Skip to Main Content
Return to Navigation

Setting Up Reverse Proxy Servers

 

This section provides an overview and discusses how to:

Understanding Reverse Proxy Servers For PeopleSoft Implementations

PeopleSoft applications support the use of reverse proxy servers (RPS) with WebLogic. When using an RPS, the RPS provides the URL to which the browsers connect, but another web server handles the actual transaction processing. Implementing the use of RPS servers provides an additional protective layer between the content server and the internet.

A reverse proxy is a server that appears to outside clients to be the content server. It relays requests from outside the firewall to servers behind the firewall, and delivers retrieved content back to the client. A firewall rule allows access only to the proxy server, so that the content servers are protected. The proxy server changes URLs listed in the headers of any messages generated by the content servers, so that external clients are given no information about the servers behind the firewall. No configuration of clients is necessary with a reverse proxy (the client makes requests for content in the name-space of the reverse proxy). The reverse proxy decides where to send the requests, and returns the content as if it was the origin server.

Configuring Microsoft IIS as an RPS

This section describes how to proxy content to a single server configuration of PIA. When in production, a multi server configuration would be used to perform these steps to proxy content to your managed server instance of PIA, PIA1, PIA2, and so on.

Microsoft Internet Information Server (IIS) can be configured as a reverse proxy server (RPS) to one or more WebLogic Server instances. Multiple instances can be independent instances or grouped into a cluster. When you use a reverse proxy, any URL that would be used to access your PeopleSoft application (even URLs that are stored in the database) would point to the reverse proxy, and not to the WebLogic Server.

These instructions are based on a logical separation of WebLogic Server and Microsoft IIS, where both web servers are installed on the same machine. If your configuration has WebLogic Server and Microsoft IIS on separate machines, you must perform these additional tasks:

  • From the WebLogic server, copy WL_HOME\server\plugin\win\32\iisproxy.dll or WL_HOME\server\plugin\win\64\iisproxy.dll to c:\inetpub on your Microsoft IIS server.

  • From the WebLogic server, copy WL_HOME\server\plugin\win\32\iisforward.dll or WL_HOME\server\plugin\win\64\iisforward.dll to c:\inetpub on your Microsoft IIS server.

  • In the following procedure, change any reference of WL_HOME\server\plugin\win\32\ or WL_HOME\server\plugin\win\64\ to c:\inetpub.

Note: In these instructions, make the appropriate adjustments for your server's architecture (32–bit or 64–bit).

To set up a Microsoft IIS RPS:

  1. Access your installed Microsoft IIS configuration.

    On a Microsoft Windows server, select Start, Programs, Administrative Tools, Internet Services Manager.

  2. Open the Default Web Site properties

    Expand your list of available servers, right click the Default Web Site and select Properties.

  3. Add an ISAPI filter.

    • Select the ISAPI Filters tab, and click Add to define a new filter.

    • Enter IISFORWARD for the filter name.

    • Enter WL_HOME\server\plugin\win\32\iisforward.dll or WL_HOME\server\plugin\win\64\iisproxy.dll for the executable.

  4. Define a new application extension mapping.

    • Select the Home Directory tab then click Configuration.

    • Click Add on the App Mapping tab to define a new application mapping.

    • Enter WL_HOME\server\plugin\win\32\iisproxy.dll or WL_HOME\server\plugin\win\64\iisproxy.dll for the executable.

    • Enter .wlforward for the extension.

    • For Verbs, enter All Verbs (or at a minimum, GET and POST).

  5. Create the IIS-Plugin configuration file.

    Create WL_HOME\server\plugin\win\32\iisproxy.ini or WL_HOME\server\plugin\win\64\iisproxy.ini, containing the following lines and setting the values appropriately.

