Embed Size (px)
Citation preview
Using Oracle Application Server 10g with Oracle E-Business Suite
Steven ChanDirector, Applications Technology GroupOracle Corporation
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions.The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Topics
• Release 11i Supported Architectures• Features and Benefits• Technical Integration Overview• Integration with Third Party Access Managers & LDAP
Directories• Customer Snapshots
• Release 12 Technology Stack• Certification Roadmap• References
Last updated: April 15, 2007
<Insert Picture Here>
Release 11iCurrent Certifications
Desupport NoticesOr, “Why You Should Plan for OracleAS 10g Now”
• Discoverer 4i October 2006
• Login Server 3.0.9• Portal 3.0.9 July 2007• Oracle Internet Directory 3.0.1
For more details:http://blogs.oracle.com/schan/desupport
However…
Sun JDK 1.3 is the required prerequisite for 3.0.9. Sun desupported 1.3 in Dec 2006, so Sun’s desupport date overrides Oracle’s for these products.
Latest Release 11i Certifications
VersionSingle Sign-On & Oracle Internet Directory 10.1.4.0.1Access Manager 10.1.4.0.1Identity Manager 10.1.4.0.1Portal 10.1.2.2 Linux 10.1.4 Others
Discoverer 10.1.2.2 Linux 10.1.2.0.2 Others
10.1.2.0.2 Others
10.1.3.2 (Windows only)
Oracle Integration 10.1.2.0.2 Linux 10.1.2.0.2 Others
Oracle Enterprise Manager 10g Grid Control Release 3
Web Cache 10.1.2.2 Linux
Fusion Intelligence for E-Business
Optional External Integrations
Simple Physical Architecture
ExternalUsers
(via VPN)
InternalUsers
IntranetFirewall
Oracle Application Server 10g• Portal• Single Sign-On• Oracle Internet Directory• Directory Integration & Provisioning• Delegated Administration Services• Discoverer• OracleAS Certificate Authority• OracleAS 10g Metadata Repository
Firewall
Release 11i9iAS 1.0.2.2.2Application Server
Release 11iDatabase
11i Integration with OracleAS 10g
• Release 11i instance runs Oracle9i Application Server 1.0.2.2.2
• 11i is integrated with a stand-alone Oracle Application Server 10g instance
• The existing Release 11i application-tier server nodes continue to run on Oracle9i Application Server 1.0.2.2.2
Distributed Architecture
FirewallFirewall
Internet ReverseProxy
Firewall
OracleAS 10gInfrastructure
Database
OracleInternet
DirectoryServer 10gInternal 9iAS 1.0.2
Server
Release 11iDatabase
InternalUsers
ExternalUsers
External9iAS 1.0.2
Server
SingleSign-On 10g
Portal10g
Distributed Architecture Benefits
Enterprise Portal ServerMay be scaled & managed by separate organizations responsiblefor corporate communications
Enterprise Security ServersMay be scaled & managed by separate organizations responsiblefor corporate security and identity management
Enterprise Application ServersMay be scaled & managed by separate organizations responsiblefor enterprise applications such as Oracle E-Business SuiteRelease 11i
OracleAS 10g Integration Benefits
1. Enable Single Sign-On for 11i2. Manage users in Oracle Internet Directory3. Access 11i via custom Portals4. Integrate 11i with third-party PKI, SSO & LDAP
directories, and legacy applications5. Analyse 11i with Discoverer workbooks6. Analyse 11i with Fusion Intelligence7. Accelerate 11i performance with WebCache
Enable Single Sign-On for 11i
• E-Business Suite is a Single Sign-On partner application • Log on to Oracle Single Sign-On to get access to all registered partner
applications, including 11i• Log off any one partner application to log off all of them
