| Oracle® Application Server Release Notes 10g Release 2 (10.1.2) for Microsoft Windows B15501-23 |
|
 Previous |
 Next |
| Oracle® Application Server Release Notes 10g Release 2 (10.1.2) for Microsoft Windows B15501-23 |
|
Previous |
Next |
This chapter describes issues associated with Oracle HTTP Server. It includes the following topics:
This section describes general issues and workarounds. It includes the following topics:
In the Oc4jMount directive, weighted load balancing works only when the destinations are instances or clusters. Weighted load balancing does not work for AJP13 destinations. For AJP13 destinations, the load is distributed evenly in a round-robin manner. For example, if your mod_oc4j.conf file contains the following lines, Host_A and Host_B will get an equal number of requests despite the settings in the Oc4jRoutingWeight directives.
Oc4jSelectMethod roundrobin:weighted Oc4jRoutingWeight Host_A 1 Oc4jRoutingWeight Host_B 25 Oc4jMount /j2ee ajp13://Host_A:<AJP Port>,Host_B:<AJP Port> Oc4jMount /j2ee/* ajp13://Host_A:<AJP Port>,Host_B:<AJP Port> # Instance weighted routing work as expected #Oc4jMount /j2ee instance://Host_A:home,Host_B:home #Oc4jMount /j2ee/* instance://Host_A:home,Host_B:home
A possible workaround to achieve weighted load balancing for AJP13 destinations is to specify the same host multiple times in the Oc4jMount directive. The following example specifies Host_B twice.
Oc4jMount /j2ee ajp13://Host_A:<AJP Port>,Host_B:<AJP Port>,Host_B:<AJP Port>
Oracle does not support using the version of Oracle HTTP Server that is supplied with Oracle9iAS Release 1 (1.0.2.2.x) as a front end to OC4J supplied with Oracle Application Server 10gRelease 2 (10.1.2). You must not use mod_proxy to route data between these two components.
Always use mod_oc4j to route data to and from OC4J supplied with Oracle Application Server 10g (10.1.2). Use mod_proxy to route data between Oracle HTTP Server component supplied with Oracle9iAS Release 1 (1.0.2.2.x) and OC4J supplied with Oracle9iAS Release 1 (1.0.2.2.x).
During operations where mod_oc4j calls mod_osso (such as login and logout), the following error message is printed to the Oracle HTTP server log:
[Mon Jun 27 23:57:07 2005] [error] [client 139.185.173.23] [ecid: 90258476571,1] MOD_OC4J_0376: Request initial processing failed in ac worker with HTTP status code 1. This status will be passed back to the listener for error handling.
This error message is harmless and can be ignored. It will be removed in a future release.
In section C.7 Integrating Generic Apache with Oracle Application Server, the sentence "Generic Apache is Apache version 1.3.xx, and not Apache 2.x" should be "Generic Apache is Apache version 1.3.xx or Apache 2.x".
In section C.7.1, the note "mod_oc4j is supported in Apache versions 1.3.x only. It is not supported in Apache 2.0.x versions" should be disregarded.
This section describes configuration issues and their workarounds. It includes the following topics:
Section 8.2.1, "Redirects Break If OracleAS Web Cache is Turned Off or is Disabled"
Section 8.2.2, "Configuring IIS Listener 6.0 for Single Sign-On"
Section 8.2.3, "Using Oc4jCERTCHAINIndicator to Pass Client Certificate"
By default, Oracle HTTP Server sends redirects to the OracleAS Web Cache listening port. If OracleAS Web Cache is not running or is disabled, then redirects from Oracle HTTP Server (and any OC4J application behind Oracle HTTP Server) will not work. If you are not planning to run OracleAS Web Cache, then edit httpd.conf and ssl.conf, changing the Port directive so that it matches the Listen directive instead of the OracleAS Web Cache listening port.
The following procedure describes how to configure the IIS Listener 6.0 to use OracleAS SSO Plug-in.
Create a new directory, and install the proxy plug-in module. For this procedure, the directory will be named c:\plugin.
Create a text file to be used as the server definition file for the proxy module. In this procedure, the file will be named servers.txt. The file should look similar to the following:
oproxy.serverlist=ias1 oproxy.ias.hostname=myproxy.example.com oproxy.ias1.port=7777 oproxy.ias1.urlrule=/*
From the Start menu, select Run.
In the run dialog box, type regedit, and click OK.
The Registry Editor window opens.
In the Registry Editor window, expand the HKEY_LOCAL_MACHINE folder by clicking the + preceding its name.
Expand the SOFTWARE folder by clicking the + preceding its name.
Click the ORACLE folder.
From the Edit menu, select New, then Key.
A new folder is added under the ORACLE folder with the name New Key #1.
