EBS Sysadmin Primer: Oracle Identity Management 11gR1

[Editor: This is the third in a multi-part series from Nirzari Raichura, a senior member of our ATG Certification team, on essential Fusion Middleware concepts and tools for the EBS sysadmin]

Oracle Identity Management (OIM) 11gR1 is part of Fusion Middleware 11gR1. Oracle Identity Management 11gR1 provides the following components as part of its default installation:
Oracle Directory Services Components
  • OID - Oracle Internet Directory
  • DIP -  Oracle Directory Integration Platform
  • OVD - Oracle Virtual Directory
Oracle Identity Federation Components
  • OIF - Oracle Identity Federation
Management Components
  • EM - Enterprise Manager
  • ODSM - Oracle Directory Service Manager

[Figure: oim_architecture.png, Oracle Identity Management 11gR1 architecture]
In order to use Oracle Identity Management 11gR1 with E-Business Suite, you need the OID and DIP products at a minimum. Oracle Identity Management 11gR1 doesn't contain Oracle Single Sign-On. You have the choice of either of the following two tools for authentication:
  • Oracle Single Sign-On 10gR3
  • Oracle Access Manager 10gR3

Oracle Access Manager 10gR3 is the preferred authentication solution going forward. However, if you have plans to integrate any other products like Oracle Portal, Forms, Reports or Discoverer with E-Business Suite, you must select the Oracle Single Sign-On 10gR3 option. These products have hard dependencies on Oracle Single Sign-On 10gR3 and cannot be authenticated directly by Oracle Access Manager (you can do so indirectly, but that's a topic for a future article).

If you have already integrated your E-Business Suite environment with Oracle Single Sign-On and Oracle Internet Directory 10gR3, you can upgrade Oracle Internet Directory 10gR3 to Oracle Internet Directory 11gR1 (which is part of Oracle Identity Management 11gR1). Your existing integration remains intact after the upgrade.


Oracle Identity Management 11gR1 Integration with E-Business Suite using OSSO 10gR3

Unlike Oracle Internet Directory 10g, which is tightly integrated with Oracle Application Server 10g and the Oracle database (to store its metadata repository), Oracle Identity Management 11gR1 provides various integration options.

There is an option to manage it through the Oracle Fusion Middleware management framework by registering it with a local or a remote WebLogic Server administration domain. You can do this during installation or via the command line after installation. As I mentioned in my previous blog article, you can also install and configure it without WebLogic Server. In that case, you can manage Oracle Internet Directory using command-line tools and ODSM.

This table describes the components required for Oracle Identity management 11gR1 installation:

[Table image: fmw_table.png, components required for an Oracle Identity Management 11gR1 installation]
Useful Tools to administer and manage OIM 11gR1

Tool                                                  Default Value
Oracle Enterprise Manager Fusion Middleware Control   http://host:port/em
Oracle Directory Services Manager (ODSM)              http://host:port/odsm
Oracle WebLogic Server Administrative Console         http://host:port/console/

Command-Line Utilities
OPMN                                                  $ORACLE_INSTANCE/bin/opmnctl
Standard LDAP utilities                               ORACLE_HOME/ldap
OIDPASSWD
WebLogic Scripting Tool (wlst)                        ORACLE_HOME/common/bin/wlst.sh
OIDCTL                                                For backward compatibility

Comments:

Steven,

I really appreciate the compilation of all the OSSO/OID/DIP info in one place. But I, and my client, have been stuck at Step 6 (apply 8742001) of #876539.1 for over a month. Our S/R has been handed to everyone but to no conclusion. Basically we cannot run the required version of opatch (11.1.0.6.9) in the middleware home on a 64-bit AIX install. It works on every other home on the server. Oracle is looking very inept on this one. I don't expect you to solve this, just venting to a respected Oracle insider. No S/R number to maintain your deniability.

Thanks,

Maz

Posted by Maz Zankowski on July 26, 2010 at 09:10 AM PDT #

Maz,

I'm very sorry that you're having trouble with this upgrade.

Can you forward your SR number to me? I'd like to escalate this both within Support and my development team.

Regards,
Steven

Posted by Steven Chan on July 27, 2010 at 04:10 AM PDT #

S/R 3-1892954181

We all appreciate your interest, if it helps resolve this issue you will have converted several sceptics.

Thanks,

Maz

Posted by Maz Zankowski on July 27, 2010 at 08:43 PM PDT #

Thanks for your SR number, Maz. I've asked someone in our Platforms Engineering team (and a couple of other folks) to follow up with the Support Engineer assigned to your SR.

I can appreciate your frustration. Sometimes these platform-specific issues can take a while to unpack. Hang in there; we'll get this unstuck for you.

Regards,
Steven

Posted by Steven Chan on July 28, 2010 at 12:21 AM PDT #

Does the restriction on Discoverer only apply to Discoverer 10g or to Discoverer 11g as well? I am looking at an all-Oracle installation with EBS R12, Discoverer 11g, SOA Suite 11g, OBIEE 11g, and Weblogic 11g and it seems like I can't find an SSO solution that will work for all these products and that will also be supported past December 2011!

Posted by Ara on July 29, 2010 at 05:36 AM PDT #

Ara,

I guess you are asking about Discoverer 10g with SSO. For both Discoverer 10g and 11g, SSO is optional. My next blog, titled "EBS Sysadmin Primer: Oracle BI Discoverer 11gR1", covers this in more detail. Hope you will get an answer to your question with that. I am planning to cover other external components as well in my upcoming blogs.

Posted by Nirzari on July 29, 2010 at 04:09 PM PDT #

Steven,

Despite your intentions, we still are getting the same questions asked from support. I really need a con-call with some knowledgeable analysts. If they were to recreate the installation we have done, it would be easier for them to see the issues we have encountered. We keep getting asked for logs that simply do not exist. Opatch is not creating any logs with version 11.1.0.6.9 and higher. Installation of opatch is an unzip! Your help is sorely needed.

Thanks,

Maz

Posted by Maz Zankowski on August 02, 2010 at 01:41 AM PDT #

Maz,

I'm so sorry that you're still stuck on this.

The SR is being handled by the Fusion Middleware team (not on the E-Business Suite side). This is correct, since the problem is originating with updating Fusion Middleware itself.

I have had E-Business Suite development engineers (including members of our Applications Platform Group) review your SR, and they've provided guidance to the Fusion Middleware Support team on recommended next steps. In addition, our Applications Technology Group Support management has been in direct contact with the Fusion Middleware management team on this escalation.

I've just asked our Applications Technology Group Support management team to follow up again with the Fusion Middleware Support team. Hang in there -- we'll get this unstuck for you.

Regards,
Steven

Posted by Steven Chan on August 02, 2010 at 02:10 AM PDT #

Steven,
When you say "However, if you have plans to integrate any other products like Oracle Portal, Forms, Reports or Discoverer with E-Business Suite, you must select the Oracle Single Sign-On 10gR3 option."

What does that mean for the Forms built into the E-Business Suite? Will they work with Oracle Identity Manager 11g or will I have to use the SSO 10gR3? I was a little unclear with the wording.

Mike

Posted by Mike Farmer on August 02, 2010 at 08:17 AM PDT #

Mike,

This statement is meant for single sign-on, and not for OID. OID 11g is certified with E-Business Suite, using both SSO 10gR3 and OAM. If you have any questions related to that, let me know.

HIH,
Nirzari.

Posted by Nirzari on August 02, 2010 at 03:21 PM PDT #

Nirzari,
Your response has further confused me. I was confused by the wording of the blog entry when it said access manager is the preferred solution going forward but if you have plans to use any products such as Forms & Reports you will need to use Oracle Single Sign-On 10gR3.

We are in the planning phase of an R12 ERP implementation and would like to include a single sign-on solution in our implementation. Since the EBS suite contains both Oracle Forms and Oracle Reports, will we be required to use Oracle Single Sign-On 10gR3 or can we use Oracle Access Manager 10gR3?

Thanks for your help
Mike

Posted by Mike Farmer on August 05, 2010 at 04:47 AM PDT #

Mike,

I apologize for the confusion. Let me clarify the technical prerequisites here on behalf of Nirzari.

If you're using Oracle E-Business Suite Release 12, you have the option of using either Oracle Single Sign-On or Oracle Access Manager. Oracle Single Sign-On is effectively in maintenance mode now, and Oracle Access Manager is the recommended solution for all new EBS 12 deployments at this point.

Oracle Access Manager works fine with Oracle E-Business Suite Release 12's Forms and Reports-based content (it integrates with the FND security layer).

For more details about how Oracle Access Manager works with the E-Business Suite, see:

Oracle E-Business Suite AccessGate Release 1.0.2 Now Available
http://blogs.oracle.com/stevenChan/2010/07/ebs_accessgate_102.html

Regards,
Steven

Posted by Steven Chan on August 05, 2010 at 05:17 AM PDT #

Nice summary! We are getting ready to implement OIM 11gR1 for our new Oracle 12.1.1 and 12.1.2 EBS environments.

Cheers,
Ben

Posted by Ben Prusinski on August 06, 2010 at 10:00 PM PDT #

Steven,

An update to our S/R

We did the following:

1 Stopped all weblogic processes; weblogic server, OID, DIP and required processes
2 Removed the weblogic FMW home and all directories under them (and oraInventory references via runInstaller)
3 Acquired the IBM 160 java software you recommended
4 Installed weblogic 10.3.2 under the SAME directory and unix owner as before
5 Installed the Weblogic OID products as before
6 Ran to completion the configuration process for OID install
7 Updated Opatch on the FMW ORACLE_HOME
8 Was able to run opatch lsinv successfully

Almost home free,

1 The configuration portion of the OID install does not start/restart, after stop, the node manager or the weblogic server
2 We had to manually do the Node Manager start, and weblogic server (admin) start during the config process
3 We are at a loss as to the next step after applying 8752001.
4 The 10.3 SSO/OID document has no references to weblogic commands to be executed for completion of SSO integration
5 This would have been Step 4 (use doc 376811.1), but there are no weblogic described steps in the document.

By the way, we removed the FMW home and re-installed without stopping the database or the 10g AS (10.1.4.3) processes, so we were able to view all the FARM objects as soon as we were done with the install.

The original doc (876539.1) should clearly state the need for this JDK (IBM JDK 1.6.0 SR6+) for the Fusion Middleware portion of the process. We had used the JDK that was installed with the R12.1 installer for all of the tasks, and every process appears to be fine with the exception of the FMW Opatch requirement. Unless you can tell us to redo all of the installation we will leave it at the current status.

Thanks for the support, we need a little bit more to finish.

Maz

Posted by Maz Zankowski on August 09, 2010 at 12:33 AM PDT #

Hello, Maz,

Glad to hear that you're almost through this. I strongly recommend that you post follow-ups directly to your Service Request instead of this blog. I can help with escalations but can't provide technical support via this blog, for obvious reasons.

It appears that you're stuck on the final few steps of Note 876539.1. This is owned by our ATG Support team, so I've asked the Fusion Middleware team to spin-off your original Service Request to allow the ATG Support team to help you with the final steps. Please monitor your existing SR 3-1892954181 for updates on that front.

Regards,
Steven

Posted by Steven Chan on August 09, 2010 at 06:20 AM PDT #

Hello, Ben,

Glad to hear about your plans. Good luck with your project. I'd be very interested in how that implementation goes; please drop me a line with the details once you get through it.

Regards,
Steven

Posted by Steven Chan on August 09, 2010 at 06:23 AM PDT #

Hello,
I'm puzzled by this statement, "In order to use Oracle Identity Management 11gR1 with E-Business suite, you need OID and DIP products at a minimum.".
Why is this the case? I would think that OIM would be able to directly provision users to the FND_USER table. This makes it sound like it will only provision users to OID, then wait for DIP to publish this information into EBS.
If this is the case, then how does OIM manage roles and responsibilities within EBS, while synching users between AD and EBS can only do user accounts, not the roles and responsibilities?
Thanks!

Posted by Eriks Richters on September 27, 2010 at 11:07 PM PDT #

Hello,
Can you explain why OIM needs OID and DIP to manage users in EBS? If you're using the EBS Connectors, then I would think that OIM can write directly to the FND_USER table.
OIM should be able to handle things like password resets and account lockouts.
Thanks,
Eriks

Posted by Eriks Richters on September 28, 2010 at 03:17 AM PDT #

Hello, Eriks,

This is a repost of the reply to your related question to our other article.

The EBS authorization stage depends upon the linkage between an external user in Oracle Internet Directory (provided by the ORCLGUID in Oracle Internet Directory) and the equivalent user in the E-Business Suite's FND_USER table. This applies to both the Single Sign-On integration as well as the Oracle Access Manager integration.

Therefore, if you remove Oracle Internet Directory, you lose the ORCLGUID from the picture, resulting in a situation where there's no way of determining what EBS responsibilities are assigned to a given externally-authenticated user.

As far as Oracle Identity Manager is concerned: yes, the OIM connectors can write information directly into the FND_USER tables, responsibilities and all. There is no OID dependency if you're simply pushing information from OIM into FND_USER. However, if you're integrating the E-Business Suite with either Oracle Single Sign-On or Oracle Access Manager, you need Oracle Internet Directory for the reasons noted above.

Regards,
Steven

Posted by Steven Chan on September 28, 2010 at 03:57 AM PDT #
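Steven's reply above explains that externally-authenticated logins depend on the ORCLGUID in OID matching the GUID recorded against the EBS user in FND_USER. The following Python reconciliation check is an added example, not code from the article or from Oracle; it assumes the directory GUID is stored in FND_USER's USER_GUID column and runs over a constructed LDIF export and a constructed FND_USER extract.

```python
# Added example (not from the article or Oracle): reconcile the ORCLGUID linkage
# between OID user entries and EBS FND_USER rows that the SSO/OAM authorization
# stage depends on. Inputs are constructed samples; real data would come from an
# ldapsearch export of OID and a SQL extract of FND_USER (USER_NAME, USER_GUID).
from typing import Dict, List, Optional, Tuple

# Constructed LDIF, as an ldapsearch export of three OID user entries might look.
SAMPLE_LDIF = """\
dn: cn=jdoe,cn=Users,dc=example,dc=com
cn: jdoe
orclguid: 1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D

dn: cn=asmith,cn=Users,dc=example,dc=com
cn: asmith
orclguid: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

dn: cn=newhire,cn=Users,dc=example,dc=com
cn: newhire
"""

# Constructed FND_USER extract: (USER_NAME, USER_GUID). EBS stores USER_NAME in
# upper case; USER_GUID is NULL for users never linked to a directory entry.
SAMPLE_FND_USER: List[Tuple[str, Optional[str]]] = [
    ("JDOE", "1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D"),       # matches OID: fine
    ("ASMITH", "00000000000000000000000000000000"),     # stale GUID in EBS
    ("NEWHIRE", None),                                  # OID entry has no orclguid
    ("LOCALONLY", None),                                # no OID entry at all
]


def parse_ldif(text: str) -> Dict[str, str]:
    """Map upper-cased cn -> upper-cased orclguid ('' if the entry has none)."""
    users: Dict[str, str] = {}
    cn, guid = None, ""
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if not line.strip():                 # a blank line ends an LDIF entry
            if cn:
                users[cn.upper()] = guid.upper()
            cn, guid = None, ""
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "cn":
            cn = value
        elif attr == "orclguid":
            guid = value
    return users


def reconcile(ldif_text: str,
              fnd_rows: List[Tuple[str, Optional[str]]]) -> Dict[str, List[str]]:
    """Classify each EBS user by whether its OID linkage would let SSO/OAM map
    the authenticated directory user back to its FND_USER responsibilities."""
    oid = parse_ldif(ldif_text)
    report: Dict[str, List[str]] = {
        "ok": [], "guid_mismatch": [], "no_guid_in_oid": [], "not_in_oid": []}
    for user_name, user_guid in fnd_rows:
        if user_name not in oid:
            report["not_in_oid"].append(user_name)
        elif not oid[user_name]:
            report["no_guid_in_oid"].append(user_name)
        elif (user_guid or "").upper() != oid[user_name]:
            report["guid_mismatch"].append(user_name)
        else:
            report["ok"].append(user_name)
    return report


if __name__ == "__main__":
    for category, names in reconcile(SAMPLE_LDIF, SAMPLE_FND_USER).items():
        print(f"{category}: {names}")
```

Any user outside the "ok" bucket is one that OID can authenticate (or not) but EBS cannot authorize, which is the failure mode the reply describes.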

Hi

I am trying to get EBS 12.1.3 integrated with IdM 11gR1 P2 & OAM 10.1.4.3. Note 876539.1 is great up to Install and Implement Oracle Access Manager 10g (10.1.4.3). Then it refers to Note 975182.1, this note expects to have OAM installed and configured. Is there a Note that is specific to integrating EBS with OAM?

Thanks
Charl

Posted by Charl Naude on October 19, 2010 at 05:10 PM PDT #

Charl,

Note 876539.1 provides steps for installing and configuring OID 11gR1 with E-Business Suite. For implementing Oracle SSO, if you have plans to use Oracle Access Manager 10g (10.1.4.3), you need to refer to Note 975182.1. This note provides steps to integrate EBS with OAM. Steps provided under "Install and Configure Oracle E-Business Suite and Oracle Access Manager" need to be performed to integrate EBS with OAM. If you have any specific questions related to OAM install or EBS install, let me know.

Regards,
Nirzari.

Posted by Nirzari on October 28, 2010 at 04:33 PM PDT #

Hi Steve,

I have an architecture question for you. In our company we have an in-house single sign-on solution for our non-Oracle applications. Now we want to implement single sign-on for our Oracle Applications. We have two instances of Oracle Apps, one running on R11i and the other on R12. We want to integrate the Oracle single sign-on with our company's existing federated single sign-on solution (Ping Federate + SiteMinder authentication with Sun One LDAP). We did a POC on the R11i system which worked fine. The users are authenticated in SiteMinder against Sun One LDAP, then the token is converted to SAML through Ping, which is consumed by Oracle Identity Federation. Then OIF gives the token to OID, which will open a session with EBS R11i. The source of truth for the users is Sun One LDAP. This POC took us quite some time but we were successful.

Now for the R12 Oracle Applications we have external suppliers logging in to the system for self-service activities. iSupplier Portal has the self-registration process for the external suppliers. We want to know how to implement single sign-on for these external suppliers. Should we create the supplier identity records in OID and push them to Sun One LDAP? In this case we will have two sources of truth for the identity records. For Employees the source of truth will be Sun One LDAP and for Suppliers OID will be the source of truth.

One other approach we are thinking of is for the external suppliers we will have an external application server with a different URL than the normal internal Oracle application URL. Can we restrict one URL to have single sign-on and the other URL (external suppliers URL) to have the normal EBS authentication? If so, does it require any customization? Please let us know your recommendations.

Your help is greatly appreciated.

Thanks & regards,
Pradeep

Posted by Pradeep Chukkapalli on November 08, 2010 at 03:06 AM PST #

Hi, Pradeep,

This is a pretty complex architecture and provisioning flow, so it's going to be hard to give you an authoritative recommendation just via a blog comment.

That said, here are my thoughts:

a. iSupplier Portal has dependencies on the E-Business Suite local user repository (FND_USER). When the E-Business Suite is integrated with Oracle Internet Directory, iSupplier can be configured to use Oracle Internet Directory, too. There is no way of pointing this dependency directly to a third-party LDAP like SunONE.

b. That dependency means that you may be able to provision iSupplier users from OID to SunONE, but as you point out, that creates two sources of truth for two different sources of users. As part of that provisioning flow, you can create custom workflows to provision other attributes that you can use to differentiate the sources of these users.

c. It is also possible to use Oracle Identity Manager to both read and write information from the E-Business Suite's user repositories and provision that information to other LDAPs, including Oracle Internet Directory and SunONE. There are additional costs associated with using Oracle Identity Manager.

d. It is not possible to authenticate different servers (or groups of users) via different authentication methods in this kind of architecture. In other words, you can't authenticate internal users locally and external users via Oracle Single Sign-On.

If you're still working through the options, this might be a very good time to engage someone from our Oracle Protected Enterprise consulting practice. This team specializes in complex security architectures like this. You should ask your Oracle account manager to set up a call with them. If your Oracle account manager needs help in finding the leads for that team, drop me a private email and I'll provide some references.

Good luck with your implementation.

Regards,
Steven

Posted by Steven Chan on November 08, 2010 at 06:00 AM PST #

Hi Steven,

Thanks for your response. I will send you a personal email for getting the references.

Thanks & regards,
Pradeep

Posted by Pradeep Chukkapalli on November 09, 2010 at 02:48 AM PST #

Hi Steven/Nirzari,

I’m following note 876539.1 and other installation manuals to install OFM 11g. In the note, it says “Ultrasearch is installed by default with 11.1.1.0.6 and higher”, in conjunction with OFM 11gR1 is certified with Oracle Database 11g Release 2 (11.2.0.1) or higher, I installed the latest RDBMS - 11.2.0.2.0 and found Ultrasearch doesn't exist.

I opened a SR with RDBMS and was told that Ultra Search is desupported in 11.2 and I should interpret 11.1.1.0.6 and higher as ‘11.1.0.6 and 11.1.0.7’. My argument with them is that Restricted Premier Support for OSSO and DAS 10.1.4.x Ends - Dec 2012, why RDBMS 11gR2 already desupported OSSO’s dependent product and customer is forced to use 11gR1?

I came back read this article again. The column 1 clearly says Database 10gR2 OR Database 11gR1. If the information is incorporated into note 876539.1, it may avoid misunderstanding and reduce SRs.

Best Regards,
Jennifer.

Posted by Jennifer Chen on November 09, 2010 at 06:38 AM PST #

Hi Jennifer,

Thanks for pointing this out. I will definitely discuss this in our team and will change note: 876539.1.

Regards,
Nirzari.

Posted by Nirzari on November 09, 2010 at 05:12 PM PST #

Hi Nirzari,

The OFM team pointed me to Note 1069426.1, created June 2010 and modified 08-NOV-2010, which indicated that Ultrasearch is not required for OSSO 10.1.4.3. The latest OFM formal installation manual dated July 2010 doesn't seem to be updated accordingly.

Basically, in the original FMW 11g release (11.1.1.1.0) the Metadata Repository Creation Assistant (MRCA) 10.1.4.3.0 was used. With the releases of 11.1.1.2.0/11.1.1.3.0, there is an updated version of MRCA available - version 10.1.4.3.1. The updated version has fixes which allow it to be successfully run against Oracle Database 11.1 and 11.2 versions.

If you take a look at my SR 3-2326555437, it may help you for updating the EBS notes.

Best Regards,
Jennifer.

Posted by Jennifer Chen on November 10, 2010 at 01:41 AM PST #

Hi, Jennifer,

Thanks for raising this issue. We'll get the documentation updated as soon as possible.

We're discussing this directly with the Fusion Middleware team right now, and working with them on a coordinated response to your Service Request. Until the documentation is updated, please be assured that your Service Request will contain the latest joint recommendations from us and the Fusion Middleware team.

Regards,
Steven

Posted by Steven Chan on November 10, 2010 at 02:43 AM PST #

Hi Steven,

Thank you for looking into this. My SR just switched to ‘customer working’. So, I assume that the action plan comes from both EBS and OFM and I can continue my work...

Thanks again for your confirmation.

Best Regards,
Jennifer.

Posted by Jennifer Chen on November 10, 2010 at 04:53 AM PST #
