
Oracle E-Business Suite R12 Configuration in a DMZ [ID 380490.1]

Modified 22-DEC-2009 Type WHITE PAPER Status PUBLISHED

Oracle E-Business Suite Release 12 Configuration in a DMZ

Last Updated: Dec 22 , 2009

The most current version of this document can be obtained in Oracle Metalink Note 380490.1. The change log at the end of this document tracks modifications.

Contents

Section 1: Overview
- Oracle E-Business Suite Release 12 Architecture in a DMZ Configuration
- Terminology

Section 2: DMZ Deployment Options
- Option 2.1: Using a Reverse Proxy and an External Web Tier
- Option 2.2: Using Separate Oracle E-Business Suite Release 12 Web Tiers
- Option 2.3: Using HTTP Hardware Load Balancers in DMZ Configurations
- Option 2.4: Using Reverse Proxies only in DMZ
- Option 2.5: Using Hardware Load Balancers With No External Web Tier
- Known Restrictions
- Support Considerations

Section 3: Required Patches for DMZ Configurations

Section 4: Creating an External Web Tier for E-Business Suite

Section 5: Configuring the E-Business Suite for DMZ Deployments
- 5.1: Update Hierarchy Type
- 5.2: Update Node Trust Level
- 5.3: Update List of Responsibilities
- 5.4: Configuration Details for Using Reverse Proxy and an External Web Tier in DMZ
  - 5.4.1: Update Oracle E-Business Suite Release 12 Applications Context File
  - 5.4.2: Run AutoConfig and Restart Oracle HTTP Server
- 5.5: Configuration Details for Using Separate E-Business Suite Release 12 Web Tier in DMZ
- 5.6: Configuration Details for Using HTTP Hardware Load Balancers in DMZ
  - 5.6.1: Update Oracle E-Business Suite Release 12 Applications Context File
  - 5.6.2: Run AutoConfig and Restart Oracle HTTP Server
- 5.7: Enable Oracle E-Business Suite Application Server Security
- 5.8: Enable Distributed Oracle Java Object Cache Functionality
- 5.9: Configuration Details for Using Reverse Proxy with No External Web Tier
  - 5.9.1: Create New Context Files for the External Entry Point
  - 5.9.2: Verify and Update the New Context Files Created for the External Entry Point
  - 5.9.3: Run AutoConfig and Restart Oracle Applications Processes
- 5.10: Configuration Details for Using Hardware Load Balancers with No External Web Tier
  - 5.10.1: Create New Context Files for the External Entry Point
  - 5.10.2: Verify and Update the New Context Files Created for the External Entry Points
  - 5.10.3: Run AutoConfig and Restart Oracle Applications Processes

Appendices
- A. List of External Facing Oracle E-Business Suite Release 12 Products
- B. Oracle E-Business Suite Release 12 Product Specific Configurations
- C. Configuration Option for Functionally Directed Load Distribution
- D. Reverse Proxy Configuration
- E. Configuring the URL Firewall
- F. List of Ports to Open in a DMZ Configuration
- G. Configuring Multiple Web Entry Points and DMZs with Single Sign On
- H. Troubleshooting
- I. Disabling E-Business Suite Release 12 Application Services on the External Web Tier
- J. Disabling "About this page" Link From the Release 12 Login Page

Oracle E-Business Suite R12 Configuration in a DMZ https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id...

1 of 43 1/6/2010 11:13 AM


K. Related Documentation

Section 1: Overview

This document describes methods for making a subset of Oracle E-Business Suite Release 12 functionality accessible via the Internet to external users. This document discusses supported network topologies and architectures for the E-Business Suite, including:

- The use of reverse proxy servers in demilitarized zones (DMZ)
- The use of multiple domains -- where different E-Business Suite Release 12 users access the E-Business Suite via different URLs -- with multiple application servers
- The use of hardware-based load-balancers in these configurations
- The use of SSO servers within the DMZ

This document is intended for administrators who perform Oracle E-Business Suite Release 12 administration. It assumes knowledge of networking technologies. The procedures described in this document have security implications. Prior to the implementation of any configuration options described in this document, E-Business Suite system administrators are strongly advised to review deployment architectures with their enterprise networking and security groups.

Oracle E-Business Suite Release 12 Architecture in a DMZ Configuration

When configuring Oracle E-Business Suite in a DMZ configuration, firewalls are deployed at various levels as shown in Figure F2 to ensure that only authorized traffic is allowed to cross the firewall boundaries. The firewalls ensure that if intrusion attempts against machines in the DMZ are successful, the intrusion is contained within the DMZ, leaving the machines in the intranet unaffected.

The following configuration options are supported:

- Use of a separate web node for external usage
- Setting of server level profile values
- Associating trust levels to application middle tier nodes
- Limiting available responsibilities to a restricted set for the external web node
- Deploying a reverse proxy in front of the external web node
- Configuring a URL firewall and mod_security in the reverse proxy
- Running only essential Oracle E-Business Suite Application services on the external web tier


Terminology

Below are definitions of some of the terms that are used in this document:

Firewall

Firewalls control access between the internet and a corporation's internal network or intranet. Firewalls define which internet communications will be permitted into the corporate network, and which will be blocked. A well-designed firewall can foil many common internet-based security attacks.

DMZ

The DMZ, which stands for DeMilitarized Zone, consists of the portions of a corporate network that are between the corporate intranet and the Internet. The DMZ can be a simple one-segment LAN or it can be broken down into multiple regions as shown in Figure F2. The main benefit of a properly-configured DMZ is better security: in the event of a security breach, only the area contained within the DMZ is exposed to potential damage, while the corporate intranet remains somewhat protected.

Load Balancer

Load balancers distribute an application's load over many identically configured servers. This distribution ensures consistent application availability even when one or more servers fail.

Reverse Proxy

A reverse proxy server is an intermediate server that sits between a client and the actual web server and makes requests to the web server on behalf of the client. You can find more information on reverse proxy servers and how to configure them in Appendix D. Reverse Proxy Configuration of this document.

Service

A service is a functional set of Oracle E-Business Suite application processes running on one or more nodes.

Node

A node is a server that runs a set of E-Business Suite R12 application processes or database processes. In a single node installation of Oracle E-Business Suite, all the application processes, including the database processes, run on one node, whereas in a multi node installation the processes run on multiple nodes.

Internal Applications Middle Tier

The internal applications middle tier is the server configured for internal users to access Oracle E-Business Suite. It runs the following major application services:

- Web and Forms Services
- Administration and Concurrent Manager Services
- Reports and Discoverer Services

External Applications Web Tier

The external applications web tier is the server configured for external users for accessing Oracle E-Business Suite. It runs the following application service:

Web server

URL Firewall

URL Firewall contains a white list of URLs, for the externally exposed E-Business Suite modules, that may be accessed from the Internet. You can find more information on URL Firewall and how to configure it in Appendix E. Configuring the URL Firewall of this document.

Section 2: DMZ Deployment Options

Option 2.1: Using a Reverse Proxy and an External Web Tier

The architecture diagram in Figure F3 represents a reverse proxy in the demilitarized zone (DMZ) behind an external firewall, and an Oracle E-Business Suite Release 12 external web tier in another demilitarized zone behind an internal firewall. This option allows multiple domain names for external and internal middle tiers. For example, external users may access the E-Business Suite via "partners.external.com", and internal users may access the same E-Business Suite instance via "employees.internal.com".

In this configuration, the reverse proxy server can be set up with Oracle HTTP Server or third-party reverse proxy servers. Please refer to Appendix D. Reverse Proxy Configuration for more information on configuring the E-Business Suite to support reverse proxy servers.

In this configuration, the external Applications web tier is required to:

1. Restrict access to a limited set of Oracle Applications responsibilities for users logging in via the Internet
2. Allow user access to only Oracle E-Business Suite Release 12 products that can be deployed for Internet access

Option 2.2: Using Separate Oracle E-Business Suite Release 12 Web Tiers

The architecture diagram in Figure F4 represents an Oracle E-Business Suite Release 12 external web tier in a demilitarized zone (DMZ) behind a DMZ external firewall. This option allows multiple domain names for external and internal middle tiers. This deployment option requires the external Oracle E-Business Suite web tier to meet the same security requirements discussed in Option 2.1: Using a Reverse Proxy and an External Web Tier.

In this configuration, the external Applications web tier is required to:

1. Restrict access to a limited set of Oracle Applications responsibilities for users logging in via the Internet
2. Allow user access to only Oracle E-Business Suite Release 12 products that can be deployed for Internet access

Option 2.3: Using HTTP Hardware Load Balancers in DMZ Configuration

The architecture diagram in Figure F5 represents multiple Oracle E-Business Suite Release 12 external web tiers that are load-balanced by an HTTP hardware load balancer in a demilitarized zone (DMZ) behind a DMZ external firewall. Another HTTP-layer hardware load balancer is used to distribute load across multiple Oracle E-Business Suite internal middle tiers in the intranet. This option allows separate domain names for external and internal middle tiers to be deployed in a highly scalable and fault tolerant configuration.

In this configuration, the external Applications web tier is required to:

1. Restrict access to a limited set of Oracle Applications responsibilities for users logging in via the Internet
2. Allow user access to only Oracle E-Business Suite Release 12 products that can be deployed for Internet access

Option 2.4: Using Reverse Proxy with no External Web Tier

This configuration requires a distinct Oracle HTTP Server/OC4J instance configured per Web Entry Point. You cannot share the configuration of one web entry point with another. For example, you cannot share the Oracle HTTP Server configured for internal.us.oracle.com with external.us.oracle.com. Two Oracle HTTP Server/OC4J instances must be running, one for each of the Web Entry Points.

The architecture diagram shown in the figure below represents a reverse proxy server configured to forward external client requests to an Oracle HTTP listener running on an intranet application middle tier server. In this configuration, internal and external users use different HTTP listeners and OC4J processes to access Oracle E-Business Suite.

Proceed to Section 5.9 for detailed instructions on how to configure the topology shown in the figure above.

You can also configure a dedicated middle tier server in the intranet and front end this server with a reverse proxy in the DMZ for external users. See diagram below:

Option 2.5: Using Hardware Load Balancers With No External Web Tier

This configuration requires an instance of Oracle HTTP Server/OC4J configured per Web Entry Point. You cannot share the configuration of one web entry point with another.

The architecture diagram shown in figure F11 below represents a hardware load balancer configured to balance the load from the external clients among the Oracle HTTP listeners running on the intranet application middle tier servers. In this configuration, internal and external users use different HTTP listeners and OC4J processes to access the Oracle E-Business Suite. As shown in the diagram below, only the load balancer is configured within the DMZ, while all the other servers remain within the intranet or the internal network. Because there is no external application tier in this configuration and all application web nodes use the same file system with different configurations, the internal servers effectively perform the functions of both the internal and the external web tier, and the configuration can take advantage of the Shared File System technology described in Oracle Metalink Note 384248.1.

Proceed to Section 5.10.1 for detailed instructions to configure the topology shown in the figure F11 above.

Known Restrictions

Sharing file systems between the external web tiers and the internal middle tiers is not supported in any deployment option. However, sharing applications file systems such as APPL_TOP among external web tiers or among internal middle tiers is supported.

Support Considerations

All customer configurations will be supported. However, the level of supportability will be dependent upon the implementation.

1. Customers who follow the instructions and implement a tested and certified topology as documented in this Note are fully supported. Oracle recommends the use of one of the configurations described in this Note.

2. Customers who implement an alternative topology not listed in this note are supported on a best-efforts basis. The Oracle Applications Technology Group will aim to provide an adequate solution to address a customer's problem. Severity 1 bugs in this category will only be accepted for situations where a customer's production system is down. Otherwise, an escalated Severity 2 status is the highest supported severity rating.

SSL Terminator Configuration

If you are terminating the SSL connection at a web entry point other than the application tier node, you must ensure that the ssl_terminator.conf file is included in the httpd.conf on the application tiers. For more information, refer to Oracle Metalink Note 376700.1 "Enabling SSL in Oracle Applications Release 12".

Section 3: Required Patches for DMZ Configurations

No additional patches are currently required to support DMZs for E-Business Suite Release 12.

Section 4: Creating an External Web Tier for E-Business Suite

The process of implementing a DMZ configuration for your E-Business Suite environment will vary depending on the deployment option that you select. The implementation process described here assumes that you have a fully-configured E-Business Suite with an internal Application web tier, and that you would like to add an external web tier to that existing configuration. Regardless of the DMZ deployment option selected in Section 2, the following core steps must be completed:

Step 1. Identify Release 12 modules for external deployment

Verify that the Oracle E-Business Suite Release 12 modules that you need for external deployment have been certified for that configuration. A list of certified Oracle E-Business Suite modules for external deployment is given in Appendix A - List of External Facing Oracle E-Business Suite Products. If you plan on deploying a product that is not listed, log a Service Request with Oracle Support requesting certification of that product for external deployment.

Step 2. Clone the internal web tier to create a new external web tier

Clone the internal Oracle E-Business Suite middle tier to the machine that you identified to be the external web tier in the DMZ. For additional information on cloning Oracle Applications, see Metalink Note 406982.1 Cloning Oracle Applications Release 12 with Rapid Clone.

Step 3. Deploy a reverse proxy server (Optional)

If you plan to use a reverse proxy server in your configuration, deploy that server in front of your newly-created external Application web tier. See Appendix D. Reverse Proxy Configuration for more information on configuring the E-Business Suite to support reverse proxy servers.

Step 4. Ensure that network firewalls are configured correctly

Ensure that the network firewall rules have been defined correctly and are permitting authorized E-Business Suite traffic between all network segments:

1. Verify that access between intranet-based desktop clients and the internal Application web tier is permitted and working.

2. Verify that access between the internal Application web tier and the Applications database server is permitted and working.

3. If a reverse proxy server is not part of your deployment, communication between Internet-based desktop clients and the external web tier servers must be permitted and working.

4. If a reverse proxy server is configured:
   - Communication between Internet-based desktop clients and the reverse proxy server must be permitted and working
   - Communication between the reverse proxy server and the external Application web tier must be permitted and working

5. Verify that access between the Applications external web tier servers and the Applications database server is permitted and working.

Section 5: Configuring the E-Business Suite for DMZ Deployments

This section provides the configuration instructions for the deployment models described in this document. Certain common configuration steps must be carried out regardless of which deployment model is used. The details for these common steps are explained from section 5.1 through section 5.4. After completing the common steps, you can proceed to either section 5.5, section 5.6 or section 5.7 depending on which deployment option is chosen.

5.1: Update Hierarchy Type

Several user profile options are used to construct various URLs in an E-Business Suite R12 environment. These user profile options are as follows:

    User Profile Name                            Internal Name
    1.  Applications Web Agent                   APPS_WEB_AGENT
    2.  Applications Servlet Agent               APPS_SERVLET_AGENT
    3.  Applications JSP Agent                   APPS_JSP_AGENT
    4.  Applications Framework Agent             APPS_FRAMEWORK_AGENT
    5.  ICX: Forms Launcher                      ICX_FORMS_LAUNCHER
    6.  ICX: Oracle Discoverer Launcher          ICX_DISCOVERER_LAUNCHER
    7.  ICX: Oracle Discoverer Viewer Launcher   ICX_DISCOVERER_VIEWER_LAUNCHER
    8.  Applications Help Web Agent              HELP_WEB_AGENT
    9.  Applications Portal                      APPS_PORTAL
    10. BOM: Configurator URL of UI Manager      CZ_UIMGR_URL
    11. QP: Pricing Engine URL                   QP_PRICING_ENGINE_URL
    12. TCF:HOST                                 TCF:HOST

The default hierarchy type value for the above profile options is Security. See diagram below:

The configuration of the E-Business Suite environment for DMZ requires the hierarchy type of these profile options to be set to SERVRESP.

1. To change the hierarchy type of the profile options to SERVRESP, execute the txkChangeProfH.sql SQL script as shown below:

sqlplus <apps-schema-name>/<apps-passwd> @<FND_TOP>/patch/115/sql/txkChangeProfH.sql SERVRESP

2. After the txkChangeProfH.sql script executes successfully, run AutoConfig on all nodes to complete the profile options configuration.

5.2: Update Node Trust Level

Oracle E-Business Suite Release 12 has the capability to restrict access to a predefined set of responsibilities based on the web server from which the user logs in. This capability is provided by tagging web servers with a trust level indicated by the Node Trust Level (NODE_TRUST_LEVEL) server profile option. The Node Trust Level indicates the level of trust associated with a particular web server. Currently, three trust levels are supported:

Administrative

Servers marked as Administrative are typically those used exclusively by system administrators. These servers are considered secure and provide access to any and all E-Business Suite functions.

Normal

Servers marked as Normal are those used by employees within a company's firewall. Users logging in from normal servers have access to only a limited set of responsibilities.

External

Servers marked as External are those used by customers or employees outside of a company's firewall. These servers have access to an even smaller set of responsibilities.

The default value for this profile option for all E-Business Suite middle tiers is Normal. If you wish to learn more about the Node Trust Level profile option, please refer to the Oracle Applications System Administrator's Guide.

Set the NODE_TRUST_LEVEL profile option value on the external web tier in your Oracle E-Business Suite Release 12 environment to External. See diagram below.

To change the value of the Node Trust Level profile option value to External for a particular node, perform the following steps:

1. Login to Oracle E-Business Suite as sysadmin user using the internal URL
2. Select the System Administrator Responsibility
3. Select Profile / System
4. From the 'Find system profile option Values' window, select the server that you want to designate as the external web tier
5. Query for %NODE%TRUST%. You will see a profile option named 'Node Trust Level'. The value for this profile option at the site level will be Normal. Leave this setting unchanged.
6. Set the value of this profile option to External at the server level. The site level value should remain set to Normal.

5.3: Update List of Responsibilities

The steps described in this section are required only if you have marked any of the Oracle E-Business Suite Release 12 middle tiers as External as described in section 5.2.

After updating the server-level profile value for Node Trust Level for the external web tier(s) to External, users can no longer see any responsibilities when they login via the external web tier. In order for a responsibility to be available from the external E-Business Suite web tier, set the Responsibility Trust Level profile option value for that responsibility to External at the responsibility level. For information on additional product specific responsibilities that can be made externally accessible from the external E-Business Suite middle tier, please refer to Appendix B1. Oracle E-Business Suite Product Specific Configurations.

To change the value of the Responsibility Trust Level profile option at the responsibility level for a particular responsibility, perform the following steps:


1. Login to Oracle E-Business Suite as sysadmin user using the internal URL
2. Select System Administrator Responsibility
3. Select Profile / System
4. From the 'Find system profile option Values' window, select the responsibility that you want to make available to users logging in via the external web tier
5. Query for %RESP%TRUST%. You will see a profile option named 'Responsibility trust level'. The value for this profile option at site level will be Normal. Leave this setting unchanged.
6. Set the value of this profile option for the chosen responsibility to External at the responsibility level. The site-level value should remain Normal.
7. Repeat for all responsibilities that you want to make available from the external web tier.

5.4: Configuration Details for Using Reverse Proxy and an External Web Tier in DMZ

The steps described in this section assume that you have already set up the reverse proxy server of your choice and you are ready to make modifications to the Oracle E-Business Suite Applications Context file on the external web tier. To complete the configuration for this option, follow the steps given below.

Oracle does not certify specific reverse proxy solutions from third-party vendors. The instructions included in this document are generally applicable to third-party reverse proxy solutions, including (but not restricted to) Apache, Microsoft Proxy Server, and other products.

5.4.1: Update Oracle E-Business Suite Applications Context File

On the external Oracle E-Business Suite web node, run the AutoConfig Context Editor as documented in the Oracle MetaLink note 387859.1 "Using AutoConfig to Manage System Configurations with Oracle Applications Release 12". In the Context Detail screen, set the following configuration values:

- set the webentry point, s_webentryhost, to the reverse proxy server
- set the webentry domain, s_webentrydomain, to the domain name of the reverse proxy server
- set the external URL, s_external_url, to the external web node URL
- set the active webport, s_active_webport, to the port where the reverse proxy server listens for client requests, for example port 80 for HTTP or 443 for HTTPS
- set the webentry protocol, s_webentryurlprotocol, to the protocol value the clients use to access the reverse proxy server
- set the login page, s_login_page, to <webentry protocol>://<webentry point>.<webentry domain>:<active webport>. Replace <webentry protocol>, <webentry point>, <webentry domain>, and <active webport> with their respective values
- set the help web agent, s_help_web_agent, to <webentry protocol>://<webentry point>.<webentry domain>:<active webport>. Replace <webentry protocol>, <webentry point>, <webentry domain>, and <active webport> with their respective values

5.4.2: Run AutoConfig and Restart Oracle Application Server Processes

1. Run AutoConfig on each Applications middle tier. Please refer to Oracle MetaLink note 387859.1 "Using AutoConfig to Manage System Configurations with Oracle Applications R12" for more information on AutoConfig.


2. After AutoConfig completes successfully, restart the Oracle Application Server processes on the external web tier.

Proceed to the Appendices for any additional Oracle E-Business Suite product-specific settings that need to be done.

5.5: Configuration Details for Using Separate Oracle E-Business Suite Web Tier in DMZ

There are no extra steps needed for this configuration. Proceed to the Appendices for any additional Oracle E-Business Suite product-specific settings that need to be done.

5.6: Configuration Details for Using HTTP Hardware Load Balancers in DMZ

To complete the configuration for this option, follow the steps given below.

5.6.1: Update Oracle Applications Context File

On the internal Applications middle-tier nodes, run the AutoConfig Context Editor as documented in Oracle MetaLink note 387859.1 "Using AutoConfig to Manage System Configurations with Oracle Applications R12". In the Context Detail screen, set the following configuration values:

- Set the webentry point, s_webentryhost, to the load balancer that is used to load balance the internal Applications middle tiers.
- Set the webentry domain, s_webentrydomain, to the domain name of the load balancer.
- Set the active webport, s_active_webport, to the value of the load balancer's external port.
- Set the webentry protocol, s_webentryurlprotocol, to the load balancer's protocol, e.g. "http" or "https".
- Set the login page, s_login_page, to <webentry protocol>://<webentry point>.<webentry domain>:<active webport>, replacing <webentry protocol>, <webentry point>, <webentry domain>, and <active webport> with their respective values.
- Set the help web agent, s_help_web_agent, to <webentry protocol>://<webentry point>.<webentry domain>:<active webport>, replacing <webentry protocol>, <webentry point>, <webentry domain>, and <active webport> with their respective values.

On the external Applications web tier node, run the AutoConfig Context Editor as documented in Oracle MetaLink note 387859.1 "Using AutoConfig to Manage System Configurations with Oracle Applications R12". In the Context Detail screen, set the following configuration values:

- Set the webentry point, s_webentryhost, to the load balancer that is used to load balance the external Applications middle tiers.
- Set the webentry domain, s_webentrydomain, to the domain name of the load balancer.
- Set the external URL, s_external_url, to the external web node URL.
- Set the active webport, s_active_webport, to the value of the load balancer's external port.
- Set the webentry protocol, s_webentryurlprotocol, to the load balancer's protocol, e.g. "http" or "https".
- Set the login page, s_login_page, to <webentry protocol>://<webentry point>.<webentry domain>:<active webport>, replacing <webentry protocol>, <webentry point>, <webentry domain>, and <active webport> with their respective values.
- Set the help web agent, s_help_web_agent, to <webentry protocol>://<webentry point>.<webentry domain>:<active webport>, replacing <webentry protocol>, <webentry point>, <webentry domain>, and <active webport> with their respective values.

5.6.2: Run AutoConfig and Restart Oracle Applications Processes

1. Run AutoConfig on each Applications middle tier to complete the configuration. Please refer to Oracle MetaLink note 387859.1 "Using AutoConfig to Manage System Configurations with Oracle Applications R12" for more information on AutoConfig.

2. After AutoConfig completes successfully, restart the Oracle Applications server processes.

Proceed to the Appendices for any additional Oracle E-Business Suite product-specific settings that need to be done.

5.7: Enable Oracle E-Business Suite Application Server Security

Oracle E-Business Suite Release 12 is deployed in a multi-tier configuration with one Database Server and possibly many middle-tier Application Servers. The Application Servers include Apache JSP/Servlet, Forms, Discoverer and also some client programs such as Application Desktop Integrator and Oracle Discoverer Admin Edition. Any program which makes a SQLNET connection to the Oracle E-Business Suite database needs to be trusted at some level. This security feature ensures that such SQLNET connections are coming from trusted machines and/or trusted programs.

The Server Security feature supports authentication of application server machines and code modules in order to access the database. When Server Security is activated, Application Servers are required to supply server IDs (like passwords) and/or code IDs to access a database server. Server IDs identify the machine from which the connection is originating. Code IDs identify the module and patch level from which the connection is originating. Code IDs are included in applications code by development. The database server can be set to allow access only from specific machines and/or by code at a desired patch level.

The application server security feature is activated by default for all E-Business Suite installations. It is recommended that you ensure that the server security feature is enabled by performing the steps given below:

Run the AutoConfig Context Editor as documented in Oracle MetaLink note 387859.1 "Using AutoConfig to Manage System Configurations with Oracle Applications R12". In the Context Detail screen, review the following configuration values for both internal and external nodes:

Value of Application Server Security Authentication (s_appserverid_authentication) is set to SECURE. If the value is not set to SECURE, follow the instructions given below:

- Set the value of Application Server Security Authentication (s_appserverid_authentication) to SECURE.
- Run AutoConfig on each Applications middle tier to complete the configuration. Please refer to Oracle MetaLink note 387859.1 "Using AutoConfig to Manage System Configurations with Oracle Applications R12" for more information on AutoConfig.
- After AutoConfig completes successfully, restart the Oracle HTTP Server and OC4J processes.

5.8: Enable Distributed Oracle Java Object Cache Functionality

Distributed caching functionality has to be enabled in a DMZ environment to avoid data inconsistencies for data such as profiles, menus, responsibilities and product-specific data. To complete this configuration, follow the steps given below:

1. Identify the highest number of JVMs that serve the oacore JVM group in the internal and external middle tiers. For example, if there are 3 JVMs in the internal and 2 JVMs configured for the external middle tier, take the number as 3.
2. Identify the number of Java processes spawned by the concurrent manager tier. For example, if there are 3 JVMs spawned by the ICM, take the number as 3. Add this to the number of oacore JVMs. In the example given above, the total number of JVMs thus becomes 6, so six ports need to be opened in the firewall. You can use the 'pstree' command to check the number of Java processes spawned by the concurrent manager parent process, for example:

pstree -p 26258

where 26258 is the process ID of the FNDSM process.
3. Identify the ports to open in the firewall that separates the external middle tier from the internal middle tier. For example, if the JVM count is 3, you have to open 3 ports on this firewall. This range of ports needs to be specified as the value of the AutoConfig variable s_fnd_cache_port_range. Please make sure that the value is the same in all the applications context files. The value should be specified as a range, for example 36500-36505. When AutoConfig completes the configuration, the value specified for this variable in the context file will be written to the FND_CACHE_PORT_RANGE profile option.
4. In addition to the ports specified above, you must ensure that the Java Object Cache port specified as the value of the AutoConfig variable s_java_object_cache_port is also open on the firewall that separates the external and internal middle tiers.

You must run Autoconfig to complete the configuration after editing the applications context file.

Attention

In a multinode installation, the AutoConfig variable s_java_object_cache_port must be set identically on all nodes. Similarly, s_fnd_cache_port_range must be set identically on all nodes. Please note that s_java_object_cache_port must be set to a different value from s_fnd_cache_port_range in the same applications context file to avoid port conflicts.
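As an added example (not part of this note or of Oracle's tooling), the following Python script checks the context variables that sections 5.4 to 5.8 ask you to review: the web entry values against s_login_page, s_appserverid_authentication set to SECURE, and s_fnd_cache_port_range wide enough for the JVM count, disjoint from s_java_object_cache_port and identical on every node. It assumes only that each element of an applications context file carries an oa_var="s_..." attribute naming the AutoConfig variable; the element names and values in the embedded sample contexts are constructed.

```python
"""Added example, not part of Oracle Note 380490.1: checks the DMZ-related
AutoConfig variables that sections 5.4 to 5.8 ask you to review.
Assumption: the applications context file is XML in which each element
carries an oa_var="s_..." attribute naming the AutoConfig variable; the
element names and values in the samples below are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed sample context for a correctly configured internal node.
INTERNAL_CTX = """<oa_context>
  <webentryurlprotocol oa_var="s_webentryurlprotocol">https</webentryurlprotocol>
  <webentryhost oa_var="s_webentryhost">ebs</webentryhost>
  <webentrydomain oa_var="s_webentrydomain">corp.example</webentrydomain>
  <activewebport oa_var="s_active_webport">443</activewebport>
  <login_page oa_var="s_login_page">https://ebs.corp.example:443</login_page>
  <appserverid_authentication oa_var="s_appserverid_authentication">SECURE</appserverid_authentication>
  <fnd_cache_port_range oa_var="s_fnd_cache_port_range">36500-36505</fnd_cache_port_range>
  <java_object_cache_port oa_var="s_java_object_cache_port">12345</java_object_cache_port>
</oa_context>"""

# Constructed, deliberately misconfigured external node: the login page does
# not match the web entry values, server security is off, and the JOC port
# sits inside the FND cache port range (three findings expected).
EXTERNAL_CTX = """<oa_context>
  <webentryurlprotocol oa_var="s_webentryurlprotocol">https</webentryurlprotocol>
  <webentryhost oa_var="s_webentryhost">portal</webentryhost>
  <webentrydomain oa_var="s_webentrydomain">example.com</webentrydomain>
  <activewebport oa_var="s_active_webport">443</activewebport>
  <login_page oa_var="s_login_page">http://portal.example.com:8000</login_page>
  <appserverid_authentication oa_var="s_appserverid_authentication">OFF</appserverid_authentication>
  <fnd_cache_port_range oa_var="s_fnd_cache_port_range">36500-36505</fnd_cache_port_range>
  <java_object_cache_port oa_var="s_java_object_cache_port">36502</java_object_cache_port>
</oa_context>"""


def load_vars(ctx_xml):
    """Map each oa_var name in a context document to its text value."""
    root = ET.fromstring(ctx_xml)
    return {el.get("oa_var"): (el.text or "").strip()
            for el in root.iter() if el.get("oa_var")}


def parse_port_range(spec):
    """Parse 'low-high' (the section 5.8 format) into an inclusive tuple."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", spec)
    if not m or int(m.group(1)) > int(m.group(2)):
        raise ValueError("bad port range: %r" % spec)
    return int(m.group(1)), int(m.group(2))


def check_node(v, jvm_count):
    """Return findings for one node; jvm_count is the section 5.8 total
    (highest oacore JVM count plus concurrent manager JVMs)."""
    findings = []
    entry = "%s://%s.%s:%s" % (v["s_webentryurlprotocol"], v["s_webentryhost"],
                               v["s_webentrydomain"], v["s_active_webport"])
    if v["s_webentryurlprotocol"] not in ("http", "https"):
        findings.append("s_webentryurlprotocol must be http or https")
    # Sections 5.4/5.6 build s_login_page from the web entry values;
    # 5.9/5.10 append /OA_HTML/AppsLogin, hence the prefix test.
    if not v["s_login_page"].startswith(entry):
        findings.append("s_login_page %r does not match web entry %r"
                        % (v["s_login_page"], entry))
    # Section 5.7: application server security must be SECURE.
    if v["s_appserverid_authentication"] != "SECURE":
        findings.append("s_appserverid_authentication is %r, expected SECURE"
                        % v["s_appserverid_authentication"])
    # Section 5.8: one port per JVM, and the JOC port outside that range.
    try:
        low, high = parse_port_range(v["s_fnd_cache_port_range"])
    except ValueError as exc:
        findings.append(str(exc))
        return findings
    if high - low + 1 < jvm_count:
        findings.append("s_fnd_cache_port_range has %d ports but %d JVMs need one each"
                        % (high - low + 1, jvm_count))
    if low <= int(v["s_java_object_cache_port"]) <= high:
        findings.append("s_java_object_cache_port %s lies inside s_fnd_cache_port_range"
                        % v["s_java_object_cache_port"])
    return findings


def check_cluster(contexts, jvm_count):
    """Check each node, then the section 5.8 rule that both cache variables
    are set identically in every applications context file."""
    findings = {name: check_node(load_vars(xml), jvm_count)
                for name, xml in contexts.items()}
    for var in ("s_fnd_cache_port_range", "s_java_object_cache_port"):
        values = {load_vars(xml).get(var) for xml in contexts.values()}
        if len(values) > 1:
            findings.setdefault("cluster", []).append(
                "%s differs across nodes: %s" % (var, sorted(values)))
    return findings


if __name__ == "__main__":
    report = check_cluster({"internal1": INTERNAL_CTX,
                            "external1": EXTERNAL_CTX}, jvm_count=6)
    for node, issues in report.items():
        print(node, "OK" if not issues else "; ".join(issues))
```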

5.9: Configuration Details for Using Reverse Proxy with No External Web Tier

5.9.1: Create a new context file for the external Web Entry Point

1. To create a context file for the external entry point, execute the command shown below:


$ perl $COMMON_TOP/clone/bin/adclonectx.pl \
    contextfile=<location of the context file, including the file name, of the internal midtier> \
    outfile=<name and location of the context file to be created>

For example:

Internal Server Name 1: internal1.company.com

External Server Name 1: external1.company.com

Context file for Internal Entry Point on Internal Server 1 including its location: /d1/applmgr/visappl/admin/VIS_internal1.xml

Context file to be created for External Entry Point on Internal Server 1 including its location: /d1/applmgr/visappl/admin/VIS_external1.xml

The script will prompt for various inputs from the user as shown in the table below. Please note that the default prompt values are provided for reference purposes only and may not reflect the actual values in your environment.

Prompt | Required Value | Comments
Enter the Apps password | <apps schema password> |
Target System Hostname (virtual or normal) [ap681wgs]: | ap681wgs | Enter the physical hostname, not the virtual hostname.
Do you want the inputs to be validated (y/n) [n] ?: | Y |
Target system database SID [VIS] | VIS | Enter the target database SID.
Target System Database Server Node [ap681wgs] | ap681wgs | Enter the hostname where the new database instance is running.
Target System Base directory | /d1/home/user9/R12/apps | Enter the base directory of the APPS install.
Target System Instance Home Directory [/d1/home/user9/R12/inst]: | /d1/home/user9/R12/inst |
Username for the applications file system owner [applmgr] | applmgr |
Group for the applications file system owner [dba]: | dba |
Target System Root Service [enabled] : | enabled | Must be enabled if configuring 'Web Entry Point Services' or 'Web Application Services'.
Target System Web Entry Point Services [enabled] : | enabled | Must be enabled if configuring 'Web Entry Point Services'.
Target System Web Application Services [enabled]: | enabled | Must be enabled if configuring 'Web Entry Point Services'.
Target System Batch Processing Services [enabled] : | enabled | Must be enabled if configuring 'Batch Processing Services'.
Target System Other Services [disabled] : | enabled | Must be enabled if configuring 'Other Service Group'.
Do you want to preserve the Display set to internal:0.0 (y/n) [y]?: | Y |
Do you want to preserve the port values from the source system on the target system (y/n) [y] ? | Y | It is possible that the adclone utility will report an error and prompt you to choose an alternative port pool if the services for the internal instance are running. To prevent this from happening, shut down the application tier services when you run this utility.


After you provide all the required inputs, the clonectx utility will proceed and create the new context file for the external entry point at the location specified in the command.

5.9.2: Verify and Update the New Context Files Created for the External Entry Point

AutoConfig Variable | Required Value | Comments
s_isWeb | YES | Make sure s_isWeb is set to YES. This is the default setting for all node types.
s_isWebDev | YES | Make sure s_isWebDev is set to YES. This is the default setting for all node types.
s_http_listen_parameter | New port for the <HTTP Listener> | Pick a port that is not used by any other service.
s_https_listen_parameter | New port for the <HTTPS Listener> | Pick a port that is not used by any other service.
s_webentryurlprotocol | Set the value to the <web entry protocol> | For example, the value will be either http or https.
s_webentryhost | Set the value to the <webentry point hostname> |
s_webentrydomain | Set the value to the <webentry point hostname> |
s_active_webport | Set the value to the <web entry listener port> |
s_login_page | Set the value to <s_webentryurlprotocol>://<s_webentryhost>.<s_webentrydomain>:<s_active_webport>/OA_HTML/AppsLogin |
s_hostname | Set the value of this variable to the hostname of the reverse proxy server |
s_server_ip_address | Set the value of this variable to the IP address of the external-facing network interface |

5.9.3: Run AutoConfig and Restart Oracle Applications Processes

1. Run AutoConfig on each Applications middle tier to complete the configuration. Please refer to Oracle MetaLink Note 387859.1 "Using AutoConfig to Manage System Configurations with Oracle Applications R12" for more information on AutoConfig.
2. After AutoConfig completes successfully, restart the Oracle Applications server processes.

5.10: Configuration Details for Using Hardware Load Balancers with No External Web Tier

Attention

This configuration requires your internal application middle tier server to have at least two network interfaces. One network interface is required for the external entry point and another for the internal entry point. These network interfaces must be configured to resolve to two different hostnames in the DNS.

For example:

/etc/hosts of Internal Server 1

130.30.21.1 internal1.company.com internal1
130.30.21.2 external1.company.com external1

/etc/hosts of Internal Server 2

130.30.21.3 internal2.company.com internal2
130.30.21.4 external2.company.com external2

5.10.1: Create new Context Files for the External Entry Point

1. To create a context file for the external entry point, execute the command shown below:

$ perl $COMMON_TOP/clone/bin/adclonectx.pl \
    contextfile=<location of the context file, including the file name, of the internal midtier> \
    outfile=<name and location of the context file to be created>

For example:

Internal Server Name 1: internal1.company.com

Internal Server Name 2: internal2.company.com

External Server Name 1: external1.company.com

External Server Name 2: external2.company.com

Context file for Internal Entry Point on Internal Server 1 including its location: /d1/applmgr/visappl/admin/VIS_internal1.xml

Context file to be created for External Entry Point on Internal Server 1 including its location: /d1/applmgr/visappl/admin/VIS_external1.xml

Context file for Internal Entry Point on Internal Server 2 including its location: /d1/applmgr/visappl/admin/VIS_internal2.xml

Context file to be created for External Entry Point on Internal Server 2 including its location: /d1/applmgr/visappl/admin/VIS_external2.xml

Database ID: VIS

For the example given above, you would enter the commands as follows:

$ perl $COMMON_TOP/clone/bin/adclonectx.pl \
    contextfile=/d1/applmgr/visappl/admin/VIS_internal1.xml \
    outfile=/d1/applmgr/visappl/admin/VIS_external1.xml

$ perl $COMMON_TOP/clone/bin/adclonectx.pl \
    contextfile=/d1/applmgr/visappl/admin/VIS_internal2.xml \
    outfile=/d1/applmgr/visappl/admin/VIS_external2.xml

The script will prompt for various inputs from the user as shown in the table below. Please note that the default prompt values are provided for reference purposes only and may not reflect the actual values in your environment.

Prompt | Required Value | Comments
Enter the Apps password | <apps schema password> |
Target System Hostname (virtual or normal) [ap681wgs]: | ap681wgs | Enter the current hostname. Most of the time it will be the same as the default value.
Do you want the inputs to be validated (y/n) [n] ?: | Y |
Target system database SID [VIS] | VIS | Enter the target database SID.
Target System Database Server Node [ap681wgs] | ap681wgs | Enter the hostname where the new database instance is running.
Target System Base directory | /d1/home/user9/R12/apps | Enter the base directory of the APPS install.
Target System Instance Home Directory [/d1/home/user9/R12/inst]: | /d1/home/user9/R12/inst |
Username for the applications file system owner [applmgr] | applmgr |
Group for the applications file system owner [dba]: | dba |
Target System Root Service [enabled] : | enabled | Must be enabled if configuring 'Web Entry Point Services' or 'Web Application Services'.
Target System Web Entry Point Services [enabled] : | enabled | Must be enabled if configuring 'Web Entry Point Services'.
Target System Web Application Services [enabled]: | enabled | Must be enabled if configuring 'Web Entry Point Services'.
Target System Batch Processing Services [enabled] : | enabled | Must be enabled if configuring 'Batch Processing Services'.
Target System Other Services [disabled] : | enabled | Must be enabled if configuring 'Other Service Group'.
Do you want to preserve the Display set to internal:0.0 (y/n) [y] ?: | Y |
Do you want to preserve the port values from the source system on the target system (y/n) [y] ? | Y | It is possible that the adclone utility will report an error and prompt you to choose an alternative port pool if the services for the internal instance are running. To prevent this from happening, shut down the application tier services when you run this utility.

After you provide all the required inputs, the clonectx utility will proceed and create the new context file for the external entry point at the location specified in the command.

5.10.2: Verify and Update the New Context Files Created for the External Entry Points

The table below lists the AutoConfig variables that need to be reviewed and edited if required.

AutoConfig Variable | Required Value | Comments
s_isWeb | YES | Make sure s_isWeb is set to YES. This is the default setting for all node types.
s_isWebDev | YES | Make sure s_isWebDev is set to YES. This is the default setting for all node types.
s_http_listen_parameter | New port for the <HTTP Listener> | Pick a port that is not used by any other service.
s_https_listen_parameter | New port for the <HTTPS Listener> | Pick a port that is not used by any other service.
s_webentryurlprotocol | Set the value to the <web entry protocol> | For example, the value will be either http or https.
s_webentryhost | Set the value to the <webentry point hostname> |
s_webentrydomain | Set the value to the <webentry point hostname> |
s_active_webport | Set the value to the <web entry listener port> |
s_login_page | Set the value to <s_webentryurlprotocol>://<s_webentryhost>.<s_webentrydomain>:<s_active_webport>/OA_HTML/AppsLogin |
s_server_ip_address | Set the value of this variable to the IP address of the external-facing interface |

5.10.3: Run AutoConfig and Restart Oracle Applications Processes

1. Run AutoConfig on each Applications middle tier to complete the configuration. Please refer to Oracle MetaLink Note 387859.1 "Using AutoConfig to Manage System Configurations with Oracle Applications R12" for more information on AutoConfig.
2. After AutoConfig completes successfully, restart the Oracle Applications server processes.

Appendices

A. List of External Facing Oracle E-Business Suite Release 12 Products
B. Oracle E-Business Suite Release 12 Product Specific Configurations
C. Configuration Option for Functionally Directed Load Distribution
D. Reverse Proxy Configuration
E. Configuring the URL Firewall
F. List of Ports to Open in a DMZ Configuration
G. Configuring Multiple Web Entry Points and DMZs with Single Sign-On
H. Troubleshooting
I. Disabling E-Business Suite Release 12 Application Services on the External Web Tier
J. Disabling "About this page" Link From the Release 12 Login Page
K. Related Documentation

Appendix A : List of External Facing Oracle E-Business Suite Release 12 Products

Below is a list of Oracle certified E-Business Suite Release 12 products that can be deployed for external use. If you are planning on deploying a product that is not listed in the table below, log a Service Request with Oracle Support requesting certification of that product for external deployment. The "URL Firewall Rules" column indicates whether there are any special rules that need to be enabled in the URL FW for the product to function. A "Yes" in the column indicates there are special rules.

Product Name | Product ID | Product Code | Product Family | URL Firewall Rules | Patch Requirement
iSupplier Portal | 208 | POS | Procurement | Yes |
Oracle Sourcing | 1273 | PON | Procurement | Yes |
Oracle Receivables | 1106 | OIR | Financials | Yes |
iRecruitment | 1193 | IRC | Human Resources | Yes |
Oracle Time and Labor | 310 | OTL | Human Resources | Yes |
Oracle Learning Management | 810 | OTA | Human Resources | Yes |
Self Service Benefits | 290 | BEN | Human Resources | No |
Self Service Human Resources | 1566 | SSHR | Human Resources | No | FP.K RUP2
Oracle iSupport | 381 | IBU | CRM | Yes |
Oracle iStore | 384 | IBE | CRM | Yes |
Oracle Marketing | 229 | AMS | CRM | Yes |
Oracle Partner Relationship Management | 1065 | PRM | CRM | Yes |
Oracle Survey | 1578 | IES | CRM | Yes |
Oracle Transportation | 1060 | FTE | Manufacturing | Yes |
Oracle Contracts Core | 154 | OKC | Manufacturing | N/A |
Oracle Service Contracts | 432 | OKS | Manufacturing | N/A |
Oracle Collaborative Planning | 1037 | SCE | Manufacturing | Yes |
Oracle User Management | 1475 | UMX | Application Object Library | No |
Order Information Portal | 660 | ONT | Order Management | No |
Oracle Sales for Handhelds | 1558 | ASP | CRM | Yes |
Oracle Internet Expenses | 397 | OIE | Financials | No |
Oracle Performance Management | 2010 | OPM | Human Resources | No |
Compensation Workbench | 4427 | CWB | Human Resources | No |
Oracle Payroll | 506 | PAY | Human Resources | No |

Appendix B: Oracle E-Business Suite Release 12 Product Specific Configurations

B1: Oracle E-Business Suite Release 12 Product Specific Configurations

B1.1: Additional Configurations for iStore

B1.1.1: Time-To-Live Settings for Cached Objects
B1.1.2: Deploying iStore Pages in Http & Https Configuration

Oracle E-Business Suite R12 Configuration in a DMZ https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id...

21 of 43 1/6/2010 11:13 AM

Page 22: Oracle E-Business Suite R12 - erpra. · PDF fileOracle E-Business Suite R12 Configuration in a DMZ [ID 380490.1] Modified 22-DEC-2009 Type WHITE PAPER Status PUBLISHED Oracle E-Business

B1.2: AltBatchValidateURL Setting for iStore Integration with Oracle Configurator

B2: Forward Proxy Configuration

B1: Oracle E-Business Suite R12 Product Specific Configurations

If any of the following products are installed and configured, you must refer to the respective documents as shown in the table below for more information on which responsibilities can be made externally accessible from the Internet.

Please refer to section 5.3: Update List of Responsibilities for the necessary steps to make the responsibilities listed below available on the external web server.

To perform any product-specific profile settings, you must refer to the respective product documents shown below.

Product Name | Externally Accessible Responsibilities | Additional Profile Settings | Additional Documents
iSupplier Portal | iSupplier Portal Full Access; POS Supplier Guest User; Plan to Pay Supplier View; Plan, Source, Pay Supplier View; Source to Pay Supplier View; Supplier Profile Manager; Procure to Pay Supplier View | POS: External URL; POS: Internal URL | Oracle iSupplier Portal Documentation Resources R12 (Note 396880.1); Enable Web Access By External Supplier Users to Oracle iSupplier Portal Documentation Resources R12 and Oracle Sourcing Documentation Resources R12 (Note 396879.1)
Oracle Sourcing | Sourcing Supplier | PON: External Applications Framework Agent; PON: External login URL | Oracle Sourcing Documentation Resources R12; Enable Web Access By External Supplier Users to Oracle iSupplier Portal Documentation Resources R12 and Oracle Sourcing Documentation Resources R12 (Note
iSupport | iSupport Business User; iSupport Guest User; iSupport Individual User; iSupport Primary User; iSupport Site: Business User; iSupport Site: Individual User; iSupport Site: Guest User; iSupport Site: Primary User | | Oracle iSupport Implementation and Administration Guide
iStore | IBE_CUSTOMER | IBE: iStore Secure URL; IBE: iStore Non Secure URL | Oracle iStore Implementation and Administration Guide. Refer to Appendix B1.1 for additional required configuration steps for iStore.
iRecruitment | iRecruitment External Site Visitor; iRecruitment External Candidate; iRecruitment Employee Site Visitor; iRecruitment Employee Candidate; iRecruitment Agency | | Oracle iRecruitment Implementation and User Guide
Oracle Learning Management | Learner Self-Service | | Oracle Learning Management Implementation Guide
Oracle iReceivables | iReceivables Account Management; iReceivables 2.0 Anonymous Internal | | Oracle iReceivables Implementation Guide
Oracle Transportation Execution | Transportation Execution Carrier User | | Oracle Transportation Execution User Guide in the Virtual Applications Documentation Library
Oracle Partner Relationship Management | Partner Super User; Default Partner User | PV: Locator Server URL; PV: System Login URL; PV: iStore Login URL; PV: SelfService URL with Workflow Notification | Oracle Partner Management Implementation and Administration Guide
Oracle Marketing | | AMS : Server URL | Oracle Marketing Implementation Guide
Oracle Contracts Core | OKC: Contracts Online - External Party Access | |
Oracle Service Contracts | Service Contracts Electronic Renewals; Service Contracts Online Acceptance | |
Oracle Collaborative Planning | Supply Chain Collaboration Planner; Supply Chain Collaboration Manager | | Oracle Collaborative Planning Implementation and User's Guide
Order Information Portal | Order Information External User | OM: Records on Summary Page for External Users; OM: Customer Service Feedback; OM: Customer Service Report Defect | Oracle Order Management Implementation Manual in the Virtual Applications Documentation Library. Refer to section 8.6 Order Information.
Self Service Human Resource | Employee Self-Service; Manager Self-Service | |
Oracle Internet Expenses | Internet Expenses; Expenses Analysis and Reporting | |
Oracle Payroll | Online Payslip (For localizations); W2 and W4 for US Legislation | |

B1.1: Additional Configurations for iStore


B1.1.1: Time-To-Live Setting for Cached Objects

iStore uses the Java caching framework to cache frequently used objects in the JVM. Each JVM will have a copy of an object in the Java Cache. When an object is updated by one JVM, it is invalidated in all JVMs across all Applications middle tier servers.

At the present time, cache updates in the Applications internal middle-tier server will not get reflected in the Applications external web server. There are a couple of options to work around this known issue:

1. Shut down and restart the Oracle HTTP server on the Applications external web server when an object in a cache is updated on the Applications internal middle-tier server. When JVMs are restarted, objects will be freshly fetched into the cache.

2. Set Time-To-Live values for certain cache components so that these cache objects are invalidated on a periodic basis. Cache objects get refreshed when they are accessed for the first time after an invalidation. Since Time-To-Live values themselves are cached, the Oracle HTTP server on the Applications external middle-tier server needs to be bounced once for the new values to take effect.

The exact Time-To-Live values will depend upon business requirements, how often objects in a cache component are updated and what the tolerance level is for having stale objects in the cache. Information on setting up the Time-To-Live interval is available in the Oracle Applications CRM System Administrator's Guide in the Virtual Applications Documentation Library, sections "Managing Component Caches" and "Editing Component Cache Details".

iStore uses Java Cache extensively to cache product catalog objects. Information on iStore Cache Components is available in the Oracle iStore Implementation and Administration Guide in the Virtual Applications Documentation Library, section "Component Caches for Oracle iStore in JTT".

B1.1.2: Deploying iStore Pages in Http & Https Configuration

For better performance, it is recommended to deploy iStore public pages under HTTP and employ HTTPS only for those pages and processes that transmit sensitive data. In a DMZ deployment, this requires the reverse proxy server to listen on two ports, one for HTTP and the other for HTTPS. Both the HTTP and HTTPS reverse proxy listeners should be configured to forward the requests to the external web server. In this configuration, the values for the profiles "IBE: iStore Non Secure URL" and "IBE: iStore Secure URL" should point to the HTTP and HTTPS reverse proxy server URLs respectively.

If iStore public pages are also deployed via HTTPS, values of both the profiles "IBE: iStore Non Secure URL" and "IBE: iStoreSecure URL" should point to the HTTPS reverse proxy server and port and can not be left empty. Refer to section "Setting upSecure Socket Layer Connections" of Oracle® iStore Implementation and Administration Guide in the Virtual ApplicationsDocumentation Library for more details.

B1.1.3: AltBatchValidateURL Setting for iStore Integration with Oracle Configurator

In a DMZ configuration, the database installed on the intranet often cannot communicate with the external application middle tier, because the external web server port is not opened on the firewalls that separate the intranet servers from the DMZ servers. In such situations, AltBatchValidateURL should be set to the URL of the Configurator servlet on the internal application middle-tier server.

B1.1.4: iStore Restrictions on Multiple Domains

The iStore profile options IBE_SECURE_URL and IBE_NON_SECURE_URL are set at the site level for an E-Business Suite environment.

Due to this restriction, deploying iStore in a DMZ configuration where the internal and external domains differ will result in intermittent loss of end-user session information and in users being redirected to the incorrect minisites. This known issue is expected to be resolved in future iStore releases.

B2: Forward Proxy Configuration

The DMZ Forward Proxy should be configured whether or not a DMZ Reverse Proxy is used, and must be configured to handle outbound DMZ-to-Internet and outbound DMZ-to-Intranet HTTP traffic. Oracle E-Business Suite application tier nodes configured in the DMZ must have access to a forward proxy server. This is required by the external modules configured in the DMZ for connecting to external/internal sites to perform certain tasks, such as resume parsing for iRecruitment. Other modules that are known to use the forward proxy are Oracle Transportation Management and Oracle Partner Relationship Management.

Set the proxy variables in the applications context file as shown in the table below and run AutoConfig:

Context Variables

Name                   Default Value   Description
s_proxyhost            null            Forward Proxy Host
s_proxyport            null            Forward Proxy Port
s_proxybypassdomain    s_domainname    Forward Proxy Bypass Domain

All application tier nodes, both in the DMZ and on the intranet, must use the same proxy server until enhancement bug 8431184, which allows proxy servers to be set at the server level, is fixed.

Firewall Impact:

1. If the DMZ Forward Proxy is separated from the DMZ by a DMZ outbound firewall, then the customer needs to change the DMZ outbound firewall configuration to allow outbound DMZ-to-"DMZ Forward Proxy" HTTP communication.

2. If the DMZ Forward Proxy is within the DMZ, then the customer needs to change the DMZ outbound firewall configuration to allow outbound "DMZ Forward Proxy"-to-Internet and outbound "DMZ Forward Proxy"-to-Intranet HTTP communication.

Appendix C: Configuration Option for Functionally Directed Load Distribution

This is not a certified configuration option; it is currently supported on a best-effort basis. Oracle E-Business Suite customers can redirect load to specific machines based on user responsibilities.

1. Apply all the patches mentioned in Section 3: Required Patches.

2. Use the SERVRESP profile hierarchy type for the profiles mentioned in Section 5.1: Update Hierarchy Type.

3. Assign values at the responsibility and server combination level for the profiles listed in Section 5.1.

For example, setting the profiles listed in Section 5.1 at the responsibility level for HR responsibilities will result in all HR users going to one specific entry point. The entry point represents one specific machine or a load-balanced group of machines (that is, the load balancer entry point).

Appendix D: Reverse Proxy Configuration

A reverse proxy server is an intermediate server that sits between a client and the actual web server and makes requests to the web server on behalf of the client. The client is unaware of the presence of the reverse proxy.

Benefits of using a reverse proxy server are:

- Adds a level of isolation between the client and the actual server
- Allows using the standard web port numbers (80 and 443) on the external interface while running the actual web server on higher-numbered ports, thus avoiding having to start the actual web application server processes as root
- Allows rules (or filters) to limit the HTTP requests that are presented to the actual web server
- Optionally allows caching of content

A number of options exist for choosing a reverse proxy:

1. Use Oracle 10g Application Server 10.1.3, shipped with Oracle E-Business Suite
2. Use Oracle Application Server Web Cache
3. Use Apache httpd from http://httpd.apache.org
4. Use any of a number of commercially available reverse proxies, which often provide some level of added security as well

There are pros and cons for each of these solutions, and the customer must choose according to preferences, supportability, existing IT standards and local policies.

The table below presents some advantages and disadvantages of each of the options mentioned above.

Software: Oracle 10g Application Server 10.1.3 shipped with Oracle E-Business Suite
  Advantages:
  - Ships with Oracle Applications
  - Supported by Oracle
  - Can directly use the URL Firewall, as the mod_rewrite module is configured with this server
  - Certified with Oracle E-Business Suite in a DMZ configuration
  Disadvantages:
  - Standalone installation/configuration of the HTTP server is not available

Software: Oracle Application Server Web Cache
  Advantages:
  - Standalone version available
  - Supported by Oracle
  - Can support caching of E-Business Suite content
  - Supports filtering of URLs
  Disadvantages:
  - Does not understand the rewrite rules of the URL Firewall

Software: Apache server from the Apache Software Foundation
  Advantages:
  - Reputable provider of open source software
  - Available on many platforms
  - Can be configured and built to include only the required modules
  - Widely used web server
  - Can directly use the URL Firewall, as the mod_rewrite module can be configured with this server
  - Certified with Oracle E-Business Suite in a DMZ configuration
  - Well known, well documented
  Disadvantages:
  - You will have to download, compile, install and test the proxy

Software: Commercially available reverse proxy servers
  Advantages:
  - Supported by the software vendor
  - May support URL filtering and content rewriting
  - May integrate with pre-selected enterprise single sign-on
  Disadvantages:
  - Not certified with Oracle E-Business Suite in a DMZ configuration
  - May not understand the rewrite rules of the URL Firewall

If you choose to use Oracle Web Cache as your reverse proxy server, please refer to Oracle MetaLink Note 380486.1: Installing and Configuring Web Cache 10g and Oracle E-Business Suite 12.

In the remainder of this appendix we describe the steps required to set up a reverse proxy based on Apache 2 from httpd.apache.org.

Apache 2.0 is selected for the following reasons:

- It can be built in a minimum configuration
- It supports HTTP/1.1 for better performance
- It is well known, and the configuration steps described for the Apache-based reverse proxy will be useful when configuring any other reverse proxy

Building an Apache-based Reverse Proxy from Source

Apache is available from httpd.apache.org. It is recommended that you download the source code and configure and build the executables locally. This allows you to configure Apache with only the modules required for reverse proxy duty. The following modules are built and added to the Apache server for additional security:

- mod_ssl, to provide encrypted HTTPS connections across the Internet. Note that this may require you to purchase a certificate from a well-known and trusted Certificate Authority (CA) such as Verisign or GoDaddy.
- mod_security, for its ability to discover and block requests that are obviously malformed: the null byte check, the URL encoding check, directory traversal prevention and the UTF-8 Unicode checks.
- mod_rewrite, as this is the engine used to implement the URL Firewall.

If you are using an Apache 1.3.x version, it is important to consider the load order (and thus the execution order) of the various modules in Apache. The modules should be loaded in such an order as to ensure that they are executed in the following sequence:

1. mod_security - reject obviously bad requests before anything else happens
2. mod_rewrite - check for an allowed URL before mod_proxy hands the request over to the external web tier
3. mod_proxy - only proxy requests that seem valid (have passed the two filtering steps above) to the external web tier

Apache 2.0.x requires a source code change to ensure the proper execution order. This is covered in the instructions below.

Build Apache 2 for the Secure Proxy Configuration

The steps described below compile and link the following modules with the Apache 2 server:

- mod_proxy
- mod_proxy_http
- mod_rewrite
- mod_ssl
- mod_setenvif
- mod_security

Obtain the Apache 2.0 source code (2.0.54 was the latest release when this note was written) from http://httpd.apache.org/download, and mod_security 1.8.7 from modsecurity.org. These are the versions the rest of this appendix was tested with; if you use newer releases, adjust the file names below accordingly.

$ export http_proxy=http://www-proxy:80       # if you need a proxy to get out
$ cd ; mkdir src ; cd src                     # go to the build source directory
$ lynx http://httpd.apache.org/download       # navigate to a mirror and save the .tar.gz and .md5
$ wget http://www.modsecurity.org/download/modsecurity-1.8.7.tar.gz
$ wget http://www.modsecurity.org/download/modsecurity-1.8.7.tar.gz.md5

Check that the tar balls and the .md5 files are present in the directory and verify the MD5 checksums. A .md5 file fetched from the same mirror as the tarball only detects a corrupt download; to detect a tampered mirror, compare the value against the checksum published on the project's own site.


$ ls -l

total 7672

-rw-r--r-- 1 egravers egravers 59 Mar 5 07:47 modsecurity-1.8.7.tar.gz.md5

-rw-r--r-- 1 egravers egravers 313004 Mar 5 07:47 modsecurity-1.8.7.tar.gz

-rw-r--r-- 1 egravers egravers 54 Jul 14 14:34 httpd-2.0.54.tar.gz.md5

-rw-r--r-- 1 egravers egravers 7508193 Jul 14 14:36 httpd-2.0.54.tar.gz

$ md5sum -c httpd-2.0.54.tar.gz.md5           # must report "httpd-2.0.54.tar.gz: OK"

$ md5sum -c modsecurity-1.8.7.tar.gz.md5      # must report "modsecurity-1.8.7.tar.gz: OK"; stop if either line says FAILED

Unpack the TAR balls:

$ tar xzvf httpd-2.0.54.tar.gz

$ tar xzvf modsecurity-1.8.7.tar.gz

Configure Apache. Put this in a small script (runc.sh), so that you have a record of how it was configured:

$ cd httpd-2.0.54

$ ./configure --prefix=/dmz \
    --enable-ssl \
    --enable-setenvif \
    --enable-proxy \
    --enable-proxy_http \
    --enable-headers \
    --enable-rewrite \
    --enable-so \
    --disable-charset-lite \
    --disable-include \
    --disable-env \
    --disable-status \
    --disable-autoindex \
    --disable-asis \
    --disable-cgi \
    --disable-negotiation \
    --disable-imap \
    --disable-actions \
    --disable-userdir \
    --disable-alias

Before compiling, a small change needs to be made to the source of mod_proxy.c. This ensures that mod_proxy does not proxy a request to the external web tier before the URL Firewall based on mod_rewrite has had a chance to reject it; in other words, that mod_proxy's translate_name hook is called after mod_rewrite's hook.


$ cd ~/src/httpd-2.0.54/modules/proxy/        # the proxy module source inside the build tree

$ diff mod_proxy.c.dist mod_proxy.c

1085c1085
< ap_hook_translate_name(proxy_trans, NULL, NULL, APR_HOOK_FIRST);
---
> ap_hook_translate_name(proxy_trans, aszSucc, NULL, APR_HOOK_FIRST);

All you have to do is change the second parameter of ap_hook_translate_name from NULL to aszSucc and save the file (keep a copy of the original as mod_proxy.c.dist so that you can diff against it, as above).

As you can see, both modules want this hook to be called early (APR_HOOK_FIRST), but neither specifies an ordering preference with respect to other modules. The second parameter is the list of modules that must run before this hook; aszSucc is an array that mod_proxy.c already defines and that names mod_rewrite.c, so passing it here registers that mod_proxy's translate_name hook is to be called after mod_rewrite's.

$ cd ../..                                    # back to the main build directory

$ make

Check that the expected modules are included (and no others):

$ ./httpd -l

Compiled in modules:
  core.c
  mod_access.c
  mod_auth.c
  mod_log_config.c
  mod_headers.c
  mod_setenvif.c
  mod_proxy.c
  proxy_http.c
  mod_ssl.c
  prefork.c
  http_core.c
  mod_mime.c
  mod_dir.c
  mod_rewrite.c
  mod_so.c

As root install apache to /dmz

$ su

# umask 022

# make install

# chown -R root:sys /dmz

As root, install mod_security:

# cd ../modsecurity-1.8.7/apache2/

# /dmz/bin/apxs -cia mod_security.c

At this point Apache 2.0 is installed in /dmz. Try to start the server using apachectl; the installed httpd.conf file, however, contains directives for modules that were not included. You can remove these errors one by one, by attempting to start and fixing the problem reported until Apache actually starts. The following directives had to be removed after completing the steps above:

- UserDir
- Alias
- AliasMatch
- RedirectMatch
- ScriptAlias
- IndexOptions FancyIndexing VersionSort
- AddIconByEncoding
- AddIconByType
- AddIcon
- DefaultIcon
- ReadmeName
- HeaderName
- IndexIgnore
- LanguagePriority
- ForceLanguagePriority

Once you have sanitized the default httpd.conf file, you can proceed and test.

Start apache without SSL

# /dmz/bin/apachectl start

Verify that the server is running and is listening on port 80 (http):

# netstat -lntp | sort -t: +1n

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3993/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      24772/httpd

Success! We have httpd listening on port 80. You can verify that the server is working by using a browser to go to http://site/index.html.en. Note that you will have to specify the full name of the index.html.NN file, including the language, as mod_negotiation is not included in this build of the Apache server (mod_dir alone cannot map / to a language-specific file).

Stop the Apache HTTP server:

# /dmz/bin/apachectl stop

Setting up the SSL certificate

Follow the instructions below to generate a self-signed certificate for test purposes. The encryption is as good as with a purchased certificate, but web browsers will warn their users about an unrecognized (untrusted) Certificate Authority. For your real deployment you will need a certificate issued by a Certificate Authority that your users' browsers trust.

Generating and installing a test certificate:

# cd /dmz/conf
# umask 022
# mkdir ssl.key
# mkdir ssl.crt
# mkdir ssl.crl
# openssl req \
    -new \
    -x509 \
    -days 30 \
    -nodes \
    -keyout ssl.key/server.key \
    -out ssl.crt/server.crt \
    -subj '/CN=Test-Only Certificate'
# chmod 600 ssl.key/server.key                # private key: root, and only root, should have access

The -nodes option (added here) writes the test key unencrypted so that apachectl does not prompt for a pass phrase at every start; the file permissions set by chmod are what protect the key on disk.

Start Apache with SSL:

# /dmz/bin/apachectl startssl

Verify that the server is running and is listening on both port 80 (http) and port 443 (https):

# netstat -lntp | sort -t: +1n

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3993/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      24772/httpd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      24772/httpd

Success! We have httpd listening on ports 80 and 443.

You can verify that the server is working by using a browser to go to http://site/index.html.en and https://site/index.html.en.

As before, you will have to specify the full name of the index.html.NN file (including the language), as mod_negotiation was not compiled into this build of the Apache server. Note also that your browser will complain when accessing the https URL, as it does not recognize the Certificate Authority that signed the SSL certificate.

At this point all the required infrastructure pieces are working; it is time to configure Apache for proxy duty.

The following configuration files are needed in /dmz/conf:

- httpd.conf -- Apache configuration file
- security.conf -- make mod_security stop obviously bad requests
- url_fw.conf -- allow only the required URLs through (see Appendix E: Configuring the URL Firewall)

This is covered in the Install and Configure section below.

Install and configure

When the executables have been built and installed, it is time to configure the runtime settings in the configuration files. This includes:

- Configuring Apache httpd (on port 80)
- Configuring mod_ssl and the certificate (on port 443)
- Configuring mod_proxy (pass the entire URL space to the external web tier)
- Configuring mod_security
- Configuring the URL Firewall

A diagram of the deployment accompanies this section (not reproduced here). You will typically have a firewall in front of the reverse proxy and another between the reverse proxy and the external web tier.

Oracle recommends that all E-Business Suite traffic over the Internet be encrypted, i.e. using HTTPS on the standard port 443/tcp. Users may expect to just type the hostname of your external site into the address field of their browsers, which causes the browser to prepend http:// and assume the default HTTP port 80/tcp. To accommodate such users, the reverse proxy should accept this initial connection on the standard HTTP port 80/tcp and immediately redirect the browser to the standard HTTPS port.

This can be achieved with the following rewrite rule in the port 80 virtual host:

RewriteRule ^/(.*) https://www.example.com/$1 [R,L]

The Oracle iStore product uses both HTTP and HTTPS for performance reasons, and the iStore application switches between the two protocols as required.

This means that for deployments including iStore, the http/80/tcp virtual host must not contain the 'redirect-all-to-https' rule. In this case, a careful selection of the initial page and of the http and https links from it should be made. We also want to ensure that a user cannot call any of the URLs that are supposed to run over HTTPS via HTTP (a user could deliberately change the URL in the browser to http:// rather than https://). We ensure that by accepting only the subset of iStore URLs that are considered non-sensitive in the http virtual host.

You can download the fully functioning configuration files, httpd.conf and security.conf.

The assumptions made while creating these config files are:

- the reverse proxy will be accessed via the hostname www.example.com
- the E-Business Suite external web tier is called extweb.example.com
- the server admin is [email protected]
- the Apache proxy was configured and installed to /dmz

You will have to modify the files to reflect your host and domain names and the location of /dmz. Once you have modified the above two configuration files and copied them to /dmz/conf/, it is time to test the proxy.
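The fragment below is an added example of how the pieces described above fit together in an Apache 2.0 httpd.conf; it is not the downloadable httpd.conf/security.conf from this note. It assumes the same names as the note (www.example.com for the proxy, extweb.example.com for the external web tier, /dmz as the install prefix) plus one assumption of its own: that the external web tier listens on plain HTTP port 8000. The mod_security directives are those of the 1.8.x series built above. The port 80 host redirects everything to HTTPS; a commented-out iStore variant at the end accepts only a non-sensitive subset of URLs over HTTP and redirects the rest.

```apache
# /dmz/conf/httpd.conf (fragment): added example for the reverse proxy built
# in this appendix, not the downloadable file from the original note.
# Assumptions: proxy host www.example.com, external web tier
# extweb.example.com listening on plain HTTP port 8000, install prefix /dmz.

ServerRoot "/dmz"
Listen 80
Listen 443
NameVirtualHost *:80

# mod_security was installed with "apxs -cia", which adds this line.
LoadModule security_module modules/mod_security.so

ServerTokens Prod
ServerSignature Off

# Never act as a forward proxy: an open proxy in the DMZ is a pivot into the
# intranet. ProxyRequests Off still allows the ProxyPass directives below.
ProxyRequests Off

# mod_security 1.8.x: drop obviously malformed requests before mod_rewrite
# and mod_proxy ever see them (the note keeps these in security.conf).
SecFilterEngine On
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding On
SecFilterForceByteRange 1 255              # rejects NUL bytes anywhere in the request
SecFilterDefaultAction "deny,log,status:403"
SecFilter "\.\./"                          # directory traversal attempts
SecAuditEngine On
SecAuditLog logs/audit_log

# Port 80: accept the initial connect and push everyone to HTTPS.
<VirtualHost *:80>
    ServerName www.example.com
    RewriteEngine On
    RewriteRule ^/(.*) https://www.example.com/$1 [R,L]
</VirtualHost>

# Port 443: terminate TLS, apply the URL firewall, proxy what survives.
<VirtualHost _default_:443>
    ServerName www.example.com
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCertificateFile    conf/ssl.crt/server.crt
    SSLCertificateKeyFile conf/ssl.key/server.key

    RewriteEngine On
    # URL firewall (Appendix E): whitelist generated by AutoConfig on the
    # external web tier and copied here. With the mod_proxy.c hook-order
    # change, these rules run before proxy_trans, so a forbidden URL is
    # answered with 403 by the proxy and never reaches extweb.
    Include conf/url_fw.conf

    ProxyPass        / http://extweb.example.com:8000/
    ProxyPassReverse / http://extweb.example.com:8000/

    ErrorLog  logs/ssl_error_log
    CustomLog logs/ssl_access_log combined
</VirtualHost>

# iStore variant of the port 80 host (use instead of the one above): do not
# redirect everything. Only the non-sensitive subset of iStore URLs is
# accepted over HTTP and proxied; anything else requested over plain HTTP is
# bounced to HTTPS, so a user who edits https:// into http:// still lands on
# the secure side. ibeCZzpHome.jsp is from this note; the other two patterns
# are placeholders for the public catalog pages and static files you choose.
#<VirtualHost *:80>
#    ServerName www.example.com
#    RewriteEngine On
#    RewriteRule ^/OA_HTML/ibeCZzpHome\.jsp$          - [L]
#    RewriteRule ^/OA_HTML/ibeC[A-Za-z]+\.jsp$        - [L]
#    RewriteRule ^/OA_HTML/.*\.(gif|jpg|css|js)$      - [L]
#    RewriteRule ^/(.*) https://www.example.com/$1 [R,L]
#    ProxyPass        / http://extweb.example.com:8000/
#    ProxyPassReverse / http://extweb.example.com:8000/
#</VirtualHost>
```

In the iStore variant the pass-through rules (`- [L]`) are themselves the whitelist for plain HTTP: a request that matches none of them is redirected, so the catch-all must stay last. Test both hosts from outside the DMZ before cutting over, including a request for a sensitive page over http:// to confirm it is redirected rather than proxied.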


# /dmz/bin/apachectl start                    # note that you do not need startssl

# netstat -lntp | sort -t: +1n

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3993/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2472/httpd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2472/httpd

Once you have tested the reverse proxy with the above two configuration files, it is time to prepare for installation on theproduction hardware in the DMZ.

# /dmz/bin/apachectl stop

# rm -f /dmz/logs/* # delete old log files

# rm -rf /dmz/manual* # delete the Apache documentation

# tar cvzf /dmz.tgz /dmz # tar up the runtime proxy

Copy the /dmz.tgz file from the test box to root's home directory on the DMZ host and install it.

dmz# cd /

dmz# tar xvzf ~/dmz.tgz # unpack the runtime proxy

Edit the configuration files to reflect host names and port numbers for the production DMZ, and install the real, CA signed SSLcertificate.

Then start the reverse proxy

dmz# /dmz/bin/apachectl start

dmz# netstat -lntp | sort -t: +1n

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      993/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2234/httpd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2234/httpd

The next step is to configure the URL Firewall on the reverse proxy for the Oracle E-Business Suite products you wish to expose to external parties. Once done, make sure that the customized url_fw.conf is included from the reverse proxy's httpd.conf, and bounce the reverse proxy.

Below is a list of references related to building a secure Apache proxy; check these out for additional explanation of many of the configuration decisions made above, or for better ideas on how to build your own:

- http://www.securityfocus.com/infocus/1818 -- Apache 2 with SSL/TLS Step-by-Step, Part 1
- http://www.securityfocus.com/infocus/1820 -- Apache 2 with SSL/TLS Step-by-Step, Part 2
- http://www.securityfocus.com/infocus/1823 -- Apache 2 with SSL/TLS Step-by-Step, Part 3
- http://www.apacheweek.com/features/reverseproxies -- Running a Reverse Proxy with Apache (2)
- http://www.securityfocus.com/infocus/1739 -- Web Security Appliance With Apache and mod_security
- http://httpd.apache.org/docs-2.0/install.html -- From the source
- http://httpd.apache.org/docs-2.0/mod/mod_proxy.html -- From the mod_proxy documentation
- http://www.modsecurity.org/ -- all you ever wanted to know about mod_security

Although the following topics are beyond the scope of this document, system administrators are advised to consider these factors before deploying a reverse proxy into an environment:

- O/S hardening
- Load balancing for redundancy (avoiding single points of failure)
- Fail-over strategies
- Log rotation and analysis

Appendix E: Configuring the URL Firewall

The purpose of the URL Firewall is to ensure that only the URLs required for the externally exposed functionality can be accessed from the Internet.

The URL Firewall is implemented as a whitelist of required URLs; any URL request that does not match the whitelist is refused. This limits the exposure of your Oracle E-Business Suite deployment by reducing the attack surface available to external parties.

The URL Firewall can be deployed on the external web tier or on the reverse proxy. If you are deploying a reverse proxy that can process mod_rewrite rules, we recommend that the URL Firewall be deployed on the reverse proxy, in order to reject unauthorized requests as early as possible.

The URL Firewall is shipped as an Apache configuration file containing rewrite rules interpreted by mod_rewrite. The URL Firewall configuration file (url_fw.conf) is generated on all the web tiers by the AutoConfig utility. To include this configuration file in the Oracle HTTP Server configuration file (httpd.conf), perform the following steps:

1. Change the value of the AutoConfig variable s_enable_urlfirewall. By default the value of this variable is set to '#', which indicates that the URL Firewall is disabled. To enable the URL Firewall, the pound sign '#' must be removed.

2. Ensure that for nodes that are marked as external, this configuration file is included in the HTTP server configuration.

The file consists of blocks of URLs that may be required depending on the deployed product mix, and ends with a rule that rejects the request if it has not been matched by one of the enabled rules. You will have to manually edit this file to enable the URLs in the block that corresponds to the product(s) you are deploying for external access.

The url_fw.conf file has the following blocks:

- INITIAL PAGE - defines the default start page
- STATIC - static files such as images, stylesheets, javascript and html
- COMMON - common components used by multiple products
- LOCAL - required for local login
- FORMS - if your product mix requires the use of Oracle Forms
- XXX - where XXX is a product abbreviation

You will always need the STATIC, COMMON and LOCAL blocks. Depending on the product(s) you are deploying, you may need additional blocks of URLs enabled. This is summarized in the table below.

Product Name                             Product Code   Product Family    Blocks Required
iSupplier Portal                         POS            Procurement       POS
Oracle Sourcing                          PON            Procurement       PON
Oracle iReceivables                      OIR            Financials        OIR
iRecruitment                             IRC            Human Resources   IRC
Oracle Time & Labor                      OTL            Human Resources   OTL
Oracle Learning Management               OTA            Human Resources   OTA
Oracle iSupport                          IBU            CRM               IBU
Oracle iStore                            IBE            CRM               IBE + CZ (*)
Oracle Marketing                         AMS            CRM               AMS
Oracle Partner Relationship Management   PRM            CRM               PRM
Oracle Survey                            IES            CRM               IES
Field Sales                              ASP            CRM               ASP
Oracle Transportation                    FTE            Manufacturing     FTE
Oracle Contracts Core                    OKC            Manufacturing     none
Oracle Service Contracts                 OKS            Manufacturing     OKS
Personal Portfolio                       IGP                              IGP
Oracle Collaborative Planning            SCE            Manufacturing     SCE + Forms

(*) iStore needs the CZ block only if it is integrated with the Configurator.

In addition to uncommenting the blocks of URLs specified above, you will have to consider and decide how to handle the following for your deployment:

- Initial page - what page should be displayed when external users go to /
- Help - what should happen when external users click on the Help icon

The syntax of the ErrorDocument directive in url_fw.conf needs modification (to use double quotes) if you have configured Apache 2 as the reverse proxy server. The default file shipped uses Apache 1.3.x syntax.

Configure Initial Page

In the shipped version of url_fw.conf, external users are presented with the standard Apps Login page when they go to / (that is, http://your.site.com) on your external site.

If you are deploying products that allow users to browse part of the site prior to authentication, presenting them with a login page may not make any sense. For example, if you are deploying iStore, users expect to be able to browse the goods without logging in. If you are deploying iRecruitment, external users may need to browse available job postings before identifying themselves.

If you are integrating external access to E-Business Suite via an existing company website, you may want to include a new page with your corporate branding and links to the appropriate entry points of Oracle Applications.

To change the initial (/) page, locate the INITIAL PAGE block and change the first line in that block to provide the page of your choice:

RewriteRule ^/$ /OA_HTML/AppsLogin [R,L]

The rule says: upon a request for /, redirect ([R]edirect) to /OA_HTML/AppsLogin and stop further rewriting ([L]ast).

If your deployment is only iRecruitment or only iStore, the above rule could be replaced with one of the following:

RewriteRule ^/$ /OA_HTML/IrcVisitor.jsp [R,L]

RewriteRule ^/$ /OA_HTML/ibeCZzpHome.jsp [R,L]

For help in selecting an appropriate initial page, see the Implementation Guide for the products you are deploying externally.
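The following is an added example of the layout of a url_fw.conf with the STATIC, COMMON, LOCAL and IRC blocks enabled and the IBE block left disabled, written in the Apache 2 syntax discussed above. It is not the AutoConfig-generated file: apart from /OA_HTML/AppsLogin and /OA_HTML/IrcVisitor.jsp, which appear in this note, every URL pattern is a placeholder to be replaced by the patterns in the generated file. What it shows is the whitelist mechanics: allowed URLs pass through unchanged with `- [L]`, a disabled block stays commented out, the initial-page rule is a redirect whose target must itself be whitelisted, and the last rule forbids everything that nothing above matched.

```apache
# url_fw.conf: added example of the URL Firewall layout. Placeholder
# patterns; take the real ones from the AutoConfig-generated file.
# Included from httpd.conf after "RewriteEngine On".

# Response for rejected requests. Apache 2 syntax: both double quotes are
# required (the shipped file uses the Apache 1.3 leading-quote form).
ErrorDocument 403 "Forbidden"

# ---- INITIAL PAGE: what "/" maps to for external users.
# Default is the Apps login page. An iRecruitment-only site would use
#   RewriteRule ^/$ /OA_HTML/IrcVisitor.jsp [R,L]
# instead. The browser's follow-up request must match a rule below.
RewriteRule ^/$ /OA_HTML/AppsLogin [R,L]

# ---- STATIC: images, stylesheets, javascript and html (placeholder)
RewriteRule ^/OA_HTML/.*\.(gif|jpg|png|css|js|html?)$ - [L]

# ---- COMMON: components shared by several products (placeholder)
RewriteRule ^/OA_HTML/OA\.jsp$ - [L]

# ---- LOCAL: required for local login (AppsLogin is from this note)
RewriteRule ^/OA_HTML/AppsLogin$ - [L]

# ---- IRC: iRecruitment, enabled for this deployment (second pattern is a
# placeholder for the other IRC pages listed in the generated file)
RewriteRule ^/OA_HTML/IrcVisitor\.jsp$ - [L]
RewriteRule ^/OA_HTML/Irc[A-Za-z]+\.jsp$ - [L]

# ---- IBE: iStore, not deployed externally here, so left disabled
#RewriteRule ^/OA_HTML/ibe[A-Za-z]+\.jsp$ - [L]

# ---- Default: anything not matched above is forbidden. With the
# mod_proxy.c hook-order change from Appendix D, mod_rewrite runs before
# proxy_trans, so a rejected request is never forwarded to the web tier.
RewriteRule .* - [F,L]
```

Two things to keep in mind when editing the real file: rules are evaluated top to bottom and `[L]` stops processing, so an allow rule placed after the final `[F,L]` rule is dead; and RewriteRule patterns match the URL path only, never the query string, so a whitelisted servlet is reachable with any parameters unless you add a RewriteCond on %{QUERY_STRING} to restrict them.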

URL Firewall Configuration for Web Services Deployed in the DMZ

A web services URL Firewall configuration file, url_fw_ws.conf, must be generated on the application tier nodes that host the external modules, to prevent unauthorized access to the SOAProvider servlet. This configuration file can be generated by running:

$ txkrun.pl -script=GenWebServiceUrlFwConf

Successful completion of the script above generates url_fw_ws.conf at $INST_TOP/ora/10.1.3/Apache/Apache/conf. This configuration file is then automatically included when AutoConfig is executed on the external nodes.

Appendix F: List of Ports to Open in a DMZ Configuration

The diagram accompanying this appendix (not reproduced here) lists the ports that need to be opened on the firewalls in a DMZ configuration.

If users need access to additional components like Oracle Forms in server mode or Oracle Discoverer Plus, additional ports may need to be opened on the External, Internal and Data firewalls.

Some Oracle E-Business Suite modules, such as Oracle Configurator, use the UTL_HTTP package to communicate from the database to the application tier where the web server is installed. This is done over HTTP(S). So, if there is a firewall configured between the application and database tiers, the HTTP port must be opened on this firewall for this communication to succeed. Restrict that rule to the database host and the internal application tier's web server port; as noted in B1.1.3, the database does not need to reach the external web tier.

Appendix G: Configuring Multiple Web Entry Points and DMZs with Single Sign-On

You can deploy Oracle E-Business Suite environments with DMZs and multiple web-entry points. These configurations mayoptionally be integrated with Oracle Single Sign-On or Oracle Access Manager for centralized authentication. Either of thesesolutions also requires Oracle Internet Directory.


Figure F8, shown above, depicts a configuration in which the internal and external users are authenticated via a single Oracle Single Sign-On server installed in the DMZ. The LDAP directory, Oracle Internet Directory, remains on the internal network.

Perform the following steps to implement this configuration:

1. Follow the instructions in Note 376811.1 to install and configure Oracle Application Server 10g with E-Business Suite.

2. Configure your DMZs and multiple web-entry points for your E-Business Suite environments as described in Sections 2 to 5, above. Confirm that these environments are working properly before continuing.

3. The configuration displayed in Figure F8 uses a reverse proxy server as the web entry point for both the external application tier and the SSO server. You must reconfigure both the SSO server and the external application tier to point to the reverse proxy server. This configuration requires that a virtual host be configured on the reverse proxy for each of the two web entry points, the SSO server and the external application tier. This is the most secure deployment, because no additional ports need to be opened on the external firewall: all external traffic arrives at the reverse proxy.

4. To register your E-Business Suite environment with Single Sign-On 10g, run the registration utility described in Oracle MetaLink Note 376811.1, using the options appropriate for your deployment of Oracle Application Server 10g. The SSO/OID registration utility automates the Single Sign-On 10g partner application registration process for multiple web-entry point deployments. It automatically performs a separate partner application registration for each registered web-entry point, based on the values of the APPS_FRAMEWORK_AGENT profile option in the E-Business Suite database (one value per web entry point). No special command-line parameters are required. The registration utility only needs to be run once, on any middle-tier server, regardless of where that middle-tier server is located.

   For example: you have two domains, partners.company.com and employees.company.com. The partners.company.com domain corresponds to the external middle tier, and the employees.company.com domain corresponds to the internal middle tier. To register your E-Business Suite environment with Single Sign-On 10g, run the registration utility once, on either the external or the internal middle-tier server. The registration utility automatically detects and registers both middle tiers. There is no need to run the registration utility on each middle tier separately.

5. Run the AutoConfig utility as documented in Oracle MetaLink Note 387859.1, "Using AutoConfig to Manage System Configurations with Oracle Applications R12", and restart the Oracle Application Tier processes.

Please note that Figure F8 shown above lists only the ports that need to be opened for that specific configuration. Additional ports may need to be opened for other architecture variants. The configuration of external and internal web entry points using multiple OSSO servers is not supported at this time.

Figure G9, shown above, depicts a configuration in which the internal and external users are authenticated by Oracle Access Manager and Oracle E-Business Suite AccessGate. The entry point, WebGate, resides in the DMZ along with Oracle E-Business Suite AccessGate. The WebGate intercepts authentication requests and relays them to the Access Manager server. The Access Manager servers are installed on the internal network, along with Oracle Internet Directory. Oracle E-Business Suite AccessGate receives the authenticated session from Oracle Access Manager, and connects to the Oracle E-Business Suite database in order to link the Oracle Internet Directory (OID) user to an Oracle E-Business Suite user. Once this mapping is done, the originally requested resource is returned with a valid authenticated Oracle E-Business Suite user session. All subsequent requests for Oracle E-Business Suite resources are then returned directly to the user as long as the user session remains valid.

Perform the following steps to implement this configuration:

1. Follow the instructions in My Oracle Support Knowledge Document 975182.1 to install Oracle E-Business Suite AccessGate, and to configure WebGate and Oracle Access Manager. (See the next step, however, for an important change when configuring in a DMZ.)

2. When following the instructions to configure the Oracle E-Business Suite AccessGate in a DMZ, you will need to replace any references to the values of [WebGate host]:[WebGate port] in two places with the hostname and port on your reverse proxy that forwards to the WebGate:

   Step 4d, when setting the Redirection URL for failed authentication attempts; and
   Step 6b, when setting the APPS_AUTH_AGENT profile option.

   On the reverse proxy, you must then add a proxy rule that forwards URLs under the WebGate's context path to the WebGate host and port.

3. If you are configuring separate WebGates for internal and external users, you may set the APPS_AUTH_AGENT profile option at the SERVER level, so that internal users are directed to one URL for authentication and external users to another.

4. If you choose to implement the Lost Password or Reset Password on First Login features, you will need to install an additional WebPass in the DMZ as well. The WebPass requires that you open port 6022 on the internal firewall to allow it to communicate with the internal Identity Server. (Note: this is not shown in the diagram above.) Once you have installed and configured a user-facing WebPass, make sure the APPS_AUTH_FORGOT_PASSWORD_LINK profile option in Step 6b is updated to point either to this new WebPass host or to a reverse proxy that sits in front of it.

5. Be sure to also review the setting of the Preferred HTTP Host parameter for your WebGate. For more information on configuring WebGate and Access Server with a reverse proxy, refer to the Oracle Access Manager Deployment Guide.

6. Configure your DMZs and multiple web-entry points for your E-Business Suite environments as described in Sections 2 to 5, above. Confirm that these environments are working properly before continuing.

Note that it is not necessary to open ports in the data firewall for LDAP and LDAPS connections. LDAP connections are made only from the Oracle Access Manager Access Server, which is located inside the firewall, and not from any of the components located in the DMZ. If you previously had these ports open for Oracle Single Sign-On Server and are no longer using OSSO for external authentication, close these ports on the data firewall.

Appendix H: Troubleshooting

H1: Internal and External Middle Tiers in Different Domains
H2: Firewall Disconnects SQL*Net Connections
H3: DNS Resolution of Machines and Devices Involved in the DMZ Configuration
H4: HTTP Error 400 - Bad request
H5: HTTP Error 410 - Gone
H6: Redirection to an Incorrect Server During Login

H1: Internal and External Middle Tiers in Different Domains

If any of your middle-tier servers or the reverse proxy server run on machines with different domain names or different virtual host domain names, execute the following SQL when logged into the database as the APPS user:

SQL> update icx_parameters set session_cookie_domain = null;
SQL> commit;

H2: Firewall Disconnects SQL*Net Connections

Most firewalls disconnect SQL*Net connections after 30 minutes of inactivity. To fix this problem, add the following parameter to the existing [RDBMS_ORACLE_HOME]/network/admin/<ORACLE_SID>_<hostname>/sqlnet.ora on the database tier:

SQLNET.EXPIRE_TIME=10

The value is in minutes: the database then sends a dead-connection-detection probe on every idle session every 10 minutes, which both detects clients that have gone away and keeps the firewall's idle timer from expiring, provided the interval is shorter than the firewall's idle timeout.

H3: DNS Resolution of Machines and Devices Involved in the DMZ Configuration

In a DMZ setup a number of components are involved in the configuration: network components such as firewall devices, hardware load balancers and SSL accelerators, and the machines hosting the application software. A successful configuration of these components requires proper name resolution, at the machine (hosts file) level and at the DNS level, from the various segments of your network. The following commonly used operating system utilities can be used to verify the DNS setup:

nslookup
ping
traceroute
nmap

H4: HTTP Error 400 - Bad request

If you receive an "HTTP Error 400 - Bad request" in your browser, it means that the Oracle HTTP Server or the reverse proxy server denied the request because of a rule in mod_security. Review the error_log on the server that returned the error to gather more information on why the request was denied.

H5: HTTP Error 410 - Gone

If you receive an "HTTP Error 410 - Gone" in your browser, it means that the Oracle HTTP Server or the reverse proxy server denied the request because of a rule in the URL firewall. Review the access_log or rewrite_log to gather more information on why the request was denied.

If you identify a URL that is being blocked but that should be allowed for your deployment, add the URL to the url_fw.conf file, then bounce the Oracle HTTP Server or the reverse proxy server to make the change active. Add only the URLs that the externally exposed modules actually need: the URL firewall is an allow list, and every entry added to it widens what an unauthenticated external user can reach.

H6: Redirection to an Incorrect Server During Login

If you are getting redirected to an incorrect server during the login process, check the following:

Whether the hierarchy type of the profile options mentioned in Section 5.1 is set to SERVRESP:

select profile_option_name, hierarchy_type
from   fnd_profile_options
where  profile_option_name in
       ('APPS_WEB_AGENT','APPS_SERVLET_AGENT','APPS_JSP_AGENT','APPS_FRAMEWORK_AGENT',
        'ICX_FORMS_LAUNCHER','ICX_DISCOVERER_LAUNCHER','ICX_DISCOVERER_VIEWER_LAUNCHER',
        'HELP_WEB_AGENT','APPS_PORTAL','CZ_UIMGR_URL','QP_PRICING_ENGINE_URL','TCF:HOST');

Whether the values of the FND profile options APPS_FRAMEWORK_AGENT, APPS_WEB_AGENT, APPS_JSP_AGENT and APPS_SERVLET_AGENT point to the correct node. Replace <node_id> with the node_id of the external web tier and then of the internal web tier. For example:

select fnd_profile.value_specific('APPS_FRAMEWORK_AGENT',null,null,null,null,<node_id>) from dual;

Whether the dbc file pointed to by the JVM parameter JTFDBCFILE in oc4j.properties exists:

-DJTFDBCFILE=<location-of-your-dbc-file>

Whether the value of the parameter APPL_SERVER_ID in the dbc file for the node is the same as the value of server_id in the fnd_nodes table:

select node_name, node_id, server_id from fnd_nodes;
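The checks above can be run as one pass across every registered node instead of substituting one <node_id> at a time. The following script is an added example and is not code from Oracle Note 380490.1; it assumes only the standard FND tables (fnd_profile_options, fnd_profile_option_values, fnd_nodes), the six-argument fnd_profile.value_specific signature already used above, the convention that level_id 10001 is the SITE level, and that it is run as the APPS user. The second query also lists the per-entry-point APPS_FRAMEWORK_AGENT values that the SSO registration utility in Appendix G registers as separate partner applications, and it includes FND_DIAGNOSTICS so that the per-server setting from Appendix J can be verified the same way.

```sql
-- Added example, not part of Oracle Note 380490.1. Run as the APPS user.
-- Assumes the standard FND tables (fnd_profile_options, fnd_profile_option_values,
-- fnd_nodes) and the fnd_profile.value_specific signature used in H6.

-- 1. Section 5.1 profile options whose hierarchy type is not SERVRESP.
--    Any row returned means per-node (server level) values are ignored for
--    that option and every web tier resolves the same SITE value.
select profile_option_name, hierarchy_type
from   fnd_profile_options
where  profile_option_name in
       ('APPS_WEB_AGENT','APPS_SERVLET_AGENT','APPS_JSP_AGENT','APPS_FRAMEWORK_AGENT',
        'ICX_FORMS_LAUNCHER','ICX_DISCOVERER_LAUNCHER','ICX_DISCOVERER_VIEWER_LAUNCHER',
        'HELP_WEB_AGENT','APPS_PORTAL','CZ_UIMGR_URL','QP_PRICING_ENGINE_URL','TCF:HOST')
and    hierarchy_type <> 'SERVRESP';

-- 2. What every registered node resolves the agent profile options to, in one
--    pass: the cartesian product of fnd_nodes and the option names replaces the
--    one-<node_id>-at-a-time query. server_id is listed so it can be compared
--    with APPL_SERVER_ID in the dbc file that -DJTFDBCFILE names on that node.
--    Expected result: each external node resolves to its external entry point
--    (the reverse proxy or load balancer URL), each internal node to the
--    internal URL. FND_DIAGNOSTICS is included so the per-server setting from
--    Appendix J can be verified the same way (expected: N on external nodes).
select n.node_name,
       n.node_id,
       n.server_id,
       p.profile_option_name,
       fnd_profile.value_specific(p.profile_option_name,
                                  null, null, null, null, n.node_id) as resolved_value
from   fnd_nodes n,
       (select profile_option_name
        from   fnd_profile_options
        where  profile_option_name in ('APPS_FRAMEWORK_AGENT','APPS_WEB_AGENT',
                                       'APPS_JSP_AGENT','APPS_SERVLET_AGENT',
                                       'FND_DIAGNOSTICS')) p
order by n.node_name, p.profile_option_name;

-- 3. Nodes whose APPS_FRAMEWORK_AGENT resolves to nothing more specific than
--    the SITE value (level_id 10001 is the SITE level: an assumption of this
--    example, not something the note states). An external node listed here has
--    no server-level value of its own and will redirect its users to the SITE
--    URL, which is the usual cause of the H6 symptom.
select n.node_name,
       n.node_id,
       s.profile_option_value as site_value
from   fnd_nodes n,
       fnd_profile_options o,
       fnd_profile_option_values s
where  o.profile_option_name = 'APPS_FRAMEWORK_AGENT'
and    s.profile_option_id   = o.profile_option_id
and    s.application_id      = o.application_id
and    s.level_id            = 10001
and    fnd_profile.value_specific('APPS_FRAMEWORK_AGENT',
                                  null, null, null, null, n.node_id)
       = s.profile_option_value;
```

Internal nodes are expected to appear in the third result when the SITE value is the internal URL; the finding is an external node appearing there. The dbc comparison still has to be made by hand, since the dbc file lives on the node's file system and is not visible from SQL.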

Appendix I: Disabling E-Business Suite Release 12 Application Services on the External Web Tier

On the external web tier, run only the Oracle E-Business Suite application services that are needed by the externally facing E-Business Suite modules. All services except the "Root Service Group", the "Web Entry Point Services" and the "Web Application Services" must be disabled. In addition, you can disable the forms and oafm web application services if the external modules do not need them. To disable a service, perform the following steps:

1. Run the AutoConfig Context Editor as documented in Oracle MetaLink Note 387859.1, "Using AutoConfig to Manage System Configurations with Oracle Applications R12".
2. Click on Site Map, then AutoConfig.
3. Select the Applications Context file of the external web tier, then click on Edit Parameters, Processes.
4. Perform the required updates and save the changes.

Appendix J: Disabling "About this page" Link From the Release 12 Login Page

There is a new link named "About this Page" on the Release 12 login page. Displaying this link is the default for Release 12. The "About this Page" link points to a page that provides a wealth of information about the applications instance, such as applied patches, profiles and technology components, to all users prior to authentication. This is not desirable in a DMZ type of environment, since it hands an unauthenticated external user an inventory of the instance's patch level and configuration.

This link is displayed only when the value of the profile option FND: Diagnostics (FND_DIAGNOSTICS) is set to YES at SITE level. So, to disable the link on all your servers, set this profile option to NO at SITE level.

To disable the link on a server-by-server basis, follow these steps:

1. Change the hierarchy type of the FND_DIAGNOSTICS profile option to Server-Responsibility.
2. Set the profile option value at server level to NO for the servers where the link is to be disabled, while keeping the SITE level value set to YES.

Appendix K: Related Documentation

Oracle Applications System Administrator's Guide - Security
Oracle Applications System Administrator's Guide
Best Practices for Securing Oracle E-Business Suite R12
Using Load-Balancers with Oracle E-Business Suite Release 12
Using AutoConfig to Manage System Configurations with Oracle E-Business Suite Release 12
Cloning Oracle Applications Release 12 with Rapid Clone
Sharing the Application Tier File System in Oracle E-Business Suite Release 12
Enabling SSL in Oracle Applications Release 12

Change Log

Date                 Description
Dec 22, 2009         Updated Appendix A and Appendix B with latest DMZ certified products
Dec 21, 2009         Added Oracle Access Manager configuration
Dec 04, 2009         OIE added to the list of certified products
Sept 18, 2009        OIP added to the list of certified products
May 09, 2009         Instructions to enable web entry point services
April 15, 2009       Added forward proxy configuration
March 03, 2009       OTL added to list of certified products
February 06, 2009    SSO configuration updates
January 21, 2009     Removed reference to the configurator note as it does not exist.
September 30, 2008   Added reverse proxy configuration (section 5.9), clarified web entry point requirements.
July 11, 2008        Added SSHR product as certified in Appendix A and added "Enable SSL terminator" note into Option 2.4.
May 23, 2008         Added ASP product as certified in Appendix A.
April 23, 2008       Added "Using Hardware Load Balancers With No External Web Tier" section, removed jserv references, and added the step "run AutoConfig" in section "Using Reverse Proxies only in DMZ".
November 06, 2007    Removed references to txkSOHM.pl since it is not used in R12.
March 21, 2007       Added "Enable Distributed Oracle Java Object Cache Functionality" section and "Using Reverse Proxy Only in DMZ" section.
January 22, 2007     Document creation date

Note 380490.1 by Oracle Applications Development

Copyright © 2009 Oracle Corporation
Last updated: Dec 22, 2009

Attachments

reverseproxy_withsso_in_dmz.gif (28.59 KB)

OAM Configuration in DMZ (45.37 KB)

Related

Products

Oracle E-Business Suite > Applications Technology > Application Object Library > Oracle Application Object Library

Keywords

DMZ; R12
