OHS Working Effectively With Online Support

Oracle On Demand Access

Objectives
• What Systems You May Access
• Your Accounts, Privileges, and Commands
• Request Exceptions In Advance
  – Access to Systems, Accounts, Privileges, or Commands Not Contained in the Standards Requires Written Approval in Advance by Oracle On Demand
• Access Oversight
  – Misuse May Result in Loss Of Access
Oracle On Demand: Access (diagram)
Boxes shown on the slide: Service Delivery Manager; Customer/Implementer; Standard Product Support (Oracle Metalink, Toll Free Number); On Demand HUB (Alerts, Patch Sets, Workarounds); Product Development; Customer Portal; OEM Alert Toggle; On Demand Delivery Systems. Flows labelled: Access, Software Issues, Configurations, Information, Patches, Service Request(s).
Agenda
• How You Connect to The On Demand Intranet
• On Demand Powerbroker Basics
• Your Capabilities
  – Linux
  – Technology Stack (DB & iAS)
  – Applications Administration
• How You Transfer Files To or From Oracle On Demand

Note: This material is EBSO specific. OTO Data Will be Included in a Future Update.
How You Connect
• @Oracle Model
  – Through the Oracle On Demand Hardware VPN
    • Software VPN Connections Are Not Allowed
    • Connections From an Intranet Other Than the Customer’s Are Not Allowed
• @Customer Model
  – Through Customers’ Access Mechanisms
    • You Do Not Have Access to the On Demand Intranet
On Demand Powerbroker Basics
• SAS 70 Type II Compliant
• Powerbroker
  – Who, When, Where, What
• Limited Set of Customer Accessible Accounts
• Controls Access to Accounts and Functions
  – Powerbroker Policies Map Predefined Accounts and Functions
• Provides Keystroke Logging
  – Keystrokes, Standard Output, Standard Error
(Diagram: Named Individual Linux Account → Powerbroker → Powerbroker Controlled Linux Accounts)
On Demand Powerbroker Basics (Cont’d)
(Diagram: Named Individual Linux Account → Powerbroker → Powerbroker Controlled Linux Accounts)
• Controls Access to Accounts and Functions
  – Powerbroker Policies Map Predefined Accounts and Functions
• “customer”: Read Only Access to All Database Objects, Access to Oracle Applications Interface Tables
• “impanalyst”: Read Only Access to Product, Write Access to XBOL_TOP
• “impdba”: Write Access to Product, XBOL_TOP
  – “impdba” is now available. 2 accounts will be granted with ‘impdba’ access initially. If more accounts are needed with this profile for the same customer, the exception will be requested by the SDM and it will be subject to approval.
Linux Map – Non-Privileged

Account: Named Linux Account (Varies)
PB Policy: customer
DB Tier: NA
Mid Tier: P, NP*
Directory / Schema:
  Requested via the Oracle On Demand oSDM
  SSH Based
  Standard Linux Command Set
  Default Login Directory
    – Full Access
  Standard File Systems
    – UID, GID Ranges Distinct From All Others
    – “world” Privilege Mask Applies

* P=Production, NP=Non-Production
Linux Map - Controlled

Account: apd<4 char custid>i
PB Policy: impdba, impanalyst
DB Tier: NA
Mid Tier: NP
Directory / Schema:
  AKA “applmgr” Account, Linux Side
  Powerbroker Controlled
    – SSH to Named Linux Account
    – Invoke Powerbroker Policy
  APPL_TOP (/SID/applmgr)
    – Full Access
  Special Operations Notes
    – Only Two Individual Linux Accounts Allowed to Access
    – Must File Informational SR When Modifying Files In APPL_TOP

Account: apt<4 char custid>i
PB Policy: impdba, impanalyst
DB Tier: NA
Mid Tier: NP
Directory / Schema:
  Same as Above, Applied to Test

Account: inf<4 char custid>i
PB Policy: impanalyst, impdba
DB Tier: NA
Mid Tier: P, NP
Directory / Schema:
  See FTP Slides For Full Details
    – FTP Server Treatment For This Account Different Than DB, iAS Servers
Controlled Account Access Procedure: Non-Production
• SSH Login to Target Server With Named Linux Account
• Invoke Powerbroker
  – General Format
    /usr/local/bin/pbrun <policy> -u [target user]
  – Specific Example: Dev Environment, “anon” 4 char custid
    /usr/local/bin/pbrun impanalyst -u apdanoni
• All Standard Linux Commands Available
• Perform Unix Commands
  – Keystroke Logging Is Active
• To Access Database or Oracle Applications, Use Password Manager
  – General Format
    /usr/local/bin/pbrun <PB Policy> password-manager <Target Instance>
  – Example: policy:impanalyst, instance:ppmpti
    /usr/local/bin/pbrun impanalyst password-manager ppmpti
• Exit the Powerbroker Run Command
  – Type “exit” on the Unix Command Line
• SSH Logout
Controlled Account Access Procedure: Production
• SSH Login to Target Middle Tier Server With Named Linux Account
  – View Only Configuration
• Used To Access BOLINF and RAC_ACCNT
• Invoke Password Manager
  – General Format
    All Passwords: /usr/local/bin/pbrun <PB Policy> password-manager <Target Instance>
    Single Password: /usr/local/bin/pbrun <PB Policy> password-manager <Target Instance> <Type>
  – Example: policy:impdba, instance:ppmpti, type:bolinf
    All: /usr/local/bin/pbrun impdba password-manager ppmpti
    Single: /usr/local/bin/pbrun impdba password-manager ppmpti bolinf
• Invoke Sql*plus
  – Use Data Returned from Password Manager
• Logout From Sql*plus
• SSH Logout
Technology Stack Map - DB

Account: BOLINF
PB Policy: Customer
DB Tier: P, NP
Mid Tier: P, NP
Directory / Schema:
  Sqlnet Based
    – Any In Non-Production
    – ADI, ADE, and Discoverer Only in Prod
  Standard Interface Table
    – Read, Write, Delete
  Custom Schema
    – Full Access Including DML and DDL

Account: RAC_ACCNT
PB Policy: Customer
DB Tier: P, NP
Mid Tier: P, NP
Directory / Schema:
  Sqlnet Based
    – Any In Non-Production
    – ADI, ADE, and Discoverer Only in Prod
  All Database Tables
    – Read

Account: APPS
PB Policy: impdba
DB Tier: NA
Mid Tier: NP Only
Directory / Schema:
  Usage Constrained by CEMLI Guidelines and Practices
Technology Stack Map – iAS / Portal

Account: portal30
PB Policy: TBD
DB Tier: NA
Mid Tier: P, NP
Directory / Schema:
  Not Relevant for Standard EBSO
    – Associated only if Customer Runs Portal 3.0.9 with EBSO

Account: Portal30_sso
PB Policy: TBD
DB Tier: NA
Mid Tier: P, NP
Directory / Schema:
  Not Relevant for Standard EBSO
    – Associated only if Customer Runs Portal 3.0.9 with EBSO

• Oracle EBSO Application Server (iAS) Specific Access and Functionality Provided By BOL_SETUP Account via Oracle Applications GUI as Detailed on Following Slides
  – Examples:
    • Form Registration
    • Report Registration
Oracle Applications Administration Map

Account: BOL_SETUP
PB Policy: impdba
DB Tier: NA
Mid Tier: P*, NP
Directory / Schema:
  Oracle Applications GUI Responsibilities
    – System Administrator: NP
    – *Application Administrator: P (Consists of On Demand Specified Subset of System Administrator)
  Special Operations Notes
    – Must File Informational SR When Performing Any “High Impact” Change as Defined in the “Oracle Applications System Administrator’s Guide”
    – Must Run OEM Alert Toggle Prior to Starting or Stopping any Oracle Application Processes
OEM Blackout Command Line Interface (CLI)
• Blackout Tool Prevents False Monitor Alerts
• Synchronized with Service Request Systems
• Accessible via the “impdba” Powerbroker Policy
  – Specifics Subject To Change During Phased Rollout
• Command: blackout_ctl
  – Parameters:
    • Task [start | stop]
    • Option [full | target | all_except_host]
    • Duration (-d) [day HH:MM]
    • User Name (-u)
    • Reason (-r) [db_patch | app_patch | os_patch | agent_patch | maint | unsched]
    • Change Management Number (-cm) (optional)
    • Ticket Number (-t) (optional)
    • Comment (-c) (optional)
  – Help Facility:
    blackout_ctl help
OEM Blackout CLI
• Command: blackout_ctl (Cont’d)
  – Line Mode example:
    blackout_ctl start full -d 5 05:30 -u username -r db_patch -cm 333333 -t 88888888.999 -c “scheduled”
  – Interactive Example:
    blackout_ctl
    Please enter all required fields....
    Task [start | stop]:
    Option [full | target | all_except_host]:
    Duration [day HH:MM]:
    User Name:
    Reason [db_patch | app_patch | os_patch | agent_patch | maint | unsched]:
    Change Management Number (optional):
    Ticket Number (optional):
    Comment (optional):
OEM Blackout CLI Procedure: Non-Production
• SSH Login to Target Server With Named Linux Account
• Invoke Powerbroker
  – Example: “impdba” Policy, Dev Environment, “anon” 4 char custid
    /usr/local/bin/pbrun impdba -u apdanoni
• Blackout the Required Environment
  – Example: Start A Full OEM Blackout for 4.5 Days Under Username “smith” for a database patch with change management approval number “1776” Related to Service Request 12345678.999 With the Comment “Fixing It”
    blackout_ctl start full -d 4 12:00 -u smith -r db_patch -cm 1776 -t 12345678.999 -c “Fixing It”
• Perform Necessary Activity
• Exit the Powerbroker Run Command
  – Type “exit” on the Unix Command Line
• SSH Logout
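The blackout_ctl parameter list and the non-production procedure above are the only specification of the tool on these slides. The following is an added example, not part of the Oracle On Demand deck and not the blackout_ctl tool itself: a small front end that checks every field against the value sets printed on the slide before anything reaches blackout_ctl, and converts the "day HH:MM" duration into minutes so a request can be compared with the window approved on its ticket. It assumes the field order and value sets are exactly those on the slide, and that blackout_ctl is only reachable inside the "impdba" Powerbroker policy; the within_window helper and its minute budget are this example's own addition.

```shell
#!/bin/sh
# Added example (not the deck's own code): validate blackout_ctl fields and
# durations before invoking the tool. Field names and value sets come from the
# slide; within_window and its minute budget are this example's assumption.

# Return 0 when $1 is one of the space-separated words in $2.
in_set() {
    for w in $2; do [ "$1" = "$w" ] && return 0; done
    return 1
}

# Strip one leading zero so "05" is not read as octal by $(( )).
dec() { n=${1#0}; echo "${n:-0}"; }

# "day HH:MM" -> total minutes; fails on a non-numeric day or an invalid clock.
duration_minutes() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    case "$2" in [0-9][0-9]:[0-9][0-9]) ;; *) return 1 ;; esac
    hh=$(dec "${2%%:*}"); mm=$(dec "${2##*:}")
    [ "$hh" -le 23 ] && [ "$mm" -le 59 ] || return 1
    echo $(( $(dec "$1") * 1440 + hh * 60 + mm ))
}

# Validate the fields and print the argument line for blackout_ctl.
# Positional order: task option day HH:MM user reason [cm] [ticket] [comment]
blackout_args() {
    task="$1" option="$2" day="$3" hhmm="$4" user="$5" reason="$6"
    cm="$7" ticket="$8" comment="$9"
    in_set "$task" "start stop" \
        || { echo "task must be start|stop, got '$task'" >&2; return 1; }
    in_set "$option" "full target all_except_host" \
        || { echo "option must be full|target|all_except_host, got '$option'" >&2; return 1; }
    in_set "$reason" "db_patch app_patch os_patch agent_patch maint unsched" \
        || { echo "unknown reason '$reason'" >&2; return 1; }
    duration_minutes "$day" "$hhmm" >/dev/null \
        || { echo "duration must be '<day> HH:MM', got '$day $hhmm'" >&2; return 1; }
    [ -n "$user" ] || { echo "user name is required" >&2; return 1; }
    args="$task $option -d $day $hhmm -u $user -r $reason"
    [ -n "$cm" ] && args="$args -cm $cm"
    [ -n "$ticket" ] && args="$args -t $ticket"
    [ -n "$comment" ] && args="$args -c \"$comment\""
    echo "$args"
}

# Refuse a duration longer than the approved window ($3, in minutes).
within_window() {
    m=$(duration_minutes "$1" "$2") || return 1
    [ "$m" -le "$3" ]
}

# Usage (inside "pbrun impdba -u apdanoni"):
#   blackout_args start full 4 12:00 smith db_patch 1776 12345678.999 "Fixing It"
# prints: start full -d 4 12:00 -u smith -r db_patch -cm 1776 -t 12345678.999 -c "Fixing It"
```

Because the line is printed rather than executed, the operator still types the blackout_ctl command inside the Powerbroker session and the keystroke log records exactly what ran; the front end only stops a malformed or over-long request from being attempted in the first place.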
File Transfers - FTP
• This Section Represents FTP in the @Oracle Model Only
• @Customer, the Customer is Solely Responsible for Implementing and Maintaining a File Transfer Model Specific to the Needs of Their Customer Application.
FTP Architecture – Two Tier (diagram)
Components shown: Oracle hardware VPN; FTP01 (SSH / FTP, customer directory structure); Customer DB Server; Customer iAS Server; Net Apps file system shared over NFS (directory structure); outer firewall and inner firewall; Customer hardware VPN and Customer intranet. Links are labelled SSH and SSH/FTP. Note on the slide: 5 min. sweepers transfer from /src to the appropriate $XBOL_TOP.
FTP Architecture – DMZ Configuration (diagram)
The text labels are the same as on the two-tier diagram (Oracle hardware VPN, FTP01 with SSH / FTP and the customer directory structure, Customer DB Server, Customer iAS Server, Net Apps file system over NFS, outer and inner firewall, Customer hardware VPN and intranet, SSH and SSH/FTP links, 5 min. sweepers from /src to the appropriate $XBOL_TOP); the DMZ placement of the components is only visible in the original graphic.
FTP Connection Types & Transfer Programs
• Secure Shell (SSH)
  – Secure Copy (SCP) May be Used to Transfer Data Within an SSH Connection to FTP01
• File Transfer Protocol (FTP) Based
  – “ftp” Command Invoked Within an SSH Connection
  – Native “ftp” Invoked From the Customer’s Desktop
  – Native “ftp” Based Desktop Programs
    • There Are a Number of These
    • Typically add a Graphical User Interface (GUI)
    • May Also Provide File Transfer Interrupt / Resume Function
  – Secure FTP (sftp)
FTP Account & File Types
• Uses a Single Login to FTP01
  – Userid Format is: inf(4 char custid)i
  – Password Format is: inf(4 char custid)i
  – Example: Customer “Anonymous” → “infanoni”
• Allowed File Types
  – Dev, Test
    • *.rdf, *.fmb, *.fmx, *.ctl, *.sh, *.sql (Specific Function)
    • *.dat, *.csv (Data)
  – Prod
    • *.dat, *.csv (Data Only)
FTP Directory Structure
• FTP01 Customer Visible Directory Structure
  – Root is “/interface/inf(4 char custid)i”
  – Then Varies by Instance SID
  – Then “incoming”, “outgoing”, “archive”, “src”, “bad”

/interface/inf(4 char custid)i
  /(DEV SID)
    /incoming
    /outgoing
    /archive
    /src
    /bad
  /(TEST SID)
    /incoming
    /outgoing
    /archive
    /src
    /bad
  /(PROD SID)
    /incoming
    /outgoing
    /archive
    /src
    /bad
FTP Inbound Move Automation
• Files Automatically Moved From FTP01 Directory Structure to Customer iAS Server on 5 Minute Interval
  – Test & Dev
    • *.rdf → $XBOL_TOP/reports/US
    • *.fmb → $XBOL_TOP/forms/US/resource
    • *.fmx → $XBOL_TOP/forms/US
    • *.ctl → $XBOL_TOP/bin
    • *.sh → $XBOL_TOP/bin
    • *.sql → $XBOL_TOP/sql
    • *.dat → /interface/inf(4 char custid)i/(SID)/incoming
    • *.csv → /interface/inf(4 char custid)i/(SID)/incoming
  – Prod
    • *.dat → /interface/inf(4 char custid)i/(SID)/incoming
    • *.csv → /interface/inf(4 char custid)i/(SID)/incoming
FTP Miscellaneous
• May send checksum file with data file for optional customer verification before loading data
  – File name = datafile_name.sum
• Data transfer complete validated by CRON script
  – No data written in last 2 minutes
• Oracle Applications Programmatic Interface Used to Load Data Into Database
• Implementation Team Should Provide Detail of Invalid Data Loads
FTP Inbound Process
• Open an FTP Session on Oracle Outsourcing FTP01
  – Username/Password Example: “infanoni/infanoni”
• Navigate to the Appropriate Directory As Described Earlier
  – /src: *.rdf, *.fmb, *.fmx, *.ctl, *.sh, *.sql
  – /incoming: *.dat, *.csv
• Transfer Data
• CRON Script Moves Data As Described Earlier
• Execute API to import data into database
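The inbound move automation, the FTP miscellaneous notes (datafile_name.sum and the two-minute quiet period) and the inbound process above together describe one pipeline: the implementer uploads into /src or /incoming, and a cron-driven sweeper on the Oracle side routes complete files to their targets. The following is an added example, not Oracle On Demand's own sweeper and not code from the deck, that puts those three slides into one runnable script: the sender-side step that writes the .sum companion, the extension-to-target map with the production "data only" restriction, the "no data written in the last 2 minutes" completeness rule, and the checksum check. Two details are assumptions this example makes, since the slides do not state them: the .sum file holds "<sha256>  <filename>" as written by sha256sum, and files that fail a check are parked in the sibling /bad directory shown on the directory structure slide.

```shell
#!/bin/sh
# Added example (not Oracle On Demand's sweeper): one cron-style pass over an
# FTP01 /src or /incoming directory, applying the slide's extension-to-target
# map, the 2-minute quiet period and the optional datafile.sum check.
# Assumed (not on the slides): .sum holds "<sha256>  <name>" from sha256sum,
# and rejected files are moved to the sibling /bad directory.

# Sender side: write datafile.sum beside the data file before uploading it.
make_sum() {
    ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" > "$(basename "$1").sum" )
}

# Print the destination for environment (dev|test|prod) and extension;
# return 1 when that type is not allowed there (prod accepts data only).
inbound_dest() {
    env="$1" ext="$2" xbol_top="$3" incoming="$4"
    case "$env:$ext" in
        dev:rdf|test:rdf) echo "$xbol_top/reports/US" ;;
        dev:fmb|test:fmb) echo "$xbol_top/forms/US/resource" ;;
        dev:fmx|test:fmx) echo "$xbol_top/forms/US" ;;
        dev:ctl|test:ctl|dev:sh|test:sh) echo "$xbol_top/bin" ;;
        dev:sql|test:sql) echo "$xbol_top/sql" ;;
        dev:dat|test:dat|prod:dat|dev:csv|test:csv|prod:csv) echo "$incoming" ;;
        *) return 1 ;;
    esac
}

# A transfer counts as complete when nothing has modified the file for 2 minutes.
file_is_complete() {
    [ -n "$(find "$1" -prune -mmin +2 2>/dev/null)" ]
}

# When a companion .sum exists, its recorded hash must match the data file.
checksum_ok() {
    [ -f "$1.sum" ] || return 0
    expected=$(cut -d' ' -f1 < "$1.sum")
    actual=$(sha256sum < "$1" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Move every complete, allowed, checksum-valid file in $2 to its target and
# anything rejected to ../bad. Prints one "<name> -> <dest>" line per move.
sweep_dir() {
    env="$1" srcdir="$2" xbol_top="$3" incoming="$4"
    bad="$(dirname "$srcdir")/bad"
    mkdir -p "$bad"
    for f in "$srcdir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.sum) continue ;; esac       # travels with its data file
        file_is_complete "$f" || continue          # still being written; next sweep
        if dest=$(inbound_dest "$env" "${f##*.}" "$xbol_top" "$incoming") \
           && checksum_ok "$f"; then
            mkdir -p "$dest"
        else
            dest="$bad"
        fi
        mv "$f" "$dest/"
        [ -f "$f.sum" ] && mv "$f.sum" "$dest/"
        echo "$(basename "$f") -> $dest"
    done
}

# Usage (cron, every 5 minutes, for customer "anon"):
#   sweep_dir dev /interface/infanoni/DEV/src "$XBOL_TOP" /interface/infanoni/DEV/incoming
```

Rejects are kept rather than deleted so the implementation team can report invalid loads, as the miscellaneous slide asks; a file that is merely still being written is left in place and picked up by the next sweep, which is what the two-minute rule exists for.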
FTP Outbound Process
• Account Notes
  – Either the RAC_ACCNT or BOLINF May Be Used To Generate The Output File in the Linux File System.
  – In Order to Submit the Concurrent Manager Job to Transfer the File, Your Individual Application User Account Must Have the “Application Administrator” Responsibility
• Coordinate The Assignment Of “Application Administrator” Responsibility With the Customer Representatives

FTP Outbound Process (Cont’d)
• Submit Concurrent Manager “BOL – FTP process” Request With The Following:
  – Ttype: Path of the FTP server where the file will be transferred from the EBSO server
    • E.g.: /interface/inf(4 char custid)i/(Target SID)/outgoing
  – File: Name of the file to be transferred
    • E.g.: filename.out
  – File Location: Path to File on Customer EBSO Server
    • E.g.: /(Target SID)/applcsf/out
  – Enable Timestamp: Option to enable a timestamp
    • Values: No/Yes
  – Enable Checksum: Option to enable a checksum
    • Values: No/Yes
• Open FTP Session on Oracle On Demand FTP01
• FTP File from Oracle On Demand FTP01 (Download)