R12 Singel Sign On

Integrating Oracle E-Business Suite Release 12 with Oracle Internet Directory and Oracle Single Sign-On
Page 1 of 42
Integrating Oracle E-Business Suite Release 12 with Oracle Internet Directory and Oracle Single Sign-On [ID
376811.1]
Modified 04-FEB-2010
Type HOWTO
Status PUBLISHED
January 2010
This document contains information for integrating Oracle Application Server 10g Enterprise Edition with Oracle E-Business Suite release 12. You should
read and understand all content described here before you begin your installation.
The most current version of this document can be obtained in Metalink Note 376811.1
There is a change log at the end of this document.
Section 1: Overview
Section 2: Features and Supported Architectures
Section 3: Components and Build Versions
Section 4: Before You Begin
Section 5: Pre-Install Tasks
Section 6: Implement Oracle Single Sign-On Support for the E-Business Suite
Section 7: Available Documentation
Appendix A: Advanced Configuration - Manual OSSO/OID Registration
Appendix B: Product-Specific OSSO Exceptions
Appendix C: Known Issues
Conventions
Convention
Meaning
Represents 'line continuation character'. It can be used to to break command (in UNIX) into
two or more lines.
Mono space text
Represents command line text. Type this text exactly as shown.

Text enclosed in angled or square brackets represents a variable. Substitute an appropriate
https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=376811.1
8/10/2010
[ ] or { }
value for the variable text. Do not type the brackets.
Directory Paths
Directory paths in this document are relative to the top level installation directory for the Oracle
E-Business Suite. e.g. if you installed the Oracle E-Business Suite under a directory
named /my/appsinstall then [iAS_ORACLE_HOME]/Apache in this document will mean the
fully qualified path: /my/appsinstall/apps/tech_st/10.1.3/Apache.
Page 2 of 42
Full path to the Applications context file on the application tier or database tier. The default
locations are as follows.
CONTEXT_FILE
Application tier context file:

$INST_TOP/admin/[CONTEXT_NAME].xml
Database tier context file:
[RDBMS ORACLE_HOME]/appsutil/[CONTEXT_NAME].xml
CONTEXT_NAME
The CONTEXT_NAME variable specifies the name of the Applications context that is used by
AutoConfig. The default is [SID]_[hostname]. To find exact value of your instance
CONTEXT_NAME you can refer variable s_contextname in Application tier context file.
Important Directory Locations

This section helps you identify some important directories of E-Business suite Instance, which are relevant for this document. Make sure you understand
the purpose and location of these directories as explained below:
Abbreviation
Directory Location
[DB_ORACLE_HOME]
The ORACLE_HOME where your applications database is installed. The default

location is .../db/tech_st/10.2.0
[ORIGINAL_ORACLE_BASE]
This is the directory under which the HTTP ORACLE_HOME and the 10.1.2
technology stack ORACLE_HOME is installed. The default location for this
directory is [top level apps install directory]/apps/tech_st
[ORAHTTP_TOP]
The directory where your HTTP Server is installed. The default location is
[HTTP_ORACLE_HOME]/Apache
8/10/2010
[HTTP_ORACLE_HOME]
The ORACLE_HOME where 10.1.3.0 or your HTTP Server is installed. The

default location is .../apps/tech_st/10.1.3
AS 10.1.2 ORACLE_HOME
ORACLE_HOME installed by Oracle Applications on Application Tier used for

forms/reports. Ex. [ORIGINAL_ORACLE_BASE]/10.1.2
AS 10.1.3 ORACLE_HOME
ORACLE_HOME installed by Oracle Applications on Application Tier used for

HTTP server and JAVA. Ex. [ORIGINAL_ORACLE_BASE]/10.1.3
Page 3 of 42
Advisory for E-Business Suite Customers using Oracle Application Server 10g
Oracle recommends that customers apply only OracleAS 10g Enterprise Edition releases and patches that have been certified with the E-Business Suite
Release 12, as documented in the following Metalink Notes:
Integrating Oracle E-Business Suite Release 12 with Oracle Internet Directory and OracleAS Single Sign-On (Note 376811.1)
Using Discoverer 10.1.2 with Oracle E-Business Suite Release 12 (Note 373634.1)
Enabling SSL in Oracle E-Business Suite Release 12 (Note 376700.1)
Using Oracle Portal 10g with Oracle E-Business Suite Release 12 (Note 380484.1)
Installing and Configuring Web Cache 10g and Oracle E-Business Suite 12 (380486.1)
There may be specific circumstances where it is necessary for E-Business Suite customers to apply uncertified OracleAS 10g Enterprise Edition one-offs,
patchsets, or MLRs. Oracle strongly recommends applying such patches only if the circumstances clearly demand it. Customers apply uncertified
OracleAS 10g Enterprise Edition patches at their own risk, and Oracle strongly recommends that customers take complete backups of their OracleAS 10g
+ E-Business Suite integrated environments prior to patch application.
E-Business Suite customers may verify the certification status of specific OracleAS 10g Enterprise Edition patches by logging Service Requests via Oracle
Metalink using the following information:
Product: "Oracle Applications Technology Stack"

Type of Problem: "Oracle Application Server 10g"
Section 1: Overview
This document contains information for integrating Oracle Application Server 10g Enterprise Edition with the E-Business Suite. Benefits of this
configuration include E-Business Suite support for the following services running on servers external to the E-Business Suite environment:
Oracle Single Sign-On (OSSO) 10g

Oracle Internet Directory (OID) 10g
8/10/2010
Page 4 of 42
Oracle Portal 10g

Oracle Discoverer 10g
Oracle Web Cache 10g
Third-party single sign-on solutions
Third-party Lightweight Directory Access Protocol (LDAP) directories
These services may run:
On one or more standalone servers external to the existing Oracle E-Business Suite Release 12 environment.
In separate ORACLE_HOMEs on existing servers
These services may not run:
In the existing Oracle E-Business Suite Release 12 Oracle Application Server 10g 10.1.2 ORACLE_HOME for Forms and Reports
In the existing Oracle E-Business Suite Release 12 Oracle Application Server 10g 10.1.3 ORACLE_HOME for Web and Java services
For more information about E-Business Suite Release 12 architectures, see Oracle Applications Concepts, Release 12 (Part No. B31450-01).
1. Install Oracle Application Server 10g Enterprise Edition on a standalone server or in a separate ORACLE_HOMEs on an existing server.
2. Install interoperability patches to integrate the Oracle Application Server 10g Enterprise Edition server with the E-Business Suite environment.
3. Synchronize user information between the Oracle Application Server 10g Enterprise Edition server and the E-Business Suite environment.
Section 2: Features and Supported Architectures

Accessing E-Business Suite Instances with Oracle Single Sign-On
Oracle Application Server 10g (10.1.4.01), Oracle Internet Directory , OracleAS Single Sign-on Server , are required to enable Single Sign-On functionality
for the E-Business Suite.
Implementing Oracle Single Sign-On (OSSO) functionality for the E-Business Suite allows organizations to share one user definition throughout multiple
parts of their enterprise. Typically, the common user definition is stored in a Lightweight Directory Access Protocol (LDAP) repository such as Oracle
Internet Directory (OID). Oracle Internet Directory serves as a central repository for user credentials and other user information for all Oracle products,
including Oracle Application Server 10g Enterprise Edition and Oracle Portal. This user information is periodically synchronized with the E-Business Suite
instance through a combination of Oracle Workflow and Oracle Applications patches.
For Oracle E-Business Suite Release 12, mod_osso is used for Oracle Single Sign-On authentication. Mod_osso is an Oracle HTTP Server module that
provides authentication to OracleAS applications. It replaces the Oracle Single Sign-On SDK used in earlier releases of Oracle Single Sign-On to integrate
partner applications. It allows the E-Business Suite to register as a partner application to the Oracle Single Sign-On Server, giving users the ability to
access other registered partner applications with a single credential (for example, a username/password combination).
8/10/2010
Page 5 of 42
As a partner application, the E-Business Suite also supports Single Sign-Off. Release 12 users can simultaneously terminate a Oracle Single Sign-On
session and log out of all active partner applications by logging out of a single partner application. Selecting Logout in a partner application returns users to
the Single Sign-Off page, where logout occurs
Integration with Third-Party Access Management Systems and LDAP Directories

