DMZs, SSL and RAC for OracleAS 10g + Release 11i

I know that many of you have been waiting for this announcement for a long time, so it's a real pleasure (and relief) to be able to tell you that Build 4.0 is finally here.

A new version of the OracleAS 10g integration with the E-Business Suite has been released for use with ATG Family Pack H Rollup 4.  This long-awaited integration patch, also known as Build 4.0, includes full support for three additional configurations:  DMZs, RAC, and SSL.

Demilitarized Zones and OracleAS 10g Integrations

In prior releases, there were a number of challenges to integrating an OracleAS 10g instance with an E-Business Suite environment deployed in a demilitarized zone (DMZ) configuration with multiple web entry points.  Some awkward workarounds existed, but they were incomplete, technically clumsy, and didn't work consistently in all circumstances.

With this latest release, full support for OracleAS 10g + E-Business Suite + DMZ configurations is now available.  This release allows you to register multiple E-Business Suite application servers (e.g. internal and external Oracle9i Application Server instances) with an OracleAS 10g and Single Sign-On instance, supporting the proper redirection of traffic to the appropriate server after authentication. 

This means that architectures like this are now fully supported:

DMZ + OracleAS 10g + E-Business Suite Architecture:

Registration with SSL-Enabled Oracle Internet Directory Hosts

In prior releases, it wasn't possible to register your E-Business Suite environment with an Oracle Internet Directory host deployed in a Secure Sockets Layer (SSL) configuration.

In this latest release, if your Oracle Internet Directory host is configured for SSL-enabled LDAP operations, you can use wallets in Oracle Wallet Manager to secure all LDAP operations.

Oracle Internet Directory Integration with RAC-Enabled Release 11i Databases

In prior releases, if your E-Business Suite database was configured to use Real Application Clusters (RAC), the synchronisation of user information between Oracle Internet Directory and FND_USER was handled by a specific database server in your RAC cluster.

If that database node failed, the synchronisation of user attributes between Oracle Internet Directory and the E-Business Suite wouldn't failover to other database server nodes.  Updates of user information in either direction would be suspended until the designated RAC database node came back online.

In this latest release, the E-Business Suite RAC service name is used when registering the Release 11i instance with Oracle Internet Directory.  All user synchronisation events are handled by the E-Business Suite RAC cluster now, so if a given RAC node fails, synchronisation of user information will continue as long as other RAC nodes are still running.



This is a wonderful news,atleast three of our customers were waiting on this one.
Kudos to the team!!

Posted by Sam on August 24, 2006 at 08:53 PM PDT #

Unfortunaly, "Enabling SSL with Oracle Application Server 10g and the E-Business Suite (Note 340178.1)" is not available for publics.

Posted by Dmitry Stepanov on August 24, 2006 at 09:32 PM PDT #


Do you know when the white paper "Integrating Oracle E-Business Suite Relese 11i with Oracle Internet Directory and Oracle Single Signon" (available via Metaling Note 261914.1) is to be updated for the new Build 4.0?

Many thanks - great blog!

Brian Millar

Posted by Brian Millar on August 25, 2006 at 01:26 AM PDT #

Brian,Thanks for the feedback.  All of the major changes for Build 4.0 -- i.e. the new support for
SSL-enabled OID instances, RAC-enabled 11i databases, and DMZs/multiple
web-entry points -- are described in Appendix C of Note 233436.1.There are some minor updates queued up for Note 261914.1, but these are primarily minor documentation bugs that need to be corrected.  I don't have a schedule for that yet, but I'll post an update here when it's released.Regards,Steven

Posted by Steven Chan on August 25, 2006 at 02:44 AM PDT #

Dmitry,That Note has now been externally-published.  Please let me know if you have any trouble accessing it now.Regards,Steven 

Posted by Steven Chan on August 25, 2006 at 04:20 AM PDT #

Steven, I was looking for the 11i architecture with 10Grac in your sites and in Metalink as well. There was no white paper at all for our architecture. We have 8 linux servers for the conc&web merged tier and we have the database on UNIX. We are planning to use RAC (with 2 nodes). Is it possible to configure 11i to always use a virtual host for the database and use some kind of load balance between the two instances?

