
Oracle E-Business Suite R12 Configuration in a DMZ [ID 380490.1]

Modified: Apr 22, 2013
Type: WHITE PAPER
Status: PUBLISHED
Priority: 3

Applies to:

Oracle Applications Technology Stack - Version 12.0 to 12.1.3 [Release 12.0 to 12.1]
Information in this document applies to any platform.

Abstract

This document describes methods for making a subset of Oracle E-Business Suite Release 12 functionality accessible via the Internet to external users.

History

Updated-Date: 26-NOV-2012

Details

This document describes methods for making a subset of Oracle E-Business Suite Release 12 functionality accessible via the Internet to external users.

Summary

Oracle E-Business Suite Release 12 Configuration in a DMZ

Last Updated: November 26, 2012

The most current version of this document can be obtained in Oracle Metalink Note 380490.1. The change log at the end of this document tracks modifications.

Contents

Section 1: Overview
  Oracle E-Business Suite Release 12 Architecture in a DMZ Configuration
  Terminology

Section 2: DMZ Deployment Options
  Option 2.1: Using a Reverse Proxy and an External Web Tier
  Option 2.2: Using Separate Oracle E-Business Suite Release 12 Web Tiers
  Option 2.3: Using HTTP Hardware Load Balancers in DMZ Configurations
  Option 2.4: Using Reverse Proxies only in DMZ
  Option 2.5: Using Hardware Load Balancers With No External Web Tier
  Known Restrictions
  Support Considerations

Section 3: Required Patches for DMZ Configurations

Section 4: Creating an External Web Tier for E-Business Suite

Section 5: Configuring the E-Business Suite for DMZ Deployments
  5.1: Update Hierarchy Type
  5.2: Update Node Trust Level
  5.3: Update List of Responsibilities
  5.4: Configuration Details for Using Reverse Proxy and an External Web Tier in DMZ
    5.4.1: Update Oracle E-Business Suite Release 12 Applications Context File
    5.4.2: Run AutoConfig and Restart Oracle HTTP Server
  5.5: Configuration Details for Using Separate E-Business Suite Release 12 Web Tier in DMZ
  5.6: Configuration Details for Using HTTP Hardware Load Balancers in DMZ
    5.6.1: Update Oracle E-Business Suite Release 12 Applications Context File
    5.6.2: Run AutoConfig and Restart Oracle HTTP Server
  5.7: Enable Oracle E-Business Suite Application Server Security
  5.8: Enable Distributed Oracle Java Object Cache Functionality
  5.9: Configuration Details for Using Reverse Proxy with No External Web Tier
    5.9.1: Create New Context Files for the External Entry Point
    5.9.2: Verify and Update the New Context Files Created for the External Entry Point
    5.9.3: Run AutoConfig and Restart Oracle Applications Processes
  5.10: Configuration Details for Using Hardware Load Balancers with No External Web Tier
    5.10.1: Create New Context Files for the External Entry Point
    5.10.2: Verify and Update the New Context Files Created for the External Entry Points
    5.10.3: Run AutoConfig and Restart Oracle Applications Processes

Appendices
  A. List of External Facing Oracle E-Business Suite Release 12 Products
  B. Oracle E-Business Suite Release 12 Product Specific Configurations
  C. Configuration Option for Functionally Directed Load Distribution
  D. Reverse Proxy Configuration
  E. Configuring the URL Firewall
  F. List of Ports to Open in a DMZ Configuration
  G. Configuring Multiple Web Entry Points and DMZs with Single Sign On
  H. Troubleshooting
  I. Disabling E-Business Suite Release 12 Application Services on the External Web Tier
  J. Disabling "About this page" Link From the Release 12 Login Page
  K. Related Documentation

Document Display https://support.oracle.com/epmos/faces/ui/km/SearchDocDisplay.jspx...

1 of 31 7/11/2013 12:10 PM


Section 1: Overview

This document describes methods for making a subset of Oracle E-Business Suite Release 12 functionality accessible via the Internet to external users. This document discusses supported network topologies and architectures for the E-Business Suite, including:

- The use of reverse proxy servers in demilitarized zones (DMZ)
- The use of multiple domains -- where different E-Business Suite Release 12 users access the E-Business Suite via different URLs -- with multiple application servers
- The use of hardware-based load balancers in these configurations
- The use of SSO servers within the DMZ

This document is intended for administrators who perform Oracle E-Business Suite Release 12 administration. It assumes knowledge of networking technologies. The procedures described in this document have security implications. Prior to the implementation of any configuration options described in this document, E-Business Suite system administrators are strongly advised to review deployment architectures with their enterprise networking and security groups.

Oracle E-Business Suite Release 12 Architecture in a DMZ Configuration

When configuring Oracle E-Business Suite in a DMZ configuration, firewalls are deployed at various levels as shown in Figure F2 to ensure that only authorized traffic is allowed to cross the firewall boundaries. The firewalls ensure that if intrusion attempts against machines in the DMZ are successful, the intrusion is contained within the DMZ, leaving the machines in the intranet unaffected.

The following configuration options are supported:

- Use of a separate web node for external usage
- Setting of server-level profile values
- Associating trust levels with application middle tier nodes
- Limiting available responsibilities to a restricted set for the external web node
- Deploying a reverse proxy in front of the external web node
- Configuring a URL firewall and mod_security in the reverse proxy
- Running only essential Oracle E-Business Suite application services on the external web tier

Terminology

Below are definitions of some of the terms that are used in this document:

Firewall

Firewalls control access between the Internet and a corporation's internal network or intranet. Firewalls define which Internet communications will be permitted into the corporate network, and which will be blocked. A well-designed firewall can foil many common Internet-based security attacks.

DMZ

The DMZ, which stands for DeMilitarized Zone, consists of the portions of a corporate network that are between the corporate intranet and the Internet. The DMZ can be a simple one-segment LAN or it can be broken down into multiple regions as shown in Figure F2. The main benefit of a properly configured DMZ is better security: in the event of a security breach, only the area contained within the DMZ is exposed to potential damage, while the corporate intranet remains somewhat protected.

Load Balancer

Load balancers distribute an application's load over many identically configured servers. This distribution ensures consistent application availability even when one or more servers fail.

Reverse Proxy

A reverse proxy server is an intermediate server that sits between a client and the actual web server and makes requests to the web server on behalf of the client. You can find more information on reverse proxy servers and how to configure them in Appendix D. Reverse Proxy Configuration of this document.

Service

A service is a functional set of Oracle E-Business Suite application processes running on one or more nodes.

Node

A node is a server that runs a set of E-Business Suite R12 application processes or database processes. In a single-node installation of Oracle E-Business Suite, all the application processes including the database processes run on one node, whereas in a multi-node installation the processes run on multiple nodes.

Internal Applications Middle Tier

The internal applications middle tier is the server configured for internal users to access Oracle E-Business Suite. It runs the following major application services:

- Web and Forms Services
- Administration and Concurrent Manager Services
- Reports and Discoverer Services

External Applications Web Tier

The external applications web tier is the server configured for external users to access Oracle E-Business Suite. It runs the following application service:

- Web server

URL Firewall

The URL Firewall contains a white list of URLs, for the externally exposed E-Business Suite modules, that may be accessed from the Internet. You can find more information on the URL Firewall and how to configure it in Appendix E. Configuring the URL Firewall of this document.

Section 2: DMZ Deployment Options

Option 2.1: Using a Reverse Proxy and an External Web Tier

The architecture diagram in Figure F3 represents a reverse proxy in the demilitarized zone (DMZ) behind an external firewall, and an Oracle E-Business Suite Release 12 external web tier in another demilitarized zone behind an internal firewall. This option allows multiple domain names for external and internal middle tiers. For example, external users may access the E-Business Suite via "partners.external.com", and internal users may access the same E-Business Suite instance via "employees.internal.com".

In this configuration, the reverse proxy server can be set up with Oracle HTTP Server or third-party reverse proxy servers. Please refer to Appendix D. Reverse Proxy Configuration for more information on configuring the E-Business Suite to support reverse proxy servers.

In this configuration, the external Applications web tier is required to:

1. Restrict access to a limited set of Oracle Applications responsibilities for users logging in via the Internet.
2. Allow user access to only Oracle E-Business Suite Release 12 products that can be deployed for Internet access.

Option 2.2: Using Separate Oracle E-Business Suite Release 12 Web Tiers

The architecture diagram in Figure F4 represents an Oracle E-Business Suite Release 12 external web tier in a demilitarized zone (DMZ) behind a DMZ external firewall. This option allows multiple domain names for external and internal middle tiers. This deployment option requires the external Oracle E-Business Suite web tier to meet the same security requirements discussed in 2.1: Using a Reverse Proxy and an External Web Tier.

In this configuration, the external Applications web tier is required to:

1. Restrict access to a limited set of Oracle Applications responsibilities for users logging in via the Internet.
2. Allow user access to only Oracle E-Business Suite Release 12 products that can be deployed for Internet access.

Option 2.3: Using HTTP Hardware Load Balancer in DMZ Configuration

The architecture diagram in Figure F5 represents multiple Oracle E-Business Suite Release 12 external web tiers that are load-balanced by an HTTP hardware load balancer in a demilitarized zone (DMZ) behind a DMZ external firewall. Another HTTP-layer hardware load balancer is used to distribute load across multiple Oracle E-Business Suite internal middle tiers in the intranet. This option allows separate domain names for external and internal middle tiers to be deployed in a highly scalable and fault-tolerant configuration.

In this configuration, the external Applications web tier is required to:

1. Restrict access to a limited set of Oracle Applications responsibilities for users logging in via the Internet.
2. Allow user access to only Oracle E-Business Suite Release 12 products that can be deployed for Internet access.

Option 2.4: Using Reverse Proxy with no External Web Tier

This configuration requires a distinct Oracle HTTP Server/OC4J instance configured per Web Entry Point. You cannot share the configuration of one web entry point with another. For example, you cannot share the Oracle HTTP Server configured for internal.us.oracle.com with external.us.oracle.com. A separate Oracle HTTP Server/OC4J instance must be running for each of the Web Entry Points.

The architecture diagram shown in the figure below represents a reverse proxy server configured to forward external client requests to an Oracle HTTP listener running on an intranet application middle tier server. In this configuration, internal and external users use different HTTP listeners and OC4J processes to access Oracle E-Business Suite.

Proceed to Section 5.9 for detailed instructions on how to configure the topology shown in the figure above.

You can also configure a dedicated middle tier server in the intranet and front this server with a reverse proxy in the DMZ for external users. See the diagram below:

Option 2.5: Using Hardware Load Balancers With No External Web Tier

This configuration requires an instance of Oracle HTTP Server/OC4J configured per Web Entry Point. You cannot share the configuration of one web entry point with another.

The architecture diagram shown in Figure F11 below represents a hardware load balancer configured to balance the load from the external clients among the Oracle HTTP listeners running on the intranet application middle tier servers. In this configuration, internal and external users use different HTTP listeners and OC4J processes to access the Oracle E-Business Suite. As shown in the diagram below, only the load balancer is configured within the DMZ, while all the other servers remain within the intranet or the internal network. This configuration makes use of the Shared File System technology described in Oracle Metalink Note 384248.1, and the internal servers effectively perform the functions of both the internal and the external web tier. Because in this configuration there is no external application tier and all application web nodes use the same file system with different configurations, the Shared File System technology described in Oracle Metalink Note 384248.1 can be used.

Proceed to Section 5.10.1 for detailed instructions to configure the topology shown in Figure F11 above.

Known Restrictions

A shared file system (APPL_TOP, COMMON_TOP, ORA_TOP) cannot be shared between the external web tier and the internal middle tier. However, this restriction does not apply to configuration Options 2.4 and 2.5 (Using Reverse Proxy/Load Balancer with no External Web Tier, Figure F9 / Figure F10), where an external web tier is simulated on the same physical internal middle tier by using a second NIC card.

Support Considerations

All customer configurations will be supported. However, the level of supportability will be dependent upon the implementation.

1. Customers who follow the instructions and implement a tested and certified topology as documented in this Note are fully supported. Oracle recommends the use of one of the configurations described in this Note.

2. Customers who implement an alternative topology not listed in this Note are supported on a best-efforts basis. The Oracle Applications Technology Group will aim to provide an adequate solution to address a customer's problem. Severity 1 bugs in this category will only be accepted for situations where a customer's production system is down. Otherwise, an escalated Severity 2 status is the highest supported severity rating.

SSL Terminator Configuration

If you are terminating the SSL connection at a web entry point other than the application tier node, you must ensure that the ssl_terminator.conf file is included in the httpd.conf on the application tiers. For more information refer to Oracle Metalink Note 376700.1 "Enabling SSL in Oracle Applications Release 12".

Section 3: Required Patches for DMZ Configurations

No additional patches are currently required to support DMZs for E-Business Suite Release 12.

Section 4: Creating an External Web Tier for E-Business Suite

The process of implementing a DMZ configuration for your E-Business Suite environment will vary depending on the deployment option that you select. The implementation process described here assumes that you have a fully configured E-Business Suite with an internal Application web tier, and that you would like to add an external web tier to that existing configuration. Regardless of the DMZ deployment option selected in Section 2, the following core steps must be completed:

Step 1. Identify Release 12 modules for external deployment

Verify that the Oracle E-Business Suite Release 12 modules that you need for external deployment have been certified for that configuration. A list of certified Oracle E-Business Suite modules for external deployment is given in Appendix A - List of External Facing Oracle E-Business Suite Products. If you plan on deploying a product that is not listed, log a Service Request with Oracle Support requesting certification of that product for external deployment.

Step 2. Clone the internal web tier to create a new external web tier

Clone the internal Oracle E-Business Suite middle tier to the machine that you identified to be the external web tier in the DMZ. For additional information on cloning Oracle Applications, see Metalink Note 406982.1 Cloning Oracle Applications Release 12 with Rapid Clone.

Step 3. Deploy a reverse proxy server (Optional)

If you plan to use a reverse proxy server in your configuration, deploy that server in front of your newly created external Application web tier. See Appendix D. Reverse Proxy Configuration for more information on configuring the E-Business Suite to support reverse proxy servers.

Step 4. Ensure that network firewalls are configured correctly

Ensure that the network firewall rules have been defined correctly and are permitting authorized E-Business Suite traffic between all network segments:

1. Verify that access between intranet-based desktop clients and the internal Application web tier is permitted and working.
2. Verify that access between the internal Application web tier and the Applications database server is permitted and working.
3. If a reverse proxy server is not part of your deployment, communication between Internet-based desktop clients and the external web tier servers must be permitted and working.
4. If a reverse proxy server is configured:
   - Communication between Internet-based desktop clients and the reverse proxy server must be permitted and working.
   - Communication between the reverse proxy server and the external Application web tier must be permitted and working.
5. Verify that access between the Applications external web tier servers and the Applications database server is permitted and working.

Section 5: Configuring the E-Business Suite for DMZ Deployments

This section provides the configuration instructions for the deployment models described in this document. Certain common configuration steps must be carried out regardless of which deployment model is used. The details for these common steps are explained from section 5.1 through section 5.4. After completing the common steps, you can proceed to either section 5.5, section 5.6 or section 5.7 depending on which deployment option is chosen.

5.1: Update Hierarchy Type

Several user profile options are used to construct various URLs in an E-Business Suite R12 environment. These user profiles are as follows:

    User Profile Name                              Internal Name
    1.  Applications Web Agent                     APPS_WEB_AGENT
    2.  Applications Servlet Agent                 APPS_SERVLET_AGENT
    3.  Applications JSP Agent                     APPS_JSP_AGENT
    4.  Applications Framework Agent               APPS_FRAMEWORK_AGENT
    5.  ICX: Forms Launcher                        ICX_FORMS_LAUNCHER
    6.  ICX: Oracle Discoverer Launcher            ICX_DISCOVERER_LAUNCHER
    7.  ICX: Oracle Discoverer Viewer Launcher     ICX_DISCOVERER_VIEWER_LAUNCHER
    8.  Applications Help Web Agent                HELP_WEB_AGENT
    9.  Applications Portal                        APPS_PORTAL
    10. BOM: Configurator URL of UI Manager        CZ_UIMGR_URL
    11. QP: Pricing Engine URL                     QP_PRICING_ENGINE_URL
    12. TCF:HOST                                   TCF:HOST

The default hierarchy type value for the above profile options could be either Security or Server. See the diagram below:

The configuration of the E-Business Suite environment for DMZ requires the hierarchy type of these profile options to be set to SERVER-RESPONSIBILITY TYPE (SERVRESP).

1. To change the profile options' hierarchy type values to SERVRESP, execute the txkChangeProfH.sql SQL script as shown below (the script ships under $FND_TOP; the extracted text had dropped that path prefix):

    sqlplus apps/apps @$FND_TOP/patch/115/sql/txkChangeProfH.sql SERVRESP

2. After the txkChangeProfH.sql script executes successfully, run AutoConfig on all nodes to complete the profile options configuration.

5.2: Update Node Trust Level

Oracle E-Business Suite Release 12 has the capability to restrict access to a predefined set of responsibilities based on the web server from which the user logs in. This capability is provided by tagging web servers with a trust level indicated by the Node Trust Level (NODE_TRUST_LEVEL) server profile option. The Node Trust Level indicates the level of trust associated with a particular web server. Currently, three trust levels are supported:

Administrative
Servers marked as Administrative are typically those used exclusively by system administrators. These servers are considered secure and provide access to any and all E-Business Suite functions.

Normal
Servers marked as Normal are those used by employees within a company's firewall. Users logging in from normal servers have access to only a limited set of responsibilities.

External
Servers marked as External are those used by customers or employees outside of a company's firewall. These servers have access to an even smaller set of responsibilities.

The default value for this profile option for all E-Business Suite middle tiers is Normal. If you wish to learn more about the Node Trust Level profile option, please refer to the Oracle Applications System Administrator's Guide.

Set the NODE_TRUST_LEVEL profile option value on the external web tier in your Oracle E-Business Suite Release 12 environment to External. See the diagram below.

To change the value of the Node Trust Level profile option value to External for a particular node, perform the following steps:

1. Log in to Oracle E-Business Suite as the sysadmin user using the internal URL.
2. Select the System Administrator responsibility.
3. Select Profile / System.
4. From the 'Find System Profile Option Values' window, select the server that you want to designate as the external web tier.
5. Query for %NODE%TRUST%. You will see a profile option named 'Node Trust Level'. The value for this profile option at the site level will be Normal. Leave this setting unchanged.
6. Set the value of this profile option to External at the server level. The site-level value should remain set to Normal.

5.3: Update List of Responsibilities

The steps described in this section are required only if you have marked any of the Oracle E-Business Suite Release 12 middle tiers as External as described in section 5.2.

After updating the server-level profile value for Node Trust Level for the external web tier(s) to External, users can no longer see any responsibilities when they log in via the external web tier. In order for a responsibility to be available from the external E-Business Suite web tier, set the Responsibility Trust Level profile option value for that responsibility to External at the responsibility level. For information on additional product-specific responsibilities that can be made externally accessible from the external E-Business Suite middle tier, please refer to Appendix B1. Oracle E-Business Suite Product Specific Configurations.

To change the value of the Responsibility Trust Level profile option at the responsibility level for a particular responsibility, perform the following steps:

1. Log in to Oracle E-Business Suite as the sysadmin user using the internal URL.
2. Select the System Administrator responsibility.
3. Select Profile / System.
4. From the 'Find System Profile Option Values' window, select the responsibility that you want to make available to users logging in via the external web tier.
5. Query for %RESP%TRUST%. You will see a profile option named 'Responsibility Trust Level'. The value for this profile option at the site level will be Normal. Leave this setting unchanged.
6. Set the value of this profile option for the chosen responsibility to External at the responsibility level. The site-level value should remain Normal.
7. Repeat for all responsibilities that you want to make available from the external web tier.

5.4: Configuration Details for Using Reverse Proxy and an External Web Tier in DMZ

The steps described in this section assume that you have already set up the reverse proxy server of your choice and you are ready to make modifications to the Oracle E-Business Suite Applications Context file on the external web tier. To complete the configuration for this option, follow the steps given below.

Oracle does not certify specific reverse proxy solutions from third-party vendors. The instructions included in this document are generally applicable to third-party reverse proxy solutions, including (but not restricted to) Apache, Microsoft Proxy Server, and other products.

5.4.1: Update Oracle E-Business Suite Applications Context File

On the external Oracle E-Business Suite web node, run the AutoConfig Context Editor as documented in the Oracle MetaLink note 387859.1 "Using AutoConfig to Manage System Configurations with Oracle Applications Release 12". In the Context Detail screen, set the following configuration values:

- Set the web entry point, s_webentryhost, to the reverse proxy server.
- Set the web entry domain, s_webentrydomain, to the domain name of the reverse proxy server.
- Set the external URL, s_external_url, to the external web node URL.
- Set the active web port, s_active_webport, to the port on which the reverse proxy server listens for client requests, for example port 80 for HTTP or 443 for HTTPS.
- Set the web entry protocol, s_webentryurlprotocol, to the protocol value the clients use to access the reverse proxy server.
- Set the login page, s_login_page, to <webentry protocol>://<webentry host>.<webentry domain>:<active web port>. Replace <webentry protocol>, <webentry host>, <webentry domain>, and <active web port> with their respective values.
- Set the help web agent, s_help_web_agent, to <webentry protocol>://<webentry host>.<webentry domain>:<active web port>. Replace <webentry protocol>, <webentry host>, <webentry domain>, and <active web port> with their respective values.

5.4.2: Run AutoConfig and Restart Oracle Application Server Processes

1. Run AutoConfig on each Applications middle tier. Please refer to the Oracle MetaLink note 387859.1 "Using AutoConfig to Manage System Configurations with Oracle Applications R12" for more information on AutoConfig.
2. After AutoConfig completes successfully, restart the Oracle Application Server processes on the external web tier.

Proceed to the Appendices for any additional Oracle E-Business Suite product-specific settings that need to be done.

5.5: Configuration Details for Using Separate Oracle E-Business Suite Web Tier in DMZ

There are no extra steps needed for this configuration. Proceed to the Appendices for any additional Oracle E-Business Suite product-specific settings that need to be done.

5.6: Configuration Details for Using HTTP Hardware Load Balancers in DMZ

To complete the configuration for this option, follow the steps given below.

5.6.1: Update Oracle Applications Context File

On the internal Applications middle-tier nodes, run the AutoConfig Context Editor as documented in the Oracle MetaLink note 387859.1 "Using AutoConfig to Manage System Configurations with Oracle Applications R12". In the Context Detail screen, set the following configuration values:

Document Display https://support.oracle.com/epmos/faces/ui/km/SearchDocDisplay.jspx...

9 of 31 7/11/2013 12:10 PM

Page 10: Oracle E-Business Suite R12 Configuration in a DMZ [ID 380490.1]

- set the webentry point, s_webentryhost, to the load balancer that is used to load balance the internal Applications middle tiers
- set the webentry domain, s_webentrydomain, to the domain name of the load balancer
- set the active webport, s_active_webport, to the value of the load balancer's external port
- set the webentry protocol, s_webentryurlprotocol, to the load balancer's protocol, e.g. "http" or "https"
- set the login page, s_login_page, to <webentry protocol>://<webentry host>.<webentry domain>:<active web port>, replacing <webentry protocol>, <webentry host>, <webentry domain>, and <active web port> with their respective values
- set the help web agent, s_help_web_agent, to <webentry protocol>://<webentry host>.<webentry domain>:<active web port>, replacing <webentry protocol>, <webentry host>, <webentry domain>, and <active web port> with their respective values

On the external Applications web tier node, run the AutoConfig Context Editor as documented in the Oracle MetaLink note 387859.1 "Using AutoConfig to Manage System Configurations with Oracle Applications R12". In the Context Detail screen, set the following configuration values:

- set the webentry point, s_webentryhost, to the load balancer that is used to load balance the external Applications middle tiers
- set the webentry domain, s_webentrydomain, to the domain name of the load balancer
- set the external URL, s_external_url, to the external web node URL
- set the active webport, s_active_webport, to the value of the load balancer's external port
- set the webentry protocol, s_webentryurlprotocol, to the load balancer's protocol, e.g. "http" or "https"
- set the login page, s_login_page, to <webentry protocol>://<webentry host>.<webentry domain>:<active web port>, replacing <webentry protocol>, <webentry host>, <webentry domain>, and <active web port> with their respective values
- set the help web agent, s_help_web_agent, to <webentry protocol>://<webentry host>.<webentry domain>:<active web port>, replacing <webentry protocol>, <webentry host>, <webentry domain>, and <active web port> with their respective values

5.6.2: Run AutoConfig and Restart Oracle Applications Processes

1. Run AutoConfig on each Applications middle tier to complete the configuration. Please refer to the Oracle MetaLink note 387859.1 "Using AutoConfig to Manage System Configurations with Oracle Applications R12" for more information on AutoConfig.

2. After AutoConfig completes successfully, restart the Oracle Applications server processes.

Proceed to the Appendices for any additional Oracle E-Business Suite product specific settings that need to be done.

5.7: Enable Oracle E-Business Suite Application Server Security

Oracle E-Business Suite Release 12 is deployed in a multi-tier configuration with one Database Server and many possible middle-tier Application Servers. The Application Servers include Apache JSP/Servlet, Forms, Discoverer and also some client programs such as Application Desktop Integrator and Oracle Discoverer Admin Edition. Any program which makes a SQLNET connection to the Oracle E-Business Suite database needs to be trusted at some level. This security feature ensures that such SQLNET connections are coming from trusted machines and/or trusted programs.

The Server Security feature supports authentication of application server machines and code modules in order to access the database. When Server Security is activated, Application Servers are required to supply server IDs (like passwords) and/or code IDs to access a database server. Server IDs identify the machine from which the connection is originating. Code IDs identify the module and patch level from which the connection is originating. Code IDs are included in applications code by development. The database server can be set to allow access only from specific machines and/or by code at a desired patch level.

The application server security feature is activated by default for all E-Business Suite installations. It is recommended that you ensure that the server security feature is enabled by performing the steps given below:

Run the AutoConfig Context Editor as documented in the Oracle MetaLink note 387859.1 "Using AutoConfig to Manage System Configurations with Oracle Applications R12". In the Context Detail screen, review the following configuration value for both internal and external nodes:

- The value of Application Server Security Authentication (s_appserverid_authentication) is set to SECURE. If the value is not set to SECURE, follow the instructions given below:

1. Set the value of Application Server Security Authentication (s_appserverid_authentication) to SECURE.
2. Run AutoConfig on each Applications middle tier to complete the configuration. Please refer to the Oracle MetaLink note 387859.1 "Using AutoConfig to Manage System Configurations with Oracle Applications R12" for more information on AutoConfig.
3. After AutoConfig completes successfully, restart the Oracle HTTP Server and OC4J processes.
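The checks in sections 5.4.1, 5.6.1 and 5.7 all come down to reading a handful of variables out of the applications context file and confirming they agree with each other. The script below is an added example, not code from Oracle note 380490.1 or from AutoConfig: it extracts values by their oa_var attribute (the element style used in real context files), rebuilds the <protocol>://<host>.<domain>:<port> prefix the note prescribes, and reports whether s_login_page, s_help_web_agent and s_appserverid_authentication match. Both context files are constructed samples; the host names, ports and file paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of Oracle note 380490.1: audit the web-entry
# variables of an AutoConfig context file for the consistency required in
# sections 5.4.1, 5.6.1 and 5.7. The context files are constructed samples
# in the oa_var="..." element style; host names and ports are assumptions.

GOOD_CTX=/tmp/dmz_ctx_good.xml
BAD_CTX=/tmp/dmz_ctx_bad.xml

# Constructed: an external web node fronted by a reverse proxy on 443
cat > "$GOOD_CTX" <<'EOF'
<oa_context>
  <webentryurlprotocol oa_var="s_webentryurlprotocol">https</webentryurlprotocol>
  <webentryhost oa_var="s_webentryhost">rproxy</webentryhost>
  <webentrydomain oa_var="s_webentrydomain">example.com</webentrydomain>
  <activewebport oa_var="s_active_webport">443</activewebport>
  <login_page oa_var="s_login_page">https://rproxy.example.com:443/OA_HTML/AppsLogin</login_page>
  <help_web_agent oa_var="s_help_web_agent">https://rproxy.example.com:443/OA_HTML/help</help_web_agent>
  <appserverid_authentication oa_var="s_appserverid_authentication">SECURE</appserverid_authentication>
</oa_context>
EOF

# Constructed: the same node after a half-finished edit (login page still
# points at the web node's own port, server security switched off)
cat > "$BAD_CTX" <<'EOF'
<oa_context>
  <webentryurlprotocol oa_var="s_webentryurlprotocol">https</webentryurlprotocol>
  <webentryhost oa_var="s_webentryhost">rproxy</webentryhost>
  <webentrydomain oa_var="s_webentrydomain">example.com</webentrydomain>
  <activewebport oa_var="s_active_webport">443</activewebport>
  <login_page oa_var="s_login_page">http://extweb1.example.com:8000/OA_HTML/AppsLogin</login_page>
  <help_web_agent oa_var="s_help_web_agent">https://rproxy.example.com:443/OA_HTML/help</help_web_agent>
  <appserverid_authentication oa_var="s_appserverid_authentication">OFF</appserverid_authentication>
</oa_context>
EOF

# ctx_get FILE VAR : text of the element whose oa_var attribute is VAR
ctx_get() {
    sed -n "s/.*oa_var=\"$2\"[^>]*>\([^<]*\)<.*/\1/p" "$1" | head -n 1
}

# expected_webentry FILE : the <protocol>://<host>.<domain>:<port> prefix
# the note prescribes for s_login_page and s_help_web_agent
expected_webentry() {
    printf '%s://%s.%s:%s\n' "$(ctx_get "$1" s_webentryurlprotocol)" \
        "$(ctx_get "$1" s_webentryhost)" "$(ctx_get "$1" s_webentrydomain)" \
        "$(ctx_get "$1" s_active_webport)"
}

# audit_ctx FILE : returns 0 when both URL variables start with that prefix
# and s_appserverid_authentication is SECURE; prints one line per finding
audit_ctx() {
    file=$1; rc=0
    want=$(expected_webentry "$file")
    for var in s_login_page s_help_web_agent; do
        val=$(ctx_get "$file" "$var")
        case "$val" in
            "$want"*) echo "OK   $var = $val" ;;
            *)        echo "FAIL $var = $val (expected prefix $want)"; rc=1 ;;
        esac
    done
    auth=$(ctx_get "$file" s_appserverid_authentication)
    if [ "$auth" = "SECURE" ]; then
        echo "OK   s_appserverid_authentication = SECURE"
    else
        echo "FAIL s_appserverid_authentication = '$auth' (expected SECURE)"; rc=1
    fi
    return $rc
}

audit_ctx "$GOOD_CTX"
audit_ctx "$BAD_CTX" || echo "Fix $BAD_CTX and rerun AutoConfig"
```

Run it against the real $CONTEXT_FILE of each internal and external node after editing and before AutoConfig; a FAIL line on the external node usually means the login page or help agent still carries the web node's own host and port instead of the reverse proxy or load balancer entry point.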

5.8: Enable Distributed Oracle Java Object Cache Functionality

Distributed caching functionality has to be enabled in a DMZ environment to avoid data inconsistencies for data such as profiles, menus, responsibilities and product specific data. To complete this configuration, follow the steps given below:

- Identify the highest number of JVMs that serve the oacore JVM group in the internal and external middle tiers. For example, if there are 3 JVMs in the internal and 2 JVMs configured for the external middle tier, take the number as 3.
- Identify the number of Java processes spawned by the concurrent manager tier. For example, if there are 3 JVMs spawned by the ICM, take the number as 3. Add this to the number of oacore JVMs. In the example given above, the total number of JVMs thus becomes 6, so six ports need to be opened in the firewall. You can use the 'pstree' command to check the number of Java processes spawned by the concurrent manager parent process, for example "pstree -p 26258" where 26258 is the process ID of the FNDSM process.
- Identify the ports to open in the firewall that separates the external middle tier and the internal middle tier. For example, if the JVM count is 3, you have to open 3 ports on this firewall.
- This range of ports needs to be specified as the value of the AutoConfig variable s_fnd_cache_port_range. Make sure that the value is the same in all the applications context files. The value should be specified as a range, for example 36500-36505. When AutoConfig completes the configuration, the value specified for this variable in the context file will be updated in the FND_CACHE_PORT_RANGE profile option.
- In addition to the ports specified above, you must ensure that the Java Object Cache port specified as the value of the AutoConfig variable s_java_object_cache_port is also open on the firewall that separates the external and internal middle tiers.

You must run AutoConfig to complete the configuration after editing the applications context file.

Attention: In a multinode installation, the AutoConfig variable s_java_object_cache_port must be set identically on all nodes. Similarly, s_fnd_cache_port_range must be set identically on all nodes. Please note that s_java_object_cache_port must be set to a different value from s_fnd_cache_port_range in the same applications context file to avoid port conflicts.
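The port arithmetic above is easy to get wrong when the oacore JVM counts differ between tiers or when the range is one port short. The following script is an added example, not Oracle's code: it counts the Java processes in a constructed pstree listing (FNDSM pid 26258 is the note's own example; the other pids are made up), takes the larger oacore count, and validates a candidate s_fnd_cache_port_range against that total and against s_java_object_cache_port, which must fall outside the range. The JOC port value 12345 is an assumption.

```shell
#!/bin/sh
# Added example, not part of Oracle note 380490.1: the port arithmetic of
# section 5.8. Counts the Java processes under a constructed "pstree -p"
# listing, adds the larger oacore JVM count, and checks that
# s_fnd_cache_port_range spans that many ports and that
# s_java_object_cache_port lies outside the range. Process ids, JVM counts
# and port values are assumptions.

# Constructed pstree -p output for the ICM; FNDSM pid 26258 is the note's example
SAMPLE_PSTREE='FNDSM(26258)-+-FNDLIBR(26301)
             |-FNDLIBR(26305)
             |-java(26310)---{java}(26311)
             |-java(26320)---{java}(26321)
             `-java(26330)---{java}(26331)'

# count_icm_java PSTREE_TEXT : Java processes spawned by the concurrent manager
# ({java}(pid) entries are threads, not processes, and do not match)
count_icm_java() {
    printf '%s\n' "$1" | grep -o 'java([0-9]*)' | wc -l | tr -d ' '
}

# required_cache_ports OACORE_INTERNAL OACORE_EXTERNAL ICM_JAVA : number of
# ports to open, i.e. the larger oacore JVM count plus the ICM Java processes
required_cache_ports() {
    oacore=$1
    if [ "$2" -gt "$oacore" ]; then oacore=$2; fi
    echo $((oacore + $3))
}

# check_cache_range RANGE NEEDED JOC_PORT : validates a "lo-hi" value for
# s_fnd_cache_port_range against the needed count and s_java_object_cache_port
check_cache_range() {
    lo=${1%-*}; hi=${1#*-}
    case "$lo$hi" in *[!0-9]*|"") echo "FAIL malformed range '$1'"; return 1 ;; esac
    span=$((hi - lo + 1))
    if [ "$span" -lt "$2" ]; then
        echo "FAIL range $1 has $span ports but $2 JVMs need $2"; return 1
    fi
    if [ "$3" -ge "$lo" ] && [ "$3" -le "$hi" ]; then
        echo "FAIL s_java_object_cache_port $3 lies inside $1 (port conflict)"; return 1
    fi
    echo "OK   range $1 ($span ports) covers $2 JVMs; JOC port $3 is outside it"
}

# Walk through the note's example: 3 internal and 2 external oacore JVMs,
# 3 ICM Java processes, range 36500-36505, JOC port 12345 (assumed)
NEEDED=$(required_cache_ports 3 2 "$(count_icm_java "$SAMPLE_PSTREE")")
check_cache_range 36500-36505 "$NEEDED" 12345
```

The firewall rule set between the tiers should then admit exactly the validated range plus the single JOC port; anything wider than that is unnecessary exposure of the internal tier.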


5.9: Configuration Details for Using reverse proxy with No External Web Tier

This configuration requires your internal application middle tier server to have at least two network interfaces. One network interface is required for the external entry point and another for the internal entry point. These network interfaces must be configured to resolve to two different hostnames in the DNS.

For example:

/etc/hosts of Internal Server 1

130.30.21.1 internal1.company.com internal1
130.30.21.2 external1.company.com external1

5.9.1: Create a new context file for the external Web Entry Point

1. To create a context file for the external entry point, execute the command shown below:

$ perl $COMMON_TOP/clone/bin/adclonectx.pl \
    contextfile=$CONTEXT_FILE \
    outfile=<name of the output file including location>

For example:

Internal Server Name 1: internal1.company.com

External Server Name 1: external1.company.com

Context file for Internal Entry Point on Internal Server 1 including its location: /d1/applmgr/visappl/admin/VIS_internal1.xml

Context file to be created for External Entry Point on Internal Server 1 including its location: /d1/applmgr/visappl/admin/VIS_external1.xml

The script will prompt for various inputs from the user as shown in the table below. Please note that the default prompt values are provided for reference purposes only and may not reflect the actual values in your environment.

Prompt | Required Value | Comments
Enter the Apps password | |
Target System Hostname (virtual or normal) [internal1]: | external1 | Enter the physical hostname, not the virtual hostname.
Do you want the inputs to be validated (y/n) [n] ?: | Y |
Target system database SID [VIS] | VIS | Enter the target database SID
Target System Database Server Node [db-node] | db-node | Enter the hostname where the new database instance is running
Target System Base directory | /d1/home/user9/R12/apps | Enter the base directory of the APPS install
Target System Instance Home Directory [/d1/home/user9/R12/inst]: | /d1/home/user9/R12/inst |
Username for the applications file system owner [applmgr] | applmgr |
Group for the applications file system owner [dba]: | dba |
Target System Root Service [enabled] : | enabled | Must be enabled if configuring 'Web Entry Point Services' or 'Web Application Services'.
Target System Web Entry Point Services [enabled] : | enabled | Must be enabled if configuring 'Web Entry Point Services'
Target System Web Application Services [enabled]: | enabled | Must be enabled if configuring 'Web Entry Point Services'.
Target System Batch Processing Services [enabled] : | enabled | Must be enabled if configuring 'Batch Processing Services'.
Target System Other Services [disabled] : | enabled | Must be enabled if configuring 'Other Service Group'.
Do you want to preserve the Display set to internal:0.0 (y/n) [y] ?: | Y |
Do you want to preserve the port values from the source system on the target system (y/n) [y] ? | Y | It is possible that the adclone utility will report an error and prompt you to choose an alternative port pool if the services for the internal instance are running. To prevent this from happening, shut down the application tier services when you run this utility.

After you provide all the required inputs, the clonectx utility will proceed and create the new context file for the external entry point at the location specified in the command.

5.9.2: Verify and Update the New Context Files Created for the External Entry Point

AutoConfig Variable | Required Value | Comments
s_isWeb | YES | Make sure s_isWeb is set to YES. This is the default setting for all node types
s_isWebDev | YES | Make sure s_isWebDev is set to YES. This is the default setting for all node types
s_http_listen_parameter | New port for the HTTP listener | Pick a port that is not used by any other service
s_https_listen_parameter | New port for the HTTPS listener | Pick a port that is not used by any other service
s_webentryurlprotocol | Set the value to the web entry protocol | For example, the value will be either http or https
s_webentryhost | Set the value to the web entry host |
s_webentrydomain | Set the value to the web entry domain |
s_active_webport | Set the value to the active port |
s_login_page | Set the value to point to the new web entry configuration |
s_server_ip_address | Set the value of this variable to the IP address of the external facing network interface |

5.9.3: Run AutoConfig and Restart Oracle Applications Processes

1. Run AutoConfig on each Applications middle tier to complete the configuration. Please refer to the Oracle MetaLink Note 387859.1 "Using AutoConfig to Manage System Configurations with Oracle Applications R12" for more information on AutoConfig.

2. After AutoConfig completes successfully, restart the Oracle Applications server processes.

5.10: Configuration Details for Using Hardware Load Balancer with No External Web Tier

Attention

This configuration requires your internal application middle tier server to have at least two network interfaces. One network interface is required for the external entry point and another for the internal entry point. These network interfaces must be configured to resolve to two different hostnames in the DNS.

For example:

/etc/hosts of Internal Server 1

130.30.21.1 internal1.company.com internal1
130.30.21.2 external1.company.com external1

/etc/hosts of Internal Server 2

130.30.21.3 internal2.company.com internal2
130.30.21.4 external2.company.com external2

5.10.1: Create new Context Files for the External Entry Point

1. To create a context file for the external entry point, execute the command shown below:

$ perl $COMMON_TOP/clone/bin/adclonectx.pl \
    contextfile=<context file name> \
    outfile=<name of output file>

For example:


Internal Server Name 1: internal1.company.com

Internal Server Name 2: internal2.company.com

External Server Name 1: external1.company.com

External Server Name 2: external2.company.com

Context file for Internal Entry Point on Internal Server 1 including its location: /d1/applmgr/visappl/admin/VIS_internal1.xml

Context file to be created for External Entry Point on Internal Server 1 including its location: /d1/applmgr/visappl/admin/VIS_external1.xml

Context file for Internal Entry Point on Internal Server 2 including its location: /d1/applmgr/visappl/admin/VIS_internal2.xml

Context file to be created for External Entry Point on Internal Server 2 including its location: /d1/applmgr/visappl/admin/VIS_external2.xml

Database ID: VIS

For the above given example, you will enter the commands as

$ perl $COMMON_TOP/clone/bin/adclonectx.pl \
    contextfile=/d1/visappl/admin/VIS_internal1.xml \
    outfile=/d1/visappl/admin/VIS_external1.xml

$ perl $COMMON_TOP/clone/bin/adclonectx.pl \
    contextfile=/d1/visappl/admin/VIS_internal2.xml \
    outfile=/d1/visappl/admin/VIS_external2.xml

The script will prompt for various inputs from the user as shown in the table below. Please note that the default prompt values are provided for reference purposes only and may not reflect the actual values in your environment.

Prompt | Required Value | Comments
Enter the Apps password | |
Target System Hostname (virtual or normal) [internal1]: | external1 | Enter the current hostname. Most of the time it will be the same as the default value.
Do you want the inputs to be validated (y/n) [n] ?: | Y |
Target system database SID [VIS] | VIS | Enter the target database SID
Target System Database Server Node [db-node] | db-node | Enter the hostname where the new database instance is running
Target System Base directory | /d1/home/user9/R12/apps | Enter the base directory of the APPS install
Target System Instance Home Directory [/d1/home/user9/R12/inst]: | /d1/home/user9/R12/inst |
Username for the applications file system owner [applmgr] | applmgr |
Group for the applications file system owner [dba]: | dba |
Target System Root Service [enabled] : | enabled | Must be enabled if configuring 'Web Entry Point Services' or 'Web Application Services'.
Target System Web Entry Point Services [enabled] : | enabled | Must be enabled if configuring 'Web Entry Point Services'
Target System Web Application Services [enabled]: | enabled | Must be enabled if configuring 'Web Entry Point Services'.
Target System Batch Processing Services [enabled] : | enabled | Must be enabled if configuring 'Batch Processing Services'.
Target System Other Services [disabled] : | enabled | Must be enabled if configuring 'Other Service Group'.
Do you want to preserve the Display set to internal:0.0 (y/n) [y] ?: | Y |
Do you want to preserve the port values from the source system on the target system (y/n) [y] ? | Y | It is possible that the adclone utility will report an error and prompt you to choose an alternative port pool if the services for the internal instance are running. To prevent this from happening, shut down the application tier services when you run this utility.

After you provide all the required inputs, the clonectx utility will proceed and create the new context file for the external entry point at the location specified in the command.


5.10.2: Verify and Update the New Context Files Created for the External Entry Points

The table below gives a list of AutoConfig variables that need to be reviewed and edited if required.

AutoConfig Variable | Required Value | Comments
s_isWeb | YES | Make sure s_isWeb is set to YES. This is the default setting for all node types
s_isWebDev | YES | Make sure s_isWebDev is set to YES. This is the default setting for all node types
s_http_listen_parameter | New port for the HTTP listener | Pick a port that is not used by any other service
s_https_listen_parameter | New port for the HTTPS listener | Pick a port that is not used by any other service
s_webentryurlprotocol | Set the value to the web entry protocol | For example, the value will be either http or https
s_webentryhost | Set the value to the web entry host |
s_webentrydomain | Set the value to the web entry host domain |
s_active_webport | Set the value to the active port |
s_login_page | Set the value to point to the new web entry configuration |
s_server_ip_address | Set the value of this variable to the IP address of the external facing interface |
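A context file cloned with "preserve the port values" answered Y is, until the 5.9.2/5.10.2 edits are applied, an exact copy of the internal one: same listener ports, same s_server_ip_address. The script below is an added example, not Oracle's code, that checks a cloned external context file against its internal sibling for the two-entry-point setup of sections 5.9 and 5.10: the HTTP and HTTPS listener ports must differ, s_server_ip_address must be the address the hosts file gives the external hostname, and that address must differ from the internal interface. The hosts entries are the note's own for Internal Server 1; the context files, their element names, ports and paths are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of Oracle note 380490.1: checks that a context
# file cloned for an external entry point (sections 5.9 and 5.10) differs
# from the internal one where it must. The hosts entries are the ones the
# note uses for Internal Server 1; the context files, ports and element
# names are constructed assumptions.

SAMPLE_HOSTS=/tmp/dmz_hosts_sample
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1 localhost
130.30.21.1 internal1.company.com internal1
130.30.21.2 external1.company.com external1
EOF

# write_ctx FILE HOST IP HTTP_PORT HTTPS_PORT : constructed context fragment
write_ctx() {
cat > "$1" <<EOF
<oa_context>
  <hostname oa_var="s_hostname">$2</hostname>
  <server_ip_address oa_var="s_server_ip_address">$3</server_ip_address>
  <http_listen_parameter oa_var="s_http_listen_parameter">$4</http_listen_parameter>
  <https_listen_parameter oa_var="s_https_listen_parameter">$5</https_listen_parameter>
  <isWeb oa_var="s_isWeb">YES</isWeb>
</oa_context>
EOF
}

INT_CTX=/tmp/dmz_VIS_internal1.xml
EXT_CTX=/tmp/dmz_VIS_external1.xml
RAW_CTX=/tmp/dmz_VIS_external1_unedited.xml
write_ctx "$INT_CTX" internal1 130.30.21.1 8000 4443
write_ctx "$EXT_CTX" external1 130.30.21.2 8001 4444
# A clone with "preserve the port values" answered Y and 5.9.2 not yet applied
write_ctx "$RAW_CTX" external1 130.30.21.1 8000 4443

# ctx_get FILE VAR : text of the element whose oa_var attribute is VAR
ctx_get() {
    sed -n "s/.*oa_var=\"$2\"[^>]*>\([^<]*\)<.*/\1/p" "$1" | head -n 1
}

# hosts_ip HOSTSFILE NAME : address that the hosts file maps NAME to
hosts_ip() {
    awk -v n="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$1"
}

# check_external_ctx INTERNAL_CTX EXTERNAL_CTX HOSTSFILE : returns 0 when the
# external file can coexist with the internal one on the same server
check_external_ctx() {
    int=$1; ext=$2; hosts=$3; rc=0
    for var in s_http_listen_parameter s_https_listen_parameter; do
        if [ "$(ctx_get "$int" "$var")" = "$(ctx_get "$ext" "$var")" ]; then
            echo "FAIL $var is the same in both context files"; rc=1
        fi
    done
    ext_ip=$(ctx_get "$ext" s_server_ip_address)
    want=$(hosts_ip "$hosts" "$(ctx_get "$ext" s_hostname)")
    if [ -z "$want" ] || [ "$ext_ip" != "$want" ]; then
        echo "FAIL s_server_ip_address $ext_ip does not match the hosts entry '$want'"; rc=1
    fi
    if [ "$ext_ip" = "$(ctx_get "$int" s_server_ip_address)" ]; then
        echo "FAIL external and internal entry points share one IP address"; rc=1
    fi
    if [ "$(ctx_get "$ext" s_isWeb)" != "YES" ]; then
        echo "FAIL s_isWeb is not YES"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK   $ext is a distinct external entry point"; fi
    return $rc
}

check_external_ctx "$INT_CTX" "$EXT_CTX" "$SAMPLE_HOSTS"
```

Running the same check on the unedited clone reports the shared ports and the internal address, which is exactly the state the note's table asks you to correct before AutoConfig; an external listener bound to the internal interface would otherwise expose the internal entry point through the DMZ-facing firewall rule.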

5.10.3: Run AutoConfig and Restart Oracle Applications Processes

1. Run AutoConfig on each Applications middle tier to complete the configuration. Please refer to the Oracle MetaLink Note 387859.1 "Using AutoConfig to Manage System Configurations with Oracle Applications R12" for more information on AutoConfig.

2. After AutoConfig completes successfully, restart the Oracle Applications server processes.

Appendices

A. List of External Facing Oracle E-Business Suite Release 12 Products
B. Oracle E-Business Suite Release 12 Product Specific Configurations
C. Configuration Option for Functionally Directed Load Distribution
D. Reverse Proxy Configuration
E. Configuring the URL Firewall
F. List of Ports to Open in a DMZ Configuration
G. Configuring Multiple Web Entry Points and DMZs with Single Sign-On
H. Troubleshooting
I. Disabling E-Business Suite Release 12 Application Services on the External Web Tier
J. Disabling "About this page" Link From the Release 12 Login Page
K. Related Documentation

Appendix A : List of External Facing Oracle E-Business Suite Release 12 Products

Below is a list of Oracle certified E-Business Suite Release 12 products that can be deployed for external use. If you are planning on deploying a product that is not listed in the table below, log a Service Request with Oracle Support requesting certification of that product for external deployment. The "URL Firewall Rules" column indicates whether there are any special rules that need to be enabled in the URL firewall for the product to function. A "Yes" in the column indicates there are special rules.

Product Name | Product ID | Product Code | Product Family | URL Firewall Rules | Patch Requirement
iSupplier Portal | 208 | POS | Procurement | Yes |
Oracle Sourcing | 1273 | PON | Procurement | Yes |
Oracle Receivables | 1106 | OIR | Financials | Yes |
iRecruitment | 1193 | IRC | Human Resources | Yes |
Oracle Time and Labor | 310 | OTL | Human Resources | Yes |
Oracle Learning Management | 810 | OTA | Human Resources | Yes |
Self Service Benefits | 290 | BEN | Human Resources | No |
Self Service Human Resources | 1566 | SSHR | Human Resources | No | FP.KRup2
Oracle iSupport | 381 | IBU | CRM | Yes |
Oracle iStore | 384 | IBE | CRM | Yes |
Oracle Marketing | 229 | AMS | CRM | Yes |
Oracle Partner Relationship Management | 1065 | PRM | CRM | Yes |
Oracle Survey | 1578 | IES | CRM | Yes |
Oracle Transportation | 1060 | FTE | Manufacturing | Yes |
Oracle Contracts Core | 154 | OKC | Manufacturing | N/A |
Oracle Service Contracts | 432 | OKS | Manufacturing | N/A |
Oracle Collaborative Planning | 1037 | SCE | Manufacturing | Yes |
Oracle User Management | 1475 | UMX | Application Object Library | No |
Order Information Portal | 660 | ONT | Order Management | No |
Oracle Sales for Handhelds | 1558 | ASP | CRM | Yes |
Oracle Internet Expenses | 397 | OIE | Financials | No |
Oracle Performance Management | 2010 | OPM | Human Resources | No |
Compensation Workbench | 4427 | CWB | Human Resources | No |
Oracle Payroll | 506 | PAY | Human Resources | No |
Oracle Quoting | 1296 | QOT | CRM | No |
Oracle Field Service Third Party Portal | 747 | FSE | CRM | No |

Appendix B : Oracle E-Business Suite Release 12 Product Specific Configurations

B1: Oracle E-Business Suite Release 12 Product Specific Configurations

B1.1: Additional Configurations for iStore

B1.1.1: Time-To-Live Settings for Cached Objects
B1.1.2: Deploying iStore Pages in Http & Https Configuration

B1.2: AltBatchValidateURL Setting for iStore Integration with Oracle Configurator

B2: Forward Proxy Configuration

B1: Oracle E-Business Suite R12 Product Specific Configurations

If any of the following products are installed and configured, you must refer to the respective documents as shown in the table below for more information on which responsibilities can be made externally accessible from the Internet.

Please refer to section 5.3: Update List of Responsibilities for the necessary steps to make the responsibilities listed below available on the external web server.

To perform any product-specific profile settings, you must refer to the respective product documents shown below.

Product Name | Externally Accessible Responsibilities | Additional Profile Settings | Additional Documents
iSupplier Portal | iSupplier Portal Full Access; POS Supplier Guest User; Plan to Pay Supplier View; Plan, Source, Pay Supplier View; Source to Pay Supplier View; Supplier Profile Manager; Procure to Pay Supplier View | POS: External URL; POS: Internal URL | Oracle iSupplier Portal Documentation Resources R12 Note:396880.1; Enable Web Access By External Supplier Users to Oracle iSupplier Portal Documentation Resources R12 and Oracle Sourcing Documentation Resources R12 Note:396879.1
Oracle Sourcing | Sourcing Supplier | PON: External Applications Framework Agent; PON: External login URL | Oracle Sourcing Documentation Resources R12; Enable Web Access By External Supplier Users to Oracle iSupplier Portal Documentation Resources R12 and Oracle Sourcing Documentation Resources R12 (Note
iSupport | iSupport Business User; iSupport Guest User; iSupport Individual User; iSupport Primary User; iSupport Site: Business User; iSupport Site: Individual User; iSupport Site: Guest User; iSupport Site: Primary User | | Oracle iSupport Implementation and Administration Guide
iStore | IBE_CUSTOMER | IBE: iStore Secure URL; IBE: iStore Non Secure URL | Oracle iStore Implementation and Administration Guide. Refer to Appendix B1.1 for additional required configuration steps for iStore.
iRecruitment | iRecruitment External Site Visitor; iRecruitment External Candidate; iRecruitment Employee Site Visitor; iRecruitment Employee Candidate; iRecruitment Agency | | Oracle iRecruitment Implementation and User Guide
Oracle Learning Management | Learner Self-Service | | Oracle Learning Management Implementation Guide
Oracle iReceivables | iReceivables Account Management; iReceivables 2.0 Anonymous Internal | | Oracle iReceivables Implementation Guide
Oracle Transportation Execution | Transportation Execution Carrier User | | Oracle Transportation Execution User Guide in the Virtual Applications Documentation Library
Oracle Partner Relationship Management | Partner Super User; Default Partner User | PV: Locator Server URL; PV: System Login URL; PV: iStore Login URL; PV: Self Service URL with Workflow Notification | Oracle Partner Management Implementation and Administration Guide
Oracle Marketing | None for this product | AMS : Server URL | Oracle Marketing Implementation Guide
Oracle Contracts Core | OKC: Contracts Online - External Party Access | |
Oracle Service Contracts | Service Contracts Electronic Renewals; Service Contracts Online Acceptance | |
Oracle Collaborative Planning | Supply Chain Collaboration Planner; Supply Chain Collaboration Manager | | Oracle Collaborative Planning Implementation and User's Guide
Order Information Portal | Order Information External User | OM: Records on Summary Page for External Users; OM: Customer Service Feedback; OM: Customer Service Report Defect | Oracle Order Management Implementation Manual in the Virtual Applications Documentation Library. Refer to section 8.6 Order Information
Self Service Human Resource | Employee Self-Service; Manager Self-Service | |
Oracle Internet Expenses | Internet Expenses; Expenses Analysis and Reporting | |
Oracle Payroll | Online Payslip (For localizations); W2 and W4 for US Legislation | |
Oracle Quoting | Quoting User | |
Oracle Field Service Third Party Portal | Field Service Technical Portal; Field Service Third Party Administrator Portal; Field Service Third Party Technician Portal | |
Oracle Sales for Handhelds | Wireless Sales User | |

B1.1: Additional Configurations for iStore

B1.1.1: Time-To-Live Setting for Cached Objects

iStore uses the Java caching framework to cache frequently used objects in the JVM. Each JVM will have a copy of an object in the Java Cache. When an object is updated by one JVM, it is invalidated in all JVMs across all Applications middle tier servers.

At the present time, cache updates in the Applications internal middle-tier server will not get reflected in the Applications external web server. There are a couple of options to work around this known issue:

1. Shut down and restart the Oracle HTTP server on the Applications external web server when an object in a cache is updated on the Applications internal middle-tier server. When JVMs are restarted, objects will be freshly fetched into the cache.

2. Set Time-To-Live values for certain cache components so that these cache objects are invalidated on a periodic basis. Cache objects get refreshed when they are accessed for the first time after an invalidation. Since Time-To-Live values themselves are cached, the Oracle HTTP server on the Applications external middle-tier server needs to be bounced once for the new values to take effect.

   The exact Time-To-Live values will depend upon business requirements, how often objects in a cache component are updated and what the tolerance level is for having stale objects in the cache. Information on setting up the Time-To-Live interval is available at:

   Oracle® Applications CRM System Administrator's Guide in the Virtual Applications Documentation Library, Sections Managing Component Caches and Editing Component Cache Details.

   iStore uses Java Cache extensively to cache product catalog objects. Information on iStore Cache Components is available at:

   Oracle® iStore Implementation and Administration Guide in the Virtual Applications Documentation Library, Section Component Caches for Oracle iStore in JTT.

B1.1.2: Deploying iStore Pages in Http & Https Configuration

For better performance, it is recommended to deploy iStore public pages under HTTP and employ HTTPS only for those pages and processes that transmit sensitive data. In a DMZ deployment, this requires the reverse proxy server to listen on two ports, one for HTTP and the other for HTTPS. Both the HTTP and HTTPS reverse proxy listeners should be configured to forward the requests to the external web server. In this configuration, the values of the profiles "IBE: iStore Non Secure URL" and "IBE: iStore Secure URL" should point to the HTTP and HTTPS reverse proxy server URL respectively.

If iStore public pages are also deployed via HTTPS, the values of both the profiles "IBE: iStore Non Secure URL" and "IBE: iStore Secure URL" should point to the HTTPS reverse proxy server and port and cannot be left empty. Refer to section "Setting up Secure Socket Layer Connections" of the Oracle® iStore Implementation and Administration Guide in the Virtual Applications Documentation Library for more details.

B1.1.3: AltBatchValidateURL Setting for iStore Integration with Oracle Configurator

In a DMZ configuration, it is likely that the database installed in the intranet cannot communicate with the external application middle tier, because the external web server port is not opened on the firewalls that separate the intranet servers from the DMZ servers. In such situations, AltBatchValidateURL should be set to the URL of the configurator servlet on the internal application middle tier server.

B1.1.4: iStore Restrictions on Multiple Domains

iStore profile options IBE_SECURE_URL and IBE_NON_SECURE_URL are set at the site level for an E-Business Suite environment.

Due to this restriction, deploying iStore in a DMZ configuration where the internal and external domains differ will result in intermittent losses of end-usersession information and user redirects to the incorrect minisites. This known issue is expected to be resolved in future iStore releases.

B2: Forward Proxy Configuration

The DMZ Forward Proxy should be configured whether or not a DMZ Reverse Proxy is used, and must be configured to handle outbound DMZ-to-Internet and outbound DMZ-to-Intranet HTTP traffic. An Oracle E-Business Suite Application Tier configured in the DMZ must have access to a forward proxy server. This is required by the external modules configured in the DMZ for connecting to external/internal sites to perform certain tasks, such as resume parsing for iRecruitment. Other modules that are known to use the forward proxy are Oracle Transportation Management and Oracle Partner Relationship Management.

Set the proxy variables in the applications context file as shown in the table below and run autoconfig:

Context Variable Name | Default Value | Changed Value | Description
s_proxyhost | null | myproxy.company.com | Forward Proxy Host
s_proxyport | null | 80 | Forward Proxy Port
s_proxybypassdomain | s_domainname | *.company.com | Forward Proxy Bypass Domain

All application tier nodes, both in the DMZ and in the intranet, must use the same proxy server. Please work with your system administrator to obtain the correct values for the proxy variables.

Firewall Impact:

1. If the DMZ Forward Proxy is separated from the DMZ by a DMZ outbound firewall, then the customer needs to change the DMZ outbound firewall configuration to allow for outbound DMZ-to-"DMZ Forward Proxy" HTTP communication.

2. If the DMZ Forward Proxy is within the DMZ, then the customer needs to change the DMZ outbound firewall configuration to allow for outbound "DMZ Forward Proxy"-to-Internet and outbound "DMZ Forward Proxy"-to-Intranet HTTP communication.

Appendix C: Configuration Option for Functionally Directed Load Distribution

This is not a certified configuration option; it is currently supported on a best-effort basis. Oracle E-Business Suite customers can direct load to specific machines based on user responsibilities.

1. Apply all the patches mentioned in Section 3: Required Patches.
2. Use the SERVRESP profile hierarchy type for the profiles mentioned in Section 5.1: Update Hierarchy Type.
3. Assign values at the responsibility and server combination level for the profiles listed in Section 5.1.

For example, setting the profiles listed in Section 5.1 at the responsibility level for HR responsibilities will send all HR users to one specific entry point. The entry point represents one specific machine or a load-balanced group of machines (that is, the load balancer entry point).

Appendix D: Reverse Proxy Configuration

A reverse proxy server is an intermediate server that sits between a client and the actual web server and makes requests to the web server on behalf of theclient. The client is unaware of the presence of the reverse proxy.

Benefits of using a reverse proxy server are:


- Adds a level of isolation between the client and the actual server
- Allows using the standard web port numbers (80 and 443) on the external interface while running the actual web server on higher-numbered ports, thus avoiding having to start the actual web application server processes as root
- Allows rules (or filters) that limit the HTTP requests presented to the actual web server
- Optionally allows caching of content

A number of options exist for choosing a reverse proxy:

1. Use the Oracle 10g Application Server standalone version
2. Use Oracle Application Server Web Cache
3. Use Apache httpd from http://httpd.apache.org
4. Use one of the many commercially available reverse proxies, which often provide some level of added security as well

There are pros and cons for each of these solutions; choose according to your preferences, supportability, existing IT standards and local policies.

The table below presents some advantages and disadvantages of each option.

Software: Oracle 10g Application Server Standalone / Oracle HTTP Server
  Advantages:
    - Supported by Oracle
    - Can directly use the URL Firewall, as the mod_rewrite module is configured with this server
    - Certified with Oracle E-Business Suite in a DMZ configuration
  Disadvantages:
    - None listed

Software: Oracle Application Server Web Cache
  Advantages:
    - Standalone version available
    - Supported by Oracle
    - Can cache E-Business Suite content
    - Supports filtering of URLs
  Disadvantages:
    - Does not understand the rewrite rules of the URL Firewall

Software: Apache httpd from the Apache Software Foundation
  Advantages:
    - Reputable provider of open source software
    - Available on many platforms
    - Can be configured and built to include only the required modules
    - Widely used web server
    - Can directly use the URL Firewall, as the mod_rewrite module can be configured with this server
    - Certified with Oracle E-Business Suite in a DMZ configuration
    - Well known, well documented
  Disadvantages:
    - You will have to download, compile, install and test the proxy

Software: Commercially available reverse proxy servers
  Advantages:
    - Supported by the software vendor
    - May support URL filtering and content rewriting
    - May integrate with a pre-selected enterprise single sign-on
  Disadvantages:
    - Not certified with Oracle E-Business Suite in a DMZ configuration
    - May not understand the rewrite rules of the URL Firewall

If you choose to use Oracle Web Cache as your reverse proxy server, refer to Oracle MetaLink Note 380486.1: Installing and Configuring Web Cache 10g and Oracle E-Business Suite 12.

The remainder of this appendix describes the steps required to set up a reverse proxy based on Apache 2 from httpd.apache.org.

Apache 2.0 was selected for the following reasons:

- It can be built in a minimal configuration
- It supports HTTP/1.1, for better performance
- It is well known, and the configuration steps described for the Apache-based reverse proxy will be useful when configuring any other reverse proxy

Building an Apache based Reverse Proxy from Source

Apache is available from httpd.apache.org. It is recommended that you download the source code and configure and build the executables locally. This allows you to build Apache with only the modules required for reverse proxy duty. The following modules will be built and added to the Apache server for additional security:

- mod_ssl, to provide encrypted HTTPS connections across the Internet. Note that this may require you to purchase a certificate from a well-known and trusted Certificate Authority (CA) such as Verisign or GoDaddy.
- mod_security, for its ability to discover and block requests that are obviously malformed: the null byte check, the URL encoding check, directory traversal prevention and the UTF-8 Unicode checks.
- mod_rewrite, as this is the engine used to implement the URL Firewall.

If you are using an Apache 1.3.x version, it is important to consider the load order (and thus the execution order) of the various modules. The modules should be loaded in such an order that they execute in the following sequence:

1. mod_security: reject obviously bad requests before anything else happens
2. mod_rewrite: check for an allowed URL before mod_proxy hands the request over to the external web tier
3. mod_proxy: proxy only requests that seem valid (that have passed the two filtering steps above) to the external web tier

Apache 2.0.x will require a source code change to ensure the proper execution order. This will be covered in the instructions below.

Build Apache2 for Secure Proxy Configuration

The instructions for building an Apache 2.0 based reverse proxy are provided as a convenience. Although following them is expected to produce a working Apache 2.0 reverse proxy, the instructions and sample files are provided "as-is" and do not necessarily represent security best practice; confirm suitability by your own verification and testing. Oracle does not support Apache, nor does it make any specific claims about its suitability for your business requirements. If you have questions or issues about configuring Apache 2.0 as a reverse proxy, review the Apache documentation (http://httpd.apache.org/docs/) and/or direct your query to the appropriate Apache.org forum (http://httpd.apache.org/docs/2.2/faq/).

The steps described below compile and link the following modules into the Apache 2 server:

- mod_proxy
- mod_proxy_http
- mod_rewrite
- mod_ssl
- mod_setenvif
- mod_security

Obtain the Apache httpd source code (2.0.54 at the time these steps were written) from http://httpd.apache.org/download.

$ export http_proxy=http://www-proxy:80        # if you need a proxy to get out
$ cd ; mkdir src ; cd src                      # go to the build source directory
$ lynx http://httpd.apache.org/download        # navigate to a mirror and save the .tar.gz and .md5 files
$ wget http://www.modsecurity.org/download/modsecurity-1.8.7.tar.gz
$ wget http://www.modsecurity.org/download/modsecurity-1.8.7.tar.gz.md5

Check that the tarballs and the MD5 files are present in the directory and verify the MD5 checksums. An MD5 match only shows that the download is not corrupt or truncated; to check that the tarball is the one Apache released, also verify the PGP signature (.asc file) that Apache publishes alongside it.

$ ls -l

total 7672

-rw-r--r-- 1 egravers egravers 59 Mar 5 07:47 modsecurity-1.8.7.tar.gz.md5

-rw-r--r-- 1 egravers egravers 313004 Mar 5 07:47 modsecurity-1.8.7.tar.gz

-rw-r--r-- 1 egravers egravers 54 Jul 14 14:34 httpd-2.0.54.tar.gz.md5

-rw-r--r-- 1 egravers egravers 7508193 Jul 14 14:36 httpd-2.0.54.tar.gz

$ md5sum -c httpd-2.0.54.tar.gz.md5             # prints "httpd-2.0.54.tar.gz: OK"; anything else means a bad download

$ md5sum -c modsecurity-1.8.7.tar.gz.md5        # prints "modsecurity-1.8.7.tar.gz: OK"

Unpack the tarballs:

$ tar xzvf httpd-2.0.54.tar.gz

$ tar xzvf modsecurity-1.8.7.tar.gz

Configure Apache. Put the configure command in a small script (runc.sh) so that you have a record of how it was configured:

$ cd httpd-2.0.54

$ ./configure --prefix=/dmz \
    --enable-ssl \
    --enable-setenvif \
    --enable-proxy \
    --enable-proxy_http \
    --enable-headers \
    --enable-rewrite \
    --enable-so \
    --disable-charset-lite \
    --disable-include \
    --disable-env \
    --disable-status \
    --disable-autoindex \
    --disable-asis \
    --disable-cgi \
    --disable-negotiation \
    --disable-imap \
    --disable-actions \
    --disable-userdir \
    --disable-alias


Before compiling, a small change must be made to the source of mod_proxy.c. This ensures that mod_proxy does not proxy a request to the external web tier before the mod_rewrite based URL Firewall has had a chance to reject it: mod_proxy's translate_name hook is registered so that it is called after mod_rewrite's hook.

$ cd ~/src/httpd-2.0.54/modules/proxy    # mod_proxy.c lives under the httpd build directory

$ cp mod_proxy.c mod_proxy.c.dist         # keep the original so the diff below can be reproduced

$ diff mod_proxy.c mod_proxy.c.dist

1085c1085 < ap_hook_translate_name(proxy_trans, NULL, NULL, APR_HOOK_FIRST); --- > ap_hook_translate_name(proxy_trans, aszSucc , NULL, APR_HOOK_FIRST);
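Review bot: the direction of this hunk contradicts the instruction in the next sentence. With `diff mod_proxy.c mod_proxy.c.dist`, the `<` line comes from the edited mod_proxy.c and the `>` line from the saved original, so the `<` line should be the one carrying aszSucc; as printed, the `<` line still has NULL. Either swap the operands to `diff mod_proxy.c.dist mod_proxy.c` or swap the two lines, so that a reader checking their edit against the hunk is not misled. Note also that aszSucc is the `{ "mod_rewrite.c", NULL }` array already declared at the top of register_hooks() in the 2.0.x source, so no new declaration is needed; only the second (predecessor) argument of ap_hook_translate_name changes.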

All you have to do is change the second parameter of ap_hook_translate_name from NULL to aszSucc and save the file.

Both modules want this hook to be called early (APR_HOOK_FIRST), but neither states a preference about its ordering relative to other modules. The change registers that mod_proxy wants to be called after mod_rewrite.

$ cd ../.. # back to main build directory

$ make

Check that the expected modules are included (and no others)

$ ./httpd -l

Compiled in modules:
  core.c
  mod_access.c
  mod_auth.c
  mod_log_config.c
  mod_headers.c
  mod_setenvif.c
  mod_proxy.c
  proxy_http.c
  mod_ssl.c
  prefork.c
  http_core.c
  mod_mime.c
  mod_dir.c
  mod_rewrite.c
  mod_so.c

As root, install Apache to /dmz:

$ su

# umask 022

# make install

# chown -R root:sys /dmz

As root, install mod_security:

# cd ../modsecurity-1.8.7/apache2/

# /dmz/bin/apxs -cia mod_security.c

At this point Apache 2.0 is installed in /dmz. Try to start the server with apachectl. The installed httpd.conf contains directives for modules that were not built, so the start will fail; remove the offending directives one at a time, attempting a start after each fix, until Apache actually starts. After completing the above steps, the following directives had to be removed:

- UserDir
- Alias
- AliasMatch
- RedirectMatch
- ScriptAlias
- IndexOptions FancyIndexing VersionSort
- AddIconByEncoding
- AddIconByType
- AddIcon
- DefaultIcon
- ReadmeName
- HeaderName
- IndexIgnore
- LanguagePriority
- ForceLanguagePriority

Once you have sanitized the default httpd.conf file, you can proceed and test.

Start apache without SSL

# /dmz/bin/apachectl start

Verify that server is running and is listening on port 80 (http)

# netstat -lntp | sort -t: -k2,2n

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3993/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      24772/httpd

Success: httpd is listening on port 80. You can verify that the server is working by pointing a browser at http://site/index.html.en. Note that you have to specify the full name of the index.html.NN file, including the language suffix, because mod_negotiation was not built into this Apache server: mod_dir is present (see the httpd -l output above), but the default DirectoryIndex resolves through the index.html.var type map, which needs mod_negotiation.

Stop the apache http server

# /dmz/bin/apachectl stop

Setting up the SSL certificate

Follow the instructions below to generate a self-signed certificate for test purposes. The encryption is as strong as with a purchased certificate, but browsers will warn users about an unrecognized (untrusted) Certificate Authority. For your real deployment you will need an SSL certificate from a Certificate Authority that browsers trust.

Generating and installing a test certificate:

# cd /dmz/conf

# umask 022

# mkdir ssl.key

# mkdir ssl.crt

# mkdir ssl.crl

# openssl req \
    -new \
    -x509 \
    -days 30 \
    -keyout ssl.key/server.key \
    -out ssl.crt/server.crt \
    -subj '/CN=Test-Only Certificate'    # prompts for a key pass phrase; add -nodes for an unencrypted test key

# chmod 600 ssl.key/server.key # private key; root and only root should have access

Start apache with SSL

# /dmz/bin/apachectl startssl

Verify that server is running and is listening on both port 80 (http) and 443 (https):

# netstat -lntp | sort -t: -k2,2n

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3993/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      24772/httpd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      24772/httpd

Success: httpd is listening on ports 80 and 443.

You can verify that the server is working by pointing a browser at http://site/index.html.en and https://site/index.html.en.

As before, you have to specify the full name of the index.html.NN file (including the language suffix) because mod_negotiation was not compiled into this Apache build. Note also that your browser will complain when accessing the https URL, as it does not recognize the Certificate Authority that signed the SSL certificate.

At this point all the required infrastructure pieces are working, and it is time to configure Apache for proxy duty.

The following configuration files are needed in /dmz/conf:

- httpd.conf: the Apache configuration file
- security.conf: makes mod_security stop obviously bad requests
- url_fw.conf: allows only the required URLs through (see Appendix E: Configuring the URL Firewall)

This is covered in the Install and Configure section below.

Install and configure

When the executables have been built and installed, it is time to configure the runtime settings in the configuration files. This includes:

- Configuring Apache httpd (on port 80)
- Configuring mod_ssl and the certificate (on port 443)
- Configuring mod_proxy (pass the entire URL space to the external web tier)
- Configuring mod_security
- Configuring the URL Firewall

Below is a diagram of the deployment. Presumably you will have a firewall in front of the reverse proxy and another between the reverse proxy and the external web tier.

Oracle recommends that all E-Business Suite traffic over the Internet be encrypted, that is, use HTTPS on the standard port 443/tcp. Users may expect to just type the hostname of your external site into the address field of their browser, which causes the browser to prepend http:// and assume the default HTTP port 80/tcp. To accommodate such users, the reverse proxy should accept this initial connection on the standard HTTP port 80/tcp and immediately redirect the browser to the standard HTTPS port.

This can be achieved by using the following rewrite rule for the port 80 virtual host:

RewriteRule ^/(.*) https://www.example.com/$1 [R,L]

Oracle iStore uses both HTTP and HTTPS for performance reasons, and the iStore application switches between the two protocols as required.

This means that for deployments including iStore, the http/80/tcp virtual host must not contain the redirect-all-to-HTTPS rule. Instead, the initial page and the http and https links from it must be selected carefully. We also want to ensure that a user cannot call over HTTP any of the URLs that are supposed to run over HTTPS (a user could deliberately change the URL in the browser from https:// to http://). We ensure that by accepting in the http virtual host only the subset of iStore URLs that are considered non-sensitive.

You can download the fully functioning configuration files, httpd.conf and security.conf. Note that an updated copy of security.conf is provided with the Oracle E-Business Suite installation; you must use the security.conf shipped with the Oracle E-Business Suite installation. The security.conf provided with this document is for reference only.


The assumptions made while creating these config files are:

- the reverse proxy will be accessed via the hostname www.example.com
- the E-Business Suite external web tier is called extweb.example.com
- the server admin is [email protected]
- the Apache proxy was configured and installed in /dmz

You will have to modify the files to reflect your host and domain names and the location of /dmz. Once you have modified the two configuration files and copied them to /dmz/conf/, it is time to test the proxy.

# /dmz/bin/apachectl start        # note that you do not need startssl

# netstat -lntp | sort -t: -k2,2n

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3993/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2472/httpd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2472/httpd

Once you have tested the reverse proxy with the above two configuration files, it is time to prepare for installation on the production hardware in the DMZ.

# /dmz/bin/apachectl stop

# rm -f /dmz/logs/* # delete old log files

# rm -rf /dmz/manual* # delete the Apache documentation

# tar cvzf /dmz.tgz /dmz # tar up the runtime proxy

Copy the /dmz.tgz file from the test box to root's home directory on the DMZ host and install it.

dmz# cd /

dmz# tar xvzf ~/dmz.tgz # unpack the runtime proxy

Edit the configuration files to reflect host names and port numbers for the production DMZ, and install the real, CA signed SSL certificate.

Then start the reverse proxy

dmz# /dmz/bin/apachectl start

dmz# netstat -lntp | sort -t: -k2,2n

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      993/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2234/httpd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2234/httpd
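Reading the netstat listing by eye works once; on a DMZ host it is worth turning into a check that fails when anything other than sshd on 22 and httpd on 80 and 443 is listening, or when 443 is missing (the symptom of a proxy started without its SSL virtual host). The Python below is an added example, not part of this note, that parses netstat -lntp output into (address, port, program) rows and compares them with that expectation; the two sample listings are constructed for the example in the shape shown above, with an extra sendmail line added to show a flagged service.

```python
# Added example (not part of the Oracle note): audit `netstat -lntp` output
# from the DMZ host against the listeners the appendix expects.  The sample
# output below is constructed for this example in the shape the note shows;
# the sendmail line is there to demonstrate a flagged service.
import re

EXPECTED_LISTENERS = {22: "sshd", 80: "httpd", 443: "httpd"}

NETSTAT_WITH_SSL = """Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      993/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2234/httpd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2234/httpd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1100/sendmail
"""

# What you see when the proxy came up without its SSL virtual host.
NETSTAT_NO_SSL = """Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      993/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2234/httpd
"""

LISTEN_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN\s+"
    r"(?:(?P<pid>\d+)/(?P<prog>\S+)|-)"
)


def parse_listeners(netstat_text):
    """Return a list of (addr, port, program) for each LISTEN row.  The
    program is '' when netstat prints '-' (it was not run as root)."""
    rows = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            rows.append((m["addr"], int(m["port"]), m["prog"] or ""))
    return rows


def audit_listeners(netstat_text, expected=EXPECTED_LISTENERS):
    """Compare listeners with the expected port -> program map.
    Returns (unexpected, missing): rows that should not be listening (a port
    not in the map, or an expected port held by another program) and expected
    ports with no listener.  Loopback-only services are reported too: on a
    DMZ host a compromised proxy process can reach them."""
    rows = parse_listeners(netstat_text)
    unexpected = [r for r in rows if expected.get(r[1]) != r[2]]
    present = {port for _, port, _ in rows}
    missing = sorted(port for port in expected if port not in present)
    return unexpected, missing


if __name__ == "__main__":
    for label, text in (("with SSL", NETSTAT_WITH_SSL), ("no SSL", NETSTAT_NO_SSL)):
        unexpected, missing = audit_listeners(text)
        print(f"{label}: unexpected={unexpected} missing={missing}")
```

On the real host, feed it `netstat -lntp` output run as root (otherwise the PID/Program column is "-" and every row is flagged as an unknown program), and treat any non-empty result as a reason not to open the external firewall yet.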

The next step is to configure the URL Firewall on the reverse proxy for the Oracle E-Business Suite products you wish to expose to external parties. Once done, make sure that httpd.conf on the reverse proxy includes the customized url_fw.conf, and restart (bounce) the reverse proxy.

Below is a list of references related to building a secure Apache proxy; check them for additional explanation of many of the configuration decisions made above, or for better ideas on how to build your own.

- Apache 2 with SSL/TLS Step-by-Step, Part 1: http://www.symantec.com/connect/articles/apache-2-ssltls-step-step-part-1
- Apache 2 with SSL/TLS Step-by-Step, Part 2: http://www.symantec.com/connect/articles/apache-2-ssltls-step-step-part-2
- Apache 2 with SSL/TLS Step-by-Step, Part 3: http://www.symantec.com/connect/articles/apache-2-ssltls-step-step-part-3
- Running a Reverse Proxy with Apache (2): http://www.apacheweek.com/features/reverseproxies
- Web Security Appliance With Apache and mod_security: http://www.securityfocus.com/infocus/1739
- Compiling and installing Apache from source: http://httpd.apache.org/docs-2.0/install.html
- The mod_proxy documentation: http://httpd.apache.org/docs-2.0/mod/mod_proxy.html
- All you ever wanted to know about mod_security: http://www.modsecurity.org/

Although the following topics are beyond the scope of this document, system administrators are advised to consider them before deploying a reverse proxy into an environment:


- O/S hardening
- Load balancing for redundancy (avoiding single points of failure)
- Fail-over strategies
- Log rotation and analysis

Appendix E: Configuring the URL Firewall

The purpose of the URL Firewall is to ensure that only URLs required for the externally exposed functionality can be accessed from the internet.

The URL Firewall is implemented as a whitelist of the required URLs; any request for a URL that does not match the whitelist is refused. This limits the exposure of your Oracle E-Business Suite deployment by reducing the attack surface available to external parties.

The URL Firewall can be deployed on the external web tier or on the reverse proxy. If you are deploying a reverse proxy that can process mod_rewrite rules, we recommend deploying the URL Firewall on the reverse proxy, in order to reject unauthorized requests as early as possible.

The URL Firewall is shipped as an Apache configuration file containing rewrite rules interpreted by mod_rewrite. The URL Firewall configuration file (url_fw.conf) is generated on all web tiers by the AutoConfig utility. To include this configuration file in the Oracle HTTP Server configuration file (httpd.conf), perform the following steps:

Change the value of the AutoConfig variable s_enable_urlfirewall. By default the value of this variable is '#', which indicates that the URL Firewall is disabled. To enable the URL Firewall, remove the pound sign '#'.

Ensure that on nodes marked as external this configuration file is included in the HTTP server configuration.

The file consists of blocks of URLs that may be required depending on the deployed product mix, and ends with a rule that rejects any request not matched by one of the enabled rules. You have to edit this file manually to enable the URLs in the blocks that correspond to the product(s) you are deploying for external access.
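The three-stage pipeline described in this appendix and in Appendix D (mod_security rejects malformed requests, the mod_rewrite URL Firewall admits only whitelisted paths with a closing deny rule, and only then does mod_proxy forward to the external web tier, while the port-80 virtual host redirects everything to HTTPS) is easy to get subtly wrong, so the Python below models it end to end. It is an added example, not code from this note or from the shipped url_fw.conf: the rule set is an illustrative sketch of the INITIAL PAGE, STATIC, COMMON, LOCAL, IRC and IBE blocks using URLs this document mentions, www.example.com and extweb.example.com are the hostnames Appendix D assumes, and the backend port 8000 is an assumption.

```python
# Added example (not part of the Oracle note): a model of the reverse-proxy
# request pipeline the appendix describes -- mod_security style sanity checks
# first, then the mod_rewrite URL Firewall allow-list, and only then handing
# the request to mod_proxy.  The rule set below is an illustrative sketch of
# url_fw.conf, not the shipped file; the host names are the appendix's
# www.example.com / extweb.example.com, the backend port is an assumption.
import re
from urllib.parse import unquote

PUBLIC_HOST = "www.example.com"
EXTERNAL_WEB_TIER = "http://extweb.example.com:8000"   # assumed backend URL

# (block, anchored pattern, redirect target).  A redirect target models a
# "RewriteRule ... [R,L]"; None models a match that is passed to mod_proxy.
# Only the first matching rule of an enabled block applies ([L]).
URL_FW_RULES = [
    ("INITIAL PAGE", r"^/$", "/OA_HTML/AppsLogin"),
    ("STATIC", r"^/OA_HTML/[\w.\-]+\.(css|js|html?)$", None),
    ("STATIC", r"^/OA_MEDIA/[\w.\-]+\.(gif|png|jpg)$", None),
    ("COMMON", r"^/OA_HTML/OA\.jsp$", None),
    ("LOCAL", r"^/OA_HTML/AppsLogin$", None),
    ("LOCAL", r"^/OA_HTML/AppsLocalLogin\.jsp$", None),
    ("IRC", r"^/OA_HTML/IrcVisitor\.jsp$", None),
    ("IBE", r"^/OA_HTML/ibeCZzpHome\.jsp$", None),
]
ALWAYS_ENABLED = ("INITIAL PAGE", "STATIC", "COMMON", "LOCAL")


def security_checks(raw_path):
    """Stage 1 (mod_security): reject obviously malformed requests before any
    rewriting happens.  Returns a reason, or None if the path looks sane."""
    if "\x00" in raw_path or "%00" in raw_path.lower():
        return "null byte"
    if re.search(r"%(?![0-9A-Fa-f]{2})", raw_path):
        return "invalid URL encoding"
    try:
        decoded = unquote(raw_path, errors="strict")  # e.g. %C0%AF raises
    except UnicodeDecodeError:
        return "invalid UTF-8 sequence"
    if ".." in decoded.split("/") or "\\" in decoded:
        return "directory traversal"
    return None


def url_firewall(path, enabled_blocks):
    """Stage 2 (mod_rewrite): the first matching rule of an enabled block wins;
    anything unmatched falls through to the closing deny rule."""
    for block, pattern, redirect in URL_FW_RULES:
        if block in enabled_blocks and re.match(pattern, path):
            return ("redirect", redirect) if redirect else ("allow", None)
    return ("deny", None)


def handle_request(scheme, raw_path, products=()):
    """Decide what the proxy does with one request: ('reject', status, reason),
    ('redirect', 302, url) or ('proxy', 200, backend_url).  scheme is 'http'
    for the port-80 virtual host and 'https' for port 443; raw_path is the
    URL-path as sent, without the query string."""
    reason = security_checks(raw_path)
    if reason:
        return ("reject", 400, reason)
    path = unquote(raw_path)            # mod_rewrite matches the decoded URL-path
    if scheme == "http":
        # Port-80 vhost of a non-iStore site: RewriteRule ^/(.*) https://host/$1 [R,L]
        return ("redirect", 302, f"https://{PUBLIC_HOST}{path}")
    verdict, target = url_firewall(path, ALWAYS_ENABLED + tuple(products))
    if verdict == "deny":
        return ("reject", 403, "not in URL Firewall allow-list")
    if verdict == "redirect":
        return ("redirect", 302, f"https://{PUBLIC_HOST}{target}")
    # Stage 3 (mod_proxy): only requests that passed both filters reach the tier
    return ("proxy", 200, EXTERNAL_WEB_TIER + path)


if __name__ == "__main__":
    for scheme, path, products in [
        ("http", "/OA_HTML/AppsLogin", ()),
        ("https", "/", ()),
        ("https", "/OA_HTML/AppsLogin", ()),
        ("https", "/OA_HTML/IrcVisitor.jsp", ()),
        ("https", "/OA_HTML/IrcVisitor.jsp", ("IRC",)),
        ("https", "/OA_HTML/..%2Fetc/passwd", ()),
        ("https", "/OA_HTML/AppsLogin%00.jsp", ()),
        ("https", "/OA_HTML/%C0%AFAppsLogin", ()),
    ]:
        print(scheme, path, "->", handle_request(scheme, path, products))
```

Two points the model makes visible: the allow-list is evaluated on the decoded path, so the traversal and encoding checks have to run before it (the order the appendix imposes on mod_security, mod_rewrite and mod_proxy), and a product block that is not enabled denies its URLs outright rather than letting them through to the web tier. For an iStore deployment the port-80 branch would run a reduced allow-list of non-sensitive IBE URLs instead of redirecting everything, as the appendix explains.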

The url_fw.conf file has the following blocks:

- INITIAL PAGE: defines the default start page
- STATIC: static files such as images, stylesheets, JavaScript and HTML
- COMMON: common components used by multiple products
- LOCAL: required for local login
- FORMS: if your product mix requires the use of Oracle Forms
- XXX: where XXX is a product abbreviation

You will always need the STATIC, COMMON and LOCAL blocks. Depending on the product(s) you are deploying, you may need additional blocks of URLs enabled, as summarized in the table below.

Product Name                             Product Code   Product Family    Blocks Required
iSupplier Portal                         POS            Procurement       POS
Oracle Sourcing                          PON            Procurement       PON
Oracle iReceivables                      OIR            Financials        OIR
iRecruitment                             IRC            Human Resources   IRC
Oracle Time & Labor                      OTL            Human Resources   OTL
Oracle Learning Management               OTA            Human Resources   OTA
Oracle iSupport                          IBU            CRM               IBU
Oracle iStore                            IBE            CRM               IBE + CZ (optional *)
Oracle Marketing                         AMS            CRM               AMS
Oracle Partner Relationship Management   PRM            CRM               PRM
Oracle Survey                            IES            CRM               IES
Field Sales                              ASP            CRM               ASP
Oracle Transportation                    FTE            Manufacturing     FTE
Oracle Contracts Core                    OKC            Manufacturing     none
Oracle Service Contracts                 OKS            Manufacturing     OKS
Personal Portfolio                       IGP            (not listed)      IGP
Oracle Collaborative Planning            SCE            Manufacturing     SCE + Forms

*) iStore needs the CZ block if it is integrated with the Configurator.

In addition to uncommenting the blocks of URLs specified above, you have to decide how to handle the following for your deployment:

- Initial page: what page should be displayed when external users go to /
- Help: what should happen when external users click the Help icon

If you have configured Apache 2 as the reverse proxy server, the syntax of the ErrorDocument directive in url_fw.conf needs modification (the message must be enclosed in double quotes). The file as shipped uses Apache 1.3.x syntax.

Configure Initial Page


In the shipped version of url_fw.conf, external users are presented with the standard Apps Login page when they go to / (that is, http://your.site.com) on your external site.

If you are deploying products that allow users to browse part of the site before authenticating, presenting them with a login page may not make sense. For example, if you are deploying iStore, users expect to be able to browse the goods without logging in; if you are deploying iRecruitment, external users may browse available job postings before identifying themselves.

If you are integrating external access to E-Business Suite with an existing company website, you may want to include a new page with your corporate branding and links to the appropriate entry points of Oracle Applications.

To change the initial (/) page, locate the INITIAL PAGE block and change the first line in that block to provide the page of your choice.

RewriteRule ^/$ /OA_HTML/AppsLogin [R,L]

The rule says: upon a request for /, redirect ([R]edirect) to /OA_HTML/AppsLogin and stop further rewriting ([L]ast).

If your deployment is only iRecruitment or only iStore, the above rule can be replaced with one of the following:

RewriteRule ^/$ /OA_HTML/IrcVisitor.jsp [R,L]

or

RewriteRule ^/$ /OA_HTML/ibeCZzpHome.jsp [R,L]

For help in selecting an appropriate initial page, see the Implementation Guide for the products you are deploying externally.

URL Firewall Configuration for Webservices Deployed in the DMZ

A web services URL Firewall configuration file, url_fw_ws.conf, must be generated on the application tier nodes that host the external modules, to prevent unauthorized access to the SOA Provider servlet. Generate it with the following command:

$ txkrun.pl -script=GenWebServiceUrlFwConf

Successful completion of the script generates url_fw_ws.conf in $INST_TOP/ora/10.1.3/Apache/Apache/conf. This configuration file is then included automatically when AutoConfig is executed on the external nodes.

Appendix F: List of Ports to Open in a DMZ Configuration

The diagram shown below represents the list of ports that need to be opened on the firewalls in a DMZ configuration.

If users need access to additional components like Oracle Forms in server mode and Oracle Discoverer Plus, additional ports may need to be opened on the External, Internal and Data firewalls.

Some Oracle E-Business Suite modules, such as Oracle Configurator, use the UTL_HTTP package to communicate from the database to the application tier where the web server is installed. This is done over HTTP(S). So if there is a firewall between the application and database tiers, the HTTP port must be opened on that firewall for this communication to succeed.

Appendix G: Configuring Multiple Web Entry Points and DMZs with Single Sign-On

You can deploy Oracle E-Business Suite environments with DMZs and multiple web entry points. These configurations may optionally be integrated with Oracle Single Sign-On or Oracle Access Manager for centralized authentication. Either solution also requires Oracle Internet Directory.


Figure F8, shown above, depicts a configuration in which internal and external users are authenticated via a single Oracle Single Sign-On server installed in the DMZ. The LDAP directory, Oracle Internet Directory, remains on the internal network. The "SSO server" can be OSSO 10g or Oracle Access Manager 11g (with mod_osso as the agent for Oracle E-Business Suite).

Perform the following steps to implement this configuration:

1. Follow the instructions in Note 376811.1 to install and configure Oracle Application Server 10g with E-Business Suite.

2. Configure your DMZs and multiple web entry points for your E-Business Suite environments as described in Sections 2 to 5 above. Confirm that these environments are working properly before continuing.

3. The configuration displayed in Figure F8 uses a reverse proxy server as the web entry point for both the external application tier and the SSO server. You must reconfigure both the SSO server and the external application tier to point to the reverse proxy server. This requires a virtual host to be configured for both the SSO and the external application tier web entry points. This is required for the most secure deployment, as no additional ports then need to be opened on the external firewall.

4. To register your E-Business Suite environment with Single Sign-On 10g, run the registration utility described in Oracle MetaLink Note 376811.1, using the options appropriate for your deployment of Oracle Application Server 10g. The SSO/OID registration utility automates the Single Sign-On 10g partner application registration process for multiple web entry point deployments. It automatically performs a separate partner application registration for each registered web entry point, based on the E-Business Suite database profile values for APPS_FRAMEWORK_AGENT. No special command-line parameters are required. The registration utility only needs to be run once, on any middle-tier server, regardless of where that middle-tier server is located.

   For example: you have two domains, partners.company.com and employees.company.com. The partners.company.com domain corresponds to the external middle tier, and the employees.company.com domain corresponds to the internal middle tier. To register your E-Business Suite environment with Single Sign-On 10g, run the registration utility once, on either the external or the internal middle-tier server. The registration utility automatically detects and registers both middle tiers. There is no need to run it on each middle tier separately.

5. Run the AutoConfig utility as documented in Oracle MetaLink Note 387859.1, "Using AutoConfig to Manage System Configurations with Oracle Applications R12", and restart the Oracle application tier processes.

Note that Figure F8 lists only the ports that need to be opened for that specific configuration. Additional ports may need to be opened for other architecture variants. The configuration of external and internal web entry points using multiple OSSO servers is not supported at this time.


Figure G9, shown above, depicts a configuration in which the internal and external users are authenticated by Oracle Access Manager 11gR2 and OracleE-Business Suite AccessGate. The entry point, WebGate, resides in the DMZ along with Oracle E-Business Suite AccessGate. The WebGate interceptsauthentication requests and relays them to the Access Manager server. The Access Manager servers are installed on the internal network, along with OracleInternet Directory. Oracle E-Business Suite AccessGate receives the authenticated session from Oracle Access Manager, and connects to the OracleE-Business Suite database in order to link the Oracle Internet Directory (OID) user to an Oracle E-Business Suite user. Once this mapping is done, theoriginally requested resource is returned with a valid authenticated Oracle E-Business Suite user session. All subsequent requests for Oracle E-Business Suiteresources are then returned directly to the user as long as the user session remains valid.Follow the instructions in My Oracle Support Knowledge Document ,to install Oracle E-Business Suite AccessGate, and configure WebGate and Oracle Access Manager 11gR2.

To deploy Oracle Access Manager and WebGates in a DMZ, refer to the Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management 11g Release 2 (11.1.2), and the Oracle® Fusion Middleware Administrator's Guide for Oracle Access Management 11g Release 2 (11.1.2), in particular the section Configuring 11g Webgate for Detached Credential Collection. Oracle recommends using a WebGate DCC in the DMZ. This offers complete isolation of the OAM Server from the establishment of any unauthenticated network connection.

Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management 11g Release 2 (11.1.2) http://docs.oracle.com/cd/E27559_01/admin.1112/e28212/toc.htm

Oracle® Fusion Middleware Administrator's Guide for Oracle Access Management 11g Release 2 (11.1.2), Configuring 11g Webgate for Detached Credential Collection: http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/register.htm#AIAAG6684

To configure a WebGate DCC:

1. Activate the Allow Credential Operations option on the WebGate registration page.
2. Include the DCC WebGate host and port as the Challenge Redirect URL of the Authentication Scheme.
3. Specify the location of the login pages deployed with the DCC WebGate in the Challenge URL: /oamsso-bin/login.pl.

Refer to Configuring 11g Webgate for Detached Credential Collection for further information: http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/register.htm#AIAAG6684

After you have configured a reverse proxy that forwards requests to WebGate, you need to make the following changes for your Oracle E-Business Suite AccessGate deployment:

1. Specify the following E-Business Suite AccessGate deployment parameters as appropriate to your DMZ configuration. Both logout URLs are followed by the user's browser, so they must name the address that is reachable from outside the DMZ, not the WebGate host itself.

   For the value of parameter -DWebgateLogoutURL, replace the WebGate host and port with the reverse proxy host and port that forwards requests to your WebGate host. For example: http://<reverse proxy host>:<reverse proxy port>/public/oacleanup.html

   For the value of parameter -DOAMLogoutURL, enter the full URL to the Detached Credential Collector logout script: http://<reverse proxy host>:<reverse proxy port>/oamsso-bin/logout.pl

2. Update the Oracle E-Business Suite profile option "Applications Authenticate Agent" (APPS_AUTH_AGENT). Replace <webgatehost>:<port> with the hostname and port on your reverse proxy that forwards to WebGate. If you are configuring separate WebGates for internal and external users, you may set the APPS_AUTH_AGENT profile option at the SERVER level, so that internal users are directed to one URL for authentication and external users to another.

Note that it is not necessary to open ports in the data firewall for LDAP and LDAP/S connections. LDAP connections are made only from the Oracle Access Manager's Access Server, which is located inside the firewall, and not from any of the components located in the DMZ. If you previously had these ports open for Oracle Single Sign-On Server and are no longer using OSSO for external authentication, you should close these ports on the data firewall for maximum security.

Appendix H: Troubleshooting

H1: Internal and External Middle Tiers in Different Domains
H2: Firewalls Disconnect SQL*Net Connections
H3: DNS Resolution of Machines and Devices Involved in the DMZ Configuration
H4: HTTP Error 400 - Bad request
H5: HTTP Error 410 - Gone
H6: Redirection to an incorrect server during login

H1: Internal and External Middle Tiers in Different Domains

If any of your middle tier servers or the reverse proxy server is running on machines with different domain names or different virtual host domain names, you must execute the following SQL commands when logged into the database as the APPS user:

SQL> update icx_parameters set session_cookie_domain = null;
SQL> commit;

H2: Firewalls Disconnect SQL*Net Connections

Most firewalls disconnect SQL*Net connections after 30 minutes of inactivity. To fix this problem, add the following parameter to the existing [RDBMS_ORACLE_HOME]/network/admin/_/sqlnet.ora on the database tier. SQLNET.EXPIRE_TIME is the Dead Connection Detection interval in minutes: with a value of 10 the database sends a probe packet every 10 minutes on otherwise idle connections, so the firewall's idle timer never reaches 30 minutes:

SQLNET.EXPIRE_TIME=10

H3: DNS Resolution of Machines and Devices Involved in the DMZ Configuration

In a DMZ setup, a number of components are involved in the configuration: network components such as firewall devices, hardware load balancers and SSL accelerators, and the machines hosting the application software. A successful configuration of these components requires proper name resolution, both in the local hosts configuration and in DNS, from the various segments of your network. Some commonly used operating system utilities that can be used to verify the DNS setup are:

nslookup
ping
traceroute
nmap

H4: HTTP Error 400 - Bad request

If you receive an "HTTP Error 400 - Bad request" in your browser, it means that the Oracle HTTP Server or the reverse proxy server denied the request due to a rule set in mod_security. Review the error_log file to gather more information on why the request was denied.

H5: HTTP Error 410 - Gone

If you receive an "HTTP Error 410 - Gone" in your browser, it means that the Oracle HTTP Server or the reverse proxy server denied the request due to a rule set in the URL Firewall. Review the access_log or rewrite_log to gather more information on why the request was denied.

If you identify a URL that is being blocked that you think should be allowed for your deployment, add the URL to the url_fw.conf file and restart the Oracle HTTP Server or the reverse proxy server to make the change active. Add only the specific URL you have verified is needed: the URL Firewall is what keeps the rest of the E-Business Suite surface unreachable from the Internet, and every entry you add becomes reachable by anyone.

H6: Redirection to an Incorrect Server During Login

If you are getting redirected to an incorrect server during the login process, check the following:

Whether the hierarchy type of the profile options mentioned in Section 5.1 is set to SERVRESP:

select PROFILE_OPTION_NAME, HIERARCHY_TYPE
  from fnd_profile_options
 where profile_option_name in ('APPS_WEB_AGENT', 'APPS_SERVLET_AGENT', 'APPS_JSP_AGENT', 'APPS_FRAMEWORK_AGENT',
                               'ICX_FORMS_LAUNCHER', 'ICX_DISCOVERER_LAUNCHER', 'ICX_DISCOVERER_VIEWER_LAUNCHER',
                               'HELP_WEB_AGENT', 'APPS_PORTAL', 'CZ_UIMGR_URL', 'QP_PRICING_ENGINE_URL', 'TCF:HOST');

Whether the profile option values for the FND profile options (APPS_FRAMEWORK_AGENT, APPS_WEB_AGENT, APPS_JSP_AGENT, APPS_SERVLET_AGENT) are pointing to the correct node. Run the query once with the node_id of the external web tier and once with the node_id of the internal web tier; the sixth argument of fnd_profile.value_specific is the server (node) id. For example:

select fnd_profile.value_specific('APPS_FRAMEWORK_AGENT', null, null, null, null, <node_id>) from dual;

Whether the dbc file pointed to by the JVM parameter (JTFDBCFILE) in oc4j.properties exists:

-DJTFDBCFILE=

Whether the value of the parameter APPL_SERVER_ID, set in the dbc file for the node, is the same as the value of server_id in the fnd_nodes table:

select node_name,node_id,server_id from fnd_nodes;
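The checks listed above can be run as a single query that inspects every web node at once. The query below is an added example for this appendix and is not part of Note 380490.1; it uses only the fnd_nodes table and fnd_profile.value_specific, both of which the checks above already use, and it assumes it is run as the APPS user. For each web node it returns the site-level value and the node-level value of each agent profile option, together with NODE_TRUST_LEVEL from Section 5.2 and FND_DIAGNOSTICS from Appendix J. A node whose node-level value is identical to the site-level value has no server-level override, which is the usual reason a login on that node redirects to whichever host the site value names.

```sql
-- Added example for Appendix H6; not part of Note 380490.1. Run as APPS.
-- Assumption: the sixth argument of fnd_profile.value_specific is the server
-- (node) id, as in the single-value check shown above.
with opts as (
  select 'APPS_FRAMEWORK_AGENT' as profile_option_name from dual union all
  select 'APPS_WEB_AGENT'       from dual union all
  select 'APPS_JSP_AGENT'       from dual union all
  select 'APPS_SERVLET_AGENT'   from dual union all
  select 'APPS_AUTH_AGENT'      from dual union all   -- OAM/AccessGate login URL
  select 'NODE_TRUST_LEVEL'     from dual union all   -- Section 5.2
  select 'FND_DIAGNOSTICS'      from dual             -- Appendix J: expect N on external nodes
),
vals as (
  select n.node_name,
         n.node_id,
         n.server_id,          -- must equal APPL_SERVER_ID in that node's .dbc file
         po.hierarchy_type,    -- must be SERVRESP for a per-node value to take effect
         o.profile_option_name,
         -- site-level value: no user, responsibility, application, org or server context
         fnd_profile.value_specific(o.profile_option_name)                                    as site_value,
         -- value resolved for this node, exactly as a login arriving on that node sees it
         fnd_profile.value_specific(o.profile_option_name, null, null, null, null, n.node_id) as node_value
    from fnd_nodes n
   cross join opts o
    join fnd_profile_options po
      on po.profile_option_name = o.profile_option_name
   where n.support_web = 'Y'   -- web tiers only; concurrent, forms-only and db nodes are skipped
)
select node_name, node_id, server_id, profile_option_name, hierarchy_type, site_value, node_value,
       case
         when hierarchy_type <> 'SERVRESP'      then 'HIERARCHY NOT SERVRESP'
         when node_value is null                then 'NO VALUE'
         when nvl(site_value, '#') = node_value then 'NO SERVER-LEVEL OVERRIDE'
         else 'OK'
       end as status
  from vals
 order by node_name, profile_option_name;
```

Run it from SQL*Plus after each change made under Sections 5.1 to 5.3. For the external web tier every agent row should show OK with a node_value naming the external host; on the internal tier NO SERVER-LEVEL OVERRIDE is acceptable only where you intend the site-level value to apply, for example FND_DIAGNOSTICS left at Y. Compare the server_id column with APPL_SERVER_ID in each node's dbc file, as the last check above describes.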

Appendix I: Disabling E-Business Suite Release 12 Application Services on the External Web Tier

On the external web tier, you need to run only the Oracle E-Business Suite application services that are needed by the external-facing E-Business Suite module. All services except the "Root Service Group", the Web Entry Point Services and the "Web Application Services" must be disabled. In addition, you can disable the forms and oafm web application services. To disable a service, perform the following steps:

1. Run the AutoConfig Context Editor as documented in Oracle MetaLink Note 387859.1, "Using AutoConfig to Manage System Configurations with Oracle Applications R12".
2. Click on Site Map, then AutoConfig.
3. Select the Applications Context file of the external web tier, then click on Edit Parameters, Processes.
4. Perform the required updates and save the changes.

Appendix J: Disabling "About this page" Link From the Release 12 Login Page

There is a new link named "About this Page" on the Release 12 login page. Displaying this link is the default for Release 12. The "About this Page" link points to a page that provides a wealth of information about the applications instance, such as applied patches, profiles and technology components, to all users prior to authentication. This is not desirable in a DMZ type of environment.

This link is displayed only when the profile option value for FND: Diagnostics is set to "YES" at SITE level. So, to disable this link on all your servers, all you have to do is set this profile option to NO at the SITE level.

To disable the link on a server-by-server basis, follow these steps:

1. Change the hierarchy type of the FND_DIAGNOSTICS profile option to Server-Responsibility.
2. Set the profile option value at server level to NO for the servers where the link is to be disabled, while keeping the Site level value set to YES.

Appendix K: Related Documentation

Oracle Applications System Administrator's Guide - Security
Oracle Applications System Administrator's Guide
Best Practices for Securing Oracle E-Business Suite R12
Using Load-Balancers with Oracle E-Business Suite Release 12
Using AutoConfig to Manage System Configurations with Oracle E-Business Suite Release 12
Cloning Oracle Applications Release 12 with Rapid Clone
Sharing the Application Tier File System in Oracle E-Business Suite Release 12
Enabling SSL in Oracle Applications Release 12

Change Log

Date                Description
Nov 26, 2012        OAM DCC configuration updates
Oct 24, 2011        ASP added to the list of certified products
Dec 20, 2010        Oracle Quoting / Third Party Portal added to the list of certified products
Dec 22, 2009        Updated Appendix A and Appendix B with the latest DMZ certified products
Dec 21, 2009        Added Oracle Access Manager configuration
Dec 04, 2009        OIE added to the list of certified products
Sept 18, 2009       OIP added to the list of certified products
May 09, 2009        Instructions to enable web entry point services
April 15, 2009      Added forward proxy configuration
March 03, 2009      OTL added to the list of certified products
February 06, 2009   SSO configuration updates
January 21, 2009    Removed reference to the Configurator note as it does not exist.
September 30, 2008  Added reverse proxy configuration (section 5.9); clarified web entry point requirements.
July 11, 2008       Added SSHR product as certified in Appendix A and added "Enable SSL terminator" note to Option 2.4.
May 23, 2008        Added ASP product as certified in Appendix A.
April 23, 2008      Added "Using Hardware Load Balancers With No External Web Tier" section, removed jserv references, and added the step to run AutoConfig in section "Using Reverse Proxies only in DMZ".
November 06, 2007   Removed references to txkSOHM.pl since it is not used in R12.
March 21, 2007      Added "Enable Distributed Oracle Java Object Cache Functionality" section and "Using Reverse Proxy Only in DMZ" section.
January 22, 2007    Document creation date

Note 380490.1 by Oracle Applications Development
Copyright © 2012 Oracle Corporation
Last updated: November 26, 2012

References

NOTE:396880.1 - Oracle iSupplier Portal Documentation Resources R12
NOTE:384248.1 - Sharing The Application Tier File System in Oracle E-Business Suite Release 12
NOTE:380486.1 - Installing and Configuring Web Cache 10g and Oracle E-Business Suite 12
NOTE:396879.1 - Oracle Sourcing Documentation Resources R12
