"This presentation is for informational purposes only and may not be incorporated into a contract or agreement"
Download ReportTranscript "This presentation is for informational purposes only and may not be incorporated into a contract or agreement"
"This presentation is for informational purposes only and may not be incorporated into a contract or agreement" Using Oracle Application Server 10g with Oracle E-Business Suite Release 11i April, 2006 "This presentation is for informational purposes only and may not be incorporated into a contract or agreement" Steven Chan Director, Applications Technology Integration Oracle Corporation "This presentation is for informational purposes only and may not be incorporated into a contract or agreement" Topics • Supported Architectures • Features and Benefits • Technical Integration Overview • Integration with Third Party Access Managers & LDAP Directories • Customer Snapshots • Roadmap • References Desupport Notices (Or, “Why You Should Plan for OracleAS 10g Now”) • Discoverer 4i October 2006 • Login Server 3.0.9 • Portal 3.0.9 • Oracle Internet Directory 3.0.1 July 2007 BUT: Sun may desupport JDK 1.3 -- the required prerequisite for 3.0.9 -- in ~ Fall 2006! • For more details, see http://blogs.oracle.com/schan Now Generally Available! • E-Business Suite 11i integrations with Oracle Application Server 10g 10.1.2.0.2 and 10.1.2.1 are now certified and Generally Available Simple Physical Architecture DMZ Firewall OracleAS 10g Server External Users Internal Users Internet Router • • • • • • • • Portal Single Sign-On Oracle Internet Directory Directory Integration & Provisioning Delegated Administration Services Discoverer OracleAS Certificate Authority OracleAS 10g Metadata Repository E-Business Suite 11i Application Server • • • • Intranet Firewall Oracle9i Application Server 1.0.2.2.2 Oracle HTTP Server Forms Server Reports Server Release 11i Database 11i Integration with OracleAS 10g • Release 11i instance runs Oracle9i Application Server 1.0.2.2.2 • 11i is integrated with a stand-alone Oracle Application Server 10g instance • The existing Release 11i application-tier server nodes continue to run on Oracle9i Application Server 1.0.2.2.2 Distributed Architecture Internal Users External Users Single Sign-On 10g Internet Internal 9iAS 1.0.2 Server Oracle Internet Directory Server 10g OracleAS 10g Infrastructure Database Reverse Proxy External 9iAS 1.0.2 Server Firewall Firewall Release 11i Database Firewall Portal 10g Discoverer 10g Distributed Architecture Benefits Enterprise Portal Server Oracle Portal Oracle Single Sign-On Server May be scaled & managed by separate organization responsible for corporate communications Oracle Internet Directory Enterprise Security Servers May be scaled & managed by separate organization responsible for corporate security and identity management Enterprise Application Servers 9iAS 1.0.2.2.2 Applications 11i Database May be scaled & managed by separate organization responsible for enterprise applications such as Oracle E-Business Suite Release 11i OracleAS 10g Integration Benefits 1. 2. 3. 4. Enable Single Sign-On for 11i Manage users in Oracle Internet Directory Access 11i via custom Portals Integrate 11i with third-party PKI, SSO & LDAP directories, and legacy applications 5. Analyse 11i with Discoverer workbooks 6. Accelerate 11i performance with WebCache Enable Single Sign-On for 11i User Single Sign-On 10g E-Business Suite 11i Application Server • E-Business Suite is a Single Sign-On partner application • Log on to Oracle Single Sign-On to get access to all registered partner applications, including 11i • Log off any one partner application to log off all of them Manage Users in Oracle Internet Directory Oracle Internet Directory 10g DIP Platform E-Business Suite 11i FND_USER • Synchronise user credentials bidirectionally