4. Simple Architecture 11i 12
[Diagram: External Users (via VPN); Internal Users; two Firewalls; Intranet; E-Business Suite Application Server; E-Business Suite Database; Oracle Application Server]
Oracle Application Server
• Portal
• Single Sign-On
• Oracle Internet Directory
• Discoverer
• Other Fusion Middleware Components
5. E-Business Suite Integration with OracleAS 10g
Release 11i
• Runs Oracle9i Application Server 1.0.2.2.2 on mid-tier
• Runs Release 11i application-tier services such as Forms, Jserv
• Integrated with an external stand-alone Oracle Application Server 10g instance for optional services (e.g. Single Sign-On)
Release 12
• Runs Oracle Application Server 10g on mid-tier
• Runs Release 12 application-tier services such as Forms, OC4J
• Integrated with an external stand-alone Oracle Application Server instance for optional services (e.g. Single Sign-On)
6. Distributed Architecture 11i 12
[Diagram: Internal Users; External Users; Internet; Reverse Proxy; External EBS Server; Internal EBS Server; EBS Database; Single Sign-On 10g; Portal 10g; Oracle Internet Directory Server 10g; OracleAS 10g Infrastructure Database; three Firewalls]
7. OracleAS 10g Integration Options 11i 12
1. Access Apps via Oracle Single Sign-On
2. Access Apps via Oracle Access Manager
3. Manage users with Oracle Internet Directory
4. Build enterprise mashups with Oracle Web Center
5. Design custom portals with Oracle Portal
6. Analyse data with Discoverer
7. Analyse data with Business Intelligence Applications
8. Accelerate performance with WebCache
9. Integrate applications via Oracle SOA Suite
10. Integrate with third-party signon tools
11. Integrate with third-party LDAPs
12. Search EBS content with Secure Enterprise Search
8. External Fusion Middleware Certifications
Oracle Application Server 10g Module Release 11i Release 12
Single Sign-On 10.1.4.3 10.1.4.3
Oracle Internet Directory 10.1.4.3 10.1.4.3
Web Center 10.1.3.4
Portal 10.1.4.2 10.1.4.2
Discoverer 10.1.2.3 10.1.2.3
Business Intelligence (EE+) 10.1.3.4 10.1.3.4
Business Intelligence Applications 7.9.6 7.9.6
Web Cache 10.1.2.3 10.1.2.3
Oracle SOA Suite (SOA development) 11.1.1.1 11.1.1.1
BPEL (prepackaged SOA integrations) 10.1.3.4
Secure Enterprise Search 10.1.8.4 10.1.8.4
9. Other Security-Related Certifications
Certified by Fusion Middleware Product Teams
11i 12
Access Manager via OSSO 10.1.4.3 10.1.4.3
Identity Manager 9.1.0.0 9.1.0.0
Enterprise Single Sign-On 10.1.4.0.1 10.1.4.0.1
Identity Federation via OSSO 11.1.1.1 11.1.1.1
Oracle Virtual Directory via OID 11.1.1.1 11.1.1.1
10. Access Apps via Oracle Single Sign-On 11i 12
[Diagram: User; E-Business Suite Application Server; Single Sign-On 10g]
• E-Business Suite is a Single Sign-On partner application
• Log on to Oracle Single Sign-On to get access to all registered partner
applications, including EBS
• Log off any one partner application to log off all of them
11. Access Apps via Oracle Access Manager 11i 12
[Diagram: Oracle Access Manager; Oracle Single Sign-On; E-Business Suite]
• Chain Oracle Access Manager with Oracle Single Sign-On
• Support complex third-party single sign-on architectures
12. Manage Users in Oracle Internet Directory 11i 12
[Diagram: Oracle Internet Directory; E-Business Suite FND_USER; DBMS_LDAP; DIP]
• Synchronise user credentials bidirectionally between Oracle Internet
Directory and E-Business Suite (FND_USER)
• Set master “source of truth” as OID, EBS, or both
• Manage user provisioning via powerful OID Directory Integration &
Provisioning (DIP) templates
• Link an OID userid with one or more EBS userids “on-the-fly”
13. Provision Users with Oracle Identity Manager 11i 12
[Diagram: OID; E-Business Suite; Oracle Identity Manager; LDAP]
• Use Oracle Identity Manager as a provisioning hub with third-party user
directories and applications
• Many connectors available, including OID, E-Business Suite’s
FND_USER and HRMS directories
14. Build Enterprise Mashups using Web Center 12
[Diagram: E-Business Suite; PeopleSoft; Web Center 10g; Dashboards; Mashups]
• Build websites, collaborative applications, and enterprise mashups in Web Center
• Add EBS portlets via WSRP 1.0 / JSR-168
• Access one or more E-Business Suite instances
• Display data in EBS portlets based on EBS responsibilities
16. Design Custom Portals using Oracle Portal 11i 12
[Diagram: E-Business Suite; Oracle Portal 10g; Apps Portlets]
• Single Sign-On is a prerequisite
• Access one or more E-Business Suite instances from Oracle Portal
• Add EBS portlets to custom Portal pages via JPDK
• Display data in EBS portlets based on EBS responsibilities
17. E-Business Suite Portlets
Releases 11i and 12
• Applications Navigator: Access Applications menus based on user responsibilities
• Applications Favorites: Bookmark specific Applications links for quick access
• Applications Worklist: Summary of current workflow notifications
Release 11i
• Oracle Balanced Scorecard: Display status of strategic and tactical business objectives
• Performance Management Viewer: Display business intelligence key performance indicators in graphical and tabular format
18. Apps Portlets in Third-Party Portals 12
WSRP 1.0 & JSR-168 compatible portlets:
• Application Navigator portlet
• Application Favorites portlet
• Application Worklist portlet
May be used in third-party portals
20. Analyse EBS with BI Applications 11i 12
[Diagram: User; OBIEE; Data Warehouse]
• Analytic dashboards running on Oracle Business Intelligence Suite
Enterprise Edition Plus
• Extracts data to external data warehouse
• Runs on separate cluster for enhanced scalability, wide deployment
21. Analyse EBS with BI Applications 11i 12
• Provide end-user reporting via ad hoc queries
• Drill-down into data via tabular & graphical analytical tools
• Consolidates data from Siebel CRM, PeopleSoft Enterprise
22. Analyse EBS with Discoverer 10g 11i 12
[Diagram: User; Discoverer; E-Business Suite End-User Layer]
• Access APPS_MODE End-User Layer via Business Intelligence System Discoverer
workbooks secured by Applications responsibilities
• Discoverer 10g End-User Layer resides in E-Business Suite database
• Run Discoverer on separate cluster for enhanced scalability, wide deployment
23. Why Upgrade Discoverer 4i to 10g? 11i
Tasty Carrots
It’s better
• Automatic SQL trimming, per user memory caps, faster, new features
It’s safe
• Installation upgrades a copy of 4i End-User Layer to 10g
It’s low-impact
• TIP: Run Discoverer 4i and 10g on different physical servers to avoid Visibroker conflicts
• Compare 4i and 10g workbooks side-by-side for User Acceptance Tests
It’s free
• Your existing Business Intelligence product license includes 10g
Big Stick
It’s necessary
• Discoverer 4i was desupported on October 31, 2006
Upgrade now to avoid Support issues
24. Accelerate Performance with WebCache 11i 12
[Diagram: User; WebCache 10g; E-Business Suite Application Server]
• Cache and compress frequently used items
• Secured data (i.e. requiring authorization) is not cached
• Reduce network consumption and accelerate response time
• Can act as a reverse-proxy server or load-balancer
• Partial page refresh supported for Portal
25. Integrate EBS with Third-Party Apps 11i 12
[Diagram: Other Applications; Oracle SOA Suite; E-Business Suite]
• Build integrations via Service Oriented Architecture (SOA) technologies
• Over 250 adapters for Enterprise Application Integration J2EE and open
standards-based integration, including:
• E-Business Suite, third-party applications, database sources
• XML, JMS, JCA
• Web Services: SOAP, WSDL, UDDI
• B2B Protocols: RosettaNet, HIPAA, EDI
26. Integrate with EBS using BPEL 11i 12
Use Oracle BPEL Process Manager to integrate third-party applications via custom business processes
29. Authentication vs. Authorization
Authentication (Oracle Single Sign-On)
• Identifies the user
• Checks user credentials
Authorization (E-Business Suite)
• Identifies data & actions the user can access
• Checks user responsibilities
30. How Single Sign-On Works with EBS
EBS Application Server … delegates user authentication to … Oracle Single Sign-On 10g
• Unauthenticated users are automatically redirected to Oracle
Single Sign-On 10g
31. How Single Sign-On Works with EBS
Overview
[Diagram: User; Single Sign-On 10g; Oracle Internet Directory 10g; OracleAS 10g OID LDAP Directory; E-Business Suite Application Server; E-Business Suite Database]
32. How Single Sign-On Works with EBS
[Diagram: User; E-Business Suite Application Server]
• Step 1: Unauthenticated user attempts to access the
E-Business Suite
33. How Single Sign-On Works with EBS
[Diagram: User; Single Sign-On 10g; E-Business Suite Application Server]
• Step 2: E-Business Suite redirects user to Single
Sign-On 10g for authentication
34. How Single Sign-On Works with EBS
[Diagram: User; Logon Form; Single Sign-On 10g]
• Step 3: Single Sign-On challenges the user with a
logon form
35. How Single Sign-On Works with EBS
[Diagram: User; Logon Form; Single Sign-On 10g]
• Step 4: User provides her credentials via the logon
form
36. How Single Sign-On Works with EBS
[Diagram: Single Sign-On 10g; Oracle Internet Directory 10g]
• Step 5: Single Sign-On passes user credentials to
Oracle Internet Directory for validation
37. How Single Sign-On Works with EBS
[Diagram: Oracle Internet Directory 10g; OracleAS 10g OID LDAP Directory]
• Step 6: Oracle Internet Directory authenticates the
user credentials against the OracleAS 10g OID LDAP
Directory (in the OracleAS 10g Metadata Repository)
38. How Single Sign-On Works with EBS
[Diagram: SSO Security Token; User; Single Sign-On 10g]
• Step 7: Single Sign-On provides the authenticated
user with a security token
39. How Single Sign-On Works with EBS
[Diagram: SSO Security Token; User; E-Business Suite Application Server]
• Step 8: User is redirected to E-Business Suite, which
accepts the SSO security token as proof of an
authenticated user
40. How Single Sign-On Works with EBS
[Diagram: E-Business Suite Application Server; E-Business Suite Database (FND_USER)]
• Step 9: E-Business Suite’s application server checks
the user’s authorization (i.e. Apps responsibilities)
in FND_USER
41. How Single Sign-On Works with EBS
[Diagram: Apps Security Token; User; E-Business Suite Application Server; E-Business Suite Database]
• Step 10: E-Business Suite issues its own Apps
security tokens to the user, redirecting her to the
requested Apps module
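The ten steps above, modelled as an added example (not Oracle code and not part of the original slides): authentication is decided by the SSO side against the directory, authorization by the E-Business Suite side against FND_USER. The HMAC-signed token layout, the shared key, the function names, the responsibility name and the sample directory rows are all assumptions made for illustration; the slides do not describe the real token format.

```python
import hashlib
import hmac

SSO_KEY = b"constructed-demo-key"  # hypothetical key known to SSO and the partner app
TOKEN_TTL = 300                    # assumed token lifetime in seconds


def _pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 10_000)


# Constructed stand-ins for the OID LDAP directory and the EBS FND_USER table.
# The two accounts have different userids and are linked by GUID.
DIRECTORY = {"John.Smith": {"guid": "GUID-0001", "pw": _pw_hash("correct horse")}}
FND_USER = {"jsmith": {"guid": "GUID-0001", "responsibilities": {"Payables Inquiry"}}}


def _sign(payload):
    return hmac.new(SSO_KEY, payload.encode(), hashlib.sha256).hexdigest()


def sso_logon(userid, password, now):
    """Steps 3-7: challenge, validate against the directory, issue an SSO token."""
    entry = DIRECTORY.get(userid)
    if entry is None or not hmac.compare_digest(entry["pw"], _pw_hash(password)):
        return None
    payload = f"{entry['guid']}|{now + TOKEN_TTL}"
    return f"{payload}|{_sign(payload)}"


def verify_sso_token(token, now):
    """Step 8: accept only an intact, unexpired token; return the GUID or None."""
    try:
        guid, expiry, sig = token.split("|")
        expiry = int(expiry)
    except (AttributeError, ValueError):
        return None
    expected = _sign(f"{guid}|{expiry}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    return guid if now < expiry else None


def ebs_request(token, responsibility, now):
    """Steps 1-2 and 8-10 as seen from the E-Business Suite application server."""
    guid = verify_sso_token(token, now)
    if guid is None:
        return "redirect-to-sso"          # steps 1-2: no proof of authentication
    linked = [u for u, row in FND_USER.items() if row["guid"] == guid]
    if not linked:
        return "no-linked-account"        # authenticated, but no EBS account is linked
    user = linked[0]
    if responsibility not in FND_USER[user]["responsibilities"]:
        return "not-authorized"           # step 9: authorization is decided in EBS
    return f"apps-session:{user}"         # step 10: EBS issues its own session


if __name__ == "__main__":
    tok = sso_logon("John.Smith", "correct horse", now=1000)
    print(ebs_request(None, "Payables Inquiry", now=1000))
    print(ebs_request(tok, "Payables Inquiry", now=1001))
```
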
42. How Single Sign-On Works with EBS
[Diagram: User; Single Sign-On 10g; Oracle Internet Directory 10g; OracleAS 10g LDAP Directory; E-Business Suite Application Server; E-Business Suite Database]
43. Oracle Internet Directory Integration
[Diagram: Oracle Internet Directory; E-Business Suite FND_USER; DBMS_LDAP; DIP]
• Oracle Internet Directory and FND_USER must be kept synchronised
• Supported synchronisation directions:
  • From OID to FND_USER (asynchronous via the Directory Integration & Provisioning Platform)
  • From FND_USER to OID (synchronous via dbms_ldap calls)
  • Bidirectionally
• Synchronisation events are raised via the Workflow-based Business
Event System whenever users are added or modified
44. Link Accounts
[Diagram: Oracle Internet Directory Userid = “John.Smith”; “Link Account” Global Unique Identifier (GUID); E-Business Suite (FND_USER) Userid = “jsmith”]
One-time User Registration
• Done at setup time by system administrator
• Optional: can be done by end-user on first logon (“Link on the fly”)
• Useful when existing accounts in Oracle Internet Directory 10g or a third-
party LDAP directory differ from existing E-Business Suite accounts
45. Link to Multiple EBS Accounts
[Diagram: Oracle Internet Directory Userid = “John.Smith”; “Link Account”; E-Business Suite (FND_USER) Userid = “jsmith”, Userid = “testuser1”, Userid = “testuser2”]
• Note: It’s not possible to link
multiple OID accounts to the
same EBS account
47. Third-Party Single Sign-On Integration
EBS Application Server … delegates user authentication to … Oracle Single Sign-On 10g … delegates user authentication to … Third-Party SSO
48. Supported Third-Party SSO Integrations
Integrate Oracle Single Sign-On with
• Windows Native Authentication via Kerberos
• CA Entrust, CA Netegrity, IBM Tivoli, RSA
• PKI X.509v3 Digital Certificates
• Biometric and smartcard systems
• Other SSO systems via custom adapters
• Oracle Identity Federation
  • Formerly Oblix COREid Federation
  • SAML, WS-Federation, Liberty Alliance
• Oracle Access Manager
  • Formerly Oblix COREid Access & Identity
49. If you already have a third-party LDAP…
Third-Party LDAP … synchronizes user attributes with … Oracle Internet Directory 10g … synchronizes user attributes with … E-Business Suite DB (FND_USER)
50. Available Oracle Internet Directory Connectors
• Microsoft Active Directory 2000/2003
• Microsoft Active Directory Application Mode (ADAM) 2003
• Microsoft Exchange 2000/2003
• Sun Java System Directory (Sun ONE / iPlanet) 5.2, 6.3
• Novell eDirectory 8.6 / 8.7
• OpenLDAP 2.2
• Any LDAP directory via LDIF files
• Any other directory via custom DIP agent
• Oracle Identity Manager
  • Formerly Thor Xellerate Identity Provisioning
  • Also integrates directly with E-Business Suite FND_USER & HRMS
• Oracle Virtual Directory
  • Formerly OctetString Virtual Directory Engine
51. Passwords Stored in Third-Party LDAP
[Diagram: Third-Party LDAP (optional); Oracle Internet Directory; E-Business Database (FND_USER); User Password]
• Third-party LDAP:
  • Handles user authentication, usually with a third-party authentication solution
  • Commonly considered “Master” source-of-truth
• Oracle Internet Directory and E-Business Suite take minimal copies of the master user definition, excluding passwords
• E-Business Suite doesn’t maintain user passwords in this configuration
53. Third-Party Integration Architecture
[Diagram: End User; Third-Party SSO; Third-Party LDAP; Single Sign-On 10g; Oracle Internet Directory 10g; EBS Application Server; EBS Database (FND_USER)]
54. User Logs onto Third-Party System
[Diagram: Third-Party SSO]
• Step 1. User provides userid & password to third-party single sign-on system
55. Third-Party Authenticates User
[Diagram: Third-Party LDAP; Third-Party SSO]
• Step 2. Third-party single sign-on sends user’s credentials to third-party LDAP for authentication
56. Third-Party Grants User Access
[Diagram: Third-Party Token; Third-Party SSO]
• Step 3. Third-party single sign-on provides authenticated user with third-party security token
57. Logged-On User Attempts EBS Access
[Diagram: Single Sign-On 10g; E-Business Suite]
• Step 4. User attempts to access E-Business Suite, and is redirected to Oracle Single Sign-On 10g
58. Oracle SSO Grants User Access
[Diagram: SSO Security Token; Single Sign-On 10g]
• Step 5. Oracle Single Sign-On recognizes the third-party security token, then issues its own
59. EBS Grants User Access
[Diagram: Single Sign-On 10g; Apps Security Token; E-Business Suite]
• Step 6. User is redirected back to E-Business Suite,
which recognizes the SSO security token and issues
its own
60. Third-Party Integration Architecture
[Diagram: End User; Third-Party SSO; Third-Party LDAP; Single Sign-On 10g; Oracle Internet Directory 10g; EBS Application Server; EBS Database (FND_USER)]
62. Deployed Widely in Production
• Amdocs (Israel)
• Alcoa (Europe)
• Applied Materials (Israel)
• Atento (Norway)
• Berwind Pharmaceuticals (USA)
• Bunnings (Australia)
• CapGemini / Councils Online (Australia)
• Central Bank of Nigeria
• Cisco Systems
• Cox Communications (USA)
• Fiera Milano (Italy)
• General Dynamics Land Sys
• General Electric (USA)
• Google (USA)
• Guandong Unicom (China)
• Inter-Arab Investment Guarantee (Kuwait)
• International Enterprises (Singapore)
• International Institute for Applied Systems Analysis (Austria)
• Ireland Dept of Defence
• Kansas State University
• Libgo Travel (USA)
• Mitac (Taiwan)
• Phoenix Technologies (USA)
• Putrajaya (Malaysia)
• Telecom Italia Mobile (Italy)
• Texas Instruments (USA)
• Universal Weather & Aviation (USA)
• Wind River Systems (USA)
• World Wide Technology
These are not customer references
63. Integration with Microsoft Active Directory Only
[Diagram: End User; Microsoft Active Directory; Oracle Internet Directory 10g; Single Sign-On 10g; EBS Application Server; EBS Database (FND_USER)]
64. Integration with Microsoft Active Directory & Kerberos
[Diagram: End User; Microsoft Active Directory; Microsoft Windows Native Authentication via Kerberos; Oracle Internet Directory 10g; Single Sign-On 10g; EBS Application Server; EBS Database (FND_USER)]
65. Internal / External Configuration
[Diagram: Internal Users; External Users; Internet; Reverse Proxy; External 9iAS 1.0.2 Server; Internal 9iAS 1.0.2 Server; Release 11i Database; Single Sign-On 10g; Oracle Internet Directory Server 10g; OracleAS 10g Infrastructure Database; three Firewalls]
66. Highly Available
[Diagram: Internal Users; External Users; Internet; Reverse Proxy; Firewalls; load balancers (LBR1, HTTP LBR1, HTTP LBR2); SSO Node 1 and 2; Web Node 1 to 4; RAC 1 and 2; OID 1 and 2; Shared 11i Filesystem; OracleAS 10g Infrastructure DB]
68. Updated E-Business Suite Baselines
New features, patches and certifications released for the current
and previous ATG patchset (Note 363827.1)
E-Business Suite 12.0 baseline
• ATG Release Update Patch 6 (Patch 7237006)
• ATG Release Update Patch 4 (Patch 6272680)
E-Business Suite 11.5.10 baseline
• ATG Rollup Patchset 7 (Patch 6241631)
• ATG Rollup Patchset 6 (Patch 5903765)
69. New Support Policies for Technology Products
New patches released for
• Current patchset
• Previous patchset for 12 months after current patchset
Applies to
• Quarterly Critical Update Patches (security fixes)
• Patch bundles
• Interim patches (a.k.a. “one-off” or emergency patches)
70. Real Examples
Database
• Database 10.2.0.4 patchset released in February 2008
• Database 10.2.0.3 patchset supported until February 2009
• All previous patchsets (e.g. 10.2.0.2) desupported
Fusion Middleware
• Oracle Identity Management 10.1.4.3 patchset released in
November 2008
• Oracle Identity Management 10.1.4.2 patchset supported until
November 2009
• All previous patchsets (e.g. 10.1.4.0.1) desupported
71. Support Policy References
• Oracle Lifetime Support Policy
www.oracle.com/support/lifetime-support-policy.html
• Database, FMW, EM Grid Control, and OCS Software Error
Correction Support Policy
(Note 209768.1)
• Release Schedule of Current Database Patch Sets
(Note 742060.1)
• Oracle Application Server 10g Release 2 (10.1.2) Support Status
and Alerts
(Note 329361.1)
72. Implications for E-Business Suite Users
Articles on blogs.oracle.com/stevenChan
• On Database Patching and Support:
A Primer for E-Business Suite Users
• On Apps Tier Patching and Support:
A Primer for E-Business Suite Users
73. External Application Tier Desupport Notices
• Discoverer 4i Oct 2006
• Login Server 3.0.9 July 2007
• Portal 3.0.9 July 2007
• Oracle Internet Directory 3.0.1 July 2007
• Oracle Application Server 10.1.2.2 Mar 2009
(incl. Portal, Discoverer, WebCache)
• Single Sign-On / OID 10.1.4.2 Nov 2009
“Desupport” = “End of Premier Support”
75. The following is intended to outline our general
product direction. It is intended for information
purposes only, and may not be incorporated into any
contract. It is not a commitment to deliver any
material, code, or functionality, and should not be
relied upon in making purchasing decisions.
The development, release, and timing of any
features or functionality described for Oracle’s
products remains at the sole discretion of Oracle.
76. Future Application Tier Certifications
E-Business Suite Release 11i
• Developer6i Forms Patchset 20
E-Business Suite Release 12
• SOA Suite 10.1.3.5
• BPEL 10.1.3.5
• OC4J 10.1.3.5
• Web Center 11g
Both 11i & 12
• Oracle Access Manager 10gR3 (direct integration with EBS)
• Oracle Internet Directory 11g
• Discoverer 11g
• Portal 11g
• Web Cache 11g
• Java SE (JDK) 7
77. Oracle Access Manager & Oracle Internet Directory
[Diagram: User; Oracle Access Manager 10gR3; Oracle Internet Directory 10g or 11g; OID LDAP Directory; E-Business Suite Application Server; E-Business Suite Database]
78. Still Bubbling in the Labs
• Generate portlets based on selected OA Framework regions
(R12 only)
• Server-level configuration of authentication mechanism
(i.e. different authentication tools for internal vs. external users)
79. The preceding is intended to outline our general
product direction. It is intended for information
purposes only, and may not be incorporated into any
contract. It is not a commitment to deliver any
material, code, or functionality, and should not be
relied upon in making purchasing decisions.
The development, release, and timing of any
features or functionality described for Oracle’s
products remains at the sole discretion of Oracle.
81. E-Business Suite Technology Stack Blog
blogs.oracle.com/stevenChan
• Direct from EBS Development
• Latest EBS techstack news
• Certification announcements
• Primers, FAQs, tips
• Desupport reminders
• Advanced architectures
• Statements of Direction
• Early Adopter Programs
• Subscribe via email & RSS