This chapter describes the how to prepare your load balancer and firewalls for an enterprise deployment.
This chapter contains the following topics:
Configuring Firewalls and Ports for an Oracle Identity and Access Management Deployment
Configuring the Firewalls and Ports for an Exalogic Enterprise Deployment
This section describes how to configure virtual hosts on the hardware load balancer.
This section contains the following topics:
As shown in the topology diagrams, you must configure the hardware load balancer to recognize and route requests to several virtual servers and associated ports for different types of network traffic and monitoring.
In the context of a load balancing device, a virtual server is a construct that allows multiple physical servers to appear as one for load-balancing purposes. It is typically represented by an IP address and a service, and it is used to distribute incoming client requests to the servers in the server pool.
The virtual servers should be configured to direct traffic to the appropriate host computers and ports for the various services available in the enterprise deployment.
The procedures for configuring a load balancer differ, depending on the specific type of load balancer. Refer to the vendor supplied documentation for actual steps. The following steps outline the general configuration flow:
Create a pool of servers. This pool contains a list of servers and the ports that are included in the load balancing definition. For example, for load balancing between the web hosts you create a pool of servers which would direct requests to the web servers in the topology which accept requests using port 7777 (WEB_HTTP_PORT).
Create rules to determine whether or not a given host and service is available and assign it to the pool of servers described in Step 1.
Create a Virtual Server on the load balancer. This is the address and port that receives requests used by the application. For example, to load balance Web Tier requests you would create a virtual server for login.example.com:80.
If your load balancer supports it, specify whether or not the virtual server is available internally, externally or both. Ensure that internal addresses are only resolvable from inside the network.
Configure SSL Termination, if applicable, for the virtual server.
Assign the Pool of servers created in Step 1 to the virtual server.
Tune the time out settings, including time to detect whether a service is down.
The load balancer must be configured to check that the services in the Load Balancer Pool are available. Failure to do so will result in requests being sent to hosts where the service is not running.
Table 6-1 shows examples of how to determine whether a service is available:
For an Oracle Identity and Access Management deployment on commodity hardware, configure your hardware load balancer as shown in Table 6-2.
Table 6-2 Load Balancer Configuration Details
| Load Balancer Virtual Server | Server Pool | Protocol | SSL Termination | Other Required Configuration/Comments |
|---|---|---|---|---|
|
|
|
HTTPS |
Yes |
Identity Management requires that the following be added to the HTTP header:
|
|
|
|
HTTPS |
Identity Management requires that the following be added to the HTTP header:
|
|
|
|
|
|
No |
|
|
|
|
HTTP |
||
|
|
|
HTTP |
||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
Notes:
Port 80 is the HTTP_PORT from the WorksheetPort 443 is the HTTPS_PORT from the Worksheet
Port 7777 is the OHS_PORT from the Worksheet
Port 9002 is the MSAS_PORT from the Worksheet
Port 1389 is the LDAP_PORT from the Worksheet. The example given is for OUD.
Port 1636 is the LDAP_SSL_PORT from the worksheet. The example given is for OUD.
For an Oracle Identity and Access Management deployment on Exalogic hardware, configure your load balancer as shown in Table 6-3.
Table 6-3 Load Balancer Configuration Details
| Load Balancer Virtual Server | Server PoolFoot 1 | Server Pool (External OHS) | Protocol | SSL Termination | External | Other Required Configuration/Comments |
|---|---|---|---|---|---|---|
|
|
|
|
HTTPS |
Yes |
Yes |
Identity Management requires that the following be added to the HTTP header:
|
|
|
|
|
HTTPS |
Yes |
Yes |
Identity Management requires that the following be added to the HTTP header:
|
|
|
|
|
HTTPS |
No |
Yes |
This entry point passes through SSL rather than terminates it. |
|
|
|
|
HTTP |
No |
No |
|
|
|
|
|
HTTP |
No |
No |
Footnote 1 If you do not want to use an OTD failover group for faster failover detection, substitute WEBHOST1-vhn and webhost2-vhn with the host names corresponding to the client access network. For example: iamhost1ext and iamhost2ext.
Footnote 2 For information about configuring IS_SSL, see "About User Defined WebGate Parameters" in Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.
If you do not want to use an OTD failover group for faster failover detection, substitute WEBHOST1-VHN and WEBHOST2-VHN with the host names corresponding to the client access network. For example: WEBHOST1 and WEBHOST2.
In Exalogic deployments it is assumed that LDAP and inter app calls will be load balanced via OTD.
If you are using an external OHS then the servers will point to the external OHS hosts.
For information about configuring IS_SSL, see "About User Defined WebGate Parameters" in Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.
