Tuesday Apr 30, 2013

Where Should EBS Concurrent Managers be Located?

This FAQ topic continues to bounce around, suggesting that this needs to be called out explicitly:

EBS concurrent managers do not need to be installed on database servers any more.

Nick Quarmby correctly noted this as one of five common mistakes that customers make when installed the E-Business Suite:

COMMON ERROR #2: Placing concurrent processing services and the database tier on the same node to improve performance.

ORACLE’S RECOMMENDATION: There is no significant performance benefit to placing concurrent processing and the database tier on the same node. Your system will be more scalable if your database tier hardware is dedicated solely to serving the needs of the database. Patching, cloning and E-Business Suite administration will also be much easier as you will have at least one less APPL_TOP and application tier technology stack to maintain. Placing concurrent processing on the database tier node to distribute load might suggest that your application tier hardware is already undersized. You should place concurrent processing on the same nodes as your web/forms services or create a dedicated concurrent processing tier in exceptionally busy environments.

Where is this correctly documented?

This is currently noted in our official documentation here:

  • Oracle E-Business Suite Technology Stack Release Notes for Release 12.1.3 [ID 1098650.1]
2.6 Updated Architectural Guidance

With fast local networks and the typical co-location of database and application tier machines, it is now generally preferable to perform concurrent processing on a separate machine from the database. This facilitates ease of management and maintenance, and provides deployment flexibility.

This is updated guidance is already reflected in our 12.1.3 Concepts Guide and Installation Guides, and will continue to be included in future versions of our documentation.

A shibboleth of sorts

Interestingly, this question is a bit of a shibboleth in the EBS sysadmin community.  DBAs who instinctively place the concurrent processing server on the same physical server as the database have been around a long time -- before gigabit network speeds made the placement irrelevant.

In fact, sharp-eyed readers might notice that this is incorrectly-documented even in some versions of our official R12 Installation Guides, which may state erroneously: "Batch Processing services must be installed on the same node as the database."

This is a documentation artifact from a bygone time.  This guidance doesn't apply any longer.


Monday Apr 29, 2013

How to Obtain Media Packs for Older Versions of Oracle Products

Installation media for all Oracle products can be downloaded from the Oracle Software Delivery Cloud (SDC, formerly called Oracle eDelivery). You can use this site to obtain Media Packs for the latest versions of all licensable Oracle products.  Media Packs are available in zip and ISO formats, which you can unzip or burn to DVDs, respectively.  All of the download links on the Oracle Technology Network (OTN) point to the Software Delivery Cloud, making the latter the authoritative source for all Oracle downloads.

Screenshot of Oracle Software Delivery Cloud

For more information about SDC, see:

Need to download older versions?

The Oracle Software Delivery Cloud hosts the latest released versions.  There may be times when you need a media pack for an older release.  

For example:

As of today, the latest version of Oracle Access Manager available for download is Oracle Access Manager 11.1.2.1.0.

We're certifying Oracle Access Manager 11.1.2.1.0 with the E-Business Suite right now.  In the interim, E-Business Suite customers should use only the 11.1.2.0.0 version.

If you need a Media Pack for an older release, you can log a Service Request requesting the specific release.  Oracle Support has a team that's dedicated to handling these types of shipping requests and other non-technical issues.  Also see:

Wednesday Apr 24, 2013

Seven EBS 12 Products Supported on Linux, Solaris, and AIX

Some earlier Oracle E-Business Suite R12 certifications on newer operating systems excluded the following products due to the lack of third-party product support:
  • Advanced Supply Chain Planning
  • Inventory Optimization
  • Constraint Based Optimization
  • Sourcing
  • Engineering
  • Work In Process
  • Manufacturing Scheduling

These restrictions are now lifted and the products are now officially supported on the following operating systems:

  • Oracle Linux 6 and Red Hat Enterprise Linux 6 on Linux x86 (32-bit)
  • Oracle Linux 6 and Red Hat Enterprise Linux 6 on Linux x86-64 (64-bit)
  • Novell SUSE Linux Enterprise Server (SLES) 11 on Linux x86-64 (64-bit)
  • Solaris 11 on Oracle Solaris on SPARC (64-bit)
  • AIX 7 on IBM AIX on Power Systems (64-bit)
References

Tuesday Apr 23, 2013

Using SAML-based Authentication for Web Services with Integrated SOA Gateway

Web services provided by Oracle E-Business Suite Integrated SOA Gateway are secured at the transport level through SSL and at the message level through authentication tokens – Username Token and SAML Token (Sender Vouches). I will discuss SAML Token (Sender Vouches) here.

