5
Oracle HTTP Server

This chapter discusses issues associated with Oracle HTTP Server. It covers the following topics:

• Section 5.1, "General Issues and Workarounds"

• Section 5.2, "Configuration Issues and Workarounds"

• Section 5.3, "Administration Issues and Workarounds"

• Section 5.4, "Documentation Errata"

5.1 General Issues and Workarounds

This section covers the following general issues and their workarounds for Oracle HTTP Server:

• Manual Configuration to Access mod_osso Protected Pages from Netscape 4.7

5.1.1 Manual Configuration to Access mod_osso Protected Pages from Netscape 4.7

You may not be able to access mod_osso protected pages from Netscape 4.7. If you want to access mod_osso protected pages from Netscape 4.7, then the partner application corresponding to mod_osso should be modified from the Oracle9iAS Single Sign-On server configuration console to point to Oracle9iAS Web Cache port number, which is usually 7777. For details on how to use the Oracle9iAS Single Sign-On console, see Oracle9iAS Single Sign-On Administrator's Guide.

5.2 Configuration Issues and Workarounds

This section covers the following configuration issues and their workarounds for Oracle HTTP Server:

• Securing a Web Site Having OPMN/Oracle HTTP Server Infrastructure

• Receiving Single Sign-On Errors When Accessing Protected Page

• Configuring a Virtual Host Improperly Can Cause DADs to Break

• Using a Full or Partial Host Name in Oc4jMount Syntax in mod_oc4j.conf File

5.2.1 Securing a Web Site Having OPMN/Oracle HTTP Server Infrastructure

When using OPMN/Oracle HTTP Server infrastructure, you must specify at least one non_ssl port. For a purely secure Web Site, it only accepts SSL connection. You must provide an extra non_ssl port in httpd.conf. You can do so by adding the following lines to maintain a secure Web Site:

Listen port

<VirtualHost _default_:port>
   SSLEngine Off
   <Location />
      Order deny,allow
      Deny from all
      Allow from localhost
      Allow from <ip1 of a localhost>
      Allow from <ip2 of a localhost>
      Allow from <ip3 of a localhost>
   </Location>
</VirtualHost>

Therefore, security is maintained by restricting the non-ssl port to only accept traffic from the local host.

5.2.2 Receiving Single Sign-On Errors When Accessing Protected Page

When attempting to access a protected resource, you are redirected to the Oracle9iAS Single Sign-On Server. However, you may receive 503 errors initially. To avoid errors, disable the KeepAlive directive when you are using a server load balancer.

5.2.3 Configuring a Virtual Host Improperly Can Cause DADs to Break

After installation, if you wish to configure Virtual Hosts in the httpd.conf file, or by using the advanced section of the EMD console, or by using a text editor on the httpd.conf file, use the following guidelines:

1. Ensure that the server definitions for VirtualHosts are provided after the Port, Listen, and ServerName directives. A simple example of a correctly set Virtual Host section might be as follows:

   #
   # these are set at the end of the httpd.conf file after the IAS installation
   occurs
   #
   Port 7778
   ServerName someServer.mycompany.com
   Listen 7779
   #
   # these lines were added manually to create a virtualHost
   #
   NameVirtualHost 1.2.3.4
   <VirtualHost 1.2.3.4>
       DocumentRoot /u01/app/oracle/product/iAS9020_portal/Vhost1.htdocs
       ServerName Vhost1.mycompany.com
   </VirtualHost>
   
   

2. Ensure that if you use a regular text editor to make changes to the file, you use the following dcmctl utility to update your changes.

   ORACLE_HOME/dcm/bin/dcmctl updateConfig
   
   

   This is automatically done for you if you edit the file through the EMD console.

5.2.4 Using a Full or Partial Host Name in Oc4jMount Syntax in mod_oc4j.conf File

While using the following Oc4jMount syntax in mod_oc4j.conf file:

Oc4jMount /path/* instance://[hostname:]ias_instance:oc4j_instance

• Be aware that the host name is optional. It is only necessary to specify it when there are some standalone Oracle9iAS instances installed on different hosts that have identical Oracle9iAS instance names, which is rare.

• When host name is specified, be sure to test with both a partially qualified host name as well as a fully qualified host name to see which one works. The host name that works matches the host name stored in the OC4J registration event.

5.3 Administration Issues and Workarounds

This section covers the following administration issues and their workarounds for Oracle HTTP Server:

• Microsoft Internet Explorer Reporting Incorrect Host Header

• Microsoft Internet Explorer Reporting Errors

• Stop and Start Oracle HTTP Server After Adding an SSL-Enabled Virtual Host

5.3.1 Microsoft Internet Explorer Reporting Incorrect Host Header

If an infrastructure Oracle9iAS Single Sign-On Server install and a middle tier install are on the same machine (in different Oracle Homes), Microsoft Internet Explorer reports an incorrect host header after a redirect. This incorrect host headed causes mod_osso to generate an error message when trying to access a protected resource after the user has been redirected from the Oracle9iAS Single Sign-On Server back to the original server. If you click Reload in Internet Explorer, the session continues successfully. This issue will not occur if any of the following conditions are true:

• You do not use Microsoft Internet Explorer.

• The protected resource and the Oracle9iAS Single Sign-On Server are running behind Oracle HTTP Server instances with different server names or on different hosts. This is the most likely deployment.

• Oracle9iAS Single Sign-On Server and the protected resource are running behind a single Oracle HTTP Server port.

5.3.2 Microsoft Internet Explorer Reporting Errors

When you install an infrastructure instance of Oracle9iAS and a middle tier on a same machine, Microsoft Internet Explorer might report various errors where an incorrect host header is sometimes passed after redirection. Specifically, if you have already logged on via the Single Sign-On Server to the middle tier instance and then click a link redirecting you to the infrastructure instance, you will receive an OSSO error page. Pressing the Back button allows you to continue to the page you originally wished to reach.

5.3.3 Stop and Start Oracle HTTP Server After Adding an SSL-Enabled Virtual Host

In Oracle9iAS Release 2 (9.0.3), when you add an ssl-enabled virtual host to Oracle HTTP Server, you must stop and then start Oracle HTTP Server for this virtual host to function. Simply restarting Oracle HTTP Server will not enable the virtual host and may cause Oracle HTTP Server to crash, depending on your configuration. Virtual hosts that specify a wallet file but no wallet password will cause Oracle HTTP Server to crash on restart.

5.4 Documentation Errata

This section covers the following known documentation issues for Oracle HTTP Server:

• Correction for "Configuring the IIS Listener for Single Sign-On"

• Login Server File Example Giving Incorrect Syntax

5.4.1 Correction for "Configuring the IIS Listener for Single Sign-On"

Step 6 in the "Configuring the IIS Listener for Single Sign-On" section of the "Using Oracle9iAS Proxy Plug-in" appendix of the Oracle HTTP Server Administration Guide, incorrectly states the following:

Restart IIS (stop and then start the IIS Server), ensuring that the oproxy filter is marked with a green up-pointing arrow.

It should read:

Restart IIS (stop and then start the IIS Server), ensuring that the osso filter is marked with a green up-pointing arrow.

5.4.2 Login Server File Example Giving Incorrect Syntax

In the "Using Single Sign-On with the Plug-in" section of appendix A of the Oracle HTTP Server Administration Guide, the "OSSO Configuration File Examples" incorrectly presents the syntax for the LoginServerFile directive with double quotes around the value.

The correct syntax is:

LoginServerFile = /path/config/sso_conf