This document provides the information required to enable and configure supplemental technologies to the Oracle E-Business Suite Information Discovery, Release 12.2V6 (12.2.5.6) installation. The configuration steps for the following technologies are included in this document:
- Installing Oracle E-Business Suite Information Discovery Release 12.2 V6 within Oracle E-Business Suite Release 12.2 DMZ.
- Enabling SSL communication between Oracle E-Business Suite Information Discovery Release 12.2 V6 Studio Component and Oracle E-Business Suite Release 12.2 .
Oracle Endeca Information Discovery is also referred to as EID (Endeca Information Discovery) or Endeca in some contexts of this document.
The most current version of this document can be obtained in My Oracle Support Knowledge Document 2038186.1
In This Document
This document is divided into the following sections:- Section 1: Overview
- Section 2: Configuration steps for setting up Oracle E-Business Suite Information Discovery Release 12.2 V6 in Oracle E-Business Suite Release 12.2 DMZ
- Section 3: Configuring SSL for Oracle E-Business Suite Information Discovery Release 12.2 V6 Studio and Oracle E-Business Suite Release 12.2.
Section 1: Overview
Section 2 of this note details the steps to configure Oracle E-Business Suite Information Discovery Release 12.2 V6 in an Oracle E-Business Suite Release 12.2 DMZ.Section 3 documents the steps to enable SSL for the Oracle Endeca Information Discovery (EID) Studio component integrated with an Oracle E-Business Suite Release 12.2 installation. The Studio component (also referred to as the Portal Studio), manages the content displayed within an Oracle E-Business Suite application from the Endeca system.
The instructions for both of the above configurations should be used in conjunction with the installation document for the Endeca version being integrated:
My Oracle Support Knowledge Document 1970071.1.
Section 2: Configuration steps for setting up Oracle E-Business Suite Information Discovery Release 12.2 V6 in Oracle E-Business Suite Release 12.2 DMZ.
To install Oracle E-Business Suite Information Discovery - Release 12.2 V6 within Oracle E-Business Suite 12.2 DMZ, modifications are needed to the Endeca installation as well as the Oracle E-Business Suite environment.The Oracle E-Business Suite Release 12.2 environment will need to be configured as per Document 380490.1 Oracle E-Business Suite R12 Configuration in a DMZ.
The following diagram highlights the placement and integration of Oracle E-Business Suite Information Discovery within an E-Business Suite 12.2 DMZ installation:
The High level configuration steps for Oracle E-Business Suite Information Discovery - Release 12.2 V6 and the Oracle E-Business Suite are:
- Install Oracle E-Business Suite Information Discovery or identify an existing installation.
- Configure Oracle E-Business Suite Information Discovery for the DMZ.
- Clone the existing Endeca Domain to create a separate Weblogic domain for DMZ.
- Configure the new DMZ domain with a second Studio for the external Oracle E-Business Suite instance in the DMZ. - Configure Oracle E-Business Suite instances to integrate with the Oracle E-Business Suite Information Discovery in the DMZ.
2.1 Installing and Configuring Oracle E-Business Suite Extensions for Oracle Endeca, Release 12.2 V6
You need to install Oracle E-Business Suite Information Discovery within the internal firewall to connect with the internal Oracle E-Business Suite instance. Refer to Installing Oracle E-Business Suite Information Discovery, Release 12.2 V6, My Oracle Support Knowledge Document Document 1970071.1 for instructions on setting up EID (Endeca Information Discovery) with Oracle E-Business Suite Release 12.2.The steps and the examples in the note makes the assumption that the EID system is installed on a separate host than the Oracle E-Business Suite system, within the internal firewall, to integrate with the internal Oracle E-Business Suite instance.
The existing DMZ environment requires key ports to be opened, the DMZ configuration by default may have them accessible, for example the ports being used to connect the external Oracle E-Business Suite to the Studio created for DMZ needs to be accessible between each other.
2.2 Configure the Oracle E-Business Suite Information Discovery for DMZ
Perform these steps in the Oracle E-Business Suite Information Discovery installation to be incorporated into an existing Oracle E-Business Suite 12.2 DMZ setup.The Endeca portal content from the Studio component needs to be displayed in the internal and external Oracle E-Business Suite middle-tiers of a DMZ setup. For the sake of clarity, the two E-Business Suite Web-tiers are noted as the external Oracle E-Business Suite (placed outside of the internal firewall to be accessible to external users) and the internal Oracle E-Business Suite (installed within the internal firewall for intranet users).
The following tasks need to be completed to create a Studio managed server serving the external Oracle E-Business Suite instance in the DMZ (Detailed steps of these tasks are noted below) :
- Create a Weblogic template from the Endeca domain in the existing Endeca installation :
- Use the WebLogic Template Builder to clone a template of the Endeca domain
- Create a DMZ domain from the template :
- Use the WebLogic Configuration Utility (config.sh) to create the new domain for DMZ from the cloned template.
