Patch set prerequisites:
1. 11i.ATG_PF.H.delta.6 (RUP 5) or above.
2. 6117031 - 11i.ATG_PF.H RUP6 SSO 10g Integration.
Check and apply all the prerequisites of these patches.
Using OracleAS 10g with the Oracle E-Business Suite
Integrating Oracle E-Business Suite Release 11i with Oracle Internet Directory and Oracle Single Sign-On
Go to $FND_TOP/bin and run the SSO registration script:
[applmgr@sys4 bin]$ txkrun.pl -script=SetSSOReg
Enter the host name where Oracle iAS Infrastructure database is installed ? sys38.doyen.in
Enter the Oracle iAS Infrastructure database port number ? 1521
Enter the Oracle iAS Infrastructure database SID ? test
Enter the LDAP Port on Oracle Internet Directory server ? 389
Enter Oracle E-Business apps database user password ? apps
Enter Oracle iAS Infrastructure database ORASSO schema password ? orasso
Enter Oracle E-Business SYSTEM database user password ? oracle
Enter E-Business Suite existing SSOSDK schema password or choose a password to use with the new SSOSDK schema if the schema does not exist ? SSOSDK
Enter the Oracle Internet Directory Administrator (orcladmin) Bind password ? welcome99
Enter the instance password that you would like to register this application instance with ? welcome99
*** ALL THE FOLLOWING FILES ARE REQUIRED FOR RESOLVING RUNTIME ERRORS
*** Log File = /oracle/app/apps/viscomn/rgf/VIS_sys4/sso/txkSetSSOReg_Fri_Jan_4_16_00_37_2008.log
Program : /oracle/app/apps/visappl/fnd/11.5.0/patch/115/bin/txkSetSSOReg.pl started @ Fri Jan 4 16:01:22 2008
*** Log File = /oracle/app/apps/viscomn/rgf/VIS_sys4/sso/txkSetSSOReg_Fri_Jan_4_16_00_37_2008.log
######################## WARNING
This application works with SSOSDK version 9.0.2 or higher. If lower version
(3.0.9) of SSOSDK was installed in your system and you have a registered
partner application, this process will remove the 3.0.9 version of the SSOSDK
schema and install the 9.0.2 version.
######################## WARNING
Beginning input parameter validation for SSO registration.
Beginning loading SSO SDK into database if necessary.
Loading of SSO SDK into database completed successfully.
Input parameters validation for OID registration completed.
BEGIN SSO REGISTRATION:
Beginning to register partner application.
Partner application has been registered successfully.
Single Sign-On partner application registered successfully.
BEGIN OID REGISTRATION:
Beginning to register Application and Service containers if necessary.
Application and Service containers were created successfully.
Beginning to register application in Oracle Internet Directory.
Registration of application in Oracle Internet Directory completed successfully.
Beginning to register instance password in Oracle Internet Directory.
Registration of instance password in Oracle Internet Directory completed successfully.
Beginning to test application registration in Oracle Internet Directory.
Testing of application registration in Oracle Internet Directory completed successfully.
Beginning to register provisioning profile in Oracle Internet Directory.
Registration of provisioning profile in Oracle Internet Directory completed successfully.
Application is now registered successfully with provisioning in Oracle Internet Directory.
End of /oracle/app/apps/visappl/fnd/11.5.0/patch/115/bin/txkSetSSOReg.pl : No Errors encountered
[applmgr@sys4 bin]$
Verify connectivity to Oracle Internet Directory from the Oracle E-Business Suite node with ldapbind:
a. do an anonymous bind...
ldapbind -h sys38.doyen.in -p 389
b. do a superuser bind....
ldapbind -h sys38.doyen.in -p 389 -D "cn=orcladmin" -w welcome99
c. do an encrypted super user bind (-U 1 selects an SSL session with no certificate authentication, so -p must name the directory's SSL port; the command below still shows the non-SSL port 389 used in the other binds, substitute your SSL port)...
ldapbind -h sys38.doyen.in -p 389 -U 1 -D cn=orcladmin -w welcome99
d. do a specific user bind....for example:
ldapbind -h sys38.doyen.in -p 389 -D "cn=orcladmin,cn=users,dc=doyen,dc=in" -w welcome99
Each bind should report "bind successful". Passing the password with -w (and, further down, with -pwd and ldap_user_password=) leaves it in the shell history and visible in the process list while the command runs.
Exporting Application Accounts into Intermediate LDIF File
Determine which accounts to migrate
Applications SSO Login Types (APPS_SSO_LOCAL_LOGIN) – An account will not be migrated if the user level profile value of the account is ‘LOCAL’, i.e. the account is a local account.
Applications SSO LDAP Synchronization (APPS_SSO_LDAP_SYNC) -- An account will not be migrated if the user level profile value of the account is ‘N’, i.e. the account is marked to not to synchronize with Oracle Internet Directory.
Note: The site level profile value will be used in the cases where the user level profile value is not set.
Oracle E-Business Suite ships a number of standard accounts, such as SYSADMIN and GUEST. These accounts should not be migrated. To enforce this, the SYSADMIN and GUEST accounts are pre-seeded with Applications SSO Login Types (APPS_SSO_LOCAL_LOGIN) set to ‘LOCAL’ and Applications SSO LDAP Synchronization (APPS_SSO_LDAP_SYNC) set to ‘N’.
Administrators should check whether there are any additional accounts that should not be migrated, especially accounts with user_id less than 10 (check with: select user_name from FND_USER where user_id<10). These standard accounts can only be used for local login and cannot be used to log in through Single Sign-On.
Use AppsUserExport to extract the user information. For example:
java oracle.apps.fnd.oid.AppsUserExport \
-v \
-dbc $FND_TOP/secure/myebiz.dbc \
-o users.txt \
-pwd welcome \
-g \
-l users.log
The resulting data file and log file may contain confidential information, such as the start and end dates for a user's account, and should therefore be secured appropriately. The -pwd argument is the APPS database password (apps in this run).
java oracle.apps.fnd.oid.AppsUserExport -dbc /oracle/app/apps/visappl/fnd/11.5.0/secure/VIS_sys4/vis.dbc -o /oracle/app/apps/visappl/fnd/11.5.0/secure/VIS_sys4/vis01.out -pwd apps
User Export to /oracle/app/apps/visappl/fnd/11.5.0/secure/VIS_sys4/vis01.out
User Export to /oracle/app/apps/visappl/fnd/11.5.0/secure/VIS_sys4/vis01.out started..
User Export completed successfully. For further details please refer to log file at: /oracle/app/apps/visappl/fnd/11.5.0/secure/VIS_sys4/vis01.out.log
On the Oracle Internet Directory host, dump the provisioning profiles to locate the one registered for this instance:
[oracle@sys38 ~]$ $ORACLE_HOME/bin/ldapsearch -h sys38 -p 389 -D "cn=orcladmin" -w welcome99 -b "cn=Provisioning Profiles, cn=Changelog Subscriber, cn=Oracle Internet Directory" -s sub "objectclass=*" > profiles.ldif
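The selection rules above (user-level profile value wins, site-level value as the fallback, LOCAL and N excluded, eligible accounts with user_id below 10 flagged for review) as an added Python example. This is not code from the page or from Oracle; the FndUser rows and the site-level values are constructed for the illustration, and a real run would feed rows read from FND_USER and the profile option values into plan_migration instead.

```python
"""Decide which FND_USER accounts AppsUserExport will migrate to Oracle
Internet Directory (added example; FndUser rows and site values are constructed)."""
from dataclasses import dataclass, field

# Constructed site-level values of the two profile options that drive the decision
SITE_PROFILE = {"APPS_SSO_LOCAL_LOGIN": "BOTH", "APPS_SSO_LDAP_SYNC": "Y"}


@dataclass
class FndUser:
    user_id: int
    user_name: str
    # user-level profile values only; an absent or empty value means "not set"
    user_profile: dict = field(default_factory=dict)


def effective_value(user, option, site=SITE_PROFILE):
    """User-level value overrides the site level; an unset user level falls back."""
    return user.user_profile.get(option) or site[option]


def migration_decision(user, site=SITE_PROFILE):
    """Apply the two exclusion rules from the text; return (migrate, reason)."""
    if effective_value(user, "APPS_SSO_LOCAL_LOGIN", site) == "LOCAL":
        return False, "APPS_SSO_LOCAL_LOGIN=LOCAL (local-only account)"
    if effective_value(user, "APPS_SSO_LDAP_SYNC", site) == "N":
        return False, "APPS_SSO_LDAP_SYNC=N (not synchronised with OID)"
    return True, "eligible"


def plan_migration(users, site=SITE_PROFILE):
    """Split accounts into migrate/skip lists and flag eligible accounts with
    user_id < 10, the set the text says to inspect by hand before exporting."""
    migrate, skip, review = [], [], []
    for user in users:
        ok, reason = migration_decision(user, site)
        (migrate if ok else skip).append((user.user_name, reason))
        if ok and user.user_id < 10:
            review.append(user.user_name)
    return migrate, skip, review


# Constructed sample: SYSADMIN and GUEST carry the seeded LOCAL/N values,
# SEEDED7 is a low user_id account with no user-level overrides at all.
SAMPLE_USERS = [
    FndUser(0, "SYSADMIN", {"APPS_SSO_LOCAL_LOGIN": "LOCAL", "APPS_SSO_LDAP_SYNC": "N"}),
    FndUser(6, "GUEST", {"APPS_SSO_LOCAL_LOGIN": "LOCAL", "APPS_SSO_LDAP_SYNC": "N"}),
    FndUser(7, "SEEDED7"),
    FndUser(1001, "OPERATIONS"),
    FndUser(1002, "CONTRACTOR1", {"APPS_SSO_LDAP_SYNC": "N"}),
    FndUser(1003, "KIOSK", {"APPS_SSO_LOCAL_LOGIN": "LOCAL"}),
    FndUser(1004, "MFG", {"APPS_SSO_LOCAL_LOGIN": "SSO"}),
]

if __name__ == "__main__":
    migrate, skip, review = plan_migration(SAMPLE_USERS)
    print("migrate:", [name for name, _ in migrate])
    for name, reason in skip:
        print(f"skip    {name}: {reason}")
    print("review before export (user_id < 10):", review)
```

Running the script lists SEEDED7, OPERATIONS and MFG as migrating, skips SYSADMIN, GUEST, CONTRACTOR1 and KIOSK with the rule that excluded each, and flags SEEDED7 for a manual decision: it passes both rules only because nothing was set at user level, which is exactly the case the user_id<10 query is meant to catch.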
[oracle@sys38 ~]$ $ORACLE_HOME/bin/ldapsearch -h sys38 -p 389 -D "cn=orcladmin" -w welcome99 -s sub "orclguid=42E42E799F8C50F5E040A8C0260051FA" -b "" dn
orclApplicationCommonName=VIS,cn=EBusiness,cn=Products,cn=OracleContext,dc=doyen,dc=in
[oracle@sys38 ~]$ oidprovtool operation=disable ldap_host=sys38.doyen.in ldap_port=389 ldap_user_dn=cn=orcladmin ldap_user_password=welcome99 application_dn=orclApplicationCommonName=VIS,cn=EBusiness,cn=Products,cn=OracleContext,dc=doyen,dc=in profile_mode=BOTH
This Provisioning Profile is disabled.
Task 2: Converting Intermediate LDIF File to Final LDIF File
Before loading data into Oracle Internet Directory, the Oracle Internet Directory administrator needs to ensure that:
The extracted data file has been copied from the Oracle E-Business Suite instance to the Oracle Internet Directory host.
If a provisioning profile has been set up for the Oracle E-Business Suite instance and the profile mode is either OUTBOUND or BOTH, the profile is disabled for the duration of the migration (steps 1 to 3 below) so that directory changes made while loading are not propagated back to Oracle E-Business Suite.
To convert the intermediate LDIF file to the final LDIF format:
1. Use oidprovtool with operation=DISABLE to disable the profile before the migration is started.
For example:
oidprovtool operation=disable ldap_host=sys38.doyen.in ldap_port=389 ldap_user_dn=cn=orcladmin ldap_user_password=welcome99 application_dn=orclApplicationCommonName=VIS,cn=EBusiness,cn=Products,cn=OracleContext,dc=doyen,dc=in profile_mode=BOTH
2. After migration is complete, update the lastchangenumber attribute of the profile so that provisioning resumes from the current change log position instead of replaying earlier changes.
First, find the current last change number in Oracle Internet Directory with the ldapsearch command (the root DSE is read with an empty base and base scope; the attribute name, not a value, is requested):
ldapsearch -h sys38.doyen.in -p 389 -D cn=orcladmin -w welcome99 -s base -b "" "objectclass=*" lastchangenumber
lastchangenumber=2623
Next, use the following command to update the lastchangenumber attribute of the profile to the number found in the previous step (2623 here):
[oracle@sys38 bin]$ oidprovtool operation=MODIFY ldap_host=sys38.doyen.in ldap_port=389 ldap_user_dn=cn=orcladmin ldap_user_password=welcome99 application_dn=orclApplicationCommonName=VIS,cn=EBusiness,cn=Products,cn=OracleContext,dc=doyen,dc=in orclLastAppliedChangeNumber=2623
The Provisioning Profile for the Application has been modified.
3. Use oidprovtool with operation=ENABLE to enable the profile.
[oracle@sys38 bin]$ oidprovtool operation=enable ldap_host=sys38.doyen.in ldap_port=389 ldap_user_dn=cn=orcladmin ldap_user_password=welcome99 application_dn=orclApplicationCommonName=VIS,cn=EBusiness,cn=Products,cn=OracleContext,dc=doyen,dc=in profile_mode=BOTH
This Provisioning Profile is enabled.
4. The intermediate LDIF file created by AppsUserExport has two variables (the user container DN and the user nickname attribute) that an Oracle Internet Directory administrator needs to instantiate using the Oracle Internet Directory ldifmigrator utility:
[oracle@sys38 bin]$ ldifmigrator "input_file=/home/oracle/mig_user/vis01.out" "output_file=data.ldif" "s_UserContainerDN=cn=users,dc=doyen,dc=in" "s_UserNicknameAttribute=uid"
Migration of LDIF data completed. All the entries are successfully migrated
Task 3: Loading Final LDIF file into Oracle Internet Directory
Once the final LDIF file has been generated, the user data is ready to be loaded into Oracle Internet Directory using the Oracle Internet Directory bulkload tool.
Before performing a bulk load:
1. Stop all OID processes before using the bulkload utility to load the LDIF file:
$ORACLE_HOME/opmn/bin/opmnctl stopall
Have the OID database user (ODS schema) password ready; the bulkload utility prompts for it, and in this setup it is the same as the instance and orcladmin passwords.
2. If the oidmon or oidctl commands were used to start the OID processes manually, make sure that they have stopped:
On Unix Run: $ORACLE_HOME/ldap/bin/ldapcheck
[oracle@sys38 bin]$ ./ldapcheck
Checking Oracle Internet Directory Processes ...ALL
Not Running ---- Process oidmon
Not Running ---- Process oidldapd
Not Running ---- Process oidrepld
Not Running ---- Process odisrv
No LDAP Processes are Running
3. If any other OID processes such as odisrv are still running, stop them manually with oidctl, naming the server and instance, for example:
oidctl connect=test server=odisrv instance=1 stop
You must ensure that no OID processes are running before continuing with the bulkload.sh command.
1. Run the bulkload utility with the -check and -generate options to verify that there are no duplicate users.
For example:
bulkload.sh -connect <connect_string> -check -generate <absolute_path_to_ldif_file>
[oracle@sys38 bin]$ ./bulkload.sh -connect "test" -check -generate /home/oracle/orainfra/opmn/bin/data.ldif
Verifying node "test"
-----------------------------
This tool can only be executed if you know database user password
for OiD on test
Enter OiD password ::
------------------------------------------------------------------
Checking Internet Directory current schema state
------------------------------------------------------------------
-------------------------------------------------------------------
Checking and Generating Internet Directory data for bulk loading
-------------------------------------------------------------------
Schema Check Errors are logged in : /home/oracle/orainfra/ldap/log/bulkload.log
Bad Entries are logged in : /home/oracle/orainfra/ldap/load/badentry.ldif
Non-Unique Distinguished Names are logged in : /home/oracle/orainfra/ldap/log/duplicateDN.log
-------------------------------------------------------------------
Data Generated for bulk loading
-------------------------------------------------------------------
Please Remove the errors
[oracle@sys38 bin]$ ./bulkload.sh -connect "test" -check -generate /home/oracle/orainfra/opmn/bin/data.ldif
Verifying node "test"
-----------------------------
This tool can only be executed if you know database user password
for OiD on test
Enter OiD password ::
------------------------------------------------------------------
Checking Internet Directory current schema state
------------------------------------------------------------------
-------------------------------------------------------------------
Checking and Generating Internet Directory data for bulk loading
-------------------------------------------------------------------
No Schema Check Errors.
No Bad Entries found.
No Duplicate DN Entries.
-------------------------------------------------------------------
Data Generated for bulk loading
-------------------------------------------------------------------
2. Check the log files for bad entries and duplicate users (bulkload.log, badentry.ldif and duplicateDN.log from the run above).
3. If the logs show bad entries or duplicate DNs, manually remove those entries from the LDIF file.
4. Rerun step 1 to verify that all duplicates have been removed; the second run above shows the clean result.
5. Once all duplicates are removed, run the bulkload utility with the -load option to load the users.
For example:
bulkload.sh -connect <connect_string> -load <absolute_path_to_ldif_file>
[oracle@sys38 bin]$ ./bulkload.sh -connect "test" -load /home/oracle/orainfra/opmn/bin/data.ldif
Verifying node "test"
-----------------------------
This tool can only be executed if you know database user password
for OiD on test
Enter OiD password ::
It is recommended to use -check option before generating/loading data
Do you want to continue (y/n?) [n]
y
Loading data on : "test"
===============================
------------------------------------------------------------------
Preparing Internet Directory schema for bulk data loading
------------------------------------------------------------------
------------------------------------------------------------------
Initiating bulk load...
------------------------------------------------------------------
Loading Attribute Search Catalogs..
battr_store001..
battr_store002..
battr_store003..
attr_store001..
attr_store002..
attr_store003..
c..
cn..
ctcaladmd..
ctcalcountry..
ctcalhost..
ctcalmobiletelephonetype..
ctcalorganization..
ctcalorgunit1..
ctcalorgunit2..
ctcalorgunit3..
ctcalorgunit4..
ctcalprmd..
ctcalpublishedtype..
ctcalresourcecapacity..
ctcalresourcenumber..
ctcalxitemid..
dc..
description..
employeenumber..
facsimiletelephonenumber..
generationqualifier..
givenname..
homephone..
initials..
krbprincipalname..
labeleduri..
l..
mail..
manager..
member..
middlename..
mobile..
name..
objectclass..
o..
orclaci..
orclcalendarhost..
orclcalendarresourcecapacity..
orclcalendarresourcenumber..
orclcalendarstore..
orclcertificatehash..
orclcertificatematch..
orclcommonkrbprincipalattribute..
orcldasispersonal..
orcldassearchable..
orcldasvalidatepwdreset..
orcldasviewable..
orcldbaqgeneric..
orcldbaqobjname..
orcldbaqobjowner..
orcldbaqobjtype..
orcldbaqpointerattr..
orcldbaqreglocation..
orcldbaqregnamespace..
orcldbaqregrejected..
orcldbaqregservers..
orcldbaqregsubscription..
orcldbaqregunreachable..
orcldbaqreguser..
orcldbdistinguishedname..
orcldbentroleassigned..
orcldbentuser..
orcldbglobalname..
orcldblscolumnname..
orcldblsfullname..
orcldblsgroupparent..
orcldblsnumerictag..
orcldbnativeuser..
orcldbroleoccupant..
orcldbservermember..
orcldbserverrole..
orcldbtargetuser..
orcldbtrusteddomain..
orcldbtrusteduser..
orclentrylevelaci..
orcleventtime..
orcleventtype..
orclglobalid..
orclguid..
orclhostname..
orclipaddress..
orclisenabled..
orclisvisible..
orcljazncodebase..
orcljaznjavaclass..
orcljaznpermissionactions..
orcljaznpermissiontarget..
orcljaznprincipal..
orcljaznrealmisexternal..
orcljaznsigner..
orcljaznsubscriberdn..
orclldapinstanceid..
orclldapprocessid..
orclmailaci..
orclmailaddresscategory..
orclmailemail..
orclmailfolderdn..
orclmailgroupadminmailid..
orclmailgrouphasarchive..
orclmailgroupisexternal..
orclmaillistsuspendedmember..
orclmailnewsfoldercreatetime..
orclmailnntpactivegroup..
orclmailnntplocalgroup..
orclmailnntpmoderatedgroup..
orclmailowner..
orclmailpublicdisplayname..
orclmailrenamedsharedfolder..
orclmailrulescope..
orclmailstore..
orclmailstoredn..
orclmailuserdldn..
orclnethostname..
orclnetservicename..
orclnewsgroupdn..
orclnormdn..
orclobjectguid..
orclodipagentname..
orclodipprofileexecgroupid..
orclodipprofilename..
orclownerguid..
orclrealmname..
orclreplicadn..
orclresourcename..
orclresourcetypename..
orclsamaccountname..
orclsecondaryuid..
orclservicemember..
orclservicesubtype..
orclservicetype..
orclstatus..
orclsuitetype..
orclumattendantextension..
orclumdeviceaddress..
orclumlocale..
orclumnamehash..
orcluserapplnprovstatus..
orcluserdn..
orclwirelessaccountnumber..
ou..
owner..
pager..
personalmobile..
personalpager..
postalcode..
pwdaccountlockedtime..
sn..
st..
street..
targetdn..
telephonenumber..
title..
uid..
uniquemember..
vpimmail..
x509issuer..
Loading Distinguished Name Catalog..
------------------------------------------------------------------
Performing post bulk load processing for Internet Directory schema
------------------------------------------------------------------
------------------------------------------------------------------
Creating Indexes ...
------------------------------------------------------------------
-------------------------------------------------------------
Verifying Index creation ...
-------------------------------------------------------------
All indexes created successfully
-------------------------------------------------------------
Index creation verification Done ...
-------------------------------------------------------------
-------------------------------------------------------------
Altering Index ...
-------------------------------------------------------------
-------------------------------------------------------------
Altering Index Done ...
-------------------------------------------------------------
------------------------------------------------------------------
Generating Database Statistics ...
------------------------------------------------------------------
-------------------------------------------------------------
Done.
-------------------------------------------------------------
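Task 2 step 4 and Task 3 step 1 together, as an added Python example that is not code from the page or from Oracle: it instantiates the two ldifmigrator variables in an intermediate LDIF file, then applies the same duplicate-DN and bad-entry screening that bulkload -check reports in duplicateDN.log and badentry.ldif, so the file can be checked offline before the directory is stopped. The sample LDIF, the %name% token syntax assumed for the variables, and the REQUIRED attribute list are assumptions made for the example.

```python
"""Screen an AppsUserExport intermediate LDIF before bulkload (added example).
Instantiates ldifmigrator variables, then reports duplicate DNs and entries
missing required attributes. Sample LDIF, %name% tokens and REQUIRED are assumptions."""
import base64
import re
from collections import Counter

# Constructed intermediate LDIF: a valid entry, a duplicate of it (different case
# and spacing in the DN), an entry with no sn, and a second valid entry.
INTERMEDIATE_LDIF = """\
dn: cn=OPERATIONS,%s_UserContainerDN%
objectclass: inetOrgPerson
cn: OPERATIONS
sn: OPERATIONS
%s_UserNicknameAttribute%: OPERATIONS

dn: cn=operations, %s_UserContainerDN%
objectclass: inetOrgPerson
cn: operations
sn: Duplicate
%s_UserNicknameAttribute%: operations

dn: cn=NOSURNAME,%s_UserContainerDN%
objectclass: inetOrgPerson
cn: NOSURNAME
%s_UserNicknameAttribute%: NOSURNAME

dn: cn=MFG,%s_UserContainerDN%
objectclass: inetOrgPerson
cn: MFG
sn:: TWFudWZhY3R1cmluZw==
%s_UserNicknameAttribute%: MFG
"""

# The same two values the page passes to ldifmigrator
VARIABLES = {"s_UserContainerDN": "cn=users,dc=doyen,dc=in",
             "s_UserNicknameAttribute": "uid"}
# Attributes every migrated person entry must carry (assumed for the check)
REQUIRED = ("objectclass", "cn", "sn")
TOKEN = re.compile(r"%(\w+)%")


def instantiate(text, variables):
    """ldifmigrator-style substitution of %name% tokens; an unresolved token is an error."""
    def resolve(match):
        name = match.group(1)
        if name not in variables:
            raise ValueError(f"unresolved ldifmigrator variable %{name}%")
        return variables[name]
    return TOKEN.sub(resolve, text)


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64 values,
    returns a list of (dn, {attr_lower: [values]}) in file order."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]      # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attr = attr.strip().lower()
        if attr == "dn":
            current = (value, {})
        elif current is None:
            raise ValueError(f"attribute before dn: {line!r}")
        else:
            current[1].setdefault(attr, []).append(value)
    return entries


def normalize_dn(dn):
    """Case- and whitespace-insensitive key for duplicate detection
    (does not handle escaped commas inside RDN values)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def check(entries, nickname_attr):
    """Return (good, duplicates, bad): entries safe to load, the normalized DNs
    that occur more than once, and (dn, reason) for entries missing attributes."""
    counts = Counter(normalize_dn(dn) for dn, _ in entries)
    duplicates = sorted(key for key, n in counts.items() if n > 1)
    needed = REQUIRED + (nickname_attr.lower(),)
    good, bad = [], []
    for dn, attrs in entries:
        missing = [a for a in needed if a not in attrs]
        if missing:
            bad.append((dn, "missing " + ",".join(missing)))
        elif counts[normalize_dn(dn)] == 1:   # every copy of a duplicate DN is held back
            good.append((dn, attrs))
    return good, duplicates, bad


def prepare(intermediate, variables):
    """Task 2 step 4 followed by the Task 3 -check screening, in one pass."""
    final = instantiate(intermediate, variables)
    good, duplicates, bad = check(parse_ldif(final), variables["s_UserNicknameAttribute"])
    return {"final": final, "good": good, "duplicates": duplicates, "bad": bad}
```

Calling prepare(INTERMEDIATE_LDIF, VARIABLES) on the sample returns one duplicate key (both OPERATIONS entries collapse to cn=operations,cn=users,dc=doyen,dc=in once case and spacing are normalized), one bad entry (NOSURNAME, missing sn) and a single loadable entry (MFG). Both copies of a duplicate DN are held back rather than keeping the first, because the text leaves that choice to the administrator; a missing variable raises instead of silently leaving a %token% in a DN, which bulkload would otherwise reject as a bad entry.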
Migrating Existing Accounts from Oracle Internet Directory to Oracle E-Business Suite Release 11i
The LDAPUserImport command-line utility takes an LDIF file generated from Oracle Internet Directory, and inserts appropriate data into the E-Business Suite schema. It can be used for bulk migration of existing accounts from Oracle Internet Directory to Oracle E-Business Suite. LDAPUserImport updates both FND and TCA schema.
Task 1: Export Oracle Internet Directory users into an LDIF file using ldifwrite
The Oracle Internet Directory ldifwrite command-line utility is used to create an LDIF file that can be loaded into the E-Business Suite schema via the LDAPUserImport command-line utility.
General syntax:
ldifwrite -c <connect_string> -b <base_dn> -f <ldif_file>
Example:
ldifwrite -c test -b "cn=Users,dc=doyen,dc=in" -f output.ldif
[oracle@sys38 bin]$ ldifwrite -c test -b "cn=Users,dc=doyen,dc=in" -f output.ldif
This tool can only be executed if you know database user password for OiD
Enter OiD Password ::
------------------------------------------------------------
Reading entries under BaseDN "cn=users,dc=doyen,dc=in"...
-------------------------------------------------------------
------------------------------------------------------------
1872 Entries are written to "output.ldif".
------------------------------------------------------------
There is no need to modify the output file output.ldif in any way before proceeding with Task 2.
Task 2: Import LDAP Users into Oracle E-Business Suite using LDAPUserImport
The LDAPUserImport tool is invoked from the command line.
1. Ensure the environment is set up properly ($APPL_TOP/java must be in the CLASSPATH environment variable).
2. Invoke the LDAPUserImport tool with the following syntax:
java oracle.apps.fnd.oid.LDAPUserImport \
-v \
-dbc $FND_TOP/secure/myebiz.dbc \
-f users.ldif \
-n uid \
-l users.log
For example:
[applmgr@sys4 VIS_sys4]$ java oracle.apps.fnd.oid.LDAPUserImport -v -dbc /oracle/app/apps/visappl/fnd/11.5.0/secure/VIS_sys4/vis.dbc -f /oracle/app/apps/visappl/fnd/11.5.0/secure/VIS_sys4/output.ldif -n uid -l ouput.log
LDAP user import from /oracle/app/apps/visappl/fnd/11.5.0/secure/VIS_sys4/output.ldif started..
LDAP user import completed sucessfully. For further details refer to log file at ouput.log