Organizations that have standardized on third-party access management systems (for example, Microsoft Windows/Kerberos or CA Netegrity SiteMinder)
can optionally integrate them with Oracle Single Sign-On server. Integration is via APIs that enable the Oracle Single Sign-On server to act as an
authentication gateway between third-party single sign-on systems and the E-Business Suite.
In this configuration, the Oracle Single Sign-On server, the third-party single sign-on server, and the partner application form a chain of trust. The Oracle
Single Sign-On server delegates authentication to the third-party single sign-on server, becoming essentially a partner application to it. The E-Business
Suite and other Oracle products continue to work only with the Oracle Single Sign-On server, and are unaware of the third-party single sign-on server.
Implicitly, however, they trust the third-party server.
Organizations that have standardized on third-party Lightweight Directory Access Protocol (LDAP) directories can optionally integrate them with Oracle
Internet Directory. Oracle Internet Directory synchronizes with third-party meta directory solutions.
Supported Architectures and Configurations

1. Type of integration with Release 12
A.
B.
C.
D.
OSSO and OID only

OSSO and OID and Portal
Discoverer only
Discoverer with either A or B configurations above
2. Location of Oracle Application Server 10g Enterprise Edition install

A. On existing Release 12 application tier server node in separate ORACLE_HOMEs.
B. Physically separate standalone server.
3. Users are authenticated by

A.
B.
C.
D.
OSSO
External third-party access manager (e.g. Windows Native Authentication)
Native E-Business Suite combined with one of the above
Combination of the above
4. Master source-of-truth for user information
8/10/2010
Page 6 of 42
A. OID
B. External third-party user repository (e.g. Microsoft Active Directory)
C. Combination of the above
Note: FND_USER may not be used as the exclusive authentication source when Release 12 is integrated
with Oracle Application Server 10g Enterprise Edition.
5. Direction of synchronization of user information with third-party user repository

A. From OID to third-party user repository
B. From third-party user repository to OID
C. Combination of the above
6. Method for initial population of user information in OID and Release 12

A.
B.
C.
D.
E.
F.
From Release 12 to OID

From OID to Release 12
From third-party user repository to OID to Release 12
Independently in OID, independently in Release 12, then link on first sign-on with link-on-the-fly.
From third-party user repository to OID, independently in Release 12, then link on first sign-on with link-on-the-fly
7. Method for ongoing updates to user information

A.
B.
C.
D.
From Release 12 to OID

From OID to Release 12
From third-party user repository to OID to Release 12
For more detailed explanation, See Oracle Application System Administrator's Guide-Security, Release 12 (Part No. B3145103).
8. What the user sees after sign-on

A. Portal home page
B. Oracle Applications Framework home page
(Depending on the configuration)
9. Other supported options
8/10/2010
Page 7 of 42
A. Allow user to associate OID account with multiple Release 12 accounts
Section 3: Components and Supported Versions

3.1. Components
Oracle E-Business Suite Release 12
The following components must be used on the E-Business Suite instance:
Component Name
Release
Oracle E-Business Suite Release 12
12.0.x to 12.1.x
Oracle 10g Application Server
10.1.2
Oracle 10g Application Server
10.1.3
Oracle Developer 10g (includes Oracle Forms)
10.1.2
Oracle Application Server 10g Enterprise Edition

The following Oracle Application Server 10g Enterprise Edition components must be used on the standalone instance:
Component Name
Release
Oracle Single Sign-On 10g
10.1.4.3.0
Oracle Internet Directory 10g
10.1.4.3.0
Oracle Portal 10g (optional)
10.1.4.2.0
Oracle Web Cache 10g (optional)
10.1.2.3.0
Oracle Discoverer 10g (optional)
10.1.2.3.0
Section 4: Before You Begin

Before you proceed any further, ensure that you have obtained the following:
8/10/2010
Page 8 of 42
From the Oracle Store or the Oracle Technology Network :
CD Pack for Oracle Application Server 10g Release 2 Enterprise Edition
From Oracle MetaLink:
Oracle Applications Concepts, Release 12 (Part No. B31450-03)

Oracle Applications System Administrator's Guide-Security, Release 12 (Part No.B31451-03).
Note 373634.1 - Using Discoverer 10.1.2 with Oracle E-Business Suite Release 12
Note 380486.1 - Installing and Configuring Web Cache 10g and Oracle E-Business Suite 12
Note 314422.1 - Remote Diagnostic Agent (RDA) 4 - User Guide
Note 380484.1 - Using Oracle Portal 10g with Oracle E-Business Suite Release 12
Section 5: Pre-Install Tasks

Perform the following pre-install tasks before you start your installation:
Pre-Install Task 1: Install Oracle Remote Diagnostic Agent for E-Business Suite (optional)
Pre-Install Task 1, Step 1: Install Oracle Remote Diagnostic Agent
The Oracle Remote Diagnostic Agent may optionally be installed in your E-Business Suite environment to streamline the process of
gathering diagnostic information when filing Service Requests (SR's) with Oracle Support. If you plan to enable Oracle Single Sign-On for
multiple E-Business Suite instances, then each instance must have the Oracle Remote Diagnostic Agent installed.
Obtain Note 314422.1 Oracle Remote Diagnostic Agent (RDA) from Oracle MetaLink. Download and install the appropriate version of the
Oracle Remote Diagnostic Agent for your operating system platform.
Pre-Install Task 2: Install OracleAS Identity Management Infrastructure 10g (10.1.4.0.1)

If you already have an existing OracleAS 10g (10.1.2.0.2) instance, skip this step and proceed directly to the next Pre-Install step.
Perform this task to install 'OracleAS Identity Management Infrastructure 10g (10.1.4.0.1)' for the first time.
This task creates the standalone Oracle Application Server 10g Enterprise Edition server that will be associated with the E-Business Suite
server.
Pre-Install Task 2, Step 1:
8/10/2010
Page 9 of 42
Obtain the CD Pack for Oracle Application Server 10g Enterprise Edition for your operating system platform.
Note for OEL4.0 PLATFORM:

Apply patch 6198537. Refer patch readme for more details.

Review Chapters 1, 2 and 3 of the Oracle Application Server 10g Installation Guide for your operating system platform. That documentation
lists important architectural requirements for your Oracle Application Server 10g instance, some of which are:
Oracle Application Server 10g (10.1.4.0.1) provides a comprehensive Identity and Access Management solution. To enable Oracle
Single Sign-On Support for E-Business suite Release 12, one need to select 'Oracle Application Server Infrastructure 10g' as a
product during Install
The Oracle Application Server 10g application server installation and the Oracle Application Server 10g Infrastructure may reside on a
single host or on separate hosts
The Oracle Application Server 10g application server installation and the Oracle Application Server 10g Infrastructure must be in
separate ORACLE_HOMEs
The Oracle Application Server 10g Infrastructure must not be installed in the Oracle E-Business Suite Release 12 database. For more
details, see Oracle MetaLink Note 251627.1, Installing an OracleAS Metadata Repository with an Oracle E-Business Suite Database.
The application server installation and the infrastructure must not be installed in the ORACLE_HOME of an existing Oracle EBusiness Suite Release 12 application-tier server node
This is not a comprehensive list of architectural requirements for Oracle Application Server 10g Enterprise Edition. Review the
documentation and release notes for your operating system platform for additional details.

Ensure that the target host meets hardware requirements for Oracle Application Server 10g Enterprise Edition. Also ensure that all operating
system and software prerequisites have been met, including the latest version of Java 2 Standard Edition.

Follow the Oracle Application Server 10g Installation Guide for your operating system platform for instructions on installing an OracleAS 10g
Infrastructure into its own ORACLE_HOME. The OracleAS 10g Infrastructure includes the following OracleAS Metadata repository and
Oracle Identity Management Components:
If you wish to use OracleAS 10g to enable single sign-on for Release 12 environments, you will require (at minimum):
"Metadata Repository" option of the OracleAS Infrastructure 10g 10.1.4.0.1 Installation.

