Welcome to the Oracle Fusion Connector setup guide. This document provides a comprehensive overview for establishing a secure and efficient connection with Oracle Fusion Cloud Applications, leveraging best practices inspired by Savant's connection process.
Oracle Fusion Cloud Applications comprise a suite of SaaS solutions covering Customer Experience (CRM), Enterprise Resource Planning Supply Chain Management (FSCM), and Human Capital Management (HCM).
Features
Read data from Oracle Fusion Applications
Write analysis outcomes to Oracle Fusion Applications
Requirements
Before establishing a connection with Oracle Fusion, ensure the following requirements are met:
Valid Oracle Fusion Cloud Applications instance with credentials.
Appropriate API access rights for Oracle Fusion.
Network access with whitelisted IPs for your destination system.
Administrative permissions within Oracle Fusion for configuring extract jobs and managing custom objects.
Familiarity with Oracle’s Business Intelligence Cloud Connector (BICC) process.
The integration environment must support JDBC or REST-based connection methods as provided by Savant.
IPs provided by Savant should be whitelisted.
For SSO- or MFA-enabled instances, the Savant app must be added to the Oracle Cloud service and enabled to pass the encrypted password to the Savant application for the Secure Token Authentication method described below.
Connection Methods
Savant supports multiple connection methods for secure access, including the following:
OAuth Flow
Secure Token Authentication
For SSO- or MFA-enabled instances of Oracle Cloud, use the Secure Token Authentication method.
Step-by-Step Connection Guide
This step-by-step guide ensures you can efficiently set up your environment for optimal data integration.
Setting up Username and Roles
Step 1: Find the Server URL
Log in to Oracle Cloud: Access your Oracle Cloud account and navigate to the Application Console.
Locate Your Oracle Fusion Instance: For a CRM application instance, find the Service Environment URL (e.g., https://servername.fa.us2.oraclecloud.com).
Step 2: Create a User
Access the Security Console: Log in to the Oracle Fusion Cloud Application instance (you must have the Security Manager role). In the left-hand navigation pane, click Tools > Security Console.
Create a User Account: Go to the Users page and click Add User Account. Enter the user details (note down the User Name and Password). Click Save and Close.
Step 3: Create BICC and UCM Roles
Log in and Navigate to the Security Console: Ensure you have the Security Manager role. Go to Tools > Security Console, then select the Roles page and click Create Role.
Configure the Role:
Basic Information:
Role Name: e.g., BICC_SAVANT_ROLE or UCM_SAVANT_ROLE
Role Code: e.g., BICC_ADMIN_SAVANT or UCM_ADMIN_SAVANT
Role Category: BI - Abstract Role
Uncheck Predefined Role.
Click Next through the Function and Data Security Policies pages.
Role Hierarchy:
Click Add Role and search for these roles:
ESS Administrator Role: To manage global data extract jobs.
BIA_ADMINISTRATOR_DUTY: To get job information and describe datastores.
OBIA_EXTRACTTRANSFORMLOAD_RWD: To view/download extracted files from UCM.
Click Add Role Membership.
Step 4: Assign the Role to the Created User:
On the Users page within the role configuration, click Add User and enter the user created earlier.
Review the summary and click Save and Close.
Step 5: Configure UCM Storage for BICC
Access the BI Applications Configuration Manager: Use the Server URL found in Step 1. For example, if your URL is https://my-oracle-fusion-cloud.oraclecloud.com, then navigate to:
https://my-oracle-fusion-cloud.oraclecloud.com/biacm
Log In Using the Credentials: Use the User Name and Password created in Step 2.
Test UCM Connection: Click Configure External Storage. In the UCM Connection tab, click Test UCM Connection. Ensure you receive an "External Storage Connection Succeeded" message. Click OK.
Step 6: Add Custom Objects to an Offering
Custom Datastores:
Follow Oracle documentation to add your custom object (datastore) to an offering.
Ensure the object is part of the offering; otherwise, it may be excluded from the sync.
Step 7: Select Primary Keys for Custom Objects
Primary Key Configuration:
Log in to the BI Applications Configuration Manager.
Click Manage Offerings and Data Stores.
Choose the offering associated with your custom objects.
Select the datastore and navigate to the Edit Columns tab.
Mark the primary key columns and click Save.
OAuth Flow
Step 1: Access the My Services Dashboard:
Sign in to the My Services dashboard for your Oracle Identity Cloud Service tenant.
Find the Oracle Identity Cloud Service entry and click Identity Cloud.
Step 2: Copy the Service Instance URL:
On the Overview tab, under Service Instances, copy the Service Instance URL.
Extract the REST server portion (e.g., idcs-9a888b7e6ebb44b4b65.identity.oraclecloud.com).
Step 3: Locate the PSM App for API OAuth Support:
In the My Services dashboard, click Open Service Console.
Expand the Navigation Drawer and click on Applications.
Search for PSM and then select the application.
Step 4: Retrieve the OAuth Credentials:
Under Configuration, copy the Client ID.
Click Show Secret and copy the Client Secret.
Expand Resources and copy the Primary Audience URL.
In the Allowed Scopes section, copy the scope for 1PaaS Permission, for example:
urn:opc:resource:consumer::all
Step 5: Connect Savant to Oracle Fusion using the following details:
client-id: Your PSMApp client ID (e.g., PSMApp-cacct-9z8x7c6v5b4n3m_APPID)
client-secret: Your PSMApp client secret (e.g., c53b437-1768-4cb6-911e-1e6eg2g3543)
username: The Oracle Cloud Platform Service user name with administrator privileges.
password: The password for that user.
primary-audience-url: Your PSMApp primary audience URL (e.g., https://psm-cacct-9z8x7c6v5b4n3m.console.oraclecloud.com)
identity-cloud-service-instance-url: The REST server portion of your Identity Cloud Service URL (e.g., idcs-9a888b7e6ebb44b4b65.identity.oraclecloud.com)
Secure Token Authentication
Complete Steps 1 to 5 under Setting up Username and Roles above to configure the user, roles and storage in Oracle, then follow the steps below.
Step 1: Generate Keys and Certificate via Terminal:
Generate a Private Key:
openssl genrsa 2048 | openssl pkcs8 -topk8 -out private.key -nocrypt
Create an X509 Certificate:
openssl req -new -x509 -key private.key -out publickey.cer -days 365
Step 2: Setup API Authentication Provider:
Log in to the Oracle Fusion instance and navigate to Tools > Security Console.
Navigate to the API Authentication page and click Create Oracle API Authentication Provider.
Click Edit on the details page, enter the following:
Trusted Issuer: [Enter Issuer Name]
Token Type: JWT
Save and note the Issuer Name.
Step 3: Upload the Public Certificate:
From the left-hand menu, select Inbound API Authentication Public Certificates.
Click Add New Certificate, enter the Certificate Alias, browse, and import the publickey.cer file. Click Save and then Done.
Step 4: Set up Connection in Savant
Destination Schema Prefix: Enter your desired prefix.
Server URL: Use the URL from Step 1 (format: https://<instance_name>.oraclecloud.com).
User Name: Enter the user created for JWT Authentication.
Authentication Method: Select Use JWT Authentication.
Issuer: Enter the Issuer Name created earlier.
Upload Keys:
Upload your private.key file.
Upload your publickey.cer file.
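Before uploading the files in Steps 3 and 4, it is worth confirming that publickey.cer belongs to private.key, that the certificate is not close to expiry, and that the unencrypted key is not readable by other users. The script below is an added example, not part of Savant's or Oracle's tooling; the function names, the constructed certificate subject and the 30-day threshold are assumptions.

```shell
#!/usr/bin/env bash
# Added example: pre-upload checks for the Step 1 key pair. Function names, the
# constructed subject and the 30-day threshold are assumptions, not Savant tooling.

# Step 1 commands run non-interactively, under a umask that keeps the key owner-only.
make_pair() {  # $1 = output directory
  ( umask 077 && cd "$1" &&
    openssl genrsa 2048 2>/dev/null | openssl pkcs8 -topk8 -out private.key -nocrypt &&
    openssl req -new -x509 -key private.key -out publickey.cer -days 365 \
      -subj "/CN=constructed-example" 2>/dev/null )
}

# True when the certificate carries the public half of this private key.
key_matches_cert() {  # $1 = key, $2 = certificate
  local a b
  a=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  b=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ "$a" = "$b" ]
}

# True when the certificate is still valid $2 days from now.
cert_valid_for_days() {  # $1 = certificate, $2 = days
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# True when group and others have no access to the unencrypted (-nocrypt) key.
key_is_owner_only() {  # $1 = key
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 2
  case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Runs all checks and prints one line per finding; non-zero if any check fails.
preflight() {  # $1 = key, $2 = certificate
  local rc=0
  key_matches_cert "$1" "$2"  || { echo "FAIL: certificate does not match key"; rc=1; }
  cert_valid_for_days "$2" 30 || { echo "FAIL: certificate expires within 30 days"; rc=1; }
  key_is_owner_only "$1"      || { echo "FAIL: key readable by group/others"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: key pair ready to upload"
  return "$rc"
}

# Demo on a constructed pair in a scratch directory.
demo_dir=$(mktemp -d) && make_pair "$demo_dir" &&
  preflight "$demo_dir/private.key" "$demo_dir/publickey.cer"
rm -rf "$demo_dir"
```

To check your own files, run preflight private.key publickey.cer from the directory used in Step 1.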
Troubleshooting
Verify that the server URL, user credentials, and authentication method are entered correctly.
Ensure the appropriate IP addresses are whitelisted and that network settings allow communication with Oracle Fusion.
Confirm that the user has been assigned the correct roles and permissions in the Security Console.
Re-check the BI Applications Configuration Manager to ensure UCM is correctly configured and accessible.
By following these steps, you will establish a robust connection with Oracle Fusion Cloud Applications, enabling seamless data extraction and synchronization using Savant.
If you encounter any issues or need further assistance, please consult Oracle’s documentation or reach out to the Savant support team.