Friday, September 29, 2006

Security Experts Worried Over Computer Crime Laws

Here is an interesting article from CIO.com

Moves by several European countries to tighten laws against computer hacking worry security professionals who often use the same tools as hackers but for legitimate purposes.

The United Kingdom and Germany are among the countries that are considering revisions to their computer crime laws in line with the 2001 Convention on Cybercrime, a Europe-wide treaty, and with a similar European Union measure passed in early 2005.

But security professionals are scrutinizing those revisions out of concern for how prosecutors and judges could apply the laws. Security professionals are especially concerned about cases where the revisions apply to programs that could be used for bad or good. Companies often use hacking programs to test the mettle of their own systems.

"One useful utility in the wrong hands is a potentially malicious hacking tool," said Graham Cluley, senior technology consultant at Sophos in Abingdon, England.

In the United Kingdom, legislators are debating amendments to the Computer Misuse Act (CMA) of 1990. The proposed revisions would make it illegal to create or supply a tool to someone who intends to use it for unauthorized computer access or modification.

Likewise, the proposed changes to German law would also criminalize making and distributing hacking tools. The German government said the changes will bring it into compliance with the 2001 Convention on Cybercrime.

Several German security companies are planning to lobby against the law, as they fear it could hamper those who test security systems, said Alexander Kornbrust, founder and chief executive officer of Red-Database-Security in Neunkirchen, Germany. For example, tools to check the strength of passwords, often freely distributed, could also be used by malicious hackers, he said.

"The security community is very unhappy with this approach," Kornbrust said. "The concern is that the usage and possession of so-called hacker tools will become illegal."

The United Kingdom and Germany are trying to align their laws with Article 6 of the convention, which bans the creation of computer programs for the purpose of committing cybercrime.

So far, 43 countries have signed the convention, which indicates their willingness to revise their laws to comply. Fifteen have ratified the convention. After a country changes its laws, it can ratify the convention and put it into force.

The convention does not mandate a deadline for when countries must comply, and the process of changing laws can be lengthy depending on the country, said Margaret Killerby, head of the European Committee on Crime Problems, which tracks implementation of the convention.

But the goal is for Europe—and other countries, such as the United States, which also said it will implement the convention soon—to mount a consistent defense against computer criminals, given the transnational nature of computer crime, Killerby said.

A key point of the convention requires countries to have a law enforcement contact available at all times to assist foreign authorities in obtaining electronic evidence, which can disappear quickly without quick moves by law enforcement.

"What we want to have is an institution to allow states to cooperate with each other as rapidly as possible," she said.

Those requirements are devoid of controversy. Individual countries can draft their own customized legislation to comply with the convention, which can be used as a checklist, Killerby said. The council has provided assistance to countries in central and eastern Europe in creating computer crime laws where none was on the books, Killerby said.

Countries with existing laws will have to find a medium that satisfies their own legal requirements and the convention. In the United Kingdom, the House of Lords is scheduled next month to debate changes in the part of the CMA concerning creation and distribution of hacking tools.

The proposed revision to the CMA says a person is guilty of an offense if he makes or supplies something intending it to be used to commit an offense or "believing that it is likely to be so used."

But officials are confident that the wording can be smoothed. The controversy could be dampened merely by changing "likely" to "primarily," which could "make sure we don’t catch the legitimate penetration testers," said Merlin Erroll, a lord who sits on the All Party Parliamentary Internet Group, during a recent presentation in London.

-Jeremy Kirk, IDG News Service (London Burea

Tuesday, September 26, 2006

Zero Faith in Zero Defects

E-Week ran an interesting story on Oracle’s Fusion Applications. Among other things, the story broke the news that Oracle has instituted a zero-defect policy for the first release of the Fusion Applications. I personally got a bit of a chuckle over the zero-defect policy. Based on experience, I have zero faith in zero defects - especially for an initial release.

Zero defects is a very worthwhile and commendable goal, but one practically impossible to obtain. The nearer a project comes to delivery, the more pressure is applied to compromise on the zero defects goal. As any project manager worth his or her salt will tell you, the key issue in project management is balancing the classic triple constraint: cost, schedule and quality. Choosing an absolute standard for any one of these constraints will increase the value of the other two. In the case of zero defects, costs increase and the schedule grows longer.

Now couple a zero-defect policy with the promise that the Fusion Applications will be released in 2008. We now have some absolute boundaries on not one, but two constraints: zero defects delivered by the end of 2008. Assuming that the quality and schedule constraints can both be obtained (and I’m only conceding this point for the moment), that leaves us “wiggle room” with only one constraint - cost. Simply put, hitting both the schedule and quality goal will likely cost some pretty big piles of cash. Hmmm, saving cash versus software quality…which concern do you think will take priority?

What usually happens is that, as the project comes close to the budgeted cost ceiling and the delivery day draws near, the decision is typically made to compromise on the zero-defects goal rather than exceed the budget and deliver late (for additional references on this trade-off, recall the early versions of the 11i E-Business Suite). I anticipate that the same trade-off will be made here, probably sometime in early 2008.

A zero-defects policy is a wonderful goal early in any development project. And I’ll tip my hat to anyone delivering a perfect initial release within budget and on schedule. However, experience indicates that software quality will usually lose out to cost and schedule. Do I expect the first release of Fusion Applications to be of higher quality than the early releases of the 11i E-Business Suite? Reading John Wookey’s words from that E-Week article, he sounds pretty serious about quality, so I’d say “yes”. However, any customer expecting zero defects should prepare for disappointment.

The Importance of Being 12

With apologies to Oscar Wilde for the title of this post, may I take a moment to consider the importance of Oracle E-Business Suite Release 12? R12 is due for release in the last quarter of 2006. As more information becomes available, each Oracle customer will have to decide for themselves whether or not a move to R12 has value for them. Some of us may opt to stick with what we have until the Fusion Applications picture becomes clear. Some will see value in R12 and make the leap in relatively short order. Others may move to another product line (or apps vendor) altogether. Regardless of our individual choices, R12 is important to everyone in the applications market space (including those who are not Oracle customers) because it’s an important step in the progress to achieving Oracle’s ambitious vision for Fusion Applications.

Please don’t misconstrue my meaning: R12 has importance, at least for Oracle E-Business customers, for reasons other than Fusion. R12 has 12 new application modules and over 2,300 new features, including the SWAN user interface, sub ledger accounting, new HRMS localizations, improved support for APAC manufacturing practices, Retek integration, and several new industry-specific business flows. Discounting R12 without seriously considering whether it holds significant value for your organization would be foolish, and I don’t mean to do so here. But my contention is that Release 12 represents a significant proof-point in the Fusion Applications evolution, and that the importance to Fusion is R12’s most essential feature.

R12 will be the first complete E-Business Suite release on Fusion middleware. This is the next step in a series of iterations toward Fusion applications technology that started with the Early Adopter Program for integration of 11i with the 9i Applications Server. While R12 is definitely not a Fusion Applications release, delivery of a high-quality E-Business Suite release on Fusion middleware will constitute a major milestone on the road to Fusion Applications.

E-Business Suite customers are about to find out just how well and reliably Fusion technology works with our apps environment, and the entire applications space is about to discover just how much progress Oracle has made in integrating all the moving pieces of this giant and complex technical puzzle. In other words, the rubber is about to meet the road…it should be an interesting drive!

OAUG Successfully Completed First Ever Enhancement Request Voting Cycle

The OAUG Enhancement Request System (ERS) completed its first ever full voting cycle. Users submitted enhancement requests for over 400 Oracle Applications products, including Oracle E-Business Suite, PeopleSoft and Oracle Retail. Ultimately, the system collected over 1,100 submissions for this voting cycle. When voting concluded at the end of July, over 6,200 total votes had been cast.

Thank you to those OAUG members who took the time to vote. The results are currently being compiled in preparation to being shared with SIG coordinators, specific Oracle representatives and the International Oracle User Council (IOUC). Any formal responses received from Oracle regarding individual enhancements will be loaded back into the ERS.

The OAUG is currently evaluating the input received from SIGs and OAUG members regarding the submission, evaluation and voting processes to identify opportunities for improvement. Once this input has been analyzed and feedback has been received from Oracle, the OAUG will work with the SIGs to develop a timeline for the next voting cycle.

If you missed this voting cycle and wish to submit enhancements for the next voting cycle, login to the Enhancement Request System to submit your enhancements. If you have any questions about the ERS or ideas for improving the process, please contact the OAUG by e-mailing at enhancements@oaug.org.

Friday, September 22, 2006

Oracle 10g Higher Availability using Data Guard

One of a DBA's biggest responsibilities is to keep the database as close to 100% available as possible and to reduce unplanned downtime. Oracle Data Guard is one of the most effective and comprehensive data availability, data protection and disaster recovery solutions available today.

Overview:
Database sizes grow dramatically every day, and critical business systems require 24x7 uptime. Unplanned downtime is the dangerous case: data can be lost or corrupted, and restoring a large database from backup can take hours, even days. To minimize downtime and avoid data loss, we need a standby database that can take over the role of the primary in a timely fashion. This is where Data Guard comes in: it maintains standby databases as transactionally consistent copies of the production database.

In short, Oracle Data Guard is the management, monitoring and automation software infrastructure that creates, maintains and monitors one or more standby databases to protect enterprise data from failures, disasters, errors and corruptions.


Data Guard Functional Components:
So here we will discuss what is needed to get Data Guard working.

a) Data Guard Configuration - A Data Guard configuration consists of one production (or primary) database and up to nine standby databases.

b) Redo Apply and SQL Apply - Standbys are created from the primary, so we need a mechanism to keep them in step with it: the primary's redo is shipped to each standby and applied there.

Data Guard provides two methods to apply this redo data to the standby database :

* Redo Apply, used for physical standby databases
* SQL Apply, used for logical standby databases

c) Role Management - Using Data Guard, the role of a database can be switched from primary to standby and vice versa with minimal downtime. There are two kinds of role transitions: a switchover and a failover.

Switchover - A planned, reversible swap of roles between the primary and a standby, with no data loss. This is used for planned maintenance, especially patching and upgrades.

Failover - A disaster recovery measure, used when the primary is down. A standby becomes the new primary; whether any data is lost depends on the protection mode in use (see below).


d) Types of standby - There are two kinds of standby databases:

Physical Standby - A block-for-block replica of the primary database. The database schema, including indexes, is identical, and the standby is kept current with Redo Apply.

Logical Standby - Contains the same logical information as the primary but is not a physical copy: redo is converted into SQL statements and applied with SQL Apply, so the standby is open and can be used as a separate database for reporting and similar work.


e) Data Guard Protection Modes

Maximum Protection - Also called no-data-loss mode: a transaction does not commit until its redo has been written to the standby redo log of at least one standby (received, not necessarily applied yet). The trade-off is that if no standby is reachable, the primary shuts down rather than commit unprotected redo.

Maximum Availability - Behaves like maximum protection while a standby is reachable. The only difference is what happens when none is: the primary does not shut down. It keeps committing, temporarily accepting some data-loss exposure, and resynchronizes the standby once it is back up.

Maximum Performance - Redo is shipped asynchronously (by the archiver, or by LGWR in asynchronous mode), so the commit on the primary does not wait for the standby to acknowledge receipt. This gives the best primary performance at the cost of some data-loss exposure on failover.
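To make the three trade-offs concrete, here is an added toy model (not Oracle code) of what the redo transport does at commit time in each mode, including the failure case the text describes: the only standby becomes unreachable. The class names, method names and transaction labels are invented for the illustration, and "shipping" is simulated in-process.

```python
"""Commit behaviour under the three Data Guard protection modes.

Added illustration, not Oracle code: a toy primary/standby pair that imitates
what the redo transport does at commit time and what happens when the only
synchronous standby becomes unreachable.  All names are invented.
"""
from enum import Enum


class Mode(Enum):
    MAX_PROTECTION = "MAXIMUM PROTECTION"
    MAX_AVAILABILITY = "MAXIMUM AVAILABILITY"
    MAX_PERFORMANCE = "MAXIMUM PERFORMANCE"


class Standby:
    """A standby database: a reachability flag plus its standby redo log."""

    def __init__(self, name):
        self.name = name
        self.available = True
        self.redo = []

    def receive(self, record):
        if not self.available:
            raise ConnectionError(f"{self.name} unreachable")
        self.redo.append(record)


class Primary:
    def __init__(self, mode, standbys):
        self.mode = mode
        self.standbys = standbys
        self.open = True
        self.online_redo = []   # redo of committed transactions on the primary
        self.gap = []           # committed redo not yet received by any standby

    def _ship(self, record):
        """Offer the record to every standby; return how many received it."""
        acked = 0
        for sb in self.standbys:
            try:
                sb.receive(record)
                acked += 1
            except ConnectionError:
                pass
        return acked

    def commit(self, txn):
        """Return 'COMMITTED', 'COMMITTED_UNPROTECTED' or 'PRIMARY_SHUTDOWN'."""
        if not self.open:
            raise RuntimeError("primary is shut down")
        if self.mode is Mode.MAX_PERFORMANCE:
            # Asynchronous transport: the commit never waits for a standby.
            # (The model ships immediately, but the result does not depend on it.)
            self.online_redo.append(txn)
            if self._ship(txn) == 0:
                self.gap.append(txn)
            return "COMMITTED"
        # Synchronous transport: the commit waits until the redo is written to
        # the standby redo log of at least one standby (received, not applied).
        if self._ship(txn) > 0:
            self.online_redo.append(txn)
            return "COMMITTED"
        if self.mode is Mode.MAX_PROTECTION:
            # No synchronized standby left: refuse to commit unprotected redo
            # and take the primary down instead.  Zero data loss, zero availability.
            self.open = False
            return "PRIMARY_SHUTDOWN"
        # MAX_AVAILABILITY: after the transport timeout the commit proceeds
        # unprotected; the standby is resynchronized when it returns.
        self.online_redo.append(txn)
        self.gap.append(txn)
        return "COMMITTED_UNPROTECTED"

    def resync(self):
        """Ship the gap to standbys that are reachable again; return what is still missing."""
        self.gap = [rec for rec in self.gap if self._ship(rec) == 0]
        return len(self.gap)


def scenario(mode):
    """Commit twice with the standby up, lose it, commit again, restore it, resync."""
    sb = Standby("stby1")
    prim = Primary(mode, [sb])
    results = [prim.commit("t1"), prim.commit("t2")]
    sb.available = False
    results.append(prim.commit("t3"))
    sb.available = True
    unresolved = prim.resync() if prim.open else None
    return results, prim.open, unresolved, list(sb.redo)


if __name__ == "__main__":
    for m in Mode:
        print(m.value, scenario(m))
```

Running the scenario for each mode shows the asymmetry the text describes: maximum protection loses the primary rather than a single transaction, maximum availability commits the third transaction unprotected and then closes the gap, and maximum performance never waited in the first place.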


f)Data Guard Broker
The Oracle Data Guard Broker is a distributed management framework that automates and centralizes the creation, maintenance, and monitoring of Data Guard configurations.

Thursday, September 21, 2006

Oracle Beginners...free training

Here is a link to a site that gives some good free training to people just beginning with the Oracle Apps.

Aliases, Maiden Names and Nicknames

You know, I've never really understood how nicknames are worked out. It makes sense that Jon can be short for Jonathon. But how do you get from John to Jack? And from William to Bill?

Regardless of the mystifying linguistic antecedents, you can accommodate this state of affairs for user management with the combination of Oracle Internet Directory and the E-Business Suite.

Linking Apps Users with OID Users
From previous posts, you know that we link user accounts in Oracle Internet Directory with their corresponding user accounts in the E-Business Suite, like this:

Link Apps Account to OID 2:

Every user in Oracle Internet Directory has a Global Unique Identifier (GUID). The E-Business Suite stores this Global Unique Identifier in its own user directory (FND_USER), creating a unique link between the two accounts.

Using Different Names in Apps and OID

Since the users are linked by an opaque Global Unique Identifier rather than by name, it doesn't matter if their actual userids in the two namespaces don't match exactly. In addition to accommodating those mystifying nicknames, aliases and maiden names, this is useful for integrating the E-Business Suite with LDAP directories that use different userid naming conventions.

In the example above, the user's ID in Oracle Internet Directory is "john.smith", whereas his userid in Apps is "jsmith". The user logs on to Single Sign-On using his "john.smith" userid and transparently passes through to Apps with responsibilities tied to his "jsmith" account.

Assuming Multiple Identities

Consider this scenario. In a shared services business model, a single purchasing agent acts as the purchaser for different geographic organizations.

Each of these different organizations may have their own business setups, so separate user accounts have been created for each organization. A given purchasing agent logs into the E-Business Suite using different accounts.

The brute-force approach to handling this is to require the purchasing agent to remember different passwords for each account. A more elegant solution is to link his Oracle Internet Directory userid to each of the different Apps accounts, like this:

Link Multiple Apps Accounts:

Using this approach, the purchasing agent logs into Single Sign-On using his "john.smith" account. One of the linked accounts is flagged as the default account, and he can easily switch to the other accounts without having to log out and back in again with a different userid.

Not in the Other Direction

This "one-to-many" link is fully supported with both Release 11i and 12. In other words, you can link a single Oracle Internet Directory account to multiple Apps accounts.

"Many-to-one" links are not supported, however. In other words, it's not possible to link multiple Oracle Internet Directory accounts with a single Apps account.
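Here is a small in-memory model of the linking rules above, added for illustration (it is not Oracle's code and does not touch FND_USER). It keys everything on the OID GUID, lets one GUID own several Apps accounts with one flagged as the default, and refuses the unsupported many-to-one case. The GUID values, user names and class and method names are constructed for the example.

```python
"""One Oracle Internet Directory identity, many E-Business Suite accounts.

Added illustration, not Oracle's code: an in-memory model of the link the
post describes, keyed on the OID GUID that FND_USER stores.  GUIDs, user
names and class/method names are invented for the example.
"""


class LinkError(Exception):
    pass


class AccountLinks:
    def __init__(self):
        self.guid_of = {}        # OID userid -> GUID (what the directory knows)
        self.apps_accounts = {}  # GUID -> linked FND_USER names, in link order
        self.default_of = {}     # GUID -> account a fresh SSO session lands in
        self.owner_of = {}       # FND_USER name -> GUID (enforces the many-to-one ban)

    def register_oid_user(self, oid_userid, guid):
        self.guid_of[oid_userid] = guid
        self.apps_accounts.setdefault(guid, [])

    def link(self, oid_userid, apps_user, default=False):
        """One OID account may map to many Apps accounts; an Apps account to one GUID."""
        guid = self.guid_of[oid_userid]
        owner = self.owner_of.get(apps_user)
        if owner is not None and owner != guid:
            raise LinkError(f"{apps_user} is already linked to another OID account")
        if apps_user not in self.apps_accounts[guid]:
            self.apps_accounts[guid].append(apps_user)
        self.owner_of[apps_user] = guid
        # The first link becomes the default unless a later one is flagged explicitly.
        if default or guid not in self.default_of:
            self.default_of[guid] = apps_user
        return guid

    def sso_login(self, oid_userid):
        """After Single Sign-On succeeds, the user arrives in the default linked account."""
        guid = self.guid_of[oid_userid]
        if not self.apps_accounts[guid]:
            raise LinkError(f"{oid_userid} has no linked Apps account")
        return self.default_of[guid]

    def switch(self, oid_userid, apps_user):
        """Switching inside one SSO session is allowed only among the user's own links."""
        guid = self.guid_of[oid_userid]
        if apps_user not in self.apps_accounts[guid]:
            raise LinkError(f"{apps_user} is not linked to {oid_userid}")
        return apps_user


def demo():
    """The nickname case, the shared-services case, and the refused many-to-one case."""
    links = AccountLinks()
    links.register_oid_user("john.smith", "a1b2c3")   # constructed GUID
    links.register_oid_user("jane.doe", "d4e5f6")
    links.link("john.smith", "JSMITH")                 # john.smith -> jsmith
    links.link("john.smith", "JSMITH_EMEA")            # purchasing agent, second org
    links.link("john.smith", "JSMITH_APAC")            # purchasing agent, third org
    landed_in = links.sso_login("john.smith")
    switched_to = links.switch("john.smith", "JSMITH_APAC")
    try:
        links.link("jane.doe", "JSMITH")               # second GUID for one Apps account
        refused = False
    except LinkError:
        refused = True
    return landed_in, switched_to, refused
```

The `owner_of` map is the whole point: it is what makes a second GUID for an already-linked Apps account an error instead of a silent overwrite, which is the property you would want to verify in any real provisioning script.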

Integration with Third-Party LDAP Directories

You might have a third-party LDAP whose userid naming conventions differ from your E-Business Suite environment. If so, your best approach is to ensure that Oracle Internet Directory is populated with those third-party userids, like this:

Link Third-Party LDAPs With Apps:


Wednesday, September 20, 2006

Password Management with Third-Party Solutions

From my earlier posts you will know that passwords no longer need to be maintained in the E-Business Suite when you've implemented Single Sign-On 10g integration. What happens to passwords in a configuration that includes a third-party LDAP directory like Microsoft Active Directory, and a third-party single sign-on solution like Microsoft Kerberos?

Third-Party Integration In A Nutshell

Before we get to password management, I'd recommend that you review the earlier post.

If you're in a hurry, here's a quick recap of the key points:
  • Oracle Internet Directory is a mandatory hub for synchronizing user information between a third-party LDAP directory and the E-Business Suite
  • The third-party LDAP directory is usually considered to be the master "source of truth" for user credentials
  • Oracle Single Sign-On is a mandatory prerequisite for delegating E-Business Suite's user authentication to a third-party single sign-on solution
Using Oracle Internet Directory As A Hub

Recall that it's possible to integrate your E-Business Suite environment with a third-party LDAP directory using Oracle Internet Directory and its Directory Integration Platform as an intermediary, like this:

Third-Party LDAP Integration 2:

Oracle Internet Directory is a mandatory component in this chain. Oracle doesn't currently offer any methods of directly integrating a third-party LDAP with the E-Business Suite.

Third-Party LDAP As The Master "Source of Truth"

In the typical configuration, the third-party LDAP directory is the master "source of truth" for the user's credentials. For example, a change to the user's name would first be made in the third-party LDAP. The updated user's information would then be sent to Oracle Internet Directory via the Directory Integration Platform. Once in Oracle Internet Directory, the updated user's information would then be sent to the E-Business Suite via the Directory Integration Platform.

Extending the Chain of Trust

Remember that the E-Business Suite can delegate user authentication to Oracle Single Sign-On, effectively creating a chain of trust between the two components. When the E-Business Suite is integrated with a third-party single sign-on solution, that chain of trust is extended one level further, like this:

Third-Party SSO Integration:
When the user logs on to the third-party single sign-on solution, she gets a set of security tokens that are recognized and trusted by Oracle Single Sign-On. Oracle Single Sign-On doesn't challenge the user again for her credentials.

In turn, Oracle Single Sign-On issues its own set of security tokens, which are recognized and trusted by the E-Business Suite. The E-Business Suite doesn't challenge the user again for her credentials.

What About Passwords?

Now that we've got the basics out of the way, understanding how passwords are handled in this scenario should be a bit easier. In the scenario above, the user is challenged only once for their userid and password. The third-party single sign-on solution handles that challenge and authenticates the user's credentials against the third-party LDAP.

It stands to reason that if the user is already logged in by the third-party single sign-on solution, and Oracle components never ask for the user's userid and password, there's no reason to keep the user's password anywhere in the Oracle namespaces.

Passwords Stored In Third-Party LDAP:

And, that's true: when integrated as shown above, users' passwords are not stored locally in either Oracle Internet Directory or the E-Business Suite. Passwords are stored only in the third-party LDAP directory.

Delegating User Management

Since the third-party LDAP repository is the master source of truth, it handles all user password resets. Neither Oracle Internet Directory nor the E-Business Suite is involved in password management in this scenario; it's all delegated to the third-party LDAP.

For Advanced Readers Only

By this point, I've weeded out readers with short attention spans. For the handful of you who've toughed it out to this point, I should note that the above scenario is only one of many possible starting points. Other advanced scenarios are technically feasible, including those in which user credentials flow bidirectionally between Oracle Internet Directory and the third-party LDAP.

These can get pretty involved, so I'll have to leave these as an exercise for you to work out, for now. More information can be found in the Implementation Guide, which describes more variants on the basic scenario outlined here.


Note: Everything in this article applies equally to both Release 11i and 12 environments.

Using Third-Party Identity Managers with the E-Business Suite Release 11i

No More Redundant User Administration

With the certification of Oracle Application Server 10g and Single Sign-On 10g, it is now possible to integrate the E-Business Suite with existing third-party LDAP and single sign-on solutions, like this:

Simple Third-Party LDAP SSO Integration:

Third-party single sign-on solutions can be integrated with Oracle Single Sign-On 10g, and third-party LDAP directories can be integrated with Oracle Internet Directory 10g. From there, it's a short hop to the E-Business Suite.

Example Scenario: The Deluxe "Zero Sign-On" Approach

A user logs on their PC using their Windows userid and password. Wanting to avoid real work, the user decides to file a long-overdue expense report for last year's company conference. He starts Firefox, opens Favourites, and selects a bookmarked link for the E-Business Suite's Self-Service Expenses.

Self-Service Expenses starts up, and the user begins the process of assembling rationalizations to justify that $450 dinner with their favourite Macerich blogger.

(This is a fictional example, of course; nobody takes bloggers out to dinner)

We sometimes call this "zero sign-on" because the user never actually logged on to any Oracle systems at all; their Windows Kerberos ticket gave them an all-access pass to the E-Business Suite automatically.

Magic? What Really Happened?

Brace yourself: some of the following material might require a couple of passes to sink in.

The scenario above illustrates the following integrations:
  • Microsoft Active Directory with Oracle Internet Directory 10g
  • Microsoft Kerberos Authentication with Oracle Single Sign-On 10g
  • Oracle Application Server 10g with the E-Business Suite
MS AD + Kerberos Integration:

The user logged on to their PC, which authenticated them against Microsoft Active Directory. As part of that logon process, Microsoft Kerberos Authentication issued a valid Kerberos ticket to the user.

When the user attempted to access Self-Service Expenses via his bookmarked link, he was redirected to Oracle Single Sign-On 10g. Oracle Single Sign-On 10g recognized the Microsoft Kerberos ticket, issued its own Oracle security tokens to the user, and redirected the user back to the E-Business Suite.

The E-Business Suite recognized the Oracle Single Sign-On 10g security tokens and looked up the user's assigned Applications Responsibilities to ensure that he was authorized to access Self-Service Expenses. That done, it issued its own E-Business Suite security tokens and then passed the user through to Self-Service Expenses without requiring any additional logons.

Integration with Microsoft Active Directory Only

Not everyone uses Microsoft Kerberos Authentication. A simpler integration option omits Kerberos and includes only Microsoft Active Directory and Oracle Internet Directory, like this:

MS AD Only - No Kerberos:

In this simpler architecture, when the user attempts to access Self-Service Expenses via his bookmarked link, he's redirected to OracleAS 10g Single Sign-On. Single Sign-On displays a login screen and collects the user's ID and password.

Single Sign-On passes the user's supplied ID and password to Oracle Internet Directory for validation. Oracle Internet Directory uses the Windows NT External Authentication plug-in (sometimes also called the Windows Native Authentication plug-in) to delegate user authentication to Microsoft Active Directory.

Microsoft Active Directory looks up the user's ID and password in its database, and informs Oracle Internet Directory that this is an authenticated user. Oracle Internet Directory informs Single Sign-On that the user was successfully authenticated.

Single Sign-On issues the user a set of security tokens and redirects the user to the E-Business Suite. The E-Business Suite recognizes the Single Sign-On security tokens and looks up the user's assigned Applications Responsibilities to ensure that he's authorized to access Self-Service Expenses. That done, it issues its own E-Business Suite security tokens and then passes the user through to Self-Service Expenses.

"Out-of-the-box" Third-Party LDAP Integration with Oracle Internet Directory

Due to the popularity of Microsoft Active Directory, Oracle Internet Directory provides a prebuilt connector out-of-the box, ready to use.

Synchronization of User Credentials with Third-Party LDAP Directories

If you've been paying close attention so far, you have likely gathered that user credentials need to be synchronized between the third-party LDAP, Oracle Internet Directory, and the E-Business Suite. The synchronization architecture looks like this:

Third-Party LDAP User Sync:

In this configuration, only the user name needs to be synchronized; the user's password is stored in the third-party LDAP directory. None of the Oracle products need to store the user's password, since they delegate user authentication to the third-party LDAP solutions.

The key concept here is that user authentication is still separated from user authorization even when a third-party LDAP is in place. So, the E-Business Suite still grants authenticated users access to E-Business Suite protected content based on the users' Applications Responsibilities, which are managed in the E-Business Suite exclusively.
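The "Magic? What Really Happened?" walkthrough and the chain-of-trust description in the earlier password post both come down to the same mechanism, so here is one added example covering both (it is not Oracle's or Microsoft's code). Each hop is modelled as an HMAC-signed token: a hop trusts only the key of the hop directly before it, mints its own token for the next hop, and the E-Business Suite alone decides authorization from its responsibilities. The keys, passwords, GUIDs, user names and responsibility names are constructed for the example; in a real deployment the trust is the Kerberos realm configuration and the OSSO partner registration, not shared secrets in a script.

```python
"""Chain of trust: third-party SSO -> Oracle Single Sign-On -> E-Business Suite.

Added illustration, not Oracle's or Microsoft's code.  Each hop verifies the
previous hop's token with that hop's key only, then mints its own.  Keys,
users, GUIDs and responsibilities below are constructed for the example.
"""
import hashlib
import hmac
import json


def sign(key, claims):
    body = json.dumps(claims, sort_keys=True)
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def verify(key, token):
    body, _, mac = token.rpartition(".")   # the MAC is hex, so the last '.' is the separator
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise PermissionError("token not issued by the trusted upstream")
    return json.loads(body)


# Per-hop keys (constructed). EBS never holds KDC_KEY: it cannot verify a
# Kerberos ticket directly and must not try to.
KDC_KEY = b"kerberos-realm-key"
OSSO_KEY = b"oracle-sso-key"

THIRD_PARTY_LDAP = {"john.smith": "s3cret"}       # only place a password lives
OID = {"john.smith": "a1b2c3"}                    # third-party userid -> OID GUID
FND_USER = {"a1b2c3": "JSMITH"}                   # GUID -> linked Apps account
RESPONSIBILITIES = {"JSMITH": {"Internet Expenses"}}   # managed in EBS only


def kerberos_logon(userid, password):
    """Hop 0: the third-party SSO is the only component that sees the password."""
    if THIRD_PARTY_LDAP.get(userid) != password:
        raise PermissionError("bad credentials")
    return sign(KDC_KEY, {"upn": userid})


def oracle_sso(kerberos_ticket):
    """Hop 1: OSSO trusts the Kerberos ticket and issues its own token for EBS."""
    claims = verify(KDC_KEY, kerberos_ticket)
    return sign(OSSO_KEY, {"guid": OID[claims["upn"]]})


def ebs_access(osso_token, function):
    """Hop 2: EBS trusts OSSO's token, maps GUID -> FND_USER, then authorizes locally."""
    claims = verify(OSSO_KEY, osso_token)
    user = FND_USER[claims["guid"]]
    # Authentication is settled; authorization is EBS's own decision.
    if function not in RESPONSIBILITIES.get(user, set()):
        return user, "DENIED"
    return user, "GRANTED"


def zero_sign_on(userid, password, function):
    """The whole 'zero sign-on' path from desktop logon to an Apps function."""
    return ebs_access(oracle_sso(kerberos_logon(userid, password)), function)
```

Two checks are worth running against any real chain like this: a valid Kerberos ticket presented straight to the last hop must be rejected (EBS only trusts OSSO), and an authenticated user without the responsibility must get a denial rather than an error, which is the authentication/authorization split the paragraph above describes.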



Bringing It All Together

Assuming I haven't lost you so far, the following diagram shouldn't be too overwhelming:

Combined 3rd Party LDAP SSO:

This combines all of the concepts we've covered:
  • Third-party LDAP integration with Oracle Internet Directory
  • Third-party SSO integration with Oracle Single Sign-On
  • Synchronization of user credentials via Oracle Internet Directory's Directory Integration Platform to the E-Business Suite
Relax, It's Easy and Fun

Well, maybe not... but at least it's technically feasible. A number of E-Business Suite customers are running this configuration in production already.

There are many more options for integration with the E-Business Suite, including options for linking OID userids to different E-Business Suite userids, and so on. More information can be found in this document:

Watch that Oracle stock today!


Oracle Reports Q1 GAAP EPS Up 28% to 13 Cents, Non-GAAP EPS Up 24% to 18 Cents

September 19, 2006 - Oracle Corporation today announced fiscal 2007 Q1 GAAP earnings per share were up 28% to $0.13, compared to the same quarter last year. First quarter total GAAP revenues were up 30% to $3.6 billion, while quarterly GAAP net income was up 29% to $670 million.

Monday, September 18, 2006

Encrypting Traffic Between 11i Application and Database Tiers

It's now possible to encrypt the SQL*Net traffic that flows between your E-Business Suite Release 11i application and database tier servers.

ASO diagram:

This long-awaited certification is delivered through an Oracle database feature called Oracle Advanced Security Option (ASO). For reasons too arcane to discuss here, this is also referred to as Advanced Networking Option (ANO).

The process involves installing an E-Business Suite Concurrent Manager patch and Oracle Advanced Networking, changing several configuration files, and then relinking your Apps executables.

The minimum prerequisites for this configuration include:
  • Oracle Applications 11.5.10 users with RUP 3 or later (11i.ATG.PF.H RUP3 patch 4334965 or later)
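The part of "changing several configuration files" that decides whether you actually get encryption is the sqlnet.ora negotiation setting, so here is an added configuration fragment (mine, not taken from Note 391248.1 or from Oracle's AutoConfig templates) showing the default that merely offers encryption beside the setting that enforces it. File locations are whatever $TNS_ADMIN resolves to in each home, and the algorithm allow-lists are left as placeholders: the 11i application-tier client homes support a different set of algorithms from the database, so take the real list from the Note.

```text
# --- database tier: $TNS_ADMIN/sqlnet.ora ---
# Default (weak): ACCEPTED only negotiates encryption when the peer asks for it,
# so a client that never asks still gets a cleartext session.
# SQLNET.ENCRYPTION_SERVER = ACCEPTED
# SQLNET.CRYPTO_CHECKSUM_SERVER = ACCEPTED

# Enforced: refuse any session that will not encrypt, and integrity-check packets.
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
# Optional allow-lists (placeholder values; use the ones the Note gives for your homes).
# SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES128)
# SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)

# --- application tier: sqlnet.ora under $TNS_ADMIN of each Apps ORACLE_HOME ---
SQLNET.ENCRYPTION_CLIENT = REQUIRED
SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUIRED
```

With REQUIRED on at least one side, a peer that cannot negotiate encryption fails the connection (ORA-12660) instead of silently falling back to cleartext; with ACCEPTED on both sides nothing is encrypted at all. To confirm an existing session is actually protected, look at the NETWORK_SERVICE_BANNER column of V$SESSION_CONNECT_INFO, which lists the encryption and crypto-checksumming services in use. Note that this certification covers SQL*Net between the application and database tiers only; browser-to-application-tier traffic is a separate (HTTPS) configuration.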
Exception for HP-UX Users

HP-UX users cannot enable ANO/ASO until the resolution of bug 5398088. This bug prevents access to MOD PL/SQL from the $IAS_ORACLE_HOME.

Related
Encrypting EBS 11i Network Traffic using Advanced Security Option / Advanced Networking Option (Note 391248.1)

Saturday, September 16, 2006

Password Management with Oracle Internet Directory

User password resets - the bane of every sysadmin. Automating this tedium is a major benefit of integrating your E-Business Suite environment with Oracle Application Server 10g. By delegating user authentication to Single Sign-On 10g and Oracle Internet Directory 10g, you can take advantage of the latter's automatic password reset capabilities.


But First, Some Basics About Account Management

In a standard E-Business Suite environment, user passwords are stored and encrypted in the user's records in the E-Business Suite's FND_USER directory.

When an E-Business Suite environment is integrated with Single Sign-On and Oracle Internet Directory, Apps user accounts are linked to Oracle Internet Directory user accounts like this:

Link Apps Account to OID 2:

Where Does The User Log In?

When a user's E-Business Suite account is linked to an account in Oracle Internet Directory, sysadmins have the option of specifying how the user can log into the E-Business Suite. This can be specified for each individual user.

Available options are:
  • Users can log in externally via Single Sign-On
  • Users can bypass Single Sign-On and log in locally to the E-Business Suite
  • Users can log in via both of the methods above
E-Business Suite Doesn't Need To Store A Password

In the external scenario, all user authentication is handled by Single Sign-On and Oracle Internet Directory. For so-called external users, passwords are stored exclusively in Oracle Internet Directory. Single Sign-On displays a login screen and collects the user's userid and password, and Oracle Internet Directory checks that those credentials match the user's entry within the Oracle Internet Directory LDAP user directory.

After users successfully log into Single Sign-On, they receive security tokens that the E-Business Suite recognizes and uses to establish their E-Business Suite session, based on a chain of trust that looks like this:

SSO OID Apps Trust:

The E-Business Suite uses those Single Sign-On security tokens in place of checking for a password. So, it doesn't need to store user passwords for external users at all.

No More Manual Password Changes

So, in a refreshing switch for veteran Apps sysadmins, all external users can reset their own passwords using Oracle Internet Directory's Delegated Administration Service. This represents the end of the era of manual password resets for Apps users.

Logging Into The E-Business Suite Directly

There are specific users that must always be able to log into the E-Business Suite directly. These users include Apps DBAs or system administrators, who still need to be able to get into Apps even if the external Single Sign-On and Oracle Internet Directory instances are unavailable due to maintenance windows.

These are considered to be local users, so their passwords are always stored in the E-Business Suite's FND_USER directory, not Oracle Internet Directory. Passwords for these users still need to be maintained manually using the regular E-Business Suite security forms that you know and love.

A Tricky Case: "Both"

There might be a subset of users who need to be able to access the E-Business Suite via Single Sign-On as well as locally. These users would be given access to both login methods, which means that passwords must be stored in both locations: Oracle Internet Directory and the E-Business Suite's FND_USER directory.

The password management overhead is higher for these users, so you'll want to use this option very sparingly:
  • Password changes made in the E-Business Suite are automatically sent to Oracle Internet Directory
  • Password changes made in Oracle Internet Directory must be manually repeated in the E-Business Suite using the E-Business Suite security forms

The asymmetry between the two tasks comes down to this: passwords stored in the E-Business Suite are encrypted reversibly, so we can decrypt them and send them to Oracle Internet Directory. Passwords in Oracle Internet Directory, however, are hashed, which prevents us from transmitting a copy to the E-Business Suite.
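The asymmetry above, as an added example that is not Oracle's code: a constructed reversible store stands in for the E-Business Suite's own FND_USER encryption (the key, the HMAC keystream and all function names are assumptions), beside the LDAP {SSHA} one-way scheme that Oracle Internet Directory supports. Syncing from the reversible store to the hashed one succeeds; the reverse has no plaintext to work with.

```python
import base64
import hashlib
import hmac
import os

# Constructed stand-in for the E-Business Suite's reversible password storage:
# a keyed keystream (HMAC-SHA256 in counter mode) XORed over the password.
# This is NOT the real FND_USER encryption; it only models "decryptable".
EBS_KEY = b"constructed-demo-key-not-real"

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def ebs_encrypt(password: str) -> bytes:
    nonce, pw = os.urandom(16), password.encode()
    return nonce + bytes(a ^ b for a, b in zip(pw, _keystream(EBS_KEY, nonce, len(pw))))

def ebs_decrypt(blob: bytes) -> str:
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(EBS_KEY, nonce, len(ct)))).decode()

# LDAP {SSHA}: base64(SHA-1(password || salt) || salt). One-way: the directory can
# verify a login against it but cannot recover the password from it.
def oid_hash(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def oid_verify(password: str, stored: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def sync_ebs_to_oid(ebs_blob: bytes) -> str:
    """EBS -> OID works: recover the plaintext, then hash it for the directory."""
    return oid_hash(ebs_decrypt(ebs_blob))

def sync_oid_to_ebs(oid_hash_value: str) -> bytes:
    """OID -> EBS cannot work: a one-way hash yields no plaintext to re-encrypt."""
    raise ValueError("OID {SSHA} value is one-way; repeat the change manually in EBS")
```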

Friday, September 15, 2006

In-Depth: Synchronizing Oracle HRMS with OID

We often talk about managing E-Business Suite users with Oracle Internet Directory 10g. But what about situations where you need to manage Oracle Human Resources employees in Oracle Internet Directory? Or create E-Business Suite accounts automatically for new employees? That's where the Oracle HR Agent comes into the picture.

Oracle HR Agent Screenshot:

Users vs. Employees

For starters, let's distinguish between users and employees:

USER: An E-Business Suite user is someone who needs to be able to log into Apps. That user might need to file expense reports, view her payslip, or file purchase requisitions. All E-Business Suite users have userids and records in the FND_USER repository, and have associated responsibilities that govern the functions and data that they can access.

EMPLOYEE: An employee is someone whose information is managed by the Human Resources module in the E-Business Suite. Oracle Human Resources tracks information like employee numbers, manager hierarchies, and other personally identifiable information like birthdates.

Employees aren't Necessarily Users

Not all employees are users, and vice versa. For example, a major retailer might use the E-Business Suite's Human Resources modules to manage employee information for their cashiers, but those cashiers may not be authorized to log into the E-Business Suite at all.

When Worlds Overlap

From an organizational standpoint, this distinction makes a lot of sense. The HR department manages employees, and the IT department manages E-Business Suite accounts.

But what happens when those worlds overlap? Following the example above, what about a scenario where the cashiers are permitted to view their payslips via the Self-Service Human Resources module?

In this scenario, the same person would be represented in two places:
  1. In the Human Resources module
  2. In the Apps FND_USER repository

For E-Business Suite environments that aren't integrated with Oracle Internet Directory, user records need to be individually maintained in each location.

Creating Employee Entries in Oracle Internet Directory

It's possible to use the Oracle Internet Directory Human Resources connector to push employee information from Oracle HR to Oracle Internet Directory.

HRMS to OID:

You can export a subset of employee data from Oracle Human Resources into Oracle Internet Directory. The connector includes both a prepackaged integration profile and an Oracle Human Resources agent that handles communication with Oracle Internet Directory.

You can schedule the Oracle Human Resources connector to run at any time, configuring it to extract incremental changes from the Oracle Human Resources system. You can also set and modify mapping between column names in Oracle Human Resources and attributes in Oracle Internet Directory.

Exportable HR Attributes

There's a long list of HR employee attributes that you can send to Oracle Internet Directory, including:
  • First name, last name
  • Title
  • Sex
  • Date of birth
  • Employee number
  • Email address
  • Others...

Making A Round Trip

You can synchronize user information between Oracle Internet Directory and the E-Business Suite's FND_USER like this (see the article on SSO with 11i for details):

OID to FND_USER Sync:

Therefore, it's possible for employee information to make a round-trip like this:

HR to OID to FND_USER:

Not In the Opposite Direction

This architecture would support a business flow where a new employee is registered in E-Business Suite Human Resources by the HR department. That employee's information is then propagated via Oracle Internet Directory to FND_USER, where an IT administrator grants the appropriate Apps responsibilities to the user.

The opposite direction is not supported. It is not possible to have an employee created in Oracle HR based upon a new user entry in Oracle Internet Directory.

XML Publisher & The E-Business Suite


This is a pointer to one of the hottest new technologies for the E-Business Suite: XML Publisher (XMLP), which has been instrumental in changing the way we think about how Apps data can be used by end-users for reports and other business documents.

XML Publisher Workflow:

Into the Hands of End-Users

XML Publisher is interesting in that it allows end-users -- using tools such as Microsoft Word and Adobe Acrobat -- to create richly-formatted templates for reports and business documents containing Apps data.

XML data extracts from E-Business Suite concurrent programs are merged with those templates at runtime, generating output in PDF, HTML, RTF, EXCEL (HTML), or even text for use with EFT and EDI transmissions.

Advanced Tools for the Data Center

In addition to the potential of this tool to allow your end-users to create simple reports for themselves, there are advanced options for integration with email systems, faxes, WebDAV, FTP, HTTP, barcodes, and more.

Those topics are discussed in the excellent XML Publisher Blog, which features technical articles directly from the XML Development team. Note also that there will be several XMLP-related sessions at OpenWorld this year, which are linked to in this article.

John Wookey on Oracle's Apps Strategy


I am sure John Wookey doesn't have the luxury of writing articles every day. In fact, given that he's got the hardest job in Silicon Valley, it's amazing that he has the time to write anything at all.

Therefore, if he's taken time out of his schedule to update his blog, it must be something worth paying attention to. Even if you're an Apps DBA whose primary concern is applying ATG RUP 4, John's latest article discusses some of the thinking behind Oracle's Applications Unlimited commitments and warrants some reflection:
Understanding Oracle's Unique Apps Strategy

Thursday, September 14, 2006

Native Sun Plug-In to Replace Jinitiator in E-Business Suite Release 12


[More cheering from Oracle Apps DBAs]

As most of you know, Oracle JInitiator is an authorised version of Sun Microsystems' Java2 Standard Edition with some specific fixes required to support Oracle Forms. JInitiator is currently required to run Oracle Forms in the E-Business Suite Release 11i, although we're running an Early Adopter Program that's evaluating the feasibility of eliminating this requirement for Release 11i.

Oracle JInitiator will no longer be required to run Oracle Forms in E-Business Suite Release 12. Oracle Forms in Release 12 will run directly in the native Sun Java2 Standard Edition plug-in. This will be our standard configuration for Release 12.

E-Business Suite Technology Stack Overview

Hot off the presses, here's the latest Release 11i technology stack architecture diagram:

11i Architecture:

This is a nice summary showing how our latest technologies such as Web Services, BPEL, Web Cache, XML Publisher, and Enterprise Manager fit into the bigger E-Business Suite technology stack picture.

This was just released yesterday, so you can expect to see saturation coverage in future Oracle presentations and white papers. One of my colleagues jokingly suggested that we should get t-shirts, posters, and coffee mugs printed with this and I've half a mind to consider that seriously.

Updated User Interface for E-Business Suite Release 12

It's expected that the E-Business Suite Release 12 will feature an updated user interface, codenamed "Project Swan." Aside from the unfortunate implication that the existing 11i user interface is an ugly duckling, Project Swan has some very appealing new aspects:

Project Swan Overview:
  1. Background pattern for branding
  2. Base font change to Tahoma 9pt
  3. Button style change
  4. Background color change
  5. Tab style sub-tab layout with gradient background
  6. Gradient background for header
  7. Icon change
  8. Table color update
  9. Gradient background for footer
  10. Vertical spacing change

For comparison, here's an existing Release 11i Self-Service Expenses screenshot (OA Framework):

Expenses 11i Screenshot:

And here's a draft version of the Release 12 equivalent:

Expenses R12 Screenshot:

Here's an existing Release 11i Form for the Contacts Center:

Contacts 11i Screenshot:

And here's a draft version of the Release 12 equivalent:

Contacts R12 Screenshot:

Here's the Release 11i Login Screen:

11i Login Screenshot:

Here's a draft of the Release 12 equivalent:

R12 Login Screenshot 2:

Here's an existing Release 11i CRM/JTT screenshot for iSupport:

11i iSupport Screenshot:

Here's a draft of the Release 12 equivalent:

R12 iSupport Screenshot:


Converting From Previous Versions

If you've customized or extended Release 11i screens according to our published customization standards, there shouldn't be significant effort involved in getting to the Project Swan look-and-feel. This is expected to vary a bit by the type of screen.

Oracle Applications Forms

Project Swan changes for Forms are limited to changing the color scheme and using non-boldfaced fonts for field values. These changes will be made in the technology layer, so no changes need to be made by Forms designers. There will be no change to the position or layout of any fields on the forms.

Oracle Applications Framework Screens

In most cases, no code changes will be needed, since the cosmetic changes will be implemented at the OAF technology layer. There may be specific cases where the use of custom stylesheets may require additional tweaks.

CRM/JTT Screens

Like OAF, in most cases, no code changes will be needed, since the cosmetic changes will be implemented at the technology layer. There may be specific cases (e.g. custom renderers, custom stylesheets) that require additional tweaks.

Migration Tools or Documents?

Given that the vast majority of existing screens should automatically be uplifted to the Swan UI, I haven't yet been told whether there will be tools to aid in conversions. It's likely that we'll provide you with the same internal Swan conversion guidelines that E-Business Suite product teams are using today (albeit with better spell-checking and grammar).

Alternate Colour Schemes

A common question at last month's OAUG conference was whether we would support alternate colour schemes, since many of you distinguish DEV, TEST, and PROD environments with different colours.

Short answer: Yes, you'll still be able to customize colour schemes in the new Swan UI. It isn't clear whether we'll provide you with a preset selection of different schemes, but you'll be able to design your own.

Tuesday, September 12, 2006


Here's a search I use in Mozilla that enables me to do quick and easy searches of the Oracle Application Server 10.1.3 documentation set.

Create a new file in the $MOZILLA_HOME/searchplugins directory, paste in this text, and restart Mozilla.

You'll then see a new "OTN 10.1.3 Doc Search" box added to your search engines.

Type in a keyword and press Enter.

Bam!

Go on, search yourself silly.

OTN Doc Search
<search
version="1.0"
name="OTN 10.1.3 Doc Search"
description="OTN 10.1.3 Doc"
searchForm="http://www.oracle.com/pls/as1013/as1013.drilldown"
action="http://www.oracle.com/pls/as1013/as1013.drilldown"
method="GET" >

<input name="word" user>
<input name="remark" value="">
<input name="book" value="">
<input name="preference" value="">
<input name="method" value="TEXT">

<interpret
resultListStart="<!-- RESULT LIST START -->"
resultListEnd="<!-- RESULT LIST END -->"
resultItemStart="<!-- RESULT ITEM START -->"
resultItemEnd="<!-- RESULT ITEM END -->"
>
</search>