On the Oracle HTTP Server machine, manually configure the SSL ports for internal and external communication. Also, create virtual hosts for internal and external communication.
Caution! EPM_ORACLE_INSTANCE/httpConfig/ohs/config/OHS/ohs_component/ssl.conf is updated each time you perform the Configure Web Server task in EPM System Configurator. If you reconfigure the web server, verify that the internal and external communication ports in this file were not changed by the reconfiguration.
To manually configure web server listen ports:
Using a text editor, open EPM_ORACLE_INSTANCE/httpConfig/ohs/config/OHS/ohs_component/ssl.conf.
Ensure that the SSL ports are listed under OHS Listen port. You should have two entries, similar to the following:
Listen EXTERNAL_SSL_PORT
Listen INTERNAL_SSL_PORT
If you are using 4443 as the port for external communication and 19443 as the port for internal communication, your entries should be as follows:
Listen 4443
Listen 19443
Create two virtual host definitions similar to the following:
Note: Include the directive proxypreservehost ON in the virtual host definitions if you are front-ending EPM System with an SSL offloader.
NameVirtualHost epm.myCompany.com:4443
<VirtualHost epm.myCompany.com:4443>
    ServerName epm.myCompany.com
    <IfModule ossl_module>
        SSLEngine on
        SSLProxyEngine On
        SSLVerifyClient None
        SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
        SSLCRLCheck Off
        SSLWallet "C:\Oracle\middleware\ohs\bin\wallet\epmwallet"
        SSLProxyWallet "C:\Oracle\middleware\ohs\bin\wallet\epmwallet"
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
    </IfModule>
</VirtualHost>

NameVirtualHost epminternal.myCompany.com:19443
<VirtualHost epminternal.myCompany.com:19443>
    ServerName epminternal.myCompany.com
    <IfModule ossl_module>
        SSLEngine on
        SSLProxyEngine On
        SSLVerifyClient None
        SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
        SSLCRLCheck Off
        SSLWallet "C:\Oracle\middleware\ohs\bin\wallet\epminternal"
        SSLProxyWallet "C:\Oracle\middleware\ohs\bin\wallet\epminternal"
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        <Location />
            Options FollowSymLinks
            AllowOverride None
            Order Deny,Allow
            Deny from All
            # Allow from should list all servers that host EPM components
            Allow from myServer1,myServer2
            DirectoryIndex welcome-index.html
        </Location>
    </IfModule>
</VirtualHost>
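The sample SSLCipherSuite lists above include RC4, single-DES, 3DES and MD5-based suites, which are weak by current standards. The following Python check is an added example, not part of the Oracle documentation: it reads ssl.conf-style text, reports the weak suites enabled in each virtual host, and confirms that each virtual host port has a matching Listen entry. The function name audit_ssl_conf, the marker list and the trimmed sample configuration are assumptions constructed for illustration.

```python
import re

# Substrings marking a suite as weak: RC4 (RFC 7465), single DES, 3DES, MD5 MACs.
# This marker list is an assumption of the example, not an Oracle-defined list.
WEAK_MARKERS = ("RC4", "_DES_CBC_", "3DES", "MD5")

# Constructed sample, trimmed from the virtual hosts shown above. Only one
# Listen entry is present, so the internal host is reported as not listening.
SAMPLE_CONF = """\
Listen 4443
NameVirtualHost epm.myCompany.com:4443
<VirtualHost epm.myCompany.com:4443>
  ServerName epm.myCompany.com
  <IfModule ossl_module>
    SSLEngine on
    SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
  </IfModule>
</VirtualHost>
<VirtualHost epminternal.myCompany.com:19443>
  ServerName epminternal.myCompany.com
  SSLCipherSuite TLS_RSA_WITH_AES_256_CBC_SHA
</VirtualHost>
"""

def audit_ssl_conf(text):
    """Return {vhost: {"weak": [suites], "listening": bool}} per VirtualHost."""
    # Ports named by Listen directives, with or without an address prefix.
    listen_ports = set(re.findall(r"(?mi)^\s*Listen\s+(?:\S+:)?(\d+)\s*$", text))
    report = {}
    vhosts = re.finditer(r"(?si)<VirtualHost\s+([^>\s]+)\s*>(.*?)</VirtualHost>", text)
    for match in vhosts:
        name, body = match.group(1), match.group(2)
        suites = []
        for line in re.findall(r"(?mi)^\s*SSLCipherSuite\s+(.+)$", body):
            suites += [s.strip() for s in line.split(",") if s.strip()]
        weak = [s for s in suites if any(m in s.upper() for m in WEAK_MARKERS)]
        port = name.rsplit(":", 1)[-1]
        report[name] = {"weak": weak, "listening": port in listen_ports}
    return report

if __name__ == "__main__":
    for vhost, result in audit_ssl_conf(SAMPLE_CONF).items():
        print(vhost, result)
```

Run it against the real ssl.conf after each Configure Web Server task to confirm that the Listen entries and virtual hosts still agree.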
Instruct Oracle HTTP Server to redirect internal traffic to the virtual host that is designed to handle internal communication. EPM System Configurator updates this file.
To configure redirection from Oracle HTTP Server to WebLogic Server:
Using a text editor, open EPM_ORACLE_INSTANCE/httpConfig/ohs/config/OHS/ohs_component/mod_wl_ohs.conf.
Ensure that the WLSSLWallet directive points to the Oracle Wallet where the certificates for internal and external communication were imported (see Configuring the Web Server). For example, your directive may be as follows:
WLSSLWallet MIDDLEWARE_HOME/ohs/bin/wallets/myWallet
For example, C:/Oracle/Middleware/ohs/bin/wallets/myWallet
Ensure that the value of the SecureProxy directive is set to ON.
SecureProxy ON
Ensure that the LocationMatch definitions for deployed EPM System components are similar to the following Shared Services example, which assumes a WebLogic Server cluster (on myserver1 and myserver2):
<LocationMatch /interop/>
    SetHandler weblogic-handler
    pathTrim /
    WeblogicCluster myServer1:28443,myServer2:28443
    WLProxySSL ON
</LocationMatch>