Oracle Access Manager 11.1.1.3 Certified with E-Business Suite 12

Oracle Access Manager 11gR1 (11.1.1.3) is now certified for use with E-Business Suite Releases 12.0.6 and 12.1.1 and up.

Architecture diagram showing Oracle Access Manager and E-Business Suite

There are two certification paths available: one for new users, and one for users upgrading from Oracle Single Sign-On Server 10gR3 (OSSO).

  • First Time Users:  Users who are implementing single sign-on for the first time may integrate OAM 11gR1 using Oracle E-Business Suite AccessGate Release 1.1. Oracle E-Business Suite AccessGate is a Java EE application that resides on a separate application server (Oracle WebLogic Server), and provides direct integration between Oracle E-Business Suite and Oracle Access Manager through OAM WebGate. Oracle E-Business Suite AccessGate is available at no cost to licensed Oracle E-Business Suite customers.

  • Upgrading from SSO:  Users who are upgrading from OSSO 10gR3 can leverage their existing integration by using OAM 11gR1 with the mod_osso agent. This option allows you to migrate your existing partner application registrations from OSSO 10gR3 to OAM 11gR1, with minimal disruption to existing application integration and functionality. This integration does not require Oracle E-Business Suite AccessGate, and is supported for upgrading users only.
Prerequisites
  • Oracle E-Business Suite Release 12.1 RUP 1 (12.1.1) or higher; Release 12.0 RUP 6 (12.0.6)
  • Oracle Access Manager 11gR1 (11.1.1.3) with Bundle Patch 02 (BP02)
  • Oracle Internet Directory 11gR1 PS2 (11.1.1.3) or higher
  • Oracle WebLogic Server 11gR1 PS2 (10.3.3) or higher

Certification of Oracle Access Manager 11gR1 with Oracle E-Business Suite Release 11i is not scheduled at this time.

Certified Platforms

The Oracle E-Business Suite AccessGate Java application is certified to run on any operating system for which Oracle WebLogic Server 11g is certified. Refer to the Oracle Fusion Middleware 11g System Requirements for more details.

Integration with mod_osso is supported on all fully certified Oracle E-Business Suite Release 12 platforms. Refer to the My Oracle Support Certifications section for more details.

For information on operating systems supported by Oracle Access Manager and its components, refer to the Oracle Identity and Access Management 11gR1 certification matrix.

Integration with Oracle Access Manager involves components spanning several different suites of Oracle products. There are no restrictions on which platform any particular component may be installed so long as the platform is supported for that component.

References

Related Articles


Comments:

Hi, We would like to know if there are plan to certify AccessManager 11gR1 with EBS R11. Thanks Roy Antman & Revital Altshuler

Posted by Revital Altshuler & Roy Antman on June 01, 2011 at 06:52 PM PDT #

Hi, Roy, Revital, The article above states: "Certification of Oracle Access Manager 11gR1 with Oracle E-Business Suite Release 11i is not scheduled at this time." This is still true. Regards, Steven

Posted by Steven Chan on June 02, 2011 at 03:15 AM PDT #

Dear Steven,

Does this mean that OAM is ceritifed with R12 Forms and Reports and all components ?`

Posted by Ghassan Qobrosi on June 25, 2011 at 06:41 PM PDT #

Dear Ghassan,

Yes. When we release a given certification of any certification with the E-Business Suite, it means that that configuration is certified with all E-Business Suite technology stack components. This includes things like Oracle Forms, Reports, OA Framework, Workflow, AutoConfig, and so on.

Regards,
Steven

Posted by Steven Chan on June 27, 2011 at 03:11 AM PDT #

Dear Steven,

We are planning to implement SSO with our R12 (12.1.3). Since this is new integration of SSO with R12, we have to go with OAM 11gR1 and Accessgate. However, I am not able to see the place to download Oracle Access Manager 11gR1 (11.1.1.3) alone!! Do I have to download "Oracle Identity and Access Management (11.1.1.3.0)"? Also, for this integration, do I need to install SOA Suite also?

Thanks for your help.

