This post is about how to configure a DMZ for Oracle E-Business Suite 12.2.10. Now what is a DMZ? At first hearing, it sounds like something from defence, where there is a line or border beyond which access is restricted. In Oracle terminology, the DMZ, which stands for DeMilitarized Zone, consists of the portions of a corporate network that sit between the corporate intranet and the Internet. The DMZ can be a simple one-segment LAN or it can be broken down into multiple regions. The main benefit of a properly configured DMZ is better security: in the event of a security breach, only the area contained within the DMZ is exposed to potential damage, while the corporate intranet remains somewhat protected.
Source: Metalink
In my setup, the external DMZ node is accessible through the LB, and the application file system is not shared between the primary and the external node. I had to set up SSH manually. Also, the setup was done on a cloned environment, and thus the update hierarchy setup was already in place. Now coming to the steps.
1. Create a passwordless SSH connection between the internal and external node
Run ssh-keygen on the primary node; this creates a key pair (private and public key).
Copy the public key content and append it to the application user's ~/.ssh/authorized_keys file on the external node.
2. On the primary node:
Update the hierarchy type (already done here as part of the clone from PROD).
3. Add the secondary node
Prerequisites:
a. The patch file system AdminServer should be up and running.
b. The external node should be able to reach the AdminServer port of the run and patch file systems with telnet, for example:
telnet internal.example.com 7001   (run file system)
telnet internal.example.com 7002   (patch file system)
If the connection fails:
1. In the run file system config.xml, remove any deny entries and bounce the AdminServer; do the same for the patch file system. (These entries are the WebLogic connection filter rules that limit which hosts may reach the admin port; allowing only the external node's address is a tighter alternative to dropping the rules altogether.)
2. If that does not work, set the context filter for the run/patch file system from the respective admin console, then stop the AdminServer from the console and start it again from the server.
On the primary node
a. Run adpreclone on the run and patch file systems and on the database tier.
b. Copy the directories below to the external tier:
Run File System (FS1): /u01/install/APPS/fs1/EBSapps
Patch File System (FS2): /u01/install/APPS/fs2/EBSapps
Non-Editioned File System (fs_ne): /u01/install/APPS/fs_ne
On the external tier, run adcfgclone with the dualfs option:
$ perl adcfgclone.pl appsTier dualfs
Copyright (c) 2002, 2015 Oracle Corporation
Redwood Shores, California, USA
Oracle E-Business Suite Rapid Clone
Version 12.2
adcfgclone Version 120.63.12020000.65
Enter the APPS password :
Enter the Weblogic AdminServer password :
Enter the password for DataSource ISGDatasource :
Do you want to add a node (yes/no) [no] : yes
Verifying: Run file system AdminServer is running
Verifying: Patch file system AdminServer is running
Running: Context clone...
Once the run and patch file systems are configured, edit the context file to set the load balancer (LBR) host, domain, protocol and port. The context variables to change for the LBR configuration above are:
<webentryurlprotocol oa_var="s_webentryurlprotocol">https</webentryurlprotocol>
<webentryhost oa_var="s_webentryhost">partners</webentryhost>
<webentrydomain oa_var="s_webentrydomain">example.com</webentrydomain>
<activewebport oa_var="s_active_webport">443</activewebport>
<login_page oa_var="s_login_page">https://partners.example.com:443/OA_HTML/AppsLogin</login_page>
<EndUserMonitoringURL oa_var="s_endUserMonitoringURL">https://partners.example.com:443/oracle_smp_chronos/oracle_smp_chronos_sdk.gif</EndUserMonitoringURL>
<externURL oa_var="s_external_url">https://partners.example.com:443/OA_HTML/AppsLogin</externURL>
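As an added check (not part of the original post or of Oracle's tooling), the following Python parses the LBR-related context variables listed above from a constructed context-file fragment and reports any URL variable that still points at a different host, protocol or port than the load balancer entry point; the element names and partners.example.com values are assumed from the sample above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample of the LBR-related entries from an external-node context file
# (hypothetical partners.example.com values, not a real context file).
SAMPLE_CONTEXT = """<oa_context>
  <webentryurlprotocol oa_var="s_webentryurlprotocol">https</webentryurlprotocol>
  <webentryhost oa_var="s_webentryhost">partners</webentryhost>
  <webentrydomain oa_var="s_webentrydomain">example.com</webentrydomain>
  <activewebport oa_var="s_active_webport">443</activewebport>
  <login_page oa_var="s_login_page">https://partners.example.com:443/OA_HTML/AppsLogin</login_page>
  <EndUserMonitoringURL oa_var="s_endUserMonitoringURL">https://partners.example.com:443/oracle_smp_chronos/oracle_smp_chronos_sdk.gif</EndUserMonitoringURL>
  <externURL oa_var="s_external_url">https://partners.example.com:443/OA_HTML/AppsLogin</externURL>
</oa_context>
"""

# Context variables that hold full URLs and must agree with the web entry point.
URL_VARS = ("s_login_page", "s_endUserMonitoringURL", "s_external_url")

def load_vars(xml_text):
    """Map each oa_var name in the context XML to its (stripped) text value."""
    root = ET.fromstring(xml_text)
    return {el.get("oa_var"): (el.text or "").strip()
            for el in root.iter() if el.get("oa_var")}

def check_lbr_vars(xml_text):
    """Return a list of findings; an empty list means the LBR entry point is consistent."""
    v = load_vars(xml_text)
    proto = v.get("s_webentryurlprotocol", "")
    port = v.get("s_active_webport", "")
    lb_host = v.get("s_webentryhost", "") + "." + v.get("s_webentrydomain", "")
    findings = []
    if proto != "https":
        findings.append(f"s_webentryurlprotocol is {proto!r}; the Internet-facing entry point should be https")
    for name in URL_VARS:
        url = v.get(name)
        if not url:
            findings.append(f"{name} is missing")
            continue
        parts = urlsplit(url)
        # Default ports so that an omitted :443 still compares equal to s_active_webport.
        url_port = str(parts.port) if parts.port else ("443" if parts.scheme == "https" else "80")
        if parts.scheme != proto:
            findings.append(f"{name} uses {parts.scheme} but s_webentryurlprotocol is {proto}")
        if parts.hostname != lb_host:
            findings.append(f"{name} points at {parts.hostname}, not the load balancer {lb_host}")
        if url_port != port:
            findings.append(f"{name} uses port {url_port} but s_active_webport is {port}")
    return findings
```

Run it against the real $CONTEXT_FILE on the external node after editing; a non-empty result means a URL variable was left pointing at the internal host or the wrong port.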
4. Run AutoConfig on the external tier
Run file system:
$ . /u01/install/APPS/EBSapps.env run
$ $INST_TOP/admin/scripts/adautocfg.sh
Patch file system (upload the patch context file; replace context.xml with its path):
$ . /u01/install/APPS/EBSapps.env patch
$ $ADJVAPRG oracle.apps.ad.autoconfig.oam.CtxSynchronizer action=upload contextfile=context.xml logfile=/tmp/patchctxupload.log
5. Sync up the context file and update the configuration on all nodes
On the primary node (run file system):
$ . /u01/install/APPS/EBSapps.env run
$ perl $AD_TOP/bin/adSyncContext.pl contextfile=$CONTEXT_FILE
As part of node addition, every node receives the managed server details of the other nodes. If those managed servers are not needed on this node, remove the other nodes' managed servers:
$ perl <FND_TOP>/patch/115/bin/txkSetAppsConf.pl -contextfile=<CONTEXT_FILE> -configoption=removeMS -oacore=testserver1.example.com:7201 -forms=testserver2.example.com:7601
Repeat the above steps on the patch file system.
On the external node (run file system):
$ . /u01/install/APPS/EBSapps.env run
$ perl $AD_TOP/bin/adSyncContext.pl contextfile=$CONTEXT_FILE
As part of node addition, every node receives the managed server details of the other nodes. If those managed servers are not needed on this node, remove the other nodes' managed servers:
$ perl <FND_TOP>/patch/115/bin/txkSetAppsConf.pl -contextfile=<CONTEXT_FILE> -configoption=removeMS -oacore=testserver1.example.com:7201 -forms=testserver2.example.com:7601
or remove the managed servers manually from the apps.conf and mod_ohs.conf files.
Repeat the above steps on the patch file system.
6. Run AutoConfig
On all the application nodes (primary and external), run AutoConfig on the run file system.
On the primary node, shut down the AdminServer and the Node Manager on the patch edition file system as follows:
$ <ADMIN_SCRIPTS_HOME>/adadminsrvctl.sh stop
$ <ADMIN_SCRIPTS_HOME>/adnodemgrctl.sh stop
On the DB node, run AutoConfig and reload the listener:
$ <RDBMS_OH>/appsutil/scripts/<CONTEXT_NAME>/adautocfg.sh
$ lsnrctl reload <ORACLE_SID>
7. Log in to the internal application node and set the profile options
Set the profile option "Node Trust Level" to External for the external server.
Update the list of responsibilities that should be visible on the external node's login page: set the profile option "Responsibility Trust Level" to External for the respective responsibilities. Responsibilities left at the default trust level are not offered through the external node, which is what keeps internal-only responsibilities off the DMZ login page.
8. Run AutoConfig on the internal and external nodes, then bounce the services and check.