During certain periods, business management may want to block access to the Oracle EBS application for everyone except one or two users who have to complete dedicated tasks, such as the month-end process.
Oracle EBS has a supported way to do that; see the doc below:
Doc ID 605538.1 (How To Lock Users Out Of E-Business Suite And Allow Specific Users). The method whitelists client IP addresses at the web tier, so it only works when the EBS application does not sit behind a load balancer: in that layout the web tier usually sees the load balancer's address rather than the end user's, so there is nothing per-user to match. With several web nodes, every node's custom.conf has to carry the same block.
R12.1.X
1. Back up the file $ORA_CONFIG_HOME/10.1.3/Apache/Apache/conf/custom.conf
2. Edit $ORA_CONFIG_HOME/10.1.3/Apache/Apache/conf/custom.conf and add the IP addresses of the user workstations that are allowed to reach the system.
The benefit of using custom.conf is that it is preserved when AutoConfig is run.
$ vi $ORA_CONFIG_HOME/10.1.3/Apache/Apache/conf/custom.conf
<Location ~ "/OA_HTML">
Order deny,allow
Deny from all
# IP addresses of the users who are allowed to access EBS, one per line.
# Keep annotations on their own # lines: Apache does not support a trailing
# comment on a directive line, and any words after the address would be
# parsed as further hosts to allow.
Allow from 10.23.124.64
#Allow from XX.XXX.XXX.XXX
#Allow from XX.XXX.XXX.XXX
#Allow from X.XXX.XXX.XXX
# localhost and the apps tier itself must stay allowed
Allow from localhost
Allow from erpuatappl.nicsi.in
# Oracle EBS application server IP
Allow from 10.24.248.33
</Location>
ErrorDocument 403 "Oracle Application Service is temporarily unavailable. We are currently performing maintenance; normal service will be restored soon.
Note:
You need to include localhost and your apps tier server name and IP. The leading double quote on the ErrorDocument line marks the rest of the line as a literal message; the Apache releases that OHS is based on accept it without a closing quote. A PC name can be used instead of an IP address, but matching a name depends on the client's reverse DNS resolving correctly, so it is more sensitive to network configuration.
3. Restart Apache. Stop and start the OHS instance with adapcctl.sh; adopmnctl.sh status shows HTTP_Server going Down and back to Alive:
[applmgr@erpuatappl scripts]$ cd $ADMIN_SCRIPTS_HOME
[applmgr@erpuatappl scripts]$ ./adopmnctl.sh status
You are running adopmnctl.sh version 120.6.12010000.5
Checking status of OPMN managed processes...
Processes in Instance: UAT_erpuatappl.erpuatappl.nicsi.in
---------------------------------+--------------------+---------+---------
ias-component | process-type | pid | status
---------------------------------+--------------------+---------+---------
OC4JGroup:default_group | OC4J:oafm | 4925 | Alive
OC4JGroup:default_group | OC4J:forms | 4826 | Alive
OC4JGroup:default_group | OC4J:oacore | 4590 | Alive
HTTP_Server | HTTP_Server | 4501 | Alive
adopmnctl.sh: exiting with status 0
adopmnctl.sh: check the logfile /UATappl/inst/apps/UAT_erpuatappl/logs/appl/admin/log/adopmnctl.txt for more information ...
[applmgr@erpuatappl scripts]$ ./adapcctl.sh stop
You are running adapcctl.sh version 120.7.12010000.2
Stopping OPMN managed Oracle HTTP Server (OHS) instance ...
opmnctl: stopping opmn managed processes...
adapcctl.sh: exiting with status 0
adapcctl.sh: check the logfile /UATappl/inst/apps/UAT_erpuatappl/logs/appl/admin/log/adapcctl.txt for more information ...
[applmgr@erpuatappl scripts]$ ./adopmnctl.sh status
You are running adopmnctl.sh version 120.6.12010000.5
Checking status of OPMN managed processes...
Processes in Instance: UAT_erpuatappl.erpuatappl.nicsi.in
---------------------------------+--------------------+---------+---------
ias-component | process-type | pid | status
---------------------------------+--------------------+---------+---------
OC4JGroup:default_group | OC4J:oafm | 4925 | Alive
OC4JGroup:default_group | OC4J:forms | 4826 | Alive
OC4JGroup:default_group | OC4J:oacore | 4590 | Alive
HTTP_Server | HTTP_Server | N/A | Down
adopmnctl.sh: exiting with status 0
adopmnctl.sh: check the logfile /UATappl/inst/apps/UAT_erpuatappl/logs/appl/admin/log/adopmnctl.txt for more information ...
[applmgr@erpuatappl scripts]$ ./adapcctl.sh start
You are running adapcctl.sh version 120.7.12010000.2
Starting OPMN managed Oracle HTTP Server (OHS) instance ...
opmnctl: opmn is already running.
opmnctl: starting opmn managed processes...
adapcctl.sh: exiting with status 0
adapcctl.sh: check the logfile /UATappl/inst/apps/UAT_erpuatappl/logs/appl/admin/log/adapcctl.txt for more information ...
[applmgr@erpuatappl scripts]$ ./adopmnctl.sh status
You are running adopmnctl.sh version 120.6.12010000.5
Checking status of OPMN managed processes...
Processes in Instance: UAT_erpuatappl.erpuatappl.nicsi.in
---------------------------------+--------------------+---------+---------
ias-component | process-type | pid | status
---------------------------------+--------------------+---------+---------
OC4JGroup:default_group | OC4J:oafm | 4925 | Alive
OC4JGroup:default_group | OC4J:forms | 4826 | Alive
OC4JGroup:default_group | OC4J:oacore | 4590 | Alive
HTTP_Server | HTTP_Server | 32156 | Alive
adopmnctl.sh: exiting with status 0
adopmnctl.sh: check the logfile /UATappl/inst/apps/UAT_erpuatappl/logs/appl/admin/log/adopmnctl.txt for more information ...
4. Now only users coming from the listed IP addresses can reach the login page; all other users get a forbidden error when they attempt to log in. Note that this blocks new logins and OA Framework pages, which live under /OA_HTML, but does not end sessions that are already open: Forms sessions in particular are served under /forms and keep working until the user logs out, so check for active sessions before relying on the lockout.
This is a very simple solution, and what makes it good is that it can be done programmatically.
Any other user who tries to log in gets the following error, the standard Apache forbidden page:
Forbidden
You don't have permission to access /OA_HTML/AppsLocalLogin.jsp on this server
If you want to change the message, add an ErrorDocument line to custom.conf (change the text to suit your requirements), for example:
ErrorDocument 403 "Forbidden oops, you cannot access the production instance as it is month end; only certain users have access at this time
The maintenance wording shown in the configuration above is the other variant; in both cases the message begins with a double quote and needs no closing one.
R12.2.X
The same approach applies whether users log in from a PC on the company network or over VPN; what must be listed is the source address that reaches OHS, which for VPN users is the address assigned by the VPN, not their home address.
1. Back up the file $IAS_ORACLE_HOME/instances/EBS_web_OHS1/config/OHS/EBS_web/custom.conf
2. Edit $IAS_ORACLE_HOME/instances/EBS_web_OHS1/config/OHS/EBS_web/custom.conf
and add the IP addresses of the user workstations that are allowed to reach the system.
The benefit of using custom.conf is that it is preserved when AutoConfig is run.
Only users whose IP addresses are allowed in custom.conf can access the Oracle EBS application; all other users get the "Forbidden oops." message on the login page.
$ vi $IAS_ORACLE_HOME/instances/EBS_web_OHS1/config/OHS/EBS_web/custom.conf
<Location ~ "/OA_HTML">
Order deny,allow
Deny from all
# IP addresses of the users who are allowed to access EBS, one per line
# (annotations on their own # lines; Apache has no trailing comments)
Allow from 10.23.124.64
#Allow from XX.XXX.XXX.XXX
#Allow from XX.XXX.XXX.XXX
#Allow from X.XXX.XXX.XXX
# localhost and the apps tier itself must stay allowed
Allow from localhost
Allow from erpuatappl.nicsi.in
# Oracle EBS application server IP
Allow from 10.24.248.33
</Location>
ErrorDocument 403 "Forbidden oops, you cannot access the production instance as it is month end; only certain users have access at this time
Use "grep ohs_inst $CONTEXT_FILE" to identify the OHS instance name (EBS_web_OHS1 above) and its location on your system before editing.
3. Restart Apache with adapcctl.sh stop and start, as shown for R12.1 above, and check adopmnctl.sh status afterwards.
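The R12.1 and R12.2 procedures above differ only in where custom.conf lives. The script below is an added example, not code from Oracle Doc ID 605538.1 or from this post: it builds the Location block from a plain allow-list file (one address per line, '#' comments permitted), backs up custom.conf, installs the block between marker comments so that running it again replaces the earlier block instead of appending a second one, removes the block after month-end, and reports the login page's HTTP status with curl so the lockout can be verified from an allowed and a blocked workstation. The allow-list file format, the marker comments, the CUSTOM_CONF variable, the script name and the addresses are assumptions for illustration; adapcctl.sh and the custom.conf paths are the ones the post uses.

```sh
#!/bin/sh
# Added example (not from Oracle Doc ID 605538.1 or this post): manage the
# month-end lockout block in custom.conf from an allow-list file.
# CUSTOM_CONF must point at the file for your release:
#   R12.1: $ORA_CONFIG_HOME/10.1.3/Apache/Apache/conf/custom.conf
#   R12.2: $IAS_ORACLE_HOME/instances/EBS_web_OHS1/config/OHS/EBS_web/custom.conf
# The marker comments, allow-list format and all addresses are assumptions.

BEGIN_MARK='# BEGIN ebs-lockout'
END_MARK='# END ebs-lockout'

# Print the cleaned allow-list: strip '#' comments and blank lines, and refuse
# entries containing whitespace. Apache has no trailing comments, so a line
# like "Allow from 10.0.0.1 month-end user" would allow four separate hosts.
parse_allowlist() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1" |
    while read -r entry; do
        case $entry in
            *[[:space:]]*) echo "bad allow-list entry: '$entry'" >&2; exit 1 ;;
        esac
        echo "$entry"
    done
}

# Emit the complete block: deny everyone, allow the listed end-user addresses
# plus localhost and the apps tier itself (which the note above says must stay
# allowed), and set the 403 text. The leading quote marks a literal message;
# the OHS releases used by R12 need no closing quote.
gen_lockout_block() {
    allowfile=$1 apps_host=$2 apps_ip=$3 message=$4
    entries=$(parse_allowlist "$allowfile") || return 1
    echo "$BEGIN_MARK"
    echo '<Location ~ "/OA_HTML">'
    echo 'Order deny,allow'
    echo 'Deny from all'
    for addr in $entries; do
        echo "Allow from $addr"
    done
    echo 'Allow from localhost'
    echo "Allow from $apps_host"
    echo "Allow from $apps_ip"
    echo '</Location>'
    echo "ErrorDocument 403 \"$message"
    echo "$END_MARK"
}

# Delete a previously installed block; the rest of custom.conf is untouched.
remove_lockout() {
    sed "/^$BEGIN_MARK\$/,/^$END_MARK\$/d" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Back up custom.conf, replace any earlier block, append the new one.
install_lockout() {
    conf=$1; shift
    cp -p "$conf" "$conf.$(date +%Y%m%d%H%M%S).bak" || return 1
    block=$(gen_lockout_block "$@") || return 1
    remove_lockout "$conf" || return 1
    printf '%s\n' "$block" >> "$conf"
}

# Bounce OHS so the new rules are read (adapcctl.sh is Oracle's own script).
restart_ohs() {
    "$ADMIN_SCRIPTS_HOME/adapcctl.sh" stop && "$ADMIN_SCRIPTS_HOME/adapcctl.sh" start
}

# HTTP status of the login page: expect 403 from a blocked client, 200 from
# an allowed one. Run it from both kinds of workstation after the restart.
check_login_page() {
    curl -s -o /dev/null -w '%{http_code}' "$1/OA_HTML/AppsLocalLogin.jsp"
}

# usage: CUSTOM_CONF=... ./ebs_lockout.sh lock allow.txt erpuatappl.nicsi.in 10.24.248.33 "msg"
#        CUSTOM_CONF=... ./ebs_lockout.sh unlock
#        ./ebs_lockout.sh check https://erpuat.nicsi.in
case "${1:-}" in
    lock)   install_lockout "$CUSTOM_CONF" "$2" "$3" "$4" "$5" && restart_ohs ;;
    unlock) remove_lockout "$CUSTOM_CONF" && restart_ohs ;;
    check)  check_login_page "$2"; echo ;;
    *)      : ;;   # no sub-command: just define the functions
esac
```

Run it as the applmgr user with CUSTOM_CONF set to the path for your release. After lock, the check sub-command run from a workstation that is not on the list should print 403, and from one that is, 200; if both print the same code, the address OHS sees is not the one you listed (typically a proxy or load balancer in the path).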
If a load balancer is in use, the above method may not work, because the address that reaches the EBS web tier is the load balancer's rather than the end user's. Other ways can be used to accomplish this, but additional work is needed.
1. Create a special Responsibility and disable all other Responsibilities. Only users assigned the new Responsibility will then be able to log in to the EBS site to do the work.
2. Users can be disabled and re-enabled in bulk through the API:
fnd_user_pkg.disableuser('<username>');
fnd_user_pkg.enableuser('<username>');
This changes last_update_date and last_updated_by on fnd_user for every account touched, which may become a security-auditing concern, especially when a large number of active users is involved. The bigger worry is that the users' passwords are not changed, so they still work the moment an account is re-enabled.
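As an added example that is not part of this post, the following script makes the bulk call reversible. It runs the two API calls above through sqlplus, disables every currently active account except a keep-list, records each account it end-dated in a custom table, and on restore re-enables only those accounts, so users who were already end-dated before month-end are not revived by mistake. The table xx_monthend_lockout, the APPS_PWD environment variable, the script name and the keep-list are assumptions; the call to fnd_global.apps_initialize uses the seeded SYSADMIN user (0) and System Administrator responsibility (20420, application 1) so that the who-columns the text mentions record a named administrator, and those IDs should be verified against your instance.

```sh
#!/bin/sh
# Added example, not from this post or Oracle: reversible bulk lockout via
# fnd_user_pkg, run through sqlplus. Assumptions: the APPS password comes in
# $APPS_PWD (not on the command line, so it is not visible in ps), the
# tracking table xx_monthend_lockout is ours to create, and the keep-list is
# a comma-separated list of user names that must stay active. SYSADMIN and
# GUEST belong on every keep-list: GUEST is the account the login page uses.

# "sysadmin,GUEST,monthend1" -> 'SYSADMIN','GUEST','MONTHEND1' for a SQL IN list.
sql_in_list() {
    case $1 in *\'*) echo "quote character in keep-list" >&2; return 1 ;; esac
    printf '%s' "$1" | tr 'a-z' 'A-Z' | tr ',' '\n' | sed -e '/^$/d' -e "s/.*/'&'/" | paste -sd, -
}

# One-time DDL for the tracking table.
setup_sql() {
    cat <<'EOF'
CREATE TABLE xx_monthend_lockout (
    user_name     VARCHAR2(100) NOT NULL,
    prev_end_date DATE,
    locked_at     DATE NOT NULL,
    restored_at   DATE
);
EOF
}

# End-date every active user not on the keep-list and remember whom we touched.
# Users already end-dated are never selected, so restore_sql cannot revive them.
lockout_sql() {
    keep=$(sql_in_list "$1") || return 1
    cat <<EOF
SET SERVEROUTPUT ON
DECLARE
    l_count PLS_INTEGER := 0;
BEGIN
    -- seeded SYSADMIN user 0 / System Administrator responsibility 20420 (application 1):
    -- the who-columns on fnd_user then record a real identity instead of -1
    fnd_global.apps_initialize(user_id => 0, resp_id => 20420, resp_appl_id => 1);
    FOR r IN (SELECT u.user_name, u.end_date
                FROM fnd_user u
               WHERE (u.end_date IS NULL OR u.end_date > SYSDATE)
                 AND u.user_name NOT IN ($keep)
                 AND NOT EXISTS (SELECT 1 FROM xx_monthend_lockout x
                                  WHERE x.user_name = u.user_name
                                    AND x.restored_at IS NULL)
               ORDER BY u.user_name)
    LOOP
        INSERT INTO xx_monthend_lockout (user_name, prev_end_date, locked_at)
        VALUES (r.user_name, r.end_date, SYSDATE);
        fnd_user_pkg.disableuser(r.user_name);
        l_count := l_count + 1;
    END LOOP;
    COMMIT;
    DBMS_OUTPUT.PUT_LINE('locked ' || l_count || ' users');
END;
/
EOF
}

# Re-enable exactly the users recorded above. A user who had a future end_date
# before the lockout is reported so that date can be re-applied by hand.
restore_sql() {
    cat <<'EOF'
SET SERVEROUTPUT ON
BEGIN
    fnd_global.apps_initialize(user_id => 0, resp_id => 20420, resp_appl_id => 1);
    FOR r IN (SELECT user_name, prev_end_date FROM xx_monthend_lockout
               WHERE restored_at IS NULL)
    LOOP
        fnd_user_pkg.enableuser(r.user_name);
        UPDATE xx_monthend_lockout SET restored_at = SYSDATE
         WHERE user_name = r.user_name AND restored_at IS NULL;
        IF r.prev_end_date IS NOT NULL THEN
            DBMS_OUTPUT.PUT_LINE('re-apply end_date ' ||
                TO_CHAR(r.prev_end_date, 'YYYY-MM-DD') || ' to ' || r.user_name);
        END IF;
    END LOOP;
    COMMIT;
END;
/
EOF
}

# Feed a script to sqlplus; WHENEVER SQLERROR makes a failing block abort.
run_sql() {
    { echo "CONNECT apps/\"$APPS_PWD\""; echo 'WHENEVER SQLERROR EXIT FAILURE'; cat; } | sqlplus -S /nolog
}

case "${1:-}" in
    setup)   setup_sql | run_sql ;;
    lock)    lockout_sql "$2" | run_sql ;;   # e.g. lock SYSADMIN,GUEST,MONTHEND1
    restore) restore_sql | run_sql ;;
    *)       : ;;   # no sub-command: only define the functions
esac
```

Run setup once, then lock SYSADMIN,GUEST,<your month-end users> at the start of the period and restore at the end. Because the restore step only touches accounts the lock step recorded, an account that was end-dated for a real reason before month-end stays end-dated; as the text notes, passwords are untouched throughout, so restore hands back exactly the access each user had before.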
3. Ask the internal firewall team to restrict access to the EBS load balancer URL to specific IP addresses; this is the same allow-list idea, enforced at a point where the end user's address is still visible.
4. Change the load balancer port to a temporary port that is given only to the authorized users; after the process is complete, switch the port back to the original so the site is available to all users again. A port number is not a secret, so anyone who discovers it is not blocked; treat this as the weakest of the options.