© Copyright 2015.Apps Associates LLC. 1
Demilitarized Zone in 12.2
KaliKishore Gomattam
Lead DBA Consultant – IMS @ Apps Associates
@kgomattam
Performance. Growth. Excellence.
• Global Reach, Broad Service Profile
• Founded in 2002, 600+ employees
• US, Europe, India, Middle East
• Service Offerings: Applications, CRM, Analytics, EPM, Cloud, Middleware,
Application Development, App & Infrastructure Managed Services
• Significant Investment in R&D
• Cloud (IaaS, PaaS, SaaS)
• Business Process & System Integration
• Analytics & Big Data
• Strategic Partnerships, Certifications, Credentials
• Oracle Platinum Partner, Oracle Specialized Across Our Portfolio of Services
• AWS Advanced Consulting Partner, Certified Managed Services Provider
• Microsoft Certified
• CMMI Level 3 & SSAE 16
Agenda
 Overview
 What is DMZ
 Why DMZ
 Different Ways to Setup
 High Level Steps to enable DMZ
 How does it differ from 12.1
 Best Practices
Question !!!
Why do we need to Expose Applications to Public
???
Risks
 When organizations expose their Oracle Applications outside the private network via HTTP/HTTPS, the application becomes reachable from the public network, which carries the following risks:
 Entry point for attackers
 Security information can be compromised
 Exposes the internal domain/network to external users
 Application vulnerabilities
Solution is DMZ
 A DMZ serves this purpose by restricting access to the application based on the type of user logging in (internal/external).
 DMZ, which stands for Demilitarized Zone, consists of the portions of a corporate network that sit between the corporate intranet and the Internet. The DMZ can be a single-segment LAN or it can be broken down into multiple regions.
 The main benefit of a properly configured DMZ is better security: in the event of a security breach, only the area contained within the DMZ is exposed to potential damage, while the corporate intranet remains somewhat protected.
DMZ with Oracle EBS
 When configuring Oracle E-Business Suite in a DMZ configuration, firewalls are deployed at various levels to ensure that only authorized traffic is allowed to cross the firewall boundaries.
 The firewalls ensure that if intrusion attempts against machines in the DMZ are successful, the intrusion is contained within the DMZ, leaving the machines in the intranet unaffected.
DMZ Architecture
 Oracle provides four different types of architectures, as follows.
 DMZ Configuration With an External and Internal Application Tier
 DMZ Configuration With a Reverse Proxy and an External Application Tier
 DMZ Configuration With Internal and External Application Tiers in the Intranet
Sharing the Application Tier File System
 DMZ configuration with multiple Internal/External application tiers in the Intranet
and DMZ
DMZ Architecture (Type 1)
DMZ Configuration With an External and Internal Application Tier
[Diagram: internal users on the intranet reach the internal application tier; external users on the Internet reach the external application tier behind the DMZ external firewall. Port legend: HTTPS 443, HTTP 8000, WLS 7001/7002, Node Manager 5556/5557, ICMP, SSH 22, SQLNET 1521.]
DMZ Architecture (Type 1)
 Pros:
 Simple Configuration with external application tier configured in DMZ for external
users
 Internal users access internal application via intranet
 Restrict access to a limited set of Oracle Application Responsibilities for users
logging in via Internet
 Allow user access to only Oracle E-Business Suite Release 12 product that can be
deployed for Internet access
 Cons:
 Need to expose complete EBS Suite to external world
 Cannot share application tier file system between external and internal application
tier nodes.
DMZ Architecture (Type 2)
DMZ Configuration With a Reverse Proxy and an External Application Tier
[Diagram: external users on the Internet pass the DMZ external firewall to a reverse proxy, which forwards to the external application tier behind the DMZ internal firewall; internal users on the intranet reach the internal application tier. Port legend: HTTPS 443, HTTP 8000, WLS 7001/7002, Node Manager 5556/5557, ICMP, SSH 22, SQLNET 1521.]
DMZ Architecture (Type 2)
 Pros:
 Restrict access to a limited set of Oracle Application Responsibilities for users
logging in via Internet
 Allow user access to only Oracle E-Business Suite Release 12 product that can be
deployed for Internet access
 Mask external application tier details from external users with the use of reverse
proxy server
 Terminate SSL connections at the reverse proxy if required
 Implement URL firewall on the reverse proxy server to restrict access.
 Cons:
 Additional Server is required for reverse proxy
 Cannot share application tier file system between external and internal application
tier nodes.
DMZ Architecture (Type 3)
DMZ Configuration With Internal and External Application Tiers in the Intranet Sharing the Application Tier File System
[Diagram: external users on the Internet pass the DMZ external firewall to an external load balancer, then the DMZ internal firewall (HTTPS/HTTP/SQLNET) to the external application tier in the intranet; internal users reach the internal application tier through an internal load balancer; WLS, Node Manager, ICMP, SSH and SQLNET traffic stays inside the intranet. Port legend: HTTPS 443, HTTP 8000, WLS 7001/7002, Node Manager 5556/5557, ICMP, SSH 22, SQLNET 1521.]
DMZ Architecture (Type 3)
 Pros:
 Restrict access to a limited set of Oracle Application Responsibilities for users
logging in via Internet
 Allow user access to only Oracle E-Business Suite Release 12 product that can be
deployed for Internet access
 Application file system can be shared among all nodes.
 Not required to open ports on firewall
 Load is balanced across multiple nodes
 Cons:
 Load Balancer is exposed to external world.
DMZ Architecture (Type 4)
DMZ configuration with multiple Internal/External application tiers in the Intranet and DMZ
[Diagram: external users on the Internet pass the DMZ external firewall to an external load balancer and the DMZ internal firewall (HTTPS/HTTP/SQLNET) to external application tiers in the DMZ and intranet; internal users reach the internal application tiers through an internal load balancer; WLS, Node Manager, ICMP, SSH and SQLNET traffic stays inside the intranet. Port legend: HTTPS 443, HTTP 8000, WLS 7001/7002, Node Manager 5556/5557, ICMP, SSH 22, SQLNET 1521.]
DMZ Architecture (Type 4)
 Pros:
 Restrict access to a limited set of Oracle Application Responsibilities for users
logging in via Internet
 Allow user access to only Oracle E-Business Suite Release 12 product that can be
deployed for Internet access
 Application file system can be shared among all nodes.
 Load is balanced across multiple nodes
 Cons:
 Load Balancer is exposed to external world
 Application tier file system is not shared between external and internal application tier nodes.
Application Access Flow
[Diagram sequence: an internal user requests http://internal.mydomain.com and reaches the EBS instance at 10.1.1.100 directly on the private network. An external user requests http://external.mydomain.com; the Global DNS resolves external.mydomain.com to the proxy server at 54.100.200.100 on the public network, and the proxy forwards the request to the EBS instance at 10.1.1.100 on the private network. The Local DNS resolves external.mydomain.com to 10.1.1.100, so internal users who use the external URL stay on the private network.]
Steps to enable DMZ
 To enable DMZ using any of the four architectures, we need to perform some or all of the steps below, based on which architecture we selected.
 Patches required for DMZ Configuration
 Clone External node using adcfgclone.pl (Run & Patch)
 Update Hierarchy Type
 Update Node/Responsibility Trust Level
 Configure Reverse/Load Balancer Proxy (Conditional)
 Remove references to Internal Node(s) in mod_wl_ohs.conf (Only for 12.2.x)
Steps to enable DMZ
1. Patches required for DMZ Configuration
 R12.AD.C.Delta.4 and R12.TXK.C.Delta.4
Note: see MOS Note 1617461.1 for applying the required patches. If an update patch for AD/TXK is available, apply that instead of the minimum code level mentioned under Patch Number/Min Code Level.
Steps to enable DMZ
2. Clone External node using adcfgclone.pl (Run & Patch)
 When prompted say “Yes” to add node
 Enable “Web Entry Point” and “Web Application Services”.
 Don’t enable “Batch Processing Services”
Steps to enable DMZ
3. Update Hierarchy Type
 The following user profile options are used to construct various URLs in EBS
 By default, the hierarchy type value for these profile options is “Server type”
 An E-Biz environment configured for DMZ requires the hierarchy type of these profile options to be set to “SERVRESP”
 Run “$FND_TOP/patch/115/sql/txkChangeProfH.sql SERVRESP” on the run file system as the apps user.
Steps to enable DMZ
4. Update Node/Responsibility Trust Level
 Oracle E-Biz has the capability to restrict access to a predefined set of responsibilities based on the application tier server from which the user logs in.
 This capability is achieved by tagging each application server with a trust level, indicated by the Node Trust Level (NODE_TRUST_LEVEL) server profile option.
 Option:
 Administrative: These servers are considered secure and provide access to
any and all Ebiz functions.
 Normal: Users logging in from normal servers have access to only a limited set
of responsibilities.
 External: These servers have access to an even smaller set of responsibilities.
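The trust-level rule above, as an added model (not Oracle's implementation): node levels, responsibility levels, the visibility test and a check for DMZ nodes left at the wrong level. Numeric codes, function names and sample data are assumptions for this example.

```python
# Added model of the Node Trust Level / Responsibility Trust Level rule
# described above. Numeric codes, function names and sample data are
# constructed for this example and are not Oracle E-Business Suite internals.
from enum import IntEnum
from typing import Dict, List, Tuple


class TrustLevel(IntEnum):
    """Ordering assumed for this model: a lower value is a more trusted node."""
    ADMINISTRATIVE = 1   # secure servers: access to any and all functions
    NORMAL = 2           # limited set of responsibilities
    EXTERNAL = 3         # even smaller set, intended for DMZ nodes


def responsibility_visible(resp_level: TrustLevel, node_level: TrustLevel) -> bool:
    """A responsibility is offered on a node only if it was tagged for that
    node's exposure or a wider one: an Administrative node shows everything,
    an External node shows only responsibilities tagged External."""
    return resp_level >= node_level


def responsibilities_for_node(node_level: TrustLevel,
                              responsibilities: Dict[str, TrustLevel]) -> List[str]:
    """Names of the responsibilities a user logging in through a node of
    `node_level` can choose from."""
    return sorted(name for name, level in responsibilities.items()
                  if responsibility_visible(level, node_level))


def misconfigured_dmz_nodes(nodes: Dict[str, Tuple[str, TrustLevel]]) -> List[str]:
    """Defender check: every node placed in the DMZ must carry the External
    trust level; anything else would offer Normal or Administrative
    responsibilities to Internet users. `nodes` maps name -> (zone, level)."""
    return sorted(name for name, (zone, level) in nodes.items()
                  if zone == "dmz" and level != TrustLevel.EXTERNAL)


# Constructed sample data (names chosen for illustration only).
RESPONSIBILITIES = {
    "System Administrator": TrustLevel.ADMINISTRATIVE,
    "Employee Self Service": TrustLevel.NORMAL,
    "iStore Customer": TrustLevel.EXTERNAL,
}
NODES = {
    "ebsint01": ("intranet", TrustLevel.ADMINISTRATIVE),
    "ebsext01": ("dmz", TrustLevel.EXTERNAL),
    "ebsext02": ("dmz", TrustLevel.NORMAL),   # cloned node never re-tagged
}

if __name__ == "__main__":
    for level in TrustLevel:
        print(level.name, "->", responsibilities_for_node(level, RESPONSIBILITIES))
    print("DMZ nodes needing attention:", misconfigured_dmz_nodes(NODES))
```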
Steps to enable DMZ
5. Configure Reverse/Load Balancer Proxy (Conditional)
 A reverse proxy server is configured in front of the external application tier node, and it requires the Oracle E-Biz application tier nodes to be aware of the presence of the reverse proxy server.
 Modify the following parameters in the application tier context file for both the run and patch file systems.
Steps to enable DMZ
6. Remove references to Internal Node(s) in mod_wl_ohs.conf (Only for 12.2.x)
 When a node is added to an existing E-Biz instance, mod_wl_ohs.conf will have references to both primary and secondary nodes.
 We need to remove these references to make sure the external node does not refer to internal managed servers.
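A check for the leftover references described in step 6, added here as an example and not part of the original deck: it parses the WebLogicCluster/WebLogicHost targets per Location block in a constructed mod_wl_ohs.conf fragment, reports hosts that are not the external node, and rewrites the cluster lines. Hostnames and ports in the sample are invented.

```python
import re
from typing import Dict, List, Set

# Constructed sample mod_wl_ohs.conf fragment (hostnames and ports invented
# for this example): a freshly added external node still lists the internal
# node in every WebLogicCluster directive.
SAMPLE_CONF = """\
<Location /forms/lservlet>
  SetHandler weblogic-handler
  WebLogicCluster ebsint01.mydomain.com:7401,ebsext01.mydomain.com:7401
</Location>
<Location /OA_HTML>
  SetHandler weblogic-handler
  WebLogicCluster ebsint01.mydomain.com:7201,ebsext01.mydomain.com:7201
</Location>
<Location /OA_JAVA>
  SetHandler weblogic-handler
  WebLogicHost ebsext01.mydomain.com
  WebLogicPort 7201
</Location>
"""

_LOCATION_RE = re.compile(r"^\s*<Location\s+(\S+)\s*>", re.IGNORECASE)
_CLUSTER_RE = re.compile(r"^(\s*WebLogicCluster\s+)(\S+)(.*)$", re.IGNORECASE)
_HOST_RE = re.compile(r"^\s*WebLogicHost\s+(\S+)", re.IGNORECASE)


def backend_targets(conf_text: str) -> Dict[str, List[str]]:
    """Map each <Location> block to the backend targets it routes to
    (host:port entries of WebLogicCluster, or the bare WebLogicHost)."""
    targets: Dict[str, List[str]] = {}
    location = None
    for line in conf_text.splitlines():
        m = _LOCATION_RE.match(line)
        if m:
            location = m.group(1)
            targets.setdefault(location, [])
            continue
        if location is None:
            continue
        m = _CLUSTER_RE.match(line)
        if m:
            targets[location].extend(t.strip() for t in m.group(2).split(",") if t.strip())
            continue
        m = _HOST_RE.match(line)
        if m:
            targets[location].append(m.group(1))
    return targets


def _host_of(target: str) -> str:
    return target.split(":")[0].lower()


def internal_references(conf_text: str, external_hosts: Set[str]) -> Dict[str, List[str]]:
    """Targets, per Location, whose host is not one of the external node hosts.
    An empty result means the external node only forwards to itself."""
    allowed = {h.lower() for h in external_hosts}
    found: Dict[str, List[str]] = {}
    for location, tgts in backend_targets(conf_text).items():
        bad = [t for t in tgts if _host_of(t) not in allowed]
        if bad:
            found[location] = bad
    return found


def strip_internal_references(conf_text: str, external_hosts: Set[str]) -> str:
    """Rewrite WebLogicCluster lines so only external hosts remain; refuse to
    leave a Location with no target at all, since that would break routing."""
    allowed = {h.lower() for h in external_hosts}
    out = []
    for line in conf_text.splitlines():
        m = _CLUSTER_RE.match(line)
        if m:
            kept = [t for t in m.group(2).split(",") if _host_of(t) in allowed]
            if not kept:
                raise ValueError("no external target would remain in: " + line.strip())
            line = m.group(1) + ",".join(kept) + m.group(3)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    ext = {"ebsext01.mydomain.com"}
    print("internal references:", internal_references(SAMPLE_CONF, ext))
    print(strip_internal_references(SAMPLE_CONF, ext))
```

Run the check against the external node's run and patch file system copies of mod_wl_ohs.conf after each clone, since the next adcfgclone or autoconfig run can reintroduce the internal entries.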
12.1.x Vs 12.2.x
Area         | 12.1.x                                 | 12.2.x
Virtual Host | Can be set while running adcfgclone    | Cannot be set using adcfgclone; need to configure OHS
SSL          | Supports up to SHA-1                   | Supports SHA-2
SSH          | Does not require user equivalence      | Requires user equivalence
Apache       | No configuration change required       | Need to remove access to internal node(s) in mod_wl_ohs.conf
Best Practices
 Identify the network flow
 Preserve isolation as much as possible
 Practice good vulnerability management
 Make sure there is no way to directly request your web server, bypassing security filtering layers
 Audit your equipment
 Follow security best practices
 Monitor, monitor, monitor
Connect with Us
Web: www.appsassociates.com
Email: kalikishore.gomattam@appsassociates.com
YouTube: www.youtube.com/user/AppsAssociates
LinkedIn: www.us.linkedin.com/company/apps-associates
Twitter: @AppsAssociates
Facebook: www.facebook.com/AppsAssociatesGlobal
Thank You! @kgomattam

Weitere ähnliche Inhalte

Was ist angesagt?

Hyper-converged infrastructure
Hyper-converged infrastructureHyper-converged infrastructure
Hyper-converged infrastructure
Igor Malts
 
Red hat linux 9 ppt2003
Red hat linux 9 ppt2003Red hat linux 9 ppt2003
Red hat linux 9 ppt2003
ashishsjcit
 
Oracle WebLogic Server Basic Concepts
Oracle WebLogic Server Basic ConceptsOracle WebLogic Server Basic Concepts
Oracle WebLogic Server Basic Concepts
James Bayer
 

Was ist angesagt? (20)

Hyper-converged infrastructure
Hyper-converged infrastructureHyper-converged infrastructure
Hyper-converged infrastructure
 
Presentation about servers
Presentation about serversPresentation about servers
Presentation about servers
 
Active Directory
Active Directory Active Directory
Active Directory
 
Red hat linux 9 ppt2003
Red hat linux 9 ppt2003Red hat linux 9 ppt2003
Red hat linux 9 ppt2003
 
The Data Distribution Service
The Data Distribution ServiceThe Data Distribution Service
The Data Distribution Service
 
Introduction to virtualization
Introduction to virtualizationIntroduction to virtualization
Introduction to virtualization
 
VMware vSphere Performance Troubleshooting
VMware vSphere Performance TroubleshootingVMware vSphere Performance Troubleshooting
VMware vSphere Performance Troubleshooting
 
Automate DBA Tasks With Ansible
Automate DBA Tasks With AnsibleAutomate DBA Tasks With Ansible
Automate DBA Tasks With Ansible
 
Azure Virtual Desktop Overview.pptx
Azure Virtual Desktop Overview.pptxAzure Virtual Desktop Overview.pptx
Azure Virtual Desktop Overview.pptx
 
Automation with ansible
Automation with ansibleAutomation with ansible
Automation with ansible
 
IBM WebSphere Application Server version to version comparison
IBM WebSphere Application Server version to version comparisonIBM WebSphere Application Server version to version comparison
IBM WebSphere Application Server version to version comparison
 
4. install and configure hyper v
4. install and configure hyper v4. install and configure hyper v
4. install and configure hyper v
 
Windows Server 2012 Managing Active Directory Domain
Windows Server 2012 Managing  Active Directory DomainWindows Server 2012 Managing  Active Directory Domain
Windows Server 2012 Managing Active Directory Domain
 
Oracle WebLogic Server Basic Concepts
Oracle WebLogic Server Basic ConceptsOracle WebLogic Server Basic Concepts
Oracle WebLogic Server Basic Concepts
 
Microsoft Hyper-V
Microsoft Hyper-VMicrosoft Hyper-V
Microsoft Hyper-V
 
Azure vm introduction
Azure  vm introductionAzure  vm introduction
Azure vm introduction
 
Virtualization
VirtualizationVirtualization
Virtualization
 
Cloudstack for beginners
Cloudstack for beginnersCloudstack for beginners
Cloudstack for beginners
 
Introducing Azure Bastion
Introducing Azure BastionIntroducing Azure Bastion
Introducing Azure Bastion
 
WebSphere Application Server Family (Editions Comparison)
WebSphere Application Server Family (Editions Comparison)WebSphere Application Server Family (Editions Comparison)
WebSphere Application Server Family (Editions Comparison)
 

Andere mochten auch

Developer & Fusion Middleware 2 _ Michael Baggott _ Lead to order integration...
Developer & Fusion Middleware 2 _ Michael Baggott _ Lead to order integration...Developer & Fusion Middleware 2 _ Michael Baggott _ Lead to order integration...
Developer & Fusion Middleware 2 _ Michael Baggott _ Lead to order integration...
InSync2011
 

Andere mochten auch (13)

Role of DBAs in CLOUD ERA - AIOUG Hyd Chapter - Oracle Cloud Day
Role of DBAs in CLOUD ERA - AIOUG Hyd Chapter - Oracle Cloud DayRole of DBAs in CLOUD ERA - AIOUG Hyd Chapter - Oracle Cloud Day
Role of DBAs in CLOUD ERA - AIOUG Hyd Chapter - Oracle Cloud Day
 
Editioning use in ebs
Editioning use in  ebsEditioning use in  ebs
Editioning use in ebs
 
Developer & Fusion Middleware 2 _ Michael Baggott _ Lead to order integration...
Developer & Fusion Middleware 2 _ Michael Baggott _ Lead to order integration...Developer & Fusion Middleware 2 _ Michael Baggott _ Lead to order integration...
Developer & Fusion Middleware 2 _ Michael Baggott _ Lead to order integration...
 
Sharepoint 2013-applied architecture from the field v3 (public)
Sharepoint 2013-applied architecture from the field v3 (public)Sharepoint 2013-applied architecture from the field v3 (public)
Sharepoint 2013-applied architecture from the field v3 (public)
 
SharePoint 2013 Hosted-Apps (On-Premises) - Infrastructure Setup
SharePoint 2013 Hosted-Apps (On-Premises) - Infrastructure SetupSharePoint 2013 Hosted-Apps (On-Premises) - Infrastructure Setup
SharePoint 2013 Hosted-Apps (On-Premises) - Infrastructure Setup
 
SharePoint Fest Chicago 2014 - Anatomy of SharePoint and Office 365 Hybrid De...
SharePoint Fest Chicago 2014 - Anatomy of SharePoint and Office 365 Hybrid De...SharePoint Fest Chicago 2014 - Anatomy of SharePoint and Office 365 Hybrid De...
SharePoint Fest Chicago 2014 - Anatomy of SharePoint and Office 365 Hybrid De...
 
SharePoint Fest Chicago 2015 - Anatomy of configuring provider hosted add-in...
SharePoint Fest Chicago 2015  - Anatomy of configuring provider hosted add-in...SharePoint Fest Chicago 2015  - Anatomy of configuring provider hosted add-in...
SharePoint Fest Chicago 2015 - Anatomy of configuring provider hosted add-in...
 
Implementing cloud applications redefine your dimension
Implementing cloud applications   redefine your dimensionImplementing cloud applications   redefine your dimension
Implementing cloud applications redefine your dimension
 
Aman sharma hyd_12crac High Availability Day 2015
Aman sharma hyd_12crac High Availability Day 2015Aman sharma hyd_12crac High Availability Day 2015
Aman sharma hyd_12crac High Availability Day 2015
 
Dmz
Dmz Dmz
Dmz
 
Leverage integration cloud_service_for_ebs_
Leverage integration cloud_service_for_ebs_Leverage integration cloud_service_for_ebs_
Leverage integration cloud_service_for_ebs_
 
OOW15 - Advanced Architectures for Oracle E-Business Suite
OOW15 - Advanced Architectures for Oracle E-Business SuiteOOW15 - Advanced Architectures for Oracle E-Business Suite
OOW15 - Advanced Architectures for Oracle E-Business Suite
 
Oracle Cloud Day(IaaS, PaaS,SaaS) - AIOUG Hyd Chapter
Oracle Cloud Day(IaaS, PaaS,SaaS) - AIOUG Hyd ChapterOracle Cloud Day(IaaS, PaaS,SaaS) - AIOUG Hyd Chapter
Oracle Cloud Day(IaaS, PaaS,SaaS) - AIOUG Hyd Chapter
 

Ähnlich wie Dmz aa aioug

F5 Value For Virtualization
F5 Value For VirtualizationF5 Value For Virtualization
F5 Value For Virtualization
Patricio Campos
 

Ähnlich wie Dmz aa aioug (20)

Revised Adf security in a project centric environment
Revised Adf security in a project centric environmentRevised Adf security in a project centric environment
Revised Adf security in a project centric environment
 
Microsoft Cloud Services Licensing
Microsoft Cloud Services Licensing Microsoft Cloud Services Licensing
Microsoft Cloud Services Licensing
 
JavaOne 2015: CON 3437 - Smart Devices for the Internet of Things ...
JavaOne 2015: CON 3437 - Smart Devices for the Internet of Things ...JavaOne 2015: CON 3437 - Smart Devices for the Internet of Things ...
JavaOne 2015: CON 3437 - Smart Devices for the Internet of Things ...
 
Thinking about SDN and whether it is the right approach for your organization?
Thinking about SDN and whether it is the right approach for your organization?Thinking about SDN and whether it is the right approach for your organization?
Thinking about SDN and whether it is the right approach for your organization?
 
f5_synthesis_cisco_connect.pdf
f5_synthesis_cisco_connect.pdff5_synthesis_cisco_connect.pdf
f5_synthesis_cisco_connect.pdf
 
Cloud Expo New York: OpenFlow Is SDN Yet SDN Is Not Only OpenFlow
Cloud Expo New York: OpenFlow Is SDN Yet SDN Is Not Only OpenFlowCloud Expo New York: OpenFlow Is SDN Yet SDN Is Not Only OpenFlow
Cloud Expo New York: OpenFlow Is SDN Yet SDN Is Not Only OpenFlow
 
Pivotal Digital Transformation Forum: Cloud and Devops - The Reality
Pivotal Digital Transformation Forum: Cloud and Devops - The RealityPivotal Digital Transformation Forum: Cloud and Devops - The Reality
Pivotal Digital Transformation Forum: Cloud and Devops - The Reality
 
OOW15 - Installation, Cloning, and Configuration of Oracle E-Business Suite 12.2
OOW15 - Installation, Cloning, and Configuration of Oracle E-Business Suite 12.2OOW15 - Installation, Cloning, and Configuration of Oracle E-Business Suite 12.2
OOW15 - Installation, Cloning, and Configuration of Oracle E-Business Suite 12.2
 
F5 Networks: миграция c Microsoft TMG
F5 Networks: миграция c Microsoft TMGF5 Networks: миграция c Microsoft TMG
F5 Networks: миграция c Microsoft TMG
 
Em13c New Features- One of Two
Em13c New Features- One of TwoEm13c New Features- One of Two
Em13c New Features- One of Two
 
2596 - Integrating PureApplication System Into Your Network
2596 - Integrating PureApplication System Into Your Network2596 - Integrating PureApplication System Into Your Network
2596 - Integrating PureApplication System Into Your Network
 
Firewall friendly pipeline for secure data access
Firewall friendly pipeline for secure data accessFirewall friendly pipeline for secure data access
Firewall friendly pipeline for secure data access
 
Faster, simpler, more secure remote access to apps in aws
Faster, simpler, more secure remote access to apps in awsFaster, simpler, more secure remote access to apps in aws
Faster, simpler, more secure remote access to apps in aws
 
Enabling the-Connected-Car-Java
Enabling the-Connected-Car-JavaEnabling the-Connected-Car-Java
Enabling the-Connected-Car-Java
 
Enterprise serverless
Enterprise serverlessEnterprise serverless
Enterprise serverless
 
F5 Value For Virtualization
F5 Value For VirtualizationF5 Value For Virtualization
F5 Value For Virtualization
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present Dangers
 
Enterprise Apps Development 101
Enterprise Apps Development 101Enterprise Apps Development 101
Enterprise Apps Development 101
 
Discover Great Reasons to move to ConfigMgr 2012 SP1
Discover Great Reasons to move to ConfigMgr 2012 SP1Discover Great Reasons to move to ConfigMgr 2012 SP1
Discover Great Reasons to move to ConfigMgr 2012 SP1
 
Sviluppo IoT - Un approccio standard da Nerd ad Impresa, prove pratiche di Me...
Sviluppo IoT - Un approccio standard da Nerd ad Impresa, prove pratiche di Me...Sviluppo IoT - Un approccio standard da Nerd ad Impresa, prove pratiche di Me...
Sviluppo IoT - Un approccio standard da Nerd ad Impresa, prove pratiche di Me...
 

Mehr von aioughydchapter

Mehr von aioughydchapter (14)

veshaal-singh-ebs-oracle cloud(iaas+paas)
veshaal-singh-ebs-oracle cloud(iaas+paas)veshaal-singh-ebs-oracle cloud(iaas+paas)
veshaal-singh-ebs-oracle cloud(iaas+paas)
 
Oracle IaaS Overview - AIOUG Hyderabad Chapter
Oracle IaaS Overview - AIOUG Hyderabad ChapterOracle IaaS Overview - AIOUG Hyderabad Chapter
Oracle IaaS Overview - AIOUG Hyderabad Chapter
 
Oracle analytics cloud overview feb 2017
Oracle analytics cloud overview   feb 2017Oracle analytics cloud overview   feb 2017
Oracle analytics cloud overview feb 2017
 
Dg broker & client connectivity - High Availability Day 2015
Dg broker & client connectivity -  High Availability Day 2015Dg broker & client connectivity -  High Availability Day 2015
Dg broker & client connectivity - High Availability Day 2015
 
Aioug ha day oct2015 goldengate- High Availability Day 2015
Aioug ha day oct2015 goldengate- High Availability Day 2015Aioug ha day oct2015 goldengate- High Availability Day 2015
Aioug ha day oct2015 goldengate- High Availability Day 2015
 
Oracle rac cachefusion - High Availability Day 2015
Oracle rac cachefusion - High Availability Day 2015Oracle rac cachefusion - High Availability Day 2015
Oracle rac cachefusion - High Availability Day 2015
 
Getting optimal performance from oracle e business suite
Getting optimal performance from oracle e business suiteGetting optimal performance from oracle e business suite
Getting optimal performance from oracle e business suite
 
Ebs upgrade-to-12.2 technical-upgrade_best_practices
Ebs upgrade-to-12.2 technical-upgrade_best_practicesEbs upgrade-to-12.2 technical-upgrade_best_practices
Ebs upgrade-to-12.2 technical-upgrade_best_practices
 
Ebs12.2 online patching
Ebs12.2 online patching Ebs12.2 online patching
Ebs12.2 online patching
 
Query optimizer vivek sharma
Query optimizer vivek sharmaQuery optimizer vivek sharma
Query optimizer vivek sharma
 
Database and application performance vivek sharma
Database and application performance vivek sharmaDatabase and application performance vivek sharma
Database and application performance vivek sharma
 
Indexes overview
Indexes overviewIndexes overview
Indexes overview
 
AWR & ASH Analysis
AWR & ASH AnalysisAWR & ASH Analysis
AWR & ASH Analysis
 
Performance tuning intro
Performance tuning introPerformance tuning intro
Performance tuning intro
 

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 

Dmz aa aioug

  • 1. © Copyright 2015.Apps Associates LLC. 1 Demilitarized Zone in 12.2
  • 2. © Copyright 2015.Apps Associates LLC. 2 KaliKishore Gomattam Lead DBA Consultant – IMS @ Apps Associates @kgomattam
  • 3. © Copyright 2015.Apps Associates LLC. 3 Performance. Growth. Excellence. • Global Reach, Broad Service Profile • Founded in 2002, 600+ employees • US, Europe, India, Middle East • Service Offerings: Applications, CRM, Analytics, EPM, Cloud, Middleware, Application Development, App & Infrastructure Managed Services • Significant Investmentin R&D • Cloud (IaaS, PaaS, SaaS) • Business Process & SystemIntegration • Analytics & Big Data • Strategic Partnerships, Certifications, Credentials • Oracle Platinum Partner, Oracle Specialized Across Our Portfolio of Services • AWS Advanced Consulting Partner, Certified Managed Services Provider • Microsoft Certified • CMMI Level 3 & SSAE 16
  • 4. © Copyright 2015.Apps Associates LLC. 4 Agenda  Overview  What is DMZ  Why DMZ  Different Ways to Setup  High Level Steps to enable DMZ  How does it defer from 12.1  Best Practices
  • 5. © Copyright 2015.Apps Associates LLC. 5 Question !!! Why do we need to Expose Applications to Public ???
  • 6. © Copyright 2015.Apps Associates LLC. 6
  • 7. © Copyright 2015.Apps Associates LLC. 7
  • 8. © Copyright 2015.Apps Associates LLC. 8
  • 9. © Copyright 2015.Apps Associates LLC. 9 Risks  As Organizations,expose their Oracle Applicationout of privatenetwork, via HTTP/HTTPS, which will expose Oracle Applicationvia public network, which has following risks.  Entry point for attackers  Security information can be hacked  Expose internal Domain/network to external users.  Application Vulnerability
Solution is DMZ
• DMZ serves the purpose by restricting access to the application based on the type of user logging in (internal/external).
• DMZ, which stands for Demilitarized Zone, consists of the portions of a corporate network that lie between the corporate intranet and the Internet. The DMZ can be a single-segment LAN or it can be broken down into multiple regions.
• The main benefit of a properly configured DMZ is better security: in the event of a security breach, only the area contained within the DMZ is exposed to potential damage, while the corporate intranet remains somewhat protected.
DMZ with Oracle EBS
• When configuring Oracle E-Business Suite in a DMZ configuration, firewalls are deployed at various levels to ensure that only authorized traffic is allowed to cross the firewall boundaries.
• The firewalls ensure that if intrusion attempts against machines in the DMZ are successful, the intrusion is contained within the DMZ, leaving the machines in the intranet unaffected.
DMZ Architecture
• Oracle provides four different types of architectures:
  • DMZ Configuration With an External and Internal Application Tier
  • DMZ Configuration With a Reverse Proxy and an External Application Tier
  • DMZ Configuration With Internal and External Application Tiers in the Intranet Sharing the Application Tier File System
  • DMZ Configuration With Multiple Internal/External Application Tiers in the Intranet and DMZ
DMZ Architecture (Type 1): DMZ Configuration With an External and Internal Application Tier
[Diagram: external users on the Internet reach the external application tier in the DMZ through the DMZ external firewall; internal users on the intranet reach the internal application tier directly. Port legend: HTTPS 443, HTTP 8000, WLS 7001/7002, Node Manager 5556/5557, ICMP, SSH 22, SQLNET 1521.]
• Pros:
  • Simple configuration, with the external application tier configured in the DMZ for external users
  • Internal users access the internal application tier via the intranet
  • Restrict access to a limited set of Oracle Application responsibilities for users logging in via the Internet
  • Allow user access to only the Oracle E-Business Suite Release 12 products that can be deployed for Internet access
• Cons:
  • Need to expose the complete EBS suite to the external world
  • Cannot share the application tier file system between external and internal application tier nodes
DMZ Architecture (Type 2): DMZ Configuration With a Reverse Proxy and an External Application Tier
[Diagram: external users on the Internet reach a reverse proxy in the DMZ through the DMZ external firewall; the reverse proxy forwards to the external application tier behind the DMZ internal firewall; internal users on the intranet reach the internal application tier directly. Port legend: HTTPS 443, HTTP 8000, WLS 7001/7002, Node Manager 5556/5557, ICMP, SSH 22, SQLNET 1521.]
• Pros:
  • Restrict access to a limited set of Oracle Application responsibilities for users logging in via the Internet
  • Allow user access to only the Oracle E-Business Suite Release 12 products that can be deployed for Internet access
  • Mask external application tier details from external users with the use of a reverse proxy server
  • Terminate SSL connections at the reverse proxy if required
  • Implement a URL firewall on the reverse proxy server to restrict access
• Cons:
  • An additional server is required for the reverse proxy
  • Cannot share the application tier file system between external and internal application tier nodes
DMZ Architecture (Type 3): DMZ Configuration With Internal and External Application Tiers in the Intranet Sharing the Application Tier File System
[Diagram: external users on the Internet reach an external load balancer in the DMZ through the DMZ external firewall; the load balancer forwards through the DMZ internal firewall to the external application tier nodes in the intranet; internal users reach the internal application tier nodes through an internal load balancer. Port legend: HTTPS 443, HTTP 8000, WLS 7001/7002, Node Manager 5556/5557, ICMP, SSH 22, SQLNET 1521.]
• Pros:
  • Restrict access to a limited set of Oracle Application responsibilities for users logging in via the Internet
  • Allow user access to only the Oracle E-Business Suite Release 12 products that can be deployed for Internet access
  • The application file system can be shared among all nodes
  • Not required to open ports on the firewall
  • Load is balanced across multiple nodes
• Cons:
  • The load balancer is exposed to the external world
DMZ Architecture (Type 4): DMZ Configuration With Multiple Internal/External Application Tiers in the Intranet and DMZ
[Diagram: external users on the Internet reach an external load balancer in the DMZ through the DMZ external firewall; the load balancer forwards to external application tier nodes in the DMZ and, through the DMZ internal firewall, in the intranet; internal users reach the internal application tier nodes through an internal load balancer. Port legend: HTTPS 443, HTTP 8000, WLS 7001/7002, Node Manager 5556/5557, ICMP, SSH 22, SQLNET 1521.]
• Pros:
  • Restrict access to a limited set of Oracle Application responsibilities for users logging in via the Internet
  • Allow user access to only the Oracle E-Business Suite Release 12 products that can be deployed for Internet access
  • The application file system can be shared among all nodes
  • Load is balanced across multiple nodes
• Cons:
  • The load balancer is exposed to the external world
  • The application tier file system is not shared between external and internal application tier nodes
Application Access Flow
[Diagram sequence: an internal user opens http://internal.mydomain.com and reaches the EBS instance at 10.1.1.100 directly on the private network. An external user opens http://external.mydomain.com; the request reaches the proxy server at 54.100.200.100 on the public network, which forwards it to the EBS instance at 10.1.1.100 on the private network. Global DNS resolves external.mydomain.com to 54.100.200.100, while the local DNS resolves external.mydomain.com to 10.1.1.100.]
Steps to enable DMZ
• To enable DMZ using any of the four architectures, we need to perform some or all of the steps below, based on which architecture is selected:
  1. Patches required for DMZ configuration
  2. Clone the external node using adcfgclone.pl (Run & Patch)
  3. Update Hierarchy Type
  4. Update Node/Responsibility Trust Level
  5. Configure Reverse Proxy/Load Balancer (conditional)
  6. Remove references to internal node(s) in mod_wl_ohs.conf (only for 12.2.x)
Steps to enable DMZ
1. Patches required for DMZ configuration
• R12.AD.C.Delta.4 and R12.TXK.C.Delta.4
Note: See MOS Note 1617461.1 to apply the required patches. If an update patch for AD/TXK is available, apply it instead of the minimum code level mentioned under Patch Number/Min Code Level.
Steps to enable DMZ
2. Clone the external node using adcfgclone.pl (Run & Patch)
• When prompted, say "Yes" to add the node
• Enable "Web Entry Point" and "Web Application Services"
• Don't enable "Batch Processing Services"
Steps to enable DMZ
3. Update Hierarchy Type
• The following user profile options are used to construct various URLs in EBS
• By default, the hierarchy type value for these profile options is "Server type"
• An E-Biz environment for DMZ requires the hierarchy type of these profile options to be set to "SERVRESP"
• Run "$FND_TOP/patch/115/sql/txkChangeProfH.sql SERVRESP" on the run file system as the apps user
Steps to enable DMZ
4. Update Node/Responsibility Trust Level
• Oracle E-Biz has the capability to restrict access to a predefined set of responsibilities based on the application tier server from which the user logs in.
• This capability is achieved by tagging the application server with a trust level indicated by the Node Trust Level (NODE_TRUST_LEVEL) server profile option.
• Options:
  • Administrative: these servers are considered secure and provide access to any and all E-Biz functions.
  • Normal: users logging in from normal servers have access to only a limited set of responsibilities.
  • External: these servers have access to an even smaller set of responsibilities.
Steps to enable DMZ
5. Configure Reverse Proxy/Load Balancer (conditional)
• The reverse proxy server is configured in front of the external application tier node, and it requires the Oracle E-Biz application tier nodes to be aware of the presence of the reverse proxy server.
• Modify the following parameters in the application tier context file for both the run and patch file systems.
Steps to enable DMZ
6. Remove references to internal node(s) in mod_wl_ohs.conf (only for 12.2.x)
• When a node is added to an existing E-Biz instance, mod_wl_ohs.conf will have references to both the primary and secondary nodes.
• We need to remove these references to make sure the external nodes do not refer to internal managed servers.
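As an added example for step 6 (not code from the deck, Apps Associates or Oracle), a small Python audit that lists and strips internal-node endpoints from the WebLogicCluster directives in the external node's mod_wl_ohs.conf, so the DMZ tier cannot be routed to internal managed servers. The config fragment, directive layout and managed-server ports are constructed assumptions; only the host names internal.mydomain.com and external.mydomain.com come from the slides.

```python
import re
from typing import List, Tuple

# Constructed sample of the external (DMZ) node's mod_wl_ohs.conf right after
# adcfgclone.pl added it: each WebLogicCluster list still names the internal
# node. Hostnames follow the deck; the managed-server ports are assumed.
SAMPLE_CONF = """\
<IfModule mod_weblogic.c>
  <Location /OA_HTML>
    SetHandler weblogic-handler
    WebLogicCluster internal.mydomain.com:7201,external.mydomain.com:7201
  </Location>
  <Location /forms>
    SetHandler weblogic-handler
    WebLogicCluster internal.mydomain.com:7401,external.mydomain.com:7401
  </Location>
</IfModule>
"""

# A WebLogicCluster directive: (indent + keyword) (endpoint list) (trailer).
CLUSTER_RE = re.compile(r"^(\s*WebLogicCluster\s+)(\S+)(.*)$")

def _host(endpoint: str) -> str:
    """'host:port' -> 'host', lower-cased for comparison."""
    return endpoint.rsplit(":", 1)[0].lower()

def internal_refs(conf: str, internal_hosts: List[str]) -> List[str]:
    """Audit check: WebLogicCluster lines that still name an internal host."""
    internal = {h.lower() for h in internal_hosts}
    return [line.strip() for line in conf.splitlines()
            if (m := CLUSTER_RE.match(line))
            and any(_host(e) in internal for e in m.group(2).split(","))]

def strip_internal_nodes(conf: str, internal_hosts: List[str]) -> Tuple[str, List[str]]:
    """Drop internal endpoints from every WebLogicCluster list. Returns the
    rewritten config and the endpoints removed (for the change record)."""
    internal = {h.lower() for h in internal_hosts}
    out, dropped = [], []
    for line in conf.splitlines():
        m = CLUSTER_RE.match(line)
        if not m:
            out.append(line)
            continue
        keep = []
        for endpoint in m.group(2).split(","):
            (dropped if _host(endpoint) in internal else keep).append(endpoint)
        if not keep:  # refuse to leave a Location with no backend at all
            raise ValueError(f"no external endpoint left on: {line.strip()}")
        out.append(f"{m.group(1)}{','.join(keep)}{m.group(3)}")
    return "\n".join(out) + "\n", dropped
```

Run internal_refs against the live file after the edit (and after every autoconfig run) as the check that the internal references have not come back.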
12.1.x vs 12.2.x
Area          12.1.x                                  12.2.x
Virtual Host  Can be set while running adcfgclone     Cannot be set using adcfgclone; need to configure OHS
SSL           Supports up to SHA-1                    Supports SHA-2
SSH           Does not require user equivalence       Requires user equivalence
Apache        No configuration change required        Need to remove access to internal node(s) in mod_wl_ohs.conf
Best Practices
• Identify the network flow
• Preserve isolation as much as possible
• Practice good vulnerability management
• Make sure there is no way to directly request your web server, bypassing the security filtering layers
• Audit your equipment
• Follow security best practices
• Monitor, monitor, monitor
Connect with Us
Web: www.appsassociates.com
Email: kalikishore.gomattam@appsassociates.com
YouTube: www.youtube.com/user/AppsAssociates
LinkedIn: www.us.linkedin.com/company/apps-associates
Twitter: @AppsAssociates
Facebook: www.facebook.com/AppsAssociatesGlobal