Configuring Oracle HTTP Server for an Enterprise Deployment

11 Configuring Oracle HTTP Server for an Enterprise Deployment

For an enterprise deployment, Oracle HTTP Server must be installed on each of the web tier hosts and configured as Oracle HTTP standalone domains on each host.

In this enterprise deployment, the LBR communicates with OHS over SSL protocol for a more secure configuration. The OHS instances also communicate over SSL protocol with the specific Managed Servers in the application tier. SSL is configured all the way from the LBR to the backend WLS servers.

Before you configure Oracle HTTP Server, be sure to review Understanding the Web Tier.

Note:

As of Fusion Middleware 14.1.2.0.0, Oracle Traffic Director has been deprecated. For an enterprise deployment, use Oracle HTTP Server.

About the Oracle HTTP Server Domains
In an enterprise deployment, each Oracle HTTP Server instance is configured on a separate host and in its own standalone domain. This allows for a simplified management that requires a minimum amount of configuration and a minimum amount of resources to run and maintain. Contrary to the App tier, Node Managers in the Web Tier listen on plain sockets because they are only accessed locally (they listen on localhost only).
Variables Used When Configuring the Oracle HTTP Server
As you perform the tasks in this chapter, you reference the directory variables that are listed in this topic.
Installing Oracle HTTP Server on WEBHOST1
It is important to understand the procedure for installing the Oracle HTTP Server software on the web tier.
Creating an Oracle HTTP Server Domain on WEBHOST1
The following topics describe how to create a new Oracle HTTP Server standalone domain on the first web tier host.
Installing and Configuring an Oracle HTTP Server Domain on WEBHOST2
After you install Oracle HTTP Server and configure a domain on WEBHOST1, then you must also perform the same tasks on WEBHOST2.
Starting the Node Manager and Oracle HTTP Server Instances on WEBHOST1 and WEBHOST2
It is important to understand how to start the Oracle HTTP Server instances on WEBHOST1 and WEBHOST2.
Generate Required Cetificates for OHS SSL Listeners
Since the OHS listeners use SSL it is necessary to create the appropriate certificates for them and add also the pertaining SANs for the server names they use. It is required to have certificates for each WEBHOST address, adding as SAN the different ServerNames that are used in them.
Configuring Oracle HTTP Server to Route Requests to the Application Tier
It is important to understand how to update the Oracle HTTP Server configuration files so that the web server instances route requests to the servers in the domain.

Parent topic: Configuring the Enterprise Deployment

About the Oracle HTTP Server Domains

In an enterprise deployment, each Oracle HTTP Server instance is configured on a separate host and in its own standalone domain. This allows for a simplified management that requires a minimum amount of configuration and a minimum amount of resources to run and maintain. Contrary to the App tier, Node Managers in the Web Tier listen on plain sockets because they are only accessed locally (they listen on localhost only).

For more information about the role and configuration of the Oracle HTTP Server instances in the web tier, see Understanding the Web Tier.

Parent topic: Configuring Oracle HTTP Server for an Enterprise Deployment

Variables Used When Configuring the Oracle HTTP Server

As you perform the tasks in this chapter, you reference the directory variables that are listed in this topic.

The values for several directory variables are defined in File System and Directory Variables Used in This Guide.

WEB_ORACLE_HOME
WEB_DOMAIN_HOME
WEB_KEYSTORE_HOME
JAVA _HOME

In addition, you reference the following virtual IP (VIP) address and host names:

ADMINVHN
WEBHOST1
WEBHOST2
SOAHOST1
SOAHOST2

Parent topic: Configuring Oracle HTTP Server for an Enterprise Deployment

Installing Oracle HTTP Server on WEBHOST1

It is important to understand the procedure for installing the Oracle HTTP Server software on the web tier.

Parent topic: Configuring Oracle HTTP Server for an Enterprise Deployment

Installing a Supported JDK

Oracle Fusion Middleware requires that a certified Java Development Kit (JDK) is installed on your system.

Parent topic: Installing Oracle HTTP Server on WEBHOST1

Locating and Downloading the JDK Software

To find a certified JDK, see the certification document for your release on the Oracle Fusion Middleware Supported System Configurations page.

After you identify the Oracle JDK for the current Oracle Fusion Middleware release, you can download an Oracle JDK from the following location on Oracle Technology Network:

https://www.oracle.com/java/technologies/downloads/

Be sure to navigate to the download for the Java SE JDK.

Parent topic: Installing a Supported JDK

Installing the JDK Software

Oracle HTTP Server requires that you install a certified Java Development Kit (JDK) on your system.

You must install the JDK in the local storage device for each of the web tier host computers. The web tier host computers, which reside in the DMZ, do not necessarily have access to the shared storage on the application tier.

For more information about the recommended location for the JDK software, see the Understanding the Recommended Directory Structure for an Enterprise Deployment.

The following example describes how to install a recent version of JDK 17.0.10.