"Identity Management" option of the OracleAS Infrastructure 10g 10.1.4.0.1 Installation. The "Identity Management" option includes
8/10/2010
Page 10 of 42
Identity Management components like Oracle Internet Directory, Oracle Single Sign-On, and Delegated Administration Services, and
may be installed at the same time as the "Metadata Repository"
Pre-Install Task 3:Upgrade OracleAS 10g Infrastructure (10.1.2.0.2) to Oracle Identity Management 10g (10.1.4.0.1)
Before starting your upgrade, make a complete backup of your environment. In particular, ensure that you have backed up the Oracle
Application Server 10g, the Oracle Application Server 10g infrastructure, and the inventory location.
If you have an existing OracleAS 10.1.2.0.2 Infrastructure, upgrade it to Oracle Identity Management 10g (10.1.4.0.1) referring
'Upgrade and Compatibility Guide' for your operating system platform. Refer 'Chapter 3: Understanding Version Compatibility' in
particular, to identify existing Oracle Homes to upgrade.
Keep existing 10.1.2.0.2 Middle-Tier Instance(s) as it is. They will continue to function as normal with Oracle Identity Management 10g
(10.1.4.0.1)
No additional steps are required to refresh existing OSSO, OID, Portal and/or Discoverer registrations performed with E-Business
suite Release 12 using previous versions. These will be preserved and will continue to function as normal after upgrade to 10.1.4.0.1.
Pre-Install Task 4: Apply the latest certified Application Server Patchset

Oracle E-Business Suite Release 12 is certified with the Application Server Patch Sets listed in the table below:
Certified AS Patchset
Download Location
Oracle Identity Management 10g Release 3 Patch Set 1 (10.1.4.2)
5983637
Oracle Identity Management 10g Release 3 Patch Set 2 (10.1.4.3)
7215628
Oracle Application Server and Oracle Developer Suite 10g Release 2 (10.1.2) Patch Set 2 (10.1.2.2.0)
4960210
Oracle Application Server and Oracle Developer Suite 10g Release 2 (10.1.2) Patch Set 3 (10.1.2.3.0)
5983622
On
de
Follow the installation instructions provided in the patch README to install the patch on your Identity Management Server and to check
supported operating systems.
8/10/2010
Page 11 of 42
Oracle always recommends latest certified AS patchset for E-Business Suite customers.
Pre-Install Task 5: Apply patch 6652745 (Windows Platform Only)

Windows customers need to download the patch 6652745 from OracleMetalink and follow the install instructions in patch README.
Pre-Install Task 6: Apply patch 7362662

Customers need to download the patch 7362662 from OracleMetalink and follow the install instructions in patch README.
Pre-Install Task 7: Test your Oracle Application Server 10g environment

At a minimum, the following test is recommended to ensure that the Identity Management infrastructure is working correctly.
Start Oracle Internet Directory Delegated Administration Services by going to:

http://[host_name].[domain]:[Infrastructure http port number]/oiddas
Log in using the orcladmin userid

Navigate to Directory > Create.
Create a test userid, supplying a password and other user information. Click Submit.
Log out.
Log into Oracle Internet Directory Delegated Administration Services using the newly created test userid.
Ensure the Directory Integration and Provisioning Platform Server is running. The command ps -ef | grep odi should show a process called
$ORACLE_HOME/bin/odisrv running.
Pre-Install Task 8: Make a complete backup of your environment

After successfully testing your installation, make a complete backup of your environment. In particular, ensure that you have backed up the
Oracle Application Server 10g, the Oracle Application Server 10g infrastructure, and the inventory location.
Section 6: Implement Oracle Single Sign-On Support For the E-Business Suite
OSSO Task 1: Install E-Business Suite OSSO 10g Integration Patch
The E-Business Suite Release 12 Rapid Install includes all patches required for integration with Oracle Single Sign-On and Oracle Internet Directory 10g.
No additional patches are required.
8/10/2010
Page 12 of 42
Note: If you are integrating Oracle 10gAS OSSO/OID with AIX based Oracle E-Business Suite Release 12, then OID registration will fail with following
error. Apply patch 5855635 to AS 10.1.3 ORACLE_HOME of Release 12. See known issue section and patch readme for more details.
java.lang.UnsatisfiedLinkError: jmisc (A file or directory in the path name does not exist.)
OSSO Task 2: Configure Oracle Identity Management 10g (10.1.4.x) Components with E-Business Suite
Note: See Oracle Applications System Administrator's Guide - Security, Release 12 (Part No. B31451-03) , which provides various scenarios for
synchronizing user information between Oracle E-Business Suite and Oracle Internet Directory.
The following steps create a default configuration employing bidirectional synchronization of user information between Oracle Internet Directory and
the E-Business Suite. This default configuration meets the majority of customer requirements, but before proceeding further, you should review Oracle
Applications System Administrator's Guide - Security, Release 12 (Part No. B31451-03) to evaluate whether an alternate configuration better meets
your needs. If so, you may elect to perform a manual configuration, as detailed in Appendix A.
Perform the following steps on all application-tier web node(s).
OSSO Task 2, Step 1: Choose Registration Type - Default (Simple) or Advanced

The registration script automates both OSSO and OID registration. To simplify the registration process, the script defaults many parameters.
The default (Simple) registration process will result in a configuration that meets the needs of the majority of users.
System administrators should review the default settings to determine whether they apply to their environment. The features of the default
simple registration are:
10.1.3 Oracle Home Registration

Registers AS 10.1.3 Oracle Home in OID before OSSO or OID registration.
10.1.3 Oracle Home registration will happen only once per E-Business Suite deployment including multinode deployments. In
multi node configuration it can be done on any node.
OSSO Registration
Creates a single OSSO partner application
Listener Token is set to the site level value of profile option, Applications Database ID (APPS_DATABASE_ID)
OID Registration
Registers E-Business Suite with OID using the provisioningtype=1 provisioning profile. This will enable Bidirectional user
synchronization with user creation.
Requires that you have not changed the default OID password policy, i.e., at least 5 characters with 1 numeric character.
If you need to use different settings, please refer to Appendix A: Advanced Configuration - Manual OSSO/OID Registration
8/10/2010
Page 13 of 42
OSSO Task 2, Step 2: Compile Parameter Checklist

Before running the registration script, make sure you've gathered all the information in the following checklist.
Parameter Checklist:
Sr.
No
Parameter Description
Example
Comments
Hostname of Oracle
Application Server
Infrastructure database
{mandatory}
alpha.company.com
Fully qualified name recommended, e.g.

alpha.company.com rather than just alpha
LDAP port of Oracle

Internet Directory
{mandatory}
389
Check for LDAP port number in

$ORACLE_HOME/install/portlist.ini
LDAP SSL port of Oracle

636
Internet Directory
{mandatory}
Check for LDAP port number in

$ORACLE_HOME/install/portlist.ini
Password of Oracle EBusiness Suite database

user,
"APPS" {mandatory}
[password]
APPS user password.
Password of Oracle
Internet Directory admin
user, "orcladmin
{mandatory}
welcome123
No comment needed.
Password to register EBusiness Suite instance

with Oracle Internet
Directory {mandatory}
welcome123
No comment needed.
Oracle Internet Directory

administration user
name.
orcladmin
OID superuser name. Default value is

"cn=orcladmin".
apps name
s_contextname
This instance will be registered with OID

Server with this appname. Default value of
appname s_contextname.
8/10/2010
11
12
12
svcname
Provisiontype
ldaphost
dbldapauthlevel
s_contextname
This instance will be registered with OID

Server with this svcname. Default value of
appname s_contextname.
It specifies provisioning type between instance

and OID Server. Allowed values are 1,2,3,4.
This are for 1. Bidirectional, 2.Instance to OID
Server, 3.OID Server to Instance,
4.Bidirectional no creation. Default value is 1.
beta.company.com
For Non-Colocated Infrastructure, i.e. if

ldaphost is different from infradbhost, pass
value of ldaphost for this parameter in
command line. Default value of ldaphost is
infradbhost.
authentication level between E-Business

database and OID Server for provisioning
purpose. Values are, 0 - Non-SSL
Communication, 1 - SSL with no
authentication, 2 - SSL with server
authentication, 3 - SSL with Client and Server
authentication.
13
dbwalletdir
FND_DB_WALLET_DIR
E-Business database wallet directory. This is

must if dbldapauthlevel > 1. Default
dbwalletdir is the value of site level profile
FND_DB_WALLET_DIR
14
dbwalletpass
[password]
E-Business database wallet password. This is

must if dbldapauthlevel > 1
15
rdbmsdn
Page 14 of 42
RDBMS DN of this E-Business database

instance that is registered with OID Server e.g.
cn=OracleContext
OSSO Task 2, Step 3: Refresh Environment Settings

As the owner of the application-tier file system,source the file $APPL_TOP/APPS[context_name].env to set the environment correctly.
OSSO Task 2, Step 4: Check Specific Environment Settings

OSSO Task 2, Step 4.1 - Ability to connect to E-Business Suite database
8/10/2010
Page 15 of 42
Check that the environment variable TWO_TASK (or LOCAL on Windows) is set correctly, by executing the command
sqlplus [apps user]/[apps password]@[two_task or local]
This will confirm that you are able to connect to the E-Business Suite database.
OSSO Task 2, Step 5: Run the Registration script

A perl script is used to register Oracle E-Business Suite instance with OracleAS Single Sign-On and Oracle Internet Directory. This
registration process allows the E-Business Suite to delegate user authentication to Oracle Single Sign-On, and for user information to be
synchronized between Oracle Internet Directory and the E-Business Suite.
For debugging purposes, it is strongly recommended that you keep careful records of all information entered in this step.
UNIX
On UNIX, you can split the command over multiple command lines, by entering the '\' continuation character followed by
[Return]. Execute the following command if you want to use the default (simple) registration that uses the bidirectional
provisioning:
$FND_TOP/bin/txkrun.pl -script=SetSSOReg
Execute the following command if you want to use the default (simple) registration, but with a different provisioning type:
$FND_TOP/bin/txkrun.pl -script=SetSSOReg \
-provisiontype=[Provision Type]
where [Provision Type] corresponds to the provisioning type that you wish to use.
WINDOWS
On Windows, you must pass all the arguments on a single command line, pressing [Return] once at the end. Execute the
following command if you want to use the default (simple) registration that uses bidirectional provisioning:
%ADPERLPRG% %FND_TOP%\bin\txkrun.pl -script=SetSSOReg
Execute the following command if you want to use the default (simple) registration, but with a different provisioning type:
8/10/2010
Page 16 of 42
%ADPERLPRG% %FND_TOP%\bin\txkrun.pl -script=SetSSOReg \

- provisiontype=[Provision Type]
where [Provision Type] corresponds to the provisioning type that you wish to use.
Parameter Prompts:
The registration script will prompt for several parameters. Use the parameter values from the Parameter Checklist that you compiled. The
script will prompt for the parameters in the following order:
Enter
Enter
Enter
Enter
Enter
Enter
the host name where Oracle iAS Infrastructure database is installed ? ap6013atg.us.oracle.com
the LDAP Port on Oracle Internet Directory server ? 13061
SSL LDAP Port on Oracle Internet Directory server ? 13131
the Oracle Internet Directory Administrator (orcladmin) Bind password ? manager2
the instance password that you would like to register this application instance with ? test123
Oracle E-Business apps database user password ? APPS
Note: You can use the default (simple) registration and still chose a different provisioning type. You can do so by passing
provisioningtype=[1-4] as part of script execution. For more details about Provisioning Types, please refer Appendix A: Section 4:
Provisioning
Here is an example that chooses OutBound Provisioning instead of the default:
UNIX
$FND_TOP/bin/txkrun.pl -script=SetSSOReg -provisiontype=3
WINDOWS
%ADPERLPRG% %FND_TOP%\bin\txkrun.pl -script=SetSSOReg \
- provisiontype=3
If you need to override additional registration parameters, please refer to Appendix A: Advanced Configuration - Manual OSSO/OID
Registration
8/10/2010
Page 17 of 42
OSSO Task 2, Step 6: Confirm Successful Script Completion

When the registration script completes successfully, it will print the following line:
End of [FND_TOP]/patch/115/bin/txkSetSSOReg.pl : No Errors encountered
If you do not see this confirmation, examine the following file to investigate the problem:
$APPLRGF/TXK/txkSetSSOReg_[timestamp].xml
OSSO Task 2, Step 7: Enable SQL*Net Access to the E-Business Suite Database for OracleAS 10g Hosts (Conditional)
Perform this step if your E-Business Suite environment has enabled the "Enable Restricted Access" feature. This security feature restricts
SQL*Net access to the E-Business Suite Release 12 database based on a white list of authorized hosts. If you already enabled this feature
in Release 12 and you are enabling Oracle Single Sign-On for the first time, you must add the Oracle Application Server 10g application tier
hosts to the SQL*Net white list before user information can be synchronized between Oracle Internet Directory and the E-Business Suite.
Oracle Applications Manager provides a wizard to restrict SQL*Net access to the database from your middle-tier hosts. If you enable the
SQL*Net Access security option, you can select which hosts have SQL*Net access to the database. (Navigation: Oracle Applications
Manager=>Applications Dashboard=>Security=>Manage Security Options)
Using this wizard you can specify a list of hosts that can access the Oracle Applications Database via SQL*Net. To do so, you need to
complete the following tasks.
1. Run this wizard
2. Run AutoConfig on Database Tier
3. Bounce the TNS Listener for the new settings to take effect
Note: All virtual hosts must be manually reconciled with the appropriate physical mapping. Individual physical machines must be registered. You
cannot specify subnet masks. You must register a resolvable network address.
OSSO Task 2, Step 8: Run Autoconfig

Execute adautocfg.sh script available under $ADMIN_SCRIPTS_HOME directory, on your E-Business suite middle-tier.
OSSO Task 2, Step 9: Restart Middle-tier services
8/10/2010
Page 18 of 42
The Oracle E-Business Suite Oracle HTTP Server must be stopped and restarted for your changes to take effect.
For information about autoconfig, stopping and starting Applications processes, see Using AutoConfig to Manage System Configurations with
Oracle E-Business Suite Release 12 (Oracle Metalink Note 387859.1)
OSSO Task 3: Validate that Oracle Single Sign-On is Working Correctly

To validate that Oracle E-Business Suite Release 12 has been properly registered as a partner application to Oracle Single Sign-On 10.1.2.0.2, perform
the following steps:
OSSO Task 3, Step 1: Run the Diagnostic Utility

OSSO Task 3, Step 1.1: Login locally to the E-Business Suite
Login as user "sysadmin" to the E-Business Suite locally using this URL:
http[s]://[server][:port]/OA_HTML/AppsLocalLogin.jsp
Where [server] and [port] reflect the correct values for your environment.
OSSO Task 3, Step 1.2: Launch Diagnostics
Select the responsibility "CRM HTML Administration" from the Navigator's left pane
Select the function "Diagnostics" from the Navigator's right pane. This will launch a new window. If you do not see a new window,
make sure any browser pop-up blockers are disabled.
OSSO Task 3, Step 1.3: Run OSSO Diagnostics

For 12.0.x Customers
Click on the "Basic" tab

Choose "Application Object Library" from the Applications drop down
Click on "SSO Setup Tests" - Click on "Run Without Pre-Requisite"
All the tests should complete successfully
Click on the "Report" icon for each test and verify the results
For 12.1.1.x Customers
Click "Selection Application" button
8/10/2010
Page 19 of 42
Enter "%Object%" in the field alongside "Search by Application Name" and click "Go" button
Check "Select" in the 'Application Object Library' row of the "Results" table and click "Select" button
Expand "SSO Setup Tests"
Select all of the tests and click "Execute" button
Click "Test Inputs" icon in the "E-Business account SSO Information" row
Click "Add Another Row" in the "Custom Inputs" table
Verify that "sysadmin2 is displayed in the "ebizAccount" field and click "Apply" button
Select all of the tests and click "Submit" button
Click "Refresh" button until all tests have completed
All Tests should complete successfully
If any errors are encountered click "View Report" icon for further details
Note: SSO Diagnostics will fail if E-Business Suite is SSL Enabled or using SSL Accelerator. You can ignore the error. Please refer
known issues: 5765693 and 8773543 for more details.
OSSO Task 3, Step 1.4: Run OID Diagnostics

