|
Oracle® Application Server Enterprise Deployment Guide
10g Release 2 (10.1.2) for Windows or UNIX Part No. B13998-01 |
|
 Previous |
 Next |
|
Oracle® Application Server Enterprise Deployment Guide
10g Release 2 (10.1.2) for Windows or UNIX Part No. B13998-01 |
|
|
Previous |
Next |
This chapter provides instructions for creating the Data, E-Business and Web Server tiers, distributing the software components into the DMZs shown in the Enterprise Deployment architecture for myJ2EECompany shown in Figure 1-1.
Before you perform the tasks in this chapter, a two-node Real Application Clusters (RAC) database must be installed. In this chapter, the server names for the database hosts are APPDBHOST1 and APPDBHOST2. Ideally, these are separate physical databases from INFRADBHOST1 and INFRADBHOST2. In addition to isolating the security components, separate application databases provide the flexibility needed to maintain and tune application and security parameters separately.
This chapter contains the following topics:
Section 3.1, "Installing and Configuring the Security Infrastructure"
Section 3.2, "Installing and Configuring the Application Tier"
Section 3.3, "Installing and Configuring the Web Tier"
The security infrastructure for myJ2EECompany contains the components depicted in Figure 2-16, "Data Tier Configuration". The Security Infrastructures for myJ2EECompany and myPortalCompany differ in one aspect: the myJ2EECompany architecture does not have an Identity Management tier as part of its Security Infrastructure. The Oracle Application Server Java Authentication and Authorization Service (JAAS) Provider is used instead of Oracle Application Server Single Sign-On, so there is no Identity Management Tier in the myJ2EECompany configuration. The OracleAS JAAS Provider is referred to as the JAZN LDAP User Manager in the Deploy Applications: User Manager screen in the Oracle Enterprise Manager 10g Application Server Control Console.
To install and configure this security infrastructure:
Follow all instructions in Section 2.1, "Installing the Oracle Application Server Metadata Repository for the Security Infrastructure".
Follow all instructions in Section 2.2, "Installing the Oracle Internet Directory Instances in the Data Tier".
Follow all instructions in Section 2.3, "Configuring the Virtual Server to Use the Load Balancing Router".
Follow all instructions in Section 2.4, "Testing the Data Tier Components".
The application tier consists of multiple computers hosting middle tier Oracle Application Server instances, which contain multiple Oracle Application Server Containers for J2EE instances and deployed applications. In the complete configuration, requests are balanced among the OC4J instances on the application tier computers to create a performant, fault tolerant, and secure application environment. Figure 1-1, "Enterprise Deployment Architecture for myJ2EECompany.com", shows the application tier (APPHOST1 and APPHOST2).
Before you begin installing and configuring the OracleAS File-based Farm for myJ2EECompany, you should understand the implications of the default port assignments for Distributed Configuration Management, in the case of environments that require inter-instance communication across a firewall.
The Oracle Universal Installer assigns the ports described inTable 3-1 by default when the instance is installed.
Table 3-1 Oracle Universal Installer Default Port Assignments
| Quantity | Purpose/Description |
|---|---|
| 1 | DCM Discovery Port. The first instance installed on a computer is assigned port 7100 for this; the second instance installed on a computer is assigned 7101, and so on. This is defined in the ORACLE_HOME/dcm/config/dcmCache.xml file, in the discoverer element (for example, <discoverer discovery-port ="7100" original-"true" xmlns=""/>
|
| 50 | Range of ports for inter-instance communication: 7120 to 7179. These are defined in the ORACLE_HOME/dcm/config/dcmCache.xml file, in the port element (for example, <port lower="7120" upper="7179">.)
After installation, you will probably want to limit the number of ports open on the firewall. The actual port needs for inter-instance communication are:
|
If the ports in the range 7100 to 7179 were open on the firewall before installation, the instances in the farm will be able to communicate immediately after installation. Note that:
If you want the port assignments to be of a different numeric range from these, then, before installation, you must assign a DCM Discovery Port using the staticports.ini file, and select the Manual option during installation. (See Section B.3, "Using the Static Ports Feature with Oracle Universal Installer" for more information.) The range of ports will then be assigned accordingly, as specified in Table 3-1.