Change directory to the location where you downloaded the JDK archive file.
```
cd download_dir
```
Unpack the archive into the JDK home directory, and then run the following commands:
```
tar -xzvf jdk-17.0.10+11_linux-x64_bin.tar.gz
```
Note that the JDK version listed here was accurate at the time this document was published. For the latest supported JDK, see the Oracle Fusion Middleware System Requirements and Specifications for the current Oracle Fusion Middleware release.
Move the JDK directory to the recommended location in the directory structure.
For example:
```
mv ./jdk-17.0.10 /u02/oracle/products/jdk
```
See File System and Directory Variables Used in This Guide.
Define the JAVA_HOME and PATH environment variables for running Java on the host computer.
For example:
```
export JAVA_HOME=/u02/oracle/products/jdk
export PATH=$JAVA_HOME/bin:$PATH
```
Run the following command to verify that the appropriate java executable is in the path and your environment variables are set correctly:
```
java -version
```
The Java version in the output should be displayed as 17.0.10.
Repeat steps 1 through 5 for each web tier host. For example, WEBHOST1 and WEBHOST2.

Parent topic: Installing a Supported JDK

Starting the Installer on WEBHOST1

To start the installation program, perform the following steps.

Log in to WEBHOST1.
Go to the directory in which you downloaded the installation program.
Enter the following command to launch the installation program:

./fmw_14.1.2.0.0_ohs_linux64.bin

When the installation program appears, you are ready to begin the installation.

Parent topic: Installing Oracle HTTP Server on WEBHOST1

Navigating the Oracle HTTP Server Installation Screens

The following table lists the screens in the order that the installation program displays them.

If you need additional help with any of the installation screens, click the screen name.

Table 11-1 Oracle HTTP Server Installation Screens

Screen	Description
Installation Inventory Setup	On UNIX operating systems, this screen appears if you install any Oracle product on this host for the first time. Specify the location where you want to create your central inventory. Ensure that the operating system group name selected on this screen has write permissions to the central inventory location. See Understanding the Oracle Central Inventory in Installing Software with the Oracle Universal Installer. Note: Oracle recommends that you configure the central inventory directory within the products directory. Example: `/u02/oracle/products/oraInventory` You may also need to execute the `createCentralinventory.sh` script as root from the `oraInventory` folder after the installer completes.
Welcome	This screen introduces you to the product installer.
Auto Updates	Use this screen to automatically search My Oracle Support for available patches or automatically search the local directory for patches that you have already downloaded for your organization.
Installation Location	Use this screen to specify the location of your Oracle home directory. For the purposes of an enterprise deployment, enter the value of the WEB_ORACLE_HOME variable listed in Table 7-3.
Installation Type	Select Standalone HTTP Server (Managed independently of WebLogic server). This installation type allows you to configure the Oracle HTTP Server instances independently from any other existing Oracle WebLogic Server domains.
JDK Selection	For the value of JDK Home, enter the value of JAVA_HOME that you set when installing the JDK software.
Prerequisite Checks	This screen verifies that your system meets the minimum necessary requirements. If there are any warning or error messages, verify that your host computers and the required software meet the system requirements and certification information described in Host Computer Hardware Requirements and Operating System Requirements for the Enterprise Deployment Topology.
Installation Summary	Use this screen to verify the installation options that you selected. If you want to save these options to a response file, click Save Response File and provide the location and name of the response file. Response files can be used later in a silent installation situation. See Using the Oracle Universal Installer in Silent Mode in Installing Software with the Oracle Universal Installer.
Installation Progress	This screen allows you to see the progress of the installation.
Installation Complete	This screen appears when the installation is complete. Review the information on this screen, then click Finish to close the installer.

Parent topic: Installing Oracle HTTP Server on WEBHOST1

Verifying the Oracle HTTP Server Installation

Verify that the Oracle HTTP Server installation completed successfully by validating the WEB_ORACLE_HOME folder contents.

Run the following command to compare the installed folder structure with the following list:

ls --format=single-column $WEB_ORACLE_HOME

The following files and directories are listed in the Oracle HTTP Server Oracle Home:


assistants
bin
cfgtoollogs
clone
crs
crypto
css
cv
deinstall
drdaas
env.ora
has
hs
install
instantclient
inventory
javavm
jdbc
jlib
jpub
ldap
lib
network
nls
odbc
ohs
olap
OPatch
opmn
oracle_common
oracore
oraInst.loc
ord
oss
oui
perl
plsql
plugins
precomp
QOpatch
racg
rdbms
root.sh
schagent.conf
sdk
slax
sqlcl
sqlj
sqlplus
srvm
suptools
ucp
unixODBC
usm
utl
webgate
wlserver
xdk

Parent topic: Installing Oracle HTTP Server on WEBHOST1

Creating an Oracle HTTP Server Domain on WEBHOST1

The following topics describe how to create a new Oracle HTTP Server standalone domain on the first web tier host.

