5
Oracle9iAS Middle-tier and Firewall Configuration

In an enterprise deployment of Oracle Portal, it is typical to have a separate Oracle HTTP Server powered for Apache listener serving Login Server request and one for Oracle Portal requests. For performance reasons and connection pooling, it makes sense to configure the Login Server on a separate listener so that it is dedicated to authentication service only.

Architecturally, the Login Server is designed to be a central authentication service. As such, several Partner Applications exist within the enterprise and are hosted on various hosts. These Partner Applications are then configured to share a centralized Login Server.

Specific topics covered include:

• Oracle Portal as a Partner Application

• Configuring Virtual Hosts

• Working with Firewalls and Load Balancers

• Configuring Load Balancing Routers

• Tuning the Oracle HTTP Server

5.1 Oracle Portal as a Partner Application

Oracle Portal is a Partner Application of the Login Server. The following figure illustrates such a configuration. Oracle Portal has a separate listener from the Login Server.

Figure 5-1 Oracle Portal as a Partner Application

Text description of the illustration partner.gif

You can set up Oracle Portal as a Partner Application in the following ways depending on preference, scalability, or manageability factors:

• Associating Oracle Portal to an existing Login Server (that you may not have any control over).

• Configuring a new Oracle Portal installation.

• Oracle Portal and the Login Server are serviced from separate middle-tier servers.

5.1.1 Associating Portal to an Existing Login Server That You Have No Control Over

If you do not have any administrative authority over the Login Server (for example, it is managed by the IT department), then you would associate an Oracle Portal node in the following way:

1. Inform the IT department that you need your Oracle Portal associated with the Login Server. Provide them with the following information:
   • Name of your application (arbitrary)

   • Home page URL

   • Success URL

   • Contact information - name and e-mail address

     Note: The Success URL points to a Web page where the browser is redirected after a successful login. It must correspond to the procedure that processes the user identification information from the Login Server. Your Oracle Portal's Success URL must be the full URL to the wwsec_app_priv.process_signon procedure in your Oracle Portal's schema. For example: http://server.domain.com:5000/pls/DAD/portal.wwsec_app_priv.process_signon

2. Based on this information, the IT department creates a new Partner Application entry on the Login Server for your Oracle Portal and provides you with the following information:
   • Site ID

   • Site Token

   • Encryption Key

3. Associate Oracle Portal to the Login Server by running the ssodatax script and entering the input information provided above. You need to know the following information to run the script:
   • Site ID

   • Site Token

   • Encryption Key

   • URL Prefix of the Login Server

   • Schema Name of the Login Server

Syntax

ssodatax <-i portal_site_id> <-t portal_site_token> <-k encryption_key> <-w 
portal_url> <-l login_server_url> <-s portal_schema> <-p portal_password> 
<-v cookie_version> <-o sso_schema> <-e pstore_schema> <-r pstore_password> 
<-b pstore_dblink> <-c connect_string> <-n ps_connect_string> 

See also: For syntax and parameter descriptions, see Section B.5, "Updating an Existing Portal Instance with the ssodatax Script".

Example (Windows NT/2000)

ssodatax.cmd -i 1234 -t A1B2C3 -k X9Y8Z7 -w 
http://webdbsvr.us.oracle.com:3000/pls/portal30/ -l 
http://webdbsvr.us.oracle.com:3000/pls/portal30_sso/ -s portal30 -p portal30 -v 
v1.1 -o portal30_sso -e portal30_sso_ps -r portal30_sso_ps -b portal30_dblink -c 
orcl -n orcl01 

After running the ssodatax script, your Oracle Portal is associated with the Login Server, each running on a separate listener providing you specified a different host name in the URL prefix for the Oracle Portal and the Login Server (ssodatax parameters -w and -l parameters respectively).

Note: If your Login Server is on a separate database instance, then you also need the Login Server administrator to provide you with the schema name, password, and connect string for the schema that your portal should use to access the Login Server's password store for External Applications. Your portal needs to create this link to support External Application providers which require access to mapped user's passwords to provide the single sign-on. These parameters are passed in the ssodatax script in the -e, -r and -n parameters, respectively. You also have the option of naming the database link with the -b parameter.