Regards
Ramasamy

Posted by guest on July 27, 2011 at 08:03 AM PDT #

Ramasamy,

Yes, OAM is installed as part of the Identity and Access Management (IAM) Suite, which also includes Oracle Identity Manager (OIM), Oracle Adaptive Access Manager (OAAM), and a couple other products. Most Fusion Middleware products are only available as part of a suite of related products. You must download IAM to get OAM, but you may choose to only install and configure OAM if that's all you need.

SOA Suite is required if you plan to use Oracle Identity Manager. It is not needed for OAM alone.

Cheers,
Keith

Posted by Keith M Swartz on July 28, 2011 at 03:05 AM PDT #

Hi Keith,

Thanks a lot. The other question is whether the latest version of WebLogic Server 10.3.5 certified or not for this integration (single sign-on for the first time - integrate OAM 11gR1 using Oracle E-Business Suite AccessGate Release 1.1)? Or do we have to use only 10.3.4?

Thanks
Ramasamy

Posted by guest on July 28, 2011 at 06:06 AM PDT #

Ramasamy,

Each Fusion Middleware release is certified only with a corresponding WebLogic Server version. OAM 11.1.1.3 requires WLS 10.3.3, and does not work with any other version. Oracle E-Business Suite AccessGate will work with any version of WebLogic Server above 10.3.1.

For more information, I suggest speaking with one of the Identity Management support analysts.

Thanks,
Keith

Posted by Keith M Swartz on July 28, 2011 at 06:26 AM PDT #

Steven:

We are implementing smartcard authentication.what are the components we suppose to install inorder to implement our requirement.

Follwoing are the compoenents. Please advise

Components Included:-
--------------------
Access Manager
Adaptive Access Manager
Identity Navigator
Identity Manager
Platform Security Services
Authorization Policy Manager

Regards
Sudheer

Posted by Sudheer on August 05, 2011 at 04:41 AM PDT #

Hello, Sudheer,

Unfortunately, I don't have hands-on experience with Oracle Access Manager and smartcards and can't comment on this.

Your best bet would be to log a formal Service Request via My Oracle Support (formerly Metalink) to get one of our Oracle Access Manager specialists engaged.

Regards,
Steven

Posted by Steven Chan on August 05, 2011 at 04:58 AM PDT #

Hi Steven,

Could you please point me a good URL to help me in integrating OEB with OAM 11.1.1.3. I'm new to OEB and Fusion Middleware but I do have some knowledge Weblogic and OID. I have been reading DocID 1309013.1 where it point to an old DocID 876539.1 whith implemetation of OSSO 10.1.4.3/OAM 10.1.4.3.

I appreciate for your help.

Regards,
Quang

Posted by Quang on September 06, 2011 at 01:04 PM PDT #

Hello Quang,

You are in the right place. Doc ID 1309013.1 describes how to integrate Oracle E-Business Suite with OAM 11gR1 using Oracle E-Business Suite AccessGate, which is the recommended approach for all Release 12 users, except those upgrading from OSSO 10g.

Doc ID 876539.1 is for integration with OID. This document has not been updated to include OAM 11gR1 references, and I've just sent a note to the author asking for that to be corrected. Thank you for pointing this out.

The good news is that the references in there to OAM are unrelated to the version of OAM being used. So wherever it says "Oracle Access Manager 10g (10.1.4.3)", you can assume this applies to OAM 11gR1, as well.

Thanks,
Keith

Posted by Keith M Swartz on September 06, 2011 at 03:40 PM PDT #

Dear Ghassan,

You had posted a comment on here a few months ago asking about OAM support for Forms and Reports. I wanted to clarify Steven's comments just a tiny bit.

The use of Forms and Reports within Oracle E-Business Suite is protected by the built-in EBS security, and NOT Oracle Access Manager. In other words, all Applications Forms, including custom Forms built using our Framework, are accessed only through the EBS login.

If you have built your own standalone Forms or Reports applications, those also support OAM 11gR1, but require the mod_osso agent and are not supported by WebGate. However, the choice of agent should be transparent, and it does not need to be the same as the agent used to protect E-Business Suite.

