Skip Headers
Oracle® Fusion Middleware Administrator's Guide for Oracle HTTP Server
11g Release 1 (11.1.1)

Part Number E10144-08
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

E OHS Module Directives

This appendix describes the directives available in the Oracle-developed modules supported by OHS. It contains these sections:

Note:

The directives described in this appendix are only for modules developed by Oracle. OHS also includes many Apache HTTP Server and third-party modules out-of-the-box. See "Apache HTTP Server and Third-party Modules in Oracle HTTP Server" in Chapter 3 for a list of these modules and a link to their documentation.

E.1 mod_certheaders

mod_certheaders accepts the following directives:

E.1.1 AddCertHeader

Specifies which headers should be translated to CGI environment variables. This can be achieved by using the AddCertHeader directive. This directive takes a single argument, which is the CGI environment variable that should be populated from a HTTP header on incoming requests. For example, to populate the SSL_CLIENT_CERT CGI environment variable. AddCertHeader is generally used for Web cache in front of OHS.

Category Value

Syntax

AddCertHeader environment_variable

Example

AddCertHeader SSL_CLIENT_CERT

Default

None


Note:

If a simulated SSL connection needs to be passed to WebLogic Server, AddCertHeader can be used with mod_wl_ohs as well. That module's directive, WLProxySSLPassThrough, ensures that the certificate is passed to the backend (irrespective of the real or simulated SSL connection).

E.1.2 SimulateHttps

mod_certheaders can be used to instruct Oracle HTTP Server to treat certain requests as if they were received through HTTPS even though they were received through HTTP. This is useful when Oracle HTTP Server is front-ended by a reverse proxy or load balancer, which acts as a termination point for SSL requests, and forwards the requests to Oracle HTTP Server through HTTPS. and SimulateHttps is used for load balancer type of devices.

Category Value

Syntax

SimulateHttps on|off

Example

SimulateHttps on

Default

off


E.2 mod_onsint

mod_certheaders accepts the OpmnHostPort directive.

E.2.1 OpmnHostPort

This directive enables you to specify a hostname and port that OPMN should use for pinging the Oracle HTTP Server instance that mod_onsint is running in. If OpmnHostPort is not specified, mod_onsint chooses an HTTP port automatically. However, in certain circumstances, you may want to choose a specific HTTP port and hostname that OPMN should use to ping the listener with.

Category Value

Syntax

OpmnHostPort host:Port

Example

OpmnHostPort localhost:7778

Default

None


E.3 mod_oradav

mod_oradav accepts the following directives:

E.3.1 ORAAllowIndexDetails

In an Oracle HTTP Server environment that is not OraDAV-enabled, mod_dav does not respond to HTTP GET requests. Instead, normal Oracle HTTP Server mechanisms are used to respond to GET requests.

The ORAAllowIndexDetails parameter controls how OraDAV responds when a GET request is performed on a DAV collection and no index.html file is found in the directory. In a typical Oracle HTTP Server environment, a separate module takes control, automatically generating and returning to the client HTML that represents an "index" of the resources (files) in that collection.

Category Value

Syntax

ORAAllowIndexDetails true | false

Example

ORAAllowIndexDetails true

Default

false


E.3.2 ORAAltPassword

Specifies the password for the user specified by the ORAUser parameter. The OraAltPassword uses a base-64 encoded character string. This parameter provides an alternative if you do not want the password to appear in unencoded plain text with the ORAUser parameter. If the ORAPassword parameter is not specified, this value is used for the password.

Category Value

Syntax

ORAAltPassword password

Example

ORAAltPassword myPassword

Default

None


E.3.3 ORACacheDirectory

Specifies the directory to use for disk caching operations, per these requirements:

  • The specified directory must exist and be readable by Oracle HTTP Server, but cannot be visible to normal GET requests. If the directory is visible to normal GET requests, security measures could be bypassed by users accessing the cache directory.

  • The directory should be located on a file system that supports a last accessed time. On Microsoft Windows systems, this means using NTFS, not FAT, formatted partitions.

  • You cannot use the cache directory for anything other than caching. Any files in the cache directory are subject to deletion.

If you use the ORACacheDirectory parameter, you must also use the ORACacheTotalSize parameter.

Category Value

Syntax

ORACacheDirectory directoryName

Example

ORACacheDirectory

Default

If not used, disk caching is not performed for OraDAV operations


E.3.4 ORACacheMaxResourceSize

Specifies the maximum cacheable resource size for disk caching operations. You can specify kilobytes (KB) or megabytes (MB) after an integer. If you do not specify a unit after the integer, then the default unit is bytes.

This parameter enables Web administrators to prevent large media files from dominating the cache. The performance benefit of caching a large file is greater than from caching a small file.

Category Value

Syntax

ORACacheMaxResourceSize nnKB|MB

Example

ORACacheMaxResourceSize 1024KB

Default

None


E.3.5 ORACachePrunePercent

Specifies the percentage of disk cache usage to be freed when the cache is full. When the disk cache is full, the oldest files in the cache are deleted until the cache disk usage is reduced by the ORACachePrunePercent value.

Category Value

Syntax

ORACachePrunePercent nn

Example

ORACachePrunePercent 40

Default

25


E.3.6 ORACacheTotalSize

Specifies the size of the cache to use for disk caching operations. You can specify MB (for megabytes) or GB (for gigabytes) after an integer. If you do not specify a unit after the integer, the default unit is bytes.

If you use the ORACacheDirectory parameter, you must also use the ORACacheTotalSize parameter.

The ORACacheTotalSize value should be large enough to hold either a significant amount of your Web site, or all of the most frequently accessed files plus 25 percent more space. If the value is too small, overall performance degrades because of the extra work of writing BLOB data to the file system and deleting files to make room for newer cache requests.

The actual space utilized by the disk cache might sometimes exceed the ORACacheTotalSize value, possibly by as much as the ORACacheMaxResourceSize value. You should also be aware of file system block size issues that could cause the cache to use more disk space than the ORACacheTotalSize value.

Category Value

Syntax

DAVParam ORACacheTotalSize nnMB|GB

Example

DAVParam ORACacheTotalSize 1GB

Default

None


E.3.7 ORAConnect

Specifies the Oracle database to connect to. The ORAConnect parameter lets you connect to a database that is not included in the tnsnames.ora file. The value must use the following format:

To connect to an Oracle database, you must specify one, and no more than one, of the parameters ORAConnect, ORAConnectSN, or ORAService. To connect to a database included in the tnsnames.ora file, use the ORAService parameter.

Category Value

Syntax

ORAConnect database_host:database_port:database_sid

Example

ORAConnect my-pc.example.com:1521:mysid

Default

None


E.3.8 ORAConnectSN

Specifies the Oracle database to connect to. The ORAConnectSN parameter lets you connect to a database that is not included in the tnsnames.ora file. The value for this parameter is a character string.The value must use the following format:

To connect to an Oracle database, you must specify one, and no more than one, of the parameters ORAConnect, or ORAService. To connect to a database included in the tnsnames.ora file, use the ORAService parameter.

Category Value

Syntax

ORAConnectSN database-host:database-port:database-service-name

Example

ORAConnectSN my-pc.example.com:1521:mysid

Default

None


E.3.9 ORAContainerName

Within the database user (schema) specified by the ORAUser parameter, there must exist a container, which is a set of PL/SQ packages and database tables that allow the storage of files in the database within a hierarchical structure. The ORAContainerName parameter specifies the name of the container to use for the location. The value for this parameter is a character string, up to 20 characters. For example, <Location/project1>.

Category Value

Syntax

ORAContainerName Location/project1

Example

ORAContainerName

Default

None


E.3.10 ORAException

Writes PL/SQL stack dumps in the Oracle HTTP Server log file, error_log, in the event of an exception in the PL/SQL package.

Category Value

Syntax

ORAException RAISE|NORAISE

Example

ORAException RAISE

Default

NORAISE


Note:

Although this parameter is useful for debugging purposes, it can use a large amount of disk space and can slow the performance of your system.

E.3.11 ORAGetSource

Specifies one or more file extensions to identify types of files that are not to be run, but rather opened for editing. This allows you to open files for editing that are usually run as a result of a GET operation. When entering filetypes, include dot separators (.) and use a comma to separate file extensions. The value for this parameter is enclosed within double quotation marks. For example:

".htm, .html, .jsp1, .jsp2"

This directive applies only to file system access.

Category Value

Syntax

ORAGetSource ".type[, .type, .type, .type]"

Example

ORAGetSource ".htm, .html, .jsp1, .jsp2"

Default

.JSP .SQLJSP


Note:

The .jsp and .sqljsp files are by default opened for editing; you do not need to specify them in the ORAGetSource parameter.

E.3.12 ORALockExpirationPad

Intended to be used in high-latency network environments to adjust the refresh lock behavior in Microsoft Office. Microsoft Office attempts to refresh locks on DAV resources just before the lock is set to expire. If the Microsoft Office client and the DAV server experience network congestion between the refresh, the request might arrive after the lock has expired.

OraDAV periodically looks for locks on resources that have expired and deletes those locks. The ORALockExpirationPad parameter can be used to provide some additional time between when a lock expires and when that lock is deleted. For example, if ORALockExpirationPad is set to 120, OraDAV does not actually delete locks for at least two minutes after the expiration time.

Category Value

Syntax

ORALockExpirationPad nn

Example

ORALockExpirationPad 90

Default

0


E.3.13 ORAPackageName

Identifies the OraDAV driver implementation that is to be called when issuing OraDAV commands. The default is the OraDAV driver, which is the ORDSYS.DAV_API_DRIVER package.

Category Value

Syntax

ORAPackageName name

Example

ORAPackageName

Default

The OraDAV driver


E.3.14 ORAPassword

Specifies the password for the user specified by the ORAUser parameter.

If you do not want to specify the password as an unencoded text string with the ORAPassword parameter, you can specify the password as a base-64 encoded string with the ORAAltPassword parameter.

Category Value

Syntax

ORAPassword password

Example

ORAPassword myPassword

Default

None


E.3.15 ORARootPrefix

Specifies the directory within the database repository to use as the root. If this parameter is specified, WebDAV clients see this directory as the root and are not be able to see the repository directories that lead up to it. Do not include a trailing slash (/) in the value.

WebDAV clients can view the /third directory and can navigate to the /third/fourth directory, but will not be able to view or navigate to the /first or /first/second directories.

Category Value

Syntax

ORARootPrefix /dirName1[/dirName1/dirName1/dirName1]

Example

ORARootPrefix /first/second

Default

None


E.3.16 ORAService

Specifies the Oracle database to connect to. The specified value must match a SID value in the tnsnames.ora file.

To connect to an Oracle database, you must specify one, and no more than one, of the parameters ORAConnect, ORAConnectSN, or ORAService. To connect to a database that is not included in the tnsnames.ora file, use the ORAConnect or ORAConnectSN parameter.

Category Value

Syntax

ORAService databaseName

Example

ORAService

Default

None


E.3.17 ORATraceEvents

Specifies the types of events to be recorded in the Oracle HTTP Server error log for debugging. The value for this parameter is one of the following:

  • getsource: traces GET activity against the file system

  • hreftoutf8: traces the HREF conversion from the native character set to UTF-8

  • request: traces DAV requests, responses, and status values handled by mod_oradav

Category Value

Syntax

ORATraceEvents getsource | hreftoutf8 | request

Example

ORATraceEvents getsource

Default

None


Note:

Although this parameter is useful for debugging purposes, it can use a large amount of disk space and can slow the performance of your system.

E.3.18 ORATraceLevel

Specifies the level of debugging (trace statements) that will be entered in the Oracle HTTP Server error log. The lowest level is 0 (the default), which performs no tracing. The highest level is 4, which performs maximum tracing. The value for this parameter is an integer between 0 and 4.

The higher the number for the debugging level, the more information is written to the error log file.

Category Value

Syntax

ORATraceLevel 0 | 1 | 2 | 3 | 4

Example

ORATraceLevel 2

Default

0


Note:

Although setting this parameter to a high number is useful for debugging purposes, it can use a large amount of disk space and can slow the performance of your system.