5.1.2 Associating Portal to an Existing Login Server That You Have Control Over

If you have full administrative control over the Login Server, then you can perform the association between your Oracle Portal and the Login Server using the ssodatan script, providing that they both reside on the same database instance.

If the database instances are on separate instances, complete the following steps first on your Oracle Portal and then on the Login Server.

These steps are summarized below:

1. Install a standalone Login Server by running the linstall script:

   linstall <-o sso_schema> <-i pstore_password> <-s login_server_url> <-r random_
   seed> <-p sys_password> <-u default_tablespace> <-t temporary_tablespace> <-d 
   document_tablespace> <-l logging_tablespace> <-c connect_string>
   

   See also: For syntax and parameter descriptions, see Section B.3, "Manually Installing a Login Server with the linstall Script".

2. On the Oracle Portal Home Page, click the Administer tab.

3. In the Services portlet, click Login Server Administration.

4. Click Administer Partner Applications.

5. Click Add Partner Application.

6. In the Partner Application Login section, enter the Partner Application's name, the URL to the application's home page, and a success URL.

7. In the Valid Login Timeframe section, enter the dates when users can log on to the application through the Login Server. If you leave the End Date field blank, users can log on to the application indefinitely. In the Application Administrator section, enter an e-mail address and other information for the application's contact person or administrator.

8. Click OK. The new Partner Application appears in the Edit/Delete Partner Application list on the Partner Application page.

9. Run the ssodatax script and enter the input information generated above for your Oracle Portal.

   See also: For syntax and parameter descriptions, see Section B.5, "Updating an Existing Portal Instance with the ssodatax Script".

   After running the ssodatax script, your Oracle Portal is associated with the Login Server. Each one is running on a separate listener, if you specified a different host name in the URL prefix for the Oracle Portal and the Login Server (ssodatax parameters -w and -l parameters respectively).

10. Repeat steps 2-10 on the Login Server.

5.1.3 Login Server Configured with Oracle Internet Directory (OID)

With any of the previously described configurations, you can also use the Oracle Internet Directory as a user repository.

Figure 5-2 Login Server configured with Oracle Internet Directory (OID)

Text description of the illustration lsoid.gif

In this architecture, instead of authenticating the user's credentials against a local table, the Login Server authenticates the user's credentials against an LDAP directory (OID). The Login Server makes LDAP API calls to the configured LDAP directory and authenticates the credentials against the directory.

Such a configuration requires that the Login Server be able to establish LDAP protocol communications between the database instance it resides in with the LDAP directory.

So, depending on the placement of the LDAP directory, the Login Server, and any firewalls, it must be noted that the machine on which the Login Server database schema resides needs to be able to have LDAP protocol access to the LDAP server. The default port for LDAP communication is port 389, however, it is configurable.

See also: Configuring Oracle9iAS Portal for LDAP Authentication at: http://technet.oracle.com/products/iportal. Oracle9iAS Single Sign-On Administrator's Guide included in the Oracle9i Application Server documentation library.

5.2 Configuring Virtual Hosts

The Oracle9i Application Server HTTP server powered by Apache supports the configuration of virtual hosts. This allows a single machine and port to represent a number of virtual hosts. To configure virtual hosts, you must set this up on both Oracle Portal as well as on the Oracle HTTP Server.

In our example, let's assume that we want to access Oracle Portal as http://www.abc.com as well as http://www.xyz.com. Also, let's assume that the Login Server's URL is http://www.login.com.

The steps for configuring virtual hosts are:

1. In <ORACLE_HOME>/Apache/Apache/conf, open and edit the Oracle HTTP Server configuration file, http.conf. Verify that the contents of the file includes the similar information in the Virtual Hosts section:

   ### Section 3: Virtual Hosts
   NameVirtualHost 127.0.0.1
   
   <VirtualHost 127.0.0.1>
       ServerName www.abc.com
   </VirtualHost>
   
   <VirtualHost 127.0.0.1>
       ServerName www.xyz.com
   </VirtualHost>
   
   <VirtualHost 127.0.0.1>
       ServerName www.login.com
   </VirtualHost>
   

   See also: Section A.1.1, "Oracle HTTP Server Configuration File (httpd.conf)"

   This example uses the IP address 127.0.0.1, which represents the local machine. This can be any valid IP address.