Cheers,
Keith

Posted by Keith M Swartz on September 08, 2011 at 07:06 AM PDT #

Hi Keith,

Many thanks for your response. I am now on the right track :-).

The Oracle Single Sign- section in the document "Oracle® E-Business Suite System Administrator's Guide - Security Release 12.1 Part No. E12843-05" is also in a need for revision as well.

Cheers,

Quang

Posted by guest on September 08, 2011 at 10:20 AM PDT #

Hi Ramasamy,

Would you be able to update me your implementation status? I'm doing the same thing as well but no luck so far :-(.

Cheers,
Quang

Posted by Quang Le on September 08, 2011 at 11:42 AM PDT #

We are still working on it and let you know as soon we complete with the integration.

I personally feel the Doc Id: 1309013.1 is little bit confusing and referencing many other documents. Also, the integration on IBM AIX based systems has some known bugs but not documented neither in the Release Documents or in the install documents..

Thanks
Ramasamy

Posted by Narayanasamy on September 09, 2011 at 03:50 AM PDT #

Ramasamy,

Can you email me the SRs where you've reported those issues? I'd like to investigate this further.

Regards,
Steven

Posted by Steven Chan on September 09, 2011 at 04:36 AM PDT #

Steve,

I have emailed all the SR numbers to you...

Thanks
Ramasamy

Posted by Narayanasamy on September 09, 2011 at 06:13 AM PDT #

Steve,

I have a question...

Assume that one department (say CIO) is implementing SSO solution for all the departments using Oracle's FMW 11g and each department is running (independently) its own EBS and other applications such as PeopleSoft, Siebel, etc. However, all the departments will be using the CIO's WebGate for accessing the department's applications...

Since partner applications such as EBS, need to install OID plus OAM for taking care of patching, upgrades, etc... Otherwise if wish to use CIO's OAM, then there will be many issues such as administration, patching, certification, etc.

Under this situation, does the CIO department need to install one OHS and WebGate for each partner applications?

Thanks for your help.

- Ramasamy

Posted by guest on September 14, 2011 at 12:59 PM PDT #

Hi Ramasamy,

Our expectation is that most companies will want a single SSO solution for their entire company, and our strategy is for E-Business Suite to fit squarely in with that solution.

There is nothing wrong with having all your E-Business Suite instances share a single WebGate -- in fact, that's the /recommended/ approach. The most secure deployment will have the fewest possible WebGates (one with a failover).

Strictly speaking, E-Business Suite does not require "OID plus OAM". It requires OAM for single sign-on, and it requires that OID be used for user population. But OAM 11g allows you to configure separate identity stores for each authentication scheme. So if the entire company is using OAM 11g with Active Directory, you can still create a separate identity store for OID, and use that for the authentication schemes that will be protecting each of your E-Business Suite instances.

Regarding issues of patching, certification, administration -- I think the administration issue is a typical trade-off when you want to have a single system used by an entire company. It's not specific to E-Business Suite. We designed our documentation with the assumption that a security administrator would be responsible for registering E-Business Suite instances, as part of a process to register any other partner application that wants to leverage single sign-on. Having multiple OAM servers may solve one problem, but trade it for another, as you've now doubled the amount of administrative effort required just to /maintain/ a second server -- not to mention the complexity of linking the two together, if you want true, corporate-wide single sign-on.

As far as patching and certification is concerned, our team makes a point of recognizing that OAM is not part of our techstack -- OAM sits on top of everything else. We're working hard to stay certified on the latest OAM releases, and we have never required any special patches on OAM itself (with the exception of a minimum baseline) to make it work with E-Business Suite. So I don't think you'll have much of a risk there.

Bottom line: a single OAM and a single WebGate (with failover) is the recommended configuration for all our customers. We don't think having separate installs for E-Business Suite is productive, nor warranted.

Hope this helps,
Keith

Posted by Keith M Swartz on September 20, 2011 at 06:16 AM PDT #

Dear Keith

We are looking at integrating OAM 11gR1 with our existing EBS 12.1.3 system to provide us with Single Sign On.

