Using OAuth 2.0 Authorization Protocol with OCI (Gen2) Environments

EPM Automate can use the OAuth 2.0 authentication protocol to access OCI (Gen 2) Oracle Enterprise Performance Management Cloud environments to execute commands, especially when commands are run from automated scripts.

To enable OAuth 2.0 access, an Identity Domain Administrator must register your application as a public client in Oracle Cloud Identity Services. OAuth is enforced for the application, not across your subscription.

For detailed instructions on setting up OAuth 2.0 for your OCI (Gen 2) environments, see Authentication with OAuth 2 - Only for OCI (Gen 2) Environments in REST API for Oracle Enterprise Performance Management Cloud.

Note:

Basic authentication works even when OAuth is enabled for an environment. Be sure to not overwrite the existing encrypted password file if you plan to use it in the future.

Creating an Encrypted Password File Containing Refresh Token and Client ID

Service Administrators who want to use OAuth 2.0 for EPM Automate access to environments require these details to create their encrypted password file, which is then used to sign into the environment:

  • Refresh token

    See steps under "EPM Cloud Service Administrator tasks to get a refresh token:" in Authentication with OAuth 2 - Only for OCI (Gen 2) Environments in REST API for Oracle Enterprise Performance Management Cloud for detailed instructions on how to get the refresh token.

  • Client ID

    The Client ID is generated when the Identity Domain Administrator configures the application for OAuth. It is visible on the Configuration tab of the application, under General Information.

To create the encrypted password file for OAuth authentication:

  1. Start an EPM Automate session.
  2. Execute a command similar to the following:

    epmautomate encrypt REFRESH_TOKEN ENCRYPTION_KEY PASSWORD_FILE ClientID=CLIENT_ID

    where REFRESH_TOKEN is the decrypted refresh token from the secure store, ENCRYPTION_KEY is any private key to encrypt the password, and PASSWORD_FILE is the name and location of the file that stores the encrypted refresh token. The password file must use the .epw extension.

    See encrypt for detailed instructions.
  3. Use the newly generated password file to sign in using OAuth. For automated script executions, be sure to update scripts to point to the newly generated password file.
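
The following wrapper is an added example, not Oracle's own script. It runs the encrypt step only when the target uses the .epw extension and does not already exist, so an existing basic-authentication password file is never overwritten. The EPMAUTOMATE variable, the function names, and reading the refresh token and encryption key from standard input are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: guarded creation of an OAuth password file for EPM Automate.
# EPMAUTOMATE (the launcher name on your platform) is an assumption; override it as needed.
EPMAUTOMATE="${EPMAUTOMATE:-epmautomate}"

# Return 0 if the target is safe to write, 1 on a wrong extension,
# 2 if a file is already there (for example the basic-authentication password file).
check_epw_target() {
  case "$1" in
    *.epw) ;;
    *) return 1 ;;
  esac
  if [ -e "$1" ]; then return 2; fi
  return 0
}

# Usage: create_oauth_epw PASSWORD_FILE CLIENT_ID
# Reads the refresh token and the encryption key from stdin, one per line,
# which keeps them out of the script itself and out of shell history.
create_oauth_epw() {
  local file="$1" client_id="$2" token key rc=0
  check_epw_target "$file" || rc=$?
  case "$rc" in
    1) echo "error: $file must use the .epw extension" >&2; return 1 ;;
    2) echo "error: $file exists; refusing to overwrite it" >&2; return 2 ;;
  esac
  [ -n "$client_id" ] || { echo "error: client ID is required" >&2; return 3; }
  IFS= read -r token || return 4
  IFS= read -r key || return 4
  [ -n "$token" ] && [ -n "$key" ] || return 4
  # Run encrypt in a subshell with a restrictive umask so the new file
  # is readable by its owner only.
  ( umask 077
    "$EPMAUTOMATE" encrypt "$token" "$key" "$file" "ClientID=$client_id" )
}

# Run only when invoked with arguments, for example (file names are placeholders):
#   ./make_oauth_epw.sh oauth_prod.epw CLIENT_ID < secrets.txt
if [ "$#" -ge 2 ]; then
  create_oauth_epw "$@"
fi
```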