E.3.19 ORAUser

Specifies the database user (schema) to use when connecting to the service specified by the ORAConnect, ORAConnectSN, or ORAService parameter.

This user must have the following privileges:

  • CONNECT

  • RESOURCE

  • CREATE TABLESPACE

  • DROP TABLESPACE

  • CREATE ANY TRIGGER

Category Value

Syntax

ORAUser

Example

ORAUser

Default

None


E.4 mod_ossl

To configure SSL for your Oracle HTTP Server, enter the mod_ossl directives you want to use in the httpd.conf file.

The following directives are described in subsequent sections:

E.4.1 SSLAccelerator

Specifies if SSL accelerator is used. Currently only nFast card is supported.

Category Value

Syntax

SSLAccelerator yes|no

Example

SSLAccelerator yes

Default

SSLAccelerator no


Note:

The SSLAccelerator directive has been deprecated. For information on enabling SSL acceleration support using a wallet, refer to the Oracle Advanced Security Administrator's Guide on http://www.oracle.com/technology/documentation.

E.4.2 SSLCARevocationFile

Specifies the file where you can assemble the Certificate Revocation Lists (CRLs) from CAs (Certificate Authorities) that you accept certificates from. These are used for client authentication. Such a file is the concatenation of various PEM-encoded CRL files in order of preference. This directive can be used alternatively or additionally to SSLCARevocationPath.

Category Value

Syntax

SSLCARevocationFile file_name

Example

SSLCARevocationFile /ORACLE_HOME/Apache/Apache/conf/ssl.crl/ca_bundle.crl

Default

None


E.4.3 SSLCARevocationPath

Specifies the directory where PEM-encoded Certificate Revocation Lists (CRLs) are stored. These CRLs come from the CAs (Certificate Authorities) that you accept certificates from. If a client attempts to authenticate itself with a certificate that is on one of these CRLs, then the certificate is revoked and the client cannot authenticate itself with your server.

Category Value

Syntax

SSLCARevocationPath path/to/CRL_directory/

Example

SSLCARevocationPath /ORACLE_HOME/Apache/Apache/conf/ssl.crl/

Default

None


E.4.4 SSLCipherSuite

Specifies the SSL cipher suite that the client can use during the SSL handshake. This directive uses a colon-separated cipher specification string to identify the cipher suite. Table 11–2 shows the tags you can use in the string to describe the cipher suite you want. SSLCipherSuite accepts the following values:

  • none: Adds the cipher to the list

  • + : Adds the cipher to the list and place it in the correct location in the list

  • - : Remove the cipher from the list (can be added later)

  • ! : Remove the cipher from the list permanently

Tags are joined together with prefixes to form a cipher specification string. Cipher suite tags are listed in Table E-1 and Table E-2.

Category Value

Example

SSLCipherSuite ALL:!LOW:!DH

In this example, all ciphers are specified except low strength ciphers and those using the Diffie-Hellman key negotiation algorithm.

Syntax

SSLCipherSuite cipher-spec

Default

ALL:!ADH:!EXPORT56:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP


Table E-1 SSLCipher Suite Tags

Function Tag Meaning

Key exchange

kRSA

RSA key exchange

Key exchange

kDHr

Diffie-Hellman key exchange with RSA key

Authentication

aNULL

No authentication

Authentication

aRSA

RSA authentication

Authentication

aDH

Diffie-Hellman authentication

Encryption

eNULL

No encryption

Encryption

DES

DES encoding

Encryption

3DES

Triple DES encoding

Encryption

RC4

RC4 encoding

Data Integrity

MD5

MD5 hash function

Data Integrity

SHA

SHA hash function

Aliases

SSLv3

All SSL version 3.0 ciphers

Aliases

EXP

All export ciphers

Aliases

EXP40

All 40-bit export ciphers only

Aliases

EXP56

All 56-bit export ciphers only

Aliases

LOW

All low strength ciphers (export and single DES)

Aliases

MEDIUM

All ciphers with 128-bit encryption

Aliases

HIGH

All ciphers using triple DES

Aliases

RSA

All ciphers using RSA key exchange

Aliases

DH

All ciphers using Diffie-Hellman key exchange


Note:

There are restrictions if export versions of browsers are used. Oracle module, mod_ossl, supports RC4-40 encryption only when the server uses 512 bit key size wallets.

Table E-2 Cipher Suites Supported in Oracle Advanced Security 10i

Cipher Suite Authentication Encryption Data Integrity

SSL_RSA_WITH_3DES_EDE_CBC_SHA

RSA

3DES (168)

SHA

SSL_RSA_WITH_RC4_128_SHA

RSA

RC4 (128)

SHA

SSL_RSA_WITH_RC4_128_MD5

RSA

RC4 (128)

MD5

SSL_RSA_WITH_DES_CBC_SHA

RSA

DES (56)

SHA

SSL_DH_anon_WITH_3DES_EDE_CBC_SHA

DH anon

3DES (168)

SHA

SSL_DH_anon_WITH_RC4_128_MD5

DH anon

RC4 (128)

MD5

SSL_DH_anon_WITH_DES_CBC_SHA

DH anon

DES (56)

SHA

SSL_RSA_EXPORT_WITH_RC4_40_MD5

RSA

RC4 (40)

MD5

SSL_RSA_EXPORT_WITH_DES40_CBC_SHA

RSA

DES40 (40)

SHA

SSL_RSA_WITH_AES_128_CBC_SHA

RSA

AES (128)

SHA

SSL_RSA_WITH_AES_256_CBC_SHA

RSA

AES (256)

SHA

SSL_DHE_DSS_EXPORT_WITH_DES40_CBS_SHA

DH DSS

DES (40)

SHA

SSL_DHE_DSS_WITH_DES_CBC_SHA

DH DSS

DES (50)

SHA

SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA

DH DSS

3DES (168)

SHA

SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA

DH RSA

DES (40)

SHA

SSL_DHE_RSA_WITH_DES_CBC_SHA

DH RSA

DES (56)

SHA

SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA

DH RSA

3DES (168)

SHA

SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA

DH DSS

DES (40)

SHA

SSL_DHE_DSS_WITH_RC4_128_SHA

DH DSS

RC4 (128)

SHA

SSL_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA

DH DSS

RC4 (56)

SHA


E.4.5 SSLEngine

Toggles the usage of the SSL Protocol Engine. This is usually used inside a <VirtualHost> section to enable SSL for a particular virtual host. By default, the SSL Protocol Engine is disabled for both the main server and all configured virtual hosts. Example 11–1 is an example for using SSLEngine directive. The default SSL is 4443 on UNIX and 443 on Windows.

Category Value

Syntax

SSLEngine on|off

Example

SSLEngine on

Default

off


E.4.6 SSLLog

Specifies where the SSL engine log file will be written. (Error messages will also be duplicated to the standard Oracle HTTP Server log file specified by the ErrorLog directive.)

Place this file at a location where only root can write, so that it cannot be used for symlink attacks. If the filename does not begin with a slash (/), it is assumed to be relative to the ServerRoot. If the filename begins with a bar (|), then the string following the bar is expected to be a path to an executable program to which a reliable pipe can be established.

This directive should occur only once per virtual server configuration.

Category Value

Syntax

SSLLog path/to/file

Example

SSLLog

Default

None


E.4.7 SSLLogLevel

Specifies the verbosity degree of the SSL engine log file. The degrees, or levels, are (in ascending order, where each level is included in the levels preceding it):

  • none: No dedicated SSL logging is done. Messages of type 'error' are duplicated to the standard HTTP server log file specified by the ErrorLog directive.

  • error: Only messages of the type 'error' (conditions that stop processing) are logged.

  • warn: Messages that notify of non-fatal problems (conditions that do not stop processing) are logged.

  • info: Messages that summarize major processing actions are logged.

  • trace: Messages that summarize minor processing actions are logged.

  • debug: Messages that summarize development and low-level I/O operations are logged.

Category Value

Syntax

SSLLogLevel none | error | warn | info | trace | debug

Example

SSLLogLevel error

Default

None


E.4.8 SSLMutex

Type of semaphore (lock) for SSL engine's mutual exclusion of operations that have to be synchronized between Oracle HTTP Server processes. Accepted values are:

  • none: Uses no mutex at all. Not recommended, because the mutex synchronizes the write access to the SSL session cache. If you do not configure a mutex, the session cache can become garbled.

  • file:path/to/mutex: Uses a file for locking. The process ID (PID) of the Oracle HTTP Server parent process is appended to the filename to ensure uniqueness. If the filename does not begin with a slash (/), it is assumed to be relative to ServerRoot. This setting is not available on Windows.

  • sem: Uses an operating system semaphore to synchronize writes. On UNIX, it would be a Sys V IPC semaphore; on Windows, it is a Windows Mutex. This is the best choice, if the operating system supports it.

Category Value

Syntax

SSLMutex none | file | sem

Example

SSLMutex file:/usr/local/apache/logs/ssl_mutex

Default

None


E.4.9 SSLOptions

Controls various runtime options on a per-directory basis. In general, if multiple options apply to a directory, the most comprehensive option is applied (options are not merged). However, if all of the options in an SSLOptions directive are preceded by a plus ('+') or minus ('-') symbol, then the options are merged. Options preceded by a plus are added to the options currently in force, and options preceded by a minus are removed from the options currently in force.

Accepted values are:

  • StdEnvVars: Creates the standard set of CGI/SSI environment variables that are related to SSL. This is disabled by default because the extraction operation uses a lot of CPU time and usually has no application when serving static content. Typically, you only enable this for CGI/SSI requests.

  • ExportCertData: Enables the following additional CGI/SSI variables:

    SSL_SERVER_CERT

    SSL_CLIENT_CERT

    SSL_CLIENT_CERT_CHAIN_n (where n= 0, 1, 2...)

    These variables contain the Privacy Enhanced Mail (PEM)-encoded X.509 certificates for the server and the client for the current HTTPS connection, and can be used by CGI scripts for deeper certificate checking. All other certificates of the client certificate chain are provided. This option is "Off" by default because there is a performance cost associated with using it.

    SSL_CLIENT_CERT_CHAIN_n variables are in the following order: SSL_CLIENT_CERT_CHAIN_0 is the intermediate CA who signs SSL_CLIENT_CERT. SSL_CLIENT_CERT_CHAIN_1 is the intermediate CA who signs SSL_CLIENT_CERT_CHAIN_0, and so forth, with SSL_CLIENT_ROOT_CERT as the root CA.

  • FakeBasicAuth: Translates the subject distinguished name of the client X.509 certificate into an HTTP basic authorization user name. This means that the standard HTTP server authentication methods can be used for access control. Note that no password is obtained from the user; the string 'password' is substituted.

  • StrictRequire: Denies access when, according to SSLRequireSSL or directives, access should be forbidden. Without StrictRequire, it is possible for a 'Satisfy any' directive setting to override the SSLRequire or SSLRequireSSL directive, allowing access if the client passes the host restriction or supplies a valid user name and password.

    Thus, the combination of SSLRequireSSL or SSLRequire with SSLOptions +StrictRequire gives mod_ossl the ability to override a 'Satisfy any' directive in all cases.

  • CompatEnvVars: Exports obsolete environment variables for backward compatibility to Apache SSL 1.x, mod_ssl 2.0.x, Sioux 1.0, and Stronghold 2.x. Use this to provide compatibility to existing CGI scripts.

  • OptRenegotiate: This enables optimized SSL connection renegotiation handling when SSL directives are used in a per-directory context.

Category Value

Syntax

SSLOptions [+-] StdEnvVars | ExportCertData | FakeBasicAuth | StrictRequire | CompatEnvVars | OptRenegotiate

Example

SSLOptions -StdEnvVars

Default

None


E.4.10 SSLPassPhraseDialog

Type of pass phrase dialog for wallet access. mod_ossl asks the administrator for a pass phrase in order to access the wallet. Accepted if values are:

  • builtin: when the server is started, mod_ossl prompts for a password for each wallet.

