WebSEAL and Oracle EBS R12 Forms SSO – Mk II

Background:

In the latest release of Oracle E-Business, there has been a number of modifications to the security that is applied to their default login form.

I captured the initial changes in a blog entry that was posted to on this site here: https://philipnye.com/posts/webseal-forms-sso-into-oracle-ebs-v12/

Disabling the security parameters to make the standard login forms work with WebSEAL is not always possible, so we have found an alternative Forms SSO mechanism to log into an EBS server.

Summary:
This approach differs from the previous approach by creating a new custom login page based on Oracle documented processes. This login page is not required to submit the javascript generated parameters which makes it very simple to use the standard WebSEAL forms based SSO functionality.

Custom Login Pages

System Administrators can create custom login pages. The custom page will need to post to the servlet AuthenticateUser, which requires two attributes: username and password. Once the user is successfully authenticated, the servlet will redirect the user to a destination defined inrequestUrl or the default APPSHOMEPAGE. If the authentication fails, the servlet will redirect the user to the login page with the error message in the parameter errCode.

To deploy a custom login page:

  1. Place the new servlet in the OA_HTML directory.
  2. Create a new function (FND_FORM_FUNCTION) – the web_html value of this function should be populated with file name of your new login page. The function code should begin with ‘APPS_LOGIN’.
  3. Assign this function to the APPS_LOGIN_DEFAULT menu. As this menu is already granted to all users (including guest), the grant flag is not needed.
  4. Update the profile option APPS_LOGIN_FUNCTION with new function name. The drop-down for this profile will query only function codes starting with APPS_LOGIN.

The above snippet was from the:
Oracle E-Business Suite Security Guide
Release 12.2
Part Number E22952-09

It makes use of a servlet for authentication, available as follows:

http://<host>/OA_HTML/AuthenticateUser

A simple test can be performed to test it’s functionality by using the following:

http://<host>/OA_HTML/AuthenticateUser?username=<username>&password=<password>

Create a Custom Login Page

Create a simple JSP page, that POST’s the parameters to the Servlet above.

<html>
<body>
Custom Login Form
<form method="POST" 
action="/OA_HTML/AuthenticateUser?requestUrl=http://redirecthere">
Username: <input type="text" name="username"><br/>
Password: <input type="text" name="password">
<input type="submit">
</form>
</body>
</html>

A JSP seems to be necessary (or a Servlet) since this appears to be necessary to be an acceptable redirect for the Default Login Page, and a ‘requestUrl’ seemed to be mandatory, even if it wasn’t used.

Deploy on the Oracle Application Server

Place the JSP in the OA_HTML directory, in my environment it was located here:

 /data/oracle/PROD/apps/apps_st/comn/webapps/oacore/html/customLogin.jsp

By default in Oracle EBS R12, jsp pages aren’t compiled at runtime, but are precompiled. As such, a script needs to be run to compile the JSP.

I found instructions for it here: http://knoworacleappsdba.blogspot.com.au/2012/04/custom-jsp-file-in-oracle-ebs-r12.html

On my environment I ran the following command:

[root@oracletam admin]# /data/oracle/PROD/apps/apps_st/appl/fnd/12.0.0/patch/
115/bin/ojspCompile.pl --compile -s customLogin.jsp -conf ojspCompile.conf
WARNING! Could not find perl executable: $ORACLE_HOME/Apache/perl/bin/perl 
(/data/oracle/PROD/apps/tech_st/10.1.3/Apache/perl/bin/perl)
  /data/oracle/PROD/apps/apps_st/appl/fnd/12.0.0/patch/115/bin/ojspCompile.pl 
  requires mod_perl from Apache or
  the default perl on the path must have its libs set up correctly!
  If you set up the environment variable PERLLIB or PERL5LIB, this
  warning will not be displayed and exec mod_perl will not be attempted

logfile set: /data/oracle/PROD/inst/apps/PROD_oracletam/logs/appl/rgf/ojsp/
ojspc_error.log
starting...(compiling delta)
using 10i internal ojsp ver: 10
synchronizing dependency file:
  loading deplist...8095
  enumerating jsps...8096
  updating dependency...2
  parsing jsp...2
  writing deplist...8096
initializing compilation:
  files to compile...1
  eliminating children...1 (-0)
  searching uncompiled...1
translating and compiling:
  searching untranslated...1
  translating jsps...1/1 in 1s
  compiling jsps...1/1 in 2s
Finished!

Now navigating to the login page produced my login page.

customlogin

Set Login page as the new default

Either follow the steps from the manual above ‘Custom Login Pages’. Or you can modify the login page default by setting the existing login page to be the new one.

ebsconfig

Be sure to save the old value before overwriting it.

I found it was necessary to purge the cache before testing.

cache

Testing

Navigating to the URL http://<yourserver>/OA_HTML/AppsLocalLogin.jsp

should now redirect you to your custom login form via RF.jsp:

ebslogin

Test that the login completes correctly.

Forms SSO with WebSEAL

The form should now be a simple form to use the WebSEAL forms SSO capabilities, with no active scripting required.

One thought on “WebSEAL and Oracle EBS R12 Forms SSO – Mk II

Add yours

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

WordPress.com.

Up ↑

%d bloggers like this: