DMZ Configuration with Oracle E-Business Suite 11i [ID 287176.1] Modified 10-JUN-2010 Type WHITE PAPER Status PUBLISHED Oracle E-Business Suite 11i Configuration in a DMZ Last Updated: JUNE 2010 The most current version of this document can be obtained in Oracle Metalink Note 287176.1 . The change log at the end of this document tracks modifications. Contents Section 1: Overview General Architecture of Oracle E-Business Suite 11i Oracle E-Business Suite 11i Architecture in a DMZ Configuration Terminology Section 2: Planning Deployment Options 2.1: Using Reverse Proxies in DMZ 2.2: Using Separate E-Business Suite 11i Web Tier in DMZ 2.3: Using HTTP Hardware Load Balancers in DMZ 2.4: Using Reverse Proxy Configuration With No External Web Tier 2.5: Using Hardware Load Balancers With No External Web Tier 2.6: Supportability of Topologies Section 3: Planning E-Business Suite 11i Functionality for the DMZ Section 4: Required Patches for DMZ Configuration 4.1: Patch Requirements for Oracle E-Business Suite 11i Release 11i10 4.2: Patch Requirements for Oracle E-Business Suite 11i Release 11i9 Section 5: Configuring Oracle E-Business Suite 11i in DMZ 5.1: Update Hierarchy type 5.2: Update Node Trust Level 5.3: Update List of Responsibilities 5.4: Update Home Page Mode to Framework and Set Validation Level 5.5: Configuration Details for Using Reverse Proxies in DMZ
Transcript
DMZ Configuration with Oracle E-Business Suite 11i [ID 287176.1]
Modified 10-JUN-2010 Type WHITE PAPER Status PUBLISHED
Oracle E-Business Suite 11i Configuration in a DMZ
Last Updated: JUNE 2010
The most current version of this document can be obtained in Oracle Metalink Note 287176.1. The change log at the end of this document tracks modifications.
Contents
Section 1: Overview
General Architecture of Oracle E-Business Suite 11iOracle E-Business Suite 11i Architecture in a DMZ ConfigurationTerminology
Section 2: Planning Deployment Options
2.1: Using Reverse Proxies in DMZ2.2: Using Separate E-Business Suite 11i Web Tier in DMZ2.3: Using HTTP Hardware Load Balancers in DMZ2.4: Using Reverse Proxy Configuration With No External Web Tier2.5: Using Hardware Load Balancers With No External Web Tier 2.6: Supportability of Topologies
Section 3: Planning E-Business Suite 11i Functionality for the DMZ
Section 4: Required Patches for DMZ Configuration
4.1: Patch Requirements for Oracle E-Business Suite 11i Release 11i104.2: Patch Requirements for Oracle E-Business Suite 11i Release 11i9
Section 5: Configuring Oracle E-Business Suite 11i in DMZ
5.1: Update Hierarchy type5.2: Update Node Trust Level5.3: Update List of Responsibilities5.4: Update Home Page Mode to Framework and Set Validation Level 5.5: Configuration Details for Using Reverse Proxies in DMZ
5.5.1: Update Oracle E-Business Suite 11i Applications Context File5.5.2: Run AutoConfig and Restart Oracle HTTP Server5.5.3: Configuration details for using reverse proxies with no external web tier
5.5.3.1: Create a new context file for the external entry point5.5.3.2: Verify and update the new context file created for the external entry point5.5.3.3: Instantiate new configuration files for the external entry point
5.5.4: Configuration details for using hardware load balancers with no external web tier
5.5.4.1: Create a new context file for the external entry point5.5.4.2: Verify and update the new context file for the external entry point5.5.4.3: Instantiate new configuraton files for the external entry point
5.6: Configuration Details for Using Separate E-Business Suite 11i Web Tier in DMZ5.7: Configuration Details for Using HTTP Hardware Load Balancers in DMZ
5.7.1: Update Oracle E-Business Suite 11i Applications Context File5.7.2: Run AutoConfig and Restart Oracle HTTP Server
5.8: Enable Oracle E-Business Suite Application Server Security
A. List of External Facing Oracle E-Business Suite 11i ProductsB. Oracle E-Business Suite 11i Product Specific ConfigurationsC. Configuration Option for Functionally Directed Load DistributionD. Reverse Proxy ConfigurationE. Configuring the URL FirewallF. List of Ports to Open in a DMZ ConfigurationG. Configuring Multiple Web Entry Points and DMZs with Single Sign-OnH. TroubleshootingI. Disabling E-Business Suite 11i Application Services on the External Web TierJ. Related Documentation
Section 1: Overview
Security is becoming increasingly important as more and more Internet-accessible applications are developed and deployed. In the past, nearly all applications were accessible only from intranet's whose attackers were limited to the employees or contractors. Compared to intranet-only accessible applications, Internet-accessible applications have a far larger number of potential attackers, who have less to lose and who enjoy a greatly reduced chance of apprehension and punishment.
Internet-accessible sites must now defend themselves against attackers whom they have little chance of locating or punishing. These sites must therefore deploy firewalls, reverse proxy servers, and other landing servers to defend against determined attacks by highly skilled and knowledgeable people. In addition to enhanced security requirements, Internet-accessible applications often need to conform to higher scalability and availability as these may be accessed by users 24x7 from different parts of the globe.
This document describes methods for making a selected subset of Oracle E-Business Suite 11i functionality accessible via the Internet to external users. This document reviews various network topologies and architectures, including the use of reverse proxy servers in demilitarized zones (DMZs), the use of multiple domains -- where different E-Business Suite 11i users access the E-Business Suite via different URLs -- with multiple application servers, and the use of hardware-based load-balancers in these configurations.
This document is intended for administrators who perform Oracle E-Business Suite 11i administration and it assumes knowledge of networking technologies. The procedures described have security implications. E-Business Suite system administrators are advised to review this document with their enterprise networking and security groups.
AttentionOracle E-Business Suite 11i configuration in a DMZ is certified only for the releases 11.5.10 and 11.5.9 . All customers who are on an earlier release of 11i must upgrade to one of these releases to configure E-Business Suite in a DMZ.
General Architecture of Oracle E-Business Suite 11i
Oracle E-Business Suite 11i architecture is a framework for multi-tiered, distributed computing. In this model, various services are distributed among multiple levels or tiers as shown in Figure F1 below. Refer to Oracle Applications Concepts document to learn more about Oracle E-Business Suite architecture.
Oracle E-Business Suite 11i Architecture in a DMZ Configuration
When configuring Oracle E-Business Suite in a DMZ configuration, firewalls are deployed at various levels as shown in Figure F2 to ensure that only the traffic that the architecture expects is allowed to cross the firewall boundaries. The firewalls ensure that if intrusion attempts against machines in the DMZ are successful, the intrusion is contained within the DMZ and the machines in the intranet are not affected. To make Oracle E-Business Suite modules as secure as possible, the following tasks may need to be performed.
Use of separate web node for external usage Setting of server level profile values Associate trust levels to application middle tier nodes Mark a subset of responsibilities as available on an external web node Deploy a Reverse proxy in front of the external web node Configuring a URL firewall and mod security in the reverse proxy Run only the required Oracle E-Business Suite Application services on the external web tier
Refer to Oracle MetaLink Note 217368.1 for more information on Advanced Configurations and Topologies for Enterprise Deployments of Oracle E-Business Suite 11i.
Terminology
Below are definitions of some of the terms that are used in this document:
Firewall
Firewalls control access between the full internet and a corporation's internal network or intranet. Firewalls define which internet communications will be permitted into the corporate network, and which will be blocked. A well-designed firewall can foil many common internet-based security attacks.
DMZ
The DMZ, which stands for DeMilitarized Zone consists of the portions of a corporate network that are between the corporate intranet and the Internet. The DMZ can be a simple one segment LAN or it can be broken down into multiple regions as shown in Figure F2. The main benefit of a properly-configured DMZ is better security: in the event of a security breach, only the area contained within the DMZ is exposed to potential damage, while the corporate intranet remains somewhat protected.
Load Balancer
Load balancers distribute an application's load over many identically configured servers. This distribution ensures consistent application availability even when one or more servers fail.
Reverse Proxy
A reverse proxy server is an intermediate server that sits between a client and the actual web server and makes requests to the web server on behalf of the client. You can find more information on reverse proxy servers and how to configure them in appendix D. Reverse Proxy Configuration of this document.
Service
A service is a functional set of Oracle E-Business Suite application processes running on one or more nodes.
Node
A node is referred to as a server that runs a set of E-Business Suite 11i application processes or database processes. In a single node installation of Oracle E-Business Suite, all the application processes including the database processes run on one node whereas in a multi node installation, the processes run on multiple nodes.
Internal Applications Middle Tier
The internal applications middle tier is the server configured for internal users to access Oracle E-Business Suite. It runs the following major application services:
Web and Forms Services Administration and Concurrent Manager Services Reports and Discoverer Services
External Applications Web Tier
The external applications web tier is the server configured for external users for accessing Oracle E-Business Suite. It runs the following application service:
Web server
URL Firewall
URL Firewall contains a white list of URLs, for the externally exposed E-Business Suite Modules, that may be accessed from the Internet .You can find more information on URL Firewall and how to configure it in appendix E. Configuring the URL Firewall of this document.
Section 2: Planning Deployment Options
2.1: Using Reverse Proxies in DMZ
The architecture diagram in Figure F3 represents a reverse proxy in the demilitarized zone (DMZ) behind an external firewall, and an Oracle E-Business Suite 11i external web tier in another demilitarized zone behind a internal firewall. This option allows multiple domain names for external and internal middle tiers. For example, external users may access the E-Business Suite via "partners.external.com", and internal users may access the same E-Business Suite instance via "employees.internal.com".
In Figure F3, the reverse proxy server can be set up with Oracle HTTP Server or any other reverse proxy server product .Please refer to appendix D. Reverse Proxy Configuration for more information on reverse proxy configuration.
In Figure F3, the external Applications web tier is required to:
1. Restrict access to a limited set of Oracle Applications responsibilities depending on the web server from which the user logs in
2. Allow user access to only Oracle E-Business Suite 11i products that can be deployed for Internet access 3. Support user logins from servers running in multiple domains
2.2: Using Separate Oracle E-Business Suite 11i Web Tier in DMZ
The architecture diagram in Figure F4 represents an Oracle E-Business Suite 11i external web tier in a demilitarized zone (DMZ) behind a DMZ external firewall. This option allows multiple domain names for external and internal middle tiers. This
deployment option requires the external Oracle E-Business Suite web tier in order to meet the same security requirements as discussed in 2.1: Using Reverse Proxies
2.3: Using HTTP Hardware Load Balancers in DMZ
The architecture diagram in Figure F5 represents multiple Oracle E-Business Suite 11i external web tiers that are load-balanced by a HTTP hardware load balancer in a demilitarized zone (DMZ) behind a DMZ external firewall. Another HTTP Layer Hardware load balancer is used to distribute load across multiple Oracle E-Business Suite internal middle tiers in the intranet. This option allows separate domain names for external and internal middle tiers. The external Oracle E-Business Suite web tiers are required in order to meet the same security requirements as discussed in 2.1: Using Reverse Proxies
For information on configuring the Oracle E-Business Suite 11i with HTTP Hardware load balancer, see the following document:
Advanced Configurations and Topologies for Enterprise Deployments of E-Business Suite 11i (Note 217368.1)
Refer to Section 5.7 for configuration details.
