11 Configuring Oracle HTTP Server for an Enterprise Deployment
For an enterprise deployment, Oracle HTTP Server must be installed on each of the web tier hosts and configured as Oracle HTTP standalone domains on each host.
In this enterprise deployment, the load balancer (LBR) communicates with OHS over SSL for a more secure configuration. The OHS instances also communicate over SSL with the specific Managed Servers in the application tier. SSL is configured all the way from the LBR to the backend WLS servers.
Before you configure Oracle HTTP Server, be sure to review Understanding the Web Tier.
Note:
As of Fusion Middleware 14.1.2.0.0, Oracle Traffic Director has been deprecated. For an enterprise deployment, use Oracle HTTP Server.
- About the Oracle HTTP Server Domains
  In an enterprise deployment, each Oracle HTTP Server instance is configured on a separate host and in its own standalone domain. This allows for a simplified management that requires a minimum amount of configuration and a minimum amount of resources to run and maintain. Contrary to the App tier, Node Managers in the Web Tier listen on plain sockets because they are only accessed locally (they listen on localhost only).
- Variables Used When Configuring the Oracle HTTP Server
  As you perform the tasks in this chapter, you reference the directory variables that are listed in this topic.
- Installing Oracle HTTP Server on WEBHOST1
  It is important to understand the procedure for installing the Oracle HTTP Server software on the web tier.
- Creating an Oracle HTTP Server Domain on WEBHOST1
  The following topics describe how to create a new Oracle HTTP Server standalone domain on the first web tier host.
- Installing and Configuring an Oracle HTTP Server Domain on WEBHOST2
  After you install Oracle HTTP Server and configure a domain on WEBHOST1, then you must also perform the same tasks on WEBHOST2.
- Starting the Node Manager and Oracle HTTP Server Instances on WEBHOST1 and WEBHOST2
  It is important to understand how to start the Oracle HTTP Server instances on WEBHOST1 and WEBHOST2.
- Generate Required Certificates for OHS SSL Listeners
  Since the OHS listeners use SSL it is necessary to create the appropriate certificates for them and add also the pertaining SANs for the server names they use. It is required to have certificates for each WEBHOST address, adding as SAN the different ServerNames that are used in them.
- Configuring Oracle HTTP Server to Route Requests to the Application Tier
  It is important to understand how to update the Oracle HTTP Server configuration files so that the web server instances route requests to the servers in the domain.
About the Oracle HTTP Server Domains
In an enterprise deployment, each Oracle HTTP Server instance is configured on a separate host and in its own standalone domain. This allows for simplified management that requires a minimum amount of configuration and a minimum amount of resources to run and maintain. Unlike the application tier, Node Managers in the web tier listen on plain sockets because they are accessed only locally (they listen on localhost only).
For more information about the role and configuration of the Oracle HTTP Server instances in the web tier, see Understanding the Web Tier.
Variables Used When Configuring the Oracle HTTP Server
As you perform the tasks in this chapter, you reference the directory variables that are listed in this topic.
The values for several directory variables are defined in File System and Directory Variables Used in This Guide.
- WEB_ORACLE_HOME
- WEB_DOMAIN_HOME
- WEB_KEYSTORE_HOME
- JAVA_HOME
In addition, you reference the following virtual IP (VIP) address and host names:
- ADMINVHN
- WEBHOST1
- WEBHOST2
- SOAHOST1
- SOAHOST2
Installing Oracle HTTP Server on WEBHOST1
It is important to understand the procedure for installing the Oracle HTTP Server software on the web tier.
Installing a Supported JDK
Oracle Fusion Middleware requires that a certified Java Development Kit (JDK) is installed on your system.
Locating and Downloading the JDK Software
To find a certified JDK, see the certification document for your release on the Oracle Fusion Middleware Supported System Configurations page.
After you identify the Oracle JDK for the current Oracle Fusion Middleware release, you can download an Oracle JDK from the following location on Oracle Technology Network:
https://www.oracle.com/java/technologies/downloads/
Be sure to navigate to the download for the Java SE JDK.
Installing the JDK Software
Oracle HTTP Server requires that you install a certified Java Development Kit (JDK) on your system.
You must install the JDK in the local storage device for each of the web tier host computers. The web tier host computers, which reside in the DMZ, do not necessarily have access to the shared storage on the application tier.
For more information about the recommended location for the JDK software, see Understanding the Recommended Directory Structure for an Enterprise Deployment.
The following example describes how to install a recent version of JDK 17.0.10.
Starting the Installer on WEBHOST1
To start the installation program, perform the following steps.
Navigating the Oracle HTTP Server Installation Screens
The following table lists the screens in the order that the installation program displays them.
If you need additional help with any of the installation screens, click the screen name.
Table 11-1 Oracle HTTP Server Installation Screens
Screen | Description |
---|---|
| On UNIX operating systems, this screen appears if you install any Oracle product on this host for the first time. Specify the location where you want to create your central inventory. Ensure that the operating system group name selected on this screen has write permissions to the central inventory location. See Understanding the Oracle Central Inventory in Installing Software with the Oracle Universal Installer. Note: Oracle recommends that you configure the central inventory directory within the products directory. Example: You may also need to execute the |
| This screen introduces you to the product installer. |
| Use this screen to automatically search My Oracle Support for available patches or automatically search the local directory for patches that you have already downloaded for your organization. |
| Use this screen to specify the location of your Oracle home directory. For the purposes of an enterprise deployment, enter the value of the WEB_ORACLE_HOME variable listed in Table 7-3. |
| Select Standalone HTTP Server (Managed independently of WebLogic server). This installation type allows you to configure the Oracle HTTP Server instances independently from any other existing Oracle WebLogic Server domains. |
| For the value of JDK Home, enter the value of JAVA_HOME that you set when installing the JDK software. |
| This screen verifies that your system meets the minimum necessary requirements. If there are any warning or error messages, verify that your host computers and the required software meet the system requirements and certification information described in Host Computer Hardware Requirements and Operating System Requirements for the Enterprise Deployment Topology. |
| Use this screen to verify the installation options that you selected. If you want to save these options to a response file, click Save Response File and provide the location and name of the response file. Response files can be used later in a silent installation situation. See Using the Oracle Universal Installer in Silent Mode in Installing Software with the Oracle Universal Installer. |
| This screen allows you to see the progress of the installation. |
| This screen appears when the installation is complete. Review the information on this screen, then click Finish to close the installer. |
Verifying the Oracle HTTP Server Installation
Verify that the Oracle HTTP Server installation completed successfully by validating the WEB_ORACLE_HOME folder contents.
Run the following command to compare the installed folder structure with the following list:
ls --format=single-column $WEB_ORACLE_HOME
The following files and directories are listed in the Oracle HTTP Server Oracle Home:
assistants
bin
cfgtoollogs
clone
crs
crypto
css
cv
deinstall
drdaas
env.ora
has
hs
install
instantclient
inventory
javavm
jdbc
jlib
jpub
ldap
lib
network
nls
odbc
ohs
olap
OPatch
opmn
oracle_common
oracore
oraInst.loc
ord
oss
oui
perl
plsql
plugins
precomp
QOpatch
racg
rdbms
root.sh
schagent.conf
sdk
slax
sqlcl
sqlj
sqlplus
srvm
suptools
ucp
unixODBC
usm
utl
webgate
wlserver
xdk
Creating an Oracle HTTP Server Domain on WEBHOST1
The following topics describe how to create a new Oracle HTTP Server standalone domain on the first web tier host.
Starting the Configuration Wizard on WEBHOST1
To start the Configuration Wizard, navigate to the following directory and start the WebLogic Server Configuration Wizard, as follows:
cd $WEB_ORACLE_HOME/oracle_common/common/bin
./config.sh
Navigating the Configuration Wizard Screens for an Oracle HTTP Server Domain
Oracle recommends that you create a standalone domain for the Oracle HTTP Server instances on each web tier host.
The following topics describe how to create a new standalone Oracle HTTP Server domain:
- Task 1, "Selecting the Domain Type and Domain Home Location"
- Task 7, "Reviewing Your Configuration Specifications and Configuring the Domain"

Task 1 Selecting the Domain Type and Domain Home Location
On the Configuration Type screen, select Create a new domain.
In the Domain Location field, enter the value assigned to the WEB_DOMAIN_HOME variable.
Note the following:
- The Configuration Wizard creates the new directory that you specify here.
- Create the directory on local storage, so the web servers do not have any dependencies on storage devices outside the DMZ.
Tip:
- More information about the Domain home directory can be found in About the Domain Home Directory in Planning an Installation of Oracle Fusion Middleware.
- More information about the other options on this screen can be found in Configuration Type in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.
- For more information about the web tier and the DMZ, see Understanding the Firewalls and Zones of a Typical Enterprise Deployment.
- For more information about the WEB_DOMAIN_HOME directory variable, see File System and Directory Variables Used in This Guide.

Task 2 Selecting the Configuration Templates
On the Templates screen, select Oracle HTTP Server (Standalone) - [ohs].
Tip:
More information about the options on this screen can be found in Templates in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.

Task 3 Selecting the JDK for the Web Tier Domain
Select the Oracle HotSpot JDK installed in the /u02/oracle/products/jdk directory prior to the Oracle HTTP Server installation.

Task 4 Configuring System Components
On the System Components screen, configure one Oracle HTTP Server instance. The screen should, by default, have a single instance defined. This is the only instance that you need to create.
- The default instance name in the System Component field is ohs1. Use this default name when you configure WEBHOST1.
- Make sure that OHS is selected in the Component Type field.
- Use the Restart Interval Seconds field to specify the number of seconds to wait before you attempt a restart if an application is not responding.
- Use the Restart Delay Seconds field to specify the number of seconds to wait between restart attempts.

Task 5 Configuring OHS Server
Use the OHS Server screen to configure the OHS servers in your domain:
- Select ohs1 from the System Component drop-down menu.
- In the Listen Address field, enter the value of WEBHOST1.
  All the remaining fields are prepopulated, but you can change the values as required for your organization. The non-SSL listener will be disabled manually later in this guide. See OHS Server in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.
- In the Server Name field, verify the value of the listen address and listen port.
  It should appear as follows:
  http://WEBHOST1:7777

Task 6 Configuring Node Manager
Select Per Domain Default Location as the Node Manager type, and specify the user name and password for the Node Manager.
Note:
For more information about the options on this screen, see Node Manager in Creating WebLogic Domains Using the Configuration Wizard.
For information about Node Manager configuration, see Configuring Node Manager on Multiple Machines in Administering Node Manager for Oracle WebLogic Server.

Task 7 Reviewing Your Configuration Specifications and Configuring the Domain
The Configuration Summary screen contains detailed configuration information for the domain that you are about to create. Review the details of each item on the screen and verify that the information is correct.
If you need to make any changes, you can go back to any previous screen either by using the Back button or by selecting the screen in the navigation pane.
Domain creation does not begin until you click Create.
In the Configuration Progress screen, click Next when it finishes.
Tip:
More information about the options on this screen can be found in Configuration Summary in Creating WebLogic Domains Using the Configuration Wizard.

Task 8 Writing Down Your Domain Home
The Configuration Success screen shows the domain home location.
Make a note of the information provided here, as you need it to start the servers and access the Administration Server.
Click Finish to close the Configuration Wizard.
Installing and Configuring an Oracle HTTP Server Domain on WEBHOST2
After you install Oracle HTTP Server and configure a domain on WEBHOST1, then you must also perform the same tasks on WEBHOST2.
- Log in to WEBHOST2 and install Oracle HTTP Server by using the instructions in Installing Oracle HTTP Server on WEBHOST1.
- Configure a new standalone domain on WEBHOST2 by using the instructions in Creating a Web Tier Domain on WEBHOST1.
  Use the name ohs2 for the instance on WEBHOST2, and be sure to replace all occurrences of WEBHOST1 with WEBHOST2 and all occurrences of ohs1 with ohs2 in each of the examples.
Starting the Node Manager and Oracle HTTP Server Instances on WEBHOST1 and WEBHOST2
It is important to understand how to start the Oracle HTTP Server instances on WEBHOST1 and WEBHOST2.
Starting the Node Manager on WEBHOST1 and WEBHOST2
Before you can start the Oracle HTTP Server instances, you must start the Node Manager on WEBHOST1 and WEBHOST2:
See Advanced Node Manager Configuration in Administering Node Manager for Oracle WebLogic Server.
Setting Frontend Addresses and WebLogic Plugin for the WSM_PM Cluster and the Administration Server
As a security best practice, Oracle recommends setting a frontend address for the Administration Server and the WSM-PM cluster. During the initial domain creation steps, OHS and the frontend load balancer may not have been configured yet, so the frontend setting is left unset to allow verification through the individual server addresses. At this point, before you configure OHS (and the frontend load balancer, if not done yet), you must add the corresponding addresses.
- To set the frontend and WebLogic Plugin for the Administration Server, use the WebLogic Remote Console as follows:
  - Click Edit Tree.
  - Click Environment > Servers > AdminServer.
  - Select the Protocol tab and then select the HTTP tab.
  - As Frontend Host, enter the frontend LBR address that is used to access Enterprise management and the Remote Console (admin.example.com in the example used in this guide).
  - Leave the Frontend HTTP port set to 0.
  - Enter the LBR’s admin listener port (445) as Frontend HTTPS port.
  - Click Save.
  - Click the cart icon at the top right to commit the changes.
- To set the frontend for the WSM-PM Cluster, use the Remote Console as follows:
- Enable the proxy plugin for the domain using the WebLogic Remote Console as follows:
  - Click Edit Tree.
  - Click Environment > Domain.
  - Select the Web Application tab.
  - Click the WebLogic Plugin Enable button.
  - Click Save.
  - Click the cart icon at the top right to commit the changes.
Generate Required Certificates for OHS SSL Listeners
Because the OHS listeners use SSL, you must create the appropriate certificates for them and add the SANs for the server names that they use. A certificate is required for each WEBHOST address, with the different ServerNames used on that host added as SANs.
This enterprise deployment uses soainternal.example.com, soa.example.com, osb.example.com and admin.example.com as frontend addresses. These addresses are used in the WLS domain configuration as frontend addresses for different clusters and servers.
Oracle recommends using the same Identity and Trust store files for all the CAs and certificates used in the app tier. The OHS nodes do not use shared storage, so the stores need to be copied to their private folders from the app tier. Certificates in a production system should come from formal Certificate Authorities.
In Oracle FMW 14.1.2.0, Oracle WebLogic Server allows the use of a per-domain Certificate Authority (CA). To update the Identity store and Trust store for the OHS SSL listeners with a WebLogic Server per-domain CA, perform the following steps. Run these steps on any of the WLS nodes (because the OHS nodes do not install the CertGen and keytool utilities) and then transfer the stores to the OHS nodes:
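One way to confirm that a listener certificate covers the ServerName values of the virtual hosts it serves, shown as an added example that is not part of the Oracle guide or its scripts. It compares the hostnames in ServerName directives with the DNS SANs found in the output of openssl x509 -noout -text; the function names, the sample file names, the listener ports in the sample and the sample certificate text are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the Oracle guide: list ServerName hosts that a
# listener certificate does not carry as a DNS subject alternative name.

# Hostnames from uncommented ServerName directives in the given files,
# lower-cased, with any scheme and port removed.
server_names() {
    awk 'tolower($1) == "servername" && NF >= 2 {
             h = tolower($2)
             sub(/^[a-z]+:\/\//, "", h)
             sub(/:[0-9]+$/, "", h)
             print h
         }' "$@" | sort -u
}

# DNS entries of the SAN extension, read on stdin from the text form of a
# certificate (the output of: openssl x509 -in cert.pem -noout -text).
san_names() {
    awk '/X509v3 Subject Alternative Name/ {
             getline
             gsub(/[ \t]/, "")
             n = split($0, entry, ",")
             for (i = 1; i <= n; i++)
                 if (entry[i] ~ /^DNS:/) print tolower(substr(entry[i], 5))
         }' | sort -u
}

# Usage: openssl x509 -in cert.pem -noout -text | missing_sans vhost.conf...
# Prints each ServerName host with no identical DNS SAN and returns 1 if any
# is printed. Wildcard SANs are compared literally, not expanded.
missing_sans() {
    sans=$(mktemp)
    san_names > "$sans"
    if server_names "$@" | grep -Fxv -f "$sans"; then rc=1; else rc=0; fi
    rm -f "$sans"
    return $rc
}

# Constructed sample data: two virtual host files in directory $1, and the
# SAN part of a certificate text dump that omits soainternal.example.com.
write_sample_vhosts() {
    printf '%s\n' '<VirtualHost WEBHOST1:4445>' \
        '    ServerName https://admin.example.com:445' \
        '</VirtualHost>' > "$1/admin_vh.conf"
    printf '%s\n' '<VirtualHost WEBHOST1:4444>' \
        '    # ServerName https://old.example.com:444' \
        '    ServerName https://soainternal.example.com:444' \
        '</VirtualHost>' > "$1/soainternal_vh.conf"
}
sample_cert_text() {
    printf '%s\n' '        X509v3 extensions:' \
        '            X509v3 Subject Alternative Name: ' \
        '                DNS:WEBHOST1.example.com, DNS:admin.example.com' \
        '            X509v3 Basic Constraints: '
}

# With file arguments, check them against the certificate text on stdin.
if [ $# -gt 0 ]; then missing_sans "$@"; fi
```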
Configuring Oracle HTTP Server to Route Requests to the Application Tier
It is important to understand how to update the Oracle HTTP Server configuration files so that the web server instances route requests to the servers in the domain.
- About the Oracle HTTP Server Configuration for an Enterprise Deployment
- Modifying the httpd.conf File to Include Virtual Host Configuration Files
- Creating the Virtual Host Configuration Files
- Validating the Virtual Server Configuration on the Load Balancer
- Validating Access to the Management Consoles and Administration Server
- Configure a New Provider in the WebLogic Remote Console to Access the Domain Configuration Through the Frontend LBR
About the Oracle HTTP Server Configuration for an Enterprise Deployment
The following topics provide overview information about the changes that are required to the Oracle HTTP Server configuration files in an enterprise deployment.
Purpose of the Oracle HTTP Server Virtual Hosts
The reference topologies in this guide require that you define a set of virtual servers on the hardware load balancer. You can then configure Oracle HTTP Server to recognize requests to specific virtual hosts (that map to the load balancer virtual servers) by adding <VirtualHost> directives to the Oracle HTTP Server instance configuration files.
For each Oracle HTTP Server virtual host, you define a set of specific URLs (or context strings) that route requests from the load balancer through the Oracle HTTP Server instances to the appropriate Administration Server or Managed Server in the Oracle WebLogic Server domain.
About the WebLogicCluster Parameter of the <VirtualHost> Directive
A key parameter of the Oracle HTTP Server <VirtualHost> directive is the WebLogicCluster parameter, which is part of the WebLogic Proxy Plug-In for Oracle HTTP Server. When you configure Oracle HTTP Server for an enterprise deployment, consider the following information when you add this parameter to the Oracle HTTP Server configuration files.
The servers specified in the WebLogicCluster parameter are important only at startup time for the plug-in. The list needs to provide at least one running cluster member for the plug-in to discover other members of the cluster. When you start the Oracle HTTP Server, the listed cluster member must be running. Oracle WebLogic Server and the plug-in work together to update the server list automatically with new, failed, and recovered cluster members.
Some example scenarios:
- Example 1: If you have a two-node cluster and then add a third member, you do not need to update the configuration to add the third member. The third member is discovered on the fly at runtime.
- Example 2: You have a three-node cluster but only two nodes are listed in the configuration. However, if both listed nodes are down when you start Oracle HTTP Server, then the plug-in would fail to route to the cluster. You must ensure that at least one of the listed nodes is running when you start Oracle HTTP Server.
If you list all members of the cluster, then you guarantee you can route to the cluster, assuming at least one member is running when Oracle HTTP Server is started.
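The startup rule above can be checked before Oracle HTTP Server is started. The following script is an added example, not part of the Oracle guide: it reads the WebLogicCluster lists from a virtual host file and reports any list in which no member accepts a TCP connection. The sample file contents, its paths and ports, the function names and the use of nc as the default probe are assumptions.

```sh
#!/bin/sh
# Added example, not from the Oracle guide: before starting OHS, check that every
# WebLogicCluster list names at least one member that accepts connections.

# Default probe: TCP connect with nc (assumed installed). Set PROBE to the name
# of another function or command taking HOST PORT to change the test.
probe_tcp() { nc -z -w 3 "$1" "$2" >/dev/null 2>&1; }
PROBE=${PROBE:-probe_tcp}

# Print "LINE MEMBERS" for each uncommented WebLogicCluster directive in FILE.
cluster_lists() {
    awk 'tolower($1) == "weblogiccluster" && NF >= 2 { print NR, $2 }' "$1"
}

# Report each list in FILE with no reachable member; return 1 if any is found.
check_cluster_lists() {
    conf=$1
    rc=0
    lists=$(cluster_lists "$conf")
    while read -r lineno members; do
        [ -n "$lineno" ] || continue
        live=0
        for m in $(printf '%s' "$members" | tr ',' ' '); do
            if "$PROBE" "${m%:*}" "${m##*:}" </dev/null; then
                live=$((live + 1))
            fi
        done
        if [ "$live" -eq 0 ]; then
            echo "$conf:$lineno: no reachable member in $members"
            rc=1
        fi
    done <<EOF
$lists
EOF
    return $rc
}

# Constructed sample virtual host fragment (paths and ports are illustrative).
# The second list names a single member, the case in which startup can fail.
write_sample_vhost() {
    printf '%s\n' \
        '<Location /soa-infra>' \
        '    WLSRequest ON' \
        '    WebLogicCluster SOAHOST1:7004,SOAHOST2:7004' \
        '</Location>' \
        '<Location /wsm-pm>' \
        '    WLSRequest ON' \
        '    # WebLogicCluster SOAHOST1:7010,SOAHOST2:7010' \
        '    WebLogicCluster SOAHOST1:7010' \
        '</Location>' > "$1"
}

# Usage: sh check_wl_cluster.sh <virtual_host.conf>...
status=0
for f in "$@"; do
    check_cluster_lists "$f" || status=1
done
[ $# -eq 0 ] || exit "$status"
```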
Recommended Structure of the Oracle HTTP Server Configuration Files
Rather than adding multiple virtual host definitions to the httpd.conf file, Oracle recommends that you create separate, smaller, and more specific configuration files for each of the virtual servers required for the products that you are deploying. This avoids populating an already large httpd.conf file with additional content, and it can make troubleshooting configuration problems easier.
For example, in a typical Oracle Fusion Middleware Infrastructure domain, you can add a specific configuration file called admin_vh.conf that contains the virtual host definition for the Administration Server virtual host (ADMINVHN).
Since all virtual hosts in this EDG use SSL, the original ssl.conf file is used as a template for them. This Enterprise Deployment Guide segregates the listeners and certificates that are used by the different endpoints exposed through OHS. It uses different certificates and listeners for the external, internal and administration virtual hosts. This permits segregating the traffic and the encryption quality for each type of access and provides a well-structured mapping of front ends, Virtual Hosts and listeners.
Modifying the httpd.conf File to Include Virtual Host Configuration Files
Perform the following tasks to prepare the httpd.conf file for the additional virtual hosts required for an enterprise topology:
1. Log in to WEBHOST1.
2. Locate the httpd.conf file for the first Oracle HTTP Server instance (ohs1) in the domain directory:
   cd $WEB_DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/
3. Verify that the httpd.conf file has the appropriate configuration as follows:
   - Run the following command to verify the ServerName parameter. Be sure that it is set correctly, substituting the correct value for the current WEBHOSTn:
     grep "ServerName http" httpd.conf
     ServerName http://WEBHOST1:7777
   - Run the following command to verify there is an include statement that includes all *.conf files from the moduleconf subdirectory:
     grep moduleconf httpd.conf
     IncludeOptional "moduleconf/*.conf"
   - If either validation fails to return results, or returns results that are commented out, open the httpd.conf file in a text editor and make the required changes in the appropriate locations.
     #
     # ServerName gives the name and port that the server uses to identify itself.
     # This can often be determined automatically, but we recommend you specify
     # it explicitly to prevent problems during startup.
     #
     # If your host doesn't have a registered DNS name, enter its IP address here.
     #
     ServerName http://WEBHOST1:7777
     # and at the end of the file:
     # Include the admin virtual host (Proxy Virtual Host) related configuration
     include "admin.conf"
     IncludeOptional "moduleconf/*.conf"
   - Save the httpd.conf file.
4. Ensure ssl.conf is included in the httpd configuration.
   grep ssl.conf httpd.conf
   include "ssl.conf"
5. Copy the ssl.conf file to a different file name.
   Note:
   This is used as a template for other module conf files.
   cp $WEB_DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/ssl.conf $WEB_DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/moduleconf/ssl.template
6. Edit the ssl.conf file to include only the following lines (remove other content from the file):
   <IfModule ossl_module>
   #
   # Some MIME-types for downloading Certificates and CRLs
   AddType application/x-x509-ca-cert .crt
   AddType application/x-pkcs7-crl .crl
   # Inter-Process Session Cache:
   # Configure the SSL Session Cache: First the mechanism
   # to use, second the expiring timeout (in seconds) and third
   # the mutex to be used.
   SSLSessionCache "shmcb:${ORACLE_INSTANCE}/servers/${COMPONENT_NAME}/logs/ssl_scache(512000)"
   SSLSessionCacheTimeout 300
   </IfModule>
7. Modify the $WEB_DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/mod_wl_ohs.conf file to include the appropriate WLSSLWallet file (required to route on SSL to the WLS backends) as follows:
   # NOTE : This is a template to configure mod_weblogic.
   LoadModule weblogic_module "${PRODUCT_HOME}/modules/mod_wl_ohs.so"
   # This empty block is needed to save mod_wl related configuration from EM to this file when changes are made at the Base Virtual Host Level
   <IfModule weblogic_module>
   WLIOTimeoutSecs 900
   KeepAliveSecs 290
   FileCaching OFF
   WLSocketTimeoutSecs 15
   ErrorPage http://www.oracle.com/splash/cloud/index.html
   WLRetryOnTimeout NONE
   WLForwardUriUnparsed On
   SecureProxy On
   WLSSLWallet "/u02/oracle/config/keystores/orapki/"
   </IfModule>
8. Log in to WEBHOST2 and perform steps 2 to 7, replacing any occurrences of WEBHOST1 or ohs1 with WEBHOST2 or ohs2 in the instructions as necessary.
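The checks and edits described above can be scripted so that they are repeatable on WEBHOST1 and WEBHOST2. The script below is an added example, not part of the Oracle guide; the function names and the sample directory contents are assumptions, and a directive that appears only in a comment is reported as missing.

```sh
#!/bin/sh
# Added example, not from the Oracle guide: audit one OHS instance directory
# for the settings made in the procedure above.

# True when FILE ($1) has an uncommented line matching the ERE in $2.
# A directive that appears only behind '#' counts as missing.
has_directive() {
    [ -f "$1" ] && grep -v '^[[:space:]]*#' "$1" | grep -Eiq "$2"
}

# Print one line per finding for instance directory $1; return 1 if any.
audit_ohs_instance() {
    dir=$1
    rc=0
    need() {  # need FILE ERE DESCRIPTION
        has_directive "$dir/$1" "$2" || { echo "MISSING $1: $3"; rc=1; }
    }
    need httpd.conf '^[[:space:]]*ServerName[[:space:]]+https?://[^[:space:]/]+:[0-9]+' \
        'ServerName with scheme, host and port'
    need httpd.conf '^[[:space:]]*IncludeOptional[[:space:]]+"?moduleconf/\*\.conf' \
        'IncludeOptional "moduleconf/*.conf"'
    need httpd.conf '^[[:space:]]*Include[[:space:]]+"?ssl\.conf' 'include "ssl.conf"'
    need mod_wl_ohs.conf '^[[:space:]]*SecureProxy[[:space:]]+On[[:space:]]*$' 'SecureProxy On'
    need mod_wl_ohs.conf '^[[:space:]]*WLSSLWallet[[:space:]]+[^[:space:]]' 'WLSSLWallet'
    [ -f "$dir/moduleconf/ssl.template" ] ||
        { echo "MISSING moduleconf/ssl.template: copy of the original ssl.conf"; rc=1; }
    # After trimming, ssl.conf holds only the ossl_module block.
    if has_directive "$dir/ssl.conf" '^[[:space:]]*(Listen|<VirtualHost)'; then
        echo "UNEXPECTED ssl.conf: Listen or <VirtualHost> still present"
        rc=1
    fi
    return $rc
}

# Constructed sample in directory $1: ServerName is commented out and
# ssl.conf still has a Listen line (port value is illustrative).
write_sample_instance() {
    mkdir -p "$1/moduleconf"
    printf '%s\n' '# ServerName http://WEBHOST1:7777' 'include "ssl.conf"' \
        'IncludeOptional "moduleconf/*.conf"' > "$1/httpd.conf"
    printf '%s\n' 'Listen 4443' '<IfModule ossl_module>' \
        'SSLSessionCacheTimeout 300' '</IfModule>' > "$1/ssl.conf"
    printf '%s\n' '<IfModule weblogic_module>' 'SecureProxy On' \
        'WLSSLWallet "/u02/oracle/config/keystores/orapki/"' \
        '</IfModule>' > "$1/mod_wl_ohs.conf"
    cp "$1/ssl.conf" "$1/moduleconf/ssl.template"
}

# Usage: sh audit_ohs.sh $WEB_DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1
if [ $# -gt 0 ]; then audit_ohs_instance "$1"; fi
```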
Creating the Virtual Host Configuration Files
To create the virtual host configuration files:
Note:
Before you create the virtual host configuration files, be sure that you have configured the virtual servers on the load balancer, as described in Purpose of the Oracle HTTP Server Virtual Hosts.
Validating the Virtual Server Configuration on the Load Balancer
From the load balancer, access the following URLs to ensure that your load balancer and Oracle HTTP Server are configured properly. These URLs should show the initial Oracle HTTP Server 12c web page.
- https://admin.example.com:445/index.html
- https://soainternal.example.com:444/index.html
Validating Access to the Management Consoles and Administration Server
To verify the changes that you have made in this chapter:
- Access the Fusion Middleware Control by using the following URL:
  https://admin.example.com:445/em
Configure a New Provider in the WebLogic Remote Console to Access the Domain Configuration Through the Frontend LBR
Create a new Admin Server Connection Provider that connects through the frontend load balancer and OHS to the domain’s Administration Server. To establish this connection, the WebLogic Remote Console must trust the certificate used by the load balancer for the administration frontend address.
- Ensure that the Trust Store used by the WebLogic Remote Console includes the certificate or the CA certificate used by the frontend load balancer in the admin virtual server.
  Tip:
  If you used the script generate_perdomainCACERTS-ohs.sh, you can download the appTrustKeyStore.pkcs12 file from the domain and use it as the WebLogic Remote Console trust store. It includes the frontend load balancer certificates as a trusted entity.
- Open the WebLogic Remote Console and click Add Admin Server Connection Provider.
- Use the following values for the new provider:
  - Connection Provider Name: Use a name identifying the connection. For example, soaedg_domain_lbrprovider.
  - Username and Password: Enter the WebLogic Domain Administration user and password.
  - URL: Use the frontend address and the port. For example, https://admin.example.com:445.
  - Make Insecure Connect: If the appropriate trust store settings are completed, you do not need to check this field.
    Note:
    If you are using demo certs in the load balancer, you might need to check the Disable host name verification field in the WebLogic Remote Console settings.
- Click OK to add the provider.
- Click the new provider.
You must be able to manage the domain remotely through the frontend LBR with these settings.