Configure and Deploy the E-Business Suite Asserter

After registering the E-Business Suite Asserter in Oracle Identity Cloud Service, you must configure and deploy the E-Business Suite Asserter that will act as an interface between an identity token issued by Oracle Identity Cloud Service and a user session created in Oracle E-Business Suite.

Create a Wallet for the E-Business Suite Asserter

For security purposes, the E-Business Suite Asserter component uses a wallet to register the client ID, client secret, and Oracle Identity Cloud Service URL as parameters.

  1. Log in to the E-Business Suite Asserter application server machine, and navigate to the /opt/ebssdk folder.
    Make sure the user has enough privileges to perform the following actions.
  2. Access the folder where the idcs-wallet-<version>.jar file is located.
  3. Run the command java -jar idcs-wallet-<version>.jar, and then provide the following values when prompted:
    • Enter Client ID: Enter the client ID generated while registering and activating the E-Business Suite Asserter in Oracle Identity Cloud Service.
    • Enter Client Secret: Enter the client secret for the client ID.
    • Enter IDCS base URL: Enter the Oracle Identity Cloud Service base URL. For example: https://MYTENANT.identity.oraclecloud.com.
    The command line creates a wallet file named cwallet.sso in the provided path.
Make note of the path of the cwallet.sso file.

Update the E-Business Suite Asserter Configuration File

After you register the Identity Cloud Service E-Business Suite Asserter (EBS Asserter), you can configure the asserter configuration file to connect with Oracle Identity Cloud Service during authentication.

Starting from Identity Cloud Service E-Business Suite Asserter version 19.1.4-1.4.0 onward, the asserter contains a properties file called bridge.properties. This file is located inside the ebs.war file. You need to update the information in the bridge.properties file, and then regenerate the ebs.war file, before deploying it to a WebLogic Server.

Note:

For E-Business Suite Asserter versions earlier than 19.1.4-1.4.0, the war file may not contain the bridge.properties file. In that case, create the file in a folder on the E-Business Suite Asserter's WebLogic server, update its content as per step 3, save the file, and then set an environment variable, as in the following example:

    export ebs_property_file="/opt/ebssdk/bridge.properties"
  1. In the server where you downloaded the E-Business Suite Asserter zip file, navigate to the location where you decompressed the ebs.war file.
  2. Using a zip utility, decompress the ebs.war file, locate the bridge.properties file, and open the file for editing.
  3. Uncomment the following properties by removing the # from the beginning of each line, and update their values as follows:
    
    ###########################################################
    ## SSO Bridge for E-Business Suite
    ###########################################################
    # Properties File
    app.url=https://ebsasserter.example.com:7002/ebs
    app.serverid=APPL_SERVER_ID_value
    ebs.url.homepage=https://ebs.example.com:8001/OA_HTML/OA.jsp?OAFunc=OANEWHOMEPAGE
    ebs.ds.name=visionDS
    ebs.user.identifier=username
    idcs.iss.url=https://identity.oraclecloud.com
    idcs.aud.url=https://idcs-example.identity.oraclecloud.com
    #post.logout.url=https://ebs.example.com:8001/OA_HTML/OA.jsp?OAFunc=OANEWHOMEPAGE
    wallet.path=[FULL_PATH_OF_THE_WALLET_FILE]
    whitelist.urls=https://ebs.example.com:8001/OA_HTML/RF.jsp,https://ebs.example.com:8001/OA_HTML/OA.jsp,https://ebs.example.com:8001/OA_HTML/BneApplicationService,https://ebs.example.com:8001/OA_HTML/jsp/fnd/close.jsp
    ebs.renew.session=true
    proxy.mode=true
    proxy.home.url=https://ebs.example.com:8001/OA_HTML/RF.jsp?function_id=1031198&resp_id=-1&resp_appl_id=0&security_group_id=0&lang_code=US
    #istore.pages=ibeCZzdMinisites.jsp,ibeCAcpSSOLoginR.jsp
    #idcs.user.identifier=email/username
    ###########################################################
    

    The following table describes each bridge.properties parameter, including the optional parameters, and the EBS Asserter version that supports it.

    | Parameter | Description | EBS Asserter Version |
    |---|---|---|
    | app.url | The URL and port number for the E-Business Suite Asserter application. | 19.1.4 onward |
    | app.serverid | Corresponds to the APPL_SERVER_ID value in the .dbc file generated while registering the E-Business Suite Asserter. | 19.1.4 onward |
    | ebs.url.homepage | The URL address for the Oracle E-Business Suite home page. | 19.1.4 onward |
    | ebs.ds.name | The data source name to be created in the Oracle WebLogic Server where the E-Business Suite Asserter is deployed. | 19.1.4 onward |
    | ebs.user.identifier | Oracle E-Business Suite field used to match the Oracle Identity Cloud Service username. Allowed values are username (representing the FND_USERS.USER_NAME column) or email (representing the FND_USERS.EMAIL_ADDRESS column). Ensure that the attribute chosen here has unique values in FND_USERS; otherwise the login will fail. | 19.1.4 onward |
    | idcs.iss.url | Oracle Identity Cloud Service issuer URL. This value can be found in the Oracle Identity Cloud Service Discovery Doc endpoint. The default value is https://identity.oraclecloud.com. This value must match the Issuer value set in the Oracle Identity Cloud Service OAuth settings. See Configure OAuth Settings. | 19.1.4 onward |
    | post.logout.url | This is an optional parameter. Uncomment this parameter so that the E-Business Suite Asserter redirects to this URL after logging the user out from Single Sign-On. This value must match the value of the Post Logout Redirect URL parameter in Oracle Identity Cloud Service. | 19.1.4 onward |
    | wallet.path | The full path of the wallet file, including the file name. | 19.1.4 onward |
    | whitelist.urls | Lists the URLs that the E-Business Suite Asserter accepts as the requestUrl parameter value. If the requestUrl value doesn't match one of the whitelist.urls values, then the test scenario for SSO Using the E-Business Suite Asserter Direct URL with a Redirect Parameter will fail. | 19.1.4 onward |
    | ebs.renew.session | This is an optional parameter. Use this parameter to control how the E-Business Suite Asserter manages the Oracle E-Business Suite session when the Oracle E-Business Suite cookie has expired. If you add this parameter to the bridge.properties file and set the value to true, then the asserter refreshes the Oracle E-Business Suite Forms session after reaching the configured limit (ICX:Session Timeout). If the parameter is set to false, then after reaching the configured limit, the Forms session is invalidated, closing all active Forms; however, the Oracle E-Business Suite session in the browser remains active, allowing the user to open a new Forms session. | 19.2.1 onward |
    | proxy.mode | This is an optional parameter. Add this parameter to the bridge.properties file and set the value to true to enable the Oracle E-Business Suite Proxy User feature. Users trying to log in as a proxy user are redirected to the URL you provide in the proxy.home.url parameter. | 19.3.3-1.7.0 onward |
    | proxy.home.url | This attribute is mandatory if proxy.mode=true. After the user signs in to Oracle Identity Cloud Service, the EBS Asserter redirects the proxy user to this URL. Typically this URL is Oracle E-Business Suite's Switch User page. For example: https://ebs.example.com:8001/OA_HTML/RF.jsp?function_id=1031198&resp_id=-1&resp_appl_id=0&security_group_id=0&lang_code=US | 19.3.3-1.7.0 onward |
    | istore.pages | Comma-separated list of the iStore pages that the E-Business Suite Asserter accepts. If the requestUrl matches one of the istore.pages values, then the user is redirected to the requested iStore page after login. Add the iStore pages to the existing list of istore.pages. | 19.3.3-1912170009 onward |
    | idcs.user.identifier | This is an optional parameter. The Oracle Identity Cloud Service user attribute used to match with ebs.user.identifier. Allowed values are username (representing the username attribute in Oracle Identity Cloud Service), email (representing the email attribute in Oracle Identity Cloud Service), or a custom attribute name (representing a custom attribute of a user in Oracle Identity Cloud Service, for example employee_no). If this value is not provided in bridge.properties, then it defaults to the value of ebs.user.identifier. Ensure that there is a one-to-one mapping between the idcs.user.identifier attribute in Oracle Identity Cloud Service and the ebs.user.identifier attribute in FND_USERS; otherwise the login will fail. Note: Ensure that the custom attribute used in idcs.user.identifier is added to the user schema in IDCS. The custom attribute feature is available in EBS Asserter version 20.1.3 onwards. | 19.3.3-1912170009 onward |
    | base.lang | The Oracle Identity Cloud Service EBS Asserter supports the user's language configuration provided in EBS. If the FND_OVERRIDE_SSO_LANG profile option is enabled for a user in EBS, the Asserter creates an EBS session based on the value of the ICX_LANGUAGE profile option of this user. If no language configuration is present for the users in EBS and the browser language needs to be overridden for all users of the application, the base.lang property can be set in the bridge.properties file. For example, if base.lang is set to US and the user does not have any language-specific configuration in EBS, the EBS session is created in American English, irrespective of the browser (with local languages) from which the user logs in to EBS with the Asserter. Note: The base.lang configuration is relevant when EBS is enabled with multiple languages. If only one language is enabled in EBS, the asserter creates the EBS session with the base installed language even without a base.lang configuration. | Oracle Identity Cloud Service release version |

  4. Rebuild the ebs.war file and make sure it contains the updated version of the bridge.properties file. The structure of the ebs.war file is as follows:
    META-INF/
       MANIFEST.MF
    WEB-INF/
       classes/
       lib/
       bridge.properties
       web.xml
       weblogic.xml
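
A pre-deployment check for step 4, added here as an example (it is not Oracle's code): it opens the rebuilt ebs.war, reads WEB-INF/bridge.properties, and applies rules taken from the parameter table above. Treating the table's non-optional parameters as required, the simplified properties parser, and all function names are assumptions of this example.

```python
import io
import zipfile

REQUIRED = ("app.url", "app.serverid", "ebs.url.homepage", "ebs.ds.name",  # assumed required:
            "ebs.user.identifier", "idcs.iss.url", "wallet.path", "whitelist.urls")  # not marked optional
PLACEHOLDERS = ("APPL_SERVER_ID_value", "[FULL_PATH_OF_THE_WALLET_FILE]")
ENTRY = "WEB-INF/bridge.properties"  # location shown in the war layout above


def parse_properties(text):
    """Minimal key=value parser: skips blanks and # comments, no escapes."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def check_bridge(props):
    """Return problems found, using only rules stated in the parameter table."""
    problems = [f"missing: {k}" for k in REQUIRED if not props.get(k)]
    problems += [f"placeholder left in {k}" for k, v in props.items() if v in PLACEHOLDERS]
    if props.get("ebs.user.identifier") not in (None, "username", "email"):
        problems.append("ebs.user.identifier must be username or email")
    wallet = props.get("wallet.path", "")
    if wallet and wallet not in PLACEHOLDERS and not wallet.startswith("/"):  # POSIX host assumed
        problems.append("wallet.path must be a full path")
    if props.get("proxy.mode") == "true" and not props.get("proxy.home.url"):
        problems.append("proxy.home.url is mandatory when proxy.mode=true")
    return problems


def check_war(war_bytes):
    """Validate the bridge.properties actually packaged in a rebuilt ebs.war."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        if ENTRY not in war.namelist():
            return [f"{ENTRY} not found in war"]
        return check_bridge(parse_properties(war.read(ENTRY).decode("utf-8")))


if __name__ == "__main__":
    buf = io.BytesIO()  # constructed sample war, built in memory
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr(ENTRY, "proxy.mode=true\nwallet.path=[FULL_PATH_OF_THE_WALLET_FILE]\n")
    print("\n".join(check_war(buf.getvalue())))
```

To check a war on disk, pass `open("ebs.war", "rb").read()` to `check_war`; an empty list means none of these rules was violated.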

Configure Hostname Verification in WebLogic Console

You can configure hostname verification in the Oracle WebLogic Server Administration Console.

  1. Start the Oracle WebLogic Server Administration Console by entering http://wls_host:wls_port/console in the URL line of a web browser. For example, https://ebsasserter.example.com:7002/console.
  2. Log in to WebLogic console as an administrator.
  3. In the left panel, click Lock & Edit, expand Environment, and select Servers.
  4. Click the name of the target server where you want to deploy the EBS Asserter. In this example, AdminServer.
  5. Click the SSL tab. Scroll down and expand the Advanced section.
  6. Update the Hostname Verification parameter with the value None, and then click Save.
  7. Click Activate Changes.
  8. Restart the servers.

Configure Keystores in WebLogic Console

If the WebLogic server used for the asserter deployment is set up with Custom Identity and Custom Trust Store, change it to Custom Identity and Java Trust Store. With this configuration, you do not need to import the Oracle Identity Cloud Service certificate.

  1. Start the Oracle WebLogic Server Administration Console by entering http://wls_host:wls_port/console in the URL line of a web browser. For example, https://ebsasserter.example.com:7002/console.
  2. Log in to WebLogic console as an administrator.
  3. In the left panel, click Lock & Edit, expand Environment, and select Servers.
  4. Click the name of the target server where you want to configure the keystore.
  5. Click Keystores under the Configuration tab.
  6. In the left panel, click Lock & Edit to make the changes.
  7. Select Custom Identity and Java Trust Store.
  8. Click Save and Activate Changes.
  9. Restart the WebLogic server.

Define the Data Source

In the Oracle WebLogic Server where E-Business Suite Asserter is deployed, you must configure database connectivity by adding data sources to your WebLogic domain. WebLogic Java Database Connectivity (JDBC) data sources provide database access and database connection management.

  1. Enter the following URL in a web browser, replacing wls_host:wls_port with the host name and port for the WebLogic Administration Console:
    http://wls_host:wls_port/console

    For example, https://ebsasserter.example.com:7002/console.

  2. Log in to WebLogic console as an administrator.
  3. In the administration console under Domain Structure, expand Services and then click Data Sources.
  4. Under the Data Sources table heading, click the New drop-down list, and then select Generic Data Source.
  5. In the JDBC Data Source Properties section, specify the following values, and then click Next:
    • Name: visionDS
    • JNDI Name: visionDS
    • Database Type: oracle
    The value of the Name parameter must match the ebs.ds.name parameter in the E-Business Suite Asserter configuration file.
  6. Select a database driver, and then click Next.
    • If you are using an XA data source, select *Oracle's Driver (Thin XA) for Instance connections; Versions:Any.
    • If you are using a non-XA data source, select *Oracle's Driver (Thin) for Instance connections; Versions:Any.
  7. In the Transaction Options section, perform one of the following, and click Next:
    • For a non-XA data source, uncheck the Supports Global Transactions check box.
    • For an XA data source, leave the check box checked.
  8. In the Connection Properties section, specify the appropriate values, and then click Next.
    • Database Name: EBSDB
    • Host Name: ebs.example.com
    • Port: 1521
    • Database Username: Enter the username you created earlier.
    • Password: Enter the password for the username.
  9. In the Driver Class Name field, enter one of the following:
    • oracle.apps.fnd.ext.jdbc.datasource.AppsDataSource if you use a non-XA data source.
    • oracle.apps.fnd.ext.jdbc.datasource.AppsXADataSource if you are using an XA data source.
    Optionally, you can use the oracle.jdbc.OracleDriver driver instead, but you need to provide administrative database credentials when you use this value. If you don't want to expose administrative database credentials to WebLogic administrators, use one of the two values provided for Driver Class Name in this task.
  10. In the Properties text box, keep the current value for user, add a new line, and enter the path to the dbc file as per the example below:
    user=IDETITYADMIN
    dbcFile=/opt/ebssdk/EBSDB_ebsasserter.example.com.dbc

    Note:

    This field is case sensitive. Make sure the name of the file is correctly written with the correct uppercase and lowercase letters.
  11. Review the data source properties values, confirm that the database is running, and click Test Configuration.

    Make sure your network doesn't block communication between the E-Business Suite Asserter's WebLogic server machine and the Oracle E-Business Suite database through the port number you provided in the datasource.

  12. When you see the Connection test succeeded message, then click Next.
  13. In the Select Targets section, select the target server (for example, EBSAsserter_server), and click Finish.
  14. In the Change Center, click the Activate Changes button.

Deploy the E-Business Suite Asserter on Oracle WebLogic Server

You must deploy the E-Business Suite Asserter to the Administration Server instance of Oracle WebLogic Server for the purpose of performing end-to-end testing of the integration.

  1. Copy the E-Business Suite Asserter war file (ebs.war) to the working folder /opt/ebssdk on the Oracle WebLogic Server.
  2. Enter the following URL in a web browser, replacing wls_host:wls_port with the host name and port for the Oracle WebLogic Server Administration Console:
    http://wls_host:wls_port/console

    For example, https://ebsasserter.example.com:7002/console.

  3. Log in to the WebLogic console as an administrator.
  4. In the Change Center, click the Lock & Edit button.
  5. Under Domain Structure, click Deployments.
  6. On the right, under Deployments, click the Install button.
  7. Enter the path for the E-Business Suite Asserter war file as /opt/ebssdk.
  8. Select the ebs.war file and click Next.
  9. Select Install this deployment as an application, and then click Next.
  10. Select the target server (for example, EBSAsserter_server) and then click Next.
  11. Accept the default values and click Finish.
  12. Click Activate Changes.