E-Business Suite 11i Application Server
User
SingleSign-On 10g
Manage Users in Oracle Internet Directory
• Synchronise user credentials bidirectionally between Oracle Internet Directory and Release 11i (FND_USER)
• Set master “source of truth” as OID, Release 11i, or both• Manage user provisioning via powerful OID Directory Integration &
Provisioning (DIP) templates• Link an OID userid with one or more 11i userids “on-the-fly”
E-Business Suite 11i FND_USER
OracleInternetDirectory
DIP
DBMS_LDAP
Access 11i via custom Portals
• Access one or more E-Business Suite 11i instances from a single Oracle Portal instance
• Add 11i portlets to custom Portal pages• Display data in 11i portlets based on 11i responsibilities
OraclePortal 10g
E-BusinessSuite 11i
AppsPortlets
Release 11i Portlets
• Applications NavigatorAccess Applications menus based on user responsibilities
• Applications FavoritesBookmark specific Applications links for quick access
• Applications WorklistSummary of current workflow notifications
• Oracle Balanced ScorecardDisplay status of strategic and tactical business objectives
• Performance Management ViewerDisplay business intelligence key performance indicators in graphical and tabular format
Applications Navigator PortletFlat Mode Tree Mode
Applications Favorites Portlet
Applications Worklist Portlet
Balanced Scorecard Portlets
Integrate 11i with…
• Over 250 adapters for Enterprise Application Integration with third-party applications
• J2EE and open standards-based integration, including:• E-Business Suite, third-party applications, database sources• XML, JMS, JCA• Web Services: SOAP, WSDL, UDDI• B2B Protocols: RosettaNet, HIPAA, EDI
Release 11iLegacyApplication
OracleIntegration
Analyse 11i with Discoverer 10g
• Access APPS_MODE End-User Layer via Business Intelligence System Discoverer workbooks secured by Applications responsibilities
• Provide end-user reporting via ad hoc queries• Drill-down into data via tabular & graphical analytical tools• Run Discoverer on separate cluster for enhanced scalability, wide deployment
Discoverer
User E-Business Suite End-User Layer
Why Upgrade Discoverer 4i to 10g?
It’s better• Automatic SQL trimming, per user
memory caps, faster, new features
It’s safe• Installation upgrades a copy of 4i
End-User Layer to 10g
It’s low-impact• TIP: Run Discoverer 4i and 10g on
different physical servers to avoid Visibroker conflicts
• Compare 4i and 10g workbooks side-by-side for User Acceptance Tests
It’s free• Your existing Business Intelligence
product license includes 10g
It’s necessary• Discoverer 4i is desupported on
October 31, 2006
Start your upgrade now to avoid
Support issues
Tasty Carrots Big Stick
Analyse 11i with Fusion Intelligence
• Fusion Intelligence = Analytical dashboards for Oracle Daily Business Intelligence running on Oracle Business Intelligence Enterprise Edition 10.1.3.2 (formerly Siebel)
• Provide end-user reporting via ad hoc queries• Drill-down into data via tabular & graphical analytical tools• Run OBIEE on separate cluster for enhanced scalability, wide deployment• Available for Windows platforms today (UNIX platforms coming)
OBIEE
User E-Business Suite Metadata
Accelerate 11i Performance with WebCache
• Cache and compress frequently used items• Reduce network consumption and accelerate response time• Can act as a reverse-proxy server• Can act as a load-balancer
