The Oracle EBS connector provides the ability to manage users (their info and responsibilities) in the Oracle EBS system. The operations that could be performed by using OpenIAM include create, modify, end date for user, add responsibility to user, modify user's membership and remove membership. Synchronization is also an effective tool to pull the set of responsibilities from the Oracle EBS instance and bring them into OpenIAM for further usage.
Installation and connection to OpenIAM
In an RPM installation please use the general startup script to start the connector. The Dockerized version is also available for the connector.
During Managed System configuration you should provide login (service account username), password, and full path to the DBC file in the host url field.
Steps to be performed on the Oracle EBS side
1. Creating APPS connect user in EBS
- Navigate to System Administrator > Security > User > Define
- Create a user and assign "System Administrator"
- Navigate to Roles & Responsibility Management and assign the UMX|APPS_SCHEMA_CONNECT role to this user.
- Run the Workflow Background Process to reflect new roles assigned to the user. (Reset user password with first time login).
- Provide the created user id & password to OpenIAM for connection.
2. Register external server as node in EBS
- Download EBS SDK for Java from Patch 13882058 and use fndext.jar to generate Desktop DBC file with below command.
- To register the external server with the Oracle E-Business Suite instance, the system administrator should run the following command, passing the name of the external application server node.
java oracle.apps.fnd.security.AdminDesktop <apps user>/<apps pwd> \CREATE \NODE_NAME=<node name of the external application server> \[IP_ADDRESS=<IP address of external application server>] \DBC=<full name and path of existing standard dbc_file>
- The CREATE command should only be run once for a given node. If the node has already been registered with the Oracle E-Business Suite instance, use the UPDATE command instead.
- Standard DBC file should be present in $FND_SECURE directory. If it is not present the DBA should generate this file using auto-config.
- The resulting Desktop DBC file should be provided to OpenIAM for connection.
3. Set following profile options in application
|Profile option name||Profile option code and recommended setting|
|FND: Validate User Type||FND_SERVER_SEC - Desktop Only (internal value D) at the site level|
|FND: Validate IP address||FND_SERVER_IP_SEC - Desktop Only (internal value D) at the site level|
|FND: Desktop Nodes allowed||FND_SERVER_DESKTOP_USER - < comma separated list of external nodes for which IP restriction is required > For example: NODENAME1, NODENAME2 where NODENAME1 and NODENAME2 are values for column NODE_NAME in the fnd_nodes table for the desktop nodes. Set this option at the user level for the user with the Apps Schema Connect role (that is, the AppsDataSource user).|
4. Compile database objects as shown below.
From SYSDBA User
From xx_iam User
From apps User
Define an attribute provisioning rules
The out-of-the-box configuration of Oracle EBS managed system provides rules for writing to following user fields:
Instructions on how to set up synchronization is provided in a separate document. However, OpenIAM provides out-of-the-box user sync and role sync configurations for Oracle EBS.
- Example of a user search query: * to grab all users; other filters are : userName/effectiveDate/userId/employeeId/lastUpdateDate
- Example of a role search query: * to grab all roles; other filters are : responsibilityName/applicationId/menuId/effectiveDate/lastUpdateDate/managedSys/sourceTrack/status
Connector Troubleshooting and Tips
Connector troubleshooting can be done by raising logging level to DEBUG mode: