
How to create DMZ for EBS R12

AUGUST 4, 2017 TECHGOEASY COMMENT

In this post I will explain my experience with setting up a DMZ for EBS R12. We will
first go through some of the important terms.

DMZ

The DMZ, which stands for Demilitarized Zone, consists of the portions of a corporate
network that are between the corporate intranet and the Internet. The DMZ can be
a simple one-segment LAN or it can be broken down into multiple regions. The main
benefit of a properly configured DMZ is better security: in the event of a security
breach, only the area contained within the DMZ is exposed to potential damage, while
the corporate intranet remains somewhat protected.

Load Balancer

Load balancers distribute an application's load over many identically configured
servers. This distribution ensures consistent application availability even when one or
more servers fail.

Reverse Proxy

A reverse proxy server is an intermediate server that sits between a client and the
actual web server and makes requests to the web server on behalf of the client. You
can find more information on reverse proxy servers

Internal Applications Middle Tier

The internal applications middle tier is the server configured for internal users to
access Oracle E-Business Suite. It runs the following major application services:

Web and Forms Services

Administration and Concurrent Manager Services

Reports and Discoverer Services


External Applications Web Tier

The external applications web tier is the server configured for external users to
access Oracle E-Business Suite. It runs the following application service:

Web server

How to create DMZ for EBS R12

1) Create the External Web Tier With Reverse Proxy

Case A: A New server with Reverse Proxy

Clone Application Tier to the New server

1. Run adpreclone and take a backup of the internal web tier
2. Restore it on the external web tier
3. Run adcfgclone appsTier and configure the external node

Once this is completed, change the following in the context file:

<TIER_DB oa_var="s_isDB">NO</TIER_DB>
<TIER_ADMIN oa_var="s_isAdmin">NO</TIER_ADMIN>
<TIER_WEB oa_var="s_isWeb">YES</TIER_WEB>
<TIER_FORMS oa_var="s_isForms">NO</TIER_FORMS>
<TIER_NODE oa_var="s_isConc">NO</TIER_NODE>
<TIER_FORMSDEV oa_var="s_isFormsDev">NO</TIER_FORMSDEV>
<TIER_NODEDEV oa_var="s_isConcDev">NO</TIER_NODEDEV>
<TIER_WEBDEV oa_var="s_isWebDev">YES</TIER_WEBDEV>

Change the following for the reverse proxy:

s_webentryurlprotocol   Set the value to the web entry protocol the clients use to access the reverse proxy server

s_webentryhost          Set the value to the reverse proxy server

s_webentrydomain        Set the value to the domain of the reverse proxy server

s_active_webport        Set the value to the port where the reverse proxy server listens for clients

s_login_page            Set the login page to <webentry protocol>://<webentry host>.<webentry domain>:<active web port>.
                        Replace <webentry protocol>, <webentry host>, <webentry domain>, and <active web port> with
                        their respective values.

s_help_web_agent        Set the help web agent to <webentry protocol>://<webentry host>.<webentry domain>:<active web port>.
                        Replace <webentry protocol>, <webentry host>, <webentry domain>, and <active web port> with
                        their respective values.

Case B: Using the internal server as the external tier (the internal server has an
extra NIC card) with reverse proxy

This configuration requires your internal application middle tier server to have at
least two network interfaces. One network interface is required for the external entry
point and another for the internal entry point. These network interfaces must be
configured to resolve to two different hostnames in the DNS.

For example:

/etc/hosts of the internal server:

192.30.21.1 int.tech.com int
192.30.21.2 ext.tech.com ext

Create the New Context file using the below command

$ perl $COMMON_TOP/clone/bin/adclonectx.pl \
    contextfile=$CONTEXT_FILE \
    outfile=<name of the output file including location>

Important parameters to be fed:

Target System Hostname (virtual or normal) [int]: ext

Do you want the inputs to be validated (y/n) [n] ?: Y

Do you want to preserve the port values from the source system on the target system (y/n) [y] ?: Y

Changes required once the context file is created:

AutoConfig Variable         Required Value

s_isWeb                     YES

s_isWebDev                  YES

s_http_listen_parameter     New port for the http listener

s_https_listen_parameter    New port for the https listener

s_webentryurlprotocol       Set the value to the web entry protocol

s_webentryhost              Set the value to the webentry host

s_webentrydomain            Set the value to the webentry domain

s_active_webport            Set the value to the active port

s_login_page                Set the value to point to the new webentry configuration

s_server_ip_address         Set the value of this variable to the IP address of the external facing network interface
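The context file edits for the external web tier (the tier flags and web entry variables in Case A, and the Case B table above) are easy to get half right, for example leaving s_isForms at YES or pointing s_login_page at the wrong protocol or port. The following Python check is an added example, not code from this post or from Oracle: it parses a context file by the oa_var attribute (so the element names, which are constructed here, do not matter), verifies the tier flags an external web tier must carry, and confirms that s_login_page and s_help_web_agent begin with the web entry built from s_webentryurlprotocol, s_webentryhost, s_webentrydomain and s_active_webport. The sample XML and all values in it are constructed and carry two deliberate mistakes.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed context file fragment (hypothetical values). Element names are
# illustrative only; lookups go by the oa_var attribute as in a real context file.
# Two deliberate mistakes: s_isForms is YES and s_login_page uses http.
SAMPLE_CONTEXT_XML = """
<oa_context>
  <oa_system_config>
    <TIER_DB oa_var="s_isDB">NO</TIER_DB>
    <TIER_ADMIN oa_var="s_isAdmin">NO</TIER_ADMIN>
    <TIER_WEB oa_var="s_isWeb">YES</TIER_WEB>
    <TIER_FORMS oa_var="s_isForms">YES</TIER_FORMS>
    <TIER_NODE oa_var="s_isConc">NO</TIER_NODE>
    <TIER_FORMSDEV oa_var="s_isFormsDev">NO</TIER_FORMSDEV>
    <TIER_NODEDEV oa_var="s_isConcDev">NO</TIER_NODEDEV>
    <TIER_WEBDEV oa_var="s_isWebDev">YES</TIER_WEBDEV>
  </oa_system_config>
  <oa_web_server>
    <webentryurlprotocol oa_var="s_webentryurlprotocol">https</webentryurlprotocol>
    <webentryhost oa_var="s_webentryhost">ext</webentryhost>
    <webentrydomain oa_var="s_webentrydomain">tech.com</webentrydomain>
    <activewebport oa_var="s_active_webport">443</activewebport>
    <login_page oa_var="s_login_page">http://ext.tech.com:443/OA_HTML/AppsLogin</login_page>
    <help_web_agent oa_var="s_help_web_agent">https://ext.tech.com:443/OA_HTML/help</help_web_agent>
  </oa_web_server>
</oa_context>
"""

# Tier flags an external web tier must carry (values from the post above).
EXPECTED_TIER_FLAGS = {
    "s_isDB": "NO", "s_isAdmin": "NO", "s_isWeb": "YES", "s_isForms": "NO",
    "s_isConc": "NO", "s_isFormsDev": "NO", "s_isConcDev": "NO", "s_isWebDev": "YES",
}
WEB_ENTRY_VARS = ("s_webentryurlprotocol", "s_webentryhost",
                  "s_webentrydomain", "s_active_webport")


def load_context_vars(xml_text):
    """Map every oa_var name in the context XML to its (stripped) text value."""
    root = ET.fromstring(xml_text)
    return {el.get("oa_var"): (el.text or "").strip()
            for el in root.iter() if el.get("oa_var")}


def expected_web_entry(ctx):
    """Build <protocol>://<host>.<domain>:<port> from the web entry variables."""
    return "{}://{}.{}:{}".format(ctx["s_webentryurlprotocol"], ctx["s_webentryhost"],
                                  ctx["s_webentrydomain"], ctx["s_active_webport"])


def check_external_web_tier(ctx):
    """Return a list of findings; an empty list means the file is consistent."""
    findings = []
    for var, want in EXPECTED_TIER_FLAGS.items():
        got = ctx.get(var)
        if got != want:
            findings.append("%s is %r, expected %r" % (var, got, want))

    missing = [v for v in WEB_ENTRY_VARS if not ctx.get(v)]
    if missing:
        findings.append("missing web entry variables: " + ", ".join(missing))
        return findings  # the URL checks below need all four values

    if ctx["s_webentryurlprotocol"] not in ("http", "https"):
        findings.append("s_webentryurlprotocol is %r, expected http or https"
                        % ctx["s_webentryurlprotocol"])
    if not ctx["s_active_webport"].isdigit():
        findings.append("s_active_webport is %r, expected a port number"
                        % ctx["s_active_webport"])

    prefix = expected_web_entry(ctx)
    for var in ("s_login_page", "s_help_web_agent"):
        value = ctx.get(var, "")
        rest = value[len(prefix):]
        # The URL must start with the web entry and then continue with a path or
        # nothing at all, so that port 44 is not accepted as a prefix of port 443.
        if not value.startswith(prefix) or (rest and not rest.startswith("/")):
            findings.append("%s is %r, expected it to start with %r" % (var, value, prefix))
    return findings


def main(path=None):
    """Check a context file given on the command line, or the built-in sample."""
    xml_text = open(path).read() if path else SAMPLE_CONTEXT_XML
    findings = check_external_web_tier(load_context_vars(xml_text))
    for finding in findings:
        print("FINDING:", finding)
    print("OK" if not findings else "%d finding(s)" % len(findings))
    return len(findings)


if __name__ == "__main__":
    sys.exit(1 if main(sys.argv[1] if len(sys.argv) > 1 else None) else 0)
```

Run it as `python check_ctx.py $CONTEXT_FILE` on the external node after adcfgclone and again after each manual edit; a non-zero exit means at least one finding. The prefix check is deliberately stricter than a plain `startswith`, because a context file where the reverse proxy listens on 443 but s_active_webport was left at 44 would otherwise pass.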

2) Stop the Concurrent Manager and all the application nodes

3) Instantiate the New Configuration Files and Profile Options Based on the New
Context File

The DMZ configuration requires the use of the new ServResp profile option hierarchy
for the profile options. If you haven’t already done so, change the profile options
hierarchy type to ServResp by executing the txkChangeProfH.sql SQL script as
shown below:

$ sqlplus apps/apps @$FND_TOP/patch/115/sql/txkChangeProfH.sql SERVRESP

SQL*Plus: Release 10.1.0.5.0 - Production on Thu Sep 5 01:46:59 2016

Copyright (c) 1982, 2005, Oracle. All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, Automatic Storage Management, OLAP, Data Mining
and Real Application Testing options

Changing the hierarchy type for the Profile APPS_WEB_AGENT
Profile APPS_WEB_AGENT hierarchy type has been successfully changed to SERVRESP
Changing the hierarchy type for the Profile APPS_SERVLET_AGENT
Profile APPS_SERVLET_AGENT hierarchy type has been successfully changed to SERVRESP
Changing the hierarchy type for the Profile APPS_JSP_AGENT
Profile APPS_JSP_AGENT hierarchy type has been successfully changed to SERVRESP
Changing the hierarchy type for the Profile APPS_FRAMEWORK_AGENT
Profile APPS_FRAMEWORK_AGENT hierarchy type has been successfully changed to SERVRESP
Changing the hierarchy type for the Profile ICX_FORMS_LAUNCHER
Profile ICX_FORMS_LAUNCHER hierarchy type has been successfully changed to SERVRESP
Changing the hierarchy type for the Profile ICX_DISCOVERER_LAUNCHER
Profile ICX_DISCOVERER_LAUNCHER hierarchy type has been successfully changed to SERVRESP
Changing the hierarchy type for the Profile ICX_DISCOVERER_VIEWER_LAUNCHER
Profile ICX_DISCOVERER_VIEWER_LAUNCHER hierarchy type has been successfully changed to SERVRESP
Changing the hierarchy type for the Profile HELP_WEB_AGENT
Profile HELP_WEB_AGENT hierarchy type has been successfully changed to SERVRESP
Changing the hierarchy type for the Profile APPS_PORTAL
Profile APPS_PORTAL hierarchy type has been successfully changed to SERVRESP
Changing the hierarchy type for the Profile CZ_UIMGR_URL
Profile CZ_UIMGR_URL hierarchy type has been successfully changed to SERVRESP
Changing the hierarchy type for the Profile QP_PRICING_ENGINE_URL
Profile QP_PRICING_ENGINE_URL hierarchy type has been successfully changed to SERVRESP
Changing the hierarchy type for the Profile TCF:HOST
Profile TCF:HOST hierarchy type has been successfully changed to SERVRESP

Disconnected from Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, Automatic Storage Management, OLAP, Data Mining
and Real Application Testing options

4) Run Autoconfig all the nodes including External nodes

5) Run Autoconfig on the Primary internal Nodes

6) Startup the Internal system

7) Update Node Trust Level

Set the NODE_TRUST_LEVEL profile option value on the external web tier in your
Oracle E-Business Suite Release 12 environment to External.

To change the value of the Node Trust Level profile option value to External for a
particular node, perform the following steps:

1. Log in to Oracle E-Business Suite as the sysadmin user using the internal URL
2. Select the System Administrator responsibility
3. Select Profile / System
4. From the ‘Find system profile option Values’ window, select the server that
you want to designate as the external web tier
5. Query for %NODE%TRUST%. You will see a profile option named ‘Node
Trust Level‘. The value for this profile option at the site level will
be Normal. Leave this setting unchanged.

Set the value of this profile option to External at the server level. The site level
value should remain set to Normal

8) Update Responsibilities List

After updating the server-level profile value for Node Trust Level for the external
web tier(s) to External, users can no longer see any responsibilities when they login
via the external web tier. In order for a responsibility to be available from the
external E-Business Suite web tier, set the Responsibility Trust Level profile option
value for that responsibility to External at the responsibility level.

Log in to Oracle E-Business Suite as the sysadmin user using the internal URL

1. Select the System Administrator responsibility
2. Select Profile / System
3. From the ‘Find system profile option Values’ window, select the responsibility
that you want to make available to users logging in via the external web tier
4. Query for %RESP%TRUST%. You will see a profile option named
‘Responsibility trust level‘. The value for this profile option at site level will
be Normal. Leave this setting unchanged.
5. Set the value of this profile option for the chosen responsibility to External at
the responsibility level. The site-level value should remain Normal.

Repeat for all responsibilities that you want to make available from the external web
tier.
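Steps 7 and 8 together are the access-control core of the DMZ setup: the Node Trust Level set at the server level decides what the external tier may serve at all, and the Responsibility Trust Level set at the responsibility level decides which responsibilities are allowed out there. The following Python model is an added example, not code from this post or from Oracle. The in-memory profile store, the node names int and ext, the responsibility names and the numeric ordering Administrative < Normal < External are constructed assumptions (the post names only Normal and External); the visibility rule, that a node serves only responsibilities whose trust level is at least its own, reproduces what the post describes: before step 7 the external tier (site default Normal) would serve everything, after step 7 it serves nothing, and after step 8 it serves exactly the responsibilities raised to External, while both site-level values stay Normal.

```python
from enum import IntEnum


class TrustLevel(IntEnum):
    # Ordering is an assumption: Administrative is the most restricted,
    # External the most widely exposed. The post names only Normal and External.
    ADMINISTRATIVE = 1
    NORMAL = 2
    EXTERNAL = 3


NODE_PROFILE = "Node Trust Level"
RESP_PROFILE = "Responsibility Trust Level"

# Constructed sample: the responsibilities and node names are hypothetical.
RESPONSIBILITIES = ["SYSTEM_ADMINISTRATOR", "IRC_EMPLOYEE", "IRC_EXT_CANDIDATE"]
INTERNAL_NODE, EXTERNAL_NODE = "int", "ext"


def baseline_store():
    """Profile values before steps 7 and 8: site-level values only, both Normal."""
    return {
        NODE_PROFILE: {"SITE": TrustLevel.NORMAL, "SERVER": {}},
        RESP_PROFILE: {"SITE": TrustLevel.NORMAL, "RESPONSIBILITY": {}},
    }


def node_trust_level(store, node):
    """A server-level value overrides the site default for that node."""
    profile = store[NODE_PROFILE]
    return profile["SERVER"].get(node, profile["SITE"])


def responsibility_trust_level(store, resp):
    """A responsibility-level value overrides the site default for that responsibility."""
    profile = store[RESP_PROFILE]
    return profile["RESPONSIBILITY"].get(resp, profile["SITE"])


def set_node_external(store, node):
    """Step 7: mark one web tier External at the server level only."""
    store[NODE_PROFILE]["SERVER"][node] = TrustLevel.EXTERNAL


def set_responsibility_external(store, resp):
    """Step 8: expose one responsibility at the responsibility level only."""
    store[RESP_PROFILE]["RESPONSIBILITY"][resp] = TrustLevel.EXTERNAL


def visible_responsibilities(store, node, responsibilities=RESPONSIBILITIES):
    """A node serves a responsibility only if the responsibility's trust level is
    at least the node's own (assumed rule; it matches the behaviour the post describes)."""
    node_level = node_trust_level(store, node)
    return [r for r in responsibilities
            if responsibility_trust_level(store, r) >= node_level]


def walkthrough():
    """Apply steps 7 and 8 to a fresh store and record what each node exposes."""
    store = baseline_store()
    stages = {"before": visible_responsibilities(store, EXTERNAL_NODE)}
    set_node_external(store, EXTERNAL_NODE)
    stages["after_node_external"] = visible_responsibilities(store, EXTERNAL_NODE)
    set_responsibility_external(store, "IRC_EXT_CANDIDATE")
    stages["after_resp_external"] = visible_responsibilities(store, EXTERNAL_NODE)
    stages["internal_node"] = visible_responsibilities(store, INTERNAL_NODE)
    # Both site-level values must still be Normal after the two steps.
    stages["site_levels"] = (store[NODE_PROFILE]["SITE"], store[RESP_PROFILE]["SITE"])
    return stages


if __name__ == "__main__":
    for stage, value in walkthrough().items():
        print("%-22s %s" % (stage, value))
```

The "before" stage is the one worth noticing during a rollout: until the server-level Node Trust Level is set, the cloned external tier inherits Normal from the site level and would serve every responsibility, which is why the post stops the services before the profile changes and starts the external tier only in step 9.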

9) Start the External Tier and validate the application

adopmnctl.sh start
adoafmctl.sh start
adformsctl.sh start
adoacorectl.sh start
adapcctl.sh start

R12 DMZ Configuration


By Nazim On December 7, 2010 · 1 Comment
DMZ Configuration on R12
Approach
The following is the approach to achieve the required configuration:
- OS verification
- Backup the source (production instance)
- Copy the source application tier to the DMZ machine
- Create user and group for the DMZ machine
- Create directories for the target DMZ and give them the required grant and ownership
- Configure the DMZ
- Run autoconfig on both application tiers and the database tier
- Start and check the services
OS Verification
i) Create OS user
ii) Host file format
The "/etc/hosts" file should use the following format, and the hostname length should be less
than 255 characters.
IP Address   Fully Qualified Hostname   alias
Example:
10.10.19.39 irecruit.oracle.com irecruit
10.10.11.31 internal.oracle.com internal
iii) Mount Point / Storage Details
All disks in a disk group should have the same I/O density (Megabytes per second of transfer
rate per Gigabyte of capacity).
Metalink note id: Oracle E-Business Suite R12 Configuration in a DMZ (380490.1)
iv) Software Requirement
ar, ld, make, X Display Server
v) Log in to the source and shut down the application services
vi) Take a backup of the application directories and transfer it to the target server
Configuring DMZ
vii) login as: appldmz
viii) Check the below settings
echo $PATH
which make
which ld

ix) Navigate to the location where the files have been transferred.
x) Then navigate to the clone bin directory and run adcfgclone.pl with appsTier
pwd
/oracle/appldmz
apps inst
cd apps/apps_st/comn/clone/bin

perl adcfgclone.pl appsTier


Copyright (c) 2002 Oracle Corporation
Redwood Shores, California, USA
Oracle Applications Rapid Clone
Version 12.0.0
adcfgclone Version 120.20.12000000.11
Enter the APPS password :
Running:
/oracle/appldmz/apps/apps_st/comn/clone/bin/../jre/bin/java -Xmx600M -cp /oracle/appldmz/apps/apps_st/comn/clone/jlib/java:/oracle/appldmz/apps/apps_st/comn/clone/jlib/xmlparserv2.jar:/oracle/appldmz/apps/apps_st/comn/clone/jlib/ojdbc14.jar oracle.apps.ad.context.CloneContext -e /oracle/appldmz/apps/apps_st/comn/clone/bin/../context/apps/CTXORIG.xml -validate -pairsfile /tmp/adpairsfile_28117.lst -stage /oracle/appldmz/apps/apps_st/comn/clone 2> /tmp/adcfgclone_28117.err; echo $? > /tmp/adcfgclone_28117.res
Log file located at
/oracle/appldmz/apps/apps_st/comn/clone/bin/CloneContext_10272126.log
Provide the values required for creation of the new APPL_TOP Context file.
Target System Hostname (virtual or normal) [irecruit] :
Target System Database SID : RAC1
Target System Database Server Node [irecruit] : internal
Target System Base Directory : /oracle/appldmz
Target System Forms ORACLE_HOME Directory [/oracle/appldmz/apps/tech_st/10.1.2] :
Target System Web ORACLE_HOME Directory [/oracle/appldmz/apps/tech_st/10.1.3] :
Target System APPL_TOP Mountpoint [/oracle/appldmz/apps/apps_st/appl] :
Target System COMMON_TOP Directory [/oracle/appldmz/apps/apps_st/comn] :
Target System Instance Home Directory [/oracle/appldmz/inst] :
Username for the Applications File System Owner [appldmz] :
Target System Root Service [enabled] :
Target System Web Entry Point Services [enabled] :
Target System Web Application Services [enabled] :
Target System Batch Processing Services [enabled] :
Target System Other Services [disabled] :
Do you want to preserve the Display [internal:0.0] (y/n) ? : n
Target System Display [irecruit:0.0] :
Do you want the target system to have the same port values as the
source system (y/n)[y] ? : n
Target System Port Pool [0-99] : 10
Checking the port pool 10
done: Port Pool 10 is free
Report file located at
/oracle/appldmz/inst/apps/RAC1_irecruit/admin/out/portpool.lst
Complete port information available at
/oracle/appldmz/inst/apps/RAC1_irecruit/admin/out/portpool.lst
Creating the new APPL_TOP Context file from :
/oracle/appldmz/apps/apps_st/appl/ad/12.0.0/admin/template/adxmlctx.tmp
The new APPL_TOP context file has been created :
/oracle/appldmz/inst/apps/RAC1_irecruit/appl/admin/RAC1_irecruit.xml
Log file located at
/oracle/appldmz/apps/apps_st/comn/clone/bin/CloneContext_10272126.log
Check Clone Context logfile
/oracle/appldmz/apps/apps_st/comn/clone/bin/CloneContext_10272126.log for
details.
Running Rapid Clone with command:
perl /oracle/appldmz/apps/apps_st/comn/clone/bin/adclone.pl java=/oracle/appldmz/apps/apps_st/comn/clone/bin/../jre mode=apply stage=/oracle/appldmz/apps/apps_st/comn/clone component=appsTier method=CUSTOM appctxtg=/oracle/appldmz/inst/apps/RAC1_irecruit/appl/admin/RAC1_irecruit.xml showProgress contextValidated=true
Running:
perl /oracle/appldmz/apps/apps_st/comn/clone/bin/adclone.pl java=/oracle/appldmz/apps/apps_st/comn/clone/bin/../jre mode=apply stage=/oracle/appldmz/apps/apps_st/comn/clone component=appsTier method=CUSTOM appctxtg=/oracle/appldmz/inst/apps/RAC1_irecruit/appl/admin/RAC1_irecruit.xml showProgress contextValidated=true

APPS Password :
Beginning application tier Apply - Tue Oct 27 21:27:47 2009
/oracle/appldmz/apps/apps_st/comn/clone/bin/../jre/bin/java -Xmx600M -DCONTEXT_VALIDATED=true -Doracle.installer.oui_loc=/oui -classpath /oracle/appldmz/apps/apps_st/comn/clone/jlib/xmlparserv2.jar:/oracle/appldmz/apps/apps_st/comn/clone/jlib/ojdbc14.jar:/oracle/appldmz/apps/apps_st/comn/clone/jlib/java:/oracle/appldmz/apps/apps_st/comn/clone/jlib/oui/OraInstaller.jar:/oracle/appldmz/apps/apps_st/comn/clone/jlib/oui/ewt3.jar:/oracle/appldmz/apps/apps_st/comn/clone/jlib/oui/share.jar:/oracle/appldmz/apps/apps_st/comn/clone/jlib/oui/srvm.jar:/oracle/appldmz/apps/apps_st/comn/clone/jlib/ojmisc.jar oracle.apps.ad.clone.ApplyAppsTier -e /oracle/appldmz/inst/apps/RAC1_irecruit/appl/admin/RAC1_irecruit.xml -stage /oracle/appldmz/apps/apps_st/comn/clone -showProgress
APPS Password : Log file located at /oracle/appldmz/inst/apps/RAC1_irecruit/admin/log/ApplyAppsTier_10272127.log
/ 3% completed

xi) Once this process completes successfully, shut down the services and change the following
parameters in the .xml file

<oa_system_config>
<TIER_DB oa_var="s_isDB">NO</TIER_DB>
<TIER_ADMIN oa_var="s_isAdmin">NO</TIER_ADMIN>
<TIER_WEB oa_var="s_isWeb">YES</TIER_WEB>
<TIER_FORMS oa_var="s_isForms">NO</TIER_FORMS>
<TIER_NODE oa_var="s_isConc">NO</TIER_NODE>
<TIER_FORMSDEV oa_var="s_isFormsDev">NO</TIER_FORMSDEV>
<TIER_NODEDEV oa_var="s_isConcDev">NO</TIER_NODEDEV>
<TIER_WEBDEV oa_var="s_isWebDev">YES</TIER_WEBDEV>
<config_option oa_var="s_techstack">as1013</config_option>
<config_option oa_var="s_tnsmode">generateTNS</config_option>
<config_option oa_var="s_apps_version">12.0.4</config_option>
<config_option oa_var="s_apache_mode">NORMAL</config_option>
<ias_version oa_var="s_ias_version">10.1.3.0.0</ias_version>
</oa_system_config>

xii) Run the node clean package as apps user

sqlplus apps/********
exec fnd_conc_clone.setup_clean;
commit;
exit

Run autoconfig in the series stated below:
a) database tier
b) primary apps tier (production)
c) DMZ (irecruit tier)
xiii) After the completion of autoconfig, run the following script as apps from the primary
node.

This changes the profile option hierarchy type values to SERVRESP.
Then run autoconfig again on the primary node, as seen in the following lines.

@txkChangeProfH.sql SERVRESP
Changing the hierarchy type for the Profile APPS_WEB_AGENT
Profile APPS_WEB_AGENT hierarchy type has been
successfully changed to SERVRESP
Changing the hierarchy type for the Profile APPS_SERVLET_AGENT
Profile APPS_SERVLET_AGENT hierarchy type has been
successfully changed to SERVRESP
Changing the hierarchy type for the Profile APPS_JSP_AGENT
Profile APPS_JSP_AGENT hierarchy type has been
successfully changed to SERVRESP
Changing the hierarchy type for the Profile APPS_FRAMEWORK_AGENT
Profile APPS_FRAMEWORK_AGENT hierarchy type has been
successfully changed to SERVRESP
Changing the hierarchy type for the Profile ICX_FORMS_LAUNCHER
Profile ICX_FORMS_LAUNCHER hierarchy type has been
successfully changed to SERVRESP
Changing the hierarchy type for the Profile ICX_DISCOVERER_LAUNCHER
Profile ICX_DISCOVERER_LAUNCHER hierarchy type has been
successfully changed to SERVRESP
Changing the hierarchy type for the Profile
ICX_DISCOVERER_VIEWER_LAUNCHER
Profile ICX_DISCOVERER_VIEWER_LAUNCHER hierarchy type has been
successfully changed to SERVRESP
Changing the hierarchy type for the Profile HELP_WEB_AGENT
Profile HELP_WEB_AGENT hierarchy type has been
successfully changed to SERVRESP
Changing the hierarchy type for the Profile APPS_PORTAL
Profile APPS_PORTAL hierarchy type has been
successfully changed to SERVRESP
Changing the hierarchy type for the Profile CZ_UIMGR_URL
Profile CZ_UIMGR_URL hierarchy type has been
successfully changed to SERVRESP
Changing the hierarchy type for the Profile QP_PRICING_ENGINE_URL
Profile QP_PRICING_ENGINE_URL hierarchy type has been
successfully changed to SERVRESP
Changing the hierarchy type for the Profile TCF:HOST
Profile TCF:HOST hierarchy type has been
successfully changed to SERVRESP
Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production
With the Partitioning, OLAP and Data Mining options
xiv) After the completion of the script, start the primary instance, log in as sysadmin
and change the following profile at server level:
Server : iRecruit
Profile : Node Trust Level
Make the change at the server level to External.
This Completes the DMZ Configuration !!!
xv) Expose the responsibility to the external tier as per the requirement, as seen in the following
screenshot.

xvi) Once the above process is completed, the DMZ node can be started with the sequence given
below.
xvii) Startup and shutdown of DMZ Applications
We can start the iRecruit node with the following sequence
adopmnctl.sh start
adoafmctl.sh start
adformsctl.sh start
adoacorectl.sh start
adapcctl.sh start

To stop the DMZ follow the sequence stated below

adapcctl.sh stop
adoacorectl.sh stop
adformsctl.sh stop
adoafmctl.sh stop
adopmnctl.sh stop

URL : http://irecruit.oracle.com:8010/OA_HTML/IrcVisitor.jsp