WebCache 10g
User E-Business Suite 11i Application Server
<Insert Picture Here>
Technical Integration Overview
Apps 11i Configuration Options
A. Single Sign-On ServerMinimum requirement for single sign-on support. Includes Oracle Internet Directory.
B. Portal and Single Sign-On ServerOptional.
C. DiscovererOptional. SSO also optional for Discoverer standalone implementations.
OracleAS 10g + 11i Integration Points
SSO Single Sign-On partner application via SSO SDK 9.0.2
OID Provisioning integrated application via Directory Integration & Provisioning Platform
Portal Oracle Applications Framework Web Provider & portlets
Discoverer APPS_MODE End-User Layer in 11i database
Logical Architecture
Ext OracleAS Metadata
SingleSign-On
OracleInternet
Directory
Apps WebProvider &
Portlets
9iAS1.0.2.2.2
11iDatabase(FND_USER)
PortalMetadata
OID UserRepository
DirectoryIntegration
Platform 10g
Third-PartyLDAP(optional)
Third-PartySSO
(optional)
Asynchronousprovisioning
Synchronousprovisioning(DBMS_LDAP)
SSO SDK
Portal
External OracleAS 10g
11i Application Server 11i Database Server
JDB
C/SQ
L*Net
JDB
C/SQ
L*Net
DiscovererMetadata
DiscovererEnd-User
Layer
Authentication vs. Authorization
Identifies the user
OracleSingle
Sign-On
E-BusinessSuite
Authentication Authorization
Identifies data & actions the user
can access
Checks user credentials
Checks user responsibilities
How Single Sign-On Works with 11iOverview
• Unauthenticated users attempting E-Business Suite access are automatically redirected to Oracle Single Sign-On 10g
Oracle SingleSign-On 10g
E-BusinessSuite 9iAS1.0.2.2.2
… delegates user authentication to …
How Single Sign-On Works with 11iOverview
E-Business Suite 11iDatabase
SingleSign-On 10g OracleAS 10g
LDAP Directory
UserE-BusinessSuite 11iApplicationServer
Oracle InternetDirectory 10g
How Single Sign-On Works with 11i
• Step 1: Unauthenticated user attempts to access the E-Business Suite
E-Business Suite 11i Application Server
User
How Single Sign-On Works with 11i
• Step 2: E-Business Suite redirects user to Single Sign-On 10g for authentication
E-Business Suite 11i Application Server
User SingleSign-On 10g
How Single Sign-On Works with 11i
• Step 3: Single Sign-On challenges the user with a logon form
UserSingleSign-On 10g
LogonForm
How Single Sign-On Works with 11i
• Step 4: User provides her credentials via the logon form
User
LogonForm
SingleSign-On 10g
How Single Sign-On Works with 11i
• Step 5: Single Sign-On passes user credentials to Oracle Internet Directory for validation
SingleSign-On10g
Oracle InternetDirectory 10g
How Single Sign-On Works with 11i
• Step 6: Oracle Internet Directory authenticates the user credentials against the OracleAS 10g LDAP Directory (in the OracleAS 10g Metadata Repository)
OracleAS 10gLDAP Directory
Oracle InternetDirectory 10g
How Single Sign-On Works with 11i
• Step 7: Single Sign-On provides the authenticated user with a security token
SingleSign-On 10g
User
SSO SecurityToken
How Single Sign-On Works with 11i
• Step 8: User is redirected to E-Business Suite, which accepts the SSO security token as proof of an authenticated user
E-Business Suite 11iApplication Server
User
SSO SecurityToken
How Single Sign-On Works with 11i
• Step 9: E-Business Suite’s application server checks the user’s authorization (i.e Apps responsibilities) in FND_USER
E-Business Suite 11iApplication Server
E-Business Suite 11iDatabase (FND_USER)
How Single Sign-On Works with 11i
• Step 10: E-Business Suite issues its own Apps security tokens to the user, redirecting her to the requested Apps module
E-Business Suite 11iApplication Server
Apps SecurityToken
E-Business Suite 11iDatabase
User
How Single Sign-On Works with 11i
E-Business Suite 11iDatabase
SingleSign-On 10g OracleAS 10g
LDAP Directory
UserE-BusinessSuite 11iApplicationServer
Oracle InternetDirectory 10g
Oracle Internet Directory Integration
• Oracle Internet Directory and FND_USER must be kept synchronised• Supported synchronisation directions:
• From OID to FND_USER (Asynchronous via the Directory Integration & Provisioning Platform)
• From FND_USER to OID (Synchronous via dbms_ldap calls)• Bidirectionally
• Synchronisation events are raised via the Workflow-based Business Event System whenever users are added or modified
E-Business Suite 11i FND_USER
OracleInternetDirectory
DIP
DBMS_LDAP
Link Accounts
OracleInternet
Directory
Userid =“John.Smith”
Release 11i(FND_USER)
Userid =“jsmith”
“Link Account”Global Unique Identifier (GUID)
One-time User Registration• Done at setup time by system administrator
• Optional: can be done by end-user on first logon (“Link on the fly”)
• Useful for situations where existing accounts in Oracle Internet Directory 10g or a third-party LDAP directory differ from existing accounts in Release 11i.