2.4: Using Reverse Proxy With No External Web Tier
AttentionThis configuration requires an instance of Oracle HTTP Server/Jserv configured per Web Entry Point. You can not share the configuration of one web entry point with another.
The architecture diagram shown in the figure below represents a reverse proxy server configured to forward external client requests to an Oracle HTTP listener running on an intranet application middle tier server. In this configuration, internal and external users use different http listener and jserv processes to access the Oracle E-Business Suite. As shown in the diagram below, there is only the reverse proxy server within the DMZ, while all the other servers remain within the intranet or the internal network. This configuration make use of the Shared file system technology described in Oracle Metalink Note 233428.1 and the internal servers effectively perform the functions of both the internal as well as the external web tier.
Proceed to Section 5.5.3 for detailed instructions to configure the topology shown in the figure F9 above. An alternate configuration with dedicated web tier configured in the intranet for external users is shown in figure F10 below.
2.5: Using Hardware Load Balancers With No External Web Tier
AttentionThis configuration requires an instance of Oracle HTTP Server/Jserv configured per Web Entry Point. You can not share the configuration of one web entry point with another.
The architecture diagram shown in the figure below represents a hardware load balancer configured to balance the load from the external clients among the Oracle HTTP listeners running on the intranet application middle tier servers. In this configuration, internal and external users use different http listeners and jserv processes to access the Oracle E-Business Suite. As shown in the diagram below, there is only the load balancer configured within the DMZ, while all the other servers remain within the intranet or the internal network. This configuration make use of the Shared file system technology described in Oracle Metalink Note 233428.1 and the internal servers effectively perform the functions of both the internal as well as the external web tier.
Proceed to Section 5.5.4 for detailed instructions to configure the topology shown in the figure F11 above.
2.6: Supportability of Topologies
All customer configurations will be supported. However, the level of supportability will be dependent upon the implementation.
1. Customers who follow the instructions and implement a tested and certified topology as documented in this MetaLink Note 287176.1 are fully supported. This is the preferred implementation.
2. Customers who implement an alternative topology that is not in listed this MetaLink Note 287176.1 are supported on a best-efforts basis. The Oracle Applications Technology Group will aim to provide an adequate solution to address a customer’s problem. Severity 1 bugs in this category will only be accepted for situations where a customer's production system is down. Otherwise, an escalated P2 status is the highest severity rating.
Section 3:Planning E-Business Suite Functionality for the DMZ
1. Identify the Oracle E-Business Suite 11i modules that you need for external deployment. A list of certified Oracle E-Business Suite modules for external deployment is listed in Appendix A - List of External Facing Oracle E-Business Suite Products for your reference.
2. Apply the required patches mentioned in Section 4: Required Patches on the internal Oracle E-Business Suite middle tier.
3. Clone the internal Oracle E-Business suite middle tier to the machine that you identified to be the external web tier in the DMZ. For additional information on cloning Oracle Applications, refer to the Oracle Metalink note 230672.1 - Cloning Oracle Applications Release 11i with Rapid Clone.
AttentionSharing file systems between the external web tiers and the internal middle tiers is not supported in any deployment option. However, sharing file systems such as APPL_TOP between multiple external web tiers or between multiple internal middle tiers is supported.
Section 4: Required Patches for DMZ Configuration
4.1: Patch Requirements for Oracle E-Business Suite 11i Release 11i10
In order to configure your Oracle E-Business Suite Release 11i10 environment in a DMZ, you must apply the patches listed under the "Required Patches" column of the table below. The AutoPatch utility will inform you of any prerequisite patches that must also be applied.
Required Patch No
Description Comments
3240000 11.5.10 Oracle E-business Suite Consolidated Update 1
This patch is not required for customers who have performed the following:
Upgraded your E-Business Suite Instance to 11.5.10 ORACLE E-BUSINESS SUITE CONSOLIDATED UPDATE 2 (3460000)
4204335 WTI LITE PATCH This patch is not required for customers who have performed the following:
Upgraded your E-Business Suite Instance to 11.5.10 ORACLE E-BUSINESS SUITE CONSOLIDATED UPDATE 2 (3460000)
or
Upgraded your E-Business Suite Instance to 11.5.10 CU2 or later for ATG Product family (4125550)
3942483 AUTOCONFIG SUPPORT This patch is not required if your E-business
FOR REVERSE PROXY, URL FIREWALL AND DMZ CONFIGURATION (PHASE 1)
Suite instance have been upgraded to 11.5.10 CU2 or later and also it has been upgraded to TXK.M (4709948) patchset or later.
1. Apply the above patches in the order shown 2. Proceed to Section 5: Configuration Details
4.2: Patch Requirements for Oracle E-Business Suite 11i Release 11i9
In order to configure your Oracle E-Business Suite Release 11i9 environment in a DMZ, you must apply the patches listed under the "Required Patches" column of the table below. The AutoPatch utility will inform you of any prerequisite patches that must also be applied.
Required Patches Description Comments
3072811 Oracle 9iAS 1.0.2.2.2 HTTP Server RUP 4
This patch is not required for customers who have performed the following:
Upgraded your iAS ORACLE_HOME to any 11.5.10 level of techstack by following the Oracle MetaLink Note 146468.1
or
Applied the latest Oracle Critical Patch Update July 2005 (4393827) or later.
4334965 11i.ATG_PF.H RUP3 This patch is not required for customers who have applied ATG_PF.H RUP4 4676589 or later
3942483 TXK:AUTOCONFIG SUPPORT FOR REVERSE PROXY, URL FIREWALL AND DMZ CONFIGURATION (PHASE 1)
This patch is not required if your E-business Suite instance have been upgraded to 11.5.10 CU2 or later and also it has been upgraded to TXK.M (4709948) patchset or later.
1. Apply the above patches in the order shown 2. Proceed to section 5 Configuring Oracle E-Business Suite 11i in DMZ
Section 5: Configuring Oracle E-Business Suite 11i in DMZ
AttentionBefore proceeding with the configuration steps detailed in this section, ensure that the network firewall rules have been defined and are working. Access between the Applications external web tier servers to the Applications database server must be working. If reverse proxy server is configured communication between the client and the reverse proxy server must be working as well.
This section provides the instructions for configuring the deployment models described in this document. There are, however, certain common configuration steps that must be carried out regardless of which deployment model is used. The details for these common steps are explained from section 5.1 through section 5.4. After completing the common steps, you can proceed to either section 5.5, section 5.6 or section 5.7 depending on which deployment option is chosen. Before you start, ensure that you have completed the steps described in Section 4: Required Patches for DMZ Configuration
5.1: Update Hierarchy Type
There are a number of user profiles that are used to construct various URLs in an E-Business Suite 11i environment. These user profiles are as follows:
10. BOM:Configurator URL of UI Manager CZ_UIMGR_URL
11. ASO : Configurator URL ASO_CONFIGURATOR_URL
12. QP: Pricing Engine URL QP_PRICING_ENGINE_URL
13. TCF:HOST TCF:HOST
The default hierarchy type value for the above profile options is Security. See diagram below:
The configuration of the E-Business Suite environment for DMZ requires these profile options hierarchy type to be set to SERVRESP. To change the profile options hierarchy type values to SERVRESP, execute the following SQL script as shown below:
After successfully completing the above sql script, run Autoconfig in all nodes to complete the profile options configuration.
5.2: Update Node Trust Level
Oracle E-Business Suite 11i has the capability to restrict access to a predefined set of responsibilities based on the Web server from which the user logs in. This capability is provided by tagging web servers with a trust level. The server trust level indicates the level of trust associated with the web server. Currently, three trust levels are supported:
Administrative Servers marked as Administrative are typically those used exclusively by system administrators. These servers are considered secure and provide access to any and all E-Business Suite functions. Normal Servers marked as Normal are those used by employees within a company’s firewall. Users logging in from normal servers have access to only a limited set of responsibilities. External Servers marked as External are those used by customers or employees outside of a company’s firewall. These servers have access to an even smaller set of responsibilities.
Node Trust Level (NODE_TRUST_LEVEL) is a server profile option. The default value for this profile option for all E-Business Suite middle tiers is set to Normal. If you wish to learn more about the Node Trust Level, please refer to Oracle Applications System Administrators Guide .
Identify the external web tier in your Oracle E-business Suite 11i environment and set the NODE_TRUST_LEVEL profile option value at the server level to External. See diagram below.
To change the value of the Node Trust Level profile option value for a particular node, perform the following steps:
1. Login to Oracle E-Business Suite as sysadmin user using the internal URL 2. Select System Administrator Responsibility 3. Select Profile / System 4. From the 'Find system profile option Values' window, select the server that you want to make external 5. Query for %NODE%TRUST%. You will see a profile option named 'Node Trust Level'. The value for this profile
option at site level will be Normal. Leave this setting as is 6. Set the value of this profile option to External at the server level (not site level). The site-level value should remain
Normal.
5.3: Update List of Responsibilities
The steps described in this section are required only if you have marked any of the Oracle E-Business Suite 11i middle tiers as External as described in section 5.2.
After updating the server-level profile value for Node Trust Level for the external web tier(s) to External, users can no longer see any responsibilities when they login to the external web tier. In order for a responsibility to be available from the external E-Business Suite web tier, set the Responsibility Trust Level profile option value for that responsibility to External at the responsibility level. For information on additional product specific responsibilities that can be made externally accessible from the external E-Business Suite middle tier, please refer to Appendix B1. Oracle E-Business Suite Product Specific Configurations.
To change the value of the Responsibility Trust Level profile option at the responsibility level for a particular responsibility, perform the following steps:
1. Login to Oracle E-Business Suite as sysadmin user using the internal URL 2. Select System Administrator Responsibility 3. Select Profile / System 4. From the 'Find system profile option Values' window, select the responsibility that you want to make external 5. Query for %RESP%TRUST%. You will see a profile option named 'Responsibility trust level'. The value for this
profile option at site level will be Normal.
6. Set the value of this profile option for the chosen responsibility to External at responsibility level (not site level). The site-level value should remain Normal.
Perform the above steps for all responsibilities that you want to make available from the external web tier.
5.4: Update Home Page Mode to Framework & Set Validation Level
The new Oracle E-Business Suite 11i Home page based on the Oracle Applications Framework architecture is required for the deployment of the Oracle E-Business Suite in a DMZ configuration. To enable this, apply the required patches mentioned in Section 4 and set the self-service personal home page mode to "Framework Only" as shown in the diagram below.
To change the value of the Home page mode, perform the following steps:
1. Login to Oracle E-Business Suite as sysadmin user using the internal URL 2. Select System Administrator Responsibility
3. Select Profile / System 4. From the 'Find system profile option Values' window, query for %HOME%MODE%. You will see a profile option
named 'Self Service Personal Home Page Mode' , set the value of this profile option to Framework Only.
To change the value of the various validation levels, perform the following steps:
1. Login to Oracle E-Business Suite as sysadmin user using the internal URL 2. Select System Administrator Responsibility 3. Select Profile / System 4. From the 'Find system profile option Values' window, query for %FND%VALIDATION%LEVEL. You will see a profile
option named 'FND Validation Level ', set the value of this profile option to ERROR 5. From the 'Find system profile option Values' window, query for %FND%FUNCTION%VALIDATION%. You will see a
profile option named 'FND Function Validation Level ', set the value of this profile option to ERROR 6. From the 'Find system profile option Values' window, query for %FRAMEWORK%VALIDATION%. You will see a
profile option named 'Framework Validation Level ', set the value of this profile option to ERROR 7. From the 'Find system profile option Values' window, query for %FND%RESTRICT% .You will see a profile option
named 'FND Restrict Input ', set the value of this profile option to YES
5.5: Configuration Details for Using Reverse Proxies in DMZ
The steps described in this section assume that you have already setup the reverse proxy server of your choice and is ready to make modifications to the Oracle E-Business Suite Applications Context file on the external web tier. To complete the configuration for this option, follow the steps given below.