- Configure the DMZ domain to create a second Endeca Studio for DMZ
- Configure the second Endeca Studio in the DMZ domain to integrate with the external Oracle E-Business Suite installation in the DMZ
- Configure the External Oracle E-Business Suite instance to integrate with the new Endeca Studio for DMZ
The following diagram shows the additional domain in the Endeca WebLogic installation to be added for DMZ:
Note: Create a backup copy of the existing Endeca installation in /u01/Oracle directory, in case you need to revert back to the previous configuration.
2.2.1 Clone the Endeca Domain and configure a new Studio Managed Server for DMZ
Utilizing the WebLogic tools available within the WebLogic installation in EID, a new domain must be created to setup a duplicate Studio Portal specifically to serve the EID Portal data to the external Oracle E-Business Suite instance.
Use the WebLogic Domain Template Builder to clone the Endeca Domain:
From the directory /u01/Oracle/Middleware/wlserver_10.3/common/bin/ run config_builder.sh:
./config_builder.sh
Create New Template - Select Create Domain Template, then press Next button
Select a Template Domain Source : In the "Select a Domain" Tab, locate the /user1/Oracle/Middleware/user_projects/domains/endeca_domain folder as the source of the Domain Template. Hit Next button to go to the next screen.
Describe the Template - Enter the name "dmz_studio_domain" as the required Template Name and leave the default Version value in the form.
Specify Template Jar Name and Location - Enter a name for the template and save it in a folder you will access later. For this example, we put the templates in /u01/Oracle/Middleware/user_templates. Hit Next button to go to the next screen
Add or Omit Applications - Review the Current Application Path and Internal Application Path values and go to the next page. All Applications should be selected and checked.
Add Files - Locate the portal-ext.properties file from the left panel (File System View) and add it to the right Panel (Current Template value). The portal-ext.properties file can be found in the /u01/Oracle/Middleware/user_projects/domains directory. Hit Next button to go to the next screen.
AddSQL Scripts - Leave the default values in this screen and go to the next page.
Configure the Admin Server - for the Name field, enter AdminServerDMZ, leave the default values in Listen Address and change the default Port value in the Listen Port field. This example uses port number 8012, you can use any other available port in your environment and make a note of this port as you will need this value in subsequent installation steps.
img src="/epmos/main/downloadattachmentprocessor?parent=DOCUMENT&sourceId=2038186.1&attachid=1575921.1:wls-config-dmz6&clickstream=yes"alt="dmz" />
Configure Username and Password - Use the same username password used for the endeca domain. Leave all other default values and go to next page
Specify Start Menu entries - Leave default values and go to next page
Prepare Scripts and files for Replacement variables - Leave default values and go to next page
Review WebLogic Domain Template - Review the panel and hit the Create Button.
Review the information and make a note of the location of the template and press the Done button to end the WebLogic Domain Template Builder.
Note: You need to update all open ports in the second Portal Studio domain and managed server configuration to available ports for the particular runtime environment, especially address the requirement, that these open ports are different to those used in the first and original Portal Studio configuration pointing to the internal Oracle E-Business Suite installation
2.2.2. Create the DMZ domain from the cloned endeca domain template
Run the WebLogic Config program to create a new domain for DMZ.
Run the config.sh WebLogic script from /u01/Oracle/Middleware/wlserver_10.3/common/bin folder : ./config.sh
Welcome - Select the Create a new WebLogic domain checkbox and go to the next page
Select Domain Source - Select Base this domain on an existing template and Browse to the domain template you created previously using the WebLogic Template Builder in the Template Location field.
Specify Domain Name and Location - Enter dmz_endeca_domain as the required Name and leave the default values for the rest of the fields in this form. This domain name must be unique.
Configure Administrator Username and Password - Enter the username and password for this domain and go to the next page
Configure Server Start Mode and JDK - Select Production Mode and go to the next page
Configure JDBC Data Sources - Review the default values in this page and select the checkbox for the ebsdb datasource to test the connection. The Oracle E-Business Suite installation should be available for the test. Select the Next button to go to the next page
Test JDBC Data Sources, make sure the checkbox for the ebsdb is selected and test the connection.
The associated JDBC datasource connects to the Oracle E-Business Suite instance successfully.
Select Optional Configuration - check the Checkboxes Administration Server, managed servers, Clusters and Machines, Deployment and Services and go to the next page (Leave the RDBMS Security Store CheckBox un-checked).
Configure the Administration Server - Change the Name to AdminServerDMZ and check that the Listen Port has the new value that you specified when you created the Domain using the Domain Builder.
Configure Managed Servers - Change the name of the StudioManagedServer to StudioManagedServerDMZ, change the Listen Port to an available and a different value than the original Studio Portal managed server shown here by default. For this example, change it to 8014. Delete the second Managed Server Entry shown on the next line using the Delete red X choice on the top of the screen.
Clusters - SkipConfigure Machines - SkipSelect the StudioManagedServerDMZ Target on the left-hand side of the screen and UNCHECK the oracle.endecaserver#1.0 selection.
Target Services to Clusters or Servers - Make sure the JDBC services checkbox is checked when you have selected the StudioManagedServerDMZ Target Server on the left panel.
