Easy EBS R12.2.

X and
APEX 5.X Integration:

You Can Do it Too!

Donald M Clarke III

March 15, 2016

DoubleTree Hotel
Williamsburg, Virginia
ABOUT

• 10+ years in HTML, JavaScript, CSS

• 3 years in APEX
• Presented ODTUG KSCOPE 14
• Contacts
o donaldmclarke3.blogspot.com
o dmclarke@zeusinc.com
Why we started using APEX

• Needed to move Discoverer based

HR Reports to another solution
• Must:
o Retain EBS Responsibility level security
o Facilitate a quick retirement of Discoverer
o Be adaptable for current known needs against old
Discoverer reports
o Be flexible enough for future unknown needs
o Have a relatively short learning curve
Requirements

1. Solution that requires only one login

(to EBS)
2. “Integrated feel” in the flow of the
application
3. Add a level of security to disallow direct
connects to the APEX applications
4. Strict adherence to E-Business
Responsibilities
Authentication Schemes for APEX

1. Open Door Credentials – use any

username
2. No authentication – no username
3. APEX account credentials
4. Database account authentication
5. LDAP directory
6. Oracle SSO and OAM
7. HTTP Header Variable
8. Custom
Our Approach

• Custom GWY.jsp called LaunchApex.jsp

o Capture EBS Session Cookie
o Rewrite Cookie for APEX

• EBS Responsibility & Menus

• Simple Authentication method
• Simple Authorization
• Simple table for controlling responsibility
based access to APEX apps
The EBS Session Cookie

• Each Instance will have a separate

named cookie for EBS
• To find
o Login to EBS
o Use browser based developer tools to find cookie name
ex:In chrome: CTRL + SHIFT + I, then Resources Tab

• Validate user session with the call

APP_SESSION.validate_icx_session('valueof(NQ_SE
SSION.ICX_SESSION_COOKIE)')

See “Integrating with Oracle E-Business Suite Security”

Oracle® Fusion Middleware Integrator's Guide for Oracle Business Intelligence
Enterprise Edition
at
https://docs.oracle.com/middleware/1221/biee/BIEIT/ebs_actions.htm#BIEIT1321
CREATE the Custom LaunchApex.jsp

Make a copy of GWY.jsp in each filesystem

and name it LaunchApex.jsp

For instance:
/u01/oracle/VIS/fs1/FMW_Home/Oracle_EBS-app1/applications/oacore/html/GWY.jsp
/u01/oracle/VIS/fs2/FMW_Home/Oracle_EBS-app1/applications/oacore/html/GWY.jsp

Copy to:
/u01/oracle/VIS/fs1/FMW_Home/Oracle_EBS-app1/applications/oacore/html/LaunchApex.jsp
/u01/oracle/VIS/fs2/FMW_Home/Oracle_EBS-app1/applications/oacore/html/LaunchApex.jsp
Insert Cookie Rewrite Code into LaunchApex.jsp
manager.logParams(params);

/** COOKIE REWRITE BEGIN **/

// COOKIE VARIABLES
String ebsCookieName = "<YourEBSCookieName>"; These 3 variable
String apexCookieName = “<YourAPEXCookieName>"; will change based
String apexDomain = "<.YourAPEXDomain.com>"; on instance and
String apexPath = "/"; domains
boolean isCookieSecure = false;

// RETRIEVE EBS COOKIE

Cookie[] cookies = request.getCookies();
Cookie ebsCookie = null;
if (cookies != null)
{ for (int i = 0; i < cookies.length; i++) {
Custom Code Begin/End if (cookies [i].getName().equals (ebsCookieName)) {
ebsCookie = cookies[i];
break;
}
}
}
// CREATE APEX COOKIE USING EBS COOKIE VALUE
Cookie apexCookie = new Cookie(apexCookieName, ebsCookie.getValue());
apexCookie.setDomain(apexDomain);
apexCookie.setPath(apexPath);
apexCookie.setSecure(isCookieSecure);

// ADD COOKIE INTO RESPONSE

response.addCookie(apexCookie);
/** COOKIE REWRITE END **/

manager.doForward(params, false);
Prepare LaunchApex.jsp in the EBS filesystem

Add Launch_Apex.jsp to filesystem

• <YourInstancePath>/fs1/FMW_Home/Oracle_EBS-app1/applications/oacore/html/
• <YourInstancePath>/fs2/FMW_Home/Oracle_EBS-app1/applications/oacore/html/

Compile Launch_Apex.jsp in both locations

• cd <YourInstancePath>/fs1/FMW_Home/Oracle_EBS-app1/applications/oacore/html/
• $FND_TOP/patch/115/bin/ojspCompile.pl --compile -s 'LaunchApex.jsp' --flush
• cd <YourInstancePath>/fs2/FMW_Home/Oracle_EBS-app1/applications/oacore/html/
• $FND_TOP/patch/115/bin/ojspCompile.pl --compile -s 'LaunchApex.jsp' --flush

Restart the Weblogic Server to serve the new LaunchApex.jsp

(this takes down the entire front end, so be mindful about when you do this)
• admanagedsrvctl.sh stop oacore_server1
• admanagedsrvctl.sh start oacore_server1
Create Simple Application

3 2

4
Create Simple Application – cont.

7
Create Simple Application – cont.

8
Run new application from APEX

9
Try to Login with APEX Credentials

SUCCESS!
Log Out of the new application
Requirements

1. Solution that requires only one login

(to EBS)
2. “Integrated feel” in the flow of the
application
3. Add a level of security to disallow direct
connects to the APEX applications –
4. Strict adherence to E-Business
Responsibilities
In EBS, as System Administrator, set Profile Value

Change the Site value to your appropriate path

and save, for example:
http://yourserver.yourdomain.com:8080/ords
As System Administrator, create Function

Create a new function

Select the
SSWA jsp function
type

Use Custom
LaunchApex.jsp
to start APEX app 900
As System Administrator, add Function to Menu

Example: Adding to
System Administrator
main menu
Try to Login from EBS with APEX Credentials

Click
ClickEBS
EBSLink
Link

We can get to the APEX app but

we still have to login twice
Add a simple Authentication Scheme
1

2
4

6
3
5
Add a simple Authentication Scheme – cont.

