This appendix describes the directives available in the Oracle-developed modules supported by OHS. It contains these sections:
In addition to the modules and directives described in this appendix, Oracle HTTP Server also ships with the mod_wl_ohs module, generally referred to as the Oracle WebLogic Server Proxy Plug-In. For information on this module's directives, see "Parameters for Oracle WebLogic Server Proxy Plug-Ins" in Using Oracle WebLogic Server Proxy Plug-Ins 12.1.3.
mod_certheaders accepts the following directives:
Specify which headers should be translated to CGI environment variables. This can be achieved by using the AddCertHeader
directive. This directive takes a single argument, which is the CGI environment variable that should be populated from a HTTP header on incoming requests. For example, to populate the SSL_CLIENT_CERT CGI environment variable.
Category | Value |
---|---|
Syntax | AddCertHeader environment_variable |
Example | AddCertHeader SSL_CLIENT_CERT |
Default | None |
mod_certheaders can be used to instruct Oracle HTTP Server to treat certain requests as if they were received through HTTPS even though they were received through HTTP. This is useful when Oracle HTTP Server is front-ended by a reverse proxy or load balancer, which acts as a termination point for SSL requests, and forwards the requests to Oracle HTTP Server through HTTPS.
Category | Value |
---|---|
Syntax | SimulateHttps on|off |
Example | SimulateHttps on |
Default | off |
To configure SSL for your Oracle HTTP Server, enter the mod_ossl
directives you want to use in the httpd.conf
file.
The following sections describe these directives:
Specifies if SSL accelerator is used. Currently only nFast card is supported.
Category | Value |
---|---|
Syntax | SSLAccelerator yes|no |
Example | SSLAccelerator yes |
Default | SSLAccelerator no |
Note:
TheSSLAccelerator
directive has been deprecated. For information on enabling SSL acceleration support using a wallet, refer to the Oracle Advanced Security Administrator's Guide on http://www.oracle.com/technology/documentation
.Specifies the file where you can assemble the Certificate Revocation Lists (CRLs) from CAs (Certificate Authorities) that you accept certificates from. These are used for client authentication. Such a file is the concatenation of various PEM-encoded CRL files in order of preference. This directive can be used alternatively or additionally to SSLCARevocationPath
.
Category | Value |
---|---|
Syntax | SSLCARevocationFile file_name |
Example |
SSLCARevocationFile ${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/crl/ca_bundle.cr |
Default | None |
Specifies the directory where PEM-encoded Certificate Revocation Lists (CRLs) are stored. These CRLs come from the CAs (Certificate Authorities) that you accept certificates from. If a client attempts to authenticate itself with a certificate that is on one of these CRLs, then the certificate is revoked and the client cannot authenticate itself with your server. "Changtes" section he refers to is here:
This directive must point to a directory that contains the hash value of the CRL To see the commands that allow you to create the hashes, see "orapki" in Administering Oracle Fusion Middleware.
Category | Value |
---|---|
Syntax | SSLCARevocationPath path/to/CRL_directory/ |
Example |
SSLCARevocationPath ${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/crl |
Default | None |
Specifies the SSL cipher suite that the client can use during the SSL handshake. This directive uses a colon-separated cipher specification string to identify the cipher suite. Table 11–2 shows the tags you can use in the string to describe the cipher suite you want. SSLCipherSuite accepts the following values:
none: Adds the cipher to the list
+ : Adds the cipher to the list and places it in the correct location in the list
- : Removes the cipher from the list (can be added later)
! : Removes the cipher from the list permanently
Tags are joined with prefixes to form a cipher specification string. Cipher suite tags are listed in Table F-1.
Category | Value |
---|---|
Example | SSLCipherSuite ALL:!MD5
In this example, all ciphers are specified except MD5 strength ciphers. |
Syntax | SSLCipherSuite cipher-spec |
Default |
ALL:!ADH:+HIGH:+MEDIUM:+LOW |
Table F-1 SSLCipher Suite Tags
Function | Tag | Meaning |
---|---|---|
Key exchange |
|
|
Authentication |
|
|
Encryption |
|
Triple |
Encryption |
|
|
Data Integrity |
|
|
Data Integrity |
|
|
Data Integrity |
|
SHA256 hash function |
Data Integrity |
|
SHA384 hash function |
Aliases |
|
All TLS version 1 ciphers |
Aliases |
|
All TLS version 1.1 ciphers |
Aliases |
|
All TLS version 1.2 ciphers |
Aliases |
|
All low strength ciphers (export and single |
Aliases |
|
All ciphers with 128-bit encryption |
Aliases |
|
All ciphers using triple |
Aliases |
|
All ciphers using AES encryption. |
Aliases |
|
All ciphers using |
Aliases |
|
All ciphers using Elliptic curve Diffie–Hellman Exchange key exchange |
Aliases |
|
All ciphers using Elliptic Curve Digital Signature Algorithm for authentication |
Table F-2 lists the Cipher Suites supported in Oracle Advanced Security 12c (12.1.3).
Table F-2 Cipher Suites Supported in Oracle Advanced Security 12.1.3
Cipher Suite | Key Exchange | Authenti- cation |
Encryption | Data Integrity | TLS v1 |
TLS v1.1 |
TLS v1.2 |
---|---|---|---|---|---|---|---|
|
|
|
|
|
Yes |
Yes |
Yes |
|
|
|
|
|
Yes |
Yes |
Yes |
|
|
|
|
|
Yes |
Yes |
Yes |
|
|
|
|
|
Yes |
Yes |
Yes |
|
|
|
|
|
Yes |
Yes |
Yes |
|
|
|
|
|
No |
No |
Yes |
|
|
|
|
|
No |
No |
Yes |
|
|
|
|
|
No |
No |
Yes |
|
|
|
|
|
No |
No |
Yes |
|
|
|
|
|
Yes |
Yes |
Yes |
|
|
|
|
|
Yes |
Yes |
Yes |
|
|
|
|
|
No |
No |
Yes |
|
|
|
|
|
No |
No |
Yes |
|
|
|
|
|
No |
No |
Yes |
|
|
|
|
|
No |
No |
Yes |
|
Ephemeral |
|
|
|
Yes |
Yes |
Yes |
|
Ephemeral |
|
|
|
Yes |
Yes |
Yes |
|
Ephemeral |
|
|
|
Yes |
Yes |
Yes |
|
Ephemeral |
|
|
|
Yes |
Yes |
Yes |
Toggles the usage of the SSL Protocol Engine. This is usually used inside a <VirtualHost>
section to enable SSL for a particular virtual host. By default, the SSL Protocol Engine is disabled for both the main server and all configured virtual hosts.
Category | Value |
---|---|
Syntax | SSLEngine on|off |
Example | SSLEngine on |
Default | Off |
This directive toggles the usage of the SSL library FIPS_mode flag. It must be set in the global server context and must not be configured with conflicting settings (for example, SSLFIPS on
followed by SSLFIPS off
). The mode applies to all SSL library operations.
Category | Value |
---|---|
Syntax |
SSLFIPS ON | OFF |
Example |
SSLFIPS ON |
Default | Off |
When you configure an SSLFIPS change, you must set the SSLFIPS on
/off
directive globally in ssl.conf. Virtual level configuration is disabled in SSLFIPS directive. Therefore, setting SSLFIPS to virtual directive results in an error.
Note:
Note the following restrictions on SSLFIPS:Enabling SSLFIPS mode in Oracle HTTP Server requires a wallet created with AES encrypted (compat_v12) headers. To create a new wallet or to convert an existing wallet with AES encryption, see these sections in "orapki" in Administering Oracle Fusion Middleware:
"Creating and Viewing Oracle Wallets with orapki"
The cipher suites supported in SSLFIPS mode are:
Cipher configuration (at both client and server) | Protocol |
---|---|
SSL_RSA_WITH_3DES_EDE_CBC_SHA | TLSv1 onwards |
SSL_RSA_WITH_3DES_EDE_CBC_SHA | TLSv1 onwards |
SSL_RSA_WITH_AES_256_CBC_SHA | TLSv1 onwards |
RSA_WITH_AES_128_CBC_SHA256 | TLSv1.2 onwards |
RSA_WITH_AES_256_CBC_SHA256 | TLSv1.2 onwards |
RSA_WITH_AES_256_GCM_SHA384 | TLSv1.2 onwards |
ECDHE_ECDSA_WITH_AES_128_CBC_SHA | TLSv1 onwards |
ECDHE_ECDSA_WITH_AES_256_CBC_SHA | TLSv1 onwards |
ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | TLSv1.2 onwards |
ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | TLSv1.2 onwards |
ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | TLSv1.2 onwards |
ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | TLSv1.2 onwards |
RSA_WITH_AES_128_GCM_SHA256 | TLSv1.2 onwards |
ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | TLSv1 onwards |
ECDHE_RSA_WITH_AES_128_CBC_SHA | TLSv1 onwards |
ECDHE_RSA_WITH_AES_256_CBC_SHA | TLSv1 onwards |
Note:
SSLv3 is not supported in OHS 12.1.3.To use the ECDHE_ECDSA cipher suite, Oracle HTTP Server requires a wallet created with an ECC user certificate. The ECDHE_ECDSA cipher suite does not work with RSA certificates.
To use the SSL_RSA/RSA/ECDHE_RSA cipher suite, Oracle HTTP Server requires a wallet created with an RSA user certificate. The SSL_RSA/RSA/ECDHE_RSA cipher suite does not work with ECC certificates.
For more information on configuring ECC/RSA certificates in a wallet, see "Creating and Viewing Oracle Wallets with orapki" in Administering Oracle Fusion Middleware.
For instructions on how to implement these cipher suites and corresponding protocols, see Section F.3.4, "SSLCipherSuite" and Section F.3.12, "SSLProtocol".
For more information on SSL FIPS 140-2 Standard for Oracle HTTP Server 12.1.3, see My Oracle Support Knowledge Database Doc ID 2160983.1 at https://support.oracle.com.
As originally specified, all versions of the SSL and TLS protocols (up to and including TLS/1.2) were vulnerable to a Man-in-the-Middle attack (CVE-2009-3555) during a renegotiation. This vulnerability allowed an attacker to "prefix" a chosen plaintext to the HTTP request as seen by the web server. A protocol extension was developed which fixed this vulnerability if supported by both client and server.
For more information on Man-in-the-Middle attack (CVE-2009-3555), see:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555
Default mode
When the directive SSLInsecureRenegotion is not specified in the configuration, Oracle HTTP Server operates in compatibility mode.
In this mode, vulnerable peers that do not have Renegotiation Info/Signaling Cipher Suite Value (RI/SCSV) support are allowed to connect, but renegotiation is allowed only with those peers that have RI/SCSV support.
SSLInsecureRenegotiation ON
This option allows vulnerable peers that do not have RI/SCSV to perform renegotiation. Hence, this option must be used with caution, as it leaves the server vulnerable to the renegotiation attack described in CVE-2009-3555.
SSLInsecureRenegotiation OFF
If this option is used, only peers that support RI/SCSV will be allowed to negotiate and renegotiate a session. This is the most secure and recommended mode.
Category | Value |
---|---|
Syntax |
SSLInsecureRenegotiation ON | OFF |
Example |
SSLInsecureRenegotiation ON |
Default | The default value is neither ON nor OFF . By default, Oracle HTTP Server operates in compatibility mode, as described under the heading Default mode. |
To configure SSLInsecureRenegotiation, edit the ssl.conf file and set SSLInsecureRenegotiation
ON
/OFF
globally or virtually to enable or disable insecure renegotiation.
Type of semaphore (lock) for SSL engine's mutual exclusion of operations that have to be synchronized between Oracle HTTP Server processes. Accepted values are:
file:
path/to/mutex: Uses a file for locking. The process ID (PID) of the Oracle HTTP Server parent process is appended to the filename to ensure uniqueness. If the filename does not begin with a slash (/), it is assumed to be relative to ServerRoot
. This setting is not available on Windows.
none
: Uses no mutex at all. Not recommended, because the mutex synchronizes the write access to the SSL session cache. If you do not configure a mutex, the session cache can become garbled.
pthread
: This directive tells the SSL Module to use Posix thread mutexes. It is only available if the underlying platform and Apache Portable Runtime (APR) supports it.
sem
: Uses an operating system semaphore to synchronize writes. On UNIX, it would be a Sys V IPC semaphore; on Windows, it is a Windows Mutex. This is the best choice, if the operating system supports it.
Category | Value |
---|---|
Syntax | SSLMutex none | file | pthread | sem |
Example | SSLMutex sem |
Default | pthread |
Notes:
In the Oracle HTTP Server default ssl.conf
template file, pthread
is defined as the default value for the SSLMutex directive for non-Windows platforms and none
is defined as a default value for the Windows platform as follows:
<IfModule mpm_winnt_module> SSLMutex "none" </IfModule> <IfModule !mpm_winnt_module> SSLMutex pthread </IfModule>
As new Oracle HTTP Server instances are created for non-Windows platforms, the default value for SSLMutex will continue to be pthread
unless you explicitly modify your configuration. If you comment out these lines in the ssl.conf
file and no value is specified for SSLMutex in the Oracle HTTP Server configuration files, then Oracle HTTP Server will use none
as the default value for SSLMutex.
The none
value for the SSLMutex directive is not recommended for non-Windows platforms, because it can create a garbled session cache and can lead to core dumps.
SSLTraceLogLevel
adjusts the verbosity of the messages recorded in the NZ library error logs. When a particular level is specified, messages from all other levels of higher significance will be reported as well. For example, when SSLTraceLogLevel ssl
is set, messages with log levels of error, warn, user and debug will also be posted.
SSLTraceLogLevel accepts the following log levels:
none
: NZ Trace disable
fatal
: Fatal error; system is unusable.
error
: Error conditions.
warn
: Warning conditions.
user
: Normal but significant condition.
debug
: Debug-level condition
ssl
: SSL level debugging
Category | Value |
---|---|
Syntax |
SSLTraceLogLevel none | fatal | error | warn | user | debug | ssl |
Example |
SSLTraceLogLevel fatal |
Default | None |
Controls various runtime options on a per-directory basis. In general, if multiple options apply to a directory, the most comprehensive option is applied (options are not merged). However, if all of the options in an SSLOptions
directive are preceded by a plus ('+') or minus ('-') symbol, then the options are merged. Options preceded by a plus are added to the options currently in force, and options preceded by a minus are removed from the options currently in force.
Accepted values are:
StdEnvVars
: Creates the standard set of CGI/SSI environment variables that are related to SSL. This is disabled by default because the extraction operation uses a lot of CPU time and usually has no application when serving static content. Typically, you only enable this for CGI/SSI requests.
ExportCertData
: Enables the following additional CGI/SSI variables:
SSL_SERVER_CERT
SSL_CLIENT_CERT
SSL_CLIENT_CERT_CHAIN_n
(where n= 0, 1, 2...)
These variables contain the Privacy Enhanced Mail (PEM)-encoded X.509 certificates for the server and the client for the current HTTPS connection, and can be used by CGI scripts for deeper certificate checking. All other certificates of the client certificate chain are provided. This option is "Off" by default because there is a performance cost associated with using it.
SSL_CLIENT_CERT_CHAIN_n
variables are in the following order: SSL_CLIENT_CERT_CHAIN_0
is the intermediate CA who signs SSL_CLIENT_CERT
. SSL_CLIENT_CERT_CHAIN_1
is the intermediate CA who signs SSL_CLIENT_CERT_CHAIN_0
, and so forth, with SSL_CLIENT_ROOT_CERT
as the root CA.
FakeBasicAuth
: Translates the subject distinguished name of the client X.509 certificate into an HTTP basic authorization user name. This means that the standard HTTP server authentication methods can be used for access control. No password is obtained from the user; the string 'password' is substituted.
StrictRequire
: Denies access when, according to SSLRequireSSL or directives, access should be forbidden. Without StrictRequire
, it is possible for a 'Satisfy any'
directive setting to override the SSLRequire
or SSLRequireSSL
directive, allowing access if the client passes the host restriction or supplies a valid user name and password.
Thus, the combination of SSLRequireSSL
or SSLRequire
with SSLOptions +StrictRequire
gives mod_ossl
the ability to override a 'Satisfy any'
directive in all cases.
CompatEnvVars
: Exports obsolete environment variables for backward compatibility to Apache SSL 1.x, mod_ssl
2.0.x, Sioux 1.0, and Stronghold 2.x. Use this to provide compatibility to existing CGI scripts.
OptRenegotiate
: This enables optimized SSL connection renegotiation handling when SSL directives are used in a per-directory context.
Category | Value |
---|---|
Syntax | SSLOptions [+-] StdEnvVars | ExportCertData | FakeBasicAuth | StrictRequire | CompatEnvVars | OptRenegotiate |
Example | SSLOptions -StdEnvVars |
Default | None |
Type of pass phrase dialog for wallet access. mod_ossl
asks the administrator for a pass phrase to access the wallet. Accepted values are:
builtin
: when the server is started, mod_ossl
prompts for a password for each wallet.
exec:
path/to/program
- when the server is started, mod_ossl
calls an external program configured for each wallet. This program is invoked with two arguments: servername
:portnumber
and RSA
or DSA
.
Category | Value |
---|---|
Syntax | SSLPassPhraseDialog builtin | exec |
Example | SSLPassPhraseDialog exec:/usr/local/sbin/pfilter |
Default | builtin |
Specifies SSL protocol(s) for mod_ossl
to use when establishing the server environment. Clients can only connect with one of the specified protocols. Accepted values are:
TLSv1
TLSv1.1
TLSv1.2
All
You can specify multiple values as a space-delimited list. In the syntax for SSLProtocol, the "-" and "+" symbols have the following meaning:
+ : Adds the protocol to the list
- : Removes the protocol from the list
Table F-2 lists the ciphers that are available for the TLSv1, TLSv1.1, and TLSv1.2 protocols.
In the current release All
is defined as +TLSv1
+TLSv1.1
+TLSv1.2
(SSLv2
and SSLv3
are disabled out-of-the-box).
Note:
The syntax for theSSLProtocol
directive can use either TLSv1
as a value or the nzos_Version_1_0
syntax (or TLSv1.1
and nzos_Version_1_1
, or TLSv1.2
and nzos_Version_1_2
).
If you are using Oracle Fusion Middleware Control, security will be configured using the nzos*
syntax. Both options represent TLS 1.0 protocol version. The nzos_Version_1_0
syntax is the Oracle representation of TLS1.0 and TLSv1
is an open source representation. Oracle HTTP Server supports both ways to represent SSL protocol in its config files.
Category | Value |
---|---|
Syntax | SSLProtocol [+-] TLSv1 | TLSv1.1 | TLSv1.2 | All |
Example | SSLProtocol +TLSv1 +TLSv1 +TLSv1.1 |
Default | ALL |
Specifies the SSL cipher suite that the proxy can use during the SSL handshake. This directive uses a colon-separated cipher specification string to identify the cipher suite. Table F-1 shows the tags you can use in the string to describe the cipher suite you want. SSLCipherSuite accepts the following values:
none: Adds the cipher to the list
+ : Adds the cipher to the list and places it in the correct location in the list
- : Removes the cipher from the list (which can be added later)
! : Removes the cipher from the list permanently
Tags are joined with prefixes to form a cipher specification string. The SSLProxyCipherSuite directive uses the same tags as the SSLCipherSuite directive. For a list of supported suite tags, see Table F-1.
Category | Value |
---|---|
Example | SSLProxyCipherSuite ALL:!MD5
In this example, all ciphers are specified except MD5 strength ciphers. |
Syntax | SSLProxyCipherSuite cipher-spec |
Default |
ALL:!ADH:+HIGH:+MEDIUM |
The SSLProxyCipherSuite directive uses the same cipher suites as the SSLCipherSuite directive. For a list of the Cipher Suites supported in Oracle Advanced Security 12.1.3, see Table F-2.
Enables or disables the SSL/TLS protocol engine for proxy. SSLProxyEngine is usually used inside a <VirtualHost>
section to enable SSL/TLS for proxy usage in a particular virtual host. By default, the SSL/TLS protocol engine is disabled for proxy both for the main server and all configured virtual hosts.
SSLProxyEngine should not be included in a virtual host that will be acting as a forward proxy (by using Proxy
or ProxyRequest
directives). SSLProxyEngine is not required to enable a forward proxy server to proxy SSL/TLS requests.
Category | Value |
---|---|
Syntax | SSLProxyEngine ON | OFF |
Example | SSLProxyEngine on |
Default | Disable |
Specifies SSL protocol(s) for mod_ossl
to use when establishing a proxy connection in the server environment. Proxies can only connect with one of the specified protocols. Accepted values are:
TLSv1
TLSv1.1
TLSv1.2
All
You can specify multiple values as a space-delimited list. In the syntax for SSLProxyProtocol, the "-" and "+" symbols have the following meaning:
+ : Adds the protocol to the list
- : Removes the protocol from the list
In the current release All
is defined as +TLSv1
+TLSv1.1
+TLSv1.2
(SSLv2
and SSLv3
are disabled out-of-the-box).
Note:
The syntax for theSSLProxyProtocol
directive can use either TLSv1
as a value or the nzos_Version_1_0
syntax (or TLSv1.1
and nzos_Version_1_1
, or TLSv1.2
and nzos_Version_1_2
).
If you are using Oracle Fusion Middleware Control, security will be configured using the nzos*
syntax. Both options represent TLS 1.0 protocol version. The nzos_Version_1_0
syntax is the Oracle representation of TLS1.0 and TLSv1
is an open source representation. Oracle HTTP Server supports both ways to represent SSL protocol in its config files.
Category | Value |
---|---|
Syntax | SSLProxyProtocol [+-] TLSv1 | TLSv1.1 | TLSv1.2 | All |
Example | SSLProxyProtocol +TLSv1 +TLSv1 +TLSv1.1 |
Default | ALL |
Specifies the location of the wallet with its WRL, specified as a filepath, that a proxy connection must use.
Category | Value |
---|---|
Syntax | SSLProxyWallet file:path to wallet |
Example |
SSLProxyWallet "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/proxy" |
Default | None |
Denies access unless an arbitrarily complex boolean expression is true.
Category | Value |
---|---|
Syntax | SSLRequire expression (see Understanding the Expression) |
Example | SSLRequire word ">=" word |word "ge" word |
Default | None |
The expression must match the following syntax (given as a BNF grammar notation):
expr ::= "true" | "false" "!" expr expr "&&" expr expr "||" expr "(" expr ")" comp ::=word "==" word | word "eq" word word "!=" word |word "ne" word word "<" word |word "lt" word word "<=" word |word "le" word word ">" word |word "gt" word word ">=" word |word "ge" word word "=~" regex word "!~" regex wordlist ::= word wordlist "," word word ::= digit cstring variable function digit ::= [0-9]+ cstring ::= "..." variable ::= "%{varname}"
Table F-3 and Table F-4 list standard and SSL variables. These are valid values for varname
.
function ::= funcname "(" funcargs ")"
For funcname
, the following function is available:
file(filename)
The file function takes one string argument, the filename, and expands to the contents of the file. This is useful for evaluating the file's contents against a regular expression.
Table F-3 lists the standard variables for SSLRequire varname
.
Table F-3 Standard Variables for SSLRequire Varname
Standard Variables | Standard Variables | Standard Variables |
---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Table F-4 lists the SSL variables for SSLRequire varname.
Table F-4 SSL Variables for SSLRequire Varname
SSL Variables | SSL Variables | SSL Variables |
---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Denies access to clients not using SSL. This is a useful directive for absolute protection of a SSL-enabled virtual host or directories in which configuration errors could create security vulnerabilities.
Category | Value |
---|---|
Syntax | SSLRequireSSL |
Example | SSLRequireSSL |
Default | None |
Specifies the global/interprocess session cache storage type. The cache provides an optional way to speed up parallel request processing. The accepted values are:
dc:
UNIX:/path/to/socket: This makes use of the distcache
distributed session caching libraries. The argument should specify the location of the server or proxy to be used using the distcache
address syntax; for example, UNIX:/path/to/socket specifies a UNIX domain socket (typically a local dc_client proxy); IP:server.example.com:9001 specifies an IP address.
none
: disables the global/interprocess session cache. Produces no impact on functionality, but makes a major difference in performance.
nonenotnull
: This disables any global/inter-process Session Cache. However it does force OpenSSL to send a non-null session ID to accommodate buggy clients that require one.
shmcb:
/path/to/datafile[bytes]: Uses a high-performance Shared Memory Cyclic Buffer (SHMCB) session cache to synchronize the local SSL memory caches of the server processes. The performance of shmcb
is more uniform in all environments when compared to shmht
. Note: in this shm setting, no log files are created under /path/to/datafile on local disk.
shmht:
/path/to/datafile[bytes]: Uses a high-performance hash table (bytes
specifies approximate size) inside a shared memory segment in RAM, which is established by the /path/to/datafile
. This hash table synchronizes the local SSL memory caches of the server processes. Note: in this shm setting, no log files are created under /path/to/datafile on local disk.
Category | Value |
---|---|
Syntax | SSLSessionCache dc:UNIX:/path/to/socket | none | nonenotnull | shmcb:/path/to/datafile[bytes] | shmht: /path/to/datafile[bytes] |
Examples | SSLSessionCache "shmcb:${ORACLE_INSTANCE}/servers/${COMPONENT_NAME}/logs/ssl_scache(512000)" |
Default | SSLSessionCache none |
Specifies the number of seconds before a SSL session in the session cache expires.
Category | Value |
---|---|
Syntax | SSLSessionCacheTimeout seconds |
Example | SSLSessionCacheTimeout 120 |
Default | 300 |
Specifies whether a client must present a certificate when connecting. The accepted values are:
none
: No client certificate is required
optional
: Client can present a valid certificate
require
: Client must present a valid certificate
Category | Value |
---|---|
Syntax | SSLVerifyClient none | optional | require |
Example | SSLVerifyClient optional |
Default | None |
Note:
The leveloptional_no_ca
included with mod_ssl
(in which the client can present a valid certificate, but it need not be verifiable) is not supported in mod_ossl
.Note:
mod_plsql is deprecated as of Oracle HTTP Server 12c (12.1.3).The mod_plsql configuration parameters are described in these sections:
The following parameters are used with the plsql.conf
file:
Enables Dynamic Monitoring Service (DMS) for the mod_plsql module.
Category | Value |
---|---|
Syntax | PlsqlDMSEnable On | Off |
Example | PlsqlDMSEnable On |
Default | On |
Enables debug level logging for the mod_plsql module. Debug level logging is meant to be used for debugging purposes only.
When logging is enabled, Oracle HTTP Server log files are typically created in the PlsqlCacheDirectory
DOMAIN_HOME/servers/componentName/ directory. However, the location specified in PlsqlLogDirectory determines the final location.
This parameter should be set to Off
unless recommended by Oracle support to debug problems with the mod_plsql module.
To view more details about the internal processing of the mod_plsql module, set this directive to On
. This causes the mod_plsql module to start logging every request that is processed. The log files are generated as specified by the PlsqlLogDirectory
directive.
Category | Value |
---|---|
Syntax | PlsqlLogEnable On | Off |
Example | PlsqlLogEnable Off |
Default | Off |
Specifies the directory where debug level logs are written.
Set the directory name of the location where log files should be generated when logging is enabled. To avoid possible confusion about the location of this directory, an absolute path is recommended.
On UNIX, this directory must have write permissions by the owner of the child httpd
processes.
Category | Value |
---|---|
Syntax | PlsqlLogDirectory directory |
Example | PlsqlLogDirectory "${ORACLE_INSTANCE}/servers/${COMPONENT_NAME}/logs" |
Default | None |
Specifies the time (in minutes) in which the idle database sessions should be closed and cleaned by the mod_plsql module.
This directive is used with connection pooling of database connections and sessions in the mod_plsql module. When a session is not used for the specified amount of time, it is closed and freed. This is done so that unused sessions can be cleaned, and the memory is freed on the database side.
Setting this time to a low number helps in faster cleanup of unused database sessions. If this number is too low, then this may adversely affect the performance benefits of connection pooling in the mod_plsql module.
If the number of open database sessions is not a concern, you can increase the value of this parameter for best performance. In such a case, if the site is accessed frequently enough that the idle session cleanup interval is never reached for a session, then the DAD configuration parameter PlsqlMaxRequestsPerSession can be modified so that it is guaranteed that a pooled database session gets recycled on a regular basis.
For most installations, the default value is adequate.
Category | Value |
---|---|
Syntax | PlsqlIdleSessionCleanupInterval number |
Example | PlsqlIdleSessionCleanupInterval 10 |
Default | 15 (minutes) |
The dads.conf
file contains the configuration parameters for the PL/SQL database access descriptor. (See Table F-1 for the file location.) A DAD is a set of values that specifies how the mod_plsql module connects to a database server to fulfill a HTTP request.
The following parameters are used with the dads.conf
file:
Specifies the procedure to be invoked after calling the requested procedure. This enables you to put a hook point after the requested procedure is called. This is useful in doing SQL*Traces/SQL Profiles while debugging a problem with the requested procedure. This is also useful when you want to ensure that a specific call is made after running every procedure.
Category | Value |
---|---|
Syntax | PlsqlAfterProcedure string |
Example | PlsqlAfterProcedure portal.mypkg.myafterproc |
Default | None |
Note:
This parameter should only be used for debugging purposes. You can also use this parameter to stop SQL trace/SQL profiling.Specifies whether the mod_plsql module should describe a procedure before trying to run it. If this is set to On
, then the mod_plsql module will always describe a procedure before invoking it. Otherwise, the mod_plsql module will only describe a procedure when its internal heuristics have interpreted a parameter type incorrectly.
Category | Value |
---|---|
Syntax | PlsqlAlwaysDescribeProcedure On | Off |
Example | PlsqlAlwaysDescribeProcedure On |
Default | Off |
Note:
This parameter should only be used for debugging purposes.Specifies the authentication mode to use to allow access through the DAD. The accepted values for PlsqlAuthenticationMode
are Basic
, SingleSignOn
, GlobalOwa
, CustomOwa
, PerPackageOwa
.
Category | Value |
---|---|
Syntax | PlsqlAuthenticationMode Basic | SingleSignOn | GlobalOwa | CustomOwa | PerPackageOwa |
Example | PlsqlAuthenticationMode CustomOwa |
Default | Basic |
Basic
is the default mode and determines whether to ask for username and password if they are not provided with PlsqlDatabaseUsername
and PlsqlDatabasePassword
. This setting is required for WebDB 2.x applications. If the DAD is not using the Basic authentication, then you must include a valid username/password in the DAD configuration.
SingleSignOn
specifies that you want to use Single Sign-On server. This is required for DADs using Oracle9iAS Portal. As already stated the provided username and password must be the one from your single sign-on server.
GlobalOwa
, CustomOwa
, and PerPackageOwa
are used only by very few PL/SQL applications. Custom authentication enables applications to authenticate users within the application itself, not at the database level.
Authorization is performed by invoking a user-written authorization function. Custom authentication uses a static username/password that is stored in the DAD. It cannot be combined with dynamic username/password authentication. To enable custom authentication, set the level of authentication for PlsqlAuthenticationMode and implement the authorize function.
You should also be aware of the following:
If the DAD is not using the Basic authentication, then you must include a valid username/password in the DAD configuration. For the Basic mode, to perform dynamic authentication, the DAD username/password parameters must be omitted.
The SingleSignOn mode is supported only for Oracle Fusion Middleware releases, and is used by Oracle Portal and Oracle Single Sign-On. Most customer applications use Basic authentication. Custom authentication modes (GlobalOwa, CustomOwa, and PerPackageOwa) are used by very few PL/SQL applications.
Specifies the procedure to be invoked before calling the requested procedure. This enables you to put a hook point before the requested procedure is called. This is useful in doing SQL*Traces/SQL Profiles while debugging a problem with the requested procedure. This is also useful when you want to ensure that a specific call be made before running every procedure.
Category | Value |
---|---|
Syntax | PlsqlBeforeProcedure string |
Example | PlsqlBeforeProcedure portal.mypkg.mybeforeproc |
Default | None |
Note:
This parameter should only be used for debugging purposes. In addition, you could use this parameter to start SQL Trace/SQL Profiling.Note:
This configuration property is rarely ever changed, and system defaults suffice in most cases.Specifies the rounding size to use while binding the number of elements in a collection bind. While executing PL/SQL statements, the Oracle database maintains a cache of PL/SQL statements in the shared SQL area, and attempts to reuse the cached statement if the same statement is run again. Oracle's matching criteria requires that the statement texts be identical, and that the bind variable data types match. Unfortunately, the type match for strings is sensitive to the exact byte size specified, and for collection bindings is also sensitive to the number of elements in the collection. Since the mod_plsql module binds statements dynamically, the odds of hitting the shared cache are low, and it may fill up with near-duplicates and lead to contention for the latch on the shared area. This parameter reduces that effect by bucketing bind lengths to the nearest level.
All numbers specified should be in ascending order. After the last specified size, subsequent bucket sizes will be assumed to be twice the last one.
Category | Value |
---|---|
Syntax | PlsqlBindBucketLengths number multiline |
Example | PlsqlBindBucketLengths 4
|
Default | 4,20,100,400 |
This parameter is relevant only if you are using procedures with array parameters, and passing varying number of parameters to the procedure.
The default should be sufficient for most PL/SQL applications.
To see if this parameter must be changed, check the number of versions of a SQL statement in the SQL area.
After the higher configured value, mod_plsql starts auto-generating bucket sizes of larger values by doubling the last value, as needed. Therefore, after 400, the next bucket value becomes 800, then 1600, and so on.
Consider using flexible parameter passing to reduce the problem.
Note:
This configuration property is rarely ever changed, and system defaults suffice in most cases.Specifies the rounding size to use while binding the number of elements in a collection bind. While executing PL/SQL statements, the Oracle database maintains a cache of PL/SQL statements in the shared SQL area, and attempts to reuse the cached statement if the same statement is run again. Oracle's matching criteria requires that the statement texts be identical, and that the bind variable data types match. Unfortunately, the type match for strings is sensitive to the exact byte size specified, and for collection bindings is also sensitive to the number of elements in the collection. Since the mod_plsql module binds statements dynamically, the odds of hitting the shared cache are low, and it may fill up with near-duplicates and lead to contention for the latch on the shared area. This parameter reduces that effect by bucketing bind widths to the nearest level.
All numbers specified should be in ascending order. After the last specified size, subsequent bucket sizes will be assumed to be twice the last one.
The last bucket width must be equal to or less than 4000. This is due to the restriction imposed by OCI where array bind widths cannot be greater than 4000.
Category | Value |
---|---|
Syntax | PlsqlBindBucketWidths number multiline |
Example | PlsqlBindBucketWidths 40
|
Default | 32,128,1450,2048,4000 |
This parameter is relevant only if you are using procedures with array parameters, and passing varying number of parameters to the procedure.
The default should be sufficient for most PL/SQL applications.
To see if this parameter must be changed, check the number of versions of a SQL statement in the SQL area.
After the higher configured value, mod_plsql starts auto-generating bucket sizes of larger values by doubling the last value, as needed. Therefore, after 400, the next bucket value becomes 800, then 1600, and so on.
Consider using flexible parameter passing to reduce the problem.
Specifies overrides and additions of CGI environment variables to the default set of environment variables passed to a PL/SQL procedure. This is a multi-line directive of name-value pairs to be added, overridden or removed. You can only specify one environment variable for each directive.
You can add CGI environment variables from the Oracle HTTP Server environment by specifying the variable name. To remove a CGI environment variable, set it equal to a blank space. To add your own name-value pair, use the syntax myname=myvalue
.
Category | Value |
---|---|
Syntax | PlsqlCGIEnvironmentList string multiline |
Default | None |
Example |
|
Environment variables added here are available in the PL/SQL application through the function owa_util.get_cgi_env
.
Specifies the timeout in milliseconds for testing a connection pool in the mod_plsql module.
Category | Value |
---|---|
Syntax | PlsqlConnectionTimeout number |
Example | PlsqlConnectionTimeout 5000 |
Default | 10000 (milliseconds) |
When PlsqlConnectionValidation is set to Automatic
or AlwaysValidate
, the mod_plsql module attempts to test pooled database connections. This parameter specifies the maximum time the mod_plsql module should wait for the test request to complete before it assumes that the connection is not usable.
Specifies the mechanism the mod_plsql module should use to detect terminated connections in its connection pool.
Note:
This configuration property is rarely ever changed, and system defaults suffice in most cases.For performance reasons, the mod_plsql module pools database connections. If a database instance goes down, and the mod_plsql module was maintaining a pool of connections to the instance, then each pooled database connection results in an error when it is next used to service a request. This can be a concern in high availability configurations such as Oracle RAC where even if one node goes down, other nodes servicing the database might have been able to service the request successfully. The mod_plsql module provides for a mechanism whereby it can self-correct after it detects a failure that could be caused by a database node going down. This mechanism to self-correct is controlled by the parameter PlsqlConnectionValidation.
The following are the valid values for PlsqlConnectionValidation:
Automatic
: The mod_plsql module tests all pooled database connections which were created before the detection of a failure that could mean an instance failure.
ThrowAwayOnFailure
: The mod_plsql module throws away all pooled database connections which were created before the detection of a failure that could mean an instance failure.
AlwaysValidate
: The mod_plsql module always tests all pooled database connections which were created before issuing a request. Since this option has an associated performance overhead for each request, use this option with caution.
NeverValidate
: The mod_plsql module never pings any pooled database connection.
Category | Value |
---|---|
Syntax | PlsqlConnectionValidation Automatic | ThrowAwayOnFailure | AlwaysValidate | NeverValidate |
Example | PlsqlConnectionValidation ThrowAwayOnFailure |
Default | Automatic |
When the mod_plsql module encounters one of the following errors, it assumes that the database may have been down.
00443 — background process <string> did not start
00444 — background process <string> failed while starting
00445 — background process did not start after <x> seconds
00447 — fatal error in background processes
00448 — normal completion of background process
00449 — background process <string> unexpectedly terminated with error
00470 — LGWR process terminated with error
00471 — DBWR process terminated with error
00472 — PMON process terminated with error
00473 — ARCH process terminated with error
00474 — SMON process terminated with error
00475 — TRWR process terminated with error
00476 — RECO process terminated with error
00480 — LCK* process terminated with error
00481 — LMON process terminated with error
00482 — LMD* process terminated with error
00484 — LMS* process terminated with error
00485 — DIAG process terminated with error
01014 — ORACLE shutdown in progress
01033 — ORACLE initialization or shutdown in progress
01034 — ORACLE not available
01041 — internal error. hostdef extension doesn't exist
01077 — background process initialization failure
01089 — immediate shutdown in progress- no operations permitted
01090 — shutdown in progress- connection is not permitted
01091 — failure during startup force
01092 — ORACLE instance terminated. Disconnection forced
03106 — fatal two-task communication protocol error
03113 — end-of-file on communication channel
03114 — not connected to ORACLE
12570 — TNS: packet reader failure
12571 — TNS: packet writer failure
Specifies the connection to an Oracle database.
Category | Value |
---|---|
Syntax | PlsqlDatabaseConnectString string {ServiceNameFormat | SIDFormat | TNSFormat | NetServiceNameFormat}
The string parameter depends on the second argument:
If the format argument is not specified, then the mod_plsql module assumes the string is either in the HOST:PORT:SID format, or resolvable by Oracle Net Services. The differentiation between the two is made by the presence of the colon in the specified string. It is recommended that newer DADs do not use the |
Example |
|
Default | None |
If the database is running in the same Oracle home, or the environment variable TWO_TASK is set, then this parameter need not be specified.
If the database is running in a separate Oracle home, then this parameter is mandatory.
If you have problems connecting to the database:
Check the username and password information in the DAD.
Make sure that you run tnsping db_connect_string
, and commands such as:
sqlplus DADUsername/DADPassword@db_connect_string
Ensure that TNS_ADMIN is configured properly.
Verify that the HOST:PORT:SERVICE_NAME format works correctly.
Ensure that the TNS listener and database are up and running.
Ensure that you can ping the host from this machine.
From the mod_plsql module perspective, TNSFormat
and NetServiceNameFormat
are synonymous and denote connect descriptors that are resolved by Oracle Net Services. The TNSFormat
is provided as a convenience so that end-users use this to signify that the name resolution happens through the local tnsnames.ora. For situations where the resolution is through an LDAP lookup as configured in sqlnet.ora, it is recommended that the format specifier of NetServiceNameFormat
be used.
If your database supports high availability, for example, Oracle Real Application Clusters database, it is highly recommended that you use the NetServiceNameFormat
such that the resolution for the net service name is through LDAP. This enables you to add or remove Oracle RAC nodes accessible through the mod_plsql module by changing Oracle Internet Directory with the new or deleted node information. In such situations, hard-coding database listener HOST:PORT information in dads.conf or in the local tnsnames.ora
is not recommended.
Specifies the password to use to log in to the database.
Category | Value |
---|---|
Syntax | PlsqlDatabasePassword string |
Example | PlsqlDatabasePassword tiger |
Default | None |
This is a mandatory parameter, except for a DAD that sets PlsqlAuthenticationMode to Basic and uses dynamic authentication.
For DADs using SingleSignOn authentication, this parameter uses the name of the schema owner.
After making manual configuration changes to DAD passwords, you should obfuscate the DAD passwords by running the dadTool.pl
script, located in ORACLE_HOME/bin
.
To obfuscate DAD passwords:
If necessary, change the user to the Oracle software owner user, typically oracle
, using the following command:
$ su - oracle
Set the ORACLE_HOME
environment variable to specify the path to the Oracle home directory for the current release, and set the PATH environment variable to include the directory containing the Perl executable and the location of the dadTool.pl
script.
Bourne, Bash, or Korn shell:
$ ORACLE_HOME=new_ORACLE_HOME_path;export ORACLE_HOME $ PATH=ORACLE_HOME/bin:ORACLE_HOME/perl/bin:$PATH;export PATH
C or tcsh shell:
% setenv ORACLE_HOME new_ORACLE_HOME_PATH % setenv PATH ORACLE_HOME/bin:ORACLE_HOME/perl/bin:PATH
On Microsoft Windows, set the PATH and PERL5LIB environment variable:
set PATH=ORACLE_HOME\bin;ORACLE_HOME\perl\bin;%PATH% set PERL5LIB=ORACLE_HOME\perl\lib
On UNIX platforms, set the shared library path environment variable.
Include the ORACLE_HOME/lib
or lib32
directory in your shared library path. Table F-5 shows the appropriate directory and environment variable for each platform.
Table F-5 Shared Library Path Environment Variable
Platform | Environment Variable | Include Directory |
---|---|---|
AIX Based Systems |
LIBPATH |
ORACLE_HOME/lib |
HP-UX PA-RISC |
SHLIB_PATH |
ORACLE_HOME/lib |
Solaris Operating System |
LD_LIBRARY_PATH |
ORACLE_HOME/lib32 |
Other UNIX platforms, including Linux and HP Tru64 UNIX |
LD_LIBRARY_PATH |
ORACLE_HOME/lib |
For example, on HP-UX PA-RISC systems, set the SHLIB_PATH environment to include the ORACLE_HOME/lib
directory:
SHLIB_PATH=$ORACLE_HOME/lib:$SHLIB_PATH;export SHLIB_PATH
Change directory to the bin directory for the current release of Oracle HTTP Server:
cd $ORACLE_HOME/ohs/bin
Invoke the following Perl script to obfuscate DAD password:
perl dadTool.pl -f dadfilename
where dadfilename
is the filename for dads.conf
, which includes the full path to the DAD file.
For example:
perl dadTool.pl -f /u01/app/oracle/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1/mod_plsql/dads.conf
Specifies the username to use to log in to the database.
Category | Value |
---|---|
Syntax | PlsqlDatabaseUsername string |
Example | PlsqlDatabaseUsername scott |
Default | None |
This is a mandatory parameter, except for a DAD that sets PlsqlAuthenticationMode to Basic and uses dynamic authentication.
For DADs using SingleSignOn authentication, this parameter is the name of the schema owner.
Specifies the default procedure to call if none is specified in the URL.
Category | Value |
---|---|
Syntax | PlsqlDefaultPage string |
Example | PlsqlDefaultPage myschema.mypackage.home |
Default | None |
You can also use Oracle HTTP Server Rewrite rules to achieve the same effect as you get by setting this configuration parameter.
Specifies a virtual path in the URL that initiates document download from the document table. For example, if this parameter is set to docs
, then the following URLs will start the document downloading process for URLs of the format:
/pls/dad/docs /pls/plsqlapp/docs
Category | Value |
---|---|
Syntax | PlsqlDocumentPath string |
Example | PlsqlDocumentPath docs |
Default | docs |
Omit this parameter for applications that do not perform document uploads or downloads.
Specifies the procedure to call when a document download is initiated. This procedure is called to process the download.
Category | Value |
---|---|
Syntax | PlsqlDocumentProcedure string |
Example | PlsqlDocumentProcedure portal.wwdoc_process.process_download |
Default | None |
Omit this parameter for applications that do not perform document uploads or downloads.
Specifies the table in the database to which all documents are uploaded.
Category | Value |
---|---|
Syntax | PlsqlDocumentTablename string |
Example | PlsqlDocumentTablename myschema.document_table |
Default | None |
Omit this parameter for applications that do not perform document uploads or downloads.
Specifies the error reporting mode for mod_plsql errors.
Specifies a pattern for procedures, packages, or schema names which are forbidden to be directly run from a browser. This is a multi-line directive in which each pattern is on a separate line. The pattern is not case sensitive and can accept a wildcard such as an asterisk (*). The default patterns disallowed from direct URL access are as follows:
sys.*
dbms_*
utl_*
owa_util*
owa.*
htp.*
htf.*
wpg_docload.*
Setting this directive to #NONE#
will disable all protection. This is strongly discouraged for an active site and should not be done. It may be used for debugging purposes.
If this parameter is overridden, the defaults still apply, which means that you do not have to explicitly add the default list to the list of excluded patterns.
Category | Value |
---|---|
Syntax | PlsqlExclusionList {string | "#NONE#" multiline } |
Example | PlsqlExclusionList myschema.private.*
will disallow access to URLs which contain one of:
will disable all protection. Its use is strongly discouraged for an active site. |
Default | sys.*
dbms_* utl_* owa_util* owa.* htp.* htf.* wpg_docload.* |
In addition to the patterns specified with this parameter, the mod_plsql module disallows any procedure name which contains the following special characters:
tabs
new lines
carriage-return
single quotation mark
reverse slash
form feed
left parenthesis
right parenthesis
space
This cannot be changed.
Specifies the number of rows of content to fetch from the database for each trip, using either owa_util.get_page or owa_util.get_page_raw.
By default, the mod_plsql module attempts to fetch 200 response lines of output where each line is of 255 bytes. In situations where the response bytes are single-bytes, the response buffer is populated to the maximum and can pack 255*200=51000 bytes for each round trip. For responses containing multibyte data, the byte packing for each row could be less than ideal resulting in lesser bytes getting transferred for each round trip. If your application generates large pages frequently and the response does not fit in one round trip, then consider setting this parameter higher. The memory usage for the mod_plsql module will increase.
Category | Value |
---|---|
Syntax | PlsqlFetchBufferSize number |
Example | PlsqlFetchBufferSize 256 |
Default | 200 |
This parameter is changed only for performance reasons. The minimum value for this parameter is 28, but it is seldom reduced.
Change this parameter only under the following circumstances:
The average response page is large and you want to reduce the number of round-trips the mod_plsql module makes to the database to fetch the response.
The character set in use is multi-byte, and you want to compensate for the problem of get_page
or get_page_raw
fetching fewer bytes for each row. Calculations in the PL/SQL Web ToolKit are character-based and for multibyte characters, OWA packages assume a worst-case character byte size and do not attempt to pack each row to its maximum.
Specifies what mode the mod_plsql module should use to do extra performance logging.
InfoDebug mode: This logs more information to the Apache's error_log. This is used with Apache's info logging level. If the Apache's logging level is not at least set to this high, this setting will be ignored.
Category | Value |
---|---|
Syntax | PlsqlInfoLogging InfoDebug |
Example | PlsqlInfoLogging InfoDebug |
Default | Empty |
The logging setting is useful for debugging problems in your PL/SQL application.
Specifies the maximum number of requests a pooled database connection should service before it is closed and re-opened.
Category | Value |
---|---|
Syntax | PlsqlMaxRequestsPerSession number |
Example | PlsqlMaxRequestsPerSession 500 |
Default | 1000 |
This parameter helps relieve memory and resource problems that may occur due to prolonged session reuse by a PL/SQL application.
This parameter should not need to be changed. The default is sufficient in most cases.
Setting this parameter to a low number can degrade performance. A case for a lower value might be an infrequently-used DAD whose performance is not a concern, and for which limiting the number of requests provides some benefit.
Specifies the NLS_LANG variable for this DAD. This parameter overrides the NLS_LANG environment variable. When this parameter is set, the PL/SQL Gateway uses the specified NLS_LANG to connect to the database. Once connected, an alter session command is issued to switch to the specified language and territory. If the middle tier character set matches that of the database, then no alter session call is issued by the mod_plsql module.
Category | Value |
---|---|
Syntax | PlsqlNLSLanguage string |
Example | PlsqlNLSLanguage America_America.UTF8 |
Default | None |
Most applications have PlsqlTransferMode set to CHAR which means that the character set in PlsqlNLSLanguage must match the character set of the database. In one special case, where the database and the mod_plsql module are both using fixed-size character sets, and the character set width matches, the character set can be different. The response character set is always the mod_plsql module character set.
If PlsqlTransferMode is set to RAW, then this parameter can be ignored.
Specifies a virtual path alias to map to a procedure call. This is application-specific. This directive is used with PlsqlPathAliasProcedure.
Category | Value |
---|---|
Syntax | PlsqlPathAlias string |
Example | PlsqlPathAlias url |
Default | None |
For applications that do not use path aliasing, this parameter may be omitted.
Specifies the procedure to call when the virtual path in the URL matches the path alias as configured by PlsqlPathAlias.
Category | Value |
---|---|
Syntax | PlsqlPathAliasProcedure string |
Example | PlsqlPathAliasProcedure portal.wwpth_api_alias.process_download |
Default | None |
For applications that do not use path aliasing, this parameter may be omitted.
Specifies an application-defined PL/SQL function which gives you the opportunity to allow and disallow further processing of the requested procedure. This is useful in implementing tight security for your PL/SQL application by blocking out package and procedure calls that should not be allowed to run from a DAD.
The function defined by this parameter must have the following prototype:
boolean function_name (procedure_name IN varchar2)
The procedure_name parameter will contain the name of the procedure that the request is trying to run.
For example, if all the PL/SQL application procedures callable from a browser are inside the package mypkg, then an implementation of this function can be as follows:
boolean my_validation_check (procedure_name varchar2) is begin if (upper (procedure_name) like upper ('myschema.mypkg%')) then return TRUE else return FALSE end if; end;
Category | Value |
---|---|
Syntax | PlsqlRequestValidationFunction string |
Example | PlsqlRequestValidationFunction myschema.mypkg.my_validation_check |
Default | None |
By default, the mod_plsql module already disallows direct URL access to certain schemas and packages. For more information, refer to PlsqlExclusionList.
It is highly recommended that you provide an implementation for this function such that it only allows requests that belong to your application, and are callable from a browser.
Since this function will be called for every request, be sure to make this function as optimized as possible. Suggested recommendations are:
Name your PL/SQL packages in a fashion such that the implementation of this function can be similar to the previous example.
If your implementation performs a table lookup to determine what packages and procedures should be allowed, then performance can be improved if you pin the cursor in the shared pool.
Specifies the cookie name when PlsqlAuthenticationMode is set to SingleSignOn. This parameter is supported only for Oracle Fusion Middleware releases, and is used by Oracle Portal and Oracle Single Sign-On.
Category | Value |
---|---|
Syntax | PlsqlSessionCookieName cookie_name |
Example | PlsqlSessionCookieName mycookie |
Default | Same as DAD name |
For DADs not using SingleSignOn authentication, this parameter can be omitted. In most other cases, the session cookie name should be omitted (and this parameter automatically defaults to the DAD name).
A session cookie name must be specified only for Oracle Portal instances that must participate in a distributed Oracle Portal environment. For those Oracle Portal nodes you want to seamlessly participate as a federated cluster, ensure that the session cookie name for all the participating nodes is the same.
Independent Oracle Portal nodes must use distinct session cookie names.
Specifies how package and session state should be cleaned up after each mod_plsql request.
StatelessWithResetPackageState
causes the mod_plsql module to call dbms_session.reset_package_state
after each mod_plsql request. This is the default.
StatelessWithPreservePackageState
causes the mod_plsql module to call htp.init
after each mod_plsql request. This cleans up the state of session variables in the PL/SQL Web ToolKit. The PL/SQL application is responsible for cleaning up its own session state. Failure to do so causes erratic behavior, in which a request starts recognizing or manipulating state modified in previous requests.
StatelessWithFastResetPackageState
causes the mod_plsql module to call dbms_session.modify_package_state(dbms_session.reinitialize)
after each mod_plsql request. This API is faster than the StatelessWithResetPackageState
mode, and avoids some latch contention issues, but exists only in Oracle database releases 8.1.7.2 and later. This mode uses slightly more memory than the default mode.
Category | Value |
---|---|
Syntax | PlsqlSessionStateManagement {StatelessWithResetPackageState | StatelessWithFastResetPackageState | StatelessWithPreservePackageState } |
Example | PlsqlSessionStateManagement StatelessWithPreservePackageState |
Default | StatelessWithResetPackageState |
The earlier values of stateful=no
or stateful=STATELESS_RESET
corresponds to StatelessWithResetPackageState
.
The earlier value of stateful=STATELESS_FAST_RESET
corresponds to StatelessWithFastResetPackageState
.
The earlier value of stateful=STATELESS_PRESERVE
corresponds to StatelessWithPreservePackageState
.
The mod_plsql module does not support stateful mode of operation. To allow PL/SQL applications stateful behavior, save the state in cookies and/or in the database.
Specifies the transfer mode for data from the database back to the mod_plsql module. Most applications use the default value of CHAR
.
Category | Value |
---|---|
Syntax | PlsqlTransferMode {CHAR | RAW } |
Example | PlsqlTransferMode CHAR |
Default | CHAR |
This parameter must be changed only to enable sending back responses in different character sets from the same DAD. In such a case, the CHAR
mode is useless, since it always converts the response data from the database character set to the mod_plsql character set.
Specifies the file extensions to be uploaded as LONGRAW data type, as opposed to using the default BLOB data type. The default can be overridden by specifying multi-line directives of file extensions for field. A value of asterisk (*
) in this field causes all documents to be uploaded as LONGRAW.
Category | Value |
---|---|
Syntax | PlsqlUploadAsLongRaw string multiline |
Example | PlsqlUploadAsLongRaw jpg
|
Default | None |
For applications that do not upload or download documents, this parameter may be omitted.
The cache.conf
file contains the configuration settings for the file system caching functionality implemented in the mod_plsql module. This configuration file is relevant only if PL/SQL applications use the OWA_CACHE
package to cache dynamically generated content in the file system.
The following parameters are specified in the cache.conf
file:
Specifies the time to start the cleanup of the cache storage.
This setting defines the exact day and time in which cleanup should occur. The frequency can be set as daily, weekly, and monthly.
To define daily frequency, the keyword Everyday
is used. The cleanup starts every day at the time defined. For example, Everyday 2:00
causes the cleanup to happen everyday at 2:00 a.m. (local time).
To define weekly frequency, the days of the week, (Sunday
, Monday
, Tuesday
, Wednesday
, Thursday
, Friday
, Saturday
) are used. For example, Wednesday 15:30
causes the cleanup to happen every Wednesday at 3:30 p.m. (local time).
To define monthly frequency, the keyword Everymonth
is used. The cleanup starts on the Saturday of the month at the time defined. For example, Saturday Everymonth 23:00 causes the cleanup to happen the first Saturday of every month at 11:00 p.m. (local time).
Category | Value |
---|---|
Syntax | PlsqlCacheCleanupTime {Sunday-Saturday | Everyday | Everymonth} {hh:mm} |
Example | PlsqlCacheCleanupTime Monday 20:00 |
Default | Saturday 23:00 |
Specifies the directory where cache files are written out by the mod_plsql module. This directory must exist or Oracle HTTP Server will not start.
On UNIX, this directory must have write permissions by the owner of the child httpd processes.
Category | Value |
---|---|
Syntax | PlsqlCacheDirectory directory |
Example | PlsqlCacheDirectory "${ORACLE_INSTANCE}/servers/${COMPONENT_NAME}" |
Default | None |
Enables mod_plsql caching.
Category | Value |
---|---|
Syntax | PlsqlCacheEnable {On | Off} |
Example | PlsqlCacheEnable On |
Default | Off |
If an application does not use the OWA_CACHE
package in the PL/SQL Web Toolkit, then you can choose to disable caching. In such situations, there will be a minor performance benefit.
Specifies the maximum time, in days, a cache file can reside in a file system cache, after which the cached file will be removed for cache maintenance.
This setting is to ensure that the cache system does not contain old content. This setting removes old cache files and makes space for new ones.
Category | Value |
---|---|
Syntax | PlsqlCacheMaxAge number |
Example | PlsqlCacheMaxAge 20 |
Default | 30 (days) |
Specifies the maximum possible size of a cache file.
This setting prevents the case in which one file can fill up the entire cache. In general, it is recommended that this be set to about 1-3 percent of the total cache size, which is specified by PlsqlCacheTotalSize.
Category | Value |
---|---|
Syntax | PlsqlCacheMaxSize number |
Example | PlsqlCacheMaxSize 1048576 |
Default | 1048576 |
Specifies the total size of the cache directory. The default is 20 MB.
This setting limits the amount of space the cache is allowed to use. Both PL/SQL cache and Session Cookie cache share this cache space. This setting is not a hard limit. It might exceed the limit temporarily during normal processing. This is normal behavior.
The cleanup algorithm uses this setting to determine how much to reduce the cache files. Therefore, the real space limit is the physical storage's available size.
This parameter takes bytes as values:
1 megabytes = 1048576 bytes
10 megabytes = 10485760 bytes
Category | Value |
---|---|
Syntax | PlsqlCacheTotalSize number |
Example | PlsqlCacheTotalSize 20971520 |
Default | 20971520 (bytes) |