287176.1 - Oracle Applications 11i DMZ Configuration document
=============================================================
Security is becoming increasingly important as more and more Internet-accessible
applications are developed and deployed. Internet-accessible sites must now
defend themselves against attackers whom they have little chance of locating or
punishing. These sites must therefore deploy firewalls, reverse proxy servers,
and other landing servers to defend against determined attacks by highly skilled
and knowledgeable people. In addition to enhanced security requirements,
Internet-accessible applications often need to conform to higher scalability and
availability requirements, as they may be accessed by users 24x7 from different
parts of the globe.

When configuring Oracle E-Business Suite in a DMZ configuration, firewalls are
deployed at various levels, as shown in Figure F2, to ensure that only the
traffic that the architecture expects is allowed to cross the firewall
boundaries. The firewalls ensure that if intrusion attempts against machines in
the DMZ are successful, the intrusion is contained within the DMZ and the
machines in the intranet are not affected.

To make Oracle E-Business Suite modules as secure as possible, the following
tasks may need to be performed:
- Use a separate web node for external usage
- Set server-level profile values
- Associate trust levels with application middle-tier nodes
- Mark a subset of responsibilities as available on an external web node
- Deploy a reverse proxy in front of the external web node
- Configure a URL firewall and mod_security in the reverse proxy
- Run only the required Oracle E-Business Suite application services on the
  external web tier

The DMZ, which stands for DeMilitarized Zone, consists of the portions of a
corporate network that are between the corporate intranet and the Internet. The
DMZ can be a simple one-segment LAN, or it can be broken down into multiple
regions as shown in Figure F2. The main benefit of a properly configured DMZ is
better security: in the event of a security breach, only the area contained
within the DMZ is exposed to potential damage, while the corporate intranet
remains somewhat protected.
Configuring Oracle E-Business Suite 11i in DMZ
===============================================
Update Node Trust Level
-------------------------
Currently, three trust levels are supported:

Administrative
Servers marked as Administrative are typically those used exclusively by system
administrators. These servers are considered secure and provide access to any
and all E-Business Suite functions.

Normal
Servers marked as Normal are those used by employees within a company's
firewall. Users logging in from Normal servers have access to only a limited set
of responsibilities.

External
Servers marked as External are those used by customers or employees outside of
a company's firewall. These servers have access to an even smaller set of
responsibilities.

The default value of this profile option for all E-Business Suite middle tiers
is Normal. Identify the external web tier in your Oracle E-Business Suite 11i
environment and set the NODE_TRUST_LEVEL profile option value at the server
level to External.
Update List of Responsibilities
--------------------------------
For each responsibility that is to be used via the external site, change the
value of the Responsibility Trust Level profile option at the responsibility
level to External.

Update Home Page Mode to Framework
-----------------------------------
The new Oracle E-Business Suite 11i Home page, based on the Oracle Applications
Framework architecture, is required for the deployment of Oracle E-Business
Suite in a DMZ configuration. To enable this, apply the required patches
mentioned in Section 4 and set the self-service personal home page mode to
"Framework Only" as shown in the diagram below.

Configuration Details for Using Reverse Proxies in DMZ
--------------------------------------------------------
- Set the webentry point, s_webentryhost, to the reverse proxy server.
- Set the webentry domain, s_webentrydomain, to the domain name of the reverse
  proxy server.
- Set the active webport, s_active_webport, to the port on which the reverse
  proxy server listens for client requests, for example port 80 for HTTP or 443
  for HTTPS.
- Set the webentry protocol, s_webentryurlprotocol, to the protocol value the
  clients use to access the reverse proxy server.
- Set the login page, s_login_page, to <protocol>://<host>.<domain>:<port>,
  replacing <protocol>, <host>, <domain> and <port> with the webentry protocol,
  webentry host, webentry domain and active web port set above.

Configuring the URL Firewall
-----------------------------
The purpose of the URL Firewall is to ensure that only the URLs required for the
externally exposed functionality can be accessed from the Internet. The URL
firewall is implemented as a whitelist of the required URLs; any URL request
that does not match the whitelist is refused. This limits the exposure of your
Oracle E-Business Suite deployment by reducing the attack surface available to
external parties.

To implement the URL Firewall configuration on the reverse proxy server, copy
url_fw.conf from $IAS_CONFIG_HOME/Apache/Apache/conf/url_fw.conf on the
external middle tier to the reverse proxy host.
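The whitelist shape described above, written as an added Apache mod_rewrite example for the reverse proxy; this is not Oracle's shipped url_fw.conf, and the allowed paths are illustrative placeholders chosen for this example, not the set Oracle's file permits.

```apache
# Added example (not Oracle's url_fw.conf): a default-deny URL whitelist on the
# reverse proxy. Explicit allow rules come first; the final rule refuses
# everything that no allow rule stopped.
RewriteEngine On

# Allowed URLs. Anchor every pattern with ^ and $ so a rule matches exactly one
# path rather than any URL that merely contains that string. The paths below
# are illustrative placeholders for this example.
RewriteRule ^/OA_HTML/AppsLogin$  - [L]
RewriteRule ^/OA_HTML/OA\.jsp$    - [L]

# Static content the allowed pages need: restricted to one directory, one path
# level (no / in the file name part) and a fixed set of extensions, so the rule
# cannot be used to reach arbitrary files under the document root.
RewriteRule ^/OA_HTML/cabo/[^/]+\.(gif|png|css|js)$ - [L]

# Default deny: any request not stopped by an [L] rule above is refused with
# 403 Forbidden. This rule must stay last; a later allow rule is never reached.
RewriteRule .* - [F]
```

RewriteRule patterns match the URL path only, so anything that must be restricted in the query string needs a separate RewriteCond on %{QUERY_STRING}; patterns are also case-sensitive unless [NC] is added, which should be decided deliberately and applied consistently across the file.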