    This cannot be used when Oracle HTTP Server is managed by OPMN. No user interaction is allowed when Oracle HTTP Server is started by OPMN.

  • exec:path/to/program - when the server is started, mod_ossl calls an external program configured for each wallet. This program is invoked with two arguments: servername:portnumber and RSA or DSA.

Category Value

Syntax

SSLPassPhraseDialog builtin | exec

Example

SSLPassPhraseDialog exec:/usr/local/apache/sbin/pfilter

Default

builtin


E.4.11 SSLProtocol

Specifies SSL protocol(s) for mod_ossl to use when establishing the server environment. Clients can only connect with one of the specified protocols. Accepted values are:

  • SSLv2

  • SSLv3

  • TLSv1

  • All

Category Value

Syntax

SSLProtocol [+-] SSLv2 | SSLv3 | TLSv1 | All

Example

SSLProtocol +SSLv3

Default

ALL


E.4.12 SSLRequire

Denies access unless an arbitrarily complex boolean expression is true.

Category Value

Syntax

SSLRequire expression (see Understanding the Expression)

Example

SSLRequire word ">=" word |word "ge" word

Default

None


Understanding the Expression

The expression must match the following syntax (given as a BNF grammar notation):

expr ::= "true" | "false"
"!" expr
expr "&&" expr
expr "||" expr
"(" expr ")"

comp ::=word "==" word | word "eq" word
word "!=" word |word "ne" word
word "<" word |word "lt" word
word "<=" word |word "le" word
word ">" word |word "gt" word
word ">=" word |word "ge" word
word "=~" regex
word "!~" regex
wordlist ::= word
wordlist "," word

word ::= digit
cstring
variable
function

digit ::= [0-9]+

cstring ::= "..."

variable ::= "%{varname}"

Table E-3 and Table E-4 list standard and SSL variables. These are valid values for varname.

function ::= funcname "(" funcargs ")"

For funcname, the following function is available:

file(filename)

The file function takes one string argument, the filename, and expands to the contents of the file. This is useful for evaluating the file's contents against a regular expression.

Table E-3 lists the standard variables for SSLRequire varname.

Table E-3 Standard Variables for SSLRequire Varname

Standard Variables Standard Variables Standard Variables

HTTP_USER_AGENT

PATH_INFO

AUTH_TYPE

HTTP_REFERER

QUERY_STRING

SERVER_SOFTWARE

HTTP_COOKIE

REMOTE_HOST

API_VERSION

HTTP_FORWARDED

REMOTE_IDENT

TIME_YEAR

HTTP_HOST

IS_SUBREQ

TIME_MON

HTTP_PROXY_CONNECTION

DOCUMENT_ROOT

TIME_DAY

HTTP_ACCEPT

SERVER_ADMIN

TIME_HOUR

HTTP:headername

SERVER_NAME

TIME_MIN

THE_REQUEST

SERVER_PORT

TIME_SEC

REQUEST_METHOD

SERVER_PROTOCOL

TIME_WDAY

REQUEST_SCHEME

REMOTE_ADDR

TIME

REQUEST_URI

REMOTE_USER

ENV:variablename

REQUEST_FILENAME

 

 


Table E-4 lists the SSL variables for SSLRequire varname.

Table E-4 SSL Variables for SSLRequire Varname

SSL Variables SSL Variables SSL Variables

HTTPS

SSL_PROTOCOL

SSL_CIPHER_ALGKEYSIZE

SSL_CIPHER

SSL_CIPHER_EXPORT

SSL_VERSION_INTERFACE

SSL_CIPHER_USEKEYSIZE

SSL_VERSION_LIBRARY

SSL_SESSION_ID

SSL_CLIENT_V_END

SSL_CLIENT_M_SERIAL

SSL_CLIENT_V_START

SSL_CLIENT_S_DN_ST

SSL_CLIENT_S_DN

SSL_CLIENT_S_DN_C

SSL_CLIENT_S_DN_CN

SSL_CLIENT_S_DN_O

SSL_CLIENT_S_DN_OU

SSL_CLIENT_S_DN_G

SSL_CLIENT_S_DN_T

SSL_CLIENT_S_DN_I

SSL_CLIENT_S_DN_UID

SSL_CLIENT_S_DN_S

SSL_CLIENT_S_DN_D

SSL_CLIENT_I_DN_C

SSL_CLIENT_S_DN_Email

SSL_CLIENT_I_DN

SSL_CLIENT_I_DN_O

SSL_CLIENT_I_DN_ST

SSL_CLIENT_I_DN_L

SSL_CLIENT_I_DN_T

SSL_CLIENT_I_DN_OU

SSL_CLIENT_I_DN_CN

SSL_CLIENT_I_DN_S

SSL_CLIENT_I_DN_I

SSL_CLIENT_I_DN_G

SSL_CLIENT_I_DN_Email

SSL_CLIENT_I_DN_D

SSL_CLIENT_I_DN_UID

SSL_CLIENT_CERT

SSL_CLIENT_CERT_CHAIN_n

SSL_CLIENT_ROOT_CERT

SSL_CLIENT_VERIFY

SSL_CLIENT_M_VERSION

SSL_SERVER_M_VERSION

SSL_SERVER_V_START

SSL_SERVER_V_END

SSL_SERVER_M_SERIAL

SSL_SERVER_S_DN_C

SSL_SERVERT_S_DN_ST

SSL_SERVER_S_DN

SSL_SERVER_S_DN_OU

SSL_SERVER_S_DN_CN

SSL_SERVER_S_DN_O

SSL_SERVER_S_DN_I

SSL_SERVER_S_DN_G

SSL_SERVER_S_DN_T

SSL_SERVER_S_DN_D

SSL_SERVER_S_DN_UID

SSL_SERVER_S_DN_S

SSL_SERVER_I_DN

SSL_SERVER_I_DN_C

SSL_SERVER_S_DN_Email

SSL_SERVER_I_DN_L

SSL_SERVER_I_DN_O

SSL_SERVER_I_DN_ST

SSL_SERVER_I_DN_CN

SSSL_SERVER_I_DN_T

SSL_SERVER_I_DN_OU

SSL_SERVER_I_DN_G

SSL_SERVER_I_DN_I

 


E.4.13 SSLRequireSSL

Denies access to clients not using SSL. This is a useful directive for absolute protection of a SSL-enabled virtual host or directories in which configuration errors could create security vulnerabilities.

Category Value

Syntax

SSLRequireSSL

Example

SSLRequireSSL

Default

None


E.4.14 SSLSessionCache

Specifies the global/interprocess session cache storage type. The cache provides an optional way to speed up parallel request processing. The accepted values are:

  • none: disables the global/interprocess session cache. Produces no impact on functionality, but makes a major difference in performance.

  • shmht:/path/to/datafile[bytes]: Uses a high-performance hash table (bytes specifies approximate size) inside a shared memory segment in RAM, which is established by the /path/to/datafile. This hash table synchronizes the local SSL memory caches of the server processes.

  • shmcb:/path/to/datafile[bytes]: Uses a high-performance Shared Memory Cyclic Buffer (SHMCB) session cache to synchronize the local SSL memory caches of the server processes. The performance of shmcb is more uniform in all environments when compared to shmht.

Category Value

Syntax

SSLSessionCache none | shmht: /path/to/datafile[bytes] | shmcb:/path/to/datafile[bytes]

Examples

SSLSessionCache shmht: /ORACLE_HOME/Apache/Apache/logs/ssl_scache(512000)

SSLSessionCache shmcb: /ORACLE_HOME/Apache/Apache/logs/ssl_scache(512000)

Default

SSLSessionCache none


E.4.15 SSLSessionCacheTimeout

Specifies the number of seconds before a SSL session in the session cache expires.

Category Value

Syntax

SSLSessionCacheTimeout seconds

Example

SSLSessionCacheTimeout 120

Default

300


E.4.16 SSLVerifyClient

Specifies whether or not a client must present a certificate when connecting. The accepted values are:

  • none: No client certificate is required

  • optional: Client may present a valid certificate

  • require: Client must present a valid certificate

Category Value

Syntax

SSLVerifyClient none | optional | require

Example

SSLVerifyClient optional

Default

None


Note:

The level optional_no_ca included with mod_ssl (in which the client can present a valid certificate, but it need not be verifiable) is not supported in mod_ossl.

E.4.17 SSLWallet

Specifies the location of the wallet with its WRL, specified as a filepath.

Category Value

Syntax

SSLWallet file:path to wallet

Example

SSLWallet file:/etc/ORACLE/WALLETS/server

Default

None


E.4.18 SSLWalletPassword

Note:

SSLWalletPassword has been deprecated. A warning message is generated in the Oracle HTTP Server log if this directive is used. For secure wallets, you should get a SSO wallet, with auto-login enabled, instead.

Specifies the Wallet password needed to access the wallet specified within the same context. You can choose either a cleartext wallet password or an obfuscated password. The obfuscated password is created with the command line tool iasobf. If you must use a regular wallet, Oracle recommends that you use the obfuscated password instead of a cleartext password. If no password is required do not set this directive.

Note:

If you are using a wallet created with the Auto Login feature of Oracle Wallet Manager, do not set this directive because these wallets do not require passwords.

Category Value

Syntax

SSLWalletPassword password

Example

SSLWalletPassword myWalletPassword

Default

None


See Also:

"Using the iasobf Utility" on page 11-15

E.5 mod_osso

Note:

mod_osso is deprecated. You should use the Webgate plugin to achieve single sign on. For more information, see "Installing and Configuring Oracle HTTP Server 11g Webgate for OAM" in Oracle® Fusion Middleware Installation Guide for Oracle Identity Management.

mod_oddo accepts the following directives:

E.5.1 OssoConfigFile

Specifies the path to osso.conf.

Category Value

Syntax

OssoConfigFile path/to/osso.conf

Example

OssoConfigFile OracleOHS_Home/ohs/conf/osso/osso.conf

Default

None


E.5.2 OssoIdleTimeout

Specifies whether or not to enable cookie idle timeout.

Category Value

Syntax

OssoIdleTimeout ON | OFF

Example

OssoIdleTimeout OFF

Default

OFF


E.5.3 OssoIgnoreUri

Identifies which URLs OHS should ignore.

  • If ALL is specified, then all URLs are ignored.

  • If querystring is specified, URLs matching the query string are ignored.

Category Value

Syntax

OssoIgnoreUri ALL | querystring string

Example

OssoIgnoreUri ALL

or

OssoIgnoreUri querystring foo=bar,bar=baz\

Default

No URLs are ignored.


E.5.4 OssoIpCheck

When set to On, the directive enables a weak form of IP spoof checking. The incoming IP address is compared against the ClientIP header value.

Category Value

Syntax

OssoIpCheck ON | OFF

Example

OssoIpCheck ON

Default

OFF


E.5.5 OssoLegacyApp

Specifies whether or not to enable URI authentication for the location where it was set. When On, URI authentication is enabled.

Category Value

Syntax

OssoLegacyApp ON | OFF

Example

OssoLegacyApp ON

Default

OFF


E.5.6 OssoProtectedOnly

Specifies whether or not to create a cookie for an application that protects itself via dynamic sso directives. When ON this cookie is created.

Category Value

Syntax

OssoProtectedOnly ON | OFF

Example

OssoProtectedOnly ON

Default

OFF


E.5.7 OssoRedirectByForm

Specifies whether or not to enable redirect by form. When On, the redirect is enabled.

Category Value

Syntax

OssoRedirectByForm ON | OFF

Example

OssoRedirectByForm ON

Default

OFF


E.5.8 OssoSecureCookies

Specifies whether or not to enable secure cookies. When set to On, these cookies ar eenabled.