   The domain names specified in the ServerName entries need to be valid domain names. If you are setting up Oracle Portal on a local laptop, make the appropriate entries in your local hosts file.

   
   # Copyright (c) 1993-1995 Microsoft Corp.
   #
   # This is a sample HOSTS file used by Microsoft TCP/IP
   # for Windows NT.
   #
   127.0.0.1 localhost
   127.0.0.1 www.abc.com
   127.0.0.1 www.xyz.com
   127.0.0.1 www.login.com
   

   See also: Section 3.1, "Configuring Oracle Portal on a Standalone Laptop"

2. For Single Sign-On on the Login Server to work properly, it must always be referenced by any Partner Application with the same hostname in the URL. This is because cookies are sent back only to the host that generated them. So, in the preceding example, the Login Server must always be referenced as http://www.login.com.

   Thus, you must register www.abc.com, www.xyz.com, and www.login.com as Partner Applications.

   1. Log on to the Login Server directly as an administrator with Full Privileges on the Login Server.

   2. Add a Partner Application entry for www.abc.com.

   3. Add a Partner Application for www.xyz.com.

   4. Add a Partner Application for the Login Server, www.login.com.

   5. Run the ssodatax script to create configuration entries on the Oracle Portal for each of these entry points.

      After running the ssodatax script for each of the Partner Applications, the aliases should be correctly configured.

      See also: Section B.5, "Updating an Existing Portal Instance with the ssodatax Script"

5.3 Parallel Page Engine Configuration

The Oracle Portal architecture is designed around a three-tier architecture that allows any browser to connect to it. This flexible architecture allows each component (browser, Oracle HTTP Server listener, Oracle8i database, and Oracle Portal) to be upgraded individually as required.

5.3.1 Configuring Parallel Page Engine Parameters

When a page is requested from Oracle Portal, the request is made from the browser to the Oracle HTTP Server listener. The returned page is comprised of many types of portlets. A portlet is an area on a portal page that contains data from a particular data source.

The Parallel Page Engine obtains the page metadata from the Portal Repository and is responsible for assembling the portlets on the page. You can tune the Parallel Page Engine for better performance by adding any of the following optional parameters in the zone.properties file.

See also: Section A.1.2, "JServ Configuration File (zone.properties)"

Table 5-1 Parallel Page Engine (PPE) parameters

Parameter	Description
logpath=<PATH>	Instructs the Parallel Page Engine on where to log messages during execution. The default is the JServ log path.
logmode=<debug>	Enables the Parallel Page Engine to run in debug mode. If this value is not set, the Parallel Page Engine runs in normal mode.
showError=<TRUE/FALSE>	Enables and disables the display of error messages in the Oracle Portal user interface. The default is TRUE.
poolSize=<some number>	Defines the total number of parallel fetchers to use in the page execution. The default is 25.
stall=<duration in sec>	Specifies the maximum amount of time, in seconds, that a fetcher should wait for a request to complete. The default is 120 seconds.
requesttime=<duration in sec>	Specifies the maximum amount of time, in seconds, that a fetcher should wait for an individual request to respond. Once a request starts responding, the fetcher waits for the rest of the data until the time specified by stall. The default is 40 seconds.
httpsports=<port1>:<port2>:...<portn>	Specifies which ports are configured for HTTPS.
prefix=<PLSQL prefix like /pls>	Contains the PL/SQL prefix path value. The default is /pls.
offlinePath=</path/offlinefile>	Allows you to take Oracle Portal offline for maintenance. The contents of the offline file are sent to all page requests.
proxyHost=<hostname>	Defines the host to use for requests which need to go through a proxy server.
proxyPort=<proxyPort>	Specifies the port to use for requests which need to go through a proxy server.
proxyIgnore=<domain1>&<domain2>&. . .<domainn>	Specifies those domains you want ignored for the proxy settings. According to the HTTP 1.1 standard, domains are required to start with a ".". For example, .oracle.com is valid, oracle.com is not.
useScheme=<http / https>	Forces the Parallel Page Engine to use the protocol specified on this line.
usePort=<port number>	Forces the Parallel Page Engine to always use the specified port number for all requests.
cacheBuffer	Specifies the size of the memory buffer to use to return a cached page from the middle tier. Set this value as close as possible to the actual byte size of a complete page. If the value is set too small multiple reads are performed to the disk. (This can be inefficient.) The default is 32768 bytes.

