Oracle EBS

General information

The Oracle EBS connector lets OpenIAM manage users (their information and responsibilities) in an Oracle EBS system. The operations that can be performed from OpenIAM are: create, modify, and end-date a user; add a responsibility to a user; and modify or remove a user's membership in a responsibility. Synchronization is also available to pull the set of responsibilities from an Oracle EBS instance into OpenIAM for further use.

Installation and connection to OpenIAM

In an RPM installation, use the general startup script to start the connector. A Dockerized deployment of the connector is also available.

General usage

During Managed System configuration, provide the login (service account username), the password, and the full path to the DBC file in the host URL field.

Steps to be performed on Oracle EBS side

1. Creating APPS connect user in EBS

  • Navigate to System Administrator > Security > User > Define.
  • Create a user and attach the responsibility "System Administrator".
  • Navigate to Roles & Responsibility Management and attach the UMX|APPS_SCHEMA_CONNECT role to this user.
  • Run Workflow Background Process to reflect new roles attached to the user. (Reset user password with first time login).
  • Provide the created user id and password to OpenIAM for connection.

2. Register external server as node in EBS

  • Download EBS SDK for Java from Patch 13882058 and use fndext.jar to generate the Desktop DBC file with the command below.
  • To register the external server with the Oracle E-Business Suite instance, the system administrator should run the following command, passing the name of the external application server node.

java oracle.apps.fnd.security.AdminDesktop <apps user>/<apps pwd> \
CREATE \
NODE_NAME=<node name of the external application server> \
[IP_ADDRESS=<IP address of external application server>] \
DBC=<full name and path of existing standard dbc_file>
  • The CREATE command should only be run once for a given node. If the node has already been registered with the Oracle E-Business Suite instance, use the UPDATE command instead.
  • The standard DBC file should be present in the $FND_SECURE directory. If it is not present, the DBA should generate it using auto-config.
  • The resulting Desktop DBC file should be provided to OpenIAM for connection.

3. Set the following profile options in the application

| Profile option name | Profile option code and recommended setting |
| --- | --- |
| FND: Validate User Type | FND_SERVER_SEC - Desktop Only (internal value D) at the site level |
| FND: Validate IP address | FND_SERVER_IP_SEC - Desktop Only (internal value D) at the site level |
| FND: Desktop Nodes allowed | FND_SERVER_DESKTOP_USER - <comma separated list of external nodes for which IP restriction is required>. For example: NODENAME1, NODENAME2 where NODENAME1 and NODENAME2 are values for column NODE_NAME in the fnd_nodes table for the desktop nodes. Set this option at the user level for the user with the Apps Schema Connect role (that is, the AppsDataSource user). |
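
A pre-flight sketch for steps 2 and 3, added here as an example and not part of OpenIAM's or Oracle's tooling: it validates the inputs to the AdminDesktop command and checks that a node name is an exact entry in the "FND: Desktop Nodes allowed" value. The function names and the accepted NODE_NAME characters are assumptions.

```shell
#!/bin/sh
# Added example, not OpenIAM or Oracle code; names and NODE_NAME charset are assumed.

valid_node_name() {
    case $1 in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
}

valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Step 2: print the AdminDesktop arguments that follow "<apps user>/<apps pwd>",
# one per line. MODE is CREATE for a new node, UPDATE for a registered one.
admin_desktop_args() {
    mode=$1 node=$2 dbc=$3 ip=${4:-}
    case $mode in
        CREATE|UPDATE) ;;
        *) echo "mode must be CREATE or UPDATE" >&2; return 2 ;;
    esac
    valid_node_name "$node" || { echo "invalid NODE_NAME" >&2; return 2; }
    case $dbc in
        /*) ;;
        *) echo "DBC must be a full path" >&2; return 2 ;;
    esac
    [ -r "$dbc" ] || { echo "cannot read standard DBC file: $dbc" >&2; return 3; }
    if [ -n "$ip" ]; then
        valid_ipv4 "$ip" || { echo "invalid IP_ADDRESS" >&2; return 2; }
    fi
    printf '%s\n' "$mode" "NODE_NAME=$node" ${ip:+"IP_ADDRESS=$ip"} "DBC=$dbc"
}

# Step 3: succeed only if NODE is an exact entry of the comma separated
# "FND: Desktop Nodes allowed" value (all whitespace is dropped before comparing).
node_in_allowed_list() {
    [ -n "$2" ] || return 1
    clean=$(printf '%s' "$1" | tr -d '[:space:]')
    case ",$clean," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}
```

The credentials are deliberately not handled by these functions; the operator supplies `<apps user>/<apps pwd>` when running `java oracle.apps.fnd.security.AdminDesktop` with the printed arguments.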

4. Compile the database objects listed below.

From SYSDBA User

  • xxfnd_grant_apps_to_iam.sql

From xx_iam User

  • xxfnd_db_object.sql
  • xxfnd_log_trg_who.sql
  • xx_iam_fnd_responsibility.ddl

From apps User

  • xxfnd_resp_view.sql
  • xxfnd_user_access_api_pkg.pkh
  • xxfnd_user_access_api_pkg.pkb

Define attribute provisioning rules

The out-of-the-box configuration of the Oracle EBS managed system provides rules for writing into the following user fields:

  • userName
  • description
  • emailAddress
  • employeeId
  • endDate
  • memberOf
  • startDate
  • unencryptedPassword

Synchronization

Instructions for setting up synchronization are provided in a separate document. OpenIAM provides out-of-the-box user sync and role sync configurations for Oracle EBS.

  • Example of user search query: * to grab all users; other filters are: userName/effectiveDate/userId/employeeId/lastUpdateDate
  • Example of role search query: * to grab all roles; other filters are: responsibilityName/applicationId/menuId/effectiveDate/lastUpdateDate/managedSys/sourceTrack/status

Connector Troubleshooting and Tips

To troubleshoot the connector, raise the logging level to DEBUG (-Dlogging.level.org.openiam=DEBUG).