AttentionOracle does not certify specific reverse proxy solutions from third-party vendors. The instructions included in the document are generally applicable to third-party reverse proxy solutions, including (but not restricted to) Apache, Microsoft Proxy Server, and other products.
5.5.1: Update Oracle E-Business Suite Applications Context File
On the external Oracle E-Business Suite web node, run the AutoConfig Context Editor as documented in the Oracle MetaLink Note 165195.1 "Using AutoConfig to Manage System Configurations with Oracle Applications 11i". In the Context Detail screen, set the following configuration values:
set the webentry point, s_webentryhost, to the reverse proxy server. set the webentry domain, s_webentrydomain, to the domain name of the reverse proxy server. set the active webport, s_active_webport, to the port where the reverse proxy server listen for client requests. For
example port 80 for HTTP or 443 for HTTPS. set the webentry protocol, s_webentryurlprotocol, to the protocol value the clients use to access the reverse proxy
server. set the login page, s_login_page, to <webentry protocol>://<webentry point>.<webentry domain>:<active webport>.
Replace <webentry protocol>, <webentry point>, <webentry domain>, and <active webport> with their respective values.
5.5.2: Run AutoConfig and Restart Oracle HTTP Server
1. Run AutoConfig on each Applications middle tier . Please refer to the Oracle MetaLink Note 165195.1 "Using AutoConfig to Manage System Configurations with Oracle Applications 11i" for more information on AutoConfig.
2. After AutoConfig completes successfully, restart the Oracle HTTP servers on the external web tier.
Proceed to the Appendices for any additional Oracle E-Business Suite product specific settings that needs to be done.
5.5.3: Configuration Details for Using Reverse Proxies With No External Web Tier
5.5.3.1: Create a new Context File for the External Entry Point
1. To create a context file for the external entry point, execute the commands shown in the table below:
$ perl $COMMON_TOP/clone/bin/adclonectx.pl \ contextfile=<location of the context file including the file name of the internal midtier> \ outfile=<enter name of the context file to be created including its location>
For example:
Internal Server Name: internal.company.com
External Server Name: external.company.com
Context file for Internal Entry Point including its location: /d1/applmgr/visappl/admin/VIS_internal.xml
Context file to be created for External Entry Point including its location: /d1/applmgr/visappl/admin/VIS_external.xml
Database ID: VIS
For the above given example, you will enter the command as
The script will prompt for various inputs from the user as shown in the table below. please note that the default prompt values are provided for reference purposeonly and may not reflect the actual values in your environment.
Prompt Required Value Comments
Do you want to use a virtual hostname for the target node (y/n) [n]
Y
Target hostname [internal]: external
Do you want the inputs to be validated (y/n) [n] ?:
Y
Target system database SID [VIS] VIS
Username for the applications file system owner [applmgr]
applmgr
Group for the applications file system owner [dba]:
dba
Target system database server node [internal]
internal
Target system database domain name [company.com]
company.com
Does the target system have more than one application tier server node (y/n) [y] ?:
N Enter 'Y' if you have a multinode system.
Does the target system application tier utilize multiple domain names (y/n) [n] ?:n
NEnter 'Y' if all the nodes are running on the same domain.
Is the target system APPL_TOP divided into multiple mount points (y/n) [n] ?:
NEnter 'Y' if the APPL_TOP is divided into multiple mount points.
Target system APPL_TOP mount point [/d1/applimgr/visappl]:
/d1/applimgr/visappl
Target system COMMON_TOP directory [/d1/applimgr/viscomn]:
/d1/applimgr/viscomn
Target system 8.0.6 ORACLE_HOME directory [/d1/applmgr/visora/8.0.6]
/d1/applmgr/visora/8.0.6
Target system iAS ORACLE_HOME directory [/d1/applmgr/visora/iAS]
/d1/applmgr/visora/iAS
Do you want to preserve the Display set to internal:0.0 (y/n) [y] ?:
Y
Do you want to preserve the port values from the source system on the target system (y/n) [y] ?
Y
It is possible that adclone utiity will report an error and prompt you to choose an alternative port pool if the services for the internal instance is running. To prevent this from happening, shutdown the application tier services when you run this utility.
After you provide all the required inputs, the clonectx utility will proceed and create the new context file for the external entry point at the location specified in the command
5.5.3.2: Verify and Update the New Context File Created for the External Entry Point
Table given below gives a list of AutoConfig variables that need to be reviewed and edited if required.
AutoConfig Variable
Required Value Comments
s_isWeb YES All the other Node type variables in the <oa_system_config> section must be set to NO as we are not intending to run
any service other than the web server for the external entry point
s_isWebDev YES
s_webport New Port for the< HTTP Listener>Pick a port that is not used by any other service
s_webport_pls New Port for the< HTTP PLS Listener> Pick a port that is not used by any other service
s_oprocmgr_port New Port for the <oprocmgr process >Pick a port that is not used by any other service
s_webentryurlprotocol
Set the value to the < web entry protocol>
For example, value will be either http or https
s_webentryhost Set the value to the <webentry point hostname>
s_webentrydomain
Set the value to the <webentry point hostname>
s_active_webport Set the value to the <web entry listener port>
s_login_pageSet the value to <s_webentryurlprotocol>://<s_webentryhost>.<s_webentrydomain>:<s_active_webport>/oa_servlets/AppsLogin
s_server_ip_address
Set the value to the IP address of the webentry host. Alternatively, you can also set the value of this variable to a different network address that is configured on the intranet middle tier server which is not present in fnd_nodes.
5.5.3.3: Instantiate New Configuration Files for the External Entry Point
1. Execute the Shared Oracle Home configuration script ( txkSOHM.pl ) as shown below to instantiate the required http server configuration files to a location of your choice.
$ cd $FND_TOP/patch/115/bin
$ perl txkSOHM.pl
The script will prompt the user for the following inputs:
Absolute path of Application's Context XML file : <Enter the location of the context file created for the external entry point including its name>
Type of Instance [primary/secondary] : secondary
Absolute path of 8.0.6 Shared Oracle Home : <Enter the location of the 8.0.6 ORACLE_HOME>
Absolute path of iAS Shared Oracle Home : <Enter the location of the iAS ORACLE_HOME>
Absolute path of config top: <This is the directory to which the script will instantiate the configuration files for the external entry point. Always remember to choose a new location as the configuration top can not be shared between multiple instances>
Context file for External Entry Point including its location: /d1/applmgr/visappl/admin/VIS_external.xmlAbsolute path of 8.0.6 Shared Oracle Home : /d1/applmgr/visora/8.0.6Absolute path of iAS Shared Oracle Home : /d1/applmgr/visora/iASAbsolute path of config top : /d1/applmgr/viscomn/conf/VIS_externalDatabase ID: VIS
For the example given above, you will enter the value as shown below:
Absolute path of Application's Context XML file : /d1/applmgr/visappl/admin/VIS_external.xmlType of Instance [primary/secondary] : secondaryAbsolute path of 8.0.6 Shared Oracle Home : /d1/applmgr/visora/8.0.6Absolute path of iAS Shared Oracle Home : /d1/applmgr/visora/iAS Absolute path of config top : /d1/applmgr/viscomn/conf/VIS_external
The script will run autoconfig at the end which will generate a new scripts directory under$COMMON_TOP/admin/scripts . You can use the scripts created under this new directory to start/stopservices for the external entry point.
Please note that you only need to run the main HTTP and the HTTP listener for the pl/sql requests for the external entry point. All the other services can be disabled. Please refer to appendix I. Disabling E-Business Suite 11i Application Services on the External Web Tier for instructionsto disable a service.
You can also refer to Oracle MetaLink Note 438744.1 Case History: Implementing a Reverse Proxy Alone in a DMZ Configuration for more detailed verbose instructions on implementing this toplogy.
5.5.4: Configuration Details for Using Hardware Load Balancers with No External Web Tier
AttentionThis configuration requires your application middle tier server to have atleast two network interfaces. One network interface is required for the external entry point and another for the internal entry point . These network interfaces must be configured to resolve to two different hostnames in the DNS.
5.5.4.1: Create new Context Files for the External Entry Point
1. To create a context file for the external entry point, execute the commands shown in the table below:
$ perl $COMMON_TOP/clone/bin/adclonectx.pl \ contextfile=<location of the context file including the file name of the internal midtier> \ outfile=<enter name of the context file to be created including its location>
For example:
Internal Server Name 1: internal1.company.comInternal Server Name 2: internal2.company.com
External Server Name 1: external1.company.comExternal Server Name 2: external2.company.com
Context file for Internal Entry Point on Internal Server 1 including its location: /d1/applmgr/visappl/admin/VIS_internal1.xml
Context file to be created for External Entry Point on Internal Server 1 including its location: /d1/applmgr/visappl/admin/VIS_external1.xml
Context file for Internal Entry Point on Internal Server 2 including its location: /d1/applmgr/visappl/admin/VIS_internal2.xml
Context file to be created for External Entry Point on Internal Server 2 including its location: /d1/applmgr/visappl/admin/VIS_external2.xml
Database ID: VIS
For the above given example, you will enter the command as
The script will prompt for various inputs from the user as shown in the table below. please note that the default prompt values are provided for reference purpose
only and may not reflect the actual values in your environment.
Prompt Required Value Comments
Do you want to use a virtual hostname for the target node (y/n) [n]
N
Target hostname [internal]: external1
Do you want the inputs to be validated (y/n) [n] ?:
Y
Target system database SID [VIS] VIS
Username for the applications file system owner [applmgr]
applmgr
Group for the applications file system owner [dba]:
dba
Target system database server node [internal]
internal1
Target system database domain name [company.com]
company.com
Does the target system have more than one application tier server node (y/n) [y] ?:
N Enter 'Y' if you have a multinode system.
Does the target system application tier utilize multiple domain names (y/n) [n] ?:n
NEnter 'Y' if all the nodes are running on the same domain.
Is the target system APPL_TOP divided into multiple mount points (y/n) [n] ?:
NEnter 'Y' if the APPL_TOP is divided into multiple mount points.
Target system APPL_TOP mount point [/d1/applimgr/visappl]:
/d1/applimgr/visappl
Target system COMMON_TOP directory [/d1/applimgr/viscomn]:
/d1/applimgr/viscomn
Target system 8.0.6 ORACLE_HOME directory [/d1/applmgr/visora/8.0.6]
/d1/applmgr/visora/8.0.6
Target system iAS ORACLE_HOME directory [/d1/applmgr/visora/iAS]
/d1/applmgr/visora/iAS
Do you want to preserve the Display set to internal:0.0 (y/n) [y] ?:
Y
Do you want to preserve the port values from the source system on the target system (y/n) [y] ?
Y
It is possible that adclone utiity will report an error and prompt you to choose an alternative port pool if the services for the internal instance is running. To prevent this from happening, shutdown the application tier services when you run this utility.
After you provide all the required inputs, the clonectx utility will proceed and create the new context file for the external entry point at the location specified in the command
5.5.4.2: Verify and Update the New Context Files Created for the External Entry Points
Table given below gives a list of AutoConfig variables that need to be reviewed and edited if required.