Parent topic: Configuring Oracle HTTP Server for an Enterprise Deployment

Starting the Configuration Wizard on WEBHOST1

To start the Configuration Wizard, navigate to the following directory and start the WebLogic Server Configuration Wizard, as follows:

cd $WEB_ORACLE_HOME/oracle_common/common/bin
./config.sh

Parent topic: Creating an Oracle HTTP Server Domain on WEBHOST1

Navigating the Configuration Wizard Screens for an Oracle HTTP Server Domain

Oracle recommends that you create a standalone domain for the Oracle HTTP Server instances on each web tier host.

The following topics describe how to create a new standalone Oracle HTTP Server domain:

Task 1 Selecting the Domain Type and Domain Home Location

On the Configuration Type screen, select Create a new domain.

In the Domain Location field, enter the value assigned to the WEB_DOMAIN_HOME variable.

Note the following:

The Configuration Wizard creates the new directory that you specify here.
Create the directory on local storage, so the web servers do not have any dependencies on storage devices outside the DMZ.

Tip:

More information about the Domain home directory can be found in About the Domain Home Directory in Planning an Installation of Oracle Fusion Middleware.
More information about the other options on this screen can be found in Configuration Type in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.
For more information about the web tier and the DMZ, see Understanding the Firewalls and Zones of a Typical Enterprise Deployment.
For more information about the WEB_DOMAIN_HOME directory variable, see File System and Directory Variables Used in This Guide.

Task 2 Selecting the Configuration Templates

On the Templates screen, select Oracle HTTP Server (Standalone) - [ohs].

Tip:

More information about the options on this screen can be found in Templates in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.

Task 3 Selecting the JDK for the Web Tier Domain.

Select the Oracle HotSpot JDK installed in the /u02/oracle/products/jdk directory prior to the Oracle HTTP Server installation.

Task 4 Configuring System Components

On the System Components screen, configure one Oracle HTTP Server instance. The screen should, by default, have a single instance defined. This is the only instance that you need to create.

The default instance name in the System Component field is ohs1. Use this default name when you configure WEBHOST1.
Make sure that OHS is selected in the Component Type field.
Use the Restart Interval Seconds field to specify the number of seconds to wait before you attempt a restart if an application is not responding.
Use the Restart Delay Seconds field to specify the number of seconds to wait between restart attempts.

Task 5 Configuring OHS Server

Use the OHS Server screen to configure the OHS servers in your domain:

Select ohs1 from the System Component drop-down menu.
In the Listen Address field, enter the value of WEBHOST1.

All the remaining fields are prepopulated, but you can change the values as required for your organization. The non-ssl listener will be disabled manually later in this guide. See OHS Server in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.
In the Server Name field, verify the value of the listen address and listen port.

It should appear as follows:
```
http://WEBHOST1:7777
```

Task 6 Configuring Node Manager

Select Per Domain Default Location as the Node Manager type, and specify the user name and password for the Node Manager.

Note:

For more information about the options on this screen, see Node Manager in Creating WebLogic Domains Using the Configuration Wizard.

For information about Node Manager configuration, see Configuring Node Manager on Multiple Machines in Administering Node Manager for Oracle WebLogic Server.

Task 7 Reviewing Your Configuration Specifications and Configuring the Domain

The Configuration Summary screen contains detailed configuration information for the domain that you are about to create. Review the details of each item on the screen and verify that the information is correct.

If you need to make any changes, you can go back to any previous screen either by using the Back button or by selecting the screen in the navigation pane.

Domain creation does not begin until you click Create.

In the Configuration Progress screen, click Next when it finishes.

Tip:

More information about the options on this screen can be found in Configuration Summary in Creating WebLogic Domains Using the Configuration Wizard.

Task 8 Writing Down Your Domain Home

The Configuration Success screen shows the domain home location.

Make a note of the information provided here, as you need it to start the servers and access the Administration Server.

Click Finish to close the Configuration Wizard.

Parent topic: Creating an Oracle HTTP Server Domain on WEBHOST1

Installing and Configuring an Oracle HTTP Server Domain on WEBHOST2

After you install Oracle HTTP Server and configure a domain on WEBHOST1, then you must also perform the same tasks on WEBHOST2.

Log in to WEBHOST2 and install Oracle HTTP Server by using the instructions in Installing Oracle HTTP Server on WEBHOST1.
Configure a new standalone domain on WEBHOST2 by using the instructions in Creating a Web Tier Domain on WEBHOST1.

Use the name ohs2 for the instance on WEBHOST2, and be sure to replace all occurrences of WEBHOST1 with WEBHOST2 and all occurrences of ohs1 with ohs2 in each of the examples.

Parent topic: Configuring Oracle HTTP Server for an Enterprise Deployment

Starting the Node Manager and Oracle HTTP Server Instances on WEBHOST1 and WEBHOST2

It is important to understand how to start the Oracle HTTP Server instances on WEBHOST1 and WEBHOST2.

