Oracle E-Business Suite Technology

Sharp-eyed readers of my OAUG Collaborate 06 presentation will have noticed some sneak previews of Oracle E-Business Suite Release 12's technology stack buried in an appendix.

The most significant news:  Oracle E-Business Suite Release 12 will use Oracle Application Server 10g for its application tier.  We're officially in the 21st Century now, so it's about time.

This long-awaited configuration will use:

• OracleAS 10g 10.1.2.x for Forms and Reports services.  This will replace the elderly 8.0.6 ORACLE_HOME provided by Oracle9i Application Server 1.0.2.2.2 in Release 11i.
  
  
• OracleAS 10g 10.1.3 for Oracle Containers for Java (OC4J).  This will
  replace the aging 8.1.7-based ORACLE_HOME provided by Oracle9i Application Server 1.0.2.2.2 in Release 11i, and herald our switch from JServ to Oracle Containers for Java.

[Cheering is heard from Oracle Applications DBAs worldwide]

Now, a word from Oracle Legal, which I'm obliged to append to all Release 12-related posts:

The above is intended to outline our general product direction.  It is intended for information purposes only, and may not be incorporated into any contract.   It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decision.  The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Related Articles:

• Updated User Interface for E-Business Suite Release 12
• Project Swan and Release 12, Redux
• E-Business Suite Release 12 to include 10gR2 Database
• Native Sun Plug-In to Replace Jinitiator in E-Business Suite Release 12
• Why Use Two ORACLE_HOMEs for Release 12's Application Tier?

Why use two different OracleAS 10g releases in two different ORACLE_HOMEs for the upcoming Oracle E-Business Suite Release 12?  Because you asked for it, of course.  Well, indirectly, perhaps.  You've been asking us when E-Business Suite users can take advantage of the latest Oracle technologies.  So, we're biting the bullet and putting them into our Release technology stack.

The latest version of Forms and Reports available today is included in Oracle Application Server 10g 10.1.2.0.2, so that release, at minimum, will be part of the E-Business Suite Release 12.

You've been clamoring for the ability to use Oracle Containers for Java (OC4J), the next-generation successor to JServ.  The latest version of Oracle Containers for Java available today is included in Oracle Application Server 10g 10.1.3, so that release, at minimum, will be part of the E-Business Suite Release 12, too.

The slightly tricky thing is using these two releases together.  In a nutshell, all major services will be started out of the 10.1.3 ORACLE_HOME.  The E-Business Suite modules (packaged in formsapp.eap) will be loaded into the OC4J-Forms instance running out of the 10.1.3 ORACLE_HOME, and frmweb will be invoked out of the 10.1.2 ORACLE_HOME.

The above is intended to outline our general product direction.  It is intended for information purposes only, and may not be incorporated into any contract.   It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decision.  The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

E-Business Suite Release 12 will replace Oracle JInitiator with the native Sun Java2 Standard Edition (J2SE).

[More cheering from Oracle Apps DBAs]
As most of you know, Oracle JInitiator is an authorised version of Sun Microsystems' Java2 Standard Edition with some specific fixes required to support Oracle Forms.  JInitiator is currently required to run Oracle Forms in the E-Business Suite Release 11i, although we're running an Early Adopter Program that's evaluating the feasibility of eliminating this requirement for Release 11i.

Oracle JInitiator will no longer be required to run Oracle Forms in E-Business Suite Release 12.  Oracle Forms in Release 12 will run directly in the native Sun Java2 Standard Edition plug-in.  This will be our standard configuration for Release 12.

Related Articles:

• Replacing Oracle JInitiator with Sun's Native Plug-In
  

The above is intended to outline our general product direction.  It is intended for information purposes only, and may not be incorporated into any contract.   It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decision.  The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Oracle E-Business Suite Release 12 will include the 10gR2 Database (10.2) as part of its Rapid Install. 

The specific database-tier point release is still undergoing internal review, but it is reasonably certain that the 10gR2 10.2.0.2 Database will be the minimum version included with the Release 12 Rapid Install, given that this database version is already certified with the E-Business Suite Release 11i.  The complementary JDBC 10.2 will be utilitized on the application-tier.