Category Value

Syntax

OssoSecureCookies ON | OFF

Example

OssoSecureCookies OFF

Default

ON


E.5.9 OssoSendCacheHeaders

For statically protected pages, this directive specifies whether or not the following headers are sent:

  • Pragma: no-cache

  • Cache-Control: no-store

  • Surrogate-Control: no-store

  • Expires: Thu, 01 Jan 1970 12:00:00 GMT

Category Value

Syntax

OssoSendCacheHeaders ON | OFF

Example

OssoSendCacheHeaders OFF

Default

ON


E.5.10 OssoHTTPOnly

Specifies whether or not to set HTTPOnly in the cookies created by the module. If ON, HTTPOnly is set.

Category Value

Syntax

OssoHttpOnly ON | OFF

Example

OssoHttpOnly OFF

Default

ON


E.6 mod_plsql

The mod_plsql configuration parameters are described in these sections:

E.6.1 plsql.conf

The following parameters are used with the plsql.conf file:

E.6.1.1 PlsqlDMSEnable

Enables Dynamic Monitoring Service (DMS) for the mod_plsql module.

Category Value

Syntax

PlsqlDMSEnable On | Off

Example

PlsqlDMSEnable On

Default

On


E.6.1.2 PlsqlLogEnable

Enables debug level logging for the mod_plsql module. Debug level logging is meant to be used for debugging purposes only.

When logging is enabled, Oracle HTTP Server log files are typically created in the ORACLE_INSTANCE/diagnostics/logs/OHS/config/OHS/component_name directory. However, the location specified in PlsqlLogDirectory determines the final location.

This parameter should be set to Off unless recommended by Oracle support to debug problems with the mod_plsql module.

To view more details about the internal processing of the mod_plsql module, set this directive to On. This causes the mod_plsql module to start logging every request that is processed. The log files are generated as specified by the PlsqlLogDirectory directive.

Category Value

Syntax

PlsqlLogEnable On | Off

Example

PlsqlLogEnable Off

Default

Off


E.6.1.3 PlsqlLogDirectory

Specifies the directory where debug level logs are written.

Set the directory name of the location where log files should be generated when logging is enabled. To avoid possible confusion about the location of this directory, an absolute path is recommended.

On UNIX, this directory must have write permissions by the owner of the child httpd processes.

Category Value

Syntax

PlsqlLogDirectory directory

Example

PlsqlLogDirectory ORACLE_INSTANCE/diagnostics/logs/OHS/component_name

Default

None


E.6.1.4 PlsqlIdleSessionCleanupInterval

Specifies the time (in minutes) in which the idle database sessions should be closed and cleaned by the mod_plsql module.

This directive is used in conjunction with connection pooling of database connections and sessions in the mod_plsql module. When a session is not used for the specified amount of time, it is closed and freed. This is done so that unused sessions can be cleaned, and the memory is freed on the database side.

Setting this time to a low number helps in faster cleanup of unused database sessions. If this number is too low, then this may adversely affect the performance benefits of connection pooling in the mod_plsql module.

If the number of open database sessions is not a concern, you can increase the value of this parameter for best performance. In such a case, if the site is accessed frequently enough that the idle session cleanup interval is never reached for a session, then the DAD configuration parameter PlsqlMaxRequestsPerSession can be modified so that it is guaranteed that a pooled database session gets recycled on a regular basis.

For most installations, the default value is adequate.

Category Value

Syntax

PlsqlIdleSessionCleanupInterval number

Example

PlsqlIdleSessionCleanupInterval 10

Default

15 (minutes)


E.6.2 dads.conf

The dads.conf file contains the configuration parameters for the PL/SQL database access descriptor. (See Table E-1 for the file location.) A DAD is a set of values that specifies how the mod_plsql module connects to a database server to fulfill a HTTP request.

The following parameters are used with the dads.conf file:

E.6.2.1 PlsqlAfterProcedure

Specifies the procedure to be invoked after calling the requested procedure. This enables you to put a hook point after the requested procedure is called. This is useful in doing SQL*Traces/SQL Profiles while debugging a problem with the requested procedure. This is also useful when you want to ensure that a specific call is made after running every procedure.

Category Value

Syntax

PlsqlAfterProcedure string

Example

PlsqlAfterProcedure portal.mypkg.myafterproc

Default

None


Note:

This parameter should only be used for debugging purposes. In addition, you could use this parameter to stop SQL trace/SQL profiling.

E.6.2.2 PlsqlAlwaysDescribeProcedure

Specifies whether the mod_plsql module should describe a procedure before trying to run it. If this is set to On, then the mod_plsql module will always describe a procedure before invoking it. Otherwise, the mod_plsql module will only describe a procedure when its internal heuristics have interpreted a parameter type incorrectly.

Category Value

Syntax

PlsqlAlwaysDescribeProcedure On | Off

Example

PlsqlAlwaysDescribeProcedure On

Default

Off


Note:

This parameter should only be used for debugging purposes.

E.6.2.3 PlsqlAuthenticationMode

Specifies the authentication mode to use for allow access through the DAD. The accepted values for PlsqlAuthenticationMode are Basic, SingleSignOn, GlobalOwa, CustomOwa, PerPackageOwa.

Category Value

Syntax

PlsqlAuthenticationMode Basic | SingleSignOn | GlobalOwa | CustomOwa | PerPackageOwa

Example

PlsqlAuthenticationMode CustomOwa

Default

Basic


  • Basic is the default mode and determines whether or not to ask for username and password if they are not provided with PlsqlDatabaseUsername and PlsqlDatabasePassword. This setting is required for WebDB 2.x applications. If the DAD is not using the Basic authentication, then you must include a valid username/password in the DAD configuration.

  • SingleSignOn specifies that you want to use Single Sign-On server. This is required for DADs using Oracle9iAS Portal. As already stated the provided username and password need to be the one from your single signon server.

  • GlobalOwa, CustomOwa, and PerPackageOwa are used only by very few PL/SQL applications. Custom authentication enables applications to authenticate users within the application itself, not at the database level.

    Authorization is performed by invoking a user-written authorization function. Custom authentication uses a static username/password that is stored in the DAD. It cannot be combined with dynamic username/password authentication. To enable custom authentication, set the level of authentication for PlsqlAuthenticationMode and implement the authorize function.

You should also be aware of the following:

  • If the DAD is not using the Basic authentication, then you must include a valid username/password in the DAD configuration. For the Basic mode, to perform dynamic authentication, the DAD username/password parameters must be omitted.

  • The SingleSignOn mode is supported only for Oracle Fusion Middleware releases, and is used by Oracle Portal and Oracle Single Sign-On. Most customer applications use Basic authentication. Custom authentication modes (GlobalOwa, CustomOwa, and PerPackageOwa) are used by very few PL/SQL applications.

E.6.2.4 PlsqlBeforeProcedure

Specifies the procedure to be invoked before calling the requested procedure. This enables you to put a hook point before the requested procedure is called. This is useful in doing SQL*Traces/SQL Profiles while debugging a problem with the requested procedure. This is also useful when you want to ensure that a specific call be made before running every procedure.

Category Value

Syntax

PlsqlBeforeProcedure string

Example

PlsqlBeforeProcedure portal.mypkg.mybeforeproc

Default

None


Note:

This parameter should only be used for debugging purposes. In addition, you could use this parameter to start SQL Trace/SQL Profiling.

E.6.2.5 PlsqlBindBucketLengths

Note:

This configuration property is rarely ever changed, and system defaults suffice in almost all cases.

Specifies the rounding size to use while binding the number of elements in a collection bind. While executing PL/SQL statements, the Oracle database maintains a cache of PL/SQL statements in the shared SQL area, and attempts to reuse the cached statement if the same statement is run again. Oracle's matching criteria requires that the statement texts be identical, and that the bind variable data types match. Unfortunately, the type match for strings is sensitive to the exact byte size specified, and for collection bindings is also sensitive to the number of elements in the collection. Since the mod_plsql module binds statements dynamically, the odds of hitting the shared cache are low, and it may fill up with near-duplicates and lead to contention for the latch on the shared area. This parameter reduces that effect by bucketing bind lengths to the nearest level.

All numbers specified should be in ascending order. After the last specified size, subsequent bucket sizes will be assumed to be twice the last one.

Category Value

Syntax

PlsqlBindBucketLengths number multiline

Example

PlsqlBindBucketLengths 4

PlsqlBindBucketLengths 25

PlsqlBindBucketLengths 125

Default

4,20,100,400


  • This parameter is relevant only if you are using procedures with array parameters, and passing varying number of parameters to the procedure.

  • The default should be sufficient for most PL/SQL applications.

  • To see if this parameter needs to be changed, check the number of versions of a SQL statement in the SQL area.

  • After the higher configured value, mod_plsql starts auto-generating bucket sizes of larger values by doubling the last value, as needed. Therefore, after 400, the next bucket value becomes 800, then 1600, and so on.

  • Consider using flexible parameter passing to reduce the problem.

E.6.2.6 PlsqlBindBucketWidths

Note:

This configuration property is rarely ever changed, and system defaults suffice in almost all cases.

Specifies the rounding size to use while binding the number of elements in a collection bind. While executing PL/SQL statements, the Oracle database maintains a cache of PL/SQL statements in the shared SQL area, and attempts to reuse the cached statement if the same statement is run again. Oracle's matching criteria requires that the statement texts be identical, and that the bind variable data types match. Unfortunately, the type match for strings is sensitive to the exact byte size specified, and for collection bindings is also sensitive to the number of elements in the collection. Since the mod_plsql module binds statements dynamically, the odds of hitting the shared cache are low, and it may fill up with near-duplicates and lead to contention for the latch on the shared area. This parameter reduces that effect by bucketing bind widths to the nearest level.

All numbers specified should be in ascending order. After the last specified size, subsequent bucket sizes will be assumed to be twice the last one.

The last bucket width must be equal to or less than 4000. This is due to the restriction imposed by OCI where array bind widths cannot be greater than 4000.

Category Value

Syntax

PlsqlBindBucketWidths number multiline

Example

PlsqlBindBucketWidths 40

PlsqlBindBucketWidths 400

PlsqlBindBucketWidths 2000

Default

32,128,1450,2048,4000


  • This parameter is relevant only if you are using procedures with array parameters, and passing varying number of parameters to the procedure.

  • The default should be sufficient for most PL/SQL applications.

  • To see if this parameter needs to be changed, check the number of versions of a SQL statement in the SQL area.

  • After the higher configured value, mod_plsql starts auto-generating bucket sizes of larger values by doubling the last value, as needed. Therefore, after 400, the next bucket value becomes 800, then 1600, and so on.

  • Consider using flexible parameter passing to reduce the problem.

E.6.2.7 PlsqlCGIEnvironmentList

Specifies overrides and additions of CGI environment variables to the default set of environment variables passed to a PL/SQL procedure. This is a multi-line directive of name-value pairs to be added, overridden or removed. You can only specify one environment variable for each directive.

You can add CGI environment variables from the Oracle HTTP Server environment by specifying the variable name. To remove a CGI environment variable, set it equal to blank. To add your own name-value pair, use the syntax myname=myvalue.

Category Value

Syntax

PlsqlCGIEnvironmentList string multiline

Default

None

Example

  • To add a new environment variable from the Oracle HTTP Server environment:

    PlsqlCGIEnvironmentList DOCUMENT_ROOT

  • To remove an environment variable:

    PlsqlCGIEnvironmentList MYENVAR2=

  • To override from the Oracle HTTP Server environment:

    PlsqlCGIEnvironmentList REQUEST_PROTOCOL=HTTPS

  • To add your own environment variable:

    PlsqlCGIEnvironmentList MY_VARNAME=MY_VALUE


  • Environment variables added here are available in the PL/SQL application through the function owa_util.get_cgi_env.

E.6.2.8 PlsqlConnectionTimeout

Specifies the timeout in milliseconds for testing a connection pool in the mod_plsql module.

Category Value

Syntax

PlsqlConnectionTimeout number

Example

PlsqlConnectionTimeout 5000

Default

10000 (milliseconds)


When PlsqlConnectionValidation is set to Automatic or AlwaysValidate, the mod_plsql module attempts to test pooled database connections. This parameter specifies the maximum time the mod_plsql module should wait for the test request to complete before it assumes that the connection is not usable.

