Tuesday, June 4, 2013

DMZ Configuration with 11i


A DMZ configuration refers to a Demilitarized Zone implementation of Oracle Applications. This kind of architecture is typically useful when you wish to open up your applications outside your corporate network or your militarized zone.


E-Business Suite 11.5.10.2 gives you various options, ranging from simple to more complex and tightly secured architectures, as relatively simple out-of-the-box solutions.


Typically, E-Business Suite supports the following topologies in a DMZ architecture:



  • Using Reverse Proxies in DMZ

  • Using Separate Oracle E-Business Suite 11i Web Tier in DMZ

  • Using HTTP Hardware Load Balancers in DMZ

  • Using Reverse Proxies only in DMZ


You can find more details on the supported methodologies for the DMZ architecture in the following Metalink note:

DMZ Configuration with Oracle E-Business Suite 11i


In the current post I will discuss a less complex case where we use an E-Business Suite application tier as the external tier for our DMZ architecture. The diagram below depicts this architecture in simplified form.



As discussed earlier, we will build a second application server for Oracle Applications using adclone, which will be used as the external application tier for the instance.


Current Configuration

Oracle Applications 11.5.10.2

Dual Node

Operating System Sun Solaris


DMZ Patches

Ensure the following patches have been applied on the instance before proceeding ahead.

3942483 An autoconfig patch to support your reverse proxy and DMZ configuration

5478710 An autoconfig template roll up.


Pre Clone

Shut down the application tier services and run adpreclone.pl on the application tier of your instance.

# su - applsam

$ cd samappl

$ . ./APPSORA.env

$ cd $COMMON_TOP/admin/scripts/SAM_SAMLXA

$ perl adpreclone.pl appsTier


Filesystem Copy

After that, copy the application tier filesystem across to the external tier machine:

$ tar -cf - applsam | ssh Node_B tar -xf - -C /u02/sam/


Post Clone on the External Tier

Now run the post-clone step (adcfgclone.pl) on the external tier and specify that it is a Web Server node only.

# su - applsam

$ cd samcomn/clone/bin

$ perl adcfgclone.pl appsTier


Run the txkChangeProfH.sql

Run the txkChangeProfH.sql script to update the default hierarchy of your profile options to server.

$ cd $FND_TOP/patch/115/sql/

$ sqlplus apps/xxxxxxxx  @txkChangeProfH.sql SERVRESP


Startup Services

Start up the application services on both the internal and external tiers and test the connectivity.


Verify the Nodes

Verify that the nodes have been registered as expected in the instance.

Navigate to

System Administrator->Install->Nodes


Update Node Trust Level

Update the node trust level for the node that you want to act as your external node.

Navigate to

System Administrator->Profile->System and query for ‘Node Trust Level’

Set it to external for the external node, at the server level only.


Update Responsibilities

After the node trust level is updated, users who come in through the external application server will see only those responsibilities that have been marked as external.

Navigate to

System Administrator->Profile->System and query for ‘Responsibility Trust Level’

Choose the responsibility that you want to mark as external; in my case it was iSupplier Registration.


Update Home Page Mode

Lastly update the home page mode to framework only.

Navigate to

System Administrator->Profile->System and query for ‘Self-Service Personal Home Page Mode’ and set it to framework only.


Autoconfig

Run autoconfig on both nodes and restart the application tier services.
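
Once the services are back up, the steps above can be audited from the database. The queries below are an added example, not part of the original post: they check the two prerequisite patches, show the trust level of each registered node, and list every responsibility that the external tier will expose. The internal profile names (NODE_TRUST_LEVEL, APPL_SERVER_TRUST_LEVEL), the level ids (10005 server, 10003 responsibility) and the value codes are assumptions not stated in the post; confirm them on your instance.

```sql
-- Added verification example, not from the original post. Run as APPS in SQL*Plus.
-- Assumed (not stated in the post): internal profile names, level ids, value codes.

-- 1. DMZ prerequisite patches: both bug numbers from the post should be listed.
SELECT bug_number, creation_date
FROM   ad_bugs
WHERE  bug_number IN ('3942483', '5478710');

-- 2. Node Trust Level per registered node (server level, assumed level_id 10005).
--    Assumed codes: 1 = Administrative, 2 = Normal, 3 = External.
--    Only the external web node should report 'External'.
SELECT n.node_name,
       NVL(DECODE(v.profile_option_value,
                  '1', 'Administrative',
                  '2', 'Normal',
                  '3', 'External',
                  v.profile_option_value),
           'not set at server level') AS node_trust_level
FROM   fnd_nodes n
LEFT JOIN (SELECT pv.level_value, pv.profile_option_value
           FROM   fnd_profile_options po
           JOIN   fnd_profile_option_values pv
                  ON  pv.profile_option_id = po.profile_option_id
                  AND pv.application_id    = po.application_id
           WHERE  po.profile_option_name = 'NODE_TRUST_LEVEL'
           AND    pv.level_id = 10005) v
       ON v.level_value = n.node_id
ORDER BY n.node_name;

-- 3. Responsibilities marked external (responsibility level, assumed level_id 10003).
--    Anything listed here is reachable from the external tier; review for
--    entries beyond the ones you intended to publish.
SELECT rt.responsibility_name
FROM   fnd_profile_options po
JOIN   fnd_profile_option_values pv
       ON  pv.profile_option_id = po.profile_option_id
       AND pv.application_id    = po.application_id
JOIN   fnd_responsibility_tl rt
       ON  rt.responsibility_id = pv.level_value
       AND rt.application_id    = pv.level_value_application_id
WHERE  po.profile_option_name   = 'APPL_SERVER_TRUST_LEVEL'
AND    pv.level_id              = 10003
AND    pv.profile_option_value  = '3'
AND    rt.language              = USERENV('LANG')
ORDER BY rt.responsibility_name;
```

Re-run the third query after any later profile change so the list of externally visible responsibilities stays limited to what was intended.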