After installation of all instances, configure the firewall to close the unused ports within the assigned range on each instance.
Follow these steps to install the first Oracle Application Server middle tier on APPHOST1:
Ensure that the system, patch, kernel and other requirements are met as specified in the Oracle Application Server Installation Guide. You can find this guide in the Oracle Application Server platform documentation library for the platform and version you are using.
Copy the staticports.ini file from the Disk1/stage/Response directory to a local directory, such as TMP. You will provide the path to this file during installation.
Edit the staticport.ini file to assign the following custom ports:
Oracle HTTP Server port = 7777 Oracle HTTP Server Listen port = 7778 Web Cache HTTP Listen Port = 7777 Web Cache HTTP Administration Port = 4000 Web Cache HTTP Invalidation Port = 4001 Application Server Control port = 1810
|
Notes: Ensure that these ports are not already in use by any other service on the computer. Using the Static Ports feature to install the the Application Server Tier ensures that the port assignments will be consistent, if the ports are correctly specified in the file and the port is not already in use. If a port is incorrectly specified, the Oracle Universal Installer will assign the default port. If a port is already in use, the Oracle Universal Installer will select the next available port.See Section B.3, "Using the Static Ports Feature with Oracle Universal Installer" for more information. |
Start the Oracle Universal Installer as follows:
On UNIX, issue this command: runInstaller
On Windows, double-click setup.exe
The Welcome screen appears.
Click Next.
On UNIX systems, the Specify Inventory Directory and Credentials screen appears.
Specify the directory you want to be the orainventory directory and the operating system group that has write permission to it.
Click Next.
On UNIX systems, a dialog appears, prompting you to run the orainstRoot.sh script.
Open a window and run the script, following the prompts in the window.
Return to the Oracle Universal Installer screen and click Next.
The Specify File Locations screen appears with default locations for:
The product files for installation (Source)
The name and path to the Oracle home (Destination)
Click Next.
The Select a Product to Install screen appears.
Figure 3-1 Oracle Universal Installer Select a Product to Install Screen
Select Oracle Application Server 10g, as shown in Figure 3-1, and click Next.
The Select Installation Type screen appears.
Select J2EE and Web Cache, as shown in Figure 3-2, and click Next.
The Confirm Pre-Installation Requirements screen appears.
Ensure that the requirements are met and click Next.
The Select Configuration Options screen appears.
Select OracleAS 10g Farm Repository, as shown in Figure 3-3, and click Next.
The Specify Port Configuration Options screen appears.
Select Manual, specify the location of the staticports.ini file, and click Next.
The Select Repository Type screen appears.
Select Create a new OracleAS File-based Farm for this instance, as shown in Figure 3-4, and click Next.
The Specify Instance Name and ias_admin Password screen appears.
Specify an instance name and the OracleAS administrator's password and click Next.
The Summary screen appears.
Click Next.
On UNIX systems, a dialog appears, prompting you to run the root.sh script.
Open a window and run the script, following the prompts in the window.
Return to the Oracle Universal Installer screen and click Next.
The Configuration Assistants screen appears. Multiple configuration assistants are launched in succession; this process can be lengthy. When it completes, the End of Installation screen appears.
Click Exit, and then confirm your choice to exit.
Verify that the installation was successful by viewing the application server instance in Oracle Enterprise Manager 10g. Start a browser and access http://hostname:1810.
Follow these steps to install the second Oracle Application Server middle tier on APPHOST2:
Ensure that the system, patch, kernel and other requirements are met as specified in the Oracle Application Server Installation Guide. You can find this guide in the Oracle Application Server platform documentation library for the platform and version you are using.
Copy the staticports.ini file from the Disk1/stage/Response directory to a local directory, such as TMP. You will provide the path to this file during installation.