Brief on SAML, SAML Token, SAML Token Profile

Security Assertion Markup Language (SAML) is a XML-based framework to exchange security related information between Service Consumer, Identity Provider and Service Provider. The security information is expressed in terms of assertions. Statements about the subject or user form the SAML Token. 

WS-Security defines a set of security token profiles for different types of tokens embedded within the SOAP message as headers. SAML Token Profile is one of the WS-Security Token Profiles that describe the syntax and meaning of SAML Tokens. SAML Tokens are embedded within SOAP messages by placing assertion elements inside the SOAP Header.

As per WS-Security, there are three common methods to assure the Service Provider that the SOAP message came from the subject referenced in the token. The three common subject confirmation methods are Sender Vouches, Holder of Key, and Bearer. As of Oracle E-Business Suite Release 12.1.3, web services provided by Integrated SOA Gateway (inbound) support SAML Token using the Sender Vouches subject confirmation method.

SAML Token - Sender Vouches

SAML Tokens assert that the subject or user has already been authenticated. As the name suggests, in the Sender Vouches case, the Sender or SOAP web service client that sends the SOAP request message to SOAP web service vouches for the identity of the assertion’s subject.

SAML flow diagram

The SAML assertion may be provided by an external Identity Provider -- a SAML Authority or SAML Issuer. In this case, a client sends a SAML assertion request to a SAML Authority. The SAML Authority identifies the client, authenticates the subject, and sends SAML assertion as response to client. The client’s private key is used to sign both the assertion and the SOAP message body.

The E-Business Suite's Integrated SOA Gateway uses Oracle Application Server’s Web Services Security framework. It verifies the digital signature in a SOAP request and extracts the SAML Token. It validates the SAML assertion such as the issuer, validity period, and authentication statement. It extracts the SAML Subject Name Identifier and verifies the same with registered Oracle Internet Directory (OID) for single sign-on users or with FND_USER table in Oracle E-Business Suite (EBS) database for non-single sign-on users. It uses Oracle Internet Directory to map the single sign-on user with the equivalent EBS user. The EBS username is then used for the authorization check for the web service execution.

When to use SAML Sender Vouches based authentication for web services provided by Integrated SOA Gateway?

SAML Token with Sender Vouches is best used for following scenarios:

  • Single Sign On: As part of your business process, you may want to authenticate once and propagate the authenticated identity as a SAML assertion to subsequent EBS web service calls.
  • Subject or user needs to be authenticated locally (at web service client end) or centrally by Identity Provider (or SAML Authority), and propagate the assertion to an EBS web service.

How to use SAML Token Sender Vouches in Integrated SOA Gateway?

The steps to expose an EBS API as web service are described in Oracle E-Business Suite Integrated SOA Gateway Implementation Guide and Developer's Guide

  • Create Grant for EBS API methods that you want to expose as web service operations
  • Generate and Deploy the EBS API as web service with SAML Token (Sender Vouches) authentication type
  • Configure client and EBS (server) for SAML  

See Setting Up SAML Token Security for Oracle E-Business Suite Integrated SOA Gateway Release 12.1.3 [Note 1144313.1] 

This Note describes the steps to configure SOAP Web Service Client as well as Oracle E-Business Suite (SOAP Web Service Provider). In Integrated SOA Gateway, a SAML Token Sender Vouches policy is applied at the web service level or port level. You may have to configure EBS for SAML for all web services that are deployed with Authentication Type as SAML Token (Sender Vouches).

