Wednesday, January 11, 2017

SSO in Multiple EBS R12.2 by Single OID/OAM 11g for Multiple Sets of Users
SSO implementation in EBS R12.2 with a common user base is well documented by Oracle. However, the complexity of serving different sets of users across multiple EBS R12.2 environments is not well documented, or has not been achieved before. The problem statement is this: there are multiple sets of users, such as developers, testers, and setup users, and these users connect to multiple EBS environments; a given user may have access to only one, some, or all environments. Multiple groups, such as CVDV, CVIT, and CVUT, were created in Microsoft AD. These groups are then synced to OID and placed in multiple user containers under the same domain, such as CVDV, CVIT, and CVUT (not the default Users container). These user containers should then be either linked or provisioned in the respective EBS environment.
In this blog post, I will discuss a way to address the challenge described above. Most often, there is a separate OID and OAM combination serving a specific environment, or a group of environments that share the same set of users. For example, see the flow chart below.

In the above example, I am using a single AD, which is mostly the case. However, there could also be a development AD, but you get the point. Here are some potential pitfalls that I see:

  1. The same set of users has access to both the UAT and DEV environments. If they want to separate these, then another OID and OAM environment has to be stacked up.
  2. Some development users may need access to UAT and/or SIT, and the granularity of access is not there.
  3. Licensing cost for stacking up multiple environments, plus the further maintenance cost and patch cycle time and effort.
  4. After cloning from PROD, if the users are not segregated at OID for UAT and DEV, then all of those users may have access to the UAT and DEV environments unless a precaution was taken to end-date users after the clone.
After thinking it through, I asked: why not have only a single OID/OAM combination for all non-prod environments and a separate set of users for each, so that some users only have access to UAT while others have access to DEV and SIT, and some common users have access to all or some? This addresses the issues mentioned above. The depiction looks like this:

So the question is: how do we do it?
Here is how:
Before I proceed, I will put in an architecture diagram to illustrate. I have created Python scripts to fail over and fail back in an active-passive cluster for WebLogic, where the OID (OPMN component) is an active-active cluster.

It is assumed that you have already installed OID and OAM and that they are up and running with the latest versions (11g at the time of this post). Further, EBS 12.2 is ready for OAM/OID.

Step 1: Log in to ODSM using a browser; I use Firefox. After entering the username and password, you will land on the home screen. Navigate to the Data Browser and then to your domain. I deleted the client domain name and inserted “abc” in its place, so it now reads corp.abc.com.

Step 2: Create as many directories (containers) as there are EBS environments you will be serving, such as CVIT for the SIT environment. Here I am connecting three environments: UAT, SIT, and DEV. I took the prefix CV for checking validity, but you can use a meaningful name for your organization. You can do it either way; the easier way is “create as”, selecting Users as the source.

Step 3: Now we need ACLs for these directories similar to the ones Users has. So we navigate to the Security tab and create the same directories, selecting Users as the “create as” reference, for CVIT, CVUT, and CVDV as indicated below.

Step 4: Now we navigate to the Advanced tab to create attribute uniqueness, and create three attribute uniqueness entries, one for each of the three containers.

Step 5: Now we need to set Oracle's default search base one directory level up from the default. Note that the default search base and the default create base both point to the Users directory. We do not want to change the default create base, which stays as Users. However, the default search base should be changed to one level up, so that the entire directory is searched by OAM, as indicated in the picture below.

While staying in the Advanced tab, update the subscription for the AD plug-in from the default Users to your specific containers as follows:
Click on “oidexplg_bind_ad” -> Optional Properties -> Plug-in Subscriber DN List
Update it and add the three containers we have created, CVIT, CVUT, and CVDV, as:

And enable the plug-in as:

Please repeat the same for the “oidexplg_compare_ad” plug-in on the same page.
Step 6: Now we leave ODSM and go to DIP through the Enterprise Manager console, and create three synchronization profiles, each pointing to its directory structure created in ODSM, such as CVIT to CVIT and so forth. Here I am opening one such profile to demonstrate the process.

Step 7: In the same synchronization profile you need to separate the users by filter. Ask your Microsoft AD administrator to create three groups whose memberships hold the users pointed at each of those environments. For example, we have created three groups: “CVDV”, “CVIT”, and “CVUT”. We can add or remove memberships as often as needed as users and their responsibilities progress from DEV to UAT. However, there needs to be a manual script at the OID UNIX level that deletes users already synced to OID whenever a membership change requires a user to be removed from one of the containers. Once the delete on OID happens, the user gets end-dated on the EBS side. We cannot use Oracle’s default delete sync, as we are not using a 1:1 directory tree mapping from AD to OID, and we lack the privilege such a process needs. Please ping me if you need the script to do this.

Step 8: Edit the event configuration on the synchronization profile to match the directory this profile is intended for. By default it points to the Users directory. You can use “oidprovtool”, or a combination of ldapsearch and ldapdelete, on this synchronization profile, or use this screen to edit it. It should look like:

Step 9: Now we should start making some changes in OAM to put things in perspective. Here we will create three identity stores, three authentication schemes, and three authentication modules to separate the searches. Remember, this authentication scheme is what we need to present when registering EBS to OAM, so that we separate each environment by its directory in ODSM. Let’s create three identity stores that can then be selected for the authentication schemes and modules.
So when you log in to OAM, this is what is displayed:

Now select the Configuration tab at the top, where the Application Security tab is currently selected.

Now go to User Identity Stores as:

Here is an example of one identity store that points to its directory structure in OID.

Here is an example of creating an authentication module [first navigate to the Launch Pad, then to Authentication Modules]:

And here is an example of creating an authentication scheme [see Authentication Schemes under the Access Manager tab on the Launch Pad above]:

Please repeat so that you have three of each (one identity store, authentication module, and authentication scheme for CVIT, CVUT, and CVDV), such as:

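The following Python script is an added example, not code from the original post, from Oracle, or from the client. It models the container layout built in Steps 7 and 9 with constructed sample users (the uids, DNs, and the host name are assumptions) to show why each OAM identity store must be scoped to its own container, and to list the OID entries left behind when a user is dropped from an AD group, as ldapdelete commands to review before running.

```python
# Added example (not from the original post or Oracle): a model of the OID layout the
# post builds, per-environment containers under dc=corp,dc=abc,dc=com, used for two checks:
#  - Step 9: which users an OAM identity store resolves for a given search base, and why
#    a base one level up (the realm itself) hands every container's users to every EBS env;
#  - Step 7: which OID entries are stale after an AD group membership change, emitted as
#    ldapdelete commands for review. All uids, DNs and the host are constructed samples.
REALM = "dc=corp,dc=abc,dc=com"

def dn_parts(dn):
    """Split a DN into normalized RDNs (lowercase, trimmed), leaf first."""
    return [p.strip().lower() for p in dn.split(",")]

def in_subtree(dn, base):
    """True when dn is base itself or lies under base (suffix match on whole RDNs)."""
    d, b = dn_parts(dn), dn_parts(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def resolve_users(search_base, oid_entries):
    """Sorted uids an identity store with this search base would find."""
    return sorted(u for u, dn in oid_entries.items() if in_subtree(dn, search_base))

def stale_entries(container, oid_entries, ad_group_members):
    """DNs in the environment container whose uid is no longer in the matching AD group."""
    wanted = {m.lower() for m in ad_group_members}
    return sorted(dn for u, dn in oid_entries.items()
                  if in_subtree(dn, container) and u.lower() not in wanted)

def ldapdelete_cmds(dns, host="oidhost.example", port=3060):
    """One command per DN; bind as orcladmin, password read from an env var at run time."""
    return [f'ldapdelete -h {host} -p {port} -D cn=orcladmin -w "$ORCLADMIN_PW" "{dn}"'
            for dn in dns]

# Constructed sample: OID after the three DIP profiles have synced (uid -> DN; the RDN
# is cn, as in the post's OID_CONF preferences).
OID_ENTRIES = {
    "asmith": f"cn=asmith,cn=cvit,{REALM}",
    "bjones": f"cn=bjones,cn=cvit,{REALM}",
    "cwong": f"cn=cwong,cn=cvdv,{REALM}",
    "dlee": f"cn=dlee,cn=cvut,{REALM}",
    "orcladmin": f"cn=orcladmin,cn=users,{REALM}",
}
# Constructed sample: current members of the AD group CVIT (bjones has been removed).
AD_CVIT_MEMBERS = ["asmith"]

if __name__ == "__main__":
    print("CVIT identity store:", resolve_users(f"cn=cvit,{REALM}", OID_ENTRIES))
    print("realm-wide base    :", resolve_users(REALM, OID_ENTRIES))  # every environment
    for cmd in ldapdelete_cmds(stale_entries(f"cn=cvit,{REALM}", OID_ENTRIES, AD_CVIT_MEMBERS)):
        print(cmd)
```

The realm-wide result is the pitfall from the introduction: an identity store whose search base is the parent domain resolves every environment's users, so the per-container base is what keeps a CVDV user out of the SIT instance.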

Step 10: Now we are ready for the OID and OAM registration on the EBS side. Execute these in the PTCH instance after enabling the ADOP phase, i.e. adop phase=prepare. Note that you must execute this on all three environments if configuring them together!!
Please use the following for OID registration on EBS R12.2. Pass provisiontype explicitly, as by default it will be bi-directional. You will need the LDAP hostname, port, orcladmin password and apps password to perform the following step.

$FND_TOP/bin/txkrun.pl -script=SetSSOReg -registeroid=yes -provisiontype=3
[One can provide a non-default name for the following parameters if the default, which is the CONTEXT_FILE name, is not desired: -appname=  -svcname=]

Please use the following process to register OAM in the same ADOP phase:
  • Install WebGate:
txkrun.pl -script=SetOAMReg -installWebgate=yes -webgatestagedir=/ebsstagesw/ebs1223/MCG [Please change to your directory]

  • Deploy AccessGate:
perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources -contextfile=$CONTEXT_FILE -deployApps=accessgate -SSOServerURL=http://oamdevuat.corp.abc.com:14100 -logfile=deployeag.log
  • Register EBS to OAM as [Please note the authentication scheme here; it is the per-environment scheme from Step 9]:
txkrun.pl -script=SetOAMReg -registeroam=yes -oamHost=http://oamdevuat.corp.abc.com:7002 -oamUserName=weblogic -ldapUrl=ldap://oamdevuat.corp.abc.com:3060 -oidUserName=cn=orcladmin -ldapSearchBase=cn=cvit,dc=corp,dc=abc,dc=com -ldapGroupSearchBase=cn=Groups,dc=corp,dc=abc,dc=com -authScheme=CVITAuthScheme -authSchemeMode=reference
Now the ADOP phase should end as:
adop phase=finalize,cutover,cleanup finalize_mode=full cleanup_mode=full mtrestart=no

Step 11: Start the new RUN file system and do the following:
sqlplus apps/<apps password>
execute fnd_oid_plug.setPlugin();

Now select and verify that all is well here.
Verify the OID registration as:
select fnd_preference.get('#INTERNAL','LDAP_SYNCH','HOST') from dual;
Ldaphost.abc.com  -- This should return !!

select fnd_preference.get('#INTERNAL','LDAP_SYNCH','PORT') from dual;
3060  -- This should return !!

col preference_value format a45
set lines 120
SELECT preference_name,preference_value FROM fnd_user_preferences
WHERE user_name='#INTERNAL' AND module_name= 'OID_CONF';

PREFERENCE_NAME                PREFERENCE_VALUE
------------------------------ ---------------------------------------------
CREATE_BASE                    cn=cvit,dc=corp,dc=abc,dc=com
CREATE_BASE_opt_mode           STATIC
DEFAULT_CREATE_BASE            cn=cvit,dc=corp,dc=abc,dc=com
DEFAULT_CREATE_BASE_opt_mode   STATIC
DEFAULT_REALM                  dc=corp,dc=abc,dc=com
DEFAULT_REALM_opt_mode         STATIC
FIXUP                          NONE
FIXUP_opt_mode                 STATIC
PLUGIN_VERSION                 1.1
RDN                            cn
RDN_opt_mode                   STATIC
REALM                          dc=corp,dc=abc,dc=com
REALM_opt_mode                 STATIC

Step 12: Now set the following profile options at the EBS level:

NAME                       USER_PROFILE_OPTION_NAME                                  LEVEL  VALUE
-------------------------  --------------------------------------------------------  -----  ----------
APPS_SSO                   Applications SSO Type                                     SITE   SSWA w/SSO
APPS_SSO_LINK_SAME_NAMES   Link Applications user with OID user with same username   SITE   Enable
APPS_SSO_AUTO_LINK_USER    Applications SSO Auto Link User                           SITE   Enable
APPS_SSO_OID_IDENTITY      Applications SSO Enable OID Identity Add Event            SITE   Enable

Step 13: Now run the OID sync to manually pull the data into OID, based on the filter set on each sync profile, and see that those users are created in EBS (different environments will have different users, based on the filter and the directory in OID). I ran with a parallelism of 5, but if the number of users is not that high then the default “lp” will be just fine.

syncProfileBootstrap -host oamdevuat.corp.abc.com -port 7005 -D weblogic -profile CVIT_AD2OID -lp 5
syncProfileBootstrap -host oamdevuat.corp.abc.com -port 7005 -D weblogic -profile CVUT_AD2OID -lp 5
syncProfileBootstrap -host oamdevuat.corp.abc.com -port 7005 -D weblogic -profile CVDV_AD2OID -lp 5

Now verify the users via ODSM first and then in EBS. Please note that some users were removed from the screenshot to protect the identity of the client.

Please use the following SQL to check on EBS:
select user_name,start_date,end_date,user_guid,to_char(creation_date,'DD-MON-YY hh24:mi:ss') from fnd_user where trunc(creation_date) >= trunc(sysdate -2);

This should match what OID reports in ODSM.
Once all is well, try the EBS URL to get the SSO page and use the AD password to log in.
This should redirect to the OAM page with the login screen. Please test!!