AutoConfig Variable
Required Value Comments
s_isWeb YES
All the other Node type variables in the <oa_system_config> section must be set to NO as we are not intending to run any service other than the web server for the external entry point
s_isWebDev YES
s_webport New Port for the< HTTP Listener>Pick a port that is not used by any other service
s_webport_pls New Port for the< HTTP PLS Listener> Pick a port that is not used by any other service
s_oprocmgr_port New Port for the <oprocmgr process >Pick a port that is not used by any other service
s_webentryurlprotocol
Set the value to the < web entry protocol>
For example, value will be either http or https
s_webentryhost Set the value to the <webentry point hostname>
s_webentrydomain
Set the value to the <webentry point hostname>
s_active_webport Set the value to the <web entry listener port>
s_login_pageSet the value to <s_webentryurlprotocol>://<s_webentryhost>.<s_webentrydomain>:<s_active_webport>/oa_servlets/AppsLogin
s_server_ip_address
Set the value of this variable to the IP address of the external facing interface
5.5.4.3: Instantiate New Configuration Files for the External Entry Point
1. Execute the Shared Oracle Home configuration script ( txkSOHM.pl ) as shown below to instantiate the required http server configuration files to a location of your choice.
$ cd $FND_TOP/patch/115/bin
$ perl txkSOHM.pl
The script will prompt the user for the following inputs:
Absolute path of Application's Context XML file : <Enter the location of the context file
created for the external entry point including its name>
Type of Instance [primary/secondary] : secondary
Absolute path of 8.0.6 Shared Oracle Home : <Enter the location of the 8.0.6 ORACLE_HOME>
Absolute path of iAS Shared Oracle Home : <Enter the location of the iAS ORACLE_HOME>
Absolute path of config top: <This is the directory to which the script will instantiate the configuration files for the external entry point. Always remember to choose a new location as the configuration top can not be shared between multiple instances>
Context file for External Entry Point including its location: /d1/applmgr/visappl/admin/VIS_external1.xmlAbsolute path of 8.0.6 Shared Oracle Home : /d1/applmgr/visora/8.0.6Absolute path of iAS Shared Oracle Home : /d1/applmgr/visora/iASAbsolute path of config top : /d1/applmgr/viscomn/conf/VIS_external1Database ID: VIS
For the example given above, you will enter the value as shown below:
Absolute path of Application's Context XML file : /d1/applmgr/visappl/admin/VIS_external1.xmlType of Instance [primary/secondary] : secondaryAbsolute path of 8.0.6 Shared Oracle Home : /d1/applmgr/visora/8.0.6Absolute path of iAS Shared Oracle Home : /d1/applmgr/visora/iAS Absolute path of config top : /d1/applmgr/viscomn/conf/VIS_external
The script will run autoconfig at the end which will generate a new scripts directory under$COMMON_TOP/admin/scripts . You can use the scripts created under this new directory to start/stopservices for the external entry point.
Please note that you only need to run the main HTTP and the HTTP listener for the pl/sql requests for the external entry point. All the other services can be disabled. Please refer to appendix I. Disabling E-Business Suite 11i Application Services on the External Web Tier for instructionsto disable a service.
5.6: Configuration Details for Using Separate Oracle E-Business Suite Web Tier in DMZ
There are no extra steps needed for this configuration. Proceed to the Appendices for any additional Oracle E-Business Suite product specific settings that needs to be done.
5.7: Configuration Details for Using HTTP Hardware Load Balancers in DMZ
To complete the configuration for this option, follow the steps given below.
5.7.1: Update Oracle Applications Context File
On the internal Applications middle-tier nodes, run the AutoConfig Context Editor as documented in the Oracle MetaLink Note 165195.1 "Using AutoConfig to Manage System Configurations with Oracle Applications 11i". In the Context Detail screen, set the following configuration values:
set the webentry point, s_webentryhost, to the load balancer that is used to load balance the internal Applications middle tiers
set the webentry domain, s_webentrydomain, to the domain name of the load balancer set the active webport, s_active_webport, to the value of the load balancer's external port set the webentry protocol, s_webentryurlprotocol, to the load balancer's protocol e.g. "http" or "https". set the login page, s_login_page, to <webentry protocol>://<webentry point>.<webentry domain>:<active webport>.
Replace <webentry protocol>, <webentry point>, <webentry domain>, and <active webport> with their respective values.
On the external Applications web tier node, run the AutoConfig Context Editor as documented in the Oracle MetaLink Note 165195.1 "Using AutoConfig to Manage System Configurations with Oracle Applications 11i". In the Context Detail screen, set the following configuration values:
set the webentry point, s_webentryhost, to the load balancer that is used to load balance the external Applications middle tiers
set the webentry domain, s_webentrydomain, to the domain name of the load balancer set the active webport, s_active_webport, to the value of the load balancer's external port set the webentry protocol, s_webentryurlprotocol, to the load balancer's protocol e.g. "http" or "https". set the login page, s_login_page, to <webentry protocol>://<webentry point>.<webentry domain>:<active webport>.
Replace <webentry protocol>, <webentry point>, <webentry domain>, and <active webport> with their respective values.
If you are sharing APPL_TOP between the various middle tiers, then you must update the following configuration values.
set the FND_SECURE directory (s_fnd_secure) to a unique location.
For example:
For the internal middle tier shared APPL_TOP, set the following:
set s_fnd_secure to /d1/user4/11510/vis11510appl/fnd/secure/int-middle-tier-1 for internal middle tier 1
set s_fnd_secure to /d1/user4/11510/vis11510appl/fnd/secure/int-middle-tier-2 for internal middle tier 2
For the external web tier shared APPL_TOP, set the following:
set s_fnd_secure to /d1/user4/11510/vis11510appl/fnd/secure/ext-web-tier-1 for external web tier 1
set s_fnd_secure to /d1/user4/11510/vis11510appl/fnd/secure/ext-web-tier-1 for external web tier 2
set the dbc file name (s_dbc_file_name) in the Applications Context file to use the same name across all the middle tiers.
5.7.2: Run AutoConfig and Restart Oracle HTTP Server
1. Run AutoConfig on each Applications middle tier (external and internal) to complete the configuration. Please refer to the Oracle MetaLink Note 165195.1 "Using AutoConfig to Manage System Configurations with Oracle Applications 11i" for more information on AutoConfig.
2. After AutoConfig completes successfully, restart the Oracle HTTP server.
Proceed to the Appendices for any additional Oracle E-Business Suite product specific settings that needs to be done.
5.8: Enable Oracle E-Business Suite Application Server Security
Oracle E-Business Suite 11i is deployed in a multi-tier configuration with one Database Server and many possible middle-tier Application Servers. The Application Servers include Apache JSP/Servlet, Forms, Discoverer and also some client programs such as Application Desktop Integrator, Oracle Discoverer Admin Edition. Any program which makes a SQLNET connection to the Oracle E-Business Suite database needs to be trusted at some level. This security feature ensures that such SQLNET connections are coming from trusted machines and/or trusted programs.
The Server Security feature supports authentication of application server machines and code modules in order to access the database. When Server Security is activated, Application Servers are required to supply server IDs (like passwords) and/or code IDs to access a database server. Server IDs identify the machine from which the connection is originating. Code IDs identify the module and patch level from which the connection is originating. Code IDs are included in applications code by development. The database server can be set to allow access only from specific machines and/or by code at a desired patch level.
The application server security feature is not activated by default for pre 11.5.10 E-Business Suite installations. It is recommended that you enable the server security feature by performing the steps given below:
Run the AutoConfig Context Editor as documented in the Oracle MetaLink Note 165195.1 "Using AutoConfig to Manage System Configurations with Oracle Applications 11i". In the Context Detail screen, set the following configuration values for both internal and external nodes:
Set the value of Application Server Security Authentication (s_appserverid_authentication) to SECURE Run AutoConfig on each Applications middle tier to complete the configuration. Please refer to the Oracle MetaLink
Note 165195.1 "Using AutoConfig to Manage System Configurations with Oracle Applications 11i" for more information on AutoConfig
After AutoConfig completes successfully, restart the Oracle HTTP server
Distributed caching functionality has to be enabled in a DMZ environment to avoid data inconsistencies for data such as profiles, menu, responsibilities and product specific data. To complete this configuration, follow the steps given below:
Identify the highest number of JVMs that serve the oacore JVM group in the internal and external middle tiers. For eg: if there are 3 JVMs in the internal and 2 JVMs configured for the external middle tier, take the number as 3
Identify the number of java processes spawned by the concurrent manager tier. For eg: if there are 3 JVMs spawned by the ICM, take the number as 3 . Add this to the number of oacore JVMs . In the example given above, the total number JVMs become 6 . So, six ports need to be opened in the firewall.
Identify the ports to open in the firewall that separates the external middle tier and the internal middle tier . For eg: if the JVM count is 3, you have to open 3 ports on this firewall.
This range of ports need to be specified as a value for the autoconfig variable ( s_fnd_cache_port_range ) . Please make sure that the value is same in all the applications context files . The value should be specified as a range. For eg: 36500-36505. When AutoConfig completes the configuration, the value specified for this variable in the context file will get updated in the FND_CACHE_PORT_RANGE profile option
In addition to the ports specified above, you must ensure that the Java Object Cache Port specified as a value for the autoconfig variable s_java_object_cache_port is also open on the firewall that separate the external and internal middle tiers.
You must run Autoconfig to complete the configuration after editing the applications context file.
AttentionIn a multinode installation, the AutoConfig variable s_java_object_cache_port must be set identically on all nodes. Similarly, s_fnd_cache_port_range must be set identically on all nodes. Please note that s_java_object_cache_port must be set to a different value from s_fnd_cache_port_range in the same applications context file to avoid port conflicts.
Appendices
A. List of External Facing Oracle E-Business Suite 11i ProductsB. Oracle E-Business Suite 11i Product Specific ConfigurationsC. Configuration Option for Functionally Directed Load DistributionD. Reverse Proxy ConfigurationE. Configuring the URL FirewallF. List of Ports to Open in a DMZ ConfigurationG. TroubleshootingH. Disabling E-Business Suite 11i Application Services on the External Web TierI. Related Documentation
Appendix A : List of External Facing Oracle E-Business Suite 11i Products
Below is a list of Oracle certified E-Business Suite 11i products that can be deployed for external use. If you are planning on deploying a product that is not listed in the table below, please open a TAR with Oracle Support requesting certification of that product for external deployment. The "URL Firewall Rules" column indicate whether there are any special rules that need to be enabled in the URL FW for the product to function. An "Yes" in the column indicates there are special rules.
Product Name
Product ID
Product Code
Product Family
URL Firewall Rules
Minimum Code Level
Patch Requirement for 11i9
Patch Requirement for 11i10
iSupplier Portal
208 POS Procurement Yes 11i9 or 11i10
3824408 none
Oracle Sourcing
1273 PON Procurement Yes 11i9 or 11i10
3439889 4028294 - Oracle Sourcing J Rollup
4355344
Oracle Receivables
1106 OIR Financials Yes 11i9 or 11i10
3830660 - Oracle iReceivables 11.5.9 Rollup Patch 1 on top of OIR.D/OIR.E
4389615
Oracle Lease Management
1056 OKL Financials Yes 11i10 N/A
Customers who are on OKL Minipack G level must have the following patches applied to their system:
3981693 4298372 5919519
Customer who are on OKL Minipack H level must have the following patches applied to their system
4551977 5196112 5919519
iRecruitment 1193 IRC Human Resources
Yes 11i9 or 11i10
3197168 - IRC.C
4220842
4242220 or a patch that supercedes it is required for customers wishing to implementAgencies functionality and recommended for other iRecruitment customers.