Configuration Summary - Review the information displayed and press the Create and Done buttons respectively in the following screens when finished.Verify that the new domain directory and the associated artifacts exist in the /u01/Oracle/Middleware/user_projects/domains directory.2.2.3. Configure the new DMZ domain
- Rename the file (/u01/Oracle/Middleware/user_projects/domains/dmz_endeca_domain/plan.xml to (/u01/Oracle/Middleware/user_projects/domains/dmz_endeca_domain/plan.xml_hold)
- Bring up each of the servers (one at a time) for the original non-DMZ Endeca installation by running the script /u01/Oracle/quickinstall/bin/startAllEndeca.sh.
- Start dmz_endeca_domain for the first time, this will create the /servers directory under the new domain. cd /u01/Oracle/Middleware/user_projects/domains/dmz_endeca_domain
source /u01/Oracle/quickInstall/EidConfig.properties
./startWebLogic.sh on the command-line and enter the username and password when prompted. You can also specify the username and the password parameter in the security/boot.properties file under dms_endeca_domain directory.
source /u01/Oracle/quickInstall/EidConfig.propertiesAccess the new DMZ Studio Domain console by navigating to this url: <hostname>:8012/console ( the port number is the port that you assigned for the Domain Admin Server, the 8012 shown here is an example). Verify that the New Domain and the StudioMangedServerDMZ that you cloned are displayed.
cd /u01/Oracle/Middleware/user_projects/domains/<dmz_endeca_domain (the new DMZ domain)>/bin
nohup ./startWebLogic.sh > dmz_domain.log &
Go to Services on left-hand panel and click Lock and Edit to update the values.
Select 'ebsdb' and verify that the StudioManagedServerDMZ is noted as a target server. Go to the Connection Pool TAB and scroll down then click on the Advanced button to show the Advanced options. Make sure the 'Wrapped Data Type' checkbox is unselected- Managing the portal-ext.properties file for the two Studio Servers Each of the Studio installations require the portal-ext.properties system file to define the properties for each of the Oracle E-Business Suite instances that the Studio will serve. This section details the steps to create and place two separate portal-ext.properties files in their respective domain directories and update the WebLogic system files to specify the new location.
Place the portal-ext.properties files in the respective Studio domains (endeca_domain and dmz_endeca_domain).:$ cd /u01/Oracle/Middleware/user_projects/domains
$ cp ./portal-ext.properties /u01/Oracle/Middleware/user_projects/domains/endeca_domain/portal-ext.properties
$ cp ./portal-ext.properties /u01/Oracle/Middleware/user_projects/domains/dmz_endeca_domain/portal-ext.properties
$ mv ./portal-ext.properties ./portal-ext.properties_hold- Update the setDomainEnv.sh files for each of the two Studio instances.
The following example adds the JAVA_OPTIONS to setDomainEnv.sh file for the existing Studio Manager:
Go to the /u01/Oracle/Middleware/user_projects/domains/endeca_domain/bin directory and add the following directive to the setDomanEnv.sh file.
# Adding directive for Endeca DMZ Studio portal-ext.propertiesDo the same for the new DMZ Studio you just created :
JAVA_OPTIONS="${JAVA_OPTIONS} -Dexternal-properties=/u01/Oracle/Middlware/user_projects/domains/endeca_domain/portal-ext.properties"
export JAVA_OPTIONS
Go to the /u01/Oracle/Middleware/user_projects/domains/dmz_endeca_domain/bin directory and add the following directive to the setDomanEnv.sh file.
# Adding directive for Endeca DMZ Studio portal-ext.properties
JAVA_OPTIONS="${JAVA_OPTIONS} -Dexternal-properties=/u01/Oracle/Middlware/user_projects/domains/dmz_endeca_domain/portal-ext.properties"
export JAVA_OPTIONS
- Update the portal-ext.properties for DMZ Studio managed server.
Edit the portal-ext.properties in the dmz_endeca_domain directory to update the properties web.server.host, web.server.https.port, web.server.protocol. In addition to the address of the external EBS instance, add the liferay.home property as shown in the following example. The liferay.home directory points to the new domain directory. Update the file with the information about the External Oracle E-Business Suite instance.
##Note: The web.server.host and web.server.https.port identifies the endpoint for the external Oracle E-Business Suite. If the DMZ installation utilizes a proxy endpoint to the actual host and port of the external Oracle E-Business Suite installation, then you need to specify the host and port of the proxy (or reverse proxy) that redirects access to the external Oracle E-Business Suite.
## Portal Context
##
liferay.home=/u01/Oracle/Middleware/user_projects/domains/dmz_studio_domain
##
web.server.host=<OHS hostname of the external E-Business Suite>
web.server.https.port=<HTTPS Port of the external E-Business Suite>
web.server.protocol=<http or https>
- Create or update endeca.conf file for the DMZ setup.
Copy the /u01/Oracle/quickInstall/env/endeca.conf file to a separate location and update the existing default port number to the new port number you assigned for the Studio managed server for DMZ. You will need to replace the existing port number and address for the new DMZ studio managed server instance.
This endeca.conf file will be required for the external Oracle E-Business Suite Apache configuration. Copy this file over to the internal Oracle E-Business Suite location for subsequent steps noted later in this document and restart the Oracle E-Business Suite instance.
