SID # 283122 Leveraging enterprise identity management capabilities of Application Server 10g with E-Business suite : A Customer Case Study


Arun Changamveetil, Sr. Principal Architect, Fujitsu Consulting

Michael Kron, Project Manager, Regal Beloit Corporation


Agenda

• Regal Beloit corporation

• Business requirement

• Current Architecture

• Various architecture options

• New Architecture

• Implementation steps

• Major road blocks

• Best Practices

• Business benefits

• Road to success

• Question and Answers


Regal Beloit Corporation

Founded in 1955 ( Originally known as Beloit Tool )

Leading manufacturer of electrical and mechanical motion productions

11,000 employees

69 manufacturing and service /distribution facilities

# 1 fastest growing company in Wisconsin

USD $ 1.4 Billion net sales FY 2005

Acquired GE Motors in 2004

Visit us @ www.regalbeloit.com


Business Requirement

“We need to have a seamless environment for customers that are using i-Store, i-Supplier and i-Support modules of E Business suite”

Single Sign-on / point of entry for customers to CRM applications, Portal, Discoverer reports and custom applications

Single Sign-on for employees

Central LDAP repository for all users (customers and employees)


Current Architecture


Various Architecture options

1. Implement AS 10g SSO/Portal with E Business suite DMZ configuration

2. Implement AS 10g SSO/Portal with E Business suite using Reverse proxy

3. Buy router technology for redirection, e.g. Juniper, Cisco solutions

4. Buy third party SSO software

5. Implement AS 10g SSO/Portal with E Business suite no DMZ configuration


New Architecture


Implementation Steps

Implementation Steps – Overview

1. Build AS 10g Infrastructure

2. Build AS 10g Middle Tier

3. Configure AS 10g Infrastructure to run on Reverse Proxy

4. Configure AS 10g Middle tier to run on Reverse Proxy

5. Eject E Business suite external node from E-Business Suite 11i farm

6. Configure Oracle Applications 11i to run with Reverse Proxy

7. Bulkload Oracle Applications 11i users for Oracle Internet directory

8. Integrate E Business suite 11i with Oracle Application Server 10g

9. Update Profile Options


Step # 1 & 2

Build AS 10g Infrastructure

Follow the Installation Documentation

Build AS 10g Middle Tier

Follow the Installation Documentation


Step # 3 Configure AS 10g Infrastructure to run on reverse proxy

Enable HTTP Server to run on port 80

chown root .apachectl

chmod 6750 .apachectl

Execute the ssocfg Script

Issue this command in $ORACLE_HOME/sso/bin:

ssocfg.sh http sso.regalbeloit.com 80

Update the targets.xml File

$ORACLE_HOME/sysman/emd/targets.xml

HTTPMachine, HTTPPort

Restart all Infrastructure services

opmnctl stopall

opmnctl startall


Update the httpd.conf File

KeepAlive Off

ServerName sso.regalbeloit.com

Port 80

Create a Virtual Host

LoadModule certheaders_module libexec/mod_certheaders.so

NameVirtualHost infra.rbcmtg.com:7777

<VirtualHost infra.rbcmtg.com:7777>

ServerName sso.regalbeloit.com

Port 80

RewriteEngine On

RewriteOptions inherit

</VirtualHost>


Update Internet directory Operational URL

http://sso.regalbeloit.com/

Register mod_osso to Use the Proxy Host Name

ssoreg.sh -oracle_home_path $ORACLE_HOME -site_name regalsso1 -config_mod_osso TRUE -mod_osso_url http://sso.regalbeloit.com

Restart Infrastructure Services

Validate SSO Login http://sso.regalbeloit.com/pls/orasso


Step # 4 Configure AS 10g Middle Tier with reverse proxy

Create a Virtual host

LoadModule certheaders_module libexec/mod_certheaders.so

NameVirtualHost hegel.rbcmtg.com:7778

<VirtualHost hegel.rbcmtg.com:7778>

ServerName portal.regalbeloit.com

Port 80

RewriteEngine On

RewriteOptions inherit

</VirtualHost>

Bounce Middle Tier

Configure loopback communication for internal server, e.g.

127.0.0.1 loopback localhost

127.0.0.2 portal.regalbeloit.com

297.254.126.28 portal.regalbeloit.com

297.254.126.27 login.regalbeloit.com


Specify the Oracle AS Portal Published Address and Protocol

- update iasconfig.xml

- ptlconfig -encrypt ( Encrypt passwords )

- ptlconfig -dad portal -site -wc -em ( Update EM )

Configure the Parallel Page Engine Loop-Back with the Load Balancing Router on portal.regalbeloit.com

Update -

$ORACLE_HOME/j2ee/OC4J_Portal/applications/portal/portal/WEB-INF/web.xml

With the Middle tier HTTP port

dcmctl updateconfig

Restart Middle tier services

Configure Oracle AS Web Cache with the Reverse Proxy Server on portal.regalbeloit.com

http://mt.regalbeloit.com:9400/webcacheadmin

-Site Definitions ( add portal.regalbeloit.com )

-Site to Server Mapping ( map portal.regalbeloit.com to mt.rbcmtg.com )


Configuring Seeded Providers and Locally Hosted Web Providers

Update -

$ORACLE_HOME/j2ee/OC4J_Portal/applications/portalTools/omniPortlet/WEB-INF/web.xml

With middle tier HTTP port , HTTP protocol

Re-register mod_osso on mt.regalbeloit.com

ssoreg.sh -site_name regalmtsso1 -mod_osso_url http://sso.regalbeloit.com -config_mod_osso TRUE -oracle_home_path $ORACLE_HOME -config_file $ORACLE_HOME/Apache/Apache/conf/osso/osso.conf -admin_info cn=orcladmin -virtualhost

Restart Middle Tier Services

opmnctl stopall

opmnctl startall

Test Portal thru Reverse Proxy

http://portal.regalbeloit.com/pls/portal
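
The virtual host blocks in Steps 3 and 4 only do their job behind the reverse proxy when each block's ServerName and Port carry the published name and port, and the NameVirtualHost address matches the block it introduces. A check for that, added here as an example (not part of the original slides); the function name check_vhosts and both sample configurations are constructed for illustration:

```shell
#!/bin/sh
# usage: check_vhosts PUBLISHED_HOST PUBLISHED_PORT < httpd.conf
# Prints one finding per line; exit status 0 means no findings.
check_vhosts() {
    awk -v want_host="$1" -v want_port="$2" '
        { sub(/\r$/, ""); sub(/^[ \t]+/, "") }      # tolerate CRLF and indentation
        /^#/ || /^$/ { next }                         # skip comments and blank lines
        tolower($1) == "namevirtualhost" {
            if (NF == 2) nvh[$2] = NR
            else { printf "line %d: NameVirtualHost needs exactly one address: %s\n", NR, $0; bad = 1 }
            next
        }
        tolower($1) == "<virtualhost" {
            addr = $2; sub(/>$/, "", addr)
            in_vh = 1; name = ""; port = ""
            next
        }
        in_vh && tolower($1) == "servername" { name = $2; next }
        in_vh && tolower($1) == "port"       { port = $2; next }
        in_vh && tolower($1) == "</virtualhost>" {
            in_vh = 0; seen[addr] = 1
            if (!(addr in nvh)) {
                printf "VirtualHost %s: no matching NameVirtualHost line\n", addr; bad = 1
            }
            if (name != want_host || port != want_port) {
                printf "VirtualHost %s: publishes %s:%s, expected %s:%s\n", addr, name, port, want_host, want_port
                bad = 1
            }
        }
        END {
            for (a in nvh) if (!(a in seen)) {
                printf "line %d: NameVirtualHost %s has no VirtualHost block\n", nvh[a], a; bad = 1
            }
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample: the middle-tier block from Step 4.
sample_good() {
    cat <<'EOF'
NameVirtualHost hegel.rbcmtg.com:7778
<VirtualHost hegel.rbcmtg.com:7778>
    ServerName portal.regalbeloit.com
    Port 80
    RewriteEngine On
    RewriteOptions inherit
</VirtualHost>
EOF
}

# Constructed broken variant: internal name and port published,
# and the NameVirtualHost address does not match the block.
sample_bad() {
    cat <<'EOF'
NameVirtualHost hegel.rbcmtg.com:7777
<VirtualHost hegel.rbcmtg.com:7778>
    ServerName hegel.rbcmtg.com
    Port 7778
</VirtualHost>
EOF
}

sample_good | check_vhosts portal.regalbeloit.com 80 && echo "good sample: consistent"
sample_bad  | check_vhosts portal.regalbeloit.com 80 || echo "bad sample: findings listed above"
```

Run it against each tier's httpd.conf with that tier's published name, for example sso.regalbeloit.com 80 on the infrastructure tier.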


Step # 4 Eject E-Business suite external node from E-Business Suite 11i farm

- Delete all old profile options ( level_id 1007 and 1004 ) for external node

- Run Autoconfig on all tiers

Step # 5 Configure Oracle Applications 11i to run with Reverse Proxy and move ebiz.rbcmtg.com to ebiz.regalbeloit.com

- Configure Oracle Applications 11i to run on port 80

- Configure e-Business suite to use reverse proxy server

- S_webhost, S_webentryhost, S_webentrydomain, S_login_page

- Run Autoconfig

- Grant Preferences SSWA to all users

- Test http://ebiz.rbcmtg.com/oa_servlets/AppsLogin.jsp


Step # 6 Password Restrictions

- Take out E Business suite password restrictions ( e.g. profile option SIGNON PASSWORD CUSTOM )

- Take out OID password restrictions


Step # 7 Integrate E Business Suite 11i to Single Sign

- Apply Integration patches

- 5035514 ( Build 3.2 )

- 4775907 ( Build 4.0 )

- Choose the registration type

- ProvBiDirection.tmp / simple / Bi-direction template

- Compile the parameter Checklist

AS 10g Infrastructure hostname, DB port, DB SID, LDAP port, E Business suite ( apps , system ) password, repository ( DB , orasso password ), registration password, provisioning profile path ( $FND_TOP/admin/template/provOIDToApps.tmp )

- Check perl version: perl -v should be 5.005

environment variables (ADPERLPRG , PERL5LIB , PATH)

- Register txkrun.pl -script=SetSSOReg


- Confirm successful registration

- End of <FND_TOP>/patch/115/bin/txkSetSSOReg.pl: No errors encountered.

- Validate SSO by running tests

- Follow Note # 233436.1 for test details

- Run OID validation tests

- Follow Note # 233436.1 for test details

- Verify that the e-Business suite is correctly integrated with SSO

- http://ebiz.regalbeloit.com/oa_servlets/AppsLogin.jsp


- http://ebiz.regalbeloit.com/


- Check OID logs

$ORACLE_HOME/ldap/odi/log

_E.aud, _E.trc: Provisioning from OID to e-Business Suite

_I.aud, _I.trc: Provisioning from e-Business Suite to OID


- Create a user in E-Business suite

- Check provisioning

- Create a user in OID

- Check provisioning

Step # 8 Bulk Load Users

- Setup Environment variables

- export CLASSPATH=$APPL_TOP/JAVAI:$CLASSPATH

- export ADPERLPRG=/idev/prodap/u01/app/iprodora/iAS/Apache/perl/bin/perl

- export PERL5LIB=/idev/prodap/u01/app/iprodora/iAS/Apache/perl/lib/5.00503:/idev/prodap/u01/app/iprodora/iAS/Apache/perl/lib/site_perl/5.005:/idev/prodap/u01/app/iprodappl/au/11.5.0/perl

- export PATH=/idev/prodap/u01/app/iprodora/iAS/Apache/perl/bin:$PATH


- Extract users from e Business suite

java oracle.apps.fnd.oid.AppsUserExport -v -pwd apps -g -dbc $FND_TOP/secure/plato_idev.dbc -o idev_fnduser.out -l idev_fnd_user.log


- Load all extracted users to OID

- Migrate the users list to OID compatible ldif file

ldifmigrator "input_file=/home/oracle/brxinf/as10g/idev_fnduser.ldif" "output_file=data.ldif" "s_UserContainerDN=cn=users,dc=rbcmtg,dc=com" "s_UserNicknameAttribute=uid"

- Shutdown ldap processes

- Disable provisioning

oidprovtool operation=disable ldap_host=hobbes.rbcmtg.com ldap_port=389 ldap_user_dn=cn=orcladmin ldap_user_password=iaspass1 application_dn="orclApplicationCommonName=IDEV,cn=EBusiness,cn=Products,cn=OracleContext,dc=rbcmtg,dc=com" profile_mode=BOTH


- Bulk load to OID

bulkload.sh -connect pinfdb1 -generate -check -load /home/oracle/brxinf/as10g/data.ldif

- Restart Infrastructure services

- Search for last change number

ldapsearch -h hobbes.rbcmtg.com -D "cn=orcladmin" -w iaspass1 -s base -b "" "objectclass=*" lastchangenumber

- Update last change number

oidprovtool operation=MODIFY ldap_host=hobbes.rbcmtg.com ldap_port=389 ldap_user_dn=cn=orcladmin ldap_user_password=iaspass1 application_dn="orclApplicationCommonName=IDEV,cn=EBusiness,cn=Products,cn=OracleContext,dc=rbcmtg,dc=com" orclLastAppliedChangeNumber=3055

- Enable provisioning

oidprovtool operation=enable ldap_host=hobbes.rbcmtg.com ldap_port=389 ldap_user_dn=cn=orcladmin ldap_user_password=iaspass1 application_dn="orclApplicationCommonName=IDEV,cn=EBusiness,cn=Products,cn=OracleContext,dc=rbcmtg,dc=com" profile_mode=BOTH


- Restart all instances in following sequence

- AS 10g middle tier

- AS 10g Infrastructure tier

- Oracle Applications Middle tier

- Oracle Applications Admin tier

- Test ebiz.regalbeloit.com/oa_servlets/AppsLogin.jsp
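
Step 8 reads lastchangenumber with ldapsearch and writes it into the provisioning profile before provisioning is re-enabled. The script below is an added example (not from the original slides) that carries the value from the ldapsearch output into the MODIFY and enable calls shown in Step 8, and leaves provisioning disabled when no number comes back. DRY_RUN, OID_ADMIN_PW and the function names are assumptions, and the sample ldapsearch output line is constructed.

```shell
#!/bin/sh
# Host and application DN as used in Step 8 of the slides.
LDAP_HOST=hobbes.rbcmtg.com
APP_DN='orclApplicationCommonName=IDEV,cn=EBusiness,cn=Products,cn=OracleContext,dc=rbcmtg,dc=com'
: "${DRY_RUN:=1}"   # assumption: 1 prints the commands, 0 executes them
# OID_ADMIN_PW (assumption): orcladmin password taken from the environment,
# so it is not stored in the script or in the runbook.

# Read ldapsearch output on stdin and print the lastchangenumber value.
# Accepts "attr=value" and LDIF "attr: value"; fails if no number is present
# (for example when the bind failed and only an error message came back).
parse_last_change_number() {
    awk '
        tolower($0) ~ /^lastchangenumber[ \t]*[:=]/ {
            v = $0
            sub(/^[^:=]*[:=][ \t]*/, "", v)
            sub(/[ \t\r]+$/, "", v)
            if (v ~ /^[0-9]+$/) { print v; found = 1; exit }
        }
        END { if (!found) exit 1 }
    '
}

# Run (or, in dry-run mode, print with the password masked) one oidprovtool call.
provtool() {
    op=$1; shift
    set -- oidprovtool "operation=$op" "ldap_host=$LDAP_HOST" ldap_port=389 \
        ldap_user_dn=cn=orcladmin "ldap_user_password=$OID_ADMIN_PW" \
        "application_dn=$APP_DN" "$@"
    if [ "$DRY_RUN" != 0 ]; then
        printf '%s\n' "$*" | sed 's/ldap_user_password=[^ ]*/ldap_user_password=****/'
    else
        "$@"
    fi
}

# stdin: output of the ldapsearch command from Step 8.
# Updates the applied change number, then enables provisioning; stops at the
# first failure so provisioning is never enabled with a missing number.
resume_provisioning() {
    n=$(parse_last_change_number) || {
        echo "lastchangenumber not found; provisioning left disabled" >&2
        return 1
    }
    provtool MODIFY "orclLastAppliedChangeNumber=$n" &&
        provtool enable profile_mode=BOTH
}

# Constructed sample of the ldapsearch result; in dry-run mode this prints
# the two oidprovtool commands that would be executed.
printf 'lastchangenumber=3055\n' | resume_provisioning
```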


Step # 9 Update Profile Options

Applications SSO Auto Link User – Disable

Applications SSO Enable OID Identity Add Event – Disable

Applications SSO Login Types – SSO

Applications SSO Type – SSWA w/SSO

Applications Local Change Password URL – http://sso.regalbeloit.com/oiddas/ui/oracle/ldap/das/mypage/AppChgPwdMyPage?

Application SSO Change Password URL – http://sso.regalbeloit.com/oiddas/ui/oracle/ldap/das/mypage/AppChgPwdMyPage?

Application SSO Forget Password URL


Best Practices

Always start from design not from metalink notes

Open up all ports – implement – close all ports

OID password became upper case after password change or user name change under case insensitive mode - Apply patch # 5331119

Calls to FND_USER_PKG.UpdateUser(..) that do not modify OID information fail – Apply patch # 5370915

Implement an internal Reverse Proxy Server

At reverse proxy server level – implement the redirects after the integration

Terminate https connections at Reverse proxy server

Always have a Dev and Test environment

If you have $$$ use load balancer


Major Road-Blocks

DMZ Configuration

Provisioning

Loading users from e-Business suite to OID

Password security

Configuring AS 10g with reverse proxy server

Firewall ports

Backing out of DMZ Configuration

Password reset – Unable to login to apps after resetting the password


Business Benefits

Consolidated self registration process for all CRM applications and Portal

Usage of e Business Suite portlets on portal pages

Access to custom applications and to iStore from a single sign-on into Portal

Access to Discoverer from Portal

Simplified user maintenance


Road To Success – Documentations Followed

287176.1 Oracle E-Business Suite 11i Configuration in a DMZ

233436.1 Installing Oracle Application Server 10g with Oracle E-Business Suite Release 11i

305918.1 Using Oracle Portal 10g with Oracle E-Business Suite 11i

313418.1 Using Discoverer 10.1.2 with Oracle E-Business Suite 11i

340178.1 Enabling SSL with Oracle Application Server 10g and the E-Business Suite

123718.1 11i: A Guide to Understanding and Implementing SSL for Oracle Applications

201340.1 Using Forms Listener Servlet with Oracle Applications 11i

Chapter 3. "Configuring SSL for AutoConfig-enabled System" - 11i Administration Manual

Oracle Application Server Enterprise Deployment Guide 10g Release 2 (10.1.2)


Questions and Answers


THANK YOU