I feel I took a long break here, but anyway, I am back. In this section I would like to highlight some important things that we have to take care of before moving to the implementation phase.
1. Understand the current Active Directory DIT (Directory Information Tree). This will help you in bulk load.
2. Get the information for AD Servers.
3. Get Read Only access to AD Servers.
4. Check that Kerberos services are running on the server where you want to install it. It generally runs on port 88.
5. Make sure you have a fully qualified domain name entry added in /etc/hosts, like the one below:
100.2.70.234 hostname.domainname.com hostname
6. DO NOT IMPORT FND_USERS into OID.
Once you have the above information, we are ready for installation.
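The /etc/hosts check from the list above can be scripted before the installer is started. This is an added example, not part of the original post; the function name check_hosts_entry and the temporary sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify that a hosts file carries an entry in the layout
#   <ip> <fully.qualified.name> <shortname>
# check_hosts_entry <hosts-file> <fqdn>
# Prints: ok | missing | alias-first | no-short-alias | not-fqdn
check_hosts_entry() {
    case "$2" in
        *.*) ;;                                  # has a domain part
        *) echo not-fqdn; return 0 ;;
    esac
    awk -v fqdn="$2" '
        BEGIN { short = fqdn; sub(/\..*/, "", short); result = "missing" }
        { sub(/#.*/, "") }                       # strip comments
        NF < 2 { next }                          # blank or address-only line
        {
            pos = 0; has_short = 0
            for (i = 2; i <= NF; i++) {
                if (tolower($i) == tolower(fqdn))  pos = i
                if (tolower($i) == tolower(short)) has_short = 1
            }
            if (pos == 0) next                   # line is about another host
            if (pos != 2)        result = "alias-first"    # short name listed before FQDN
            else if (!has_short) result = "no-short-alias"
            else { result = "ok"; exit }
        }
        END { print result }
    ' "$1"
}

# Constructed sample file using the entry format shown in the post.
sample=$(mktemp)
printf '%s\n' '127.0.0.1 localhost' \
    '100.2.70.234 hostname.domainname.com hostname' > "$sample"
check_hosts_entry "$sample" hostname.domainname.com
```

On the real server, pass /etc/hosts and the machine's own fully qualified name instead of the sample file.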
Happy Troubleshooting !!!
Tuesday, July 29, 2008
Monday, July 21, 2008
Oracle 10g SSO Integration with E-Biz 11.5.10.2 - Planning-2
I had to break off my earlier post to explain an important part of the planning phase: deciding how we are going to manage users, or what we call User Management. Again, I want to make it clear that these details are based on our setup:
-----------------------------------------------------------------------------------
There are existing users in Active Directory and user accounts in Oracle E-Business Suite Rel11i installation. Users in Active Directory that access Oracle E-Business Suite Rel11i will need to exist in Oracle Internet Directory.
The process of provisioning users to Active Directory and Oracle E-Business Application Suite is already in place in our setup. With Oracle Single Sign-On integration planned, the provisioning process will remain the same. The diagram below shows Active Directory, Oracle Internet Directory and Oracle E-Business Suite and the provisioning and synchronization between the two directories.
-----------------------------------------------------------------------------------
A user account will be created in Active Directory. The user account will be migrated to Oracle Internet Directory. A user account will need to be created in Oracle E-Business Application Suite using the user enrollment method. Minimal information from the user account in Active Directory will be unidirectionally migrated from Active Directory to Oracle Internet Directory.
The Oracle Internet Directory and Oracle E-Business suite accounts are linked via the auto-link feature.
Now we will move to another section or phase of this document. I will take a break for a while and will come back again with the development phase.
Happy Troubleshooting !!!
Oracle 10g SSO Integration with E-Biz 11.5.10.2 - Planning
As I have mentioned earlier in my blog regarding our SSO setup, today I am putting it in this blog so that whoever is planning to set up the same in their environment will benefit from it. I am going to split my document into a few stages; one of them is planning, which I am going to describe in this post. This phase will help you understand what is required in your setup and how to achieve it. I am going to take the example of my setup and requirement; it is possible that you require this setup too, but it will definitely not be the same for all of you.
-----------------------------------------------------------------------------------
The following is our requirement:
Integrate existing Oracle E-Business Suite Rel11i replacing existing Netegrity Siteminder as the authentication mechanism. Netegrity Siteminder uses enterprise Active Directory as the user directory. Install and configure Oracle10g Identity Management (10.1.4.0.1) to replace the Netegrity Siteminder as the authentication mechanism.
· Use Oracle10g Identity Management to provide Windows Native Authentication for a seamless user experience, and propagate the Windows-authenticated user identity to Oracle10g Single Sign-On using the Kerberos protocol.
· Use the Oracle10g Identity Management external authentication plug-in as the fallback mechanism for non-Kerberos-capable browsers authenticating to Oracle E-Business Suite Rel 11i applications.
-----------------------------------------------------------------------------------
To achieve the Oracle10g Single Sign-On integration the following activities need to be done:
1. Install Oracle10g Identity Management (10.1.4.0.1) server co-located with Identity MR database or distributed components.
2. Configure Oracle E-Business Suite Rel 11i using Metalink Note 233436.1 Section 6 “Implement Single Sign-On Support For the E-Business Suite”. This step configures Oracle E-Business to delegate authentication to Oracle10g Single Sign-On.
3. Bulk migrate / Synchronize minimal user information from enterprise Active Directory to Oracle Internet Directory using Oracle Directory Integration Platform (DIP).
4. Existing accounts in Active Directory and in Oracle E-Business Suite Rel 11i will need to have their FND_USERS.USER_GUID column values set to null. Enable the “Application SSO Auto Link User” or ‘link-on-the-fly’ feature to link the OID user identity with Oracle E-Business Suite Rel11i user account.
-----------------------------------------------------------------------------------
Now you might be wondering what is meant by User Account Auto-Link. Here you go:
1. In the single sign-on handshake between Oracle Single Sign-On and Oracle E-Business Suite, Oracle Single Sign-On returns the GUID of the authenticated user to Oracle E-Business Suite Release 11i.
2. Oracle E-Business Suite Release 11i uses the GUID to try to locate the user’s Oracle E-Business Suite Release 11i application account.
3. If the user is trying to access Oracle E-Business Suite Release 11i for the first time, the FND_USERS.USER_GUID column value is null. No application account will be found.
4. When “Application SSO Auto Link User” is set to “Y”, Oracle E-Business Suite Release 11i will try to locate the user by the account name. If successful, it will link the two accounts by GUID. If not successful, it will redirect the user to the “Account Link” page to provide a username to associate.
-----------------------------------------------------------------------------------
Continue ........
iRec Resume Parsing issue - SSL Handshake Error
You might be wondering where I went for so many days with no update in the blog. We were busy with the 10gR2 database upgrade for some of our instances and other issues, like getting an error whenever we tried to upload a resume via iRec Job Search. Our Jserve.log shows this (after setting debug):
=======================================
javax.net.ssl.SSLException: SSL handshake failed: X509CertChainIncompleteErr
at oracle.security.ssl.OracleSSLSocketImpl.startHandshake(Native Method)
at oracle.security.ssl.OracleSSLSocketImpl.startHandshake(OracleSSLSocketImpl.java)
at HTTPClient.HTTPConnection.getSSLSocket(HTTPConnection.java:1969)
at HTTPClient.HTTPConnection.sendRequest(HTTPConnection.java:2938)
at HTTPClient.HTTPConnection.handleRequest(HTTPConnection.java:2150)
at HTTPClient.HTTPConnection.setupRequest(HTTPConnection.java:3561)
at HTTPClient.HTTPConnection.ExtensionMethod(HTTPConnection.java:1570)
at HTTPClient.HttpURLConnection.connect(HttpURLConnection.java:758)
at HTTPClient.HttpURLConnection.getInputStream(HttpURLConnection.java:477)
=======================================
We did the following to resolve this issue:
1. FTP'd server.crt to an end-user workstation.
2. Opened server.crt in MSIE.
3. Exported each level as an X.509 certificate.
==> Upper line = server1.cer
==> 2nd line = server2.cer
==> 3rd line = server3.cer
4. FTP'd (binary mode) server3.cer, server2.cer and server1.cer back to the middle tier, into the $COMMON_TOP/admin/certs/apache/verisign directory.
5. touch ca.crt
6. cat server3.cer server2.cer server1.cer >> ca.crt
7. Copied ca-bundle.crt from $IAS_ORACLE_HOME/Apache/Apache/conf/ssl.crt to $COMMON_TOP/admin/certs/apache/ssl.crt
8. Copied ca.crt and server.crt from $COMMON_TOP/admin/certs/apache/verisign to $COMMON_TOP/admin/certs/apache/ssl.crt
9. Verified the date on server.key in the ssl.key directory.
10. Bounced Apache (adapcctl.sh stop, then start).
11. Tested resume upload: success.
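The ca.crt assembled in steps 3 to 6 can be checked against server.crt with openssl before Apache is bounced. This is an added example, not part of the original post: to_pem, chain_status and make_demo_chain are hypothetical helper names, the certificates are a constructed throwaway chain, and it assumes the "upper line" in the MSIE certificate path is the root.

```shell
#!/bin/sh
# Added example, not from the post. Assumes the openssl CLI is installed.

# to_pem <cert>: print the certificate as PEM, whether MSIE exported it as
# "DER encoded binary" or "Base-64 encoded" X.509 (a plain cat of DER files
# does not produce a usable PEM bundle).
to_pem() {
    openssl x509 -in "$1" -outform PEM 2>/dev/null ||
        openssl x509 -inform DER -in "$1" -outform PEM
}

# chain_status <ca-bundle> <server-cert>: "complete" when every issuer up to
# the self-signed root is present in the bundle, otherwise "incomplete".
chain_status() {
    if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
    then echo complete
    else echo incomplete
    fi
}

# make_demo_chain <dir>: constructed chain standing in for the real exports.
#   server1.cer = root (assumed "upper line"), server2.cer = intermediate,
#   server.crt  = the server certificate issued by the intermediate.
make_demo_chain() {
    d=$1
    echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
    for n in root int server; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/server1.cer" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/server1.cer" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/server2.cer" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/server2.cer" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/server.crt" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_chain "$demo"
to_pem "$demo/server1.cer" > "$demo/root-only.crt"     # intermediate left out
{ to_pem "$demo/server2.cer"; to_pem "$demo/server1.cer"; } > "$demo/ca.crt"
echo "root only:           $(chain_status "$demo/root-only.crt" "$demo/server.crt")"
echo "root + intermediate: $(chain_status "$demo/ca.crt" "$demo/server.crt")"
```

The root-only bundle reproduces the incomplete-chain condition; with the real files, run chain_status on the assembled ca.crt and server.crt in the verisign directory.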
Happy Troubleshooting !!!
Wednesday, July 2, 2008
Oracle By Example (OBE)
I have been using this site for quite some time now and thought of sharing it with everyone who wants to learn Oracle products with examples. It really helps to understand a product and its features through hands-on examples with case studies. Here is the site address:
http://www.oracle.com/technology/obe/start/index.html
Happy Troubleshooting !!!