Implement Oracle E-Business Suite data retention on Oracle Cloud Infrastructure
Enterprises are going through a tremendous transformation: existing enterprise resource planning (ERP) systems are moving to software-as-a-service (SaaS) platforms or being replaced by other ERP systems, while the data of the retiring ERP system must still be retained for regulatory and compliance needs.
If you want to move Oracle E-Business Suite to Oracle Cloud Infrastructure (OCI), or are looking to retain your existing Oracle E-Business Suite historical data, you can migrate your entire Oracle E-Business Suite database solution onto OCI, keeping it in a handy read-only state with secure, easy-to-use prebuilt reports. The reports are presented through the low-code or no-code development framework of Oracle APEX, with single sign-on (SSO) access for Oracle APEX integrated with the built-in Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) capabilities.
You will continue to have secure access to the Oracle E-Business Suite data whenever you need to fulfill crucial audit, regulatory, and compliance requirements. This solution is applicable for Oracle E-Business Suite Database version 10.2.0.4 or higher and Oracle E-Business Suite Application versions 11.5.10.2, 12.1.3, or 12.2.X.
This solution offers the following benefits:
- Low maintenance: Oracle Autonomous Database Serverless technology is used as the target database for retaining the Oracle E-Business Suite data and meeting cutting-edge expectations like automated backups, automated patching, automatic upgrades, and autotuning without human intervention.
- Low costs: You can optimize resource usage by using the on-demand capability of autonomous databases: start the database when you need to generate reports for auditing purposes and stop it afterward, which helps to manage and reduce costs.
- No license or support fees: You are not required to pay existing yearly license and support fees for the retiring Oracle E-Business Suite database and application. We are moving away from the license and support model to an Oracle Autonomous Database Serverless subscription model in which customers pay only for CPUs and storage that are consumed.
- Compliance needs through the Oracle E-Business Suite reports interface: A preconfigured, fully managed, secure Oracle APEX offers you the ability to create reports based on Oracle E-Business Suite data to meet compliance and regulatory needs.
- Secure user access: Oracle APEX user login for accessing Oracle E-Business Suite reports is secured through SSO using the built-in IAM capabilities within OCI, and users are given role-based access to the required Oracle APEX and Oracle E-Business Suite modules.
- Open data framework: Standard interface capabilities and data extraction tools are provided to enable customers to import and extract application data. They can configure the data extraction tools to extract information that the organization requires and in numerous formats, including XML, CSV, PDF, and Excel.
Architecture
This reference architecture describes how you can migrate your on-premises Oracle E-Business Suite Database to Oracle Cloud Infrastructure and create a solution that provides read-only access to historical Oracle E-Business Suite data.
The following section covers the high-level steps for this reference architecture. For detailed information and procedures, see the links in the Explore More section.
- Oracle E-Business Suite database migration: The entire Oracle E-Business Suite database is migrated onto Oracle Autonomous Database Serverless with Oracle Autonomous Data Warehouse-Shared, residing in a private endpoint, making the Oracle E-Business Suite data both easily accessible and secure.
- Oracle E-Business Suite control plane setup: The default integrated low-code application development platform, Oracle APEX Application Development (Oracle APEX), that comes with Oracle Autonomous Database produces prebuilt screens that provide read-only Oracle E-Business Suite pages with a user-friendly presentation layer. Currently, the available prebuilt Oracle E-Business Suite module reports include payable invoices, general ledger, cash management, receivables, iProcurement, iExpenses, human resources, payroll, fixed assets, and projects.
- Comprehensive migration of other systems of record: External attachments that reside outside the Oracle E-Business Suite Database, such as those in Markview, WebCenter, and file storage, also form an important part of the Oracle E-Business Suite reporting system. Whether they are weblinks, text files, documents, PDFs, or images, these attachments are analyzed and securely migrated into OCI Object Storage buckets and tightly integrated with the attachments within the Oracle APEX and Oracle E-Business Suite reports.
- Oracle Database Security Policies: The policies are provided as a part of Oracle Database Real Application Security.
- Reporting: Retrieval of Oracle E-Business Suite reports through the Oracle APEX interface supports the segregation of Oracle E-Business Suite data for multiple organizations.
The following diagram illustrates this reference architecture.
The architecture has the following components:
- Oracle E-Business Suite
Oracle E-Business Suite comprises a set of products (human capital management, order management, procurement, and logistics) that supports evolving business models, drives productivity, and meets the demands of the modern mobile user.
You can provision Oracle E-Business Suite on Oracle Cloud Infrastructure or migrate Oracle E-Business Suite environments from your data center to Oracle Cloud Infrastructure, creating a multihost, secure, and high-availability topology.
- Object storage
Oracle Cloud Infrastructure Object Storage provides quick access to large amounts of structured and unstructured data of any content type, including database backups, analytic data, and rich content such as images and videos. You can safely and securely store and then retrieve data directly from the internet or from within the cloud platform. You can scale storage without experiencing any degradation in performance or service reliability. Use standard storage for "hot" storage that you need to access quickly, immediately, and frequently. Use archive storage for "cold" storage that you retain for long periods of time and seldom or rarely access.
- APEX Service
Oracle APEX is a low-code development platform that enables you to build scalable, feature-rich, secure, enterprise apps that can be deployed anywhere that Oracle Database is installed. You don't need to be an expert in a vast array of technologies to deliver sophisticated solutions. Oracle APEX includes built-in features such as user interface themes, navigational controls, form handlers, and flexible reports that accelerate the application development process.
- Oracle Autonomous Data Warehouse
Oracle Autonomous Data Warehouse is a self-driving, self-securing, self-repairing database service that is optimized for data warehousing workloads. You do not need to configure or manage any hardware, or install any software. Oracle Cloud Infrastructure handles creating, backing up, patching, upgrading, and tuning the database.
- Identity and Access Management (IAM)
Oracle Cloud Infrastructure Identity and Access Management (IAM) is the access control plane for Oracle Cloud Infrastructure (OCI) and Oracle Cloud Applications. The IAM API and the user interface enable you to manage identity domains and the resources within the identity domain. Each OCI IAM identity domain represents a standalone identity and access management solution or a different user population.
Recommendations
- VCN
When you create a VCN, determine the number of CIDR blocks required and the size of each block based on the number of resources that you plan to attach to subnets in the VCN. Use CIDR blocks that are within the standard private IP address space.
Select CIDR blocks that don't overlap with any other network (in Oracle Cloud Infrastructure, your on-premises data center, or another cloud provider) to which you intend to set up private connections.
After you create a VCN, you can change, add, and remove its CIDR blocks.
When you design the subnets, consider your traffic flow and security requirements. Attach all the resources within a specific tier or role to the same subnet, which can serve as a security boundary.
- Security
Use Oracle Cloud Guard to monitor and maintain the security of your resources in Oracle Cloud Infrastructure proactively. Cloud Guard uses detector recipes that you can define to examine your resources for security weaknesses and to monitor operators and users for risky activities. When any misconfiguration or insecure activity is detected, Cloud Guard recommends corrective actions and assists with taking those actions, based on responder recipes that you can define.
- Cloud Guard
Clone and customize the default recipes provided by Oracle to create custom detector and responder recipes. These recipes enable you to specify what type of security violations generate a warning and what actions are allowed to be performed on them. For example, you might want to detect Object Storage buckets that have visibility set to public.
Apply Cloud Guard at the tenancy level to cover the broadest scope and to reduce the administrative burden of maintaining multiple configurations.
You can also use the Managed List feature to apply certain configurations to detectors.
- Security Zones
For resources that require maximum security, Oracle recommends that you use security zones. A security zone is a compartment associated with an Oracle-defined recipe of security policies that are based on best practices. For example, the resources in a security zone must not be accessible from the public internet and they must be encrypted using customer-managed keys. When you create and update resources in a security zone, Oracle Cloud Infrastructure validates the operations against the policies in the security-zone recipe, and denies operations that violate any of the policies.
- Network security groups (NSGs)
You can use NSGs to define a set of ingress and egress rules that apply to specific VNICs. We recommend using NSGs rather than security lists, because NSGs enable you to separate the VCN's subnet architecture from the security requirements of your application.
- Load balancer bandwidth
While creating the load balancer, you can either select a predefined shape that provides a fixed bandwidth, or specify a custom (flexible) shape where you set a bandwidth range and let the service scale the bandwidth automatically based on traffic patterns. With either approach, you can change the shape at any time after creating the load balancer.
- Database
Provision the Autonomous Data Warehouse database in a private endpoint architecture: use the source character set and allow private endpoint access only. A temporary public subnet with a bastion instance can be used to provide a continuous execution environment.
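The Cloud Guard and security zone recommendations above name two conditions for the Object Storage buckets that hold migrated attachments: no public visibility, and encryption with customer-managed keys. The following is an added example, not Oracle's code or a Cloud Guard recipe, that applies both conditions to bucket records shaped like OCI CLI `oci os bucket get` output; the bucket names and key OCIDs are constructed.

```python
import json

# Constructed sample: records shaped like the "data" object printed by
# `oci os bucket get`. Bucket names and key OCIDs are made up.
SAMPLE_BUCKETS = json.loads("""
[
  {"name": "ebs-attachments", "public-access-type": "NoPublicAccess",
   "kms-key-id": "ocid1.key.oc1..exampleuniqueid"},
  {"name": "ebs-markview-export", "public-access-type": "ObjectRead",
   "kms-key-id": "ocid1.key.oc1..exampleuniqueid"},
  {"name": "ebs-webcenter-docs", "public-access-type": "NoPublicAccess",
   "kms-key-id": null},
  {"name": "ebs-staging"}
]
""")

def audit_bucket(bucket):
    """Return the list of violations for one bucket record."""
    problems = []
    access = bucket.get("public-access-type")
    if access is None:
        # Fail closed: a record without the field is not assumed private.
        problems.append("visibility unknown")
    elif access != "NoPublicAccess":
        problems.append(f"public visibility ({access})")
    # A null or absent key OCID means the bucket uses an Oracle-managed key.
    if not bucket.get("kms-key-id"):
        problems.append("no customer-managed key")
    return problems

def audit_buckets(buckets):
    """Map bucket name -> violations, listing only buckets that have any."""
    report = {b.get("name", "<unnamed>"): audit_bucket(b) for b in buckets}
    return {name: found for name, found in report.items() if found}

if __name__ == "__main__":
    for name, found in audit_buckets(SAMPLE_BUCKETS).items():
        print(f"{name}: {', '.join(found)}")
```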
Considerations
When implementing this reference architecture, consider these options.
- Security
- Authentication and authorization are both done through Oracle Identity Cloud Service and Oracle APEX.
- Users, groups, and confidential applications are created in Oracle Identity Cloud Service.
- Authentication and authorization schemes are updated in Oracle APEX to exactly match the groups created in Oracle Identity Cloud Service.
- Access control to specified modules can be done at the Oracle APEX layer.
- Cost
You can use this solution as a starting point to have wider strategic discussions around lowering costs and lowering risks. You might have other workloads like analytics, operational reporting, AI and machine learning (ML), predictive analytics, and a host of other solutions that OCI offers.
Explore More
Review these additional resources to learn more about the features of this reference architecture.
- Cloud Premigration Advisor Tool (CPAT) as described in Doc ID 2758371.1
- Installing and configuring Csscan in 10g and 11g (Database Character Set Scanner) (Doc ID 745809.1)
- The Database Migration Assistant for Unicode (DMU) Tool (Doc ID 1272374.1), for databases from version 12c onwards, since csscan is not supported.
- Import Procedures for Oracle Autonomous Database
- Database Migration Limitations to Oracle Autonomous Database
- Blog: Oracle E-Business Suite Data Retention on OCI
- Use Identity and Access Management (IAM) Authentication with Autonomous Database
- Security Policies with Oracle Autonomous Database
- Oracle Cloud Infrastructure Documentation
- Well-architected framework for Oracle Cloud Infrastructure
- Oracle Cloud Cost Estimator
- Cloud Adoption Framework
- Modern App Development