A Configuring Oracle HTTP Server as Proxy

Oracle HTTP Server (OHS) can be used as a proxy server for Network Integrity. It can be installed in either collocated mode or in a standalone mode. Oracle recommends using the standalone mode to install OHS. This section provides instructions for installing OHS in standalone mode.

Directory Placeholders Used

Table A-1 describes all the directory placeholders used in this section.

Table A-1 Description of Directory Placeholders

Placeholder     Directory Description
Oracle_Home     The home directory where OHS is installed.
OHS_Domain      The location where domain is created. The default location is Oracle_Home/user_projects/domains/OHS_DomainName, where OHS_DomainName is the name of the OHS domain.
OHS_Component   Component directory that is created during domain creation.
Wallet_Path     The directory where Oracle Wallet is created. By default, it is set to Oracle_Home/ohsfmw/user_projects/domains/OHS_DomainName/config/fmwconfig/components/OHS/instances/OHS_Component/keystores/Wallet_Name, where Wallet_Name is the name of Oracle wallet.

Configuring Oracle HTTP Server

To configure Oracle HTTP Server when it is installed in a standalone domain:

Note:

To learn about the system requirements and specifications for installing OHS, see Oracle Fusion Middleware System Requirements and Specifications.
  1. Download and install Oracle HTTP Server 14.1.2.

    For more information on installing Oracle HTTP Server, see Oracle Fusion Middleware Installing and Configuring Oracle HTTP Server.

  2. After installing Oracle HTTP Server, navigate to the Oracle_Home/oracle_common/common/bin directory and run the config.sh script to create a domain.
  3. After creating a domain, start the Node Manager.

    If the node manager port of Oracle HTTP Server conflicts with the node manager port of WebLogic domain, change it using WLST.

  4. Start the Node Manager using the following options:
    • Run the ./startNodeManager.sh command.
    • Run the nohup ./startNodeManager.sh command to start the Node Manager with nohup.

    You can locate this file in your OHS_Domain/bin directory.

    Note:

    Use the ./stopNodeManager.sh command to stop the Node Manager.
  5. Run the following command to view the output:
    tail -f nohup.out
  6. Once Node Manager is running, start your Oracle HTTP Server component by using the following command and provide the node manager password when prompted:
    ./startComponent.sh ComponentName

    A message indicating a successful connection to the component appears. You can locate this file in your OHS_Domain/bin directory.

  7. Access the following Oracle HTTP Server URL to verify that the Oracle HTTP Server is running.
    http://<OHS_HostName>:<OHS_NonSSLPort> or https://<OHS_HostName>:<OHS_SSLPort>

    The Oracle HTTP Server welcome page appears.

Changing Node Manager Port

To change the node manager port, go to <Oracle_Home>/oracle_common/common/bin and run ./wlst.sh:
[bin]$ ./wlst.sh
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
wls:/offline> readDomain('<Oracle_Home>/user_projects/domains/<OHS_DomainName>')
wls:/offline/ohsop80idp4>cd('Machine')
wls:/offline/ohsop80idp4/Machine>cd('localmachine')
wls:/offline/ohsop80idp4/Machine/localmachine>cd('NodeManager')
wls:/offline/ohsop80idp4/Machine/localmachine/NodeManager>cd('localmachine')
wls:/offline/ohsop80idp4/Machine/localmachine/NodeManager/localmachine>ls()
-rw-   Adapter                                       null
-rw-   AdapterName                                   null
-rw-   AdapterVersion                                null
-rw-   DebugEnabled                                  false
-rw-   Id                                            0
-rw-   InstalledVMMAdapter
-rw-   ListenAddress                                 localhost
-rw-   ListenPort                                    5556
-rw-   NMSocketCreateTimeoutInMillis                 15000
-rw-   NMType                                        null
-rw-   Name                                          localmachine
-rw-   NodeManagerHome                               null
-rw-   Notes                                         null
-rw-   PasswordEncrypted                             ********
-rw-   ShellCommand                                  null
-rw-   Tag
-rw-   UserName                                      null
wls:/offline/ohsop80idp4/Machine/localmachine/NodeManager/localmachine>set('ListenPort',5555)
wls:/offline/ohsop80idp4/Machine/localmachine/NodeManager/localmachine>updateDomain()
wls:/offline/ohsop80idp4/Machine/localmachine/NodeManager/localmachine>closeDomain()
wls:/offline>exit()
Exiting WebLogic Scripting Tool.

Updating the mod_wl_ohs.conf File

You must edit the mod_wl_ohs.conf file to enable the Oracle HTTP Server instance to forward requests to the applications deployed on the Oracle WebLogic Server or clusters.

To update the mod_wl_ohs.conf file:

  1. Navigate to <OHS_Domain>/config/fmwconfig/components/OHS/instances/<OHS_Component> and open mod_wl_ohs.conf.
  2. Add directives as follows:
    • To forward requests to the UIM application running on a single Oracle WebLogic Server instance, specify /NetworkIntegrity within the <location> element as follows:
      <Location /NetworkIntegrity > 
      SetHandler weblogic-handler 
      WebLogicHost host 
      WebLogicPort port
      </Location>

      Where:

      • host is the name of the WebLogic Administration server machine.
      • port is the port of the server on which UIM is installed.
    • To forward requests to the Network Integrity application running on a cluster of Oracle WebLogic Server instances, specify /NetworkIntegrity within a new <location> element as follows:
      <Location /NetworkIntegrity >
      SetHandler weblogic-handler
      WebLogicCluster host1:port1,host2:port2
      </Location>

      Where:

      • host1 and host2 are host names of the managed servers.
      • port1 and port2 are ports of the managed servers.
    • To forward requests to the Network Integrity Web services running on a single Oracle WebLogic Server instance, specify /NetworkIntegrityApp-NetworkIntegrityControlWebService-context-root within the <location> element as follows:
      <Location /NetworkIntegrityApp-NetworkIntegrityControlWebService-context-root> 
      SetHandler weblogic-handler
      WebLogicHost host
      WebLogicPort port
      </Location>

      Where:

      • host is the name of the WebLogic Administration server machine.
      • port is the port of the server on which Network Integrity is installed.
    • To forward requests to the Network Integrity application running on a single Oracle WebLogic Server instance into which you want to deploy cartridges, specify /cartridge within the <location> element as follows:
      <Location /cartridge> 
      SetHandler weblogic-handler
      WebLogicHost host
      WebLogicPort port
      </Location>

      Where:

      • host is the name of the WebLogic Administration server machine.
      • port is the port of the server on which Network Integrity is installed.
    • Similarly, specify /em within the <location> element to access the em console.
      <Location /em>
      SetHandler weblogic-handler
      WebLogicHost host
      WebLogicPort port
      </Location>
      

      Where:

      • host is the name of the WebLogic Administration server machine.
      • port is the port of the server on which Network Integrity is installed.

Configuring SSL for OHS

Pre-requisite: The custom certificate and corresponding keystore should be generated for Network Integrity.

To configure SSL for OHS:

  1. Go to the path <OHS_Domain>/config/fmwconfig/components/OHS/instances/<Component>/keystores/ and create the Oracle wallet for OHS as follows:
    ./orapki wallet create -wallet <Wallet_Name> -auto_login_only 
    ./orapki wallet add -wallet <Wallet_Name> -trusted_cert -cert <CERT_FILE> -auto_login_only
    

    The wallet is created.

  2. Add keystore to the wallet as follows:
    ./orapki wallet jks_to_pkcs12 -wallet <Wallet_Name> -keystore <Keystore file> -jkspwd <Password>
  3. Go to <Oracle_Home>/user_projects/domains/<OHS_Domain>/config/fmwconfig/components/OHS/instances/<OHS_Component> to edit the ssl.conf file. Search for Path to the wallet and update the SSLWallet sample path with the created wallet path.
  4. Update the mod_wl_ohs.conf file, located at <Oracle_Home>/user_projects/domains/<OHS_Domain>/config/fmwconfig/components/OHS/instances/<OHS_Component>, with the created wallet as follows:
    <IfModule weblogic_module>
       WLSSLWallet "<Wallet_Path>"
    </IfModule>
    Specify the SSL ports of the managed servers for WebLogicCluster, and add the SecureProxy ON and WLProxySSLPassThrough ON parameters in the <Location> element.
    Example:
    <Location /NetworkIntegrity >
        SetHandler weblogic-handler
        WebLogicCluster <Host1>:<MS1_SSL_Port>,<Host2>:<MS2_SSL_Port>
        Debug ALL
        DebugConfigInfo ON
        SecureProxy ON
        WLProxySSLPassThrough ON    
    </Location>
        
  5. Restart the component after updating SSL and mod_wl_ohs.conf as follows:
    ./restartComponent.sh ComponentName
  6. Verify that all files are created in the keystore: instance PEM, CRT, and SSO.
  7. Go to CL1. In General tabs, go to Advance Fields and enable the WebLogic plugin for Admin Server and Managed Servers.
  8. In the WebLogic console, update the frontend host and HTTPS port with the OHS host and port.
  9. To configure the SSL Policy/Certificate in WebLogic Console, follow the procedure provided in Network Integrity System Administrator's Guide.
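
The following check for step 4 is an added example, not part of the original procedure or Oracle's tooling. It parses the <Location> blocks of a mod_wl_ohs.conf and reports blocks that lack SecureProxy ON or WLProxySSLPassThrough ON, or that place several directives on the SetHandler line. Treating Debug ALL and DebugConfigInfo ON as settings to turn off after troubleshooting is this example's assumption, and the sample hosts and ports are constructed.

```python
import re

# Step 4 of the procedure requires these in each SSL-proxied <Location>.
REQUIRED_ON = ("SecureProxy", "WLProxySSLPassThrough")
# Debug switches from the page's example; flagging them is this example's policy.
DEBUG_ONLY = {"Debug": "ALL", "DebugConfigInfo": "ON"}

# Constructed sample config (hosts and ports are made up).
SAMPLE = """\
<Location /NetworkIntegrity>
    SetHandler weblogic-handler
    WebLogicCluster hostA.example:7002,hostB.example:7002
    Debug ALL
    DebugConfigInfo ON
    SecureProxy ON
    WLProxySSLPassThrough ON
</Location>
<Location /cartridge>
    SetHandler weblogic-handler WebLogicHost hostA.example WebLogicPort 7002
</Location>
"""

def parse_locations(text):  # returns {path: {directive_lower: ARGS_UPPER}}
    blocks = {}
    pattern = r"<Location\s+(\S+?)\s*>(.*?)</Location\s*>"
    for path, body in re.findall(pattern, text, re.S | re.I):
        lines = [l.strip() for l in body.splitlines()]
        pairs = (l.partition(" ") for l in lines if l and not l.startswith("#"))
        blocks[path] = {n.lower(): a.strip().upper() for n, _, a in pairs}
    return blocks

def lint(text):  # returns a sorted list of (location, finding) tuples
    findings = []
    for path, values in parse_locations(text).items():
        # Each directive needs its own line; extra words after the handler are an error.
        if len(values.get("sethandler", "").split()) > 1:
            findings.append((path, "several directives on the SetHandler line"))
        for name in REQUIRED_ON:
            if values.get(name.lower()) != "ON":
                findings.append((path, f"{name} is not ON"))
        for name, bad in DEBUG_ONLY.items():
            if values.get(name.lower()) == bad:
                findings.append((path, f"{name} {bad} left enabled"))
    return sorted(findings)

if __name__ == "__main__":
    for path, finding in lint(SAMPLE):
        print(f"{path}: {finding}")
```

Run it against the edited file before restarting the component in step 5 by passing the file's contents to lint().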