Posted by Andras on September 12, 2006 at 02:57 AM PDT #

Andras,I'm not sure I understand some of the assumptions underlying your question.  When you configure your E-Business Suite database to use RAC, the E-Business Suite communicates with the database via a service ID that represents the RAC cluster. The RAC cluster automatically and transparently load-balances database traffic between all registered RAC nodes.  You don't need an additional third-party load-balancer to do this.If that doesn't answer your question, feel free to elaborate.Regards,Steven 

Posted by Steven Chan on September 12, 2006 at 03:48 AM PDT #

And does this mean there will be a virtual host

Posted by Andras on September 14, 2006 at 11:44 PM PDT #

When I check the notes about RAC&11i it seems the tnsnames.ora should contain the rac node1 and node2 and the port. But what you are talking about is a single virtual host, right? I try to be more direct. Now tnsnames.ora contains
( If we add the node1 and create a RAC how will be the tnsnames.ora look like?
many thanks,

Posted by Andras on September 14, 2006 at 11:56 PM PDT #

For RAC the virtual hostname support is for listener and tns entries. With this the new listener.ora and tnsnames.ora will contain the virtual hostnames corresponding to each physical hostnames for the database nodes in the cluster.These virtual hosts must be defined as resources to the CRS while configuring the RAC.
Please see Note362135.1 for more details and sample files with virtual hostnames.

Posted by Pranjal Deosthali on September 17, 2006 at 07:55 PM PDT #

ok, thanks. Now we have HP ServiceGuard between the two node, and we have one virtual hostname for this package. If we migrate it to RAC with O ClusterWare. Could we have this one global virtual hostname? In this case there would be no need to change any third-party software's tnsnames.ora.

Posted by Andras on September 18, 2006 at 12:05 AM PDT #

Hi, Phani,I'm afraid that I'm not the right person to comment on licencing issues.  That's definitely something that you'll want to discuss with your Oracle account team.Regards,Steven 

Posted by Steven Chan on March 07, 2007 at 04:22 AM PST #

Hi Steven,

I am sure these questions need to check with sales person, but i want to know if you come across before.

Q. We have HR self service responsibility setup on DMZ nodes, do we need oracle license for those nodes?


Posted by Phani K on March 07, 2007 at 05:33 AM PST #


Do you have any comments on the preferred technology to use for configuring the Reverse Proxy Server (i.e. Native Apache Server or AS10g) from a simplicity perspective, that you have depicted in your diagram. Given the requirements for SSO Authentication to the same server for both intranet and internet users, I think using a reverse proxy server is really the only choice when AS10g is in the mix.

I know there is some discussion of this on Metalink, but this still seems to be really poorly documented. Sample configuration files for either technology would be helpful.

Thanks again for this Blog, it is a great resource to the Oracle community.

Posted by Dan Dunlap on March 29, 2008 at 03:25 PM PDT #

Dan,Glad to hear that you're finding this blog useful.E-Business Suite customers use a fairly wide range of technologies for their reverse proxy requirements.  Some customers use dedicated and specialized networking devices (e.g. from F5 and Cisco), while other customers use software-based solutions such as Apache, Oracle HTTP Server (based on Apache), Microsoft IIS, and others.We don't really have any strong opinions on either major approach, let alone the selection of specific options within each category.  Given the plethora of available options, we've found it a bit tricky to offer samples of configuration files.Specialized networking devices bring along other security and load-balancing capabilities, which I know some customers swear by.  Software solutions are cheap or even "free" (for open source options like Apache), which makes for a compelling argument for some customers. I think that the selection of the appropriate technology would depend upon your client's security requirements, projected load, enterprise networking standards, and perhaps most importantly, their level of expertise in deploying these types of solutions.  Best of luck with your analyses.Regards,Steven 

Posted by Steven Chan on April 02, 2008 at 06:13 AM PDT #

Post a Comment:
  • HTML Syntax: NOT allowed


« July 2016