  • Invoke web service with SAML Token

The Note also describes steps to test web service invocation with a SAML Token. Depending upon the client program, you may programmatically insert SAML assertions or let web service security policy enforcement products such Oracle Web Services Manager (OWSM) insert a SAML Token in a SOAP request message.

References

Related Articles

Monday Apr 22, 2013

EBS 12 certified with Mac OS X 10.7 and 10.8 with Safari 6 and JRE 7

Apple logoOracle E-Business Suite Release 12 is now certified with the Safari 6 browser and the JRE 7 plugin on the following Apple Mac OS X desktop configurations:

  • Mac OS X 10.7 ("Lion" version 10.7.5 or higher) and 10.8 ("Mountain Lion" version 10.8.2 or higher)
  • Safari version 6 (6.0.2 or higher)
  • Oracle JRE 7 plugin (1.7.0_21 or higher)

Users should review all relevant information along with other specific patching requirements and known limitations posted in the Notes listed below.

Internationalization certification for non-English desktops is also in progress.

Where can I find more information?

Wednesday Apr 17, 2013

Java JRE 1.7.0_21 Certified with Oracle E-Business Suite

Java logoJava Runtime Environment 7u21 (a.k.a. JRE 7u21-b11) and later updates on the JRE 7 codeline are now certified with Oracle E-Business Suite Release 11i and 12 for Windows-based desktop clients.

All JRE 6 and 7 releases are certified with EBS upon release

Our standard policy is that all E-Business Suite customers can apply all JRE updates to end-user desktops from JRE 1.6.0_03 and later updates on the 1.6 codeline, and from JRE 7u10 and later updates on the JRE 7 codeline.  We test all new JRE 1.6 and JRE 7 releases in parallel with the JRE development process, so all new JRE 1.6 and 7 releases are considered certified with the E-Business Suite on the same day that they're released by our Java team. 

You do not need to wait for a certification announcement before applying new JRE 1.6 or JRE 7 releases to your EBS users' desktops.

What's needed to enable EBS environments for JRE 7?

EBS customers should ensure that they are running JRE 7u17, at minimum, on Windows desktop clients.

Of the compatibility issues identified with JRE 7, the most critical is an issue that prevents E-Business Suite Forms-based products from launching on Windows desktops that are running JRE 7. 

Customers can prevent this issue -- and all other JRE 7 compatibility issues -- by ensuring that they have applied the latest certified patches documented for JRE 7 configurations to their EBS application tier servers. 

These patches are compatible with JRE 6 and 7, production ready, and fully-tested with the E-Business Suite.  These patches may be applied immediately to all E-Business Suite environments. All other Forms prerequisites documented in the Notes above should also be applied. 

Where are the official patch requirements documented?

All patches required for ensuring full compatibility of the E-Business Suite with JRE 7 are documented in these Notes:

For EBS 11i:

For EBS 12

Prerequisites for 32-bit and 64-bit JRE certifications

JRE 1.70_21 32-bit + EBS 11.5.10.2

JRE 1.70_21 32-bit + EBS 12.0 & 12.1

JRE 1.7.0_21 64-bit + EBS 11.5.10.2

JRE 1.70_21 64-bit + EBS 12.0 & 12.1

EBS + Discoverer 11g Users

JRE 1.7.0_21 is certified for Discoverer 11g in E-Business Suite environments with the following minimum requirements:

Worried about the 'mismanaged session cookie' issue?

No need to worry -- it's fixed.  To recap: JRE releases 1.6.0_18 through 1.6.0_22 had issues with mismanaging session cookies that affected some users in some circumstances.

The fix for those issues was first included in JRE 1.6.0_23. These fixes will carry forward and continue to be fixed in all future JRE releases on the JRE 6 and 7 codelines.  In other words, if you wish to avoid the mismanaged session cookie issue, you should apply any release after JRE 1.6.0_22 on the JRE 6 codeline, and JRE 7u10 and later JRE 7 codeline updates.