between Oracle Internet Directory and Release 11i (FND_USER) • Set master “source of truth” as OID, Release 11i, or both • Manage user provisioning via powerful OID Directory Integration & Provisioning Platform templates • Link an OID userid with one or more 11i userids “on-the-fly” Access 11i via custom Portals Oracle Portal 10g E-Business Suite 11i • Access one or more E-Business Suite 11i instances from a single Oracle Portal instance • Add 11i portlets to custom Portal pages • Display data in 11i portlets based on 11i responsibilities Release 11i Portlets • Applications Navigator Access Applications menus based on user responsibilities • Applications Favorites Bookmark specific Applications links for quick access • Applications Worklist Summary of current workflow notifications • Oracle Balanced Scorecard Display status of strategic and tactical business objectives • Performance Management Viewer Display business intelligence key performance indicators in graphical and tabular format Applications Navigator Portlet Flat Mode Tree Mode Applications Favorites Portlet Applications Worklist Portlet Balanced Scorecard Portlets Integrate 11i with… 3rd Party LDAP Oracle Internet Directory 10g Release 11i (FND_USER) • Third-party LDAP directories • Prepackaged: Microsoft Active Directory, Sun ONE / iPlanet • Others via LDIF, custom connectors • Third-party single sign-on solutions • Microsoft Windows Native Authentication / Kerberos • Oblix, Entrust, IBM, RSA, Netegrity, Sun, Thor, and others • PKI X.509v3 digital certificates Integrate 11i with… Legacy Application Oracle Integration Release 11i • Over 250 adapters for Enterprise Application Integration with third-party applications • J2EE and open standards-based integration, including: • • • • E-Business Suite, third-party applications, database sources XML, JMS, JCA Web Services: SOAP, WSDL, UDDI B2B Protocols: RosettaNet, HIPAA, EDI Analyse 11i with Discoverer User • • • • Discoverer 10g E-Business Suite End-User Layer Access APPS_MODE End-User Layer via Business Intelligence System Discoverer workbooks secured by Applications responsibilities Provide powerful end-user reporting via ad hoc queries Drill-down into data via tabular & graphical analytical tools Run Discoverer on separate cluster for enhanced scalability, wide deployment Accelerate 11i Performance with WebCache User WebCache 10g E-Business Suite 11i Application Server • Cache and compress frequently used items • Reduce network consumption and accelerate response time • Can act as a reverse-proxy server • Can act as a load-balancer Technical Integration Overview Build Releases • E-Business Suite Interoperability Patch for OracleAS 10g integration released in Builds • • • • • • Build 1: Build 2.0: Build 2.2: Build 3.0: Build 3.1: Build 3.2: Jan 2004 – Mar 2004 Jul 2004 – Jan 2005 Feb 2005 – Jul 2005 Aug 2005 – Sep 2005 Feb 2006 Mar 2006 Released & Generally Available Configuration Options with 11i A. Single Sign-On Server Minimum requirement for single sign-on support. Release 11i and regions via OA Framework B. Portal and Single Sign-On Server Optional. C. Discoverer Optional. SSO also optional for Discoverer standalone implementations. OracleAS 10g + 11i Integration Points SSO Single Sign-On partner application via SSO SDK 9.0.2 OID Provisioning integrated application via Directory Integration & Provisioning Platform Oracle Applications Framework Web Provider & portlets Portal Discoverer APPS_MODE End-User Layer in 11i database Logical Architecture OracleAS 10g Enterprise Portal Portal Repository Portal 10g Single Sign-On 10g Apps Web Provider & Portlets Portal 3.0.9 (Req’d for JPDK 3.0.9) Metadata Repository OID 10g OID User Repository Directory Integration & Provisioning Platform OracleAS 10g Interoperability Patches 9iAS 1.0.2.2.2 Application Tier Profile Applications 11i