Parent topic: Configuring Oracle HTTP Server for an Enterprise Deployment

Starting the Node Manager on WEBHOST1 and WEBHOST2

Before you can start the Oracle HTTP Server instances, you must start the Node Manager on WEBHOST1 and WEBHOST2:

Modify nodemanager.properties to not use secure listener. Ensure it uses the localhost only as listen address. Your $WEB_DOMAIN_HOME/nodemanager/nodemanager.properties should appear like the following:


#Mon Feb 26 18:12:34 GMT 2024
#Node manager properties
#Mon Feb 26 18:03:35 GMT 2024
LogAppend=true
DomainsFile=/u02/oracle/config/domains/soaedgohs/nodemanager/nodemanager.domains
LogLevel=INFO
PropertiesVersion=14.1.2.0.0
ListenBacklog=50
QuitEnabled=false
LogCount=1
LogLimit=0
NodeManagerHome=/u02/oracle/config/domains/soaedgohs/nodemanager
LogToStderr=true
NativeVersionEnabled=true
AuthenticationEnabled=true
CrashRecoveryEnabled=false
weblogic.StopScriptEnabled=false
DomainsFileEnabled=true
weblogic.StartScriptEnabled=true
LogFile=/u02/oracle/config/domains/soaedgohs/nodemanager/nodemanager.log
LogFormatter=weblogic.nodemanager.server.LogFormatter
ListenAddress=localhost
JavaHome=/u02/oracle/products/jdk
weblogic.StartScriptName=startWebLogic.sh
ListenPort=5556
SecureListener=false
StateCheckInterval=500

Start the Node Manager as shown in the following sections by using nohup and nodemanager.out as an example output file:
```
nohup $WEB_DOMAIN_HOME/bin/startNodeManager.sh > $WEB_DOMAIN_HOME/nodemanager/nodemanager.out 2>&1 &
```
Log in to WEBHOST2 and perform steps 1 and 2.

See Advanced Node Manager Configuration in Administering Node Manager for Oracle WebLogic Server.

Parent topic: Starting the Node Manager and Oracle HTTP Server Instances on WEBHOST1 and WEBHOST2

Starting the Oracle HTTP Server Instances

To start the Oracle HTTP Server instances:

To start the ohs1 instance in WEBHOST1, enter the following commands:


$WEB_ORACLE_HOME/oracle_common/common/bin/wlst.sh 

wls:/offline> nmConnect('ohsdomain_admin_user','ohsdomain_admin_password','localhost','5556','ohsdomain_name','WEB_DOMAIN_HOME','PLAIN')

wls:/nm/soaedgohs> nmStart(serverName='ohs1',serverType='OHS')

Repeat Step 1 to start the ohs2 instance on WEBHOST2. See Starting Oracle HTTP Server Instances in Administering Oracle HTTP Server.
Check the logs in each node at $WEB_DOMAIN_HOME/servers/ohs1/logs/ohs1.log.
This will allow you to validate the appropriate start of OHS on a non-ssl listener. The following steps will guide you through the process for using the SSL listeners for OHS and routing to WLS using SSL.

Parent topic: Starting the Node Manager and Oracle HTTP Server Instances on WEBHOST1 and WEBHOST2

Setting Frontend Addresses and WebLogic Plugin for the WSM_PM Cluster and the Administration Server

As a security best practice oracle recommends setting a frontend address for the Administration Server and the WSM-PM cluster. In the initial domain creation steps, since OHS and the frontend Load Balancer may have not been configured yet, the frontend setting is avoided to allow verifications using the individual server addresses. However, at this point and before configuring OHS (and the frontend load balancer, if not done yet) it is required to add the pertaining addresses.

To set the frontend and WebLogic Plugin for the Administration Server, use the WebLogic Remote Console as follows:
1. Click Edit Tree.
2. Click Environment>Servers>AdminServer.
3. Select the Protocol Tab and then select the HTTP tab.
4. As Frontend Host, enter the front end LBR address that is used to access Enterprise management and the Remote Console (admin.example.com in the example used in this guide).
5. Leave the Frontend HTTP port set to 0.
6. Enter the LBR’s admin listener port (445) as Frontend HTTPS port.
7. Click Save.
8. Click the cart icon at the top right to commit the changes.
To set the frontend for the WSM-PM Cluster, use the Remote Console as follows:
1. Click Edit Tree.
2. Click Environment>Clusters>WSM-PM_Cluster.
3. Select the HTTP tab.
4. As Frontend Host, enter the front end LBR address that will be used to access internally to the Enteprise Deployment system (services like WSMPM and internal.example.com in the example used in this guide).
5. Leave the Frontend HTTP port set to 0.
6. Enter the LBR’s internal listener (if your LBR does not allow using the same port from different listener this will have to be a different one from the admin port used for the Admin Server access) as Frontend HTTPS port (444).
7. Click Save.
8. Click the cart icon at the top right to commit the changes.
  