Implications of Java 6 End of Public Updates for EBS Users

The Support Roadmap for Oracle Java is published here:

The latest updates to that page (as of Sept. 19, 2012) state (emphasis added):

Java SE 6 End of Public Updates Notice

After February 2013, Oracle will no longer post updates of Java SE 6 to its public download sites. Existing Java SE 6 downloads already posted as of February 2013 will remain accessible in the Java Archive on Oracle Technology Network. Developers and end-users are encouraged to update to more recent Java SE versions that remain available for public download. For enterprise customers, who need continued access to critical bug fixes and security fixes as well as general maintenance for Java SE 6 or older versions, long term support is available through Oracle Java SE Support .

What does this mean for Oracle E-Business Suite users?

EBS users fall under the category of "enterprise users" above.  Java is an integral part of the Oracle E-Business Suite technology stack, so EBS users will continue to receive Java SE 6 updates from February 2013 to the end of Java SE 6 Extended Support in June 2017.

In other words, nothing will change for EBS users after February 2013. 

EBS users will continue to receive critical bug fixes and security fixes as well as general maintenance for Java SE 6. These Java SE 6 updates will be made available to EBS users for the Extended Support periods documented in the Oracle Lifetime Support policy document for Oracle Applications (PDF):

  1. EBS 11i Extended Support ends November 2013
  2. EBS 12.0 Extended Support ends January 2015
  3. EBS 12.1 Extended Support ends December 2018

How can EBS customers obtain Java 6 updates after the public end-of-life?

EBS customers can download Java 6 patches from My Oracle Support.  For a complete list of all Java SE patch numbers, see:

Will EBS users be forced to upgrade to JRE 7 for Windows desktop clients?

No. This upgrade is highly recommended but currently remains optional. JRE 6 will be available to Windows users to run with EBS for the duration of your respective EBS Extended Support period.  Updates will be delivered via My Oracle Support, where you can continue to receive critical bug fixes and security fixes as well as general maintenance for JRE 6 desktop clients. 

Coexistence of JRE 6 and JRE 7 on Windows desktops

The upgrade to JRE 7 is highly recommended for EBS users, but some users may need to run both JRE 6 and 7 on their Windows desktops for reasons unrelated to the E-Business Suite.

Most EBS configurations with IE and Firefox use non-static versioning by default. JRE 7 will be invoked instead of JRE 6 if both are installed on a Windows desktop. For more details, see "Appendix B: Static vs. Non-static Versioning and Set Up Options" in Notes 290807.1 and 393931.1.

Applying Updates to JRE 6 and JRE 7 to Windows desktops

Auto-update will keep JRE 7 up-to-date for Windows users with JRE 7 installed.

Auto-update will only keep JRE 7 up-to-date for Windows users with both JRE 6 and 7 installed. 

JRE 6 users are strongly encouraged to apply the latest Critical Patch Updates as soon as possible after each release. The Jave SE CPUs will be available via My Oracle Support.  EBS users can find more information about JRE 6 and 7 updates here:

The dates for future Java SE CPUs can be found on the Critical Patch Updates, Security Alerts and Third Party Bulletin.  An RSS feed is available on that site for those who would like to be kept up-to-date.

What will Mac users need?

Oracle will provide updates to JRE 7 for Mac OS X users. EBS users running Macs will need to upgrade to JRE 7 to receive JRE updates.

The certification of Oracle E-Business Suite with JRE 7 for Mac-based desktop clients accessing EBS Forms-based content is underway. Mac users waiting for that certification may find this article useful:

Will EBS users be forced to upgrade to JDK 7 for EBS application tier servers?

No. This upgrade will be highly recommended but will be optional for EBS application tier servers running on Windows, Linux, and Solaris.  You can choose to remain on JDK 6 for the duration of your respective EBS Extended Support period.  If you remain on JDK 6, you will continue to receive critical bug fixes and security fixes as well as general maintenance for JDK 6.

The certification of Oracle E-Business Suite with JDK 7 for EBS application tier servers on Windows, Linux, and Solaris as well as other platforms such as IBM AIX and HP-UX is planned.  Customers running platforms other than Windows, Linux, and Solaris should refer to their Java vendors's sites for more information about their support policies.

