Integrating Oracle Forms with IAM Cloud Service

Oracle Forms supports using Oracle Identity and Access Management (IAM) Cloud Service to provide identity management, single sign-on (SSO), and identity governance for Forms applications.

To take advantage of IAM functionality, Oracle Forms applications must be launched using Java Web Start or Forms Standalone Launcher. Launching applications using the embedded applet configuration in Microsoft Internet Explorer or Edge (with IE-mode) is not supported.

To configure Oracle Forms with IAM, you'll need to perform these tasks:

  • Create an application on the IAM server
  • Create an App Gateway
  • Set up the App Gateway Client using Docker
  • Enable SSO in an Oracle Forms application

These instructions assume that the IAM App Gateway will be configured on a Linux operating system.

Refer to the IAM documentation for additional details.

Before You Begin

Before you begin, make sure you have the necessary privileges and certificates.

You'll need:

  • Administration privileges in the IAM Service environment
  • Privileges to download and configure the IAM App Gateway on the middle tier or the desired alternative server where App Gateway will be configured
  • Privileges to access and make administrative changes to the middle tier software—in this case, Oracle Forms
  • A current SSL/TLS certificate (from a trusted CA) associated with the host that will be running the App Gateway client and/or the Forms middle tier. (Recommended but not required)

Enable IAM Integration in Oracle Forms

Now that the IAM App Gateway has been configured, configure Forms to use it.

To enable IAM for Forms:
  1. Using Fusion Middleware Control, access the Forms Web Configuration settings page.
  2. From the menu on the upper left side, expand the Forms node, then click the forms instance to be modified (for example, forms1).
  3. Click Web Configuration to access the administration screen.
  4. On the upper right side, click the padlock icon then select Lock & Edit.
  5. In the upper table, select the desired Section Name to be used with IAM. If enabling for all, select default.
  6. Scroll down to the lower table and expand the pop-list labeled "Show" and select sso from the list.
  7. Set the value of ssoMode to TRUE.
  8. If you plan to use Java Web Start to launch the applications, click Add at the top of the parameters table, then add the parameter webstart_codebase.

    The value is the URL pointing to the Forms codebase, but use the IAM host and port. For example:

    https://<IAM AppGateway host>:<port>/forms/java

  9. Click Apply above the current table.
  10. On the upper right side, click the padlock icon then select Activate Changes.
  11. To run your Forms app, use this format:
    https://<IAM AppGateway host>:<port>/forms/frmservlet?config=<Forms config name>
  12. Perform these steps to enable the JWS setting to automatically remove the downloaded jnlp file after it has been launched. Since the Java Web Start jnlp file cannot be reused, there is no reason to retain it after it has been used.
    This will help to improve the user’s experience by not creating duplicate files, as well as improve security.

    Note:

    These steps are recommended if this is an upgraded domain. For new installations and new domains, this is configured by default.
    1. In Fusion Middleware Control, navigate to the forms instance (for example, forms1) associated with this IAM configuration.
    2. From the Forms drop-down list, select Advanced Configuration.
    3. From the Activate Edit Session switch (padlock upper right side), select Lock & Edit.
    4. From Select Category, select Client Templates.
    5. From Select File, select either:
      • base.jnlp or webutil.jnlp if using a WebUtil enabled app
      • Your own custom jnlp template if one was created and is in use
    6. Add the following to the <resources> section of the template exactly as it appears here:
      <property name="jnlp.delete.jnlp.file" value="true"/>
  13. Click Apply to save the change.
  14. Using the Activate Edit Session switch (padlock upper right side), select Activate Changes.
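The two settings in the procedure that live in files rather than in the Fusion Middleware Control forms are the Java Web Start codebase (step 8) and the jnlp.delete.jnlp.file property in the client template (step 12). The following script, added here as an example and not part of Oracle's documentation or product, lints a JNLP client template for both and adds the property when it is missing, which is useful after an upgrade when custom templates must be checked by hand. The template, host names and port are constructed placeholders; real base.jnlp and webutil.jnlp templates carry more elements, but the script only relies on the jnlp root's codebase attribute and on its <resources> child.

```python
"""Lint a Forms JNLP client template (base.jnlp, webutil.jnlp or a custom
template) for the two settings the IAM procedure configures:
  - the codebase should point at the IAM App Gateway host over https;
  - <resources> should carry jnlp.delete.jnlp.file=true.
Added example, not Oracle's code. Assumes the template is plain, un-namespaced
XML, as in the constructed sample below."""
import xml.etree.ElementTree as ET
from typing import List
from urllib.parse import urlsplit

DELETE_PROP = "jnlp.delete.jnlp.file"
XML_DECL = '<?xml version="1.0" encoding="UTF-8"?>\n'

# Constructed sample in the shape of an upgraded-domain template that still
# lacks the delete property. Host name and port are placeholders.
SAMPLE_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="https://appgw.example.com:4443/forms/java" href="">
  <information>
    <title>Oracle Forms Services</title>
    <vendor>Oracle Corporation</vendor>
  </information>
  <resources>
    <java version="1.8+"/>
    <jar href="frmall.jar" main="true"/>
  </resources>
  <application-desc main-class="oracle.forms.engine.Main"/>
</jnlp>
"""


def has_delete_property(xml_text: str) -> bool:
    """True when <resources> already carries jnlp.delete.jnlp.file=true."""
    root = ET.fromstring(xml_text)
    resources = root.find("resources")
    if resources is None:
        return False
    return any(
        p.get("name") == DELETE_PROP and p.get("value", "").lower() == "true"
        for p in resources.findall("property")
    )


def ensure_delete_property(xml_text: str) -> str:
    """Return the template with the property added (or corrected). Idempotent."""
    root = ET.fromstring(xml_text)
    resources = root.find("resources")
    if resources is None:
        raise ValueError("template has no <resources> section to add the property to")
    for prop in resources.findall("property"):
        if prop.get("name") == DELETE_PROP:
            prop.set("value", "true")  # present but wrong value: fix in place
            break
    else:
        ET.SubElement(resources, "property", name=DELETE_PROP, value="true")
    return XML_DECL + ET.tostring(root, encoding="unicode")


def codebase_findings(xml_text: str, gateway_host: str) -> List[str]:
    """Findings about the jnlp codebase attribute relative to the App Gateway host."""
    root = ET.fromstring(xml_text)
    url = urlsplit(root.get("codebase", ""))
    findings = []
    if url.scheme != "https":
        findings.append(f"codebase scheme is '{url.scheme or 'missing'}', expected https")
    if (url.hostname or "").lower() != gateway_host.lower():
        findings.append(f"codebase host '{url.hostname}' is not the App Gateway host '{gateway_host}'")
    if not url.path.rstrip("/").endswith("/forms/java"):
        findings.append(f"codebase path '{url.path}' does not end in /forms/java")
    return findings


def lint(xml_text: str, gateway_host: str) -> List[str]:
    """All findings for a template; an empty list means it matches the procedure."""
    findings = codebase_findings(xml_text, gateway_host)
    if not has_delete_property(xml_text):
        findings.append('<resources> lacks <property name="' + DELETE_PROP + '" value="true"/>')
    return findings


if __name__ == "__main__":
    for line in lint(SAMPLE_TEMPLATE, "appgw.example.com"):
        print("finding:", line)
    print(ensure_delete_property(SAMPLE_TEMPLATE))
```

Run lint() over each template named in step 5 with the App Gateway host users put in the URL; a non-empty list is the to-do for that template. ensure_delete_property() writes the property exactly as step 6 shows it, and running it twice leaves a single property, so it is safe to apply to templates that were already edited by hand.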

Notes and Limitations

Review these notes when using IAM with Oracle Forms:

  • The use of Microsoft Internet Explorer or Microsoft Edge with IE-mode is not supported with this configuration.
  • The Oracle Cloud tenancy used for this configuration must offer Identity and Access Management (IAM) and not its predecessor Identity Cloud Service (IDCS). If your tenancy requires the creation of an Identity Domain, you are using IAM.
  • The use of a self-generated SSL/TLS certificate, as instructed in this document, will result in various warnings during application startup. It is therefore recommended that a certificate be obtained from a known and trusted certificate authority.
  • The use of the provided Fusion Middleware SSL/TLS Demo/Example certificate is not supported for use with this configuration.
  • It may not be possible to use a self-generated SSL/TLS certificate if launching applications using the Forms Standalone Launcher (FSAL). A certificate provided by a known and trusted CA, as described above, should be used.

Troubleshooting

If you encounter issues with the implementation, review these issues and causes before contacting Oracle Support.

Each entry lists when the issue occurs, the issue or error, its possible causes, and the corrective actions.

Setup: The PATCH payload is invalid. The "op" or "Operations" attribute can't be null or empty.
  Possible causes:
    • The Edit panel Save button was pressed, but no changes were made.
    • You attempted to add a Resource or Policy without first saving previous changes.
  Corrective actions:
    • Use the Cancel link rather than Save if no changes were entered.
    • Cancel current changes and save previous changes. Reattempt to add new changes.

Runtime: HTTP-502 (Bad Gateway)
  Possible causes:
    • Forms Managed Server is not running.
    • WLS Managed Server is not accessible by the App Gateway client.
  Corrective actions:
    • Verify the Managed Server is running.
    • Verify the firewall (OS and/or external) allows communication, on the required ports, between the App Gateway client and the middle tier server, and between IAM Cloud Service and the App Gateway client.
    • Verify the setting for the Origin server is correct.

Runtime: HTTP-504 (Gateway Time-out)
  Possible cause:
    • Origin server (Forms middle tier) not accessible.
  Corrective actions:
    • Verify the setting for the Origin server is correct.
    • Verify the managed server is running.
    • Verify the managed server port is accessible through the firewall.

Runtime: "No subject alternative names present." or "FRM-92575: SSL/TLS hostname verification failed."
  Possible causes:
    • You are using a self-generated SSL certificate or a certificate that is not properly formatted.
    • The server name (App Gateway client machine) and the server name used in the SSL certificate do not match.
  Corrective actions:
    • Obtain a certificate from a trusted Certificate Authority (CA).
    • Ensure the server name used with the certificate request matches the server name (in the URL) on which the IAM App Gateway is running.

Runtime: "FRM-93261: JNLP file launched from unexpected IP address"
  Possible causes:
    • You copied the downloaded jnlp file (if configured to use Java Web Start) and moved it to another machine.
    • The administrator has enabled the jnlpMatchIP setting (set to TRUE).
  Corrective actions:
    • Do not copy or move the downloaded jnlp file to another machine, as this is not supported.
    • Disable (set to FALSE) the Forms Web Configuration parameter jnlpMatchIP.

Runtime: Java error indicating that extensions.jnlp cannot be downloaded when trying to run with Java Web Start.
  Possible cause:
    • App Gateway client not running on the same host as the middle tier.
  Corrective actions:
    • Verify that extensions.jnlp exists on the server and that its file permissions allow it to be read.
    • Verify the file can be downloaded from a web browser. Use the same protocol, IAM server hostname, and port used by the App Gateway client.
    • Set the Forms Web Configuration parameter webstart_codebase. The value should reflect the same protocol, IAM server, and port used by the App Gateway client.
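The "No subject alternative names present" and FRM-92575 entries both come from hostname verification: the Java client compares the host in the launch URL with the DNS names in the certificate's subjectAltName extension, and a certificate with no such extension, or with names that do not cover the App Gateway host, fails. The script below, added as an example and not Oracle's code, reproduces that check offline so an administrator can see which of the two causes applies before requesting a new certificate. It works on the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns for a validated peer; the two certificates in it are constructed placeholders, and the wildcard rule (one wildcard as the whole left-most label) is an assumption that follows common practice rather than anything stated on this page.

```python
"""Reproduce the client's SAN hostname check for an App Gateway certificate.
Added example, not Oracle's code. Input is the dict shape returned by
ssl.SSLSocket.getpeercert() for a validated peer."""
from typing import List, Tuple

# Constructed sample: a certificate issued with only a Common Name and no
# subjectAltName extension, the shape that triggers the first error message.
CERT_NO_SAN = {
    "subject": ((("commonName", "appgw.example.com"),),),
    "issuer": ((("commonName", "Example Internal CA"),),),
}

# Constructed sample: a certificate whose SAN names the gateway host and a wildcard.
CERT_WITH_SAN = {
    "subject": ((("commonName", "appgw.example.com"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "subjectAltName": (
        ("DNS", "appgw.example.com"),
        ("DNS", "*.internal.example.com"),
    ),
}


def dns_names(cert: dict) -> List[str]:
    """The dNSName entries of the SAN extension, or an empty list if absent."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def _name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match; a wildcard covers exactly one left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        p_labels, h_labels = p.split("."), h.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return p == h


def diagnose(cert: dict, url_host: str) -> Tuple[str, str]:
    """Classify the certificate against the host users put in the launch URL.

    Returns one of NO_SAN, MISMATCH or OK with a one-line explanation that maps
    to the troubleshooting entries above."""
    names = dns_names(cert)
    if not names:
        return ("NO_SAN",
                "certificate has no SAN dNSName entries; clients report "
                "'No subject alternative names present'. Reissue it from a trusted CA "
                "with the App Gateway host name in the SAN.")
    if any(_name_matches(n, url_host) for n in names):
        return ("OK", f"{url_host} is covered by SAN {names}")
    return ("MISMATCH",
            f"URL host {url_host} is not covered by SAN {names}; clients report "
            "FRM-92575. Request the certificate for the host name used in the URL.")


if __name__ == "__main__":
    for label, cert in (("no-SAN cert", CERT_NO_SAN), ("SAN cert", CERT_WITH_SAN)):
        for host in ("appgw.example.com", "gateway.example.com"):
            status, why = diagnose(cert, host)
            print(f"{label:11s} {host:22s} {status:8s} {why}")
```

On a live system the dictionary comes from getpeercert() after a handshake that already validated the chain; a self-signed gateway certificate fails that earlier step, which is the separate reason the notes above recommend a CA-issued certificate. The check is deliberately about the name in the URL, not the machine's own hostname: users reach the gateway through whatever name sits in webstart_codebase and the frmservlet URL, and that is the name the certificate request must carry.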