Link to Multiple 11i Accounts
• Note: It’s not possible to link multiple OID accounts to the same 11i account
OracleInternet
Directory
Userid =“John.Smith”
Release 11i(FND_USER)
Userid =“jsmith”
“Link Account”
Userid =“testuser1”
Userid =“testuser2”
Portal Integration
Portal 10g
Apps 11i Portlet
OAF WebProvider
11i App Server
JPDK 3.0.9
Portal Metadata
User
Portal Integration
• Single Sign-On is a prerequisite for Portal
• Oracle Applications Framework Web Provider is registered in Portal 10g
• 11i Portlets communicate with 11i 9iAS 1.0.2.2.2 server:
• Oracle Applications Framework Web Provider
• JPDK 3.0.9
• 11i portlets are added to custom Portal pages• 11i portlet users must have a valid 11i responsibility, validated via ICX_SESSION
Discoverer Integration
• Discoverer 10g End-User Layer resides in 11i database• APPS_MODE option enforces Applications security for all Discoverer
users• Discoverer 10g Server is often deployed standalone for performance
DiscovererServer 10g
User DiscovererEnd-User Layer forE-Business Suite
Full Discoverer 10g Support for Single Sign-On
• Earlier versions of Discoverer 10g did not support Single Sign-On & Oracle Internet Directory integration for E-Business Suite users
• Full SSO/OID support is now available
• No more dual-maintenance of E-Business Suite user passwords in both FND_USER and OID for standalone Discoverer connections
• See Metalink Note 313418.1 for details
Accelerate 11i Performance with WebCache
• Frequently used items (e.g. images, static text) are cached, compressed, and served by WebCache
• Secured data (I.e. requiring authorization) is not cached• Partial page refresh supported for Portal• Can act as a reverse-proxy server• Can act as a load-balancer
WebCache 10g
User E-Business Suite 11i Application Server
<Insert Picture Here>
Integrating the E-Business Suite with Third-Party Access Management & LDAP Directories
Third-Party Single Sign-On Integration
Oracle SingleSign-On 10g
E-BusinessSuite 9iAS1.0.2.2.2
Third-PartySSO
… delegates user authentication to …
… delegates user authentication to …
Supported Third-Party SSO Integrations
Integrate Oracle Single Sign-On with• Windows Native Authentication via Kerberos• CA Entrust, CA Netegrity, IBM Tivoli, RSA • PKI X.509v3 Digital Certificates• Biometric and smartcard systems• Other SSO systems via custom adapters
• Oracle Identity Federation• Formerly Oblix COREid Federation• SAML, WS-Federation, Liberty Alliance
• Oracle Access Manager• Formerly Oblix COREid Access & Identity
If you already have a third-party LDAP…
OracleInternetDirectory10g
E-BusinessSuite DB(FND_USER)
Third-PartyLDAP
… synchronizes user attributes with …
… synchronizes user attributes with …
Supported Third-Party LDAP Integrations
Integrate Oracle Internet Directory with• Microsoft Active Directory 2000/2003• Microsoft Exchange 2000/2003• Sun Java System Directory (Sun ONE / iPlanet) 5.2• Novell eDirectory 8.6 / 8.7• OpenLDAP 2.2• Any LDAP directory via LDIF files• Any other directory via custom DIP agent
• Oracle Identity Manager• Formerly Thor Xellerate Identity Provisioning• Also integrates directly with E-Business Suite FND_USER
• Oracle Virtual Directory• Formerly OctetString Virtual Directory Engine
E-BusinessDatabase(FND_USER)
OracleInternet
Directory
Third-PartyLDAP(optional)
User Password User Password User PasswordX X
Passwords Stored in Third-Party LDAP
• Third-party LDAP:• Handles user authentication, usually with a third-party authentication
solution• Commonly considered “Master” source-of-truth
• Oracle Internet Directory and E-Business Suite take minimal copies of master user definition -- excluding passwords