Oracle Time and Labor
310 OTL Human Resources
Yes 11i10 none none
Self Service Human
1566 SSHR Human Resources
No 11i10 none none
resources
Oracle Learning
Management
810 OTA Human Resources
Yes 11i10 none none
Oracle iSupport
381 IBU CRM Yes 11i10 or 11i9
4239373 none
Oracle iStore 384 IBE CRM Yes 11i9 or 11i10
none 4433232
Oracle Marketing
229 AMS CRM Yes 11i10 none 4164845 4365000
Oracle Partner
Relationship Management
1065 PRM CRM Yes 11i9 or 11i10
none none
Oracle Survey 1578 IES CRM Yes 11i9 or 11i10
none none
Oracle Transportatio
n
1060 FTE Manufacturing
Yes 11i9 or 11i10
none none
Oracle Contracts
Core
154 OKC Manufacturing
N/A 11i9 or 11i10
none none
Oracle Service
Contracts
432 OKS Manufacturing
N/A 11i9 or 11i10
none 4288444 4255999 4437993
Oracle Collaborative
Planning
1037 SCE Manufacturing
Yes 11i10 none 4231972
Oracle User Management
1475 UMX Application Object Library
No 11i10 NA None
Order Information Portal
660 ONT Order Management
No 11i10 NA 11.5.10CU1 + OM PRP (4665900 )
Oracle Internet Expenses
397 OIE Financials No
Oracle Sales for Handhelds
1558 ASP CRM Yes
Appendix B : Oracle E-Business Suite 11i Product Specific Configurations
B1: Oracle E-Business Suite 11i Product Specific Configurations
B1.1: Additional Configurations for iStore
B1.1.1: Time-To-Live Settings for Cached ObjectsB1.1.2: Deploying iStore Pages in Http & Https Configuration
B1.2: AltBatchValidateURL Setting for iStore Integration with Oracle Configurator
B2: Oracle E-Business Suite 11i Technology Stack Configurations
B3: Forward Proxy Configuration
B1: Oracle E-Business Suite 11i Product Specific Configurations
If any of the following products are installed and configured, you must refer to the respective documents as shown in the table below for more information on which responsibilities can be made externally accessible from the Internet.
Please refer to section 5.3: Update List of Responsibilities for the necessary steps to make the responsibilities listed below available on the external web server.
To perform any product-specific profile settings, you must refer to the respective product documents shown below.
Product Name
Externally Accessible Responsibilities
Addtional Profile Settings
Additional Documents
iSupplier Portal
iSupplier Portal Full Access
POS Supplier Guest User
Plan to Pay Supplier View
Plan, Source, Pay Supplier View
Source to Pay Supplier View
Supplier Profile Manager
Procure to Pay Supplier View
POS: External URL
POS: Internal URL
Oracle iSupplier Portal Implementation Guide (A95884-02) in the Virtual Applications Documentation Library.
Enable Web Access By External Supplier Users to Oracle iSupplier Portal and Oracle Sourcing (Note 308271.1)
Oracle Sourcing Supplier PON: Oracle
Sourcing External Applications Framework Agent
PON: External login URL (11i9 only)
Sourcing Implementation and Administration Guide (A97394-05) in the Virtual Applications Documentation Library.
Enable Web Access By External Supplier Users to Oracle iSupplier Portal and Oracle Sourcing (Note 308271.1)
iSupport iSupport Business User
iSupport Guest User
iSupport Individual User
iSupport Primary User
iSupport Site: Business User
iSupport Site: Individual User
iSupport Site: Guest User
iSupport Site: Primary User
Oracle iSupport Implementation and User Guide (B13661-01) in the Virtual Applications Documentation Library.
iStore IBE_CUSTOMER IBE: iStore Secure URL
IBE: iStore Non Secure URL
Oracle iStore Implementation and Administration Guide (B13549_01) in the Virtual Applicatio
ns Documentation Library.
Refer to Appendix B1.1 for additional required configuration steps for iStore.
iRecruitment iRecruitment External Site Visitor
iRecruitment External Candidate
iRecruitment Employee Site Visitor
iRecruitment Employee Candidate
iRecruitment Agency
Oracle iRecruitment Implementation Guide
SSHR Employee Self-Service
Manager Self-service
Oracle Learning
Management
Learner Self-Service
Oracle Learning Implementation Guide (B15515-01) in the Virtual Applications Documentation Library or Oracle MetaLink note 293387.1.
Oracle iReceivables
iReceivables Account Managament
Oracle iReceivables Implementation Guide (A97625-04) in the Virtual Applications Documentation Library.
Oracle Lease Management
Lease Customer Self Service
Lease Vendor Self Service
Oracle Transportation Execution
Transportation Execution Carrier User
Oracle Transportation Execution User Guide (B10666-02) in the Virtual Applications Documentation Library
Oracle Transportation Execution Implementation Manual (B10670-02) in the Virtual Applications Documentation Library
Oracle Partner
Relationship Management
Partner Super User Default Partner
User
PV: Locator Server URL
PV: System Login URL
PV: iStore Login URL
PV:Self Service URL with Workflow Notification
For 11i10, refer to the Oracle Partner Management Implementation Guide (B13539-01) in the Virtual Applications Documentation Library
For 11i9, refer to the Oracle Partners Implementation Guide (B10597-01) in the
Virtual Applications Documentation Library
Oracle Marketing
AMS : Server URL
Oracle Marketing Implementation and Administration Guide (B13545-01) in the Virtual Applications Documentation Library
Oracle Contracts
Core
OKC: Contracts Online - External Party Access
Oracle Service
Contracts
Service Contracts Electronic Renewals
Oracle Collaborative
Planning
Supply Chain Collaboration Planner
Supply Chain Collaboration Manager
Oracle Collaborative Planning Implementation and User's Guide (B12168_01) in the Virtual Applications Documentation Library
Order Information Portal
Order Information External User
OM: Records on Summary Page for
Oracle Order Management Implement
External Users
OM: Customer Service Feedback
OM: Customer Service Report Defect
ation Manual in in the Virtual Applications Documentation Library.
Refer to section 8.6 Order Information
Oracle Internet Expenses
Internet Expenses Expenses Analysis
and Reporting
B1.1: Additional Configurations for iStore
B1.1.1: Time-To-Live Setting for Cached Objects
iStore uses Java caching framework to cache frequently used objects in the JVM. Each JVM will have a copy of an object in the Java Cache. When an object is updated by one JVM, it is invalidated in all JVMs across all Applications middle tier servers.
At the present time, cache updates in the Applications internal middle-tier server will not get reflected in the Applications external web server. There are a couple of options to work around this known issue:
1. Shutdown and restart the Oracle HTTP server on the Applications external web server when an object in a cache is updated on the Applications internal middle-tier server. When JVMs are restarted, objects will be freshly fetched into the cache.
2. Set Time-To-Live values for certain cache components so that these cache objects are invalidated on a periodic basis. Cache objects get refreshed when they are accessed for the first time after an invalidation. Since Time-To-Live values themselves are cached, the Oracle HTTP server on the Applications external middle-tier server needs to be bounced once for the new values to take effect.
The exact Time-To-Live values will depend upon business requirements, how often objects in a cache component are updated and what is the tolerance level for having stale objects in the cache. Information on setting up Time-To-Live interval is available at:
Oracle® Applications CRM System Administrator’s Guide (B10354-01) in the Virtual Applications Documentation LibrarySection 8.10 Managing Component Caches andSection 8.11 Editing Component Cache Details
iStore uses Java Cache extensively to cache product catalog objects. Information on iStore Cache Components is available at:
Oracle® iStore Implementation and Administration Guide (B13549_01) in the Virtual Applications Documentation LibrarySection 18.3.1 Component Caches for Oracle iStore in JTT
B1.1.2: Deploying iStore Pages in Http & Https Configuration
For better performance, it is recommended to deploy iStore public pages under HTTP and employ HTTPS only for those pages and processes that transmit sensitive data. In DMZ deployment, this requires the reverse proxy server to listen on two ports, one for HTTP and the other for HTTPS. Both the HTTP and HTTPS reverse proxy listeners should be configured to forward the requests to the external web server. In this configuration, values for profiles "IBE: iStore Non Secure URL" and "IBE: iStore Secure URL" should point to HTTP and HTTPS reverse proxy server.
If iStore public pages are also deployed via HTTPS, values of both the profiles "IBE: iStore Non Secure URL" and "IBE: iStore Secure URL" should point to the HTTPS reverse proxy server and port and can not be left empty. Refer to section 18.4 "Setting up Secure Socket Layer Connections" of Oracle® iStore Implementation and Administration Guide (B13549_01) in the Virtual Applications Documentation Library for more details.
This configuration needs the following patch to be applied on all application web tiers.
Patch Number Description Notes
4433232 ACCESS DENIED ERROR FOR PPR SUBMIT WHEN CZ IS LAUNCHED FROM ISTORE
This patch is not required for customers who have performed the following:
Upgraded your E-Business Suite Instance to 11.5.10 ORACLE E-BUSINESS SUITE CONSOLIDATED UPDATE 2 (3460000)
or
Upgraded your E-Business Suite Instance to 11.5.10 CU2 for ATG Product family (4125550)
This patch is applicable only to Oracle E-Business Suite Release 11i10.
B1.1.3: AltBatchValidateURL Setting for iStore Integration with Oracle Configurator
In a DMZ configuration, it is likely that the database installed in the intranet can not communicate with the external application middle tier due to the fact that the web server port is not opened on the firewall. In such situations, the AltBatchValidateURL should be set to the URL for the configurator servlet on the internal application middle tier server. Please refer to the Oracle MetaLink Note 264934.1 "About Oracle Configurator in Oracle Supply Chain Management Family Pack J" for more information on how to set the AltBatchValidateURL .
B1.1.4: iStore Restrictions on Multiple Domains
iStore profile options IBE_SECURE_URL and IBE_NON_SECURE_URL are set at the site level for an E-Business Suite environment. In 11.5.10.x and earlier, these profile options cannot be set at the server or responsibility level.
Due to this restriction, deploying iStore in a DMZ configuration where the internal and external domains differ will result in intermittent losses of end-user session information and user redirects to the incorrect minisites. This known issue is expected to be resolved in future iStore releases (bug 4666171, enhancement request 3994787).
B2: Oracle E-Business Suite 11i Technology Stack Configurations
These steps are required only when Oracle Discoverer plus or Oracle forms need to be accessed by external users.
Technology Stack Component
Documents
Oracle Discoverer 4i Oracle9iAS Discoverer Plus and Viewer Configuration Guide (A90288-01) - Chapter 7. Configuring Discoverer Plus for Firewall Support
Oracle Developer 6i Customers who are planning to deploy Oracle Forms in servlet mode behind a reverse proxy server must upgrade to thelatest certified version of developer 6i. For more details, refer to Oracle Metalink Note 125767.1 - Upgrading Developer 6i with Oracle Applications 11i
B3: Forward Proxy Configuration
The DMZ Forward Proxy should be configured whether or not a DMZ Reverse Proxy is used, and must be configured to handle outbound DMZ-to-Internet and outbound DMZ-to-Intranet HTTP traffic.Oracle E-Business Suite Application Tier configured in the DMZ must have access to a forward proxy server. This is required by the external modules configured in the DMZ for connecting to external/internal sites to perform certain tasks like resume parsing for iRecruitment. Other modules that are known to use the forward proxy are Oracle Transportation Management and Oracle partner relationship management.
