Oracle E-Business Suite classic external application reference architecture

The EBS classic external Access Gateway architecture represents the set of components required to protect an external, traditional-use-only Oracle E-Business Suite installation using Access Gateway, Oracle AccessGate, and an instance of either Oracle Internet Directory (OID) or Oracle User Directory (OUD).
This architecture represents a starting point for other architectures where an Access Gateway cluster protects and provides SSO for an EBS external use application.
This architecture is designed to meet the following requirements:

  • Provide external access to an Oracle E-Business Suite application where Oracle AccessGate, and Oracle OID or Oracle OUD are required.
  • Fault tolerant - Providing additional instances of Access Gateway, as cluster workers, such that if one is unavailable the cluster continues to perform normally.
  • Manage capacity - Providing additional instances of Access Gateway to handle expected load.

Benefits and drawbacks

Benefits

  • Provides basic fault tolerance and capacity support
  • Can be expanded with additional workers as required to add capacity
  • Load balanced

Drawbacks

  • Complex - Requires Oracle AccessGate, as well as either Oracle OID or Oracle OUD.
  • Pre Access Gateway DMZ based load balancer must support session affinity (sticky sessions)

Architecture

Components

| Location | Component | Description |
| --- | --- | --- |
| External internet | Okta org | Your Okta org, providing identity services. |
| External internet | EBS Users | Oracle E-Business Suite users, located in the external network, accessing Oracle E-Business Suite applications located within the internal network. Accessing Oracle E-Business Suite using URL ebs-external.example.com. |
| Firewall | External internet to DMZ | Traditional firewall between the external internet and the DMZ hosting Access Gateway. |
| DMZ | Pre Access Gateway load balancer | Balances load between external users (clients) and the Access Gateway cluster. Positioned between clients and the Access Gateway cluster. |
| DMZ | Access Gateway workers | Access Gateway cluster, located in the DMZ, used to provide access to applications used by external internet clients. |
| Firewall | DMZ to internal | Traditional firewall between the DMZ and the internal network. |
| Internal network | Access Gateway workers | Access Gateway cluster, located in the DMZ, used to provide access to applications used by external internet clients. |
| Internal network | Access Gateway admin | Access Gateway admin node, handling configuration, configuration backups, log forwarding and similar activities. Accessed by administrators within the internal network. |
| Internal network | Oracle AccessGate instance | Oracle AccessGate instance, used to obtain the EBS session cookie. Default port 6801. Shown in the architecture using URL ebs-accessgate.example.com:6801. |
| Internal network | Oracle EBS Login | Oracle EBS login, the traditional internal EBS login. Passed the EBS session in header attributes. Shown in the architecture using URL ebs-internal.example.com:8000. Default port 8000. Regularly synchronized with the EBS Database. |
| Internal network | Oracle OID/OUD | Oracle OID/OUD instance, used for user GUID lookup based on EBS user identity. Shown in the architecture using URL ebs-oid.example.com:3060. Default port 3060. Regularly synchronized with the EBS Database. |
| Internal network | Oracle EBS Database | Oracle EBS Database, providing supporting details for Oracle OID/OUD. |

Other considerations

Access Gateway creates a datastore to interact with Oracle OID/OUD.