Edit the staticport.ini file to assign the following custom ports:
Oracle HTTP Server port = 7777 Oracle HTTP Server Listen port = 7778 Web Cache HTTP Listen Port = 7777 Web Cache HTTP Administration Port = 4000 Web Cache HTTP Invalidation Port = 4001 Application Server Control port = 1810
|
Notes: Ensure that these ports are not already in use by any other service on the computer. Using the Static Ports feature to install the the Application Server Tier ensures that the port assignments will be consistent, if the ports are correctly specified in the file and the port is not already in use. If a port is incorrectly specified, the Oracle Universal Installer will assign the default port. If a port is already in use, the Oracle Universal Installer will select the next available port.See Section B.3, "Using the Static Ports Feature with Oracle Universal Installer" for more information. |
Start the Oracle Universal Installer as follows:
On UNIX, issue this command: runInstaller
On Windows, double-click setup.exe
The Welcome screen appears.
Click Next.
On UNIX systems, the Specify Inventory Directory and Credentials screen appears.
Specify the directory you want to be the orainventory directory and the operating system group that has write permission to it.
Click Next.
On UNIX systems, a dialog appears, prompting you to run the orainstRoot.sh script.
Open a window and run the script, following the prompts in the window.
Return to the Oracle Universal Installer screen and click Next.
The Specify File Locations screen appears with default locations for:
The product files for installation (Source)
The name and path to the Oracle home (Destination)
Click Next.
The Select a Product to Install screen appears.
Figure 3-5 Oracle Universal Installer Select a Product to Install Screen
Select Oracle Application Server 10g, as shown in Figure 3-5, and click Next.
The Select Installation Type screen appears.
Select J2EE and Web Cache, as shown in Figure 3-6, and click Next.
The Confirm Pre-Installation Requirements screen appears.
Ensure that the requirements are met and click Next.
The Select Configuration Options screen appears.
Select OracleAS 10g Farm Repository, as shown in Figure 3-7, and click Next.
The Specify Port Configuration Options screen appears.
Select Manual, specify the location of the staticports.ini file, and click Next.
Select Join an existing OracleAS File-based Farm, as shown in Figure 3-8, and click Next.
The Specify File-based Farm Repository screen appears.
Specify the host name of APPHOST1, and the DCM Discovery Port on which the OracleAS File-based Farm Repository listens, and click Next.
|
Note: The port range 7100-7179 is used for communication between DCM instances. The first installed instance of an OracleAS File-based Farm on a computer has port 7100 assigned as its DCM Discovery Port. A subsequently installed instance will use port 7101, and so on. See Section 3.2.1, "A Note About Port Assignments for the Oracle Application Server File-based Farm" for more information. |
The Specify Instance Name and ias_admin Password screen appears.
Specify an instance name and the OracleAS administrator's password and click Next.
The Summary screen appears.
Click Next.
On UNIX systems, a dialog appears, prompting you to run the root.sh script.
Open a window and run the script, following the prompts in the window.
Return to the Oracle Universal Installer screen and click Next.
The Configuration Assistants screen appears. Multiple configuration assistants are launched in succession; this process can be lengthy. When it completes, the End of Installation screen appears.
Click Exit, and then confirm your choice to exit.
Verify that the installation was successful by viewing the application server instance in Oracle Enterprise Manager 10g. Start a browser and access http://hostname:1810.
Follow the steps in this section on APPHOST1 only to create OC4J instances. The instances you create will be replicated to APPHOST2 when you join the instances to a DCM-Managed OracleAS Cluster, joining APPHOST1 first. The first member of the DCM-Managed OracleAS Cluster provides the base configuration to the entire cluster.
On the Oracle Enterprise Manager 10g Farm page, select the APPHOST1 instance.
The Application Server page for the instance appears.
Click Create OC4J Instance.
The Create OC4J Instance page appears.
Enter the name for the OC4J instance and click Create.
|
Note: Do not use a host name, Oracle home, or an IP address in the OC4J instance name. |
A confirmation screen appears.
Click OK.
The Application Server page appears.
Follow the steps in this section on APPHOST1 only to deploy applications. The applications you deploy will be replicated to APPHOST2 when you join the instances to a DCM-Managed OracleAS Cluster, joining APPHOST1 first. The first member of the DCM-Managed OracleAS Cluster provides the base configuration to the entire cluster.
On the Oracle Enterprise Manager 10g Farm page, select the APPHOST1 instance.
The Application Server page for the instance appears.
Click the link for the OC4J instance for the application deployment.
The page for the OC4J instance appears.
Click the Applications link.
The Applications page for the OC4J instance appears.
Click Deploy EAR File.
The Deploy Application page appears.
Click Browse and navigate to the EAR file you want to deploy.
The J2EE Application field is populated with the path to the EAR file.
Complete the Application Name field and click Continue.
The Deploy Application: URL Mapping for Web Modules screen appears.
Specify the URL mapping for the application and click Next.
The Deploy Application: User Manger screen appears.
Select Use JAZN LDAP User Manager and click Next.
The Deploy Application: Review screen appears, with the name of the EAR file to deploy, the deployment destination instance, and the URL mapping specified. (If you need to change any information, you can click the Back button to navigate to the previous screen).
Click Deploy.
A confirmation screen appears.
Click OK.
The Applications page for the OC4J instance appears with the application in the Deployed Applications table.
Modify the ORACLE_HOME/j2ee/oc4j instance/application-deployments/application name/orion-application.xml file to remove auth-method="SSO" from the <jazn> tag.
|
Note: By default, when an application is deployed using Oracle Enterprise Manager 10g to specify use of the JAZN LDAP User Manager, Application Server Control Console automatically sets the auth-method to "SSO", so you must remove the auth-method="SSO" when OracleAS Single Sign-On is not used for authentication. |
Repeat the steps in this procedure, selecting the APPHOST2 instance in Step 1.
The Oracle Application Server instances on the Application Tier can be treated as one entity by clients and the system administrator if they belong to a DCM-Managed OracleAS Cluster.
The Oracle Application Server Farm (to which all of the application server instances belong, currently as standalone instances) was created during installation. Creating a cluster and its member instances is a two-step process: first, you create the cluster, then, you join instances to it.
Follow these steps on the Application Tier to create a DCM-Managed OracleAS Cluster:
On the Oracle Enterprise Manager 10g Farm page, click Create Cluster.
The Create Cluster page appears.
Enter the cluster name and click Create.
A confirmation screen appears.
Click OK.
The Farm page appears.
Click Start in the clusters section to start the cluster.
Follow these steps on the Application Tier to join the Oracle Application Server instances to the DCM-Managed OracleAS Cluster on APPHOST1:
On the Oracle Enterprise Manager 10g Farm page, select the APPHOST1 instance.
Click Join Cluster.
The Join Cluster page appears.
Select the cluster created in Section 3.2.6.1 and click Join.
A confirmation screen appears.
Click OK.
The Farm page appears.
Start the cluster created in Section 3.2.6.1.
Start the APPHOST2 instance.
Select the APPHOST2 instance.
Click Join Cluster.
The Join Cluster page appears.
Select the cluster created in Section 3.2.6.1 and click Join.
A confirmation screen appears.
Click OK.
The Farm page appears.
Start the APPHOST2 instance.
The Web Tier consists of multiple middle tier Oracle Application Server instances, with only OracleAS Web Cache and Oracle HTTP Server configured. In the complete configuration, the OracleAS Web Cache instances balance incoming requests to the Oracle HTTP Servers, which route the requests to the OC4J instances on the application tier computers.
Follow these steps to install an Oracle Application Server middle tier on WEBHOST1 and WEBHOST2:
Ensure that the system, patch, kernel and other requirements are met as specified in the Oracle Application Server Installation Guide. You can find this guide in the Oracle Application Server platform documentation library for the platform and version you are using.
Copy the staticports.ini file from the Disk1/stage/Response directory to a local directory, such as TMP. You will provide the path to this file during installation.
