Oracle® Application Server Release Notes 10g Release 2 (10.1.2) for HP-UX PA-RISC (64-bit) B25187-09
This chapter describes issues associated with Oracle HTTP Server. It includes the following topics:
This section describes general issues and workarounds. It includes the following topics:
In the Oc4jMount directive, weighted load balancing works only when the destinations are instances or clusters. Weighted load balancing does not work for AJP13 destinations. For AJP13 destinations, the load is distributed evenly in a round-robin manner. For example, if your mod_oc4j.conf file contains the following lines, Host_A and Host_B will get an equal number of requests despite the settings in the Oc4jRoutingWeight directives.
Oc4jSelectMethod roundrobin:weighted
Oc4jRoutingWeight Host_A 1
Oc4jRoutingWeight Host_B 25
Oc4jMount /j2ee ajp13://Host_A:<AJP Port>,Host_B:<AJP Port>
Oc4jMount /j2ee/* ajp13://Host_A:<AJP Port>,Host_B:<AJP Port>
# Instance weighted routing works as expected
#Oc4jMount /j2ee instance://Host_A:home,Host_B:home
#Oc4jMount /j2ee/* instance://Host_A:home,Host_B:home
A possible workaround to achieve weighted load balancing for AJP13 destinations is to specify the same host multiple times in the Oc4jMount directive. The following example specifies Host_B twice.
Oc4jMount /j2ee ajp13://Host_A:<AJP Port>,Host_B:<AJP Port>,Host_B:<AJP Port>
Oracle does not support using the version of Oracle HTTP Server that is supplied with Oracle9iAS Release 1 (1.0.2.2.x) as a front end to OC4J supplied with Oracle Application Server 10g Release 2 (10.1.2). You must not use mod_proxy to route data between these two components.
Always use mod_oc4j to route data to and from OC4J supplied with Oracle Application Server 10g (10.1.2). Use mod_proxy to route data between the Oracle HTTP Server component supplied with Oracle9iAS Release 1 (1.0.2.2.x) and OC4J supplied with Oracle9iAS Release 1 (1.0.2.2.x).
During operations where mod_oc4j calls mod_osso (such as login and logout), the following error message is printed to the Oracle HTTP Server log:
[Mon Jun 27 23:57:07 2005] [error] [client 139.185.173.23] [ecid: 90258476571,1] MOD_OC4J_0376: Request initial processing failed in ac worker with HTTP status code 1. This status will be passed back to the listener for error handling.
This error message is harmless and can be ignored. It will be removed in a future release.
In section C.7 Integrating Generic Apache with Oracle Application Server, the sentence "Generic Apache is Apache version 1.3.xx, and not Apache 2.x" should be "Generic Apache is Apache version 1.3.xx or Apache 2.x".
In section C.7.1, the note "mod_oc4j is supported in Apache versions 1.3.x only. It is not supported in Apache 2.0.x versions" should be disregarded.
This section describes configuration issues and their workarounds. It includes the following topics:
Section 7.2.2, "Oracle HTTP Server Does Not Start After Enabling Port Tunneling or SSL in mod_oc4j"
Section 7.2.3, "Redirects Break If OracleAS Web Cache is Turned Off or is Disabled"
Section 7.2.4, "Using Oc4jCERTCHAINIndicator to Pass Client Certificate"
On most platforms, the path for sockets used by FastCGI is limited to 108 characters. If an error such as the following is encountered, use the FastCgiIpcDir directive to specify a path name that is significantly shorter than 108 characters, such as /tmp:
[Thu Oct 16 12:55:06 2003] [error] [client 148.87.9.44] [ecid: 82608810576,1] FastCGI: failed to connect to (dynamic) server "/opt/oracle/inst/Apache/Apache/fcgi-bin/echo": path "/opt/oracle/inst/Apache/Apache/logs/fastcgi/dymanic/aac1cec5416b961cf002c5526b4159" is too long for a Domain socket
Note: The FastCGI limit of 108 characters is applicable to Apache 2.0 also.
Oracle HTTP Server might not start if you modify its configuration to enable port tunneling (iASPT) or SSL in mod_oc4j. The possible solutions for this issue are as follows:
Recommended solution: if mod_perl is not needed, disable it by commenting out the LoadModule perl_module libexec/libperl.so line in httpd.conf.
If mod_perl is needed, ensure that you are running the latest patch set from Sun, and move the LoadModule line for mod_perl so that it comes after the include of mod_oc4j.conf in httpd.conf.
By default, Oracle HTTP Server sends redirects to the OracleAS Web Cache listening port. If OracleAS Web Cache is not running or is disabled, then redirects from Oracle HTTP Server (and any OC4J application behind Oracle HTTP Server) will not work. If you are not planning to run OracleAS Web Cache, then edit httpd.conf and ssl.conf, changing the Port directive so that it matches the Listen directive instead of the OracleAS Web Cache listening port.
The Oc4jCERTCHAINIndicator directive in the mod_oc4j.conf file is used to pass client certificates to OC4J. The directive is used to indicate the certification chain set in the environment. For example, if the following line is in the mod_oc4j.conf file:
Oc4jCERTCHAINIndicator SSL_CLIENT_CERT_CHAIN
Then the certificate chain can be defined using the environment variables SSL_CLIENT_CERT_CHAINn, where n is greater than zero. The order of the certificates is as follows:
SSL_CLIENT_CERT_CHAIN0 is the highest order intermediate CA certificate that is certified with the Root CA certificate.
SSL_CLIENT_CERT_CHAINn is the lowest order intermediate CA certificate that certifies the Client certificate.
To use the Oc4jCERTCHAINIndicator directive, the Oc4jExtractSSL directive must be set to On. The following lines show the way the directives must be set:
Oc4jExtractSSL On
Oc4jCertChainIndicator CERT_CHAIN_INDICATOR
The following is an example of the directives:
Oc4jExtractSSL On
Oc4jCertChainIndicator SSL_CLIENT_CERT
This section describes documentation errata in installation and upgrade documentation. It includes the following topics:
Section 7.3.1, "Correction to SSLCARevocationFile Directive Description"
Section 7.3.2, "Correction to SSLCARevocationPath Directive Description"
Section 7.3.3, "Incorrect Web Address for mod_php Extensions Information"
Section 7.3.4, "Incorrect Tags Listed for 40-Bit and 56-Bit Export Ciphers"
The description for the SSLCARevocationFile directive in Oracle HTTP Server Administrator's Guide, Chapter 11, "Enabling SSL for Oracle HTTP Server," should be corrected as follows:
Specifies the file where you can assemble the Certificate Revocation Lists (CRLs) from CAs (Certificate Authorities) that you accept certificates from. These are used for client authentication. Such a file is the concatenation of various PEM-encoded CRL files in order of preference. CRL files should be from a single issuer. Files specified by SSLCARevocationFile should not be hashed. There should be only one SSLCARevocationFile entry; if there are multiple entries, then the last one will be used. SSLCARevocationFile can be used alternatively and/or additionally to SSLCARevocationPath.
The description for the SSLCARevocationPath directive in Oracle HTTP Server Administrator's Guide, Chapter 11, "Enabling SSL for Oracle HTTP Server," should be corrected as follows:
Specifies the directory where PEM-encoded Certificate Revocation Lists (CRLs) are stored. These CRLs come from the CAs (Certificate Authorities) that you accept certificates from. If a client attempts to authenticate itself with a certificate that is on one of these CRLs, then the certificate is revoked and the client cannot authenticate itself with your server.
CRL files in the SSLCARevocationPath directory must be hashed. You can find the instructions to hash a CRL in Oracle Application Server Administrator's Guide, Section 15.2.5.2.1, "Renaming CRLs with a Hash Value for Certificate Validation." Note that orapki creates a file with a ".rN" extension. SSLCARevocationPath will not work with this extension, and a client can still gain access with a revoked certificate. To get it to work with Oracle HTTP Server, change the extension from ".rN" to ".r0".
SSLCARevocationPath can be used alternatively and/or additionally to SSLCARevocationFile.
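A check for the failure mode described above, in which a CRL with the wrong extension is skipped and revoked certificates are still accepted. This is an added example, not part of the Oracle release notes. The function names, the eight-hex-digit hash pattern (the OpenSSL hashed-name convention) and the sample file names are assumptions of the example.

```shell
# Added example: audit the file names in an SSLCARevocationPath directory.
# Assumption: a loadable CRL is named <8 lowercase hex digits>.r0.
is_hash() {
    case $1 in
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_crl_dir DIR
# Prints one line per entry and returns 0 if every entry is loadable,
# 1 if at least one CRL would be skipped, 2 if DIR is not a directory.
audit_crl_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "ERROR not a directory: $dir"; return 2; }
    audit_rc=0
    for path in "$dir"/*; do
        [ -e "$path" ] || continue        # empty directory: glob matched nothing
        name=${path##*/}
        stem=${name%%.*}                  # text before the first dot
        ext=${name#"$stem"}               # ".r0", ".rN", ".pem", or empty
        if ! is_hash "$stem"; then
            echo "UNHASHED $name"; audit_rc=1
        elif [ "$ext" = ".r0" ]; then
            echo "OK $name"
        elif [ -e "$dir/$stem.r0" ]; then
            # Renaming would overwrite another CRL with the same hash.
            echo "CONFLICT $name ($stem.r0 already exists)"; audit_rc=1
        else
            echo "RENAME $name -> $stem.r0"; audit_rc=1
        fi
    done
    return $audit_rc
}

# Constructed sample directory; only names are inspected, not CRL contents.
demo=$(mktemp -d)
touch "$demo/1a2b3c4d.r0" "$demo/5e6f7a8b.rN" "$demo/ca-crl.pem"
audit_crl_dir "$demo" || echo "some CRLs would not be loaded"
rm -rf "$demo"
```

A non-zero return means at least one CRL in the directory is not in the form the corrected description requires, so it is worth running after every CRL refresh.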
The Web site provided for additional information on mod_php extensions was incorrect. The correct Web site is
Table 10-1, "SSLCipher Suite Tags", in the Oracle HTTP Server Administrator's Guide incorrectly listed the aliases for the 40-bit and the 56-bit export ciphers.
For 40-bit export cipher, do not use EXP40. Use EXPORT40 instead.
For 56-bit export cipher, do not use EXP56. Use EXPORT56 instead.