Friday Jul 24, 2015

Quarterly EBS Upgrade Recommendations: July 2015 Edition

We've previously provided advice on the general priorities for applying EBS updates and creating a comprehensive maintenance strategy.   

Here are our latest upgrade recommendations for E-Business Suite updates and technology stack components.  These quarterly recommendations are based upon the latest updates to Oracle's product strategies, latest support timelines, and newly-certified releases.

You can research these yourself using this Note:

Upgrade Recommendations for July 2015

  1. EBS 11i users should upgrade to 12.1.3 or 12.2.  Before upgrading, 11i users should be on the minimum 11i patching baseline.

  2. EBS 12.0 users should upgrade to 12.1.3 or 12.2.  Before upgrading, 12.0 users should be on the minimum 12.0 patching baseline.

  3. EBS 12.1 users should upgrade to 12.1.3 RPC3 or 12.2.

  4. EBS 12.2 users should upgrade to EBS 12.2.4, Database 12.1.0.2, the March 2015 AD/TXK tools, StartCD 49, and FMW 11.1.1.7.

  5. Users staying on EBS 11i and 12.1 should upgrade to Database 11.2.0.4 or 12.1.0.2.

  6. EBS 11i and 12 users of Oracle Single Sign-On 10g should migrate to OAM 11gR2 Patchset 3 11.1.2.3.0.

  7. Oracle Internet Directory 10g users should upgrade to Oracle Internet Directory 11g 11.1.1.9.

  8. Oracle Discoverer users should migrate to Oracle Business Intelligence Enterprise Edition (OBIEE), Oracle Business Intelligence Applications (OBIA), or Discoverer 11g 11.1.1.7.

  9. Oracle Portal 10g users should migrate to Oracle WebCenter 11g 11.1.1.7 or upgrade to Portal 11g 11.1.1.6.

  10. All Windows desktop users should migrate from older Java releases (including JInitiator) to JRE 1.6.0_101 or later 1.6 updates or JRE 1.7.0_85 or later 1.7 updates or JRE 1.8.0_51 or later 1.8 updates.

  11. All EBS 11i, 12.0, 12.1, and 12.2 users must sign their environment's JAR files now.

  12. All Firefox users should upgrade to Firefox Extended Support Release 38.

  13. All EBS 11i, 12.0, 12.1, 12.2 users should apply the July 2015 Critical Patch Update.

  14. Windows XP and Office 2003 users should upgrade to later versions.

  15. All EBS customers on Exalogic and Exadata should follow the latest recommendations.

  16. All EBS customers should switch from Secure Socket Layer (SSL) to Transport Layer Security (TLS).


Friday Jul 17, 2015

Oracle Access Manager 11.1.2.3 Certified with E-Business Suite

I am pleased to announce that Oracle Access Manager 11gR2 Patchset 3 (11.1.2.3.0) is now certified with Oracle E-Business Suite Release 11i (11.5.10.2) and 12 (12.1.3+, 12.2.2+).  If you are implementing single sign-on for the first time, or are an existing Oracle Access Manager user, you may integrate with Oracle Access Manager 11gR2 using Oracle Access Manager WebGate and Oracle E-Business Suite AccessGate.


Platforms Certified

The Oracle E-Business Suite AccessGate Java application is certified to run on any operating system for which Oracle WebLogic Server 11g is certified.  You may refer to the Oracle Fusion Middleware Release 11g (11.1.1.x) Certification Matrix for more details.

For information on supported platforms for Oracle Access Manager 11gR2 and its components, you may refer to the Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0) Certification Matrix.

Integration with Oracle Access Manager involves components spanning several different suites of Oracle products. There are no restrictions on which platform any particular component may be installed so long as the platform is supported for that component.

Choosing the Right Integration

Our previously published blog article and support note with single sign-on recommended and certified integration paths has been updated to include Oracle Access Manager 11gR2PS2:

References

You may refer to the following My Oracle Support Knowledge Documents for additional details regarding certified architectures and versions:


Wednesday Jul 15, 2015

Critical Patch Update for July 2015 Now Available

The Critical Patch Update (CPU) for July 2015 was released on July 14, 2015.  Oracle strongly recommends applying the patches as soon as possible.

The Critical Patch Update Advisory is the starting point for relevant information. It includes a list of products affected, pointers to obtain the patches, a summary of the security vulnerabilities, and links to other important documents.

Supported products that are not listed in the "Supported Products and Components Affected" Section of the advisory do not require new patches to be applied.

Also, it is essential to review the Critical Patch Update supporting documentation referenced in the Advisory before applying patches, as this is where you can find important pertinent information.

The Critical Patch Update Advisory is available at the following location:

The next four Critical Patch Update release dates are:

  • October 20, 2015
  • January 19, 2016
  • April 19, 2016
  • July 19, 2016

Tuesday Jun 23, 2015

Using a Reverse Proxy as an SSL/TLS Termination Point for EBS 12.1.3

[Contributing Author:  Madhu Majari]

We are currently working on the certification of SHA-2 with the Oracle HTTP Server (OHS) delivered with Oracle E-Business Suite 12.1.3.  As described in this blog article, a reverse proxy or load balancer can be used until that certification is available.  You can use a reverse proxy or load balancer as the end-point for the encrypted connection that is initiated by a client (for example, a browser). In other words, the reverse proxy or load balancer -- not Oracle HTTP Server -- acts as the TLS termination point.

Since that article was published, many customers have requested that we certify a reverse proxy for use as the TLS termination point with Oracle E-Business Suite Release 12.1. I’m pleased to announce that we have completed the certification of HAProxy 1.5.2 with Oracle E-Business Suite 12.1.3. HAProxy is an open source offering that provides load balancing and proxy solutions.

The certification of HAProxy 1.5.2 with Oracle E-Business Suite 12.1.3 provides the following configuration options:

  • Certificates signed with SHA-2 for inbound HTTP connections
  • TLS 1.2 with stronger cipher suites

Note: There are many reverse proxies and load balancers that can be used as a TLS termination point for Oracle E-Business Suite. If you already have a reverse proxy or load balancer deployed, you may configure it as the TLS termination point for your Oracle E-Business Suite 12.1.3 environment.

Deploying and Configuring HAProxy

For detailed installation instructions, refer to the following My Oracle Support Knowledge Document:

You may deploy HAProxy as follows:

  • On an existing Oracle E-Business Suite application tier
  • On a separate server or virtual machine

HAProxy is available as an installable RPM package as part of the Oracle Linux distribution. You can also download HAProxy and compile it for other operating systems (refer to the installation note for more details). On Oracle Linux you may install it as the root user with the following command: 

# yum install haproxy

The main configuration file is located here:

/etc/haproxy/haproxy.cfg

A summary of the configuration steps for HAProxy includes the following:

  • Define the IP address and port for the Oracle E-Business Suite 12.1.3 environment.
  • Set up TLS protocols and avoid SSL 3.0. (This will mitigate the POODLE vulnerability.)
  • Enable strong cipher suites. (This will mitigate the FREAK vulnerability.)
  • Define the certificate (chain) with PEM files.

Example Deployment of HAProxy with Oracle E-Business Suite 12.1.3

If you have an existing Oracle E-Business Suite 12.1.3 environment configured with SSL/TLS per Enabling SSL in Oracle E-Business Suite Release 12 (Note 376700.1), then you may easily configure HAProxy to serve as the TLS termination point.

For example, given the following conditions for your Oracle E-Business Suite Oracle HTTP Server listener configuration:

  1. HTTP requests use port 8000
  2. HTTPS requests use port 4443


Then, you may perform the following:

  1. Shut down the Oracle HTTP Server HTTPS listener (port 4443)
  2. Install, configure and start HAProxy to listen on port 4443
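
The four configuration steps and the port layout above can be checked mechanically before HAProxy is started. The following Python code is an added example, not Oracle's certified configuration and not taken from the installation note: the two haproxy.cfg fragments, the certificate paths, the cipher list and the function names are constructed for illustration, and it assumes SSL 3.0 stays negotiable unless the bind line rules it out.

```python
# Constructed haproxy.cfg fragments: TLS terminates on port 4443 and plain
# HTTP is forwarded to the Oracle HTTP Server listener on port 8000.
# Paths, section names and cipher lists are illustrative assumptions.
WEAK_CFG = """
frontend ebs_https
    mode http
    bind 0.0.0.0:4443 ssl crt /etc/haproxy/certs/ebs.pem ciphers ALL
    default_backend ebs_ohs

backend ebs_ohs
    mode http
    server ohs1 127.0.0.1:8000 check
"""

HARDENED_CFG = """
frontend ebs_https
    mode http
    # PEM file holds the SHA-2 server certificate, its key and the chain
    bind 0.0.0.0:4443 ssl crt /etc/haproxy/certs/ebs-chain.pem no-sslv3 ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!RC4:!MD5
    default_backend ebs_ohs

backend ebs_ohs
    mode http
    server ohs1 127.0.0.1:8000 check
"""


def parse_bind_lines(cfg_text):
    """Return the token list of every 'bind' line that enables ssl."""
    binds = []
    for raw in cfg_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if tokens and tokens[0] == "bind" and "ssl" in tokens[2:]:
            binds.append(tokens)
    return binds


def option_value(tokens, keyword):
    """Return the argument that follows a bind keyword, or None."""
    if keyword in tokens:
        i = tokens.index(keyword)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def export_ciphers_allowed(cipher_string):
    """True if an OpenSSL cipher string can still select export-grade suites."""
    tokens = cipher_string.split(":")
    excluded = {t[1:].upper() for t in tokens if t.startswith("!")}
    if excluded & {"EXPORT", "EXP"}:
        return False  # '!' removes the suites permanently
    for t in tokens:
        if t.startswith(("!", "-")):
            continue
        name = t.lstrip("+").upper()
        # 'ALL' pulls in export suites on OpenSSL builds that still ship them
        if "EXP" in name or name == "ALL":
            return True
    return False


def audit(cfg_text):
    """Check each TLS bind line against the configuration steps listed above."""
    findings = []
    for tokens in parse_bind_lines(cfg_text):
        addr = tokens[1]
        if option_value(tokens, "crt") is None:
            findings.append((addr, "no crt: PEM certificate (chain) not defined"))
        forced = [t for t in tokens if t.startswith("force-")]
        if "force-sslv3" in tokens or ("no-sslv3" not in tokens and not forced):
            findings.append((addr, "SSL 3.0 not ruled out (POODLE)"))
        ciphers = option_value(tokens, "ciphers")
        if ciphers is None:
            findings.append((addr, "no ciphers list: library default in use"))
        elif export_ciphers_allowed(ciphers):
            findings.append((addr, "export-grade ciphers permitted (FREAK)"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(label, audit(cfg) or "no findings")
```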


Wednesday Apr 22, 2015

Quarterly EBS Upgrade Recommendations: April 2015 Edition

We've previously provided advice on the general priorities for applying EBS updates and creating a comprehensive maintenance strategy.   

Here are our latest upgrade recommendations for E-Business Suite updates and technology stack components.  These quarterly recommendations are based upon the latest updates to Oracle's product strategies, latest support timelines, and newly-certified releases.

You can research these yourself using this Note:

Upgrade Recommendations for April 2015

  1. EBS 11i users should upgrade to 12.1.3 or 12.2.  Before upgrading, 11i users should be on the minimum 11i patching baseline.

  2. EBS 12.0 users should upgrade to 12.1.3 or 12.2.  Before upgrading, 12.0 users should be on the minimum 12.0 patching baseline.

  3. EBS 12.1 users should upgrade to 12.1.3 RPC3 or 12.2.

  4. EBS 12.2 users should upgrade to 12.2.4, the March 2015 AD/TXK tools, StartCD 49, and FMW 11.1.1.7.

  5. Users staying on EBS 11i and 12.1 should upgrade to Database 11.2.0.4 or 12.1.0.2.

  6. Users upgrading to EBS 12.2 should upgrade to Database 11.2.0.4.

  7. EBS 11i and 12 users of Oracle Single Sign-On 10g should migrate to OAM 11gR2 Patchset 2 11.1.2.2.0.

  8. Oracle Internet Directory 10g users should upgrade to Oracle Internet Directory 11g 11.1.1.7.

  9. Oracle Discoverer users should migrate to Oracle Business Intelligence Enterprise Edition (OBIEE), Oracle Business Intelligence Applications (OBIA), or Discoverer 11g 11.1.1.7.

  10. Oracle Portal 10g users should migrate to Oracle WebCenter 11g 11.1.1.7 or upgrade to Portal 11g 11.1.1.6.

  11. All Windows desktop users should migrate from JInitiator and older Java releases to JRE 1.6.0_95 or later 1.6 updates or JRE 1.7.0_79 or later 1.7 updates or JRE 1.8.0_45 or later 1.8 updates.

  12. All EBS 11i, 12.0, 12.1, and 12.2 users must sign their environment's JAR files now.

  13. All Firefox users should upgrade to Firefox Extended Support Release 31.

  14. All EBS 11i, 12.0, 12.1, 12.2 users should apply the April 2015 Critical Patch Update.

  15. Windows XP and Office 2003 users should upgrade to later versions.

  16. All EBS customers on Exalogic and Exadata should follow the latest recommendations.

  17. All EBS customers should switch from Secure Socket Layer (SSL) to Transport Layer Security (TLS).


Wednesday Apr 15, 2015

Critical Patch Update for April 2015 Now Available

The Critical Patch Update (CPU) for April 2015 was released on April 14, 2015.  Oracle strongly recommends applying the patches as soon as possible.

The Critical Patch Update Advisory is the starting point for relevant information. It includes a list of products affected, pointers to obtain the patches, a summary of the security vulnerabilities, and links to other important documents.

Supported products that are not listed in the "Supported Products and Components Affected" Section of the advisory do not require new patches to be applied.

Also, it is essential to review the Critical Patch Update supporting documentation referenced in the Advisory before applying patches, as this is where you can find important pertinent information.

The Critical Patch Update Advisory is available at the following location:

The next four Critical Patch Update release dates are:

  • July 14, 2015
  • October 20, 2015
  • January 19, 2016
  • April 19, 2016

Thursday Feb 12, 2015

Database 12.1.0.2 Certified with E-Business Suite 11i

I’m pleased to announce that 12.1.0.2, the first patchset for Database 12c, is now certified with Oracle E-Business Suite 11i. Be sure to review the 11i interoperability note.

Database support implications may also be reviewed in the database patching and support article. 

Screenshot of Database 12.1.0.2 OTN download page

Oracle E-Business Suite Release 11i

Prerequisites
  • 11.5.10.2 + ATG PF.H RUP 7 and higher

Certified Platforms

  • Linux x86-64 (Oracle Linux 5) -- Database-tier only
  • Linux x86-64 (RHEL 5) -- Database-tier only
  • Oracle Solaris on SPARC (64-bit) (10)
  • Oracle Solaris on x86-64 (64-bit) (10) -- Database-tier only

Pending Platform Certifications

  • IBM AIX on Power Systems (64-bit)
  • HP-UX Itanium
  • IBM: Linux on System z 

Database Feature and Option Certifications
The following database options and features are supported for use:

Pending Feature/Option Certifications

  • Data Guard Redo Apply with Physical Standby Databases

Certifications Not Planned

  • Active Data Guard
  • Oracle Multitenant
  • Oracle In Memory Database
  • Oracle Database Vault
  • Transportable Database and Transportable Tablespaces data migration processes

About the pending certifications

Oracle's Revenue Recognition rules prohibit us from discussing certification and release dates, but you're welcome to monitor or subscribe to this blog for updates, which I'll post as soon as they're available.



Thursday Jan 22, 2015

Using SHA-2 Signed Certificates with EBS

Secure Hash Algorithms (SHA) are used for a variety of cryptographic purposes including signing of public key infrastructure (PKI) certificates (e.g., code signing certificates and Secure Socket Layer (SSL) or Transport Layer Security (TLS) server certificates). Currently, the SHA family of functions includes SHA-0, SHA-1, SHA-2 and SHA-3. This article and reference notes focus on the use of the SHA256 hash function of SHA-2 with Oracle E-Business Suite.

Why is SHA-2 important to you?

Industry standards for encryption algorithms are constantly under review. Many certificate authorities are recommending or mandating SHA-2 as the minimum signature algorithm for issuing certificates. The time frame for moving to SHA-2 varies depending upon the certificate authority that is used. The requirement for SHA-2 also impacts intermediate certificates, which must also be SHA-2 in order to chain back to the end-entity SHA-2 certificate issued. Root certificates are not impacted.

When does Oracle E-Business Suite use certificates?

1. HTTPS clients (outbound connections)
HTTPS client connections that originate from Oracle E-Business Suite. For HTTPS clients, you may need to apply product patches to use SHA-2 certificates. Currently, the following products have identified additional requirements to support SHA-2 for HTTPS clients:

  • XML Gateway
    Follow the instructions in the patch README and apply the following patch: 19909850
  • iProcurement
    Follow the instructions for iProcurement in My Oracle Support Note 1937220.1.

In addition to products that initiate outbound connections from Java code on the application tier, the Oracle Database may also act as an HTTP client when the UTL_HTTP package is utilized. Some Oracle E-Business Suite products leverage UTL_HTTP for outbound HTTPS connections. You may also use UTL_HTTP for external integrations and customizations.

For the Oracle Database to utilize a PKI (including SHA-2 signed) certificate, SSL/TLS for outgoing database connections must be configured.  Our testing in Oracle E-Business Suite development has confirmed that UTL_HTTP is SHA-2 compliant as of Oracle Database 11.1.0.7 (we have not tested with earlier database versions). The steps for enabling and testing SSL/TLS configuration for the Oracle Database are documented in the following:

2. Server Side
In addition to client side (outbound connections), the Oracle E-Business Suite application tier utilizes PKI certificates for code signing by AD Jar Signing and for the (inbound) SSL/TLS termination point using the Oracle HTTP Server.

AD JAR Signing
During patching, Oracle E-Business Suite uses certificates to sign JARs that will be delivered to the browser. As of Java 1.5, Java and its utilities keytool and jarsigner support SHA-2 certificates. SHA-2 certificates are certified for JAR signing for all versions of Oracle E-Business Suite (11i, 12.0, 12.1 and 12.2) and Java 1.5 and higher.

Oracle HTTP Server (inbound connections)
SHA-2 certificates are also used by the Oracle HTTP server that is delivered with the Oracle E-Business Suite Applications Technology. The requirements for SHA-2 for the Oracle HTTP Server vary per Oracle E-Business Suite version as follows:

  • Oracle E-Business Suite Release 12.2
    SHA-2 certificates are certified with the Oracle HTTP Server delivered with Oracle E-Business Suite 12.2. The wallet management tools that are shipped with EBS 12.2 generate Certificate Signing Requests (CSRs) signed using MD5. The following note has been updated with the steps necessary to create CSRs signed with other algorithms including SHA-2:
  • Oracle E-Business Suite Releases 12.0 and 12.1
    We are currently working on the certification of SHA-2 certificates with the Oracle HTTP Server for Oracle E-Business Suite Release 12.0 and 12.1. As an option while we are working on this certification, you may use an alternate technology (i.e., a load balancer, reverse proxy, etc.) that supports SHA-2 as the SSL/TLS termination point. Another alternative is to request that your certificate authority issue a SHA-1 certificate.

  • Oracle E-Business Suite Release 11i
    SHA-2 certificates are certified with Oracle E-Business Suite Release 11i when using mod_ssl.so OpenSSL library version 0.98za or later.  To get the minimum mod_ssl.so library required for EBS 11i and SHA-2, you must apply the July 2014 CPU. Note: We always recommend that you apply the most current CPU available to your environment. You may refer to the following note for additional details:


Tuesday Jan 20, 2015

Critical Patch Update for January 2015 Now Available

The Critical Patch Update (CPU) for January 2015 was released on January 20, 2015.  Oracle strongly recommends applying the patches as soon as possible.

The Critical Patch Update Advisory is the starting point for relevant information. It includes a list of products affected, pointers to obtain the patches, a summary of the security vulnerabilities, and links to other important documents.

Supported products that are not listed in the "Supported Products and Components Affected" Section of the advisory do not require new patches to be applied.

Also, it is essential to review the Critical Patch Update supporting documentation referenced in the Advisory before applying patches, as this is where you can find important pertinent information.

The Critical Patch Update Advisory is available at the following location:

The next four Critical Patch Update release dates are:

  • April 14, 2015
  • July 14, 2015
  • October 20, 2015
  • January 19, 2016

Thursday Jan 08, 2015

Database 12.1.0.2 Certified with E-Business Suite 12.2

I’m pleased to announce that 12.1.0.2, the first patchset for the 12c Database, is now certified with E-Business Suite 12.2.2 and higher. 

Database support implications may also be reviewed in this database patching and support article.

Oracle E-Business Suite Release 12.2.x
Certified Platforms
  • Linux x86-64 (Oracle Linux 5, 6)
  • Linux x86-64 (RHEL 5, 6)
  • Linux x86-64 (SLES 11)
  • Oracle Solaris on SPARC (64-bit) (10, 11) 
  • Oracle Solaris on x86-64 (10, 11)*
*This is a 'database tier only' or 'split tier configuration' certification where the application tier must be on a fully certified E-Business Suite platform.
Pending Platform Certifications
  • Microsoft Windows x64 (64-bit) 
  • IBM AIX on Power Systems (64-bit)
  • HP-UX Itanium
  • IBM: Linux on System z 
Database Feature and Option Certifications
The following database options and features are supported for use:

Pending Feature/Option Certifications

  • Oracle Multitenant
  • Oracle Database Vault
  • TDE Tablespace Encryption
  • Transportable Database and Transportable Tablespaces data migration processes

About the pending certifications

Oracle's Revenue Recognition rules prohibit us from discussing certification and release dates, but you're welcome to monitor or subscribe to this blog for updates, which will be posted as soon as they're available.

The preceding is intended to outline our general product direction.  It is intended for information purposes only, and may not be incorporated into any contract.   It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decision.  The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Monday Jan 05, 2015

Enhance E-Business Suite Security By Switching to TLS

It seems fitting to start 2015 with a security-related blog post about Secure Socket Layer (SSL) and Transport Layer Security (TLS).  TLS is the successor to SSL. TLS, like SSL, is a protocol that encrypts traffic between applications and servers. TLS is based on SSL 3.0. TLS 1.0 is sometimes referred to as SSL 3.1. Going forward you will hear us talk more about TLS and less about SSL.

TLS is considered to be more secure than SSL.  All systems that use SSL 3.0 may be vulnerable to a design vulnerability in SSL’s handling of block cipher mode padding.  The Padding Oracle on Downgraded Legacy Encryption (POODLE) attack is one possible attack vector for web browsers and web servers.

Oracle E-Business Suite customers can migrate to TLS and mitigate the effects of POODLE attacks by following:

Happy 2015!


Tuesday Dec 16, 2014

Updated: Using Third-Party Identity Managers with E-Business Suite Release 12

This article is an updated version of two earlier articles: one written for EBS 11i + SSO + OID, and another written for EBS 12 + SSO + OID.  Oracle Single Sign-On has been superseded by Oracle Access Manager (OAM).  This latest article covers the latest options for using EBS Release 12.x (12.0, 12.1, and 12.2) and Oracle Access Manager with third-party authentication systems.

Like most of our customers, you probably already have a corporate identity management system in place. And, you've probably not been enjoying the experience of redundantly administering the same user in your corporate identity management system as well as the E-Business Suite. If this describes your environment, this in-depth article about integrating Oracle E-Business Suite Release 12, Oracle Access Manager, and Oracle Internet Directory with third-party identity management systems will show you a better way of managing your EBS users.

No More Redundant User Administration

It is possible to integrate the E-Business Suite with existing third-party LDAP and single sign-on solutions via Oracle Internet Directory and Oracle Access Manager, respectively:

Architecture diagram EBS + Oracle Access Manager + OID + third party ldap

Third-party single sign-on solutions can be integrated with Oracle Access Manager, and third-party LDAP directories can be integrated with Oracle Internet Directory. Oracle Access Manager and Oracle Internet Directory are integrated, in turn, with the E-Business Suite.

Example Scenario: The Deluxe "Zero Sign-On" Approach

A user logs on to their PC using their Windows userid and password. The user decides to file an expense report for attending the OpenWorld conference. He starts Internet Explorer, opens Favorites, and selects a bookmarked link for the E-Business Suite's Self-Service Expenses.  Self-Service Expenses starts and the user begins entering their expense report.

We sometimes call this "zero sign-on" because the user never actually logged on to any Oracle systems at all; the user's Windows Kerberos ticket from the Windows Primary Domain Controller (PDC) gave him access to the E-Business Suite automatically.

Magic? What Really Happened?

Brace yourself: some of the following material might require a couple of passes to sink in.

The "deluxe" scenario above illustrates the following integrations:

  • Microsoft Active Directory with Oracle Internet Directory
  • Microsoft Kerberos Authentication with Oracle Access Manager
  • Oracle Access Manager and Oracle Internet Directory integration with the E-Business Suite

Microsoft Active Directory MSAD integration with EBS and Windows Kerberos

The user logged on to their PC, which authenticated them against Microsoft Active Directory. As part of that logon process, the Windows Primary Domain Controller (PDC) issued a valid Kerberos ticket to the user.

When the user attempted to access Self-Service Expenses via his bookmarked link, he was redirected to Oracle Access Manager. Oracle Access Manager checked the user's credentials against the Windows Key Distribution Center (KDC), issued its own Oracle security tokens to the user, and redirected the user back to the E-Business Suite.

The E-Business Suite recognized the Oracle Access Manager security tokens and looked up the user's assigned Applications Responsibilities to ensure that he was authorized to access Self-Service Expenses. That done, it issued its own E-Business Suite security tokens and then passed the user through to Self-Service Expenses without requiring any additional logons.

Integration with Microsoft Active Directory Only

Not everyone uses Microsoft Kerberos Authentication. A simpler integration option omits Kerberos and includes only Microsoft Active Directory and Oracle Internet Directory, like this:

Microsoft Active Directory MSAD integration with EBS

In this simpler architecture, when the user attempts to access Self-Service Expenses via his bookmarked link, he's redirected to Oracle Access Manager. Oracle Access Manager displays a login screen and collects the user's ID and password.

Oracle Access Manager passes the user's credentials to Oracle Internet Directory.  Oracle Internet Directory uses the Microsoft Active Directory External Authentication Plug-In to pass the user's credentials to Microsoft Active Directory.

Microsoft Active Directory looks up the user's ID and password in its database, and informs Oracle Internet Directory that this is an authenticated user. Oracle Internet Directory informs Oracle Access Manager that the user was successfully authenticated.

Oracle Access Manager issues the user a set of security tokens and redirects the user to the E-Business Suite. The E-Business Suite recognizes the Oracle Access Manager security tokens and looks up the user's assigned Applications Responsibilities to ensure that he's authorized to access Self-Service Expenses. That done, it issues its own E-Business Suite security tokens and then passes the user through to Self-Service Expenses.

Synchronization of User Credentials with Third-Party LDAP Directories

If you've been paying close attention so far, you have gathered that user credentials need to be synchronized between the third-party LDAP, Oracle Internet Directory, and the E-Business Suite. The synchronization architecture looks like this:

Architecture diagram third-party LDAP directory integration with EBS

In this configuration, only the user name needs to be synchronized; the user's password is stored in the third-party LDAP directory. None of the Oracle products need to store the user's password, since they delegate user authentication to the third-party LDAP solutions.

Architecture diagram showing how passwords are stored in third-party LDAPs and not Oracle Internet Directory or E-Business Suite

The key concept here is that user authentication is still separated from user authorization even when a third-party LDAP is in place.

Architecture diagram distinguishing Authentication vs Authorization

So, the E-Business Suite still grants authenticated users access to E-Business Suite protected content based on the users' Applications Responsibilities, which are managed in the E-Business Suite exclusively.

Integration With Other Single Sign-On Solutions

It is also possible to integrate Oracle Access Manager with other single sign-on solutions, including:

  • CA Netegrity SiteMinder
  • Biometric devices like fingerprint readers
  • Smartcards
  • PKI X.509 digital certificates

When integrated with other single sign-on solutions, a chain of trust is established between the third-party, Oracle Access Manager, and the E-Business Suite. Users logging on via the third-party single sign-on solution are passed through transparently to Oracle Access Manager and the E-Business Suite.

Relax, It's Easy and Fun

Well, maybe not... but at least it's technically feasible. You might find it reassuring to note that a number of E-Business Suite customers are running this configuration in production already.

This is about as much detail as I think is appropriate for now. Feel free to post comments if you have questions about this topic.

References

For a survey of options for integrating Oracle Access Manager and Oracle Internet Directory with Oracle E-Business Suite Release 12, see:


Wednesday Oct 15, 2014

Critical Patch Update for October 2014 Now Available

The Critical Patch Update (CPU) for October 2014 was released on October 14, 2014.  Oracle strongly recommends applying the patches as soon as possible.

The Critical Patch Update Advisory is the starting point for relevant information. It includes a list of products affected, pointers to obtain the patches, a summary of the security vulnerabilities, and links to other important documents.

Supported products that are not listed in the "Supported Products and Components Affected" Section of the Advisory do not require new patches to be applied.

Also, it is essential to review the Critical Patch Update supporting documentation referenced in the Advisory before applying patches, as this is where you can find important pertinent information.

The Critical Patch Update Advisory is available at the following location:

The next four Critical Patch Update release dates are:
  • 13 January 2015
  • 14 April 2015
  • 14 July 2015
  • 13 October 2015


Saturday Sep 27, 2014

Database 12.1.0.2 Certified with E-Business Suite 12.1

I’m pleased to announce that 12.1.0.2, the first patchset for the 12c Database, is now certified with E-Business Suite 12.1. 

Database support implications may also be reviewed in this database patching and support article.

Oracle E-Business Suite Release 12.1.x
Certified Platforms
  • Linux x86-64 (Oracle Linux 5, 6)
  • Linux x86-64 (RHEL 5, 6)
  • Linux x86-64 (SLES 11)
  • Oracle Solaris on SPARC (64-bit) (10, 11)
Pending Platform Certifications
  • Microsoft Windows x64 (64-bit) 
  • Oracle Solaris on x86-64 (64-bit)
  • IBM AIX on Power Systems (64-bit)
  • HP-UX Itanium
  • IBM: Linux on System z 
Database Feature and Option Certifications
The following database options and features are supported for use:

Pending Feature/Option Certifications

  • Oracle Multitenant
  • Oracle Database Vault
  • Export/Import process for EBS 12.0 or 12.1 with RDBMS 12cR1 Version 12.1.0.2
  • TDE Tablespace Encryption
  • Transportable Database and Transportable Tablespaces data migration processes

About the pending certifications

Oracle's Revenue Recognition rules prohibit us from discussing certification and release dates, but you're welcome to monitor or subscribe to this blog for updates, which I'll post as soon as they're available.


    Friday Sep 19, 2014

    Database 12.1.0.1 Certified with EBS 12.2

    [Oct. 7, 2014 update: Added Data Guard and Active DataGuard options to the list of pending certifications]

    I’m pleased to announce that 12.1.0.1, the base release for the 12c Database, is now certified with E-Business Suite 12.2. This expands on our previously-announced certification for EBS 11i, 12.0, and 12.1.

    Database support implications may also be reviewed in this database patching and support article.

    Oracle E-Business Suite Release 12.2.2 and higher
    Certified Platforms
    • Linux x86-64 (Oracle Linux 5, 6)
    • Linux x86-64 (RHEL 5, 6)
    • Linux x86-64 (SLES 11)
    • Oracle Solaris on SPARC (64-bit) (10, 11)
    • Oracle Solaris on x86-64 (64-bit) (10, 11) -- Database-tier only
    Pending Platform Certifications
    • Microsoft Windows x64 (64-bit)
    • IBM AIX on Power Systems (64-bit)
    • HP-UX Itanium
    • IBM: Linux on System z 
    Database Feature and Option Certifications
    The following database options and features are supported for use:

    Pending Feature/Option Certifications

    • Oracle Multitenant
    • Oracle Database Vault
    • Transportable Database and Transportable Tablespaces data migration processes
    • Oracle DataGuard
    • Oracle Active DataGuard

    About the pending certifications

    Oracle's Revenue Recognition rules prohibit us from discussing certification and release dates, but you're welcome to monitor or subscribe to this blog for updates, which I'll post as soon as they're available.

    The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

    Monday Sep 15, 2014

    Preventing "Java was blocked" IE Warnings with Oracle EBS

    Microsoft Internet Explorer (IE) started warning users about out-of-date ActiveX controls running through any security zone except the 'Local intranet' or the 'Trusted sites' zones when using IE 8 or later. Attempts to run any Java content from your desktop using older JRE releases -- releases prior to the latest Critical Patch Updates (CPU) on any JRE codeline -- through any other zone now result in a warning message. This may prevent you from accessing Java-based or Forms-based content within Oracle E-Business Suite.

    IE will not block functionality for end-users who meet any of these conditions:

    • Are running EBS through the browser's "Local intranet" or "Trusted sites" zones
    • Have the latest Java Runtime Environment (JRE) Critical Patch Update (CPU) release on Java 6 or 7

    IE will block end-users whose desktops meet all of the following conditions:

    • Users are running the E-Business Suite in the "Internet" zone
    • Users do not have the latest Java Runtime Environment (JRE) Critical Patch Update (CPU) release on Java 6 or 7

    Affected end-users will see the following warning:

    Java(TM) was blocked because it is out of date and needs to be updated

    How do I prevent this Issue?

    OPTION 1

    Follow our documented recommendations to run Oracle E-Business Suite through the "Trusted sites" zone. 

    See the "Recommended Internet Explorer Browser Settings" section within:

    OPTION 2

    Follow Microsoft's workaround to turn this feature off:

    OPTION 3

    Upgrade to the latest JRE release. See:


    Wednesday Jul 16, 2014

    Critical Patch Update for July 2014 Now Available

    The  Critical Patch Update (CPU) for July 2014 was released on July 15, 2014.  Oracle strongly recommends applying the patches as soon as possible.

    The Critical Patch Update Advisory is the starting point for relevant information. It includes a list of products affected, pointers to obtain the patches, a summary of the security vulnerabilities, and links to other important documents.

    Supported products that are not listed in the "Supported Products and Components Affected" Section of the advisory do not require new patches to be applied.

    Also, it is essential to review the Critical Patch Update supporting documentation referenced in the Advisory before applying patches, as this is where you can find important pertinent information.

    The Critical Patch Update Advisory is available at the following location:

    The next four Critical Patch Update release dates are:

    • October 14, 2014
    • January 13, 2015
    • April 14, 2015
    • July 14, 2015

    Wednesday Apr 16, 2014

    Critical Patch Update for April 2014 Now Available

    The  Critical Patch Update (CPU) for April 2014 was released on April 15, 2014.  Oracle strongly recommends applying the patches as soon as possible.

    The Critical Patch Update Advisory is the starting point for relevant information. It includes a list of products affected, pointers to obtain the patches, a summary of the security vulnerabilities, and links to other important documents.

    Supported products that are not listed in the "Supported Products and Components Affected" Section of the advisory do not require new patches to be applied.

    Also, it is essential to review the Critical Patch Update supporting documentation referenced in the Advisory before applying patches, as this is where you can find important pertinent information.

    The Critical Patch Update Advisory is available at the following location:

    The next four Critical Patch Update release dates are:

    • July 15, 2014
    • October 14, 2014
    • January 13, 2015
    • April 14, 2015

    Wednesday Mar 05, 2014

    Oracle Database 11.2.0.4 Certified with E-Business Suite 12.2

    I'm very happy to announce the certification of Oracle Database 11.2.0.4 with Oracle E-Business Suite 12.2. 

    To begin planning your database upgrade to 11.2.0.4, you should review our documentation in this order:

    1. Interoperability Notes: Oracle E-Business Suite 12.2 with Oracle Database 11g Release 2 (Note 1623879.1) 

    2. R12.2 Consolidated List of Patches and Technology Bug Fixes (Note 1594274.1) .  The interoperability note references this note.  It is crucial that you review all requirements in Section 2.2, "Database 11.2.0.4 Patches and Bug Numbers" of this note.

    3. Database Initialization Parameters for Oracle E-Business Suite Release 12 (Note 396009.1).  Make certain that you review Section 4, "Release-Specific Database Initialization Parameters For Oracle 11gR2" and Section 6, "Additional Database Initialization Parameters for Oracle E-Business Suite Release 12.2".

    What does this mean if you are upgrading to R12.2?

    • This upgrade is highly recommended for all EBS 12.2 environments.

    • If you are just beginning your upgrade to R12.2 project, you should consider upgrading to Oracle Database 11.2.0.4 now. 

    • If you are currently in the midst of your R12.2 upgrade, you may continue as planned with Oracle Database 11.2.0.3 and upgrade to 11.2.0.4 as your R12.2 upgrade project and test plans permit.

    • If your go-live date is soon, you may choose to continue as planned with Oracle Database 11.2.0.3 and upgrade to 11.2.0.4 after you go-live with 12.2.

    It may be useful to review the Oracle Database 11gR2 support policies and dates as part of your decision-making process:

    Prerequisites

    • 12.2.2 and higher
    Certified Platforms
    • Linux x86-64 (Oracle Linux 5, 6)
    • Linux x86-64 (RH 5, 6)
    • Linux x86-64 (SLES 10, 11)
    • Oracle Solaris on SPARC (64-bit)  (10, 11)
    • Oracle Solaris on x86-64 (64-bit) (10, 11) -  Database tier only
    • IBM AIX on Power Systems (64-bit) (6.1, 7.1)
    • HP-UX Itanium (11.31)
    Pending Platform Certifications
    • Microsoft Windows x64 (64-bit)
    • IBM: Linux on System z 
    Database Feature and Option Certifications
    The following database features and options are certified:

    Pending Database Feature and Option Certifications

    • Database Vault

    About the pending certifications

    Oracle's Revenue Recognition rules prohibit us from discussing certification and release dates, but you're welcome to monitor or subscribe to this blog for updates, which I'll post as soon as they're available.

    The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

    Wednesday Feb 12, 2014

    Oracle Access Manager 11.1.2.2 Certified with Oracle E-Business Suite

    I am happy to announce that Oracle Access Manager 11gR2 Patchset 2 (11.1.2.2.0) is now certified with Oracle E-Business Suite Release 11i (11.5.10.2) and 12 (12.0.6, 12.1.1+, 12.2.2+).  If you are implementing single sign-on for the first time, or are an existing Oracle Access Manager user, you may integrate with Oracle Access Manager 11gR2 using Oracle Access Manager WebGate and Oracle E-Business Suite AccessGate.

    Choosing the Right Integration

    Our previously published blog article and support note with single sign-on recommended and certified integration paths has been updated to include Oracle Access Manager 11gR2PS2:

    References

    You may refer to the following My Oracle Support Knowledge Documents for additional details regarding certified architectures and versions:


      Tuesday Jan 14, 2014

      Critical Patch Update for January 2014 Now Available

      The  Critical Patch Update (CPU) for January 2014 was released on January 14, 2014.  Oracle strongly recommends applying the patches as soon as possible.

      The Critical Patch Update Advisory is the starting point for relevant information. It includes a list of products affected, pointers to obtain the patches, a summary of the security vulnerabilities, and links to other important documents.

      Supported products that are not listed in the "Supported Products and Components Affected" Section of the advisory do not require new patches to be applied.

      Also, it is essential to review the Critical Patch Update supporting documentation referenced in the Advisory before applying patches, as this is where you can find important pertinent information.

      The Critical Patch Update Advisory is available at the following location:

      The next four Critical Patch Update release dates are:

      • April 15, 2014
      • July 15, 2014
      • October 14, 2014
      • January 13, 2015

      Tuesday Nov 05, 2013

      Securing Flexfield Value Sets in EBS 12.2

      Separation of Duties in Flexfield Value Set Security

      Release 12.2 includes a new feature: flexfield value set security.

      This new feature gives you additional options for ensuring that different administrators have non-overlapping responsibilities, which in turn provides checks and balances for sensitive activities.  Separation of Duties (SoD) is one of the key concepts of internal controls and is a requirement for many regulations including:

      • Sarbanes-Oxley (SOX) Act
      • Health Insurance Portability and Accountability Act (HIPAA)
      • European Union Data Protection Directive.
      Its primary intent is to put barriers in place to prevent fraud or theft by an individual acting alone. Implementing Separation of Duties requires minimizing the possibility that users could modify data across application functions where the users should not normally have access.

      For flexfields and report parameters in Oracle E-Business Suite, values in value sets can affect functionality such as the rollup of accounting data, job grades used at a company, and so on. Controlling access to the creation or modification of value set values can be an important piece of implementing Separation of Duties in an organization.

      New Flexfield Value Set Security feature

      Flexfield value set security allows system administrators to restrict users from viewing, adding or updating values in specific value sets. Value set security enables role-based separation of duties for key flexfields, descriptive flexfields, and report parameters. For example, you can set up value set security such that certain users can view or insert values for any value set used by the Accounting Flexfield but no other value sets, while other users can view and update values for value sets used for any flexfields in Oracle HRMS. You can also segregate access by Operating Unit as well as by role or responsibility.

      Value set security uses a combination of data security and role-based access control in Oracle User Management. Flexfield value set security provides a level of security that is different from the previously-existing and similarly-named features in Oracle E-Business Suite:

      • Function security controls whether a user has access to a specific page or form, as well as what operations the user can do in that screen.
      • Flexfield value security controls what values a user can enter into a flexfield segment or report parameter (by responsibility) during routine data entry in many transaction screens across Oracle E-Business Suite.
      • Flexfield value set security (this feature, new in Release 12.2) controls who can view, insert, or update values for a particular value set (by flexfield, report, or value set) in the Segment Values form (FNDFFMSV).
      The effect of flexfield value set security is that a user of the Segment Values form will only be able to view those value sets for which the user has been granted access. Further, the user will be able to insert or update/disable values in that value set if the user has been granted privileges to do so.  Flexfield value set security affects independent, dependent, and certain table-validated value sets for flexfields and report parameters.

      Initial State of the Feature upon Upgrade

      Because this is a new security feature, it is turned on by default.  When you initially install or upgrade to Release 12.2.2, no users are allowed to view, insert or update any value set values (users may even think that their values are missing or invalid because they cannot see the values).  You must explicitly set up access for specific users by enabling appropriate grants and roles for those users.

      We recommend using flexfield value set security as part of a comprehensive Separation of Duties strategy. However, if you choose not to implement flexfield value set security upon upgrading to or installing Release 12.2, you can enable backwards compatibility--users can access any value sets if they have access to the Values form--after you upgrade.

      The feature does not affect day-to-day transactions that use flexfields.  However, you must either set up specific grants and roles or enable backwards compatibility before users can create new values or update or disable existing values.

      For more information, see:

      Friday Oct 18, 2013

      Sign E-Business Suite JAR Files Now

      Oracle E-Business Suite uses Java, notably for running Forms-based content via the Java Runtime Environment (JRE) browser plug-in.

      The default security settings for the JRE plug-in are expected to become more stringent over time.  To prepare for upcoming changes to Java security, all EBS 11i, 12.0, 12.1, and 12.2 system administrators must follow the procedures documented here:

      More information about Java security is available here:

      Getting help

      If you have questions about Java Security, please log a Service Request with Java Support.

      If you need assistance with the steps for signing EBS JAR files, please log a Service Request against the "Oracle Applications Technology Stack (TXK)" > "Java."


      Tuesday Oct 15, 2013

      Critical Patch Update for October 2013 Now Available

      The  Critical Patch Update (CPU) for October 2013 was released on October 15, 2013. Oracle strongly recommends applying the patches as soon as possible.

      The Critical Patch Update Advisory is the starting point for relevant information. It includes a list of products affected, pointers to obtain the patches, a summary of the security vulnerabilities, and links to other important documents.

      Supported products that are not listed in the "Supported Products and Components Affected" Section of the advisory do not require new patches to be applied.

      Also, it is essential to review the Critical Patch Update supporting documentation referenced in the Advisory before applying patches, as this is where you can find important pertinent information.

      The Critical Patch Update Advisory is available at the following location:

      The next four Critical Patch Update release dates are:

      • January 14, 2014
      • April 15, 2014
      • July 15, 2014
      • October 14, 2013

      Friday Sep 27, 2013

      11.2.0.4 Database Certified with E-Business Suite

      I’m pleased to announce that 11.2.0.4, the terminal patchset for the 11gR2 Database is now certified with Oracle E-Business Suite. Be sure to review the interoperability notes for R11i and R12 for the most up-to-date requirements for deployment.

      Database support implications may also be reviewed in the database patching and support article.


      Oracle E-Business Suite Release 11i

      Prerequisites
      • 11.5.10.2 + ATG PF.H RUP 6 and higher
      Certified Platforms
      • Linux x86 (Oracle Linux 4, 5)
      • Linux x86 (RHEL 4, 5)
      • Linux x86 (SLES 10)
      • Linux x86-64 (Oracle Linux 4, 5) -- Database-tier only
      • Linux x86-64 (RHEL 4, 5) -- Database-tier only
      • Linux x86-64 (SLES 10) -- Database-tier only
      Pending Platform Certifications
      • Oracle Solaris on SPARC
      • Oracle Solaris on x86-64 (64-bit)
      • IBM AIX on Power Systems
      • HP-UX Itanium
      • Microsoft Windows Server (32-bit)
      • Microsoft Windows x64 (64-bit)
      • HP-UX PA-RISC (64-bit)
      • IBM: Linux on System z 
      Oracle E-Business Suite Release 12.0.4 and higher
      Certified Platforms
      • Linux x86 (Oracle Linux 4, 5)
      • Linux x86 (RHEL 4, 5)
      • Linux x86 (SLES 10)
      • Linux x86-64 (Oracle Linux 4, 5)
      • Linux x86-64 (RHEL 4, 5)
      • Linux x86-64 (SLES 10)
      Pending Certifications
      • Oracle Solaris on SPARC 
      • Oracle Solaris on x86-64
      • IBM AIX on Power Systems (64-bit)
      • HP-UX Itanium
      • Microsoft Windows Server (32-bit)
      • Microsoft Windows x64 (64-bit)
      • HP-UX PA-RISC (64-bit)
      • IBM: Linux on System z
      Oracle E-Business Suite Release 12.1.1 and higher
      Certified Platforms
      • Linux x86 (Oracle Linux 4, 5, 6)
      • Linux x86 (RHEL 4, 5, 6)
      • Linux x86 (SLES 10)
      • Linux x86-64 (Oracle Linux 4, 5, 6)
      • Linux x86-64 (RHEL 4, 5, 6)
      • Linux x86-64 (SLES 10, 11)
      Pending Certifications
      • Oracle Solaris on SPARC 
      • Oracle Solaris on x86-64
      • IBM AIX on Power Systems (64-bit)
      • HP-UX Itanium
      • Microsoft Windows Server (32-bit)
      • Microsoft Windows x64 (64-bit)
      • HP-UX PA-RISC (64-bit)
      • IBM: Linux on System z
      Database Feature and Option Certifications
      The following database options and features are supported for use:
      About the pending certifications

      Oracle's Revenue Recognition rules prohibit us from discussing certification and release dates, but you're welcome to monitor or subscribe to this blog for updates, which I'll post as soon as they're available.

      The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

      12.1.0.1 Database Certified with Oracle E-Business Suite

      (Feb 19, 2014 Update: Article has been updated to correctly reflect Active Data Guard and Data Guard as pending certifications.)

      I’m pleased to announce that 12.1.0.1, the base release for the 12c Database is now certified. Be sure to review the interoperability notes for R11i and R12 for the most up-to-date requirements for deployment.

      Database support implications may also be reviewed in the database patching and support article.


      Oracle E-Business Suite Release 11i

      Prerequisites
      • 11.5.10.2 + ATG PF.H RUP 7 and higher
      Certified Platforms
      • Linux x86-64 (Oracle Linux 5) -- Database-tier only
      • Linux x86-64 (RHEL 5) -- Database-tier only
      • Oracle Solaris on SPARC (64-bit) (10)
      • Oracle Solaris on x86-64 (64-bit) (10) -- Database-tier only
      Pending Platform Certifications
      • Microsoft Windows x64 (64-bit)
      • IBM AIX on Power Systems (64-bit)
      • HP-UX Itanium
      • IBM: Linux on System z 
      Oracle E-Business Suite Release 12.0.6 and higher
      Certified Platforms
      • Linux x86-64 (Oracle Linux 5)
      • Linux x86-64 (RHEL 5)
      • Oracle Solaris on SPARC (64-bit) (10)
      • Oracle Solaris on x86-64 (64-bit) (10) -- Database-tier only
      Pending Platform Certifications
      • Microsoft Windows x64 (64-bit)
      • IBM AIX on Power Systems (64-bit)
      • HP-UX Itanium
      • IBM: Linux on System z 
        Oracle E-Business Suite Release 12.1.3 and higher
        Certified Platforms
        • Linux x86-64 (Oracle Linux 5, 6)
        • Linux x86-64 (RHEL 5, 6)
        • Linux x86-64 (SLES 11)
        • Oracle Solaris on SPARC (64-bit) (10, 11)
        • Oracle Solaris on x86-64 (64-bit) (10, 11) -- Database-tier only
        Pending Platform Certifications
        • Microsoft Windows x64 (64-bit)
        • IBM AIX on Power Systems (64-bit)
        • HP-UX Itanium
        • IBM: Linux on System z 
        Database Feature and Option Certifications
        The following database options and features are supported for use:

        Pending Feature/Option Certifications

        • Active Data Guard
        • Data Guard Redo Apply with Physical Standby Databases
        • Oracle Multitenant
        • Oracle Database Vault
        • Transportable Database and Transportable Tablespaces data migration processes

        About the pending certifications

        Oracle's Revenue Recognition rules prohibit us from discussing certification and release dates, but you're welcome to monitor or subscribe to this blog for updates, which I'll post as soon as they're available.

        The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

        Thursday Jul 18, 2013

        Oracle Access Manager 11gR2 11.1.2.1.0 Certified With E-Business Suite

        I am happy to announce that Oracle Access Manager 11gR2  Patchset 1 (11.1.2.1.0) is now certified with E-Business Suite Releases 11i, 12.0 and 12.1.

        Choosing the Right Architecture

        If you are implementing single sign-on for the first time, or are an existing Oracle Access Manager user, you may integrate with Oracle Access Manager 11gR2 Patchset 1 using Oracle Access Manager WebGate and Oracle E-Business Suite AccessGate. If you are using Oracle Single Sign-On 10gR3 (10.1.4.3) you may migrate to Oracle Access Manager 11gR2 Patchset 1 with Oracle E-Business Suite Access Gate.

        Our previously published blog article and support note provides an overview of single sign-on integration options and recommendations:

        Platforms Certified

        The Oracle E-Business Suite AccessGate Java application is certified to run on any operating system for which Oracle WebLogic Server 11g is certified. Refer to the Oracle Fusion Middleware Release 11g (11.1.1.x) Certification Matrix for more details.

        For information on operating systems supported by Oracle Access Manager 11gR2 and its components, refer to the Oracle Identity and Access Management 11g Release 2 (11.1.2.1.0) Certification Matrix.

        Integration with Oracle Access Manager involves components spanning several different suites of Oracle products. There are no restrictions on which platform any particular component may be installed so long as the platform is supported for that component.


          (Article Contributor:  Allison Sparshott)

          Wednesday Jul 17, 2013

          Critical Patch Update for July 2013 Now Available

          The  Critical Patch Update (CPU) for July 2013 was released on July 16, 2013. Oracle strongly recommends applying the patches as soon as possible.

          The Critical Patch Update Advisory is the starting point for relevant information. It includes a list of products affected, pointers to obtain the patches, a summary of the security vulnerabilities, and links to other important documents.

          Supported products that are not listed in the "Supported Products and Components Affected" Section of the advisory do not require new patches to be applied.

          Also, it is essential to review the Critical Patch Update supporting documentation referenced in the Advisory before applying patches, as this is where you can find important pertinent information.

          The Critical Patch Update Advisory is available at the following location:

          The next four Critical Patch Update release dates are:

          • October 15, 2013
          • January 14, 2014
          • April 15, 2014
          • July 15, 2014

          Tuesday Apr 23, 2013

          Using SAML-based Authentication for Web Services with Integrated SOA Gateway

          Web services provided by Oracle E-Business Suite Integrated SOA Gateway are secured at the transport level through SSL and at the message level through authentication tokens – Username Token and SAML Token (Sender Vouches). I will discuss SAML Token (Sender Vouches) here.

          Brief on SAML, SAML Token, SAML Token Profile

          Security Assertion Markup Language (SAML) is an XML-based framework for exchanging security-related information between a Service Consumer, an Identity Provider, and a Service Provider. The security information is expressed in terms of assertions. Statements about the subject or user form the SAML Token.

          WS-Security defines a set of security token profiles for different types of tokens embedded within the SOAP message as headers. SAML Token Profile is one of the WS-Security Token Profiles that describe the syntax and meaning of SAML Tokens. SAML Tokens are embedded within SOAP messages by placing assertion elements inside the SOAP Header.

          As per WS-Security, there are three common methods to assure the Service Provider that the SOAP message came from the subject referenced in the token. The three common subject confirmation methods are Sender Vouches, Holder of Key, and Bearer. As of Oracle E-Business Suite Release 12.1.3, web services provided by Integrated SOA Gateway (inbound) support SAML Token using the Sender Vouches subject confirmation method.

          SAML Token - Sender Vouches

          SAML Tokens assert that the subject or user has already been authenticated. As the name suggests, in the Sender Vouches case, the Sender or SOAP web service client that sends the SOAP request message to SOAP web service vouches for the identity of the assertion’s subject.

          SAML flow diagram

          The SAML assertion may be provided by an external Identity Provider -- a SAML Authority or SAML Issuer. In this case, a client sends a SAML assertion request to a SAML Authority. The SAML Authority identifies the client, authenticates the subject, and sends SAML assertion as response to client. The client’s private key is used to sign both the assertion and the SOAP message body.

          The E-Business Suite's Integrated SOA Gateway uses Oracle Application Server’s Web Services Security framework. It verifies the digital signature in a SOAP request and extracts the SAML Token. It validates the SAML assertion, including the issuer, validity period, and authentication statement. It extracts the SAML Subject Name Identifier and verifies it against the registered Oracle Internet Directory (OID) for single sign-on users, or against the FND_USER table in the Oracle E-Business Suite (EBS) database for non-single sign-on users. It uses Oracle Internet Directory to map the single sign-on user to the equivalent EBS user. The EBS username is then used for the authorization check for the web service execution.
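The checks described in the paragraph above, as an added Python example (not Oracle's code and not part of the original post). It assumes SAML 1.1 element names in a SOAP 1.1 envelope; the issuer, the user names, the `user_map` lookup standing in for OID/FND_USER, and the `signature_verified` flag reported by the WS-Security layer are all hypothetical.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
CLOCK_SKEW = timedelta(minutes=2)  # assumption: tolerated clock drift

# Constructed sample data (hypothetical issuer and users).
TRUSTED_ISSUERS = {"idp.example.com"}
USER_MAP = {"jdoe.sso": "JDOE"}  # stands in for the OID / FND_USER lookup
NOW = datetime(2013, 4, 23, 10, 5, tzinfo=timezone.utc)


class AssertionRejected(Exception):
    """Raised when the token fails any check; the request must be refused."""


def sample_envelope(issuer="idp.example.com", name="jdoe.sso",
                    method=SENDER_VOUCHES,
                    not_before="2013-04-23T10:00:00Z",
                    not_on_or_after="2013-04-23T10:10:00Z"):
    """Build a constructed SOAP request carrying one SAML assertion."""
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}">
 <soap:Header><wsse:Security xmlns:wsse="{NS['wsse']}">
  <saml:Assertion xmlns:saml="{NS['saml']}" MajorVersion="1" MinorVersion="1"
      AssertionID="_constructed-1" Issuer="{issuer}"
      IssueInstant="2013-04-23T10:00:00Z">
   <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>
   <saml:AuthenticationStatement
       AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
       AuthenticationInstant="2013-04-23T10:00:00Z">
    <saml:Subject>
     <saml:NameIdentifier>{name}</saml:NameIdentifier>
     <saml:SubjectConfirmation>
      <saml:ConfirmationMethod>{method}</saml:ConfirmationMethod>
     </saml:SubjectConfirmation>
    </saml:Subject>
   </saml:AuthenticationStatement>
  </saml:Assertion>
 </wsse:Security></soap:Header>
 <soap:Body/>
</soap:Envelope>"""


def _ts(value):
    """Parse a SAML UTC timestamp; a missing or malformed one is a rejection."""
    try:
        parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    except (TypeError, ValueError) as exc:
        raise AssertionRejected("missing or malformed timestamp") from exc
    return parsed.replace(tzinfo=timezone.utc)


def authenticate(envelope_xml, signature_verified, trusted_issuers, user_map, now):
    """Return the mapped EBS user name, or raise AssertionRejected."""
    # 1. Sender vouches rests on the sender's signature over the assertion and
    #    the body; the WS-Security layer reports that result (assumed input).
    if not signature_verified:
        raise AssertionRejected("sender signature not verified")
    if "<!DOCTYPE" in envelope_xml:  # SOAP messages must not carry a DTD
        raise AssertionRejected("DTD not allowed")
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError as exc:
        raise AssertionRejected("malformed XML") from exc
    # 2. Exactly one assertion, read only from the wsse:Security header.
    found = root.findall("soap:Header/wsse:Security/saml:Assertion", NS)
    if len(found) != 1:
        raise AssertionRejected("expected exactly one SAML assertion")
    assertion = found[0]
    # 3. The issuer must be a registered SAML authority.
    if assertion.get("Issuer") not in trusted_issuers:
        raise AssertionRejected("untrusted issuer")
    # 4. Validity period, with a small allowance for clock drift.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise AssertionRejected("missing Conditions")
    if not (_ts(cond.get("NotBefore")) - CLOCK_SKEW <= now
            < _ts(cond.get("NotOnOrAfter")) + CLOCK_SKEW):
        raise AssertionRejected("outside validity period")
    # 5. Authentication statement whose only confirmation is sender-vouches.
    stmt = assertion.find("saml:AuthenticationStatement", NS)
    if stmt is None:
        raise AssertionRejected("no authentication statement")
    methods = [(m.text or "").strip() for m in stmt.findall(
        "saml:Subject/saml:SubjectConfirmation/saml:ConfirmationMethod", NS)]
    if methods != [SENDER_VOUCHES]:
        raise AssertionRejected("confirmation method is not sender-vouches")
    # 6. Map the subject to a local account; unknown subjects are refused.
    name = stmt.findtext("saml:Subject/saml:NameIdentifier", "", NS).strip()
    if name not in user_map:
        raise AssertionRejected("unknown subject")
    return user_map[name]


if __name__ == "__main__":
    print(authenticate(sample_envelope(), True, TRUSTED_ISSUERS, USER_MAP, NOW))
```

The order matters: nothing inside the assertion is trusted until the signature result is known, and every failure refuses the request rather than falling back to another identity.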

          When to use SAML Sender Vouches based authentication for web services provided by Integrated SOA Gateway?

          SAML Token with Sender Vouches is best used for the following scenarios:

          • Single Sign On: As part of your business process, you may want to authenticate once and propagate the authenticated identity as a SAML assertion to subsequent EBS web service calls.
          • Subject or user needs to be authenticated locally (at web service client end) or centrally by Identity Provider (or SAML Authority), and propagate the assertion to an EBS web service.

          How to use SAML Token Sender Vouches in Integrated SOA Gateway?

          The steps to expose an EBS API as a web service are described in the Oracle E-Business Suite Integrated SOA Gateway Implementation Guide and Developer's Guide.

          • Create Grant for EBS API methods that you want to expose as web service operations
          • Generate and Deploy the EBS API as web service with SAML Token (Sender Vouches) authentication type
          • Configure client and EBS (server) for SAML  

          See Setting Up SAML Token Security for Oracle E-Business Suite Integrated SOA Gateway Release 12.1.3 [Note 1144313.1] 

          This Note describes the steps to configure SOAP Web Service Client as well as Oracle E-Business Suite (SOAP Web Service Provider). In Integrated SOA Gateway, a SAML Token Sender Vouches policy is applied at the web service level or port level. You may have to configure EBS for SAML for all web services that are deployed with Authentication Type as SAML Token (Sender Vouches).

          • Invoke web service with SAML Token

          The Note also describes steps to test web service invocation with a SAML Token. Depending upon the client program, you may programmatically insert SAML assertions or let web service security policy enforcement products such as Oracle Web Services Manager (OWSM) insert a SAML Token in a SOAP request message.


          Monday Apr 01, 2013

          New Whitepaper: Function Security + Role-Based Access Control in Oracle EBS

          There are two main ways to implement security in Oracle E-Business Suite: “traditional” Oracle E-Business Suite responsibility-based security (usually referred to as “function security”) and Role-Based Access Control (RBAC).   Since they overlap in functionality, and RBAC incorporates and builds upon responsibility-based security, there is often confusion about how the two security models coexist and interact.

          I am pleased to announce the availability of a new whitepaper to help eliminate that confusion:

          RBAC vs. Grants

          This heavily-illustrated whitepaper discusses the main similarities and differences between the two types of security setups, as well as the objects involved.  It includes the following topics:

          1. Responsibility-based security (Function Security)
          2. Role-Based Access Control
          3. Functions and Permissions
          4. Roles and Grants
          5. Role Hierarchy and Role Inheritance
          6. Using Role Hierarchies to Simplify User Administration
          7. Best Practices for Implementing RBAC and Function Security

          This whitepaper is written for Oracle E-Business Suite system administrators, super-users, and implementers.  It applies to Oracle E-Business Suite Release 11i, 12.0, and 12.1.

          Happy reading!