Database Database Tier Single Sign-On Integration Single Sign-On 10g Chain of Trust OID 10g OID User Repository Delegates SSO to Release 11i 9iAS 1.0.2.2.2 FND_USER Applications 11i Database • Release 11i delegates user authentication to Single Sign-On • Single Sign-On authenticates users against Oracle Internet Directory • Authenticated users are redirected to Release 11i • Release 11i validates the user’s authorization (I.e. 11i Responsibilities) against FND_USER Oracle Internet Directory Integration Oracle Internet Directory 10g DIP Platform E-Business Suite 11i FND_USER • Oracle Internet Directory and FND_USER must be kept synchronised • Supported synchronisation directions: • From OID to FND_USER (Asynchronous via the Directory Integration & Provisioning Platform) • From FND_USER to OID (Synchronous via ldap calls) • Bidirectionally • Synchronisation events are raised via the Workflow-based Business Event System whenever users are added or modified Oracle Internet Directory Accounts linked with Release 11i Accounts Oracle Internet Directory Userid = “John.Smith” Release 11i (FND_USER) “Link Account” Global Unique Identifier (GUID) Userid = “jsmith” One-time User Registration • Done at setup time by system administrator • Optional: can be done by end-user on first logon (“Link on the fly”) • Useful for situations where existing accounts in Oracle Internet Directory 10g or a third-party LDAP directory differ from existing accounts in Release 11i. Associate OID Accounts with Multiple 11i Accounts Oracle Internet Directory Userid = “John.Smith” Release 11i (FND_USER) “Link Account” Userid = “jsmith” Userid = “testuser1” Userid = “testuser2” Portal Integration Portal 10g 11i Portlet OAF Web Provider OracleAS 10g • • • • JPDK 3.0.9 11i App Server 9iAS 1.0.2.2.2 Single Sign-On is a prerequisite for Portal Oracle Applications Framework Web Provider is registered in Portal 10g 11i portlets are added to custom Portal pages 11i Portlets communicate with 11i 9iAS 1.0.2.2.2 server: • • Oracle Applications Framework Web Provider JPDK 3.0.9 • 11i portlet users must have a valid 11i responsibility, validated via ICX_SESSION Discoverer Integration User Discoverer 10g E-Business Suite End-User Layer • Discoverer 10g End-User Layer resides in 11i database • APPS_MODE option enforces Applications security for all Discoverer users • Easy migration from Discoverer 4i • Installation upgrades a copy of 4i End-User Layer to 10g • Run 4i and 10g side-by-side for User Acceptance Tests • TIP: Run Discoverer 4i and 10g on different physical servers to avoid Visibroker conflicts Full Discoverer 10g Support for Single Sign-On • Earlier versions of Discoverer 10g did not support Single Sign-On & Oracle Internet Directory integration for E-Business Suite users • Full SSO/OID support is now available • No more dual-maintenance of E-Business Suite user passwords in both FND_USER and OID for standalone Discoverer connections • See Metalink Note 313418.1 for details Accelerate 11i Performance with WebCache User WebCache 10g E-Business Suite 11i Application Server • Frequently used items (e.g. images, static text) are cached, compressed, and served by WebCache • Secured data (I.e. requiring authorization) is not cached • Partial page refresh supported for Portal • Can act as a reverse-proxy server • Can act as a load-balancer 11i Integration with Third-Party Access Management & LDAP Directories If you already have an Enterprise Single Sign-On… • Oracle products integrate with Oracle SSO Server directly, so it must be installed. • Oracle SSO server can integrate with external authentication systems. • Windows Native Authentication via Kerberos • Entrust, IBM, RSA, Netegrity, Oblix, Sun, Thor, and others • PKI X.509v3 Digital Certificates • Other SSO systems via custom adapter Third-Party Integration Logical Architecture End User