E.6.2.9 PlsqlConnectionValidation

Specifies the mechanism the mod_plsql module should use to detect terminated connections in its connection pool.

Note:

This configuration property is rarely ever changed, and system defaults suffice in almost all cases.

For performance reasons, the mod_plsql module pools database connections. If a database instance goes down, and the mod_plsql module was maintaining a pool of connections to the instance, then each pooled database connection results in an error when it is next used to service a request. This can be a concern in high availability configurations such as RAC where even if one node goes down, other nodes servicing the database might have been able to service the request successfully. The mod_plsql module provides for a mechanism whereby it can self-correct after it detects a failure that could be caused by a database node going down. This mechanism to self-correct is controlled by the parameter PlsqlConnectionValidation.

The following are the valid values for PlsqlConnectionValidation:

  • Automatic: The mod_plsql module tests all pooled database connections which were created prior to the detection of a failure that could mean an instance failure.

  • ThrowAwayOnFailure: The mod_plsql module throws away all pooled database connections which were created prior to the detection of a failure that could mean an instance failure.

  • AlwaysValidate: The mod_plsql module always tests all pooled database connections which were created prior to issuing a request. Since this option has an associated performance overhead for each request, this should be used with caution.

  • NeverValidate: The mod_plsql module never pings any pooled database connection.

Category Value

Syntax

PlsqlConnectionValidation Automatic | ThrowAwayOnFailure | AlwaysValidate | NeverValidate

Example

PlsqlConnectionValidation ThrowAwayOnFailure

Default

Automatic


When the mod_plsql module encounters one of the following errors, it assumes that the database may have been down.

  • 00443 — background process <string> did not start

  • 00444 — background process <string> failed while starting

  • 00445 — background process did not start after <x> seconds

  • 00447 — fatal error in background processes

  • 00448 — normal completion of background process

  • 00449 — background process <string> unexpectedly terminated with error

  • 00470 — LGWR process terminated with error

  • 00471 — DBWR process terminated with error

  • 00472 — PMON process terminated with error

  • 00473 — ARCH process terminated with error

  • 00474 — SMON process terminated with error

  • 00475 — TRWR process terminated with error

  • 00476 — RECO process terminated with error

  • 00480 — LCK* process terminated with error

  • 00481 — LMON process terminated with error

  • 00482 — LMD* process terminated with error

  • 00484 — LMS* process terminated with error

  • 00485 — DIAG process terminated with error

  • 01014 — ORACLE shutdown in progress

  • 01033 — ORACLE initialization or shutdown in progress

  • 01034 — ORACLE not available

  • 01041 — internal error. hostdef extension doesn't exist

  • 01077 — background process initialization failure

  • 01089 — immediate shutdown in progress- no operations permitted

  • 01090 — shutdown in progress- connection is not permitted

  • 01091 — failure during startup force

  • 01092 — ORACLE instance terminated. Disconnection forced

  • 03106 — fatal two-task communication protocol error

  • 03113 — end-of-file on communication channel

  • 03114 — not connected to ORACLE

  • 12570 — TNS: packet reader failure

  • 12571 — TNS: packet writer failure

E.6.2.10 PlsqlDatabaseConnectString

Specifies the connection to an Oracle database.

Category Value

Syntax

PlsqlDatabaseConnectString string {ServiceNameFormat | SIDFormat | TNSFormat | NetServiceNameFormat}

The string parameter depends on the second argument:

  • If the second argument is ServiceNameFormat, string is HOST:PORT:SERVICE_NAME, where HOST is the host name running the database, PORT is the port number the TNS listener is listening at, and SERVICE_NAME is the database service name.

    An IPv6 address can be specified using the format [IPv6_ADDRESS]:PORT:SERVICE_NAME.

  • If the second argument is SIDFormat, string is HOST:PORT:SID where HOST is the host name running the database, PORT is the port number the TNS listener is listening at, and SID is the database SID.

    An IPv6 address can be specified using the format [IPv6_ADDRESS]:PORT:SID.

  • If the second argument is TNSFormat, string is a valid TNS alias that can be resolved using Net8 utilities like tnsping and SQL*Plus.

  • If the second argument is NetServiceNameFormat, string is a valid net service name that can be resolved to a connect descriptor. A connect descriptor is a specially formatted description of the destination for a network connection. A connect descriptor contains destination service and network route information.

If the format argument is not specified, then the mod_plsql module assumes the string is either in the HOST:PORT:SID format, or resolvable by Net8. The differentiation between the two is made by the presence of the colon in the specified string.

It is recommended that newer DADs do not use the SIDFormat syntax. This exists only for backward compatibility reasons. Use the new two argument format for newly created DADs.

Example

  • PlsqlDatabaseConnectString example.com:1521:myhost.iasdb.inst ServiceNameFormat

  • PlsqlDatabaseConnectString [2001:DB8:f1ff:f1ff]:1521:myhost.iasdb.inst ServiceNameFormat

  • PlsqlDatabaseConnectString example.com:1521:iasdb SIDFormat

  • PlsqlDatabaseConnectString [2001:DB8:ff1ff:f1ff]:1521:iasdb SIDFormat

  • PlsqlDatabaseConnectString myhost_tns TNSFormat

  • PlsqlDatabaseConnectString cn=oracle,cn=iasdb NetServiceNameFormat

  • PlsqlDatabaseConnectString (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(Host=example.com)(Port= 1521))(CONNECT_DATA=(SID=iasdb))) TNSFormat

  • PlsqlDatabaseConnectString myhost_tns

  • PlsqlDatabaseConnectString example.com:1521:iasdb

Default

None


  • If the database is running in the same Oracle home, or the environment variable TWO_TASK is set, then this parameter need not be specified.

  • If the database is running in a separate Oracle home, then this parameter is mandatory.

  • If you have problems connecting to the database:

    • Check the username and password information in the DAD.

    • Make sure that you run tnsping db_connect_string, and commands such as:

      sqlplus DADUsername/DADPassword@db_connect_string
      
    • Ensure that TNS_ADMIN is configured properly.

    • Verify that the HOST:PORT:SERVICE_NAME format works correctly.

    • Ensure that the TNS listener and database are up and running.

    • Ensure that you can ping the host from this machine.

  • From a the mod_plsql module perspective, TNSFormat and NetServiceNameFormat are synonymous and denote connect descriptors that are resolved by Net8. The TNSFormat is provided as a convenience so that end-users use this to signify that the name resolution happens through the local tnsnames.ora. For situations where the resolution is through an LDAP lookup as configured in sqlnet.ora, it is recommended that the format specifier of NetServiceNameFormat be used.

    If your database supports high availability, for example, Oracle Real Application Clusters database, it is highly recommended that you use the NetServiceNameFormat such that the resolution for the net service name is through LDAP. This enables you to add or remove RAC nodes accessible through the mod_plsql module by changing Oracle Internet Directory with the new or deleted node information. In such situations, hard-coding database listener HOST:PORT information in dads.conf or in the local tnsnames.ora is not recommended.

E.6.2.11 PlsqlDatabasePassword

Specifies the password to use to log in to the database.

Category Value

Syntax

PlsqlDatabasePassword string

Example

PlsqlDatabasePassword tiger

Default

None


  • This is a mandatory parameter, except for a DAD that sets PlsqlAuthenticationMode to Basic and uses dynamic authentication.

  • For DADs using SingleSignOn authentication, this parameter uses the name of the schema owner.

After making manual configuration changes to DAD passwords, you should obfuscate the DAD passwords by running the dadTool.pl script, located in ORACLE_HOME/bin.

To obfuscate DAD passwords:

  1. If necessary, change the user to the Oracle software owner user, typically oracle, using the following command:

    $ su - oracle
    
  2. Set the ORACLE_HOME environment variable to specify the path to the Oracle home directory for the current release, and set the PATH environment variable to include the directory containing the Perl executable and the location of the dadTool.pl script.

    Bourne, Bash, or Korn shell:

    $ ORACLE_HOME=new_ORACLE_HOME_path;export ORACLE_HOME
    $ PATH=ORACLE_HOME/bin:ORACLE_HOME/perl/bin:$PATH;export PATH
    

    C or tcsh shell:

    % setenv ORACLE_HOME new_ORACLE_HOME_PATH
    % setenv PATH ORACLE_HOME/bin:ORACLE_HOME/perl/bin:PATH
    

    On Microsoft Windows, set the PATH and PERL5LIB environment variable:

    set PATH=ORACLE_HOME\bin;ORACLE_HOME\perl\bin;%PATH%
    set PERL5LIB=ORACLE_HOME\perl\lib
    
  3. On UNIX platforms, set the shared library path environment variable.

    Include the ORACLE_HOME/lib or lib32 directory in your shared library path. Table E-5 shows the appropriate directory and environment variable for each platform.

    Table E-5 Shared Library Path Environment Variable

    Platform Environment Variable Include Directory

    AIX Based Systems

    LIBPATH

    ORACLE_HOME/lib

    HP-UX PA-RISC

    SHLIB_PATH

    ORACLE_HOME/lib

    Solaris Operating System

    LD_LIBRARY_PATH

    ORACLE_HOME/lib32

    Other UNIX platforms, including Linux and HP Tru64 UNIX

    LD_LIBRARY_PATH

    ORACLE_HOME/lib


    For example, on HP-UX PA-RISC systems, set the SHLIB_PATH environment to include the ORACLE_HOME/lib directory:

    $SHLIB_PATH=$ORACLE_HOME/lib:$SHLIB_PATH;export SHLIB_PATH
    
  4. Change directory to the mod_plsql configuration directory for the current release of Oracle HTTP Server:

    cd ORACLE_HOME/bin
    
  5. Invoke the following Perl script to obfuscate DAD password:

    perl dadTool.pl -f dadfilename
    

    where dadfilename is the filename for dads.conf, which includes the full path to the DAD file.

    For example:

    perl dadTool.pl -f /u01/app/oracle/as11gr1/ORACLE_INSTANCE/config/OHS/component_name/mod_plsql/dads.conf
    

E.6.2.12 PlsqlDatabaseUserName

Specifies the username to use to log in to the database.

Category Value

Syntax

PlsqlDatabaseUsername string

Example

PlsqlDatabaseUsername scott

Default

None


  • This is a mandatory parameter, except for a DAD that sets PlsqlAuthenticationMode to Basic and uses dynamic authentication.

  • For DADs using SingleSignOn authentication, this parameter is the name of the schema owner.

E.6.2.13 PlsqlDefaultPage

Specifies the default procedure to call if none is specified in the URL.

Category Value

Syntax

PlsqlDefaultPage string

Example

PlsqlDefaultPage myschema.mypackage.home

Default

None


You can also use Oracle HTTP Server Rewrite rules to achieve the same effect as you get by setting this configuration parameter.

E.6.2.14 PlsqlDocumentPath

Specifies a virtual path in the URL that initiates document download from the document table. For example, if this parameter is set to docs, then the following URLs will start the document downloading process for URLs of the format:

/pls/dad/docs
/pls/plsqlapp/docs
Category Value

Syntax

PlsqlDocumentPath string

Example

PlsqlDocumentPath docs

Default

docs


Omit this parameter for applications that do not perform document uploads or downloads.

E.6.2.15 PlsqlDocumentProcedure

Specifies the procedure to call when a document download is initiated. This procedure is called to process the download.

Category Value

Syntax

PlsqlDocumentProcedure string

Example

PlsqlDocumentProcedure portal.wwdoc_process.process_download

Default

None


Omit this parameter for applications that do not perform document uploads or downloads.

E.6.2.16 PlsqlDocumentTablename

Specifies the table in the database to which all documents are uploaded.

Category Value

Syntax

PlsqlDocumentTablename string

Example

PlsqlDocumentTablename myschema.document_table

Default

None


Omit this parameter for applications that do not perform document uploads or downloads.

E.6.2.17 PlsqlErrorStyle

Specifies the error reporting mode for mod_plsql errors.

