporting Application Accounts into Intermediate LDIF File

Determine which accounts to migrate

- Applications SSO Login Types (APPS_SSO_LOCAL_LOGIN): an account will not be migrated if the user-level profile value of the account is 'LOCAL', i.e. the account is a local account.

- Applications SSO LDAP Synchronization (APPS_SSO_LDAP_SYNC): an account will not be migrated if the user-level profile value of the account is 'N', i.e. the account is marked not to synchronize with Oracle Internet Directory.

Note: The site level profile value will be used in the cases where the user level profile value is not set.

Oracle E-Business Suite ships a number of standard accounts, such as SYSADMIN and GUEST. These accounts should not be migrated. To enforce this, the SYSADMIN and GUEST accounts are pre-seeded with Applications SSO Login Types (APPS_SSO_LOCAL_LOGIN) set to ‘LOCAL’ and Applications SSO LDAP Synchronization (APPS_SSO_LDAP_SYNC) set to ‘N’.

Administrators should check whether there are any additional accounts that should not be migrated, especially accounts with user_id less than 10 (check with: select user_name from FND_USER where user_id<10).

Use AppsUserExport to extract user information

For example:
java oracle.apps.fnd.oid.AppsUserExport \
-v \
-dbc $FND_TOP/secure/myebiz.dbc \
-o users.txt \
-pwd welcome \
-g \
-l users.log

The resulting data file and log file may contain confidential information, such as the start and end dates for a user’s account, and should therefore be secured appropriately.
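Before running AppsUserExport it helps to preview which accounts the selection rules above will skip. The following is an added example, not part of the original note and not Oracle's code: it applies the user-level-first, site-level-fallback rule for APPS_SSO_LOCAL_LOGIN and APPS_SSO_LDAP_SYNC to constructed rows shaped like FND_USER and FND_PROFILE_OPTION_VALUES (level ids 10001 = site, 10004 = user; the user ids and names are illustrative).

```python
"""Preview which E-Business Suite accounts AppsUserExport will skip.

Added example, not Oracle's code. User-level profile value wins, site-level
is the fallback; LOCAL login type or N sync means the account is skipped,
and an unpinned seeded account (user_id < 10) is flagged for review.
"""
from collections import namedtuple

SITE_LEVEL = 10001  # FND_PROFILE_OPTION_VALUES.LEVEL_ID for the site level
USER_LEVEL = 10004  # LEVEL_ID for the user level; LEVEL_VALUE is the USER_ID

ProfileValue = namedtuple("ProfileValue", "option level_id level_value value")
User = namedtuple("User", "user_id user_name")

# Constructed sample data (user ids are illustrative, not a real instance).
USERS = [
    User(0, "SYSADMIN"), User(1, "AUTOINSTALL"), User(6, "GUEST"),
    User(1001, "JSMITH"), User(1002, "APATEL"), User(1003, "RLOPEZ"),
]
PROFILE_VALUES = [
    # Site-level defaults: accounts use SSO and synchronise with OID.
    ProfileValue("APPS_SSO_LOCAL_LOGIN", SITE_LEVEL, 0, "SSO"),
    ProfileValue("APPS_SSO_LDAP_SYNC", SITE_LEVEL, 0, "Y"),
    # SYSADMIN and GUEST are pinned to LOCAL / N at user level, as seeded.
    ProfileValue("APPS_SSO_LOCAL_LOGIN", USER_LEVEL, 0, "LOCAL"),
    ProfileValue("APPS_SSO_LDAP_SYNC", USER_LEVEL, 0, "N"),
    ProfileValue("APPS_SSO_LOCAL_LOGIN", USER_LEVEL, 6, "LOCAL"),
    ProfileValue("APPS_SSO_LDAP_SYNC", USER_LEVEL, 6, "N"),
    # One ordinary account kept local, one excluded from synchronisation.
    ProfileValue("APPS_SSO_LOCAL_LOGIN", USER_LEVEL, 1002, "LOCAL"),
    ProfileValue("APPS_SSO_LDAP_SYNC", USER_LEVEL, 1003, "N"),
]


def resolve_profile(option, user_id, values=PROFILE_VALUES):
    """User-level value if one is set for user_id, else the site value."""
    site = user = None
    for pv in values:
        if pv.option != option:
            continue
        if pv.level_id == USER_LEVEL and pv.level_value == user_id:
            user = pv.value
        elif pv.level_id == SITE_LEVEL:
            site = pv.value
    return user if user is not None else site


def classify(user, values=PROFILE_VALUES):
    """Return SKIP, REVIEW or MIGRATE for one FND_USER row."""
    login_type = resolve_profile("APPS_SSO_LOCAL_LOGIN", user.user_id, values)
    ldap_sync = resolve_profile("APPS_SSO_LDAP_SYNC", user.user_id, values)
    if login_type == "LOCAL" or ldap_sync == "N":
        return "SKIP"
    if user.user_id < 10:
        return "REVIEW"  # seeded account that is not pinned: check by hand
    return "MIGRATE"


def migration_plan(users=USERS, values=PROFILE_VALUES):
    """Map each user name to SKIP / REVIEW / MIGRATE."""
    return {u.user_name: classify(u, values) for u in users}


if __name__ == "__main__":
    for name, action in sorted(migration_plan().items()):
        print(f"{action:8}{name}")
```

On a real instance the same rule is evaluated against FND_PROFILE_OPTION_VALUES joined to FND_PROFILE_OPTIONS on profile_option_id; the REVIEW bucket is exactly the user_id < 10 check the note asks administrators to make by hand.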

java oracle.apps.fnd.oid.AppsUserExport -dbc /oracle/app/apps/visappl/fnd/11.5.0/secure/VIS_sys4/vis.dbc -o /oracle/app/apps/visappl/fnd/11.5.0/secure/VIS_sys4/vis01.out -pwd apps

User Export to /oracle/app/apps/visappl/fnd/11.5.0/secure/VIS_sys4/vis01.out
User Export to /oracle/app/apps/visappl/fnd/11.5.0/secure/VIS_sys4/vis01.out started..
User Export completed successfully. For further details please refer to log file at: /oracle/app/apps/visappl/fnd/11.5.0/secure/VIS_sys4/vis01.out.log


[oracle@sys38 ~]$ $ORACLE_HOME/bin/ldapsearch -h sys38 -p 389 -D "cn=orcladmin" -w welcome99 -b "cn=Provisioning Profiles, cn=Changelog Subscriber, cn=Oracle Internet Directory" -s sub "objectclass=*" > profiles.ldif



[oracle@sys38 ~]$ $ORACLE_HOME/bin/ldapsearch -h sys38 -p 389 -D "cn=orcladmin" -w welcome99 -s sub "orclguid=42E42E799F8C50F5E040A8C0260051FA" -b "" dn
orclApplicationCommonName=VIS,cn=EBusiness,cn=Products,cn=OracleContext,dc=doyen,dc=in


[oracle@sys38 ~]$ oidprovtool operation=disable ldap_host=sys38.doyen.in ldap_port=389 ldap_user_dn=cn=orcladmin ldap_user_password=welcome99 application_dn=orclApplicationCommonName=VIS,cn=EBusiness,cn=Products,cn=OracleContext,dc=doyen,dc=in profile_mode=BOTH

This Provisioning Profile is disabled.



Converting Intermediate LDIF File to Final LDIF File

Before loading data into Oracle Internet Directory, the Oracle Internet Directory administrator needs to ensure that:

- The extracted data file has been copied from the Oracle E-Business Suite instance to the Oracle Internet Directory host.

- If a provisioning profile has been set up for the Oracle E-Business Suite instance and its profile mode is either OUTBOUND or BOTH, the profile is disabled before the migration starts (see the oidprovtool steps below).

To convert the intermediate LDIF file to the final LDIF format:

1. Use oidprovtool with operation=DISABLE to disable the profile before the migration is started.

For example:

oidprovtool operation=disable ldap_host=sys38.doyen.in ldap_port=389 ldap_user_dn=cn=orcladmin ldap_user_password=welcome99 application_dn=orclApplicationCommonName=VIS,cn=EBusiness,cn=Products,cn=OracleContext,dc=doyen,dc=in profile_mode=BOTH


2. After migration is complete, update the lastchangenumber attribute of the profile:

First, find the current last change number in Oracle Internet Directory with the ldapsearch command:

ldapsearch -h sys38.doyen.in -p 389 -D cn=orcladmin -w welcome99 -s base -b "" "objectclass=*" lastchangenumber
lastchangenumber=2623


Next, use the following command to update the lastchangenumber attribute to the number n that was discovered in the last step:

[oracle@sys38 bin]$ oidprovtool operation=MODIFY ldap_host=sys38.doyen.in ldap_port=389 ldap_user_dn=cn=orcladmin ldap_user_password=welcome99 application_dn=orclApplicationCommonName=VIS,cn=EBusiness,cn=Products,cn=OracleContext,dc=doyen,dc=in orclLastAppliedChangeNumber=2623
The Provisioning Profile for the Application has been modified.

3. Use oidprovtool with operation=ENABLE to enable the profile.

[oracle@sys38 bin]$ oidprovtool operation=enable ldap_host=sys38.doyen.in ldap_port=389 ldap_user_dn=cn=orcladmin ldap_user_password=welcome99 application_dn=orclApplicationCommonName=VIS,cn=EBusiness,cn=Products,cn=OracleContext,dc=doyen,dc=in profile_mode=BOTH
This Provisioning Profile is enabled.


4. The intermediate LDIF file created by AppsUserExport has two variables that an Oracle Internet Directory administrator needs to instantiate using the Oracle Internet Directory ldifmigrator utility:

[oracle@sys38 bin]$ ldifmigrator "input_file=/home/oracle/mig_user/vis01.out" "output_file=data.ldif" "s_UserContainerDN=cn=users,dc=doyen,dc=in" "s_UserNicknameAttribute=uid"
Migration of LDIF data completed. All the entries are successfully migrated


Loading Final LDIF file into Oracle Internet Directory

Once the final LDIF file has been generated, the user data is ready to be loaded into Oracle Internet Directory using the Oracle Internet Directory bulkload tool.

Before performing a bulk load:

1. Stop all OID processes before using the bulkload utility to load the LDIF file:

$ORACLE_HOME/opmn/bin/opmnctl stopall

Note the OID password, which should be the same as the instance and orcladmin passwords. You will be prompted for this when running the utility.

2. If the oidmon or oidctl commands were used to manually start the OID processes, you must make sure that they have stopped:


On Unix, run: $ORACLE_HOME/ldap/bin/ldapcheck


[oracle@sys38 bin]$ ./ldapcheck


Checking Oracle Internet Directory Processes ...ALL

Not Running ---- Process oidmon
Not Running ---- Process oidldapd
Not Running ---- Process oidrepld
Not Running ---- Process odisrv
No LDAP Processes are Running



3. If any other OID processes such as odisrv are still running, you must stop them manually using:

oidctl connect=test server=odisrv instance=1 stop

You must ensure that no OID processes are running before continuing with the bulkload.sh command.


1. Run the bulkload utility with the -check and -generate options to verify that there are no duplicate users.

For example:

bulkload.sh -connect <connect_string> -check -generate <ldif_file>

[oracle@sys38 bin]$ ./bulkload.sh -connect "test" -check -generate /home/oracle/orainfra/opmn/bin/data.ldif

Verifying node "test"
-----------------------------
This tool can only be executed if you know database user password
for OiD on test
Enter OiD password ::

------------------------------------------------------------------
Checking Internet Directory current schema state
------------------------------------------------------------------

-------------------------------------------------------------------
Checking and Generating Internet Directory data for bulk loading
-------------------------------------------------------------------

Schema Check Errors are logged in : /home/oracle/orainfra/ldap/log/bulkload.log

Bad Entries are logged in : /home/oracle/orainfra/ldap/load/badentry.ldif

Non-Unique Distinguished Names are logged in : /home/oracle/orainfra/ldap/log/duplicateDN.log


-------------------------------------------------------------------
Data Generated for bulk loading
-------------------------------------------------------------------

Please Remove the errors


[oracle@sys38 bin]$ ./bulkload.sh -connect "test" -check -generate /home/oracle/orainfra/opmn/bin/data.ldif

Verifying node "test"
-----------------------------
This tool can only be executed if you know database user password
for OiD on test
Enter OiD password ::

------------------------------------------------------------------
Checking Internet Directory current schema state
------------------------------------------------------------------

-------------------------------------------------------------------
Checking and Generating Internet Directory data for bulk loading
-------------------------------------------------------------------

No Schema Check Errors.

No Bad Entries found.

No Duplicate DN Entries.


-------------------------------------------------------------------
Data Generated for bulk loading
-------------------------------------------------------------------





2. Check the log file for duplicate users.

If you get any Bad Entries or Duplicate DN Entries, remove those entries from the LDIF file and run step 1 again.

3. If the log file indicates duplicate users, manually remove these users from the LDIF file.

4. Rerun step 1 to verify that all duplicates have been successfully removed.

5. Once all duplicates are removed, run the bulkload utility with the -load option to load the users.

For example:

bulkload.sh -connect <connect_string> -load <ldif_file>

[oracle@sys38 bin]$ ./bulkload.sh -connect "test" -load /home/oracle/orainfra/opmn/bin/data.ldif

Verifying node "test"
-----------------------------
This tool can only be executed if you know database user password
for OiD on test
Enter OiD password ::
It is recommended to use -check option before generating/loading data
Do you want to continue (y/n?) [n]
y
Loading data on : "test"
===============================

------------------------------------------------------------------
Preparing Internet Directory schema for bulk data loading
------------------------------------------------------------------


------------------------------------------------------------------
Initiating bulk load...
------------------------------------------------------------------

Loading Attribute Search Catalogs..

Loading Distinguished Name Catalog..
------------------------------------------------------------------
Performing post bulk load processing for Internet Directory schema
------------------------------------------------------------------


------------------------------------------------------------------
Creating Indexes ...
------------------------------------------------------------------


-------------------------------------------------------------
Verifying Index creation ...
-------------------------------------------------------------

All indexes created successfully

-------------------------------------------------------------
Index creation verification Done ...
-------------------------------------------------------------


-------------------------------------------------------------
Altering Index ...
-------------------------------------------------------------


-------------------------------------------------------------
Altering Index Done ...
-------------------------------------------------------------


------------------------------------------------------------------
Generating Database Statistics ...
------------------------------------------------------------------


-------------------------------------------------------------
Done.
-------------------------------------------------------------
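The two ldifmigrator variables (step 4 above) and the duplicate-DN check that bulkload -check performs (steps 1 to 4 of the load) can be reproduced offline to see what is being changed and rejected. The block below is an added example, not part of the note and not Oracle's ldifmigrator or bulkload; it assumes the intermediate file carries the variables as %s_UserContainerDN% and %s_UserNicknameAttribute% tokens and separates entries with blank lines, and it compares DNs case-insensitively, as the directory does, so a case-only collision such as JSMITH and jsmith is reported before the load.

```python
"""Instantiate the AppsUserExport variables and report duplicate DNs.

Added example, not Oracle's ldifmigrator or bulkload. Assumes %s_Name%
tokens for the two variables and blank-line separated LDIF entries.
"""
import re

# Constructed sample intermediate LDIF with one case-only DN collision.
INTERMEDIATE_LDIF = """\
dn: %s_UserNicknameAttribute%=JSMITH,%s_UserContainerDN%
objectclass: inetOrgPerson
uid: JSMITH
sn: Smith

dn: %s_UserNicknameAttribute%=APATEL,%s_UserContainerDN%
objectclass: inetOrgPerson
uid: APATEL
sn: Patel

dn: %s_UserNicknameAttribute%=jsmith,%s_UserContainerDN%
objectclass: inetOrgPerson
uid: jsmith
sn: Smith
"""

VARIABLE = re.compile(r"%(s_[A-Za-z0-9_]+)%")


def substitute(ldif, **values):
    """Replace every %s_Name% token; an unknown token is an error, not silent."""
    def repl(match):
        name = match.group(1)
        if name not in values:
            raise ValueError(f"no value supplied for variable {match.group(0)}")
        return values[name]
    return VARIABLE.sub(repl, ldif)


def entries(ldif):
    """Split blank-line separated LDIF into (dn, entry_text) pairs."""
    out = []
    for block in re.split(r"\n\s*\n", ldif.strip()):
        match = re.match(r"dn:\s*(.+)", block)
        if match:
            out.append((match.group(1).strip(), block))
    return out


def normalise_dn(dn):
    """Lower-case and strip spaces around commas: DNs are case-insensitive."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def duplicate_dns(ldif):
    """Return {normalised_dn: [dns as written]} for DNs seen more than once."""
    seen = {}
    for dn, _ in entries(ldif):
        seen.setdefault(normalise_dn(dn), []).append(dn)
    return {key: dns for key, dns in seen.items() if len(dns) > 1}


def build_final_ldif(ldif, container_dn, nickname_attr):
    """Return (final_ldif, duplicates); load only when duplicates is empty."""
    final = substitute(ldif, s_UserContainerDN=container_dn,
                       s_UserNicknameAttribute=nickname_attr)
    return final, duplicate_dns(final)
```

Call build_final_ldif(INTERMEDIATE_LDIF, "cn=users,dc=doyen,dc=in", "uid") and inspect the returned duplicates before running bulkload -load; each colliding DN has to be resolved in the source accounts, not just dropped from the file, or the next export will reproduce it.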





Migrating Existing Accounts from Oracle Internet Directory to Oracle E-Business Suite Release 11i

The LDAPUserImport command-line utility takes an LDIF file generated from Oracle Internet Directory, and inserts appropriate data into the E-Business Suite schema. It can be used for bulk migration of existing accounts from Oracle Internet Directory to Oracle E-Business Suite. LDAPUserImport updates both FND and TCA schema.

Export Oracle Internet Directory users into LDIF file Using ldifwrite
The Oracle Internet Directory ldifWrite command-line utility is used to create an LDIF file that can be loaded into the E-Business Suite schema via the LDAPUserImport command-line utility.

General Syntax:

ldifwrite -c <connect_string> -b <base_dn> -f <output_file>

Example:

ldifwrite -c test -b "cn=Users,dc=doyen,dc=in" -f output.ldif

[oracle@sys38 bin]$ ldifwrite -c test -b "cn=Users,dc=doyen,dc=in" -f output.ldif
This tool can only be executed if you know database user password for OiD
Enter OiD Password ::

------------------------------------------------------------
Reading entries under BaseDN "cn=users,dc=doyen,dc=in"...
-------------------------------------------------------------

------------------------------------------------------------
1872 Entries are written to "output.ldif".
------------------------------------------------------------
There is no need to modify the output file output.ldif in any way before proceeding with Task 2.

Task 2: Import LDAP Users into Oracle E-Business Suite using LDAPUserImport

The LDAPUserImport tool is invoked from the command line.


1. Ensure the environment is set up properly ($APPL_TOP/java must be in the CLASSPATH environment variable).

2. Invoke the LDAPUserImport tool with the following syntax:

java oracle.apps.fnd.oid.LDAPUserImport \
-v \
-dbc $FND_TOP/secure/myebiz.dbc \
-f users.ldif \
-n uid \
-l users.log

For example:


[applmgr@sys4 VIS_sys4]$ java oracle.apps.fnd.oid.LDAPUserImport -v -dbc /oracle/app/apps/visappl/fnd/11.5.0/secure/VIS_sys4/vis.dbc -f /oracle/app/apps/visappl/fnd/11.5.0/secure/VIS_sys4/output.ldif -n uid -l ouput.log
LDAP user import from /oracle/app/apps/visappl/fnd/11.5.0/secure/VIS_sys4/output.ldif started..
LDAP user import completed sucessfully. For further details refer to log file at ouput.log



PatchSet:

1. 11i.ATG_PF.H.delta.6 (RUP 5) or above.
2. 6117031 - 11i.ATG_PF.H RUP6 SSO 10g Integration. Check and apply all of its prerequisites.

Important Metalink Documents

186981.1: Frequently Asked Questions
293849.1: Roadmap: Using OracleAS 10g with the Oracle E-Business Suite (Overview Presentation)
233436.1: OracleAS 10g + E-Business Suite Installation Guide
261914.1: Integrating Oracle E-Business Suite Release 11i with Oracle Internet Directory and Oracle Single Sign-On
305918.1: Portal 10g + E-Business Suite Installation Guide
313418.1: Discoverer 10g + E-Business Suite Installation Guide
306653.1: Web Cache 10g + E-Business Suite Installation Guide
223927.1: Oracle Application Server Integration with Oracle E-Business Suite: Statement of Direction

6 comments:

Anonymous said...

Good job, Keep it up.. Sandy

Anonymous said...

Hi,
That's a wonderful post on EBS-OID integration.
I know that the apps_sso_local_attribute can be set to 'local' or 'both' to prevent a user from being redirected to SSO login.
When should the apps_sso_local_login be set? Before or after EBS-OID integration?

Thank you.

Anonymous said...

If you want to build an e-business or take your existing business online, the solutions offered by Infyecommerce can provide your business website with the tools and web hosting it needs. Please visit. http://www.infyecommercesolution.com/

Anonymous said...

Hi, no doubt it's a really helpful post. We have a few queries: we have integrated MS AD -> OID. We are able to import users. From OID -> R12 application we are also able to import users, but user names in the fnd_user table are appearing as john@domain name. Basically user names are stored in the fnd_user table in the form of username@domain name. But it should only store the user like john in the fnd_user table. And when we are trying to login from the application with john@domain name it's not allowing login. We are not doing any SSO integration. Without SSO integration will it work or not? thanks SS

Ragu said...

We are facing an issue after integration of OID/SUN one LDAP/ SSO.
If we change password from OIDDAS it says password changed successfully but does not actually change the password and we again have to login with old password.

It's Apps 11i SSO OID Sunone iPlanet Integration and the source of truth is OID, so passwords are in OID.

Why is it so ?

Rgds
Aashish

Anonymous said...

Very good job!

In our case we did an initial load of users into EBS (11.5.10.2) and it works fine, but new users in OID are not exported automatically to EBS...

any idea?