The above is intended to outline our general product direction.  It is intended for information purposes only, and may not be incorporated into any contract.   It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decision.  The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

It's expected that the E-Business Suite Release 12 will feature an updated user interface, codenamed "Project Swan."  Aside from the unfortunate implication that the existing 11i user interface is an ugly duckling, Project Swan has some very appealing new aspects:

1. Background pattern for branding
2. Base font change to Tahoma 9pt
3. Button style change
4. Background color change
5. Tab style sub-tab layout with gradient background
6. Gradient background for header
7. Icon change
8. Table color update
9. Gradient background for footer
10. Vertical spacing change

For comparison, here's an existing Release 11i Self-Service Expenses screenshot (OA Framework):

I've received a sufficient number of emails on Project Swan, our Release 12 user interface facelift, that we'll take another run at it today.

There are many ways of getting information into and out of the E-Business Suite.  Until recently, however, these have been documented in a wild assortment of different places, including product-specific Apps manuals, the Electronic Technical Reference Manual (eTRM), and other unlikely sources.  If you've been subjected to the dubious pleasure of sifting through
our documentation in search of APIs and web services, this article should come as welcome news.

Apr 3, 2007 Update:  Release 12.0 includes WSRP 1.0-compliant versions of the following E-Business Suite portlets:  Applications Navigator, Applications Favorites, Applications Worklist.

I've briefly alluded to our Release 12 plans for portlets, but your feedback suggests that it's worth discussing our plans in more detail.

Oracle executives have been justifiably devoting a lot of slides in recent customer briefings to Oracle BPEL Process Manager: it's the cornerstone for our corporate integration strategy.  This begs the obvious question: what's going to be included in Release 12?

Workflow in Release 12

The Rapid Install for Release 12 will include Oracle Workflow out-of-the-box.  At present, we expect that the version included will be Workflow 2.6, but as always, this is subject to change. 

The practical implication of including Workflow in Release 12 is that all of your existing customized workflows will continue to function with minimal disruption and effort if you're upgrading from Release 11i.

Optional R12 Integration with BPEL Process Manager

If you're excited about working with BPEL Process Manager, you'll have the option of doing that, too. 

The E-Business Suite Release 12 Rapid Install is expected to include Java 5 (J2SE) for the application tier.  In addition, given that AutoConfig will be compiled as Java 5 objects, we'll be delivering Java 5 on the database tier, too.

Release 12's run time components will include Java 5 for the web tier (including JSP compilation), the Concurrent Processing tier, and for the AD utilities.  We're still working out the exact Java version now; feel free to subscribe to this blog if you'd like updates when more details get posted.

Related:

• Native Sun Plug-In to Replace Jinitiator in E-Business Suite Release 12
• More Release 12 Sneak Previews
  

The above is intended to outline our general product direction.  It is intended for information purposes only, and may not be incorporated into any contract.   It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decision.  The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle. 

E-Business Suite Release 12 will include a raft of new SSL-related features, including a new mod_ossl plug-in, use of Oracle Wallet Manager, and optional use of Oracle Certificate Authority for PKI deployments.

The most significant change for Secure Sockets Layer (SSL) support in E-Business Suite Release 12 is expected to be the use of the mod_ossl module for the Oracle HTTP Server.  Like mod_ssl, the mod_ossl plug-in enables strong cryptography for Oracle HTTP Server.  In contrast to the OpenSSL module, mod_ossl is based on the Oracle implementation of SSL, which supports SSL 3, and is based on Certicom and RSA Security technology.

Release 12 SSL certificates will be managed by the Oracle Wallet Manager 10g, which will be accessible via a graphical user interface (GUI) or via a command line interface (CLI), for all of you die-hard purists out there.

Forms Listener Servlet won't need a separate certificate, and will share the same wallet as the Oracle HTTP Server. 