  These changes requires a restart of the AdminServer and the WSM-PM_Cluster to be effective (a notification appears in the WebLogic Remote Console about restart being required).
Enable the proxy plugin for the domain using the WebLogic Remote Console as follows:
1. Click Edit Tree.
2. Click Environment>Domain.
3. Select Web Application tab.
4. Click the WebLogic Plugin Enable button.
5. Click Save.
6. Click the cart icon at the top right to commit the changes.

Parent topic: Starting the Node Manager and Oracle HTTP Server Instances on WEBHOST1 and WEBHOST2

Generate Required Cetificates for OHS SSL Listeners

Since the OHS listeners use SSL it is necessary to create the appropriate certificates for them and add also the pertaining SANs for the server names they use. It is required to have certificates for each WEBHOST address, adding as SAN the different ServerNames that are used in them.

This enterprise deployment uses soainternal.example.com, soa.example.com, osb.example.com and admin.example.com as frontend addresses. These addresses are used in the WLS domain configuration as frontend addresses for different clusters and servers.

Oracle recommends using the same Identity and Trust store files for all the CAs and certificates used in the app tier. The OHS nodes, do not use shared storage so the stores need to be copied to their private folders from the app tier. Certificates in a production system should come from formal Certificate Authorities.

In Oracle FMW 14.1.2.0, the Oracle WebLogic allows the usage of a per-domain Certificate Authority (CA). To update the Identity store and a Trust Store for the OHS SSL listeners in a Weblogic Server using a per-domain CA, you can perform the following steps. Run these steps in any of the WLS nodes (because the OHS ones do not install the CerGen and keytool utilities) and then transfer the stores to the OHS nodes:

Download the generate_perdomainCACERTS-ohs.sh script from the maa github repo https://github.com/oracle-samples/maa/blob/main/1412EDG/generate_perdomainCACERTS-ohs.sh to SOAHOST1.
Run the script with the following arguments:
- WLS_DOMAIN_DIRECTORY: Directory hosting the Weblogic Domain that the Administration Server uses (ASERVER variable in this guide).
- WL_HOME: The directory within the Oracle home where the Oracle WebLogic Server software binaries are stored. Typically /u01/oracle/products/fmw/wlserver.
- KEYSTORE_HOME: Directory where the appIdentity and the appTrust stores are created.
- KEYPASS: Password used for the weblogic administration user (reused for certs and stores).
- LIST_OF_OHS_SSL_VIRTUAL_HOSTS: A space separated list of OHS Virtual host addresses enclosed in single quotes.
For example:
```
./generate_perdomainCACERTS-ohs.sh /u01/oracle/config/domains/soaedg_domain /u01/oracle/products/fmw/wlserver /u01/oracle/config/keystores "password" 'ohshost1.example.com ohshost2.example.com'
```
The script performs the following actions:
1. It traverses the domain configuration and extracts the front-end addresses used by the domain.
2. It uses the per domain CA to generate certificates for the OHS addresses that are provided as input to the script. The front-end addresses gathered from the domain configuration are added as SAN Subject Alternative Names (SAN) to these certificates.
3. It connects to the front-end addresses detected in the domain configuration and downloads their public certificates. It adds these certificates to the WebLogic's trust keystore to allow the WebLogic servers establish SSL handshake with the different front-end addresses (used for callbacks, identity access and other redirections).
  
  Note:
  The node where the generate_perdomainCACERTS-ohs.sh script is executed needs to have connectivity to the different front-end addresses included in the domain's config.xml to download their certificates.
4. It uses orapki to convert the identity and trust stores in the application tier into the required pkcs wallets used by the different OHS Virtual Hosts.
5. It creates a tar with the corresponding wallets (this needs to be transferred to the OHS nodes for completing the SSL configuration).
Transfer the tar generated by the script to the OHS nodes.
1. Use scp or any sftp tool to copy tar file to the OHS nodes. For consistency with the app tier, place it under $WEB_KEYSTORE_HOME.
2. Untar the contents of the file in that folder as follows:
  1. cd $WEB_KEYSTORE_HOME
  2. tar -xzvf orapki-ohs.tgz
  This creates a wallet for WLS access and a directory wallet for each virtual host provided as parameter.

Parent topic: Configuring Oracle HTTP Server for an Enterprise Deployment

Configuring Oracle HTTP Server to Route Requests to the Application Tier

It is important to understand how to update the Oracle HTTP Server configuration files so that the web server instances route requests to the servers in the domain.

Parent topic: Configuring Oracle HTTP Server for an Enterprise Deployment

About the Oracle HTTP Server Configuration for an Enterprise Deployment

The following topics provide overview information about the changes that are required to the Oracle HTTP Server configuration files in an enterprise deployment.

Parent topic: Configuring Oracle HTTP Server to Route Requests to the Application Tier

Purpose of the Oracle HTTP Server Virtual Hosts

The reference topologies in this guide require that you define a set of virtual servers on the hardware load balancer. You can then configure Oracle HTTP Server to recognize requests to specific virtual hosts (that map to the load balancer virtual servers) by adding <VirtualHost> directives to the Oracle HTTP Server instance configuration files.