- Bounce the default Endeca components:
Stop the Endeca servers by running the stopAllEndeca.sh script located in the /u01/Oracle/quickInstall/bin directory and choosing option 1 - All. This option stops all the Managed Servers and Admin Servers in the required sequence. When prompted, enter the Oracle Endeca Domain Admin server username and password and the Oracle Endeca Integrator Domain Admin server username and password.
Start the Endeca servers by running the startAllEndeca.sh script located in the /u01/Oracle/quickInstall/bin directory and choosing option 1 - All. This option starts all the Managed Servers and Admin Servers in the required sequence. When prompted, enter the Oracle Endeca Domain Admin server username and password and the Oracle Endeca Integrator Domain Admin server username and password.
- Wait until all the domains and Managed Servers are successfully up and running.
- Start the new DMZ Processes: Start the DMZ domain server from the command line to initialize the new DMZ domain you created. After the domain server comes up successfully, start the DMZ Studio managed server. Check the server logs which are located under the new domain :
Note: Starting and stopping the DMZ servers : When starting the WebLogic servers from the command-line, source theEidConfig.properties file in /u01/Oracle/quickinstall directory to set the appropriate environment configuration.
Appendix B documents examples of the commands to start and stop the WebLogic servers on the Linux command line.
- Stop and restart the Oracle Endeca servers:
Stop the Endeca servers by running the stopAllEndeca.sh script located in the /u01/Oracle/quickInstall/bin directory and choosing option 1 - All. This option stops all the Managed Servers and Admin Servers in the required sequence. When prompted, enter the Oracle Endeca Domain Admin server username and password and the Oracle Endeca Integrator Domain Admin server username and password.
Start the Endeca servers by running the startAllEndeca.sh script located in the /u01/Oracle/quickInstall/bin directory and choosing option 1 - All. This option starts all the Managed Servers and Admin Servers in the required sequence. When prompted, enter the Oracle Endeca Domain Admin server username and password and the Oracle Endeca Integrator Domain Admin server username and password.
- Stop and start the external Oracle E-Business Suite instance.
- Stop and restart the new DMZ domain and Managed Servers and check the logs to confirm they are up and running successfully.
2.3 Configure the Oracle E-Business Suite installation for DMZ
The Oracle E-Business Suite web-tier installed to provide access from outside of the internal firewall (also noted as the external Oracle E-Business Suite in this document) needs to be configured to incorporate the Oracle Endeca system into the DMZ.
The steps required for the Oracle E-Business Suite installation need to be performed on the RUN file system. Please refer to Section 3.2 of this document for details.
The Apache system files need to be updated for configuration steps on the Oracle E-Business Suite installation for the DMZ setup.
Note: The external and the internal Oracle E-Business Suite in the DMZ setup needs to be updated with the patches that are recommended for Endeca integration with Oracle E-Business Suite Release 12.2 . You should review Document 1970071.1 for details of the patches required for the Endeca integration with Oracle E-Business Suite Release 12.2.
- The Apache HTTP/HTTPS configuration files that require updates for DMZ.
- Modify Apache HTTP server configuration files (including endeca.conf) for EID Studio as required for the second Portal installation.
- Update the Oracle E-Business Suite Profile Option FND_ENDECA_PORTAL_URL to include the internal E-Business Suite middle-tier.
2.3.1 Updating the Apache URL Access Configuration file for DMZ
Note: You should review Document 1574273.1 for details of updating the Apache configuration files in the external Oracle E-Business Suite instance.
- Copy the modified endeca.conf (in Step 4 in Section 3.2 above) to the Apache configuration directory in the Oracle E-Business Suite web-tier of the external instance. This endeca.conf has the new port number you added in Step 4 in Section 3.2 above.
- The Apache HTTP server configuration files need to be updated to incorporate the integration with the new Endeca Studio installation in the external Oracle E-Business Suite environment. Follow all the steps except the instruction to add the "include endeca.conf" in the configuration files. The following section documents the steps to place the inclusion of the endeca.conf file specifically for the external Oracle E-Business Suite instance in a DMZ.
To enable access to the iReceivables and iRecruitment products in a DMZ, the Apache HTTP server configuration file url_fw.conf is utilized. Please refer to the implementation guides for the product-specific configuration steps to provide access to these products for an external Oracle E-Business Suite instance in the DMZ.In this DMZ configuration, the "include" directive for the endeca.conf file needs to be changed from the way it is recommended for the non-DMZ or the internal Oracle E-Business Suite instance. You need to remove or comment out any "include" directives for the endeca.conf file and make the recommended changes appropriately. The steps are shown here as a guide :
- Confirm that the include statement is either commented out or not present in any of the Apache HTTP server configuration files in the HTTP server directories :
grep -i endeca.conf *.conf- Update url_fw.conf file to add the include statement for endeca.conf. The following excerpt shows the include directive for endeca.conf added to a specific section of the url_fw.conf file.
In the example below, the statement include "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/endeca.conf" is added before the section that redirects all URL's to 410, if none of the preceding rules in the url_fw.conf file are matched.
