Oracle E-Business suite application reference architecture

To support Oracle E-Business Suite (EBS) applications, Access Gateway supports multiple approaches, typically referred to as rapid and classic. In the rapid architecture, so named because it can be implemented in less than a day, an Access Gateway agent interacts with an Oracle database using a Database Connect Descriptor (DBC) file created by an Oracle DBA. Using this file and knowledge of the EBS application URLs, rapid EBS application integration is quick and easy.

When an integration requires interfacing to Oracle AccessGate, EBS classic is required. With Access Gateway EBS classic, integrations use Oracle AccessGate, an OID/OUD instance, and associated URLs and ports to integrate.

Approach

To deploy Access Gateway to secure applications in an environment described above, it is best to begin deployment of a base architecture and then add specific features as needed. This methodology will allow an organization to begin moving forward in an agile fashion and not become overly bogged down in requirements analysis.

Key steps in determining an overall architecture include:

  • Identify how applications are to be integrated with Okta and Access Gateway. Typical integrations include:
  • Identify how many users will access the applications and how often. This will help determine how many instances of Access Gateway are required, what number of load balancers are necessary and generally how the architecture components will be distributed.
  • Identify which applications should be accessible through Access Gateway from the internet and which should require the user have access to the internal network. Typically this starts as a subset of applications, and expands over time.


Access Gateway EBS architectures

Access Gateway EBS installations can be deployed in any number of possible combinations. Common architectures are:

EBS internal - rapid

The simplest of all Oracle E-Business architectures, the EBS internal rapid architecture supports accessing an internal use only EBS application.
Does not require Oracle AccessGate or Oracle OID/OUD.

EBS external - rapid

An expansion of the EBS internal rapid architecture, the EBS external rapid architecture, sometimes referred to as a VPN replacement, supports accessing an EBS application from the external internet.
Does not require Oracle AccessGate or Oracle OID/OUD.

EBS external - classic

When Oracle AccessGate and OID/OUD are required, the EBS classic architecture can be used.

Architectures are broken down into the following functional areas:

  • External internet - The external internet represents clients that access applications, and also includes your Okta org.
  • DMZ - The DMZ houses an Access Gateway cluster, and associated components, to allow access to applications from the external internet.
  • Internal - The internal network houses the applications being protected by Access Gateway as well as other components required to make these applications widely available.

EBS internal - rapid architecture

The EBS internal Access Gateway architecture represents the set of components required for protecting an internal use only Oracle E-Business Suite installation using Access Gateway.
This architecture represents a baseline or starting point for other architectures where an Access Gateway cluster protects and provides SSO for an EBS internal use only application.

This architecture is designed to meet the following requirements:

  • Protect an internal access only Oracle E-Business Suite application.
  • Fault tolerant - Providing additional instances of Access Gateway, as cluster workers, such that if one is unavailable the cluster continues to perform normally.
  • Manage capacity - Providing additional instances of Access Gateway to handle expected load.
  • Provide a baseline for testing and development.

Benefits and drawbacks

Benefits:
  • Relatively simple installation
  • Provides basic fault tolerance and capacity support
  • Can be expanded with additional workers as required to add capacity
  • Load balanced

Drawbacks:
  • Internal only
  • Pre Access Gateway DMZ based load balancer must support session affinity (sticky sessions)

Architecture

Components, by location:

External internet
  • Okta org - Your Okta org, providing identity services.

Firewall (external internet to DMZ)
  • Traditional firewall between the external internet and the DMZ hosting Access Gateway.

Internal network
  • Users - Oracle E-Business Suite users, located in the internal network, accessing Oracle E-Business Suite applications also located within the internal network.
  • Pre Access Gateway load balancer - Balances load between clients and the Access Gateway cluster. Positioned between clients and the Access Gateway cluster.
  • Access Gateway admin - Access Gateway admin node, handling configuration, configuration backups, log forwarding and similar activities. Accessed by administrators within the internal network.
  • Access Gateway workers and EBS SSO agent - Access Gateway cluster, located in the DMZ, used to provide access to applications used by external internet clients. Contains a pre-configured Oracle EBS SSO agent. Typically hosted in a virtual environment such as Amazon Web Services, MS Azure, Oracle OCI or similar. See Manage Access Gateway deployment.
  • Database - Oracle EBS database, accessed using a previously defined Database Connect Descriptor (DBC) file.
  • Protected EBS application - The set of protected E-Business Suite web resources.

Other considerations

The Access Gateway EBS SSO agent passes various header attributes to the underlying Oracle E-Business Suite application.

EBS external - rapid architecture

The EBS external Access Gateway architecture represents the set of components required for protecting an external use only Oracle E-Business Suite installation using Access Gateway.

This architecture is designed to meet the following requirements:

  • Provide external access to an Oracle E-Business Suite application.
  • Fault tolerant - Providing additional instances of Access Gateway, as cluster workers, such that if one is unavailable the cluster continues to perform normally.
  • Manage capacity - Providing additional instances of Access Gateway to handle expected load.
  • Provide a baseline for testing and development.

Benefits and drawbacks

Benefits:
  • Relatively simple installation
  • Provides basic fault tolerance and capacity support
  • Can be expanded with additional workers as required to add capacity
  • Load balanced

Drawbacks:
  • Pre Access Gateway DMZ based load balancer must support session affinity (sticky sessions)

Architecture

Components, by location:

External internet
  • Okta org - Your Okta org, providing identity services.
  • EBS users - Oracle E-Business Suite users, located in the external network, accessing Oracle E-Business Suite applications located within the internal network.

Firewall (external internet to DMZ)
  • Traditional firewall between the external internet and the DMZ hosting Access Gateway.

DMZ
  • Pre Access Gateway load balancer - Balances load between external users (clients) and the Access Gateway cluster. Positioned between clients and the Access Gateway cluster.

Firewall (DMZ to internal)
  • Traditional firewall between the DMZ and the internal network.

Internal network
  • Access Gateway admin - Access Gateway admin node, handling configuration, configuration backups, log forwarding and similar activities. Accessed by administrators within the internal network.
  • Access Gateway workers and EBS SSO agent - Access Gateway cluster, located in the DMZ, used to provide access to applications used by external internet clients. Contains a pre-configured Oracle EBS SSO agent. Typically hosted in a virtual environment such as Amazon Web Services, MS Azure, Oracle OCI or similar. See Manage Access Gateway deployment.
  • Database - Oracle EBS database, accessed using a previously defined Database Connect Descriptor (DBC) file.
  • Protected EBS application - The set of protected E-Business Suite web resources.

Other considerations

The Access Gateway EBS SSO agent passes various header attributes to the underlying Oracle E-Business Suite application.

EBS external - classic architecture

The EBS classic Access Gateway architecture represents the set of components required for protecting an externally accessed Oracle E-Business Suite installation that uses the traditional integration, using Access Gateway, Oracle AccessGate and an instance of either Oracle Internet Directory (OID) or Oracle User Directory (OUD).
This architecture represents a starting point for other architectures where an Access Gateway cluster protects and provides SSO for an EBS external use application.

This architecture is designed to meet the following requirements:

  • Provide external access to an Oracle E-Business Suite application where Oracle AccessGate, and Oracle OID or Oracle OUD are required.
  • Fault tolerant - Providing additional instances of Access Gateway, as cluster workers, such that if one is unavailable the cluster continues to perform normally.
  • Manage capacity - Providing additional instances of Access Gateway to handle expected load.

Benefits and drawbacks

Benefits:
  • Provides basic fault tolerance and capacity support
  • Can be expanded with additional workers as required to add capacity
  • Load balanced

Drawbacks:
  • Complex - Requires Oracle AccessGate, as well as either Oracle OID or Oracle OUD.
  • Pre Access Gateway DMZ based load balancer must support session affinity (sticky sessions)

Architecture

Components, by location:

External internet
  • Okta org - Your Okta org, providing identity services.
  • EBS users - Oracle E-Business Suite users, located in the external network, accessing Oracle E-Business Suite applications located within the internal network using URL ebs-external.example.com.

Firewall (external internet to DMZ)
  • Traditional firewall between the external internet and the DMZ hosting Access Gateway.

DMZ
  • Pre Access Gateway load balancer - Balances load between external users (clients) and the Access Gateway cluster. Positioned between clients and the Access Gateway cluster.
  • Access Gateway workers - Access Gateway cluster, located in the DMZ, used to provide access to applications used by external internet clients.

Firewall (DMZ to internal)
  • Traditional firewall between the DMZ and the internal network.

Internal network
  • Access Gateway admin - Access Gateway admin node, handling configuration, configuration backups, log forwarding and similar activities. Accessed by administrators within the internal network.
  • Oracle AccessGate instance - Used to obtain the EBS session cookie. Default port 6801. In the architecture shown, reached using URL ebs-accessgate.example.com:6801.
  • Oracle EBS login - Traditional internal EBS login. Passed the EBS session in header attributes. Default port 8000. In the architecture shown, reached using URL ebs-internal.example.com:8000. Regularly synchronized with the EBS database.
  • Oracle OID/OUD - Oracle OID/OUD instance, used for user GUID lookup based on the EBS user identity. Default port 3060. In the architecture shown, reached using URL ebs-oid.example.com:3060. Regularly synchronized with the EBS database.
  • Oracle EBS database - Provides supporting details for Oracle OID/OUD.
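The classic architecture only needs three flows from the Access Gateway workers in the DMZ to the internal network (AccessGate on 6801, the EBS login on 8000, and OID/OUD on 3060), and nothing from the external internet should reach those hosts directly. The following script, added here as an example and not part of Okta's or Oracle's tooling, audits a proposed DMZ-to-internal allow list against exactly those flows; the hostnames and ports are the ones in the component list above, while the `allow <zone> <host> <port>` rule format and the sample rule set are constructed for the example.

```python
from dataclasses import dataclass

# Zone labels and rule syntax are assumptions for this example, not a firewall vendor format.
@dataclass(frozen=True)
class Flow:
    src_zone: str   # "external", "dmz" or "internal"
    dst_host: str
    dst_port: int

# The flows the EBS classic architecture requires from the DMZ Access Gateway workers.
REQUIRED_FLOWS = {
    Flow("dmz", "ebs-accessgate.example.com", 6801),  # Oracle AccessGate: EBS session cookie
    Flow("dmz", "ebs-internal.example.com", 8000),    # traditional EBS login
    Flow("dmz", "ebs-oid.example.com", 3060),         # OID/OUD: user GUID lookup
}
INTERNAL_HOSTS = {f.dst_host for f in REQUIRED_FLOWS}

def parse_rules(text):
    """Parse constructed rule lines of the form 'allow <src_zone> <dst_host> <port>'."""
    rules = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments and blanks
        if not line:
            continue
        action, src, host, port = line.split()
        if action != "allow":
            raise ValueError(f"unsupported action: {action}")
        rules.add(Flow(src, host, int(port)))
    return rules

def audit(rules):
    """Return (missing, excess, exposed):
    missing - required DMZ->internal flows the rule set does not allow,
    excess  - DMZ->internal flows to architecture hosts that are not needed,
    exposed - rules letting the external zone reach an internal host, bypassing Access Gateway."""
    missing = REQUIRED_FLOWS - rules
    excess = {r for r in rules if r.src_zone == "dmz" and r.dst_host in INTERNAL_HOSTS} - REQUIRED_FLOWS
    exposed = {r for r in rules if r.src_zone == "external" and r.dst_host in INTERNAL_HOSTS}
    return missing, excess, exposed

# Constructed sample rule set: one required flow is absent, one stale rule and one bypass are present.
SAMPLE_RULES = """\
allow dmz ebs-accessgate.example.com 6801
allow dmz ebs-internal.example.com 8000
allow dmz ebs-internal.example.com 22        # leftover admin rule, not needed by the architecture
allow external ebs-internal.example.com 8000  # direct path from the internet to the EBS login
"""
```

Running `audit(parse_rules(SAMPLE_RULES))` on the sample reports the missing OID/OUD flow on 3060, the stale port 22 rule, and the external rule that bypasses the DMZ.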

Other considerations

Access Gateway creates a datastore to interact with Oracle OID/OUD.