I'm going through note 1309013.1 which I thought (hoped) would guide me through the entire installation. But the pre-requisites section mentions for Oracle Access Manager 11gR1 Patchset 1 (11.1.1.5) "This should already be installed and configured in your environment". Is note 1309013.1 based on already having OAM installed? And is there another note covering the OAM installation and configuration?

Best regards

Dave.

Posted by guest on November 01, 2011 at 04:25 AM PDT #

Hello Dave,

Yes, note 1309013.1 does assume that Oracle Access Manager 11g has already been installed and configured for your company's network. Note that this is not something we expect an Oracle E-Business Suite system administrator to do, as the requirements for OAM apply to your entire company, not just EBS. We assume that this portion is already done by a qualified network or security administrator. Once it is configured, then Oracle E-Business Suite may be integrated with it.

OAM is several orders of magnitude more complex than Oracle E-Business Suite AccessGate (which is nothing more than a Java application), so you likely won't find any single My Oracle Support notes covering this. There is, however, extensive documentation on installing Oracle Access Manager 11g in the Fusion Middleware documentation set -- please see http://download.oracle.com/docs/cd/E21764_01/nav/portal_booklist.htm.

Thanks,
Keith

Posted by Keith M Swartz on November 01, 2011 at 07:33 AM PDT #

Hi Keith

Thanks for your quick reply.

I think the words "Oh Dear" spring to mind here! I'll do some digging to find out if we have an OAM setup somewhere that we can integrate with. Basically, it sounds like the OAM 11gR1 configuration for SSO purposes is a completely different and more complex project in comparison to SSO 10gR2 (if there is not an existing OAM installation we can use).

If we don't already have an OAM setup to integrate our EBS system with, is there another SSO option you think that would be more applicable to our needs (I wasn't considering SSO 10gR2 due to it having no extended support)? Or, should we take this opportunity to install and configure OAM for our current and future needs?

Your advice here would be very much appreciated.

Best regards

Dave.

Posted by guest on November 02, 2011 at 09:11 PM PDT #

Hi Dave,

Now is definitely the time to start exploring Oracle Access Manager 11g for your single sign-on needs. This has been the strategic direction for Oracle for quite some time now, and with OSSO falling into sustaining support in just a few months -- as you've noticed -- this is really your only option looking into 2012 and beyond.

I think it's fair to say that OAM is no more or less complex than most single sign-on products, since they are intended to support a wide variety of access methods and operate across an entire enterprise (or multiple enterprises via federation). OSSO 10g may have been a little easier to install and set up, but that was mainly because it didn't offer nearly as much functionality or flexibility, so you usually had to add other products, customizations, or changes to the applications and processes themselves to reach the same goals. I think the bulk of the cost is the general investment in single sign-on, rather than OAM itself. But I also believe this is an infrastructural improvement that most companies find pays for itself very quickly.

I will close with some heartening news: installing OAM for test purposes is actually pretty easy. If you are only using OAM for single sign-on in a small organization, or just want to set it up for testing purposes, that usually doesn't take a great deal of effort and advance planning. It's only when you are preparing to roll it out across the company, and to both external/internal users, that you need to put in the bulk of the effort.

Cheers,
Keith

Posted by Keith M Swartz on November 03, 2011 at 07:06 AM PDT #

Thank you very much Keith for your quick and useful replies here. I like your closing bit in the response, and I will go ahead and try the OAM 11gR1 install. Wish me luck!

Thanks again for your help.

Regards

Dave.

Posted by Dave Norton on November 03, 2011 at 10:32 PM PDT #

Hi again Keith

Sorry, I have a few more question on OAM...

I've found a useful guide on SSO integration with EBS - "Oracle E-Business Suite System Administrator's Guide - Security" (Part Number E12843-05). This basically shows all the products and steps needed to implement AS 10g SSO with R12 and looks pretty clear. I know you mentioned above that I'm unlikely to find a single document covering the install for OAM. But is there a similar R12 security guide for SSO using OAM 11gR1?