#==========================================================
# Allow Endeca Files
#==========================================================
include "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/endeca.conf"
# If not allowed by list above - go away! [G] is '410 Gone'
RewriteRule .* - [G]
# END Positive list of URLs
</IfModule>
ErrorDocument 410 "<HTML><HEAD><TITLE>410 Gone</TITLE></HEAD><BODY bgcolor=white><H1>Gone</H1><BLOCKQUOTE>Access to the requested URI has been blocked by the URL Firewall.<p>If you believe that you have reached this page while performing valid operations within the application, please send mail to ohs_admin@us.oracle.com explaining what you were doing when you got this error.</BLOCKQUOTE><HR></BODY></HTML>
# end of URL FW RulesTo ensure that changes to the url_fw.conf file are preserved after subsequent autoconfig activities on the Oracle E-Business Suite instance, make the changes to the template file:
Please review and confirm the steps to preserve the updates to the Apache system file as per the section on Implementing AutoConfig Customizations in Document 387859.1 Using AutoConfig to Manage System Configurations in Oracle E-Business Suite Release 12.
- cd $FND_TOP/admin/template
- mkdir "/custom" directory (if it does not already exist)
- Copy url_fw_conf_FMW.tmp file to the /custom directory and update it with the above modifications.
Please confirm configuration changes for iRecruitment or iReceivables product integrations with Endeca for DMZ with the instructions provided in the product-specific guides (for the iRecruitment and iReceivables products) and Document 1970071.1Installing Oracle E-Business Suite Information Discovery, Release 12.2 V62.3.2 Updating the FND_ENDECA_PORTAL_URL profile option in the Oracle E-Business Suite instance
The FND_ENDECA_PORTAL_URL profile option should already be configured in the Oracle E-Business Suite instance.
Update the FND_ENDECA_PORTAL profile option to add a SERVER level value pointing to the external Oracle E-Business Suite. The SITE value should already be set to the internal Oracle E-Business Suite. (Use the same format of the value for the SERVER level for the profile option).2.4 Validating a successful configuration of DMZ
To confirm that the DMZ configuration performed on the EID Studio deployment and the Oracle E-Business Suite is correct, verify that the following tasks can be accomplished:
2.5 Known Issues and Troubleshooting tips:
- Internal access: Oracle E-Business Suite and the Endeca integration are accessible from within the intranet firewall
- Verify the EAM access by logging in as mnt user and selecting Maintenance Super User, Vision Operations responsibility. From the internal access, you should be able to see the EID content in Oracle E-Business Suite.
- The iRecruitment Endeca Application (/OA_HTML/iRcVisitor.jsp) is accessible from within the intranet firewall as well as outside the firewall to external users.
- External access: Limited access to the Oracle E-Business Suite system is provided as per the DMZ setup and documentation.
- You should be able to access <external E-Business Suite host:port >/OA_HTML/IrcVisitor.jsp and the links provided on that page.
- You should not be able to access the EAM Endeca integration from the external Oracle E-Business Suite login.
- DMZ Setup:
- Check the endeca.conf file to ensure that the Endeca host and ports are pointing to the second Studio installed for the external DMZ access.
- If the /OA_HTML/IrcVisitor.jsp is not visible by a client browser from outside of the DMZ, check the values of the properties in the portal-ext.properties file for the second Portal Studio installation created for the DMZ setup. The values should point to an endpoint to the external Oracle E-Business Suite as it would be accessible via the reverse proxy redirection configured in the DMZ. For example, the host, port for the web.server.host and web.server.https.port should point to the reverse-proxy redirection to the external Oracle E-Business Suite.
Section 3: Configuring SSL for Oracle E-Business Suite Extensions and Oracle Endeca Studio Integration
This section documents the steps to enable SSL communication between Oracle E-Business Suite Release 12.2 and the Endeca Studio installed on the WebLogic Applications Server.
The Endeca Studio manages the content that is processed by the Endeca system to be displayed within the integrated Oracle E-Business Suite application page. The interaction between the Oracle E-Business Suite and the Endeca Studio is the focus of enabling SSL (HTTPS connectivity) in this document.
To enable SSL for the other Endeca components in the integration (Endeca Integrator and Endeca Server), refer to Appendix A of this document for references.
The Oracle E-Business Suite Release 12.2 environment will need to be an SSL enabled system to enable integration with an SSL enabled EID Studio. This section details the steps to configure the EID Studio component and Oracle E-Business Suite environment to connect using the required certificate between the two systems.
To summarize, the steps are:
Note: If you have installed multiple Studio domains (for example, as in a DMZ environment), each of the Endeca Studio domains will need to be configured for SSL connectivity with the appropriate Oracle E-Business Suite instance.
- Create the SSL certificate and keystore for the Studio Server on the Endeca WebLogic Studio domain.
- Configure the Studio Managed Server in the Endeca Domain to enable SSL.
- Update the SSL-enabled Oracle E-Business Suite installation to use HTTPS connectivity with the EID-Studio system
- Configure the EID Studio files for HTTPS connectivity.
3.1 Create the SSL certificate and keystore for the Studio Server
The following steps detail the configuration updates needed for the Endeca Studio component in the WebLogic installation connecting to the Oracle E-Business Suite instance using HTTPS.
3.1.1 Generate certificates and certificate store for Studio Managed Server
The following steps will generate the SSL key with the certificates for the EID Studio:
- Search for the keytool on the Endeca installation host : find / -name keytool -ls.