Category Value

Syntax

PlsqlErrorStyle {ApacheStyle | ModplsqlStyle | DebugStyle}

  • ApacheStyle: The mod_plsql module indicates to Oracle HTTP Server the HTTP error that was encountered. Oracle HTTP Server then generates the error page. This can be used with the Oracle HTTP Server ErrorDocument directive to produce customized error messages.

  • ModplsqlStyle: The mod_plsql module generates the error pages, usually a short message indicating the PL/SQL error encountered and PL/SQL exception stack, if any. For example:

    scott.foo PROCEDURE NOT FOUND
    
  • DebugStyle: This mode provides more details than ModplsqlStyle. The mod_plsql module provides more details about the URL and parameters, and also produces server configuration information. This mode is for debugging purposes only. Do not use this in a production system, since displaying internal server variables could be a security risk.

Example

PlsqlErrorStyle ModplsqlStyle

Default

ApacheStyle


E.6.2.18 PlsqlExclusionList

Specifies a pattern for procedures, packages, or schema names which are forbidden to be directly run from a browser. This is a multi-line directive in which each pattern is on a separate line. The pattern is not case sensitive and can accept a wildcard such as an asterisk (*). The default patterns disallowed from direct URL access are as follows:

  • sys.*

  • dbms_*

  • utl_*

  • owa_util*

  • owa.*

  • htp.*

  • htf.*

  • wpg_docload.*

Setting this directive to #NONE# will disable all protection. This is strongly discouraged for an active site and should not be done. It may be used for debugging purposes.

If this parameter is overridden, the defaults still apply, which means that you do not have to explicitly add the default list to the list of excluded patterns.

Category Value

Syntax

PlsqlExclusionList {string | "#NONE#" multiline}

Example

PlsqlExclusionList myschema.private.*

PlsqlExclusionList myschema.private1.*

will disallow access to URLs which contain one of:

sys.*, dbms_*, utl_*, owa_util*, owa.*, htp.*, htf.*, wpg_docload.*, myschema.private.*, myschema.private1.*

PlsqlExclusionList "#NONE#"

will disable all protection. Its use is strongly discouraged for an active site.

Default

sys.*

dbms_*

utl_*

owa_util*

owa.*

htp.*

htf.*

wpg_docload.*


  • In addition to the patterns specified with this parameter, the mod_plsql module disallows any procedure name which contains the following special characters:

    • tabs

    • new lines

    • carriage-return

    • single quotation mark

    • reverse slash

    • form feed

    • left parenthesis

    • right parenthesis

    • space

    This cannot be changed.

E.6.2.19 PlsqlFetchBufferSize

Specifies the number of rows of content to fetch from the database for each trip, using either owa_util.get_page or owa_util.get_page_raw.

By default, the mod_plsql module attempts to fetch 200 response lines of output where each line is of 255 bytes. In situations where the response bytes are single-bytes, the response buffer is populated to the maximum and can pack 255*200=51000 bytes for each round trip. For responses containing multi-byte data, the byte packing for each row could be less than ideal resulting in lesser bytes getting transferred for each round trip. If your application generates large pages frequently and the response does not fit in one round trip, then consider setting this parameter higher. The memory usage for the mod_plsql module will increase.

Category Value

Syntax

PlsqlFetchBufferSize number

Example

PlsqlFetchBufferSize 256

Default

200


  • This parameter is changed only for performance reasons. The minimum value for this parameter is 28, but it is seldom reduced.

  • Change this parameter only under the following circumstances:

    • The average response page is large and you want to reduce the number of round-trips the mod_plsql module makes to the database to fetch the response.

    • The character set in use is multi-byte, and you want to compensate for the problem of get_page or get_page_raw fetching fewer bytes for each row. Calculations in the PL/SQL Web ToolKit are character-based and in the case of multi-byte characters, OWA packages assume a worst-case character byte size and do not attempt to pack each row to its maximum.

E.6.2.20 PlsqlInfoLogging

Specifies what mode the mod_plsql module should use to do extra performance logging.

InfoDebug mode: This logs more information to the Apache's error_log. This is used in conjunction with Apache's info logging level. If the Apache's logging level is not at least set to this high, this setting will be ignored.

Category Value

Syntax

PlsqlInfoLogging InfoDebug

Example

PlsqlInfoLogging InfoDebug

Default

Empty


The logging setting is useful for debugging problems in your PL/SQL application.

E.6.2.21 PlsqlMaxRequestsPerSession

Specifies the maximum number of requests a pooled database connection should service before it is closed and re-opened.

Category Value

Syntax

PlsqlMaxRequestsPerSession number

Example

PlsqlMaxRequestsPerSession 500

Default

1000


  • This parameter helps relieve memory and resource problems that may occur due to prolonged session reuse by a PL/SQL application.

  • This parameter should not need to be changed. The default is sufficient in most cases.

  • Setting this parameter to a low number can degrade performance. A case for a lower value might be an infrequently-used DAD whose performance is not a concern, and for which limiting the number of requests provides some benefit.

E.6.2.22 PlsqlNLSLanguage

Specifies the NLS_LANG variable for this DAD. This parameter overrides the NLS_LANG environment variable. When this parameter is set, the PL/SQL Gateway uses the specified NLS_LANG to connect to the database. Once connected, an alter session command is issued to switch to the specified language and territory. If the middle tier character set matches that of the database, then no alter session call is issued by the mod_plsql module.

Category Value

Syntax

PlsqlNLSLanguage string

Example

PlsqlNLSLanguage America_America.UTF8

Default

None


  • Most applications have PlsqlTransferMode set to CHAR which means that the character set in PlsqlNLSLanguage needs to match the character set of the database. In one special case, where the database and the mod_plsql module are both using fixed-size character sets, and the character set width matches, the character set can be different. The response character set is always the mod_plsql module character set.

  • If PlsqlTransferMode is set to RAW, then this parameter can be ignored.

E.6.2.23 PlsqlPathAlias

Specifies a virtual path alias to map to a procedure call. This is application-specific. This directive is used with PlsqlPathAliasProcedure.

Category Value

Syntax

PlsqlPathAlias string

Example

PlsqlPathAlias url

Default

None


For applications that do not use path aliasing, this parameter may be omitted.

E.6.2.24 PlsqlPathAliasProcedure

Specifies the procedure to call when the virtual path in the URL matches the path alias as configured by PlsqlPathAlias.

Category Value

Syntax

PlsqlPathAliasProcedure string

Example

PlsqlPathAliasProcedure portal.wwpth_api_alias.process_download

Default

None


For applications that do not use path aliasing, this parameter may be omitted.

E.6.2.25 PlsqlRequestValidationFunction

Specifies an application-defined PL/SQL function which gives you the opportunity to allow and disallow further processing of the requested procedure. This is useful in implementing tight security for your PL/SQL application by blocking out package and procedure calls that should not be allowed to run from a DAD.

The function defined by this parameter must have the following prototype:

boolean function_name (procedure_name IN varchar2)

The procedure_name parameter will contain the name of the procedure that the request is trying to run.

For example, if all the PL/SQL application procedures callable from a browser are inside the package mypkg, then an implementation of this function can be as follows:

boolean my_validation_check (procedure_name varchar2)
is
begin
  if (upper (procedure_name) like upper ('myschema.mypkg%')) then
    return TRUE
  else
    return FALSE
  end if;
end;
Category Value

Syntax

PlsqlRequestValidationFunction string

Example

PlsqlRequestValidationFunction myschema.mypkg.my_validation_check

Default

none


  • By default, the mod_plsql module already disallows direct URL access to certain schemas and packages. For more information, refer to PlsqlExclusionList.

  • It is highly recommended that you provide an implementation for this function such that it only allows requests that belong to your application, and are callable from a browser.

  • Since this function will be called for every request, be sure to make this function as optimized as possible. Suggested recommendations are:

    • Name your PL/SQL packages in a fashion such that the implementation of this function can be similar to the previous example.

    • If your implementation performs a table lookup to determine what packages and procedures should be allowed, then performance can be improved if you pin the cursor in the shared pool.

E.6.2.26 PlsqlSessionCookieName

Specifies the cookie name when PlsqlAuthenticationMode is set to SingleSignOn. This parameter is supported only for Oracle Fusion Middleware releases, and is used by Oracle Portal and Oracle Single Sign-On.

Category Value

Syntax

PlsqlSessionCookieName cookie_name

Example

PlsqlSessionCookieName mycookie

Default

Same as DAD name


  • For DADs not using SingleSignOn authentication, this parameter can be omitted. In most other cases, the session cookie name should be omitted (and this parameter automatically defaults to the DAD name).

  • A session cookie name must be specified only for Oracle Portal instances that need to participate in a distributed Oracle Portal environment. For those Oracle Portal nodes you want to seamlessly participate as a federated cluster, ensure that the session cookie name for all the participating nodes is the same.

  • Independent Oracle Portal nodes need to use distinct session cookie names.

E.6.2.27 PlsqlSessionStateManagement

Specifies how package and session state should be cleaned up at the end of each the mod_plsql request.

  • StatelessWithResetPackageState causes the mod_plsql module to call dbms_session.reset_package_state at the end of each mod_plsql request. This is the default.

  • StatelessWithPreservePackageState causes the mod_plsql module to call htp.init at the end of each mod_plsql request. This cleans up the state of session variables in the PL/SQL Web ToolKit. The PL/SQL application is responsible for cleaning up its own session state. Failure to do so causes erratic behavior, in which a request starts recognizing or manipulating state modified in previous requests.

  • StatelessWithFastResetPackageState causes the mod_plsql module to call dbms_session.modify_package_state(dbms_session.reinitialize) at the end of each mod_plsql request. This API is faster than the mode of StatelessWithResetPackageState, and avoids some latch contention issues, but exists only in Oracle database releases 8.1.7.2 and later. This mode uses slightly more memory than the default mode.

Category Value

Syntax

PlsqlSessionStateManagement {StatelessWithResetPackageState | StatelessWithFastResetPackageState | StatelessWithPreservePackageState}

Example

PlsqlSessionStateManagement StatelessWithPreservePackageState

Default

StatelessWithResetPackageState


  • The earlier values of stateful=no or stateful=STATELESS_RESET corresponds to StatelessWithResetPackageState.

  • The earlier value of stateful=STATELESS_FAST_RESET corresponds to StatelessWithFastResetPackageState.

  • The earlier value of stateful=STATELESS_PRESERVE corresponds to StatelessWithPreservePackageState.

The mod_plsql module does not support stateful mode of operation. To allow PL/SQL applications stateful behavior, save the state in cookies and/or in the database.

E.6.2.28 PlsqlTransferMode

Specifies the transfer mode for data from the database back to the mod_plsql module. Most applications use the default value of CHAR.

Category Value

Syntax

PlsqlTransferMode {CHAR | RAW}

Example

PlsqlTransferMode CHAR

Default

CHAR


This parameter only needs to be changed to enable sending back responses in different character sets from the same DAD. In such a case, the CHAR mode is useless, since it always converts the response data from the database character set to the mod_plsql character set.

E.6.2.29 PlsqlUploadAsLongRaw

Specifies the file extensions to be uploaded as LONGRAW data type, as opposed to using the default BLOB data type. The default can be overridden by specifying multi-line directives of file extensions for field. A value of asterisk (*) in this field causes all documents to be uploaded as LONGRAW.

Category Value

Syntax

PlsqlUploadAsLongRaw string multiline

Example

PlsqlUploadAsLongRaw jpg

PlsqlUploadAsLongRaw gif

Default

None


For applications that do not upload or download documents, this parameter may be omitted.

E.6.3 cache.conf

The cache.conf file contains the configuration settings for the file system caching functionality implemented in the mod_plsql module. This configuration file is relevant only if PL/SQL applications use the OWA_CACHE package to cache dynamically generated content in the file system.

The following parameters are specified in the cache.conf file:

E.6.3.1 PlsqlCacheCleanupTime

Specifies the time to start the cleanup of the cache storage.

