Sunday, December 5, 2021

Oracle E-Business Suite 12.2.10 Configuration for DMZ

This post is about how to configure a DMZ for Oracle E-Business Suite 12.2.10. So what is a DMZ? At first hearing it sounds like something from defence: a line or border beyond which access is restricted. In Oracle terminology, the DMZ (DeMilitarized Zone) consists of the portions of a corporate network that sit between the corporate intranet and the Internet. The DMZ can be a single-segment LAN or it can be broken down into multiple regions. The main benefit of a properly configured DMZ is better security: in the event of a security breach, only the area contained within the DMZ is exposed to potential damage, while the corporate intranet remains somewhat protected.




(Source: Metalink)


In my setup, the external DMZ node is accessible through the LB, and the application file system is not shared between the primary and the external node. I had to manually set up SSH. Also, the setup was done on a cloned environment and thus the update hierarchy setup was already in place. Now coming to the steps.

1. Create a passwordless SSH connection between the internal and external node

Run ssh-keygen on the primary node. This creates two keys, a private key and a public key.
Copy the public key content and paste it into the application user's authorized_keys file on the external node.

2. In the primary node:

Update hierarchy type -- already done as part of the clone from PROD.


3. Add the secondary node:

Prerequisites:

a. The patch Admin Server should be up and running.
b. The external node should be able to telnet to the Admin Server port of the internal host (run and patch file systems), for example:

telnet internal.example.com 7001   -- run file system
telnet internal.example.com 7002   -- patch file system

If the connection fails:
1. In the run file system config.xml, remove any deny rule and bounce the Admin Server. Follow the same for the patch file system. Those deny entries are the WebLogic connection-filter rules that limit which hosts can reach the admin port, so reinstate them once the node has been added.
2. If the above does not work, set the connection filter for the run/patch file system from the respective Admin Console, then stop the Admin Server from the console and start it from the server.


In the primary node:

a. Run adpreclone on the run and patch file systems and on the database tier.
b. Copy the directories below to the external tier:

Run File System (FS1)     :  /u01/install/APPS/fs1/EBSapps
Patch File System (FS2)   :  /u01/install/APPS/fs2/EBSapps
Non-Editioned File System(fs_ne)  :  /u01/install/APPS/fs_ne


In the external tier, run:

$ perl adcfgclone.pl appsTier dualfs

                     Copyright (c) 2002, 2015 Oracle Corporation
                        Redwood Shores, California, USA

                        Oracle E-Business Suite Rapid Clone

                                 Version 12.2

                      adcfgclone Version 120.63.12020000.65

Enter the APPS password :

Enter the Weblogic AdminServer password :

Enter the password for DataSource ISGDatasource :

Do you want to add a node (yes/no) [no] : yes

Verifying: Run file system AdminServer is running
Verifying: Patch file system AdminServer is running
Running: Context clone...

Once the run and patch file systems are configured, edit the context file to set the LB details, port, etc.

CONTEXT VARIABLES TO BE CHANGED FOR THE ABOVE LBR CONFIGURATION

<webentryurlprotocol oa_var="s_webentryurlprotocol">https</webentryurlprotocol>

<webentryhost oa_var="s_webentryhost">partners</webentryhost>

<webentrydomain oa_var="s_webentrydomain">example.com</webentrydomain>

<activewebport oa_var="s_active_webport">443</activewebport>

<login_page oa_var="s_login_page">https://partners.example.com:443/OA_HTML/AppsLogin</login_page>

<EndUserMonitoringURL oa_var="s_endUserMonitoringURL">https://partners.example.com:443/oracle_smp_chronos/oracle_smp_chronos_sdk.gif</EndUserMonitoringURL>

<externURL oa_var="s_external_url">https://partners.example.com:443/OA_HTML/AppsLogin</externURL>
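A mistyped entry point here is only noticed after autoconfig has rewritten the configuration, so below is an added Python check (not from the post or from Oracle) that parses these oa_var entries and verifies that the protocol is https, the port is numeric, and the three published URLs are built from the same webentry host, domain and port. The sample context is constructed from the values shown above; a real context file would be passed in as text instead.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the context variables shown in this post, wrapped in a
# minimal root element so the fragment parses (a real context file is larger).
SAMPLE_CONTEXT = """<oa_context>
<webentryurlprotocol oa_var="s_webentryurlprotocol">https</webentryurlprotocol>
<webentryhost oa_var="s_webentryhost">partners</webentryhost>
<webentrydomain oa_var="s_webentrydomain">example.com</webentrydomain>
<activewebport oa_var="s_active_webport">443</activewebport>
<login_page oa_var="s_login_page">https://partners.example.com:443/OA_HTML/AppsLogin</login_page>
<EndUserMonitoringURL oa_var="s_endUserMonitoringURL">https://partners.example.com:443/oracle_smp_chronos/oracle_smp_chronos_sdk.gif</EndUserMonitoringURL>
<externURL oa_var="s_external_url">https://partners.example.com:443/OA_HTML/AppsLogin</externURL>
</oa_context>"""

# Variables that must be reachable through the load balancer entry point.
URL_VARS = ("s_login_page", "s_external_url", "s_endUserMonitoringURL")


def load_vars(xml_text):
    """Map each oa_var name to its value, regardless of the element tag."""
    root = ET.fromstring(xml_text)
    return {el.get("oa_var"): (el.text or "").strip()
            for el in root.iter() if el.get("oa_var")}


def check_dmz_context(xml_text):
    """Return a list of findings; an empty list means the entry point is consistent."""
    v = load_vars(xml_text)
    proto = v.get("s_webentryurlprotocol", "")
    host = v.get("s_webentryhost", "")
    domain = v.get("s_webentrydomain", "")
    port = v.get("s_active_webport", "")
    findings = []
    if proto != "https":
        findings.append(f"s_webentryurlprotocol is {proto!r}; the external entry point should be https")
    if not port.isdigit():
        findings.append(f"s_active_webport {port!r} is not numeric")
    # Every externally published URL must be built from the same host, domain and port.
    expected_base = f"{proto}://{host}.{domain}:{port}/"
    for var in URL_VARS:
        url = v.get(var, "")
        if not url.startswith(expected_base):
            findings.append(f"{var} {url!r} does not start with {expected_base}")
    return findings


if __name__ == "__main__":
    for finding in check_dmz_context(SAMPLE_CONTEXT) or ["context file entry point is consistent"]:
        print(finding)
```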

4. Run autoconfig on the external tier

Run file system:

$ . /u01/install/APPS/EBSapps.env run

$ $INST_TOP/admin/scripts/adautocfg.sh

Patch file system:

$ . /u01/install/APPS/EBSapps.env patch

$ $ADJVAPRG oracle.apps.ad.autoconfig.oam.CtxSynchronizer action=upload contextfile=context.xml logfile=/tmp/patchctxupload.log


5. Sync up the context file and update the configuration on all nodes

In the primary node:

$ . /u01/install/APPS/EBSapps.env run

$ perl $AD_TOP/bin/adSyncContext.pl contextfile=$CONTEXT_FILE

As part of node addition, every node holds the managed-server details of the other nodes. If those managed servers are not required on this node, remove the other nodes' managed servers:

perl <FND_TOP>/patch/115/bin/txkSetAppsConf.pl -contextfile=<CONTEXT_FILE> -configoption=removeMS -oacore=testserver1.example.com:7201 -forms=testserver2.example.com:7601

Repeat the above steps in the patch file system.

In the external node:

Run file system:

$ . /u01/install/APPS/EBSapps.env run

$ perl $AD_TOP/bin/adSyncContext.pl contextfile=$CONTEXT_FILE

As on the primary node, the external node holds the managed-server details of the other nodes. If those managed servers are not required on the external node, remove them:

perl <FND_TOP>/patch/115/bin/txkSetAppsConf.pl -contextfile=<CONTEXT_FILE> -configoption=removeMS -oacore=testserver1.example.com:7201 -forms=testserver2.example.com:7601

or remove the managed servers manually from the apps.conf and mod_ohs.conf files.

Repeat the above steps in the patch file system.

6. Run autoconfig

On all the application nodes (the external nodes and the primary node), run autoconfig on the run file system.

In the primary node, shut down the Admin Server and the Node Manager on the Patch Edition File System as follows:

$ <ADMIN_SCRIPTS_HOME>/adadminsrvctl.sh stop

$ <ADMIN_SCRIPTS_HOME>/adnodemgrctl.sh stop

In the DB node

<RDBMS_OH>/appsutil/scripts/<CONTEXT_NAME>/adautocfg.sh

lsnrctl reload <ORACLE_SID>


7. Log in to the internal application node and set the profile options

"Node trust level" should be set to External for the external server.

To control which responsibilities are visible on the external node's login page, set "Responsibility trust level" to External for the respective responsibilities.


8. Run autoconfig on the internal and external nodes

Bounce the services and check.