Logs on to Third-Party Access Manager Authenticates user against Third-Party LDAP Profile Delegates SSO to Portal 10g Single Sign-On 10g OID 10g OID User Repository Directory Integration Platform 10g Delegates SSO to Release 11i 9iAS 1.0.2.2.2 FND_USER Applications 11i Database Profile If you already have an Enterprise User Directory… • Oracle products integrate with OID directly, so it must be installed and populated • OID must be synchronized with external directories via Directory Integration & Provisioning Platform: • • • • Microsoft Active Directory Sun ONE / iPlanet Prepackaged OID Connectors Any LDAP directory via LDIF files Any other directory via custom DIP agent • OID must synchronize user info with Release 11i (FND_USER) • Planned for OracleAS 10.1.4 Identity Management: Novell eDirectory, OpenLDAP "This presentation is for informational purposes only and may not be incorporated into a contract or agreement" Early Adopter Program Customer Snapshots (as of Sept. 3, 2005) Early Adopter Program Snapshot • Early Adopter Program duration 20 months • Total EAP customer registrants • Customers actively engaged 266 201 Deployed in Production • • • • • • Amdocs (Israel) Alcoa (Europe) Applied Materials (Israel) Atento (Norway) Bunnings (Australia) CapGemini / Councils Online (Australia) • Central Bank of Nigeria • Cisco Systems • Cox Communications (USA) • Fiera Milano (Italy) • General Dynamics Land Sys • General Electric (USA) • Guandong Unicom (China) • Inter-Arab Investment Guarantee (Kuwait) • International Enterprises (Singapore) • International Institute for Applied Systems Analysis (Austria) • Ireland Dept of Defence • Kansas State University • Mitac (Taiwan) • Phoenix Technologies • Putrajaya (Malaysia) • Rafael Armament Development Authority (Israel) • Telecom Italia Mobile (Italy) • Universal Weather & Aviation (USA) • Wind River Systems (USA) These are not customer references O/S Platform Usage Solaris 85 Linux 83 HP-UX 52 AIX 21 NT 8 Tru64 4 0 20 40 60 Customers 80 100 OracleAS 10g Usage X% : Percentage of active EAP cts SSO 96% Portal 75% Third-party LDAP 65% Discoverer 61% Third-party SSO 38% 0 191 148 129 120 76 50 100 Customers 150 200 250 Third-Party LDAP Usage X% : Percentage of customers using third-party LDAP MS Active Directory 89% SunONE 22% Novell 6 IBM Tivoli 6 Lotus Notes 115 29 3 Other Total exceeds 100% due to multiple directories in use at customer sites 3 0 20 40 60 Customers 80 100 120 140 Third-Party SSO X% : Percentage of cts using third-party SSO MS Kerberos 51% Netegrity 33% Other 12% Oblix 9% 7 WebSeal 9% 7 Novell 39 25 9 Total exceeds 100% due to multiple SSO solutions in use at customer sites 3 0 5 10 15 20 25 Customers 30 35 40 45 Customer Lessons Organisational & Staffing Tips • Proactively manage organisational politics: Corporate Security vs. E-Business administrators • Plan for complexity. Pad project plans with appropriate contingency • Experience helps. Trainee sysadmins may struggle. Customer Lessons (2) Organisational & Staffing Tips • Demand skilled consultants from consulting firms (including Oracle Consulting) • Read OracleAS 10g manuals, FAQs, get training • Skills required include: • • • • E-Business Suite system administration (e.g. AutoConfig) OracleAS 10g installation & configuration Security (e.g. LDAP, PKI) Networking (e.g. firewall, load-balancing router configuration) Customer Lessons (3) Systems Configuration Tips • Check Oracle CERTIFY on Metalink for platform availability (e.g. AIX & Tru64 weren’t available on 10.1.2.0.0) • Frequent complete backups • Stay current with certified OracleAS 10g releases & E-Business Suite technology stack patches • Only apply OracleAS 10g MLRs (emergency patchsets) that have been certified with the EBusiness Suite Customer Lessons (4) Systems Configuration Tips • Deploy incrementally: • Get SSO & OID