How to create an external tier to enable SSL and configure a reverse proxy for Oracle R12

First, create a directory named "tatrac". This directory will be used as the instance top of the external (DMZ-facing) web tier.

After sourcing the apps environment file, clone the existing context file into a new one for the external tier with adclonectx.pl:

cd $COMMON_TOP/clone/bin
perl adclonectx.pl contextfile=/A01/TATTRNG2/inst/apps/TRAINING_london001/appl/admin/TRAINING_london001.xml outfile=/A01/TATTRNG2/tatrac/tatrac_ext.xml

Answer the prompts as follows (the value in brackets is the default; press Enter to accept it).
Target System Hostname (virtual or normal) [london001] : tatrac
Target System Database SID : TRAINING
Target System Database Server Node [tatrac] : LONDANDB
Target System Database Domain Name [] :
Target System Base Directory : /A01/TATTRNG2
Target System Tools ORACLE_HOME Directory [/A01/TATTRNG2/apps/tech_st/10.1.2] :
Target System Web ORACLE_HOME Directory [/A01/TATTRNG2/apps/tech_st/10.1.3] :
Target System APPL_TOP Directory [/A01/TATTRNG2/apps/apps_st/appl] :
Target System COMMON_TOP Directory [/A01/TATTRNG2/apps/apps_st/comn] :
Target System Instance Home Directory [/A01/TATTRNG2/inst] : /A01/TATTRNG2/tatrac
Username for the Applications File System Owner [oracle] :
Group for the Applications File System Owner [oracle] :
Target System Root Service [enabled] :
Target System Web Entry Point Services [enabled] :
Target System Web Application Services [enabled] :
Target System Batch Processing Services [enabled] :
Target System Other Services [disabled] :
Do you want to preserve the Display [london001:0.0] (y/n) : n
Target System Display [tatrac:0.0] :
Do you want the target system to have the same port values as the source system (y/n) [y] ? :
Complete port information available at /A01/TATTRNG2/tatrac/out/TRAINING_tatrac/portpool.lst

Keep the same port values as the source system. If you answer "n", every port in the new context file is re-derived, including the database port, which must keep pointing at the existing database.

Then create the directories the new context file refers to. Read each path out of the context file and create it:

$ grep s_config_home /A01/TATTRNG2/tatrac/tatrac_ext.xml
<config_home oa_var="s_config_home">/A01/TATTRNG2/tatrac/apps/TRAINING_tatrac</config_home>
$ mkdir -p /A01/TATTRNG2/tatrac/apps/TRAINING_tatrac
$ grep s_ora_config_home /A01/TATTRNG2/tatrac/tatrac_ext.xml
<ora_config_home oa_var="s_ora_config_home">/A01/TATTRNG2/tatrac/apps/TRAINING_tatrac/ora</ora_config_home>
$ mkdir -p /A01/TATTRNG2/tatrac/apps/TRAINING_tatrac/ora
$ grep s_logs_dir /A01/TATTRNG2/tatrac/tatrac_ext.xml
<logs_dir oa_var="s_logs_dir">/A01/TATTRNG2/tatrac/apps/TRAINING_tatrac/logs</logs_dir>
$ mkdir -p /A01/TATTRNG2/tatrac/apps/TRAINING_tatrac/logs
$ grep s_pids_dir /A01/TATTRNG2/tatrac/tatrac_ext.xml
<pids_dir oa_var="s_pids_dir">/A01/TATTRNG2/tatrac/apps/TRAINING_tatrac/pids</pids_dir>
$ mkdir -p /A01/TATTRNG2/tatrac/apps/TRAINING_tatrac/pids
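The same four directories can be created from the context file in one go. The script below is an added example, not part of the original post: it reads each oa_var out of the XML, refuses empty or relative paths (AutoConfig expects absolute ones), and creates the directories. It assumes one element per line, which is how adclonectx.pl writes the file; the sample context file it writes is constructed for the demonstration and rooted under a temporary directory instead of /A01/TATTRNG2/tatrac.

```shell
#!/bin/sh
# Added example (not from the original post): create the instance directories
# named in an R12 context file instead of grepping and mkdir-ing by hand.

# ctx_value FILE OA_VAR : print the text of the element whose oa_var matches.
# Assumes one XML element per line, as adclonectx.pl writes the file.
ctx_value() {
    sed -n "s#.*oa_var=\"$2\"[^>]*>\([^<]*\)<.*#\1#p" "$1" | head -n 1
}

# create_inst_dirs FILE : mkdir -p each instance directory the context file
# points at; fail on an empty or relative value rather than create junk.
create_inst_dirs() {
    ctx="$1"
    for var in s_config_home s_ora_config_home s_logs_dir s_pids_dir; do
        dir=$(ctx_value "$ctx" "$var")
        case "$dir" in
            /*) ;;
            *)  printf '%s: %s is empty or not absolute: "%s"\n' "$ctx" "$var" "$dir" >&2
                return 1 ;;
        esac
        mkdir -p "$dir" || return 1
        printf '%s -> %s\n' "$var" "$dir"
    done
}

# write_sample_ctx FILE BASE : constructed stand-in for the relevant lines of
# tatrac_ext.xml, rooted under BASE so the example runs anywhere.
write_sample_ctx() {
    cat > "$1" <<EOF
<oa_context>
<config_home oa_var="s_config_home">$2/apps/TRAINING_tatrac</config_home>
<ora_config_home oa_var="s_ora_config_home">$2/apps/TRAINING_tatrac/ora</ora_config_home>
<logs_dir oa_var="s_logs_dir">$2/apps/TRAINING_tatrac/logs</logs_dir>
<pids_dir oa_var="s_pids_dir">$2/apps/TRAINING_tatrac/pids</pids_dir>
</oa_context>
EOF
}

# demo_dirs : run the whole thing against a throwaway tree and print its root.
demo_dirs() {
    base=$(mktemp -d)
    write_sample_ctx "$base/tatrac_ext.xml" "$base/tatrac"
    create_inst_dirs "$base/tatrac_ext.xml"
    echo "$base"
}
```

On the real system call create_inst_dirs /A01/TATTRNG2/tatrac/tatrac_ext.xml as the applications file system owner, so the directories get that user's ownership.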

Now check port pool usage and port conflicts in the new context file, as described below.

Verify that the java on your PATH is the one from the Applications tech stack (the one the apps environment file sets):
$ which java

Then, if your internal tier uses port pool 7 (HTTP port 8007), start the internal tier services so that their ports are actually bound, and run PortPool against the new context file:

[ bin]$ java oracle/apps/ad/util/PortPool -e /A01/TATTRNG2/tatrac/tatrac_ext.xml -pool 7
Log file located at PortPool_03100747.log

PORT POOL 7 is in use

[ bin]$ grep RC-50204 PortPool_03100747.log
RC-50204: Error: - RPC Port in use: Port Value = 1633
RC-50204: Error: - Web SSL Port in use: Port Value = 4
RC-50204: Error: - ONS Local Port in use: Port Value = 6107
RC-50204: Error: - ONS Request Port in use: Port Value = 6507
RC-50204: Error: - Web Listener Port in use: Port Value = 8007
RC-50204: Error: - OC4J JMS Port Range for Oacore in use: Port Value = 23035
RC-50204: Error: - OC4J JMS Port Range for Forms in use: Port Value = 23535
RC-50204: Error: - OC4J JMS Port Range for Oafm in use: Port Value = 24535
RC-50204: Error: - OC4J AJP Port Range for Oacore in use: Port Value = 21535
RC-50204: Error: - OC4J AJP Port Range for Forms in use: Port Value = 22035
RC-50204: Error: - OC4J AJP Port Range for Oafm in use: Port Value = 25035
RC-50204: Error: - OC4J RMI Port Range for Oacore in use: Port Value = 20035
RC-50204: Error: - OC4J RMI Port Range for Forms in use: Port Value = 20535
RC-50204: Error: - OC4J RMI Port Range for Oafm in use: Port Value = 25535

The individual ports flagged above do have to be changed; the OC4J port ranges do not, because in almost all cases the ranges supplied are large enough to accommodate both web tiers.

Before (note that this is not the only occurrence of 4443 in the context file; check the other occurrences too):
<web_ssl_port oa_var="s_webssl_port" oa_type="PORT" base="4443" step="1"
range="-1" label="Web SSL Port">4443</web_ssl_port>
After:
<web_ssl_port oa_var="s_webssl_port" oa_type="PORT" base="4444" step="1"
range="-1" label="Web SSL Port">4444</web_ssl_port>
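PortPool needs the whole pool to be defined, and its log only tells you which ports collided. The script below is an added example, not from the original post: it does the same local check with plain tools, listing every single-valued oa_type="PORT" element in the context file, flagging the ones already in LISTEN state on this host, and walking up from a base port to find a free one (which is what the s_ons_remoteport edit further down needs). It assumes one element per line, and that ss or netstat is on the PATH when no saved listing is given; the context file and netstat output it writes are constructed samples, mirroring the 8007 and 4443 collisions shown above.

```shell
#!/bin/sh
# Added example (not from the original post): local stand-in for PortPool.

# ctx_ports FILE : print "oa_var port" for each oa_type="PORT" element whose
# value is a single number. DUP_PORT entries and range values (which the post
# says need no change) are skipped.
ctx_ports() {
    sed -n 's/.*oa_var="\([^"]*\)"[^>]*oa_type="PORT"[^>]*>\([0-9][0-9]*\)<.*/\1 \2/p' "$1"
}

# listening_ports [LISTING] : TCP ports in LISTEN state, one per line, sorted.
# LISTING is a saved `ss -ltn` or `netstat -lnt` output for offline use; the
# awk keeps only fields that end in ":<digits>", so "0.0.0.0:*" peers and the
# header lines drop out.
listening_ports() {
    { if [ -n "$1" ]; then cat "$1"
      elif command -v ss >/dev/null 2>&1; then ss -ltn
      else netstat -lnt; fi; } |
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /:[0-9]+$/) { sub(/.*:/, "", $i); print $i } }' | sort -un
}

# port_conflicts CTX [LISTING] : "oa_var port" for every context-file port that
# is already bound. Empty output means the pool is clear.
port_conflicts() {
    used=$(listening_ports "$2")
    ctx_ports "$1" | while read -r var port; do
        if printf '%s\n' "$used" | grep -qx "$port"; then
            printf '%s %s\n' "$var" "$port"
        fi
    done
}

# next_free_port START [LISTING] : first port >= START that is not bound,
# e.g. for s_ons_remoteport / s_oc4j_cluster_nodes.
next_free_port() {
    used=$(listening_ports "$2")
    p="$1"
    while printf '%s\n' "$used" | grep -qx "$p"; do
        p=$((p + 1))
        [ "$p" -lt 65536 ] || return 1
    done
    echo "$p"
}

# write_samples CTX LISTING : constructed context-file lines for pool 7 and a
# netstat-style listing of a host whose internal tier already holds 8007,
# 4443 and the two ONS ports.
write_samples() {
    cat > "$1" <<'EOF'
<oa_context>
<web_port oa_var="s_webport" oa_type="PORT" base="8000" step="1" range="-1" label="Web Listener Port">8007</web_port>
<web_ssl_port oa_var="s_webssl_port" oa_type="PORT" base="4443" step="1" range="-1" label="Web SSL Port">4443</web_ssl_port>
<ons_remoteport oa_var="s_ons_remoteport" oa_type="PORT" base="6200" step="1" range="-1" label="ONS Remote Port">6207</ons_remoteport>
<activewebport oa_var="s_active_webport" oa_type="DUP_PORT" base="8000" step="1" range="-1" label="Active Web Port">8007</activewebport>
</oa_context>
EOF
    cat > "$2" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8007            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4443            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6207            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6208            0.0.0.0:*               LISTEN
EOF
}
```

Run port_conflicts /A01/TATTRNG2/tatrac/tatrac_ext.xml on the internal tier host while its services are up; anything it prints has to be renumbered in the new context file before AutoConfig is run.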

After changing the ports, set the tier flags so that this context file describes a web-only node:
<TIER_DB oa_var="s_isDB">NO</TIER_DB>
<TIER_ADMIN oa_var="s_isAdmin">NO</TIER_ADMIN>
<TIER_WEB oa_var="s_isWeb">YES</TIER_WEB>
<TIER_FORMS oa_var="s_isForms">NO</TIER_FORMS>
<TIER_NODE oa_var="s_isConc">NO</TIER_NODE>
<TIER_NODEDEV oa_var="s_isConcDev">NO</TIER_NODEDEV>
<TIER_WEBDEV oa_var="s_isWebDev">YES</TIER_WEBDEV>

Additional edits

1. Set the webentry point, s_webentryhost, to the reverse proxy server hostname.
Final value = <webentryhost oa_var="s_webentryhost">tatrac</webentryhost>

2. Set the webentry domain, s_webentrydomain, to the domain name of the reverse proxy server.
Final value = <webentrydomain oa_var="s_webentrydomain"></webentrydomain>

3. Set the active webport, s_active_webport, to the reverse proxy listener port.
Final value = <activewebport oa_var="s_active_webport" oa_type="DUP_PORT" base="8000" step="1" range="-1" label="Active Web Port">443</activewebport>

4. Set the webentry protocol, s_webentryurlprotocol, to the protocol of the webentry point, "http" or "https".
Final value = <webentryurlprotocol oa_var="s_webentryurlprotocol">https</webentryurlprotocol>

5. Set the login page, s_login_page, to <webentry protocol>://<webentry point>.<webentry domain>:<active webport>/OA_HTML/AppsLogin. Replace <webentry protocol>, <webentry point>, <webentry domain>, and <active webport> with their respective values.
Final value = <login_page oa_var="s_login_page"></login_page>

6. Set the reverse proxy server address, s_server_ip_address, to the IP address of the reverse proxy server.
Final value = <server_ip_address oa_var="s_server_ip_address"></server_ip_address>

7. Confirm that the value of s_oc4j_cluster_nodes names the actual middle tier host and a free port, not the reverse proxy server. For example:

Original (clearly wrong):
<oc4j_cluster_nodes oa_var="s_oc4j_cluster_nodes"></oc4j_cluster_nodes>
Change (use the internal tier hostname and the new port; this port is the same as s_ons_remoteport, which may be busy, see "Outstanding Issues 1" below):
<oc4j_cluster_nodes oa_var="s_oc4j_cluster_nodes"></oc4j_cluster_nodes>

Final value = <oc4j_cluster_nodes oa_var="s_oc4j_cluster_nodes"></oc4j_cluster_nodes>

Very important:
s_oc4j_cluster_nodes must point at a free port on the internal tier (check with netstat). In our case it is 6212. You also need to change s_ons_remoteport to the same port:
<ons_remoteport oa_var="s_ons_remoteport" oa_type="PORT" base="6200" step="1" range="-1" label="ONS Remote Port">6212</ons_remoteport>

8. If your reverse proxy server is also acting as an SSL accelerator (it terminates SSL), remove the '#' so that ssl_terminator.conf is used in SSL-terminated environments. In XML syntax, this means:

Change the following line from this:
<sslterminator oa_var="s_enable_sslterminator">#</sslterminator>
to this:
<sslterminator oa_var="s_enable_sslterminator"/>

Final value = <sslterminator oa_var="s_enable_sslterminator"/>

With SSL terminated at the proxy, the hop from the proxy to this web tier is plain HTTP on the web listener port, so that port should be reachable only from the reverse proxy host, not from the network the proxy serves.
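The edits in steps 1 to 8 and the tier flags above are mechanical, and a typo in one of them is only found when AutoConfig or the login page fails. The script below is an added example, not from the original post: it applies all of them to a copy of the cloned context file, anchored on each element's oa_var so that attributes such as base/step/range are left alone, and prints the result for review before AutoConfig runs. Assumptions: one element per line; values contain no '#', '&' or '\' (they would need escaping for sed); s_oc4j_cluster_nodes takes "host:port" and s_login_page ends in /OA_HTML/AppsLogin, as in the R12 DMZ note. The sample context file it writes is constructed, with the values a fresh clone of the internal tier would carry.

```shell
#!/bin/sh
# Added example (not from the original post): apply the external-tier context
# file edits in one pass and show the result.

# ctx_value FILE OA_VAR : current text of the element carrying oa_var.
ctx_value() { sed -n "s#.*oa_var=\"$2\"[^>]*>\([^<]*\)<.*#\1#p" "$1" | head -n 1; }

# ctx_set FILE OA_VAR VALUE : replace only the element text; fail loudly if the
# variable is not in the file, so a misspelt oa_var cannot pass silently.
ctx_set() {
    grep -q "oa_var=\"$2\"" "$1" || { echo "$2 not found in $1" >&2; return 1; }
    sed "s#\(oa_var=\"$2\"[^>]*>\)[^<]*\(</\)#\1$3\2#" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# The self-closing element is what switches ssl_terminator.conf on.
enable_ssl_terminator() {
    sed 's#<sslterminator oa_var="s_enable_sslterminator">[^<]*</sslterminator>#<sslterminator oa_var="s_enable_sslterminator"/>#' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# prepare_external_ctx FILE PROXY_HOST PROXY_DOMAIN PROXY_IP PROXY_PORT INTERNAL_HOST ONS_PORT
# Tier flags: web entry only, no DB/admin/forms/concurrent services here.
# Web entry values: what browsers see is the reverse proxy over HTTPS.
# ONS/OC4J: clustering still talks to the real middle tier on a free port.
prepare_external_ctx() {
    ctx="$1" host="$2" domain="$3" ip="$4" port="$5" inthost="$6" ons="$7"
    for flag in s_isDB:NO s_isAdmin:NO s_isWeb:YES s_isForms:NO s_isConc:NO s_isConcDev:NO s_isWebDev:YES; do
        ctx_set "$ctx" "${flag%%:*}" "${flag##*:}" || return 1
    done
    ctx_set "$ctx" s_webentryhost "$host" &&
        ctx_set "$ctx" s_webentrydomain "$domain" &&
        ctx_set "$ctx" s_active_webport "$port" &&
        ctx_set "$ctx" s_webentryurlprotocol https &&
        ctx_set "$ctx" s_login_page "https://$host${domain:+.$domain}:$port/OA_HTML/AppsLogin" &&
        ctx_set "$ctx" s_server_ip_address "$ip" &&
        ctx_set "$ctx" s_ons_remoteport "$ons" &&
        ctx_set "$ctx" s_oc4j_cluster_nodes "$inthost:$ons" &&
        enable_ssl_terminator "$ctx"
}

# show_external_ctx FILE : the values to eyeball before running AutoConfig.
show_external_ctx() {
    for v in s_isWeb s_isWebDev s_webentryhost s_webentrydomain s_active_webport \
             s_webentryurlprotocol s_login_page s_server_ip_address \
             s_ons_remoteport s_oc4j_cluster_nodes; do
        printf '%-24s %s\n' "$v" "$(ctx_value "$1" "$v")"
    done
    grep -q 's_enable_sslterminator"/>' "$1" && echo "ssl_terminator.conf      enabled"
}

# write_sample_ctx FILE : constructed lines as a fresh clone would carry them.
write_sample_ctx() {
    cat > "$1" <<'EOF'
<oa_context>
<TIER_DB oa_var="s_isDB">YES</TIER_DB>
<TIER_ADMIN oa_var="s_isAdmin">YES</TIER_ADMIN>
<TIER_WEB oa_var="s_isWeb">YES</TIER_WEB>
<TIER_FORMS oa_var="s_isForms">YES</TIER_FORMS>
<TIER_NODE oa_var="s_isConc">YES</TIER_NODE>
<TIER_NODEDEV oa_var="s_isConcDev">YES</TIER_NODEDEV>
<TIER_WEBDEV oa_var="s_isWebDev">YES</TIER_WEBDEV>
<webentryhost oa_var="s_webentryhost">london001</webentryhost>
<webentrydomain oa_var="s_webentrydomain"></webentrydomain>
<activewebport oa_var="s_active_webport" oa_type="DUP_PORT" base="8000" step="1" range="-1" label="Active Web Port">8007</activewebport>
<webentryurlprotocol oa_var="s_webentryurlprotocol">http</webentryurlprotocol>
<login_page oa_var="s_login_page">http://london001:8007/OA_HTML/AppsLogin</login_page>
<server_ip_address oa_var="s_server_ip_address">10.0.0.1</server_ip_address>
<ons_remoteport oa_var="s_ons_remoteport" oa_type="PORT" base="6200" step="1" range="-1" label="ONS Remote Port">6207</ons_remoteport>
<oc4j_cluster_nodes oa_var="s_oc4j_cluster_nodes">london001:6207</oc4j_cluster_nodes>
<sslterminator oa_var="s_enable_sslterminator">#</sslterminator>
</oa_context>
EOF
}
```

For the setup in this post the call is prepare_external_ctx /A01/TATTRNG2/tatrac/tatrac_ext.xml tatrac "" <proxy IP> 443 london001 6212, followed by show_external_ctx on the same file; keep a copy of the cloned file first, since the edits are made in place.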


After making the above changes in the context file, run AutoConfig against it (adconfig.sh from $AD_TOP/bin). It prompts for:

Enter the full path to the Context file: /A01/TATTRNG2/tatrac/tatrac_ext.xml
Enter the APPS user password:

Then source the environment file that AutoConfig generates under the new instance top and start the services with the scripts under the new $INST_TOP/admin/scripts (adstrtal.sh).

You can check whether the new instance is working by verifying with netstat that its web port is listening.

Additional changes made in this context file:

<chronosURL oa_var="s_chronosURL"></chronosURL>
<EndUserMonitoringURL oa_var="s_endUserMonitoringURL"></EndUserMonitoringURL>


After configuring the external tier, install and configure Apache as the reverse proxy on the DMZ web host, as described in note 380490.1, for this external tier to work.

Metalink references
Case History: Implementing a Reverse Proxy Alone in a DMZ Configuration - R12 [ID 726953.1]

Oracle E-Business Suite R12 Configuration in a DMZ [ID 380490.1]