- Generate the SSL key and certificates for Studio server.
The examples shown below use the JDK keytool command to generate a key, and create a self-signed certificate. The keystores including the certificate and associated artifacts will be mapped to the Studio managed server credential store. As per the keytool example, provide the information for your organization, either by specifying them on the command line as per keytool command syntax or interactively: Refer to Commonly Used Keytool Commands in Oracle® Fusion Middleware Securing Oracle WebLogic Server 11g Release 1 (10.3.6), for examples and details of the keytool command.Note: Weblogic is pre-configured with Demo certificates and stores that can also be used to setup the certificates for testing purposes, the keytool examples are shown here as a guide to administrators of the environment.Create a new directory for the keystore for the EID Studio Managed Server:
cd <MW_HOME> (/u01/Oracle/Middleware/)
mkdir keystores
cd keystores (/u01/Oracle/Middleware/keystores)Create a new Self-Signed Keystore for Weblogic Studio Managed Server:
The following keytool examples show the command syntax to generate self-signed artifacts, substitute the example parameter values with the relevant parameters for your environment.
keytool -genkeypair -alias wlskey -keyalg "RSA" -keysize 2048 -keystore weblogic.jks -validity 3650 -dname "CN=endecahost.example.com, OU=OAS, O=WLS, ST=AP, C=US"
You will be prompted to specify a password for the keystore and a password for the key, make a note of these passwords as they are used in the following keytool commands.
(This command creates weblogic.jks)
keytool -selfcert -alias wlskey -keystore weblogic.jks -dname "CN=endecahost.example.com, OU=OAS, O=WLS, ST=California, C=US"
Enter the keystore and key passwords when prompted.
keytool -export -alias wlskey -rfc -file jks_ca.crt -keystore weblogic.jks
Enter the keystore password when prompted.
(This command creates jks_ca.crt - Root Certificate of the Studio Managed Server Keystore that should be imported to the Oracle E-Business Suite Apache Wallet)3.1.2 Configuring WebLogic Studio Managed Server for SSL
The following section summarizes the steps to configure the WebLogic server for SSL. Refer to Configuring SSL in Oracle® Fusion Middleware Securing Oracle WebLogic Server 11g Release 1 (10.3.6) for additional details.The task summary noted below needs to be completed for the Studio Managed Server (details for each task are noted below that):Navigate through the WebLogic console as per the following order :Servers -> (Lock & Edit) StudioManagedServer -> Keystores tab -> change Keystores to Custom Identity and Custom Trust
- Set the Keystore type as Custom Identity and Custom Trust.
- Specify the 'weblogic.jks' file location (full path) for the Custom Identity and Custom Trust Keystores.
- Specify the Keystore Type as JKS and specify the passphrase used while creating the keystore.
- Check that under the SSL tab, the Trusted Certificate authorities are set as "from Custom Trust Keystore".
- Ensure that the SSL Port is enabled and does not conflict with any other ports in your environment.
Login to the Endeca Domain Admin Console: http://<ENDECA-DOMAIN-HOSTNAME>:<WLS_Port>/console.
- Expand 'Environment' then click 'Servers'
- Select the Keystores tab (Environments > Servers > StudioManagedServer > Keystores)
- Enter values for the following :
- Keystores - Click the 'Change' button, then Select 'Custom Identity and Custom Trust' (was originally Demo Identity and Demo Trust') then click 'Save'
- Custom Identity Keystore - /u01/Oracle/Middleware/keystores/weblogic.jks
- Custom Identity Keystore Type - JKS
- Enter password for "Custom Identity Keystore Passphrase" and "Confirm Custom Identity Keystore Passphrase" - <WebLogic Password> (or the password you have used so far in these steps).
- Custom Trust Keystore - /u01/Oracle/Middleware/keystores/weblogic.jks
- Custom Trust Keystore Type - JKS
- Enter password for "Custom Trust Keystore Passphrase" and "Confirm Custom Trust Keystore Passphrase" - <WebLogic Password>
- Click on the Save button.
- The following confirmation message is displayed: 'Settings updated successfully'
Select the SSL tab.
- Private Key Alias: wlskey, as specified (the default value is 'mykey' if an alias was not specified earlier when generating the keystore)
- Enter the "Private Key Passphrase" and "Confirm Private Key Passphrase" - <WebLogic Password>
- Click the 'Save' button then click the 'Advanced' link. Change the value of Hostname Verification to NONE.
- If Use Server Certs checkbox is checked, un-check it. For "Two Way Client Cert Behavior" - Select "Client Certs Not Requested".
- Click on the Save button (save the changes).
Click on the General Tab.
- Ensure that ' SSL Listen Port Enabled' is checked (selected), set the port value to an available port in the system (i.e. a port that is not already in use in this environment), click on the Save button.