This setting defines the exact day and time in which cleanup should occur. The frequency can be set as daily, weekly, and monthly.

  • To define daily frequency, the keyword Everyday is used. The cleanup starts every day at the time defined. For example, Everyday 2:00 causes the cleanup to happen everyday at 2:00 a.m. (local time).

  • To define weekly frequency, the days of the week, (Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday) are used. For example, Wednesday 15:30 causes the cleanup to happen every Wednesday at 3:30 p.m. (local time).

  • To define monthly frequency, the keyword Everymonth is used. The cleanup starts on the Saturday of the month at the time defined. For example, Saturday Everymonth 23:00 causes the cleanup to happen the first Saturday of every month at 11:00 p.m. (local time).

Category Value

Syntax

PlsqlCacheCleanupTime {Sunday-Saturday | Everyday | Everymonth} {hh:mm}

Example

PlsqlCacheCleanupTime Monday 20:00

Default

Saturday 23:00


E.6.3.2 PlsqlCacheDirectory

Specifies the directory where cache files are written out by the mod_plsql module. This directory must exist or Oracle HTTP Server will not start.

On UNIX, this directory must have write permissions by the owner of the child httpd processes.

Category Value

Syntax

PlsqlCacheDirectory directory

Example

PlsqlCacheDirectory ORACLE_INSTANCE/OHS/component_name

Default

none


E.6.3.3 PlsqlCacheEnable

Enables mod_plsql caching.

Category Value

Syntax

PlsqlCacheEnable {On | Off}

Example

PlsqlCacheEnable On

Default

Off


If an application does not make use of the OWA_CACHE package in the PL/SQL Web Toolkit, then you can choose to disable caching. In such situations, there will be a minor performance benefit.

E.6.3.4 PlsqlCacheMaxAge

Specifies the maximum time, in days, a cache file can reside in a file system cache, after which the cached file will be removed for cache maintenance.

This setting is to ensure that the cache system does not contain old content. This setting removes old cache files and makes space for new ones.

Category Value

Syntax

PlsqlCacheMaxAge number

Example

PlsqlCacheMaxAge 20

Default

30 (days)


E.6.3.5 PlsqlCacheMaxSize

Specifies the maximum possible size of a cache file.

This setting prevents the case in which one file can fill up the entire cache. In general, it is recommended that this be set to about 1-3 percent of the total cache size, which is specified by PlsqlCacheTotalSize.

Category Value

Syntax

PlsqlCacheMaxSize number

Example

PlsqlCacheMaxSize 1048576

Default

1048576


E.6.3.6 PlsqlCacheTotalSize

Specifies the total size of the cache directory. The default is 20 MB.

This setting limits the amount of space the cache is allowed to use. Both PL/SQL cache and Session Cookie cache share this cache space. This setting is not a hard limit. It might exceed the limit temporarily during normal processing. This is normal behavior.

The cleanup algorithm uses this setting to determine how much to reduce the cache files. Therefore, the real space limit is the physical storage's available size.

This parameter takes bytes as values:

  • 1 megabytes = 1048576 bytes

  • 10 megabytes = 10485760 bytes

Category Value

Syntax

PlsqlCacheTotalSize number

Example

PlsqlCacheTotalSize 20971520

Default

20971520 (bytes)


E.7 mod_wl_ohs

mod_wl_ohs accepts the following directives:

Note:

mod_wl_ohs directives are the same as those accepted by mod_wl.

E.7.1 ConnectRetrySecs

Interval in seconds that the plug-in should sleep between attempts to connect to the WebLogic Server host (or all of the servers in a cluster). Make this number less than the ConnectTimeoutSecs. The number of times the plug-in tries to connect before returning an HTTP 503/Service Unavailable response to the client is calculated by dividing ConnectTimeoutSecs by ConnectRetrySecs. To specify no retries, set ConnectRetrySecs equal to ConnectTimeoutSecs. However, the plug-in attempts to connect at least twice.You can customize the error response by using the ErrorPage directive.

Category Value

Syntax

ConnectRetrySecs secs

Example

ConnectRetrySecs 10

Default

2


E.7.2 ConnectTimeoutSecs

Maximum time in seconds that the plug-in should attempt to connect to the WebLogic Server host. Make the value greater than ConnectRetrySecs. If ConnectTimeoutSecs expires without a successful connection, even after the appropriate retries (see ConnectRetrySecs), an HTTP 503/Service Unavailable response is sent to the client. You can customize the error response by using the ErrorPage directive.

Category Value

Syntax

ConnectTimeoutSecs secs

Example

ConnectTimeoutSecs 120

Default

10


E.7.3 Debug

Sets the type of logging performed for debugging operations. The debugging information is written to the /tmp/wlproxy.log file on UNIX systems and c:\TEMP\wlproxy.log on Windows NT/2000 systems.

Override this location and filename by setting the WLLogFile parameter to a different directory and file. (See the WLTempDir parameter for an additional way to change this location.)

Ensure that the tmp or TEMP directory has write permission assigned to the user who is logged in to the server. Set any of the following logging options (HFC,HTW,HFW, and HTC options may be set in combination by entering them separated by commas, for example “HFC,HTW”):

  • ON - The plug-in logs informational and error messages.

  • OFF - No debugging information is logged.

  • HFC - The plug-in logs headers from the client, informational, and error messages.

  • HTW - The plug-in logs headers sent to WebLogic Server, and informational and error messages.

  • HFW - The plug-in logs headers sent from WebLogic Server, and informational and error messages.

  • HTC - The plug-in logs headers sent to the client, informational messages, and error messages.

  • ERR - Prints only the Error messages in the plug-in.

  • ALL - The plug-in logs headers sent to and from the client, headers sent to and from WebLogic Server, information messages, and error messages.

Category Value

Syntax

Debug ON | OFF | HFC | HTW | HFW | HTC | ERR | ALL

Example

Debug HFC,HTW,HTC

Default

OFF


E.7.4 DebugConfigInfo

Enables the special query parameter “__WebLogicBridgeConfig”. Use it to get details about configuration parameters from the plug-in.For example, if you enable “__WebLogicBridgeConfig” by setting DebugConfigInfo and then send a request that includes the query string ?__WebLogicBridgeConfig, then the plug-in gathers the configuration information and run-time statistics and returns the information to the browser. The plug-in does not connect to WebLogic Server in this case. This parameter is strictly for debugging and the format of the output message can change with releases. For security purposes, keep this parameter turned OFF in production systems.

Category Value

Syntax

DebugConfigInfo OFF | ON

Example

DebugConfigInfo ON

Default

OFF


E.7.5 DefaultFileName

Sets the default welcome page of the Web Application in WebLogic Server to which requests are being proxied.

If the URI is “/” then the plug-in performs the following steps:

  1. Trims the path specified with the PathTrim parameter.

  2. Appends the value of DefaultFileName.

  3. Prepends the value specified with PathPrepend.

This procedure prevents redirects from WebLogic Server. For example, If the DefaultFileName is set to welcome.html, an HTTP request like “http://somehost/weblogic” becomes “http://somehost/weblogic/welcome.html”. For this parameter to function, the same file must be specified as a welcome file in all the Web Applications to which requests are directed. For more information, see Configuring Welcome Pages.

Apache users:

If you are using Stronghold or Raven versions, define this parameter inside of a Location block, and not in an IfModule block. Oracle

Category Value

Syntax

DefaultFileName "http://path/to/file"

Example

DefaultFileName “http://somehost/weblogic”

Default

none


E.7.6 DynamicServerList

When set to OFF, the plug-in ignores the dynamic cluster list used for load balancing requests proxied from the plug-in and only uses the static list specified with the WebLogicCluster parameter. Normally this parameter should remain set to ON.

There are some implications for setting this parameter to OFF:

  • If one or more servers in the static list fails, the plug-in could waste time trying to connect to a dead server, resulting in decreased performance.

  • If you add a new server to the cluster, the plug-in cannot proxy requests to the new server unless you redefine this parameter. WebLogic Server automatically adds new servers to the dynamic server list when they become part of the cluster.

Category Value

Syntax

DynamicServerList ON | OFF

Example

DynamicServerList OFF

Default

ON


E.7.7 ErrorPage

Sets the error page that appears whenever your Web server is unable to forward requests to WebLogic Server. You can create your own error page. The plug-in redirects to an error page when the back-end server returns an HTTP 503/Service Unavailable response and there are no servers for failover.

Category Value

Syntax

ErrorPage

Example

ErrorPage

Default

none


E.7.8 FileCaching

Specifies whether or not file caching is enabled. When set to ON, and the size of the POST data in a request is greater than 2048 bytes, the POST data is first read into a temporary file on disk and then forwarded to the WebLogic Server in chunks of 8192 bytes. This preserves the POST data during failover, allowing all necessary data to be repeated to the secondary if the primary goes down.

Note that when FileCaching is ON, any client that tracks the progress of the POST will see that the transfer has completed even though the data is still being transferred between the WebServer and WebLogic. So, if you want the progress bar displayed by a browser during the upload to reflect when the data is actually available on the WebLogic Server, you might not want to have FileCaching ON.

When set to OFF and the size of the POST data in a request is greater than 2048 bytes, the reading of the POST data is postponed until a WebLogic Server cluster member is identified to serve the request. Then the plug-in reads and immediately sends the POST data to the WebLogic Server in chunks of 8192 bytes.

Note that turning FileCaching OFF limits failover. If the WebLogic Server primary server goes down while processing the request, the POST data already sent to the primary cannot be repeated to the secondary.

Finally, regardless of how FileCaching is set, if the size of the POST data is 2048 bytes or less the plug-in will read the data into memory and use it if needed during failover to repeat to the secondary.

Category Value

Syntax

FileCaching ON | OFF

Example

FileCaching OFF

Default

ON


E.7.9 Idempotent

Specifies whether or not plug-ins fail over.

  • When set to ON and if the servers do not respond within WLIOTimeoutSecs, the plug-ins fail over if the method is idempotent.

  • The plug-ins also fail over if Idempotent is set to ON and the servers respond with an error such as READ_ERROR_FROM_SERVER.

  • If set to OFF the plug-ins do not fail over. If you are using the Apache HTTP Server you can set this parameter differently for different URLs or MIME types.

Category Value

Syntax

Idempotent ON | OFF

Example

Idempotent OFF

Default

ON


E.7.10 KeepAliveEnabled

Enables pooling of connections between the plug-in and WebLogic Server.

If you are using Apache prefork mpm, Apache web server might crash. Turn KeepAliveEnabled to OFF when using prefork mpm or use worker mpm in Apache.

Category Value

Syntax

KeepAliveEnabled ON(TRUE) | OFF(FALSE)

Example

KeepAliveEnabled OFF

Default

ON(TRUE)


E.7.11 KeepAliveSecs

Specifies how long to maintain an inactive connection between the plug-in and WebLogic Server. Once the time set here has elapsed, the connection is closed. You must set KeepAliveEnabled to true (ON when using the Apache HTTP Server) for this parameter to be effective.

The value of this parameter must be less than or equal to the value of the Duration field set in the Administration Console on the Server/HTTP tab, or the value set on the server Mbean with the KeepAliveSecs attribute.

Category Value

Syntax

KeepAliveSecs secs

Example

KeepAliveSecs 120

Default

20


E.7.12 MatchExpression

Specifies the filename pattern to use when proxying. This directive is entered inside of an IfModule block. For example, if you wanted to proxy by MIME type, you would use MatchExpression as shown here:

<IfModule weblogic_module>
 MatchExpression *.jsp
 WebLogicHost=myHost|paramName=value
</IfModule>

Or, if you wanted to proxy by path, you would use MatchExpression like this:

<IfModule weblogic_module>
 MatchExpression /weblogic
 WebLogicHost=myHost|paramName=value
</IfModule>

You can define a new parameter for MatchExpression by using the following syntax:

MatchExpression *.jsp PathPrepend=/test PathTrim=/foo
Category Value

Syntax

MatchExpression expression

Example

MatchExpression /weblogic

Default

none


E.7.13 MaxPostSize

Maximum allowable size of POST data, in bytes. If the content-length exceeds MaxPostSize, the plug-in returns an error message. If set to -1, the size of POST data is not checked. This is useful for preventing denial-of-service attacks that attempt to overload the server with POST data.