Set the proxy variables in the applications context file as shown in the table below and run autoconfig:
Context Variables Name
Default Values
Description
s_proxyhost null Forward Proxy Host
s_proxyport null Forward Proxy Port
s_proxybypassdomain
s_domainname
Forward Proxy Bypass Domain
All application tier nodes both in the DMZ and intranet must use the same proxy server until enhancement bug # 8431184 is fixed which allows proxy servers to be set at server level.
Firewall Impact:
1.If the DMZ Forward Proxy is separated from the DMZ by a DMZ outbound firewall, then customer needs to change the DMZ outbound firewall configuration to allow for outbound DMZ-to-"DMZ Forward Proxy" HTTP communication.
2. If the DMZ Forward Proxy is within the DMZ, then the customer needs to change the DMZ outbound firewall configuration to allow for outbound "DMZ Forward Proxy"-to-Internet and outbound "DMZ Forward Proxy"-to-Intranet HTTP communication.
Appendix C: Configuration Option for Functionally Directed Load Distribution
This is not a certified configuration option; it is currently supported on a best effort basis. Oracle E-Business Suite customers can redirect load to specific machines based on user responsibilities.
1. Apply all the patches mentioned in Section 4: Required Patches. 2. Use SERVRESP profile hierarchy type for the profiles mentioned in section 5.1: Update Hierarchy type. 3. Assign values at the responsibility & server combination level for the profiles listed in section 5.1.
For example, setting the profiles listed in section 5.1at the responsibility level for HR responsibilities will result in all HR users going to one specific entry point (representing one specific machine or loadbalancing between a specific group of machines)
Appendix D: Reverse Proxy Configuration
A reverse proxy server is an intermediate server that sits between a client and the actual web server and makes requests to the web server on behalf of the client. The client is unaware of the presence of the reverse proxy.
Benefits of using a reverse proxy server are:
Adds a level of isolation between the client and the actual server Allows using standard web port numbers (80 and 443) on the external interface while running the actual web server
on higher numbered ports thus avoiding having to start the actual web application server processes as root. Allows certain rules (or filters) to limit the http requests that are presented to the actual web server Optionally allows for caching of contents
A number of options exist for choosing a reverse proxy
1. Use Oracle 9i Application Server 1.0.2.2 as shipped with Oracle Oracle E-Business Suite 2. Use Oracle Application Server Webcache 3. Use apache httpd from http://httpd.apache.org 4. Use any of a number of commercially available reverse proxies, which often provide some level of added security as
well.
There are pros and cons for each of these solutions, and the customer must choose according to preferences, supportability, existing IT standards and local policies.
The table below present some advantages and disadvantages for each of the options mentioned above
Software Advantages Disadvantages
Oracle 9i Application Server 1.0.2.2 Shipped with Oracle Oracle E-Business Suite
Ships with Oracle Applications Supported by Oracle Can directly use the URL Firewall as
mod_rewrite module is configured with this server
Certified with Oracle E-Business Suite in DMZ configuration
Standalone installation/ configuration of the http server is not available
Can not be used as a reverse proxy to frontend the SSO servers
Oracle Application Server 10g based on Apache 2.0
Standalone version available Supported by Oracle
Supports filtering of URLs Can directly use the URL Firewall as
mod_rewrite module is configured with this server
Oracle Application Server Web Cache
Standalone version available Supported by Oracle Can support caching of E-Business
Suite Content Supports filtering of URLs
Does not understand the rewrite rules of the URL Firewall
Apache server from Apache Software Foundation
Reputable provider of open source software
Available on many platforms Can be configured and built to only
include the required modules Widely used Web server Can directly use the URL Firewall as
mod_rewrite module can be configured with this server
Certified with Oracle E-Business Suite in DMZ configuration
Well Known, Well documented
You will have to download, compile, install and test the proxy
Commercially Available Reverse Proxy Servers
Supported by the software vendor May support URL filtering and
content rewriting May integrate with pre-selected
enterprise single sign-on
Not certified with Oracle E-Business Suite in DMZ configuration
May not understand the rewrite rules of the URL Firewall
If you choose to use Oracle WebCache as your reverse proxy server, please refer to the Oracle MetaLink Note 306653.1 "Installing and Configuring Oracle Application Server Web Cache with Oracle E-Business Suite 11i "
In the remainder of this appendix we will describe the steps required to setup a reverse proxy based on apache2 from httpd.apache.org.
Apache 2.0 is selected for the following reasons :
can be built in a minimum configuration supports HTTP/1.1 for better performance Is well known, and the configuration steps described for the apache based reverse proxy will be useful when
configuring any other reverse proxy
Building an Apache based Reverse Proxy from Source
Apache is available from httpd.apache.org. It is recommend that you download the source code and configure and build the executables locally. This will allow you to configure apache with only the modules required for reverse proxy duty. The following modules will be built and added to the apache server for additional security:
mod_ssl will be added to provide encrypted https connections across the internet. Please note that this may require you to purchase a certificate from a well-known and trusted Certificate Authority (CA) such as Verisign or GoDaddy.
mod_security for its ability to discover and block requests that are obviously malformed, Null byte check, the url encoding check, the directory traversal prevention and the UTF-8 Unicode checks.
mod_rewrite as this is the engine used to implement the URL firewall.
If you are using an apache 1.3.x version, it is important to consider the load order (and thus the execution order) of the various modules in apache. The modules should be loaded in such an order as to ensure that the modules are executed in the following order:
1. mod_security - Reject obviously bad requests before anything else happens 2. mod_rewrite - Check for allowed URL before mod_proxy hands the request over to the external web tier 3. mod_proxy - Only proxy request that seem valid (have passed the 2 above filtering steps) to the external web tier
Apache 2.0.x will require a source code change to ensure the proper execution order. This will be covered in the instructions below.
Build Apache2 for Secure Proxy Configuration
The steps described below will compile and link the following modules with the Apache2 Server.
Obtain the latest version of the apache (2.0.54) src code from http://httpd.apache.org/download$ export http_proxy=http://www-proxy:80 # if you need a proxy to get out
$ cd ; mkdir src ; cd src # go to the build source directory
$ lynx http://httpd.apache.org/download # navigate to a mirror and save .tar.gz and .md5
-rw-r--r-- 1 egravers egravers 7508193 Jul 14 14:36 httpd-2.0.54.tar.gz$ md5sum -c httpd-2.0.54.tar.gz.md5 # should not produce any output
$ md5sum -c modsecurity-1.8.7.tar.gz.md5 # should not produce any output
Unpack the TAR balls:
$ tar xzvf httpd-2.0.54.tar.gz
$ tar xzvf modsecurity-1.8.7.tar.gz
Configure Apache - put this in a small script (runc.sh), that way you have a record of how it was configured
$ cd httpd-2.0.54 $ ./configure -prefix /dmz \
--enable-ssl \
--enable-setenvif \
--enable-proxy \
--enable-proxy_http \
--enable-headers \
--enable-rewrite \
--enable-so \
--disable-charset-lite \
--disable-include \
--disable-env \
--disable-status \
--disable-autoindex \
--disable-asis \
--disable-cgi \
--disable-negotiation \
--disable-imap \
--disable-actions \
--disable-userdir \
--disable-alias
Before compiling, a small change need to be done to the source of mod_proxy.c. This is to ensure that mod_proxy does not proxy a request to the external web tier before the URL firewall based on mod_rewrite has a chance to reject it. It also ensures that mod_proxy gets it's translate_name hook called after mod_rewrite's hook gets called.
$ cd ~/src ; # go to the build source directory
$ cd modules/proxy/ $ diff mod_proxy.c mod_proxy.c.dist
All you have to do is change the second parameter in the ap_hook_translate_name from NULL to aszSucc and save the file.
As you can see, both modules want this hook to be called early (APR_HOOK_FIRST), however they do not specify any preference with respect to ordering with other modules. So we just register that mod_proxy want to be called after mod_rewrite.
$ cd ../.. # back to main build directory
$ make
Check that the expected modules are included (and no others)
$ ./httpd -l
Compiled in modules:
core.c
mod_access.c
mod_auth.c
mod_log_config.c
mod_headers.c
mod_setenvif.c
mod_proxy.c
proxy_http.c
mod_ssl.c
prefork.c
http_core.c
mod_mime.c
mod_dir.c
mod_rewrite.c
mod_so.c
As root install apache to /dmz
$ su
# umask 022
# make install
# chown -R root:sys /dmz
As root - install mod_security
# cd ../modsecurity-1.8.7/apache2/
# /dmz/bin/apxs -cia mod_security.c
At this point apache 2.0 got installed in /dmz. Try to start the server using apachectl, however the installed httpd.conf file has some directives for modules that were not included. You can remove these errors - one by one by attempting start and fixing the problem reported until apache actually starts. The following directives had to be removed after completing the above steps:
Once you have sanitized the default httpd.conf file you can proceed and test
Start apache without SSL
# /dmz/bin/apachectl start
Verify that server is running and is listening on port 80 (http)
# netstat -lntp | sort -t: +1n
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3993/sshd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 24772/httpd
Success!! We have httpd listening on port 80.You can verify that the server is working by using a browser to go to http://site/index.html.en. Note that you will have to specify the full name of the index.html.NN file, including language as we did not include mod_negotiation or mod_dir in this build of the apache server.
Stop the apache http server
# /dmz/bin/apachectl stop
Setting up the SSL certificate
Follow the instructions given below to generate a self signed certificate for test purposes. The encryption is as good as a purchased certificate, however web browsers will warn their users about a unrecognized (un-trusted) Certificate Authority. For your real deployment you will need to purchase a SSL certificate from a Certificate Authority.
Generating and installing a test certificate:
# cd /dmz/conf
# umask 022
# mkdir ssl.key
# mkdir ssl.crt
# mkdir ssl.crl
# openssl req \
-new \
-x509 \
-days 30 \
-keyout ssl.key/server.key \
-out ssl.crt/server.crt \
-subj '/CN=Test-Only Certificate'
# chmod 600 ssl.key/server.key # private key; root and only root should have access
Start apache with SSL
/dmz/bin/apachectl startssl
Verify that server is running and is listening on both port 80 (http) and 443 (https):
# netstat -lntp | sort -t: +1n
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3993/sshd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 24772/httpd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 24772/httpd
Success!! We have httpd listening on port 80 and 443.
You can verify that the server is working by using a browser to go to http://site/index.html.en and https://site/index.html.en.
As before, you will have to specify the full name of the index.html.NN file (including language) as the modules "mod_negotiation" or "mod_dir" was not compiled and configured in this build of the apache server. Note also that your browser will complain when accessing the https URL as it does not recognize the Certificate Authority that signed the SSL certificate.
At this point, all the required infrastructure pieces are working, it is time to configure the apache for proxy duty.
Following configuration files are needed in /dmz/conf:
httpd.conf -- apache configuration file security.conf -- make mod_security stop obviously bad requests url_fw.conf -- allow only required URLs through (see appendix E. Configuring the URL Firewall)
This is covered in the Install and Configure section below.
Install and configure
When the executables have been built and installed it is time to configure the runtime settings in the configuration files, this includes
Configuring Apache httpd (on port 80) Configuring mod_ssl and certificate (on port 443)
Configure mod_proxy (pass entire URL space to external webtier) Configuring mod_security Configuring the URL Firewall
Below is a diagram of the deployment. Presumably you will have a firewall in front of the reverse proxy and another between the reverse proxy and the external web tier.