    #
    WebLogicHost=<hostname or IP of weblogic server to forward requests to>
    WebLogicPort=<HTTP port of weblogic server to forward requests to>
    DebugConfigInfo=OFF
    Debug=OFF
    #
    #To proxy all IIS directed requests to WebLogic set "WlForwardPath=/"
    #To selectively proxy only PeopleSoft requests to WebLogic set "WlForwardPath="to 
    #the list of PeopleSoft sites to proxy. 
    #e.g. To proxy requests for only 'ps' and 'crm' set WlForwardPath to the following;
    #WlForwardPath=*/ps/*,*/crm/*
    WlForwardPath=/
    #
    #If you have specified an AuthTokenDomain during your PIA installation, 
    #you must set the cookieName for your reverse proxy.
    #WLCookieName=<CookieName as specified on weblogic in PORTAL webapps's weblogic.xml>
    
  6. Restart Microsoft IIS.

    Restart the two Windows services, IIS Admin Service and World Wide Web Publishing Service by using the Services utility in the Control Panel or by issuing the following three commands at a command prompt:

    NET STOP IISADMIN /Y
    NET START IISADMIN
    NET START W3SVC
  7. Start the WebLogic server.

    See Starting WebLogic.

    See Stopping WebLogic.

  8. Test your configuration by accessing the Microsoft IIS server by using the URL for your site.

    For example, http://IIS_server:port/ps/signon.html.

    Note: To connect to Microsoft IIS by using HTTPS, you must install digital certificates on the Microsoft IIS server.

Configuring Microsoft IIS 7.0 as an RPS

This section describes how to proxy content to a single server configuration of PIA. In a production environment, a multi server configuration would be used to perform these steps to proxy content to your managed server instance of PIA, PIA1, PIA2, and so on.

Microsoft Internet Information Server (IIS) can be configured as a reverse proxy server (RPS) for one or more WebLogic Server instances. Multiple instances can either be independent instances, or grouped into a cluster. When using a reverse proxy, all URLs that are used to access your PeopleSoft application (even URLs that are stored in the database), need to point to the reverse proxy, and not to the WebLogic server.

Oracle only supports IIS 7.0 as an RPS on Windows Server 2008 x64 Standard Edition, or Enterprise Edition environments. These instructions are based on a logical separation of WebLogic Server and Microsoft IIS 7.0, where both web servers are installed on the same machine. If your configuration has WebLogic Server and Microsoft IIS on separate machines, you must perform these additional tasks:

  • From the WebLogic server, copy WL_HOME\server\plugin\win\x64\iisproxy.dll to c:\inetpub, or to any other directory where an administrator has appropriate access to it on your Microsoft IIS server.

  • From the WebLogic server, copy WL_HOME\server\plugin\win\x64\iisforward.dll to c:\inetpub, or to any other directory where an administrator has appropriate access to it on your Microsoft IIS server.

  • In the procedures described below, change any reference to: WL_HOME\server\plugin\win\x64\, to c:\inetpub\, or to the other directory where you copied the two files mentioned above.

Note: In these instructions, make the appropriate adjustments for your server's architecture (32–bit or 64–bit).

Configuring the Microsoft IIS 7.0 RPS

To set up a Microsoft IIS 7.0 RPS:

  1. Access your installed Microsoft IIS 7.0 configuration.

    On a Microsoft Windows server, select Start, Programs, Administrative Tools, Internet Information Service (IIS) Manager.

  2. Add a JSP Script Mapping.

    1. After selecting the Default Web Site in the lefthand pane, locate the Handler Mappings icon in the panel to the right. Right click on Handler Mappings and select “Open Feature”.

    2. Right click in the new window and select Add Script Map…

    3. Enter *.jsp as the Request path.

    4. Browse to the iisproxy.dll file mentioned earlier, and add it as the executable. Name it: JSP.

    5. Click on the Request Restrictions… button, and uncheck the box titled Invoke handler only if the request is mapped to.

    6. When finished, click OK.

    7. A warning message will appear, asking you if you want to allow the ISAPI extension. Select Yes to continue.

  3. Add a WLFORWARD Script Mapping.

    1. In the same Handler Mappings panel, right click and again select Add Script Map…

    2. Enter *.wlforward as the Request path

    3. Browse to the same iisproxy.dll file mentioned earlier, and add it as the executable. Name it: WLFORWARD.

    4. Click on the Request Restrictions… button, and uncheck the box titled Invoke handler only if the request is mapped to.