The closest document I've found to integrating SSO with EBS using OAM 11gR1 is 1309013.1. But this then refers another note for using OID with EBS (876539.1) and also other guides like the OAM install guide and then branches on to further documentation. So there doesn't seem to be any clear guidelines showing exactly what's needed to integrate SSO OAM/R12 from scratch. It's for example confusing as to which FMW product contains OID (is it "Oracle Identity Management 11g Patch Set 4 (11.1.1.5.0) for Linux x86 V26013-01" or "Oracle Identity and Access Management 11g (11.1.1.5.0) V26461-01" or do I need both?).

We don't have any SSO implementation with our EBS setup at the moment, all we have is a 12.1.3 payroll system.

I'm really sorry for my confusion, maybe it's appropriate for me to put my questions into an SR.

But again I'd appreciate your thoughts and tips on this.

Cheers

Dave.

Posted by Dave on November 13, 2011 at 07:22 PM PST #

Hi Dave,

The System Administrator's Guide predates our OAM 11g integration, so it only covers the older instructions for integration with OSSO 10g. However, it does also cover OID integration -- a prerequisite for any SSO implementation -- and that material is still accurate and worth reviewing. Some of the implementation details are slightly different if you are using OAM (different arguments for command-line scripts, for example), but the architecture and profile options, for example, remain the same.

For integration with OAM 11g, you have hit upon the right resource: Document ID 1309013.1, as reported in this (and the later, OAM 11.1.1.5 related) blog article. While this My Oracle Support document does reference other documents, most of those are for tangential steps that are related to the aforementioned OID integration.

The references to the Oracle Access Manager installation material should be no surprise, as OAM is a large, complex, and completely separate product from Oracle E-Business Suite. As we state in our documentation, OAM should be installed and maintained by an experienced network administrator, and this is often not the same person who manages an EBS installation.

If you are looking for a single "cookbook" that will provide you all the steps you need to install OAM and OID and configure it for use with EBS, I'm afraid you won't find that, as there are simply too many variables to take into account for our users to provide a single one-stop-shop for implementation. This is especially true with identity management solutions, as nearly every company's requirements are different. Sure, we could provide you with a cheat-sheet to get a test install up and running, but the purpose here is to implement single sign-on, and that has no real value if you aren't implementing it across your entire enterprise. To do that, you need to get the identity management infrastructure right the first time.

This blog article, and our documentation (the combination of the System Administrator's Guide and My Oracle Support document 1309013.1) is all about integrating EBS with an EXISTING Oracle identity management infrastructure. If you need help installing identity management, I can only suggest reviewing their installation manuals and/or speaking with a support analyst for identity management, or someone from Oracle Consulting Services.

Once you have that infrastructure, then our manual and that one My Oracle Support document cover ALL of the architectural details and 95% of the implementation details to integrate with OAM. If you are just in the planning stages, and trying to figure out what you need to do and how to architect it, these two documents are all you need, and you don't need to worry about the referenced ones.

Hope this helps.

Keith

Posted by Keith M Swartz on November 14, 2011 at 05:23 AM PST #

Hi again Keith, and thanks for your time on the replies here.

We do use SSO for some of our other applications in our company which I'm looking into. But my initial findings are that none of the systems using SSO are EBS and there is no OAM implementation at present.

My understanding here is that EBS needs AccessGate, OID and OAM implemented before SSO can be enabled. This is why we have our dilemma of setting all this up from scratch. And the net result will probably be that only this particular EBS system will utilise the OID / OAM implementation. If there are any other options for us, please let me know, but for now I'll continue to read through the various notes which hopefully will allow me to pull together an appropriate upgrade plan.

Best regards

Dave.

Posted by Dave on November 15, 2011 at 06:47 PM PST #

Hi

Great work
I have a little question

If i use WLS 10.3.6 with that products will works well?

Posted by guest on June 23, 2013 at 01:00 AM PDT #

Hi, Guest,

This blog's contributors are all E-Business Suite specialists. I'd recommend logging a Service Request against the Oracle Access Manager Support team to check on the WLS prerequisites.

Regards,
Steven

Posted by Steven Chan on June 24, 2013 at 08:07 AM PDT #

Post a Comment:
  • HTML Syntax: NOT allowed
About

Search

Categories
Archives
« July 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
  
       
Today