See also: Page Generation and Assembly Scalability in Oracle9iAS Portal at: http://technet.oracle.com/products/iportal.

5.4 Working with Firewalls and Load Balancers

Once Oracle Portal is deployed for access over the Internet, there are typically other network devices that may complicate the configuration such as firewalls, reverse proxies, server farms, and so on.

5.4.1 Configuring Reverse Proxy Servers Over the Internet

A reverse proxy server is a host process which is used as part of a firewall architecture to isolate the internal hosts from the externally accessible host(s) by providing a proxy through which external requests must pass to access internal services. Typically, such a proxy server takes the form of a dual-homed host. This means that it is a host with two network interface cards. One interface connects to the external network, and the other interface connects to the internal network, or demilitarized zone (DMZ) of the firewall.

Figure 5-3 Internet configuration with reverse proxy server

Text description of the illustration proxy.gif

In this architecture, the browser accesses the server through a hostname which is published by the proxy server. The proxy server then forwards the request to the actual host within the firewall, which could be some other host name.

For this example, let's assume the following:

• The published address is www.myportal.com

• Internal to the firewall, the server name for the Oracle9i Application Server middle-tier is actually server.company.com.

• Externally, the server is addressed with the default port 80; however, internally, the server.company.com is listening on port 7777.

  Note: This configuration is only possible with Oracle Portal version 3.0.7 and above. Prior to 3.0.7, Oracle Portal was not using the ServerName specified by the Oracle HTTP Server powered by Apache configuration. Instead, it was using the Host value in the HTTP request. Thus, you could not control the generation of self-referential URLs.

Complete these steps to configure Oracle Portal for this architecture:

1. Define configuration settings that allow the Oracle9i Application Server middle-tier to listen on port 7777, but assert to the server that it is using port 80.

2. Create VirtualHost entries that accept the internal host name, but then assert the externally visible host name, using the ServerName directive, so that self-referential URLs rendered on the Oracle Portal pages are valid for the browser.

3. Edit the hosts file on the internal middle-tier servers to define the IP addresses for the ServerNames asserted above, so that they can resolve the hostnames that are generated by Oracle Portal, for HTTP calls looping back to fetch portlet content.

   See also: Section A.1.7, "Local HOSTS File"

4. Run the ssodatan or ssodatax script(s), as appropriate, using the externally published server names; for example, www.myportal.com

   See also: Section B.4, "Configuring a New Oracle Portal Instance and Login Server with the ssodatan Script" Section B.5, "Updating an Existing Portal Instance with the ssodatax Script"

5. Register the www.myportal.com domain name on a domain name server on the Internet, with IP address 196.12.67.8.

   Note: The IP addresses used in this example are for illustration purposes only and may not be valid IP addresses.

The following figure shows the server names and ports used in the preceding example:

Figure 5-4 Example of reverse proxy server configuration

Text description of the illustration proxyeg.gif

5.4.2 Configuring Oracle HTTP Server

You provide directives in the Oracle HTTP Server configuration file, httpd.conf, which specify the behavior described in the points above. The reverse proxy server contacts the internal middle-tier server as server.company.com over port 7777.

When the Oracle HTTP Server invokes the PL/SQL Gateway (mod_plsql), and mod_jserv, it then passes www.myportal.com as the ServerName and port 80. URLs that are generated by Oracle Portal code use www.myportal.com and port 80.

The directive "useCanonicalName on" instructs Apache to use the ServerName specified. Otherwise, it passes the name used in the Host field of the request.

The relevant sections in the httpd.conf file for the server.company.com Oracle9i Application Server configuration are shown in the following.

### Section 2: 'Main' server configuration
...
Port 80
Listen 7777
Listen 80

ServerName www.myportal.com
...
UseCanonicalName On
...
### Section 3: Virtual Hosts
#
# VirtualHost: If you want to maintain multiple domains/hostnames on 
# your machine you can setup VirtualHost containers for them.
#
# If you want to use name-based virtual hosts you need to define at
# least one IP address (and port number) for them.
#

# This section is mandatory for URLs that are generated by
# the PL/SQL packages of the Oracle Portal
# These entries dictate that the server should listen on port
# 7777, but will assert that it is using port 80, so that
# self-referential URLs generated specify www.myportal.com:80
# This will create URLs that are valid for the browser since
# the browser does not directly see the host server.company.com.
NameVirtualHost 123.45.67.8:7777

<VirtualHost server.company.com:7777>
ServerName www.myportal.com
Port 80
</VirtualHost>

# Since the previous virtual host entry will cause all links 
# generated by the Oracle Portal to use port 80, the server.company.com
# server needs to listen on 80 as well since the Parallel Page
# Engine will make connection requests to Port 80 to request the
# portlets.

