In a Self Service or DMZ setup (from 11.5.10 onwards) you might have noticed a new configuration file, url_fw.conf, under $IAS_ORACLE_HOME/Apache/Apache/conf. In this post we'll look at why this file is needed, its building blocks, the mod_rewrite module of Apache, and the regular expressions the rules are written in.
Overview of url_fw.conf: why is it required?
This file is delivered by patch 3942483 (included in 11.5.10) and is included by the Apache/web server configuration file httpd.conf.
This file uses the mod_rewrite module of Apache to allow or block URLs matched by regular expressions.
What does this do? -> This file provides extra security for a DMZ or Self Service implementation that is accessible over the internet. Only the few URLs explicitly opened/allowed by this file are reachable; everything else is blocked, so internal URLs that should not be exposed to the internet stay protected even though the web server itself is reachable.
Why is url_fw.conf included? -> If the node trust level is marked as External (there are three node trust levels for a node: External, Internal and Administration), AutoConfig includes url_fw.conf in httpd.conf.
What is mod_rewrite and where to get more information -> mod_rewrite is the URL rewrite engine in Apache (on which Oracle HTTP Server, the web server in Apps, is based). mod_rewrite is a powerful tool for URL manipulation, for example to
- Restrict Access to directories and files
- Conditional redirection of access
- Relocating Servers, File System or Directories
- Regeneration of static pages based on HTTP Header Variable
For more information on the mod_rewrite module of Apache visit http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html
How to debug mod_rewrite issues?
If you think some URLs (a complete URL or a partial one such as a gif, jpg, html or jsp file) are being blocked by the URL firewall and you want to know exactly which file is blocked and by which rule, enable logging by adding the following directives to url_fw.conf:
RewriteLog "/your_log_directory/rewrite.log"
RewriteLogLevel 7
Logging is disabled by default. RewriteLogLevel ranges from 0 to 9 (0 means no logging; 9 logs practically every step mod_rewrite takes in the background). A sensible value while troubleshooting is 6 or 7: the log then shows which URL was blocked and by which rule, so if you decide the user should have access to that URL you can grant it by adding a new rule for that resource in url_fw.conf. Two practical caveats: the log directory must exist and be writable by the user the web server runs as, and you should set the level back to 0 once you are done, because high levels slow the server down noticeably and the log grows quickly on a busy site.
Sample url_fw.conf values and their meaning -
RewriteRule ^/$ /OA_HTML/AppsLocalLogin.jsp [R,L]
or
RewriteRule ^/OA_HTML/jsp/fnd/fndhelp.jsp$ - [L]
The first rule says: when the user types just / (i.e. nothing after hostname, domain name and port number), redirect the browser to /OA_HTML/AppsLocalLogin.jsp and stop applying any further rewrite rules.
In the second rule the substitution - means do nothing: the URL is passed through unchanged, i.e. the user gets the same URL as on the left-hand side, /OA_HTML/jsp/fnd/fndhelp.jsp, and because of L no later, more restrictive rule is applied to it. That is how the file allows a URL through the firewall.
The flags in [ ] at the end mean:
R - Redirect: send the browser an external HTTP redirect (302 by default) to the new URL, instead of rewriting it internally on the server
L - Last rule: stop processing here, no more rules are applied after this one
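To make the rule semantics and the "which rule blocked this URL" question from the debugging section concrete, here is an added Python example. It is not Oracle's url_fw.conf and not mod_rewrite itself: it models only the subset of mod_rewrite behaviour the URL firewall relies on (top-to-bottom matching against the URL path, the - substitution, and the R, L and G flags) and runs it over a small constructed conf. The conf contains the two rules quoted above plus extra allow rules and a final catch-all that answers 410 Gone; that catch-all is an assumption about how the default deny is expressed (the post lists a "Gone ... blocked by url Firewall" message), and the real file carries many more allow rules.

```python
"""Evaluate url_fw.conf-style RewriteRule allowlists against request paths.

Added example, not Oracle's url_fw.conf and not Apache's mod_rewrite code.
It models only the subset of mod_rewrite the URL firewall relies on:
rules are tried top to bottom against the URL path (query string excluded),
the pattern is an unanchored regex search, a substitution of '-' leaves the
path unchanged, [R] sends an external redirect, [L] stops processing and
[G] answers 410 Gone.
"""
import re
from typing import FrozenSet, List, Optional, Tuple

Rule = Tuple["re.Pattern[str]", str, FrozenSet[str]]

# Constructed sample conf: the two rules quoted in the post, a couple of
# extra allow rules, and a final catch-all deny. The catch-all returning
# 410 Gone is an assumption; the real file carries many more allow rules.
SAMPLE_URL_FW_CONF = r"""
# Bare site root: redirect to the login page
RewriteRule ^/$ /OA_HTML/AppsLocalLogin.jsp [R,L]
# Pages that must stay reachable from the internet
RewriteRule ^/OA_HTML/AppsLocalLogin.jsp$ - [L]
RewriteRule ^/OA_HTML/jsp/fnd/fndhelp.jsp$ - [L]
RewriteRule ^/OA_MEDIA/[A-Za-z0-9_/.-]+\.(gif|jpg|png)$ - [L]
# Anything not explicitly allowed above is blocked
RewriteRule .* - [G]
"""


def parse_rules(conf: str) -> List[Rule]:
    """Parse RewriteRule lines into (compiled pattern, substitution, flags)."""
    rules: List[Rule] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] != "RewriteRule" or len(parts) < 3:
            raise ValueError(f"unsupported line in conf: {line}")
        pattern, subst = parts[1], parts[2]
        flags: FrozenSet[str] = frozenset()
        if len(parts) > 3:
            # "[R=301,L]" -> {"R", "L"}; the "=value" part is dropped here
            flags = frozenset(f.split("=", 1)[0].upper()
                              for f in parts[3].strip("[]").split(","))
        rules.append((re.compile(pattern), subst, flags))
    return rules


def evaluate(rules: List[Rule], url: str) -> Tuple[str, Optional[str], List[str]]:
    """Return (outcome, resulting path, trace) for one request URL.

    The trace records which rule matched, in the spirit of what RewriteLog
    shows at level 6-7 when you are hunting for the rule that blocks a URL.
    """
    path = url.split("?", 1)[0]  # mod_rewrite matches the path, not the query
    trace: List[str] = []
    for n, (pat, subst, flags) in enumerate(rules, 1):
        if pat.search(path) is None:
            continue
        trace.append(f"rule {n} {pat.pattern!r} matched {path!r} flags={sorted(flags)}")
        if "G" in flags:
            return "410 Gone", None, trace
        if subst != "-":
            path = subst
        if "R" in flags:
            return "302 Redirect", path, trace
        if "L" in flags:
            return "200 Allowed", path, trace
    # No rule claimed the request: without a catch-all deny the URL falls
    # through untouched, i.e. the "firewall" fails open.
    return "200 Allowed", path, trace


def unanchored_allow_rules(rules: List[Rule]) -> List[str]:
    """Allow rules whose pattern has no trailing $ also match longer paths,
    e.g. ^/OA_HTML/x.jsp matches /OA_HTML/x.jspx and /OA_HTML/x.jsp/anything.
    Worth checking whenever a new allow rule is added to url_fw.conf."""
    return [pat.pattern for pat, _subst, flags in rules
            if "G" not in flags and not pat.pattern.endswith("$")]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_URL_FW_CONF)
    for req in ("/", "/OA_HTML/jsp/fnd/fndhelp.jsp?lang=US",
                "/OA_MEDIA/logo.gif", "/OA_HTML/jsp/fnd/fndhelp.jspx",
                "/OA_HTML/RF.jsp"):
        outcome, result, trace = evaluate(rules, req)
        print(f"{req:40} -> {outcome} {result or ''}")
        for entry in trace:
            print("   ", entry)
    print("allow rules without a trailing $:", unanchored_allow_rules(rules))
```

Two things the run makes visible that the two rules alone do not: the file only works as an allowlist because of the final deny rule (remove it and every unmatched URL passes through), and an allow pattern without a trailing $ opens more than the one page you meant, which is why the anchors in the regular expression tips below matter when you add rules.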
To understand the above rules you need to know regular expressions; here are a few tips on the meta characters used in them
1) . (dot) matches any single character
2) [] specifies a character class
i.e.
—> [a-z] matches any lower case character from a to z
—> [a-zA-Z0-9] matches any upper or lower case letter from a to z, or any digit 0 to 9
—> [abc$] matches a or b or c or $
—> [^0-9] matches any single character except a digit 0 to 9. Here ^ inside the brackets means negation
Meta Characters in Regular Expressions
^ -> Matches the start of a line (in url_fw.conf, the start of the URL path)
$ -> Matches the end of a line (in url_fw.conf, the end of the URL path; without it a pattern also matches any longer URL that merely begins with the text)
like
^appsdba -> Matches any line starting with appsdba
appsdba$ -> Matches any line ending with appsdba
^appsdba$ -> Matches any line which consist of just one word appsdba
Quantifiers for Characters (they apply to the character immediately before them)
–> ? matches zero or one instance of the preceding character
–> + matches one or more instances of the preceding character
–> * matches zero or more instances of the preceding character
For Example
appsdba? matches appsdb or appsdba
appsdba+ matches appsdba, appsdbaa, appsdbaaa and so on
appsdba* matches appsdb, appsdba, appsdbaa, appsdbaaa and so on
A few error messages related to the URL firewall are
– Access to requested URL has been blocked by the url firewall
– Gone URL you are looking for is blocked by url Firewall
– Error in opening up attachments or date picker in iStore, iRec, iProc
– FW-1 at Firewall-2: Access denied (note: this one is the wording of a Check Point FireWall-1 network firewall rather than of url_fw.conf, so if you see it, check the network path in front of the web server as well as the rewrite rules)
For more information on DMZ and E-Business Suite visit Steven Chan’s post at
http://blogs.oracle.com/schan/2006/05/17
HAPPY LEARNING!