OSSO_OEBS Integration issue in cluster node

Hi All,

The OSSO_OEBS integration issue on the cluster nodes, which had been open for more than a year, has been fixed. This post covers the details of the issue and its solution.

Environment details:

Oracle Single Sign on Server

——————————————-

Oracle Application Server Single Sign-On 10.1.4.3 (HTTP, OC4J, and OID), OAM 10g, OAS 10g and OIM 9.2 services run on two clustered nodes. The DB is in RAC mode.

OIM is deployed in Oracle Application Server. In our project OIM is the master source: a user is first created in OIM and then provisioned to the respective tracks through connectors. Here, we create the user in OIM and provision it to OID and OEBS.

E-Business suite App tier

———————————–

It’s a multi-node environment (12.1.3, unified APPL_TOP) with forms, application listener, web services and (concurrent) report server running on two clustered nodes. The DB is in RAC mode. We integrated OAM with OSSO using the following document: OAM 10g: Integrating Oracle Application Server Single Sign-On with Oracle Access Manager Step by Step [ID 979827.1]

Previously the OEBS version was 12.0.6, and we tried to integrate OSSO with OEBS using Integrating Oracle E-Business Suite Release 12 with Oracle Internet Directory and Oracle Single Sign-On 10gR3 (10.1.4.3) (Doc ID 376811.1)

Based on the above doc, we executed the following on the OEBS server.

1. Execute the following command

$FND_TOP/bin/txkrun.pl -script=SetSSOReg -provisiontype=2

An error occurred when executing the above script:

java.sql.SQLException: Io exception: The Network Adapter could not establish the connection.

We raised a ticket with Oracle for this issue. They finally confirmed that it is a product bug and mentioned that the integration will work if the DB is in active/passive mode, but our environment runs in active-active mode. After some months the OEBS team upgraded the product from 12.0.6 to 12.1.3, and we re-executed the script. This time the OSSO registration succeeded, but we were unable to log in to the OEBS application.

The following workarounds helped us fix the above issues.

Troubleshooting tips:

  1. Upgrade the version from 12.0.6 to 12.1.3
  2. Register OEBS with OSSO using the following command on the OEBS server
$FND_TOP/bin/txkrun.pl -script=SetSSOReg -provisiontype=2
  3. Verify the SSO system profile information

Application SSO LDAP Synchronization: Enabled

Applications SSO Auto Link User: Enabled

Applications SSO Enable OID Identity Add Event: Enabled

Applications SSO Login Types: SSO (SYSADMIN and GUEST should be LOCAL)

Applications SSO Type: SSWA w/SSO

Applications SSO Linking Source of Truth: Oracle Internet Directory

  1. After this, we tried to log in to the OEBS application using http://hostname.domain:port/OA_HTML/AppsLocalLogin
  2. We were redirected to OSSO for authentication.
  3. We got the following error after OSSO authentication.
“Your Oracle E-Business Suite account has not been linked with the Single Sign-On account that you just entered.”

This is not really an error. What the message is saying is that the ORCLGUID attribute in OID for this user does not match the USER_GUID in the FND_USER table. This issue can occur when the E-Business Suite users are not manually loaded into OID. Let’s look at an example, user 45156:
FILENAME = fnd_user.txt
1142 45156 29-OCT-11 1113 23-OCT-11 -1 102203 ZHE5B953B16EEDDA73606A216471D88061774105720DEA99234346BE6032628653AF90E6519B1C997166ABEE0C9C0425DA4F ZHF4168873BC5DE2A0D465244A87AF8A53022146263DCF5F13E429AD99201C89D6B5496179C96063C703199389BA5E2A3653 0 23-OCT-11 23-OCT-11 135 5204
From the SQL output we can see that no USER_GUID is set for user 45156. However, looking at OID for that user:
ldapsearch -h hostname -p 389 -D "cn=orcladmin" -w admin123 -s subtree -b "" "uid=45156" orclguid
--------------------------------------------------------------------------------------------------------------------
-bash-3.00$ ./ldapsearch -h hostname -p 389 -D "cn=orcladmin" -w admin123 -s subtree -b "" "uid=45156" orclguid
cn=45156,cn=employee,cn=users,dc=co,dc=in
orclguid=AF8FD9D684051D61E040640A4D2568B5
We can see that the orclGUID is set in OID but not in OEBS:
FND_USER USER_GUID = NULL (no matching value in OEBS)
OID orclguid = AF8FD9D684051D61E040640A4D2568B5

We should be able to bypass this issue by setting “Applications SSO Auto Link” to Enabled: with this setting, when a user signing in via SSO already exists in FND_USER, the orclguid and USER_GUID are matched. Here it’s already enabled, so fingers crossed again.

  1. We have “Applications SSO Auto Link” set to enabled but auto link is still not working

The most likely cause for this issue is discussed in

“Applications SSO Auto Link User” (APPS_SSO_AUTO_LINK_USER) Profile option doesn’t work and still ask to manually link the user (Doc ID 399117.1)

  1. Log in to Oracle Applications as the “SYSADMIN” user through the Oracle Applications Local Login Homepage:

http://hostname.domain:port/OA_HTML/AppsLocalLogin.jsp

  2. Select the “System Administrator” responsibility.
  3. Select “Security: User”, then select the “Define” function.
  4. Query for the user 45156
  5. Remove the value in the “end date” field if found.
  6. Re-test the login using user 45156

If the “Your Oracle E-Business Suite account has not been linked with the Single Sign-On account that you just entered.” error still occurs then perform the steps below

  1. Log a telnet session into one of the E-Business Suite web tiers
  2. Open a SQL*Plus session as the APPS user and then run the commands below

SQL> set serveroutput on

SQL> @$FND_TOP/patch/115/sql/fndssouu.sql 45156;

You should see a message similar to the following:

PL/SQL procedure successfully completed.

Commit complete.

  3. Re-test the login using user 45156; this time it succeeded.
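
The GUID comparison walked through above for user 45156 can be run over a whole user list instead of one account at a time. The following is an added example, not code from the original post or from Oracle; the spool layout (USER_NAME|USER_GUID|END_DATE), every sample row other than user 45156's orclguid, the state names and the function names are assumptions.

```python
# Added example (not from the original post): classify E-Business Suite users by
# comparing FND_USER.USER_GUID with OID's orclguid. LDAP_OUTPUT is constructed in the
# post's ldapsearch form (DN line, attr=value lines); only 45156's GUID is the post's.
LDAP_OUTPUT = """\
cn=45156,cn=employee,cn=users,dc=co,dc=in
orclguid=AF8FD9D684051D61E040640A4D2568B5

cn=45157,cn=employee,cn=users,dc=co,dc=in
orclguid=00000000000000000000000000000A01

cn=45158,cn=employee,cn=users,dc=co,dc=in
orclguid=00000000000000000000000000000A02
"""

# Constructed FND_USER spool; assumed layout USER_NAME|USER_GUID|END_DATE.
FND_USER_SPOOL = """\
45156||
45157|00000000000000000000000000000B99|
45158||2011-10-29
45159|00000000000000000000000000000a03|
"""

def parse_ldap(text):
    """Map the first RDN value of each DN (assumed to be the uid) to its orclguid."""
    guids = {}
    for entry in text.split("\n\n"):
        lines = [l.strip() for l in entry.splitlines() if l.strip()]
        if not lines:
            continue
        attrs = dict(l.split("=", 1) for l in lines[1:] if "=" in l)
        attrs = {k.lower(): v.upper() for k, v in attrs.items()}
        if attrs.get("orclguid"):
            guids[lines[0].split(",", 1)[0].split("=", 1)[1].upper()] = attrs["orclguid"]
    return guids

def link_states(ldap_text, spool_text):
    """Return {USER_NAME: state} for every row of the FND_USER spool."""
    oid, states = parse_ldap(ldap_text), {}
    for row in spool_text.strip().splitlines():
        name, guid, end_date = (f.strip() for f in row.split("|"))
        oid_guid = oid.get(name.upper())
        if oid_guid is None:
            states[name] = "NOT_IN_OID"
        elif guid:
            states[name] = "LINKED" if guid.upper() == oid_guid else "GUID_MISMATCH"
        else:  # USER_GUID is NULL (user 45156 in the post); the post clears any end date first
            states[name] = "UNLINKED_END_DATED" if end_date else "UNLINKED"
    return states

print(link_states(LDAP_OUTPUT, FND_USER_SPOOL))
```

Users reported as UNLINKED_END_DATED correspond to the end-date check in the Define User form, and UNLINKED users are the ones the auto link or the fndssouu.sql step applies to.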

I hope this blog will help you. Thanks

About the Author sarath

An Oracle Identity and Access Management professional, having working on Oracle Access Manager Single Sign-On implementations, Installation/Configuration of Identity Server, Web Pass, Web Gate, Access Gate, Policy Manager, Access Server, Policy Domains, Authentication /Authorization schemes, Single Sign-On (single and multi-domain), OIM, OVD, OID, OAAM, OIF, High Availability/Failover/ SSL deployment.
