Provision an Oracle E-Business Suite Instance

Requirements for Provisioning a New Environment

With the automated provisioning options in Oracle E-Business Suite Cloud Manager, you can create a new environment of Oracle E-Business Suite.

For information on options for new environments, see Section 4.2.1, Provisioning Oracle E-Business Suite in My Oracle Support Knowledge Document 2517025.1, Getting Started with Oracle E-Business Suite on Oracle Cloud Infrastructure.

Cloud Services Minimum Resource Recommendations

To provision a new environment, we recommend that you have cloud service resources that match or exceed those specified in the following table:

Table 9-1 Cloud Services Minimum Resource Recommendations

| Description | Machine Type | Number of Machines | OCPUs | Memory | Storage | External IPs |
| --- | --- | --- | --- | --- | --- | --- |
| Oracle E-Business Suite Cloud Manager | VM | 1 | 1 | 7 GB | 55 GB (block) | 1 |
| A load balancer (You can use your own load balancer or Load Balancer as a Service [LBaaS]) | Not applicable | Not applicable | Not applicable | Not applicable | Not applicable | 1 |
| Application tier | VM | n (where 'n' is the number of application tier nodes in the target environment) | n*m (where 'm' is the number of OCPUs in the shape selected for the application tier; the minimum for 'm' is 1) | Release 12.2 = 14 GB per VM; Release 12.1 = 7 GB per VM | Shared application tier: 170 GB + 40 GB for each additional application tier (block); Non-shared application tier: 170 GB x n (block); Per language: 16 GB (block) | n |
| Database tier on Oracle Cloud Infrastructure Compute | VM | 1 | 2 | 14 GB | Vision demo: 300 GB; Fresh install: 200 GB | 1 |
| Database tier on Base Database Service 1-Node DB System (Single Instance) | VM | 1 | 2 | 14 GB | Vision demo: 256 GB; Fresh install: 256 GB; Total storage: 712 GB [1] | 1 |
| Database tier on Base Database Service 2-Node DB System (Oracle RAC) | VM | 2 | 2 per VM | 30 GB per VM | Vision demo: 256 GB; Fresh install: 256 GB; Total storage: 912 GB [1] | 2 |
| Database tier on Exadata Database Service Dedicated (Oracle RAC) [2] | See footnote [2] | See footnote [2] | See footnote [2] | See footnote [2] | See footnote [2] | See footnote [2] |

Footnotes on Table 9-1:

  1. The Available Storage Size and Total Storage Size are different. For more information, see About Oracle Base Database Service.

  2. For a database tier on Exadata Database Service Dedicated, the minimum requirement is an Exadata X10M, X9M, X8M, X7, or X6 base model with a 2-node Oracle RAC.

One-Click Provisioning

One-Click Provisioning streamlines the process of provisioning a new environment by using preset topology options.

In Oracle E-Business Suite Cloud Manager 24.1.1 and later, you have the option to provision your environment using a fresh install image, in addition to the demo install image available in previous versions. Use the demo install image to conduct demonstrations with example data and explore new features. Use the fresh install image to tailor the resulting environment and data to your specific business needs.

The One-Click option is available if your network administrator created the necessary network resources for your Oracle E-Business Suite Virtual Cloud Network (VCN), using the ProvisionOCINetwork.pl script. These resources are grouped into a default network profile called DEFAULT_PROFILE_ONECLICK. Your Oracle E-Business Suite Cloud Manager administrator must also upload this network profile using the UploadOCINetworkProfile.pl script. One-Click Provisioning uses the subnets and security lists defined in the DEFAULT_PROFILE_ONECLICK network profile. See Create Network Resources For Deploying Oracle E-Business Suite Instances.

Your new environment will be created with the application tier and database tier on a single Compute instance using default configuration options. With the demo install image, the Enterprise Command Center Framework tier is included. Your environment has the following characteristics:

Note the following:

To create a more advanced deployment, instead of using One-Click Provisioning you can follow the steps in the section Advanced Provisioning.

Prerequisites

Provision an Environment using One-Click Provisioning

  1. On the Oracle E-Business Suite Cloud Manager Environments page, click Provision Environment and select One-Click.

  2. Enter the values for your new environment:

    • Environment Name: Accept the system-generated name or enter a new name for your environment. For example: usdev1

    • Database: Vision Demo Install or Fresh Install

    • EBS Version: Select the Oracle E-Business Suite version for your environment.

    • DB Version: Select the database version for your environment.

    The available database versions depend on the Oracle E-Business Suite version you selected. See Section 4.2.1, Provisioning Oracle E-Business Suite in My Oracle Support Knowledge Document 2517025.1, Getting Started with Oracle E-Business Suite on Oracle Cloud Infrastructure.

    For information on options for new environments, see.

  3. Enter a new password for the APPS account. This password will also be used for the APPLSYS and APPS_NE accounts.

  4. Enter a new EBS_SYSTEM password. This password must contain alphanumeric characters only. For more information on the Oracle E-Business Suite System Schema and the EBS_SYSTEM password, see My Oracle Support Knowledge Document 2755875.1, Oracle E-Business Suite Release 12.2 System Schema Migration.

  5. Enter a new WebLogic Server password. The password must be at least eight characters, and it must contain at least one alphabetic character plus at least one special character from ! " # $ % & ( ) * + , - . / : ; = < > ? @ ][ ^ _ ` { | } ~ or at least one numeric character.

  6. Optionally enter tagging information in the Tags region.

    • Tag Namespace: Select a predefined tag namespace or select None (add a free-form tag).

    • Tag Key: Enter the name you use to refer to the tag.

    • Value: Enter the value for the tag key.

  7. Click Submit.

  8. You can check the status of the job to provision the environment on the Jobs page.

    After the environment is successfully provisioned, perform any necessary post-provisioning steps listed below.

Post-Provisioning Steps for One-Click Provisioning

After the One-Click environment is successfully provisioned, you must follow instructions in Perform Post-Provisioning and Post-Cloning Tasks to enable user access. Specifically, you must follow the instructions in these steps:

  1. Manually Configure Firewall When Using Oracle HTTP Server or an On-Premises Load Balancer as the Web Entry Point (Conditionally Required)

  2. Update Web Entry Host and Domain Name (Conditionally Required)

  3. In addition, if you chose the Vision Demo Install and plan to use Enterprise Command Centers in this environment, follow these instructions:

Advanced Provisioning

With Advanced Provisioning you can configure your own topology for a new environment, instead of using the basic preset topology options in One-Click Provisioning. Environments are created using the following sources:

Note these additional key attributes:

In addition, you can configure multiple zones in your environment. Each zone has its own web entry point and application tier nodes. Each zone can have its own load balancer to manage traffic, or multiple zones of the same type can share a load balancer. One zone is created by default when you provision an environment. For more information on using zones, see: My Oracle Support Knowledge Document 1375670.1, Oracle E-Business Suite Release 12.2 Configuration in a DMZ.

In the example in the following illustration, internal zones and external zones are configured. Internal users can access the private zones in the virtual cloud network over VPN through the Dynamic Routing Gateway (DRG). Each of the two internal zones includes a load balancer that directs the traffic to a set of application tier nodes. Likewise, external users can access the external zones using different URLs. This example shows that you can share a single load balancer between multiple zones. This load balancer is in a public subnet, allowing external users' requests to be passed into the DMZ by the Internet Gateway (IGW). The database is deployed in a private subnet in this configuration.

Example Virtual Cloud Network with an Internal Zone and External Zone

Prerequisites

Additional Requirements for Exadata Database Service Dedicated

If you plan to use Oracle E-Business Suite Cloud Manager Advanced Provisioning to provision your database to a pre-existing Exadata Database Service Dedicated instance, you must first ensure that the SSH keys associated with the Oracle E-Business Suite Cloud Manager Virtual Machine (VM) are added to the associated Exadata VM cluster. Follow the instructions below to obtain the Oracle E-Business Suite Cloud Manager VM SSH key and copy it to the Exadata VM cluster. For more information about Oracle E-Business Suite Cloud Manager deployment prerequisites, refer to Deploy Oracle E-Business Suite Cloud Manager on Oracle Cloud Infrastructure.

  1. Log in to the Oracle E-Business Suite Cloud Manager VM as the oracle user and display the public SSH key, as shown below:

    $ cd ~/.ssh
    $ cat id_rsa.pub

  2. Copy the contents to the clipboard.

  3. Sign in to the Oracle Cloud Infrastructure Console.

  4. Using the menu, navigate to Oracle Database, then Oracle Exadata Database Service on Dedicated Infrastructure.

  5. Choose the compartment where your infrastructure is located.

  6. Under Oracle Exadata Database Service on Dedicated Infrastructure, select Exadata infrastructure, and click on your Exadata infrastructure resource to go to the Exadata Infrastructure Details page.

  7. Click on the name of the Exadata VM Cluster.

  8. Select Add SSH Keys.

  9. Select Paste SSH Keys, and paste the content previously copied into the SSH KEYS field.

  10. Click Save Changes.
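Before pasting in step 9, it is worth confirming that the copied text is the public half of the key pair (id_rsa.pub, never id_rsa), that it was not truncated, and recording its fingerprint for the change record. The following Python sketch is an added example, not part of the Oracle documentation; the function names and the sample key are constructed for illustration.

```python
import base64
import binascii
import hashlib
import struct

# Key types OpenSSH writes to *.pub files.
KNOWN_TYPES = {
    "ssh-rsa", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def check_public_key(text):
    """Validate one OpenSSH public key line; return (key_type, fingerprint).

    Raises ValueError if the text is a private key, is not a single key
    line, is truncated, or its blob does not match the declared key type.
    """
    if "PRIVATE KEY" in text:
        raise ValueError("this is a private key; copy id_rsa.pub, not id_rsa")
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) != 1:
        raise ValueError("expected exactly one key line, got %d" % len(lines))
    fields = lines[0].split(None, 2)  # <type> <base64> [comment]
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    if key_type not in KNOWN_TYPES:
        raise ValueError("unrecognized key type: %r" % key_type)
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("key data is not valid base64 (truncated paste?)")

    # The blob is a sequence of length-prefixed fields; the first repeats
    # the key type. A paste cut short ends in the middle of a field.
    offset, parts = 0, []
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("key data is truncated")
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        if offset + length > len(blob):
            raise ValueError("key data is truncated")
        parts.append(blob[offset:offset + length])
        offset += length
    if not parts or parts[0] != key_type.encode("ascii"):
        raise ValueError("key type inside the blob does not match the prefix")

    # Same SHA256 fingerprint format that `ssh-keygen -lf` prints.
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")
    return key_type, fingerprint


def ssh_string(data):
    """Encode bytes as an SSH length-prefixed string."""
    return struct.pack(">I", len(data)) + data


def constructed_sample_key():
    """Build a well-formed ssh-rsa line from made-up numbers (constructed
    sample data; not a usable key)."""
    exponent = (65537).to_bytes(3, "big")
    modulus = b"\x00" + bytes(range(1, 129))
    blob = ssh_string(b"ssh-rsa") + ssh_string(exponent) + ssh_string(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " oracle@constructed-example"


if __name__ == "__main__":
    sample = constructed_sample_key()
    print(check_public_key(sample))
    for bad in ("-----BEGIN OPENSSH PRIVATE KEY-----\n...", sample[:-40]):
        try:
            check_public_key(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

To check the real key, pass the contents of ~/.ssh/id_rsa.pub to check_public_key().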

Access the Advanced Provisioning Feature

Advanced Provisioning can be used to create a new environment or create an environment from a backup. Navigate to Advanced Provisioning using one of the following options. Then continue either to Enter Installation Details for a New Implementation or Enter Installation Details for an Environment from a Backup depending on the option you chose.

Enter Installation Details for a New Implementation

  1. Enter details for your new environment:

    • EBS Compartment: Select your Oracle E-Business Suite compartment. Only compartments that you have access to are available in the list. The default is your root compartment.

    • Network Profile: Select the network profile that contains the network resources you want to use to provision your environment. For example: DEFAULT_PROFILE_ADVANCED.

      Note: If you plan to provision an environment which contains a multinode application tier with a shared file system, your network profile must support FSS and therefore you cannot use the default profile.

      Click the information icon to view the Network Profile Details. You may wish to capture this information for use later in the interview.

    • Environment Name: Enter a name for your environment. For example: usdev1

  2. Ensure that the New Installation option is selected. Then enter values for the following:

    • Database: Select the type of environment you want to create, either Vision Demo Install or Fresh Install.

    • EBS Version: Select the Oracle E-Business Suite version for your environment.

    • DB Version: Select the database version for your environment. The available database versions depend on the Oracle E-Business Suite version you selected.

  3. Enter a new password for the APPS account. This password will also be used for the APPLSYS and APPS_NE accounts.

  4. If Oracle E-Business Suite System Schema Migration has been completed on the source environment, then enter a new EBS_SYSTEM password. This password must contain alphanumeric characters only. For more information on the Oracle E-Business Suite System Schema and the EBS_SYSTEM password, see My Oracle Support Knowledge Document 2755875.1, Oracle E-Business Suite Release 12.2 System Schema Migration.

  5. Enter a new WebLogic Server password. The password must be at least eight characters, and contain at least one alphabetic character plus at least one special character from ! " # $ % & ( ) * + , - . / : ; < = > ? @ ][ ^ _ ` { | } ~ or at least one numeric character.

  6. Optionally select your operating system time zone. This is the operating system time zone for your application and database tier nodes. For more information on time zone support, see: Time Zone Support in Oracle E-Business Suite Cloud Manager.

    The default value for a Fresh Install implementation is 'UTC'.

    For a Fresh Install instance, leave the Bypass Server Timezone Profile Validation box unchecked.

    The default value for a new implementation for Vision Demo Install is 'America/Chicago', the time zone for the Vision Demo instance.

    For a Vision Demo Install instance, Oracle E-Business Suite Cloud Manager will validate your selection for the server time zone, unless you check the box Bypass Server Timezone Profile Validation.

    Note: If you are provisioning on an Exadata Database Service Dedicated instance, when the Bypass Server Timezone Profile Validation box is unchecked, the system will set the time zone variable (TZ) in the database environment file and the SRVCTL utility will use this time zone value.

  7. Optionally enter tagging information in the Tags region.

    • Tag Namespace: Select a predefined tag namespace or select None (add a free-form tag).

    • Tag Key: Enter the name you use to refer to the tag.

    • Value: Enter the value for the tag key.

  8. Click Next. Now continue to the section Enter Database Information for the next steps.

Enter Installation Details for an Environment from a Backup

  1. Enter details for your new environment:

    • Environment Name: Enter a name for your environment. For example: usdev1

    • Network Profile: Select the network profile that contains the network resources you want to use to provision your environment. For example: DEFAULT_PROFILE_ADVANCED

      Click the information icon to view the Network Profile Details. You may wish to capture this information for use later in the interview.

  2. In the Installation Type region, ensure that the Provision from Object Storage Backup option is selected. Then enter values for the following:

    • Backup Bucket: Select the backup from which you want to provision the environment. If you navigated to Advanced Provisioning from the Backups page or from the Backups region in an environment details page, then the backup you chose there is selected by default.

    • Backup Encryption Password: Enter the encryption password that was specified for the backup when the backup was created.

    • Backup Apps Password: Enter the password for the Oracle E-Business Suite APPS schema for the source environment.

    • Source Wallet Password: (Conditionally Required) If you selected a backup created from a TDE-enabled source environment, enter the source wallet password.

    • New EBS_SYSTEM Password: If Oracle E-Business Suite System Schema Migration has been completed on the source environment, then enter a new EBS_SYSTEM password. This password must contain alphanumeric characters only. For more information on the Oracle E-Business Suite System Schema and the EBS_SYSTEM password, see My Oracle Support Knowledge Document 2755875.1, Oracle E-Business Suite Release 12.2 System Schema Migration.

    • New WebLogic Server Password: (Conditionally Required) Enter the password that you want to set for the Oracle WebLogic Server administration user on the target environment. This field appears only if you selected a backup created from a source environment on Oracle E-Business Suite Release 12.2. Note that this password should comply with the WebLogic Server Policy that was present on the source instance at the time the backup was taken. If the default policy was set for the source instance, then provide a password complying with the default policy. If a custom policy was set for the source instance, then provide a password complying with the custom policy.

  3. Optionally select your operating system time zone. This is the operating system time zone for your application and database tier nodes. For more information on time zone support, see: Time Zone Support in Oracle E-Business Suite Cloud Manager.

    Oracle E-Business Suite Cloud Manager will validate your selection for the server time zone, unless you check the box Bypass Server Timezone Profile Validation.

    Warning: If you choose to override the time zone defined in the backup environment, then the operating system for the new environment will be configured to use the selected time zone. After you provision your environment, and prior to starting any database and application tier services, you must set the TZ environment variable to match the Server Timezone profile option. Failure to do so could lead to data corruption. See: Time Zone Support in the Oracle E-Business Suite Setup Guide.

  4. Optionally enter tagging information in the Tags region.

    • Tag Namespace: Select a predefined tag namespace or select None (add a free-form tag).

    • Tag Key: Enter the name you use to refer to the tag.

    • Value: Enter the value for the tag key.

  5. Click Next. Oracle E-Business Suite Cloud Manager will validate all passwords. The WebLogic Server password will be validated based on the default/custom policy set on the source instance of the backup.

    If there are any validation issues, errors will be displayed. Correct the passwords and click Next to proceed.

Enter Database Information

  1. Select the Cloud Database Service option for your environment, either Compute, Virtual Machine DB System (Base Database Service 1-Node or 2-Node DB System), or Oracle Exadata Database Service (Exadata Database Service Dedicated).

  2. If you chose Compute for the Cloud database service, enter the following:

    • DB SID: Enter the database SID. For example: demodb

    • PDB Name: If the database version is 19c, enter the pluggable database (PDB) name.

    • Logical Hostname: Provide the logical hostname that will be used as part of the Oracle E-Business Suite configuration. Note that this is not the physical hostname.

    • Logical Domain: Provide the logical domain that will be used as part of the Oracle E-Business Suite configuration. Note that this is not the physical domain.

    • Operating System: Choose whether to deploy the new environment on Oracle Linux 7 or Oracle Linux 8.

      If the backup was taken on an instance that is on Oracle Linux 8, then in restoring the backup you can choose only Oracle Linux 8.

    • Shape: Select a shape. You can choose VM.Standard.E4.Flex or VM.Standard3.Flex shape based on the availability in the OCI region. Ensure that you have checked your quota in advance. When choosing a flexible shape option, use the slider to choose the number of OCPUs. Choose a number between 1 and 64.

      The amount of memory is determined by the number of OCPUs, and is currently set to 16 GB for each OCPU.

    • Enable TDE: Select this option if you want to enable Transparent Database Encryption (TDE) for a new environment on Compute, or for an environment on Compute that is created from a backup of a non-TDE source environment. If you provision an environment on Compute from a backup of a TDE-enabled source environment, then TDE is automatically enabled. Note that to run a TDE-enabled database on Compute, you must have or acquire the Advanced Security Option (ASO).

    • Admin Password: Enter the admin password for the database. This password is also used for the users SYS, SYSTEM, and EBS_SYSTEM. This password must not contain the username 'SYS'. If TDE is enabled for the environment, then this password is also used as the TDE wallet password. The password must be 9 to 30 characters and contain at least two uppercase, two lowercase, two special, and two numeric characters. The special characters must be underscores (_), number signs (#), or hyphens (-). Re-enter the password in the next field to confirm it.

    • Fault Domain Selection: Select Automatic or Manual. If you choose Manual, you are prompted to select fault domains. Refer to Fault Domains for more information.

    • (Advanced Options) RMAN_CHANNEL_COUNT: Specify the number of Recovery Manager (RMAN) staging channels to allocate for restoring from the backup. The default value used by RMAN is 100% of the number of OCPUs. The minimum value is one channel. The maximum value is 255 irrespective of shape.

  3. If you chose Virtual Machine DB System for the Cloud database service, enter the following:

    • DB Name: Enter the database name. For example: vmdb1

    • DB Patch Level: Select a certified database patch level from the options provided, identified by the database version and the release year, month, and day.

    • Shape: Select the shape. Note that for an Oracle RAC environment, you must select a shape that supports it. For example: VM.Standard2.2 (2 OCPU, 30 GB RAM)

      You can choose VM.Standard.E4.Flex or VM.Standard3.Flex based on the availability in the OCI region. With these choices, you can choose the number of OCPUs and the amount of memory. For VM.Standard.E4.Flex, the default number of OCPUs is 4 and the default amount of memory is 64 GB.

    • Node Count: Select 1 for a Base Database Service 1-Node DB System (Single Instance), or select 2 for a Base Database Service 2-Node DB System (Oracle RAC).

    • DB Software Edition: Select the database software edition. If the Node Count is 2, then the only choice is Enterprise Edition Extreme Performance. If the Node Count is 1, then you can choose either Enterprise Edition, Enterprise Edition High Performance, or Enterprise Edition Extreme Performance.

    • Cluster Name: If the Node Count is 2, then this field appears and you can optionally enter a cluster name. For example: demo-1

    • License Type: Select License Included if you want to obtain a new license or Bring Your Own License (BYOL) if you want to use a license you already own.

    • PDB Name: If the database version is either 12.1.0.2 or 19c, enter the pluggable database (PDB) name. For example: vmdbpdb

    • Admin Password: Enter the admin password for the database. This password is used for the SYS user as well, and must not contain the username 'SYS'. This password is also used as the TDE wallet password. The password must be 9 to 30 characters and contain at least two uppercase, two lowercase, two special, and two numeric characters. The special characters must be underscores (_), number signs (#), or hyphens (-). Re-enter the password in the next field to confirm it.

    • Fault Domain Selection: Select Automatic or Manual. If you choose Manual, you are prompted to select fault domains. Refer to Fault Domains for more information.

    • (Advanced Options) RMAN_CHANNEL_COUNT: Specify the number of Recovery Manager (RMAN) staging channels to allocate for restoring from the backup. The default value used by RMAN is 100% of the number of OCPUs. The minimum value is one channel. The maximum value is 255 irrespective of shape.

  4. If you selected Oracle Exadata Database Service for the Cloud database service, enter the following:

    • Exadata VM Cluster Name: Select the name of the VM Cluster resource. The VM cluster is a child resource of the infrastructure resource, providing a link between your Exadata cloud infrastructure resource and Oracle Database. For information on using the cluster resource, see: Overview of X8M and X9M Scalable Exadata Infrastructure.

      Once you have selected the VM cluster, its corresponding Exadata infrastructure resource is displayed in the Exadata Infrastructure read-only field below.

      Note: This field displays only Exadata VM Clusters with a status of ACTIVE. If an action currently being performed on an Exadata VM Cluster causes the cluster to have the status UPDATING, then that cluster will temporarily be omitted from the list of values in this field. For example, if a user is adding SSH keys to an Exadata VM cluster, then it will have a status of UPDATING for a few minutes. Consequently, if you do not see the cluster you want to use, wait for the action being performed on the cluster to complete and then return to this page to select the cluster.

    • DB Name: Enter the database name. For example: exadb

    • PDB Name: If the database version is either 12.1.0.2 or 19c, enter the pluggable database (PDB) name. For example: exapdb

    • DB Patch Level: Select the database patch level, identified by the database version and the release year, month, and day.

    • Admin Password: Enter the admin password for the database. This password is used for the SYS user as well, and must not contain the username 'SYS'. This password is also used as the TDE wallet password. The password must be 9 to 30 characters and contain at least two uppercase, two lowercase, two special, and two numeric characters. The special characters must be underscores (_), number signs (#), or hyphens (-). Re-enter the password in the next field to confirm it.

    • (Advanced Options) RMAN_CHANNEL_COUNT: Specify the number of Recovery Manager (RMAN) staging channels to allocate for restoring from the backup. The default value used by RMAN is 16. The minimum value is one channel. The maximum value is 255 irrespective of shape.

  5. Click Next.
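The password rules stated for the EBS_SYSTEM and WebLogic Server passwords in the provisioning steps, and for the database Admin Password above, can be checked before the form is submitted. This Python sketch is an added example, not Oracle code: the function names are hypothetical and the sample values are constructed. It assumes "alphanumeric" means ASCII letters and digits, treats the SYS check as case-insensitive, and rejects any Admin Password character outside letters, digits, and _ # -.

```python
import string

# Special characters listed on this page for the WebLogic Server password.
WLS_SPECIALS = set('!"#$%&()*+,-./:;<=>?@[]^_`{|}~')
# Special characters this page allows in the database Admin Password.
DB_SPECIALS = set("_#-")

LETTERS = set(string.ascii_letters)
DIGITS = set(string.digits)


def check_ebs_system(pw):
    """EBS_SYSTEM: alphanumeric characters only (ASCII assumed)."""
    problems = []
    if not pw:
        problems.append("password is empty")
    # Report a count, not the characters, so no password content is echoed.
    bad = sum(1 for c in pw if c not in LETTERS and c not in DIGITS)
    if bad:
        problems.append("%d non-alphanumeric character(s)" % bad)
    return problems


def check_weblogic(pw):
    """WebLogic: 8+ chars, a letter, plus a digit or a listed special."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c in LETTERS for c in pw):
        problems.append("no alphabetic character")
    if not any(c in DIGITS or c in WLS_SPECIALS for c in pw):
        problems.append("no numeric or listed special character")
    return problems


def check_db_admin(pw):
    """Admin Password: 9-30 chars, two each of upper, lower, digit and
    special (_ # -), and must not contain SYS."""
    problems = []
    if not 9 <= len(pw) <= 30:
        problems.append("length must be 9 to 30 characters")
    if "SYS" in pw.upper():  # assumption: compared case-insensitively
        problems.append("contains the username SYS")
    counts = {
        "uppercase": sum(c in string.ascii_uppercase for c in pw),
        "lowercase": sum(c in string.ascii_lowercase for c in pw),
        "numeric": sum(c in DIGITS for c in pw),
        "special (_ # -)": sum(c in DB_SPECIALS for c in pw),
    }
    for name, count in counts.items():
        if count < 2:
            problems.append("fewer than two %s characters" % name)
    allowed = LETTERS | DIGITS | DB_SPECIALS
    other = sum(1 for c in pw if c not in allowed)
    if other:
        problems.append("%d character(s) outside letters, digits, _ # -" % other)
    return problems


# Form field label -> rule set that applies to it.
CHECKS = {
    "EBS_SYSTEM": check_ebs_system,
    "WebLogic Server": check_weblogic,
    "Admin Password": check_db_admin,
}


def precheck(passwords):
    """Take {field: value}; return {field: [problems]} for failing fields."""
    report = {}
    for field, value in passwords.items():
        problems = CHECKS[field](value)
        if problems:
            report[field] = problems
    return report


if __name__ == "__main__":
    # Constructed sample values; never reuse them.
    sample = {
        "EBS_SYSTEM": "Constructed123",
        "WebLogic Server": "constructed",
        "Admin Password": "Co_nS#t12r",
    }
    for field, problems in precheck(sample).items():
        print(field, "->", "; ".join(problems))
```

When restoring from a backup, the WebLogic Server check applies only if the source instance used the default policy; a custom policy on the source instance takes precedence, as noted in the backup installation details.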

Enter Application Tier Information

  1. Define your zones. For more information on zones, refer to My Oracle Support Knowledge Document 1375670.1, Oracle E-Business Suite Release 12.2 Configuration in a DMZ.

    Note that you can have multiple zones across subnets. You can configure your environment such that your functional redirection per zone is in accordance with functional affinity.

    Also, you can have a load balancer shared between multiple zones of the same type. This configuration allows for two separate URLs to resolve to the same IP address and the shared load balancer will target one backend set or another.

    Note too that you have flexibility in your configuration. One zone, Zone A, can have one load balancer assigned to it, while another two zones, Zone B and Zone C, can have a second load balancer assigned to them.

    You must define your internal (primary) zone first, before optionally defining additional zones.

    Enter values for the following properties:

    • Name

    • Type

      Note: For the first zone that you define, which is your primary zone, the Type is Internal and is not selectable.

  2. In the Web Entry Point region, enter values for the following properties:

    • Web Entry Type: Choose one of the following: New Load Balancer (LBaaS), Use OCI Load Balancer to select an existing OCI load balancer, Manually Configured Load Balancer to select a manually deployed existing load balancer, or Application Tier Node to choose the primary application tier as the entry point.

    • Load Balancer Shape: If you chose New Load Balancer as the web entry type, a new flexible shape load balancer will be created. Select the maximum bandwidth for your new load balancer. For example: 100 Mbps. The minimum bandwidth will default to 10 Mbps.

    • OCI Load Balancer: If you chose OCI Load Balancer for the web entry type, select an existing OCI Load Balancer from the dropdown list.

      Note: If an existing load balancer is used, then load balancer resources, such as "listener", "backend set", "backend", and "certificate", are created anew during provisioning. Preexisting load balancer resources are not used.

    • Protocol: Select the protocol for access to the environment, either http or https.

    • Hostname: Enter the host name for your web entry point. The web entry host name must be in lowercase. For example: myhost

    • Domain: Enter the domain for your web entry point. The web entry domain name must be in lowercase. For example: example.com

    • Port: Select the port for your web entry point. If there is no load balancer, then the port is automatically populated depending on the protocol: 8000 for http and 4443 for https. Otherwise, select the appropriate port for use with your load balancer, such as 80 for http or 443 for https. Note that to allow access to the Oracle E-Business Suite login URL, your network administrator must define an ingress rule in the load balancer security list. See Create Network Resources For Deploying Oracle E-Business Suite Instances.

  3. For Storage, choose the File System Type: Non-Shared or Shared.

    If you choose Shared, then you are prompted for the File Storage Mount Target. If the File Storage Mount Target for the network profile specified earlier matches any of the Mount Targets in the network compartment created on the Oracle Cloud Infrastructure, then that Mount Target appears in the list.

    For a Shared File System Type, you can also specify Mount Options. Default parameters are shown. You can edit these options, but specifying a mount option or parameter that is not supported or recommended for a shared storage file system deployment may result in a provisioning failure. Exercise extreme caution when editing these parameters, as options are not validated on this page.

    If you choose Non-Shared, you must specify a value for the Block Volume Storage field for every node in the Application Tier Nodes field.

    Important: You must ensure you specify enough storage for your nodes. Refer to Oracle E-Business Suite Installation Guide: Using Rapid Install for guidelines on space usage.

  4. In the Logical Host region, enter values for the following properties:

    • Logical Host Option: Choose Automatic or Manual.

    • Logical Hostname Prefix: If you chose Automatic, enter your desired hostname prefix.

      You do not need to enter this if you chose Manual for your logical host option, but you will be prompted for the Logical Hostname for your nodes in the Application Tier Nodes region.

    • Logical Domain: Enter the logical domain.

  5. In the Application Tier Nodes region, click Add Node to enter properties for your primary application tier node, and then for each additional application tier node in your environment.

    In the Add Node dialog window, the following properties appear. Enter the value for each property, except in the case where it has been generated for you.

    Note that you can define a specific shape for each application tier node.

    • Logical Hostname

    • Logical FQDN

    • Shape: Select a shape that is available in the OCI region. Ensure that you have checked your quota in advance. When choosing a flexible shape, for example, VM.Standard.E4.Flex, use the sliders to choose the number of OCPUs and the amount of memory (GB).

    • Block Volume Storage

      Note: If you chose a shared File System Type earlier, the Block Volume Storage value is 0.

    • Fault Domain: Select the fault domain. Refer to Fault Domains for more information.

    Click Add Node again to save your choices.

  6. Click Save Zone to save your zone definition.

  7. After you have saved the definition for your primary zone, choose a middleware licensing model, either BYOL or UCM. If you choose BYOL, you are indicating that you have purchased or transferred the perpetual licenses required for customized Oracle E-Business Suite Applications. If you choose UCM, you are adopting the Universal Credits subscription-based model, and paying for usage as you go. Make sure you understand the cost associated with this choice.

    Select either Oracle Linux 7 or Oracle Linux 8 for the operating system. Note that if you have multiple application tier nodes, this selection applies to all nodes (all nodes must be on the same operating system). Also, in restoring from a backup, if the backup is taken from an Oracle E-Business Suite instance where all application nodes are on Oracle Linux 8, then Oracle Linux 8 is the only option here.

  8. Define additional zones using the Add Zone button.

    For the additional internal zones, if New Load Balancer (LBaaS) is selected as the Web Entry Type for the first zone, then an extra option Reuse Internal Zone1 Load Balancer is displayed in the Web Entry Type list along with the options New Load Balancer (LBaaS), Use OCI Load Balancer, and Manually Configured Load Balancer.

  9. When you are finished adding application tier nodes, scroll to the top of the window and click Save Zone to save your zone definition.

  10. When you have completed adding your zones, click Next.

Specify Your Extensibility Options

You can optionally extend the provisioning job to meet your own requirements. By default, Oracle E-Business Suite Cloud Manager follows a standard job definition for provisioning. However, Oracle E-Business Suite Cloud Manager administrators can also create extended job definitions that include additional tasks as part of the provisioning job. In this case you can select the appropriate extended job definition for Oracle E-Business Suite Cloud Manager to follow when provisioning your environment. If you select an extended job definition, you may need to enter values for input parameters required by the additional tasks in that plan.

Additional Information: For more information on using the Extensibility Framework to extend job definitions, see Set Up the Extensibility Framework.

Additionally, whether you are using the standard provisioning job definition or an extended job definition, you can choose to have Oracle E-Business Suite Cloud Manager pause at specified points during the provisioning job. For example, if you want to perform your own validations after a particular phase before allowing Oracle E-Business Suite Cloud Manager to proceed to the next phase, you can add a pause at that point. You can then resume the provisioning job when you are ready to proceed. See Monitor Job Status.

Specify Your Job Definition

  1. Optionally select an extended job definition for provisioning your environment in the Job Definition field.

  2. In the Task Parameters tab, specify any parameter values required for the additional tasks in the job definition. Some parameters may include default values, which you can override as needed.

Specify Your Job Definition Details

  1. Click the Job Definition Details tab. This tab displays a list of the phases in the job definition and the tasks within each phase.

  2. To specify that Oracle E-Business Suite Cloud Manager should pause its processing before a particular phase, click the Actions icon next to that phase, and then select Add Pause.

    Note: Pauses occur before the phase at which they are defined.

  3. Click Next.

Enter SSH Keys

Optionally upload SSH keys for users.

Note: You cannot add keys after the provisioning process is completed.

Note: If you selected Exadata Infrastructure as your Cloud database service, then you can add keys to the application tier only.

  1. Click Add Key.

  2. Specify the tiers for the SSH key. Choose All Tiers, Application Tier, or Database Tier.

  3. Specify the pertinent OS User type. Choose All Users, Operating System Administrator, or Application Administrator.

  4. Upload the SSH key file. The file name is filled in automatically.

  5. The system will validate the SSH key. Click Next to continue.

Review Your Advanced Provisioning Details

  1. Review the installation details, including:

    • Installation details, including environment name, installation type, network profile, and operating system time zone.

    • Database details, including database service type, database name, and pluggable database name. For Exadata Database Service Dedicated instances, the cluster name is included. If the database service type is Compute, then the operating system is also listed.

    • Application tier details, including:

      • Middleware licensing model

      • Operating system

      • Storage information. For the shared file system type, the mount target and mount options are shown.

      • Web entry details

      • Information on zones

    • Job definition details.

    • SSH Key information.

  2. To provision your environment, click Submit.

  3. You can check the status of the job to provision the environment in the Jobs page.

Known Issues for Advanced Provisioning

Workaround for Oracle Database 19c Restore Failure

When using the Oracle E-Business Suite Cloud Manager Advanced Provisioning to provision from a backup containing Oracle Database 19c, whether that backup is part of a lift and shift from on-premises or the result of a Create Backup operation in OCI, you may encounter the error "ORA-65174: invalid or conflicting name in service <service name> found in the pluggable database."

You can fix this issue by first deleting the conflicting service from the source environment. Here is the complete list of steps to work around the issue:

  1. On the database tier of the source environment, list the services registered with the database.

    $ source <cdb env file>
    $ lsnrctl status <LISTENER_NAME>
    $ sqlplus "/as sysdba"
    SQL> select NAME,NETWORK_NAME,CON_NAME,CREATION_DATE from v$active_services;

  2. Next, connect to the CDB:

    $ cd <19c home>
    $ source <cdb_sid>_<hostname>.env

    and run the query shown to list all services in the database:

    SQL> select name,enabled,creation_date,pdb from cdb_services;

  3. Ensure the conflicting service name does not appear in the lsnrctl output or in v$active_services. Perform this step to ensure that you are not deleting active services on the source. If the service does appear in either list, then do not proceed with the next steps; instead, contact your Oracle Support representative.

  4. Connect to the container and delete the service causing the conflict.

    $ cd <19c home>
    $ source <cdb_sid>_<hostname>.env
    $ sqlplus "/as sysdba"
    SQL> alter session set container="<PDB NAME>";
    SQL> exec DBMS_SERVICE.DELETE_SERVICE('<CONFLICTING SERVICE NAME>');

  5. Repeat the backup and restore operation that originally failed:

    1. Recreate the backup by running the Oracle E-Business Suite Cloud Backup Module or running the Oracle E-Business Suite Cloud Manager Create Backup feature.

    2. Use Oracle E-Business Suite Cloud Manager Advanced Provisioning to provision your new environment.
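The check in step 3 is the safety gate before the delete in step 4, and it can be done mechanically on saved command output. The following Python script is an added example, not part of Oracle's documentation. It assumes the lsnrctl status output and the v$active_services query result were saved as text, the latter spooled with the SQL*Plus settings "set heading off feedback off pagesize 0 colsep '|'"; all service names in the samples are constructed.

```python
import re

# Constructed sample of "lsnrctl status <LISTENER_NAME>" output (abridged).
LSNRCTL_STATUS = '''\
Services Summary...
Service "VISCDB" has 1 instance(s).
  Instance "VISCDB", status READY, has 1 handler(s) for this service...
Service "ebs_VIS" has 1 instance(s).
  Instance "VISCDB", status READY, has 1 handler(s) for this service...
Service "VIS_ebs_patch.example.internal" has 1 instance(s).
  Instance "VISCDB", status READY, has 1 handler(s) for this service...
The command completed successfully
'''

# Constructed sample of the v$active_services query result
# (columns: NAME | NETWORK_NAME | CON_NAME | CREATION_DATE).
ACTIVE_SERVICES = '''\
VISCDB          |VISCDB          |CDB$ROOT|01-JAN-24
ebs_VIS         |ebs_VIS         |VIS     |01-JAN-24
'''


def _norm(name):
    """Service names are compared case-insensitively."""
    return name.strip().lower()


def listener_services(lsnrctl_text):
    """Names from the 'Service "<name>" has N instance(s).' lines."""
    pattern = r'^Service "([^"]+)" has \d+ instance'
    return {_norm(m) for m in re.findall(pattern, lsnrctl_text, re.M)}


def active_services(query_text):
    """NAME and NETWORK_NAME values from the pipe-separated query result."""
    names = set()
    for line in query_text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 2 or not cols[0]:
            continue  # blank line or anything that is not a data row
        names.update(_norm(c) for c in cols[:2] if c)
    return names


def _matches(candidate, registered):
    # Conservative on purpose: a domain-qualified registration such as
    # "name.example.internal" also counts as a match for "name".
    return registered == candidate or registered.startswith(candidate + ".")


def blocking_references(service, lsnrctl_text, query_text):
    """Return (source, registered_name) pairs that show the service is in use."""
    wanted = _norm(service)
    if not wanted:
        raise ValueError("service name must not be empty")
    sources = (
        ("lsnrctl", listener_services(lsnrctl_text)),
        ("v$active_services", active_services(query_text)),
    )
    hits = []
    for source, names in sources:
        hits += [(source, n) for n in sorted(names) if _matches(wanted, n)]
    return hits


def safe_to_delete(service, lsnrctl_text, query_text):
    """True only when neither source lists the service (step 3 passes)."""
    return not blocking_references(service, lsnrctl_text, query_text)


if __name__ == "__main__":
    for svc in ("ebs_VIS", "VIS_ebs_patch", "old_reporting_svc"):
        refs = blocking_references(svc, LSNRCTL_STATUS, ACTIVE_SERVICES)
        verdict = "STOP, contact Oracle Support" if refs else "not active, may proceed"
        print(f"{svc}: {verdict} {refs}")
```

A service that is reported as still referenced must not be passed to DBMS_SERVICE.DELETE_SERVICE; the procedure above says to contact Oracle Support in that case.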

Additional Patches for the Internal Concurrent Manager

You might see issues regarding Internal Concurrent Manager (ICM) startup failure after provisioning in 12.1.3 environments. You should apply the following patches and restart Concurrent Manager Services:

After the environment is successfully provisioned, perform any necessary post-provisioning steps and access your environment following the instructions provided in Perform Post-Provisioning and Post-Cloning Tasks.

Provision a New Environment without Public Internet Access (Government Cloud Regions Only)

To provision a new environment which uses an advanced topology when your VCN is not configured for public internet access, follow these high-level steps:

  1. Provision the environment of your choice (either a Vision Demo or a Fresh Install) using One-Click Provisioning. See One-Click Provisioning.

  2. Back up the environment to object storage. See Create a Backup of a Cloud-Based Oracle E-Business Suite Environment.

  3. Provision from that backup using Advanced Provisioning. See Advanced Provisioning.

This capability is provided with Oracle E-Business Suite Cloud Manager 24.1.1 and later.

Perform Post-Provisioning and Post-Cloning Tasks

After you provision or clone an environment, you must perform some tasks to configure access and secure the environment. You may also need to perform other tasks depending on your Oracle E-Business Suite release, Oracle Database release, and the cloud service on which the database tier resides. These tasks apply for new environments created through either One-Click Provisioning or Advanced Provisioning, for environments created from a backup through Advanced Provisioning, and for environments created through cloning in Oracle E-Business Suite Cloud Manager.

Note: You can optionally use the Extensibility Framework to automate some of these tasks by adding them to custom provisioning and cloning job definitions. See Set Up the Extensibility Framework.

Implement Workaround for Oracle Databases on Exadata Database Service Dedicated (Conditionally Required)

This workaround resolves a known issue that impacts SQL*Net configuration files on secondary nodes. The steps in this section are required only for a provisioned environment with the database on an Exadata Database Service Dedicated instance with Oracle Database Release 12.1.0.2.

  1. Identify the private IP address of each secondary Exadata Database Service Dedicated node from the Exadata Database Service Dedicated Console.

  2. Perform steps 3-8 for all secondary Exadata Database Service Dedicated nodes.

  3. While logged in to the Oracle E-Business Suite Cloud Manager VM as the oracle user, use ssh to connect to the secondary Exadata Database Service Dedicated node.

  4. Obtain the ORACLE_HOME details from the oratab file:

    $ cat /etc/oratab

  5. Source the environment file:

    $ cd <ORACLE_HOME>
    $ source <SID>_<HOSTNAME>.env

  6. Navigate to the $ORACLE_HOME/network/admin directory:

    $ cd $ORACLE_HOME/network/admin

  7. Using a text editor such as vi, edit the sqlnet.ora file. First, delete all existing lines from the sqlnet.ora file. Then add the following line:

    IFILE=<ORACLE_HOME>/network/admin/<SID>_<HOSTNAME>/sqlnet.ora

  8. Create a listener.ora file with a text editor such as vi, and add the following line:

    IFILE=<ORACLE_HOME>/network/admin/<SID>_<HOSTNAME>/listener.ora

Update Profile Options (Conditionally Required)

If you provision an environment as part of a lift and shift process, then profile options, which impact the way your application looks and behaves, are carried over from the on-premises Oracle E-Business Suite environment to Oracle Cloud Infrastructure.

Profile options are handled in various ways by the automated lift and shift process through the Oracle E-Business Suite Cloud Backup Module and Oracle E-Business Suite Cloud Manager.

Review all the profile options in your newly provisioned environment and modify them as required to reflect your Oracle Cloud Infrastructure configuration.

For more information about the use of profile options in Oracle E-Business Suite, see User Profiles and Profile Options in Oracle Application Object Library, Oracle E-Business Suite Setup Guide.

Update Web Entry Host and Domain Name (Conditionally Required)

When you provision an Oracle E-Business Suite environment with One-Click Provisioning, the environment is automatically configured to use the application tier node as the web entry point, with Transport Layer Security (TLS) enabled for inbound HTTP traffic. The login URL is automatically generated in the format <instance name>.example.com, and the listener for the Oracle HTTP Server for the application tier is associated by default with a self-signed TLS certificate generated by Oracle E-Business Suite Cloud Manager.

With the simplified preset topology used in One-Click Provisioning, you cannot specify a different host and domain for the web entry point during provisioning. However, you can use the steps in this section to update the host and domain for the web entry point after provisioning is complete.

Note that if you plan to replace the self-signed certificate generated by Oracle E-Business Suite Cloud Manager with a certificate issued by a certificate authority (CA), then you must follow the steps in this section to change the domain name before you request the certificate, because you cannot obtain a certificate from a CA for the demonstration example.com domain.

If you provisioned an environment with Advanced Provisioning, you can also optionally use the steps in this section to update the host and domain for the web entry point if you need to change these values from those you initially specified during provisioning.

To update the host and domain, perform the following steps.

  1. Using a text editor such as vi, update the following variables in the context file on all application tier nodes.

    • s_webentryhost - Set the value for this variable to the new web entry host you want to use.

    • s_webentrydomain - Set the value for this variable to the new web entry domain you want to use.

    • s_external_url - Update the value for this variable to use the new web entry host and domain that you specified in the s_webentryhost and s_webentrydomain variables. Do not change any other parts of the URL value. The full new value should be in the following form:

      [http|https]://<web_entry_host>.<web_entry_domain>:<listener_port>

    • s_login_page - Update the value for this variable to use the new web entry host and domain that you specified in the s_webentryhost and s_webentrydomain variables. Do not change any other parts of the URL value. The full new value should be in the following form:

      [http|https]://<web_entry_host>.<web_entry_domain>:<listener_port>/OA_HTML/AppsLogin

  2. If you are finished updating the context file, then you should now run AutoConfig on all application tier nodes. See Using AutoConfig Tools for System Configuration, Oracle E-Business Suite Setup Guide.

    Note: If you plan to make additional changes in the context file to configure TLS, according to the instructions in later sections in this chapter, then you can defer running AutoConfig until you are instructed to do so in those sections. In this case, you can skip this step and the following step. Instead, proceed to the next task, Upload TLS Certificate.

  3. After running AutoConfig, on all application tier nodes, stop and restart all services by running the adstpall.sh script and the adstrtal.sh script.

Upload TLS Certificate (Conditionally Required)

Perform the steps in this section to upload a certificate if you enabled or plan to enable Transport Layer Security (TLS) for your environment.

TLS is enabled during provisioning if you used One-Click Provisioning, which automatically configures the application tier node as the web entry point with the https protocol, or if you used Advanced Provisioning and you chose either New Load Balancer (LBaaS), Use OCI Load Balancer, or Application Tier Node as the web entry type and you chose the https protocol. In this case Oracle E-Business Suite Cloud Manager configures your environment to encrypt inbound HTTP traffic with TLS. The initial configuration uses a self-signed certificate generated by Oracle E-Business Suite Cloud Manager. It is mandatory that you replace this certificate with a TLS certificate issued by a certificate authority (CA) or your own self-signed certificate generated using the web entry host for your Oracle E-Business Suite instance.

If you did not enable TLS during provisioning, you can enable it manually as a post-provisioning step. TLS is not enabled during provisioning if you used Advanced Provisioning and you chose either New Load Balancer (LBaaS), Use OCI Load Balancer, or Application Tier Node as the web entry type and you chose the http protocol. As a prerequisite for enabling TLS, you must obtain and upload a TLS certificate issued by a certificate authority (CA) or generate and upload your own self-signed certificate using the web entry host for your Oracle E-Business Suite instance.

Additionally, if you are using an on-premises load balancer and you chose Manually Configured Load Balancer as the web entry type, you can enable TLS manually as a post-provisioning step. To do so, you must upload a TLS certificate as required for your load balancer.

New Load Balancer (LBaaS) or Use OCI Load Balancer

If you configured TLS using LBaaS during provisioning or will manually perform this configuration, perform the following steps to upload your certificate.

  1. Obtain a TLS certificate valid for the name of the web entry host for your Oracle E-Business Suite instance, or generate a self-signed certificate. The web entry host name is formed by combining the values of the application tier context variables s_webentryhost and s_webentrydomain.

    Oracle Cloud Infrastructure provides a public IP address but does not provide a public host name, so you should ensure that appropriate DNS entries are present to resolve the web entry host name to the public IP address.

    If you changed the web entry host and domain for your environment in the previous section, ensure that you use the new host, domain, and URL when you request or generate a certificate.

  2. If you are using a self-signed certificate that you generated yourself, ensure that you import the certificate to the JDK trust stores.

    Note: If your environment was created from a backup, and the backup included an existing wallet in the $ORACLE_HOME/appsutil directory, then that wallet is preserved in the newly deployed environment. In this case, perform the following steps to import your self-signed certificate manually in the database tier node. These steps replace Section 5.3.2: Database Tier Setup in My Oracle Support Knowledge Document 1367293.1, Enabling TLS in Oracle E-Business Suite Release 12.2, or Section 5.3.2: Database Truststore Configuration in My Oracle Support Knowledge Document 376700.1, Enabling TLS in Oracle E-Business Suite Release 12.1.

    1. Copy the required zone certificate from /var/www/files/<env_name>/CACertificate_<env>_<zone>.crt to the scripts_dir directory in the database node.

    2. Source the database environment file.

    3. Navigate to the $ORACLE_HOME/appsutil/wallet directory:

      cd $ORACLE_HOME/appsutil/wallet

    4. If you know the password for the existing wallet and you want to add your self-signed certificate to that wallet, use the following command to add the certificate:

      $ORACLE_HOME/bin/orapki wallet add -wallet . -trusted_cert -cert <CERTIFICATE_FILE_FULL_PATH> -pwd <PASSWORD>

    5. If you do not want to use the existing wallet, you can create a new wallet and add the certificate to that wallet instead, using the following steps:

      • Take a backup of the existing wallet.

      • Create a new wallet using the following command:

        $ORACLE_HOME/bin/orapki wallet create -wallet . -auto_login_only;

      • Add your self-signed certificate to the new wallet using the following command:

        $ORACLE_HOME/bin/orapki wallet add -wallet . -trusted_cert -cert <CERTIFICATE_FILE_FULL_PATH> -auto_login_only;

  3. Log in to the Oracle Cloud Infrastructure Console. From the navigation menu, select Networking > Load Balancers, and then select the load balancer you want to configure.

  4. Add your certificate bundle to the load balancer. See To upload an SSL certificate bundle to your load balancing system in the Oracle Cloud Infrastructure Services documentation.

    If you have multiple certificates that form a single certification chain, such as one or more intermediate certificates together with a root certificate, then you must include all relevant certificates in one file before you upload them to the system. See "Uploading Certificate Chains" in the section Working with SSL Certificates in the Oracle Cloud Infrastructure Services documentation.

  5. If you chose the https protocol for LBaaS during Advanced Provisioning, and the load balancer listener is using the self-signed certificate generated by Oracle E-Business Suite Cloud Manager, then you should now update the certificate. To do so, on the Load Balancer page, click the Listeners link in the Resources menu. Click the Actions icon (three dots) for your listener, and select Edit from the context menu. In the Edit Listener pop-up, select the certificate bundle that you added in step 4 in the Certificate Name field. Then click Save Changes, and wait for the listener to be updated. See To edit a listener in the Oracle Cloud Infrastructure Services documentation.

Manually Configured Load Balancer

If you are using an on-premises load balancer, follow the instructions from your vendor to create and upload a certificate.

Application Tier Node

If you configured TLS at the application tier layer during provisioning, perform the following steps to upload your certificate. TLS is configured at the application tier layer in the following cases:

Note: If you plan to configure TLS at the application tier layer manually, you will perform the certificate steps as part of that configuration instead in the task Manually Enable TLS When Using Oracle HTTP Server on the Application Tier Node as the Web Entry Point.

  1. Obtain a TLS certificate valid for the name of the web entry host for your Oracle E-Business Suite instance, or generate a self-signed certificate. The web entry host name is formed by combining the values of the application tier context variables s_webentryhost and s_webentrydomain.

    Oracle Cloud Infrastructure provides a public IP address but does not provide a public host name, so you should ensure that appropriate DNS entries are present to resolve the web entry host name to the public IP address.

    If you changed the web entry host and domain for your environment in the previous section, ensure that you use the new host, domain, and URL when you request or generate a certificate. Note that if you deployed your environment with One-Click Provisioning and you plan to request a certificate from a CA, you must ensure that you have changed the domain name from the default example.com domain before you request the certificate, because you cannot obtain a certificate from a CA for the demonstration example.com domain.

  2. If you are using a self-signed certificate that you generated yourself, ensure that you import the certificate to the JDK trust stores.

    Note: If your environment was created from a backup, and the backup included an existing wallet in the $ORACLE_HOME/appsutil directory, then that wallet is preserved in the newly deployed environment. In this case, perform the following steps to import your self-signed certificate manually in the database tier node. These steps replace Section 5.3.2: Database Tier Setup in My Oracle Support Knowledge Document 1367293.1, Enabling TLS in Oracle E-Business Suite Release 12.2, or Section 5.3.2: Database Truststore Configuration in My Oracle Support Knowledge Document 376700.1, Enabling TLS in Oracle E-Business Suite Release 12.1.

    1. Copy the required zone certificate from /var/www/files/<env_name>/CACertificate_<env>_<zone>.crt to the scripts_dir directory in the database node.

    2. Source the database environment file.

    3. Navigate to the $ORACLE_HOME/appsutil/wallet directory:

      cd $ORACLE_HOME/appsutil/wallet

    4. If you know the password for the existing wallet and you want to add your self-signed certificate to that wallet, use the following command to add the certificate:

      $ORACLE_HOME/bin/orapki wallet add -wallet . -trusted_cert -cert <CERTIFICATE_FILE_FULL_PATH> -pwd <PASSWORD>

    5. If you do not want to use the existing wallet, you can create a new wallet and add the certificate to that wallet instead, using the following steps:

      • Take a backup of the existing wallet.

      • Create a new wallet using the following command:

        $ORACLE_HOME/bin/orapki wallet create -wallet . -auto_login_only;

      • Add your self-signed certificate to the new wallet using the following command:

        $ORACLE_HOME/bin/orapki wallet add -wallet . -trusted_cert -cert <CERTIFICATE_FILE_FULL_PATH> -auto_login_only;

  3. Upload your certificate to replace the initial certificate generated by Oracle E-Business Suite Cloud Manager.

Manually Enable TLS When Using Load Balancer as a Service (LBaaS) as an Alternate Termination Point (Conditionally Required)

We highly recommend that you configure your environment to encrypt inbound HTTP traffic with Transport Layer Security (TLS). The steps in this section are applicable in either of the following cases:

We highly recommend that you perform the steps in this section to offload the encryption to the LBaaS and configure Oracle E-Business Suite to use HTTPS (HTTP over TLS).

Note that the configuration described here terminates TLS at the load balancer; that is, TLS is used only for communication between the client and the load balancer. Communication between the load balancer and the Oracle E-Business Suite instance does not use TLS. See "Terminating SSL at the Load Balancer" in the section Configuring SSL Handling in the Oracle Cloud Infrastructure Services documentation.

If you used Advanced Provisioning and chose to deploy LBaaS with the https protocol, you can also optionally perform the relevant steps in this section to update the port for the load balancer listener if you need to change this value from the port you initially specified during provisioning.

To manually enable TLS in an environment that uses LBaaS as an alternate termination point, perform the following steps:

  1. Ensure that you have obtained and uploaded a certificate according to the steps in Upload TLS Certificate.

  2. Log in to the Oracle Cloud Infrastructure Console. From the navigation menu, select Networking > Load Balancers, and then select the load balancer you want to configure.

  3. On the Load Balancer page, click the Listeners link in the Resources menu. Click the Actions icon (three dots) for your listener, and select Edit from the context menu.

  4. Edit the load balancer listener to enable TLS. Enter the port to use for secure communication, such as 443. Then check the Use SSL option and specify the certificate name. See To edit a listener in the Oracle Cloud Infrastructure Services documentation.

  5. Using a text editor such as vi, verify or update the following variables in the context file on all application tier nodes for your environment.

    • s_webentryurlprotocol - Set the value for this variable to https.

    • s_url_protocol - Set the value for this variable to http.

    • s_enable_sslterminator - Remove any value set for this variable; that is, the value should be left blank.

    • s_active_webport - Set the value for this variable to the port you specified for the load balancer listener, such as 443.

    • s_external_url - Update the value for this variable to use the https protocol and the port you specified for the load balancer listener. The full new value should be in the following form:

      https://<web_entry_host>.<web_entry_domain>:<new_load_balancer_listener_port>

      If you are using the default HTTPS port 443, then you should omit the colon separator and the port from this URL. That is, if you are using port 443, then the value should be in the following form:

      https://<web_entry_host>.<web_entry_domain>

    • s_login_page - Update the value for this variable to use the https protocol and the port you specified for the load balancer listener. The full new value should be in the following form:

      https://<web_entry_host>.<web_entry_domain>:<new_load_balancer_listener_port>/OA_HTML/AppsLogin

      If you are using the default HTTPS port 443, then you should omit the colon separator and the port from this URL. That is, if you are using port 443, then the value should be in the following form:

      https://<web_entry_host>.<web_entry_domain>/OA_HTML/AppsLogin

    For more information, see Using Load-Balancers with Oracle E-Business Suite Release 12.2, My Oracle Support Knowledge Document 1375686.1 or Using Load-Balancers with Oracle E-Business Suite Release 12.0 and 12.1, My Oracle Support Knowledge Document 380489.1.

    Additionally, ensure you have set other context file variables as needed for using the load balancer as the TLS termination point.

    If you are running Oracle HTTP Server on a privileged port - that is, a port number below 1024 - then you must perform additional configuration steps. See Running Oracle HTTP Server on a Privileged Port in Managing Configuration of Oracle HTTP Server and Web Application Services in Oracle E-Business Suite Release 12.2, My Oracle Support Knowledge Document 1905593.1. For more information, see Enabling Oracle HTTP Server to Run as Root for Ports Set to Less Than 1024 (UNIX Only), Oracle Fusion Middleware Administrator's Guide and Starting Oracle HTTP Server on a Privileged Port, Oracle Fusion Middleware Administrator's Guide for Oracle HTTP Server.

  6. Run AutoConfig on all application tier nodes. See Using AutoConfig Tools for System Configuration, Oracle E-Business Suite Setup Guide.

  7. On all application tier nodes, stop and restart all services by running the adstpall.sh script and the adstrtal.sh script.

  8. If necessary, update the security lists for the load balancer subnets by adding a security rule that allows inbound communication on the port you specified for the load balancer listener, from the clients from which you will access the Oracle E-Business Suite URL. See Working with Security Lists. This step is required only if you updated the port for the load balancer listener; that is, if you chose the http protocol for LBaaS during Advanced Provisioning, or if you chose the https protocol for LBaaS during Advanced Provisioning but used the preceding steps to change the port from the port specified during provisioning.

    In the Oracle Cloud Infrastructure Console, open the security list for the load balancer and add a new entry under Allow rules for ingress with the following properties:

    • Source CIDR - The CIDR block for your on-premises network that includes the relevant clients

    • Protocol - TCP

    • Destination Port Range - The port you specified for the load balancer secure communication, such as 443

    Repeat these steps for each load balancer subnet.
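The context file values required in step 5 can be verified on each application tier node before AutoConfig is run. The following Python script is an added example, not Oracle's code. It assumes the context file is XML whose elements carry an oa_var attribute naming the variable; the element names, host, domain and sample values are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample context file fragment (not from a real environment).
# Element names are assumptions; the checker relies only on the oa_var attribute.
# This sample is deliberately misconfigured in three places.
SAMPLE_CONTEXT = """<oa_context>
  <oa_web_server>
    <webentryhost oa_var="s_webentryhost">ebsprod</webentryhost>
    <webentrydomain oa_var="s_webentrydomain">apps.example.net</webentrydomain>
    <webentryurlprotocol oa_var="s_webentryurlprotocol">https</webentryurlprotocol>
    <url_protocol oa_var="s_url_protocol">https</url_protocol>
    <enable_sslterminator oa_var="s_enable_sslterminator">#</enable_sslterminator>
    <active_webport oa_var="s_active_webport">443</active_webport>
    <externURL oa_var="s_external_url">https://ebsprod.apps.example.net:443</externURL>
    <login_page oa_var="s_login_page">https://ebsprod.apps.example.net/OA_HTML/AppsLogin</login_page>
  </oa_web_server>
</oa_context>
"""


def load_context_vars(xml_text):
    """Map each oa_var name to the stripped text of its element."""
    root = ET.fromstring(xml_text)
    return {
        el.get("oa_var"): (el.text or "").strip()
        for el in root.iter()
        if el.get("oa_var")
    }


def expected_urls(host, domain, port):
    """Build s_external_url and s_login_page; the default port 443 is omitted."""
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid listener port: {port}")
    authority = f"{host}.{domain}" + ("" if port == 443 else f":{port}")
    base = f"https://{authority}"
    return base, f"{base}/OA_HTML/AppsLogin"


def check_lb_tls_termination(xml_text, listener_port):
    """Return (variable, found, expected) for every value that deviates
    from the settings for TLS termination at the load balancer."""
    ctx = load_context_vars(xml_text)
    host = ctx.get("s_webentryhost")
    domain = ctx.get("s_webentrydomain")
    if not host or not domain:
        raise ValueError("s_webentryhost and s_webentrydomain must be set")
    external_url, login_page = expected_urls(host, domain, listener_port)
    expected = {
        "s_webentryurlprotocol": "https",   # client to load balancer uses TLS
        "s_url_protocol": "http",           # load balancer to OHS is plain HTTP
        "s_enable_sslterminator": "",       # must be left blank
        "s_active_webport": str(int(listener_port)),
        "s_external_url": external_url,
        "s_login_page": login_page,
    }
    # A variable that is absent from the file is reported with found=None.
    return [
        (name, ctx.get(name), wanted)
        for name, wanted in expected.items()
        if ctx.get(name) != wanted
    ]


if __name__ == "__main__":
    for name, found, wanted in check_lb_tls_termination(SAMPLE_CONTEXT, 443):
        print(f"{name}: found {found!r}, expected {wanted!r}")
```

Run the same check against every application tier node, because the variables must match on all of them.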

Enable TLS for Manually Configured Load Balancer (Conditionally Required)

The steps in this section are applicable if you used Advanced Provisioning to deploy an environment and chose Manually Configured Load Balancer as the web entry type. These steps apply whether you chose http or https as the protocol for the web entry point.

We highly recommend that you perform the steps in this section to set up the necessary encryption. First, encrypt the traffic between the client and the load balancer. Next, encrypt the traffic between the load balancer and the Oracle HTTP Server. After the encryption setup is complete, configure the Oracle E-Business Suite web entry point.

  1. Encrypt the traffic from the client to the load balancer by performing the configuration for an alternate TLS termination point for your Oracle E-Business Suite release.

  2. Encrypt the traffic between the load balancer and the Oracle HTTP Server.

    • If you have VPN set up between your on-premises network and Oracle Cloud, then you can optionally set up TLS end-to-end, or you can skip this setup and proceed to step 3.

    • If you do not have VPN set up between your on-premises network and Oracle Cloud, then we highly recommend that you set up TLS end-to-end.

    To set up TLS end-to-end, perform the appropriate configuration for your Oracle E-Business Suite release.

  3. You can now configure access to the Oracle E-Business Suite web entry point. To do so, perform the steps in Manually Configure Firewall When Using Oracle HTTP Server or an On-Premises Load Balancer as the Web Entry Point.

Manually Enable TLS When Using Oracle HTTP Server on the Application Tier Node as the Web Entry Point (Conditionally Required)

The steps in this section are applicable if you used Advanced Provisioning to deploy an environment using Oracle HTTP Server as the web entry point, without using a load balancer, and you did not enable Transport Layer Security (TLS) during provisioning. That is, you chose Application Tier Node as the web entry type and you chose the http protocol for the web entry point. In this case we highly recommend that you perform the following steps to encrypt the traffic between the client and the Oracle HTTP Server. After the encryption setup is complete, you must configure the Oracle E-Business Suite web entry point.

  1. Prepare the environment by applying the prerequisites for your Oracle E-Business Suite release.

  2. Encrypt the traffic from the client to the Oracle HTTP Server by performing the configuration for inbound connections for your Oracle E-Business Suite release.

  3. You can now configure access to the Oracle E-Business Suite web entry point. To do so, perform the steps in Manually Configure Firewall When Using Oracle HTTP Server or an On-Premises Load Balancer as the Web Entry Point.

Manually Configure Firewall When Using Oracle HTTP Server or an On-Premises Load Balancer as the Web Entry Point (Conditionally Required)

Perform the steps in this section to configure the required firewall rules if you are using Oracle HTTP Server or an on-premises load balancer as the web entry point. These steps apply if you used one of the following deployment options:

We recommend limiting access to a specific CIDR range.

  1. First, on all application tier nodes, create firewall rules that allow inbound communication to the web entry port from the clients from which you will access the Oracle E-Business Suite URL. To do so, log on to the Oracle Cloud Infrastructure instance that hosts your Oracle E-Business Suite environment, using SSH. See Connecting to an Instance.

    Then switch to the root user:

    $ sudo su -

    Run the following commands to create the required firewall rules:

    # firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=<source_CIDR_range> port port=<web_entry_port> protocol=tcp accept' --permanent
    # firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=<source_CIDR_range> port port=<web_entry_port> protocol=tcp accept'

    In these commands, replace <source_CIDR_range> with the set of IP addresses from which you will access the Oracle E-Business Suite URL. Replace <web_entry_port> with the appropriate port, for example 4443.

    Run the following command to restart the firewall to activate the changes:

    # sudo systemctl restart firewalld

    Run the following command to verify the current firewall settings:

    # firewall-cmd --list-all

  2. Next, update the security list for the subnet that contains the application tier nodes by adding a security rule that allows inbound communication on the web entry port from the clients from which you will access the Oracle E-Business Suite URL. See Working with Security Lists.

    In the Oracle Cloud Infrastructure Console, open the security list for the application tier subnet and add a new entry under Allow rules for ingress with the following properties:

    • Source CIDR - The CIDR block for your on-premises network that includes the relevant clients, as specified in your firewall rules

    • Protocol - TCP

    • Destination Port Range - The web entry port, for example 443

Configure Security and Firewall Rules for Secure Access to the Fusion Middleware Control and WebLogic Server Administration Console (Conditionally Required)

The steps in this section are required only for Oracle E-Business Suite Release 12.2.

Administration of the Oracle Fusion Middleware 11g components delivered with Oracle E-Business Suite Release 12.2, including Oracle HTTP Server and Oracle WebLogic Server, requires secure access to the WebLogic Server administration ports running on the Oracle E-Business Suite primary application tier node. Ports 7001 and 7002 are the default WebLogic Server administration ports for the dual file system with Oracle E-Business Suite Release 12.2. The examples in this section use these default ports. If you have configured different port numbers, change the port numbers in the instructions to match the port numbers for your environment.

When you create an Oracle E-Business Suite Release 12.2 environment on Oracle Cloud Infrastructure, you should create a security rule and firewall rules that allow inbound communication on the WebLogic Server administration ports on the primary application tier node from the Oracle E-Business Suite Cloud Manager VM. These rules are required as a prerequisite so that a system administrator can securely access the administration ports and the Fusion Middleware Control and WebLogic Server Administration Console. See Access the Fusion Middleware Control and WebLogic Server Administration Console with SSH Port Forwarding for Oracle E-Business Suite on Oracle Cloud Infrastructure.

Perform the following steps to configure the required security rule and firewall rules:

  1. Update the security list for the primary application tier node by adding a security rule that allows inbound communication on ports 7001 and 7002 from the Oracle E-Business Suite Cloud Manager VM. See Working with Security Lists.

    In the Oracle Cloud Infrastructure console, open the security list for the Oracle E-Business Suite application tier subnet and add a new entry under Allow rules for ingress with the following properties:

    • Source CIDR - The CIDR for the Oracle E-Business Suite Cloud Manager VM

    • Protocol - TCP

    • Destination Port Range - 7001-7002

  2. Create firewall rules on the primary application tier node that allow inbound communication on ports 7001 and 7002 from the subnet that contains the Oracle E-Business Suite Cloud Manager VM. First, log on to the Oracle Cloud Infrastructure instance that hosts your Oracle E-Business Suite environment, using SSH. See Connecting to an Instance.

    Then switch to the root user:

    $ sudo su -

    Run the following commands to create the required firewall rules:

    # firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=<EBS_Cloud_Admin_Tool_VM_CIDR> port port=7001 protocol=tcp accept' --permanent
    # firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=<EBS_Cloud_Admin_Tool_VM_CIDR> port port=7002 protocol=tcp accept' --permanent
    # firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=<EBS_Cloud_Admin_Tool_VM_CIDR> port port=7001 protocol=tcp accept'
    # firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=<EBS_Cloud_Admin_Tool_VM_CIDR> port port=7002 protocol=tcp accept'

    Run the following command to restart the firewall to activate the changes:

    # sudo systemctl restart firewalld

    Run the following command to verify the current firewall settings:

    # firewall-cmd --list-all
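The `firewall-cmd --list-all` output from this procedure, and from the web entry port procedure earlier, can be checked mechanically to confirm that each port is accepted only from a specific CIDR. The following script is an added example, not part of Oracle's documentation; the function names and the sample address 10.0.0.5/32 are constructed for illustration.

```shell
# Added example (not Oracle's script). Audits `firewall-cmd --list-all` text.
# On a node: firewall-cmd --zone=public --list-all | audit_zone 7001 7002

# audit_zone PORT...: returns 0 only if every PORT is accepted from a CIDR.
audit_zone() {
    awk -v ports="$*" '
    # Record val against every port in spec ("7001" or "7001-7002").
    function each(spec, arr, val,   r, m, q, hi) {
        m = split(spec, r, "-"); hi = (m == 2 ? r[2] : r[1]) + 0
        for (q = r[1] + 0; q <= hi; q++) arr[q] = arr[q] " " val
    }
    BEGIN { n = split(ports, want, " ") }
    # The zone-wide "ports:" line opens a port to every source address.
    $1 == "ports:" { for (i = 2; i <= NF; i++) { split($i, f, "/"); each(f[1], zonewide, "x") } }
    # Rich rules as firewalld prints them, with values in double quotes.
    $1 == "rule" && / port port="/ && / accept/ {
        port = $0; sub(/.* port port="/, "", port); sub(/".*/, "", port)
        src = ($0 ~ / source /) ? "non-address-source" : "any"
        if ($0 ~ /source address="/) { src = $0; sub(/.*source address="/, "", src); sub(/".*/, "", src) }
        if (src == "any" || src ~ /\/0$/) each(port, anysrc, src); else each(port, scoped, src)
    }
    END {
        for (i = 1; i <= n; i++) {
            w = want[i]
            if (w in zonewide) { print "FAIL " w ": opened zone-wide via ports:"; bad = 1 }
            if (w in anysrc) { print "FAIL " w ": rich rule accepts any source"; bad = 1 }
            if (w in scoped) print "INFO " w ": accepted from" scoped[w]
            if (!(w in scoped) && !(w in zonewide) && !(w in anysrc)) { print "FAIL " w ": no accept rule"; bad = 1 }
        }
        exit bad + 0
    }'
}

# Constructed sample: both admin ports limited to one Cloud Manager address.
sample_restricted() {
cat <<'EOF'
public (active)
  ports:
  rich rules:
    rule family="ipv4" source address="10.0.0.5/32" port port="7001" protocol="tcp" accept
    rule family="ipv4" source address="10.0.0.5/32" port port="7002" protocol="tcp" accept
EOF
}

# Constructed sample: 7001 also opened zone-wide, 7002 accepted from anywhere.
sample_exposed() {
cat <<'EOF'
public (active)
  ports: 7001/tcp
  rich rules:
    rule family="ipv4" source address="10.0.0.5/32" port port="7001" protocol="tcp" accept
    rule family="ipv4" source address="0.0.0.0/0" port port="7002" protocol="tcp" accept
EOF
}
```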

Set EBS_SYSTEM Password (Conditionally Required)

The steps in this section are required only for an environment created from a backup if the backup was created prior to the Oracle E-Business Suite Cloud Manager 23.3.1 release, and the following patches were present in the source system used to create the backup:

Among other changes, the R12.AD.C.Delta.13 and R12.TXK.C.Delta.13 release update packs introduce a new schema named EBS_SYSTEM. By default, Oracle Advanced Provisioning sets the password for the EBS_SYSTEM schema to the same value as the password for the SYSTEM schema. After Advanced Provisioning is complete, you should set the password for the EBS_SYSTEM schema to a new value.

To reset the password for the EBS_SYSTEM schema, perform the following steps on the database node.

  1. Source the database environment file.

    • For a multitenant 12c or 19c database, use the following commands to source the environment file:

      $ source <ORACLE_HOME>/<CDB SID>_<hostname>.env
      $ export ORACLE_PDB_SID=<PDB NAME>

    • For a non-multitenant 11g or 12c database, use the following commands to source the environment file:

      $ source <CONTEXT_NAME>.env

  2. Run the following commands:

    $ sqlplus '/ as sysdba'
    SQL> alter user EBS_SYSTEM identified by "<new password>";

Enable and Set Oracle E-Business Account Passwords (Conditionally Required)

In Oracle E-Business Suite Cloud Manager Release 22.2.1 and later, the One-Click Provisioning and Advanced Provisioning pages prompt you to specify a new APPS user password, and, in the case of Oracle E-Business Suite Release 12.2, a new WebLogic Server password.

The additional steps in this section are required only for a new environment, or for a cloned environment if the steps were not previously performed on the source environment. To ensure your environment is adequately protected, you must change your Oracle E-Business Suite account passwords.

If you created your environment from a backup, you can skip this section.

  1. Log on to the Oracle Cloud Infrastructure instance that hosts your Oracle E-Business Suite environment.

  2. Switch user from the opc user to the oracle user using the following command:

    $ sudo su - oracle

  3. Set the environment using the appropriate command for your Oracle E-Business Suite release:

    • Release 12.2

      $ . /u01/install/APPS/EBSapps.env run

    • Release 12.1.3

      $ . /u01/install/APPS/apps_st/appl/APPS<CONTEXT_NAME>.env run

  4. Download Patch 24831241 to obtain scripts to enable the SYSADMIN user and to enable demo users in a VISION demo environment.

    Download Patch 24831241 to the $PATCH_TOP directory and unzip the patch using the following commands:

    $ cd $PATCH_TOP
    $ unzip p24831241_R12_GENERIC.zip -d /u01/install/APPS/scripts/

  5. To log in through the web interface, you must initially set a password of your choice for the SYSADMIN user. After the SYSADMIN user is active with the new password, you can create new users or activate existing locked users. To enable the SYSADMIN user, run the following commands:

    $ mkdir -p ~/logs
    $ cd ~/logs
    $ sh /u01/install/APPS/scripts/enableSYSADMIN.sh

    When prompted, enter a new password for the SYSADMIN user.

    The SYSADMIN user can now connect to Oracle E-Business Suite through the web interface and create new users or activate existing locked users.

  6. For a VISION demo environment, you can run another script to unlock a set of 36 application users that are typically used when demonstrating Oracle E-Business Suite using the VISION database. Run this script with the same environment as when running the enableSYSADMIN.sh script. To enable the demo users, run the following commands:

    $ cd ~/logs
    $ sh /u01/install/APPS/scripts/enableDEMOusers.sh

    When prompted, enter a new password.

    Do not run this script on a fresh or production environment.

For details about the default passwords set during installation, see:

Apply Oracle E-Business Suite and Database Patches (Conditionally Required)

If you provisioned your environment from a backup of an existing on-premises environment, then you must now apply any additional patches required for your release level and database tier. For a cloned environment or an environment provisioned from a backup of a Cloud environment, these steps are required only if you did not already apply these patches on the source environment.

  1. Apply the Oracle E-Business Suite patches required for your release.

  2. This step is required only if your new database tier is on Base Database Service 1-Node or 2-Node DB System or Exadata Database Service Dedicated. Apply one-off database patches per the following:

    • For Oracle E-Business Suite Release 12.2, ETCC recommended database patches have been applied as part of the automated provisioning process. If you applied any additional one-off database patches beyond those recommended by ETCC to the source on-premises database, then you must now reapply those additional one-off patches to your new Base Database Service 1-Node or 2-Node DB System or Exadata Database Service Dedicated database.

    • For Oracle E-Business Suite Release 12.1, if you applied any one-off database patches to the source on-premises database, then you must now reapply those one-off patches to your new Base Database Service 1-Node or 2-Node DB System or Exadata Database Service Dedicated database.

    If your database tier is on an Oracle Cloud Infrastructure Compute VM, then you do not need to reapply any one-off database patches.

Configure Enterprise Command Centers after One-Click Provisioning (Conditionally Required)

If you create an environment with One-Click Provisioning and you want to use Enterprise Command Centers in that environment, perform the following configuration steps.

  1. Update the source system URL.

    • Log into your Oracle E-Business Suite environment as the sysadmin user, and select the ECC Developer responsibility.

    • Select Source System in the navigation pane of the Oracle Enterprise Command Center Framework administration UI.

    • In the Source System Definition page, enter your Oracle E-Business Suite login URL in the Source System URL field. For more information on the login URL, see User Access.

  2. Initially, the Oracle Enterprise Command Center Framework installation includes data only for the Oracle Assets Command Center (FA). Before you can access an Enterprise Command Center dashboard for any other products, you must perform a full load of the product-specific data into the Oracle Enterprise Command Center Framework installation.

    • Ensure that the Oracle E-Business Suite Cloud Manager VM can access the Oracle E-Business Suite login URL by either configuring a DNS entry for the Oracle E-Business Suite host name or updating the local hosts file on the VM. See User Access.

    • Run the data load concurrent program for your product as listed in Loading Product Data to Enterprise Command Centers, Installing Oracle Enterprise Command Center Framework, Release 12.2, My Oracle Support Knowledge Document 2495053.1. For more details about each data load program, see your product-specific Enterprise Command Center documentation.

Review Secure Configuration Recommendations for Oracle E-Business Suite (Conditionally Required)

When you provision an environment or promote a standby environment, if the environment is at one of the following code levels, then Oracle E-Business Suite Cloud Manager initially places your Oracle E-Business Suite system in lockdown mode to prompt you to review and respond to the secure configuration recommendations.

In this case, a system administrator must resolve or acknowledge the recommended security configurations in the Secure Configuration Console to unlock the system for normal usage. To access this console, a user must have a responsibility that includes the Applications System (OAM_APP_SYSTEM) function privilege, such as the seeded System Administration or System Administrator responsibilities, and must be registered as a local user with Oracle E-Business Suite. The administrator must log in to Oracle E-Business Suite using the local login page (http(s)://[host]:[port]/OA_HTML/AppsLocalLogin.jsp) to navigate to the console and unlock the system. If a user with local system administrator privileges is not available, you can access the Secure Configuration Console through a command line utility. For more information, see Secure Configuration Console, Oracle E-Business Suite Security Guide or Secure Configuration Console, Secure Configuration for Oracle E-Business Suite Release 12.1, My Oracle Support Knowledge Document 403537.1.

Additional Information: For more information on connecting to the Oracle E-Business Suite login page, see User Access.

If your environment is at a Release 12.2 code level earlier than Release 12.2.6 or the R12.ATG_PF.C.Delta.6 Release Update Pack, then the system will not be automatically placed into lockdown mode. However, it is highly recommended that you do the following:

  1. Review and comply with the secure configuration recommendations in the Secure Configuration Console. See Secure Configuration Console, Oracle E-Business Suite Security Guide.

  2. Update to the latest ATG_PF Release Update Pack as soon as possible.