DMZ configuration for iRecruitment (Oracle Apps 11i) – Part II
Posted by kalpit on May 4, 2007
This post is a continuation of DMZ configuration for iRecruitment (Oracle Apps 11i) – Part I.
1. Creation of the External WebServer
Clone the internal Oracle E-Business Suite middle tier to the machine that you identified as the external web tier in the DMZ. Sharing file systems between the external web tiers and the internal middle tiers is not supported in any deployment option. However, sharing file systems such as APPL_TOP between multiple external web tiers or between multiple internal middle tiers is supported.
2. Update Hierarchy Type
The following profile options are used to construct various URLs in an E-Business Suite 11i environment:
• Applications Web Agent
• Applications Servlet Agent
• Applications JSP Agent
• Applications Framework Agent
• ICX:Forms Launcher
• ICX: Oracle Discoverer Launcher
• ICX: Oracle Discoverer Viewer Launcher
• Applications Help Web Agent
• Applications Portal
• BOM:Configurator URL of UI Manager
• ASO : Configurator URL
• QP: Pricing Engine URL
• TCF:HOST
The default hierarchy type value for the above profile options is Security.
Configuring an E-Business Suite environment for a DMZ requires the hierarchy type of these profile options to be set to SERVRESP. To change the hierarchy type of these profile options to SERVRESP, execute the following SQL script:
sqlplus apps/apps-passwd @$FND_TOP/patch/115/sql/txkChangeProfH.sql SERVRESP
3. Update Node Trust Level
Oracle E-Business Suite 11i has the capability to restrict access to a predefined set of responsibilities based on the Web server from which the user logs in. This capability is provided by tagging web servers with a trust level. The server trust level indicates the level of trust associated with the web server. Currently, three trust levels are supported:
• Administrative
Servers marked as Administrative are typically those used exclusively by system administrators. These servers are considered secure and provide access to any and all E-Business Suite functions.
• Normal
Servers marked as Normal are those used by employees within a company’s firewall. Users logging in from normal servers have access to only a limited set of responsibilities.
• External
Servers marked as External are those used by customers or employees outside of a company’s firewall. These servers have access to an even smaller set of responsibilities.
Node Trust Level (NODE_TRUST_LEVEL) is a server profile option. The default value for this profile option for all E-Business Suite middle tiers is set to Normal.
Identify the external web tier in your Oracle E-business Suite 11i environment and set the NODE_TRUST_LEVEL profile option value at the server level to External. To change the value of the Node Trust Level profile option value for a particular node, perform the following steps:
- Login to Oracle E-Business Suite as sysadmin user using the internal URL
- Select System Administrator Responsibility
- Select Profile / System
- From the ‘Find system profile option Values’ window, select the server that you want to make external
- Query for %NODE%TRUST%. You will see a profile option named ‘Node Trust Level‘. The value for this profile option at site level will be Normal. Leave this setting as is
- Set the value of this profile option to External at the server level (not site level). The site-level value should remain Normal.
4. Update List of Responsibilities
It’s possible (and recommended) to restrict the general set of Applications Responsibilities based on the application server that you’re using. For example, there should be no reason to allow external users to modify your company’s Chart of Accounts, so that responsibility can’t be used if the end-user is logging in from outside the corporate intranet.
After updating the server-level profile value for Node Trust Level for the external web tier(s) to External, users can no longer see any responsibilities when they log in to the external web tier. In order for a responsibility to be available from the external E-Business Suite web tier, set the Responsibility Trust Level profile option value for that responsibility to External at the responsibility level.
To change the value of the Responsibility Trust Level profile option at the responsibility level for a particular responsibility, perform the following steps:
1) Login to Oracle E-Business Suite as sysadmin user using the internal URL
2) Select System Administrator Responsibility
3) Select Profile / System
4) From the ‘Find system profile option Values’ window, select the responsibility that you want to make external
5) Query for %RESP%TRUST%. You will see a profile option named ‘Responsibility trust level‘. The value for this profile option at site level will be Normal.
6) Set the value of this profile option for the below responsibilities to External at responsibility level (not site level). The site-level value should remain Normal.
a) iRecruitment External Candidate
5. Update Home Page Mode to Framework
The new Oracle E-Business Suite 11i Home page based on the Oracle Applications Framework architecture is required for the deployment of the Oracle E-Business Suite in a DMZ configuration. To enable this, set the self-service personal home page mode to “Framework Only” as shown in the diagram below.
To change the value of the Home page mode, perform the following steps:
- Login to Oracle E-Business Suite as sysadmin user using the internal URL
- Select System Administrator Responsibility
- Select Profile / System
- From the ‘Find system profile option Values’ window, query for %HOME%MODE%. You will see a profile option named ‘Self Service Personal Home Page Mode‘.
- Set the value of this profile option to Framework Only.
6. Configuration Details for using Reverse Proxies in DMZ
6.1 Update Oracle E-Business Suite Application Context file
On the external Oracle E-Business Suite web node, run AutoConfig. In the Context Detail screen, set the following configuration values:
- Set the webentry point, s_webentryhost, to the reverse proxy server (hostname).
- Set the webentry domain, s_webentrydomain, to the domain name of the reverse proxy server (domainname.com).
- Set the active webport, s_active_webport, to the port where the reverse proxy server listens for client requests. For example, port 80 for HTTP or 443 for HTTPS.
- Set the webentry protocol, s_webentryurlprotocol, to the protocol value the clients use to access the reverse proxy server (https).
- Set the login page, s_login_page, to <webentry protocol>://<webentry point>.<webentry domain>:<active webport>. Replace <webentry protocol>, <webentry point>, <webentry domain>, and <active webport> with their respective values.
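The rule above (s_login_page is built from the other four web entry values) can be checked mechanically before AutoConfig is run. The following shell check is an added example, not part of the original post or of Oracle's tooling: the context-file fragments, host names and the internal host name `ebsint01` are constructed, the XML layout is an assumption, and only the oa_var names come from the text.

```shell
#!/bin/sh
# Added example: consistency check for the web entry values of an external tier.

# Print the value of one oa_var from a context file (first match only).
ctx_value() {
    sed -n "s/.*oa_var=\"$2\"[^>]*>\([^<]*\)<.*/\1/p" "$1" | head -n 1
}

# check_webentry CONTEXT_FILE INTERNAL_HOST
# Prints one line per problem; the exit status is the number of problems.
check_webentry() {
    ctx=$1; internal=$2; problems=0
    proto=$(ctx_value "$ctx" s_webentryurlprotocol)
    host=$(ctx_value "$ctx" s_webentryhost)
    domain=$(ctx_value "$ctx" s_webentrydomain)
    port=$(ctx_value "$ctx" s_active_webport)
    login=$(ctx_value "$ctx" s_login_page)

    # Every value named in the procedure must be present.
    for pair in "s_webentryurlprotocol=$proto" "s_webentryhost=$host" \
                "s_webentrydomain=$domain" "s_active_webport=$port" \
                "s_login_page=$login"; do
        if [ -z "${pair#*=}" ]; then
            echo "MISSING  ${pair%%=*}"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ] || return "$problems"

    # Protocol and well-known port must agree (80 = HTTP, 443 = HTTPS).
    case "$proto:$port" in
        https:80|http:443)
            echo "MISMATCH protocol $proto on port $port"
            problems=$((problems + 1)) ;;
    esac

    # s_login_page = <protocol>://<entry point>.<domain>:<port>[/path]
    expected="$proto://$host.$domain:$port"
    case "$login" in
        "$expected"*) ;;
        *) echo "MISMATCH s_login_page=$login does not start with $expected"
           problems=$((problems + 1)) ;;
    esac

    # The internal tier's host name must not survive the clone.
    if [ -n "$internal" ]; then
        case "$host $login" in
            *"$internal"*)
                echo "LEAK     internal host $internal still referenced"
                problems=$((problems + 1)) ;;
        esac
    fi
    return "$problems"
}

# Write a constructed context-file fragment (layout is an assumption).
write_sample() {
    cat > "$1" <<EOF
<oa_context>
  <oa_web_server>
    <webentryurlprotocol oa_var="s_webentryurlprotocol">$2</webentryurlprotocol>
    <webentryhost oa_var="s_webentryhost">$3</webentryhost>
    <webentrydomain oa_var="s_webentrydomain">$4</webentrydomain>
    <activewebport oa_var="s_active_webport" oa_type="PORT">$5</activewebport>
    <login_page oa_var="s_login_page">$6</login_page>
  </oa_web_server>
</oa_context>
EOF
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# good: all values point at the reverse proxy.
write_sample "$SAMPLE_DIR/good.xml" https recruit example.com 443 \
    "https://recruit.example.com:443/oa_servlet/AppsLogin"
# cloned: context copied from the internal tier and never edited.
write_sample "$SAMPLE_DIR/cloned.xml" http ebsint01 corp.example.com 8000 \
    "http://ebsint01.corp.example.com:8000/oa_servlet/AppsLogin"
# partial: entry values updated, login page forgotten.
write_sample "$SAMPLE_DIR/partial.xml" https recruit example.com 443 \
    "http://ebsint01.corp.example.com:8000/oa_servlet/AppsLogin"

for name in good cloned partial; do
    echo "== $name.xml"
    if check_webentry "$SAMPLE_DIR/$name.xml" ebsint01; then
        echo "OK"
    else
        echo "$? problem(s)"
    fi
done
```

Against a real tier, pass the path of the external node's context file and the short host name of the internal middle tier.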
6.2 Enable Oracle E-Business Suite Application Server Security
The Server Security feature supports authentication of application server machines and code modules in order to access the database. When Server Security is activated, Application Servers are required to supply server IDs (like passwords) and/or code IDs to access a database server. Server IDs identify the machine from which the connection is originating. Code IDs identify the module and patch level from which the connection is originating. Code IDs are included in applications code by development. The database server can be set to allow access only from specific machines and/or by code at a desired patch level.
The application server security feature is not activated by default for pre-11.5.10 E-Business Suite installations.
1) Set the value of Application Server Security Authentication (s_appserverid_authentication) to SECURE.
2) Run AutoConfig on each Applications middle tier to complete the configuration.
3) After AutoConfig completes successfully, restart the Oracle HTTP server.
6.3 Run AutoConfig and Restart Oracle HTTP Server
- Run AutoConfig on the external server:
  cd $COMMON_TOP/admin/scripts/$CONTEXT_NAME
  adautocfg.sh
- Start the Oracle HTTP server on the external server.

Sumil said
Hi
Any idea how we can implement SSL on DMZ? I will be going in for a VeriSign certificate. I have done DMZ without reverse proxy.
Would really appreciate any advice.
Thanks
Sumil
Kalpit said
Hi Sumil,
I apologize for the late reply.
Which layer are you planning to implement SSL on (web server or database)? If you are planning to configure SSL with the Oracle database server (required for iStore, iRecruitment, etc.), you have to import the VeriSign certificate using Oracle Wallet Manager (OWM) and need to set the “Oracle Wallet Directory” profile.
Please check DocId: 123718.1 (11i: A Guide to Understanding and Implementing SSL for Oracle Applications) and DocId: 300969.1 (Troubleshooting SSL with Oracle Applications 11i) for more details.
Thanks,
kalpit
Navdeep Singh said
We have implemented SSL on irecruitment by importing verisign and root certificate parts of the certificate into the Oracle Wallet and setting up oracle wallet profile.
Thanks
Navdeep
Mohammad Muhtadi said
I have a customer who is planning to implement SSL for Oracle iRecruitment (Version: 11.5.10.2) that is going to be deployed in a DMZ configuration.
As I know, SSL can be implemented on 3 layers: HTTP Web Server, Form Server, and Database Server Layer.
My question is: can they configure SSL for the Web Server Layer only, or is it required to configure SSL for the Database Layer also?
Please advise.
Kalpit said
Mohammad,
The iRecruitment product requires SSL to be configured for the Database Layer.
‘Let me try to explain why they need proper setup of wallets on database.
iRecruitment ships with five different seeded resume templates in HTML folder on the application server. Database needs to pull in these different templates as necessary for resume generation. For this, database uses the URL specified in APPS_FRAMEWORK_AGENT (at the appropriate level) to make a request for the templates. Since this URL is set to https, that is where database tries to connect to. This database request is failing in their case because of the lack of proper certificate setup on database side.’
Please let me know if you need more information.
Nikhil Mistry said
Navdeep,
Thanks for your article on the website here.
I am currently searching for documents to implement DMZ for our iSupplier project.
We are considering Figure 10 in the 11i DMZ document.
To do this we have to download Apache from apache.org without source code
(this is the trouble part for me, since it is without source code I cannot find any way to compile it on Windows server) and then move on to configuring Apache for reverse proxy. Any help will be appreciated.
Nikhil
nikhil.mistry@eon-us.com
678-849-3743
SRP Apps DBA said
iRecruitment product requires to configure SSL for Database Layer.
——————–
Hi
We completed our iRecruitment setup on the DMZ server, and it failed on the last step as you mentioned. Oracle asked us to configure WM (Oracle Wallet Manager) and a certificate on the Database Tier.
Our architecture:
1 Internal Tier with full HR and Finance implementation,
1 External SSL-enabled Tier with iRecruitment,
1 Database server.
Both the Internal and Database tiers are inside the network, and External (DMZ) is behind a firewall.
I have a doubt here: while configuring OWM on the database, do we need to request a separate certificate for the Database server,
or can I use the same certificate which I got for the External Tier?
Please help me.
Kalpit said
Hi,
You don’t need a separate certificate for the database. You can copy the same certificate from the external server and import it into the database.
Please let me know if you need more information.
Thanks,
kalpit
SRP Apps DBA said
Hi, thanks a lot for your response. I prepared a set of instructions to implement.
I need one last clarification. If we configure Wallet Management and apply the certificate, will there be any access issues for regular internal Apps users?
SRP Apps DBA said
The instructions prepared are:
Section 1.3. Oracle Database Server
Oracle products such as Oracle Configurator, Order Management, iStore, Order Capture, Quoting, iPayment, iStore, and Pricing access data over the Internet in HTTP or HTTPS connection mode. The implementation of SSL for the Oracle database server which acts as a client sending requests to the Web server makes use of the Oracle Wallet Manager for setting up an Oracle wallet.
How SSL works with Oracle Database Server
The UTL_HTTP package is used for making HTTP callouts from SQL and PL/SQL to a Web node (Oracle HTTP server).
When the package fetches data from a Web site using HTTPS, it needs to specify the location to the Oracle wallet that resides on the database server. This wallet contains the certificate for the Certifying Authority (CA) who signed the Web node’s server certificate.
Option 2.3. Certificate Provisioning for Oracle Database Server
Oracle products such as Oracle Configurator, Order Management, iStore, Order Capture, Quoting, iPayment, iStore, and Pricing rely on the Oracle Wallet to establish a successful connection in SSL mode from the Database tier. This section contains instructions for the SSL Set-up for Oracle Database Server using the Oracle Wallet Manager.
Use Wallet Manager to create the wallet on the database server
E-Business Suite 11i10 customers using the Oracle Configurator batch validation feature (Order Management, iStore, Order Capture and Quoting) as well as all E-Business Suite 11i customers using iPayment (since 11i9) and Pricing need to create a wallet on the database tier containing the certificate for the Certifying Authority (CA) who signed the Middle Tier’s server certificate and have auto login enabled.
This section contains instructions to modify configuration files and profiles that may be maintained by the AutoConfig infrastructure.
1. Apply any pre-requisite patches
If your E-Business Suite system is 11.5.9 or below and you are using AutoConfig to manage your system, apply the Techstack Advanced Utilities patch (bug ref 2864765) and any pre-requisite patches.
If your E-Business Suite system is 11.5.9 or below and you are not using AutoConfig, you will need to apply the patch for bug ref 3797160 and any pre-requisite patches.
These patches are shipped with 11.5.10.
Patch No | Description | Comments
3797160 | Provides new profile definition for FND_DB_WALLET_DIR | for non AutoConfig-enabled
2864765 | Advanced Utilities Patch | for AutoConfig-enabled
2. Create a wallet directory on the database tier
Log on to the database tier as the user that owns the oracle files
Source the environment on the database tier.
Create a directory under $ORACLE_HOME/appsutil to hold the new wallet using the following command:
% mkdir $ORACLE_HOME/appsutil/wallet
3. Start Wallet Manager
On UNIX, as the oracle user on the database-tier node,
Change to the wallet directory that you have just created.
% cd $ORACLE_HOME/appsutil/wallet
Ensure that your environment is correctly sourced.
Set the DISPLAY variable to display to the IP address from where you are working. For example:
% export DISPLAY=138.22.155.16:0.0
where 138.22.155.16 is the IP address of your workstation.
For LINUX only – set the environment variable THREADS_FLAG=native. For example:
% export THREADS_FLAG=native
Run owm, which is located under the $ORACLE_HOME/bin directory of the Database tier. For example:
% $ORACLE_HOME/bin/owm &
On Windows NT/2000, run Oracle Wallet Manager using Start > Programs > Oracle for Windows NT > Oracle Wallet Manager
or Start > Programs > Oracle for Windows NT > Integrated Management Tools > Wallet Manager.
4. Create a new wallet
On the Oracle Wallet Manager Menu:
Navigate to Wallet -> New.
Select No when prompted with the message:
“Your default directory doesn’t exist. Do you wish to create it now?”
In the New Wallet dialogue box, create a Wallet Password and click OK.
Make sure you remember this password. You will be prompted for the password each time you open this wallet with Oracle Wallet Manager.
Select No when prompted with the message:
“A new empty wallet has been created. Do you wish to create a certificate request at this time?”
Oracle Wallet Manager includes the certificates for the most common CAs every time a new wallet is created. If the CA who signed your server certificate is not in the default listing, follow these instructions to include CA Certificates:
Access your web page.
Double-click on the padlock at the bottom of the page to view the Certificates.
NOTE:
If there is no padlock, then on the top toolbar select File->Properties->Certificates
Click on the Certification Path Tab.
For each certificate listed:
Click View Certificate
Click Details Tab
Click Copy to File – follow directions and export in the Base 64 encoded X.509 (.CER) format.
FTP these files in binary mode to the db tier and import into your wallet.
5. Be sure the AutoLogin feature is checked.
When the AutoLogin feature is checked the wallet can be accessed by OS processes (i.e. sqlplus) that are owned by the same owner who created the wallet. To open the wallet using Oracle Wallet Manager a password will still be required.
NOTE: On Windows NT/2000, the wallet files must be generated and owned by the same user that starts up both the Database and Listener services.
6. Save the wallet
Save the wallet in $ORACLE_HOME/appsutil/wallet and exit Wallet Manager.
Option 3.3 Configuring SSL with Oracle Database Server
Step 3.3.1. Required Patches and Prerequisite Steps
If your E-Business Suite system is 11.5.9 or below and you are using AutoConfig to manage your system, apply the following prerequisite patches to all Web, Forms, Admin, and Concurrent Processing nodes. The following patches are shipped with the E-Business Suite Release 11.5.10.
Patch No | Description | Comments
2864765 | Advanced Utilities Patch | for AutoConfig-enabled
Before proceeding with the configuration, you must also have completed Chapter 2, Option 2.3 – Certificate Provisioning for Oracle Database Server to create the necessary wallet files.
Step 3.3.2. Configuring SSL with Oracle Database Server
Update the Database Wallet Directory profile option using AutoConfig
Perform the steps listed below to update the Database Wallet Directory profile option value. Note that the Techstack Advanced Utilities Patch Rollup A (bug ref 2864765) and any pre-requisite patches must have been applied as required in step 3.3.1.
Follow Oracle MetaLink to copy AutoConfig to the RDBMS ORACLE_HOME under the section titled “Section 5: Maintaining System Configurations”.
Run AutoConfig on the database-tier node as per Oracle .
Option 5.3 Verifying SSL Set-up for Oracle Database Server
Test wallet setup
To test that the wallet is properly set up and accessible, login to SQLPLUS as the apps user and execute the following:
select utl_http.request('[address to access]', '[proxy address]', 'file:[full path to wallet directory]', null) from dual;
where:
'[address to access]' = the URL for your Oracle Applications Rapid Install Portal, for example: 'https://www.oracle.com:4443'
'[proxy address]' = the URL of your proxy server, or NULL if you are not using a proxy server, for example: 'http://proxy.com:80'
'file:[full path to wallet directory]' = the location of your wallet directory, for example: 'file:/d1/dg02db/9.2.0/appsutil/wallet'
The final parameter is the wallet password, which is set to null by default.
NOTE:
You must use the prefix 'file:' and only the directory is specified, not the actual wallet files.
Examples:
select utl_http.request('https://www.oracle.com:4443', 'http://proxy.com:80', 'file:/d1/dg02db/9.2.0/appsutil/wallet', null) from dual;
select utl_http.request('https://www.oracle.com:4443', null, 'file:/d1/dg02db/9.2.0/appsutil/wallet', null) from dual;
If the wallet has been properly set up, you will be returned the first 2,000 characters of the html page.
If you receive any errors check the following:
For AutoConfig enabled instances:
Be sure you have followed the instructions in Oracle MetaLink Note 165195.1 under the section titled “Section 5: Maintaining System Configurations” to copy AutoConfig to the RDBMS ORACLE_HOME and Run AutoConfig on the database tier node.
For non AutoConfig enabled instances:
Be sure the Database Wallet Directory profile option exactly matches the location of the wallet directory.
Appendix D. Converting OpenSSL Certificates to Wallet Format for use with Web Cache
Using Web Cache with SSL requires an Oracle Wallet. Your existing Apache server.key, server.crt, and ca.crt files on the Applications Middle Tier can be converted into an Oracle Wallet format using the following instructions and openssl version 0.9.7 or higher.
Copy the existing server.crt, ca.crt, and server.key files from $COMMON_TOP/admin/certs/apache/ssl.crt and $COMMON_TOP/admin/certs/apache/ssl.key directories to a temporary directory.
Run the following command, which will combine the certificate’s public key, private key and root certificate into one file which can be imported into Oracle Wallet Manager.
/usr/bin/openssl pkcs12 -export -descert -in server.crt -inkey server.key -certfile ca.crt -name <name> -out ewallet.p12
where <name> is a name you give for the certificate and private key.
You will be prompted to Enter Export Password:
This password will be required to open the wallet.
Copy ewallet.p12 to Webcache wallet directory as the user who owns the Web Cache file system.
If you FTP the file be sure to do so in binary mode.
Ensure that your Web Cache environment is correctly sourced.
Enable AutoLogin for the wallet
Set the DISPLAY variable to display to the IP address from where you are working.
For example: % export DISPLAY=138.22.155.16:0.0
where 138.22.155.16 is the IP address of your workstation.
For LINUX only – set the environment variable THREADS_FLAG=native.
For example: export THREADS_FLAG=native
Run owm, which is located under the $ORACLE_HOME/bin directory.
For example: $ORACLE_HOME/bin/owm &
On Windows NT/2000, run Oracle Wallet Manager using Start > Programs > Oracle for Windows NT > Oracle Wallet Manager or Start > Programs > Oracle for Windows NT > Integrated Management Tools > Wallet Manager.
On the Oracle Wallet Manager Menu:
Navigate to Wallet -> Open
Select Yes when prompted with the message:
“Your default directory doesn’t exist. Do you wish to continue?”
Use the Select Directory window to navigate to your wallet directory.
Click OK and enter the wallet password when prompted to open the wallet.
On the Oracle Wallet Manager Menu:
Be sure the AutoLogin feature is checked.
When the AutoLogin feature is checked the wallet can be accessed by OS processes (i.e. sqlplus) that are owned by the same owner who created the wallet. To open the wallet using Oracle Wallet Manager a password will still be required.
Save the wallet and exit.
You should now have the following wallet files in your wallet directory.
ewallet.p12
cwallet.sso
Kalpit said
Hi,
Internal apps users should not have any issue.
The Oracle database will only use OWM when you make an HTTPS call to the external server from the database server.
SRP said
Hi Kalpit
Thanks for your response, we were able to implement in production successfully.
Do you have any instructions for applying patches on the DMZ server?
How do I apply a patch on both the internal and external tiers?
I applied the OTA patchset on the internal tier. Now I need to apply it on the external tier.
Could you give me instructions?
Kalpit said
You have to apply patches separately on External server and only copy and generate portions.
adpatch options=nodatabaseportion
Thanks,
Kalpit
Azeem said
select node_name, support_cp, support_web, support_admin, support_forms
from FND_NODES;
This is showing more than one node, but my installation is done on one system. Should I delete it and commit? Will it solve the issue? Reports output is not working through Oracle Apps 11i.
SRP said
Hi
I want to configure second external Apps Tier on my DMZ server, which points to a separate database.
The current Apps Tier is running in SSL mode on 443 port.
For the second Apps Tier, which port number can I use?
Could you help me with this?
And also could you help me with the following:
• FND Java Cache Port Range (s_fnd_cache_port_range)
On the current system, this value is set to a range (36500-36503) that corresponds to the highest number (4) of OACore JVMs on any middle tier.
The new Apps Tier will be pointing towards a middle tier which has only one Jserv. Which port number should I use here?
Navdeep Saini said
SRP
You cannot use the same ports for a second apps tier on the same machine. You will have to choose some other port and since 443 is already taken, you cannot have SSL for it. To achieve this you will need a separate machine for the second apps tier.
As for s_fnd_cache_port_range, the value is set according to highest number of JVMs in your external and Internal middle tiers. In your case it is 4 on external and 1 on internal, so you will have to take 4 and choose a separate set of 4 ports.
regards
Nav
Husam said
Hi,
I am wondering if you have any info or views on using ASO/ANO under E-Business and how can it be used, if at all, in E-Business DMZ installations?
Further, I am also wondering if you have recommendations for Web-Cache in DMZ configuration?
Thanks
Husam
Husam said
I also would like to ask about your recommendation about best practices/approach/methodology and project plan to implement DMZ installation under an existing installation?
Thanks
Husam
JuniorDBA said
I would like to know how to Test :
1) Connectivity between DMZ Server and Application Server
2) Application Server to Database Server
3) Load Balancer to Application Server / Database Server
Please suggest the sequence of Steps to check the connectivity between these layers which will be immensely helpful for Troubleshooting.
Thanks,
sandeep sulakhe said
Hi,
In an SSO enabled EBS, how can we provide a non-SSO login page to external users once they complete their registration? Because when an external user is registered it will create only a LOCAL EBS user, and he will have no entries in the OID and LDAP.
Thanks,
Sandeep
JuniorDBA said
Hi Navdeep,
Could you please give the information requested before:
I would like to know how to Test :
1) Connectivity between DMZ Server and Application Server
2) Application Server to Database Server
3) Load Balancer to Application Server / Database Server
Please suggest the sequence of Steps to check the connectivity between these layers (Telnet, FTP Tests etc.) which will be immensely helpful for Troubleshooting.
Thanks,
JuniorDBA said
Hi,
Can anyone provide update for the information
requested above.
Thanks,
Junior DBA
Tayyab said
Hi Guys,
I have some questions on iRecruitment and SSO and I hope someone will be able to help me with this.
We are implementing SSO for an E-Business Suite 12 environment. Some of the modules are in the DMZ, and iRecruitment and iSupplier would be accessed from the internet. Since SSO is all deployment choice, we have SSO for all the users (including internet users).
Our security practice has raised some concerns over the SSO usage for iRecruitment and iSupplier.
1. Password management policy for internet users. Let us suppose a user is created on the iRecruitment portal. Can we have a different encryption method for such users? In other words, can we have separate user management for internet users? Below are the main concerns raised by security.
What if we want to enforce user naming for iRec users? What if someone creates users with different formats (e.g. one user may choose first.last name, another may choose first initial.last name, and someone may use email as the username)? Are there any security features available for internet users who would be accessing iRecruitment and iSupplier? All the below questions are on the same lines.
2. What if an iRecruitment user forgets the password? How can he request to change it? In a normal E-Business Suite environment we are aware of the process. What is the case for internet users with SSO enabled?
3. What if someone creates a thousand users on the iRec portal? Are there any built-in security features available?
Any comments would be appreciated.
Regards,
Tayyab
Navdeep Saini said
Sandeep
When any user registers, whether external or internal (created by sysadmin) it goes to EBS fnd_user.
If you have implemented SSO with OID, then you also have configured synchronization of users with fnd_user and OID. By default it is two-way synch between OID and fnd_user. Hence you don't need to provide any separate link for external users, they will already be in OID.
regards
Nav
Navdeep Saini said
Tayyab
I think I answered this already:
http://practicalappsdba.wordpress.com/2007/03/26/dmz-configuration-for-irecruitment/#comment-2597
regards
Nav
Sam said
Hi Nav,
A customer that has got an Entrust certificate wants to use it with iRecruitment, has placed an external Apps Server in the DMZ, and has BlueCoat Reverse Proxy in DMZ with no firewall between BlueCoat and External Apps Server in the DMZ. My questions to you and colleagues are as follows:
- I am not sure what the certificate type is since there is the root certificate, Extended Validation SSL Certificates, Advantage, Standard, and Unified certificates? The certificate does not seem to load successfully in the DB Wallet. How can I technically check this certificate? What is normally needed?
- Should I directly load the certificate in the Wallet on the DB side or should the Apps Server sign the certificate? What are the required steps (in as much detail as possible)?
- What is needed to be done on the BlueCoat side and, if possible, how?
- Is this setup supported by Oracle?
Thanks
Sam
Ravi said
Hi Navdeep,
Great article. I have implemented a DMZ node for EBS. The DMZ node is supposed to provide access to several external sites, (such as ADP, and other HR related sites) via menu options. It appears that the DMZ node always converts all links to https, whereas some of the external sites do not support https. Is there a way to prevent the apache server from converting the links to https?
Thanks,
Ravi
Jibran said
Hi friends,
Any idea how to change the URL address in Oracle Applications 11i?
Waiting for your response.
Thanks
Regards
Jibran
Oracle Apps DBA
Satya said
I owe you a ton. I raised a SEV 1 TAR since a newly created iRec responsibility was not available on the external site. They made me do all sorts of things.
But I set the profile Responsibility Trust Level to external as per this page and it worked.
Thank you so much.
Craig said
Will this same setup work with Oracle's iSupplier? I have an issue where you can log into iSupplier through the DMZ but you get an error saying
Error: Cannot Display Page
You cannot complete this task because one of the following events caused a loss of page data:
Your login session has expired.
A system failure has occurred.
Any ideas?
Thanks
Craig
DBA
Narayana said
Hi Navdeep
We have implemented DMZ for the iRecruitment module, and SSO (AD->OID->Apps is the sync) is enabled for our E-Business Suite.
Authentication works for internal users. When a NEW external user tries to register on the iRecruitment portal it works and an entry gets created in OID and EBiz, but when the same user logs out and tries to log in again we get an "authentication failed, please try again" error.
In brief: a new external user can register, but when he tries to log in again it fails.
We are using the AD->OID->Ebiz sync approach.
Waiting for your response.
Thanks,
narayana
Nikhil said
Hi,
We are trying to implement SSL for iRecruitment, and as I understand from the above posts and MetaLink documents, I need to set up wallets in the database.
But my question is: what happens to the communication between the external web tier and the client? How is that getting encrypted? Do we need to set up SSL on the external web tier as well? If yes, do I need to buy two certificates from VeriSign?
Also, I browsed through VeriSign, and it seems that they have a lot of certificates available. Which one should be opted for Oracle EBS 11i?
Thanks,
Nik
Syed Shabuddin said
Hi
How do I create the external web server? Please guide me.
syed.shabuddin@hotmail.com
Rajesh cs said
Hi
We are in the process of implementing the iSupplier module in an R12 instance, and we are trying to configure it for external users through the internet.
We followed the document 380490.1 Oracle E-Business Suite R12 Configuration in a DMZ.
We are planning to follow the method Option 2.4: Using Reverse Proxies only in DMZ.
We have the following architecture:
External suppliers will log in using the URL xxx.xxx.xx:443,
which will connect to the reverse proxy server rever.xx.xx on port 443. We are using the Pound reverse proxy; on the backend service we have given the value of the virtual external web tier address.
I have doubts about the configuration. Can anybody help me?
What values do I have to give for the following parameters? Oracle SR has not helped me.
s_Webentry_point :
s_web_host :
s_external_url :
s_web_entry_host :
S_web_entry_domain :
S_active_webport :
s_webentryurlprotocol :
s_login_page :
s_help_web_agent :
Thanks & Regards
Rajesh cs
Rajesh cs said
Hi Gurus
Please update me on DMZ setup