For 12.0.x Customers
Click on "OID Setup" - Click on "Run Without Pre-Requisite"

All the tests should complete successfully
Click on the "Report" icon for each test and verify the results
For 12.1.1.x Customers
Click "Selection Application" button

Enter "%Object%" in the field alongside "Search by Application Name" and click "Go" button
Check "Select" in the 'Application Object Library' row of the "Results" table and click "Select" button
Expand "OID Setup"
Select the test and click "Execute" button
Click "Submit" button
Click "Refresh" button until the test has completed
The Test should complete successfully
If any errors are encountered click "View Report" icon for further details
OSSO Task 3, Step 2 Verify OSSO integration with Oracle E-Business Suite
OSSO Task 3, Step 2.1
Request the appropriate E-Business Suite login link, of the form:
8/10/2010
Page 20 of 42
http://[host]:[port]/OA_HTML/AppsLogin
Where [host] and [port] reflect the correct values for your environment. This should direct you to the Oracle Single Sign-On
Login screen.
OSSO Task 3, Step 2.2:

Enter the username and password for a valid account in Oracle Internet Directory. You should be directed to either the Oracle
E-Business Suite home page or a page that shows "More Information Requested".

Click on the logout link on whichever of the pages that you see. You should now be directed to the Oracle Single Sign-On
Logout page. If so, then Oracle Single Sign-On integration has been carried out correctly.
Also see Single Sign-On Processes
OSSO Task 3, Step 3: Verify that your Oracle E-Business Suite instance is correctly integrated with Oracle Internet Directory.
OSSO Task 3, Step 3.1:
Check that there are no errors in the Oracle Internet Directory log files for the E-Business Suite instance you have just
configured. These files are on the machine that hosts Oracle Internet Directory, under $ORACLE_HOME/ldap/odi/log. There
are two log files for each provisioning direction, so there will either be two or four in total. The files for provisioning from Oracle
Internet Directory to E-Business Suite end with _E.aud and _E.trc. The files for provisioning from E-Business Suite to Oracle
Internet Directory end with _I.aud and _I.trc.

Depending on how provisioning has been configured, try to create a user from either E-Business Suite or Oracle Internet
Directory. If you used the default registration process, you may create a user in either E-Business Suite or Oracle Internet
Directory and see the newly-provisioned user appear in the other system within about two minutes. The user details should also
be visible in the relevant .aud log file mentioned above. If so, then provisioning configuration for Oracle Internet Directory has
been performed correctly.
Also see Directory-Enabled Oracle Single Sign-On
Section 7: Available Documentation
8/10/2010
Page 21 of 42
Documentation for creating the standalone Oracle Application Server 10g instance
Oracle Application Server 10g Documentation Library
Appendix A: Advanced Configuration - Manual OSSO/OID Registration

This appendix provides an overview of OSSO-OID Registration tools to register E-Business instance with OSSO Server and OID Server. It contains the
following sections:
Concepts
Section 1: Registration
To register E-Business instance with OSSO and OID servers.
Section 1.1: Register All
To register Oracle Home, with OSSO Server, instance with OID server in a single command.
Section 1.2. Register Instance
To Register Oracle Home only.
Section 1.3: Register OSSO
To register instance with OSSO Server only.
Section 1.4: Register OID
To register instance with OID Server only.
Section 2: Deregistration
To deregister E-Business instance with OSSO and OID servers.
Section 2.1: Deregister All
To deregister instance from OID Server, instance from OSSO server and Oracle Home in a single command.
Section 2.2: Deregister OID
To deregister instance from OID Server only.
Section 2.3: Deregister OSSO
To deregister instance from OSSO Server only.
Section 2.4: Deregister Instance
To deregister Oracle Home only.
Section 3: Remove References
Section 4: Provisioning
Section 5: Troubleshooting
Attention: Source the E-Business Suite environment file as the owner of the application tier file system before executing the utility for registration or
de-registration purpose.
Concepts
8/10/2010
Page 22 of 42
There are three components that can be registered or de-registered in Release 12 with the OSSO/OID registration utility. The utility automatically detects
the registered components and performs registration for the un-registered components. So there is no need to pass individual registration arguments.
If you have a Single Node deployment then run the utility for OSSO/OID Registration as after sourcing the Application Tier environment file:
txkrun.pl -script=SetSSOReg
And for Deregistration:

txkrun.pl -script=SetSSOReg -deregister=Yes
And if you have a Multi-node deployment then run the utility as above on each Web Node for Registration or De-Registration. Services needs to be
restarted after Registration and De-Registration.
Details about the three components are below.
Three Components
Oracle Home Registration
10.1.3 Oracle Home needs to be registered in the Infrastructure instance before either OID or OSSO registration can be attempted. We refer
to this as registering an Oracle Home instance i.e. "registerinstance". Oracle Home needs to be registered only once per EBusiness
Deployment including multinode deployments. In a multi node deployment, it can be done on any node.
Oracle Single Sign-On Registration

Single Sing-On registration involves registering EBusiness as a mod_osso based OSSO Partner Application. In the
[ORA_CONFIG_HOME]/10.1.3/Apache/Apache/conf/httpd.conf file, the directive to include "mod_osso.conf" is uncommented to enable the
mod_osso authentication. This is controlled by the Application Context variable "s_mod_osso_conf_comment" which should not have any
value if EBusiness instance is integrated with OSSO server. Otherwise it defaults to "#".
2.1 MultiNode Single Web Entry URL Deployment

In a multi node Load Balanced deployment scenario when there is only one Web Entry URL, only one partner
application is registered in the OSSO server. The OSSO configuration file generated from the partner application
registration will be used on all the nodes. To achieve this, you will have to run the registration utility on every
8/10/2010
Page 23 of 42
node. The registration utility automatically detects the components needs to be registered and performs
registration. When the OSSO configuration file is generated from the first node on which the utility is run, the file
gets uploaded to FND_LOBS table in the EBusiness Database. From other nodes, the OSSO registration is
detected and the file is pulled from the FND_LOBS table and copied to the config home.
2.2 DMZ Deployments With Multiple Web Entry URLs

In a multi node DMZ deployment, there are external Web Entry URL and internal Web Entry URLs. One
mod_osso based OSSO partner application is required for each Web Entry URL. The partner applications are
determined based on the unique APPS_FRAMEWORK_AGENT values from the
FND_PROFILE_OPTION_VALUES table. The utility performs partner application registration if that specific
partner application is not registered and uploads OSSO configuration files to the FND_LOBS table. When the
utility is run on other nodes, it detects the registration and gets the correct OSSO configuration file from the
FND_LOBS table and copies it to the CONFIG_HOME.
Oracle Internet Directory Registration

Oracle Internet Directory Synchronization and Provisioning needs to be done only once for any EBusiness Deployment. There are four
choices for the provisioning which is controlled by " provisiontype " command line option which takes one of four values i.e. 1, 2 , 3 or 4.
Provision Type
Description
-provisiontype=1
This is the default which enables BiDirectional Provisioning
-provisiontype=2
This enables InBound Provisioning i.e. EBusiness to OID
-provisiontype=3
This enables OutBound Provisioning i.e. OID to EBusiness
-provisiontype=4
This enables BiDiNoCreation Provisioning.
For details about provisioning see Section "Provisioning" below.
Section 1: Registration
OSSO-OID Registration can be done using a single command (Section 1.1). Even though it can be done in a single command it is divided into three parts.
Oracle Home Registration.

