Firewall Considerations: Opening the Right Ports
4-4 Advanced Topologies for Enterprise Deployments
to the default ports section of the Oracle Application Server 10g Administrator’s
Guide.
Firewall Stateful Inspection (FSI) is not used between the DMZ, mid-tiers, and infrastructure;
Oracle recommends that FSI be used on the external Internet interface.
For information about configuring and managing firewalls, see your administrator or
the documentation for your firewall implementation.
4.2.1 mod_oc4j and OC4J in Different Tiers and Across Firewalls
mod_oc4j is located within Oracle HTTP Server and (1) identifies the requests it needs
to act on, (2) determines which OC4J to route those requests to, and (3) communicates
with that process. mod_oc4j now extracts the relevant parameters (for example, SSL
information and certain environment variables) and forwards them to OC4J using the
AJP13 protocol.
mod_oc4j analyzes the response from OC4J and takes the appropriate action, for
example, when a Single Sign-On redirect is required.
By default, OPMN processes on all Oracle Application Server instances in the farm
notify each other of the up/down status of OC4J within their instance. In turn, every
OPMN also notifies its local mod_oc4j of changes in the OC4J status on all machines
within the cluster. This allows mod_oc4j to keep its routing table updated, without any
intervention from an administrator.
4.2.2 Opening the Right Ports for mod_oc4j
As a security practice, you can place mod_oc4j in one tier (usually a DMZ tier) and
have it communicate with OC4J processes that are located in another tier (usually
another DMZ tier). Since mod_oc4j uses AJP to communicate with the OC4J instances,
it is important to have the correct ports opened for both AJP and OPMN.
For more information about OC4J architecture, see the whitepaper Oracle9i
Application Server: mod_oc4j Technical Overview at
http://otn.oracle.com/products/ias/ohs/collateral/r2/mod_oc4j_wp.pdf.
4.2.3 Configuring iASPT
The Application Server 10g Port Tunneling (iASPT) feature reduces the number of
ports required to communicate with multiple OC4J processes to one. The iASPT process
acts as a communication concentrator for connections between Oracle HTTP Server
(OHS) and the Java virtual machine (JVM). OHS does not connect directly to the
servlet engines; instead, OHS connects to an iASPT, which then forwards the
communication on to the servlet engine. Each iASPT routes requests to multiple servlet
engines. Because the connections are concentrated in this way, you are only required to
open one port per iASPT process on the internal DMZ firewall rather than one port per
OC4J container.
As part of configuring iASPT, you need to tell iASPT where mod_oc4j lives and where
the OC4J containers are. There are several directives to add to the mod_oc4j
configuration, such as the wallet files and their passwords. On the server containing
the target OC4J instance, you need to configure opmn.xml, set the iASPT status to
enabled, and specify the port or range of ports to use. Finally, modify iaspt.conf and
verify that it contains the correct wallet location and port information.
For complete information on configuring iASPT, see Chapter 10 of Oracle HTTP Server
Administrator’s Guide.
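The port-concentration argument of sections 4.2.2 and 4.2.3 can be checked against an actual firewall rule set. The following added example (not Oracle's code or tooling) models the mod_oc4j tier, the OC4J tier and an optional iASPT per OC4J host, derives the allow-list the internal DMZ firewall needs in each case, and flags rules that are missing or no longer justified; every host name and port number in it is a constructed placeholder, not a product default.

```python
"""Derive the internal DMZ firewall allow-list for the mod_oc4j -> OC4J path,
with and without iASPT, and audit a configured rule set against it.
Added illustration; hosts and ports are constructed placeholders."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    src: str                            # tier/host allowed to open the connection
    dst: str                            # host that accepts it
    port: int                           # TCP destination port
    purpose: str = field(compare=False) # label only; not part of rule identity

@dataclass
class Topology:
    ohs_host: str                       # Oracle HTTP Server / mod_oc4j tier
    oc4j: dict[str, list[int]]          # OC4J host -> one AJP port per container
    opmn_remote_port: int               # OPMN-to-OPMN status notification port
    iaspt: dict[str, int] = field(default_factory=dict)  # iASPT host -> its one port

def required_rules(topo: Topology) -> set[Rule]:
    """Without iASPT: one AJP rule per OC4J container.  With iASPT: one rule per
    iASPT process.  OPMN notification is needed either way so mod_oc4j's routing
    table stays current without administrator intervention."""
    rules = set()
    if topo.iaspt:
        for host, port in topo.iaspt.items():
            rules.add(Rule(topo.ohs_host, host, port, "AJP via iASPT"))
    else:
        for host, ports in topo.oc4j.items():
            for p in ports:
                rules.add(Rule(topo.ohs_host, host, p, "AJP direct"))
    for host in topo.oc4j:  # OPMN processes notify each other in both directions
        rules.add(Rule(topo.ohs_host, host, topo.opmn_remote_port, "OPMN notification"))
        rules.add(Rule(host, topo.ohs_host, topo.opmn_remote_port, "OPMN notification"))
    return rules

def audit(topo: Topology, configured: set[Rule]) -> tuple[set[Rule], set[Rule]]:
    """Return (missing, excess): needed-but-absent rules and unjustified rules."""
    need = required_rules(topo)
    return need - configured, configured - need

# Constructed sample: two OC4J hosts, three containers each, then the same
# hosts fronted by one iASPT process apiece.
SAMPLE = Topology("ohs-dmz", {"oc4j-a": [3301, 3302, 3303],
                              "oc4j-b": [3301, 3302, 3303]}, 6200)
TUNNELED = Topology("ohs-dmz", SAMPLE.oc4j, 6200,
                    iaspt={"oc4j-a": 7501, "oc4j-b": 7501})

def ajp_rule_count(topo: Topology) -> int:
    """Number of AJP-carrying ports the internal firewall must open."""
    return sum(1 for r in required_rules(topo) if r.purpose.startswith("AJP"))
```

Running audit() with a rule set left over from the direct-AJP layout after enabling iASPT lists the now-unneeded per-container AJP openings as excess, which is the check to run when retiring the old rules.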