If you're interested in deploying public key infrastructure (PKI) technologies in your organization, you will also have the option of using the Oracle Certificate Authority (OCA) to issue and manage X.509 digital client certificates.  End-users and servers will be able to use these digital certificates to authenticate themselves to Release 12.

The above is intended to outline our general product direction.  It is intended for information purposes only, and may not be incorporated into any contract.   It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decision.  The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle. 

Editor Oct 9 Update:  See this article for a small update on upgrade paths.

There's a lot of certification work underway to ensure that it will be straightforward to upgrade to E-Business Suite Release 12.

If you recall, the E-Business Suite isn't explicitly certified with third-party networking components but is expected to work with them. 

If you're integrating the E-Business Suite with Oracle Application Server 10g, there's another piece that you can add to the puzzle.

Oracle Application Server 10g isn't explicitly certified with third-party networking components, either, but some testing has been performed with specific vendor products.

These tests cover load-balancers, firewalls, and SSL accelerators.  Some of the load-balancer vendors and products include F5's BIG-IP, Foundry, Citrix's NetScaler, Nortel, and Radware.  The firewall and SSL vendors include Check Point, Cisco, Sonic Wall, and Ingrian.

Remember that Oracle testing doesn't equate to certification.  It's the responsibility of the third-party vendor to certify their hardware with Oracle Application Server 10g.  Regardless of that, you might find it reassuring to know that Oracle's tried some of these combinations in the Oracle Application Server 10g labs. 

Even if your networking vendor hasn't certified their hardware explicitly Oracle Application Server (or even the E-Business Suite), it's generally expected that their products will work if they're standards-compliant.

References

• Oracle Application Server 10g (9.0.4, 10.1.2) Tested Load Balancers, Firewalls and Stand-Alone SSL Accelerators
• Oracle Application Server Enterprise Deployment Guide 10g Release 2 (10.1.2)
  

It's interesting how certain questions seem to surge in clusters.  Lately there's been a bountiful harvest of questions about using Virtual Private Database (VPD) functionality in E-Business Suite Release 11i environments.

VPD in a Nutshell

Virtual Private Database (VPD) enables programmers and database administrators to enforce security, to a fine level of granularity, directly on tables, views, or synonyms. Because security policies are attached directly to tables, views, or synonyms and automatically applied whenever a user accesses data, there's no way to bypass security.

When a user directly or indirectly accesses an object protected with a VPD policy, the server dynamically modifies the SQL statement of the user. The modification creates a WHERE condition returned by a function implementing the security policy. The statement is modified dynamically, transparently to the user.

In the example diagram above, a customer can only see his orders in the 'orders' table when he is listed in the 'customers' table.

Not a Walk in the Park

Apps makes some use of VPD internally in Release 11i, but enabling your own VPD policies across the E-Business Suite isn't as simple as flipping a switch, unfortunately.

For example, let's say you decide to apply VPD policies to a
particular Workflow or concurrent processing table.  If your custom VPD
policies lock out a set of users, there may be unknown side-effects in
other dependent Apps products that need generic administrative access
to these tables.

Although it's technically possible to use VPD to implement your own data security extensions, there's a decidedly non-trivial amount of custom work involved.  This requires deep understanding of the E-Business Suite data model and is not for the faint-hearted.  Supporting these kind of customizations is outside of our scope here in Apps Development, but there are Oracle Consultants who may have the right expertise for this.

Is It Supported for E-Business Suite Environments?

If you create custom VPD policies for your E-Business Suite environment, Oracle Support will regard these like any other customization or third-party products in your environment, namely:

• If you report issues that can be reproduced in standard, uncustomized environments, those issues will be resolved via workarounds or patches. 

• If the issues can't be reproduced in standard environments and are isolated to your custom VPD policies, the outcome will be a recommendation to remove or fix your VPD policies.
  

Future Plans for Documentation and Release 12

The Applications Technology Group doesn't currently document how VPD extensions should be performed in the E-Business Suite.  There are plans for future documentation that will describe what session context is available for use in VPD policies, but no firm schedules.