For each Oracle HTTP Server virtual host, you define a set of specific URLs (or context strings) that route requests from the load balancer through the Oracle HTTP Server instances to the appropriate Administration Server or Managed Server in the Oracle WebLogic Server domain.

Parent topic: About the Oracle HTTP Server Configuration for an Enterprise Deployment

About the WebLogicCluster Parameter of the <VirtualHost> Directive

A key parameter of the Oracle HTTP Server <VirtualHost> directive is the WebLogicCluster parameter, which is part of the WebLogic Proxy Plug-In for Oracle HTTP Server. When you configure Oracle HTTP Server for an enterprise deployment, consider the following information when you add this parameter to the Oracle HTTP Server configuration files.

The servers specified in the WebLogicCluster parameter are important only at startup time for the plug-in. The list needs to provide at least one running cluster member for the plug-in to discover other members of the cluster. When you start the Oracle HTTP server, the listed cluster member must be running. Oracle WebLogic Server and the plug-in work together to update the server list automatically with new, failed, and recovered cluster members.

Some example scenarios:

Example 1: If you have a two-node cluster and then add a third member, you do not need to update the configuration to add the third member. The third member is discovered on the fly at runtime.
Example 2: You have a three-node cluster but only two nodes are listed in the configuration. However, if both listed nodes are down when you start Oracle HTTP Server, then the plug-in would fail to route to the cluster. You must ensure that at least one of the listed nodes is running when you start Oracle HTTP Server.

If you list all members of the cluster, then you guarantee you can route to the cluster, assuming at least one member is running when Oracle HTTP Server is started.

Parent topic: About the Oracle HTTP Server Configuration for an Enterprise Deployment

Recommended Structure of the Oracle HTTP Server Configuration Files

Rather than adding multiple virtual host definitions to the httpd.conf file, Oracle recommends that you create separate, smaller, and more specific configuration files for each of the virtual servers required for the products that you are deploying. This avoids populating an already large httpd.conf file with additional content, and it can make troubleshooting configuration problems easier.

For example, in a typical Oracle Fusion Middleware Infrastructure domain, you can add a specific configuration file called admin_vh.conf that contains the virtual host definition for the Administration Server virtual host (ADMINVHN).

Since all virtual hosts in this EDG use SSL, the original ssl.conf file is used as a template for them. This Enterprise Deployment Guide segregates the listeners and certificates that are used by the different endpoints exposed through OHS. It uses different certificates and listeners for the external, internal and administration virtual hosts. This permits segregating the traffic and the encryption quality for each type of access and provides a well-structured mapping of front ends, Virtual Hosts and listeners.

Parent topic: About the Oracle HTTP Server Configuration for an Enterprise Deployment

Modifying the httpd.conf File to Include Virtual Host Configuration Files

Perform the following tasks to prepare the httpd.conf file for the additional virtual hosts required for an enterprise topology:

Log in to WEBHOST1.
Locate the httpd.conf file for the first Oracle HTTP Server instance (ohs1) in the domain directory:
```
cd $WEB_DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/
```

Verify if the httpd.conf file has the appropriate configuration as follows:

Run the following command to verify the ServerName parameter, be sure that it is set correctly, substituting the correct value for the current WEBHOSTn:
```
grep "ServerName http" httpd.conf   
ServerName http://WEBHOST1:7777 
```
Run the following command to verify there is an include statement that includes all *.conf files from the moduleconf subdirectory:
```
grep moduleconf httpd.conf   
IncludeOptional "moduleconf/*.conf"
```

If either validation fails to return results, or returns results that are commented out, open the httpd.conf file in a text editor and make the required changes in the appropriate locations.

# 
# ServerName gives the name and port that the server uses to identify itself. 
# This can often be determined automatically, but we recommend you specify 
# it explicitly to prevent problems during startup. 
# 
# If your host doesn't have a registered DNS name, enter its IP address here. 
# 
ServerName http://WEBHOST1:7777 
#  and at the end of the file:  
# Include the admin virtual host (Proxy Virtual Host) related configuration 
include "admin.conf"  
IncludeOptional "moduleconf/*.conf"

Save the httpd.conf file.

Ensure ssl.conf is included in the httpd configuration.
```
grep ssl.conf httpd.conf
include "ssl.conf"
```

Copy the ssl.conf file to a different file name.

