Steps to Integrate Discoverer 11g with OAM 11g

Of late, I was working on configuring Oracle BI Discoverer 11g Release 1 (11.1.1) single sign-on using Oracle Access Manager 11g. I Followed the procedure below to use Oracle Access Manager with Oracle BI Discoverer:

Assumptions :

  1. Oracle BI Discoverer is Installed and configured.
  2. Oracle Access Manager is Installed and configured.
  3. EBS Instance  is configured with WNA (Zero Sign on) using OAM/OID 11g (Read Atul’s Book “EBS integration with OAM 11g R2”).

Steps to configure Discoverer 11g with OAM:

  1. Register the OSSO agent (mod_osso) with OAM 11g.
  2. Open oamconsole and under System Configurations->Access Manager ->SSO agents->OSSO Agent, create one osso agent.

 

Following registration with OAM 11g, the mod_osso module:

  • Checks for an existing valid Oracle HTTP Server cookie
  • Redirects to the OAM Server if needed to contact the directory during authentication
  • Decrypts the encrypted user identity populated by the OSSO server
  • Sets the headers with user attributes

Base URL  http://cph-core-db01-s:8888 . It will create Application domain, resource URLs, host identifier, Authentication Policies and authorization policies.

Apply the changes

After it is created, it looks like below.

 

3. On Discoverer OHS server

Edit the mod_osso.conf file as follows:

  1. Copy the mod_osso.conf file from the
    $MW_HOME/instance_name/config/OHS/ohs1/backup/disabled directory to the
    $MW_HOME/instance_name/config/OHS/ohs1/moduleconf directory.
  2. Create a folder named ‘osso’ under the location $MW_HOME/instance_name/config/OHS/ohs1/ and copy the osso.conf file generated after registration (Step 2) at $DOMAIN_HOME/output/osss_agent_name/ (OAM Server)
  3. Edit the mod_osso.conf file from the location $MW_HOME/instance_name/config/OHS/ohs1/moduleconf and add the following lines:
  4. LoadModule osso_module “${ORACLE_HOME}/ohs/modules/mod_osso.so”
  5.  

<IfModule osso_module>

  OssoIpCheck off

  OssoIdleTimeout off

  OssoHttpOnly off

  OssoSecureCookies off

  OssoConfigFile MW_Home1/asinst_1/config/OHS/ohs1/osso/osso.conf

 

  <Location /discoverer/plus>

  require valid-user

  AuthType Osso

  </Location>

 

  <Location /discoverer/viewer>

  require valid-user

  AuthType Osso

  </Location>

 

  <Location /discoverer/app>

  require valid-user

  AuthType Osso

  </Location>

 

</IfModule>

  1. Save the mod_osso.conf file.
  2. Restart Oracle HTTP Server by running the following opmnctl commands located at ORACLE_INSTANCE\bin directory:
  3. opmnctl stopall
  4. opmnctl startall

 Post Steps :

  1. Ensure that the value of OssoConfigFile is set correctly in mod_osso.conf file. Ensure that the values of OssoIPCheck and OssoHTTPOnly parameters in the mod_osso.conf file are set to off.
  2. Start Fusion Middleware Control, and navigate to the Discoverer Administration page. Select the ‘Allow authenticated Oracle Single Sign-On (SSO) users to create and use private connections to SSO-enabled Oracle Applications databases, without entering a password’ check box. Verify attribute enableAppsSSOConnection=”true”in $DOMAIN_HOME/config/fmwconfig/servers/WLS_DISCO/applications/<discoverer_version>/configuration/configuration.xml
    1. Restart the Oracle Access Manager server that is hosting the OSSO Agent.
    2. Verify whether the Oracle BI Discoverer URLs can be accessed through the OAM authentication screen.

To enable WNA for application domain disco_agent

Policy Configuration ->Application domains->disco_agent->authentication Policy->protected Resource Policy

Change the Authentication Scheme to “KerbrosScheme” (one which is already being used by WNA enabled EBS Application domain)

 

Save the changes.

Add the TNS details for EBS to be accessed using Discoverer, on Discoverer side.

That EBS Instance must be SSO enabled and configured with Same OAM Instance.

Now,Open the URL : http://cph-core-db01-s:8888/discoverer/plus

Since its WNA enabled, you will directly see below page for my user (there are three connections defined).

 

To use SSO, we have to create private connections respectively for each user (Three defined for my user).

How to add a New Connection :

1. Access http://cph-core-db01-s:8888/discoverer/plus 

2. Click on create Connection Button.

3. Fill the details like its given in below snapshot

4. click continue and it will populate your username in user name field automatically

5.  Click Ccontinue, then select the responsibility from dropdown and click continue again.

6. Select end user type from dropdown, click continue (your connection is now created ) and will connect for first time to Disco plus applet.

 

Now this private connection will be visible on Discover Plus home page for your user.