    5. When finished, click OK.

    6. A warning message will appear, asking you if you want to allow the ISAPI extension. Select Yes to continue.

  4. Add an ISAPI filter.

    1. On the Default Web Site, locate the ISAPI Filters icon.

    2. Right click on this icon, and select Open Feature.

    3. Right click in the new window and select Add…

    4. Enter WLFORWARD as the Filter name.

    5. Browse to the iiforward.dll file and add it as the executable.

    6. When finished, click OK.

  5. Provide necessary restrictions to the entire IIS:

    1. Select the root node with your hostname in the lefthand pane.

    2. Locate the ISAPI and CGI Restrictions icon on the right.

    3. Right click on the ISAPI and CGI Restrictions icon and select Open Feature.

    4. Right click and select Edit Feature Settings…

    5. Ensure that both Allow unspecified CGI modules, and Allow unspecified ISAPI modules are checked.

    6. When finished, click OK.

  6. Create an IIS Plugin configuration file:

    Create a WL_HOME\server\plugin\win\x64\iisproxy.ini file which contains the following lines. (The file should be placed in the same directory as the two plug-in DLL files that were mentioned at the top of this document.) Set the values appropriately for your environment.

    #For a list of all available parameters see:
    #http://download.oracle.com/docs/cd/E12840_01/wls/docs103/plugins
    #/plugin_params.html#wp1143049
    
    #
    WebLogicHost=<hostname or IP of the WebLogic server to forward requests to>
    WebLogicPort=<HTTP port of WebLogic server to forward requests to>
    DebugConfigInfo=OFF
    Debug=OFF
    #
    
    #To proxy all IIS directed requests to WebLogic, set "WlForwardPath=/"
    #
    #To selectively proxy only PeopleSoft requests to WebLogic, 
    #set "WlForwardPath=" to the list of PeopleSoft sites to proxy. 
    #e.g. To proxy requests for only the ‘ps’ and ‘crm’ sites, set WlForwardPath 
    #to the following:
    #WlForwardPath=*/ps/*,*/crm/*
    WlForwardPath=/
    #
    #If you have specified an AuthTokenDomain during your PIA installation, 
    #you must set the cookieName for your reverse proxy.
    WLCookieName=<CookieName as specified on WebLogic in PORTAL webapps’s weblogic.xml>
    
  7. Restart Microsoft IIS:

    Restart the two Windows services: IIS Admin Service, and World Wide Web Publishing Service, by using the Services utility in the Control Panel, or by issuing the following three commands at a command prompt:

    NET STOP IISADMIN /Y
    NET START IISADMIN
    NET START W3SVC
    

    Or, restart only the default website by right clicking on Default Web Site, and selecting: Manage Web Site, Restart.

  8. Start the WebLogic server.

  9. Test your configuration by accessing the Microsoft IIS server by using the URL for your site.

    For example, http://IIS_server:port/ps/signon.html.

    Note: To connect to Microsoft IIS by using HTTPS, you must install digital certificates on the Microsoft IIS server.

See http://download.oracle.com/docs/cd/E15523_01/web.1111/e14395/isapi.htm#BGBFJAEJ

http://download.oracle.com/docs/cd/E12840_01/wls/docs103/plugins/plugin_params.html#wp1143049

Configuring WebLogic as an RPS

This section discusses how to configure a WebLogic server as an RPS.

Note: Using WebLogic as a reverse proxy server is not recommended in a production environment.

Creating the RPS

To create an RPS, select Multi Server Domain as the configuration during the PeopleSoft Internet Architecture installation. The multi server domain installation automatically defines a server named "RPS" in addition to the main PIA server. The RPS is configured to be a reverse proxy server to other managed servers.