Edit the staticport.ini file to assign the following custom ports:
Oracle HTTP Server port = 7777 Oracle HTTP Server Listen port = 7778 Web Cache HTTP Listen Port = 7777 Web Cache HTTP Administration Port = 4000 Web Cache HTTP Invalidation Port = 4001 Application Server Control port = 1810
|
Notes: Ensure that these ports are not already in use by any other service on the computer. Using the Static Ports feature to install the the Application Server Tier ensures that the port assignments will be consistent, if the ports are correctly specified in the file and the port is not already in use. If a port is incorrectly specified, the Oracle Universal Installer will assign the default port. If a port is already in use, the Oracle Universal Installer will select the next available port.See Section B.3, "Using the Static Ports Feature with Oracle Universal Installer" for more information. |
Start the Oracle Universal Installer as follows:
On UNIX, issue this command: runInstaller
On Windows, double-click setup.exe
The Welcome screen appears.
Click Next.
On UNIX systems, the Specify Inventory Directory and Credentials screen appears.
Specify the directory you want to be the orainventory directory and the operating system group that has write permission to it.
Click Next.
On UNIX systems, a dialog appears, prompting you to run the orainstRoot.sh script.
Open a window and run the script, following the prompts in the window.
Return to the Oracle Universal Installer screen and click Next.
The Specify File Locations screen appears with default locations for:
The product files for installation (Source)
The name and path to the Oracle home (Destination)
Click Next.
The Select a Product to Install screen appears.
Figure 3-9 Oracle Universal Installer Select a Product to Install Screen
Select Oracle Application Server 10g, as shown in Figure 3-9, and click Next.
The Select Installation Type screen appears.
Select J2EE and Web Cache, as shown in Figure 3-10, and click Next.
The Product-Specific Prerequisite Checks screen appears.
Click Next.
The Confirm Pre-Installation Requirements screen appears.
Ensure that the requirements are met and click Next.
The Select Configuration Options screen appears.
Select OracleAS Web Cache and OracleAS 10g Farm Repository, as shown in Figure 3-11, and click Next.
The Specify Port Configuration Options screen appears.
Select Manual, specify the location of the staticports.ini file, and click Next.
The Select Repository Type screen appears.
Select Join an existing OracleAS File-based Farm, as shown in Figure 3-8, and click Next.
The Specify File-based Farm Repository screen appears.
Specify the host name of APPHOST1, and the DCM Discovery Port on which the OracleAS File-based Farm Repository listens, and click Next.
|
Note: The port range 7100-7179 is used for communication between DCM instances. The first installed instance of an OracleAS File-based Farm on a computer has port 7100 assigned as its DCM Discovery Port. A subsequently installed instance will use port 7101, and so on. See Section 3.2.1, "A Note About Port Assignments for the Oracle Application Server File-based Farm" for more information. |
The Specify Instance Name and ias_admin Password screen appears.
Specify an instance name and the OracleAS administrator's password and click Next.
The Summary screen appears.
Click Next.
On UNIX systems, a dialog appears, prompting you to run the root.sh script.
Open a window and run the script, following the prompts in the window.
Return to the Oracle Universal Installer screen and click Next.
The Configuration Assistants screen appears. Multiple configuration assistants are launched in succession; this process can be lengthy. When it completes, the End of Installation screen appears.
Click Exit, and then confirm your choice to exit.
Verify that the installation was successful by viewing the application server instance in Oracle Enterprise Manager 10g. Start a browser and access http://hostname:1810.
The Load Balancing Router (myapp.mycompany.com, shown in Figure 1-1, "Enterprise Deployment Architecture for myJ2EECompany.com", must be configured to receive client requests and balance them to the two Oracle HTTP Server instances on the Web tier.
This procedure associates incoming requests with the Load Balancing Router hostname and port in the myJ2EECompany configuration shown in Figure 1-1.
Access the Oracle Enterprise Manager 10g Application Server Control Console.
Click the link for the WEBHOST1 installation.
Click the HTTP Server link.
Click the Administration link.
Click Advanced Server Properties.
Open the httpd.conf file.
Perform the following steps:
Add the LoadModule certheaders_module directive for the appropriate platform.
UNIX:
LoadModule certheaders_module libexec/mod_certheaders.so
Windows:
LoadModule certheaders_module modules/ApacheModuleCertHeaders.dll
|
Notes: TheLoadModule LoadModule rewrite_module directive) must appear in the httpd.conf file at a location preceding the VirtualHost directives. The server must load all modules before it can execute the directives in the VirtualHost container.
It is a good idea to create the |
Add the following lines to create a NameVirtualHost directive and a VirtualHost container for myapp.mycompany.com and port 443.
NameVirtualHost *:7778<VirtualHost *:7778>ServerName portal.mycompany.comPort 443ServerAdminyou@your.addressRewriteEngine OnRewriteOptions inheritSimulateHttps On</VirtualHost>
Create a second NameVirtualHost directive and a VirtualHost container for webhost1.mycompany.com and port 7777.
NameVirtualHost *:7778<VirtualHost *:7778>ServerName apphost1.mycompany.comPort 7777ServerAdminyou@your.addressRewriteEngine OnRewriteOptions inherit</VirtualHost>
Save the httpd.conf file, and restart the Oracle HTTP Server when prompted.
Restart the components on APPHOST1 using these commands in WEBHOST1_ORACLE_HOME/opmn/bin:
opmnctl stopall
opmnctl startall
mod_oc4j, an Oracle HTTP Server module, performs the request routing to the OC4J instances over the AJP13 protocol. The routing configuration is specified in the mod_oc4j.conf file. (The mod_oc4j.conf file is referenced by the main server configuration file for Oracle HTTP Server, httpd.conf, with an Include directive.) The mod_oc4j.conf file is located in:
ORACLE_HOME/Apache/Apache/conf/mod_oc4j.conf
For complete descriptions of all directives and their uses, see the Oracle HTTP Server Administrator's Guide.
The default file at installation resembles Example 3-1:
Example 3-1 mod_oc4j.conf File
LoadModule oc4j_module modules/ApacheModuleOc4j.dll<IfModule mod_oc4j.c> <Location /oc4j-service> SetHandler oc4j-service-handler Order deny,allow Deny from all Allow from localhost my-pc.mycompany.com my-pc </Location> Oc4jMount /j2ee/* Oc4jMount /webapp home Oc4jMount /webapp/* home Oc4jMount /cabo home Oc4jMount /cabo/* home Oc4jMount /IsWebCacheWorking home Oc4jMount /IsWebCacheWorking/* home</IfModule>
Follow these steps in APPHOST1 (the configuration will be replicated in APPHOST2, because the instances are clustered):
On the Oracle Enterprise Manager 10g Farm page, select the APPHOST1 instance.
The Application Server page for the instance appears.
Click the link for the OC4J instance to configure.
The page for the OC4J instance appears.
Click Administration.
Click Advanced Properties.
Click the mod_oc4j.conf link.
The Edit mod_oc4j.conf screen appears.
Add an Oc4JConnTimeout directive to specify a timeout value smaller than the timeout value used by the firewall between the Web tier and the Application Tier. For example:
Oc4jConnTimeout 10
Add an Oc4JMount directive to specify the cluster to which requests should be load balanced. For example:
Oc4jMount path cluster: //appcluster:OC4J1,appcluster:OC4J2,appcluster:OC4J3,appcluster:OC4J4...
In the preceding example, path specifies the URI pattern of the request (such as the context root or application directory, that is, /myapp/*), appcluster is the name of the cluster created on the application tier, and OC4J1 through 4 are the OC4J instance names.
The Oracle Application Server Java Authentication and Authorization Service (JAAS) Provider (also referred to as JAZN) LDAP-based provider is used for authentication and authorization to the OC4J applications.
In the myJ2EECompany configuration, this provider is used without Oracle Application Server Single Sign-On, because communication to the data tier is prohibited (Oracle Application Server Single Sign-On requires mod_plsql access to the database). This section explains how to configure the Oracle Application Server instances on the application tier to use the JAZN LDAP provider.
For instructions on how to use Oracle Enterprise Manager 10g to manage the data in this provider, see Chapter 8 in the Oracle Application Server Containers for J2EE Security Guide.
