Using HAProxy As A TLS Termination Point For Oracle E-Business Suite Release 12.1.3
Using HAProxy as a TLS Termination Point for Oracle E-Business Suite Release 12.1.3 (Doc ID 2012639.1)

This knowledge document describes how to use HAProxy as a TLS termination point in front of Oracle E-Business Suite Release 12.1.3.

The most current version of this document can be obtained in My Oracle Support Knowledge Document 2012639.1.
In This Document

    Section 1: Introduction
    Section 2: Who Can Use This Note
    Section 3: Installing HAProxy
    Section 4: Configuring HAProxy
    Section 5: Starting HAProxy
    Section 6: Configuring Oracle E-Business Suite for Use with HAProxy
    Section 7: Obtaining a Certificate for HAProxy
    Section 8: References

There is a change log at the end of this document.
Section 1: Introduction

There are many types of reverse proxies that can be used as a TLS termination point in front of Oracle E-Business Suite Release 12.1.3. This document describes how to use HAProxy version 1.5.12 and later on Oracle Linux 6 as the TLS termination point for the Oracle HTTP Server (OHS) deployed with Oracle E-Business Suite 12.1.3. A TLS termination point is the endpoint for an encrypted connection that is initiated by a client (for example, a browser).

HAProxy can provide an up-to-date TLS endpoint with the following configuration options:

    - Certificates signed with SHA-2 (signature algorithm: sha256WithRSAEncryption)
    - TLS 1.2 with stronger cipher suites

In the example used in this document, we will show you how to use HAProxy on Oracle Linux 6 as the TLS termination point. This certification applies to HAProxy version 1.5.12 and later.

HAProxy is available as an installable RPM package as part of the Oracle Linux distribution, so it can be installed with a simple yum install haproxy command.

HAProxy, being an RPM, is installed by root. It installs under the assumption that it will be configured by root using /etc/haproxy/haproxy.cfg and run as a system service. It will log to a log file in /var/log/ (through syslog) and will be started by the rc boot scripts.
Section 2: Who Can Use This Note

While HAProxy is a capable proxy and a load balancer, Oracle does not recommend that you use the instructions in this note if you already have a satisfactory proxy or load balancer in place.

The instructions in this note will be of particular interest to customers with a single Oracle E-Business Suite application tier who are currently using Oracle HTTP Server (OHS) 10g as the TLS termination point.

HAProxy can be configured for use with TLS 1.0, TLS 1.1 and TLS 1.2, and will work with server certificates signed using SHA-2 (signature algorithm: sha256WithRSAEncryption).

If you are using Oracle Linux 6 (or Red Hat), you can simply install the OS-provided RPM package. If you are using AIX or Solaris, it is possible to download the HAProxy source code and compile it for that operating system. Windows and HP-UX are not currently supported by the build system supplied with HAProxy.
https://support.oracle.com/epmos/faces/SearchDocDisplay?_adf.ctrlstate=tc0zg2idc_9 1/8
9/23/2016 Document Display
In the case that you cannot or prefer not to run HAProxy on the same host as OHS 10g, you can run HAProxy on a different host with a supported operating system. For example, you can run HAProxy on Linux on real hardware or in a virtual machine.
Section 3: Installing HAProxy

If your Oracle E-Business Suite application tier is running on Oracle Linux 6 and you only have a single application tier, you can install HAProxy on that application tier. If you are not running Oracle Linux, you can install HAProxy on another host running Oracle Linux 6. The minimum installation of Oracle Linux 6 is a sufficient starting point. You will most likely find the following RPMs useful as well: acpid ntp wget unzip nc lsof openssh-clients.

The HAProxy RPM is not installed by default. To install it, run:

    # export http_proxy=www-proxy:80   # Only if you need an outbound proxy; use your site's value
    # yum update                       # to get the latest updates installed; especially the openssl libraries are important for haproxy
    # yum install haproxy

Following installation, HAProxy is available, but not running and not yet configured.

    [root@esc02 ~]# which haproxy
    /usr/sbin/haproxy
    [root@esc02 ~]# ls -l /etc/haproxy
    -rw-r--r--. 1 root root 3142 Oct 15 06:21 haproxy.cfg
    [root@esc02 ~]# ls -l /etc/init.d/haproxy
    -rwxr-xr-x. 1 root root 2298 Oct 15 06:21 /etc/init.d/haproxy
    [root@esc02 ~]# chkconfig --list haproxy
    haproxy    0:off  1:off  2:off  3:off  4:off  5:off  6:off
Section 4: Configuring HAProxy

To configure HAProxy for use with Oracle E-Business Suite, you must let HAProxy know where (ip:port) to find the Oracle E-Business Suite instance. You will have to configure the TLS aspects as follows:

    - Protocols: avoid SSL 3.0 (POODLE)
    - Cipher suites: avoid weak cipher suites (FREAK)
    - Diffie-Hellman key exchange parameters: avoid weak Diffie-Hellman key exchange parameters (Logjam)
    - Certificate (chain): use PEM files

For protocols, you will want to provide TLS 1.2 to clients that are capable. To support older clients that are not, TLS 1.0 and TLS 1.1 will be provided. SSL 3.0 will be avoided.

For cipher suites, you will want the new cipher suites available with TLS 1.2. Ivan Ristic of SSL Labs and the Mozilla Foundation provide advice for choosing the cipher suites and the order in which they should be specified. See Section 8: References for more details.

You will also want the log files (for example, OHS access_log.nnn files) on the Oracle E-Business Suite tier to record the proper IP address of the client. To achieve this, you must make HAProxy forward the client's IP address to OHS and tell OHS to use that IP address in logging and access control decisions (rather than always logging the IP address of the host where HAProxy runs).

4.1 Configuring haproxy.cfg

To start, make the following modifications to the RPM-provided configuration file /etc/haproxy/haproxy.cfg:
    [root@esc02 ~]# cd /etc/haproxy/
    [root@esc02 haproxy]# cp -p haproxy.cfg haproxy.cfg.ORIG   # just in case

Now, edit haproxy.cfg and make the following modifications:

1. Add the following line to the global section (ciphers must be all on one long line) to define a set of strong cipher suites:

    # Ristic's Apache Cipher Suite selection
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:EDH-RSA-DES-CBC3-SHA

2. Change the line in the defaults section from:

    option forwardfor except 127.0.0.0/8

   to

    option forwardfor except 127.0.0.0/8 header Client-IP

   This is where HAProxy is told to forward the browser's (client's) IP address to OHS in the Client-IP request header.

3. Change the frontend definition from:

    frontend main *:5000
        acl url_static path_beg -i /static /images /javascript /stylesheets
        acl url_static path_end -i .jpg .gif .png .css .js
        use_backend static if url_static
        default_backend app

   to

    frontend main
        bind 0.0.0.0:443 ssl no-sslv3 crt /etc/haproxy/bundle.pem
        default_backend ebs

   This change configures an HTTPS endpoint. You must tell HAProxy what interface and port to listen to (0.0.0.0:443), to use HTTPS (designated by the parameter ssl) but not SSL 3.0 (no-sslv3), and where to find the certificate bundle (crt /etc/haproxy/bundle.pem).

4. At the end, add the Oracle E-Business Suite backend definition.

    #
    # round robin balancing between the various EBS backends
    #
    backend ebs
        balance roundrobin
        server app 127.0.0.1:8000

   Here, 127.0.0.1:8000 is the IP address and port where the Oracle E-Business Suite web application listens for unencrypted HTTP requests. This example assumes that HAProxy runs on the same host as the Oracle E-Business Suite application and uses the default Oracle E-Business Suite port (port pool 0).
4.2 Configuring the Certificates

In the file above, you pointed HAProxy to the certificate file /etc/haproxy/bundle.pem.
HAProxy uses a single file to hold the private key, the signed certificate and, optionally, any required intermediate CA certificates. The files must be in PEM format.

In the following instructions, it is assumed that you already have the certificate files for configuration. If not, for information on how to obtain the certificate, see Section 7: Obtaining a Certificate for HAProxy.

Assuming that you have your private key, the signed server certificate and the CA root certificate in individual files as follows:

    key.pem        // server's private key
    cert.pem       // server's certificate, signed by the CA in cacert.pem
    caintcert.pem  // intermediate CA certificate (only if required) for use
    cacert.pem     // certificate of the root CA

You will create bundle.pem as follows (depending on whether you have an intermediate CA certificate):

    [root@esc02 ~]# cat cert.pem key.pem > bundle.pem

or

    [root@esc02 ~]# cat cert.pem caintcert.pem key.pem > bundle.pem

The cacert.pem file is the certificate of the root CA that signed the certificate; it will have to be trusted by your HTTPS clients. If you are getting your certificate from a commercial CA, the clients (browsers, Java) probably already trust that CA and no further action is required. If not, you will have to distribute the cacert.pem file to the clients and make them trust that CA as a signer of certificates.

Note: If your private key has a passphrase (password), HAProxy will prompt you for it on each start and stop. This is not suitable/proper for a daemon started and stopped using the OS boot scripts, so you will want to remove the password from the private key you put in bundle.pem.

For example, this OpenSSL command can be used to remove the passphrase from the private key. You will have to provide the password to be removed (assumes an RSA key, which is most common; for EC keys replace rsa with ec).

    [root@esc02]# mv key.pem key.pem.passphrase
    [root@esc02]# openssl rsa -in key.pem.passphrase -out key.pem
    [root@esc02]# chmod 600 key.pem

To avoid the Logjam (CVE-2015-4000) issue of weak (or frequently used) Diffie-Hellman key exchange parameters, you can generate a unique one for use. This will avoid using the defaults that are part of the linked-in OpenSSL library. The OpenSSL command can generate fresh, instance-specific DH parameters. You can generate a 2048-bit group for best security, or create a 1024-bit one for better compatibility with older clients. The new DH parameter group is simply appended to the bundle.pem file.

    [root@esc02]# openssl dhparam 2048 >> bundle.pem

Finally, verify the proper sequence of PEM elements in the bundle.pem file.

    [root@esc02]# grep BEGIN bundle.pem
    -----BEGIN CERTIFICATE-----
    -----BEGIN RSA PRIVATE KEY-----
    -----BEGIN DH PARAMETERS-----
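The grep above only eyeballs the block order. The following script, added here as an example and not part of the Oracle note, checks the same layout mechanically (certificates first, exactly one private key, DH parameters last if present) and that the key carries no passphrase; the sample bundle it writes is constructed with placeholder bodies, not real key material.

```shell
#!/bin/sh
# Added example (not from the Oracle note): sanity-check a HAProxy bundle.pem
# before the "crt /etc/haproxy/bundle.pem" bind parameter points at it.
# Expected layout: CERTIFICATE block(s) first, then exactly one private key,
# then optional DH PARAMETERS; the key must carry no passphrase, otherwise
# the haproxy service would prompt on every start and stop.

# Print the PEM block labels of file $1, one per line, in file order.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Return 0 when the block order is CERTIFICATE (one or more), then one
# private key, then optionally DH PARAMETERS last; return 1 otherwise.
check_bundle_order() {
    labels=$(pem_labels "$1")
    [ -n "$labels" ] || return 1
    last=$(printf '%s\n' "$labels" | tail -n 1)
    if [ "$last" = "DH PARAMETERS" ]; then
        labels=$(printf '%s\n' "$labels" | sed '$d')   # drop the trailing DH block
    fi
    # DH parameters anywhere but last is wrong; the last remaining block must be the key
    printf '%s\n' "$labels" | grep -q '^DH PARAMETERS$' && return 1
    case "$(printf '%s\n' "$labels" | tail -n 1)" in
        *"PRIVATE KEY") ;;
        *) return 1 ;;
    esac
    certs=$(printf '%s\n' "$labels" | sed '$d')
    [ -n "$certs" ] || return 1                                    # at least one certificate
    printf '%s\n' "$certs" | grep -qv '^CERTIFICATE$' && return 1  # nothing else before the key
    return 0
}

# Return 0 when the private key is stored without a passphrase: no legacy
# "Proc-Type: 4,ENCRYPTED" header and no PKCS#8 ENCRYPTED PRIVATE KEY block.
key_is_unencrypted() {
    ! grep -q 'Proc-Type: 4,ENCRYPTED' "$1" && ! grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Write a constructed bundle with placeholder bodies (no real key material),
# one block per label argument, in the order given; for demonstration only.
write_sample_bundle() {
    out="$1"; shift
    : > "$out"
    for label in "$@"; do
        printf '%s\n' "-----BEGIN $label-----" "MIIBplaceholder" "-----END $label-----" >> "$out"
    done
}

# Demo on a constructed file laid out like the note's final "grep BEGIN" output.
demo=$(mktemp)
write_sample_bundle "$demo" CERTIFICATE "RSA PRIVATE KEY" "DH PARAMETERS"
check_bundle_order "$demo" && key_is_unencrypted "$demo" && echo "bundle.pem layout OK"
rm -f "$demo"
```

Run it against the real file with check_bundle_order /etc/haproxy/bundle.pem before starting the service.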
Section 5: Starting HAProxy

Before starting HAProxy, you can have HAProxy verify/validate its configuration file.
    # haproxy -f /etc/haproxy/haproxy.cfg -c

If that does not report any errors, the configuration should be ready for use.

To start HAProxy from the command line:

    # service haproxy start

You can verify that HAProxy is running on the specified port by using netstat:

    # netstat -lntp | grep haproxy

You can make HAProxy start on reboot by activating the HAProxy service:

    # chkconfig haproxy on

This will make HAProxy run in runlevels 2, 3, 4, and 5.

    # chkconfig --list haproxy
    haproxy    0:off  1:off  2:on  3:on  4:on  5:on  6:off
Section 6: Configuring Oracle E-Business Suite for Use with HAProxy

For Oracle E-Business Suite to know where its web entry point is, you must configure Oracle E-Business Suite Release 12.1.3 through a set of AutoConfig variables. These normally point to the application tier's OHS port, either the HTTP port (:8000) or the HTTPS port (:4443), depending on whether or not you have enabled HTTPS.

If Oracle E-Business Suite is front-ended by an HTTPS-enabled reverse proxy, these variables must describe the reverse proxy's web entry point.

Section 3: Application Tier Setup, Step 8 Update the Context File of My Oracle Support Knowledge Document 376700.1, Enabling SSL or TLS in Oracle E-Business Suite Release 12 describes the setting of these variables.

Setting the following variables in the context file ($CONTEXT_FILE) is sufficient to make HAProxy known as the configured web entry point.

    s_webentryurlprotocol = https
        Set the web entry application tier context variable to the web entry protocol.
    s_webentryhost = ebsapp
        Set the web entry application tier context variable to the web entry host name.
    s_webentrydomain = example.com
        Set the web entry application tier context variable to the web entry domain name.
    s_active_webport = 4443
        Set the web entry application tier context variable to the web entry port number.
    s_login_page = https://ebsapp.example.com:4443/OA_HTML/AppsLogin
        Set the login page context variable to <web entry protocol>://<web entry host>.<web entry domain>:<active web port>/OA_HTML/AppsLogin.
    s_endUserMonitoringURL = https://ebsapp.example.com:4443/oracle_smp_chronos/oracle_smp_chronos_sdk.gif
        Set the end user monitoring URL context variable to <web entry protocol>://<web entry host>.<web entry domain>:<active web port>/oracle_smp_chronos/oracle_smp_chronos_sdk.gif.
    s_external_url = https://ebsapp.example.com:4443
        Set the external URL context variable to <web entry protocol>://<web entry host>.<web entry domain>:<active web port>.
In addition to the above, you must let OHS know to use the header sent by HAProxy with the client's real IP address by adding the following line for the default HTTP configuration context. To do this, add the following line to the end of httpd.conf.

    UseWebCacheIp ON

Note: To avoid having these settings overwritten by AutoConfig, you can add these configurations to a customized version of the AutoConfig templates found under <FND_TOP>/admin/template. See My Oracle Support Knowledge Document 387859.1, Using AutoConfig to Manage System Configurations in Oracle E-Business Suite Release 12 for more information.
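The three URL-valued variables above are fully determined by the four web entry variables, so a mismatch (for example, a login page still pointing at the OHS HTTP port after HAProxy took over :4443) is easy to catch mechanically. The script below is an added example, not part of the Oracle note; it assumes the context file stores each variable as an element with an oa_var="NAME" attribute and the value as element text, and the sample context it writes is constructed for the demo.

```shell
#!/bin/sh
# Added example, not taken from the Oracle note: derive s_login_page,
# s_endUserMonitoringURL and s_external_url from the four web entry variables
# and compare them with what a context file actually holds. Assumption: each
# variable is an element with an oa_var="NAME" attribute and the value as
# element text, e.g. <login_page oa_var="s_login_page">https://...</login_page>.

# Print the value of context variable $2 from context file $1 (empty if absent).
context_var() {
    sed -n "s/.*oa_var=\"$2\"[^>]*>\([^<]*\)<.*/\1/p" "$1" | head -n 1
}

# Print, one per line, the expected s_login_page, s_endUserMonitoringURL and
# s_external_url for a web entry point given as protocol, host, domain, port.
expected_web_entry_urls() {
    base="$1://$2.$3:$4"
    printf '%s\n' "$base/OA_HTML/AppsLogin" \
        "$base/oracle_smp_chronos/oracle_smp_chronos_sdk.gif" "$base"
}

# Return 0 when the three URL variables in context file $1 agree with its own
# web entry protocol/host/domain/port; otherwise report each mismatch, return 1.
check_web_entry() {
    f="$1"; rc=0
    set -- $(expected_web_entry_urls \
        "$(context_var "$f" s_webentryurlprotocol)" "$(context_var "$f" s_webentryhost)" \
        "$(context_var "$f" s_webentrydomain)" "$(context_var "$f" s_active_webport)")
    for pair in "s_login_page=$1" "s_endUserMonitoringURL=$2" "s_external_url=$3"; do
        name=${pair%%=*}; want=${pair#*=}
        have=$(context_var "$f" "$name")
        [ "$have" = "$want" ] || { echo "$name: have '$have', want '$want'"; rc=1; }
    done
    return $rc
}

# Write a constructed context fragment (not a real $CONTEXT_FILE) to $1 from
# protocol, host, domain, port and the three URL values; for demonstration only.
write_sample_context() {
    cat > "$1" <<EOF
<oa_context>
 <webentryurlprotocol oa_var="s_webentryurlprotocol">$2</webentryurlprotocol>
 <webentryhost oa_var="s_webentryhost">$3</webentryhost>
 <webentrydomain oa_var="s_webentrydomain">$4</webentrydomain>
 <activewebport oa_var="s_active_webport">$5</activewebport>
 <login_page oa_var="s_login_page">$6</login_page>
 <endUserMonitoringURL oa_var="s_endUserMonitoringURL">$7</endUserMonitoringURL>
 <external_url oa_var="s_external_url">$8</external_url>
</oa_context>
EOF
}
```

Against a live system, run check_web_entry "$CONTEXT_FILE" after editing the context file and before running AutoConfig.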
Deployment Scenario: Single Application Tier Currently Using OHS for TLS Termination

If you already have an Oracle E-Business Suite environment with a single application tier configured for TLS termination in OHS as per My Oracle Support Knowledge Document 376700.1, Enabling SSL or TLS in Oracle E-Business Suite Release 12, here is a simple way to reconfigure that instance to use HAProxy on that host for TLS termination.

In the above configuration, OHS listeners are on port :8000 for HTTP and on port :4443 for HTTPS.

If in that environment you stop OHS from listening on port :4443 and start HAProxy listening on port :4443, the existing configuration of Oracle E-Business Suite (telling it about the HTTPS web entry point) will not have to change.

To do that, edit httpd.conf.

1. Comment out the include line for the ssl.conf file.
2. Add the UseWebCacheIp ON line.

For example, change:

    # Include the SSL definitions and Virtual Host container
    include "/u01/install/APPS/inst/apps/EBSDB_apps/ora/10.1.3/Apache/Apache/conf/ssl.conf"

to

    # Include the SSL definitions and Virtual Host container
    #include "/u01/install/APPS/inst/apps/EBSDB_apps/ora/10.1.3/Apache/Apache/conf/ssl.conf"
    UseWebCacheIp ON
Note: To avoid having these settings overwritten by AutoConfig, you can add these configurations to a customized version of the AutoConfig templates found under <FND_TOP>/admin/template. See My Oracle Support Knowledge Document 387859.1, Using AutoConfig to Manage System Configurations in Oracle E-Business Suite Release 12 for more information.

For this scenario, the server line in haproxy.cfg should simply read server app 127.0.0.1:8000 and the bind line should use port :4443.

As the IP address is known in this case (localhost), you can simply download the prepared configuration file from haproxy.cfg (assuming OHS HTTP is on port :8000). Otherwise, edit the port number.

Verify the port numbers in the configuration file (:4443 frontend, :8000 backend).

    # grep -E '^ *(server|bind)' haproxy.cfg
    bind 0.0.0.0:4443 ssl no-sslv3 crt /etc/haproxy/bundle.pem
    server app1 127.0.0.1:8000

Start HAProxy and check the ports:

    # service haproxy start
    # netstat -lntp | grep 0:[48]
    tcp    0    0 0.0.0.0:4443    0.0.0.0:*    LISTEN    4118/haproxy
    tcp    0    0 0.0.0.0:8000    0.0.0.0:*    LISTEN    3473/httpd

Test that your TLS-enabled Oracle E-Business Suite environment works as before.

Verify that OHS's access_log logs the real IP address of the remote clients rather than the IP address of HAProxy (127.0.0.1 in this case).
Section 7: Obtaining a Certificate for HAProxy

HAProxy needs to be configured with a valid server certificate. If you were already using OHS as the TLS termination point and will run HAProxy on the same host, you may already have a certificate valid for the host name.

If you do not have a certificate that you can or wish to reuse, you can purchase a new certificate after having created a new private key and a certificate signing request.

7.1 Reuse an Existing Certificate from the OHS Wallet

If you were using OHS as a TLS termination point and are installing HAProxy on the same host as OHS, you may have a still-valid SSL server certificate for this host in OHS's wallet file.

If you would like, you can export the private key and relevant certificates from the wallet to the PEM files required by HAProxy. The wallet file, ewallet.p12, is a PKCS#12 file and OpenSSL can extract the various pieces, provided you know the wallet password.

If you wish to extract the contents from the wallet file, see the reference to the "OpenSSL Cookbook" in Section 8: References for information on how to use the openssl pkcs12 command.

The drawback of this solution is that the certificate that you export from the wallet will not be an SHA-2 signed certificate. Most likely, you will take this opportunity to upgrade to a certificate signed with SHA-2.

7.2 Create a New SHA-2 Signed Certificate

To obtain a new certificate from a commercial certificate authority (CA), you will have to generate a private key and a certificate signing request (CSR). The OpenSSL command can do this.

The OpenSSL Cookbook has good information about how to work with OpenSSL to create certificate artifacts, including mention of the benefits of creating a company-specific configuration file with proper company defaults. See Section 8: References for more information.
However, the following commands will create a new private key and a CSR:

    [root@esc02]# cd /etc/haproxy
    [root@esc02]# openssl genrsa -aes128 -out key.pem 2048
    [root@esc02]# openssl req -new -sha256 -key key.pem -out csr.pem

The openssl req command will prompt you for information that will be incorporated into the certificate, such as information about your company and the full host name of your web entry point. Your organization or your CA may have requirements or standards for acceptable values for these data elements.

Prior to submitting the CSR, you can review its content for accuracy by using the following command:

    [root@esc02]# openssl req -noout -in csr.pem -text

Submit the certificate signing request csr.pem to a commercial CA and receive your SHA-2 signed certificate and any required CA certificates.
Section 8: References

    My Oracle Support Knowledge Document 376700.1, Enabling SSL or TLS in Oracle E-Business Suite Release 12
    My Oracle Support Knowledge Document 380489.1, Using Load Balancers with Oracle E-Business Suite Release 12
    My Oracle Support Knowledge Document 1937646.1, CVE-2014-3566 Instructions to Mitigate the SSLv3 Vulnerability ("POODLE Attack") in Oracle E-Business Suite
    HAProxy Configuration Manual version 1.5.12 (.txt file)
    HAProxy Configuration Manual version 1.5.12 (HTML)
    Mozilla Wiki: Security/Server Side TLS, HAProxy Protocols and Ciphers for HAProxy
    OpenSSL Cookbook: PKCS#12
    OpenSSL Cookbook: Certificate Generation
    Stack Exchange Q: 2015 TLS 1.2 Cipher Suites
Change Log

    Date          Description
    09 Dec 2015   Specified HAProxy version (1.5.12 and later) in Section 1: Introduction. Updated document copyright statement.
    22 Jun 2015   Initial publication.

My Oracle Support Knowledge Document 2012639.1 by Oracle E-Business Suite Development
Copyright 2015, Oracle and/or its affiliates. All rights reserved.