In Release 12, VPD will be used as part of the new implementation of Multi-Organization Access Control (MOAC).

The above is intended to outline our general product direction.  It is intended for information purposes only, and may not be incorporated into any contract.   It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decision.  The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle. 

[Editor Update May 21, 2008:  Keith has moved on to another team within Oracle and, sadly, is no longer an active contributor to this blog.  Feel free to direct any questions about his posted articles directly to Steven Chan, instead.]

Oracle has been making big strides in the area of content management. A recent press release touted two new products, Oracle Content Database and Oracle Records Database (or just Content DB and Records DB, for short). In short, Content DB allows you to use a single Oracle database instance as a repository for all kinds of unstructured data, and gives you the ability to use powerful tools like SQL and database privileges to query and manage that data. Records DB offers additional lifecycle management utilities that allow you to apply policies for document auditing, retention, and disposal to meet regulatory compliance obligations.

A Brief History of Content Management at Oracle

If this sounds familiar to you, then you're one of the not-so-many people who's been paying attention to this space over the past few years. Oracle's content management offerings are not entirely new, having undergone several transformations, from iFS, to Oracle Files, to the more recent Oracle Content Services, introduced in Oracle Collaboration Suite 10g. Starting later this summer, this latter incarnation will be rechristened as Oracle Content Database, and will henceforth be available as an option for the Enterprise Edition of Oracle Database 10g.

This marks the first time that a content management product has moved out of being in its own collaboration offering, and into the head-of-the-class database suite. It makes a strong statement about the importance of having access to the right tools for managing the overwhelming amounts of data companies are juggling today. Hopefully making it easier to obtain and install that technology will be a big step toward easing the burden. (Note that shortly after Oracle made this announcement, Microsoft announced that their perpetually elusive WinFS project was being taken out of the operating system track, and integrated into their SQL Server product. Coincidence? One has to wonder.)

I Want It Now!

Today, there are a handful of E-Business Suite products that offer optional integration with Oracle Files and/or Oracle Content Services, including Product Lifecycle Management, Internal Controls Manager, and Oracle Tutor.

For instance, Oracle Document Management is an integral component of PLM that allows product designers & engineers to associate large numbers of files and documents that have their own lifecycle policies. It supports features such as check-in/check-out, major/minor revisions & versions, access control, associations (to E-Business Suite objects), and more...all on top of Oracle Content Services. Going forward, we expect that many more products will be enticed to provide support for both Oracle Content DB and Oracle Records DB.

Now in the Bullpen

To aid in this process, the folks here at Techstack Central are looking at how we can make it easier for E-Business Suite teams to offer such support in their products. Content DB and Records DB will be available starting in August, and our evaluation of these products for integration with Release 12 is already well underway.

Our Mail Filters Are Standing By

We will be making a decision at a later time regarding support with Release 11i, but in the meantime, if this combination is deemed critical for your company (and an upgrade to Release 12 is not in the cards), you can always help us out by letting us know about it, either by adding a comment to this blog entry, or by sending me or Steven an email.

Be sure to tell us which specific products you are interested in integrating with our content management solutions.

[May 27, 2008 Update:  The E-Business Suite is now certified to be IPv6-compatible; see this announcement for details.]

[May 9, 2007 Update:  As of today, this article still represents our latest status on IPv6 certification for the E-Business Suite, for both Release 11i and 12.  We have been briefed on the US Federal requirements for the 2008 changeover.  Aside from those US governmental organizations, if you haven't already contacted us about your IPv6 requirements, please drop me a line.]

A very small number of E-Business Suite customers have expressed interest in Internet Protocol Version 6, otherwise known as IPv6. From the the IPv6 Information Page:


Certification Plans for the E-Business Suite

Certification of the E-Business Suite with IPv6 is in the queue for evaluation and feasibility analysis, but we don't have any commitments or timelines that we can share at this point.

Help Influence Our Priorities

If your organization is committed to migrating IPv6, please add a comment to this article or drop me an email with the details, including timelines and how you expect this to affect your E-Business Suite deployments.  Your feedback helps us prioritize this certification for future releases.