To configure an Oracle Application Server instance to use the JAZN LDAP provider:
Create a file named jazn_config.properties in the $ORACLE_HOME/config directory that contains the following two lines and for which the current user has write permission:
DCMRESYNC=oracle.ias.configtool.configimpl.DcmResync JAZN=oracle.security.jazn.util.JAZNConfigTool
Ensure that the operating system-specific environment variable that controls the loading of dynamic libraries is set. The library path should include $ORACLE_HOME/lib.
Issue the following command for the platform you are using (all on one line). Substitute values for the variables shown in bold. Table 3-2 describes the variables.
Note: for the -classpath parameter, do not type any space characters after the colon (:) and semicolon (;) characters, as indicated by <no spaces>.
On UNIX:
$ORACLE_HOME/jdk/bin/java
-classpath .:$ORACLE_HOME/sso/lib/ossoreg.jar:<no spaces>
$ORACLE_HOME/jlib/ojmisc.jar:<no spaces>
$ORACLE_HOME/jlib/repository.jar:<no spaces>
$ORACLE_HOME/j2ee/home/jazn.jar:$ORACLE_HOME/jdk/lib/dt.jar:<no spaces>
$ORACLE_HOME/jdk/lib/tools.jar:$ORACLE_HOME/jlib/infratool.jar
oracle.ias.configtool.UseInfrastructure e
-f $ORACLE_HOME/config/jazn_config.properties -h OID_HOST -p OID_PORT -u OID_ADMIN_NAME -w OID_PASSWORD
-o ORACLE_HOME -m IAS_INFRA_INSTANCE_NAME
-infra INFRASTRUCTURE_GLOBAL_DB_NAME -mh MIDTIER_HOST
-sslp SSL_PORT -sslf SSL_ONLY_FLAG
On Windows:
%ORACLE_HOME%\jdk\bin\java -classpath .;%ORACLE_HOME%\sso\lib\ossoreg.jar;<no spaces> %ORACLE_HOME%\jlib\ojmisc.jar;<no spaces> %ORACLE_HOME%\jlib\repository.jar;<no spaces> %ORACLE_HOME%\j2ee\home\jazn.jar;<no spaces> %ORACLE_HOME%\jdk\lib\dt.jar;<no spaces> %ORACLE_HOME%\jdk\lib\tools.jar;%ORACLE_HOME%\jlib\infratool.jar oracle.ias.configtool.UseInfrastructure e -f %ORACLE_HOME%\config\jazn_config.properties -h OID_HOST -p OID_PORT -u OID_ADMIN_NAME -w OID_PASSWORD -o ORACLE_HOME -m IAS_INFRA_INSTANCE_NAME -infra INFRASTRUCTURE_GLOBAL_DB_NAME -mh MIDTIER_HOST -sslp SSL_PORT -sslf SSL_ONLY_FLAG
Verify that the command executed successfully by examining the ORACLE_HOME/config/jazn_config.log file.
Edit the ORACLE_HOME/config/ias.properties file to set the OIDhost, OIDport and OIDsslport values.
Verify that the provider was configured successfully using the JAZN administration tool in ORACLE_HOME/j2ee/home. Issue this command:
$ORACLE_HOME/jdk/bin/java -jar jazn.jar -listrealms
|
Note: To enable the debug log for the administration tool, set the java option"-Djazn.debug.log.enable=true"
|
Table 3-2 Variables for the OracleAS JAAS Provider Configuration Command
To use the OracleAS JAAS Provider, you must populate Oracle Internet Directory with certain user entries. The Oracle Application Server Containers for J2EE Security Guide, section titled "Creating Administrative Users and Groups for JAZN/LDAP", provides instructions for loading the entries.
To configure SSL on the connection path between external clients or the load balancer and Oracle HTTP Server, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Enabling SSL".
Depending on security needs, you may configure one or both of the following connection paths for OracleAS Web Cache:
External Clients or Load Balancer to OracleAS Web Cache
OracleAS Web Cache to Oracle HTTP Server
To configure OracleAS Web Cache for SSL, follow the instructions in "Configuring OracleAS Web Cache for HTTPS Requests" in the Oracle Application Server Web Cache Administrator's Guide.
