Oracle® Beehive Installation Guide Release 1 (1.4) for Microsoft Windows (32-Bit) Part Number E13792-02
This module describes how to configure Oracle Beehive DMZ instances. It involves the following steps:
Note:
If you want to configure your DMZ instances with SSL, follow the directions described in "Configuring SSL with Oracle Beehive DMZ Instances" in "Configuring SSL". These steps involve configuring your entire Oracle Beehive deployment for SSL.
Follow these steps on all DMZ instances. Refer to "Configuring TLS with Oracle Wallet" for more information about Oracle Wallet.
Set the ORACLE_HOME environment variable to the Oracle home of the DMZ instance.
Run the following command to create a wallet:
<Oracle home of DMZ instance>\bin\orapki wallet create -wallet <Oracle home of DMZ instance>\Apache\Apache\conf\ssl.wlt\default -auto_login -pwd <new password for wallet>
Note:
The default Oracle Wallet directory is <Oracle home of DMZ instance>\Apache\Apache\conf\ssl\default. Alternatively, you may create a new Oracle Wallet in a different directory (by changing the value of the -wallet option).
Edit the file <Oracle home of DMZ instance>\beehive\conf\bti.properties and change the value of WalletDir to the wallet directory you specified in the previous step:
WalletDir=<Oracle home of DMZ instance>\\Apache\\Apache\\conf\\ssl.wlt\\default
Note:
Escape colons (:) and backslashes (\) with a backslash. For example, if the location of your wallet is C:\DMZ\Apache\Apache\conf\ssl.wlt\default, then you would specify C\:\\DMZ\\Apache\\Apache\\conf\\ssl.wlt\\default in the bti.properties file.
When using path names from this file for other purposes, such as in a command line, remember to remove the backslash escape character.
Edit the file <Oracle home of DMZ instance>\opmn\conf\opmn.xml and change the value of wallet-file to the wallet directory you specified in Step 2:
<notification-server interface="ipv4">
  <!-- ... -->
  <ssl enabled="true"
       wallet-file="<Oracle home of DMZ instance>\Apache\Apache\conf\ssl.wlt\default"/>
Restart the DMZ instance:
opmnctl stopall
opmnctl startall
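A consistency check for the two wallet settings edited above, as an added example that is not part of the Oracle guide: it applies the bti.properties escaping rule and confirms that WalletDir and the wallet-file attribute in opmn.xml name the same wallet and that SSL is enabled for ONS. The function names and the sample file contents are assumptions constructed for illustration.

```python
import ntpath
import xml.etree.ElementTree as ET

def escape_props_path(path):
    """Plain Windows path -> bti.properties form (escape '\\' first, then ':')."""
    return path.replace("\\", "\\\\").replace(":", "\\:")

def unescape_props_value(value):
    """bti.properties form -> plain path (simplified: '\\x' becomes 'x')."""
    out, chars = [], iter(value)
    for ch in chars:
        out.append(next(chars, "") if ch == "\\" else ch)
    return "".join(out)

def wallet_dir_from_props(props_text):
    """Unescaped WalletDir value, or None when the key is absent."""
    for line in props_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "WalletDir":
            return unescape_props_value(value.strip())

def ssl_from_opmn(opmn_xml):
    """(enabled, wallet-file) of <notification-server>/<ssl>, or None."""
    local = lambda el: el.tag.rsplit("}", 1)[-1]  # ignore any XML namespace
    for ns in ET.fromstring(opmn_xml).iter():
        if local(ns) == "notification-server":
            for child in ns:
                if local(child) == "ssl":
                    return child.get("enabled"), child.get("wallet-file")

def audit(props_text, opmn_xml):
    """List of findings; empty means SSL is on and both files name one wallet."""
    norm = lambda p: ntpath.normcase(ntpath.normpath(p))
    ssl, wallet_dir = ssl_from_opmn(opmn_xml), wallet_dir_from_props(props_text)
    if ssl is None:
        return ["opmn.xml: no <ssl> element under <notification-server>"]
    findings = []
    if ssl[0] != "true":
        findings.append("opmn.xml: ONS notifications are not SSL-protected")
    if wallet_dir is None:
        findings.append("bti.properties: WalletDir is not set")
    elif ssl[1] is None or norm(wallet_dir) != norm(ssl[1]):
        findings.append("WalletDir and wallet-file name different wallets")
    return findings

# Constructed sample files, using the wallet location from the note above.
SAMPLE_PROPS = r"WalletDir=C\:\\DMZ\\Apache\\Apache\\conf\\ssl.wlt\\default"
SAMPLE_OPMN = r'''<opmn><notification-server interface="ipv4"><ssl enabled="true"
  wallet-file="C:\DMZ\Apache\Apache\conf\ssl.wlt\default"/></notification-server></opmn>'''
print(audit(SAMPLE_PROPS, SAMPLE_OPMN) or "wallet settings are consistent")
```

Run it against the real files by passing their contents as text; the comparison is case-insensitive and accepts either slash direction.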
If you have not already done so, configure Oracle Wallet with your Oracle Beehive DMZ instance. Refer to "Step A: Configuring Oracle Wallet with Oracle Beehive DMZ Instances".
If you have configured your Oracle Beehive DMZ instances for SSL, then ignore this step.
By default, Oracle Beehive DMZ instances are configured to receive secure ONS notifications. If you specifically do not want to use SSL, you must configure ONS to receive non-SSL notifications.
To do this, edit the file <Oracle home of DMZ instance>/opmn/conf/opmn.xml as follows in all Oracle Beehive DMZ instances. In the <ssl> element, set the enabled attribute to false:
<ssl enabled="false"
     wallet-file="$ORACLE_HOME/opmn/conf/ssl.wlt/default"/>
Update the file <Oracle home of DMZ instance>\opmn\conf\opmn.xml as follows in all Oracle Beehive DMZ instances to add the topology definition for all Oracle Beehive (non-DMZ) application tiers that are part of this configuration:
<notification-server>
  <!-- ... -->
  <topology>
    <nodes list="
      <Application tier 1 host name>:<OPMN remote port of application tier 1>,
      <Application tier 2 host name>:<OPMN remote port of application tier 2>,
      ...
    "/>
  </topology>
</notification-server>
For example, if you have two Oracle Beehive application tiers with host names example1.com and example2.com and OPMN remote port numbers 6200 and 6300, respectively, add the following topology definition to the opmn.xml file in your DMZ instances:
<notification-server>
  <!-- ... -->
  <topology>
    <nodes list="example1.com:6200,example2.com:6300"/>
  </topology>
</notification-server>
Tip:
Retrieve the OPMN port of an Oracle Beehive application tier from the file <Oracle Beehive home>\opmn\conf\opmn.xml (of a non-DMZ application tier). The OPMN port is specified by the remote attribute of the port element in the notification-server element.
Restart each DMZ instance whose opmn.xml file you changed with the <Oracle home of DMZ instance>\opmn\bin\opmnctl command:
opmnctl stopall
opmnctl startall
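A cross-check of the topology definition against the application tiers, as an added example that is not part of the Oracle guide: it reads the remote port from each non-DMZ opmn.xml, as the Tip describes, and reports node entries that are missing from, or unexpected in, the DMZ instance's nodes list. The function names and the sample file contents (including the local and request port values) are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _local(el):
    return el.tag.rsplit("}", 1)[-1]          # tag name without XML namespace

def _notification_server(xml_text):
    for el in ET.fromstring(xml_text).iter():
        if _local(el) == "notification-server":
            return el
    raise ValueError("no <notification-server> element")

def remote_port(app_tier_opmn_xml):
    """OPMN remote port of a non-DMZ tier: the remote attribute of <port>."""
    for child in _notification_server(app_tier_opmn_xml):
        if _local(child) == "port" and child.get("remote"):
            return int(child.get("remote"))
    raise ValueError("no <port remote=...> under <notification-server>")

def dmz_nodes(dmz_opmn_xml):
    """Set of host:port entries from <topology><nodes list="..."/>."""
    entries = set()
    for el in _notification_server(dmz_opmn_xml).iter():
        if _local(el) == "nodes":
            items = el.get("list", "").split(",")
            entries.update(i.strip().lower() for i in items if i.strip())
    return entries

def check_topology(dmz_opmn_xml, app_tiers):
    """app_tiers maps host name -> opmn.xml text of that application tier.
    Returns (missing, unexpected) node entries in the DMZ topology."""
    expected = {f"{h.lower()}:{remote_port(x)}" for h, x in app_tiers.items()}
    actual = dmz_nodes(dmz_opmn_xml)
    return sorted(expected - actual), sorted(actual - expected)

# Constructed sample files; hosts and remote ports follow the example above.
APP_TIER = ('<opmn><notification-server><port local="6100" remote="{}" '
            'request="6003"/></notification-server></opmn>')
TIERS = {"example1.com": APP_TIER.format(6200), "example2.com": APP_TIER.format(6300)}
DMZ_OPMN = """<opmn><notification-server><topology>
  <nodes list="example1.com:6200, example2.com:6200"/>
</topology></notification-server></opmn>"""

print(check_topology(DMZ_OPMN, TIERS))
```

An entry in the unexpected list means the DMZ instance is configured to exchange ONS notifications with a host and port that no listed application tier advertises.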
From every DMZ instance, retrieve the following values from the specified files:
<Oracle home of DMZ instance>\opmn\conf\opmn.xml:
  opmn_request_port
  opmn_remote_port
<Oracle home of DMZ instance>\beehive\conf\bti.properties:
  bti_server_port
  bti_unique_id (PersistentId)
  NumberOfClientWorkers
Open the following ports in your firewall:
OPMN ports between your DMZ instances and non-DMZ instances
AJP ports between your intranet and your DMZ instances: This is required for connectivity between Oracle HTTP Server (OHS) and OC4J. By default, Oracle Beehive OC4J instances listen on port numbers in the range 12501-12600. Oracle Beehive OC4J instances will try to listen on the lowest port number in this range. Consequently, you only have to open the range of ports 12501-12504. Ensure that no other applications on Oracle Beehive servers occupy this range. As long as these ports are not occupied, Oracle Beehive OC4J instances will listen on this range of ports.
If you have installed Oracle Beehive Integration for Zimbra, open two additional ports (12505-12506).
Notes:
You do not need to open any OPMN ports between your DMZ instances and any Oracle RAC database host(s).
The AJP port number range is defined in the AjpPortMinValue and AjpPortMaxValue parameters in each of Oracle Beehive's managed OC4J components:
beectl list_components --type ManagedOc4j
---------------+---------------------------------------------------
Component type | Component identifier
---------------+---------------------------------------------------
ManagedOc4j    | BEEAPP_site.example.com
---------------+---------------------------------------------------
...
beectl list_properties --component BEEAPP_site.example.com
--------------------------+----------------------------------------
Property name             | Property value
--------------------------+----------------------------------------
AdminPassword             | [Protected Value]
--------------------------+----------------------------------------
AdminUsername             | oc4jadmin
--------------------------+----------------------------------------
AjpPortMaxValue           | 12600
--------------------------+----------------------------------------
AjpPortMinValue           | 12501
--------------------------+----------------------------------------
...
You may open a range of ports other than 12501-12504 (or 12501-12506 if you have installed Oracle Beehive Integration for Zimbra); however, you must make the necessary changes in the Oracle Beehive configuration.
On any Oracle Beehive non-DMZ instance, but not on a DMZ instance, run the following commands:
Add the first DMZ instance to the non-DMZ instance by calling the beectl add_dmz_home_instance command on a non-DMZ instance:
beectl add_dmz_home_instance --hostname <Host name of first DMZ instance> --oracle_home <Oracle home of DMZ instance> --opmn_request_port <OPMN request port of first DMZ instance> --opmn_remote_port <OPMN remote port of first DMZ instance> --bti_server_port <BTI server port of first DMZ instance> --bti_unique_id <BTI unique ID of first DMZ instance> --no_of_client_workers <NumberOfClientWorkers from bti.properties>
After the successful completion of the beectl add_dmz_home_instance command, immediately run the command beectl activate_configuration on the same non-DMZ instance. Do not execute any other beectl commands on any other non-DMZ instance.
Repeat steps a and b for each of your other DMZ instances.
Run the following command on all the other non-DMZ instances:
beectl modify_local_configuration_files --log_level FINEST
If you receive an HTTP 404 error when accessing an HTTP resource from a DMZ instance, verify that you have properly configured your DMZ instances. Do this by running the command <Oracle home>/opmn/bin/opmnctl @cluster status
from any Oracle Beehive instance. If you have properly configured your DMZ instances, then this command will display all your application tiers in your site.