By default, the following settings are applied to the RPS:

Setting

Value

Name

RPS

HTTP Listen Port

8080

HTTPS Listen Port

8443

Default web application

HttpProxyServlet

Address of back-end WebLogic content server

The hostname of the machine from which the PIA setup was run, with the HTTP listen port specified during the PIA setup.

The default address specified for the back-end WebLogic content server assumes that it's the same machine as the one on which you're configuring the RPS, using the HttpProxyServlet application. There's no need to change this setting unless the content server is a different machine, or you enable load balancing with multiple content servers. If it's a different machine, you must change this setting to specify the correct content server. If you enable load balancing, you'll need to specify additional content servers.

Enabling Load Balancing

In addition to the HttpProxyServlet application, the PIA setup also defines anHttpClusterServlet application in your WebLogic configuration, which by default isn't active. The primary difference between the two applications is that for a given HTTP request, HttpProxyServlet can proxy content only from a single back-end content server, whereas HttpClusterServlet can proxy content from multiple back-end content servers, all of which serve the same content. This enables the RPS to load-balance the requests across a cluster of WebLogic servers.

You can configure the RPS for load balancing by changing the default web application from HttpProxyServlet to HttpClusterServlet, which becomes active as a result.

To change the default web application:

  1. Start the WebLogic server.

  2. Sign in to the Administration Console.

  3. In the Domain Structure tree, click Deployments.

  4. Click HttpProxyServlet, and select the Targets tab.

  5. Clear the RPS Server check box, clickApply, and clickActivate Changes.

  6. In the Domain Structure tree, click Deployments.

  7. Click HttpClusterServlet, and select the Targets tab.

  8. Select the RPS Server check box, and clickApply.

  9. Log out of the Administrative Console.

Specifying Back-End WebLogic Content Servers

You need to specify back-end WebLogic content servers only for the currently designated default web application (HttpProxyServlet or HttpClusterServlet).

To do this, you edit the appropriate web.xml configuration file directly.

Web Application

web.xml file modification

HttpProxyServlet

You need to change the following settings only if the back-end WebLogic content server is on a different machine than the one where you're configuring the RPS.

Edit the web.xml configuration file in PIA_HOME\webserv\weblogic_domain\applications\HttpProxyServlet\WEB-INF

Modify the param-value elements for the WebLogicHost parameter and theWebLogicPort parameter to specify the hostname and HTTP listen port, respectively, of the back-end content server.

HttpClusterServlet

Edit the web.xml configuration file in PIA_HOME\webserv\weblogic_domain\applications\HttpClusterServlet\WEB-INF.

Modify the param-value element for the WebLogicCluster parameter to specify multiple back-end content servers separated by “|” symbols, using the following format:

host1:http_port:https_port|
host2:http_port:https_port

Starting the RPS

To start the RPS, open a command prompt, change to PIA_HOME\webserv\weblogic_domain, and launch the following commands:

  1. Open a command prompt, and change to PIA_HOME\webserv\weblogic_domain.

  2. Start the WebLogic Admin Server.

    startWebLogicAdmin
  3. Start the RPS server.

    startManagedWebLogic RPS

Note: You can also run the RPS as a service on Windows.

Configuring Oracle Sun Java System Web Server as an RPS

This section describes how to proxy content to a single server configuration of PIA. When in production, a multi server configuration would be used to perform these steps to proxy content to your managed server instance of PIA, PIA1, PIA2, and so on.

These instructions assume you have downloaded the Sun Java System Web Server from Oracle.

Installing the WebLogic Plug-In

Configuring the Oracle Sun Java System Web Server as an RPS involves installing a WebLogic plug-in on the Oracle Sun Java System Web Server. The plug-in comes in the form of a set of .DLL files for Windows systems and library files for UNIX systems.

To configure Oracle Sun Java System Web Server as an RPS:

  1. Locate the appropriate WebLogic plug-in files within your WebLogic installation, which are "proxy*.dll" or "proxy*.so" or "proxy*.sl".

    Note: If you are going to run your Sun web server on the same machine as WebLogic, it is recommended that you don't copy the plug-in files to your Sun web server.