To enable SSL communication between mod_oc4j and the OC4J instances, you must:
Obtain an SSL certificate and place it in a wallet (see the Oracle Application Server Administrator's Guide).
Enable SSL for mod_oc4j
Enable SSL for OC4J
To enable SSL on mod_oc4j, use the Oracle Enterprise Manager 10g Application Server Control Console to edit the ORACLE_HOME/Apache/Apache/conf/mod_oc4j.conf file on WEBHOST1 and WEBHOST2:
On the Oracle Enterprise Manager 10g Farm page, select the WEBHOST1 instance.
Select HTTP Server from the System Components list.
The HTTP Server page appears.
Click the Administration link.
A list of links for configuration options appears.
Click Advanced Server Properties.
The Advanced Server Properties Configuration Files page appears.
Click the mod_oc4j.conf link.
The Edit mod_oc4j.conf screen appears.
Add this directive to enable SSL:
Oc4JEnableSSL On
Add this directive to specify the location of the wallet (specify only the directory, not the file name, of the wallet):
Oc4JSSLWalletFile path to file
Click Apply.
The Confirmation screen appears.
Click Yes to restart the HTTP Server.
The Processing:Restart screen appears, then the Confirmation screen appears with a message that the HTTP Server was restarted.
Click OK.
The Edit mod_oc4j.conf screen appears.
Enable the Auto Login feature in Oracle Wallet Manager to create an obfuscated copy of the wallet. Follow these steps:
Start Oracle Wallet Manager with the command:
(Windows) Select Start > Programs > Oracle-HOME_NAME > Network Administration > Wallet Manager (UNIX) Issue this command: owm.
Choose Wallet from the menu bar.
Check Auto Login. A message at the bottom of the window indicates that auto login is enabled.
To enable SSL for OC4J, specify the following settings in the ORACLE_HOME/j2ee/home/config/default-web-site.xml file, under the <web-site> element:
On the Oracle Enterprise Manager 10g Farm page, select the WEBHOST1 instance.
Select the OC4J instance from the System Components list.
The OC4J instance page appears.
Click the Administration link.
A list of links for configuration options appears.
Click Advanced Server Properties.
The Advanced Server Properties Configuration Files page appears.
Click the mod_oc4j.conf link.
The Edit mod_oc4j.conf screen appears.
Set secure="true" (in the <web-site> element) to direct the AJP protocol to use an SSL socket.
Specify the path and password for the keystore, as shown in the subsequent example.
<web-site ... secure="true" ... > ... <ssl-config keystore="path and file" keystore-password="password" /> </web-site>
|
Note: The<ssl-config> element is required when the secure flag is set to true. The path and file value can indicate either an absolute or relative directory path, and includes the file name. A relative path is relative to the location of the Web site XML file.
|
(Optional) To specify that client authentication is required, set the needs-client-auth flag to true, as shown in the subsequent example.
<web-site ... secure="true" ... > ... <ssl-config keystore="path_and_file" keystore-password="pwd" needs-client-auth="true" /></web-site>
When the needs-client-auth flag is set to true, OC4J accepts or rejects a client entity, such asOracle HTTP Server, for secure communication depending on its identity. The needs-client-auth flag instructs OC4J to request the client certificate chain upon connection. If OC4J recognizes the root certificate of the client, then the client is accepted. The keystore that is specified in the <ssl-config> element must contain the certificates of any clients that are authorized to connect to OC4J through secure AJP and SSL.
Example 3-2 shows a sample configuration of secure AJP communication with client authentication. The settings pertinent to security are shown in bold text.
Example 3-2 Configuration for Secure AJP Communication with Client Authentication in default-web-site.xml File
<web-site display-name="OC4J Web Site" protocol="ajp13" secure="true" > <default-web-app application="default" name="defaultWebApp" root="/j2ee" /> <access-log path="../log/default-web-access.log" /> <ssl-config keystore="../keystore" keystore-password="welcome" needs-client-auth="true" /> </web-site>