A big part of an Apps DBA's job is patching, so I know the Patch Wizard in Oracle Applications Manager is something about which you have a few opinions.  These opinions are sometimes expressed in energetic and colorful language.  It's clear that some of you feel strongly about this area. 

Some of you have recently provided feedback on the Patch Wizard, which I forwarded to our development team.  They reviewed your comments and provided some glimpses of functionality to come in future versions such as Release 12.  Here's a sampling of your comments and some selected responses from the team:

1. Patch Wizard downloads patches which have already been downloaded
   
   This is by design in the current Release 11i version.  Release 12 will download a patch from Metalink only if it doesn't match an existing patch in your staging directory.
    
   
2. Patch Wizard gets some patch prerequisites wrong
    
   This is a known issue, complicated by the interrelationships between patches, Family Packs, and the wide array of bundles that patches can be delivered in.  The issue of handling patch prerequisites more sensibly is being revisited in Release 12.
    
3. Patch Wizard recommends patches included in already-installed patches
    
   This shouldn't happen for patches that are explicitly included, i.e. patches whose definitions directly include specific sub-patches.  If you encounter this behaviour, file a bug with Oracle Support and we'll investigate this.
    
   If a patch is implicitly included (i.e. all files in a patch are included in an already-applied patch), this can happen.
    
4. Patch impact analysis doesn't note when a patch is significantly changing your installed patch level, e.g. from Minipack H to Minipack J.
    
   This is true.  This is functionality that is slated to be improved in Release 12.
    
5. Patch Wizard should show analysis results even when no patches are recommended.
    
   This is a commonly requested enhancement request.  This functionality is slated to be delivered in Release 12.
    
6. There should be better correlation between analysis runs and concurrent requests.
    
   The technology used for concurrent requests places some restrictions on this; we're looking at what's feasible for future releases.
    
7. Analysis runs may take some time to complete.
    
   This is true.  Some of the current analysis being performed by the Patch Wizard take some serious computation time.
   
   It's expected that Release 12 will include some performance gains over earlier releases, partially resulting from avoiding downloads of existing patches, changes in .LDT file packaging, and changes in the logic used by the prerequisite analysis engine.
    
8. Large patches may trigger "out of memory" errors in some rare cases.
    
   If you encounter this behaviour, please file a bug and we'll investigate this. 

Stay tuned to this website for more patching updates for Release 12.  Thanks for your comments -- keep them coming, and I'll do my best to route them to the right teams.

Related

• OAM: A Toolbox for E-Business Suite Administrators
• Patch-Related Enhancements in Release 12
  

The above is intended to outline our general product direction.  It is intended for information purposes only, and may not be incorporated into any contract.   It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decision.  The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle. 

If you've been keeping up with our E-Business Suite Release 12 sneak previews, you know that this release will include Oracle Application Server 10g for the application tier.  Here are a few more details about identity management for this release.

FND_USER Still The Default

Like Release 11i, Release 12 will use the local E-Business Suite user directory, FND_USER, for user authentication by default.  You may optionally integrate R12 with an external Oracle Application Server 10g instance and delegate user authentication to Single Sign-On 10g and Oracle Internet Directory 10g running externally. 

Integration with Third-Party LDAPs and Single Sign-On Solutions

It's possible to integrate R12 with a third-party LDAP (e.g. Microsoft Active Directory, SunONE/iPlanet) or single sign-on solution (e.g. Microsoft Windows Kerberos, Netegrity SiteMinder).  If you want to do this, you'll need to integrate those third-party solutions via an external Oracle Application Server 10g instance, as shown in the diagram above.

That creates a chain of trust:  R12 delegates user authentication to Oracle Single Sign-On; Oracle Single Sign-On delegates authentication to the third-party single sign-on solution.

Likewise, user information from the third-party LDAP must be synchronized with Oracle Internet Directory 10g, which synchronizes its users with the E-Business Suite's FND_USER directory.  Synchronization is handled by the Oracle Directory Integration Platform.