Category Value

Syntax

MaxPostSize nn

Example

MaxPostSize 64

Default

-1


E.7.14 MaxSkipTime

If a WebLogic Server listed in either the WebLogicCluster parameter or a dynamic cluster list returned from WebLogic Server fails, the failed server is marked as “bad” and the plug-in attempts to connect to the next server in the list.

MaxSkipTime sets the amount of time after which the plug-in will retry the server marked as “bad.” The plug-in attempts to connect to a new server in the list each time a unique request is received (that is, a request without a cookie).

Category Value

Syntax

MaxSkipTime sec

Example

MaxSkipTime 120

Default

10


E.7.15 PathPrepend

Specifies the path that the plug-in prepends to the {PATH} portion of the original URL, after PathTrim is trimmed and before the request is forwarded to WebLogic Server.Note that if you need to append File Name, use DefaultFileName parameter instead of PathPrepend.

Category Value

Syntax

PathPrepend [PROTOCOL]://[HOSTNAME]:{PORT}/{PATH}/{FILENAME};{PATH_PARAMS}/{QUERY_STRING]

Example

PathPrepend http://myHost:1234/myPath/myfile;

Default

null


E.7.16 PathTrim

PathTrim specifies the string trimmed by the plug-in from the {PATH}/{FILENAME} portion of the original URL, before the request is forwarded to WebLogic Server. For example, if the URLhttp://myWeb.server.com/weblogic/foois passed to the plug-in for parsing and if PathTrim has been set to strip off /weblogic before handing the URL to WebLogic Server, the URL forwarded to WebLogic Server is: http://myWeb.server.com:7001/fooNote that if you are newly converting an existing third-party server to proxy requests to WebLogic Server using the plug-in, you will need to change application paths to /foo to include weblogic/foo. You can use PathTrim and PathPrepend in combination to change this path.

Category Value

Syntax

PathTrim [PROTOCOL]://[HOSTNAME]:{PORT}/{PATH}/{FILENAME};{PATH_PARAMS}/{QUERY_STRING}

Example

PathTrim http://myWeb.server.com/weblogic/foo

Default

null


E.7.17 QueryFromRequest

When set to ON, specifies that the Apache HTTP Server use

(request_rec *)r->the_ request

to pass the query string to WebLogic Server. (For more information, see the Apache documentation.) This behavior is useful when a Netscape version 4.x browser makes requests that contain spaces in the query string

When set to OFF, the Apache HTTP Server uses (request_rec *)r->args to pass the query string to WebLogic Server.

Category Value

Syntax

QueryFromRequest ON | OFF

Example

QueryFromRequest ON

Default

OFF


E.7.18 WebLogicCluster

Specifies the list of WebLogic Servers that can be used for load balancing. The server or cluster list is a list of host:port entries. If a mixed set of clusters and single servers is specified, the dynamic list returned for this parameter will return only the clustered servers. This derivative is required to proxy a list of clustered back-end servers or to perform load balancing among non-clustered managed server instances.

If you are using SSL between the plug-in and WebLogic Server, set the port number to the SSL listen port and set the SecureProxy parameter to ON.

The plug-in does a simple round-robin between all available servers. The server list specified in this property is a starting point for the dynamic server list that the server and plug-in maintain. WebLogic Server and the plug-in work together to update the server list automatically with new, failed, and recovered cluster members.

You can disable the use of the dynamic cluster list by setting the DynamicServerList parameter to OFF.

The plug-in directs HTTP requests containing a cookie, URL-encoded session, or a session stored in the POST data to the server in the cluster that originally created the cookie.

Category Value

Syntax

The syntax for specifying the value of this parameter varies depending on the web server for which you are configuring the plug-in, as described in Using Web Server 1.1 Plug-Ins with Oracle WebLogic Server. For more information, see the following:

Example

WebLogicCluster w1s1.com:7001,w1s2.com:7001,w1s3.com:7001

Default

none


E.7.19 WebLogicHost

Specifies the WebLogic Server host (or virtual host name as defined in WebLogic Server) to which HTTP requests should be forwarded. If you are using a WebLogic cluster, use the WebLogicCluster parameter instead of WebLogicHost. This directive is required when proxying to a single WebLogic Server.

Category Value

Syntax

WebLogicHost hostname

Example

WebLogicHost myHost

Default

none


E.7.20 WebLogicPort

Specifies the port at which the WebLogic Server host is listening for connection requests from the plug-in (or from other servers). This directive is required when proxying to a single WebLogic Server.

  • If you are using SSL between the plug-in and WebLogic Server, set this parameter to the SSL listen port and set the SecureProxy parameter to ON.

  • If you are using a WebLogic Cluster, use the WebLogicCluster parameter instead of WebLogicPort.

Category Value

Syntax

WebLogicPort portNo

Example

WebLogicPort 1234

Default

none


E.7.21 WebLogicSSLVersion

Selects the SSL protocol version to use for communication between the plug-in and the WebLogic Server. The following values are accepted:

  • SSLv3 : Uses SSL v3

  • TLSv1 : Uses TLS v1

The SSL protocol version chosen is used for all the connections from the plug-in to WebLogic Server. Hence define this parameter at the global scope.

Category Value

Syntax

WebLogicSSLVersion versionNumber

Example

WebLogicSSLVersion SSLv3

Default

If not configured, the best protocol supported by both the plug-in and WebLogic Server is used.


E.7.22 WLCookieName

Note:

WLCookieName replaces CookieName, which is deprecated.

If you change the name of the WebLogic Server session cookie in the WebLogic Server Web application, you need to change the this parameter in the plug-in to the same value. The name of the WebLogic session cookie is set in the WebLogic-specific deployment descriptor, in the <session-descriptor> element.

Category Value

Syntax

WLCookieName cookieName

Example

WLCookieName

Default

JSESSIONID


E.7.23 WLDNSRefreshInterval

If defined in the proxy configuration, this directive specifies the interval duration, in seconds, at which WebLogic Server refreshes DNS name to IP mapping for a server. This can be used in the event that a WebLogic Server instance is migrated to a different IP address, but the DNS name for that server's IP remains the same. In this case, at the specified refresh interval the bi-directional DNS-to-IP mapping will be updated.

Category Value

Syntax

WLDNSRefreshInterval nn

Example

WLDNSRefreshInterval 10

Default

Lookup once, during startup


E.7.24 WLExcludePathOrMimeType

This parameter allows you exclude certain requests from proxying. This parameter can be defined locally at the Location tag level as well as globally. When the property is defined locally, it does not override the global property but defines a union of the two parameters.

Category Value

Syntax

WLExcludePathOrMimeType value

Example

WLExcludePathOrMimeType

Default

none


E.7.25 WLForwardUriUnparsed

When set to ON, the WLS plug-in will forward the original URI from the client to WebLogic Server. When set to OFF (default), the URI sent to WebLogic Server is subject to modification by mod_rewrite or other web server plug-in modules.

Category Value

Syntax

WLForwardUriUnparsed ON | OFF

Example

WLForwardUriUnparsed ON

Default

OFF


E.7.26 WLIOTimeoutSecs

Note:

WLIOTimeoutSecs is the new name for HungServerRecoverSecs.

Defines the amount of time the plug-in waits for a response to a request from WebLogic Server. The plug-in waits for WLIOTimeoutSecs for the server to respond and then declares that server dead, and fails over to the next server. The value should be set to a very large value. If the value is less than the time the servlets take to process, then you may see unexpected results.

  • Minimum value: 10

  • Maximum value: Unlimited

Category Value

Syntax

WLIOTimeoutSecs nn

Example

WLIOTimeoutSecs 128

Default

300


E.7.27 WLLocalIP

Defines the IP address (on the plug-in's system) to which to bind when the plug-in connects to a WebLogic Server instance running on a multihomed machine.

If WLLocalIP is not set, the TCP/IP stack will choose the source IP address.

Category Value

Syntax

WLLocalIP ipAddress

Example

WLLocalIP 1001.1111.1234.4567

Default

none


E.7.28 WLLogFile

Specifies path and file name for the log file that is generated when the Debug parameter is set to ON. You must create this directory before setting this parameter.

Category Value

Syntax

WLLogFile path/to/file.ext

Example

WLLogFile http://myFolder/mySubfolder/myLogfile.log

Default

 

E.7.29 WLProxyPassThrough

If you have a chained proxy setup, where a proxy plug-in or HttpClusterServlet is running behind some other proxy or load balancer, you must explicitly enable the WLProxyPassThrough parameter. This parameter allows the header to be passed through the chain of proxies.

Category Value

Syntax

WLProxyPassThrough ON | OFF

Example

WLProxyPassThrough ON

Default

OFF


E.7.30 WLProxySSL

Specifies whether or not to maintain SSL communication between the plug-in and WebLogic Server when the following conditions exist:

  • An HTTP client request specifies the HTTPS protocol.

  • The request is passed through one or more proxy servers (including the WebLogic Server proxy plug-ins).

  • The connection between the plug-in and WebLogic Server uses the HTTP protocol.

  • When WLProxySSL is set to ON, the location header returned to the client from WebLogic Server specifies the HTTPS protocol.

Category Value

Syntax

WLProxySSL ON | OFF

Example

WLProxySSL ON

Default

OFF


E.7.31 WLProxySSLPassThrough

If a load balancer or other software deployed in front of the web server and plug-in is the SSL termination point, and that product sets the WL-Proxy-SSL request header to true or false based on whether or not the client connected to it over SSL, set WLProxySSLPassThrough to ON so that the use of SSL is passed on to the Oracle WebLogic Server.

If the SSL termination point is in the web server where the plug-in operates, or the load balancer does not set WL-Proxy-SSL, set WLProxySSLPassThrough to OFF (default).

Category Value

Syntax

WLProxySSLPassThrough ON | OFF

Example

WLProxySSLPassThrough ON

Default

OFF


E.7.32 WLServerInitiatedFailover

Specifies whether or not a 503 error response from Oracle WebLogic Server triggers a failover to another server. Normally, the plug-in will attempt to failover to another server when a 503 error response is received. When WLServerInitiatedFailover is set to OFF, the 503 error response will be returned to the client immediately.

Category Value

Syntax

WLServerInitiatedFailover ON | OFF

Example

WLServerInitiatedFailover OFF

Default

ON


E.7.33 WLSocketTimeoutSecs

Sets the timeout, in seconds, for the socket while connecting. See ConnectTimeoutSecs and ConnectRetrySecs for additional details. This value must be greater than 0

Category Value

Syntax

WLSocketTimeoutSecs nn

Example

WLSocketTimeoutSecs 10

Default

2


E.7.34 WLSRequest

This is an alternative to the SetHandler weblogic-handler mechanism of identifying requests to be forwarded to Oracle WebLogic Server. For example,

<Location /weblogic>
 WLSRequest ON
 PathTrim /weblogic
</Location>

The use of WLSRequest ON instead of SetHandler weblogic-handler has the following advantages:

  • Lower web server processing overhead in general

  • Resolves substantial performance degradation when the web server DocumentRoot is on a slow file system

  • Resolves 403 errors for URIs which cannot be mapped to the file system due to the file system length restrictions

Category Value

Syntax

WLSRequest ON | OFF

Example

WLSRequest ON

Default

OFF


E.7.35 WLTempDir

Specifies:

  • The directory where a wlproxy.log will be created. If the location fails, the Plug-In resorts to creating the log file under C:/temp in Windows and /tmp in all Unix platforms.

  • The location of the _wl_proxy directory for POST data files.

When both WLTempDir and WLLogFile are set, WLLogFile will override as to the location of wlproxy.log. WLTempDir will still determine the location of _wl_proxy directory.

Category Value

Syntax

WLTempDir dirNamee

Example

WLTempDir MyLogDir

Default

See the Debug parameter .