Go to the Advanced Configuration and check the checkboxes for "WebLogic Plug-In Enabled" & "Client Cert Proxy Enabled", click on the Save button.Go to the General tab of configuration under the Studio Managed Server and check the 'SSL Listen Port Enabled' checkbox, click on the Save button.Click 'Activate Changes' in the 'Change Center' pane (top left).The following confirmation message is displayed:
All changes have been activated. However 1 item must be restarted for the changes to take effect.Restart the Studio Managed Server to pick up the changes:cd /u01/Oracle/quickInstall/bin
./stopAllEndeca.sh
Choose Option 2 - Studio Managed Server, enter the Endeca Domain admin username and password when prompted
Choose Option 7 to exit
./startAllEndeca.sh
Choose Option 5 - Studio Managed Server, enter the Endeca Domain admin username and password when prompted
Choose Option 7 to exitNote: The certificate and associated artifacts created on the Endeca host will need to be copied over to the Oracle E-Business Suite and added to the Oracle Wallet, as noted in the next section.3.2 Configuring Oracle E-Business Suite to enable HTTPS based connectivity with the SSL-enabled EID installation
The Oracle Wallet Manager on the Oracle E-Business Suite side needs to be updated with the certificate you created on the EID Studio installation.
In the Oracle E-Business Suite Release 12.2 installation there are two file systems for Online Patching. The steps detailed in this section must be executed on the Run File System in order to ensure that during the next online patching the SSL setup to integrate Endeca Studio is then propagated to the Patch File System.
You will need to identify the value of several Application Context variables for subsequent steps, use the following commands to find them in the $CONTEXT_FILE :
grep -i s_web_ssl_directory $CONTEXT_FILE
grep -i s_file_edition_type $CONTEXT_FILENote: When working with wallets and certificates, you must use the Oracle Fusion Middleware 11g executables.
- Confirm that you are in the Run file system of the Oracle E-Business Suite environment :
- Source your application tier environment file (<sid_machine>.env), located in the APPL_TOP directory on the Run File System The file system with the Application Context file variable {s_file_edition_type} set to 'run' denotes the Run File System.
- Do not source the APPS<sid_machine>.env file, otherwise the 10.1.2 environment variables will be picked up, and Oracle Wallet Manager 11g will fail to start. After sourcing the environment file $FILE_EDITION environment variable should be 'run'.
- Set the PATH environment variable to include the Fusion Middleware Web Tier 11g location. For example: export PATH=$FMW_HOME/webtier/bin:$PATH
- Set the DISPLAY environment variable. For example: export DISPLAY= <hostname or ip address>:0.0
3.2.1 Add the certificate to the wallet used by Oracle E-Business Suite
Note: All trusted certificates that make up the chain must be imported into the EBS Oracle Wallet, especially if the certificate (for Endeca) was issued by a CA which provided an intermediate certificate which does not exist in the EBS Oracle Wallet, the root and intermediate certificate for the chain needs to be imported also. Refer to Document 1367293.1 , for additional details.
- Copy/SCP the certificate created on the EID Studio installation (jks_ca.crt) to the Oracle E-Business Suite {s_web_ssl_directory}/Apache directory.
- Import the trusted certificate into the Oracle Wallet Manager in Oracle E-Business Suite as per the steps noted below: (Refer toDocument 1367293.1 , Section 3 for reference and source of the following steps that you need to follow)
- On the Oracle E-Business Suite side, navigate to the {s_web_ssl_directory}/Apache directory and start the Oracle Wallet Manager (On the linux command line, owm & will invoke Oracle Wallet Manager as a background process).
- Open the existing wallet (you will need the password used when SSL was enabled on the Oracle E-Business Suite instance)
- Click on Operations -> Import Trusted Certificate
- Select the ENDECA certificate to be imported (jks_ca.crt)
- This should now be displayed under the list in the Wallet Manager (e.g. endecahost.example.com)
- Select Wallet > Save, to save the imported certificate in the Oracle E-Business Suite Wallet
3.2.2 Modify the OHS walletUse the following instructions to copy the {s_web_ssl_directory}/Apache wallet to {s_ohs_instance_loc}/config/OHS/{s_ohs_component}/keystores/default directory location:
- Navigate to the {s_ohs_instance_loc}/config/OHS/{s_ohs_component}/keystores/default directory location. Refer to the Application Context file for the exact location of the ohs_instance_loc variable (details the ohs instance location) and the ohs_component variables (name of a specific ohs component for example OHS).
- Move the existing wallet files to a backup directory.
- Copy the cwallet.sso from {s_web_ssl_directory}/Apache into the current directory.
3.2.3 Modify the OPMN walletNote: If the E-Business Suite instance does not have the OPMN directories, then this step can be skipped. For example, in a DMZ configuration, the external E-Business Suite instance may only be the web-tier installation.The default location for the OPMN wallet is in the {s_ohs_instance_loc}/config/OPMN/opmn/wallet directory. Refer to the Application Context file for the exact location of the {ohs_instance_loc} variable (gives details of the OHS instance location).Use the following steps to backup and copy the wallets to the OPMN location:
- Navigate to the {s_ohs_instance_loc}/config/OPMN/opmn/wallet directory.
- Copy the existing wallet files to a backup directory.
- Copy the cwallet.sso files from the {s_ohs_instance_loc}/config/OHS/{s_ohs_component}/keystores/default directory to the current directory.