    The plug-in files are located in the following location:

    WL_HOME/server/plugin/operating system/architecture

    Where:

    • WL_HOME represents the top level installation directory for your WebLogic server.

    • operating system corresponds to the operating system, such as AIX, Linux, or Windows.

    • architecture corresponds to the bit architecture of your operating system (32-bit, 64-bit).

  2. Copy the appropriate WebLogic plug-in files to your Sun web server installation.

    Copy the plug-in files to:

    Sun_Home\operating system\plugins

    Where:

    • Sun_Home refers to the high-level installation location of your Oracle Sun Java System Web Server.

    • operating system refers to the operating system the Oracle Sun Java System Web Server is installed on.

  3. Define the NSAPI Module.

    This step covers modifying the magnus.conf configuration file to reference the provided NSAPI module. Make sure to make a backup of it prior to modifying it.

    Open the magnus.conf file located in:

    C:\Sun_Home\server\https-machine_name.com\config

    Add the following lines to the bottom of the magnus.conf file. This instructs the Sun web server to load the native library as an NSAPI module. For Sun_Home anddrive, substitute the actual location, including the drive letter of the NSAPI module you copied in at previous steps:

    Init fn="load-modules" funcs="wl-proxy,wl-init"\ shlib=<drive>:/<Sun_Home>
    /plugins/proxy36.dll Init fn="wl-init"

    If you skipped Step 1 because Sun web server and WebLogic are running on the same machine, update your configuration file similar to the following:

    Init fn="load-modules" funcs="wl_proxy,wl_init"\ shlib="<drive>:/WebLogic_home
    /wlserver_10.3/server/bin/proxy36.dll" Init fn="wl_init" 
  4. Define which requests to be handled by the plug-in.

    The type of requests to be handled by the plug-in, and subsequently handed off to WebLogic, must be declared as part of an object definition in the magnus.conf file. A specific string in the URL, referred to as a ppath, can identify these requests.

    To proxy all requests of a single PeopleSoft Internet Architecture site, such as ps (which would be accessed as http://machine_name.com/ps/signon.html), define the following object tag in the magnus.conf file. Define this and any other object tags directly following the default object tag.

    <Object name="ps" ppath="*/ps/*">
    Service fn=wl-proxy WebLogicHost=server1\
     WebLogicPort=7001
    </Object>

    The default object tag is generally several lines long and can be identified by <Object name=default>...</Object>.

    To proxy additional sites, add subsequent object tags referencing the other site names:

    <Object name="hr" ppath="*/hr/*">
    Service fn=wl_proxy WebLogicHost=server1\
     WebLogicPort=7001
    </Object>
    

    To proxy all requests that are made to the Sun web server, create a single object tag named "peoplesoft" and set the ppath parameter to *.

  5. Apply changes to the Sun web server.

    With these settings saved, access the Server Manager, as in http://localhost:8888. When prompted, click the Apply button to update the Sun web server with your changes and restart it.

  6. Make sure the PIA WebLogic Server is running.

  7. Confirm the configuration.

    To confirm the configuration between the WebLogic Server and the Sun web server, access PeopleSoft using the typical URL. For example,

    http://urserver.com/ps/signon.html

    If you are able to logon to PeopleSoft, your proxy plug-in installation and configuration was successful.

Working With the Oracle Sun Java System Web Server RPS Configuration

If you plan to proxy all requests for the PeopleSoft Internet Architecture through the Sun web server, you must also update any URLs that are defined in the PeopleSoft database to reference the proxy server (Sun web server), not the WebLogic server.

URL

Description

Portal

For the PeopleSoft portal, any content URLs that you have defined that directly reference PeopleSoft content (psc, psp) on the WebLogic server (meaning that the WebLogic server is referenced in the URL) must be updated to reference the Sun server in the URL

Integration Gateway

For the PeopleSoft integration gateway, any node definitions that directly reference an integration gateway on the WebLogic server must be updated to reference the Sun server in the URLs.

Report Repository

For the PeopleSoft report repository, any report node definitions that directly reference a report server on the WebLogic server must be updated to reference the Sun server in the URLs.