OSSO Registration.
OID Registration.
8/10/2010
Page 24 of 42
Attention: If you are trying to integrate an Oracle E-Business Suite Release 12 Vision instance created by Rapid Install with Oracle Single
Sign-On or Oracle Internet Directory of Oracle AS 10g, following error will be displayed by the registration utility:
*** ERROR : Previous registration detected with application name : Vision la4008
See known issues section for workaround and other details.
Section 1.1: Register All

Section 1.1.1: Interactive Mode
$FND_TOP/bin/txkrun.pl -script=SetSSOReg
It prompts for required arguments as follows:

Enter the host name where Oracle iAS Infrastructure database is installed ?
ap6013atg.us.oracle.com
Enter the LDAP Port on Oracle Internet Directory server ? 13061
Enter SSL LDAP Port on Oracle Internet Directory server ? 13131
Enter the Oracle Internet Directory Administrator (orcladmin) Bind password ? manager2
Enter the instance password that you would like to register this application instance with ?
test123
Enter Oracle E-Business apps database user password ? APPS
It does following things:

It validates the arguments
Registers this instance with infrastructure host.
Registers this instance as a partner application to the OSSO Server.
Registers this instance with OID server
8/10/2010
Page 25 of 42
Creates the provisioning.
Note:
1. User need to restart the middle-tier services
2. If it fails to register instance itself, user can rerun this command with valid arguments.
3. If it fails after instance registration user can do OSSO Registration as explained in Section 1.3 and OID
Registration as explained in Section 1.4
Section 1.1.2: Non Interactive Mode

$FND_TOP/bin/txkrun.pl \
-script=SetSSOReg \
-infradbhost=ap6013atg.us.oracle.com \
-ldapport=13061 \
-ldapportssl=13131 \
[-ldaphost=ap6014atg.us.oracle.com \]
[-oidadminuser=cn=orcladmin \]
-oidadminuserpass=manager2 \
-appspass=APPS \
-instpass=test123 \
[-appname=[s_dbSid] \]
[-svcname=[s_dbSid] \]
[-provisiontype=1 \]
[-dbldapauthlevel=1 \]
[-dbldapport=13130 \]
[-dbwalletpass= \]
[-dbwalletdir= \]
[-rdbmsdn= ]
Purpose of optional arguments:

oidadminuser: This is OID admin DN. Default value is cn=orcladmin.
appname: This instance will be registered with OID Server with this appname. Default value of appname is [s_dbSid].
svcname: This instance will be registered with OID Server with this svcname. Default value of appname is [s_dbSid].
provisiontype: It specifies the provisioning type between instance and OID Server. Default value is 1. Allowed values
are as follows.
1 - Bidirectional. This is the default value.
8/10/2010
Page 26 of 42
2 - Instance to OID Server

3 - OID Server to Instance
4 - Bidirectional no creation
dbldapauthlevel: This is the selected authentication level between E-Business database and OID Server for
provisioning purpose.
0 - Non-SSL Communication. This is the default value
1 - SSL with no authentication.
2 - SSL with server authentication
3 - SSL with Client and Server authentication.
dbldapport: Port on OID Server used by E-Business database for provisioning. default value is ldapport.
ldaphost: For Non-Colocated Infrastructure, i.e. if ldaphost is different from infradbhost, pass value of ldaphost for this
parameter in command line. Default value of ldaphost is infradbhost.
dbwalletpass: E-Business database wallet password. This is must if dbldapauthlevel > 1
dbwalletdir: E-Business database wallet directory. This is must if dbldapauthlevel > 1. Default dbwalletdir is the value of
site level profile FND_DB_WALLET_DIR
rdbmsdn: RDBMS DN of this E-Business database instance that is registered with OID Server e.g. cn=OracleContext
Section 1.2: Register Instance

1.2.1: Interactive Mode
-script=SetSSOReg \
-registerinstance=yes

Enter the host name where Oracle iAS Infrastructure database is installed ?
ap6013atg.us.oracle.com
Enter SSL LDAP Port on Oracle Internet Directory server ? 13131
8/10/2010
Page 27 of 42

It registers this instance with Infrastructure host.
1.2.2: Non Interactive Mode

-script=SetSSOReg \
-registerinstance=yes \
-infradbhost=ap6013atg.us.oracle.com \
-ldapport=13061 \
-ldapportssl=13131 \
[-ldaphost=ap6014atg.us.oracle.com \]
-appspass=APPS

Purpose of all the optional arguments explained in Section 1.1.2: Purpose of optional arguments
Section 1.3: Register OSSO

1.3.1. Interactive Mode
-script=SetSSOReg \
-registersso=yes

8/10/2010
Page 28 of 42

It registers this instance as a partner application to the OSSO Server.
Note:
1. User needs to restart the services.
2. Instance should be registered with Infrastructure DB host already. Otherwise register the instance as explained in Section 1.2
and then try to register OSSO.
1.3.2. Non Interactive Mode

-script=SetSSOReg \
-registersso=yes \
-appspass=APPS
Section 1.4: Register OID

-script=SetSSOReg \
-registeroid=yes
It prompts for required arguments as follows

Enter LDAP Host name ? ap6013atg.us.oracle.com
Enter the instance password that you would like to register this application instance with ?
test123
8/10/2010
Page 29 of 42

It registers this instance with OID Server. Also creates provisioning.

-script=SetSSOReg \
-registeroid=yes \
-ldaphost=ap6013atg.us.oracle.com \
-ldapport=13061 \
-appspass=APPS \
-instpass=test123 \
[-appname=contextname \]
[-svcname=contextname \]
[-provisiontype=1 \]
[-dbldapauthlevel=1 \]
[-dbldapportssl=13130 \]
[-dbwalletpass= \]
[-dbwalletdir= \]
[-rdbmsdn= ]

Purpose of all the optional arguments explained in Section 1.1.2 Purpose of optional arguments:
Section 2: Deregistration
OSSO-OID Deregistration can be done using a single command (2.1). Even though it can be done in a single command it is divided into three parts
OID Deregistration
OSSO Deregistration
Instance Deregistration
Section 2.1: Deregister All
8/10/2010
Page 30 of 42

-script=SetSSOReg \
-deregister=yes

Enter the Oracle Internet Directory Administrator (orcladmin) Bind password ? manager
[ Enter LDAP Host name ? ap6013atg.us.oracle.com ]
[ Enter the LDAP Port on Oracle Internet Directory server ? 13061 ]

It validates the arguments.
Deletes the Provisioning.
Deregisters this instance with OID Server.
Deregisters this instance with OSSO Server.
Deregisters this instance with Infrastructure host.
Note:
1. Prompts for ldaphost and ldapport if those are not existing in the database as fnd user preferences.
2. If it fails to deregister this instance, same command can be executed by passing valid arguments.
3. If it fails to deregister this instance with OSSO server, the deregister this instance with OSSO server as explained in Section 2.3
and deregister this instance with infrastructure host as explained in Section 2.4
4. If it fails to deregister this instance with infrastructure host, then deregister this instance with infrastructure host as explained in
Section 2.4
2.1.2: Non Interactive Mode
8/10/2010
Page 31 of 42
-script=SetSSOReg \
-deregister=yes \
-appspass=APPS \
[-ldaphost=ap6013atg \]
[-ldapport=13061 \]
[-svcname=[s_dbSid] ]

Purpose of all the optional arguments explained in Section 1.1.2: Purpose of optional arguments
Note: appname, svcname should be provided if provided at the time of registration.
Section 2.2: Deregister OID

-script=SetSSOReg \
-deregisteroid=yes

[ Enter LDAP Host name ? ap6013atg.us.oracle.com ]
[ Enter the LDAP Port on Oracle Internet Directory server ? 13061 ]

8/10/2010
Page 32 of 42
It deletes the provisioning.

Deregisters this instance with OID Server.
Note: Prompts for ldaphost and ldapport if those are not existing in the database as fnd user preferences.

-script=SetSSOReg \
-deregisteroid=yes \
-appspass=APPS \
[-ldaphost=ap6013atg \]
[-ldapport=13061 \]
[-svcname=[s_dbSid] \]
Section 2.3: Deregister OSSO

-script=SetSSOReg \
-deregistersso=yes


Deregisters this instance with OSSO Server. User needs to restart the services.
8/10/2010
Page 33 of 42
-script=SetSSOReg \
-deregistersso=yes \
-appspass=APPS
Section 2.4: Deregister Instance

-script=SetSSOReg \
-deregisterinstance=yes


It deregisters this instance with infrastructure host.

