Home » Oracle » How to create DMZ for EBS R12

How to create DMZ for EBS R12

This post I will explaining my experience with setting up DMZ for EBS R12. We will first go through some of the important terms

DMZ

The DMZ, which stands for Demilitarized Zone consists of the portions of a corporate network that are between the corporate intranet and the Internet. The DMZ can be a simple one segment LAN or it can be broken down into multiple regions. The main benefit of a properly configured

DMZ is better security: in the event of a security breach, only the area contained within the DMZ is exposed to potential damage, while the corporate intranet remains somewhat protected

Load Balancer

Load balancers distribute an application’s load over many identically configured servers. This distribution ensures consistent application availability even when one or more servers fail.

 Reverse Proxy

A reverse proxy server is an intermediate server that sits between a client and the actual web server and makes requests to the web server on behalf of the client. You can find more information on reverse proxy servers

Internal Applications Middle Tier

The internal applications middle tier is the server configured for internal users to access Oracle E-Business Suite. It runs the following major application services:

Web and Forms Services

Administration and Concurrent Manager Services

Reports and Discoverer Services

 External Applications Web Tier

The external applications web tier is the server configured for external users for accessing Oracle EBusiness Suite. It runs the following application service:

Web server

How to create DMZ for EBS  R12

(1) Create the External Web Tier With Reverse Proxy

Case A: A New server with Reverse Proxy

DMZ for EBS R12

Clone Application Tier to the New server

  1. Run adpreclone and Take backup of the Internal Web Tier
  2. Restore on External Web Tier
  3. Run adcfgclone appsTier and configure the external Node
See also  Oracle RAC interview Questions

Once this is completed, Change following in the context file

<TIER_DB oa_var="s_isDB">NO</TIER_DB>
<TIER_ADMIN oa_var="s_isAdmin">NO</TIER_ADMIN>
<TIER_WEB oa_var="s_isWeb">YES</TIER_WEB>
<TIER_FORMS oa_var="s_isForms">NO</TIER_FORMS>
<TIER_NODE oa_var="s_isConc">NO</TIER_NODE>
<TIER_FORMSDEV oa_var="s_isFormsDev">NO</TIER_FORMSDEV>
<TIER_NODEDEV oa_var="s_isConcDev">NO</TIER_NODEDEV>
<TIER_WEBDEV oa_var="s_isWebDev">YES</TIER_WEBDEV>

Change the following for Reverse proxy

Case B: Using the internal server as the external tier( Internal Server has extra NIC card) with reverse proxy

DMZ for EBS R12

This configuration requires your internal application middle tier server to have at least two network interfaces. One network interface is required for the external entry point and another for the internal entry point. These network interfaces must be configured to resolve to two different hostnames in the DNS.

For example:

/etc/hosts of Internal Server
192.30.21.1 int.tech.com int
192.30.21.2 ext.tech.com ext

Create the New Context file using the below command

$ perl $COMMON_TOP/clone/bin/adclonectx.pl \
contextfile=$CONTEXT_FILE \
outfile= <name of the output file including location>

Important parameter to be fed

Target System Hostname (virtual or normal) [int]:ext
Do you want the inputs to be validated (y/n) [n] ?:Y
Do you want to preserve the port values from the source system on the target system (y/n) [y] ?Y

Changes required once the context file is created

AutoConfig VariableRequired Value
s_isWebYES
s_isWebDevYES
s_http_listen_parameterNew Port for the http listener
s_https_listen_parameterNew Port for the https listener
s_webentryurlprotocolSet the value to the web entry protocol
s_webentryhostSet the value to the webentry host
s_webentrydomainSet the value to the webentry domain
s_active_webportSet the value to the active port
s_login_pageSet the value to point to the new webentry configuration
s_server_ip_addressSet the value of this variable to the IP address of the external facing network interface

(2)Stop Concurrent Manager and all the application nodes

(3) Instantiate the New Configuration Files and Profile Options Based on the New Context File

See also  How to rollback the patch after failed cutover phase in R12.2

The DMZ configuration requires the use of the new ServResp profile option hierarchy for the oracle profile options.  If you haven’t already done so, change the profile options hierarchy type to ServResp by executing the txkChangeProfH.sql SQL script as shown below:

