Oracle currently offers mobile applications for Oracle E-Business Suite (EBS). We will provide an overview of the technical architecture, distribution and security of these mobile applications. How can these apps be secured, who is allowed access, how are the apps distributed, and how do you keep control?
Mobile Security in EBS:
Authorization: who is allowed to use which mobile applications?
Each mobile app (except for the Approvals app) requires users to be assigned an ‘app specific’ role in Oracle User Management (UMX). Without the appropriate role, a user has no access to the mobile app.
- Mobile Time Entry UMX|HXC_MBL_TIME_ENTRY
- OLM Learner Mobile Application Role UMX|MBL|OTA_LRNR_MOB_ACC
- Access Role for Person Directory Mobile App UMX|MBL|PERSON_DIRECTORY_APP_ACCES
- iProcurement Mobile App Enquiry Role UMX|ICX_MBL_REQ_ENQUIRY
- Purchasing Mobile App Role UMX|PO_MOBILE_APP_ROLE
For some apps, additional setup is also required before the mobile application will function properly. More on that can be found on My Oracle Support (Doc ID: 1641772.1).
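The role-per-app model above lends itself to a periodic access review. The following is an added example, not Oracle's code or part of the original text: it checks an export of role assignments against the role codes listed above and reports active grants that nobody approved. The CSV column names, the sample rows and the approved-access list are constructed assumptions.

```python
import csv
import io
from datetime import date

# Role codes exactly as listed on this page, mapped to the app each one unlocks.
MOBILE_ROLES = {
    "UMX|HXC_MBL_TIME_ENTRY": "Mobile Time Entry",
    "UMX|MBL|OTA_LRNR_MOB_ACC": "OLM Learner",
    "UMX|MBL|PERSON_DIRECTORY_APP_ACCES": "Person Directory",
    "UMX|ICX_MBL_REQ_ENQUIRY": "iProcurement Enquiry",
    "UMX|PO_MOBILE_APP_ROLE": "Purchasing",
}

# Constructed sample export; the column layout is an assumption, not an EBS format.
SAMPLE_EXPORT = """user_name,role_name,start_date,expiration_date
JSMITH,UMX|HXC_MBL_TIME_ENTRY,2023-01-10,
JSMITH,UMX|PO_MOBILE_APP_ROLE,2023-01-10,2023-06-30
ADOE,UMX|PO_MOBILE_APP_ROLE,2024-02-01,
ADOE,UMX|SOME_OTHER_ROLE,2024-02-01,
TEMP01,UMX|MBL|OTA_LRNR_MOB_ACC,2099-01-01,
"""

# Hypothetical list of users approved per app, maintained by the reviewer.
APPROVED = {
    "Mobile Time Entry": {"JSMITH"},
    "Purchasing": {"JSMITH"},
    "OLM Learner": {"TEMP01"},
}

def review_mobile_access(export_text, approved, today):
    """Return (active, findings): app -> active users, and unapproved active grants."""
    active, findings = {}, []
    for row in csv.DictReader(io.StringIO(export_text)):
        app = MOBILE_ROLES.get(row["role_name"].strip())
        if app is None:
            continue  # not one of the mobile app roles
        start = date.fromisoformat(row["start_date"])
        end = row["expiration_date"].strip()
        if start > today or (end and date.fromisoformat(end) < today):
            continue  # grant not yet active, or already expired
        user = row["user_name"].strip().upper()
        active.setdefault(app, set()).add(user)
        if user not in approved.get(app, set()):
            findings.append((user, app, row["role_name"]))
    return active, sorted(findings)

if __name__ == "__main__":
    _, findings = review_mobile_access(SAMPLE_EXPORT, APPROVED, date(2024, 6, 1))
    for user, app, role in findings:
        print(f"UNAPPROVED: {user} holds {role} ({app})")
```

The Approvals app needs no app-specific role, so a review like this does not cover it.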
Authentication: verify user identity
Users are authenticated using the authentication REST services as discussed in the previous section on EBS Mobile Architecture. Basically there are two authentication types available: HTTP Basic and Web SSO.
Oracle Mobile supports both types. Be aware that SSO is not really a single sign-on for all your EBS mobile apps. Separate authentication per app is still needed. For Web SSO additional setup is needed.
EBS Mobile Network Security
Securing EBS functionality is one concern, and it can be arranged using Oracle EBS user management (UMX). As mentioned above, who can access which specific mobile application is also managed from UMX, by granting a separate ‘mobile role’ for each mobile application.
Network access to EBS, however, always (except for some modules) happens within the company firewall. Giving mobile devices actual access to the network on which Oracle EBS is running is a separate concern:
- Option 1: set up a VPN on the smartphone, and access EBS
- Option 2: set up EBS with a DMZ and connect using an external access point
- Option 3: set up Oracle Mobile Security Suite’s Mobile Security Access Server (MSAS) on the DMZ and containerize EBS apps.
EBS Mobile Distribution
Distribution of mobile apps can be pretty straightforward. One can go into the commercially available app stores, download the app and use it. For corporate apps this can be applied, just as for ordinary consumer app
- Are we in control, which versions do we support?
- Do we need to create our own corporate branded version?
- Once downloaded, users need to add the EBS endpoint URL
- Users might need to set up a VPN
- How to keep private and corporate data separate?
From Oracle E-Business Suite Mobile Foundation Release 4.0 it is possible to distribute Oracle’s apps internally. Oracle provides Mobile Application Archive (MAA) files for each of the mobile applications. These files allow distribution of the apps from the enterprise’s own site.
Apart from separate distribution, these MAA files also allow customization of Oracle’s mobile apps, albeit limited to adding your own corporate branding and changing some links. You could always customize more, but then you lose the guarantee that the app will still work after patches or updates [9, 10].
Oracle Mobile Security Suite
Oracle offers a comprehensive Mobile Security Suite for managing and deploying mobile apps. It is a separate product providing:
- An app catalog
- App containerization: apps are run within a separate secure container
- Secure workspace: embedded encryption to isolate and secure corporate data from personal data
- App tunnel: no need for separate VPN solution
Oracle EBS mobile apps can also be distributed using Oracle Mobile Security Suite.
Enabling true single sign-on capabilities, without the need for setting up a separate VPN tunnel on