DMZ Configuration with 11i
DMZ Configuration with 11i
A DMZ configuration refers to a Demilitarized Zone implementation of Oracle Applications. This kind of architecture is typically usefully when you wish to open up your applications outside your corporate network or your militarized zone.
The ebusiness suite 11.5.10.2 allows you to have various options ranging from the simple one to the more complex and tightly secure architectures in a relatively simple out of the box solutions.
Typically Ebusiness Suite supports the following topologies in a DMZ architecture
- Using Reverse Proxies in DMZ
- Using Separate Oracle E-Business Suite 11i Web Tier in DMZ
- Using HTTP Hardware Load Balancers in DMZ
- Using Reverse Proxies only in DMZ
You can find more details on the supported methodologies with the DMZ architecture in the following metalink note
DMZ Configuration with Oracle E-Business Suite 11i
In the current post i will discuss on a less complex case where we are using an ebusiness suite application tier as the external tier for our DMZ architecture. The below diagram depicts this architecture in simplistic form.
As discussed earlier we will build a second application server for Oracle Applications using adclone which will be used as the external application for the instance.
Current Configuration
Oracle Applications 11.5.10.2
Dual Node
Operating System Sun Solaris
DMZ Patches
Ensure the following patches have been applied on the instance before proceeding ahead.
3942483 An autoconfig patch to suport your reverse proxy and DMZ configuration
5478710 An autoconfig template roll up.
Pre Clone
Shutdown the application tier services and run adpreclone.pl on the application tier of your instance.
#su - applsam
$cd samappl
$. ./APPSORA.env
$cd $COMMON_TOP/admin/scripts/SAM_SAMLXA
$perl adpreclone.pl appsTier
Filesystem Copy
After that copy across the application tier filesystem to the machine
tar -cf - applsam | ssh Node_B tar -xf - -C /u02/sam/
Post Clone on the External Tier
Now you must run your post clone (adcfgclone.pl) on the external tier and specify that it is your Web Server node only
# su - applsam
$ cd samcomn/clone/bin
$ perl adcfgclone.pl appsTier
Run the txkChangeProfH.sql
Run the txkChangeProfH.sql script to update your profile options default hirerchy to server
$ cd $FND_TOP/patch/115/sql/
$ sqlplus apps/xxxxxxxx @txkChangeProfH.sql SERVRESP
Startup Services
Startup the application services both on the internal and external tier and test the connectivity.
Verify the Nodes
Verify that the nodes have been registered as expected in the instance.
Navigate to
System Administrator->Install->Nodes
Update Node Trust Level
Update the node trust level by identifying the node which you want to be as your external node.
Navigate to
System Administrator->Profile->System and query for 'Node Trust Level'
Set it as external for the external node at the server level only.
Update Responsibilities
After updating the node trust level the user who come in from the external application server will be able to see only those responsibilities that have been marked as external.
Navigate to
System Administrator->Profile->System and query for 'Responsibility Trust Level'
Choose the responsibility that you want to be as external, in my case it was Isupplier Registration.
Update Home Page Mode
Lastly update the home page mode to framework only.
Navigate to
System Administrator->Profile->System and query for 'Self-Service Personal Home Page Mode' and set it to framework only.
Autoconfig
Run autoconfig on both the nodes and restart the application tier services.
