
Demilitarized Zone

R12.2
Amit Sharma
Oracle Apps DBA Expert
CORPORATE OFFICE
8 Magnolia Place,
Harrow, London, UK
HA2 6DS

US OFFICE
6515 E Union Ave,
Unit 451, Denver
CO 80237

INDIA OFFICE
NS-24 Mianwali Nagar
Paschim Vihar
New Delhi 110087

Email : contact@k21academy.com
Phone :
+1 408 627 8021
+91 959 905 6621

Agenda

Business Need
Challenges
DMZ as a Solution
Features/Benefits
DMZ Architecture

www.k21academy.com

Copyright 2016 | K21 Academy | All Rights Reserved

Business Needs
To expose services outside the network
To promote external communication
Sometimes the business runs almost entirely on external communication


Challenges
The business does not want to compromise on security
The business cannot expose internal domain or internal URL information
An exposed service is an entry point for attackers
Application vulnerabilities


DMZ - Solution
A DMZ is the portion of a corporate/office network that sits between the corporate intranet and the Internet.
Only the portion that belongs to the DMZ is exposed, not the internal network.


DMZ is the Solution!!!

Oracle Applications consists of a fleet of nodes (FND_NODES), so first decide which node has to be exposed to the public.
To expose a node to the public, use the profile option Node Trust Level.
Set the node to Public/Private (Normal -> private, External -> public).
Set the "Responsibility Trust Level" profile option to decide whether an Applications responsibility is exposed inside or outside the firewall.


Features/Benefits
Exposed web services can be accessed by internal and external users
Configurable and can be rolled out very easily
Internal network and business data are secured from outside traffic
Firewalls are deployed at various levels to ensure only authorised traffic gets through
Unauthorized access to the internal network from outside is prohibited
No need for a VPN or a Secure FTP server


DMZ Architecture
From the Oracle point of view there are 4 options:

Type 1: DMZ Configuration With an External and Internal Application Tier
Type 2: DMZ Configuration With a Reverse Proxy and an External Application Tier
Type 3: DMZ Configuration With Internal and External Application Tiers in the Intranet Sharing the Application Tier File System
Type 4: DMZ Configuration With Multiple Internal/External Application Tiers in the Intranet and DMZ


Type 1 Architecture
Access the web tier over the HTTPS port.
SSH compliance: SSH connectivity between the external and internal application tier nodes has to cross the firewall


Benefits

Simplicity
Internal users access the internal application via the intranet
Restrict access to a limited set of Oracle Applications responsibilities for users logging in via the Internet

Limitations/Restrictions

Cannot share the application tier file system between external and internal application tier nodes
Maintenance overhead

Type 2

Restrict access to a limited set of Oracle Applications responsibilities for users logging in via the Internet
Mask external application tier details from external users with a reverse proxy server
No SSL connection is mandatory at the reverse proxy
Option to restrict a subset of URLs at the reverse proxy


Benefits

URL firewall option at the reverse proxy
SSL not mandatory
Masking of server details

Limitations/Restrictions

Additional server needed
Same Type 1 restriction
Maintenance overhead

Type 3

Shared application tier file system
No need to open the WLS and Node Manager ports at the firewall
SSH connectivity among application tier nodes does not have to cross the firewall
No requirement to open the Java Object Cache/FND Cache port range


Benefits

Easy maintenance
No specific ports need to be opened
Gives failover capability as well

Limitations/Restrictions

Additional server needed

Type 4
Hybrid setup: the external and internal file systems are not shared.
Failover is covered


Benefits
Extra level of security
Load balancing/Failover

Limitations/Restrictions

Additional servers needed
Similar Type 1 restriction
Maintenance overhead of a hybrid setup
SSH compliance
Ports need to be open

Basic DMZ Setup Overview

Apply the patches required for DMZ configuration (minimum patch level)
Clone the external node using adcfgclone.pl (Run and Patch file systems)
Set up the Hierarchy Type and the Node Trust Level/Responsibility Trust Level profiles
Configure the reverse proxy or load balancer, if one is used
Remove references to the internal node(s) in mod_wl_ohs.conf


Minimum Patch Level For DMZ

Minimum Patch Level: R12.AD.C.Delta 4 / R12.TXK.C.Delta 4
Latest Released (Dec-2015): R12.AD.C.Delta 7 / R12.TXK.C.Delta 7

Reference Document - 1617461.1



Clone External node using adcfgclone.pl (Run & Patch)

When prompted, say Yes to add the node

Enable Web Entry Point and Web Application Services.
Don't enable Batch Processing Services


Update Hierarchy Type

Profile Options: URL based


Change the Hierarchy Type

Set the hierarchy type to Server Responsibility (SERVRESP).
Connect to sqlplus as apps and run:
@$FND_TOP/patch/115/sql/txkChangeProfH.sql SERVRESP


Node / Responsibility Trust Level

To restrict responsibilities based on the application tier server, set NODE_TRUST_LEVEL.
Check the profile options:
Node Trust Level
Responsibility Trust Level

Values and meaning:
Administrative: provides access to any and all Applications functions.
Normal: users logging in from Normal servers have access to only a limited set of responsibilities.
External: users logging in from External servers get access with an even smaller set of responsibilities.
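As an added illustration (not code from this deck or from Oracle), the Python model below encodes the rule that the two profile options express, both on the "DMZ is the Solution" slide and in the table above: a responsibility is reachable from a node only when its Responsibility Trust Level is at least as restrictive as the node's Node Trust Level, and a node is private when Normal and public when External. It also carries the check a DBA wants before the firewall is opened: any node intended to be reachable from the Internet whose trust level is not External. The numeric profile values (1/2/3), the Administrative -> private mapping, and the node and responsibility names are assumptions made for the example.

```python
"""Model of Oracle EBS R12.2 node / responsibility trust levels (added example, not Oracle code)."""
from enum import IntEnum
from typing import Dict, List, Tuple


class TrustLevel(IntEnum):
    """Profile values for Node Trust Level / Responsibility Trust Level.
    The numeric codes are an assumption here; confirm them against the DMZ note."""
    ADMINISTRATIVE = 1
    NORMAL = 2
    EXTERNAL = 3


def node_exposure(level: TrustLevel) -> str:
    """Normal -> private, External -> public (as on the slide).
    Treating Administrative as private is an assumption."""
    return "public" if level == TrustLevel.EXTERNAL else "private"


def accessible_responsibilities(node_level: TrustLevel,
                                responsibilities: Dict[str, TrustLevel]) -> List[str]:
    """A responsibility is served from a node only when its own trust level is at
    least as restrictive as the node's: an External node serves External
    responsibilities only, a Normal node serves Normal and External, an
    Administrative node serves everything."""
    return sorted(name for name, lvl in responsibilities.items() if lvl >= node_level)


def misconfigured_public_nodes(nodes: Dict[str, Tuple[TrustLevel, bool]]) -> List[str]:
    """nodes maps node name -> (trust level, intended to be reachable from the Internet).
    Returns the nodes that are meant to be public but are not set to External, i.e.
    nodes that would hand Internet users the Normal (or Administrative) set."""
    return sorted(name for name, (lvl, public) in nodes.items()
                  if public and lvl != TrustLevel.EXTERNAL)


# Constructed sample data for illustration (not from any real FND_NODES export).
SAMPLE_NODES = {
    "ebs-int-01": (TrustLevel.NORMAL, False),
    "ebs-ext-01": (TrustLevel.EXTERNAL, True),
    "ebs-ext-02": (TrustLevel.NORMAL, True),   # exposed but never set to External
}
SAMPLE_RESPONSIBILITIES = {
    "System Administrator": TrustLevel.ADMINISTRATIVE,
    "Payables Manager": TrustLevel.NORMAL,
    "iSupplier Portal Full Access": TrustLevel.EXTERNAL,
    "iRecruitment External Candidate": TrustLevel.EXTERNAL,
}

if __name__ == "__main__":
    for name, (lvl, _) in SAMPLE_NODES.items():
        print(f"{name}: {lvl.name} ({node_exposure(lvl)}) ->",
              accessible_responsibilities(lvl, SAMPLE_RESPONSIBILITIES))
    print("misconfigured public nodes:", misconfigured_public_nodes(SAMPLE_NODES))
```

Running it lists, per node, what an Internet user would be offered and flags ebs-ext-02, the node that was cloned into the DMZ but left at Normal. The same comparison is what to run against a real FND_NODES and profile export before the reverse proxy or firewall rule goes live.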


Configure Reverse Proxy / Load Balancer

Reverse Proxy Configuration


Update mod_wl_ohs.conf

Remove the entries that reference the internal node(s) from the conf file
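To make this step concrete, here is an added Python helper (not Oracle tooling and not from the deck) that takes the text of a mod_wl_ohs.conf, drops every WebLogicCluster back end whose host is one of the internal nodes, and reports any Location left with no external back end at all, which would otherwise silently break that URL on the DMZ node. The file layout, hostnames and ports in SAMPLE_CONF are constructed for the example; INTERNAL_HOSTS stands for your own list of internal nodes.

```python
"""Audit helper for mod_wl_ohs.conf on an external (DMZ) web node: strip internal-node
back ends from WebLogicCluster lists (added example, not Oracle's own tooling)."""
import re
from typing import List, Set, Tuple

LOCATION_RE = re.compile(r"^\s*<Location\s+(\S+?)\s*>")
CLUSTER_RE = re.compile(r"^(\s*WebLogicCluster\s+)(\S+)(.*)$")


def strip_internal_backends(conf: str, internal_hosts: Set[str]) -> Tuple[str, List[Tuple[str, str]], List[str]]:
    """Return (cleaned config, removed (location, host:port) pairs, locations left without a back end).
    Only WebLogicCluster entries whose host part (case-insensitive) is in internal_hosts are
    removed; every other line is passed through unchanged."""
    internal = {h.lower() for h in internal_hosts}
    out, removed, emptied = [], [], []
    location = "<global>"
    for line in conf.splitlines():
        m = LOCATION_RE.match(line)
        if m:
            location = m.group(1)
        cm = CLUSTER_RE.match(line)
        if cm:
            keep = []
            for entry in cm.group(2).split(","):
                host = entry.split(":", 1)[0].lower()
                if host in internal:
                    removed.append((location, entry))
                else:
                    keep.append(entry)
            if not keep:
                # Nothing external serves this Location: flag it instead of leaving a dangling directive.
                emptied.append(location)
                out.append(f"# REMOVED: WebLogicCluster for {location} listed only internal back ends")
                continue
            line = cm.group(1) + ",".join(keep) + cm.group(3)
        out.append(line)
    return "\n".join(out) + "\n", removed, emptied


# Constructed sample in the shape of an R12.2 mod_wl_ohs.conf (hostnames and ports are made up).
SAMPLE_CONF = """\
<IfModule mod_weblogic.c>
  WLIOTimeoutSecs 900
</IfModule>
<Location /OA_HTML>
  SetHandler weblogic-handler
  WebLogicCluster ebs-int-01.example.com:7201,ebs-ext-01.example.com:7201
</Location>
<Location /forms>
  SetHandler weblogic-handler
  WebLogicCluster ebs-int-01.example.com:7401
</Location>
"""
INTERNAL_HOSTS = {"ebs-int-01.example.com"}

if __name__ == "__main__":
    cleaned, removed, emptied = strip_internal_backends(SAMPLE_CONF, INTERNAL_HOSTS)
    print(cleaned)
    print("removed:", removed)
    print("locations with no external back end:", emptied)
```

The function returns the cleaned text rather than writing the file, so the change can be diffed and reviewed before it is applied. If the file is regenerated by AutoConfig in your environment, check the DMZ note referenced on the last slide for where the change has to be made so that it persists.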


References
Oracle E-Business Suite Release 12.2 Configuration in a DMZ (Doc ID 1375670.1)
Enabling SSL in Oracle E-Business Suite Release 12.2 (Doc ID 1367293.1)


Find us
https://www.facebook.com/K21Academy/

http://twitter.com/k21Academy
https://www.linkedin.com/company/k21Academy
https://www.youtube.com/user/k21technologies
