The ins & outs of mobile applications for Oracle EBS
Published: Author: Richard Velden Category: Oracle
In this article we will discuss the mobile applications from Oracle, currently available for Oracle E-Business Suite (EBS). We will provide an overview of the technical architecture, distribution and security of these mobile applications. How can these apps be secured, who is allowed access, how are apps distributed, and how do we keep control?
1st of October 2014: Oracle announced 14 smartphone applications for Oracle E-Business Suite.
“These new applications provide simple, actionable, on-the-go access to horizontal functions such as approvals, expenses, timecards, and employee requisitions as well as…” They are available at no additional cost, for versions Oracle E-Business Suite 12.1.3 and 12.2.
These applications have been built with Oracle Mobile Application Framework (MAF). This framework simplifies mobile development with the ability to build once and deploy to multiple platforms [1].
Technical Architecture
How does this work technically?
Basically we have:
- An application providing REST services
- A mobile app consuming these REST services
For some more detail we’ll first discuss the Oracle Mobile Application Framework architecture itself.
Oracle Mobile Application Framework Architecture
Oracle’s own Mobile Application Framework (MAF) was introduced (in its current form) in 2014.
It enables developers to build a mobile application once, and deploy it to multiple device types (iOS/Android/Windows). Internally it leverages device services by means of Cordova (f.k.a. PhoneGap). This JavaScript library allows access to device capabilities such as camera / phone / contact lists etc.
Various other components such as a Java VM and a SQLite database complete this, providing a platform for developers to quickly assemble mobile applications. For integration purposes the Java VM enables the framework to consume SOAP and REST services [4].
On the other side we have the server backend, Oracle E-Business Suite.
EBS Integration Architecture
Oracle EBS is a database application, with both a Forms and a web-based (OAF) frontend. Integration has been implemented using the ‘Integrated SOA Gateway’ (ISG). It enables other applications to communicate with Oracle EBS using SOAP or REST protocols.
Using the ISG, many of the standard PL/SQL APIs have been service-enabled [5].
Bringing both architectures together, we get the EBS Mobile Architecture.
EBS Mobile Architecture
“Oracle E-Business Suite mobile apps interact with the middle tier through REST-based data services and security services.”
When a user opens the mobile app, the security services are invoked for authentication. Once the login is successful the user can use the app, and the other Oracle E-Business Suite REST data services (see fig 7) [6].
These services are exposed using the Integrated SOA Gateway. Conceptually they are divided into Data services and Security services.
Security Services are displayed in a separate category through the Integration Repository (see figure 8). They are predefined, pre-deployed REST services. Unlike other services these are by default granted to all users. With security services the mobile apps can authenticate user credentials and initialize application sessions [8, 9].
EBS Mobile Security
Authorization: who is allowed to use which mobile applications?
Each mobile app (except for the Approvals app) requires users to be assigned an ‘app specific’ role in Oracle User Management (UMX). Without the appropriate role, a user has no access to the mobile app.
- Mobile Time Entry UMX|HXC_MBL_TIME_ENTRY
- OLM Learner Mobile Application Role UMX|MBL|OTA_LRNR_MOB_ACC
- Access Role for Person Directory Mobile App UMX|MBL|PERSON_DIRECTORY_APP_ACCES
- iProcurement Mobile App Enquiry Role UMX|ICX_MBL_REQ_ENQUIRY
- Purchasing Mobile App Role UMX|PO_MOBILE_APP_ROLE
- Etc.
For some apps, additional setup is also required before the mobile application will function properly. More on that can be found on My Oracle Support (Doc ID: 1641772.1).
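An added example, not part of the original article or of Oracle's documentation: a read-only query to review who currently holds the mobile app roles listed above. It assumes the standard EBS directory objects WF_USER_ROLE_ASSIGNMENTS and FND_USER are readable from the APPS schema; the 90-day dormancy threshold is an arbitrary choice, and the role list covers only the codes named in this article.

```sql
-- Added example: active holders of the mobile app roles named in this article.
-- Assumption: WF_USER_ROLE_ASSIGNMENTS and FND_USER are queried read-only as APPS.
SELECT  ura.role_name,
        ura.user_name,
        ura.assigning_role,            -- differs from role_name when the role is inherited
        ura.effective_start_date,
        ura.effective_end_date,
        fu.end_date          AS user_end_date,
        fu.last_logon_date,            -- last logon as recorded by EBS
        CASE
          WHEN fu.user_id IS NULL
            THEN 'NO_FND_USER'         -- directory entry without an EBS account
          WHEN fu.end_date IS NOT NULL AND fu.end_date <= SYSDATE
            THEN 'USER_END_DATED'      -- account closed, role still assigned
          WHEN fu.last_logon_date IS NULL
            OR fu.last_logon_date < SYSDATE - 90
            THEN 'DORMANT_90D'         -- assumed review threshold, adjust to policy
          ELSE 'OK'
        END                  AS review_flag
FROM    wf_user_role_assignments ura
LEFT JOIN fnd_user fu
       ON fu.user_name = ura.user_name
WHERE   ura.role_name IN (
          'UMX|HXC_MBL_TIME_ENTRY',
          'UMX|MBL|OTA_LRNR_MOB_ACC',
          'UMX|MBL|PERSON_DIRECTORY_APP_ACCES',
          'UMX|ICX_MBL_REQ_ENQUIRY',
          'UMX|PO_MOBILE_APP_ROLE'
        )
AND     SYSDATE BETWEEN NVL(ura.effective_start_date, SYSDATE - 1)
                    AND NVL(ura.effective_end_date,   SYSDATE + 1)
ORDER BY ura.role_name, review_flag DESC, ura.user_name;
```

Rows flagged other than 'OK' are candidates for revoking the mobile role in UMX; the Approvals app is not covered because it requires no app-specific role.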
Authentication: verify user identity
Users are authenticated using the authentication REST services discussed in the previous section on EBS Mobile Architecture. There are two authentication types available: HTTP Basic and Web SSO. HTTP Basic sends the username and password with the request in base64 encoding, which is not encryption, so it should only be used over HTTPS.
Oracle Mobile supports both types. Be aware that SSO is not really a single sign-on for all your EBS mobile apps: separate authentication per app is still needed. Web SSO also requires additional setup.
More information can be found at https://docs.oracle.com/cd/E18727_01/doc.121/e64384/T656045T656049.htm#mobile_eag, or in the ‘Oracle® E-Business Suite Mobile Apps Administrator's Guide’ [6].
EBS Mobile Network Security
Securing EBS functionality is one concern, and it can be arranged using Oracle EBS user management (UMX). As mentioned above, who can access which specific mobile application is also managed from UMX, by granting a separate ‘mobile role’ for each mobile application.
Network access to EBS, however, always (except for some modules) happens within the company firewall. For mobile devices, having actual physical access to the network on which Oracle EBS is running is a separate concern.
In the following diagram (see figure 9) we showcase three network security options:
- Option 1: setup VPN on smartphone, and access EBS
- Option 2: setup EBS with DMZ and connect using external access point
- Option 3: setup Oracle Mobile Security Suite’s Mobile Security Access Server (MSAS) on the DMZ and containerize EBS apps.
With option 3, all Oracle EBS mobile apps run within a container application. This container manages authentication and the secure connection to the backend (see figure 10) [7].
EBS Mobile Distribution
Distribution of mobile apps can be pretty straightforward. One can go into the commercially available app stores, download the app and use it. For corporate apps this can be applied, just as for ordinary consumer apps.
However:
- Are we in control, which versions do we support?
- Do we need to create our own corporate branded version?
- Once downloaded, users need to add the EBS endpoint URL
- Users might need to set up a VPN
- How to keep private and corporate data separate?
From Oracle E-Business Suite Mobile Foundation Release 4.0 it is possible to distribute Oracle’s apps internally. Oracle provides Mobile Application Archive (MAA) files for each of the mobile applications. These files allow distribution of the apps from the enterprise’s own site.
Apart from separate distribution, these MAA files also allow customization of Oracle’s mobile apps, albeit limited to adding your own corporate branding and changing some links. You could always customize more, but then you lose the guarantee that the app will still work after patches or updates [9, 10].
Oracle Mobile Security Suite
Oracle offers a comprehensive Mobile Security Suite for managing and deploying mobile apps. It is a separate product providing:
- An app catalog
- App containerization: apps are run within a separate secure container
- Secure workspace: embedded encryption to isolate and secure corporate data from personal data
- App tunnel: no need for separate VPN solution
Oracle EBS mobile apps can also be distributed using Oracle Mobile Security Suite (see figure 11). This enables true single sign-on capabilities, without the need for setting up a separate VPN tunnel on the mobile device [11, 12].
Follow up
In our next article we will discuss how to set up and enable one of the Oracle EBS mobile apps. Upcoming articles will focus on customization of these mobile applications and creating entirely new mobile apps for Oracle E-Business Suite.
References
[1] Oracle E-Business Suite Powers the Mobile Workforce with 14 Smartphone Applications, https://www.oracle.com/corporate/pressrelease/e-business-suite-100114.html
[2] Mobile App for Approvals for EBS 1.2.0 on iOS and Android, https://blogs.oracle.com/fusionmiddleware/entry/mobile_app_for_approvals_for
[3] Procurement for EBS, https://play.google.com/store/apps/details?id=com.oracle.ebs.prc.po.procurement&hl=en
[4] Introduction to Oracle Mobile Application Framework, http://docs.oracle.com/middleware/mobile200/mobile/develop-oepe/oepe-maf-about.htm
[5] Oracle Integrated SOA Gateway Architecture, http://www.slideshare.net/Berryclemens/con9437-ebs-mobile-apps-adf
[6] Oracle® E-Business Suite Mobile Apps Administrator's Guide, https://docs.oracle.com/cd/E18727_01/doc.121/e64384.pdf
[7] Oracle Mobile Security, http://www.oracle.com/us/products/middleware/identity-management/mobile-security/overview/index.html
[8] Timecards for EBS, https://play.google.com/store/apps/details?id=com.oracle.ebs.hr.hxc.timecards&hl=en_GB
[9] New Technology Features in EBS Mobile Apps Release 4.0, https://blogs.oracle.com/stevenChan/entry/oracle_e_business_suite_mobile
[10] Oracle® E-Business Suite Mobile Foundation Developer's Guide, http://docs.oracle.com/cd/E18727_01/doc.121/e69284.pdf
[11] Mobile Application Management (MAM) Support with Oracle Mobile Security Suite, https://docs.oracle.com/cd/E18727_01/doc.121/e64384/T656045T656052.htm
[12] Oracle Mobile Security Suite, http://www.oracle.com/technetwork/middleware/id-mgmt/overview/default-2099033.html
How to export the expense report from mobile app to the PC browser?
Excellent article!!! Richard, thank you very much for sharing your knowledge & experiences with us.
Just to add that Oracle has announced recently "Desupport Notice for Oracle Mobile Security Suite with Oracle E-Business Suite Mobile Apps (Doc ID 2105518.1)" which possibly means that VPN setup on the mobile device is still required to access the EBS through DMZ.
According to Note 2105518.1 (Feb/2016), "...Oracle is now building support for third-party mobile device management solutions, like Airwatch, MobileIron, and Good, directly into Oracle Mobile Application Framework..."
Unfortunately I cannot find any further confirmations related to this.
Hi all,
I wanted to shed light on another solution, AuraPlayer. They have mobile pre-packaged apps for Oracle EBS or you can build mobile apps for any EBS app.
www.auraplayer.com