working first • Add Portal & Discoverer • Add third-party LDAP & SSO integration • Test in “production-like” environment as early as possible with firewalls, load-balancers, SSL accelerators, etc. • Load-balancers and firewalls = largest source of problems when moving from TEST to PRODUCTION Customer Lessons (5) Working with Oracle Support • Use the right Technical Assistance Request (TARs) template (see Note 233436.1) • Monitor closely and escalate TARs as needed • All TARs must go to E-Business Suite Technology Stack Support Specialists (“AOL Support”) • Escalate as needed Customer Lessons (5) Working with Oracle Support • Upload prepared environment summary: • Build and OracleAS 10g versions used, NLS languages • Network topology: third-party LDAP & SSO, loadbalancers, firewalls, SSL accelerators • Provide detailed, reproducible testcase. Bad testcase: “OID integration doesn’t work.” • File enhancement requests The more precisely the position is determined, the less precisely the momentum is known in this instant, and vice versa. ~ Heisenberg, 1927 The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decision. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. Release 11i Certification Roadmap What’s Coming • Build 4.0 New systems administration features Second-generation diagnostic tools Automated RAC, SSL, DMZ Support • Portal 10.1.4 Certification • These statements are subject to change "This presentation is for informational purposes only and may not be incorporated into a contract or agreement" Release 12 Technology Stack Plans (Subject to Change) Applications Landscape Leveraging Fusion Middleware AS 10g Discoverer AS 10g Identity Mgt AS 10g Portal AS 10g WebCache E-Business Suite Collaboration Suite 10g AS 10g Integration PeopleSoft 3-Tier Logical Architecture R11i10 Technology Stack R12 Technology Stack Client Application Database 9iAS 1.0.2.2 9i or 10g Web Listener OC4J JSP SQL*Net BC4J UIX Reports Forms User Interface Application logic Database logic R12 Application Server Tier AS 10.1.3 ORACLE HOME Developer10.1.2 ORACLE HOME Database ORACLE HOME RSF 10.1 RSF 10.1 RSF 10.2 Apache 1.3 Forms 10 OC4J Reports 10 APPL TOP COMMON TOP RDBMS Components R12 Application Server Tier • OracleAS 10g 10.1.2 for Forms & Reports Services • Replaces the 8.0.6-based Oracle_Home provided by iAS 1.0.2.2 in 11i • OracleAS 10g 10.1.3 for Oracle Containers for Java (OC4J) • Replaces the 8.1.7-based Oracle_Home provided by iAS 1.0.2.2 in 11i • Oracle JDeveloper 10.1.3 • JDBC 10.2 • JDK 5.0 for web & concurrent processing R12 Preview: Deployment 10.1.3 ORACLE_HOME 10.1.2 ORACLE_HOME opmn formsapp.ear Apache frmweb OC4J-Forms OC4J-oacore OC4J-xmlsrv COMMON_TOP /html, /java Runtime processes started from 10.1.3 Oracle Home • OPMN, Apache • OC4J instances Forms runtime executable, frmweb, spawned by OC4J-Forms out of 10.1.2 O_HOME. oacore and xmlsrv OC4J instances use classes, html, jsp files from COMMON_TOP Optional on External Servers for R12 • OracleAS 10g Single Sign-On & Oracle Internet Directory 10.1.2.x • Discoverer 10.1.2.x • Portal 10.1.2.x • WebCache 10.1.2.x • Oracle Integration 10.1.2.x • Collaboration Suite 10gR2 • Enterprise Manager 10gR2 New E-Business Suite Technology Stack Blog • http://blogs.oracle.com/schan • • • • • Certification and desupport announcements Discussions about architectures, advanced configurations Early Adopter Programs and Statements of Direction Other E-Business Suite technology stack topics, presentations Supports RSS feedreaders Cut through the noise -- get the news directly from Development OracleAS + E-Business Suite Resources • • • • • • Frequently Asked Questions Installation Guide Implementation Guide Discoverer Installation Guide Documentation Roadmap Statement of Direction Note 186981.1 Note 233436.1 Note 261914.1 Note 313418.1 Note 207159.1 Note 223927.1