Enter IIS Proxy Adapter for the key name.
Add the following values to the IIS Proxy Adapter:
server_defs c:\plugin\servers.txt
log_file c:\plugin\proxy.log
log_level error_level
In the preceding text, log_file and log_level are optional. The error_level can be set to error, debug, inform, or emerg.
Click OK.
From the Start menu, select Administrative Tools from the Programs menu.
Select Services.
Stop the IIS Admin Service. This will also stop World Wide Web Publishing Service and HTTP SSL service.
From the Administrative Tools menu, select Internet Services Manager.
Expand the name of the machine.
Select Default Web Site, and right-click.
Select Virtual Directory from the New menu.
Set the alias, such as oproxy, and the path, such as c:\plugin.
Check the Execute box.
Right-click Properties.
Select ISAPI Filters.
Select Add to add the filter name, such as oproxy, the executable, such as c:\plugin\oracle_proxy.dll.
Click Apply.
Restart the IIS Server.
|
Note:
|
Make sure the filter is marked with a green upward arrow.
The Oc4jCERTCHAINIndicator directive in the mod_oc4j.conf file is used to pass client certificates to OC4J. The directive is used to indicate the certification chain set in the environment. For example, if the following line is in the mod_oc4j.conf file:
Oc4jCERTCHAINIndicator SSL_CLIENT_CERT_CHAIN
Then the certificate chain can then be defined using the environment variables SSL_CLIENT_CERT_CHAINn, where n is greater than zero. The order of the certificates is as follows:
SSL_CLIENT_CERT_CHAIN0 is the highest order intermediate CA certificate that is certified with the Root CA certificate.
SSL_CLIENT_CERT_CHAINn is the lowest order intermediate CA certificate that certifies the Client certificate.
To use the Oc4jCERTCHAINIndicator directive, the Oc4JExtractSSL directive must be set to On. The following lines show the way the directives must be set:
Oc4jExtractSSL On
Oc4jCertChainIndicator CERT_CHAIN_INDICATOR
The following is an example of the directives:
Oc4jExtractSSL On Oc4jCertChainIndicator SSL_CLIENT_CERT
The section describes documentation errata in installation and upgrade documentation. It includes the following topics:
Section 8.3.1, "Correction to SSLCARevocationFile Directive Description"
Section 8.3.2, "Correction to SSLCARevocationPath Directive Description"
Section 8.3.3, "Incorrect Web Address for mod_php Extensions Information"
Section 8.3.4, "Incorrect Tags Listed for 40-Bit and 56-Bit Export Ciphers"
The description for the SSLCARevocationFile directive in Oracle HTTP Server Administrator's Guide, Chapter 11, "Enabling SSL for Oracle HTTP Server," should be corrected as follows:
Specifies the file where you can assemble the Certificate RevocationLists (CRLs) from CAs (Certificate Authorities) that you accept certificates from. These are used for client authentication. Such a file is the concatenation of various PEM-encoded CRL files in order of preference. CRL files should be from a single issuer. Files specified by SSLCARevocationFile should not be hashed. There should be only one SSLCARevocationFile entry; if there are multiple entries, then the last one will be used. SSLCARevocationFile can be used alternatively and/or additionally to SSLCARevocationPath.
The description for the SSLCARevocationPath directive in Oracle HTTP Server Administrator's Guide, Chapter 11, "Enabling SSL for Oracle HTTP Server," should be corrected as follows:
Specifies the directory where PEM-encoded Certificate Revocation Lists (CRLs) are stored. These CRLs come from the CAs (Certificate Authorities) that you accept certificates from. If a client attempts to authenticate itself with a certificate that is on one of these CRLs, then the certificate is revoked and the client cannot authenticate itself with your server.
CRL files in the SSLCARevocationPath directory must be hashed. You can find the instructions to hash a CRL in Oracle Application Server Administrator's Guide, Section 15.2.5.2.1, "Renaming CRLs with a Hash Value for Certificate Validation." Note that orapki creates a file with a ".rN" extension. SSLCARevocationPath will not work with this extension and it is still possible to access with a revoked certificate. To get it to work with Oracle HTTP Server, change the extension from ".rN" to ".r0".
SSLCARevocationPath can be used alternatively and/or additionally to SSLCARevocationFile.
The Web site provided for additional information on mod_php extensions was incorrect. The correct Web site is
Table 10-1, "SSLCipher Suite Tags", in the Oracle HTTP Server Administrator's Guide listed incorrectly the aliases for the 40-bit and the 56-bit export ciphers.
For 40-bit export cipher, do not use EXP40. Use EXPORT40 instead.
For 56-bit export cipher, do not use EXP56. Use EXPORT56 instead.
