Oracle9i Application Server Release Notes
Release 2 (9.0.2) for Windows NT/2000

Part Number A90334-03
3 Management and Security Issues

This chapter summarizes management and security issues associated with Oracle9i Application Server. Topics include:

3.1 Management Issues

This section contains the following topics:

3.1.1 Clock Synchronization

Several Oracle9iAS components require the clocks on the machines on which they run to be synchronized. You can synchronize the clocks by running the Network Time Protocol (NTP) daemon on these machines. On Windows, you do this by using abouttime or similar software.

3.1.2 Use Port Option to Configure Loading Application

There are several ways to configure how to load an application.

3.1.3 Concurrent Administrative Operations on a Cluster Not Supported

Concurrent administrative operations on a cluster are not supported in Oracle9iAS Release 2 (9.0.2). Configuration information for clusters is stored in a central repository. All members of the cluster have access to this repository. This keeps configuration consistent across the cluster. Since the objects in the repository are shared across the cluster, concurrent write access to these objects is not allowed.

3.1.4 Directing Requests to OC4J Instances in Different Oracle Homes

This section describes how to direct requests to OC4J instances running on Oracle homes that are different from the one that first received the request. In other words, Oracle HTTP Server receives a request, then forwards it to an OC4J instance that belongs to a different Oracle home. In that Oracle home, OC4J instances are running, but Oracle HTTP Server may or may not be running. The Oracle homes can be installed on the same machine or different machines.

This scenario is different from clusters. In a cluster, all the Oracle9iAS instances are configured identically, and mod_oc4j sends requests to the instances in the cluster in a round-robin fashion. See the "Application Server Clustering" chapter in the Oracle9i Application Server Administrator's Guide for details on clustering.

In this scenario, the Oracle9iAS instances do not need to be the same type: they can be different mid-tier types and they can be configured differently. You can even direct requests between an infrastructure and a mid-tier type. See Section 3.1.4.3, "Directing Requests between Infrastructure and Mid-Tier" for details.

3.1.4.1 Requirements

For this to work, your environment must have the following characteristics:

3.1.4.2 General Procedure

The procedure for directing requests to another Oracle home is to edit the Oc4jConf directive in the ORACLE_HOME/Apache/Apache/conf/mod_oc4j.conf file. The directive maps URLs to OC4J instances.

By default, the directive directs requests to OC4J instances in the local Oracle home (the OC4J instances belong to the same host:port specified in the URL).

For example, the following lines route requests that begin with /webapp and /portal to the home and OC4J_Portal OC4J instances on the local Oracle9iAS instance, respectively:

Oc4jMount /webapp/* home
Oc4jMount /portal/* OC4J_Portal

To direct requests to an OC4J instance on another Oracle home, you prepend the name of the Oracle9iAS instance to the OC4J instance name, and you use the keyword "instance".

Syntax:

Oc4jMount url instance://ias_instance_name1:oc4j_instance_name [,
ias_instance_name2:oc4j_instance_name, ...]

Oc4jMount url cluster://cluster_name1:oc4j_instance_name [,
cluster_name2:oc4j_instance_name, ...]

where:

3.1.4.2.1 Non-Clustered Example

For example, the following lines direct the requests to instances on an Oracle9iAS instance called "pw.machine2.us.oracle.com". The instances are running on a machine called "machine2.us.oracle.com".

Oc4jMount /webapp/* instance://pw.machine2.us.oracle.com:home
Oc4jMount /portal/* instance://pw.machine2.us.oracle.com:OC4J_Portal

The syntax allows you to specify more than one instance to which to direct the requests. You separate the instances with the comma character. For example, the following line directs /portal/* requests to the OC4J_Portal instance running on machine2 and machine3 (all on one line):

Oc4jMount /portal/* instance://pw.machine2.us.oracle.com:OC4J_Portal,
pw.machine3.us.oracle.com:OC4J_Portal

In the example above, the pw.machine2.us.oracle.com and the pw.machine3.us.oracle.com Oracle9iAS instances do not need to be the same install type, but they do need to be running the OC4J_Portal instance.

3.1.4.2.2 Clustered Example

The syntax also allows you to direct requests to clusters. Oracle HTTP Server distributes the requests to the Oracle9iAS instances in the cluster.

The following example directs requests to OC4J_Portal instances in Oracle9iAS instances in the forms_cluster cluster.

Oc4jMount /portal/* cluster://forms_cluster:OC4J_Portal

3.1.4.3 Directing Requests between Infrastructure and Mid-Tier

A specific situation where you might want to redirect requests is where you have installed the Oracle9iAS infrastructure and a mid-tier install type on the same machine, but in different Oracle homes. You have Oracle HTTP Server processes running from both Oracle homes; they listen at different port numbers. Figure 3-1 shows such a situation: a machine, called machine1, has two Oracle homes. The infrastructure Oracle HTTP Server listens at port 7777, and the mid-tier Oracle HTTP Server listens at port 7780.

Figure 3-1 Original configuration


You now want to reduce the number of Oracle HTTP Server processes. One way of doing this is to configure Oracle HTTP Server running on one Oracle home (infrastructure's or mid-tier's) so that it can be the front-end to the other Oracle home. Two scenarios are possible:

In both scenarios, the Oracle9iAS instances are different (infrastructure and mid-tier installation types) and thus cannot be clustered together.

The following table lists the advantages and disadvantages of consolidating Oracle HTTP Servers:

Table 3-1 Advantages and disadvantages of consolidating Oracle HTTP Servers

Advantages:

  • Only one Oracle HTTP Server to configure

  • Fewer processes on the machine

  • Fewer ports to open for the firewall

  • Only one certificate needed for SSL

Disadvantages:

  • If Oracle HTTP Server goes down for any reason, URLs on both mid-tier and infrastructure become unavailable because that is your only HTTP Server.

  • If you set up the mid-tier to be the front-end to the infrastructure (that is, you shut down the infrastructure Oracle HTTP Server), some infrastructure services (such as SSO) become unavailable.

3.1.4.4 Directing Requests through the Infrastructure

In this scenario (Figure 3-2), you shut down the Oracle HTTP Server running on the mid-tier. All requests go through the Oracle HTTP Server running on the infrastructure Oracle home.

Figure 3-2 Using only the infrastructure Oracle HTTP Server


To enable the infrastructure Oracle HTTP Server to handle these requests, you have to do the following step:

To configure the mod_oc4j.conf file on the infrastructure:

  1. Make a copy of the infrastructure mod_oc4j.conf file, so that you have a backup.

  2. Copy the Oc4jMount lines from the mid-tier mod_oc4j.conf to the infrastructure mod_oc4j.conf.

    Note that there are some lines that are the same in both the infrastructure and mid-tier files. Do not copy these lines from the mid-tier file (that is, use the lines already in the infrastructure file).

    The list below shows the lines in the mid-tier mod_oc4j.conf file.


    Note:

    Your list of Oc4jMount directives might not exactly match the list shown here. The exact contents depend on the mid-tier installation type. Bigger installation types, such as Business Intelligence and Forms, have more directives than other installation types. You just need the ones that you see in your mod_oc4j.conf file.


    Oc4jMount /j2ee/*                             # do not copy; already in the infrastructure file
    Oc4jMount /wwcp           OC4J_Wireless
    Oc4jMount /wwcp/*         OC4J_Wireless
    Oc4jMount /modules        OC4J_Wireless
    Oc4jMount /modules/*      OC4J_Wireless
    Oc4jMount /push           OC4J_Wireless
    Oc4jMount /push/*         OC4J_Wireless
    Oc4jMount /async          OC4J_Wireless
    Oc4jMount /async/*        OC4J_Wireless
    Oc4jMount /ptg            OC4J_Wireless
    Oc4jMount /ptg/*          OC4J_Wireless
    Oc4jMount /jocdemo        OC4J_Demos          # do not copy; already in the infrastructure file
    Oc4jMount /jocdemo/*      OC4J_Demos          # do not copy; already in the infrastructure file
    Oc4jMount /ojspdemos      OC4J_Demos
    Oc4jMount /ojspdemos/*    OC4J_Demos
    Oc4jMount /repdemo        OC4J_Demos
    Oc4jMount /repdemo/*      OC4J_Demos
    Oc4jMount /bmp            OC4J_Demos
    Oc4jMount /bmp/*          OC4J_Demos
    Oc4jMount /callerInfo     OC4J_Demos
    Oc4jMount /callerInfo/*   OC4J_Demos
    Oc4jMount /onlineorders   OC4J_Demos          # do not copy; already in the infrastructure file
    Oc4jMount /onlineorders/* OC4J_Demos          # do not copy; already in the infrastructure file
    Oc4jMount /webapp         home                # do not copy; already in the infrastructure file
    Oc4jMount /webapp/*       home                # do not copy; already in the infrastructure file
    Oc4jMount /cabo           home                # do not copy; already in the infrastructure file
    Oc4jMount /cabo/*         home                # do not copy; already in the infrastructure file
    Oc4jMount /studio                  OC4J_Portal
    Oc4jMount /studio/*                OC4J_Portal
    Oc4jMount /jpdk                    OC4J_Portal
    Oc4jMount /jpdk/*                  OC4J_Portal
    Oc4jMount /syndserver              OC4J_Portal
    Oc4jMount /syndserver/*            OC4J_Portal
    Oc4jMount /ultrasearch/query       OC4J_Portal
    Oc4jMount /ultrasearch/query/*     OC4J_Portal
    Oc4jMount /customization           OC4J_Portal
    Oc4jMount /customization/*         OC4J_Portal
    Oc4jMount /webtool                 OC4J_Portal
    Oc4jMount /webtool/*               OC4J_Portal
    Oc4jMount /wcp                     OC4J_Portal
    Oc4jMount /wcp/*                   OC4J_Portal
    Oc4jMount /ultrasearch/admin       OC4J_Portal
    Oc4jMount /ultrasearch/admin/*     OC4J_Portal
    Oc4jMount /ultrasearch/admin_sso   OC4J_Portal
    Oc4jMount /ultrasearch/admin_sso/* OC4J_Portal
    Oc4jMount /uddi                    OC4J_Portal
    Oc4jMount /uddi/*                  OC4J_Portal
    Oc4jMount /provider/ultrasearch    OC4J_Portal
    Oc4jMount /provider/ultrasearch/*  OC4J_Portal
    Oc4jMount /portal                  OC4J_Portal
    Oc4jMount /portal/*                OC4J_Portal
    Oc4jMount /examples                OC4J_Portal
    Oc4jMount /examples/*              OC4J_Portal
    Oc4jMount /OP                      OC4J_BI_Forms
    Oc4jMount /OP/*                    OC4J_BI_Forms
    Oc4jMount /reports                 OC4J_BI_Forms
    Oc4jMount /reports/*               OC4J_BI_Forms
    Oc4jMount /click                   OC4J_BI_Forms
    Oc4jMount /click/*                 OC4J_BI_Forms
    Oc4jMount /discoverer              OC4J_BI_Forms
    Oc4jMount /discoverer/*            OC4J_BI_Forms
    
    
  3. Edit the lines in the infrastructure mod_oc4j.conf file so that they contain the "instance://" keyword and the name of the mid-tier instance.

    Table 3-2 shows an example of how the lines would look in the infrastructure mod_oc4j.conf. In the table, ias_mid_tier_instance_name refers to the name of your mid-tier instance. Note that the table shows only a sample of two lines; you need to edit the rest of the lines that you copied.

    Table 3-2 mod_oc4j.conf

    Lines in mid-tier mod_oc4j.conf (sample):

    Oc4jMount /wwcp   OC4J_Wireless
    Oc4jMount /wwcp/* OC4J_Wireless

    Edited lines in infrastructure mod_oc4j.conf (sample):

    Oc4jMount /wwcp    instance://ias_mid_tier_instance_name:OC4J_Wireless
    Oc4jMount /wwcp/*  instance://ias_mid_tier_instance_name:OC4J_Wireless
    

    You can edit the mod_oc4j.conf file using OEM or a text editor. See Section 3.1.4.9, "Editing the mod_oc4j.conf File" for details. If you use a text editor to edit mod_oc4j.conf, you must run "dcmctl updateConfig" and restart Oracle HTTP Server after you edit the file.

  4. Start up the OC4J_Demos and home OC4J instances on the infrastructure. By default, these OC4J instances are not started up in the infrastructure. You can start them up using dcmctl or OEM.

3.1.4.5 Directing Requests through the Mid-Tier

Figure 3-3 shows a configuration where the infrastructure Oracle HTTP Server goes away, and all requests go through the mid-tier Oracle HTTP Server.


Note:

This scenario is recommended only for J2EE and Web Cache mid-tier installation types and only if you do not use SSO in any way. Some components, such as SSO, cannot work without the infrastructure Oracle HTTP Server. This means that if you use components that use SSO, you cannot use this scenario. This includes Portal, Wireless, and DAS. If you are directing requests between infrastructure and mid-tier, it is recommended that you direct them the other way (through the infrastructure Oracle HTTP Server instead of through the mid-tier Oracle HTTP Server).


Figure 3-3 Using only the mid-tier Oracle HTTP Server


You have to configure Oracle HTTP Server on the mid-tier to handle requests that used to be handled by the infrastructure Oracle HTTP Server. This involves:

To configure the mid-tier mod_oc4j.conf file:

  1. Make a copy of the mid-tier mod_oc4j.conf file, so that you have a backup.

  2. Copy the Oc4jMount lines from the infrastructure mod_oc4j.conf to the mid-tier mod_oc4j.conf.

    Note that there are some lines that are the same in both the infrastructure and mid-tier files. Do not copy these lines from the infrastructure file (that is, use the lines already in the mid-tier file). The only lines that you need to copy are the /oiddas lines.

    The list below shows the lines in the infrastructure mod_oc4j.conf file.

    Oc4jMount /j2ee/*                             # do not copy; already in the mid-tier file
    Oc4jMount /jocdemo        OC4J_Demos          # do not copy; already in the mid-tier file
    Oc4jMount /jocdemo/*      OC4J_Demos          # do not copy; already in the mid-tier file
    Oc4jMount /onlineorders   OC4J_Demos          # do not copy; already in the mid-tier file
    Oc4jMount /onlineorders/* OC4J_Demos          # do not copy; already in the mid-tier file
    Oc4jMount /webapp         home                # do not copy; already in the mid-tier file
    Oc4jMount /webapp/*       home                # do not copy; already in the mid-tier file
    Oc4jMount /cabo           home                # do not copy; already in the mid-tier file
    Oc4jMount /cabo/*         home                # do not copy; already in the mid-tier file
    Oc4jMount /oiddas         OC4J_DAS
    Oc4jMount /oiddas/*       OC4J_DAS
    
    
  3. Edit the lines in the mid-tier mod_oc4j.conf file so that they contain the "instance://" keyword and the name of the infrastructure instance, as shown in Table 3-3.

    In the table, ias_infra_instance_name refers to the name of the infrastructure instance.

    Table 3-3 mod_oc4j.conf when directing requests to the mid-tier Oracle home

    Copy from: Infrastructure mod_oc4j.conf

    Oc4jMount /oiddas   OC4J_DAS
    Oc4jMount /oiddas/* OC4J_DAS

    To: Mid-Tier mod_oc4j.conf

    Oc4jMount /oiddas   instance://ias_infra_instance_name:OC4J_DAS
    Oc4jMount /oiddas/* instance://ias_infra_instance_name:OC4J_DAS
    

    You can edit the mod_oc4j.conf file using Enterprise Manager or a text editor. See Section 3.1.4.9, "Editing the mod_oc4j.conf File" for details.


    Note:

    If you use a text editor to edit mod_oc4j.conf, you must run "dcmctl updateConfig" and restart Oracle HTTP Server after you edit the file.
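
Steps 2 and 3 of the procedures in Sections 3.1.4.4 and 3.1.4.5 (copy only the Oc4jMount lines the front-end file lacks, then prefix them with "instance://") can be scripted. The following Python is an added example, not Oracle tooling: the function names are hypothetical, the two file excerpts are constructed from the lists above, and the conflict report (same URL, different OC4J instance in the two files) is an added check for review before you change what the single front-end exposes.

```python
"""Build the Oc4jMount lines a front-end mod_oc4j.conf needs in order to
serve the URLs of another Oracle home (added example, not Oracle tooling)."""

def parse_mounts(conf_text):
    """Return {url: destination} for each Oc4jMount line, in file order.
    A line with no destination (such as /j2ee/* above) maps to ""."""
    mounts = {}
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # drop trailing comment
        if len(tokens) >= 2 and tokens[0].lower() == "oc4jmount":
            # Join so "instance://a:x, b:x" survives the space after the comma.
            mounts[tokens[1]] = "".join(tokens[2:])
    return mounts

def redirect_mounts(front_conf, back_conf, back_instance):
    """Return (new_lines, conflicts) for the front-end file.

    new_lines: directives to add, rewritten to instance://back_instance:...
    conflicts: (url, front_dest, back_dest) where both files mount the URL
               but on different OC4J instances; these need manual review.
    """
    front = parse_mounts(front_conf)
    new_lines, conflicts = [], []
    for url, dest in parse_mounts(back_conf).items():
        if url in front:                           # "do not copy" case
            if front[url] != dest:
                conflicts.append((url, front[url], dest))
            continue
        if not dest or "://" in dest:              # nothing local to prefix
            new_lines.append(f"Oc4jMount {url} {dest}".rstrip())
        else:
            new_lines.append(
                f"Oc4jMount {url} instance://{back_instance}:{dest}")
    return new_lines, conflicts

# Constructed excerpts based on the lists in Sections 3.1.4.4 and 3.1.4.5.
MID_TIER_CONF = """\
Oc4jMount /j2ee/*
Oc4jMount /wwcp           OC4J_Wireless
Oc4jMount /wwcp/*         OC4J_Wireless
Oc4jMount /jocdemo        OC4J_Demos
Oc4jMount /webapp/*       home
"""
INFRA_CONF = """\
Oc4jMount /j2ee/*
Oc4jMount /jocdemo        OC4J_Demos
Oc4jMount /webapp/*       home
Oc4jMount /oiddas         OC4J_DAS
Oc4jMount /oiddas/*       OC4J_DAS
"""

if __name__ == "__main__":
    # Scenario of Section 3.1.4.4: infrastructure is the front-end.
    lines, conflicts = redirect_mounts(
        INFRA_CONF, MID_TIER_CONF, "ias_mid_tier_instance_name")
    print("\n".join(lines))
    for url, front_dest, back_dest in conflicts:
        print(f"# REVIEW {url}: front-end={front_dest} other={back_dest}")
```

Swap the first two arguments and pass the infrastructure instance name to produce the lines for Section 3.1.4.5. After adding the generated lines with a text editor, run "dcmctl updateConfig" and restart Oracle HTTP Server as described in the notes.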


3.1.4.6 Determining Oracle9iAS Instance Names

You can determine the name of an Oracle9iAS instance by running the dcmctl command with the whichInstance option:

prompt> dcmctl whichInstance
doctest_j2ee.machine1.us.oracle.com

The instance name contains the host name, including the domain name.

dcmctl is in ORACLE_HOME/dcm/bin. If you have multiple Oracle homes on the same machine, run the command from the appropriate ORACLE_HOME.

For example, to route requests from the mid-tier to infrastructure OC4J instances (scenario 2), you need the name of the infrastructure instance.

prompt> cd INFRASTRUCTURE_ORACLE_HOME
prompt> cd dcm/bin
prompt> ./dcmctl whichInstance
doctest_infra.machine1.us.oracle.com

3.1.4.7 Determining OC4J Instance Names

You can determine the names of installed OC4J instances on a machine by running the dcmctl command with the listComponents option on that machine:

prompt> dcmctl listComponents
HTTP Server
OC4J_BI_Forms
OC4J_Demos
OC4J_Portal
OC4J_Wireless
home

The command returns the names of Oracle HTTP Server instances as well. You can determine the type of a component by running the dcmctl command with the getComponentType option:

prompt> dcmctl getComponentType -co home
oc4j
prompt> dcmctl getComponentType -co "HTTP Server"
ohs

To route requests from the mid-tier to the infrastructure OC4J instances (scenario 2), you need the OC4J_DAS instance on the infrastructure.

3.1.4.8 Determining Cluster Names

You can determine the names of clusters by running the dcmctl command with the listClusters option.

prompt> dcmctl listClusters
forms_cluster

3.1.4.9 Editing the mod_oc4j.conf File

You can edit the ORACLE_HOME/Apache/Apache/conf/mod_oc4j.conf file using a text editor or Enterprise Manager.


Note:

If you use a text editor to edit mod_oc4j.conf, you need to run dcmctl with the updateConfig option to sync the changes with the DCM repository. Then you have to restart Oracle HTTP Server so that it can read the updated file.


To edit the mod_oc4j.conf file using Enterprise Manager:

  1. Navigate to the Enterprise Manager Web site:

    http://host:1810/
    
    

    where host specifies the machine running Enterprise Manager. The default port is 1810.

  2. On the Farm page, click the name of the mid-tier instance.

  3. On the mid-tier instance home page, click HTTP Server in the System Components table.

  4. On the HTTP Server page, click Advanced Server Properties in the Administration section.

  5. On the Advanced Server Properties page, click mod_oc4j.conf.

    This displays the "Edit mod_oc4j.conf" page.

  6. Make your changes to the file.

  7. Click Apply.

  8. Click Yes when prompted to restart HTTP Server.

To edit the mod_oc4j.conf file using a text editor:

  1. Change directory to ORACLE_HOME/Apache/Apache/conf.

    prompt> cd ORACLE_HOME/Apache/Apache/conf
    
    
  2. Make your changes to the file using a text editor.

  3. Run dcmctl with the updateConfig parameter.

    prompt> cd ORACLE_HOME/dcm/bin
    prompt> ./dcmctl updateConfig
    
    
  4. Restart Oracle HTTP Server.

    prompt> ./dcmctl restart -ct ohs
    
    

3.2 Security Issues

The following are known issues associated with Oracle9iAS security.

3.2.1 Avoid Adding User Certificates to Trustpoints or Trusted Certificate Lists

If a wallet contains a user certificate as a trustpoint for a server, then a core dump occurs when the user connects to the server.

Oracle Corporation recommends not adding user certificates to trustpoints or trusted certificate lists in the Oracle wallet. Instead, install the certificate authority (CA) signers' certificate as a trustpoint.


Copyright © 2002 Oracle Corporation.

All Rights Reserved.