New Local Login Page

The Release 12 local login page will feature the new Swan look-and-feel, offer multiple languages, and support customizations.

SSO Integration With Portal & Discoverer

As in Release 11i, the R12 Single Sign-On integration allows logged-in E-Business Suite users to access Portal and Discoverer content without having to log in again.

Switch to mod_osso

Under the covers, the R12 Single Sign-On integration switches from the older SSO SDK used in 11i to the latest mod_osso technology available in Oracle Application Server 10g.

From an end-user's perspective, nothing has changed; they're still authenticated by Single Sign-On 10g.  From a security perspective, mod_osso centralizes partner application session management and allows for simpler debugging and administration.

The above is intended to outline our general product direction.  It is intended for information purposes only, and may not be incorporated into any contract.   It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decision.  The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle. 

User password resets - the bane of every sysadmin.  Automating this tedium is a major benefit of integrating your E-Business Suite environment with Oracle Application Server 10g.  By delegating user authentication to Single Sign-On 10g and Oracle Internet Directory 10g, you can take advantage of the latter's automatic password reset capabilities.

But First, Some Basics About Account Management

In a standard E-Business Suite environment, user passwords are stored and encrypted in the user's records in the E-Business Suite's FND_USER directory.  

When an E-Business Suite environment is integrated with Single Sign-On and Oracle Internet Directory, Apps user accounts are linked to Oracle Internet Directory user accounts like this:


Where Does The User Log In?

When a user's E-Business Suite account is linked to an account in Oracle Internet Directory,  sysadmins have the option of specifying how the user can log into the E-Business Suite.  This can be specified for each individual user.

Available options are:

• Users can log in externally via Single Sign-On
  
• Users can bypass Single Sign-On and log in locally to the E-Business Suite
• Users can log in via both of the methods above

E-Business Suite Doesn't Need To Store A Password

In the external scenario, all user authentication is handled by Single Sign-On and Oracle
Internet Directory.  For so-called external users, passwords are stored exclusively in Oracle Internet Directory.  Single Sign-On displays a login screen and collects the user's userid and password, and Oracle Internet Directory checks that those credentials match the user's entry within the Oracle Internet Directory LDAP user directory.

After users successfully log into Single Sign-On, they
receive security tokens that the E-Business Suite recognizes and uses
to establish their E-Business Suite session, based on a chain of trust that looks like this:


The E-Business Suite uses those Single Sign-On security tokens in place of checking for a password.  So, it doesn't need to store user passwords for external users at all. 

No More Manual Password Changes

So, in a refreshing switch for veteran Apps sysadmins, all external users can reset their own passwords using Oracle Internet Directory's Delegated Administration Service.  This represents the end of the era of manual password resets for Apps users.

Logging Into The E-Business Suite Directly

There are specific users that must always be able to log into the E-Business Suite directly.  These users include Apps DBAs or system administrators, who still need to be able to get into Apps even if the external Single Sign-On and Oracle Internet Directory instances are unavailable due to maintenance windows.

These are considered to be local users, so their passwords are always stored in the E-Business Suite's FND_USER directory, not Oracle Internet Directory.  Passwords for these users still need to be maintained manually using the regular E-Business Suite security forms that you know and love.

A Tricky Case:  "Both"

There might be a subset of users who need to be able to access the E-Business Suite via Single Sign-On as well as locally.  These users would be given access to both login methods, which means that passwords must be stored in both locations:  Oracle Internet Directory and the E-Business Suite's FND_USER directory. 

The password management overhead is higher for these users, so you'll want to use this option very sparingly:

• Password changes made in the E-Business Suite are automatically sent to Oracle Internet Directory
  
• Password changes made in Oracle Internet Directory must be manually repeated in the E-Business Suite using the E-Business Suite security forms

The asymmetry in the tasks above is because of this:  we can decrypt passwords stored in the E-Business Suite, which allows us to send them to Oracle Internet Directory.  Passwords in Oracle Internet Directory, however, are hashed, which prevents us from transmitting a copy to the E-Business Suite.