Miscellaneous

Any of your own definitions or objects that reference the URL of the WebLogic server must be updated to reference the Sun server in the URLs.

The magnus.conf file strictly enforces where text can be added. To avoid problems, follow these guidelines:

  • Eliminate extraneous leading and trailing white space. If you must enter more characters than can be fit on one line, place a backslash (\) at the end of that line and continue typing on the following line. The backslash directly appends the end of the first line to the beginning of the following line.

  • If a space is necessary between the words that end the preceding line and begin the next line, use one space, either at the end of the first line (before the backslash), or at the beginning of the second line.

  • Do not split attributes across multiple lines.

The WebLogic online documentation contains a complete listing of WebLogic plug-in attributes and parameters.

Configuring for Deleting Attachments

If you intend to allow end users to delete attachments, and you are using the Oracle Sun Java System RPS, you need to make sure the access control lists for Oracle Sun Java System RPS are configured correctly.

To configure Oracle Sun Java System RPS for deleting attachments:

  1. Start the Sun Java admin server and login to the administrative console.

  2. Navigate to Configurations, and click the appropriate configuration.

  3. Select Access Control, Access Control Lists, where you'll see the default and es-internal access control lists.

  4. Modify the default access control list.

    • Click default.

    • For Allow anyone and Allow all, click delete rights.

    • Save.

  5. Modify the es-internal access control list.

    • Click es-internal.

    • Click on allow anyone and enable delete rights.

    • Click on deny anyone and disable delete right.

    • Save.

  6. Save and deploy the change so it is reflected in the instances.

Configuring Apache HTTP as an RPS

This section describes how to configure Apache to be a proxy for a single server configuration of PIA running on WebLogic. When in production, a multi server configuration would be used to perform these steps to proxy content to your managed server instance of PIA, PIA1, PIA2, and so on.

To configure Apache HTTP:

  1. Download and install the Apache HTTP server.

    See Apache website.

  2. Install the Apache HTTP server plug-in.

    The installation of the Apache plug-in depends on whether you are installing the plug-in as a dynamic shared object (DSO) or a statically linked module. If you have downloaded the binary distribution of Apache, you will probably install the Apache plug-in from as a shared object. If you are in doubt as to which type, install the plug-in as a DSO. Exact instructions are available in the WebLogic documentation.

  3. Specify the parameters that will be used by the Apache plug-in by defining them in an IfModule tag for WebLogic in the Apache httpd.conf file.

    Add this tag in the ### Section 2: 'Main' server configuration section of httpd.conf. For example, to configure the Apache to proxy all requests that it receives to a WebLogic server that is running on a machine named crm.peoplesoft.com and listening on port 7001, you would define the following tag:

    <IfModule mod_weblogic.c>
    	  WebLogicHost crm.peoplesoft.com
    	  WebLogicPort 7001
    	  MatchExpression /</IfModule>

    To proxy requests to a cluster of WebLogic servers, replace the two attributes, WebLogicHost and WebLogicPort, with WebLogicCluster.

    The syntax of the WebLogicCluster is wlserver1:port,wlserver2:port.

    See The Red Paper posted on My Oracle Support:Clustering and High Availability for PeopleTools

    If you specified an AuthTokenDomain during the PeopleSoft Internet Architecture installation, you must set the WLCookieName for the reverse proxy to that same value. To do so, add the WLCookieName attribute and set its value to CookieName, as specified on the WebLogic server in the PORTAL web application's weblogic.xml file in PIA_HOME\webserv\peoplesoft\applications\peoplesoft\PORTAL.war\WEB-INF\weblogic.xml.

  4. Start the Apache HTTP server following the Apache usage instructions.

  5. Start the WebLogic server.

  6. Confirm the configuration between both the WebLogic server and Apache servers by signing onto the PeopleSoft system by using the typical URL. For example,

    http://Apachehost/ps/signon.html.

    If you can sign in to the PeopleSoft system, your installation and configuration was successful.