Performing Post-Provisioning and Post-Cloning Tasks for Oracle E-Business Suite on Oracle Cloud Infrastructure

Section 0: Before You Begin

This 15-minute tutorial shows you how to perform required tasks for environments you have provisioned or cloned using Oracle E-Business Suite Cloud Manager on Oracle Cloud Infrastructure.

Background

After you provision or clone an environment, you must perform some tasks to configure access and secure the environment. You may also need to perform other tasks depending on your Oracle E-Business Suite release, Oracle Database release, and the cloud service on which the database tier resides. These tasks apply for new environments created through either One-Click Provisioning or Advanced Provisioning, for environments created from a backup through Advanced Provisioning, and for environments created through cloning in Oracle E-Business Suite Cloud Manager.

What Do You Need?

Section 1: Review Database Admin Password

When you provision an environment through Advanced Provisioning, you must specify a database admin password as part of the database tier details. You can use this password to log in to the database as the SYS user and perform database administration tasks.

Additionally, if Transparent Data Encryption (TDE) is enabled for an environment created through Advanced Provisioning, then you can also use the same database admin password to access the TDE wallet for the new environment. TDE is enabled for the following types of environments provisioned using Advanced Provisioning:

  • All environments with a database tier on 1-Node VM DB System, 2-Node VM DB System, or Exadata DB System, including both new environments and environments created from a backup. Note that even if the source environment for a backup was not TDE-enabled, TDE is still enabled for environments that are created from that backup on 1-Node VM DB System, 2-Node VM DB System, or Exadata DB System.
  • All environments with a database tier on Compute that are created from a backup of a TDE-enabled source environment
  • Environments with a database tier on Compute that are created from a backup of a non-TDE source environment, if you select the Enable TDE option during provisioning.
  • New environments created with Advanced Provisioning with a database tier on Compute, if you select the Enable TDE option during provisioning.

Note that TDE is not enabled for environments created with One-Click Provisioning. Also, TDE is not enabled if you do not select the Enable TDE option when it appears during Advanced Provisioning for environments on Compute.


Section 2: Configure DNS Entry for Oracle E-Business Suite Host Name

After an environment is successfully created, the Environment Details page in Oracle E-Business Suite Cloud Manager displays the login page URL for the environment. However, before you can access the login page, you must first ensure that your DNS server is configured to resolve the Oracle E-Business Suite host name in the URL. If necessary, add an appropriate DNS entry to resolve the host name to the IP address.


Section 3: Implement Workaround for Oracle Databases on Exadata DB Systems (Conditionally Required)

This workaround resolves a known issue that impacts SQL*Net configuration files on secondary nodes. The steps in this section are required only for a provisioned environment with the database on an Exadata DB System with Oracle Database Release 12.1.0.2.

  1. Identify the private IP address of each secondary Exadata DB System node from the Exadata DB Systems console.
  2. Perform steps 3-8 for all secondary Exadata DB System nodes.
  3. While logged in to the Oracle E-Business Suite Cloud Manager VM as the oracle user, use ssh to connect to the secondary Exadata DB Systems node.
  4. Obtain the ORACLE_HOME details from the oratab file:
    $ cat /etc/oratab 
  5. Source the environment file:
    $ cd <ORACLE_HOME>
    $ source <SID>_<HOSTNAME>.env
  6. Navigate to the $ORACLE_HOME/network/admin directory:
    $ cd $ORACLE_HOME/network/admin
  7. Using a text editor such as vi, edit the sqlnet.ora file. First, delete all existing lines from the sqlnet.ora file. Then add the following line:
    IFILE=<ORACLE_HOME>/network/admin/<SID>_<HOSTNAME>/sqlnet.ora
  8. Create a listener.ora file with a text editor such as vi, and add the following line:
    IFILE=<ORACLE_HOME>/network/admin/<SID>_<HOSTNAME>/listener.ora

Section 4: Configure Additional Components When Using Load Balancer as a Service (LBaaS) (Conditionally Required)

If you have deployed your Oracle E-Business Suite Release 12.2 or 12.1 environment using Load Balancer as a Service (LBaaS), we highly recommend that you perform the steps in this section to encrypt the inbound HTTP traffic with Transport Layer Security (TLS). The steps in this section will offload the encryption to the LBaaS and configure Oracle E-Business Suite to use HTTPS (HTTP over TLS).

Note that this method terminates TLS at the load balancer; that is, TLS is used only for communication between the client and the load balancer. Communication between the load balancer and the Oracle E-Business Suite instance does not use TLS. See "Terminating SSL at the Load Balancer" in the section Configuring SSL Handling in the Oracle Cloud Infrastructure Services documentation.

  1. Obtain a TLS certificate valid for the name of the web entry host for your Oracle E-Business Suite instance. The web entry host name is formed by combining the values of the application tier context variables s_webentryhost and s_webentrydomain.

    Oracle Cloud Infrastructure provides a public IP address but does not provide a public host name, so you should ensure that appropriate DNS entries are present to resolve the web entry host name to the public IP address.

  2. Log in to the Oracle Cloud Infrastructure console. From the navigation menu, select Networking > Load Balancers, and then select the load balancer you want to configure.
  3. Add your certificate bundle to the load balancer. See To upload an SSL certificate bundle to your load balancing system in the Oracle Cloud Infrastructure Services documentation.

    If you have multiple certificates that form a single certification chain, such as one or more intermediate certificates together with a root certificate, then you must include all relevant certificates in one file before you upload them to the system. See "Uploading Certificate Chains" in the section Working with SSL Certificates in the Oracle Cloud Infrastructure Services documentation.

  4. Edit the load balancer listener to enable TLS. Enter the port to use for secure communication, such as 443. Then check the Use SSL option and specify the certificate name. See To edit a listener in the Oracle Cloud Infrastructure Services documentation.
  5. Using a text editor such as vi, update the following variables in the context file on all application tier nodes.
    • s_webentryurlprotocol - Set the value for this variable to https.
    • s_url_protocol - Set the value for this variable to https.
    • s_enable_sslterminator - Remove any value set for this variable; that is, the value should be left blank.
    • s_active_webport - Set the value for this variable to the port you specified for the load balancer listener, such as 443.
    • s_external_url - Update the value for this variable to use the https protocol and the port you specified for the load balancer listener. The full new value should be in the following form:
       https://<web_entry_host>.<web_entry_domain>:<new_load_balancer_listener_port>
      If you are using the default HTTPS port 443, then you should omit the colon separator and the port from this URL. That is, if you are using port 443, then the value should be in the following form:
       https://<web_entry_host>.<web_entry_domain>
    • s_login_page - Update the value for this variable to use the https protocol and the port you specified for the load balancer listener. The full new value should be in the following form:
       https://<web_entry_host>.<web_entry_domain>:<new_load_balancer_listener_port>/OA_HTML/AppsLogin
      If you are using the default HTTPS port 443, then you should omit the colon separator and the port from this URL. That is, if you are using port 443, then the value should be in the following form:
       https://<web_entry_host>.<web_entry_domain>/OA_HTML/AppsLogin

    For more information, see Using Load-Balancers with Oracle E-Business Suite Release 12.2, My Oracle Support Knowledge Document 1375686.1.

    If you are running Oracle HTTP Server on a privileged port - that is, a port number below 1024 - then you must perform additional configuration steps. See Running Oracle HTTP Server on a Privileged Port in Managing Configuration of Oracle HTTP Server and Web Application Services in Oracle E-Business Suite Release 12.2, My Oracle Support Knowledge Document 1905593.1. For more information, see Enabling Oracle HTTP Server to Run as Root for Ports Set to Less Than 1024 (UNIX Only), Oracle Fusion Middleware Administrator's Guide and Starting Oracle HTTP Server on a Privileged Port, Oracle Fusion Middleware Administrator's Guide for Oracle HTTP Server.

  6. Run AutoConfig on all application tier nodes. See Using AutoConfig Tools for System Configuration, Oracle E-Business Suite Setup Guide.
  7. On all application tier nodes, stop and restart all services by running the adstpall.sh script and the adstrtal.sh script.
  8. Update the security lists for the load balancer subnets by adding a security rule that allows inbound communication on the port you specified for the load balancer listener, from the clients from which you will access the Oracle E-Business Suite URL. See Working with Security Lists.

    In the Oracle Cloud Infrastructure console, open the security list for the load balancer and add a new entry under Allow rules for ingress with the following properties:

    • Source CIDR - The CIDR block for your on-premises network that includes the relevant clients
    • Protocol - TCP
    • Destination Port Range - The port you specified for the load balancer secure communication, such as 443

    Repeat these steps for each load balancer subnet.
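
The context file values from step 5 can be checked before AutoConfig is run in step 6. The following is an added example, not part of the Oracle tutorial: it assumes each variable sits on one line of the context file in the form `<element oa_var="s_name">value</element>`, and the sample files, element names, host name and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Oracle code): check the step 5 values in a context file.
# Assumption: each variable sits on one line as
#   <element oa_var="s_name" ...>value</element>  (self-closed when blank).

# ctx_get FILE VAR: print the value of one context variable ("" if blank).
ctx_get() {
    sed -n "s/.*oa_var=\"$2\"[^>]*>\([^<]*\)<.*/\1/p" "$1" | head -n 1
}

# expected_base HOST DOMAIN PORT: web entry URL; the port is omitted for 443.
expected_base() {
    if [ "$3" = "443" ]; then
        printf 'https://%s.%s' "$1" "$2"
    else
        printf 'https://%s.%s:%s' "$1" "$2" "$3"
    fi
}

# check_ctx FILE PORT: print the variables that do not match step 5, separated
# by spaces, and return 1; print nothing and return 0 when all six match.
check_ctx() {
    file=$1; port=$2; bad=""
    base=$(expected_base "$(ctx_get "$file" s_webentryhost)" \
                         "$(ctx_get "$file" s_webentrydomain)" "$port")
    while read -r var want; do
        got=$(ctx_get "$file" "$var")
        [ "$got" = "$want" ] || bad="$bad $var"
    done <<EOF
s_webentryurlprotocol https
s_url_protocol https
s_enable_sslterminator
s_active_webport $port
s_external_url $base
s_login_page $base/OA_HTML/AppsLogin
EOF
    [ -z "$bad" ] && return 0
    echo "${bad# }"
    return 1
}

# Constructed sample context files (element names and host are made up).
CTX_DIR=$(mktemp -d)
CTX_GOOD=$CTX_DIR/good.xml
CTX_BAD=$CTX_DIR/bad.xml
cat > "$CTX_GOOD" <<'EOF'
<webentryhost oa_var="s_webentryhost">ebs</webentryhost>
<webentrydomain oa_var="s_webentrydomain">example.com</webentrydomain>
<webentryurlprotocol oa_var="s_webentryurlprotocol">https</webentryurlprotocol>
<url_protocol oa_var="s_url_protocol">https</url_protocol>
<sslterminator oa_var="s_enable_sslterminator"/>
<activewebport oa_var="s_active_webport" oa_type="DUP_PORT">443</activewebport>
<externURL oa_var="s_external_url">https://ebs.example.com</externURL>
<login_page oa_var="s_login_page">https://ebs.example.com/OA_HTML/AppsLogin</login_page>
EOF
# Same file with two constructed deviations: s_url_protocol left at http and
# ":443" kept in both URLs although the listener uses the default port.
sed -e 's#"s_url_protocol">https#"s_url_protocol">http#' \
    -e 's#>https://ebs.example.com#&:443#' "$CTX_GOOD" > "$CTX_BAD"

if check_ctx "$CTX_GOOD" 443 >/dev/null; then echo "good.xml: OK"; fi
echo "bad.xml mismatches: $(check_ctx "$CTX_BAD" 443)"
```

Run it against a copy of the context file on each application tier node, passing the listener port chosen in step 4 as the second argument.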


Section 5: Configure Additional Components When Using an On-Premises Load Balancer (Conditionally Required)

If you have deployed your Oracle E-Business Suite Release 12.2 or 12.1 environment using an on-premises load balancer, we highly recommend that you perform the steps in this section to set up the necessary encryption. First, encrypt the traffic between the client and the load balancer. Next, encrypt the traffic between the load balancer and the Oracle HTTP Server. After the encryption setup is complete, configure the Oracle E-Business Suite web entry point.

  1. Encrypt the traffic from the client to the load balancer by performing the configuration for an alternate TLS termination point for your Oracle E-Business Suite release.
  2. Encrypt the traffic between the load balancer and the Oracle HTTP Server.
    • If you have VPN set up between your on-premises network and Oracle Cloud, then you can optionally set up TLS end-to-end, or you can skip this setup and go to step 3.
    • If you do not have VPN set up between your on-premises network and Oracle Cloud, then we highly recommend that you set up TLS end-to-end.

    To set up TLS end-to-end, perform the appropriate configuration for your Oracle E-Business Suite release.

  3. You can now configure access to the Oracle E-Business Suite web entry point. First, on all application tier nodes, create firewall rules that allow inbound communication to the web entry port from the clients from which you will access the Oracle E-Business Suite URL. To do so, log on to the Oracle Cloud Infrastructure instance that hosts your Oracle E-Business Suite environment, using SSH. See Connecting to an Instance.

    Then switch to the root user:

    $ sudo su -

    Execute the following commands to create the required firewall rules:

    # firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=<source_CIDR_range> port port=<web_entry_port> protocol=tcp accept' --permanent
    # firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=<source_CIDR_range> port port=<web_entry_port> protocol=tcp accept'
    

    In these commands, replace <source_CIDR_range> with the set of IP addresses from which you will access the Oracle E-Business Suite URL. Replace <web_entry_port> with the appropriate port, for example 4443.

  4. Next, update the security list for the subnet that contains the application tier nodes by adding a security rule that allows inbound communication on the web entry port from the clients from which you will access the Oracle E-Business Suite URL. See Working with Security Lists.

    In the Oracle Cloud Infrastructure console, open the security list for the application tier subnet and add a new entry under Allow rules for ingress with the following properties:

    • Source CIDR - The CIDR block for your on-premises network that includes the relevant clients, as specified in your firewall rules
    • Protocol - TCP
    • Destination Port Range - The web entry port, for example 4443

Section 6: Configure Additional Components When Not Using a Load Balancer (Conditionally Required)

If you have deployed your Oracle E-Business Suite Release 12.2 or 12.1 environment without using a load balancer, we highly recommend that you perform the steps in this section to encrypt the traffic between the client and the Oracle HTTP Server. After the encryption setup is complete, you must configure the Oracle E-Business Suite web entry point.

  1. Prepare the environment by applying the prerequisites for your Oracle E-Business Suite release.
  2. Encrypt the traffic from the client to the Oracle HTTP Server by performing the configuration for inbound connections for your Oracle E-Business Suite release.
  3. You can now configure access to the Oracle E-Business Suite web entry point. First, on all application tier nodes, create firewall rules that allow inbound communication to the web entry port from the clients from which you will access the Oracle E-Business Suite URL. To do so, log on to the Oracle Cloud Infrastructure instance that hosts your Oracle E-Business Suite environment, using SSH. See Connecting to an Instance.

    Then switch to the root user:

    $ sudo su -

    Execute the following commands to create the required firewall rules:

    # firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=<source_CIDR_range> port port=<web_entry_port> protocol=tcp accept' --permanent
    # firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=<source_CIDR_range> port port=<web_entry_port> protocol=tcp accept'
    

    In these commands, replace <source_CIDR_range> with the set of IP addresses from which you will access the Oracle E-Business Suite URL. Replace <web_entry_port> with the appropriate port, for example 4443.

  4. Next, update the security list for the subnet that contains the application tier nodes by adding a security rule that allows inbound communication on the web entry port from the clients from which you will access the Oracle E-Business Suite URL. See Working with Security Lists.

    In the Oracle Cloud Infrastructure console, open the security list for the application tier subnet and add a new entry under Allow rules for ingress with the following properties:

    • Source CIDR - The CIDR block for your on-premises network that includes the relevant clients, as specified in your firewall rules
    • Protocol - TCP
    • Destination Port Range - The web entry port, for example 4443

Section 7: Implement Workaround for Oracle Databases on 2-Node VM DB System (Conditionally Required)

This workaround resolves a known issue on 2-Node VM DB System. The steps in this section are required only for a provisioned environment with the database on a 2-Node VM DB System with Oracle Database Release 11.2.0.4.

Perform the following steps on the primary node of the VM DB System, except where noted.

  1. Get the database unique name using the following command. Run this command as root.
    # dbcli list-databases --json | grep databaseUniqueName

    Copy the output from this command. This value will be referred to in subsequent steps as <DB_UNIQUE_NAME>.

  2. Remove the database from srvctl using the following command. Run this command as the oracle user.
    $ srvctl stop database -d <dbname>
    $ srvctl remove database -d <dbname>
  3. On both VM DB System nodes, change the db_unique_name value in the database using the following commands.
    $ sqlplus "/ as sysdba"
    SQL> startup nomount
    SQL> alter system set db_unique_name='<DB_UNIQUE_NAME>' sid='*' scope=spfile;
  4. On both VM DB System nodes, shut down the database using the following command.
    SQL> shutdown immediate
  5. Add the new database unique name to CRS using the following commands.
    $ srvctl add database -d <DB_UNIQUE_NAME> -o /u01/app/oracle/product/11.2.0.4/dbhome_1
    $ srvctl add instance -d <DB_UNIQUE_NAME> -i <SID of instance1> -n <Node 1 HOST_NAME>
    $ srvctl add instance -d <DB_UNIQUE_NAME> -i <SID of instance2> -n <Node 2 HOST_NAME>
  6. On both VM DB System nodes, modify /etc/oratab as follows.
     <DB_UNIQUE_NAME>:/u01/app/oracle/product/11.2.0.4/dbhome_1:N              # line added by Agent 
  7. Start the database using the following command.
    $ srvctl start database -d <DB_UNIQUE_NAME> 

Section 8: Configure Security and Firewall Rules for Secure Access to the Fusion Middleware Control and WebLogic Server Administration Console (Conditionally Required)

The steps in this section are required only for Oracle E-Business Suite Release 12.2.

Administration of the Oracle Fusion Middleware 11g components delivered with Oracle E-Business Suite Release 12.2, including Oracle HTTP Server and Oracle WebLogic Server, requires secure access to the WebLogic Server administration ports running on the Oracle E-Business Suite primary application tier node. Ports 7001 and 7002 are the default WebLogic Server administration ports for the dual file system with Oracle E-Business Suite Release 12.2. The examples in this section use these default ports. If you have configured different port numbers, change the port numbers in the instructions to match the port numbers for your environment.

When you create an Oracle E-Business Suite Release 12.2 environment on Oracle Cloud Infrastructure, you should create a security rule and firewall rules that allow inbound communication on the WebLogic Server administration ports on the primary application tier node from the Oracle E-Business Suite Cloud Manager VM. These rules are required as a prerequisite so that a system administrator can securely access the administration ports and the Fusion Middleware Control and WebLogic Server Administration Console.

Perform the following steps to configure the required security rule and firewall rules:

  1. Update the security list for the primary application tier node by adding a security rule that allows inbound communication on ports 7001 and 7002 from the Oracle E-Business Suite Cloud Manager VM. See Working with Security Lists.

    In the Oracle Cloud Infrastructure console, open the security list for the Oracle E-Business Suite application tier subnet and add a new entry under Allow rules for ingress with the following properties:

    • Source CIDR - The CIDR for the Oracle E-Business Suite Cloud Manager VM
    • Protocol - TCP
    • Destination Port Range - 7001-7002
  2. Create firewall rules on the primary application tier node that allow inbound communication on ports 7001 and 7002 from the subnet that contains the Oracle E-Business Suite Cloud Manager VM. First, log on to the Oracle Cloud Infrastructure instance that hosts your Oracle E-Business Suite environment, using SSH. See Connecting to an Instance.

    Then switch to the root user:

    $ sudo su -

    Execute the following commands to create the required firewall rules:

    # firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=<EBS_Cloud_Admin_Tool_VM_CIDR> port port=7001 protocol=tcp accept' --permanent ;
    # firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=<EBS_Cloud_Admin_Tool_VM_CIDR> port port=7002 protocol=tcp accept' --permanent ;
    # firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=<EBS_Cloud_Admin_Tool_VM_CIDR> port port=7001 protocol=tcp accept';
    # firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=<EBS_Cloud_Admin_Tool_VM_CIDR> port port=7002 protocol=tcp accept';
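
The rules in this section, like the web entry port rules in sections 5 and 6, are each added twice: once with --permanent and once for the running configuration. The following added example (not part of the Oracle tutorial) audits both rule sets for the WebLogic Server administration ports; the sample rule lines, the 10.0.0.5/32 address and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Oracle code): audit firewalld rich rules after running the
# paired firewall-cmd commands. In a real check the two inputs come from
#   firewall-cmd --zone=public --list-rich-rules
#   firewall-cmd --permanent --zone=public --list-rich-rules

# audit_ports ALLOWED_CIDR PORT[,PORT...] < rules
# Prints "UNEXPECTED <port> <source>" for an accept rule on a listed port whose
# source is not ALLOWED_CIDR, and "MISSING <port>" when ALLOWED_CIDR has no rule.
audit_ports() {
    awk -v cidr="$1" -v ports="$2" '
    function field(s, key,   m) {          # value of key="..." in a rule line
        if (!match(s, key "=\"[^\"]*\"")) return ""
        m = substr(s, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", m); sub(/"$/, "", m)
        return m
    }
    BEGIN { n = split(ports, want, ",") }
    / accept$/ {
        p = field($0, "port port"); src = field($0, "source address")
        for (i = 1; i <= n; i++) if (p == want[i]) {
            if (src == cidr) seen[p] = 1
            else print "UNEXPECTED", p, (src == "" ? "any" : src)
        }
    }
    END { for (i = 1; i <= n; i++) if (!(want[i] in seen)) print "MISSING", want[i] }
    '
}

# rule_drift RUNTIME_FILE PERMANENT_FILE
# Prints rules present in only one configuration: a RUNTIME-ONLY rule is lost on
# reload or reboot, a PERMANENT-ONLY rule is not active until the next reload.
rule_drift() {
    LC_ALL=C sort "$1" > "$1.sorted"
    LC_ALL=C sort "$2" > "$2.sorted"
    LC_ALL=C comm -23 "$1.sorted" "$2.sorted" | sed 's/^/RUNTIME-ONLY /'
    LC_ALL=C comm -13 "$1.sorted" "$2.sorted" | sed 's/^/PERMANENT-ONLY /'
    rm -f "$1.sorted" "$2.sorted"
}

# Constructed sample output; 10.0.0.5/32 stands in for the Cloud Manager VM CIDR.
FW_DIR=$(mktemp -d)
cat > "$FW_DIR/runtime" <<'EOF'
rule family="ipv4" source address="10.0.0.5/32" port port="7001" protocol="tcp" accept
rule family="ipv4" source address="10.0.0.5/32" port port="7002" protocol="tcp" accept
rule family="ipv4" source address="0.0.0.0/0" port port="7001" protocol="tcp" accept
rule family="ipv4" source address="192.0.2.0/24" port port="4443" protocol="tcp" accept
EOF
cat > "$FW_DIR/permanent" <<'EOF'
rule family="ipv4" source address="10.0.0.5/32" port port="7001" protocol="tcp" accept
rule family="ipv4" source address="192.0.2.0/24" port port="4443" protocol="tcp" accept
EOF

audit_ports 10.0.0.5/32 7001,7002 < "$FW_DIR/runtime"
rule_drift "$FW_DIR/runtime" "$FW_DIR/permanent"
```

The same functions apply to the web entry port rules from sections 5 and 6 by passing the on-premises client CIDR and the web entry port instead.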

Section 9: Enable and Set Oracle E-Business Account Passwords (Conditionally Required)

The steps in this section are required only for a new environment or for a cloned environment if the steps were not previously performed on the source environment. To ensure your environment is adequately protected, you must change your Oracle E-Business Suite account passwords.

If you created your environment from a backup, you can skip this section.

  1. Log on to the Oracle Cloud Infrastructure instance that hosts your Oracle E-Business Suite environment.
  2. Switch user from the opc user to the oracle user using the following command:
    $ sudo su - oracle
  3. Set the environment using the appropriate command for your Oracle E-Business Suite release:

    Release 12.2

    $ . /u01/install/APPS/EBSapps.env run

    Release 12.1.3

    $ . /u01/install/APPS/apps_st/appl/APPS_<CONTEXT_NAME>.env run
  4. Download Patch 24831241 to obtain scripts to enable the SYSADMIN user and to enable demo users in a VISION demo environment.

    Download Patch 24831241 to the $PATCH_TOP directory and unzip the patch using the following commands:

    $ cd $PATCH_TOP
    $ unzip p24831241_R12_GENERIC.zip -d /u01/install/APPS/scripts/
  5. To log in through the web interface, you must initially set a password of your choice for the SYSADMIN user. After the SYSADMIN user is active with the new password, you can create new users or activate existing locked users. To enable the SYSADMIN user, run the following commands:
    $ mkdir -p ~/logs
    $ cd ~/logs
    $ sh /u01/install/APPS/scripts/enableSYSADMIN.sh

    When prompted, enter a new password for the SYSADMIN user.

    The SYSADMIN user can now connect to Oracle E-Business Suite through the web interface and create new users or activate existing locked users.

  6. For a VISION demo environment, you can run another script to unlock a set of 36 application users that are typically used when demonstrating Oracle E-Business using the VISION database. Run this script with the same environment as when running the enableSYSADMIN.sh script. To enable the demo users, run the following commands:
    $ cd ~/logs
    $ sh /u01/install/APPS/scripts/enableDEMOusers.sh

    When prompted, enter a new password.

    Do not run this script on a fresh or production environment.



Section 10: Apply Oracle E-Business Suite and Database Patches (Conditionally Required)

If you provisioned your environment from a backup of an existing on-premises environment, then you must now apply any additional patches required for your release level and database tier. For a cloned environment or an environment provisioned from a backup of a Cloud environment, these steps are required only if you did not already apply these patches on the source environment.

  1. Apply the Oracle E-Business Suite patches required for your release.
  2. This step is required only if your new database tier is on 1-Node VM DB System, 2-Node VM DB System, or Exadata DB System. Apply one-off database patches per the following:
    • For Oracle E-Business Suite Release 12.2, ETCC recommended database patches have been applied as part of the automated provisioning process. If you applied any additional one-off database patches beyond those recommended by ETCC to the source on-premises database, then you must now reapply those additional one-off patches to your new 1-Node VM DB System, 2-Node VM DB System, or Exadata DB System database.
    • For Oracle E-Business Suite Release 12.1, if you applied any one-off database patches to the source on-premises database, then you must now reapply those one-off patches to your new 1-Node VM DB System, 2-Node VM DB System, or Exadata DB System database.

    If your database tier is on an Oracle Cloud Infrastructure Compute VM, then you do not need to reapply any one-off database patches.


Want to Learn More?