E-Business Suite (Apps R12) integration with OAM 11g: inter-component communication and ports to open in the firewall

In this post, drawn from our EBS-OAM Integration Training, we cover the components that take part in EBS (Apps R12) integration with Oracle Access Manager and the ports that must be opened across the firewall for them.

Oracle Access Manager (OAM) 11g integration with EBS and Fusion Middleware (WebCenter, UCM & OBIEE) is covered in chapter 12 of Atul Kumar’s (Oracle ACE & Author) Book Oracle Identity and Access Manager 11g for Administrators.

EBS (R12) – OAM 11g integration components 

a) Oracle E-Business Suite Middle Tier – consists of two Oracle Homes (10.1.2, where forms/reports run, and 10.1.3, where the Web Server or OHS runs). When you type the EBS R12 URL you hit the Oracle HTTP Server (OHS) running from the 10.1.3 Web Server home. If there is a firewall between users and the EBS Middle Tier, open the 10.1.3 OHS listener port.

b) Oracle E-Business Suite Database (DB) Tier – consists of the database and the database listener. The Oracle EBS Middle Tier connects to the DB Tier on the database listener port. If there is a firewall between the EBS Middle Tier and the database, open the database listener port.

c) Oracle HTTP Server 11g with WebGate – another web server (11g), deployed with WebGate as part of the EBS integration with OAM. The Oracle E-Business Suite profile option “Application Authentication Agent” is set to this OHS, and the user is redirected to this URL for authentication. If there is a firewall between users and OHS 11g with WebGate, open the OHS 11g listener port.

d) WebGate – the Policy Enforcement Point (PEP), which interacts with the OAM Server’s proxy port and forwards user requests to the OAM Server. WebGate is installed with the web server (OHS 11g in this case). If there is a firewall between OHS 11g and OAM’s proxy server, open the OAM proxy server port. (Note: the OAM Server’s proxy port 5575 is different from the WebLogic Managed Server port 14100 on which the OAM Server runs.)

e) Oracle Internet Directory (OID) Server – the LDAP server from Oracle where users are stored. OAM 11g is integrated with OID for authentication. OID 11g by default listens on two ports, LDAP (3060) and LDAPS (3131). If there is a firewall between OAM and OID, open the OID port used for the OAM-OID integration (LDAP or LDAPS) from OAM to the OID server.

f) Directory Integration Platform (DIP) – a J2EE application deployed on WebLogic Server (wls_ods1) and used by the user provisioning engine for EBS/OID user synchronization. The DIP server communicates with the Oracle E-Business Suite Database (DB) Tier on the database listener port. If there is a firewall between DIP and the EBS DB Tier, open the EBS database port from DIP to the EBS-DB server. Note: in OID 10g, DIP is part of the ODISRV daemon.

g) E-Business Access Gate (EBS AG) – a J2EE application deployed on WebLogic Server and used during authentication to validate (identity assertion) a user in OID against the user in E-Business Suite (FND_USER). EBS Access Gate communicates with the Oracle E-Business Suite Database (DB) Tier on the database listener port. If there is a firewall between EBS-AG and the EBS DB Tier, open the EBS database port from the EBS-AG node to the EBS-DB server.
All requests to E-Business Access Gate (EBS AG) are proxied via OHS 11g with WebGate (explained in c), so if there is a firewall between OHS 11g (with WebGate) and the WebLogic Server on which EBS AG is deployed, open the WebLogic Server port across that firewall.
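
A reachability check for the flows in items (a) to (g), added here as an example and not part of the original post. It is run once on each tier and separates a port with nothing listening ("refused") from one that gets no answer, which is typically a firewall drop ("filtered"). Only ports 5575, 3060 and 3131 come from the post; all hostnames and the other port numbers are constructed placeholders to replace with your own values.

```python
import errno
import socket

# Flows from items (a)-(g). Ports 5575 and 3060 are named in the post (use
# 3131 instead of 3060 if OAM talks LDAPS to OID). Every hostname and every
# other port below is a constructed placeholder.
FLOWS = [
    # (item, source tier, destination host, port, purpose)
    ("a", "users",  "ebs-mt.example.com", 8000, "EBS 10.1.3 OHS listener"),
    ("b", "ebs-mt", "ebs-db.example.com", 1521, "EBS database listener"),
    ("c", "users",  "ohs11g.example.com", 7777, "OHS 11g (WebGate) listener"),
    ("d", "ohs11g", "oam.example.com",    5575, "OAM proxy port"),
    ("e", "oam",    "oid.example.com",    3060, "OID LDAP"),
    ("f", "dip",    "ebs-db.example.com", 1521, "EBS database listener"),
    ("g", "ebs-ag", "ebs-db.example.com", 1521, "EBS database listener"),
    ("g", "ohs11g", "ebs-ag.example.com", 7001, "WebLogic port hosting EBS AG"),
]


def probe(host, port, timeout=3.0):
    """Classify one TCP connect as 'open', 'refused', 'filtered' or 'error:...'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # Destination answered with a reset: host reachable, nothing listening
        # on that port (or a firewall configured to reject rather than drop).
        return "refused"
    except socket.timeout:
        # No answer at all: typically a firewall silently dropping the SYN.
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        return "error:" + (exc.strerror or str(exc))


def flows_from(source):
    """Flows that originate on the given tier."""
    return [f for f in FLOWS if f[1] == source]


def check_node(source, timeout=3.0, flows=None):
    """Probe each flow leaving `source`; returns (item, host, port, purpose, state)."""
    selected = flows if flows is not None else flows_from(source)
    return [(item, host, port, purpose, probe(host, port, timeout))
            for item, _src, host, port, purpose in selected]


if __name__ == "__main__":
    import sys
    node = sys.argv[1] if len(sys.argv) > 1 else "ohs11g"
    for item, host, port, purpose, state in check_node(node):
        print(f"({item}) {node} -> {host}:{port} {purpose}: {state}")
```

A "refused" result on the OAM proxy port points at the OAM side (application not active, or a different proxy port configured) rather than at the firewall.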

For the request flow for E-Business Suite (Apps R12) integrated with OAM 11g, check chapter 12 of Atul Kumar’s (Oracle ACE & Author) book Oracle Identity and Access Manager 11g for Administrators (this chapter also covers steps to integrate OAM 11g with )

We provided a dedicated module for Troubleshooting where we cover Logging in WebGate, OHS, EBS Accessgate, DIP, OAM, and OID in our EBS-OAM/OID Integration Training, more about training here

If you have not yet downloaded FREE eBook – 7 Docs every Oracle Apps DBA must read for EBS R12 integration with OAM/OID for SSO get a copy in your Email

About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Oracle Gold Partner specialising in Design, Implement, and Trainings.

Leave a Comment:

28 comments
Ramasamy says July 29, 2011

Atul,

Based on DOC ID: 1309013.1, could you also please advise on the following questions?

How many oracle homes we need (excluding EBS R12 OHs) for Integrating Oracle E-Business Suite with Oracle Access Manager 11g using Oracle E-Business Suite AccessGate?

1. OH for Metadata Repository Database (11gR2 – 11.2.0.2)
2. Oracle Internet Directory (OID) OH
3. Which OH will be called as Infrastructure OH (Is it OID or Repository Database)?
4. Oracle HTTP Server OH (Do I need separate OH for this? Or can we use the OID OH for this one?)
5. Do we need any other OHs?
6. If Oracle HTTP server containing WebGate is configured to use SSL and also Oracle EBS R12 is configured to use SSL, can WebLogic Server (where the Oracle E-Business Suite AccessGate is deployed) be run on non-SSL (http)?

An early reply is highly appreciated.

Thanks
Ramasamy

Reply
Atul Kumar says July 29, 2011

Q1: How many oracle homes we need (excluding EBS R12 OHs) for Integrating Oracle E-Business Suite with Oracle Access Manager 11g using Oracle E-Business Suite AccessGate?

A1: Apart from ORACLE Home for EBS, you need following additional oracle homes

a) Oracle Home for OID – Oracle_IDM1
b) Oracle Home for OAM – Oracle_IDM2
c) Oracle Home for OHS 11g with Webgate – Oracle_WT1
d) Oracle Home for 11g WebGate Oracle_OAM11gWanGate1

Q2: Which OH will be called as Infrastructure OH (Is it OID or Repository Database)?

A2: I think you are referring OID integration with OAM and in that reference this is OID OH

Q3: Oracle HTTP Server OH (Do I need separate OH for this? Or can we use the OID OH for this one?)
A3: You need separate OH for HTTP Server 11g than OID 11g. I am not aware of any OHS 11g shipped with OID 11g. You can keep these two OH (OID & OHS) in same MW_HOME (Middleware Home)

Q4: If Oracle HTTP server containing WebGate is configured to use SSL and also Oracle EBS R12 is configured to use SSL, can WebLogic Server (where the Oracle E-Business Suite AccessGate is deployed) be run on non-SSL (http)?

A4: Yes this is possible (though I have not tried myself). This is handled at mod_wl_ohs level (terminating SSL at OHS layer and forward request to WebLogic hosting EBS-AG on non ssl port). http://onlineappsdba.com/index.php/2009/09/23/configure-oracle-http-server-infront-of-oracle-weblogic-server-mod_wl_ohs/

Reply
Ramasamy says July 29, 2011

Also, since WLS 10.3.x will be installed for OID, can we use this (WLS 10.3.x) as HTTP server also? Or do we have to install a separate HTTP server by using FMW 11gR1 (11.1.1.2) Identity Management media http://www.oracle.com/technetwork/middleware/downloads/oid-11g-161194.html?

If we have to install a separate HTTP server, can we use the same OH for both OID and HTTP Server as the FMW 11gR1 (11.1.1.2) media has both HTTP Server and OID… I have not installed yet, but curious to know whether we can install both in the same OH?

Also, since Webgate only installed in HTTP server OH, could you please tell me why we need a separate OH for 11g WebGate and Oracle_OAM11gWanGate1?

Thanks for your help.
– Ramasamy

Reply
Atul Kumar says July 30, 2011

@ Ramasamy,
Yes you are right from OID 11g onwards there is OHS shipped with OID Home (Just checked installer after you mentioned). You can use OHS which comes as part of OID 11g but I have not tried this. This could have dependency with OID 11g so not sure how it will behave in future (with OID upgrade).

Moreover OHS is web tier component which should sit in DMZ and OID is data tier (or application tier). If I am in your place my preference would be to install OHS 11g with webgate in different home on different server.

Regarding your webgate query, if this is 11g webgate then yes webgate and OHS must be installed in same MW_HOME but under their own Oracle Home .

For EBS R12 10g webgate is recommended solution.

We are planning to launch OAM integration with EBSR12, OBIEE11g, UCM11g, and WebCenter 11g with step by step instructions including how to debug and key issues (things good to know in this integration).

Reply
chetan Patil says August 5, 2011

Hi Atul ,

I want to apply patch 12346324 which is India localisation patch & has total 19 prerequisites so while applying on TEST instance every time I used to bring the system up & run the active user , just to ensure that there is no side effect. But now I want to apply it on production. I had checked all log files as there was no error. So can I directly bring the system up after application of all prerequisites & then main patch 12346324.
also what should be approach in general like to bring system up only after application of main patch or as prerequisites are also having prerequisites so bring it after 1 level tree viz.main-prereq-prereq-prereq .

Thanks in advance……..

Regards,
Chetan

Reply
Atul Kumar says August 5, 2011

@ Chetan,
Yes please. Start system after all patches and then before releasing it to users do a health check.

Reply
Ramasamy says August 8, 2011

Atul,

How do we integrate the following?

The Company has an Enterprise SSO (ESSO) solution using Oracle Solution (OID, OAM, OIF, etc). Our EBS (R12.1.3) is a partner application to the Enterprise SSO and has also OID, OAM, Accessgate.

Now my question is what is the best option to integrate these two systems… assuming that users are coming through Enterprise SSO? Or Can we integrate OAM (of ESSO) to OAM (EBS SSO)?

Thanks
Ramasamy

Reply
lohith says September 22, 2011

Hi Atul,

I am installing 10g webgate after provisioning it with OHS 11g. When I give all the details, the webgate installer exits with the error “Access server you specified is currently down. Please check your access server :5575: Connection refused”

The port I mentioned is 5575 and I can see this as the right port in OAM console. Also, I see that oam_server1 is up. Also, both OAM, OAH are installed on the same server and on same weblogic 10.3.3. please help.

Thanks,
Lohith

Reply
Atul Kumar says September 22, 2011

@lohith,
Even if OAM managed server is up, there is possibility that oam application deployed on this managed server is down.

Check if anything is listening on this port 5575 (I had similar issue on HP-UX where port mentioned in OAM for proxy was 5575 where in oam-config.xml it was 5574).

netstat -an | grep 5575

Reply
lohith says September 22, 2011

Hi Atul,

Thanks for the pointer and it did resolve my issue. Port 5575 was not free and I changed OAM proxy port from 5575 to 5576 using OAM console, restarted OAM server and webgate installation went through with this new port 5576. Thanks again.

Lohith

Reply
lohithdc says September 26, 2011

Hi Atul,

I have a new issue now. After changing the OAM proxy port in OAM console, I cannot OHS 11g anymore and I get the below error message in console~OHS~1.log.

The AccessGate is unable to contact any Access Servers

Any pointers?

Thanks,
Lohith

Reply
Atul Kumar says September 28, 2011

@ lohithdc,
Is this 10g webgate or 11g webgate with OHS 11g ?

If this is 10g Webgate then you must reconfigure webgate and use new OAM access port.

If this is 11g then restart of OHS should fix. If not update this comment.

Reply
dvp says November 9, 2011

Hi Atul!
I have problem with OAM proxy. Where are no services listen port 5575 (OAM proxy port) after starting Admin and Managed WL servers.
And webgate can’t communicate with OAM server.
Also I see many errors
“Failed to communicate with any of configured Access Server, ensure that it is up and running”
in AdminServer start log, possible via OAM proxy problem. How to start OAM proxy listener?

Reply
dvp says November 9, 2011

Problem resolved, reason was in proxy port misconfiguration in config.xml.

I have one more question:

Can be all software stacks (OEBS,WLS,OID, OAM, OHS, WebGate) reside in same host ?

Reply
Atul Kumar says November 9, 2011

@ DVP,
OAM Proxy Port is Access Server which starts with OAM Managed server. WebGate connect to Access Server on Proxy Port and are defined in oam-config.xml in $DOMAIN_HOME/config/fmwconfig. I am going to cover more on this here on my blog.

Q: Can be all software stacks (OEBS,WLS,OID, OAM, OHS, WebGate) reside in same host ?

Yes as long as you have enough memory and disk

Reply
dvp says November 9, 2011

>>Q: Can be all software stacks (OEBS,WLS,OID, OAM, OHS, WebGate) reside in same host ?

>Yes as long as you have enough memory and disk

Ok. I and must simply copy existing dbc-file to oebsAccessGate host instead register new external node and generate dbc-file? (2.1.2. Register the External Node and Generate the Desktop DBC File of Oracle E-Business Suite Software Development Kit for Java (includes AppsDataSource, Java Authentication and Authorization Service) Readme – Patch 9863609 [ID 974949.1])

Reply
qadar says February 12, 2012

how to apps version from BE and FE?

Reply
Abhinav says February 13, 2012

Hi Atul,

Is it possible to integrate OAM 11g with EBS 11i. Oracle metalink mentions that EBS11i is certified with OAM10gR3 but not 11g.

Still is it possible to achieve this integration?

If yes can you mention the steps if not can you please explain why.

Regards
Abhinav

Reply
Atul Kumar says February 14, 2012

@ Qadar,
What is BE and FE ?

Reply
Atul Kumar says February 14, 2012

@ Abhinav,
I have not tried integrating OAM 11g with EBS 11i, You can try same steps as mentioned for R12 (patches for 11i may differ)

For OAM 11g integration with Oracle Apps 12.x check our book http://onlineappsdba.com/index.php/book/

Reply
abhinav says April 13, 2012

hi Atul,

I patched my current OAM 11.1.1.5.0 with BP01 but after the install my already configured webgate for Apache 10g webgate is not able to connect to access server.

Can you tell me if I am missing any stuff.

Regards
Abhinav

Reply
Atul Kumar says April 13, 2012

@ Check if oam application up and in ACTIVE state. You can check this from WebLogic Server under deployments.

Reply
srshukla3 says November 20, 2012

Hi Atul,

I am trying to register OID with EBS, not familiar with EBS.
Just want to know what is the instance password (-instpass in below command) –

$FND_SECURE/bin/txkrun.pl \
  -script=SetSSOReg \
  -registeroid=yes \
  -ldaphost=oidlb.testdomain.com \
  -ldapport=389 \
  -oidadminuser=cn=ebsadmin,cn=Users,dc=testdomain,dc=com \
  -oidadminuserpass=******* \
  -appspass=xxxx \
  -instpass=*******

Regards

Reply
Sunny says April 24, 2013

Hi Atul,

We have OAM 11.1.2 (AD) integrated with EBS application (internal) and working fine. We have external node (DMZ) setup & would like to exclude external URL from AD authentication. It is redirecting to OAM page now. Can you guide us how this can be achieved?

Regards

Reply
kamal says May 16, 2014

Atul,

Can you please assist. I am trying to deploy webgate (agent named DCC_WEBGATE) in DMZ for DCC purpose and my OAM server is in internal network. We have opened the required ports along with proxy port 5575 from WebgateDMZ server to OAM server getting below error in ohs.log.

[2014-05-15T17:24:25.0353+04:00] [OHS] [ERROR:32] [OHS-9999] [core.c] [client_id: 127.0.0.1] [host_id: HOSTNAME] [host_addr: IPAddress] [tid: 140202932647680] [user: appldev] [ecid: 004yN0rELcWBd5ypk49DiZ0003PT00000d] [rid: 0] [VirtualHost: main] The Access Server has returned a fatal error with no detailed information.

and below error in OAM diagnostics.

[2014-05-15T17:40:15.754+04:00] [oam_server1] [TRACE:16] [] [oracle.oam.controller] [tid: [ACTIVE].ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: 004yN1jxvYVBd5ypk49DiZ0003UO000009,1:619526] [APP: oam_server#11.1.2.0.0] [URI: /index.html] [SRC_CLASS: oracle.security.am.controller.BaseRequest] [SRC_METHOD: getObjectAttribute] Getting Attr: authn_scheme, Current Object Map: [{resource_id=Type: HTTP Operation: HEAD Name: WebGateResource URL: /index.html Host: DCC_Webgate Port: 0}{sso_request_token= agentName=null version=3 type=1 partnerId=DCC_Webgate authType=null agentState=null siteTime=null requestedUrl=null clientIP=null encodedUrl=null requestedUrlPrefix=null agentHost=10.126.241.92 returnHost=nullAgent Version: 3 Agent Id: DCC_Webgate Request Params : {} Post parameters: Request Method: null FCP Method: }{audit_context=oracle.security.jps.service.audit.AuditContext@96d28b6}]
[2014-05-15T17:40:15.754+04:00] [oam_server1] [ERROR] [OAM-04029] [oracle.oam.proxy.oam] [tid: [ACTIVE].ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: 004yN1jxvYVBd5ypk49DiZ0003UO000009,1:619526] [APP: oam_server#11.1.2.0.0] [URI: /index.html] Error in generating AMEvent. Details Event Response status is STATUS_FAIL for GET_AUTHN_SCHEME event. Error code OAM-02073 status fail isExcluded false
[2014-05-15T17:40:15.755+04:00] [oam_server1] [ERROR] [OAM-04020] [oracle.oam.proxy.oam] [tid: [ACTIVE].ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: 004yN1jxvYVBd5ypk49DiZ0003UO000009,1:619526] [APP: oam_server#11.1.2.0.0] [URI: /index.html] Exception encountered while processing the request message:[[
oracle.security.am.proxy.oam.requesthandler.OAMProxyException: Event Response status is STATUS_FAIL for GET_AUTHN_SCHEME event. Error code OAM-02073 status fail isExcluded false
at oracle.security.am.proxy.oam.requesthandler.NGProvider.checkProtected(NGProvider.java:4542)
at oracle.security.am.proxy.oam.requesthandler.NGProvider.getIsRescProtectedResponse(NGProvider.java:1401)
at oracle.security.am.proxy.oam.requesthandler.NGProvider.getResponse(NGProvider.java:369)
at oracle.security.am.proxy.oam.requesthandler.RequestHandler.handleRequest(RequestHandler.java:366)
at oracle.security.am.proxy.oam.requesthandler.RequestHandler.handleMessage(RequestHandler.java:170)
at oracle.security.am.proxy.oam.requesthandler.ControllerMessageBean.getResponseMessage(ControllerMessageBean.java:122)
at oracle.security.am.proxy.oam.requesthandler.ControllerMessageBean_eo7ylc_MDOImpl.__WL_invoke(Unknown Source)
at weblogic.ejb.container.internal.MDOMethodInvoker.invoke(MDOMethodInvoker.java:35)
at oracle.security.am.proxy.oam.requesthandler.ControllerMessageBean_eo7ylc_MDOImpl.getResponseMessage(Unknown Source)
at oracle.security.am.proxy.oam.mina.ObClientToProxyHandler.messageReceived(ObClientToProxyHandler.java:223)
at org.apache.mina.common.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:743)
at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
at org.apache.mina.common.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:40)
at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:823)
at org.apache.mina.common.IoFilterEvent.fire(IoFilterEvent.java:54)
at org.apache.mina.common.IoEvent.run(IoEvent.java:62)
at oracle.security.am.proxy.oam.mina.CommonJWorkImpl.run(CommonJWorkImpl.java:41)
at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:184)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)

]]
[2014-05-15T17:40:15.755+04:00] [oam_server1] [TRACE:16] [] [oracle.oam.proxy.oam] [tid: [ACTIVE].ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: 004yN1jxvYVBd5ypk49DiZ0003UO000009,1:619526] [APP: oam_server#11.1.2.0.0] [URI: /index.html] [SRC_CLASS: NGProvider] [SRC_METHOD: getIsRescProtectedResponse] RETURN OpCode = 1 [IsResrcOpProtected], SeqNo = 10 Message = ro=t%3d0%20o%3d%20no%3d%20r%3d%20nr%3d%20wu%3d/index.html%20wh%3dDCC_Webgate%20wo%3d8%20wa%3d0%20ws%3d%20wt%3dHTTP%20wp%3dHEAD ri= st=ma%3d3%20mi%3d2%20sg%3d1061550%20sm%3d rt=0

Reply
nitin says June 6, 2014

Kamal,

Did you get the issue resolved? I have the same issue right now. My error message is similar but it shows below in OAM
error: Error while checking if the resource null is protected or not, and stops at http://ohs_host:ohs_port/oam/server/auth_cred_submit

Reply
Anand says July 25, 2014

Hi Kamal and Atul,

Have you cleared the “oracle.security.am.proxy.oam.requesthandler.OAMProxyException: Event Response status is STATUS_FAIL for GET_AUTHN_SCHEME event. Error code OAM-02073 status fail isExcluded false”?

I am getting the same error. Have you found any solution?

Anand

Reply