Password Management With Third-Party Integrations

That's enough for today, but look out for a future article discussing password management when you integrate the E-Business Suite with a third-party LDAP directory or single sign-on solution.  Stay tuned.

Related

Note:  Everything in this article applies equally to both Release 11i and 12 environments.

• Identity Management in Release 12
• In-Depth: Using OracleAS 10g with E-Business Suite Release 11
• In-Depth: Using Single Sign-On 10g with E-Business Suite Release 11i
• In-Depth: Using Third-Party Identity Managers with the E-Business Suite Release 11i

Editor Jan. 12, 2007 Update:  Oracle Identity Management 10g 10.1.4.0.1 is now certified with the E-Business Suite. 

We've now demonstrated that passwords no longer need to be maintained in the E-Business Suite when you've implemented Single Sign-On 10g integration.  What happens to passwords in a configuration that includes a third-party LDAP directory like Microsoft Active Directory, and a third-party single sign-on solution like Microsoft Kerberos?

Third-Party Integration In A Nutshell

Before we get to password management, I'd recommend that you review my earlier article about integrating the E-Business Suite with third-party LDAP and single sign-on solutions. 

If you're in a hurry, here's a quick recap of the key points:

• Oracle Internet Directory is a mandatory hub for synchronizing user information between a third-party LDAP directory and the E-Business Suite
   
• The third-party LDAP directory is usually considered to be the master "source of truth" for user credentials
   
  
• Oracle Single Sign-On is a mandatory prerequisite for delegating E-Business Suite's user authentication to a third-party single sign-on solution
  

Using Oracle Internet Directory As A Hub

Recall that it's possible to integrate your E-Business Suite environment with a third-party LDAP directory using Oracle Internet Directory and its Directory Integration Platform as an intermediary, like this:

When the user logs on to the third-party single sign-on solution, she gets a set of security tokens that are recognized and trusted by Oracle Single Sign-On.  Oracle Single Sign-On doesn't challenge the user again for her credentials.

In turn, Oracle Single Sign-On issues its own set of security tokens, which are recognized and trusted by the E-Business Suite.  The E-Business Suite doesn't challenge the user again for her credentials.

What About Passwords?

Now that we've got the basics out of the way, understanding how passwords are handled in this scenario should be a bit easier.  In the scenario above, the user is challenged only once for their userid and password.  The third-party single sign-on solution handles that challenge and authenticates the user's credentials against the third-party LDAP.

It stands to reason that if the user is already logged in by the third-party single sign-on solution, and Oracle components never ask for the user's userid and password, there's no reason to keep the user's password anywhere in the Oracle namespaces.


And, that's true:  when integrated as shown above, users' passwords are not stored locally in either Oracle Internet Directory or the E-Business Suite.  Passwords are stored only in the third-party LDAP directory.
Delegating User Management

Since the third-party LDAP repository is the master source of truth, it handles all user password resets.  Neither Oracle Internet Directory nor the E-Business Suite are interested in -- or even participate in the process -- of password management in this scenario.  It's all delegated to the third-party LDAP.

For Advanced Readers Only

By this point, I've weeded out readers with short attention spans.  For the handful of you who've toughed it out to this point, I should note that the above scenario is only one of many possible starting points.  Other advanced scenarios are technically feasible, including those in which user credentials flow bidirectionally between Oracle Internet Directory and the third-party LDAP. 

These can get pretty involved, so I'll have to leave these as an exercise for you to work out, for now.  More information can be found in our Implementation Guide, which describes more variants on the basic scenario outlined here. 

If you have a burning need to discuss those with someone, drop me a line.  I'll connect you to specialists in our Protected Enterprise Consulting group for more guidance.

Related

Note:  Everything in this article applies equally to both Release 11i and 12 environments.

• Password Management with Oracle Internet Directory
• In-Depth: Using Third-Party Identity Managers with the E-Business Suite Release 11i
• Integrating Oracle E-Business Suite Release 11i with Oracle Internet Directory and Oracle Single Sign-On (Metalink Note 261914.1)