This appendix describes the directives available in the Oracle-developed modules supported by OHS. It contains these sections:
Note:
The directives described in this appendix are only for modules developed by Oracle. OHS also includes many Apache HTTP Server and third-party modules out-of-the-box. See "Apache HTTP Server and Third-party Modules in Oracle HTTP Server" in Chapter 3 for a list of these modules and a link to their documentation.mod_certheaders accepts the following directives:
Specifies which headers should be translated to CGI environment variables. This can be achieved by using the AddCertHeader directive. This directive takes a single argument, which is the CGI environment variable that should be populated from a HTTP header on incoming requests. For example, to populate the SSL_CLIENT_CERT CGI environment variable. AddCertHeader is generally used for Web Cache in front of OHS.
Category | Value |
---|---|
Syntax | AddCertHeader environment_variable |
Example | AddCertHeader SSL_CLIENT_CERT |
Default | None |
Note:
If a simulated SSL connection needs to be passed to WebLogic Server, AddCertHeader can be used with mod_wl_ohs as well. That module's directive, WLProxySSLPassThrough, ensures that the certificate is passed to the backend (irrespective of the real or simulated SSL connection).mod_certheaders can be used to instruct Oracle HTTP Server to treat certain requests as if they were received through HTTPS even though they were received through HTTP. This is useful when Oracle HTTP Server is front-ended by a reverse proxy or load balancer, which acts as a termination point for SSL requests, and forwards the requests to Oracle HTTP Server through HTTPS. and SimulateHttps is used for load balancer type of devices.
Category | Value |
---|---|
Syntax | SimulateHttps on|off |
Example | SimulateHttps on |
Default | off |
mod_certheaders accepts the OpmnHostPort directive.
This directive enables you to specify a hostname and port that OPMN should use for pinging the Oracle HTTP Server instance that mod_onsint is running in. If OpmnHostPort is not specified, mod_onsint chooses an HTTP port automatically. However, in certain circumstances, you may want to choose a specific HTTP port and hostname that OPMN should use to ping the listener with.
Category | Value |
---|---|
Syntax | OpmnHostPort host:Port |
Example | OpmnHostPort localhost:7778 |
Default | None |
mod_oradav accepts the following directives:
In an Oracle HTTP Server environment that is not OraDAV-enabled, mod_dav does not respond to HTTP GET requests. Instead, normal Oracle HTTP Server mechanisms are used to respond to GET requests.
The ORAAllowIndexDetails
parameter controls how OraDAV responds when a GET request is performed on a DAV collection and no index.html
file is found in the directory. In a typical Oracle HTTP Server environment, a separate module takes control, automatically generating and returning to the client HTML that represents an "index" of the resources (files) in that collection.
Category | Value |
---|---|
Syntax | ORAAllowIndexDetails true | false |
Example | ORAAllowIndexDetails true |
Default | false |
Specifies the password for the user specified by the ORAUser parameter. The OraAltPassword
uses a base-64 encoded character string. This parameter provides an alternative if you do not want the password to appear in unencoded plain text with the ORAUser
parameter. If the ORAPassword parameter is not specified, this value is used for the password.
Category | Value |
---|---|
Syntax | ORAAltPassword password |
Example | ORAAltPassword myPassword |
Default | None |
Specifies the directory to use for disk caching operations, per these requirements:
The specified directory must exist and be readable by Oracle HTTP Server, but cannot be visible to normal GET requests. If the directory is visible to normal GET requests, security measures could be bypassed by users accessing the cache directory.
The directory should be located on a file system that supports a last accessed time. On Microsoft Windows systems, this means using NTFS, not FAT, formatted partitions.
You cannot use the cache directory for anything other than caching. Any files in the cache directory are subject to deletion.
If you use the ORACacheDirectory
parameter, you must also use the ORACacheTotalSize parameter.
Category | Value |
---|---|
Syntax | ORACacheDirectory directoryName |
Example | ORACacheDirectory |
Default | If not used, disk caching is not performed for OraDAV operations |
Specifies the maximum cacheable resource size for disk caching operations. You can specify kilobytes (KB) or megabytes (MB) after an integer. If you do not specify a unit after the integer, then the default unit is bytes.
This parameter enables Web administrators to prevent large media files from dominating the cache. The performance benefit of caching a large file is greater than from caching a small file.
Category | Value |
---|---|
Syntax | ORACacheMaxResourceSize nn KB|MB |
Example | ORACacheMaxResourceSize 1024KB |
Default | None |
Specifies the percentage of disk cache usage to be freed when the cache is full. When the disk cache is full, the oldest files in the cache are deleted until the cache disk usage is reduced by the ORACachePrunePercent
value.
Category | Value |
---|---|
Syntax | ORACachePrunePercent nn |
Example | ORACachePrunePercent 40 |
Default | 25 |
Specifies the size of the cache to use for disk caching operations. You can specify MB (for megabytes) or GB (for gigabytes) after an integer. If you do not specify a unit after the integer, the default unit is bytes.
If you use the ORACacheDirectory parameter, you must also use the ORACacheTotalSize
parameter.
The ORACacheTotalSize
value should be large enough to hold either a significant amount of your Web site, or all of the most frequently accessed files plus 25 percent more space. If the value is too small, overall performance degrades because of the extra work of writing BLOB data to the file system and deleting files to make room for newer cache requests.
The actual space utilized by the disk cache might sometimes exceed the ORACacheTotalSize
value, possibly by as much as the ORACacheMaxResourceSize value. You should also be aware of file system block size issues that could cause the cache to use more disk space than the ORACacheTotalSize
value.
Category | Value |
---|---|
Syntax | DAVParam ORACacheTotalSize nn MB|GB |
Example | DAVParam ORACacheTotalSize 1GB |
Default | None |
Specifies the Oracle database to connect to. The ORAConnect
parameter lets you connect to a database that is not included in the tnsnames.ora
file. The value must use the following format:
To connect to an Oracle database, you must specify one, and no more than one, of the parameters ORAConnect, ORAConnectSN, or ORAService. To connect to a database included in the tnsnames.ora
file, use the ORAService parameter.
Category | Value |
---|---|
Syntax | ORAConnect database_host:database_port:database_sid |
Example | ORAConnect my-pc.example.com:1521:mysid |
Default | None |
Specifies the Oracle database to connect to. The ORAConnectSN
parameter lets you connect to a database that is not included in the tnsnames.ora
file. The value for this parameter is a character string.The value must use the following format:
To connect to an Oracle database, you must specify one, and no more than one, of the parameters ORAConnect, or ORAService. To connect to a database included in the tnsnames.ora
file, use the ORAService parameter.
Category | Value |
---|---|
Syntax | ORAConnectSN database-host:database-port:database-service-name |
Example | ORAConnectSN my-pc.example.com:1521:mysid |
Default | None |
Within the database user (schema) specified by the ORAUser parameter, there must exist a container, which is a set of PL/SQ packages and database tables that allow the storage of files in the database within a hierarchical structure. The ORAContainerName
parameter specifies the name of the container to use for the location. The value for this parameter is a character string, up to 20 characters. For example, <Location/project1>
.
Category | Value |
---|---|
Syntax | ORAContainerName Location/project1 |
Example | ORAContainerName |
Default | None |
Writes PL/SQL stack dumps in the Oracle HTTP Server log file, error_log, in the event of an exception in the PL/SQL package.
Category | Value |
---|---|
Syntax | ORAException RAISE|NORAISE |
Example | ORAException RAISE |
Default | NORAISE |
Note:
Although this parameter is useful for debugging purposes, it can use a large amount of disk space and can slow the performance of your system.Specifies one or more file extensions to identify types of files that are not to be run, but rather opened for editing. This allows you to open files for editing that are usually run as a result of a GET operation. When entering filetypes, include dot separators (.) and use a comma to separate file extensions. The value for this parameter is enclosed within double quotation marks. For example:
".htm, .html, .jsp1, .jsp2"
This directive applies only to file system access.
Category | Value |
---|---|
Syntax | ORAGetSource " .type[, .type, .type, .type] " |
Example | ORAGetSource ".htm, .html, .jsp1, .jsp2" |
Default | .JSP .SQLJSP |
Note:
The.jsp
and .sqljsp
files are by default opened for editing; you do not need to specify them in the ORAGetSource
parameter.Intended to be used in high-latency network environments to adjust the refresh lock behavior in Microsoft Office. Microsoft Office attempts to refresh locks on DAV resources just before the lock is set to expire. If the Microsoft Office client and the DAV server experience network congestion between the refresh, the request might arrive after the lock has expired.
OraDAV periodically looks for locks on resources that have expired and deletes those locks. The ORALockExpirationPad
parameter can be used to provide some additional time between when a lock expires and when that lock is deleted. For example, if ORALockExpirationPad
is set to 120, OraDAV does not actually delete locks for at least two minutes after the expiration time.
Category | Value |
---|---|
Syntax | ORALockExpirationPad nn |
Example | ORALockExpirationPad 90 |
Default | 0 |
Identifies the OraDAV driver implementation that is to be called when issuing OraDAV commands. The default is the OraDAV driver, which is the ORDSYS.DAV_API_DRIVER package.
Category | Value |
---|---|
Syntax | ORAPackageName name |
Example | ORAPackageName |
Default | The OraDAV driver |
Specifies the password for the user specified by the ORAUser parameter.
If you do not want to specify the password as an unencoded text string with the ORAPassword
parameter, you can specify the password as a base-64 encoded string with the ORAAltPassword parameter.
Category | Value |
---|---|
Syntax | ORAPassword password |
Example | ORAPassword myPassword |
Default | None |
Specifies the directory within the database repository to use as the root. If this parameter is specified, WebDAV clients see this directory as the root and are not able to see the repository directories that lead up to it. Do not include a trailing slash (/) in the value.
WebDAV clients can view the /third directory and can navigate to the /third/fourth directory, but will not be able to view or navigate to the /first or /first/second directories.
Category | Value |
---|---|
Syntax | ORARootPrefix / dirName1 [ /dirName1/dirName1/dirName1 ] |
Example | ORARootPrefix /first/second |
Default | None |
Specifies the Oracle database to connect to. The specified value must match a SID value in the tnsnames.ora
file.
To connect to an Oracle database, you must specify one, and no more than one, of the parameters ORAConnect, ORAConnectSN, or ORAService. To connect to a database that is not included in the tnsnames.ora file, use the ORAConnect or ORAConnectSN parameter.
Category | Value |
---|---|
Syntax | ORAService databaseName |
Example | ORAService |
Default | None |
Specifies the types of events to be recorded in the Oracle HTTP Server error log for debugging. The value for this parameter is one of the following:
getsource
: traces GET activity against the file system
hreftoutf8
: traces the HREF conversion from the native character set to UTF-8
request
: traces DAV requests, responses, and status values handled by mod_oradav
Category | Value |
---|---|
Syntax | ORATraceEvents getsource | hreftoutf8 | request |
Example | ORATraceEvents getsource |
Default | None |
Note:
Although this parameter is useful for debugging purposes, it can use a large amount of disk space and can slow the performance of your system.Specifies the level of debugging (trace statements) that will be entered in the Oracle HTTP Server error log. The lowest level is 0
(the default), which performs no tracing. The highest level is 4
, which performs maximum tracing. The value for this parameter is an integer between 0
and 4
.
The higher the number for the debugging level, the more information is written to the error log file.
Category | Value |
---|---|
Syntax | ORATraceLevel 0 | 1 | 2 | 3 | 4 |
Example | ORATraceLevel 2 |
Default | 0 |
Note:
Although setting this parameter to a high number is useful for debugging purposes, it can use a large amount of disk space and can slow the performance of your system.Specifies the database user (schema) to use when connecting to the service specified by the ORAConnect, ORAConnectSN, or ORAService parameter.
This user must have the following privileges:
CONNECT
RESOURCE
CREATE TABLESPACE
DROP TABLESPACE
CREATE ANY TRIGGER
Category | Value |
---|---|
Syntax | ORAUser |
Example | ORAUser |
Default | None |
To configure SSL for your Oracle HTTP Server, enter the mod_ossl
directives you want to use in the ssl.conf
file.
The following directives are described in subsequent sections:
Specifies if SSL accelerator is used. Currently only nFast card is supported.
Category | Value |
---|---|
Syntax | SSLAccelerator yes|no |
Example | SSLAccelerator yes |
Default | SSLAccelerator no |
Note:
TheSSLAccelerator
directive has been deprecated. For information on enabling SSL acceleration support using a wallet, refer to the Oracle Advanced Security Administrator's Guide on http://www.oracle.com/technology/documentation
.Specifies the file where you can assemble the Certificate Revocation Lists (CRLs) from CAs (Certificate Authorities) that you accept certificates from. These are used for client authentication. Such a file is the concatenation of various PEM-encoded CRL files in order of preference. This directive can be used alternatively or additionally to SSLCARevocationPath.
Category | Value |
---|---|
Syntax | SSLCARevocationFile file_name |
Example | SSLCARevocationFile / ORACLE_HOME /Apache/Apache/conf/ssl.crl/ca_bundle.crl |
Default | None |
Specifies the directory where PEM-encoded Certificate Revocation Lists (CRLs) are stored. These CRLs come from the CAs (Certificate Authorities) that you accept certificates from. If a client attempts to authenticate itself with a certificate that is on one of these CRLs, then the certificate is revoked and the client cannot authenticate itself with your server.
Category | Value |
---|---|
Syntax | SSLCARevocationPath path/to/CRL_directory/ |
Example | SSLCARevocationPath / ORACLE_HOME /Apache/Apache/conf/ssl.crl/ |
Default | None |
Specifies the SSL cipher suite that the client can use during the SSL handshake. This directive uses a colon-separated cipher specification string to identify the cipher suite. Table E-1 displays the tags you can use in the string to describe the cipher suite you want. SSLCipherSuite accepts the following values:
none: Adds the cipher to the list
+ : Adds the cipher to the list and place it in the correct location in the list
- : Remove the cipher from the list (can be added later)
! : Remove the cipher from the list permanently
Tags are joined together with prefixes to form a cipher specification string. Cipher suite tags are listed in Table E-1. Available ciphers are described in Table E-2.
Table E-1 SSLCipher Suite Tags
Function | Tag | Meaning |
---|---|---|
Key exchange |
|
|
Key exchange |
|
Diffie-Hellman key exchange with RSA key |
Authentication |
|
No authentication |
Authentication |
|
|
Authentication |
|
Diffie-Hellman authentication |
Encryption |
|
No encryption |
Encryption |
|
|
Encryption |
|
Triple |
Encryption |
|
|
Data Integrity |
|
|
Data Integrity |
|
|
Data Integrity |
|
|
Data Integrity |
|
|
Aliases |
|
All TLS version 1 ciphers |
Aliases |
|
All TLS version 1.1 ciphers |
Aliases |
|
All TLS version 1.2 ciphers |
Aliases |
|
All low strength ciphers (export and single |
Aliases |
|
All ciphers with 128-bit encryption |
Aliases |
|
All ciphers using triple |
Aliases |
|
All ciphers using |
Aliases |
|
All ciphers using |
Aliases |
|
All ciphers using Diffie-Hellman key exchange |
Note:
All Export, anon, 40-bit, 50-bit, and 56-bit weak ciphers have been disabled in the Oracle HTTP Server 11.1.1.9.0 releaseTable E-2 Cipher Suites Supported in Oracle Advanced Security
Cipher Suite | Authentication | Encryption | Data Integrity | TLSv1 | TLSv1.1 | TLSv1.2 |
---|---|---|---|---|---|---|
|
|
|
|
Yes |
Yes |
Yes |
|
|
|
|
Yes |
Yes |
Yes |
|
|
|
|
Yes |
Yes |
Yes |
|
|
|
|
Yes |
Yes |
Yes |
|
|
|
|
Yes |
Yes |
Yes |
|
|
|
|
No |
No |
Yes |
|
|
|
|
No |
No |
Yes |
|
|
|
|
No |
No |
Yes |
|
|
|
|
No |
No |
Yes |
|
|
|
|
Yes |
Yes |
Yes |
|
|
|
|
Yes |
Yes |
Yes |
|
|
|
|
No |
No |
Yes |
|
|
|
|
No |
No |
Yes |
|
|
|
|
No |
No |
Yes |
|
|
|
|
No |
No |
Yes |
Toggles the usage of the SSL Protocol Engine. This is usually used inside a <VirtualHost>
section to enable SSL for a particular virtual host. By default, the SSL Protocol Engine is disabled for both the main server and all configured virtual hosts. Example 11–1 is an example for using SSLEngine directive. The default SSL is 4443 on UNIX and 443 on Windows.
Category | Value |
---|---|
Syntax | SSLEngine on|off |
Example | SSLEngine on |
Default | off |
This directive toggles the usage of the SSL library FIPS_mode
flag. It must be set in the global server context and should not be configured with conflicting settings (SSLFIPS on
followed by SSLFIPS off
or similar). The mode applies to all SSL library operations.
Category | Value |
---|---|
Syntax |
SSLFIPS ON | OFF |
Example |
SSLFIPS ON |
Default | Off |
Configuring an SSLFIPS change requires that the SSLFIPS on
/off
directive be set globally in ssl.conf. Virtual level configuration is disabled in the SSLFIPS directive. Hence, setting SSLFIPS to virtual directive will result in an error.
The cipher suites supported in SSLFIPS mode are:
Table E-3 Cipher Suites Supported by SSLFIPS
Cipher Suite | Protocol |
---|---|
|
TLSv1.0 and greater |
|
TLSv1.0 and greater |
|
TLSv1.0 and greater |
|
TLSv1.2 |
|
TLSv1.2 |
|
TLSv1.2 |
|
TLSv1.2 |
|
TLSv1.0 and greater |
|
TLSv1.0 and greater |
|
TLSv1.2 |
|
TLSv1.2 |
|
TLSv1.2 |
|
TLSv1.2 |
Note:
To use the TLS_ECDHE_ECDSA cipher suite, Oracle HTTP Server requires a wallet created with an ECC user certificate. The TLS_ECDHE_ECDSA cipher suite does not work with RSA certificates.
To use the SSL_RSA/TLS_RSA cipher suite, Oracle HTTP Server requires a wallet created with an RSA user certificate. The SSL_RSA/TLS_RSA cipher suite does not work with ECC certificates.
For more information on configuring ECC/RSA certificates in a wallet, see "Creating and Viewing Oracle Wallets with orapki" in Administering Oracle Fusion Middleware.
For instructions on how to implement these cipher suites and corresponding protocols, see Section E.4.4, "SSLCipherSuite" and Section E.4.12, "SSLProtocol".
For more information on SSL FIPS 140-2 Standard for Oracle HTTP Server 11.1.1.9, see My Oracle Support Knowledge Database Doc ID 2115681.1 at https://support.oracle.com/
.
Specifies where the SSL engine log file will be written. (Error messages will also be duplicated to the standard Oracle HTTP Server log file specified by the ErrorLog directive.)
Place this file at a location where only root can write, so that it cannot be used for symlink attacks. If the filename does not begin with a slash (/), it is assumed to be relative to the ServerRoot. If the filename begins with a bar (|), then the string following the bar is expected to be a path to an executable program to which a reliable pipe can be established.
This directive should occur only once per virtual server configuration.
Category | Value |
---|---|
Syntax | SSLLog path/to/file |
Example | SSLLog |
Default | None |
Specifies the verbosity degree of the SSL engine log file. The degrees, or levels, are (in ascending order, where each level is included in the levels preceding it):
none
: No dedicated SSL logging is done. Messages of type 'error' are duplicated to the standard HTTP server log file specified by the ErrorLog
directive.
error
: Only messages of the type 'error' (conditions that stop processing) are logged.
warn
: Messages that notify of non-fatal problems (conditions that do not stop processing) are logged.
info
: Messages that summarize major processing actions are logged.
trace
: Messages that summarize minor processing actions are logged.
debug
: Messages that summarize development and low-level I/O operations are logged.
Category | Value |
---|---|
Syntax | SSLLogLevel none | error | warn | info | trace | debug |
Example | SSLLogLevel error |
Default | None |
Type of semaphore (lock) for SSL engine's mutual exclusion of operations that have to be synchronized between Oracle HTTP Server processes. Accepted values are:
file:
path/to/mutex: Uses a file for locking. The process ID (PID) of the Oracle HTTP Server parent process is appended to the filename to ensure uniqueness. If the filename does not begin with a slash (/), it is assumed to be relative to ServerRoot
. This setting is not available on Windows.
none
: Uses no mutex at all. Not recommended, because the mutex synchronizes the write access to the SSL session cache. If you do not configure a mutex, the session cache can become garbled.
pthread
: This directive tells the SSL Module to use Posix thread mutexes. It is only available if the underlying platform and Apache Portable Runtime (APR) supports it.
sem
: Uses an operating system semaphore to synchronize writes. On UNIX, it would be a Sys V IPC semaphore; on Windows, it is a Windows Mutex. This is the best choice, if the operating system supports it.
Category | Value |
---|---|
Syntax | SSLMutex none | file | pthread | sem |
Example | SSLMutex file :/usr/local/apache/logs/ssl_mutex |
Default | pthread |
Notes:
In the Oracle HTTP Server default ssl.conf
template file, pthread
is defined as the default value for the SSLMutex directive for non-Windows platforms and none
is defined as a default value for the Windows platform as follows:
<IfModule mpm_winnt_module> SSLMutex "none" </IfModule> <IfModule !mpm_winnt_module> SSLMutex pthread </IfModule>
As new Oracle HTTP Server instances are created for non-Windows platforms, the default value for SSLMutex will continue to be pthread
unless you explicitly modify your configuration. If you comment out these lines in the ssl.conf
file and no value is specified for SSLMutex in the Oracle HTTP Server configuration files, then Oracle HTTP Server will use none
as the default value for SSLMutex.
The none
value for the SSLMutex directive is not recommended for non-Windows platforms, because it can create a garbled session cache and can lead to core dumps.
Controls various runtime options on a per-directory basis. In general, if multiple options apply to a directory, the most comprehensive option is applied (options are not merged). However, if all of the options in an SSLOptions
directive are preceded by a plus ('+') or minus ('-') symbol, then the options are merged. Options preceded by a plus are added to the options currently in force, and options preceded by a minus are removed from the options currently in force.
Accepted values are:
StdEnvVars
: Creates the standard set of CGI/SSI environment variables that are related to SSL. This is disabled by default because the extraction operation uses a lot of CPU time and usually has no application when serving static content. Typically, you only enable this for CGI/SSI requests.
ExportCertData
: Enables the following additional CGI/SSI variables:
SSL_SERVER_CERT
SSL_CLIENT_CERT
SSL_CLIENT_CERT_CHAIN_n
(where n= 0, 1, 2...)
These variables contain the Privacy Enhanced Mail (PEM)-encoded X.509 certificates for the server and the client for the current HTTPS connection, and can be used by CGI scripts for deeper certificate checking. All other certificates of the client certificate chain are provided. This option is "Off" by default because there is a performance cost associated with using it.
SSL_CLIENT_CERT_CHAIN_n
variables are in the following order: SSL_CLIENT_CERT_CHAIN_0
is the intermediate CA who signs SSL_CLIENT_CERT
. SSL_CLIENT_CERT_CHAIN_1
is the intermediate CA who signs SSL_CLIENT_CERT_CHAIN_0
, and so forth, with SSL_CLIENT_ROOT_CERT
as the root CA.
FakeBasicAuth
: Translates the subject distinguished name of the client X.509 certificate into an HTTP basic authorization user name. This means that the standard HTTP server authentication methods can be used for access control. Note that no password is obtained from the user; the string 'password' is substituted.
StrictRequire
: Denies access when, according to SSLRequireSSL or directives, access should be forbidden. Without StrictRequire
, it is possible for a 'Satisfy any'
directive setting to override the SSLRequire
or SSLRequireSSL
directive, allowing access if the client passes the host restriction or supplies a valid user name and password.
Thus, the combination of SSLRequireSSL
or SSLRequire
with SSLOptions +StrictRequire
gives mod_ossl
the ability to override a 'Satisfy any'
directive in all cases.
CompatEnvVars
: Exports obsolete environment variables for backward compatibility to Apache SSL 1.x, mod_ssl
2.0.x, Sioux 1.0, and Stronghold 2.x. Use this to provide compatibility to existing CGI scripts.
OptRenegotiate
: This enables optimized SSL connection renegotiation handling when SSL directives are used in a per-directory context.
Category | Value |
---|---|
Syntax | SSLOptions [+-] StdEnvVars | ExportCertData | FakeBasicAuth | StrictRequire | CompatEnvVars | OptRenegotiate |
Example | SSLOptions -StdEnvVars |
Default | None |
Type of pass phrase dialog for wallet access. mod_ossl
asks the administrator for a pass phrase in order to access the wallet. Accepted if values are:
builtin
: when the server is started, mod_ossl
prompts for a password for each wallet.
This cannot be used when Oracle HTTP Server is managed by OPMN. No user interaction is allowed when Oracle HTTP Server is started by OPMN.
exec:
path/to/program
- when the server is started, mod_ossl
calls an external program configured for each wallet. This program is invoked with two arguments: servername:portnumber and RSA
or DSA
.
Category | Value |
---|---|
Syntax | SSLPassPhraseDialog builtin | exec |
Example | SSLPassPhraseDialog exec: /usr/local/apache/sbin/pfilter |
Default | builtin |
Note:
The SSLv2 protocol is no longer supported by Oracle HTTP Server. The SSLv3 protocol is supported for backwards compatibility, but because of security concerns, it is disabled out-of-the-box in the Oracle HTTP Server 11.1.1.9 release.You can configure the SSLv3 protocol by explicitly entering SSLv3
in the SSLProtocol directive. However, Oracle strongly discourages the use of SSLv3 and logs a warning message cautioning you about the use of an insecure protocol. The following ciphers can be used with an SSLv3 configuration:
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_AES_128_CBC_SHA
If you are upgrading from an earlier release of Oracle HTTP Server, the SSLv3 and/or SSLv2 security protocol might be a part of your configuration. Oracle strongly recommends that you disable any SSLv3 or SSLv2 configuration from Oracle HTTP Server. See Section 8.9, "Disable SSLv2 and SSLv3 Security Protocols."
Specifies SSL protocol(s) for mod_ossl
to use when establishing the server environment. Clients can only connect with one of the specified protocols. Accepted values are:
TLSv1
TLSv1.1
TLSv1.2
All
You can specify multiple values as a space-delimited list. In the syntax, the "-" and "+" symbols have the following meaning:
+ : Adds the protocol to the list
- : Removes the protocol from the list
In the current release, All
is defined as +TLSv1
+TLSv1.1
+TLSv1.2
(SSLv2
is not supported and SSLv3
is disabled out-of-the-box.)
Table E-2 lists the ciphers that are available for the TLSv1, TLSv1.1, and TLSv1.2 protocols.
In the current release, you can specify the value for this directive using the OpenSSL format. The nzos*
formats have been deprecated and their use should be avoided.
Protocol Name | OpenSSL Format | nzos* Format (Deprecated) |
---|---|---|
TLS version 1.0 | TLSv1 |
nzos_Version_1_0 |
TLS version 1.1 | TLSv1.1 |
nzos_Version_1_1 |
TLS version 1.2 | TLSv1.2 |
nzos_Version_1_2 |
Category | Value |
---|---|
Syntax | SSLProtocol [+-] TLSv1 | TLSv1.1 | TSLv1.2 | All |
Example | SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2 |
Default | ALL |
Specifies the SSL cipher suite that the proxy can use during the SSL handshake. This directive uses a colon-separated cipher specification string to identify the cipher suite. Table E-1 shows the tags you can use in the string to describe the cipher suite you want. SSLCipherSuite accepts the following values:
none: Adds the cipher to the list
+ : Adds the cipher to the list and places it in the correct location in the list
- : Removes the cipher from the list (which can be added later)
! : Removes the cipher from the list permanently
Tags are joined with prefixes to form a cipher specification string. The SSLProxyCipherSuite directive uses the same tags as the SSLCipherSuite directive. For a list of supported suite tags, see Table E-1.
Category | Value |
---|---|
Example | SSLProxyCipherSuite ALL:!MD5
In this example, all ciphers are specified except MD5 strength ciphers. |
Syntax | SSLProxyCipherSuite cipher-spec |
Default |
ALL:!ADH:+HIGH:+MEDIUM |
The SSLProxyCipherSuite directive uses the same cipher suites as the SSLCipherSuite directive. For a list of the Cipher Suites supported in Oracle Advanced Security 12.1.3, see Table E-2.
Enables or disables the SSL/TLS protocol engine for proxy. SSLProxyEngine is usually used inside a <VirtualHost>
section to enable SSL/TLS for proxy usage in a particular virtual host. By default, the SSL/TLS protocol engine is disabled for proxy both for the main server and all configured virtual hosts.
SSLProxyEngine should not be included in a virtual host that will be acting as a forward proxy (by using Proxy
or ProxyRequest
directives). SSLProxyEngine is not required to enable a forward proxy server to proxy SSL/TLS requests.
Category | Value |
---|---|
Syntax | SSLProxyEngine ON | OFF |
Example | SSLProxyEngine on |
Default | Disable |
Specifies SSL protocol(s) for mod_ossl
to use when establishing a proxy connection in the server environment. Proxies can only connect with one of the specified protocols. Accepted values are:
TLSv1
TLSv1.1
TLSv1.2
All
You can specify multiple values as a space-delimited list. In the syntax for SSLProxyProtocol, the "-" and "+" symbols have the following meaning:
+ : Adds the protocol to the list
- : Removes the protocol from the list
In the current release All
is defined as +TLSv1
+TLSv1.1
+TLSv1.2
(SSLv2
is not supported and SSLv3
is disabled out-of-the-box).
Category | Value |
---|---|
Syntax | SSLProxyProtocol [+-] TLSv1 | TLSv1.1 | TLSv1.2 | All |
Example | SSLProxyProtocol +TLSv1 +TLSv1 +TLSv1.1 |
Default | ALL |
Specifies the location of the wallet with its WRL, specified as a filepath, that a proxy connection must use.
Category | Value |
---|---|
Syntax | SSLProxyWallet file:path to wallet |
Example |
SSLProxyWallet "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/proxy" |
Default | None |
Denies access unless an arbitrarily complex boolean expression is true.
Category | Value |
---|---|
Syntax | SSLRequire expression (see Understanding the Expression) |
Example | SSLRequire word ">=" word |word "ge" word |
Default | None |
The expression must match the following syntax (given as a BNF grammar notation):
expr ::= "true" | "false" "!" expr expr "&&" expr expr "||" expr "(" expr ")" comp ::=word "==" word | word "eq" word word "!=" word |word "ne" word word "<" word |word "lt" word word "<=" word |word "le" word word ">" word |word "gt" word word ">=" word |word "ge" word word "=~" regex word "!~" regex wordlist ::= word wordlist "," word word ::= digit cstring variable function digit ::= [0-9]+ cstring ::= "..." variable ::= "%{varname}"
Table E-4 and Table E-5 list standard and SSL variables. These are valid values for varname.
function ::= funcname "(" funcargs ")"
For funcname
, the following function is available:
file(filename)
The file function takes one string argument, the filename, and expands to the contents of the file. This is useful for evaluating the file's contents against a regular expression.
Table E-4 lists the standard variables for SSLRequire varname.
Table E-4 Standard Variables for SSLRequire Varname
Standard Variables | Standard Variables | Standard Variables |
---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Table E-5 lists the SSL variables for SSLRequire varname.
Table E-5 SSL Variables for SSLRequire Varname
SSL Variables | SSL Variables | SSL Variables |
---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Denies access to clients not using SSL. This is a useful directive for absolute protection of a SSL-enabled virtual host or directories in which configuration errors could create security vulnerabilities.
Category | Value |
---|---|
Syntax | SSLRequireSSL |
Example | SSLRequireSSL |
Default | None |
Specifies the global/interprocess session cache storage type. The cache provides an optional way to speed up parallel request processing. The accepted values are:
dc
:UNIX:/path/to/socket: This makes use of the distcache distributed session caching libraries. The argument should specify the location of the server or proxy to be used using the distcache address syntax; for example, UNIX:/path/to/socket specifies a UNIX domain socket (typically a local dc_client proxy); IP:server.example.com:9001 specifies an IP address.
none
: disables the global/interprocess session cache. Produces no impact on functionality, but makes a major difference in performance.
nonenotnull
: This disables any global/inter-process Session Cache. However it does force OpenSSL to send a non-null session ID to accommodate buggy clients that require one.
shmcb:
/path/to/datafile[bytes]: Uses a high-performance Shared Memory Cyclic Buffer (SHMCB) session cache to synchronize the local SSL memory caches of the server processes. The performance of shmcb
is more uniform in all environments when compared to shmht
. Note: in this shm setting, no log files are created under /path/to/datafile on local disk.
shmht:
/path/to/datafile[bytes]: Uses a high-performance hash table (bytes
specifies approximate size) inside a shared memory segment in RAM, which is established by the /path/to/datafile
. This hash table synchronizes the local SSL memory caches of the server processes. Note: in this shm setting, no log files are created under /path/to/datafile on local disk.
Category | Value |
---|---|
Syntax | SSLSessionCache dc:UNIX:/path/to/socket | none |nonetonull | shmcb:/path/to/datafile[bytes] | shmht: /path/to/datafile[bytes] |
Examples | SSLSessionCache shmht: / ORACLE_HOME /Apache/Apache/logs/ssl_scache(512000)
|
Default | SSLSessionCache none |
Specifies the number of seconds before a SSL session in the session cache expires.
Category | Value |
---|---|
Syntax | SSLSessionCacheTimeout seconds |
Example | SSLSessionCacheTimeout 120 |
Default | 300 |
Specifies whether or not a client must present a certificate when connecting. The accepted values are:
none
: No client certificate is required
optional
: Client may present a valid certificate
require
: Client must present a valid certificate
Category | Value |
---|---|
Syntax | SSLVerifyClient none | optional | require |
Example | SSLVerifyClient optional |
Default | None |
Note:
The leveloptional_no_ca
included with mod_ssl
(in which the client can present a valid certificate, but it need not be verifiable) is not supported in mod_ossl
.Specifies the location of the wallet with its WRL, specified as a filepath.
Category | Value |
---|---|
Syntax | SSLWallet file:path to wallet |
Example | SSLWallet file:/etc/ ORACLE/WALLETS/ server |
Default | None |
Note:
SSLWalletPassword
has been deprecated. A warning message is generated in the Oracle HTTP Server log if this directive is used. For secure wallets, you should get a SSO wallet, with auto-login enabled, instead.Specifies the Wallet password needed to access the wallet specified within the same context. You can choose either a cleartext wallet password or an obfuscated password. The obfuscated password is created with the command line tool iasobf
. If you must use a regular wallet, Oracle recommends that you use the obfuscated password instead of a cleartext password. If no password is required do not set this directive.
Note:
If you are using a wallet created with the Auto Login feature of Oracle Wallet Manager, do not set this directive because these wallets do not require passwords.Category | Value |
---|---|
Syntax | SSLWalletPassword password |
Example | SSLWalletPassword myWalletPassword |
Default | None |
Note:
mod_osso is deprecated. You should use the Webgate plugin to achieve single sign on. For more information, see "Installing and Configuring Oracle HTTP Server 11g Webgate for OAM" in Oracle® Fusion Middleware Installation Guide for Oracle Identity Management.mod_oddo accepts the following directives:
Specifies the path to osso.conf
.
Category | Value |
---|---|
Syntax | OssoConfigFile path/to/ osso.conf |
Example | OssoConfigFile OracleOHS_Home/ohs/conf/osso/osso.conf |
Default | None |
Specifies whether or not to enable cookie idle timeout.
Category | Value |
---|---|
Syntax | OssoIdleTimeout ON | OFF |
Example | OssoIdleTimeout OFF |
Default | OFF |
Identifies which URLs OHS should ignore.
If ALL is specified, then all URLs are ignored.
If querystring is specified, URLs matching the query string are ignored.
Category | Value |
---|---|
Syntax | OssoIgnoreUri ALL | querystring string |
Example | OssoIgnoreUri ALL
or
|
Default | No URLs are ignored. |
When set to On, the directive enables a weak form of IP spoof checking. The incoming IP address is compared against the ClientIP header value.
Category | Value |
---|---|
Syntax | OssoIpCheck ON | OFF |
Example | OssoIpCheck ON |
Default | OFF |
Specifies whether or not to enable URI authentication for the location where it was set. When On, URI authentication is enabled.
Category | Value |
---|---|
Syntax | OssoLegacyApp ON | OFF |
Example | OssoLegacyApp ON |
Default | OFF |
Specifies whether or not to create a cookie for an application that protects itself via dynamic sso directives. When ON this cookie is created.
Category | Value |
---|---|
Syntax | OssoProtectedOnly ON | OFF |
Example | OssoProtectedOnly ON |
Default | OFF |
Specifies whether or not to enable redirect by form. When On, the redirect is enabled.
Category | Value |
---|---|
Syntax | OssoRedirectByForm ON | OFF |
Example | OssoRedirectByForm ON |
Default | OFF |
Specifies whether or not to enable secure cookies. When set to On, these cookies are enabled.
Category | Value |
---|---|
Syntax | OssoSecureCookies ON | OFF |
Example | OssoSecureCookies OFF |
Default | ON |
For statically protected pages, this directive specifies whether or not the following headers are sent:
Pragma: no-cache
Cache-Control: no-store
Surrogate-Control: no-store
Expires: Thu, 01 Jan 1970 12:00:00 GMT
Category | Value |
---|---|
Syntax | OssoSendCacheHeaders ON | OFF |
Example | OssoSendCacheHeaders OFF |
Default | ON |
Specifies whether or not to set HTTPOnly in the cookies created by the module. If ON, HTTPOnly is set.
Category | Value |
---|---|
Syntax | OssoHttpOnly ON | OFF |
Example | OssoHttpOnly OFF |
Default | ON |
The mod_plsql configuration parameters are described in these sections:
The following parameters are used with the plsql.conf
file:
Enables Dynamic Monitoring Service (DMS) for the mod_plsql module.
Category | Value |
---|---|
Syntax | PlsqlDMSEnable On | Off |
Example | PlsqlDMSEnable On |
Default | On |
Enables debug level logging for the mod_plsql module. Debug level logging is meant to be used for debugging purposes only.
When logging is enabled, Oracle HTTP Server log files are typically created in the ORACLE_INSTANCE
/diagnostics/logs/OHS/config/OHS/
component_name
directory. However, the location specified in PlsqlLogDirectory determines the final location.
This parameter should be set to Off
unless recommended by Oracle support to debug problems with the mod_plsql module.
To view more details about the internal processing of the mod_plsql module, set this directive to On
. This causes the mod_plsql module to start logging every request that is processed. The log files are generated as specified by the PlsqlLogDirectory directive.
Category | Value |
---|---|
Syntax | PlsqlLogEnable On | Off |
Example | PlsqlLogEnable Off |
Default | Off |
Specifies the directory where debug level logs are written.
Set the directory name of the location where log files should be generated when logging is enabled. To avoid possible confusion about the location of this directory, an absolute path is recommended.
On UNIX, this directory must have write permissions by the owner of the child httpd
processes.
Category | Value |
---|---|
Syntax | PlsqlLogDirectory directory |
Example | PlsqlLogDirectory ORACLE_INSTANCE/diagnostics/logs/OHS/ component_name |
Default | None |
Specifies the time (in minutes) in which the idle database sessions should be closed and cleaned by the mod_plsql module.
This directive is used in conjunction with connection pooling of database connections and sessions in the mod_plsql module. When a session is not used for the specified amount of time, it is closed and freed. This is done so that unused sessions can be cleaned, and the memory is freed on the database side.
Setting this time to a low number helps in faster cleanup of unused database sessions. If this number is too low, then this may adversely affect the performance benefits of connection pooling in the mod_plsql module.
If the number of open database sessions is not a concern, you can increase the value of this parameter for best performance. In such a case, if the site is accessed frequently enough that the idle session cleanup interval is never reached for a session, then the DAD configuration parameter PlsqlMaxRequestsPerSession can be modified so that it is guaranteed that a pooled database session gets recycled on a regular basis.
For most installations, the default value is adequate.
Category | Value |
---|---|
Syntax | PlsqlIdleSessionCleanupInterval number |
Example | PlsqlIdleSessionCleanupInterval 10 |
Default | 15 (minutes) |
The dads.conf
file contains the configuration parameters for the PL/SQL database access descriptor. (See Table E-1 for the file location.) A DAD is a set of values that specifies how the mod_plsql module connects to a database server to fulfill a HTTP request.
The following parameters are used with the dads.conf
file:
Specifies the procedure to be invoked after calling the requested procedure. This enables you to put a hook point after the requested procedure is called. This is useful in doing SQL*Traces/SQL Profiles while debugging a problem with the requested procedure. This is also useful when you want to ensure that a specific call is made after running every procedure.
Category | Value |
---|---|
Syntax | PlsqlAfterProcedure string |
Example | PlsqlAfterProcedure portal.mypkg.myafterproc |
Default | None |
Note:
This parameter should only be used for debugging purposes. In addition, you could use this parameter to stop SQL trace/SQL profiling.Specifies whether the mod_plsql module should describe a procedure before trying to run it. If this is set to On
, then the mod_plsql module will always describe a procedure before invoking it. Otherwise, the mod_plsql module will only describe a procedure when its internal heuristics have interpreted a parameter type incorrectly.
Category | Value |
---|---|
Syntax | PlsqlAlwaysDescribeProcedure On | Off |
Example | PlsqlAlwaysDescribeProcedure On |
Default | Off |
Note:
This parameter should only be used for debugging purposes.Specifies the authentication mode to use for allow access through the DAD. The accepted values for PlsqlAuthenticationMode are Basic, SingleSignOn, GlobalOwa, CustomOwa, PerPackageOwa.
Category | Value |
---|---|
Syntax | PlsqlAuthenticationMode Basic | SingleSignOn | GlobalOwa | CustomOwa | PerPackageOwa |
Example | PlsqlAuthenticationMode CustomOwa |
Default | Basic |
Basic
is the default mode and determines whether or not to ask for username and password if they are not provided with PlsqlDatabaseUsername and PlsqlDatabasePassword. This setting is required for WebDB 2.x applications. If the DAD is not using the Basic authentication, then you must include a valid username/password in the DAD configuration.
SingleSignOn
specifies that you want to use Single Sign-On server. This is required for DADs using Oracle9iAS Portal. As already stated the provided username and password need to be the one from your single signon server.
GlobalOwa
, CustomOwa
, and PerPackageOwa
are used only by very few PL/SQL applications. Custom authentication enables applications to authenticate users within the application itself, not at the database level.
Authorization is performed by invoking a user-written authorization function. Custom authentication uses a static username/password that is stored in the DAD. It cannot be combined with dynamic username/password authentication. To enable custom authentication, set the level of authentication for PlsqlAuthenticationMode and implement the authorize function.
You should also be aware of the following:
If the DAD is not using the Basic authentication, then you must include a valid username/password in the DAD configuration. For the Basic mode, to perform dynamic authentication, the DAD username/password parameters must be omitted.
The SingleSignOn mode is supported only for Oracle Fusion Middleware releases, and is used by Oracle Portal and Oracle Single Sign-On. Most customer applications use Basic authentication. Custom authentication modes (GlobalOwa, CustomOwa, and PerPackageOwa) are used by very few PL/SQL applications.
Specifies the procedure to be invoked before calling the requested procedure. This enables you to put a hook point before the requested procedure is called. This is useful in doing SQL*Traces/SQL Profiles while debugging a problem with the requested procedure. This is also useful when you want to ensure that a specific call be made before running every procedure.
Category | Value |
---|---|
Syntax | PlsqlBeforeProcedure string |
Example | PlsqlBeforeProcedure portal.mypkg.mybeforeproc |
Default | None |
Note:
This parameter should only be used for debugging purposes. In addition, you could use this parameter to start SQL Trace/SQL Profiling.Note:
This configuration property is rarely ever changed, and system defaults suffice in almost all cases.Specifies the rounding size to use while binding the number of elements in a collection bind. While executing PL/SQL statements, the Oracle database maintains a cache of PL/SQL statements in the shared SQL area, and attempts to reuse the cached statement if the same statement is run again. Oracle's matching criteria requires that the statement texts be identical, and that the bind variable data types match. Unfortunately, the type match for strings is sensitive to the exact byte size specified, and for collection bindings is also sensitive to the number of elements in the collection. Since the mod_plsql module binds statements dynamically, the odds of hitting the shared cache are low, and it may fill up with near-duplicates and lead to contention for the latch on the shared area. This parameter reduces that effect by bucketing bind lengths to the nearest level.
All numbers specified should be in ascending order. After the last specified size, subsequent bucket sizes will be assumed to be twice the last one.
Category | Value |
---|---|
Syntax | PlsqlBindBucketLengths number multiline |
Example | PlsqlBindBucketLengths 4
|
Default | 4,20,100,400 |
This parameter is relevant only if you are using procedures with array parameters, and passing varying number of parameters to the procedure.
The default should be sufficient for most PL/SQL applications.
To see if this parameter needs to be changed, check the number of versions of a SQL statement in the SQL area.
After the higher configured value, mod_plsql starts auto-generating bucket sizes of larger values by doubling the last value, as needed. Therefore, after 400, the next bucket value becomes 800, then 1600, and so on.
Consider using flexible parameter passing to reduce the problem.
Note:
This configuration property is rarely ever changed, and system defaults suffice in almost all cases.Specifies the rounding size to use while binding the number of elements in a collection bind. While executing PL/SQL statements, the Oracle database maintains a cache of PL/SQL statements in the shared SQL area, and attempts to reuse the cached statement if the same statement is run again. Oracle's matching criteria requires that the statement texts be identical, and that the bind variable data types match. Unfortunately, the type match for strings is sensitive to the exact byte size specified, and for collection bindings is also sensitive to the number of elements in the collection. Since the mod_plsql module binds statements dynamically, the odds of hitting the shared cache are low, and it may fill up with near-duplicates and lead to contention for the latch on the shared area. This parameter reduces that effect by bucketing bind widths to the nearest level.
All numbers specified should be in ascending order. After the last specified size, subsequent bucket sizes will be assumed to be twice the last one.
The last bucket width must be equal to or less than 4000. This is due to the restriction imposed by OCI where array bind widths cannot be greater than 4000.
Category | Value |
---|---|
Syntax | PlsqlBindBucketWidths number multiline |
Example | PlsqlBindBucketWidths 40
|
Default | 32,128,1450,2048,4000 |
This parameter is relevant only if you are using procedures with array parameters, and passing varying number of parameters to the procedure.
The default should be sufficient for most PL/SQL applications.
To see if this parameter needs to be changed, check the number of versions of a SQL statement in the SQL area.
After the higher configured value, mod_plsql starts auto-generating bucket sizes of larger values by doubling the last value, as needed. Therefore, after 400, the next bucket value becomes 800, then 1600, and so on.
Consider using flexible parameter passing to reduce the problem.
Specifies overrides and additions of CGI environment variables to the default set of environment variables passed to a PL/SQL procedure. This is a multi-line directive of name-value pairs to be added, overridden or removed. You can only specify one environment variable for each directive.
You can add CGI environment variables from the Oracle HTTP Server environment by specifying the variable name. To remove a CGI environment variable, set it equal to blank. To add your own name-value pair, use the syntax myname=myvalue.
Category | Value |
---|---|
Syntax | PlsqlCGIEnvironmentList string multiline |
Default | None |
Example |
|
Environment variables added here are available in the PL/SQL application through the function owa_util.get_cgi_env
.
Specifies the timeout in milliseconds for testing a connection pool in the mod_plsql module.
Category | Value |
---|---|
Syntax | PlsqlConnectionTimeout number |
Example | PlsqlConnectionTimeout 5000 |
Default | 10000 (milliseconds) |
When PlsqlConnectionValidation is set to Automatic
or AlwaysValidate
, the mod_plsql module attempts to test pooled database connections. This parameter specifies the maximum time the mod_plsql module should wait for the test request to complete before it assumes that the connection is not usable.
Specifies the mechanism the mod_plsql module should use to detect terminated connections in its connection pool.
Note:
This configuration property is rarely ever changed, and system defaults suffice in almost all cases.For performance reasons, the mod_plsql module pools database connections. If a database instance goes down, and the mod_plsql module was maintaining a pool of connections to the instance, then each pooled database connection results in an error when it is next used to service a request. This can be a concern in high availability configurations such as RAC where even if one node goes down, other nodes servicing the database might have been able to service the request successfully. The mod_plsql module provides for a mechanism whereby it can self-correct after it detects a failure that could be caused by a database node going down. This mechanism to self-correct is controlled by the parameter PlsqlConnectionValidation.
The following are the valid values for PlsqlConnectionValidation:
Automatic
: The mod_plsql module tests all pooled database connections which were created prior to the detection of a failure that could mean an instance failure.
ThrowAwayOnFailure
: The mod_plsql module throws away all pooled database connections which were created prior to the detection of a failure that could mean an instance failure.
AlwaysValidate
: The mod_plsql module always tests all pooled database connections which were created prior to issuing a request. Since this option has an associated performance overhead for each request, this should be used with caution.
NeverValidate
: The mod_plsql module never pings any pooled database connection.
Category | Value |
---|---|
Syntax | PlsqlConnectionValidation Automatic | ThrowAwayOnFailure | AlwaysValidate | NeverValidate |
Example | PlsqlConnectionValidation ThrowAwayOnFailure |
Default | Automatic |
When the mod_plsql module encounters one of the following errors, it assumes that the database may have been down.
00443 — background process <string> did not start
00444 — background process <string> failed while starting
00445 — background process did not start after <x> seconds
00447 — fatal error in background processes
00448 — normal completion of background process
00449 — background process <string> unexpectedly terminated with error
00470 — LGWR process terminated with error
00471 — DBWR process terminated with error
00472 — PMON process terminated with error
00473 — ARCH process terminated with error
00474 — SMON process terminated with error
00475 — TRWR process terminated with error
00476 — RECO process terminated with error
00480 — LCK* process terminated with error
00481 — LMON process terminated with error
00482 — LMD* process terminated with error
00484 — LMS* process terminated with error
00485 — DIAG process terminated with error
01014 — ORACLE shutdown in progress
01033 — ORACLE initialization or shutdown in progress
01034 — ORACLE not available
01041 — internal error. hostdef extension doesn't exist
01077 — background process initialization failure
01089 — immediate shutdown in progress- no operations permitted
01090 — shutdown in progress- connection is not permitted
01091 — failure during startup force
01092 — ORACLE instance terminated. Disconnection forced
03106 — fatal two-task communication protocol error
03113 — end-of-file on communication channel
03114 — not connected to ORACLE
12570 — TNS: packet reader failure
12571 — TNS: packet writer failure
Specifies the connection to an Oracle database.
Category | Value |
---|---|
Syntax | PlsqlDatabaseConnectString string {ServiceNameFormat | SIDFormat | TNSFormat | NetServiceNameFormat}
The string parameter depends on the second argument:
If the format argument is not specified, then the mod_plsql module assumes the string is either in the HOST:PORT:SID format, or resolvable by Net8. The differentiation between the two is made by the presence of the colon in the specified string. It is recommended that newer DADs do not use the |
Example |
|
Default | None |
If the database is running in the same Oracle home, or the environment variable TWO_TASK is set, then this parameter need not be specified.
If the database is running in a separate Oracle home, then this parameter is mandatory.
If you have problems connecting to the database:
Check the username and password information in the DAD.
Make sure that you run tnsping db_connect_string, and commands such as:
sqlplus DADUsername/DADPassword@db_connect_string
Ensure that TNS_ADMIN is configured properly.
Verify that the HOST:PORT:SERVICE_NAME format works correctly.
Ensure that the TNS listener and database are up and running.
Ensure that you can ping the host from this machine.
From a the mod_plsql module perspective, TNSFormat
and NetServiceNameFormat
are synonymous and denote connect descriptors that are resolved by Net8. The TNSFormat
is provided as a convenience so that end-users use this to signify that the name resolution happens through the local tnsnames.ora. For situations where the resolution is through an LDAP lookup as configured in sqlnet.ora, it is recommended that the format specifier of NetServiceNameFormat
be used.
If your database supports high availability, for example, Oracle Real Application Clusters database, it is highly recommended that you use the NetServiceNameFormat
such that the resolution for the net service name is through LDAP. This enables you to add or remove RAC nodes accessible through the mod_plsql module by changing Oracle Internet Directory with the new or deleted node information. In such situations, hard-coding database listener HOST:PORT information in dads.conf or in the local tnsnames.ora
is not recommended.
Specifies the password to use to log in to the database.
Category | Value |
---|---|
Syntax | PlsqlDatabasePassword string |
Example | PlsqlDatabasePassword tiger |
Default | None |
This is a mandatory parameter, except for a DAD that sets PlsqlAuthenticationMode to Basic and uses dynamic authentication.
For DADs using SingleSignOn authentication, this parameter uses the name of the schema owner.
After making manual configuration changes to DAD passwords, you should obfuscate the DAD passwords by running the dadTool.pl
script, located in ORACLE_HOME/bin
.
To obfuscate DAD passwords:
If necessary, change the user to the Oracle software owner user, typically oracle
, using the following command:
$ su - oracle
Set the ORACLE_HOME
environment variable to specify the path to the Oracle home directory for the current release, and set the PATH environment variable to include the directory containing the Perl executable and the location of the dadTool.pl
script.
Bourne, Bash, or Korn shell:
$ ORACLE_HOME=new_ORACLE_HOME_path;export ORACLE_HOME $ PATH=ORACLE_HOME/bin:ORACLE_HOME/perl/bin:$PATH;export PATH
C or tcsh shell:
% setenv ORACLE_HOME new_ORACLE_HOME_PATH % setenv PATH ORACLE_HOME/bin:ORACLE_HOME/perl/bin:PATH
On Microsoft Windows, set the PATH and PERL5LIB environment variable:
set PATH=ORACLE_HOME\bin;ORACLE_HOME\perl\bin;%PATH% set PERL5LIB=ORACLE_HOME\perl\lib
On UNIX platforms, set the shared library path environment variable.
Include the ORACLE_HOME/lib
or lib32
directory in your shared library path. Table E-6 shows the appropriate directory and environment variable for each platform.
Table E-6 Shared Library Path Environment Variable
Platform | Environment Variable | Include Directory |
---|---|---|
AIX Based Systems |
LIBPATH |
ORACLE_HOME/lib |
HP-UX PA-RISC |
SHLIB_PATH |
ORACLE_HOME/lib |
Solaris Operating System |
LD_LIBRARY_PATH |
ORACLE_HOME/lib32 |
Other UNIX platforms, including Linux and HP Tru64 UNIX |
LD_LIBRARY_PATH |
ORACLE_HOME/lib |
For example, on HP-UX PA-RISC systems, set the SHLIB_PATH environment to include the ORACLE_HOME/lib
directory:
$SHLIB_PATH=$ORACLE_HOME/lib:$SHLIB_PATH;export SHLIB_PATH
Change directory to the mod_plsql configuration directory for the current release of Oracle HTTP Server:
cd ORACLE_HOME/bin
Invoke the following Perl script to obfuscate DAD password:
perl dadTool.pl -f dadfilename
where dadfilename
is the filename for dads.conf
, which includes the full path to the DAD file.
For example:
perl dadTool.pl -f /u01/app/oracle/as11gr1/ORACLE_INSTANCE/config/OHS/component_name/mod_plsql/dads.conf
Specifies the username to use to log in to the database.
Category | Value |
---|---|
Syntax | PlsqlDatabaseUsername string |
Example | PlsqlDatabaseUsername scott |
Default | None |
This is a mandatory parameter, except for a DAD that sets PlsqlAuthenticationMode to Basic and uses dynamic authentication.
For DADs using SingleSignOn authentication, this parameter is the name of the schema owner.
Specifies the default procedure to call if none is specified in the URL.
Category | Value |
---|---|
Syntax | PlsqlDefaultPage string |
Example | PlsqlDefaultPage myschema.mypackage.home |
Default | None |
You can also use Oracle HTTP Server Rewrite rules to achieve the same effect as you get by setting this configuration parameter.
Specifies a virtual path in the URL that initiates document download from the document table. For example, if this parameter is set to docs
, then the following URLs will start the document downloading process for URLs of the format:
/pls/dad/docs /pls/plsqlapp/docs
Category | Value |
---|---|
Syntax | PlsqlDocumentPath string |
Example | PlsqlDocumentPath docs |
Default | docs |
Omit this parameter for applications that do not perform document uploads or downloads.
Specifies the procedure to call when a document download is initiated. This procedure is called to process the download.
Category | Value |
---|---|
Syntax | PlsqlDocumentProcedure string |
Example | PlsqlDocumentProcedure portal.wwdoc_process.process_download |
Default | None |
Omit this parameter for applications that do not perform document uploads or downloads.
Specifies the table in the database to which all documents are uploaded.
Category | Value |
---|---|
Syntax | PlsqlDocumentTablename string |
Example | PlsqlDocumentTablename myschema.document_table |
Default | None |
Omit this parameter for applications that do not perform document uploads or downloads.
Specifies the error reporting mode for mod_plsql errors.
Specifies a pattern for procedures, packages, or schema names which are forbidden to be directly run from a browser. This is a multi-line directive in which each pattern is on a separate line. The pattern is not case sensitive and can accept a wildcard such as an asterisk (*). The default patterns disallowed from direct URL access are as follows:
sys.*
dbms_*
utl_*
owa_util*
owa.*
htp.*
htf.*
wpg_docload.*
Setting this directive to #NONE#
will disable all protection. This is strongly discouraged for an active site and should not be done. It may be used for debugging purposes.
If this parameter is overridden, the defaults still apply, which means that you do not have to explicitly add the default list to the list of excluded patterns.
Category | Value |
---|---|
Syntax | PlsqlExclusionList {string | "#NONE#" multiline } |
Example | PlsqlExclusionList myschema.private.*
will disallow access to URLs which contain one of:
will disable all protection. Its use is strongly discouraged for an active site. |
Default | sys.*
dbms_* utl_* owa_util* owa.* htp.* htf.* wpg_docload.* |
In addition to the patterns specified with this parameter, the mod_plsql module disallows any procedure name which contains the following special characters:
tabs
new lines
carriage-return
single quotation mark
reverse slash
form feed
left parenthesis
right parenthesis
space
This cannot be changed.
Specifies the number of rows of content to fetch from the database for each trip, using either owa_util.get_page or owa_util.get_page_raw.
By default, the mod_plsql module attempts to fetch 200 response lines of output where each line is of 255 bytes. In situations where the response bytes are single-bytes, the response buffer is populated to the maximum and can pack 255*200=51000 bytes for each round trip. For responses containing multi-byte data, the byte packing for each row could be less than ideal resulting in lesser bytes getting transferred for each round trip. If your application generates large pages frequently and the response does not fit in one round trip, then consider setting this parameter higher. The memory usage for the mod_plsql module will increase.
Category | Value |
---|---|
Syntax | PlsqlFetchBufferSize number |
Example | PlsqlFetchBufferSize 256 |
Default | 200 |
This parameter is changed only for performance reasons. The minimum value for this parameter is 28, but it is seldom reduced.
Change this parameter only under the following circumstances:
The average response page is large and you want to reduce the number of round-trips the mod_plsql module makes to the database to fetch the response.
The character set in use is multi-byte, and you want to compensate for the problem of get_page or get_page_raw fetching fewer bytes for each row. Calculations in the PL/SQL Web ToolKit are character-based and in the case of multi-byte characters, OWA packages assume a worst-case character byte size and do not attempt to pack each row to its maximum.
Specifies what mode the mod_plsql module should use to do extra performance logging.
InfoDebug mode: This logs more information to the Apache's error_log. This is used in conjunction with Apache's info logging level. If the Apache's logging level is not at least set to this high, this setting will be ignored.
Category | Value |
---|---|
Syntax | PlsqlInfoLogging InfoDebug |
Example | PlsqlInfoLogging InfoDebug |
Default | Empty |
The logging setting is useful for debugging problems in your PL/SQL application.
Specifies the maximum number of requests a pooled database connection should service before it is closed and re-opened.
Category | Value |
---|---|
Syntax | PlsqlMaxRequestsPerSession number |
Example | PlsqlMaxRequestsPerSession 500 |
Default | 1000 |
This parameter helps relieve memory and resource problems that may occur due to prolonged session reuse by a PL/SQL application.
This parameter should not need to be changed. The default is sufficient in most cases.
Setting this parameter to a low number can degrade performance. A case for a lower value might be an infrequently-used DAD whose performance is not a concern, and for which limiting the number of requests provides some benefit.
Specifies the NLS_LANG variable for this DAD. This parameter overrides the NLS_LANG environment variable. When this parameter is set, the PL/SQL Gateway uses the specified NLS_LANG to connect to the database. Once connected, an alter session command is issued to switch to the specified language and territory. If the middle tier character set matches that of the database, then no alter session call is issued by the mod_plsql module.
Category | Value |
---|---|
Syntax | PlsqlNLSLanguage string |
Example | PlsqlNLSLanguage America_America.UTF8 |
Default | None |
Most applications have PlsqlTransferMode set to CHAR which means that the character set in PlsqlNLSLanguage needs to match the character set of the database. In one special case, where the database and the mod_plsql module are both using fixed-size character sets, and the character set width matches, the character set can be different. The response character set is always the mod_plsql module character set.
If PlsqlTransferMode is set to RAW, then this parameter can be ignored.
Specifies a virtual path alias to map to a procedure call. This is application-specific. This directive is used with PlsqlPathAliasProcedure.
Category | Value |
---|---|
Syntax | PlsqlPathAlias string |
Example | PlsqlPathAlias url |
Default | None |
For applications that do not use path aliasing, this parameter may be omitted.
Specifies the procedure to call when the virtual path in the URL matches the path alias as configured by PlsqlPathAlias.
Category | Value |
---|---|
Syntax | PlsqlPathAliasProcedure string |
Example | PlsqlPathAliasProcedure portal.wwpth_api_alias.process_download |
Default | None |
For applications that do not use path aliasing, this parameter may be omitted.
Specifies an application-defined PL/SQL function which gives you the opportunity to allow and disallow further processing of the requested procedure. This is useful in implementing tight security for your PL/SQL application by blocking out package and procedure calls that should not be allowed to run from a DAD.
The function defined by this parameter must have the following prototype:
boolean function_name (procedure_name IN varchar2)
The procedure_name parameter will contain the name of the procedure that the request is trying to run.
For example, if all the PL/SQL application procedures callable from a browser are inside the package mypkg, then an implementation of this function can be as follows:
boolean my_validation_check (procedure_name varchar2) is begin if (upper (procedure_name) like upper ('myschema.mypkg%')) then return TRUE else return FALSE end if; end;
Category | Value |
---|---|
Syntax | PlsqlRequestValidationFunction string |
Example | PlsqlRequestValidationFunction myschema.mypkg.my_validation_check |
Default | none |
By default, the mod_plsql module already disallows direct URL access to certain schemas and packages. For more information, refer to PlsqlExclusionList.
It is highly recommended that you provide an implementation for this function such that it only allows requests that belong to your application, and are callable from a browser.
Since this function will be called for every request, be sure to make this function as optimized as possible. Suggested recommendations are:
Name your PL/SQL packages in a fashion such that the implementation of this function can be similar to the previous example.
If your implementation performs a table lookup to determine what packages and procedures should be allowed, then performance can be improved if you pin the cursor in the shared pool.
Specifies the cookie name when PlsqlAuthenticationMode is set to SingleSignOn. This parameter is supported only for Oracle Fusion Middleware releases, and is used by Oracle Portal and Oracle Single Sign-On.
Category | Value |
---|---|
Syntax | PlsqlSessionCookieName cookie_name |
Example | PlsqlSessionCookieName mycookie |
Default | Same as DAD name |
For DADs not using SingleSignOn authentication, this parameter can be omitted. In most other cases, the session cookie name should be omitted (and this parameter automatically defaults to the DAD name).
A session cookie name must be specified only for Oracle Portal instances that need to participate in a distributed Oracle Portal environment. For those Oracle Portal nodes you want to seamlessly participate as a federated cluster, ensure that the session cookie name for all the participating nodes is the same.
Independent Oracle Portal nodes need to use distinct session cookie names.
Specifies how package and session state should be cleaned up at the end of each the mod_plsql request.
StatelessWithResetPackageState
causes the mod_plsql module to call dbms_session.reset_package_state
at the end of each mod_plsql request. This is the default.
StatelessWithPreservePackageState
causes the mod_plsql module to call htp.init
at the end of each mod_plsql request. This cleans up the state of session variables in the PL/SQL Web ToolKit. The PL/SQL application is responsible for cleaning up its own session state. Failure to do so causes erratic behavior, in which a request starts recognizing or manipulating state modified in previous requests.
StatelessWithFastResetPackageState
causes the mod_plsql module to call dbms_session.modify_package_state(dbms_session.reinitialize)
at the end of each mod_plsql request. This API is faster than the mode of StatelessWithResetPackageState
, and avoids some latch contention issues, but exists only in Oracle database releases 8.1.7.2 and later. This mode uses slightly more memory than the default mode.
Category | Value |
---|---|
Syntax | PlsqlSessionStateManagement {StatelessWithResetPackageState | StatelessWithFastResetPackageState | StatelessWithPreservePackageState } |
Example | PlsqlSessionStateManagement StatelessWithPreservePackageState |
Default | StatelessWithResetPackageState |
The earlier values of stateful=no or stateful=STATELESS_RESET corresponds to StatelessWithResetPackageState
.
The earlier value of stateful=STATELESS_FAST_RESET corresponds to StatelessWithFastResetPackageState
.
The earlier value of stateful=STATELESS_PRESERVE corresponds to StatelessWithPreservePackageState
.
The mod_plsql module does not support stateful mode of operation. To allow PL/SQL applications stateful behavior, save the state in cookies and/or in the database.
Specifies the transfer mode for data from the database back to the mod_plsql module. Most applications use the default value of CHAR
.
Category | Value |
---|---|
Syntax | PlsqlTransferMode {CHAR | RAW } |
Example | PlsqlTransferMode CHAR |
Default | CHAR |
This parameter only needs to be changed to enable sending back responses in different character sets from the same DAD. In such a case, the CHAR
mode is useless, since it always converts the response data from the database character set to the mod_plsql character set.
Specifies the file extensions to be uploaded as LONGRAW data type, as opposed to using the default BLOB data type. The default can be overridden by specifying multi-line directives of file extensions for field. A value of asterisk (*
) in this field causes all documents to be uploaded as LONGRAW.
Category | Value |
---|---|
Syntax | PlsqlUploadAsLongRaw string multiline |
Example | PlsqlUploadAsLongRaw jpg
|
Default | None |
For applications that do not upload or download documents, this parameter may be omitted.
The cache.conf
file contains the configuration settings for the file system caching functionality implemented in the mod_plsql module. This configuration file is relevant only if PL/SQL applications use the OWA_CACHE
package to cache dynamically generated content in the file system.
The following parameters are specified in the cache.conf
file:
Specifies the time to start the cleanup of the cache storage.
This setting defines the exact day and time in which cleanup should occur. The frequency can be set as daily, weekly, and monthly.
To define daily frequency, the keyword Everyday
is used. The cleanup starts every day at the time defined. For example, Everyday 2:00
causes the cleanup to happen everyday at 2:00 a.m. (local time).
To define weekly frequency, the days of the week, (Sunday
, Monday
, Tuesday
, Wednesday
, Thursday
, Friday
, Saturday
) are used. For example, Wednesday 15:30
causes the cleanup to happen every Wednesday at 3:30 p.m. (local time).
To define monthly frequency, the keyword Everymonth
is used. The cleanup starts on the Saturday of the month at the time defined. For example, Saturday Everymonth 23:00 causes the cleanup to happen the first Saturday of every month at 11:00 p.m. (local time).
Category | Value |
---|---|
Syntax | PlsqlCacheCleanupTime {Sunday-Saturday | Everyday | Everymonth} {hh:mm} |
Example | PlsqlCacheCleanupTime Monday 20:00 |
Default | Saturday 23:00 |
Specifies the directory where cache files are written out by the mod_plsql module. This directory must exist or Oracle HTTP Server will not start.
On UNIX, this directory must have write permissions by the owner of the child httpd processes.
Category | Value |
---|---|
Syntax | PlsqlCacheDirectory directory |
Example | PlsqlCacheDirectory ORACLE_INSTANCE /OHS/ component_name |
Default | none |
Enables mod_plsql caching.
Category | Value |
---|---|
Syntax | PlsqlCacheEnable {On | Off} |
Example | PlsqlCacheEnable On |
Default | Off |
If an application does not make use of the OWA_CACHE
package in the PL/SQL Web Toolkit, then you can choose to disable caching. In such situations, there will be a minor performance benefit.
Specifies the maximum time, in days, a cache file can reside in a file system cache, after which the cached file will be removed for cache maintenance.
This setting is to ensure that the cache system does not contain old content. This setting removes old cache files and makes space for new ones.
Category | Value |
---|---|
Syntax | PlsqlCacheMaxAge number |
Example | PlsqlCacheMaxAge 20 |
Default | 30 (days) |
Specifies the maximum possible size of a cache file.
This setting prevents the case in which one file can fill up the entire cache. In general, it is recommended that this be set to about 1-3 percent of the total cache size, which is specified by PlsqlCacheTotalSize.
Category | Value |
---|---|
Syntax | PlsqlCacheMaxSize number |
Example | PlsqlCacheMaxSize 1048576 |
Default | 1048576 |
Specifies the total size of the cache directory. The default is 20 MB.
This setting limits the amount of space the cache is allowed to use. Both PL/SQL cache and Session Cookie cache share this cache space. This setting is not a hard limit. It might exceed the limit temporarily during normal processing. This is normal behavior.
The cleanup algorithm uses this setting to determine how much to reduce the cache files. Therefore, the real space limit is the physical storage's available size.
This parameter takes bytes as values:
1 megabytes = 1048576 bytes
10 megabytes = 10485760 bytes
Category | Value |
---|---|
Syntax | PlsqlCacheTotalSize number |
Example | PlsqlCacheTotalSize 20971520 |
Default | 20971520 (bytes) |
mod_wl_ohs accepts the following directives:
Note:
mod_wl_ohs directives are the same as those accepted by mod_wl.Interval in seconds that the plug-in should sleep between attempts to connect to the WebLogic Server host (or all of the servers in a cluster). Make this number less than the ConnectTimeoutSecs. The number of times the plug-in tries to connect before returning an HTTP 503/Service Unavailable response to the client is calculated by dividing ConnectTimeoutSecs by ConnectRetrySecs. To specify no retries, set ConnectRetrySecs equal to ConnectTimeoutSecs. However, the plug-in attempts to connect at least twice.You can customize the error response by using the ErrorPage directive.
Category | Value |
---|---|
Syntax | ConnectRetrySecs secs |
Example | ConnectRetrySecs 10 |
Default | 2 |
Maximum time in seconds that the plug-in should attempt to connect to the WebLogic Server host. Make the value greater than ConnectRetrySecs. If ConnectTimeoutSecs expires without a successful connection, even after the appropriate retries (see ConnectRetrySecs), an HTTP 503/Service Unavailable response is sent to the client. You can customize the error response by using the ErrorPage directive.
Category | Value |
---|---|
Syntax | ConnectTimeoutSecs secs |
Example | ConnectTimeoutSecs 120 |
Default | 10 |
Sets the type of logging performed for debugging operations. The debugging information is written to the /tmp/wlproxy.log file on UNIX systems and c:\TEMP\wlproxy.log on Windows NT/2000 systems.
Override this location and filename by setting the WLLogFile parameter to a different directory and file. (See the WLTempDir parameter for an additional way to change this location.)
Ensure that the tmp or TEMP directory has write permission assigned to the user who is logged in to the server. Set any of the following logging options (HFC,HTW,HFW, and HTC options may be set in combination by entering them separated by commas, for example ”HFC,HTW”):
ON - The plug-in logs informational and error messages.
OFF - No debugging information is logged.
HFC - The plug-in logs headers from the client, informational, and error messages.
HTW - The plug-in logs headers sent to WebLogic Server, and informational and error messages.
HFW - The plug-in logs headers sent from WebLogic Server, and informational and error messages.
HTC - The plug-in logs headers sent to the client, informational messages, and error messages.
ERR - Prints only the Error messages in the plug-in.
ALL - The plug-in logs headers sent to and from the client, headers sent to and from WebLogic Server, information messages, and error messages.
Category | Value |
---|---|
Syntax | Debug ON | OFF | HFC | HTW | HFW | HTC | ERR | ALL |
Example | Debug HFC,HTW,HTC |
Default | OFF |
Enables the special query parameter ”__WebLogicBridgeConfig”. Use it to get details about configuration parameters from the plug-in.For example, if you enable ”__WebLogicBridgeConfig” by setting DebugConfigInfo and then send a request that includes the query string ?__WebLogicBridgeConfig, then the plug-in gathers the configuration information and run-time statistics and returns the information to the browser. The plug-in does not connect to WebLogic Server in this case. This parameter is strictly for debugging and the format of the output message can change with releases. For security purposes, keep this parameter turned OFF in production systems.
Category | Value |
---|---|
Syntax | DebugConfigInfo OFF | ON |
Example | DebugConfigInfo ON |
Default | OFF |
Sets the default welcome page of the Web Application in WebLogic Server to which requests are being proxied.
If the URI is ”/” then the plug-in performs the following steps:
Trims the path specified with the PathTrim parameter.
Appends the value of DefaultFileName.
Prepends the value specified with PathPrepend.
This procedure prevents redirects from WebLogic Server. For example, If the DefaultFileName is set to welcome.html, an HTTP request like ”http://somehost/weblogic” becomes ”http://somehost/weblogic/welcome.html”. For this parameter to function, the same file must be specified as a welcome file in all the Web Applications to which requests are directed. For more information, see Configuring Welcome Pages.
Apache users:
If you are using Stronghold or Raven versions, define this parameter inside of a Location block, and not in an IfModule block. OracleCategory | Value |
---|---|
Syntax | DefaultFileName "http://path/to/file" |
Example | DefaultFileName ”http://somehost/weblogic” |
Default | none |
When set to OFF, the plug-in ignores the dynamic cluster list used for load balancing requests proxied from the plug-in and only uses the static list specified with the WebLogicCluster parameter. Normally this parameter should remain set to ON.
There are some implications for setting this parameter to OFF:
If one or more servers in the static list fails, the plug-in could waste time trying to connect to a dead server, resulting in decreased performance.
If you add a new server to the cluster, the plug-in cannot proxy requests to the new server unless you redefine this parameter. WebLogic Server automatically adds new servers to the dynamic server list when they become part of the cluster.
Category | Value |
---|---|
Syntax | DynamicServerList ON | OFF |
Example | DynamicServerList OFF |
Default | ON |
Sets the error page that appears whenever your Web server is unable to forward requests to WebLogic Server. You can create your own error page. The plug-in redirects to an error page when the back-end server returns an HTTP 503/Service Unavailable response and there are no servers for failover.
Category | Value |
---|---|
Syntax | ErrorPage |
Example | ErrorPage |
Default | none |
Specifies whether or not file caching is enabled. When set to ON, and the size of the POST data in a request is greater than 2048 bytes, the POST data is first read into a temporary file on disk and then forwarded to the WebLogic Server in chunks of 8192 bytes. This preserves the POST data during failover, allowing all necessary data to be repeated to the secondary if the primary goes down.
Note that when FileCaching is ON, any client that tracks the progress of the POST will see that the transfer has completed even though the data is still being transferred between the WebServer and WebLogic. So, if you want the progress bar displayed by a browser during the upload to reflect when the data is actually available on the WebLogic Server, you might not want to have FileCaching ON.
When set to OFF and the size of the POST data in a request is greater than 2048 bytes, the reading of the POST data is postponed until a WebLogic Server cluster member is identified to serve the request. Then the plug-in reads and immediately sends the POST data to the WebLogic Server in chunks of 8192 bytes.
Note that turning FileCaching OFF limits failover. If the WebLogic Server primary server goes down while processing the request, the POST data already sent to the primary cannot be repeated to the secondary.
Finally, regardless of how FileCaching is set, if the size of the POST data is 2048 bytes or less the plug-in will read the data into memory and use it if needed during failover to repeat to the secondary.
Category | Value |
---|---|
Syntax | FileCaching ON | OFF |
Example | FileCaching OFF |
Default | ON |
Specifies whether or not plug-ins fail over.
When set to ON and if the servers do not respond within WLIOTimeoutSecs, the plug-ins fail over if the method is idempotent.
The plug-ins also fail over if Idempotent is set to ON and the servers respond with an error such as READ_ERROR_FROM_SERVER.
If set to OFF the plug-ins do not fail over. If you are using the Apache HTTP Server you can set this parameter differently for different URLs or MIME types.
Category | Value |
---|---|
Syntax | Idempotent ON | OFF |
Example | Idempotent OFF |
Default | ON |
Enables pooling of connections between the plug-in and WebLogic Server.
If you are using Apache prefork mpm, Apache web server might crash. Turn KeepAliveEnabled to OFF when using prefork mpm or use worker mpm in Apache.
Category | Value |
---|---|
Syntax | KeepAliveEnabled ON(TRUE) | OFF (FALSE) |
Example | KeepAliveEnabled OFF |
Default | ON(TRUE) |
Specifies how long to maintain an inactive connection between the plug-in and WebLogic Server. Once the time set here has elapsed, the connection is closed. You must set KeepAliveEnabled to true (ON when using the Apache HTTP Server) for this parameter to be effective.
The value of this parameter must be less than or equal to the value of the Duration field set in the Administration Console on the Server/HTTP tab, or the value set on the server Mbean with the KeepAliveSecs attribute.
Category | Value |
---|---|
Syntax | KeepAliveSecs secs |
Example | KeepAliveSecs 120 |
Default | 20 |
Specifies the filename pattern to use when proxying. This directive is entered inside of an IfModule block. For example, if you wanted to proxy by MIME type, you would use MatchExpression as shown here:
<IfModule weblogic_module>
MatchExpression *.jsp
WebLogicHost=myHost|paramName=value
</IfModule>
Or, if you wanted to proxy by path, you would use MatchExpression like this:
<IfModule weblogic_module>
MatchExpression /weblogic
WebLogicHost=myHost|paramName=value
</IfModule>
You can define a new parameter for MatchExpression by using the following syntax:
MatchExpression *.jsp PathPrepend=/test PathTrim=/foo
Category | Value |
---|---|
Syntax | MatchExpression expression |
Example | MatchExpression /weblogic |
Default | none |
Maximum allowable size of POST data, in bytes. If the content-length exceeds MaxPostSize, the plug-in returns an error message. If set to -1, the size of POST data is not checked. This is useful for preventing denial-of-service attacks that attempt to overload the server with POST data.
Category | Value |
---|---|
Syntax | MaxPostSize nn |
Example | MaxPostSize 64 |
Default | -1 |
If a WebLogic Server listed in either the WebLogicCluster parameter or a dynamic cluster list returned from WebLogic Server fails, the failed server is marked as ”bad” and the plug-in attempts to connect to the next server in the list.
MaxSkipTime sets the amount of time after which the plug-in will retry the server marked as ”bad.” The plug-in attempts to connect to a new server in the list each time a unique request is received (that is, a request without a cookie).
Category | Value |
---|---|
Syntax | MaxSkipTime sec |
Example | MaxSkipTime 120 |
Default | 10 |
Specifies the path that the plug-in prepends to the {PATH} portion of the original URL, after PathTrim is trimmed and before the request is forwarded to WebLogic Server.Note that if you need to append File Name, use DefaultFileName parameter instead of PathPrepend.
Category | Value |
---|---|
Syntax | PathPrepend [PROTOCOL]://[HOSTNAME]:{PORT}/{PATH}/{FILENAME};{PATH_PARAMS}/{QUERY_STRING] |
Example | PathPrepend http://myHost:1234/myPath/myfile; |
Default | null |
PathTrim specifies the string trimmed by the plug-in from the {PATH}/{FILENAME} portion of the original URL, before the request is forwarded to WebLogic Server. For example, if this URL:
http://myWeb.server.com/weblogic/foo
is passed to the plug-in for parsing and if PathTrim has been set to strip off /weblogic before handing the URL to WebLogic Server, the URL forwarded to WebLogic Server is:
http://myWeb.server.com:7001/foo
Note that if you are newly converting an existing third-party server to proxy requests to WebLogic Server using the plug-in, you will need to change application paths to /foo to include weblogic/foo. You can use PathTrim and PathPrepend in combination to change this path.
Category | Value |
---|---|
Syntax | PathTrim [PROTOCOL]://[HOSTNAME]:{PORT}/{PATH}/{FILENAME};{PATH_PARAMS}/{QUERY_STRING} |
Example | PathTrim http://myWeb.server.com/weblogic/foo |
Default | null |
When set to ON, specifies that the Apache HTTP Server use
(request_rec *)r->the_ request
to pass the query string to WebLogic Server. (For more information, see the Apache documentation.) This behavior is useful when a Netscape version 4.x browser makes requests that contain spaces in the query string.
When set to OFF, the Apache HTTP Server uses (request_rec *)r->args to pass the query string to WebLogic Server.
Category | Value |
---|---|
Syntax | QueryFromRequest ON | OFF |
Example | QueryFromRequest ON |
Default | OFF |
Specifies the list of WebLogic Servers that can be used for load balancing. The server or cluster list is a list of host:port entries. If a mixed set of clusters and single servers is specified, the dynamic list returned for this parameter will return only the clustered servers. This derivative is required to proxy a list of clustered back-end servers or to perform load balancing among non-clustered managed server instances.
If you are using SSL between the plug-in and WebLogic Server, set the port number to the SSL listen port and set the SecureProxy parameter to ON.
The plug-in does a simple round-robin between all available servers. The server list specified in this property is a starting point for the dynamic server list that the server and plug-in maintain. WebLogic Server and the plug-in work together to update the server list automatically with new, failed, and recovered cluster members.
You can disable the use of the dynamic cluster list by setting the DynamicServerList parameter to OFF.
The plug-in directs HTTP requests containing a cookie, URL-encoded session, or a session stored in the POST data to the server in the cluster that originally created the cookie.
Category | Value |
---|---|
Syntax | The syntax for specifying the value of this parameter varies depending on the web server for which you are configuring the plug-in, as described in Using Web Server 1.1 Plug-Ins with Oracle WebLogic Server. For more information, see the following: |
Example | WebLogicCluster w1s1.com:7001,w1s2.com:7001,w1s3.com:7001 |
Default | none |
Specifies the WebLogic Server host (or virtual host name as defined in WebLogic Server) to which HTTP requests should be forwarded. If you are using a WebLogic cluster, use the WebLogicCluster parameter instead of WebLogicHost. This directive is required when proxying to a single WebLogic Server.
Category | Value |
---|---|
Syntax | WebLogicHost hostname |
Example | WebLogicHost myHost |
Default | none |
Specifies the port at which the WebLogic Server host is listening for connection requests from the plug-in (or from other servers). This directive is required when proxying to a single WebLogic Server.
If you are using SSL between the plug-in and WebLogic Server, set this parameter to the SSL listen port and set the SecureProxy parameter to ON.
If you are using a WebLogic Cluster, use the WebLogicCluster parameter instead of WebLogicPort.
Category | Value |
---|---|
Syntax | WebLogicPort portNo |
Example | WebLogicPort 1234 |
Default | none |
Note:
Because of security concerns, the SSLv3 security protocol is disabled out-of-the-box in the Oracle HTTP Server 11.1.1.9 release. The SSLv2 and SSLV3 protocols are no longer supported by Oracle HTTP Server.If you are upgrading from an earlier release of Oracle HTTP Server, the SSLv3 and/or SSLv2 security protocol might be a part of your configuration. Oracle strongly recommends that you disable any SSLv3 or SSLv2 configuration from Oracle HTTP Server. See Section 8.9, "Disable SSLv2 and SSLv3 Security Protocols."
Selects the SSL protocol version to use for communication between the plug-in and the WebLogic Server. The following values are accepted:
TLSv1
TLSv1.1
TLSv1.2
You can specify multiple values as a space-delimited list.
The SSL protocol version chosen is used for all the connections from the plug-in to WebLogic Server. Hence define this parameter at the global scope.
In the current release, you can specify the value for this directive using OpenSSL format. The nzos*
formats have been deprecated and their use should be avoided.
Protocol Name | OpenSSL Format | nzos* Format (Deprecated) |
---|---|---|
TLS version 1.0 | TLSv1 | nzos_Version_1_0 |
TLS version 1.1 | TLSv1.1 | nzos_Version_1_1 |
TLS version 1.2 | TLSv1.2 | nzos_Version_1_2 |
Category | Value |
---|---|
Syntax | WebLogicSSLVersion versionNumber |
Example | WebLogicSSLVersion TLSv1 TLSv1.1 |
Default | If not configured, the best protocol supported by both the plug-in and WebLogic Server is used. |
Note:
WLCookieName replaces CookieName, which is deprecated.If you change the name of the WebLogic Server session cookie in the WebLogic Server Web application, then you must change this parameter in the plug-in to the same value. The name of the WebLogic session cookie is set in the WebLogic-specific deployment descriptor, in the <session-descriptor>
element.
Category | Value |
---|---|
Syntax | WLCookieName cookieName |
Example | WLCookieName |
Default | JSESSIONID |
If defined in the proxy configuration, this directive specifies the interval duration, in seconds, at which WebLogic Server refreshes DNS name to IP mapping for a server. This can be used in the event that a WebLogic Server instance is migrated to a different IP address, but the DNS name for that server's IP remains the same. In this case, at the specified refresh interval the bi-directional DNS-to-IP mapping will be updated.
Category | Value |
---|---|
Syntax | WLDNSRefreshInterval nn |
Example | WLDNSRefreshInterval 10 |
Default | Lookup once, during startup |
This parameter allows you exclude certain requests from proxying. This parameter can be defined locally at the Location tag level as well as globally. When the property is defined locally, it does not override the global property but defines a union of the two parameters.
Category | Value |
---|---|
Syntax | WLExcludePathOrMimeType value |
Example | WLExcludePathOrMimeType |
Default | none |
When set to ON, the WLS plug-in will forward the original URI from the client to WebLogic Server. When set to OFF (default), the URI sent to WebLogic Server is subject to modification by mod_rewrite or other web server plug-in modules.
Category | Value |
---|---|
Syntax | WLForwardUriUnparsed ON | OFF |
Example | WLForwardUriUnparsed ON |
Default | OFF |
Note:
WLIOTimeoutSecs is the new name for HungServerRecoverSecs.Defines the amount of time the plug-in waits for a response to a request from WebLogic Server. The plug-in waits for WLIOTimeoutSecs for the server to respond and then declares that server dead, and fails over to the next server. The value should be set to a very large value. If the value is less than the time the servlets take to process, then you may see unexpected results.
Minimum value: 10
Maximum value: Unlimited
Category | Value |
---|---|
Syntax | WLIOTimeoutSecs nn |
Example | WLIOTimeoutSecs 128 |
Default | 300 |
Defines the IP address (on the plug-in's system) to which to bind when the plug-in connects to a WebLogic Server instance running on a multihomed machine.
If WLLocalIP is not set, the TCP/IP stack will choose the source IP address.
Category | Value |
---|---|
Syntax | WLLocalIP ipAddress |
Example | WLLocalIP 1001.1111.1234.4567 |
Default | none |
Specifies path and file name for the log file that is generated when the Debug parameter is set to ON. You must create this directory before setting this parameter.
Category | Value |
---|---|
Syntax | WLLogFile path/to/file.ext |
Example | WLLogFile http://myFolder/mySubfolder/myLogfile.log |
Default |
If you have a chained proxy setup, where a proxy plug-in or HttpClusterServlet is running behind some other proxy or load balancer, you must explicitly enable the WLProxyPassThrough parameter. This parameter allows the header to be passed through the chain of proxies.
Category | Value |
---|---|
Syntax | WLProxyPassThrough ON | OFF |
Example | WLProxyPassThrough ON |
Default | OFF |
Specifies whether or not to maintain SSL communication between the plug-in and WebLogic Server when the following conditions exist:
An HTTP client request specifies the HTTPS protocol.
The request is passed through one or more proxy servers (including the WebLogic Server proxy plug-ins).
The connection between the plug-in and WebLogic Server uses the HTTP protocol.
When WLProxySSL is set to ON, the location header returned to the client from WebLogic Server specifies the HTTPS protocol.
Category | Value |
---|---|
Syntax | WLProxySSL ON | OFF |
Example | WLProxySSL ON |
Default | OFF |
If a load balancer or other software deployed in front of the web server and plug-in is the SSL termination point, and that product sets the WL-Proxy-SSL request header to true or false based on whether or not the client connected to it over SSL, set WLProxySSLPassThrough to ON so that the use of SSL is passed on to the Oracle WebLogic Server.
If the SSL termination point is in the web server where the plug-in operates, or the load balancer does not set WL-Proxy-SSL, set WLProxySSLPassThrough to OFF (default).
Category | Value |
---|---|
Syntax | WLProxySSLPassThrough ON | OFF |
Example | WLProxySSLPassThrough ON |
Default | OFF |
Specifies whether or not a 503 error response from Oracle WebLogic Server triggers a failover to another server. Normally, the plug-in will attempt to failover to another server when a 503 error response is received. When WLServerInitiatedFailover is set to OFF, the 503 error response will be returned to the client immediately.
Category | Value |
---|---|
Syntax | WLServerInitiatedFailover ON | OFF |
Example | WLServerInitiatedFailover OFF |
Default | ON |
Sets the timeout, in seconds, for the socket while connecting. See ConnectTimeoutSecs and ConnectRetrySecs for additional details. This value must be greater than 0
Category | Value |
---|---|
Syntax | WLSocketTimeoutSecs nn |
Example | WLSocketTimeoutSecs 10 |
Default | 2 |
This is an alternative to the SetHandler weblogic-handler mechanism of identifying requests to be forwarded to Oracle WebLogic Server. For example,
<Location /weblogic>
WLSRequest ON
PathTrim /weblogic
</Location>
The use of WLSRequest ON instead of SetHandler weblogic-handler has the following advantages:
Lower web server processing overhead in general
Resolves substantial performance degradation when the web server DocumentRoot is on a slow file system
Resolves 403 errors for URIs which cannot be mapped to the file system due to the file system length restrictions
Category | Value |
---|---|
Syntax | WLSRequest ON | OFF |
Example | WLSRequest ON |
Default | OFF |
Specifies:
The directory where a wlproxy.log will be created. If the location fails, the Plug-In resorts to creating the log file under C:/temp in Windows and /tmp in all Unix platforms.
The location of the _wl_proxy directory for POST data files.
When both WLTempDir and WLLogFile are set, WLLogFile will override as to the location of wlproxy.log. WLTempDir will still determine the location of _wl_proxy directory.
Category | Value |
---|---|
Syntax | WLTempDir dirNamee |
Example | WLTempDir MyLogDir |
Default | See the Debug parameter . |