Note:

This is used as a template for other module conf files.

cp $WEB_DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/ssl.conf $WEB_DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/moduleconf/ssl.template

Edit the ssl.conf file to include only the following lines (remove other content from the file):


<IfModule ossl_module>
#
# Some MIME-types for downloading Certificates and CRLs
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl

# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use, second the expiring timeout (in seconds) and third
# the mutex to be used.
    SSLSessionCache "shmcb:${ORACLE_INSTANCE}/servers/${COMPONENT_NAME}/logs/ssl_scache(512000)"
    SSLSessionCacheTimeout 300

</IfModule>

Modify the $WEB_DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/mod_wl_ohs.conf to include the appropriate WLSSWallet file (required to route on SSL to the WLS backends) as follows:


# NOTE : This is a template to configure mod_weblogic.

LoadModule weblogic_module   "${PRODUCT_HOME}/modules/mod_wl_ohs.so"

# This empty block is needed to save mod_wl related configuration from EM to this file when changes are made at the Base Virtual Host Level
<IfModule weblogic_module>
 
    WLIOTimeoutSecs 900
    KeepAliveSecs 290
    FileCaching OFF
    WLSocketTimeoutSecs 15
    ErrorPage http://www.oracle.com/splash/cloud/index.html
    WLRetryOnTimeout NONE
    WLForwardUriUnparsed On
    SecureProxy On
    WLSSLWallet "/u02/oracle/config/keystores/orapki/"
</IfModule>

Log in to WEBHOST2 and perform steps from 2 to 7, replacing any occurrences of WEBHOST1 or ohs1 with WEBHOST2 or ohs2 in the instructions as necessary.

Parent topic: Configuring Oracle HTTP Server to Route Requests to the Application Tier

Creating the Virtual Host Configuration Files

To create the virtual host configuration files:

Note:

Before you create the virtual host configuration files, be sure that you have configured the virtual servers on the load balancer, as described in Purpose of the Oracle HTTP Server Virtual Hosts.

Log in to WEBHOST1 and change directory to the configuration directory for the first Oracle HTTP Server instance (ohs1):
```
cd $WEB_DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/moduleconf
```

Copy the ssl.template file to the admin_vh.conf file, this will transfer most of the required SSL configuration:


cp $WEB_DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/moduleconf/ssl.template $WEB_DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/moduleconf/admin_vh.conf

Edit the file to add the following Listen, VirtualHost, ServerName, AllowEncodedSlashes, and Location directives. Also, change the SSLWallet directory to point to the specific wallet for the virtual host. The admin_vh.conf file should resemble the following file.


###################################################################
# Oracle HTTP Server mod_ossl configuration file: ssl.conf        #
###################################################################

# The Listen directive below has a comment preceding it that is used
# by tooling which updates the configuration.  Do not delete the comment.
#[Listen] OHS_SSL_PORT
Listen WEBHOST1:4445
##
## SSL Virtual Host Context
##
#[VirtualHost] OHS_SSL_VH
<VirtualHost WEBHOST1:4445> 
ServerName admin.example.com:445
AllowEncodedSlashes On
  <IfModule ossl_module>

   #  SSL Engine Switch:
   #  Enable/Disable SSL for this virtual host.
   SSLEngine on

   #  Client Authentication (Type):
   #  Client certificate verification type and depth.  Types are
   #  none, optional and require.
   SSLVerifyClient None

   #  SSL Protocol Support:
   #  Configure usable SSL/TLS protocol versions.
   SSLProtocol TLSv1.2 TLSv1.3
   
   # Option to prefer the server's cipher preference order 
   SSLHonorCipherOrder on

   #  SSL Cipher Suite:
   #  List the ciphers that the client is permitted to negotiate.
   SSLCipherSuite TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
   
   #Path to the wallet
   #SSLWallet "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/default"
   SSLWallet "/u02/oracle/config/keystores/orapki/orapki-vh-WEBHOST1"
        
   <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
   </FilesMatch>

   <Directory "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/cgi-bin">
      SSLOptions +StdEnvVars
   </Directory>

   BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

   # Add the following directive to add HSTS
   <IfModule mod_headers.c>
   Header always set Strict-Transport-Security "max-age=63072000; preload; includeSubDomains"
   </IfModule>

   
   <Location /em>
   WLSRequest ON   
   WebLogicHost ADMINVHN  
   WebLogicPort 9002
   </Location>
   <Location /management>
   WLSRequest ON  
   WebLogicHost ADMINVHN
   WebLogicPort 9002
   </Location>

</IfModule>
</VirtualHost>

Repeat similar steps to create a soainternal_vh.conf file with this content (notice the different listen port, virtual host, and WLS settings):


###################################################################
# Oracle HTTP Server mod_ossl configuration file: ssl.conf        #
###################################################################

# The Listen directive below has a comment preceding it that is used
# by tooling which updates the configuration.  Do not delete the comment.
#[Listen] OHS_SSL_PORT
Listen WEBHOST1:4444


##
## SSL Virtual Host Context
##
#[VirtualHost] OHS_SSL_VH
<VirtualHost WEBHOST1:4444>
ServerName soainternal.example.com:444
  <IfModule ossl_module>
   #  SSL Engine Switch:
   #  Enable/Disable SSL for this virtual host.
   SSLEngine on