References

Related Articles

Java JRE 1.6.0_45 Certified with Oracle E-Business Suite

The latest Java Runtime Environment 1.6.0_45 (a.k.a. JRE 6u45-b06) and later updates on the JRE 6 codeline are now certified with Oracle E-Business Suite Release 11i and 12 for Windows-based desktop clients.  

All JRE 6 and 7 releases are certified with EBS upon release

Our standard policy is that all E-Business Suite customers can apply all JRE updates to end-user desktops from JRE 1.6.0_03 and later updates on the 1.6 codeline, and from JRE 7u10 and later updates on the JRE 7 codeline.  We test all new JRE 1.6 and JRE 7 releases in parallel with the JRE development process, so all new JRE 1.6 and 7 releases are considered certified with the E-Business Suite on the same day that they're released by our Java team. 

You do not need to wait for a certification announcement before applying new JRE 1.6 or JRE 7 releases to your EBS users' desktops.

What's new in Java 1.6.0_45?

See the 1.6.0_45 Update Release Notes for details about what has changed in this release.  This release is available for download from the usual Sun channels and through the 'Java Automatic Update' mechanism. Java logo

32-bit and 64-bit versions certified

This certification includes both the 32-bit and 64-bit JRE versions.

32-bit JREs are certified on:

  • Windows XP Service Pack 3 (SP3)
  • Windows Vista Service Pack 1 (SP1) and Service Pack 2 (SP2)
  • Windows 7 and Windows 7 Service Pack 1 (SP1)

64-bit JREs are certified only on 64-bit versions of Windows 7 and Windows 7 Service Pack 1 (SP1).

Worried about the 'mismanaged session cookie' issue?

No need to worry -- it's fixed.  To recap: JRE releases 1.6.0_18 through 1.6.0_22 had issues with mismanaging session cookies that affected some users in some circumstances.

The fix for those issues was first included in JRE 1.6.0_23. These fixes will carry forward and continue to be fixed in all future JRE releases.  In other words, if you wish to avoid the mismanaged session cookie issue, you should apply any release after JRE 1.6.0_22.

Implications of Java 6 End of Public Updates for EBS Users

The Support Roadmap for Oracle Java is published here:

The latest updates to that page (as of Sept. 19, 2012) state (emphasis added):

Java SE 6 End of Public Updates Notice

After February 2013, Oracle will no longer post updates of Java SE 6 to its public download sites. Existing Java SE 6 downloads already posted as of February 2013 will remain accessible in the Java Archive on Oracle Technology Network. Developers and end-users are encouraged to update to more recent Java SE versions that remain available for public download. For enterprise customers, who need continued access to critical bug fixes and security fixes as well as general maintenance for Java SE 6 or older versions, long term support is available through Oracle Java SE Support .

What does this mean for Oracle E-Business Suite users?

EBS users fall under the category of "enterprise users" above.  Java is an integral part of the Oracle E-Business Suite technology stack, so EBS users will continue to receive Java SE 6 updates from February 2013 to the end of Java SE 6 Extended Support in June 2017.

In other words, nothing will change for EBS users after February 2013. 

EBS users will continue to receive critical bug fixes and security fixes as well as general maintenance for Java SE 6. These Java SE 6 updates will be made available to EBS users for the Extended Support periods documented in the Oracle Lifetime Support policy document for Oracle Applications (PDF):

  1. EBS 11i Extended Support ends November 2013
  2. EBS 12.0 Extended Support ends January 2015
  3. EBS 12.1 Extended Support ends December 2018

How can EBS customers obtain Java 6 updates after the public end-of-life?

EBS customers can download Java 6 patches from My Oracle Support.  For a complete list of all Java SE patch numbers, see:

Will EBS users be forced to upgrade to JRE 7 for Windows desktop clients?

