Configuring Reverse Proxy in front of OracleAS 10g SSO January 17, 2007
Posted by Manpreet Johal in Identity Management, Oracle Application Server.
The OracleAS 10g Middle-Tier talks to OracleAS 10g Single Sign-On (a component of the OracleAS Infrastructure), which authenticates OracleAS application users against the LDAP directory store, Oracle Internet Directory (OID).
The OracleAS Infrastructure includes an Oracle HTTP Server that acts as the web listener for Single Sign-On and Delegated Administration Services (DAS). Whenever an end user accesses an SSO-protected URL (a middle-tier application such as Portal or Wireless), the request is redirected to OracleAS SSO, which serves the login page through the infrastructure tier's Oracle HTTP Server. The SSO login page, and the redirects that lead to it, therefore carry the hostname and port of the Oracle HTTP Server running on the OracleAS Infrastructure node.
Sometimes the business needs to hide the OracleAS Infrastructure hostname and port for security reasons. This is where a reverse proxy comes in: end users and OracleAS Middle-Tier applications send their requests to the reverse proxy's hostname and port, and the proxy fetches the content from the OracleAS Infrastructure and serves the response.
The result is a tighter exposure model: end users and applications see only the reverse proxy's hostname and port, never the URL of the OracleAS Infrastructure services themselves. Note that this only holds if the infrastructure listener is not itself reachable from the client network (for example, a firewall rule that admits port 7777 on the infrastructure node only from the proxy); the reverse proxy hides the address, it does not block a direct connection to it.
So, let us configure a reverse proxy in front of the OracleAS Infrastructure. I have used Oracle HTTP Server Standalone 10.1.2 [based on Apache 2.0] (OracleAS 10g 10.1.2.0.2 Media – Companion CD) as the reverse proxy. Assume that my OracleAS 10g 10.1.2.0.2 Portal and Wireless installation is functional, with the Infrastructure and the Middle-Tier on two separate nodes and the reverse proxy on a third:
OracleAS Infrastructure Services Node:
URL: http://infra.mycompany.com:7777/
OS User: oracle
Node: infra
OracleAS Middle-Tier Services Node:
URL: http://portal.mycompany.com:7777/
OS User: oracle
Node: portal
Oracle HTTP Server (Reverse Proxy) Node:
URL: http://proxy.mycompany.com:7777/
OS User: oracle
Node: proxy
Install Oracle HTTP Server Standalone 10.1.2 on the node named proxy. During installation, choose Web Services 10.1.2.0.0 as the Product and Oracle HTTP Server (based on Apache 2.0) as the Installation Type. After installation, the standalone OHS is functional at http://proxy.mycompany.com:7777
1. Navigate to the OHS Standalone Home/ohs/conf directory. Edit httpd.conf to add the following directives in their respective sections. The LoadModule lines go with the other LoadModule directives (mod_proxy_connect only serves the CONNECT method of a forward proxy and is not needed for reverse proxying, but loading it is harmless while ProxyRequests is Off):
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
Then add the proxy configuration. ProxyRequests Off is essential: it keeps the server from acting as an open forward proxy, so the ProxyPass rules are the only forwarding that takes place:
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://infra.mycompany.com:7777/
ProxyPassReverse / http://infra.mycompany.com:7777/
Note that ProxyPass / forwards every path of the infrastructure listener, including its administrative URLs, to anyone who can reach the proxy; restrict the <Proxy> container, or proxy only the paths the applications need, if that is not intended.
2. Restart OHS.
At this stage the standalone OHS is functional as a reverse proxy: requests to http://proxy.mycompany.com:7777/ are served from the infrastructure tier, but the SSO login page and its redirects still carry infra.mycompany.com:7777 until the infrastructure tier is reconfigured below.
Now let us make the changes at the OracleAS Infrastructure tier.
1. Navigate to the $ORACLE_HOME/Apache/Apache/conf directory.
2. Edit httpd.conf to set the following directives to the corresponding values (Apache builds its self-referencing redirects from ServerName and Port when UseCanonicalName is on, the default, so they must name the proxy rather than the local listener):
KeepAlive off
ServerName proxy.mycompany.com
Port 7777
3. Add a VirtualHost container for the listener port at the end of httpd.conf:
<VirtualHost *:7777>
RewriteEngine On
RewriteOptions inherit
</VirtualHost>
4. Save httpd.conf and update the DCM repository:
$ dcmctl updateconfig -ct ohs -v -d
5. Point the SSO server home URL at the reverse proxy (arguments are protocol, hostname, port):
$ORACLE_HOME/sso/bin/ssocfg.sh http proxy.mycompany.com 7777
6. Re-register mod_osso on the infrastructure tier (the SSO server's own partner-application entry) with the reverse proxy hostname and port:
$ORACLE_HOME/sso/bin/ssoreg.sh \
-oracle_home_path $ORACLE_HOME \
-site_name inf1012.infra.mycompany.com \
-config_mod_osso TRUE \
-mod_osso_url http://proxy.mycompany.com:7777
7. Log in to OID with oidadmin (Oracle Directory Manager) and change the orcldasurlbase attribute (location: Entry Management -> cn=OracleContext -> cn=Products -> cn=DAS -> cn=OperationURLs) to the reverse proxy hostname and port, i.e. http://proxy.mycompany.com:7777
8. Update the DCM repository again:
$ dcmctl updateconfig -ct ohs -v -d
9. Restart Oracle HTTP Server and OC4J_Security on the infrastructure tier:
$ opmnctl restartproc process-type=HTTP_Server
$ opmnctl restartproc process-type=OC4J_Security
10. Verify by accessing the DAS and SSO home pages through the reverse proxy hostname and port:
SSO Home URL: http://proxy.mycompany.com:7777/pls/orasso
DAS URL: http://proxy.mycompany.com:7777/oiddas
11. Validate that the login and logout URLs (the Location headers of the redirects as well as the links and form actions on the pages) contain only the reverse proxy hostname and port, and never infra.mycompany.com:7777.
Now, let us reconfigure the OracleAS Middle-Tier to work with the reverse proxy.
1. Re-register mod_osso at the middle tier, so that its osso.conf picks up the SSO server's new login and logout URLs. $ORACLE_HOME here is the middle-tier home, and the mod_osso URL stays the Portal node's own URL because the proxy fronts the infrastructure, not the middle tier:
$ORACLE_HOME/sso/bin/ssoreg.sh \
-site_name mid1012.portal.mycompany.com \
-mod_osso_url http://portal.mycompany.com:7777 \
-config_mod_osso TRUE \
-oracle_home_path $ORACLE_HOME \
-admin_info cn=orcladmin
2. Re-register Portal with the SSO server:
$ ptlconfig -dad portal -pw <portal_schema_password> -sso -host portal.mycompany.com -port 7777
You need to retrieve the Portal schema password to execute the above command.
3. Clear the Portal cache:
a. Stop all middle-tier processes.
b. Delete the contents of the following directories under the middle-tier home:
$ORACLE_HOME/Apache/modplsql/cache/plsql
$ORACLE_HOME/Apache/modplsql/cache/session
c. Start the middle-tier processes.
d. Log in to Portal as the admin user and navigate to the Administration tab.
e. Click the Global Settings link, then the Cache tab.
f. Scroll down and select the Clear the entire Web Cache checkbox.
g. Click Apply, then OK.
4. Refresh the cache of OID parameters in Portal:
a. Log in to Portal as the admin user and navigate to the Administration tab.
b. Click the Global Settings link, then the SSO/OID tab.
c. Scroll down and select the Refresh Cache for OID Parameters checkbox.
d. Click Apply.
e. Verify that the DAS Host Name parameter in the Cache for OID Parameters section shows the reverse proxy hostname and port.
5. Validate the Portal logout link. It should contain the reverse proxy hostname and port only.
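Step 11 of the infrastructure section and step 5 here come down to one check: nothing the browser receives may still name the infrastructure host. The script below is an added example written for this post; it is not part of the original article and not an Oracle tool. It captures a response with curl -i -L, so the Location header of every redirect in the mod_osso/SSO chain is kept together with the final page, and reports any line that mentions infra.mycompany.com, including a percent-encoded occurrence inside a URL parameter. The hostnames are those of the layout above; the two sample transcripts are constructed to show a leaking and a clean result, and the SSO paths and parameters in them are illustrative.

```shell
#!/bin/sh
# Added example for this post (not Oracle's code): reverse-proxy leak check.
# Any mention of the backend hostname in what the browser receives (redirect
# Location headers, form actions, links, even percent-encoded in a parameter)
# defeats the purpose of the proxy, so the check is deliberately broad.

INFRA_HOST="infra.mycompany.com"   # backend listener the proxy is meant to hide
PROXY_HOST="proxy.mycompany.com"   # the only name clients should ever see

# leak_count FILE: number of lines in a captured response that name the backend.
# -F treats the hostname literally (no regex dots), -i covers mixed case.
leak_count() {
    grep -i -c -F "$INFRA_HOST" "$1" || true
}

# check_response FILE: 0 if the transcript is clean and was served via the
# proxy, 1 otherwise (offending lines go to stderr with their line numbers).
check_response() {
    n=$(leak_count "$1")
    if [ "$n" -ne 0 ]; then
        echo "LEAK: $n line(s) in $1 still reference $INFRA_HOST:" >&2
        grep -i -n -F "$INFRA_HOST" "$1" >&2
        return 1
    fi
    if ! grep -i -q -F "$PROXY_HOST" "$1"; then
        echo "WARNING: $PROXY_HOST never appears in $1; was it fetched via the proxy?" >&2
        return 1
    fi
    return 0
}

# fetch_and_check URL: live use against the running system. -i keeps headers,
# -L follows the redirect chain, so every intermediate Location header ends up
# in the transcript. Run it for the SSO home and for the Portal logout link,
# e.g. fetch_and_check http://proxy.mycompany.com:7777/pls/orasso
fetch_and_check() {
    tmp=$(mktemp) || return 1
    curl -s -i -L --max-redirs 10 "$1" > "$tmp"
    check_response "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# --- constructed sample transcripts (offline demonstration) ----------------
BAD=$(mktemp)
GOOD=$(mktemp)
trap 'rm -f "$BAD" "$GOOD"' EXIT

# Leaking setup: redirect, form action and an encoded done-URL all name infra.
cat > "$BAD" <<'EOF'
HTTP/1.1 302 Found
Location: http://infra.mycompany.com:7777/pls/orasso/orasso.wwsso_app_admin.ls_login?site2pstoretoken=constructed

HTTP/1.1 200 OK
Content-Type: text/html

<form action="http://infra.mycompany.com:7777/sso/auth" method="post">
<a href="http://proxy.mycompany.com:7777/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=http%3A%2F%2Finfra.mycompany.com%3A7777%2F">Logout</a>
EOF

# Clean setup: the same flow after the reconfiguration, proxy name everywhere.
cat > "$GOOD" <<'EOF'
HTTP/1.1 302 Found
Location: http://proxy.mycompany.com:7777/pls/orasso/orasso.wwsso_app_admin.ls_login?site2pstoretoken=constructed

HTTP/1.1 200 OK
Content-Type: text/html

<form action="http://proxy.mycompany.com:7777/sso/auth" method="post">
<a href="http://proxy.mycompany.com:7777/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=http%3A%2F%2Fportal.mycompany.com%3A7777%2F">Logout</a>
EOF

if check_response "$BAD" 2>/dev/null; then
    echo "leaking sample passed (unexpected)"
else
    echo "leaking sample: $(leak_count "$BAD") line(s) reference $INFRA_HOST (expected)"
fi
check_response "$GOOD" && echo "clean sample: no reference to $INFRA_HOST"
```

Run fetch_and_check against the SSO home URL and against the logout link copied from a Portal page; a single reported line means one of the earlier steps (ServerName/Port, ssocfg.sh, ssoreg.sh, orcldasurlbase or the Portal caches) has not taken effect yet. The check matches the hostname anywhere in the transcript on purpose: a backend name that is only visible in an encoded parameter is still a leak.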
This completes the setup of a reverse proxy in front of the OracleAS Infrastructure services.