Skip to main content

How to Implement HAPROXY in Oracle Apps R12.1

How to Implement HAPROXY in Oracle Apps R12.1


Please read article on more website security checks How to Conduct a Website Security Check


In an earlier post, I shared how HAPROXY is used as a reverse proxy for Oracle Apps. Now I am going to share how to implement the same.

I am using a separate server to install HAproxy and one EBS server.

The HAProxy server(OEL 7) I am using in my environment is known as oel7.lab (DNS name I have mapped as funerptest.lab)

[root@oel7 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.56.110 oel7.lab oel7
192.168.56.110 funerptest.lab funerptest


Steps:

1) Install haproxy
[root@oel7 ~]# yum install haproxy
2) Validate haproxy installation

[root@oel7 ~]# which haproxy
/usr/sbin/haproxy
[root@oel7 ~]# ls -l /etc/haproxy
total 4
-rw-r--r-- 1 root root 3142 Jun 28  2019 haproxy.cfg


3) Check the status of haproxy

[root@oel7 ~]# systemctl status haproxy
● haproxy.service - HAProxy Load Balancer
   Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

4) Enable haproxy services after reboot and Enable the outbound connection of haproxy.

[root@oel7 ~]# systemctl enable haproxy
Created symlink from /etc/systemd/system/multi-user.target.wants/haproxy.service to /usr/lib/systemd/system/haproxy.service.


[root@oel7 haproxy]# setsebool -P haproxy_connect_any 1
setsebool:  SELinux is disabled.

systemctl start haproxy
5) Copy certificate and key bundle from your location to /etc/haproxy/bundle.pem

I have created a self-signed certificate. You get a CA-signed certificate as well.

Please refer to the below link on how to create a self-signed certificate.


Club the server certificate and key together in a bundle.

[root@oel7 certificates]# cat server.crt server.key >>/etc/haproxy/bundle.pem
[root@oel7 certificates]# ls -ltr /etc/haproxy/bundle.pem
-rw-r--r-- 1 root root 2879 Mar 28 18:45 /etc/haproxy/bundle.pem

6)Backup original HA config file.

[root@oel7 certificates]# cd /etc/haproxy/
[root@oel7 haproxy]# ls -ltr
total 8
-rw-r--r-- 1 root root 3142 Jun 28  2019 haproxy.cfg
-rw-r--r-- 1 root root 2879 Mar 28 18:45 bundle.pem
[root@oel7 haproxy]# cp haproxy.cfg haproxy.cfg_orig

7) Edit and update defaults settings options in haproxy

Add option forwardfor except 127.0.0.0/8 header ClientIP

Add the following line to the Global section (ciphers must be all on one long line) to define a set of strong cipher suites: # Ristic's Apache CipherSuite selection ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:EDH-RSA-DES-CBC3-SHA


8) Edit and update Front end detail in haproxy config. It should have the correct certificate bundle path.

frontend main *:5000 bind 0.0.0.0:443 ssl no-sslv3 crt /etc/haproxy/bundle.pem default_backend ebs

9) Edit and Add Backend details in haproxy config. The URL is for EBS login.

backend ebs balance roundrobin mode http server ebs funebs122.lab:8050



10) Validate haproxy configuration

[root@oel7 haproxy]# haproxy -f /etc/haproxy/haproxy.cfg -c
[WARNING] 086/185942 (2949) : Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.
Configuration file is valid

11) Shutdown application services on EBS and update context values to point to SSL haproxy DNS.

s_webentryurlprotocol ==> https
s_webentryhost ==> funerptest
s_webentrydomain ==> lab
s_active_webport ==> 443
s_login_page ==> https://funerptest.lab:443/OA_HTML/AppsLogin
s_endUserMonitoringURL ==> https://funerptest.lab:443/oracle_smp_chronos/oracle_smp_chronos_sdk.gif
s_external_url ==> https://funerptest.lab:443
s_chronosURL ==> https://funerptest.lab:443/oracle_smp_chronos/oracle_smp_chronos_sdk.gif
s_enable_sslterminator ==> Remove # value