No. This upgrade is highly recommended but currently remains optional. JRE 6 will be available to Windows users to run with EBS for the duration of your respective EBS Extended Support period.  Updates will be delivered via My Oracle Support, where you can continue to receive critical bug fixes and security fixes as well as general maintenance for JRE 6 desktop clients. 

Coexistence of JRE 6 and JRE 7 on Windows desktops

The upgrade to JRE 7 is highly recommended for EBS users, but some users may need to run both JRE 6 and 7 on their Windows desktops for reasons unrelated to the E-Business Suite.

Most EBS configurations with IE and Firefox use non-static versioning by default. JRE 7 will be invoked instead of JRE 6 if both are installed on a Windows desktop. For more details, see "Appendix B: Static vs. Non-static Versioning and Set Up Options" in Notes 290807.1 and 393931.1.

Applying Updates to JRE 6 and JRE 7 to Windows desktops

Auto-update will keep JRE 7 up-to-date for Windows users with JRE 7 installed.

Auto-update will only keep JRE 7 up-to-date for Windows users with both JRE 6 and 7 installed. 

JRE 6 users are strongly encouraged to apply the latest Critical Patch Updates as soon as possible after each release. The Jave SE CPUs will be available via My Oracle Support.  EBS users can find more information about JRE 6 and 7 updates here:

The dates for future Java SE CPUs can be found on the Critical Patch Updates, Security Alerts and Third Party Bulletin.  An RSS feed is available on that site for those who would like to be kept up-to-date.

References

Related Articles

Friday Apr 05, 2013

Covering our EBS Technology Stack Roadmap at OAUG Collaborate

OAUG Collaborate 2013 Denver logo

[Update Apr. 25, 2013:  The presentation is available for download here:

I have historically covered our technology certification roadmap for the E-Business Suite in two sessions at OAUG Collaborate every year:  once during the EBS technology stack Special Interest Group meeting on Sunday, and again later in the week as a formally-scheduled conference session.

We're trying to expand our coverage of other topics with other speakers.  This year you'll only have one chance -- not two -- to hear this material:

  • EBS Applications Technology Special Interest Group
    SIG chair: Srini Chavali, Cummins
    Sunday, April 07, 12:00 PM - 01:00 PM
    Location: Room 603

Please join us for this session if you'd like to hear about our latest E-Business Suite technology stack certification roadmap and updates to our support terms and policies. 

There will be a special panel in the same room at 1:15 PM where you will have the chance to ask questions of our Applications Technology Group staff members attending the conference.  These include Elke Phelps, Max Arderius, Kevin Hudson, Gustavo Jimenez, Isam Alyousfi, and me.  Other Oracle Development staff will be in the audience, too, since the dais can only seat a small number of us.

Related Articles


Monday Apr 01, 2013

New Whitepaper: Function Security + Role-Based Access Control in Oracle EBS

There are two main ways to implement security in Oracle E-Business Suite: “traditional” Oracle E-Business Suite responsibility-based security (usually referred to as “function security”) and Role-Based Access Control (RBAC).   Since they overlap in functionality, and RBAC incorporates and builds upon responsibility-based security, there is often confusion about how the two security models coexist and interact.

I am pleased to announce the availability of a new whitepaper to help eliminate that confusion:

RBAC vs. Grants

This heavily-illustrated whitepaper discusses the main similarities and differences between the two types of security setups, as well as the objects involved.  It includes the following topics:

  1. Responsibility-based security (Function Security)
  2. Role-Based Access Control
  3. Functions and Permissions
  4. Roles and Grants
  5. Role Hierarchy and Role Inheritance
  6. Using Role Hierarchies to Simplify User Administration
  7. Best Practices for Implementing RBAC and Function Security

This whitepaper is written for Oracle E-Business Suite system administrators, super-users, and implementers.  It applies to Oracle E-Business Suite Release 11i, 12.0, and 12.1.

Happy reading!


About

Search

Categories
  • Oracle
Archives
« April 2013 »
SunMonTueWedThuFriSat
 
2
3
4
6
7
8
9
10
11
12
13
14
15
16
18
19
20
21
25
26
27
28
    
       
Today