-script=SetSSOReg \
-deregisterinstance=yes \
-oidadminuserpass=manager2
-appspass=APPS

The purpose of all of the optional arguments is explained in Section 1.1.2: Purpose of optional arguments
8/10/2010
Page 34 of 42
Section 3: Remove References

OSSO-OID Registration stores a set of preferences on E-Business Database. If E-Business Instance is cloned from OSSO/OID Registered E-Business
Instance, cloned environment has same preferences as the source environment and throws errors while OSSO/OID Registration. So following command
should be called in post cloning phase or before proceeding for OSSO/OID Registration to remove all the preferences or settings from cloned
environments.
3.1 Interactive Mode

-script=SetSSOReg \
-removereferences=Yes

It removes the Oracle Home Instance preferences, OSSO Preferences and Site level profiles, and OID preferences from E-Business
Database.
3.2. Non Interactive Mode

-script=SetSSOReg \
-removereferences=yes \
-appspass=APPS
Section 4: Provisioning
There are four types of provisioning provided by the registration utility. These provisioning can be later customized to suit your needs.
4.1 BiDirectional Provisioning (-provisiontype=1)
8/10/2010
Page 35 of 42
This is set by "-provisiontype=1" command line argument during OID registration. This is the default provisioning type set by the
registration utility.
4.2 InBound Provisioning

This is set by "-provisiontype=2" command line argument during OID registration.
4.3 OutBound Provisioning

4.4. BiDiNoCreation Provisioning

4.5 Customizing Provisioning

If there is a need to customize the provisioning settings, then "oidprovtool" utility can be used to modify the existing
provisioning. You must ensure that OID registration must have completed successfully before you can modify the provisioning.
4.5.1 Determine from where you want to run "oidprovtool"

"oidprovtool" can be used from E-Business Suite RDBMS Oracle Home. Source the environment file under
RDBMS ORACLE_HOME.
OR
"oidprovtool" can be used from Infrastructure Oracle Home. Set the environment ensuring ORACLE_HOME is set
and ORACLE_HOME/bin is in PATH.
4.5.2 Ensure that provisioning is present in the OID before modification

See Oracle Metalink Note 295606.1, Section 6.12 "List Provisioning profiles" how to list provisioning profiles
4.5.3 Modify Provisioning Profile Using "oidprovtool"

The syntax for "oidprovtool" can be found in the "Oracle? Identity Management User Reference" guide. For
example the 10gR2 the guide is available at the following location.
8/10/2010
Page 36 of 42
Choose "profile_mode" from the following table:

If Provisioning Type is
Then profile_mode is
BOTH
INBOUND
OUTBOUND
BOTH
Here is an "example" to change an "INBOUND" or provisioning_type=2 type profile and realm is

"dc=us,dc=oracle,dc=com".
$ORACLE_HOME/bin/oidprovtool \
operation=modify \
ldap_host=[LDAP_HOST] ldap_port=[LDAP_PORT] \
ldap_user_dn="cn=orcladmin" ldap_user_password=[ORCLADMIN PASS] \
profile_mode=INBOUND \
application_dn=orclApplicationCommonName=[SID OF YOUR DB or
appName],cn=EBusiness,cn=Products, cn=OracleContext, dc=us, dc=oracle, dc=com \
event_permitted_operations="IDENTITY:dc=us,dc=oracle,dc=com:ADD
(cn,sn,mail,userpassword,description, facsimiletelephonenumber,
orclactivestartdate,orclactiveenddate, orclisenabled, telephonenumber, street, postalcode,
physicaldeliveryofficename, ou, st,l, displayname, employeenumber,employeetype, givenname,
homephone, manager, o,uid,c,postaladdress, title )" \
event_permitted_operations="SUBSCRIPTION:dc=us,dc=oracle,dc=com:ADD(*)" \
event_mapping_rules=FND::cn=users,dc=us,dc=oracle,dc=com \
event_mapping_rules=HR::cn=users,dc=us,dc=oracle,dc=com \
event_mapping_rules=TCA::cn=users,dc=us,dc=oracle,dc=com
4.5.4: Execute the step in 4.5.2 to ensure that provisioning has been modified as per the command.
Section 5: Troubleshooting Tips

1. Note that "ldap" utilities e.g. "ldapsearch", "ldapbind" are not available in the 10.1.3 Oracle Home. You can use those utilities from the RDBMS
Oracle Home or Infrastructure Oracle Home.
2. See the "$ORA_CONFIG_HOME/10.1.3/config/ias.properties" has the following properties defined correctly.
8/10/2010
Page 37 of 42
OIDhost=[Host of the OID Server]

OIDport=[LDAP port for OID Server]
OIDsslport=[SSL LDAP port for OID Server]
IASname=[Instance name]
IASpassword=[Encrypted String automatically generated during registration]
If the above properties are missing then the ORACLE_HOME has not been registered.
3. If registering for OSSO, verify that [ORA_CONFIG_HOME]/10.1.3/Apache/Apache/conf/httpd.conf has the directive to include "mod_osso.conf" is
uncommented.
4. Ensure that the DBC file has been generated correctly under $FND_SECURE directory.
5. Additional Notes in Oracle MetaLink Note 295606.1
Appendix B: Product-Specific OSSO Exceptions

Product ID
Product Name
229
Oracle Marketing
937
Oracle iLearning (Standalone)
OSSO Exception
Comments
Yes
While scripting components of Marketing do not use

OSSO, other components can do so.
Yes
Oracle iLearning is a standalone product and is not

part of E-Business Suite. It is not OSSO Compliant.
Oracle Learning Management is part of the EBusiness Suite and is certified with OSSO.
1129
Oracle Mobile Supply chain Application
Yes
OSSO does not support authentication using anything

but browsers. There is no API to validate users for
client/server style applications. Locally managed users
is a workaround for this issue.
1293
Oracle Projects
Yes
The Oracle Projects API login is not OSSO

compatible. The Application OSSO Login Types must
be set to 'Local' for Public API users.
1009
Oracle Sales Offline
Yes
Sales Offline requires the Application OSSO Login

Types to be set to 'Local' for users. This is
documented in "Oracle Sales Offline Implementation
Guide Release 12.1 Part No. E13565-02"
385
Oracle Warehouse Management
Yes
OSSO does not support authentication using anything

but browsers. There is no API to validate users for
8/10/2010
Page 38 of 42
client/server style applications. Locally managed users

is a workaround for this issue.
1193
Oracle iRecruitment
Yes
Application OSSO Login Types must be set to 'Local'

for users.
174
Oracle Workflow
Yes
If sign-on functionality is implemented for your site

through Oracle Internet Directory, and you want to use
password-based signatures, you must set the
Applications SSO Login Types profile option to either
Local or Both at user level for all users who need to
enter password-based signatures, and ensure that
these users have valid passwords defined in Oracle
Application Object Library.
757
Oracle XML Gateway
Yes
Application OSSO Login Types must be set to 'Local'

for users.
Appendix C: Known Issues

Bug No.
Problem
Workaround
1) Connect to DB using APPS schema user
9151196
7704258
Getting error while creating new user in Oracle E-Business suite Release
12 after enabling OSSO
Passwords are not properly synchronized between E-Business Suite and

OID
Applies only to 12.0.x:

5765834
If you are trying to integrate an Oracle E-Business Suite Release 12 Vision

instance created by Rapid Install with Oracle Single Sign-On or Oracle
Internet Directory of Oracle AS 10g, following error will be displayed by the
registration utility:
2) Run fnd_oid_plug.setPlugin as shown below:

SQL> execute fnd_oid_plug.setPlugin
(default_user_repository
=>'cn=Users,dc=us,dc=oracle,dc=com');
This issue is fixed in 12.1.1
Run the following command only once before performing

the OSSO or OID registration to remove the invalid
registration settings:
txkrun.pl -script=SetSSOReg \-removereferences=Yes
8/10/2010
Page 39 of 42
la4008
6058405
Registering two applications with same sid is not supported on 10.1.4.0.1