Validate the value using below

egrep -i "s_webentryurlprotocol|s_webentryhost|s_webentrydomain|s_active_webport|s_login_page|s_endUserMonitoringURL|s_external_url|s_chronosURL|s_enable_sslterminator" $CONTEXT_FILE


12) Update httpd.conf file to make sure that the Actual Client IP is read in the access log not the haproxy server IP. In real this would be done in the template file to avoid removal of entry after autoconfig(httpd_conf_1013.tmp)

cd $FND_TOP/admin/template/custom
cp ../httpd_conf_1013.tmp .


Edit httpd_conf_1013.tmp on EBS server and uncomment below

UseWebCacheIp ON

13) Run autoconfig on EBS application.

14) Add compatibility URL setting in IE.

15) Re-test the new EBS URL with HTTPS. The client will only see haproxy server securing your main

ebs application server.




16) Reconfigure workflow or any other required setup as per the environment.






If you like please follow and comment
Labels:

Comments

Post a Comment

Popular posts from this blog

WebLogic migration to OCI using WDT tool

WebLogic migration to OCI using WDT tool Oracle WebLogic Deploy Tool (WDT) is an open-source project designed to simplify and streamline the management of Oracle WebLogic Server domains. With WDT, you can export configuration and application files from one WebLogic Server domain and import them into another, making it a highly effective tool for tasks like migrating on-premises WebLogic configurations to Oracle Cloud. This blog outlines a detailed step-by-step process for using WDT to migrate WebLogic resources and configurations. Supported WLS versions Why Use WDT for Migration? When moving Oracle WebLogic resources from an on-premises environment to Oracle Cloud (or another WebLogic Server), WDT provides an efficient and reliable approach to: Discover and export domain configurations and application binaries. Create reusable models and archives for deployment in a target domain. Key Pre-Requisites Source System: An Oracle WebLogic Server with pre-configured resources such as: Applica...
Post a Comment
Read more

How to Validate TDE Wallet Password in Oracle Database

How to Validate TDE Wallet Password in Oracle Database Validating the Transparent Data Encryption (TDE) wallet password is crucial, especially when ensuring that the password is correct without using the OPEN or CLOSE commands in the database. This blog post explains a straightforward method to validate the TDE password using the mkstore utility. Steps to Validate TDE Wallet Password Follow these steps to validate the TDE wallet password: Step 1: Copy the Keystore/Wallet File Navigate to your existing TDE wallet directory. Copy only the ewallet.p12 file to a new directory. If a cwallet.sso file exists, do not copy it . The absence of cwallet.sso ensures that the wallet does not use auto-login, forcing the utility to prompt for the password. Step 2: Validate Using mkstore Use the mkstore utility to check the contents of the wallet file. The mkstore utility will prompt you for the TDE wallet password, allowing you to validate its correctness. Command Syntax To display the conten...
Post a Comment
Read more

Rename a PDB in Oracle Database Multitenant Architecture in TDE and Non TDE Environment

Rename a PDB in Oracle Database Multitenant Architecture I am sharing a step-by-step guide to help you rename a PDB. This approach uses SQL commands. Without TDE or encryption Wallet Initial Check Check the Current Database Name and Open Mode: SQL > SELECT NAME, OPEN_MODE FROM V$DATABASE; NAME OPEN_MODE --------- -------------------- BEECDB READ WRITE List Current PDBs: SQL > SHOW PDBS; CON_ID CON_NAME OPEN MODE RESTRICTED ---------- ------------------------------ ---------- ---------- 2 PDB$SEED READ ONLY NO 3 FUAT READ WRITE NO We need to RENAME FUAT to BEE  Steps to Rename the PDB Step 1: Export ORACLE_SID Set the Oracle SID to the Container Database (CDB): export ORACLE_SID=BEECDB Step 2: Verify Target PDB Name Availability If the target PDB name is different from the current PDB name, ensure no service exists with the target PDB name. Run SQL to Check Exi...
Post a Comment
Read more