Oracle9i Application Server Release Notes
Release 2 (9.0.3) for AIX-Based Systems, hp HP-UX PA-RISC (64-bit), hp Tru64 UNIX, and Linux x86
Part No. B10227-11

6 Oracle HTTP Server

This chapter discusses issues associated with Oracle HTTP Server. It covers the following topics:

6.1 General Issues and Workarounds

This section covers the following general issues and their workarounds for Oracle HTTP Server:

6.1.1 Manual Configuration to Access mod_osso Protected Pages from Netscape 4.7

You may not be able to access mod_osso protected pages from Netscape 4.7. If you want to access mod_osso protected pages from Netscape 4.7, then the partner application corresponding to mod_osso should be modified from the Oracle9iAS Single Sign-On server configuration console to point to the Oracle9iAS Web Cache port number, which is usually 7777. For details on how to use the Oracle9iAS Single Sign-On console, see the Oracle9iAS Single Sign-On Administrator's Guide.

6.1.2 Enabling mod_oprocmgr

You must have at least one non-https port enabled for Oracle HTTP Server in order to enable mod_oprocmgr.

6.2 Configuration Issues and Workarounds

This section covers the following configuration issues and their workarounds for Oracle HTTP Server:

6.2.1 Securing a Web Site Having OPMN/Oracle HTTP Server Infrastructure

When using OPMN/Oracle HTTP Server infrastructure, you must specify at least one non-SSL port. For a purely secure Web site that accepts only SSL connections, you must provide an extra non-SSL port in httpd.conf that accepts traffic only from localhost. To do so while keeping the Web site secure, add the following lines:

Listen port

<VirtualHost _default_:port>
   SSLEngine Off
   <Location />
      Order deny,allow
      Deny from all
      Allow from localhost
      Allow from <ip1 of a localhost>
      Allow from <ip2 of a localhost>
      Allow from <ip3 of a localhost>
   </Location>
</VirtualHost>

Security is therefore maintained by restricting the non-SSL port so that it accepts traffic only from the local host.
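A check for the restriction described above, as an added example (not part of Oracle's release notes or tooling): it scans httpd.conf text for virtual hosts that set SSLEngine Off and reports any that are not limited to local sources. The sample configuration, the ports 7780 and 7781, and the name audit_non_ssl_vhosts are assumptions made for this illustration.

```python
import re

# Constructed sample: port 7780 is locked down as described, 7781 is left open.
SAMPLE_CONF = """\
<VirtualHost _default_:7780>
   SSLEngine Off
   <Location />
      Order deny,allow
      Deny from all
      Allow from localhost
      Allow from 127.0.0.1
   </Location>
</VirtualHost>
<VirtualHost _default_:7781>
   SSLEngine Off
</VirtualHost>
"""

# Assumption: sources treated as local; add the host's own interface IPs.
LOCAL_SOURCES = frozenset({"localhost", "127.0.0.1"})

def audit_non_ssl_vhosts(conf_text, local_sources=LOCAL_SOURCES):
    """Map each VirtualHost that sets 'SSLEngine Off' to a list of problems."""
    findings = {}
    vhosts = re.findall(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf_text, re.S | re.I)
    for addr, body in vhosts:
        lines = [ln.strip() for ln in body.splitlines()]
        lines = [ln for ln in lines if ln and not ln.startswith("#")]
        has = lambda pat: any(re.fullmatch(pat, ln, re.I) for ln in lines)
        if not has(r"SSLEngine\s+off"):
            continue  # SSL-enabled vhosts are out of scope for this check
        problems = []
        if not has(r"Order\s+deny,allow"):
            problems.append("missing 'Order deny,allow'")
        if not has(r"Deny\s+from\s+all"):
            problems.append("missing 'Deny from all'")
        # Simplification: directives are matched anywhere in the vhost, not only in <Location />.
        allowed = [host.lower() for ln in lines
                   if re.match(r"Allow\s+from\s", ln, re.I)
                   for host in ln.split()[2:]]
        if not allowed:
            problems.append("no 'Allow from' entries")
        problems += [f"non-local source allowed: {h}" for h in allowed if h not in local_sources]
        findings[addr.strip()] = problems
    return findings

if __name__ == "__main__":
    print(audit_non_ssl_vhosts(SAMPLE_CONF))
```

Because Allow from takes a space-separated list of hosts, a host name accidentally split by a space is reported as two non-local sources.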

6.2.2 Receiving Single Sign-On Errors When Accessing Protected Page

When attempting to access a protected resource, you are redirected to the Oracle9iAS Single Sign-On Server. However, you may receive 503 type errors initially. To avoid errors, disable the KeepAlive directive when you are using a server load balancer.

6.2.3 Configuring a Virtual Host Improperly Can Cause DADs to Break

After installation, if you wish to configure Virtual Hosts in the httpd.conf file, either by using the advanced section of the Enterprise Manager Web site or by using a text editor on the httpd.conf file, use the following guidelines:

  1. Ensure that the server definitions for VirtualHosts are provided after the Port, Listen, and ServerName directives. A simple example of a correctly set Virtual Host section might be as follows:

    #
    # these are set at the end of the httpd.conf file after the IAS installation occurs
    #
    Port 7778
    ServerName someServer.mycompany.com
    Listen 7779
    #
    # these lines were added manually to create a virtualHost
    #
    NameVirtualHost 1.2.3.4
    <VirtualHost 1.2.3.4>
       DocumentRoot /u01/app/oracle/product/iAS9020_portal/Vhost1.htdocs
       ServerName Vhost1.mycompany.com
    </VirtualHost>
    
    
  2. Ensure that if you use a regular text editor to make changes to the file, you run the following dcmctl command to update your changes.

    prompt> ORACLE_HOME/dcm/bin/dcmctl updateConfig

    This is automatically done for you if you edit the file through the EMD console.

6.2.4 Using a Full or Partial Host Name in Oc4jMount Syntax in mod_oc4j.conf File

You can use the following Oc4jMount syntax in a mod_oc4j.conf file:

Oc4jMount /path/* instance://[hostname:]ias_instance:oc4j_instance

However, note the following:

  • Be aware that the host name is optional. It is only necessary to specify it when there are some standalone Oracle9iAS instances installed on different hosts that have identical Oracle9iAS instance names, which is rare.

  • When host name is specified, be sure to test with both a partially qualified host name as well as a fully qualified host name to see which one works. The host name that works matches the host name stored in the OC4J registration event.

6.2.5 Oracle HTTP Server (1.0.2.2.x) Cannot Be Used with Oracle9iAS (9.0.2.x and 9.0.3.x)

Oracle Corporation does not support using the Oracle HTTP Server component that is supplied with Oracle9iAS Release 1 (1.0.2.2.x) as a front end to the Containers for J2EE (OC4J) component supplied with Oracle9iAS Release 2 (9.0.2.x and 9.0.3.x). That is, you must not use the mod_proxy module to route data between these two components.

Always use the mod_oc4j module to route data to and from the OC4J component supplied with Oracle9iAS Release 2 (9.0.2.x and 9.0.3.x). Use the mod_proxy module to route data between the HTTP Server component supplied with Oracle9iAS Release 1 (1.0.2.2.x) and the OC4J component supplied with Oracle9iAS Release 1 (1.0.2.2.x).

6.3 Administration Issues and Workarounds

This section covers the following administration issues and their workarounds for Oracle HTTP Server:

6.3.1 Microsoft Internet Explorer Reporting Incorrect Host Header

If an infrastructure Oracle9iAS Single Sign-On Server install and a middle tier install are on the same machine (in different Oracle Homes), Microsoft Internet Explorer reports an incorrect host header after a redirect. This incorrect host header causes mod_osso to generate an error message when trying to access a protected resource after the user has been redirected from the Oracle9iAS Single Sign-On Server back to the original server. If you click Reload in Internet Explorer, the session continues successfully. This issue will not occur if any of the following conditions are true:

  • You do not use Microsoft Internet Explorer.

  • The protected resource and the Oracle9iAS Single Sign-On Server are running behind Oracle HTTP Server instances with different server names or on different hosts. This is the most likely deployment.

  • Oracle9iAS Single Sign-On Server and the protected resource are running behind a single Oracle HTTP Server port.

6.3.2 Microsoft Internet Explorer Reporting Errors

When you install an infrastructure instance of Oracle9iAS and a middle tier on the same machine, Microsoft Internet Explorer might report various errors where an incorrect host header is sometimes passed after redirection. Specifically, if you have already logged on via the Single Sign-On Server to the middle tier instance and then click a link redirecting you to the infrastructure instance, you will receive an OSSO error page. Pressing the Back button allows you to continue to the page you originally wished to reach.

6.3.3 Stop and Start Oracle HTTP Server After Adding an SSL-Enabled Virtual Host

In Oracle9iAS Release 2 (9.0.3), when you add an ssl-enabled virtual host to Oracle HTTP Server, you must stop and then start Oracle HTTP Server for this virtual host to function. Simply restarting Oracle HTTP Server will not enable the virtual host and may cause Oracle HTTP Server to crash, depending on your configuration. Virtual hosts that specify a wallet file but no wallet password will cause Oracle HTTP Server to crash on restart.

6.4 Documentation Errata

This section covers the following known documentation issues for Oracle HTTP Server:

6.4.1 Correction for "Configuring the IIS Listener for Single Sign-On"

Step 6 in the "Configuring the IIS Listener for Single Sign-On" section of the "Using Oracle9iAS Proxy Plug-in" appendix of the Oracle HTTP Server Administrator's Guide incorrectly states the following:

Restart IIS (stop and then start the IIS Server), ensuring that the oproxy filter is marked with a green up-pointing arrow.

It should read:

Restart IIS (stop and then start the IIS Server), ensuring that the osso filter is marked with a green up-pointing arrow.

6.4.2 Login Server File Example Giving Incorrect Syntax

In the "Using Single Sign-on with the Plug-in" section of appendix A of the Oracle HTTP Server Administrator's Guide, the "OSSO Configuration File Examples" incorrectly present the syntax for the LoginServerFile directive with double quotes around the value.

The correct syntax is:

LoginServerFile = /path/config/sso_conf

6.4.3 Missing Note Regarding non-https port

The following note regarding non-https ports is absent from the Oracle HTTP Server Administrator's Guide.


Note:

You must have at least one non-https port enabled for Oracle HTTP Server in order to enable mod_oprocmgr.