3.2.4 Update the endeca.conf file to add the required SSL directivesNavigate to the {s_ohs_instance_loc}/config/OHS/{s_ohs_component}/ directory on the Oracle E-Business Suite Host.Add the following directives to the endeca.conf fileSSLProxyEngine on
SSLProxyWallet "<ebs-ohs-wallet-directory>"Replace <ebs_ohs_wallet-directory> with the values in your environment for {s_ohs_instance_loc}/config/OHS/{s_ohs_component}/keystores/defaultFor example:3.3 Configure the EID Studio for SSL based connectivityVerify that all of the Endeca URLs in the endeca.conf file specify 'https' and the https port.
SSLProxyEngine on
SSLProxyWallet "/u01/R122_EBS/fs2/FMW_Home/webtier/instances/EBS_web_ebs122_OHS1/config/OHS/EBS_web_ebs122/keystores/default"
The following steps detail the configuration updates needed for the Endeca Studio component connecting to the E-Business Suite instance using HTTPS.
3.3.1 Updating the portal-ext.properties file:
Edit the $EID_HOME/Oracle/Middleware/user_projects/domains/portal-ext.properties file to update the properties web.server.http.port and web.server.protocol. EID_HOME refers to the base directory of the EID Studio installation.
web.server.https.port=<HTTPS Port>
web.server.protocol=httpsThe value of web.server.https.port=<HTTPS Port> is the HTTPS Port specified in the endeca.conf file in the SSL-Enabled E-Business Suite that this Endeca environment is connecting to. Look for the value of Port under the section in httpd.conf that states:
# Port: The port to which the standalone server listens. For ports < 1024, you will need the httpd to be run as root initially
# This port is used when starting without SSL
Port <This is the SSL port number you need>
Listen <The Non-SSL port>You can also confirm this port number for the SSL-enabled Oracle E-Business Suite instance by going to the Oracle E-Business Suite URL which will show the HTTPS port in the URL itself.Update web.server.protocol property with the value "https" for SSL. Update the web.server.https.port property with the value of the SSL port.
web.server.host=<OHS hostname>
web.server.https.port=<HTTPS Port>
web.server.protocol=httpsRestart the Studio Managed Server for the new values to take effect:cd /u01/Oracle/quickInstall/bin
./stopAllEndeca.sh
Choose Option 2 - Studio Managed Server, enter the Endeca Domain admin username and password when prompted
Choose Option 7 to exit
./startAllEndeca.sh
Choose Option 5 - Studio Managed Server, enter the Endeca Domain admin username and password when prompted
Choose Option 7 to exitNote: Pay attention to the accuracy of the web.server.protocol and associated the web.server.https.port. For non-SSL connections, use the web.server.http.port.Various areas of the EBS-EID system are updated to ensure HTTPS-based connectivity between E-Business Suite and the EID Studio installation. To confirm that the SSL configuration you made on the EID Studio deployment and the E-Business Suite was done correctly, navigate to an EBS-EID Product integration for a specific E-Business Suite product that was deployed in this system and check that the Endeca-generated information can be viewed on the E-Business Suite side.Note: The FND_ENDECA_PORTAL_URL profile option in the E-Business Suite instance should be updated to the new HTTPS URL with the SSL port number.
Note: If the EBS is secured then the secured Map URLs need to be used for the Map component to be rendered successfully. Follow the steps shown below :
1- Go to Studio, Control Panel, Framework Settings.
2- Update the URLs for df.mapLocation and df.mapViewer to be https instead of http.
3- Click on "Update Settings".
URLs need to be explicitly set to:
df.mapLocation: <a target="_blank" href="https://elocation.oracle.com/elocation">https://elocation.oracle.com/elocation</a>
df.mapViewer: <a target="_blank" href="https://elocation.oracle.com/mapviewer">https://elocation.oracle.com/mapviewer</a>Appendix A: Enabling SSL for Endeca Server and Endeca Integrator components
Oracle E-Business Suite Product specific documentation for additional EID components:
To setup SSL connectivity for additional EID components after you have enabled SSL for the Endeca Studio connectivity with the Oracle E-Business Suite, please review the following documentation:
Endeca Server:
Endeca Integrator:
Endeca Studio:
The Endeca Studio Security Guide has instructions on securing the Studio with the other Endeca components.
Please check My Oracle Support for the most current versions of the documents noted in this Appendix.
Appendix B: Examples of Commands to Start and Stop WebLogic Servers
The following commands on the Linux command-line are examples of starting and stopping the WebLogic servers for the DMZ domain. Substitute the parameter values in these examples as per your particular environment.$ source /u01/Oracle/quickInstall/EidConfig.properties
$ cd <DMZ ENDECA SERVER DOMAIN>/bin
Starting WebLogic Domain
$ ./startWebLogic.sh > dmz_domain.log &
Starting DMZ Studio managed server :
$ ./startManagedWebLogic.sh StudioManagedServerDMZ t3://localhost:8012 > dmz_studio.log &
Stopping WebLogic Domain :
$ ./stopWebLogic.sh
Stopping DMZ Studio managed server :
$ ./stopManagedWebLogic.sh StudioManagedServerDMZ t3://localhost:8012
Srinithanks
No comments:
Post a Comment
No one has ever become poor by giving