IDM
NA
5440880
OSSO Partner application registration script create duplicate partner

application, even if partner application with same name already exists
Remove already existing partner application manually

using /pls/orasso
5765693
"SSO Setup Tests" under SSO Diagnostics fails with errors ie. "/AppsLogin
NA
MUST be mapped to java.lang.Class"
5855635
(IBM/AIX 5L)
AIX customers on base Release 12, OID registration will fail with below
exception:
Apply patch 5855635
java.lang.UnsatisfiedLinkError: jmisc (A file or directory in the path name
does not exist.)
Change Log
Date
Description
Jan 24, 2007
Initial document creation
Feb 23, 2007
Updated AIX platform requirement and patch detail.
8/10/2010
Page 40 of 42
*Corrected 'Oracle Workflow' link to point it to note: "396314.1 - Oracle Workflow Documentation Resources, Release 12".
*Modified link under "Integration with Third-Party Access Management Systems and LDAP Directories", as it was incorrect, to
"http://download-west.oracle.com/docs/cd/B28196_01/idmanage.1014/b15988/tpsso.htm#Integration"
July 23, 2007
July 23, 2007
Modified table under Under "Section 3: Components and Supported Versions, Section 3.1, Oracle Application Server 10g Enterprise
Edition"
July 23, 2007
Under Section 5: Pre-Install Tasks:

*Modified section title to "Pre-Install Task 2: Install OracleAS Identity Management Infrastructure 10g (10.1.4.0.1)" and matter below
it,
*Added section "Pre-Install Task 3:Upgrade OracleAS 10g Infrastructure (10.1.2.0.2) to Oracle IDM 10g (10.1.4.0.1)"
*Removed "Pre-Install Task 2, Step 5, as it is only IDM Installation"
Under "Section 6: Implement Oracle Single Sign-On Support For the E-Business Suite":
*OSSO Task 2, Step 2: Compile Parameter Checklist
July 23, 2007
Added following comment: (w/a for bug 5999577)

"IMP: For Non-Colocated Infrastructure, ie. if ldaphost is different from infradbhost, pass value of ldaphost instead of infradb host for
this parameter",
For:
Parameter "Hostname of Oracle Application Server Infrastructure database {mandatory}"
* OSSO Task 2, Step 5: Run the Registration script, Parameter Prompts:
Corrected:
From: "Enter LDAP Host name ? ap6013atg.us.oracle.com"
To: Enter the host name where Oracle iAS Infrastructure database is installed ? ap6013atg.us.oracle.com
*Added "OSSO Task 2, Step 8: Run Autoconfig"
July 23, 2007
Removed notebox under "Appendix A: Advanced Configuration - Manual OSSO/OID Registration, Section 2: Deregistration", as bug
5754706 is already fixed.
July 23, 2007
Added bugs 5999577, 6058405 and 5440880 as Known issues with w/a wherever available.
8/10/2010
Page 41 of 42
Aug 08, 2007
Removed Option C for "Supported Architectures and Configurations, 8. What the user sees after sign-on"
Oct 10, 2007
Added patch 6198537 details for "OEL4.0 PLATFORM", under Section 5, Pre-Install Task 2, Step 1.
Oct 10, 2007
Modified Section 3, 3.1- For Discoverer component version.
Nov 14, 2007
Added ldaphost parameter details under following sections:

1. Section 6, OSSO Task 2, Step 2: Compile Parameter Checklist
2. Appendix A, Section 1.1.2
3. Appendix A, Section 1.2.2
Jan 03, 2008
Added 10.1.4.2 patchset information as Pre-Install Task 4 in Section 5
Aug 28, 2008
Modified Section 3, 3.1- For AS components latest certified versions
Aug 28, 2008
Added Section "Pre-Install Task 4: Apply the latest certified Application Server Patchset" under "Section 5: Pre-Install Tasks" to
provide information about all certified patchsets
Jan 23, 2009
Removed all references of provisioning templates from note
Mar 06, 2009
Added bug 7362662 with w/a under 'Known Issues'
Apr 30, 2009
Added 12.1.1 release related details
Oct 06, 2009
Added column 'One-off Patch details (if any)' in table under "Section 5, Pre-Install Task 4: Apply the latest certified Application Server
Patchset"
Added information about patch 8811442
Nov 30, 2009
Updated known issues section with Bug#9151196.
Jan 15, 2010
Added 'Appendix B - Product-Specific OSSO Exceptions'

Added details about bug 5765693 and 8773543
Note 376811.1 by Oracle E-Business Suite Development

Copyright 2007 Oracle Corporation
Last updated : January 29, 2010
Related
Products
8/10/2010
Page 42 of 42
Oracle E-Business Suite > Applications Technology > Technology Components > Oracle Applications Technology Stack
Keywords
JAVA.LANG.UNSATISFIEDLINKERROR; UPGRADE TO 10.1.4.0.1
Back to top
8/10/2010

R12 Singel Sign On

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

R12 Singel Sign On

Uploaded by

Copyright:

Available Formats

Integrating Oracle E-Business Suite Release 12 with Oracle Internet Directory and Oracle Single Sign-On

Mono space text

Represents command line text. Type this text exactly as shown.

value for the variable text. Do not type the brackets.

Application tier context file:

Important Directory Locations

The ORACLE_HOME where your applications database is installed. The default

The ORACLE_HOME where 10.1.3.0 or your HTTP Server is installed. The

ORACLE_HOME installed by Oracle Applications on Application Tier used for

ORACLE_HOME installed by Oracle Applications on Application Tier used for

Product: "Oracle Applications Technology Stack"

Oracle Single Sign-On (OSSO) 10g

Oracle Portal 10g

These services may run:

These services may not run:

Section 2: Features and Supported Architectures

Integration with Third-Party Access Management Systems and LDAP Directories

Supported Architectures and Configurations

OSSO and OID only

2. Location of Oracle Application Server 10g Enterprise Edition install

3. Users are authenticated by

4. Master source-of-truth for user information

5. Direction of synchronization of user information with third-party user repository

6. Method for initial population of user information in OID and Release 12

From Release 12 to OID

7. Method for ongoing updates to user information

From Release 12 to OID

8. What the user sees after sign-on

9. Other supported options

A. Allow user to associate OID account with multiple Release 12 accounts

Section 3: Components and Supported Versions

Oracle E-Business Suite Release 12

Oracle 10g Application Server

Oracle 10g Application Server

Oracle Developer 10g (includes Oracle Forms)

Oracle Application Server 10g Enterprise Edition

Oracle Single Sign-On 10g

Oracle Internet Directory 10g

Oracle Portal 10g (optional)

Oracle Web Cache 10g (optional)

Oracle Discoverer 10g (optional)

Section 4: Before You Begin

From the Oracle Store or the Oracle Technology Network :

CD Pack for Oracle Application Server 10g Release 2 Enterprise Edition

From Oracle MetaLink:

Oracle Applications Concepts, Release 12 (Part No. B31450-03)

Section 5: Pre-Install Tasks

Pre-Install Task 2: Install OracleAS Identity Management Infrastructure 10g (10.1.4.0.1)

Pre-Install Task 2, Step 1:

Note for OEL4.0 PLATFORM:

Pre-Install Task 2, Step 2:

Pre-Install Task 2, Step 3:

Pre-Install Task 2, Step 4:

"Metadata Repository" option of the OracleAS Infrastructure 10g 10.1.4.0.1 Installation.

Pre-Install Task 3, Step 2:

Pre-Install Task 4: Apply the latest certified Application Server Patchset

Oracle Identity Management 10g Release 3 Patch Set 1 (10.1.4.2)

Oracle Identity Management 10g Release 3 Patch Set 2 (10.1.4.3)

Pre-Install Task 5: Apply patch 6652745 (Windows Platform Only)

Pre-Install Task 6: Apply patch 7362662

Pre-Install Task 7: Test your Oracle Application Server 10g environment

Start Oracle Internet Directory Delegated Administration Services by going to:

Log in using the orcladmin userid