Note:
Port 80 is the HTTP_PORT from the WorksheetPort 443 is the HTTPS_PORT from the Worksheet
Port 7777 is the OHS_PORT from the Worksheet
Port 9002 is the MSAS_PORT from the Worksheet
Port 1389 is the LDAP_PORT from the Worksheet
Port 1636 is the LDAP_SSL_PORT from the worksheet
Many Oracle Fusion Middleware components and services use ports. As an administrator, you must know the port numbers used by these services, and to ensure that the same port number is not used by two services on a host.
Most port numbers are assigned after installation. You can use different port numbers if you want to. The port numbers shown in Table 6-4 are examples that are used throughout this guide for consistency. If you use different port numbers, you must substitute those values for the values in the table wherever they are used.
Table 6-4 lists the ports used in the Oracle Identity and Access Management topology, including the ports that you must open on the firewalls in the topology.
Firewall notation:
FW0 refers to the outermost firewall.
FW1 refers to the firewall between the web tier and the application tier.
FW2 refers to the firewall between the application tier and the database tier.
Table 6-4 Ports Used in the Oracle Identity and Access Management Enterprise Deployment Topology
| Type | Firewall | Port and Port Range | Protocol / Application | Inbound / Outbound | Timeout |
|---|---|---|---|---|---|
|
Browser request |
FW0 |
80 |
HTTP / Load balancer |
Both |
Timeout depends on all HTML content and the type of process model used for Oracle Identity and Access Management. |
|
Browser request |
FW0 |
443 |
HTTPS / Load balancer |
Both |
Timeout depends on all HTML content and the type of process model used for Oracle Identity and Access Management. |
|
Browser request |
FW1 |
80 |
HTTPS / Load Balancer |
Outbound (for intranet clients) |
Timeout depends on all HTML content and the type of process model used for IAM. |
|
Browser request |
FW1 |
443 |
HTTPS / Load Balancer |
Outbound (for intranet clients) |
Timeout depends on all HTML content and the type of process model used for IAM. |
|
Load balancer to Oracle HTTP Server |
n/a |
7777 |
HTTP |
n/a |
See Section 6.1, "Configuring Virtual Hosts on the Hardware Load Balancer." |
|
OHS registration with Administration Server |
FW1 |
7001 |
HTTP/t3 |
Inbound |
Set the timeout to a short period (5-10 seconds). |
|
Webtier Access to Oracle Weblogic Administration Server (IAMAccessDomain) |
FW1 |
7001 |
HTTP / Oracle HTTP Server and Administration Server |
Inbound |
N/A |
|
Webtier Access to Oracle Weblogic Administration Server (IAMGovernanceDomain) |
FW1 |
7101 |
HTTP / Oracle HTTP Server and Administration Server |
Inbound |
N/A |
|
Enterprise Manager Agent - web tier to Enterprise Manager |
FW1 |
5160 |
HTTP / Enterprise Manager Agent and Enterprise Manager |
Both |
N/A |
|
Oracle HTTP Server to WLS_OAM |
FW1 |
14100 |
HTTP / Oracle HTTP Server to WebLogic Server |
Inbound |
Timeout depends on the |
|
Oracle HTTP Server WLS_OIM |
FW1 |
14000 |
HTTP / Oracle HTTP Server to WebLogic Server |
Inbound |
Timeout depends on the |
|
Oracle HTTP Server WLS_SOA |
FW1 |
8001 |
HTTP / Oracle HTTP Server to WebLogic Server |
Both |
Timeout depends on the |
|
Oracle HTTP Server WLS_MSM |
FW1 |
14180 |
HTTP / Oracle HTTP Server to WebLogic Server |
Both |
Timeout depends on the |
|
Oracle HTTP Server WLS_AMA |
FW1 |
14150 |
HTTP / Oracle HTTP Server to WebLogic Server |
Both |
Timeout depends on the |
|
Oracle HTTP Server WLS_BI |
FW1 |
9704 |
HTTP / Oracle HTTP Server to WebLogic Server |
Both |
Timeout depends on the |
|
Oracle HTTP Server management by Administration Server |
FW1 |
OPMN remote port (6701) and OHS Administration Port (7779) |
TCP and HTTP, respectively |
Outbound |
Set the timeout to a short period, such as 5-10 seconds. |
|
Access Manager Server |
FW1 |
5575 |
OAP |
Both |
N/A |
|
Access Manager Coherence port |
FW1 |
9095 |
TCMP |
Both |
N/A |
|
Oracle Coherence Port |
FW1 |
8000 - 8088 |
TCMP |
Both |
N/A |
|
Application Tier to Database Listener |
FW2 |
1521 |
SQL*Net |
Both |
Timeout depends on all database content and on the type of process model used for Oracle Identity and Access Management. |
|
Oracle Notification Server (ONS) |
FW2 |
6200 |
ONS |
Both |
Required for Gridlink. An ONS server runs on each database server. |
|
OUD Port |
FW2 |
1389 |
LDAP |
Inbound |
Ideally, these connections should be configured not to time out. |
|
OUD SSL Port |
FW2 |
14636 |
LDAPS |
Inbound |
Ideally, these connections should be configured not to time out. |
|
Load Balancer LDAP Port |
FW2 |
386 |
LDAP |
Inbound |
Ideally, these connections should be configured not to time out. |
|
Load Balancer LDAP SSL Port |
FW2 |
636 |
LDAPS |
Inbound |
Ideally, these connections should be configured not to time out. |
|
Node Manager |
N/A |
5556 |
TCP/IP |
N/A |
N/A |
|
Oracle Unified Directory Replication |
N/A |
8989 |
TCP/IP |
N/A |
N/A |
Note:
Additional ports might need to be opened across the firewalls to enable applications in external domains, such as SOA or WebCenter Portal domains, to authenticate against this Identity and Access Management domain.Many Oracle Fusion Middleware components and services use ports. As an administrator, you must know the port numbers used by these services and ensure that the same port number is not used by two services on a host.