NameVirtualHost 123.45.67.8:80

<VirtualHost server.company.com:80>
ServerName www.myportal.com
Port 80
</VirtualHost>

If you need to support multiple aliases for the published address www.myportal.com, then some additional directives are needed. For example, if the server also needs to be accessible as www.portal.com, then you need to define additional virtual host entries on the internal server. This is so the reverse proxy directs requests from each corresponding published hostname to a related internal host alias which can assert the correct published name.

In this example, the VirtualHost sections appear as follows:

NameVirtualHost 123.45.67.8:7777

<VirtualHost server.company.com:7777>
ServerName www.myportal.com
Port 80
</VirtualHost>

<VirtualHost server2.company.com:7777>
ServerName www.portal.com
Port 80
</VirtualHost>

NameVirtualHost 123.45.67.8:80

<VirtualHost server.company.com:80>
ServerName www.myportal.com
Port 80
</VirtualHost>

<VirtualHost server2.company.com:80>
ServerName www.portal.com
Port 80
</VirtualHost>

5.4.3 Resolving Domain Names

A local HOSTS file can help resolve domain names that are not normally visible to the internal network. For example, the Oracle9i Application Server host for server.company.com makes requests to itself, but the URLs that it is requesting are referring to www.myportal.com. You must create host entries in the local HOSTS file on that machine allowing it to resolve this name, within the firewall. The hosts entry for this example should include the following lines:

# This is a sample HOSTS file used by Microsoft TCP/IP
# for Windows NT.
#
127.0.0.1    localhost
123.45.67.8  www.myportal.com

If you do not provide these entries in the local HOSTS file, then you need to set the Oracle9i Application Server host to recognize a proxy server that would take the request out to the Internet and back in through the reverse proxy (www.myportal.com). Avoid this setup as this may result in poor performance.

Note: On some platforms, such as HP, there is a file which indicates the search order that should be applied to the sources for IP name mapping. For the preceding example to work, if such a file exists on your platform, make sure that it specifies the local hosts file to be checked for IP mapping, before any DNS servers.

5.5 Configuring Load Balancing Routers

The purpose of a Load Balancing Router (LBR) is to provide a single published address to the client browsers, and provide a "farm" of Web servers which actually service the requests, based on the distribution of the requests done by the LBR. The LBR itself is a very fast network device which can distribute Web requests to a large number of physical servers.

If you want to install multiple Oracle9i Application Server middle-tier servers to handle a large load, you could configure Oracle Portal as illustrated in the following diagram:

Figure 5-5 Load balancing router configuration

Text description of the illustration load.gif

This example shows that each of the servers can handle requests for either the Login Server or Oracle Portal. Each of the middle-tier servers must have DAD entries for each of the databases. A good way to accomplish this is to have the middle-tier servers share a file system that contains the configuration information for the DADs, and allows them to share cache files.

The important points to consider with this configuration include:

• The Internet DNS maps the name www.myportal.com to the external IP address on the LBR.

• The LBR performs load balancing of requests to www.myportal.com to svr1.company.com, svr2.company.com, and svr3.company.com, addressing the request to their IP addresses, but still containing www.myportal.com in the Host: field of the HTTP request.

• Each of the middle-tier hosts accepts requests to www.myportal.com, and their httpd.conf files assert that name as the ServerName. Hence the names svr1, svr2, and so on are irrelevant.

• The local hosts files on svr1, svr2, and svr3 contain the entry www.myportal.com, each pointing to its own IP address.

• Unless your LBR does port mapping, you should configure the internal servers to use the same ports as the LBR.

• Optimal cache utilization can be realized by mounting a shared file system on which to write the cache files. If you decide not to have the middle-tier servers share a cache directory, caching will still work, but with a lower hit ratio.