• E-Business Suite doesn’t maintain user passwords in this configuration
<Insert Picture Here>
How Third-Party Identity Management works withthe E-Business Suite
Third-Party Integration Architecture
Single Sign-On 10g
OracleInternetDirectory 10g
Third-PartySSO
Third-PartyLDAP
Apps 11iDatabase(FND_USER)
EndUser
Apps 11i9iAS 1.0.2.2.2
How Third-Party Logons Work with 11i
• Step 1. User provides userid & password to third-party single sign-on system
Third-PartySSO
How Third-Party Logons Work with 11i
• Step 2. Third-party single sign-on sends user’s credentials to third-party LDAP for authentication
Third-PartyLDAP
Third-PartySSO
How Third-Party Logons Work with 11i
• Step 3. Third-party single sign-on provides authenticated user with third-party security token
Third-PartySSO
Third-PartyToken
How Third-Party Logons Work with 11i
• Step 4. User attempts to access E-Business Suite, and is redirected to Oracle Single Sign-On 10g
E-BusinessSuite
Single Sign-On10g
How Third-Party Logons Work with 11i
• Step 5. Oracle Single Sign-On recognizes the third-party security token, then issues its own
Single Sign-On 10g
SSO Security Token
How Third-Party Logons Work with 11i
• Step 6. User is redirected back to E-Business Suite, which recognizes the SSO security token and issues its own
Single Sign-On 10gApps
SecurityToken
E-BusinessSuite
Third-Party Integration Architecture
Single Sign-On 10g
OracleInternetDirectory 10g
Third-PartySSO
Third-PartyLDAP
Apps 11iDatabase(FND_USER)
EndUser
Apps 11i9iAS 1.0.2.2.2
<Insert Picture Here>
Customer Case Studies
Deployed Widely in Production • Amdocs (Israel)• Alcoa (Europe)• Applied Materials (Israel)• Atento (Norway)• Berwind Pharmaceuticals (USA)• Bunnings (Australia)• CapGemini / Councils Online (Australia)• Central Bank of Nigeria• Cisco Systems• Cox Communications (USA)• Fiera Milano (Italy)• General Dynamics Land Sys• General Electric (USA)• Google (USA)
• Guandong Unicom (China)• Inter-Arab Investment Guarantee (Kuwait)• International Enterprises (Singapore)• International Institute for Applied Systems
Analysis (Austria)• Ireland Dept of Defence• Kansas State University• Libgo Travel (USA)• Mitac (Taiwan)• Phoenix Technologies (USA)• Putrajaya (Malaysia)• Telecom Italia Mobile (Italy)• Texas Instruments (USA)• Universal Weather & Aviation (USA)• Wind River Systems (USA)• World Wide Technology
These are not customer references
Integration with MicrosoftActive Directory Only
Single Sign-On10g
OracleInternetDirectory 10g
MicrosoftActiveDirectory
Apps 11i9iAS 1.0.2.2.2
EndUser
Apps 11iDatabase(FND_USER)
Integration with MicrosoftActive Directory & Kerberos
Single Sign-On 10g
OracleInternetDirectory 10g
Microsoft WindowsNative Authenticationvia Kerberos
Microsoft ActiveDirectory
Apps 11i9iAS 1.0.2.2.2
Apps 11iDatabase(FND_USER)
EndUser
Internal / External Configuration
FirewallFirewall
Internet ReverseProxy
Firewall
External9iAS 1.0.2
Server
OracleAS 10gInfrastructure
Database
OracleInternet
DirectoryServer 10gInternal 9iAS
1.0.2 Server
Release 11iDatabase
SingleSign-On 10g
InternalUsers
ExternalUsers
Shared 11i Filesystem
RAC 1 RAC 2
Highly Available
FirewallFirewall
ExternalUsers
Internet ReverseProxy
Firewall
InternalUsers
WebNode 3
WebNode 4
HTTP LBR2
HTTPLBR1
WebNode 2
WebNode 1
LBR1
SSONode 2
SSONode 1
OracleAS 10gInfrastructure DB
OID 1 OID 2
<Insert Picture Here>
Release 12Technology Stack
Release 12 Technology Stack 3-Tier Logical Architecture
Application
JSP
Forms
Reports
BC4J
OC4J
Web
Lis
tene
rUIX
DatabaseClient
Data Guard
Partitioning
RAC & ASM
Global Single Data Model
JDB
C/SQ
L Net
HTTP / S
Application Tier Overall Structure
COMMON TOP
APPL TOP
Apache 1.3
OC4J
RSF 10.1