Oracle Corp. recommends that all E-Business Suite traffic over the internet be encrypted, i.e. using HTTPS on the standard port 443/tcp. Users may expect to just type the hostname of your external site into the address field of their browsers, which will cause the browser to prepend http:// and assume the default HTTP port 80/tcp. To accomodate such users, the reverse proxy should allow this initial connect to the standard HTTP port 80/tcp and immediately redirect the browser to the standard HTTPS port.
This can be achieved by using the following rewrite rule for the port 80 virtual host:
The Oracle iStore product is using both HTTP and HTTPS for performance reasons, and the iStore application will switch between the two protocols as required.
This means that for deployments including iStore the http/80/tcp virtual host should not contain the 'redirect-all-to-https' rule. In this case, a careful selection of initial page and http and https links from it should be created. We also want to ensure that a user cannot call any of the URLs that are supposed to be run over HTTPS via HTTP. (A user could deliberately change the URL in his browser to be http:// rather than https://). We ensure that by only allowing the subset of iStores URL that are considered non sensitive to be accepted in the http virtual host.
You can download the fully functioning configuration files, httpd.conf and security.conf.
The assumptions made while creating these config files are:
the reverse proxy will be accessed via the hostname www.example.com the E-Business Suite external webtier is called extweb.example.com the server admin is [email protected] the apache proxy was configured and installed to /dmz
You will have to modify the file to reflect your host and domain names and the location for /dmz. Once you have modified the above two configuration files and copied them to /dmz/conf/ it is time to test the proxy.
# /dmz/bin/apachectl start #note that you do not need startssl
# netstat -lntp | sort -t: +1n
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3993/sshd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2472/httpd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2472/httpd
Once you have tested the reverse proxy with the above two configuration files, it is time to prepare for installation on the production hardware in the DMZ.
# /dmz/bin/apachectl stop
# rm -f /dmz/logs/* # delete old log files
# rm -rf /dmz/manual* # delete the Apache documentation
# tar cvzf /dmz.tgz /dmz # tar up the runtime proxy
Copy the /dmz.tgz file from the test box to root's home directory on the DMZ host and install it.
dmz# cd /
dmz# tar xvzf ~/dmz.tgz # unpack the runtime proxy
Edit the configuration files to reflect host names and port numbers for the production DMZ, and install the real, CA signed SSL certificate.
Then start the reverse proxy
dmz# /dmz/bin/apachectl start
dmz# netstat -lntp | sort -t: +1n
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 993/sshd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2234/httpd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2234/httpd
The next step is to configure the URL Firewall on the reverse proxy for the Oracle E-Business Suite products you wish to expose to the external parties. Once done, make sure that you include in the reverse proxy node configuration file the customized url_fw.conf configuration file from httpd.conf and bounce the reverse proxy.
Below is a list of references related to building a secure apache proxy, you want to check these out for additional explanation on many of the configuration decisions made above - or for better ideas on how to build your very own.
http://www.securityfocus.com/infocus/1818 -- Apache 2 with SSL/TLS Step-by-Step, Part 1 http://www.securityfocus.com/infocus/1820 -- Apache 2 with SSL/TLS Step-by-Step, Part 2 http://www.securityfocus.com/infocus/1823 -- Apache 2 with SSL/TLS Step-by-Step, Part 3 http://www.apacheweek.com/features/reverseproxies -- Running a Reverse Proxy with Apache (2) http://www.securityfocus.com/infocus/1739 -- Web Security Appliance With Apache and mod_security http://httpd.apache.org/docs-2.0/install.html -- From the source http://httpd.apache.org/docs-2.0/mod/mod_proxy.html -- From the mod_proxy doc http://www.modsecurity.org/ -- all you ever wanted to know about mod_security
Additional, important considerations for a production deployment of the reverse proxy such as
O/S Hardening Load balancing for Redundancy (avoiding single points of failures) Fail-over strategies Log rotation and analysis
are left as an exercise for the implementer.
Appendix E: Configuring the URL Firewall
AttentionThe URL Firewall configuration file l (url_fw.conf) shipped with the patch (3942483) applies only to Oracle E-Business Suite release 11.5.10 and later. For Oracle E-Business Suite 11.5.9 the version of the URL Firewall configuration file is TXK.M (4709948).
The purpose of the URL Firewall is to ensure that only URLs required for the externally exposed functionality can be accessed from the internet.
The URL firewall is implemented as a whitelist list of URLs required; any URL request that is not matched in the whitelist list is refused. This will limit the exposure of your Oracle E-Business Suite deployment by reducing the attack surface available to external parties.
The URL Firewall can be deployed on the external webtier or in the reverse proxy. If you are deploying a reverse proxy that can process mod_rewrite rules, we recommend that the URL Firewall be deployed on the reverse proxy in order to reject un-authorized requests as early as possible. To implement the URL Firewall configuration on the reverse proxy server, copy url_fw.conf from $IAS_CONFIG_HOME/Apache/Apache/conf/url_fw.conf on the external midtier to the reverse proxy host.
The URL Firewall is shipped as an apache configuration file containing rewrite rules interpreted by mod_rewrite. The URL Firewall configuration file (url_fw.conf) will be generated on all the web tiers by the AutoConfig utility. Inclusion of the configuration file url_fw.conf in the Oracle HTTP Server configuration file (httpd.conf) is decided based upon the trust level associated with the application node.Thus for nodes that are marked as external, the file will be automatically included by AutoConfig in the Oracle HTTP Server Configuration file httpd.conf. There could be scenarios where you may want to add custom or change the current rewrite rules for different deployment scenarios. Should such a requirement arise, use autoconfig customization as explained in Metalink Note 270519.1 .
The file consists of blocks of URLs that may be required depending on the deployed product mix and ends with a rule that rejects the request if it has not been matched by one of the enabled rules. You will have to manually edit this file to enable the URLs in the block that corresponds to the product(s) you are deploying for external access.
The url_fw.conf file has the following blocks:
INITIAL PAGE - defines the default start page STATIC - static files such as images, stylesheets, javascript and html COMMON - common components used by multiple products LOCAL - required for local login FORMS - if your product mix requires the use of Oracle Forms XXX - where XXX is a product abbreviation
You will always need the STATIC, COMMON and LOCAL blocks. Depending on the product(s) you are deploying, you may need additional blocks of URLs enabled. This is summarized in the table below.
*) iStore needs the CZ block if it is integrated with the Configurator.
In addition to uncommenting the blocks of URLs specified above you will have to consider and decide how to handle the following for your deployment:
Initial page - what page should be displayed when external users go to / Help - what should happen when external users click on the Help icon
The syntax of the ErrorDocument directive in url_fw.conf need modification (to use double quotes), if you have configured apache2 as the reverse proxy server. The default file shipped uses Apache 1.3.x syntax.
Configure Initial Page
In the shipping version of url_fw.conf external users will be presented with the standard Apps Login page when they go to / (actually http://your.site.com ) on your external site. If you are deploying products that allow users to surf part of the site prior to authentication presenting them with a login page may not make any sense. For example if you are deploying iStore, users have an expectation to be able to browse the goods without logging in. If you are deploying iRecruitment, maybe external users can browse available job postings prior to identifying themselves.
If you are integrating the external access to E-Business Suite via an existing company website, you may want to include a new page with your corporate branding and links to the appropriate entry points of Oracle Applications.
To change the initial (/) page, locate the INITIAL PAGE block and change the first line in that block to provide the page of your choice.
RewriteRule ^/$ /OA_HTML/AppsLocalLogin.jsp [R,L]
the rule says: upon a request for /, redirect ([R]edirect) to /OA_HTML/AppsLocalLogin.jsp and stop further rewriting ([L]ast).
If your deployment is only iRecruitment or only iStore the above rule could be replaced with one of the following
RewriteRule ^/$ /OA_HTML/IrcVisitor.jsp [R,L] or RewriteRule ^/$ /OA_HTML/ibeCZzpHome.jsp [R,L]
For help in selecting an appropriate initial page, see the Implementation Guide for the products you are deploying externally.
Configure Help Action
In the shipping version of url_fw.conf external users will be presented with an error when they click the Help icon in the top-right part of the Apps screen.
the rule says: upon a request for /OA_HTML/jsp/fnd/fndhelp.jsp, redirect ([R]edirect) to /help and stop further rewriting ([L]ast).
As /help/ does not exist, a 404 file-not-found error is reported to the user.
You will want to avoid getting page not found errors (broken links). You have a number of options for providing help,
1. Serving the full help by adding the following lines in the white list that makes up the URL Firewall,
#Include PLSQL HELP Files# HELP Pages from PLS landRewriteRule ^/OA_HTML/jsp/fnd/fndhelp.jsp$ - [L]RewriteRule ^/pls/[^/]*/fnd_help.search$ - [L]RewriteRule ^/pls/[^/]*/fnd_help.Advanced_Search_Page$ - [L]RewriteRule ^/pls/[^/]*/fndgfm/fnd_help.get/(.*) - [L]
2. Providing customized help by adding the following lines in the positive list that makes up the URL Firewall; you will have to provide the help that is being redirected to
# Do not include PLS Help - serve a (customer created) local help pageRewriteRule ^/OA_HTML/jsp/fnd/fndhelp\.jsp$ /OA_HTML/YourOwnHelpHere.html [L,PT]# or redirect to another siteRewriteRule ^/OA_HTML/jsp/fnd/fndhelp\.jsp$ http://myhelpsite/help/[R,L]
Appendix F: List of Ports to Open in a DMZ Configuration
The diagram shown below represents the list of ports that need to be opened on the firewalls in a DMZ configuration.
If users need access to additional components like Oracle Forms in server mode and Oracle Discoverer Plus, then additional ports may need to be opened on the External, Internal and the Data Firewall.
Some of the Oracle E-Business Suite modules like Oracle Configurator use UTL_HTTP package to communicate from the database to the application tier where the web server is installed. This is done over the HTTP(s) protocol. So, if there is a firewall configured between the application and database tier, http port must be opened on this firewall for this communication to succeed.
Appendix G: Configuring Multiple Web Entry Points and DMZs with Single Sign-On
You can deploy Oracle E-Business Suite environments with DMZs and multiple web-entry points. These configurations may optionally be integrated with Oracle Single Sign-On or Oracle Access Manager for centralized authentication. Either of these solutions also requires Oracle Internet Directory.
AttentionFigure F8, shown above, depicts a configuration in which the internal and external users are authenticated via a single Oracle Single Sign On server installed in the DMZ. The LDAP directory, Oracle Internet Directory, remains on the internal network.
Integrating E-Business Suite with Multiple Web-Entry Points and DMZs with External Single Sign-On & Oracle Internet Directory 10g Instances will be supported as of "SSO 10G Integration for 11.5.10 ATG Rollup 4 (Build 4.0)" patch. However, the level of supportability will be dependent upon the implementation.
1. Customers who follow the instructions and implement Single Sign-On 10g using a tested and certified DMZ topology as documented in this MetaLink Note 287176.1, are fully supported. This is the preferred implementation. The topology for a typical Single Sign-On 10g configuration is depicted in the diagram contained in Figure F8 above.
2. Customers who implement Single Sign-On 10g using an alternative topology, that is not listed in this MetaLink Note 287176.1, are supported on a best-efforts basis. The Oracle Applications Technology Group will work to provide an adequate solution to address each customer's specific problem. Severity 1 bugs in this category will only be accepted for situations where a customer's production system is down. Otherwise, an escalated P2 status is the highest severity rating.
