Practical Apps DBA

Oracle Apps DBA’s Blog

Archive for the ‘Advanced configurations’ Category

EBS R12 on IBM P-Series Running RedHat Linux

Posted by Navdeep Saini on April 29, 2008

A few days ago, one of our customers asked an interesting question that caught us a little off guard: is EBS R12 certified for RedHat Linux running on IBM P-series (IBM Power-based systems) or not?

Checking metalink, it looks like it should be just fine. If you go to metalink you will see the following:

This suggests that the Oracle database on Linux running on IBM Power-pSeries runs just fine. However, on a closer look at metalink note:341507.1, you will find that nowhere does it talk of EBS R11i or R12 or related products. Another look at metalink certify:

The important thing to note here is that for the Apps Tier on Linux, only x86 and x86-64 platforms are supported, which means that only processor chipsets like x86 (Intel based), AMD64 and EM64T are supported. Any other processor chip (e.g. IBM P series, which uses the IBM POWER5+ or POWER5 processor) is NOT supported for the APPS TIER, even though it can run Linux (as per RedHat certification: RedHat Enterprise Linux: Server Version comparison chart).

The gist of the discussion is that on IBM Power with Linux (pSeries, iSeries, System p5 and System i5), Oracle EBS can run only in a split configuration. This means the database tier can run on IBM Power with RedHat Linux, while the Apps Tier has to have AIX as its OS. However, if you want to run the Apps Tier on Linux, it has to be on supported chipsets only, e.g. x86, x86-64 etc.


Oracle Apps Migration Path from HP-UX PA-RISC to HP-UX Itanium

Posted by Navdeep Saini on April 7, 2008

Most HP shops running Applications are on PA-RISC based systems. HP plans to offer PA-RISC-based servers through 2008 and support the systems through 2013, and continues to push for Itanium based servers. Apps customers are asking for possible migration paths to port their applications from PA-RISC to Itanium based systems. This post gives a detailed summary of how you can achieve this.

For release 11i, Oracle had certified HP Itanium under “split configuration”, wherein your database node can run on HP-Itanium and the apps tier runs on other supported platforms. Note that as of 11.5.10.2 the Apps Tier is NOT supported on HP-UX Itanium.
Currently Oracle supports the following platforms for its middle tier:

    1. HP Tru64
    2. HP-UX PA-RISC
    3. IBM AIX Based Systems
    4. Linux x86
    5. Solaris Operating System SPARC
    6. Windows 2000/Windows Server 2003 (x86)

However, as of R12, Oracle has certified HP Itanium as a platform for the Apps Tier, which means both your db tier and apps tier can run on HP Itanium. Hence if you are planning to port your applications (both db and apps tier) to HP-UX Itanium, you will have to upgrade to R12 first.

Here are the summarized steps:

Database Tier: Database migration from HP-UX on PA-RISC to HP-UX Itanium (IPF), and from Itanium (IPF) to PA-RISC, by copying the datafiles is possible. Starting with RDBMS 9.2.0.7 and 10.2.0.2, it is supported to copy the database files (control files, redolog/archivelog files, data files) from HP-UX on PA-RISC to HP-UX Itanium (IPF) and from Itanium (IPF) to PA-RISC. While HP-UX on PA-RISC is big endian because of the processor, the Itanium processor adapts to the endianness of the OS and is in this case also big endian. Follow these steps to migrate the db-tier.

    1. Patch the target operating system to the required level and make sure it has all the required OS patches and packages (e.g. ar, cc, aCC, make etc.). For more details check: Oracle Applications Release 12.0.4 Installation Manual

    2. Configure the target system as per Oracle installation and configuration guide.

    3. Install the required Oracle RDBMS software (9.2.0.7 or above, 10.2.0.2 or above) on the target platform (Itanium)

    4. Patch the Oracle RDBMS to the required level.

    5. For copying the database (using tar, cpio, dd etc.) from the source to the target system, create the required volume groups, logical volumes, file systems, raw devices etc. on the target system

    6. Shut down the Oracle database on the source system

    7. Copy all the required Oracle database files, including control files, data files, undo, redo logs, Oracle initialization file etc. to the target system.

    8. If required, regenerate the control file (for example when changing the file locations on the target system).

    9. Set up and configure the Oracle listener etc.

    10. Start up the database on the target system.

Apps Tier: For the Apps tier you will need to install R12 on Itanium (follow: Note 402307.1 – Oracle Applications Installation and Upgrade Notes Release 12 (12.0) for HP-UX Itanium) and upgrade to R12 by running 4440000.drv on the HP-UX Itanium platform.

More to follow on R12 upgrade later in my posts.


DMZ configuration for iRecruitment (Oracle Apps 11i) – Part II

Posted by kalpit on May 4, 2007

This post is in continuation to DMZ configuration for iRecruitment (Oracle Apps 11i) – Part I

1. Creation of the External WebServer 

Clone the internal Oracle E-Business Suite middle tier to the machine that you identified to be the external web tier in the DMZ. Sharing file systems between the external web tiers and the internal middle tiers is not supported in any deployment option. However, sharing file systems such as APPL_TOP between multiple external web tiers or between multiple internal middle tiers is supported.

2. Update Hierarchy Type  

The following profile options are used to construct various URLs in an E-Business Suite 11i environment:

        Applications Web Agent

        Applications Servlet Agent

        Applications JSP Agent

        Applications Framework Agent

        ICX:Forms Launcher

        ICX: Oracle Discoverer Launcher

        ICX: Oracle Discoverer Viewer Launcher

        Applications Help Web Agent

        Applications Portal

        BOM:Configurator URL of UI Manager

        ASO : Configurator URL

        QP: Pricing Engine URL

        TCF:HOST

The default hierarchy type value for the above profile options is Security.

Configuring the E-Business Suite environment for a DMZ requires the hierarchy type of these profile options to be set to SERVRESP. To change the hierarchy type of the profile options to SERVRESP, execute the following SQL script.

    sqlplus apps/apps-passwd @$FND_TOP/patch/115/sql/txkChangeProfH.sql SERVRESP


3. Update Node Trust Level

Oracle E-Business Suite 11i has the capability to restrict access to a predefined set of responsibilities based on the Web server from which the user logs in. This capability is provided by tagging web servers with a trust level. The server trust level indicates the level of trust associated with the web server. Currently, three trust levels are supported:


  • Administrative: Servers marked as Administrative are typically those used exclusively by system administrators. These servers are considered secure and provide access to any and all E-Business Suite functions.
  • Normal: Servers marked as Normal are those used by employees within a company’s firewall. Users logging in from normal servers have access to only a limited set of responsibilities.
  • External: Servers marked as External are those used by customers or employees outside of a company’s firewall. These servers have access to an even smaller set of responsibilities.

Node Trust Level (NODE_TRUST_LEVEL) is a server profile option. The default value for this profile option for all E-Business Suite middle tiers is set to Normal.

Identify the external web tier in your Oracle E-business Suite 11i environment and set the NODE_TRUST_LEVEL profile option value at the server level to External. To change the value of the Node Trust Level profile option value for a particular node, perform the following steps:

  1. Login to Oracle E-Business Suite as sysadmin user using the internal URL
  2. Select System Administrator Responsibility
  3. Select Profile / System
  4. From the ‘Find system profile option Values’ window, select the server that you want to make external
  5. Query for %NODE%TRUST%. You will see a profile option named ‘Node Trust Level‘. The value for this profile option at site level will be Normal. Leave this setting as is
  6. Set the value of this profile option to External at the server level (not site level). The site-level value should remain Normal.

4. Update List of Responsibilities

It’s possible (and recommended) to restrict the general set of Applications Responsibilities based on the application server that you’re using. For example, there should be no reason to allow external users to modify your company’s Chart of Accounts, so that responsibility can’t be used if the end-user is logging in from outside the corporate intranet.

After updating the server-level profile value for Node Trust Level for the external web tier(s) to External, users can no longer see any responsibilities when they login to the external web tier. In order for a responsibility to be available from the external E-Business Suite web tier, set the Responsibility Trust Level profile option value for that responsibility to External at the responsibility level.

To change the value of the Responsibility Trust Level profile option at the responsibility level for a particular responsibility, perform the following steps:

1)     Login to Oracle E-Business Suite as sysadmin user using the internal URL

2)     Select System Administrator Responsibility

3)     Select Profile / System

4)     From the ‘Find system profile option Values’ window, select the responsibility that you want to make external

5)     Query for %RESP%TRUST%. You will see a profile option named ‘Responsibility trust level’. The value for this profile option at site level will be Normal.

6)     Set the value of this profile option for the below responsibilities to External at responsibility level (not site level). The site-level value should remain Normal.


a)    iRecruitment External Candidate
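
The check below is an added example, not part of the original post or of any Oracle tooling. It audits an export of the two trust-level profile options against the rules described above: site level stays Normal, each external node is External at server level, and only approved responsibilities are External. The row layout, the node name extweb01 and the sample rows are constructed for illustration.

```python
# Added example: audit exported trust-level settings for a DMZ deployment.
# ROWS is constructed sample data, not output from a real instance.
SITE, SERVER, RESP = "site", "server", "responsibility"
NODE_OPT, RESP_OPT = "Node Trust Level", "Responsibility Trust Level"

ROWS = [
    # (profile option, level, level value, setting)
    (NODE_OPT, SITE, None, "Normal"),
    (NODE_OPT, SERVER, "extweb01", "External"),            # hypothetical node name
    (RESP_OPT, SITE, None, "Normal"),
    (RESP_OPT, RESP, "iRecruitment External Candidate", "External"),
    (RESP_OPT, RESP, "General Ledger Super User", "External"),  # constructed mistake
]

def audit(rows, external_nodes, approved):
    """Return a list of findings; an empty list means the export matches the rules."""
    findings = []
    node = {(lvl, name): val for opt, lvl, name, val in rows if opt == NODE_OPT}
    resp = {(lvl, name): val for opt, lvl, name, val in rows if opt == RESP_OPT}

    # Both options must keep Normal at site level.
    for label, table in ((NODE_OPT, node), (RESP_OPT, resp)):
        if table.get((SITE, None)) != "Normal":
            findings.append(f"{label}: site-level value is not Normal")

    # Every web tier placed in the DMZ must be tagged External at server level.
    for n in sorted(external_nodes):
        if node.get((SERVER, n)) != "External":
            findings.append(f"node {n}: server-level {NODE_OPT} is not External")

    # An External node shows exactly the responsibilities marked External,
    # so that set should equal the approved list.
    exposed = {name for (lvl, name), val in resp.items()
               if lvl == RESP and val == "External"}
    for r in sorted(exposed - approved):
        findings.append(f"responsibility {r}: External but not on the approved list")
    for r in sorted(approved - exposed):
        findings.append(f"responsibility {r}: approved but not set to External")
    return findings

if __name__ == "__main__":
    for line in audit(ROWS, {"extweb01"}, {"iRecruitment External Candidate"}):
        print(line)
```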

5. Update Home Page Mode to Framework

The new Oracle E-Business Suite 11i Home page based on the Oracle Applications Framework architecture is required for the deployment of the Oracle E-Business Suite in a DMZ configuration. To enable this set the self-service personal home page mode to “Framework Only” as shown in the diagram below.

To change the value of the Home page mode, perform the following steps:

  1. Login to Oracle E-Business Suite as sysadmin user using the internal URL
  2. Select System Administrator Responsibility
  3. Select Profile / System

From the ‘Find system profile option Values’ window, query for %HOME%MODE%. You will see a profile option named ‘Self Service Personal Home Page Mode’. Set the value of this profile option to Framework Only.

homepage.jpg

6. Configuration Details for using Reverse Proxies in DMZ

6.1 Update Oracle E-Business Suite Application Context file

 

On the external Oracle E-Business Suite web node, run AutoConfig. In the Context Detail screen, set the following configuration values:

  • Set the webentry point, s_webentryhost, to the reverse proxy server (hostname).
  • Set the webentry domain, s_webentrydomain, to the domain name of the reverse proxy server (domainname.com).
  • Set the active webport, s_active_webport, to the port where the reverse proxy server listens for client requests. For example port 80 for HTTP or 443 for HTTPS.
  • Set the webentry protocol, s_webentryurlprotocol, to the protocol value the clients use to access the reverse proxy server (https).
  • Set the login page, s_login_page, to <webentry protocol>://<webentry point>.<webentry domain>:<active webport>. Replace <webentry protocol>, <webentry point>, <webentry domain>, and <active webport> with their respective values.

6.2 Enable Oracle E-Business Suite Application Server Security.

The Server Security feature supports authentication of application server machines and code modules in order to access the database. When Server Security is activated, Application Servers are required to supply server IDs (like passwords) and/or code IDs to access a database server. Server IDs identify the machine from which the connection is originating. Code IDs identify the module and patch level from which the connection is originating. Code IDs are included in applications code by development. The database server can be set to allow access only from specific machines and/or by code at a desired patch level.

The application server security feature is not activated by default for pre 11.5.10 E-Business Suite installations.

  1. Set the value of Application Server Security Authentication (s_appserverid_authentication) to SECURE
  2. Run AutoConfig on each Applications middle tier to complete the configuration.
  3. After AutoConfig completes successfully, restart the Oracle HTTP server
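
The script below is an added example, not from the original post or from Oracle. It reads the context variables named in the reverse proxy and Server Security steps and reports any that do not match the intended reverse proxy entry point or are not SECURE. It assumes the context file stores each variable as an XML element carrying an oa_var attribute; the element names, hostnames and values in the sample are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed fragment of an external web tier context file (placeholder values).
SAMPLE_CONTEXT = """<oa_context>
  <webentryurlprotocol oa_var="s_webentryurlprotocol">https</webentryurlprotocol>
  <webentryhost oa_var="s_webentryhost">reverseproxy</webentryhost>
  <webentrydomain oa_var="s_webentrydomain">external.com</webentrydomain>
  <activewebport oa_var="s_active_webport">443</activewebport>
  <login_page oa_var="s_login_page">https://reverseproxy.external.com:443</login_page>
  <appserverid_authentication oa_var="s_appserverid_authentication">OFF</appserverid_authentication>
</oa_context>"""

def context_vars(xml_text):
    """Map each oa_var name to its text, whatever the element name or nesting."""
    root = ET.fromstring(xml_text)
    return {e.get("oa_var"): (e.text or "").strip()
            for e in root.iter() if e.get("oa_var")}

def check_external_tier(xml_text, proxy_host, proxy_domain, proxy_port, proxy_proto="https"):
    """Return a list of problems; an empty list means the values match the steps above."""
    v = context_vars(xml_text)
    problems = []
    expected = {
        "s_webentryhost": proxy_host,
        "s_webentrydomain": proxy_domain,
        "s_active_webport": str(proxy_port),
        "s_webentryurlprotocol": proxy_proto,
    }
    for name, want in expected.items():
        if v.get(name) != want:
            problems.append(f"{name} is {v.get(name)!r}, expected {want!r}")

    # Compare parsed URL parts so that a port such as 4430 cannot pass as 443.
    url = urlsplit(v.get("s_login_page", ""))
    wanted = (proxy_proto, f"{proxy_host}.{proxy_domain}", int(proxy_port))
    if (url.scheme, url.hostname, url.port) != wanted:
        problems.append("s_login_page does not point at the reverse proxy entry point")

    if v.get("s_appserverid_authentication") != "SECURE":
        problems.append("s_appserverid_authentication is not SECURE")
    return problems

if __name__ == "__main__":
    for p in check_external_tier(SAMPLE_CONTEXT, "reverseproxy", "external.com", 443):
        print(p)
```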

6.3 Run AutoConfig and Restart Oracle HTTP Server.

Run AutoConfig on External Server.

    cd $COMMON_TOP/admin/scripts/$CONTEXT_NAME
    adautocfg.sh

Start Oracle HTTP server on External Server.


DMZ configuration for iRecruitment (Oracle Apps 11i) – Part I

Posted by kalpit on March 26, 2007

Purpose:
If you’ve been wondering how to support end-users who’d like to connect to your E-Business Suite environment from outside of your corporate firewall, a combination of a demilitarized zone and a reverse proxy might be an alternative to traditional VPN-based solutions. This document describes methods for making the iRecruitment functionality of Oracle E-Business Suite 11i accessible via the Internet to external users. It describes network topologies and architectures, including the use of reverse proxy servers in demilitarized zones (DMZs), and the use of hardware-based load-balancers in these configurations. For the purpose of clarity I will post this in two parts. Part I will deal with introduction and general information, part II will mainly talk about actual steps.

Introduction to DMZ:
A DMZ (De-Militarized Zone) is a separate part of an organization’s network which is shielded and ‘cut off’ from the main corporate network and its systems. The DMZ contains technical equipment to prevent external parties (say on the Internet) from gaining access to your main systems. In the IT industry, a demilitarized zone is a single or multi-segment perimeter network that demarks the portion of the corporate network that lies between the intranet and outside networks. Corporate DMZ borders are enforced by firewalls and other dedicated networking devices.

DMZ Setup System Requirements:

    1) Reverse Proxy Server:
    Model: HP-Unix
    Host Name: reverseproxy.external.com
    IP Address: 123.123.123.123
    OS: HP-Unix
    OS User: applmgr
    2) External Web Server
    Model: HP-Unix
    Host Name: hostname.external.com
    IP Address: 123.123.123.123
    OS: HP-Unix
    OS User: applmgr
    3) Database Server
    Model: HP-Unix
    Host Name: dbhost.internal.com
    IP Address: 123.123.123.123
    OS: HP-Unix
    OS User: oracle

Please note that we are taking HP-UX as an example OS for the setup. In theory this can be set up on any OS that supports Oracle Apps 11i.

Proposed DMZ Configuration Architecture

 dmz-architecture.JPG

Image taken from metalink note:287176.1

Design Considerations, Assumptions, Limitations:
When configuring Oracle E-Business Suite in a DMZ configuration, firewalls are deployed at various levels to ensure that only the traffic that the architecture expects is allowed to cross the firewall boundaries. The firewalls ensure that if intrusion attempts against machines in the DMZ are successful, the intrusion is contained within the DMZ and the machines in the intranet are not affected. To make Oracle E-Business Suite modules as secure as possible, the following tasks may need to be performed.

  • Use of separate web node for external usage
  • Setting of server level profile values
  • Associate trust levels to application middle tier nodes
  • Mark a subset of responsibilities as available on an external web node
  • Deploy a Reverse proxy in front of the external web node
  • Configuring a URL firewall and mod security in the reverse proxy
  • Run only the required Oracle E-Business Suite Application services on the external web tier

Pre-requisite Patches:

pre-req-table.JPG

This concludes Part I of this main post and I will continue with DMZ setup steps in my next one…..

References:
287176.1 – DMZ Configuration with Oracle E-Business Suite 11i
364439.1 – Tips and Queries for Troubleshooting Advanced Topologies
