Performing Post-Provisioning and Post-Cloning Tasks for Oracle E-Business Suite on Oracle Cloud Infrastructure

Section 0: Before You Begin

This tutorial shows you how to perform required tasks for environments you have provisioned or cloned using Oracle E-Business Suite Cloud Manager on Oracle Cloud Infrastructure.

Background

After you provision or clone an environment, you must perform some tasks to configure access and secure the environment. You may also need to perform other tasks depending on your Oracle E-Business Suite release, Oracle Database release, and the cloud service on which the database tier resides. These tasks apply for new environments created through either One-Click Provisioning or Advanced Provisioning, for environments created from a backup through Advanced Provisioning, and for environments created through cloning in Oracle E-Business Suite Cloud Manager.

What Do You Need?

Section 1: Access Your Oracle E-Business Suite Environment

This section describes how users can access the login page for an Oracle E-Business Suite environment that was created using Oracle E-Business Suite Cloud Manager and how administrators can access the application tier and database tier nodes that make up the Oracle E-Business Suite environment.

User access: Before users can log in to Oracle E-Business Suite from a client computer, they must configure a DNS entry for the Oracle E-Business Suite host name in the local hosts file on that computer. This entry lets the DNS server resolve the host name for the web entry point to the IP address.

Provide users the host name of the web entry point for the environment, including the domain name, that they should use in the DNS entry. For example, if the host for the web entry point is myhost and the domain is example.com, then the host name in the DNS entry should be: myhost.example.com

Additionally, provide users the IP address for the web entry point, to which the host name should be mapped in the DNS entry. Check the Oracle E-Business Suite Cloud Manager environment details page for your environment to find the IP address for the web entry point.

Each user must then perform the following steps.

  1. Update the /etc/hosts file on your client computer by adding a DNS entry in the following format:
    <external_IP_address> <host_name>
  2. You can now navigate to the Oracle E-Business Suite login page at the following URL:
    [http|https]://<host_name>:<port>/OA_HTML/AppsLogin

    For example:

    http://myhost.example.com:8000/OA_HTML/AppsLogin

    The Oracle E-Business Suite Cloud Manager environment details page includes a link to the Oracle E-Business Suite login page URL.

Administrator access: After you create an Oracle E-Business Suite environment, as a database administrator (DBA) for the environment you will need to perform tasks such as starting and stopping services, applying patches, modifying files, and so on. One method to access the nodes that make up the environment is to connect through the Oracle E-Business Suite Cloud Manager Compute instance, as follows:

  1. First, connect to your Oracle E-Business Suite Cloud Manager Compute instance that was created according to Section 4, "Create Oracle E-Business Suite Cloud Manager Compute Instance," in My Oracle Support Knowledge Document 2434500.1, Deploying Oracle E-Business Suite Cloud Manager on Oracle Cloud Infrastructure. To connect, follow the instructions in Connecting to an Instance.
  2. After you have logged on to the Cloud Manager Compute instance, change to the oracle user.
    $ sudo su - oracle
  3. You can now connect directly from the Cloud Manager Compute instance to the node you want in your Oracle E-Business Suite environment using the node's private IP address. Check the Oracle E-Business Suite Cloud Manager environment details page for your environment to find the private IP address for each application tier node and database tier node in the environment.
    $ ssh <private_IP>

If you deployed a separate bastion server and you plan to manage access to the Oracle E-Business Suite environments from that bastion server, then you can copy the private key in /u01/install/APPS/.ssh/id_rsa from the Oracle E-Business Suite Cloud Manager VM to the appropriate home directories on the bastion server. Alternatively, you can create accounts for each individual user on the bastion host and a corresponding user on the Oracle E-Business Suite VMs that the user needs to manage. On each VM host, grant the user "sudo to oracle" access.

Database administration access: When you provision an environment through Advanced Provisioning, you must specify a database admin password as part of the database tier details. You can use this password to log in to the database as the SYS user and perform database administration tasks.

Additionally, if Transparent Data Encryption (TDE) is enabled for an environment created through Advanced Provisioning, then you can also use the same database admin password to access the TDE wallet for the new environment. TDE is enabled for the following types of environments provisioned using Advanced Provisioning:

  • All environments with a database tier on 1-Node VM DB System, 2-Node VM DB System, or Exadata DB System, including both new environments and environments created from a backup. Note that even if the source environment for a backup was not TDE-enabled, TDE is still enabled for environments that are created from that backup on 1-Node VM DB System, 2-Node VM DB System, or Exadata DB System.
  • All environments with a database tier on Compute that are created from a backup of a TDE-enabled source environment.
  • Environments with a database tier on Compute that are created from a backup of a non-TDE source environment, if you select the Enable TDE option during provisioning.
  • New environments created with Advanced Provisioning with a database tier on Compute, if you select the Enable TDE option during provisioning.

Note that TDE is not enabled for environments created with One-Click Provisioning. Also, TDE is not enabled if you do not select the Enable TDE option when it appears during Advanced Provisioning for environments on Compute.


Section 2: Implement Workaround for Oracle Databases on Exadata DB Systems (Conditionally Required)

This workaround resolves a known issue that impacts SQL*Net configuration files on secondary nodes. The steps in this section are required only for a provisioned environment with the database on an Exadata DB System with Oracle Database Release 12.1.0.2.

  1. Identify the private IP address of each secondary Exadata DB System node from the Exadata DB Systems console.
  2. Perform steps 3-8 for all secondary Exadata DB System nodes.
  3. While logged in to the Oracle E-Business Suite Cloud Manager VM as the oracle user, use ssh to connect to the secondary Exadata DB Systems node.
  4. Obtain the ORACLE_HOME details from the oratab file:
    $ cat /etc/oratab 
  5. Source the environment file:
    $ cd <ORACLE_HOME>
    $ source <SID>_<HOSTNAME>.env
  6. Navigate to the $ORACLE_HOME/network/admin directory:
    $ cd $ORACLE_HOME/network/admin
  7. Using a text editor such as vi, edit the sqlnet.ora file. First, delete all existing lines from the sqlnet.ora file. Then add the following line:
    IFILE=<ORACLE_HOME>/network/admin/<SID>_<HOSTNAME>/sqlnet.ora
  8. Create a listener.ora file with a text editor such as vi, and add the following line:
    IFILE=<ORACLE_HOME>/network/admin/<SID>_<HOSTNAME>/listener.ora

Section 3: Update Profile Options (Conditionally Required)

If you provision an environment as part of a lift and shift process, then profile options, which impact the way your application looks and behaves, are carried over from the on-premises Oracle E-Business Suite environment to Oracle Cloud Infrastructure.

Profile options are handled in various ways by the automated lift and shift process through the Oracle E-Business Suite Cloud Backup Module and Oracle E-Business Suite Cloud Manager.

  • Oracle E-Business Suite Cloud Manager resets the site level and server level values of some instance-specific profile options containing a web entry point to match the Oracle Cloud Infrastructure deployment. For example, the APPS_FRAMEWORK_AGENT profile option value is set to the web entry point that you chose in the Oracle E-Business Suite Cloud Manager Advanced Provisioning UI.
  • Other profile option settings, including those at the user level and responsibility level, are preserved at their original on-premises values. The Oracle E-Business Suite Cloud Backup Module generates a report of the existing user level values for some commonly used profile options containing URLs that you must manually reset. This report is located in the /u01/install/APPS/apps/appsinfo/appsinfo.txt file on the target system. The report includes the following profile options: APPS_WEB_AGENT, APPS_SERVLET_AGENT, APPS_JSP_AGENT, APPS_FRAMEWORK_AGENT, ICX_FORMS_LAUNCHER, ICX_DISCOVERER_LAUNCHER, HELP_WEB_AGENT, and ICX_DISCOVERER_VIEWER_LAUNCHER.

Review all the profile options in your newly provisioned environment and modify them as required to reflect your Oracle Cloud Infrastructure configuration.

For more information about the use of profile options in Oracle E-Business Suite, see User Profiles and Profile Options in Oracle Application Object Library, Oracle E-Business Suite Setup Guide.


Section 4: Update Web Entry Host and Domain Name (Conditionally Required)

When you provision an Oracle E-Business Suite environment with One-Click Provisioning, the environment is automatically configured to use Load Balancer as a Service (LBaaS), with Transport Layer Security (TLS) enabled for inbound HTTP traffic. The login URL is automatically generated in the format <instance name>.example.com, and the listener for the load balancer is associated by default with a self-signed TLS certificate generated by Oracle E-Business Suite Cloud Manager.

With the simplified preset topology used in One-Click Provisioning, you cannot specify a different host and domain for the web entry point during provisioning. However, you can use the steps in this section to update the host and domain for the web entry point after provisioning is complete.

Note that if you plan to replace the self-signed certificate generated by Oracle E-Business Suite Cloud Manager with a certificate issued by a certificate authority (CA), then you must follow the steps in this section to change the domain name before you request the certificate, because you cannot obtain a certificate from a CA for the demonstration example.com domain.

If you provisioned an environment with Advanced Provisioning, you can also optionally use the steps in this section to update the host and domain for the web entry point if you need to change these values from those you initially specified during provisioning.

To update the host and domain, perform the following steps.

  1. Using a text editor such as vi, update the following variables in the context file on all application tier nodes.
    • s_webentryhost - Set the value for this variable to the new web entry host you want to use.
    • s_webentrydomain - Set the value for this variable to the new web entry domain you want to use.
    • s_external_url - Update the value for this variable to use the new web entry host and domain that you specified in the s_webentryhost and s_webentrydomain variables. Do not change any other parts of the URL value. The full new value should be in the following form:
       [http|https]://<web_entry_host>.<web_entry_domain>:<load_balancer_listener_port>
    • s_login_page - Update the value for this variable to use the new web entry host and domain that you specified in the s_webentryhost and s_webentrydomain variables. Do not change any other parts of the URL value. The full new value should be in the following form:
       [http|https]://<web_entry_host>.<web_entry_domain>:<load_balancer_listener_port>/OA_HTML/AppsLogin
  2. If you are finished updating the context file, then you should now run AutoConfig on all application tier nodes. See Using AutoConfig Tools for System Configuration, Oracle E-Business Suite Setup Guide.

    Note that if you plan to make additional changes in the context file in order to configure TLS, according to the instructions in section 5, 6, or 7 of this tutorial, then you can defer running AutoConfig until you are instructed to do so in those sections. In this case, you can skip this step and the following step. Instead, proceed to section 5 if you are using Load Balancer as a Service (LBaaS), section 6 if you are using an on-premises load balancer, or section 7 if you are not using a load balancer.

  3. After running AutoConfig, on all application tier nodes, stop and restart all services by running the adstpall.sh script and the adstrtal.sh script.

Section 5: Upload TLS Certificate (Conditionally Required)

Perform the steps in this section to upload a certificate if you enabled or plan to enable Transport Layer Security (TLS) for your environment.

TLS is enabled during provisioning if you used One-Click Provisioning, which deploys Load Balancer as a Service (LBaaS) with the https protocol automatically, or if you used Advanced Provisioning and you chose either New Load Balancer (LBaaS) or Application Tier Node as the web entry type and you chose the https protocol. In this case, Oracle E-Business Suite Cloud Manager configures your environment to encrypt inbound HTTP traffic with TLS. The initial configuration uses a self-signed certificate generated by Oracle E-Business Suite Cloud Manager. You must replace this certificate with a TLS certificate issued by a certificate authority (CA) or your own self-signed certificate generated using the web entry host for your Oracle E-Business Suite instance.

If you did not enable TLS during provisioning, you can enable it manually as a post-provisioning step. TLS is not enabled during provisioning if you used Advanced Provisioning and you chose either New Load Balancer (LBaaS) or Application Tier Node as the web entry type and you chose the http protocol. As a prerequisite for enabling TLS, you must obtain and upload a TLS certificate issued by a certificate authority (CA) or generate and upload your own self-signed certificate using the web entry host for your Oracle E-Business Suite instance.

Additionally, if you are using an on-premises load balancer and you chose Manually Configured Load Balancer as the web entry type, you can enable TLS manually as a post-provisioning step. To do so, you must upload a TLS certificate as required for your load balancer.

New Load Balancer (LBaaS): If you configured TLS using LBaaS during provisioning or will manually perform this configuration, perform the following steps to upload your certificate.

  1. Obtain a TLS certificate valid for the name of the web entry host for your Oracle E-Business Suite instance, or generate a self-signed certificate. The web entry host name is formed by combining the values of the application tier context variables s_webentryhost and s_webentrydomain.

    Oracle Cloud Infrastructure provides a public IP address but does not provide a public host name, so you should ensure that appropriate DNS entries are present to resolve the web entry host name to the public IP address.

    If you changed the web entry host and domain for your environment in the previous section, ensure that you use the new host, domain, and URL when you request or generate a certificate. Note that if you deployed your environment with One-Click Provisioning and you plan to request a certificate from a CA, you must ensure that you have changed the domain name from the default example.com domain before you request the certificate, because you cannot obtain a certificate from a CA for the demonstration example.com domain.

  2. If you are using a self-signed certificate that you generated yourself, ensure that you import the certificates to the JDK trust stores.
  3. Log in to the Oracle Cloud Infrastructure console. From the navigation menu, select Networking > Load Balancers, and then select the load balancer you want to configure.
  4. Add your certificate bundle to the load balancer. See To upload an SSL certificate bundle to your load balancing system in the Oracle Cloud Infrastructure Services documentation.

    If you have multiple certificates that form a single certification chain, such as one or more intermediate certificates together with a root certificate, then you must include all relevant certificates in one file before you upload them to the system. See "Uploading Certificate Chains" in the section Working with SSL Certificates in the Oracle Cloud Infrastructure Services documentation.

  5. If you used One-Click Provisioning or if you chose the https protocol for LBaaS during Advanced Provisioning, and the load balancer listener is using the self-signed certificate generated by Oracle E-Business Suite Cloud Manager, then you should now update the certificate. To do so, on the Load Balancer page, click the Listeners link in the Resources menu. Click the Actions icon (three dots) for your listener, and select Edit from the context menu. In the Edit Listener pop-up, select the certificate bundle that you added in step 4 in the Certificate Name field. Then click Save Changes, and wait for the listener to be updated. See To edit a listener in the Oracle Cloud Infrastructure Services documentation.

Manually Configured Load Balancer: If you are using an on-premises load balancer, follow the instructions from your vendor to create and upload a certificate.

Application Tier Node: If you configured TLS at the application tier layer during provisioning, perform the following steps to upload your certificate. If you plan to configure TLS at the application tier layer manually, you will perform the certificate steps as part of that configuration in Section 8: Manually Enable TLS When Using Oracle HTTP Server as the TLS Termination Point.

  1. Obtain a TLS certificate valid for the name of the web entry host for your Oracle E-Business Suite instance, or generate a self-signed certificate. The web entry host name is formed by combining the values of the application tier context variables s_webentryhost and s_webentrydomain.

    Oracle Cloud Infrastructure provides a public IP address but does not provide a public host name, so you should ensure that appropriate DNS entries are present to resolve the web entry host name to the public IP address.

    If you changed the web entry host and domain for your environment in the previous section, ensure that you use the new host, domain, and URL when you request or generate a certificate. Note that if you deployed your environment with One-Click Provisioning and you plan to request a certificate from a CA, you must ensure that you have changed the domain name from the default example.com domain before you request the certificate, because you cannot obtain a certificate from a CA for the demonstration example.com domain.

  2. If you are using a self-signed certificate that you generated yourself, ensure that you import the certificates to the JDK trust stores.
  3. Upload your certificate to replace the initial certificate generated by Oracle E-Business Suite Cloud Manager.

Section 6: Manually Enable TLS When Using Load Balancer as a Service (LBaaS) as an Alternate Termination Point (Conditionally Required)

We highly recommend that you configure your environment to encrypt inbound HTTP traffic with Transport Layer Security (TLS). The steps in this section are applicable in either of the following cases:

  • You used Advanced Provisioning to deploy an environment using Load Balancer as a Service (LBaaS) as the web entry point and you did not enable Transport Layer Security (TLS) during provisioning. That is, you chose New Load Balancer (LBaaS) as the web entry type and you chose the http protocol for the web entry point.
  • You manually configured LBaaS but did not yet configure TLS.

We highly recommend that you perform the steps in this section to offload the encryption to the LBaaS and configure Oracle E-Business Suite to use HTTPS (HTTP over TLS).

Note that the configuration described here terminates TLS at the load balancer; that is, TLS is used only for communication between the client and the load balancer. Communication between the load balancer and the Oracle E-Business Suite instance does not use TLS. See "Terminating SSL at the Load Balancer" in the section Configuring SSL Handling in the Oracle Cloud Infrastructure Services documentation.

If you used One-Click Provisioning, which deploys LBaaS with the https protocol automatically, or if you used Advanced Provisioning and chose to deploy LBaaS with the https protocol, you can also optionally perform the relevant steps in this section to update the port for the load balancer listener if you need to change this value from the port you initially specified during provisioning.

To manually enable TLS in an environment that uses LBaaS as an alternate termination point, perform the following steps:

  1. Ensure that you have obtained and uploaded a certificate according to the steps in Section 5: Upload TLS Certificate.
  2. Log in to the Oracle Cloud Infrastructure console. From the navigation menu, select Networking > Load Balancers, and then select the load balancer you want to configure.
  3. On the Load Balancer page, click the Listeners link in the Resources menu. Click the Actions icon (three dots) for your listener, and select Edit from the context menu.
  4. Edit the load balancer listener to enable TLS. Enter the port to use for secure communication, such as 443. Then check the Use SSL option and specify the certificate name. See To edit a listener in the Oracle Cloud Infrastructure Services documentation.
  5. Using a text editor such as vi, verify or update the following variables in the context file on all application tier nodes for your environment.
    • s_webentryurlprotocol - Set the value for this variable to https.
    • s_url_protocol - Set the value for this variable to http.
    • s_enable_sslterminator - Remove any value set for this variable; that is, the value should be left blank.
    • s_active_webport - Set the value for this variable to the port you specified for the load balancer listener, such as 443.
    • s_external_url - Update the value for this variable to use the https protocol and the port you specified for the load balancer listener. The full new value should be in the following form:
       https://<web_entry_host>.<web_entry_domain>:<new_load_balancer_listener_port>
      If you are using the default HTTPS port 443, then you should omit the colon separator and the port from this URL. That is, if you are using port 443, then the value should be in the following form:
       https://<web_entry_host>.<web_entry_domain>
    • s_login_page - Update the value for this variable to use the https protocol and the port you specified for the load balancer listener. The full new value should be in the following form:
       https://<web_entry_host>.<web_entry_domain>:<new_load_balancer_listener_port>/OA_HTML/AppsLogin
      If you are using the default HTTPS port 443, then you should omit the colon separator and the port from this URL. That is, if you are using port 443, then the value should be in the following form:
       https://<web_entry_host>.<web_entry_domain>/OA_HTML/AppsLogin

    For more information, see Using Load-Balancers with Oracle E-Business Suite Release 12.2, My Oracle Support Knowledge Document 1375686.1 or Using Load-Balancers with Oracle E-Business Suite Release 12.0 and 12.1, My Oracle Support Knowledge Document 380489.1.

    Additionally, ensure you have set other context file variables as needed for using the load balancer as the TLS termination point. For Release 12.2, see the "Changes When Using a TLS Termination Point Other than OHS" table in My Oracle Support Knowledge Document 1367293.1, Enabling TLS in Oracle E-Business Suite Release 12.2, Section 9: Alternate TLS Termination Point. For Release 12.1, see the "Changes When Using a TLS Termination Point Other than OHS" table in My Oracle Support Knowledge Document 376700.1, Enabling TLS in Oracle E-Business Suite Release 12.1, Section 9: Alternate TLS Termination Point.

    If you are running Oracle HTTP Server on a privileged port - that is, a port number below 1024 - then you must perform additional configuration steps. See Running Oracle HTTP Server on a Privileged Port in Managing Configuration of Oracle HTTP Server and Web Application Services in Oracle E-Business Suite Release 12.2, My Oracle Support Knowledge Document 1905593.1. For more information, see Enabling Oracle HTTP Server to Run as Root for Ports Set to Less Than 1024 (UNIX Only), Oracle Fusion Middleware Administrator's Guide and Starting Oracle HTTP Server on a Privileged Port, Oracle Fusion Middleware Administrator's Guide for Oracle HTTP Server.

  6. Run AutoConfig on all application tier nodes. See Using AutoConfig Tools for System Configuration, Oracle E-Business Suite Setup Guide.
  7. On all application tier nodes, stop and restart all services by running the adstpall.sh script and the adstrtal.sh script.
  8. If necessary, update the security lists for the load balancer subnets by adding a security rule that allows inbound communication on the port you specified for the load balancer listener, from the clients from which you will access the Oracle E-Business Suite URL. See Working with Security Lists. This step is required only if you updated the port for the load balancer listener; that is, if you chose the http protocol for LBaaS during Advanced Provisioning, or if you chose the https protocol for LBaaS during Advanced Provisioning or used One-Click Provisioning and then used the preceding steps to change the port from the one specified during provisioning.

    In the Oracle Cloud Infrastructure console, open the security list for the load balancer and add a new entry under Allow rules for ingress with the following properties:

    • Source CIDR - The CIDR block for your on-premises network that includes the relevant clients
    • Protocol - TCP
    • Destination Port Range - The port you specified for the load balancer secure communication, such as 443

    Repeat these steps for each load balancer subnet.
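
The context file values from step 5, together with the web entry host and domain set in Section 4, can be checked for consistency before you run AutoConfig. The following script is an added example, not part of the Oracle tutorial. It assumes that each variable appears in the context file as an XML element carrying an oa_var="<variable name>" attribute on a single line; the function names, sample element names, and sample values are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: verify the step 5 context file values for TLS terminated at LBaaS.
# Assumption: every variable is an XML element tagged oa_var="<name>", one per line.

# ctx_get FILE VAR -> value of the context variable (empty if blank or absent)
ctx_get() {
    sed -n "s|.*oa_var=\"$2\"[^>]*>\([^<]*\)<.*|\1|p" "$1" | head -n 1
}

# expected_base_url HOST DOMAIN PORT -> https URL; ":443" is omitted as step 5 requires
expected_base_url() {
    if [ "$3" = "443" ]; then
        printf 'https://%s.%s\n' "$1" "$2"
    else
        printf 'https://%s.%s:%s\n' "$1" "$2" "$3"
    fi
}

# ctx_expect FILE VAR WANT -> report a mismatch and remember that one occurred
ctx_expect() {
    ctx_got=$(ctx_get "$1" "$2")
    if [ "$ctx_got" != "$3" ]; then
        echo "MISMATCH $2: got '$ctx_got', want '$3'"
        ctx_rc=1
    fi
}

# check_lbaas_tls_context FILE LISTENER_PORT -> 0 if all six variables are consistent
check_lbaas_tls_context() {
    ctx_rc=0
    ctx_base=$(expected_base_url "$(ctx_get "$1" s_webentryhost)" \
                                 "$(ctx_get "$1" s_webentrydomain)" "$2")
    ctx_expect "$1" s_webentryurlprotocol https
    ctx_expect "$1" s_url_protocol http          # LBaaS-to-OHS traffic stays http
    ctx_expect "$1" s_enable_sslterminator ""    # must be left blank
    ctx_expect "$1" s_active_webport "$2"
    ctx_expect "$1" s_external_url "$ctx_base"
    ctx_expect "$1" s_login_page "$ctx_base/OA_HTML/AppsLogin"
    return "$ctx_rc"
}

# write_sample_context FILE WEBPROTO PORT SSLTERM BASEURL
# Constructed fragment for the demo; element names are illustrative, only oa_var matters.
write_sample_context() {
    cat > "$1" <<EOF
<oa_context>
  <webentryurlprotocol oa_var="s_webentryurlprotocol">$2</webentryurlprotocol>
  <url_protocol oa_var="s_url_protocol">http</url_protocol>
  <enable_sslterminator oa_var="s_enable_sslterminator">$4</enable_sslterminator>
  <webentryhost oa_var="s_webentryhost">myhost</webentryhost>
  <webentrydomain oa_var="s_webentrydomain">example.com</webentrydomain>
  <activewebport oa_var="s_active_webport">$3</activewebport>
  <externURL oa_var="s_external_url">$5</externURL>
  <login_page oa_var="s_login_page">$5/OA_HTML/AppsLogin</login_page>
</oa_context>
EOF
}

demo_context_check() {
    demo_file=$(mktemp)
    # Constructed state of an environment provisioned with the http protocol.
    write_sample_context "$demo_file" http 8000 "#" "http://myhost.example.com:8000"
    if check_lbaas_tls_context "$demo_file" 443; then
        echo "context file is ready for AutoConfig"
    else
        echo "fix the variables listed above before running AutoConfig"
    fi
    rm -f "$demo_file"
}
demo_context_check
```

Run check_lbaas_tls_context against the context file on each application tier node, passing the port you set on the load balancer listener in step 4.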


Section 7: Enable TLS for Manually Configured Load Balancer (Conditionally Required)

The steps in this section are applicable if you used Advanced Provisioning to deploy an environment and chose Manually Configured Load Balancer as the web entry type. These steps apply whether you chose http or https as the protocol for the web entry point.

We highly recommend that you perform the steps in this section to set up the necessary encryption. First, encrypt the traffic between the client and the load balancer. Next, encrypt the traffic between the load balancer and the Oracle HTTP Server. After the encryption setup is complete, configure the Oracle E-Business Suite web entry point.

  1. Encrypt the traffic from the client to the load balancer by performing the configuration for an alternate TLS termination point for your Oracle E-Business Suite release.
  2. Encrypt the traffic between the load balancer and the Oracle HTTP Server.
    • If you have VPN set up between your on-premises network and Oracle Cloud, then you can optionally set up TLS end-to-end, or you can skip this setup and go to step 3.
    • If you do not have VPN set up between your on-premises network and Oracle Cloud, then we highly recommend that you set up TLS end-to-end.

    To set up TLS end-to-end, perform the appropriate configuration for your Oracle E-Business Suite release.

  3. You can now configure access to the Oracle E-Business Suite web entry point. To do so, perform the steps in Section 9: Manually Configure Firewall When Using Oracle HTTP Server or an On-Premises Load Balancer as the Web Entry Point.

Section 8: Manually Enable TLS When Using Oracle HTTP Server on the Application Tier Node as the Web Entry Point (Conditionally Required)

The steps in this section are applicable if you used Advanced Provisioning to deploy an environment using Oracle HTTP Server as the web entry point, without using a load balancer, and you did not enable Transport Layer Security (TLS) during provisioning. That is, you chose Application Tier Node as the web entry type and you chose the http protocol for the web entry point. In this case we highly recommend that you perform the following steps to encrypt the traffic between the client and the Oracle HTTP Server. After the encryption setup is complete, you must configure the Oracle E-Business Suite web entry point.

  1. Prepare the environment by applying the prerequisites for your Oracle E-Business Suite release.
  2. Encrypt the traffic from the client to the Oracle HTTP Server by performing the configuration for inbound connections for your Oracle E-Business Suite release.
  3. You can now configure access to the Oracle E-Business Suite web entry point. To do so, perform the steps in Section 9: Manually Configure Firewall When Using Oracle HTTP Server or an On-Premises Load Balancer as the Web Entry Point.

Section 9: Manually Configure Firewall When Using Oracle HTTP Server or an On-Premises Load Balancer as the Web Entry Point (Conditionally Required)

Perform the steps in this section to configure the required firewall rules if you are using Oracle HTTP Server or an on-premises load balancer as the web entry point. That is, you chose Application Tier Node or Manually Configured Load Balancer as the web entry type. We recommend limiting access to a specific CIDR range.

  1. First, on all application tier nodes, create firewall rules that allow inbound communication to the web entry port from the clients from which you will access the Oracle E-Business Suite URL. To do so, log on to the Oracle Cloud Infrastructure instance that hosts your Oracle E-Business Suite environment, using SSH. See Connecting to an Instance.

    Then switch to the root user:

    $ sudo su -

    Execute the following commands to create the required firewall rules:

    # firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=<source_CIDR_range> port port=<web_entry_port> protocol=tcp accept' --permanent
    # firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=<source_CIDR_range> port port=<web_entry_port> protocol=tcp accept'
    

    In these commands, replace <source_CIDR_range> with the set of IP addresses from which you will access the Oracle E-Business Suite URL. Replace <web_entry_port> with the appropriate port, for example 4443.

  2. Next, update the security list for the subnet that contains the application tier nodes by adding a security rule that allows inbound communication on the web entry port from the clients from which you will access the Oracle E-Business Suite URL. See Working with Security Lists.

    In the Oracle Cloud Infrastructure console, open the security list for the application tier subnet and add a new entry under Allow rules for ingress with the following properties:

    • Source CIDR - The CIDR block for your on-premises network that includes the relevant clients, as specified in your firewall rules
    • Protocol - TCP
    • Destination Port Range - The web entry port, for example 4443
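
To confirm that the web entry port is open only to the intended CIDR range, and that the runtime and permanent rules created by the two commands in step 1 agree, you can audit saved firewall-cmd rich rule listings. The following script is an added example, not part of the Oracle tutorial; the function names and the sample rules (including the 203.0.113.0/24 range) are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit rich rules for the web entry port from saved firewall-cmd output.
# Capture the input on an application tier node as root:
#   firewall-cmd --zone=public --list-rich-rules             > runtime.txt
#   firewall-cmd --zone=public --permanent --list-rich-rules > permanent.txt

# rules_for_port FILE PORT -> accept rules in FILE for tcp PORT
rules_for_port() {
    grep -F "port port=\"$2\" protocol=\"tcp\"" "$1" | grep -w accept || true
}

# unrestricted_rules FILE PORT -> rules for PORT that are open to any source
unrestricted_rules() {
    rules_for_port "$1" "$2" | awk '
        !/source address="/              { print; next }  # no source restriction
        /source address="0\.0\.0\.0\/0"/ { print }        # "any" written as a CIDR
    '
}

# rules_missing_from A B PORT -> rules for PORT listed in file A but absent from file B
rules_missing_from() {
    rules_for_port "$1" "$3" | while IFS= read -r rule; do
        grep -Fxq -e "$rule" "$2" || printf '%s\n' "$rule"
    done
}

# write_sample_rules DIR -> constructed runtime.txt and permanent.txt for the demo
write_sample_rules() {
    cat > "$1/runtime.txt" <<'EOF'
rule family="ipv4" source address="203.0.113.0/24" port port="4443" protocol="tcp" accept
rule family="ipv4" port port="4443" protocol="tcp" accept
rule family="ipv4" source address="0.0.0.0/0" port port="8000" protocol="tcp" accept
EOF
    cat > "$1/permanent.txt" <<'EOF'
rule family="ipv4" source address="203.0.113.0/24" port port="4443" protocol="tcp" accept
EOF
}

demo_firewall_audit() {
    demo_dir=$(mktemp -d)
    write_sample_rules "$demo_dir"
    echo "Open to any source on 4443:"
    unrestricted_rules "$demo_dir/runtime.txt" 4443
    echo "Runtime only (lost on reload or reboot):"
    rules_missing_from "$demo_dir/runtime.txt" "$demo_dir/permanent.txt" 4443
    echo "Permanent only (not active until reload):"
    rules_missing_from "$demo_dir/permanent.txt" "$demo_dir/runtime.txt" 4443
    rm -rf "$demo_dir"
}
demo_firewall_audit
```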

Section 10: Implement Workaround for Oracle Databases on 2-Node VM DB System (Conditionally Required)

This workaround resolves a known issue on 2-Node VM DB System. The steps in this section are required only for an environment created using an Oracle E-Business Suite Cloud Manager version prior to 19.3.1.1, with the database on a 2-Node VM DB System with Oracle Database Release 11.2.0.4.

Perform the following steps on the primary node of the VM DB System, except where noted.

  1. Get the database unique name using the following command. Run this command as root.
    # dbcli list-databases --json | grep databaseUniqueName

    Copy the output from this command. This value will be referred to in subsequent steps as <DB_UNIQUE_NAME>.

  2. Remove the database from srvctl using the following command. Run this command as the oracle user.
    $ srvctl stop database -d <dbname>
    $ srvctl remove database -d <dbname>
  3. On both VM DB System nodes, change the db_unique_name value in the database using the following commands.
    $ sqlplus "/ as sysdba"
    SQL> startup nomount
    SQL> alter system set db_unique_name='<DB_UNIQUE_NAME>' sid='*' scope=spfile;
  4. On both VM DB System nodes, shut down the database using the following command.
    SQL> shutdown immediate
  5. Add the new database unique name to CRS using the following commands.
    $ srvctl add database -d <DB_UNIQUE_NAME> -o /u01/app/oracle/product/11.2.0.4/dbhome_1
    $ srvctl add instance -d <DB_UNIQUE_NAME> -i <SID of instance1> -n <Node 1 HOST_NAME>
    $ srvctl add instance -d <DB_UNIQUE_NAME> -i <SID of instance2> -n <Node 2 HOST_NAME>
  6. On both VM DB System nodes, modify /etc/oratab as follows.
     <DB_UNIQUE_NAME>:/u01/app/oracle/product/11.2.0.4/dbhome_1:N              # line added by Agent 
  7. Start the database using the following command.
    $ srvctl start database -d <DB_UNIQUE_NAME> 

section 11Configure Security and Firewall Rules for Secure Access to the Fusion Middleware Control and WebLogic Server Administration Console (Conditionally Required)

The steps in this section are required only for Oracle E-Business Suite Release 12.2.

Administration of the Oracle Fusion Middleware 11g components delivered with Oracle E-Business Suite Release 12.2, including Oracle HTTP Server and Oracle WebLogic Server, requires secure access to the WebLogic Server administration ports running on the Oracle E-Business Suite primary application tier node. Ports 7001 and 7002 are the default WebLogic Server administration ports for the dual file system with Oracle E-Business Suite Release 12.2. The examples in this section use these default ports. If you have configured different port numbers, change the port numbers in the instructions to match the port numbers for your environment.

When you create an Oracle E-Business Suite Release 12.2 environment on Oracle Cloud Infrastructure, you should create a security rule and firewall rules that allow inbound communication on the WebLogic Server administration ports on the primary application tier node from the Oracle E-Business Suite Cloud Manager VM. These rules are required as a prerequisite so that a system administrator can securely access the administration ports and the Fusion Middleware Control and WebLogic Server Administration Console. See Accessing the Fusion Middleware Control and WebLogic Server Administration Console with SSH Port Forwarding for Oracle E-Business Suite on Oracle Cloud Infrastructure.

Perform the following steps to configure the required security rule and firewall rules:

  1. Update the security list for the primary application tier node by adding a security rule that allows inbound communication on ports 7001 and 7002 from the Oracle E-Business Suite Cloud Manager VM. See Working with Security Lists.

    In the Oracle Cloud Infrastructure console, open the security list for the Oracle E-Business Suite application tier subnet and add a new entry under Allow rules for ingress with the following properties:

    • Source CIDR - The CIDR for the Oracle E-Business Suite Cloud Manager VM
    • Protocol - TCP
    • Destination Port Range - 7001-7002
  2. Create firewall rules on the primary application tier node that allow inbound communication on ports 7001 and 7002 from the subnet that contains the Oracle E-Business Suite Cloud Manager VM. First, log on to the Oracle Cloud Infrastructure instance that hosts your Oracle E-Business Suite environment, using SSH. See Connecting to an Instance.

    Then switch to the root user:

    $ sudo su -

    Execute the following commands to create the required firewall rules:

    # firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=<EBS_Cloud_Admin_Tool_VM_CIDR> port port=7001 protocol=tcp accept' --permanent ;
    # firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=<EBS_Cloud_Admin_Tool_VM_CIDR> port port=7002 protocol=tcp accept' --permanent ;
    # firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=<EBS_Cloud_Admin_Tool_VM_CIDR> port port=7001 protocol=tcp accept';
    # firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=<EBS_Cloud_Admin_Tool_VM_CIDR> port port=7002 protocol=tcp accept';
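
    The firewall steps above, both for the web entry port and for ports 7001 and 7002, add each rule twice: once to the runtime configuration and once with --permanent. The following added example, which is not Oracle's code, checks a rule listing for missing rules and for rules that open the same port to another source. The function names, the sample CIDRs 10.0.1.0/24 and 192.0.2.0/24, and the double-quoted listing format are assumptions.

```shell
# Added example, not Oracle's code: audit firewalld rich rules for the ports above.
# Accept only a well-formed IPv4 CIDR with prefix 1-32, so 0.0.0.0/0 is refused.
valid_cidr() {
    cidr=$1
    case $cidr in */*) ;; *) return 1 ;; esac
    ip=${cidr%/*}; prefix=${cidr#*/}
    case $ip in ''|*[!0-9.]*) return 1 ;; esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the rule as firewalld lists it (assumed format: double-quoted values).
expected_rule() {   # $1 = source CIDR, $2 = port
    valid_cidr "$1" || { echo "rejected source CIDR: $1" >&2; return 1; }
    case $2 in ''|*[!0-9]*) return 1 ;; esac
    [ "$2" -ge 1 ] && [ "$2" -le 65535 ] || return 1
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept\n' "$1" "$2"
}

# Print the ports whose accept rule for the CIDR is absent from a rule listing.
missing_ports() {   # $1 = listing, $2 = source CIDR, remaining = ports
    listing=$1; src=$2; shift 2; missing=""
    for port in "$@"; do
        rule=$(expected_rule "$src" "$port") || return 2
        printf '%s\n' "$listing" | grep -Fxq -- "$rule" || missing="$missing $port"
    done
    echo "${missing# }"
}

# Print rules that accept the port from any source other than the intended CIDR.
other_sources() {   # $1 = listing, $2 = intended CIDR, $3 = port
    printf '%s\n' "$1" | grep -F -- "port port=\"$3\" protocol=\"tcp\" accept" |
        grep -Fv -- "source address=\"$2\"" || true
}

# Constructed samples of `firewall-cmd [--permanent] --zone=public --list-rich-rules`.
SAMPLE_RUNTIME='rule family="ipv4" source address="10.0.1.0/24" port port="7001" protocol="tcp" accept
rule family="ipv4" source address="10.0.1.0/24" port port="7002" protocol="tcp" accept
rule family="ipv4" source address="192.0.2.0/24" port port="7001" protocol="tcp" accept'
SAMPLE_PERMANENT='rule family="ipv4" source address="10.0.1.0/24" port port="7001" protocol="tcp" accept'

echo "runtime missing: [$(missing_ports "$SAMPLE_RUNTIME" 10.0.1.0/24 7001 7002)]"
echo "permanent missing: [$(missing_ports "$SAMPLE_PERMANENT" 10.0.1.0/24 7001 7002)]"
other_sources "$SAMPLE_RUNTIME" 10.0.1.0/24 7001
```

    On a live node, pass the output of `firewall-cmd --zone=public --list-rich-rules` and of the same command with `--permanent` in place of the samples. A port reported missing only in the permanent listing means the rule will not survive a firewalld reload or a reboot.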

section 12Enable and Set Oracle E-Business Account Passwords (Conditionally Required)

The steps in this section are required only for a new environment or for a cloned environment if the steps were not previously performed on the source environment. To ensure your environment is adequately protected, you must change your Oracle E-Business Suite account passwords.

If you created your environment from a backup, you can skip this section.

  1. Log on to the Oracle Cloud Infrastructure instance that hosts your Oracle E-Business Suite environment.
  2. Switch user from the opc user to the oracle user using the following command:
    $ sudo su - oracle
  3. Set the environment using the appropriate command for your Oracle E-Business Suite release:

    Release 12.2

    $ . /u01/install/APPS/EBSapps.env run

    Release 12.1.3

    $ . /u01/install/APPS/apps_st/appl/APPS_<CONTEXT_NAME>.env run
  4. Download Patch 24831241 to obtain scripts to enable the SYSADMIN user and to enable demo users in a VISION demo environment.

    Download Patch 24831241 to the $PATCH_TOP directory and unzip the patch using the following commands:

    $ cd $PATCH_TOP
    $ unzip p24831241_R12_GENERIC.zip -d /u01/install/APPS/scripts/
  5. To log in through the web interface, you must initially set a password of your choice for the SYSADMIN user. After the SYSADMIN user is active with the new password, you can create new users or activate existing locked users. To enable the SYSADMIN user, run the following commands:
    $ mkdir -p ~/logs
    $ cd ~/logs
    $ sh /u01/install/APPS/scripts/enableSYSADMIN.sh

    When prompted, enter a new password for the SYSADMIN user.

    The SYSADMIN user can now connect to Oracle E-Business Suite through the web interface and create new users or activate existing locked users.

  6. For a VISION demo environment, you can run another script to unlock a set of 36 application users that are typically used when demonstrating Oracle E-Business Suite using the VISION database. Run this script with the same environment as when running the enableSYSADMIN.sh script. To enable the demo users, run the following commands:
    $ cd ~/logs
    $ sh /u01/install/APPS/scripts/enableDEMOusers.sh

    When prompted, enter a new password.

    Do not run this script on a fresh or production environment.

For details about the default passwords set during installation, see:

  • Oracle E-Business Suite Release 12.2: Standard Installation, Oracle E-Business Suite Installation Guide: Using Rapid Install Release 12.2 (12.2.0)
  • Oracle E-Business Suite Release 12.1: Change Default Passwords, Oracle E-Business Suite Installation Guide: Using Rapid Install Release 12.1 (12.1.1)


section 13Apply Oracle E-Business Suite and Database Patches (Conditionally Required)

If you provisioned your environment from a backup of an existing on-premises environment, then you must now apply any additional patches required for your release level and database tier. For a cloned environment or an environment provisioned from a backup of a Cloud environment, these steps are required only if you did not already apply these patches on the source environment.

  1. Apply the Oracle E-Business Suite patches required for your release.
  2. This step is required only if your new database tier is on 1-Node VM DB System, 2-Node VM DB System, or Exadata DB System. Apply one-off database patches per the following:
    • For Oracle E-Business Suite Release 12.2, ETCC recommended database patches have been applied as part of the automated provisioning process. If you applied any additional one-off database patches beyond those recommended by ETCC to the source on-premises database, then you must now reapply those additional one-off patches to your new 1-Node VM DB System, 2-Node VM DB System, or Exadata DB System database.
    • For Oracle E-Business Suite Release 12.1, if you applied any one-off database patches to the source on-premises database, then you must now reapply those one-off patches to your new 1-Node VM DB System, 2-Node VM DB System, or Exadata DB System database.

    If your database tier is on an Oracle Cloud Infrastructure Compute VM, then you do not need to reapply any one-off database patches.


more informationWant to Learn More?