D Frequently Asked Questions

This appendix provides answers to frequently asked questions about Oracle HTTP Server.

Documentation from the Apache Software Foundation is referenced when applicable.

Note:

Readers using this guide in PDF or hard copy formats will be unable to access third-party documentation, which Oracle provides in HTML format only. To access the third-party documentation referenced in this guide, use the HTML version of this guide and click the hyperlinks.

How Do I Create Application-Specific Error Pages?

Oracle HTTP Server has a default content handler for dealing with errors. You can use the ErrorDocument directive to override the defaults.
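The following configuration is an added example, not taken from the Oracle documentation, showing ErrorDocument scoped to one application. The /app1 prefix and the error page paths are assumptions.

```apache
# Added example; the /app1 prefix and all file paths are assumed.

# Server-wide fallbacks. A local URL path is served through an internal
# redirect, so the client still receives the original error status.
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html

# Application-specific overrides: requests under /app1 get that
# application's own pages instead of the server-wide ones.
<Location "/app1">
    ErrorDocument 403 /app1/errors/forbidden.html
    ErrorDocument 404 /app1/errors/not-found.html
    ErrorDocument 500 /app1/errors/server-error.html
</Location>

# The error pages must remain readable even where the application
# restricts access; otherwise the built-in default message is sent.
<Location "/app1/errors">
    Require all granted
</Location>
```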

What Type of Virtual Hosts Are Supported for HTTP and HTTPS?

(Apache 2.4 required)

For HTTP, Oracle HTTP Server supports both name-based and IP-based virtual hosts. Name-based virtual hosts are virtual hosts that share a common listening address (IP plus port combination), but route requests based on a match between the Host header sent by the client and the ServerName directive set within the VirtualHost. IP-based virtual hosts are virtual hosts that have distinct listening addresses. IP-based virtual hosts route requests based on the address they were received on.

For HTTPS, only IP-based virtual hosts are possible with Oracle HTTP Server. This is because for name-based virtual hosts, the request must be read and inspected to determine which virtual host processes the request. If HTTPS is used, an SSL handshake must be performed before the request can be read. To perform the SSL handshake, a server certificate must be provided. To have a meaningful server certificate, the host name in the certificate must match the host name the client requested, which implies a unique server certificate per virtual host. However, because the server cannot know which virtual host to route the request to until it has read the request, and it can't properly read the request unless it knows which server certificate to provide, there is no way to make name-based virtual hosting work with HTTPS.
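The two routing models described above, as an added example that is not part of the Oracle documentation. The addresses, ports, host names, document roots and wallet paths are assumptions.

```apache
# Added example; addresses, ports, host names and paths are assumed.

# HTTP, name-based: both virtual hosts share one listening address and
# are selected by matching the Host header against ServerName.
Listen 192.0.2.10:7777
<VirtualHost 192.0.2.10:7777>
    ServerName app1.example.com
    DocumentRoot "/myApps/application1"
</VirtualHost>
<VirtualHost 192.0.2.10:7777>
    ServerName app2.example.com
    DocumentRoot "/myApps/application2"
</VirtualHost>

# HTTPS, IP-based: each virtual host has its own listening address, so
# the wallet (and therefore the server certificate) is chosen from the
# address the connection arrived on, before any request is read.
Listen 192.0.2.11:4443
Listen 192.0.2.12:4443
<VirtualHost 192.0.2.11:4443>
    ServerName app1.example.com
    SSLEngine on
    SSLWallet "/path/to/wallets/app1"
</VirtualHost>
<VirtualHost 192.0.2.12:4443>
    ServerName app2.example.com
    SSLEngine on
    SSLWallet "/path/to/wallets/app2"
</VirtualHost>
```

The certificate in each wallet must carry the host name that clients use for that address.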

Can I Use Different Language and Character Set Versions of a Document?

Yes, you can use multiviews, a general name given to the Apache HTTP Server's ability to provide language and character-specific document variants in response to a request.

See Also:

Multiviews option in the Apache HTTP Server documentation on Content Negotiation, at:

http://httpd.apache.org/docs/current/content-negotiation.html

Can I Apply Apache HTTP Server Security Patches to Oracle HTTP Server?

No, you cannot apply the Apache HTTP Server security patches to Oracle HTTP Server for the following reasons:

  • Oracle tests and appropriately modifies security patches before releasing them to Oracle HTTP Server users.

  • In many cases, the Apache HTTP Server alerts, such as OpenSSL alerts, may not be applicable because Oracle has removed those components from the stack.

The latest security-related fixes to Oracle HTTP Server are delivered through the Oracle Critical Patch Update (CPU). See Oracle's Critical Patch Updates and Security Alerts Web page.

Note:

After applying a CPU, the Apache HTTP Server-based version may stay the same, but the vulnerability will be fixed. There are third-party security detection tools that can check the version, but do not check the vulnerability itself.

Can I Upgrade the Apache HTTP Server Version of Oracle HTTP Server?

No, you cannot upgrade only the Apache HTTP Server version inside Oracle HTTP Server. Oracle provides a newer version of the Apache HTTP Server on which Oracle HTTP Server is based as part of either a patch update or the next major or minor release of Oracle Fusion Middleware.

Can I Compress Output From Oracle HTTP Server?

In general, Oracle recommends using mod_deflate, which is included with Oracle HTTP Server. For more information pertaining to mod_deflate, see http://httpd.apache.org/docs/current/mod/mod_deflate.html

How Do I Create a Namespace That Works Through Firewalls and Clusters?

The general idea is that all servers in a distributed website should use a single URL namespace. Every server serves some part of that namespace, and can redirect or proxy requests for URLs that it does not serve to a server that is closer to that URL. For example, your namespaces could be the following:

/app1/login.html
/app1/catalog.html
/app1/dologin.jsp
/app2/orderForm.html
/app2/placeOrder.jsp

You could initially map these namespaces to two Web servers by putting app1 on server1 and app2 on server2. The configuration for server1 might look like the following:

Redirect permanent /app2 http://server2/app2
Alias /app1 /myApps/application1
<Directory /myApps/application1>
  ...
</Directory>

The configuration for server2 is complementary.

If you decide to partition the namespace by content type (HTML on server1, and JSP on server2), then you can change server configuration and move files around, but you do not have to make changes to the application itself. The resulting configuration of server1 might look like the following:

RedirectMatch permanent ^/(.*)\.jsp$ http://server2/$1.jsp
AliasMatch ^/app(.*)\.html$ /myPages/application$1.html
<DirectoryMatch "^/myPages/application\d">
  ...
</DirectoryMatch>

The amount of actual redirection can be minimized by configuring a hardware load balancer like F5 system BIG-IP to send requests to server1 or server2 based on the URL.

How Can I Enhance Website Security?

The following are some general guidelines for securing your web site.

  • Use a commercial firewall between your ISP and your Web server.

  • Use switched Ethernet to limit the amount of traffic a compromised server can detect. Use additional firewalls between Web server machines and highly sensitive internal servers running the database and enterprise applications.

  • Remove unnecessary network services such as RPC, Finger, and telnet from your server.

  • Always validate all input from Web forms and output from your applications. Be sure to validate encodings, long input strings, and input that contains non-printable characters, HTML tags, or JavaScript tags.

  • Encrypt the contents of cookies when it is relevant.

  • Check often for security patches for all your system and application software, and install them as soon as possible. Only accept patches from Oracle or your Oracle support representative.

  • When it is relevant, use an intrusion detection package to monitor for defaced Web pages, viruses, and presence of rootkits. If possible, mount system executables and Web content on read-only file systems.

  • Consider using penetration testing or other relevant security testing on your application. Consider configuring web security using the appropriate custom mod_security rules to protect your application. For more information on mod_security, see Configuring the mod_security Module and Using mod_security.

  • Remove unneeded content from the httpd.conf file. See Removing Access to Unneeded Content.

  • Take precautions to protect your web pages from clickjacking attempts. There is a lot of helpful information available on the internet. For more information on clickjacking, see the Security Best Practices section in "Security Vulnerability FAQ for Oracle Database and Fusion Middleware Products (Doc ID 1074055.1)".
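One way to apply the clickjacking guideline at the web server, as an added example that is not from the Oracle documentation. It assumes mod_headers is loaded; the /app1/widget path and the partner origin are hypothetical.

```apache
# Added example; assumes mod_headers is loaded. The /app1/widget path
# and https://partner.example.com are hypothetical.
<IfModule mod_headers.c>
    # Default for every response, including error pages: only pages
    # from the same origin may frame this site's content.
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Content-Security-Policy "frame-ancestors 'self'"

    # Exception for one page that is meant to be embedded by a partner.
    # X-Frame-Options cannot reliably name a single foreign origin, so
    # it is removed here and frame-ancestors carries the allow list.
    <Location "/app1/widget">
        Header always unset X-Frame-Options
        Header always set Content-Security-Policy "frame-ancestors 'self' https://partner.example.com"
    </Location>
</IfModule>
```

If the application already sends its own Content-Security-Policy, add frame-ancestors to that policy rather than setting a second policy here.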

Why is REDIRECT_ERROR_NOTES not set for "File Not Found" errors?

The REDIRECT_ERROR_NOTES CGI environment variable is not set for "File Not Found" errors in Oracle HTTP Server because, for compatibility with Apache HTTP Server, that information is not made available to CGI and other applications for this condition.

How Can I Hide Information About the Web Server Vendor and Version?

Specify ServerSignature Off to remove this information from web server-generated responses. Specify ServerTokens Custom some-server-string to disguise the web server software when Oracle HTTP Server generates the Server response header. (When a backend server generates the response, the Server response header may come from the backend server, depending on the proxy mechanism.)

Note:

ServerTokens Custom some-server-string is a replacement for the ServerHeader Off setting in Oracle HTTP Server 10g.

Can I Start Oracle HTTP Server by Using apachectl or Other Command Line Tool?

Oracle HTTP Server process management is handled by Node Manager. You can use the startComponent command to start Oracle HTTP Server without using WLST or Fusion Middleware Control directly. See Starting Oracle HTTP Server Instances from the Command Line.

How Do I Configure Oracle HTTP Server to Listen at Port 80?

By default, Oracle HTTP Server is not able to bind to ports on UNIX in the reserved range (typically less than 1024). You can enable Oracle HTTP Server to listen on a port in the reserved range (for example, the default port 80) by following the instructions in Starting Oracle HTTP Server Instances on a Privileged Port (UNIX Only).

How Do I Terminate Requests Using SSL Within Oracle HTTP Server?

You can terminate requests using SSL before or within Oracle HTTP Server, where the mod_wl_ohs module forwards requests to WebLogic Server. Whether you terminate SSL before the request reaches Oracle HTTP Server or when the request is in the server, depends on your topology. See Terminating SSL at the Load Balancer and Terminating SSL at Oracle HTTP Server.

How Do I Configure End-to-End SSL Within Oracle HTTP Server?

Support for Secure Sockets Layer (SSL) is provided by the Oracle WebLogic Server Proxy Plug-In. You can use the SSL protocol to protect the connection between the plug-in and Oracle WebLogic Server. The SSL protocol provides confidentiality and integrity to the data passed between the plug-in and WebLogic Server. See Use SSL with Plug-Ins in Using Oracle WebLogic Server Proxy Plug-Ins for information on setting up SSL libraries and for setting up one-way or two-way SSL communications between the web server and Oracle WebLogic Server.

If you will be configuring SSL in Oracle HTTP Server but not on Oracle WebLogic Server, then you can terminate SSL for requests sent by Oracle HTTP Server. For information on configuring this scenario, see Terminating SSL at Oracle HTTP Server.

Can Oracle HTTP Server Front-End Oracle WebLogic Server?

Oracle HTTP Server is the web server component for Oracle Fusion Middleware. The server uses the WebLogic Management Framework to provide a simple, consistent and distributed environment for administering Oracle HTTP Server, Oracle WebLogic Server, and the rest of the Fusion Middleware stack. It acts as the HTTP front-end by hosting the static content from within and by using its built-in Oracle WebLogic Server Proxy Plug-In (mod_wl_ohs module) to route dynamic content requests to WebLogic-managed servers.

For information about the topologies into which you can install Oracle HTTP Server, see Oracle HTTP Server Topologies.

What is the Difference Between Oracle WebLogic Server Domains and Standalone Domains?

Oracle HTTP Server can be installed in either a standalone, a Full-JRF, or a Restricted-JRF domain. A standalone domain is a container for system components, such as Oracle HTTP Server. It is ideal for a DMZ environment because it has the least overhead. A standalone domain has a directory structure similar to an Oracle WebLogic Server Domain, but it does not contain an Administration Server, or Managed Servers, or any management support. It can contain one or more instances of system components of the same type, such as Oracle HTTP Server, or a mix of system component types.

WebLogic Server Domains support all WebLogic Management Framework tools. An Oracle WebLogic Server domain can be either Full-JRF or Restricted JRF. A WebLogic Server Domain in Full-JRF mode contains a WebLogic Administration Server, zero or more WebLogic Managed Servers, and zero or more System Component Instances (for example, an Oracle HTTP Server instance). This type of domain provides enhanced management capabilities through the Fusion Middleware Control and WebLogic Management Framework present throughout the system. A WebLogic Server Domain can span multiple physical machines, and it is centrally managed by the administration server. Because of these properties, a WebLogic Server Domain provides the best integration between your System Components and Java EE Components.

The purpose of the Restricted-JRF domain is to simplify Oracle HTTP Server administration by using the WebLogic Server domain. A Restricted-JRF Oracle WebLogic Server domain is similar to a Full-JRF domain except that a connection to an external database is not required. All of the Oracle HTTP Server functionality through Fusion Middleware Control and WLST is still available, with the exception of cross-component wiring.

For more details on each of these domains, see Domain Types.

Can Oracle HTTP Server Cache the Response Data?

Oracle HTTP Server now includes the Apache mod_cache and mod_cache_disk modules to cache response data.

For more information on mod_cache and mod_cache_disk, see mod_cache in the Apache documentation:

http://httpd.apache.org/docs/2.4/mod/mod_cache.html

How Do I Configure a Virtual Server-Specific Access Log?

Within every VirtualHost directive, you can use the Apache LogFormat and CustomLog directives to configure Virtual Host-specific access log format and log files. See LogFormat and CustomLog.
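A per-virtual-host access log configuration, as an added example that is not from the Oracle documentation. The host names, listening address, format nickname app_detail and log file paths are assumptions.

```apache
# Added example; host names, address, nicknames and paths are assumed.

# Format nicknames are defined once at server level and can then be
# referenced by CustomLog in any virtual host.
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" app_detail

<VirtualHost 192.0.2.10:7777>
    ServerName app1.example.com
    # Plain Common Log Format for this host.
    CustomLog "logs/app1_access_log" common
</VirtualHost>

<VirtualHost 192.0.2.10:7777>
    ServerName app2.example.com
    # Adds the virtual host and port, Referer, User-Agent and the
    # request duration in microseconds (%D).
    CustomLog "logs/app2_access_log" app_detail
</VirtualHost>

# Requests handled by a virtual host that has its own CustomLog are
# written only to that file, not to the main server access log, so log
# collection and monitoring must include every per-host file.
```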

How to Enable SSL for Oracle HTTP Server by Using Fusion Middleware Control?

You can enable SSL for Oracle HTTP Server using Fusion Middleware Control.

The steps in this section apply to Oracle HTTP Server Version 12.2.1.0.0 and later.

Complete the following steps to enable SSL for Oracle HTTP Server using Fusion Middleware Control:

Start Node Manager and Admin Server

  1. Start the Node Manager in the collocated ORACLE_HOME.
    $ORACLE_HOME/user_projects/domains/bin/startNodeManager.sh
  2. Start the Admin Server in the collocated ORACLE_HOME.
    $ORACLE_HOME/user_projects/domains/bin/startWebLogic.sh
  3. Log in to Fusion Middleware Control with the WebLogic user name and password.
    For example, http://host.domain:7001/em.

Create Keystore

  1. Log in to Fusion Middleware Control.
  2. Go to Domain, click Security, and then click Keystore.
    The Keystore page appears.
  3. Click Create Keystore.
    The Create Keystore dialog box appears.
  4. In this dialog box, enter the following data:
    • Keystore Name: Enter a unique name. For example, Test.
    • Protection Type: Choose Policy.
    A new keystore is created with the name _Test, that is, ohs1_Test.

    Once the keystore is created, select the new keystore ohs1_Test, and then click Manage to perform all other steps.

Generate Keypair

To generate a certificate with an associated keypair:
  1. Log in to Fusion Middleware Control.
  2. From the navigation pane, locate the domain of interest.
  3. Navigate to Security, then Keystore.
    The Keystore page appears.
  4. Expand the stripe in which the keystore resides. Select the row corresponding to the keystore.
  5. Click Manage.
    The Manage Certificates page appears.
  6. Click Generate Keypair.
    The Generate Keypair dialog appears.
  7. Enter the details, and then click OK.
    The new certificate appears in the list of certificates. You can view the certificate details by clicking on the certificate alias.
The generated keypair is wrapped in a CA-signed certificate. To use this certificate for SSL or where trust needs to be established, applications must either use the domain trust store as their trust store or import the certificate to a custom application-specific trust store.

Generate CSR for a Certificate

To generate a CSR for a certificate or trusted certificate:
  1. Log in to Fusion Middleware Control.
  2. From the navigation pane, locate the domain of interest.
  3. Navigate to Security, and then Keystore.
    The Keystore page appears.
  4. Expand the stripe in which the keystore resides. Select the row corresponding to the keystore.
  5. Click Manage.
    The Manage Certificates page appears. 
  6. Select the row corresponding to the new keypair and click Generate CSR.
    The Generate CSR dialog appears.
  7. Copy and paste the entire CSR into a text file, and click Close.
    Alternatively, you can click Export CSR to automatically save the CSR to a file.
You can send the resulting certificate request to a certificate authority (CA), which will return a signed certificate.

Import the Trusted Certificate

To import a certificate into a password-protected keystore:
  1. Log in to Fusion Middleware Control.
  2. From the navigation pane, locate Oracle HTTP Server.
  3. Navigate to Security, and then Keystore.
    The Keystore page appears.
  4. Expand the stripe in which the keystore resides. Select the keystore from which the CSR was generated.
  5. Click Manage.
    The Manage Certificates page appears. 
  6. Click Import.
    The Import Certificate dialog appears.
  7. In the Certificate Type, select Trusted Certificate.
  8. In Alias, enter a name for the Alias.
  9. In Certificate Source, either paste the content of the trusted certificate in the Paste Certificate String here text box or select a trusted certificate file.
  10. Click OK.
    Repeat these steps for any other trusted CA certificates in the chain.
    The imported trusted certificate appears in the list of certificates.

Import the Trusted Certificate to WebLogic Domain

You also need to import the root CA certificate and any other trusted CA certificates into the WebLogic "system" stripe, under the trust keystore.
  1. Log in to Fusion Middleware Control.
  2. From the navigation pane, locate WebLogic domain.
  3. Navigate to Security, and then Keystore.
    The Keystore page appears.
  4. Expand the stripe in which the keystore resides. Select the keystore from which the CSR was generated.
  5. Click Manage.
    The Manage Certificates page appears. 
  6. Click Import.
    The Import Certificate dialog appears.
  7. In the Certificate Type, select Trusted Certificate.
  8. In Alias, enter a name for the Alias.
  9. In Certificate Source, either paste the content of the trusted certificate in the Paste Certificate String here text box or select a trusted certificate file.
  10. Click OK.
    Repeat these steps for any other trusted CA certificates in the chain.
    The imported trusted certificate appears in the list of certificates.

If you miss this step, then exporting the keystore to a wallet fails with the following error message:

Error "Failed to export keystore to wallet. Error message: null" While Trying to Export Keystore to Wallet

See Note: 2140257.1

Import the User Certificate

  1. Log in to Fusion Middleware Control.
  2. From the navigation pane, locate Oracle HTTP Server.
  3. Navigate to Security, and then Keystore.
    The Keystore page appears.
  4. Expand the stripe in which the keystore resides. Select the keystore from which the CSR was generated.
  5. Click Manage.
    The Manage Certificates page appears. 
  6. Click Import.
    The Import Certificate dialog appears.
  7. In the Certificate Type, select Certificate.
  8. In Alias, enter a name for the Alias.
  9. In Certificate Source, either paste the content of the user certificate in the Paste Certificate String here text box or select a user certificate file.
  10. Click OK.
    The imported user certificate appears in the list of certificates.

Export Keystore to Wallet

  1. Log in to Fusion Middleware Control.
  2. From the navigation pane, locate Oracle HTTP Server.
  3. Navigate to Security, and then Keystore.
    The Keystore page appears.
  4. Expand the stripe in which the keystore resides. Select the keystore from which the CSR was generated.
  5. Click Manage.
    The Manage Certificates page appears. 
  6. Click Import.
    The Import Certificate dialog appears.
  7. Click Export Keystore to Wallet.
    You get an auto-login wallet, cwallet.sso, that does not need a password. This auto-login-enabled wallet is also associated with a PKCS#12 wallet (ewallet.p12).

Enable SSL

  1. Navigate to the Oracle HTTP Server home page.
  2. Select Administration from the Oracle HTTP Server menu.
  3. Select Virtual Hosts from the Administration menu.
  4. Highlight an existing virtual host in the table.
  5. Click Configure.
  6. Select SSL Configuration.
  7. Check the Enable SSL box.
  8. Select a wallet from the drop-down list.
    Here, select the path to the Test wallet.
  9. Click OK to apply the changes.
  10. Restart the Oracle HTTP Server instance by navigating to Oracle HTTP Server, then Control, then Restart.
  11. Open a browser session and connect to the port number that was SSL-enabled.