Perform the following steps to implement this configuration:
1. Follow the instructions in Note 233436. 1 to install and configure Oracle Application Server 10g with E-Business Suite
2. Configure your DMZs and multiple web-entry points for your E-Business Suite environments as described in Sections 2 to 5, above. Confirm that these environments are working properly before continuing
3. The configuration displayed in Figure F8 uses a reverse proxy server as the web entry point for both the external application tier and the SSO server. You must reconfigure both the SSO and the external application tier to point to the reverse proxy server.
4. To register your E-Business Suite environment with Single Sign-On 10g, run the registration utility described in "Appendix C: Advanced Configuration - Manual SSO/OID Registration," using the options appropriate for your deployment of Oracle Application Server 10g. The "SSO / OID registration utility automates the Single Sign-On 10g partner application registration process for multiple web-entry point deployments". The registration utility automatically performs separate partner application registrations for each registered web-entry point, based on the E-Business database profile values for APPS_FRAMEWORK_AGENT. No special command-line parameters are required. The registration utility only needs to be run once, on any middle-tier server, regardless of whether the middle-tier server is located.
For example: You have two domains: partners.company.com and employees.company.com. The partners.company.com domain corresponds to the external middle-tier, and the employees.company.com domain corresponds to the internal middle-tier. To register your E-Business Suite environment with Single Sign-On 10g, run the registration utility once, on either the external or internal middle-tier server. The registration utility automatically detects and registers both middle-tiers. There is no need to run the registration utility on each middle-tier separately.
5. Run the AutoConfig utility as documented in the Oracle MetaLink Note 165195.1 "Using AutoConfig to Manage System Configurations with Oracle Applications 11i".
Using Oracle Access Manager / Oracle E-Business Suite AccessGate
Figure G9, shown below, depicts a configuration in which the internal and external users are authenticated by Oracle Access Manager and Oracle E-Business Suite AccessGate.
The entry point, WebGate, resides in the DMZ along with Oracle E-Business Suite AccessGate. The WebGate intercepts authentication requests and relays them to the Access Manager server. The Access Manager servers are installed on the internal network, along with Oracle Internet Directory. Oracle E-Business Suite AccessGate receives the authenticated session from Oracle Access Manager, and connects to the Oracle E-Business Suite database in order to link the Oracle Internet Directory (OID) user to an Oracle E-Business Suite user. Once this mapping is done, the originally requested resource is returned with a valid authenticated Oracle E-Business Suite user session. All subsequent requests for Oracle E-Business Suite resources are then returned directly to the user as long as the user session remains valid.
Perform the following steps to implement this configuration:
1. Follow the instructions in My Oracle Support Knowledge Document 975182.1, to install Oracle E-Business Suite AccessGate, and configure WebGate and Oracle Access Manager. (See the next step, however, for an important change when configuring in a DMZ.)
2. When following the instructions to configure the Oracle E-Business Suite AccessGate in a DMZ, you will need to replace references to the values of [WebGate host]:[WebGate port] in two places with the hostname and port on your reverse proxy that forwards to the WebGate:
o Step 4d, when setting the Redirection URL for failed authentication attempts; and o Step 6b, when setting the APPS_AUTH_AGENT profile option.
On the reverse proxy, you must then add a proxy rule to redirect URLs containing the context rule to the WebGate host and port accordingly.
3. If you are configuring separate WebGates for internal and external users, you may set the APPS_AUTH_AGENT profile option at the SERVER level, so that internal users are directed to one URL for authentication, and external users to another.
4. If you choose to implement the Lost Password or Reset Password on First Login features, you will need to install an additional WebPass in the DMZ, as well. The WebPass requires that you open port 6022 on the internal firewall to allow it to communicate with the internal Identity Server. (Note: this is not shown in the diagram above.) Once you have installed and configured a user-facing WebPass, make sure the APPS_AUTH_FORGOT_PASSWORD_LINK profile option in Step 6b is updated to point to either this new WebPass host, or a reverse proxy that sits in front of it.
5. Be sure to also review the setting for the Preferred HTTP Host parameter for your WebGate. For more information on configuring WebGate and Access Server with a reverse proxy, refer to the Oracle Access Manager Deployment Guide.
6. Configure your DMZs and multiple web-entry points for your E-Business Suite environments as described in Sections 2 to 5, above. Confirm that these environments are working properly before continuing.
Note that it is not necessary to open ports in the data firewall for LDAP and LDAP/S connections. LDAP connections are made only from the Oracle Access Manager's Access Server, which is located inside the firewall, and not from any of the components located in the DMZ. If you previously had these ports open for Oracle Single Sign-On Server and are no longer using OSSO for external authentication, you should close these ports on the data firewall for maximum security.
Appendix H: Troubleshooting
H1: Internal and External Middle Tiers in Different DomainsH2: Firewalls Disconnects SQL*Net ConnectionsH3: DNS Resolution of Machines and Devices Involved in the DMZ ConfigurationH4: HTTP Error 400 - Bad requestH5: HTTP Error 410 - GoneH6: Redirection to an incorrect server during login
H1: Internal and External Middle Tiers in Different Domains
If any of your middle tier servers or the reverse proxy server is running on machines with different domain names or different virtual host domain names, you must execute the following SQL command when logged into the database as the APPS user:
SQL> update icx_parameters set session_cookie_domain = null;SQL> commit ;
H2: Firewalls Disconnects SQL*Net Connections
Most firewalls disconnect SQL*Net connections after 30 minutes of inactivity. To fix this problem, add the following parameter to the existing [RDBMS_ORACLE_HOME]/network/admin/<ORACLE_SID>_<hostname>/sqlnet.ora on the database tier:
SQLNET.EXPIRE_TIME=10
H3: DNS Resolution of Machines and Devices Involved in the DMZ Configuration
In a DMZ setup, there are a number of components involved in the configuration. For example network components such as firewall devices, hardware load balancers, ssl accelerators and machines hosting the application software. A successful
configuration of these components require proper name resolution at machine and at DNS levels from various segments of your network. Given below are some of the commonly used operating system utilties that can be used to verify the DNS setup.
nslookup ping traceroute nmap
H4: HTTP Error 400 - Bad request
If you receive an "HTTP Error 400 - Bad request" on your browser, it means that the Oracle HTTP Server or the Reverse Proxy Server denied the request due to a rule set in mod security. Review the error_log file to gather more information on why the request was denied.
H5: HTTP Error 410 - Gone
If you receive an " HTTP Error 410 - Gone" on your browser, it means that the Oracle HTTP Server or the Reverse Proxy Server denied the request due to a rule set in the URL Firewall. Review the access_log or rewrite_log to gather more information on why the request denied.
If you identify a URL that is being blocked that you think should be allowed for your deployment, simply add the URL to the url_fw.conf file. Bounce the (Oracle HTTP Server or the Reverse Proxy Server) to make the change active.
H6: Redirection to an Incorrect Server During Login
If you are getting redirected to an incorrect server during the login process, check the following:
Whether the hirearchy type of the profile options mentioned in Section 5.1 is set to SERVRESP .
select PROFILE_OPTION_NAME,HIERARCHY_TYPE from fnd_profile_options where profile_option_name in
Whether the profile option values for the fnd profile options (APPS_FRAMEWORK_AGENT, APPS_WEB_AGENT, APPS_JSP_AGENT, APPS_SERVLET_AGENT) are pointing to the correct node. Replace the node_id with the node_id of the external and internal web tier. For example:
select fnd_profile.value_specific('APPS_FRAMEWORK_AGENT',null,null,null,null,<node_id>) from dual;
Whether the dbc file pointed to by the JVM parameter (JTFDBCFILE) in jserv.properties exists.
Whether the value of the parameter APPL_SERVER_ID set in the dbc file for the node is the same as the value of the server_id in the fnd_nodes table.
select node_name,node_id,server_id from fnd_nodes;
Appendix I: Disabling E-Business Suite 11i Application Services on the External Web Tier
On the external web tier, you need to run only the Oracle E-Business Suite application services that are needed by the external facing E-Business Suite module. All services except the web server must be disabled. To disable a service, perform the following steps:
Run the AutoConfig Context Editor as documented in the Oracle MetaLink Note 165195.1 "Using AutoConfig to Manage System Configurations with Oracle Applications 11i".
Click on Site Map, AutoConfig. Select the Applications Context file of the external web tier, Click on Edit Parameters, Processes Set the value of the Applications Context variable s_apcstatus to enable which will enable the processes apache
and apache_pls. Note that the context variable s_apcstatus_pls should be set to disabled. Set the value for all the other process status variable to disabled Save the changes.
In addition to disabling the application services that are no longer required, you should also disable the starting of JVM processes for the respective Jserv groups. Perform the following steps to disable the Jserv groups:
To disable the discoverer4i jserv group: o Set the value of Applications Context variable ( s_disco_nprocs ) to 0 in the Applications Context File o Set the value of Applications Context variable ( s_disco_node_weight ) to 0 in the Applications Context File
To disable the forms jserv group: o Set the value of Applications Context variable ( s_forms_servlet_nprocs ) to 0 in the Applications Context
File o Set the value of Applications Context variable ( s_forms_node_weight ) to 0 in the Applications Context File
Appendix J: Related Documentation
Oracle Applications System Administrator's Guide - Security Oracle Applications System Administrators Guide Best Practices for Securing Oracle E-Business Suite 11i Advanced Configurations and Topologies for Enterprise Deployments of E-Business Suite 11i Using AutoConfig to Manage System Configurations with Oracle Applications 11i Cloning Oracle Applications Release 11i with Rapid Clone Sharing an APPL_TOP in Oracle Applications 11 i A Guide to Understanding and Implementing SSL with Oracle Applications 11i Oracle Application Server 10g (9.0.4) Tested Load Balancers, Firewalls and Stand-Alone SSL Accelerators DMZ Configuration for Test Environments with Inexpensive Hardware Case History: Implementing a Reverse Proxy Alone in a DMZ Configuration
Tips and Queries for Troubleshooting Advanced Topologies
Change Log
Change Log Date Description
MAY 2010 Added ASP product as certified in Appendix A
MAR 2010 Added OAM Configuration
DEC 2009 OIE added to the certified product list
SEPT 2009
Minor Updates
MAY 14, 2009
OIP added to the certified product list
APR 15, 2009
Added Forward Proxy Configuration
FEB 03, 2009
Appendix G updates
SEPT 30, 2008
Fixed Remarks, Web entry point requirement
AUG 19, 08
SSHR added to the list of certified products
JUL 25, 07 Added Load Balancing Configuration without External Web Tiers
JUL 11, 07 Remarks incorporated. Added new section 5.5.3
May 24, 07
Remarks incorporated,
Apr 09, 07 OKL added to the list of certified products
Feb 27, 07 Updated Doc with Java Object Cache requirements, DMZ configuration
with only reverse proxy server
Sept 27,06 Bug 5139016
August 24,2006
Various changes from webiv remarks as well as changes for Single Sign-On 10g/Oracle Internet Directory 10g support.
Added URL Firewall rules for 11.5.9, Added a section for Enabling Server Security
Aug 25, Final updates
2005
Aug 11, 2005
Incorporated changes from team review
Aug 9, 2005
Major updates to the doc . Included feedback from support, SAC, Internal reviewers and security team. updated the list of patches, reverse proxy config settings
![Oracle E-Business Suite R12 Configuration in a DMZ [ID 380490.1]](https://static.documents.pub/doc/80x56/55cf9c2d550346d033a8e5ac/oracle-e-business-suite-r12-configuration-in-a-dmz-id-3804901.jpg)
