DMZ configuration for iRecruitment (Oracle Apps 11i) – Part I
Posted by kalpit on March 26, 2007
Purpose:
If you have been wondering how to support end users who would like to connect to your E-Business Suite environment from outside your corporate firewall, a combination of a demilitarized zone (DMZ) and a reverse proxy may be an alternative to traditional VPN-based solutions. This document describes how to make the iRecruitment functionality of Oracle E-Business Suite 11i accessible over the Internet to external users. It covers the network topologies and architectures involved, including the use of reverse proxy servers in DMZs and of hardware load balancers in these configurations. For clarity I will post this in two parts: Part I covers the introduction and general information; Part II will walk through the actual steps.
Introduction to DMZ:
A DMZ (demilitarized zone) is a separate segment of an organization's network that is shielded and cut off from the main corporate network and its systems. The DMZ holds the equipment that stops external parties (for example on the Internet) from reaching your main systems directly. In IT terms, a DMZ is a single- or multi-segment perimeter network that marks the portion of the corporate network lying between the intranet and outside networks. Its borders are enforced by firewalls and other dedicated network devices.
DMZ Setup System Requirements:
1) Reverse Proxy Server
   Model: HP-Unix
   Host Name: reverseproxy.external.com
   IP Address: 123.123.123.123
   OS: HP-Unix
   OS User: applmgr
2) External Web Server
   Model: HP-Unix
   Host Name: hostname.external.com
   IP Address: 123.123.123.123
   OS: HP-Unix
   OS User: applmgr
3) Database Server
   Model: HP-Unix
   Host Name: dbhost.internal.com
   IP Address: 123.123.123.123
   OS: HP-Unix
   OS User: oracle
Please note that HP-UX is used as the example OS for this setup, and that the host names and IP addresses above are placeholders. In theory this can be set up on any OS that supports Oracle Apps 11i.
Proposed DMZ Configuration Architecture
[Figure 1: proposed DMZ configuration architecture. Image taken from Metalink Note 287176.1; not reproduced here.]
Design Considerations, Assumptions, Limitations:
When configuring Oracle E-Business Suite in a DMZ, firewalls are deployed at several levels so that only the traffic the architecture expects is allowed to cross each firewall boundary. The intent is that if an intrusion attempt against a machine in the DMZ succeeds, the intrusion is contained within the DMZ and the machines on the intranet are not affected. To make the exposed Oracle E-Business Suite modules as secure as possible, the following tasks may need to be performed:
- Use a separate web node for external access
- Set server-level profile values
- Associate trust levels with the application middle-tier nodes
- Mark a subset of responsibilities as available on the external web node
- Deploy a reverse proxy in front of the external web node
- Configure a URL firewall and mod_security on the reverse proxy
- Run only the required Oracle E-Business Suite application services on the external web tier
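The tasks above are what the external node has to enforce. The following is an added example (editor's code, not from the original post and not Oracle's own configuration) that models two of them in Python: the node/responsibility trust-level rule from Note 287176.1, and a default-deny URL firewall replayed over a few constructed access-log lines. The allow-list patterns, the log lines and the client addresses are assumptions made for the example; only the trust-level values (Administrative = 1, Normal = 2, External = 3) follow the note.

```python
"""Added example (editor's code, not from the original post or from Oracle).

1. Trust levels: nodes and responsibilities each carry a level
   (Administrative = 1, Normal = 2, External = 3, as in Note 287176.1).
   A responsibility is offered on a node only when its own level is at
   least as permissive as the node's, so an External responsibility is
   visible everywhere and an Administrative one only on Administrative nodes.
2. URL firewall: a default-deny allow-list of anchored URL patterns. The
   request path is %-decoded once and normalised before matching, so that
   encoded or dot-segment paths cannot slip past the patterns.

The allow-list, the IrcVisitor.jsp entry page and the log lines below are
assumptions constructed for this example, not Oracle's url_fw.conf.
"""
from __future__ import annotations

import posixpath
import re
from urllib.parse import unquote, urlsplit

ADMINISTRATIVE, NORMAL, EXTERNAL = 1, 2, 3


def responsibility_visible(node_trust: int, resp_trust: int) -> bool:
    """True if a responsibility at resp_trust may be used from a node at node_trust."""
    for level in (node_trust, resp_trust):
        if level not in (ADMINISTRATIVE, NORMAL, EXTERNAL):
            raise ValueError(f"unknown trust level: {level}")
    return resp_trust >= node_trust


# Allow-list for the external node (assumed, illustrative): only the external
# candidate entry page, the OA Framework dispatchers and static media.
EXTERNAL_ALLOW = [
    r"^/OA_HTML/IrcVisitor\.jsp$",
    r"^/OA_HTML/OA\.jsp$",
    r"^/OA_HTML/RF\.jsp$",
    r"^/OA_HTML/AppsLocalLogin\.jsp$",
    r"^/OA_MEDIA/[A-Za-z0-9_.-]+\.(gif|png|jpg|css|js)$",
]


def canonical_path(raw_target: str) -> str:
    """Drop the query string, %-decode once (as the web server does) and
    collapse '.' and '..' segments. Returns '' for anything that is not an
    absolute path, which the caller treats as denied."""
    path = unquote(urlsplit(raw_target).path)
    if not path.startswith("/"):
        return ""
    return posixpath.normpath(path)


def url_allowed(raw_target: str, allow: list[str] = EXTERNAL_ALLOW) -> bool:
    """Default-deny check: the canonical path must match one anchored pattern."""
    path = canonical_path(raw_target)
    return bool(path) and any(re.match(pattern, path) for pattern in allow)


# Access-log lines constructed for the example (Common Log Format); the
# OAFunc value and the client addresses are placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [26/Mar/2007:10:00:01 +0000] "GET /OA_HTML/IrcVisitor.jsp HTTP/1.1" 200 1234
203.0.113.10 - - [26/Mar/2007:10:00:02 +0000] "GET /OA_HTML/OA.jsp?OAFunc=EXAMPLE_FUNC HTTP/1.1" 200 5678
203.0.113.11 - - [26/Mar/2007:10:00:03 +0000] "GET /OA_HTML/jsp/fnd/fndping.jsp HTTP/1.1" 200 321
203.0.113.12 - - [26/Mar/2007:10:00:04 +0000] "GET /OA_HTML/%2e%2e/OA_CGI/FNDWRR.exe HTTP/1.1" 200 99
203.0.113.13 - - [26/Mar/2007:10:00:05 +0000] "GET /OA_MEDIA/FNDLOGOL.gif HTTP/1.1" 200 400
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" \d{3} \d+$'
)


def audit(log_text: str, allow: list[str] = EXTERNAL_ALLOW) -> list[tuple[str, str, bool]]:
    """Replay the allow-list over log lines; returns (client, target, allowed)."""
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            results.append((m["ip"], m["target"], url_allowed(m["target"], allow)))
    return results


if __name__ == "__main__":
    for client, target, ok in audit(SAMPLE_LOG):
        print(f"{'ALLOW' if ok else 'DENY ':5} {client:15} {target}")
    print("External resp. on external node:", responsibility_visible(EXTERNAL, EXTERNAL))
    print("Normal resp. on external node:  ", responsibility_visible(EXTERNAL, NORMAL))
```

The decoding and normalisation in canonical_path is what makes the allow-list worth having: matched against the raw request line, a %2e%2e segment would carry a request for a CGI outside the allowed set past an anchored pattern, so the check has to run on the canonical path rather than the wire form. The trust-level function is the same comparison the responsibility list on an external node has to make before showing a menu entry.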
Pre-requisite Patches:
This concludes Part I. I will continue with the DMZ setup steps in the next post.
References:
287176.1 – DMZ Configuration with Oracle E-Business Suite 11i
364439.1 – Tips and Queries for Troubleshooting Advanced Topologies

DMZ configuration for iRecruitment (Oracle Apps 11i) - Part II « Practical Apps DBA said
vinay said
Hi Navdeep,
I have a requirement where I need to install R12 on a machine which is accessed via a DMZ. But this is a Vision installation for test and there is no need to leverage any DMZ benefits etc. The only issue is that the machine which has been given to me for installation is behind a DMZ.
In this scenario, what are the things that i have to take care of ?
Regards
Vinay
Navdeep Saini said
Vinay
Vision instance should not cause any issues.
regards
Nav
Indrashish Sengupta said
How feasible do you think it will be to have the internal web server on Solaris and the external server on Linux (cheaper H/W)?
Is this kind of mixed-OS model a good suggestion for implementation, if it is at all feasible, and also for future support?
vasu said
Hi,
We are having SCM, Financials and HRMS (core, without SSHR/iRecruitment/OLM) module implementations for one of our clients (11.5.10.2 on Solaris 10).
The client has ordered hardware as follows:
2 external application servers with network load balancer
2 internal application servers with network load balancer
2 database servers with RAC
for 11.5.10.2 on Sun Solaris.
My doubt is that we are not using any i-modules (web-enabled modules), but the client requirement is that they have to use this application from the Internet as well as from LAN/WAN users.
Can we put the entire application in a DMZ for Internet users, and how? Please let me know the steps.
This is the first time I am configuring a DMZ. Can you please help me out?
Thanks and Regards
Vasu
Navdeep Saini said
Vasu
One easy option will be secure access via VPN. External users will use a secure VPN to connect to the company's network and from there access EBS. Not technically challenging as far as DBAs are concerned, but it will need a VPN setup, and if you have a large external user base it will require a very robust VPN infrastructure (load balancer, multiple VPN servers etc.).
The other way could be using a reverse proxy for the external web servers (or load balancers) in the DMZ; see Metalink Note 241015.1. Not many customers will feel very comfortable with this if you are opening all the modules (especially FIN, HR) to external users. This works well for the internet modules in EBS like iRec, iStore, iProc etc.
Another option could be using Oracle's Identity and Access Management suite, especially Oracle Access Manager, to handle all authentication requests for EBS. It can be configured to use authentication methods like smart cards, SecurID tokens, one-time passwords or even biometrics. Oracle Access Manager (OAM) integrates seamlessly with EBS via Oracle Single Sign-On Server (OSSO), which means you will first have to implement SSO for EBS to achieve this.
This is the most advanced and complex method of achieving an appropriate level of security if you open up your EBS to external users. The Oracle Identity and Access Management Suite is a separate product and will require an additional license.
regards
Nav
Vasu said
Thanks a lot Navdeep
Regards
Vasu
Lance Thornhill said
Hi Navdeep,
I’m sorry, I am not an Oracle guy by any means. I work with our firewalls, etc (network security guy). I am being asked by our database group to make firewall allowances for what I see above in Figure 1. However, I am uncomfortable allowing even an internal DMZ web server (although it is sitting behind a proxy) sqlnet access to the DB server that houses our most security critical data. Is there any other solution for this? My vision was that Oracle, in their database omniscience, would have a way to do something like:
WEBSERVER {–800x,900x,xxxx–} APPSERVER {–1521–} DBSERVER
and not require WEBSERVER {–1521–} DBSERVER. Is my request possible? Thank you.
Lance Thornhill said
If WEBSERVER ==1521== DBSERVER is the only way, what security do you put in place to assure that a compromised WEBSERVER can’t query all databases on the DBSERVER?
Navdeep Saini said
Lance
I must say this is a very good question. The crux of the problem is that the web server has to talk to the database to render all the requests for the client, and it has to work on some port (if not 1521) to connect to the database.
I have no simple answer to this. If you are worried about the "external" web server in the DMZ, you can use a configuration in which it is not required, e.g.:
http://practicalappsdba.files.wordpress.com/2008/05/without_external.jpg
or
http://practicalappsdba.files.wordpress.com/2008/05/without_external_loadbl.jpg
However my guess is that this still leaves some security hole, as the reverse proxy or load balancers will need to go across the DMZ onto the internal apps/web server. You can further enhance the security by configuring SSL to be used at the HTTP Server (web server), Forms 6i Server (apps server) and Oracle Database Server level. You can also configure SSL for your external web server and use the configuration as shown above. For more information on how to enable SSL connections refer to Metalink Notes 340178.1 and 123718.1 (ask your DBAs how to get these notes).
regards
Nav
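Lance's underlying question (what stops a compromised web node, or any other host in the DMZ, from opening SQL*Net sessions to the database) has one database-side control that the reply above does not mention: Oracle Net valid node checking, set in sqlnet.ora on the database tier. The block below is an added example (editor's code, not from the original post and not Oracle's) that parses two constructed sqlnet.ora fragments and shows which hosts the listener would accept. The addresses, the host roles and the precedence rule for the case where both TCP.INVITED_NODES and TCP.EXCLUDED_NODES are set are assumptions and are marked as such in the code.

```python
"""Added example (editor's code, not from the original post or from Oracle).

Models Oracle Net valid node checking. With TCP.VALIDNODE_CHECKING = YES the
listener accepts TCP connections only from hosts in TCP.INVITED_NODES, or
rejects those in TCP.EXCLUDED_NODES. Assumption, following the Oracle Net
reference: when both lists are present the invited list takes precedence.
The sqlnet.ora fragments and host addresses are constructed for the example.
The check limits which hosts can reach port 1521 at all; it does nothing
against an invited web node that has itself been compromised, which is a
matter of database account privileges instead.
"""
from __future__ import annotations

# Constructed fragments: the first leaves the listener open to any host the
# firewall lets through, the second restricts it to the application tiers.
WEAK_SQLNET = """\
# sqlnet.ora on the database tier: no node filtering
SQLNET.EXPIRE_TIME = 10
"""

HARDENED_SQLNET = """\
# sqlnet.ora on the database tier: only the web/forms nodes may connect
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (192.0.2.10, 192.0.2.11, 192.0.2.12)   # external web node, internal tiers
TCP.EXCLUDED_NODES = (192.0.2.5)                            # not consulted while INVITED_NODES is set
"""

# Hosts in the topology discussed above (addresses assumed for the example).
HOSTS = {
    "external web node (DMZ)": "192.0.2.10",
    "internal web node": "192.0.2.11",
    "reverse proxy (DMZ)": "192.0.2.5",
    "other DMZ host": "192.0.2.77",
}


def parse_sqlnet(text: str) -> dict[str, str | list[str]]:
    """Parse single-line 'NAME = value' and 'NAME = (a, b, c)' entries.
    Trailing '#' comments are dropped and names are upper-cased. Multi-line
    parenthesised lists, which real sqlnet.ora files may use, are not handled."""
    params: dict[str, str | list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if value.startswith("(") and value.endswith(")"):
            params[name.upper()] = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        else:
            params[name.upper()] = value
    return params


def _as_list(value: str | list[str] | None) -> list[str]:
    """A single unparenthesised node is the same as a one-element list
    (avoids the substring trap of 'x in "192.0.2.50"')."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def listener_accepts(params: dict[str, str | list[str]], client_ip: str) -> bool:
    """Would the listener accept a TCP connection from client_ip?"""
    if str(params.get("TCP.VALIDNODE_CHECKING", "NO")).upper() != "YES":
        return True                                  # filtering off: anyone may try
    invited = _as_list(params.get("TCP.INVITED_NODES"))
    excluded = _as_list(params.get("TCP.EXCLUDED_NODES"))
    if invited:                                      # assumed: allow-list wins when present
        return client_ip in invited
    return client_ip not in excluded                 # otherwise deny-list only


def reachability(sqlnet_text: str) -> dict[str, bool]:
    """Which hosts in HOSTS could open a SQL*Net session under this sqlnet.ora."""
    params = parse_sqlnet(sqlnet_text)
    return {name: listener_accepts(params, ip) for name, ip in HOSTS.items()}


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SQLNET), ("hardened", HARDENED_SQLNET)):
        print(label)
        for host, ok in reachability(text).items():
            print(f"  {'accept' if ok else 'reject'}  {host}")
```

Read together with the firewall rule Lance is being asked for, this gives two independent places where the reverse proxy and any stray DMZ host are refused on 1521: the firewall between the DMZ and the intranet, and the listener itself. It does not narrow what the external web node's own database account can do once connected; that part of the question is not addressed on this page.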
Navdeep Saini said
Indrashish
Not sure how I missed your comment. Anyway, here is the answer:
1. Yes, it is very much feasible and also widely used (for cost reasons) to have mixed-OS apps tier nodes.
2. Yes, it is well supported by Oracle and will continue to be supported in future.
3. The downside will be that you cannot use a shared APPL_TOP (for external nodes you should not have it anyhow), and you will have to manage your Linux node separately (patching, cloning) from your Solaris nodes.
regards
Nav
Lance Thornhill said
Thank you, Navdeep. If given the choice of letting the Internet talk to the
1) middletier appserver through the proxy or
2) oracle recommended webserver (no forms, etc) through the proxy,
I think the most secure is 2). Is this right, and is there a published list of security patches necessary to be as secure as possible? Thank you, again.
Navdeep Saini said
Lance
Yes, you are correct. Using option 2 as you mentioned (having an external web server) is the more secure way of doing things, as it gives us the flexibility to restrict access to a limited set of areas in the application where external customers can go.
As for patching, make sure your Oracle Apps external web server has the latest patches as per the Oracle CPU (Critical Patch Update). The latest is the April 08 CPU. See the following:
http://www.oracle.com/technology/deploy/security/alerts.htm
regards
Nav
shiju said
Hi Navdeep,
Can we configure external iRecruitment to work for an eBiz site enabled with single sign-on? SSO is configured for Apps with AD as the source system with WNA enabled. As the users of external iRecruitment do not exist in AD (these are external candidates), these users are unable to log in through external iRecruitment. Is there any way to bypass SSO for external iRecruitment users?
Thanks in Advance
Shiju
Kalpit said
Hi Shiju,
Yes, configuring external iRecruitment with SSO is fully supported. Please check Appendix G of the 287176.1 document for the firewall ports to be opened for this configuration.
Regarding login for external users, you can change the flow of registration of an iRecruitment candidate by applying patch 4711849.
Expected behaviour after the patch:
1) Log in to the iRecruitment portal
2) Click Register
3) Apply for a job
There is no prompting for the SSO screen, which is OK.
For more information, check out Note 399420.1.
Vinod said
Hi Kalpit,
Regarding Note 399420.1: the note talks about resolving issues of unregistered users during External User Registration, which is not the case Shiju has mentioned. We have a problem with the login of registered external users. So, is there any mechanism so that after the user registers himself he is able to log in, as he would not be an AD user and he would be redirected to the SSO/WNA login screen due to the eBiz integration with SSO at the site level?
Regards,
Vinod
Sandeep said
Hi Vinod,
By any chance, if you have got the solution for it, can you share it over here? We raised a P1 TAR a week ago for this process, but even Oracle doesn't seem to know the answer. They just keep saying that if your E-Business Suite is SSO enabled then there is no way to make it non-SSO for external candidates (which according to me is ridiculous, as an external candidate won't ever have an entry in our OID).
Thanks,
Sandeep
Tayyab said
Hi Navdeep,
I have some question for you on SSO and EBS R12.
We are implementing SSO for an E-Business Suite 12 environment. Some of the modules are in the DMZ, and iRecruitment and iSupplier would be accessed from the Internet. Since SSO is an all-or-nothing deployment choice, we have SSO for all the users (including Internet users).
Our security practice has raised some concerns over SSO usage for iRecruitment and iSupplier.
1. Password encryption method for Internet users. Let us suppose a user is created on the iRecruitment portal; can we have a different encryption method for such users? In other words, can we have separate user management for Internet users? Below are the main concerns raised by security.
Can we enforce a username policy for Internet users? We could do it in EBS, but that sets the policy for all the users (intranet and Internet). What if someone creates users with different formats (e.g. one user may choose first.last name and another may choose first initial.last name, and someone may use email as the username)?
2. Special password policy in OID for iRecruitment and iSupplier users (since these users would be stored in FND_USER and then provisioned to OID). What if an Internet user forgets the password; how can he request to change it? In a normal E-Business Suite environment we are aware of the process. What is the case for these Internet users?
3. How to change the passwords if someone forgets the password.
4. How will the internal users go to the iRec portal, and if they are presented with the SSO login, what username/password are they going to enter? It will not challenge for username/password there because they are in the same organization.
Regards,
Tayyab
Syed said
Dear all
I have implemented SSO on R12; everything is working fine, and all pre-req and post-req steps are working.
When an HTTP URL request goes to R12 it redirects to SSO. When logging in using an R12 account user,
I get the error "EBS user not linked with SSO". A bit confused. Anyone have an idea, please...
Navdeep Saini said
Tayyab
Apologies for replying late.
1. When a user registers in iRecruitment, it is registered in Applications. They are part of Applications. I think we cannot have separate user management for them.
Not sure whether we can enforce a username policy for Internet users separately. Need to check that.
2. "Forgot password" functionality is part of the iRecruitment module. You will have to check the setup docs for how to enable it (I think it comes enabled by default).
3. You can also manually change the passwords as sysadmin; however, forgot-password functionality is embedded in most of the "i" modules.
4. No matter whether it is an external or internal user, he will be challenged for credentials when accessing the iRec page. Internal users can also register themselves in iRec; in this way they will have to provide their credentials.
regards
Nav
Navdeep Saini said
Syed
Did you configure synchronization between fnd_user and OID ? For more details check:
Note:261914.1 – Integrating Oracle E-Business Suite Release 11i with Oracle Internet Directory and Oracle Single Sign-On
regards
Nav
Dan Dunlap said
We were able to achieve a bifurcated login, where external users were directed to the non-SSO login page and internal users were directed to the SSO login page, by enabling the rewrite rule "RewriteRule ^/$ /OA_HTML/AppsLocalLogin.jsp [R,L]" on the external tier. This basically overrides the generated SSO login page on the external tier (since SSO has to be enabled at the site level, not at a node level). We also had to modify the Workflow used for creating external users to set the profile option APPS_SSO_LOCAL_LOGIN at the user level to "LOCAL". This was required because password management for these modules needs to be done within EBS (i.e. Purchasing Admins can reset external users' passwords without knowing the actual password).
fazal said
Hi Navdeep Saini,
First let me congratulate you for the wonderful job that you're doing.
I have one issue regarding SSO for Oracle iRecruitment R12.
Oracle iRecruitment 12 & SSO implemented successfully.
External users are able to log in to iRecruitment and register themselves successfully, but when they log in again (registered users of iRecruitment) using their existing username and password, the system redirects to SSO and hangs after some time.
Please let me know how I can resolve this issue.
Thanks & Regards
Fazal
Dan Dunlap said
Fazal-
Where do you want to validate the iRec users: in SSO, or locally in the EBS FND tables? If not SSO, then look at the user-level profile options for one of your iRecruitment users and check the value of APPS_SSO_LOCAL_LOGIN; you'll see that it's probably not set, defaulting to the site level, which is SSO or Both.
sreenatha said
Hi Navdeep,
I have some doubts while implementing iSupport with no external web tier. The thing is, iSupport is working fine within the intranet without any issues, but when I map it to a public IP (Internet) I can log in, but the session gets closed once I click on any link.
I have doubts about the context XML parameters.
My configuration is: 10.2.5.190 (internal EBS)
with a virtual external web tier (the internal application runs on 8005 and the external web tier uses 8007)
10.2.5.187 (reverse proxy)
I am getting confused since I am using a virtual external tier, so can you please clarify these parameters for me...
s_webhost=10.2.5.190
s_external_url=http://10.2.5.190:8007
s_webentryhost=10.2.5.190
s_webentrydomain=mydomain.com(both internal and reverse proxy are on same domain)
s_webdomain=mydomain.com
s_server_ip_address=10.2.5.190
s_webport=8007
s_active_webport=8007
Please help me!!!!
Thank you,
Sreenath
sreenatha said
I had resolved my issue by changing the context file parameters.
Thank you
Sree
Prakash said
Hi Navdeep,
I need a clarification on the integration between the iRecruitment external candidate and the client job portal.
We are not implementing any DMZ configuration; when an applicant registers for any job using the client job portal, it should be integrated with the iRecruitment external candidate.
As per my knowledge, if we do the below setup that will be sufficient for the integration.
—————————-
1. Create an external web server (only Apache to be configured to run)
2. Update the hierarchy type
(sqlplus apps/apps-passwd @$FND_TOP/patch/115/sql/txkChangeProfH.sql SERVRESP)
3. Update the Node Trust Level profile option for the external server to External.
4. Set the Responsibility Trust Level for 'iRecruitment External Candidate' to 'External'
5. Set the profile value 'Self Service Personal Home Page Mode' to 'Framework Only'
6. Set the following values in the context file to appropriate values:
( s_webentryurlprotocol
s_webentryhost
s_webentrydomain
s_active_webport
s_login_page
s_external_url )
7. Enable EBIZ Security
8. Run AutoConfig and start the application on the external web server.
————————-
Or could you please let me know how we can integrate the client job portal with the iRecruitment external candidate without going for a DMZ.
Prakash said
Hi Navdeep,
Also let me know what the different ways are to integrate the customer job portal with Oracle iRecruitment.
I am a bit confused between
(A) Integrating the customer job portal with Oracle iRecruitment external, and
(B) No customer job portal; providing Oracle iRecruitment external candidate access for applicants to apply for jobs (Internet).
Could you please explain what the ways to do this are.
Thanks & Regards,
J.Prakash
Rami said
Hi Navadeep,
How are you? I am planning to write the OCA exam. I already have the Oracle 9i SQL Certification, so now I need to write the Oracle 9i DBA Fundamentals I exam for OCA. I am getting confused about which material and questions I need to prepare for a good percentage. So can you please give me your best suggestion for OCA, i.e. which latest material and questions I need to prepare, as finally I want to get a very good percentage. So please help me in this case.
Thanks a lot in advance
Regards
.,.Rami.,.
Samir said
Hi,
How can multiple iRecruitment URLs across multiple HR business groups be configured so that each business group has its own unique URL and job postings?
Rgds
Samir
Syed Shabuddin said
Hi Navadeep,
I have Oracle Applications 11.5.10.2 with RDBMS 9i and a separate Oracle Application Server AS 10g.
How do I configure a reverse proxy using a DMZ? Please guide me through each step with commands; I will be very thankful to you.
Regards.