$ sqlplus apps/apps @$FND_TOP/patch/115/sql/txkChangeProfH.sql SERVRESP
SQL*Plus: Release 10.1.0.5.0 - Production on Thu Sep 5 01:46:59 2016
Copyright (c) 1982, 2005, Oracle.  All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, Automatic Storage Management, OLAP, Data Mining and Real Application Testing options
Changing the hierarchy type for the  Profile APPS_WEB_AGENT
Profile APPS_WEB_AGENT hierarchy type has been successfully changed to SERVRESP
Changing the hierarchy type for the  Profile APPS_SERVLET_AGENT
Profile APPS_SERVLET_AGENT hierarchy type has been successfully changed to SERVRESP
Changing the hierarchy type for the  Profile APPS_JSP_AGENT
Profile APPS_JSP_AGENT hierarchy type has been successfully changed to SERVRESP
Changing the hierarchy type for the  Profile APPS_FRAMEWORK_AGENT
Profile APPS_FRAMEWORK_AGENT hierarchy type has been successfully changed to SERVRESP
Changing the hierarchy type for the  Profile ICX_FORMS_LAUNCHER
Profile ICX_FORMS_LAUNCHER hierarchy type has been successfully changed to SERVRESP
Changing the hierarchy type for the  Profile ICX_DISCOVERER_LAUNCHER
Profile ICX_DISCOVERER_LAUNCHER hierarchy type has been successfully changed to SERVRESP
Changing the hierarchy type for the  Profile ICX_DISCOVERER_VIEWER_LAUNCHER
Profile ICX_DISCOVERER_VIEWER_LAUNCHER hierarchy type has been successfully changed to SERVRESP
Changing the hierarchy type for the  Profile HELP_WEB_AGENT
Profile HELP_WEB_AGENT hierarchy type has been successfully changed to SERVRESP
Changing the hierarchy type for the  Profile APPS_PORTAL
Profile APPS_PORTAL hierarchy type has been successfully changed to SERVRESP
Changing the hierarchy type for the  Profile CZ_UIMGR_URL
Profile CZ_UIMGR_URL hierarchy type has been successfully changed to SERVRESP
Changing the hierarchy type for the  Profile QP_PRICING_ENGINE_URL
Profile QP_PRICING_ENGINE_URL hierarchy type has been successfully changed to SERVRESP
Changing the hierarchy type for the  Profile TCF:HOST
Profile TCF:HOST hierarchy type has been successfully changed to SERVRESP
Disconnected from Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, Automatic Storage Management, OLAP, Data Mining
and Real Application Testing options

(4) Run Autoconfig all the nodes including External nodes

See also  How to change/validate TDE Keystore Password

(5) Run Autoconfig  on the Primary internal Nodes

(6) Startup the Internal system

(7)  Update Node Trust Level

Set the NODE_TRUST_LEVEL profile option value on the external web tier in your Oracle E-business Suite Release 12 environment to External..

To change the value of the Node Trust Level profile option value to External for a particular node, perform the following steps:

  1. Login to Oracle E-Business Suite as sysadmin user using the internal URL
  2. Select the System Administrator Responsibility
  3. Select Profile / System
  4. From the ‘Find system profile option Values’ window, select the server that you want to designate as the external web tier
  5. Query for%NODE%TRUST%. You will see a profile option named ‘Node Trust Level‘. The value for this profile option at the site level will be Normal. Leave this setting unchanged.

Set the value of this profile option to External at the server level. The site level value should remain set to Normal

(8) Update Responsibilities List

After updating the server-level profile value for Node Trust Level for the external web tier(s) to External, users can no longer see any responsibilities when they login via the external web tier. In order for a responsibility to be available from the external E-Business Suite web tier, set the Responsibility Trust Level profile option value for that responsibility to External at the responsibility level.

Login to Oracle E-Business Suite as sysadmin user using the internal URL

  1. Select System Administrator Responsibility
  2. Select Profile / System
  3. From the ‘Find system profile option Values’ window, select the responsibility that you want to make available to users logging in via the external web tier
  4. Query for%RESP%TRUST%. You will see a profile option named ‘Responsibility trust level‘. The value for this profile option at site level will be Normal. Leave this setting unchanged.
  5. Set the value of this profile option for the chosen responsibility to External at the responsibility level. The site-level value should remain Normal.

Repeat for all responsibilities that you want to make available from the external web tier.

(9) Start the External Tier and validate the application

adopmnctl.sh start
adoafmctl.sh start
adformsctl.sh start
adoacorectl.sh start
adapcctl.sh start

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top