AS 10.1.3Java Oracle Home
Reports 10
Forms 10
RSF 10.1
Developer 10.1.2C Oracle Home
RDBMSComponents
RSF 10.2
DatabaseOracle Home
R12 Application Server Tier
• OracleAS 10g 10.1.2 for Forms & Reports Services• Replaces the 8.0.6-based Oracle_Home provided by iAS 1.0.2.2 in
11i
• OracleAS 10g 10.1.3 for Oracle Containers for Java (OC4J)• Replaces the 8.1.7-based Oracle_Home provided by iAS 1.0.2.2 in
11i
• Oracle JDeveloper 10.1.3• JDBC 10.2• JDK 5.0 for web & concurrent processing
Optional External Integrations
Ext OracleAS Metadata
SingleSign-On
OracleInternet
Directory
Apps WebProvider &
Portlets
OracleAS10.1.3
R12Database(FND_USER)
PortalMetadata
OID UserRepository
DirectoryIntegration
Platform 10g
Third-PartyLDAP(optional)
Third-PartySSO
(optional)
Asynchronousprovisioning
Synchronousprovisioning(DBMS_LDAP)
mod_osso
Portal
External OracleAS 10g
R12 Application Server R12 Database Server
JDB
C/SQ
L*Net
JDB
C/SQ
L*Net
DiscovererMetadata
DiscovererEnd-User
Layer
Latest Release 12 Certifications
Version
Single Sign-On & Oracle Internet Directory 10.1.2.0.2
Access Manager 10.1.4
Identity Manager 10.1.4
Portal 10.1.4
Discoverer 10.1.2.0.2
Oracle Integration 10.1.2.0.2
Oracle Enterprise Manager 10g Grid Control Release 3
Optional External Integrations
Apps Portlets in Third-Party Portals
• WSRP 1.0 compatible E-Business Suite portlets may be used in third-party portals
• Available for:• Application Navigator portlet• Application Favorites portlet• Application Worklist portlet
New and Changed Features
• SSO integration using mod_osso• “SWAN” UI based new local login page• Support for adding custom local login pages• Synchronous provisioning from E-Business Suite to OID• Support for username changes• Pending user creation• On-demand user creation• Support for case-sensitive passwords• Support for E-Business Suite proxy user sessions
Local Login PageRelease 11i User Interface
Local Login PageRelease 12 User Interface
Local Login PageRelease 12 Login Assistance
Local Login Page Benefits
• Replaces the current local login page AppsLocalLogin.jsp• Ability to customize local login page• Automated password reset• Automated userid reminder• Accessibility mode for screen readers
<Insert Picture Here>
Release 11 & 12Certification Roadmap
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions.The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Upcoming Application Server Certifications
Release 11i
• Oracle Application Server 10g Ver. 10.1.2.2 for non-Linux platforms
• Business Intelligence 10g Ver. 10.1.3.2.xfor UNIX platforms (Siebel Business Analytics, “Maui” release)
Release 12
• Oracle Application Server 10g Ver. 10.1.2.2
• Oracle Application Server 10g Ver. 10.1.3.3
• Oracle Application Server 10g Ver. 10.1.4.0.1
• Oracle Identity Manager 10g
• Web Center 10g Ver. 10.1.3.2
• Business Intelligence 10g Ver. 10.1.3.2.xfor UNIX platforms (Siebel Business Analytics, “Maui” release)
• Web Cache 10g Ver. 10.1.2.2
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions.The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Oracle E-Business Suite Technology Stack Blog
http://blogs.oracle.com/schan
• Breaking Apps techstack news• Primers & FAQs• Certification, desupport announcements• Architectures, advanced configurations• Early Adopter Programs• Statements of Direction• Discuss Apps techstack topics with
senior Development Architects• Subscribe via email or RSS feedreaders
OracleAS + E-Business Suite Resources
• Application Server + 11i FAQ Note 186981.1• 11i Documentation Roadmap Note 207159.1
• Application Server + R12 FAQ Note 415007.1• R12 Documentation Roadmap Note 380482.1
• Statement of Direction Note 223927.1