Most port numbers are assigned during installation.
Table 6-5 lists the ports used in the Oracle Identity and Access Management topology, including the ports that you must open on the firewalls in the topology.
Note:
In Table 6-5:FW0 refers to the outermost firewall
FW1 refers to the firewall between the web tier and the application tier
FW2 refers to the firewall between the application tier and the data tier
On Exalogic systems:
FW1 is in between the load balancer and the Exadata Machine, unless an External OHS is used
FW2 will be present only if your database does not reside on Exadata
Table 6-5 Ports Used in the Exalogic Reference Topology
| Type | Firewall | Port and Port Range | Protocol / Application | Inbound / Outbound | Other Considerations and Timeout Guidelines |
|---|---|---|---|---|---|
|
Browser request |
FW0 |
80 |
HTTP / Load Balancer |
Inbound |
Timeout depends on all HTML content and the process models used for the Oracle Fusion Middleware products you are using in the Exalogic environment. |
|
Browser request |
FW0 |
443 |
HTTPS / Load Balancer |
Inbound |
Timeout depends on all HTML content and the process models used for the Oracle Fusion Middleware products you are using in the Exalogic environment. |
|
Load balancer to Oracle Traffic Director |
FW0 |
7777 |
HTTP |
n/a |
Timeout depends on all HTML content and the process models used for the Oracle Fusion Middleware products you are using in the Exalogic environment. |
|
Load Balancer to MSAS Proxy |
FW0 |
9002 |
HTTP |
n/a |
Timeout depends on all HTML content and the process models used for the Oracle Fusion Middleware products you are using in the Exalogic environment. |
|
IAMAccess Domain Administration Console access |
FW1 |
7001 |
HTTP / Administration Server and Enterprise Manager |
Both |
You should tune this timeout based on the type of access to the Administration console (whether it is planned to use the Oracle WebLogic Server Administration Console from application tier clients or clients external to the application tier). |
|
IAMGovernance Domain Administration Console access |
FW1 |
7101 |
HTTP / Administration Server and Enterprise Manager |
Both |
You should tune this timeout based on the type of access to the Administration console (whether it is planned to use the Oracle WebLogic Server Administration Console from application tier clients or clients external to the application tier). |
|
Coherence |
n/a |
8088 Range: 8080 - 8090 |
n/a |
n/a |
|
|
Application tier to data tier (Oracle database or RAC outside of Oracle Exalogic machine via Ethernet) |
FW2 |
1521 |
n/a |
n/a |
|
|
Oracle HTTP Server WLS_OAM |
FW1 |
14100 |
HTTP |
Inbound |
Managed Servers, which use |
|
Oracle HTTP Server WLS_OIM |
FW1 |
14000 |
HTTP |
Inbound |
Managed Servers, which use |
|
Oracle HTTP Server WLS_SOA |
FW1 |
8001 |
HTTP |
Inbound |
Managed Servers, which use |
|
Oracle HTTP Server WLS_AMA |
FW1 |
14150 |
HTTP |
Inbound |
Managed Servers, which use |
|
Oracle HTTP Server WLS_BI |
FW1 |
9704 |
HTTP |
Inbound |
Managed Servers, which use |
|
Oracle HTTP Server WLS_MSM |
FW1 |
14180 |
HTTP |
Inbound |
Managed Servers, which use |