7
Try to Login from EBS with APEX Credentials

Click
ClickEBS
EBSLink
Link

Authentication scheme is working, but

no direct connect from EBS
Create Global Application Items
3

2
Repeat to create
the rest
Edit Login Page to use EBS Session Cookie

1
Right Click 2
Processes

4
Before Header Process - CreateSessionFromCookie

Retrieve APEX Cookie,

Check if a responsibility is
associated with the session,
And Validate Session

Continue only if a responsibility was

chosen in EBS – added security

Collect Session Information and

instantiate the Global Application Items

Log in to current APEX app with EBS

Session based information

Log In Disallowed
Try to Login from EBS with APEX Credentials

Click
ClickEBS
EBSLink
Link

APEX Session
Creation from EBS
Session cookie
successful
Requirements

1. Solution that requires only one login

(to EBS) - DONE
2. “Integrated feel” in the flow of the
application
3. Add a level of security to disallow direct
connects to the APEX applications
4. Strict adherence to E-Business
Responsibilities
What if we click the Log Out link

Logging out presents the standard Log In

box on page 101

Authentication doesn’t and shouldn’t work

Redirect the Log Out link back to EBS

Right Click 2
Processes

3
1
Redirect the Log Out link back to EBS – cont.

To control which process is used we

need to change the Condition
parameters of each process

4
5

6
Redirect the Log Out link back to EBS – cont.

Change the Post Logout URL to

include the Request Value
“ReturnToEBS” that will invoke
7 the redirect on the Log In Page

12

10

11

8
Redirect the Log Out link back to EBS – cont.
Change Text of Log Out link to “Return to EBS”

1
5

2
4
Try to Login from EBS with APEX Credentials

Click
ClickEBS
EBSLink
Link

Clicking “Return to
EBS” takes user
back to the EBS
Navigation Screen
Requirements

1. Solution that requires only one login

(to EBS) - DONE
2. “Integrated feel” in the flow of the
application - DONE
3. Add a level of security to disallow direct
connects to the APEX applications
4. Strict adherence to E-Business
Responsibilities
Remove Default Login Form from Log In Page
Direct Access to the app
still presents the default
Log In form

2
1
3
4
CTRL + Click to highlight
multiple items
Add a button to redirect to EBS Login

5
6
7 4
Create hidden item to hold button redirect link

4
1

A Dynamic Action on the button

press can also accomplish this 5
Log In Page direct access now

Log In page now has a button that

redirects user to EBS Log In page
Requirements

1. Solution that requires only one login

(to EBS) - DONE
2. “Integrated feel” in the flow of the
application - DONE
3. Add a level of security to disallow direct
connects to the APEX applications -
DONE
4. Strict adherence to E-Business
Responsibilities
Use EBS Responsibility based Authorization

5
Use EBS Responsibility based Authorization - cont

Script to find Responsibility IDs and Names

select
responsibility_id
,responsibility_name 6
from
fnd_responsibility_tl; 7

8
Responsibility IDs allowed
Can be placed in substitution variable

10
Enable Responsibility Based Authorization

1
2

Trying to Log In with a

disallowed Responsibility ID
An alternative to Authorization instr method

Create a table to hold your responsibility

to APEX app mapping

CREATE TABLE "APEX_EBS_RESP"

( "APEX_APP_ID" NUMBER,
"EBS_RESP_ID" NUMBER DEFAULT <<YOUR System Administrator Responsibility ID>>,
"EBS_RESP_NAME" VARCHAR2(40 BYTE) DEFAULT 'System Administrator',
"APEX_APP_NAME" VARCHAR2(40 BYTE)
);

Insert first record for APP 900

INSERT into APEX_EBS_RESP

(APEX_EBS_RESP, APEX_APP_ID, EBS_RESP_NAME, APEX_APP_NAME)
VALUES
(<<YOUR System Administrator Responsibility ID>>, 900, ‘System Administrator’,’AUTH_TEST’);
An alternative to Authorization instr method – cont.

2 3
4

Query responsibility map for authorization

Requirements

1. Solution that requires only one login

(to EBS) - DONE
2. “Integrated feel” in the flow of the
application - DONE
3. Add a level of security to disallow direct
connects to the APEX applications -
DONE
4. Strict adherence to E-Business
Responsibilities - DONE
Security points

• User has to be logged in to EBS to have a valid EBS

session cookie
• User has to have chosen a Responsibility ID
• APEX page has to be launched from an EBS menu
assigned to a responsibility
• APEX will check if the EBS session cookie represents a
valid session
• APEX may disallow entry if Responsibility ID has not
been explicitly allowed by the Authorization scheme
• No direct access to APEX App login
Further Discussion

• Oracle White Paper

“Extending Oracle E-Business Suite Release 12.1 and
above using Oracle Application Express”
• http://www.oracle.com/technetwork/developer-
tools/apex/learnmore/apex-ebs-extension-white-
paper-345780.pdf
• Plugins
• Consultant Engagements