31.12 Tuning Apache/IHS v2 Webgates for Access Manager

Unless explicitly stated, information here applies to both Apache and IHS v2 Webgate (also known as plug-ins).

For details about Oracle HTTP Server, see the Oracle HTTP Server Administrator's Guide 10g R2 (10.1.2).

31.12.1 About Apache v2 bundled with Security-Enhanced Linux

With SELinux enabled, errors can be reported in the Web server log or console when the Web server is started after an Access Manager Webgate has been installed on a Linux distribution with strict SELinux policies in place.

You can avoid these errors by running appropriate chcon commands for the installed Web component before restarting the Web server.

See Also:

"SELinux Issues"

31.12.2 About Apache v2 bundled SELinux-enabled Linux Distribution

Security-enhanced Linux (SELinux) is an automatically enabled implementation of a mandatory access-control mechanism.

As described in your Linux documentation, SELinux policies provide access to certain pre-defined system directories such as /etc/httpd/conf, /usr/sbin/apachect, and /var/log/ (to name a few) for system daemons.

When Webgates are installed with the bundled Apache Web server, certain policies must be added to allow Apache processes to access installation files.

The bundled Apache Web server runs as user "apache" with a security context defined as context=user_u:system_r:unconfined_t. As a result, when Webgates are installed in any of the user folders, the Apache Web server will not start.

The $SELINUX_SRC variable represents the SELinux policy source directory. The default value is /etc/selinux/targeted/src/policy. However, your environment may vary. Be sure to consult your system administrator for the actual value on your system.

31.12.2.1 Adding Access Manager Policies to Apache bundled with Red Hat Enterprise Linux 4

You can add Access Manager policies to Apache bundled with Red Hat Enterprise Linux 4.

  1. After installing each Access Manager Webgate, log in as the 'root' user.
  2. Ensure that all Webgates are installed as the Web server user and group (default: apache).
  3. Create an oracle_access_manager.te policy file in the $SELINUX_SRC/domains/programs/ directory and add the following rules:
    type oracle_access_manager_t, file_type, sysadmfile;
    allow httpd_t oracle_access_manager_t:file { rw_file_perms create rename link unlink setattr execute };
    allow httpd_t oracle_access_manager_t:dir  { rw_dir_perms create append rename link unlink setattr };

  4. Create an oracle_access_manager.fc file context in the directory $SELINUX_SRC/file_contexts/program, then register the Webgate installation directory (without the identity or access suffix). For example:
     Oracle_Access_Manager_install_dir(/.*)? system_u:object_r:oracle_access_manager_t


    Note:

    When the Webgate is installed in a separate directory from the Access Manager, be sure to register the Webgate installation directory separately.

  5. Compile and deploy the policy files, then label the Oracle Access Manager files:
    cd $SELINUX_SRC
    make load
    restorecon -R Oracle_Access_Manager_install_dir
    (Run restorecon on the Webgate installation directory without the identity or access suffix.)

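The following script carries out steps 3 to 5 above for one or more Webgate directories, including the case in the Note where a Webgate is installed separately and needs its own file-context line. It is an added example, not part of the Oracle documentation; $SELINUX_SRC is assumed to be the RHEL 4 policy source tree, the directory paths are placeholders, and the policy source paths are taken from the steps above.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: scripts steps 3 to 5.
# Assumes $SELINUX_SRC is the RHEL 4 policy source tree and that each Webgate
# directory passed in is the installation directory without the identity or
# access suffix (the /opt/oam/... paths in the usage line are placeholders).

# Write the .te rules (step 3) and one .fc context line per Webgate directory
# (step 4) under the policy source tree $1; the remaining arguments are the
# Webgate installation directories to register.
write_oam_policy() {
    src="$1"; shift
    te="$src/domains/programs/oracle_access_manager.te"
    fc="$src/file_contexts/program/oracle_access_manager.fc"
    mkdir -p "$src/domains/programs" "$src/file_contexts/program"
    cat > "$te" <<'EOF'
type oracle_access_manager_t, file_type, sysadmfile;
allow httpd_t oracle_access_manager_t:file { rw_file_perms create rename link unlink setattr execute };
allow httpd_t oracle_access_manager_t:dir  { rw_dir_perms create append rename link unlink setattr };
EOF
    : > "$fc"
    for dir in "$@"; do
        # A separately installed Webgate gets its own line; (/.*)? covers the whole subtree.
        printf '%s(/.*)?\tsystem_u:object_r:oracle_access_manager_t\n' "$dir" >> "$fc"
    done
}

# Compile and load the policy, then relabel each Webgate tree (step 5). Run as root.
deploy_oam_policy() {
    src="$1"; shift
    ( cd "$src" && make load ) || return 1
    for dir in "$@"; do
        restorecon -R "$dir" || return 1
    done
}

# Confirm the relabel took effect: the directory context must carry the new type.
oam_label_ok() {
    ls -dZ "$1" | grep -q 'oracle_access_manager_t'
}

# Usage (not run here):
#   write_oam_policy "$SELINUX_SRC" /opt/oam/webgate /opt/oam/webgate2
#   deploy_oam_policy "$SELINUX_SRC" /opt/oam/webgate /opt/oam/webgate2
#   oam_label_ok /opt/oam/webgate && echo "labelled"
```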

31.12.3 Apache v2 Directives

Apache 1.3 uses a process model for serving multiple HTTP requests at once. This differs from the single process (thread) model employed by other Web servers, which manage several requests simultaneously in one process.

Note:

Only the prefork MPM in Apache v2 uses the same process model for serving HTTP requests as Apache v1.3. For all other MPMs, Apache v2 uses a hybrid process-thread model.

Several directives in the Apache v2 Web server configuration file (httpd.conf) affect how the Apache Web server decides to create or destroy worker processes. The following parameters affect the performance of the Apache v2 Web server:

  • ThreadsPerChild: This directive sets the number of threads created by each child process. The child creates these threads at startup and never creates more.

    • If you are using an MPM like mpm_winnt, where there is only one child process, this number should be high enough to handle the entire load of the server.

    • If you are using an MPM like mpm_worker, where there are multiple child processes, the total number of threads should be high enough to handle the common load on the server.

  • MinSpareThreads: This value is only used with mpm_worker. Since Access Manager plug-in initialization is deferred until the first request, there is minimal advantage in keeping a high value for this directive. However, it is useful to keep this parameter as high as possible.

  • MaxSpareThreads: This value is only used with mpm_worker. The value for MaxSpareThreads must be greater than or equal to the sum of MinSpareThreads and ThreadsPerChild or the Apache HTTP Server automatically corrects it.

    Recommendation: Keep the value high. For a dedicated server this will not be a problem.

  • MaxSpareServers: With Apache v2, this is used only with the prefork MPM model. To preserve as much state as possible in the server, set the MaxSpareServers to a high value. Setting this value to the maximum of 255 keeps all Apache worker-processes available indefinitely, but it does not provide an opportunity for worker-process recycling during low-load periods.

  • MinSpareServers: With Apache v2, this is used only with the prefork MPM model. Since Access Manager plug-in initialization is deferred until the first request, using a high value for the MinSpareServers parameter provides minimal advantage. However, it is useful to keep this parameter as high as possible. For dedicated Web server systems, this should pose no great burden.

  • MaxClients: With IHS v2 and the worker MPM, MaxClients restricts the total number of threads that will be available to serve clients. For hybrid MPMs, the default value is 16 (ServerLimit) multiplied by a value of 25 (ThreadsPerChild). To increase MaxClients to a value that requires more than 16 processes, you must also raise ServerLimit.
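The two relations stated above (MaxSpareThreads must be at least MinSpareThreads plus ThreadsPerChild, and MaxClients cannot exceed ServerLimit times ThreadsPerChild without raising ServerLimit) are easy to get wrong when tuning by hand. The checker below reads a worker-MPM section of httpd.conf and reports either violation; it is an added example, not from the Oracle documentation or Apache, and it assumes uncommented directives, one per line, with the sample configuration constructed inline.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: checks the worker-MPM
# relations described above against an httpd.conf. Assumes directives are
# uncommented and one per line; the sample configuration below is constructed.

# Value of directive $2 in config $1; as in Apache, the last occurrence wins.
# Empty output means the directive is absent.
conf_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$1"
}

# Return 0 when the worker-MPM directives are consistent, 1 with a reason per
# problem otherwise. Missing directives take the worker MPM defaults.
check_worker_mpm() {
    conf="$1"
    tpc=$(conf_value "$conf" ThreadsPerChild);   tpc=${tpc:-25}
    minst=$(conf_value "$conf" MinSpareThreads); minst=${minst:-75}
    maxst=$(conf_value "$conf" MaxSpareThreads); maxst=${maxst:-250}
    slim=$(conf_value "$conf" ServerLimit);      slim=${slim:-16}
    maxc=$(conf_value "$conf" MaxClients);       maxc=${maxc:-$((slim * tpc))}
    rc=0
    # Apache silently raises MaxSpareThreads to MinSpareThreads + ThreadsPerChild.
    if [ "$maxst" -lt $((minst + tpc)) ]; then
        echo "MaxSpareThreads=$maxst is below MinSpareThreads+ThreadsPerChild=$((minst + tpc))"
        rc=1
    fi
    # MaxClients above ServerLimit * ThreadsPerChild requires a higher ServerLimit.
    if [ "$maxc" -gt $((slim * tpc)) ]; then
        echo "MaxClients=$maxc exceeds ServerLimit*ThreadsPerChild=$((slim * tpc)); raise ServerLimit"
        rc=1
    fi
    return $rc
}

# Constructed worker-MPM sample written to $1 with ServerLimit $2 and
# MaxSpareThreads $3, so a weak setting and its correction can be compared:
# write_sample f 16 40 fails both checks; write_sample f 24 75 passes.
write_sample() {
    cat > "$1" <<EOF
<IfModule worker.c>
ServerLimit         $2
MaxClients         600
MinSpareThreads     25
MaxSpareThreads     $3
ThreadsPerChild     25
</IfModule>
EOF
}
```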

Appropriate values for the preceding parameters depend on the expected load and the performance class of the systems involved, including the Access Server and LDAP server.

Apache servers on very high performance systems with high expected loads may be recompiled with a larger limit on the number of worker processes. On these systems, the StartServers and MinSpareServers parameters may have a greater performance impact when dealing with sudden load spikes.

You may need to adjust operating system limits for the Access Server for proper operation. In particular, the maximum number of file descriptors available for any one Access Server may need to be increased beyond the default value. Configuring more than one connection between each Apache-based Webgate and an Access Server may quickly exceed this limit.

For additional information, see your Apache documentation.