   #  Client Authentication (Type):
   #  Client certificate verification type and depth.  Types are
   #  none, optional and require.
   SSLVerifyClient None

   #  SSL Protocol Support:
   #  Configure usable SSL/TLS protocol versions.
   SSLProtocol TLSv1.2 TLSv1.3
   
   # Option to prefer the server's cipher preference order 
   SSLHonorCipherOrder on

   #  SSL Cipher Suite:
   #  List the ciphers that the client is permitted to negotiate.
   SSLCipherSuite TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
   
   #Path to the wallet
   #SSLWallet "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/default"
   SSLWallet "/u02/oracle/config/keystores/orapki/orapki-vh-WEBHOST1"
        
   <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
   </FilesMatch>

   <Directory "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/cgi-bin">
      SSLOptions +StdEnvVars
   </Directory>

   BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

   # Add the following directive to add HSTS
   <IfModule mod_headers.c>
   Header always set Strict-Transport-Security "max-age=63072000; preload; includeSubDomains"
   </IfModule>

   <Location /wsm-pm>
   WLSRequest ON
   WebLogicCluster SOAHOST1:7010,SOAHOST2:7010
   </Location>

  </IfModule>
</VirtualHost>

Restart the ohs1 instance by entering the following commands:

$WEB_ORACLE_HOME/oracle_common/common/bin/wlst.sh

wls:/offline> nmConnect('ohsdomainadmin','ohsdomainadmin_password','localhost','5556','ohsdomainname', 'WEB_DOMAIN_HOME','PLAIN')

wls:/nm/soaedgohs> nmKill(serverName='ohs1',serverType='OHS')

wls:/nm/soaedgohs> nmStart(serverName='ohs1',serverType='OHS')

Watch the $WEB_DOMAIN_HOME/servers/ohs1/logs/ohs1.log file for errors.

Copy the admin_vh.conf file and the soainternal_vh.conf file to the configuration directory for the second Oracle HTTP Server instance (ohs2) on WEBHOST2:
```
$WEB_DOMAIN_HOME/config/fmwconfig/components/OHS/ohs2/moduleconf
```
Edit the admin_vh.conf and soainternal_vh.conf files and change any references from WEBHOST1 to WEBHOST2 in the <VirtualHost> directives.

Restart the ohs2 instance by entering the following commands:

$WEB_ORACLE_HOME/oracle_common/common/bin/wlst.sh

wls:/offline> nmConnect('ohsdomainadmin','ohsdomainadmin_password','localhost','5556','ohsdomainname','WEB_DOMAIN_HOME','PLAIN')

wls:/nm/soaedgohs> nmKill(serverName='ohs2',serverType='OHS')

wls:/nm/soaedgohs> nmStart(serverName='ohs2',serverType='OHS')

Parent topic: Configuring Oracle HTTP Server to Route Requests to the Application Tier

Validating the Virtual Server Configuration on the Load Balancer

From the load balancer, access the following URLs to ensure that your load balancer and Oracle HTTP Server are configured properly. These URLs should show the initial Oracle HTTP Server 12c web page.

https://admin.example.com:445/index.html
https://soainternal.example.com:444/index.html

Parent topic: Configuring Oracle HTTP Server to Route Requests to the Application Tier

Validating Access to the Management Consoles and Administration Server

To verify the changes that you have made in this chapter:

Access the Fusion Middleware Control by using the following URL:
```
https://admin.example.com:445/em
```

Parent topic: Configuring Oracle HTTP Server to Route Requests to the Application Tier

Configure a New Provider in the WebLocic Remote Console to Access the Domain Configuration Through the Frontend LBR

Create a new Admin Server Connection Provider that connects through the frontend load balancer and OHS to the domain’s Administration Server. To establish this connection, the WebLogic Remote Console must trust the certificate used by the load balancer for the administration frontend address.

Ensure that the Trust Store used by the WebLogic Remote Console includes the certificate or the CA certificate used by the frontend load balancer in the admin virtual server.

Tip:
If you used the script generate_perdomainCACERTS-ohs.sh, you can download the appTrustKeyStore.pkcs12 file from the domain and use it as the WebLogic Remote Console trust store. It includes the frontend load balancer certificates as a trusted entity.
Open the WebLogic Remote Console and click Add Admin Server Connection Provider.
Use the following values for the new provider:
- Connection Provider Name:
  
  Use a name identifying the connection. For example, soaedg_domain_lbrprovider.
- Username and Password:
  
  Enter the WebLogic Domain Administration user and password.
- URL: Use the frontend address and the port. For example, https://admin.example.com:445.
- Make Insecure Connect: If the the appropriate trust store settings are completed, you do not need to check this field.
  
  Note:
  If you are using demo certs in the load balancer, you might need to check the Disable host name verification field in the WebLogic Remote Console settings.
Click OK to add the provider.
Click the new provider.

You must able to manage the domain remotely through the front end LBR with these settings.

Parent topic: Configuring Oracle HTTP Server to Route Requests to the Application Tier