Points to note :

1. http://cph-core-db01-s:8888/discoverer/plus  will be the single URL for users (we don’t need users to use connection key)

2. Since each user can have his/her own private connections, like for my user HARSN-IN (you will have different private connections for your respective user)

 

 

 

Private connections of one user, won’t be visible to another user and vice –versa.

So given that each user has made his/her private connection, when he /she will access this  http://cph-core-db01-s:8888/discoverer/plus URL . the user will see the connections defined for his/her user.

3.  When they will click on the connection they want to access , Discoverer Plus Applet will open without asking for any credentials directly (SSO working).

 

4.  Users will have to define connections themselves which they frequently use on Home page of discoverer Plus.

5.  AFAIK , SSO works for defined private connections only not for the below part of home page (Connect directly) :

  

 Refer The below Notes from Metalink :

Using Discoverer 11.1.1 with Oracle E-Business Suite Release 12 (Doc ID 1074326.1)

How To Integrate Discoverer 11g With Oracle Access Manager ( OAM / SSO ) 11g (Doc ID 1448235.1)

About the Author Masroof Ahmad

Leave a Comment:

16 comments
ashrafias says October 30, 2013

Hi Team

Thanks so much for the post.

Could you please give me the steps to integrate ESSO with Oracle E business suite R12.

Regards

Reply
    Harinderjit says October 31, 2013

    Hi ,

    I hope Below note will help you to achieve that :

    Integrating Oracle E-Business Suite Release 12 with Oracle Access Manager 11gR2 (11.1.2) using Oracle E-Business Suite AccessGate [ID 1484024.1]

    If this doesnt suffice, you can have a look into Atul’s Book ” EBS integration with OAM 11g R2 ” .

    Regards,
    Harinderjit

    Reply
Marcelo says February 18, 2014

Hello:

Could you please add more info about:
“Add the TNS details for EBS to be accessed using Discoverer, on Discoverer side.”

Thanks.

Reply
    Harinderjit says March 12, 2014

    Hi Marcelo,

    You can ssh to Discoverer server . Then open “/config/tnsnames.ora” and add the entries for EBS instances to be added .

    Regards,
    Harinderjit Singh

    Reply
Purva says March 7, 2014

Hello,

We have OAM11gR2PS2 integrated with EBS 12.1.3 with OID(synched with AD using DIP). We need to configure WNA for internal users. Could you please share the steps?

Thanks,
Purva

Reply
    Harinderjit says March 12, 2014

    Hi Purva,

    Get the Keytab generated for ur Host server from AD team . Place it on a location on ur host server (OAM Server ). Then using OAM console chnage the Authentication scheme to kerbros scheme in ur authentication policy . Do necessary changes to Kerbros Authentication module (path of keytab). Bounce OAM.

    Regards,
    Harinderjit Singh

    Reply
purva says March 12, 2014

Thanks HarinderJit!

WNA works fine without oam-ebs integration. In oam-ebs integrated env, OID is set as default id store.
I need to know if WNA can be configured in such an integration.

Thanks,
Purva

Reply
Harinderjit says March 12, 2014

Yes Purva, It will work .

Reply
purva says March 12, 2014

great!
Thanks Harinderjit!

Regards,
Purva

Reply
atlusr says April 1, 2014

Hi Atul,

Have a question. We setup SSO for Discoverer and now we want to use a VIP so our Base URL needs to be changed. Currently we access Discoverer using the below URL:

http://bdev01:8888/discoverer/plus

we need to use the below URL instead, rather than using the machine name we are using the alias

http://discod.mycomapny.com/discoverer/plus

Inside OAM we changed the based URL to http://discod.mycomapny.com

copied over the new mod_osso.conf to the discoverer OHS restarted OHS but it gives us SSO Error it’s not recognizing the new url. Is there anything else we need to do.

Thanks

Reply
imad says June 4, 2015

Hi,
thank you for this work.

i fellow your steps, but i used oam 11g R1 instead of oam 11g R2.

the rediction to oam auth succesd, but in oam page auth, this error displayed:

<>

have you any idea?

Reply
imad says June 4, 2015

Hi,
thank you for this work.

i fellow your steps, but i used oam 11g R1 instead of oam 11g R2.

the rediction to oam auth succesd, but in oam page auth, this error displayed:

System error. Please re-try your action. If you continue to get this error, please contact the Administrator.

have you any idea?

Reply
shashikant says July 3, 2016

Hi Can we integrate discover 11.1.17.0 with OAM 11GR2 PS3?. If so could you please provide high level steps?.

Reply
shashikant says July 3, 2016

Hi, someone who is integrated the oam with discover could share number?. It’s kind of urgent.

Reply
TT says May 24, 2017

Can we have OID as a single source of user authentication ? We do not have AD and WNA setup. All users are stored in OID. EBS already uses OID/OAM for SSO.

Thanks
Tony

Reply
Add Your Reply