5.5.1 Placing a Firewall Between the Middle-tier and the Database

It is fairly typical to have a firewall with a SQL*Net proxy between the application server and the database for Oracle installations. Keep in mind though that the Oracle Portal architecture requires HTTP connects from the database to the middle-tier servers, for example, when the Oracle Portal makes an HTTP request to the Login Server to get the list of external applications. Or, when the Oracle Portal repository makes an HTTP request to a particular provider which may be a Web provider, potentially outside the Intranet firewall. Keep this communication path in mind when planning where firewalls should go and what traffic should be allowed through them.

You need to allow HTTP traffic to pass on the ports that are being used, through any firewall set up between the middle-tier and the database on which the Oracle Portal code resides.

Similarly, if the Login Server is setup for LDAP authentication, then LDAP traffic must be allowed to reach the LDAP server. The LDAP calls are made from the Login Server database instance.

See also: Section 5.5.1, "Placing a Firewall Between the Middle-tier and the Database"

5.6 Tuning the Oracle HTTP Server

However you choose to configure the Oracle HTTP Server powered by Apache listener, you can optimize performance by setting an approximate number of simultaneous requests that can be handled by the Apache listener.

On UNIX, in particular, since Apache is process-based, each process needs to open a database connection for each DAD that has requested it. As a result, the number of requests can be quite high, which may result in clients being "locked out" if the number of sessions allowable has been exceeded. However, setting too high of a value unnecessarily consumes resources.

The scenario is described below:

1. For every service request from an Oracle Portal DAD, there is one network connection and two sessions (the two sessions use the same physical connection).

   The first session is for "portal30" and the second is for "portal30_public".

2. If you are logging into Oracle Portal, then you'll need to open a connection for the Login Server DAD (SSO DAD). This will consume one network connection and two sessions.

   In this case, the first session is for "portal30_sso" and the second session is for "portal30_sso_public".

3. The Apache configuration setting that determines the maximum number of requests being handled simultaneously is named MaxClients. It defaults to 150.

   If each user were logging in and working in Oracle Portal, then scenario (1) and (2) above would result in four sessions per process. The total number of sessions for such a scenario is calculated as follows:

   150 * 4 = 600 
   
   

   600 sessions and approximately 300 database connections (2 sessions per connection)

5.6.1 Configuring the MaxClient Setting

Since login frequency is generally lower than Oracle Portal access frequency, it makes sense to configure the Login Server on a separate Oracle HTTP Server powered by Apache listener. The objective is to tune down the MaxClient setting to a value that is reasonable without affecting the needs of the portal system.

Oracle Portal makes extensive use of Apache mod_plsql which maintains a pool of connections to the database. The MaxClient parameter tunes the number of Apache processes which directly relates to the number of database connections pooled by mod_plsql.

Note: For more information, see Using the PL/SQL Gateway which is provided as part of the Oracle9i Application Server documentation set.

1. For the Login Server's listener, once you've determined the approximate value to set for the MaxClients parameter, edit this accordingly in the Apache configuration file, httpd.conf, which is located in:

   <ORACLE_HOME>/Apache/Apache/conf/
   
   

   Tune down the MaxClients setting to control the number of requests that Apache services on the Apache listener. This ultimately controls the maximum number of sessions that could be established.

2. For the Oracle Portal listener, you can separately tune the MaxClients parameter according to the needs of the Login Server and the needs of Oracle Portal, without affecting each other. This parameter directly corresponds to the number of sessions established and to the maximum workload that the Apache listener can handle on the Portal listener.

   The MaxClients section in the httpd.conf file is shown below:

   # Limit on total number of servers running, i.e., limit on the number
   # of clients who can simultaneously connect --- if this limit is ever
   # reached, clients will be LOCKED OUT, so it should NOT BE SET TOO LOW.
   # It is intended mainly as a brake to keep a runaway server from taking
   # the system with it as it spirals down...
   #
   MaxClients 150
   
   

   Notes: If you tune separately, you will have a separate listener for Oracle Portal and the Login Server. The former controlling the resources (sessions) on the portal database and the latter controlling the resources on the Login Server database. The number of sessions and connections that the database permits is limited by the value set in the Oracle8i database's init.ora. Refer to the Oracle8i database documentation library for more information.