Deploying Oracle Application Server with ZXTM
1. Deploying Oracle Application Server with ZXTM
Accelerating and managing an Oracle AS Cluster with ZXTM

Zeus Technology Limited (UK)
The Jeffreys Building, Cowley Road, Cambridge CB4 0WS, United Kingdom
Tel: +44 (0)1223 525000

Zeus Technology (US)
1955 Landings Drive, Mountain View, CA 94043, United States
Tel: +1 650 965 4627

Email: info@zeus.com
Web: http://www.zeus.com

Contents
Introduction
Prerequisites
Topology
Basic Configuration
Create a Traffic IP Group
Create a new service
Passing the client IP to Oracle
Enabling Session Persistence
Monitoring Application Cookies
URL Rewriting Persistence
Load Balancing Algorithms
2. JSESSIONID cookie which can be used by ZXTM to ensure that all requests with this session are sent back to the same node. If the client does not accept the cookie, encodeURL will append the jsessionid to the URL and separate it from the real path by using a colon, e.g.

    http://some.web.server/some/path;jsessionid=xxxxxxxxx

Monitoring Application Cookies
Go to Services > Pools > your Oracle AS cluster and click on the Session Persistence link. Click the Create New Session Persistence Class link and create a class named jsessionid_cookie. Set this class to Monitor Application Cookies and set the cookie name to JSESSIONID.

[Screenshot: "Monitor application cookies: monitor a specified application cookie to identify sessions". Cookie: JSESSIONID]

Leave the failure mode set to "choose a new node to use". This will cause ZXTM to send the request to a different node if the persistent node isn't available.

URL Rewriting Persistence
Configuring URL Rewriting Persistence is a two-stage process. First, a persistence class using Universal Session Persistence must be created, and then two TrafficScript rules written that detect a rewritten URL, extract the JSESSIONID from it and persist on this ID.

To create the session persistence class, go to Catalogs > Persistence and create a new class called url_rewriting. Set this class to use the Universal Session Persistence method and failure mode of "choose a new node to use" a
3. following directive in your httpd.conf:

    UseWebCacheIp On

Once that is set, you can use the following TrafficScript rule to add this header to all incoming connections:

    # Set the remote address in the CLIENTIP header.
    # setHeader replaces any CLIENTIP value supplied by the client.
    http.setHeader( "CLIENTIP", request.getRemoteIP() );

Enabling Session Persistence
Oracle application server can manage session replication internally within the cluster. To make use of this you should follow the J2EE specifications and refer to the instructions in the Oracle enterprise manager (ascontrol) when deploying your application.

If for some reason you cannot make use of Oracle's internal session management, or you choose not to use it for reasons of efficiency or speed, you can use ZXTM to ensure clients with sessions are always directed to the same server. The best method for doing this with Oracle AS is to use a combination of the following persistence classes:

1. Monitor Application Cookie
2. URL rewriting

This combination is suggested because it will catch clients both with and without cookies enabled.

Note: This will only work for browsers without cookies if you are using the J2EE encodeURL method from the HttpServletResponse class to generate your URLs. This method will detect clients with cookies disabled and encode the session information inside the URL it generates.

When you create a session the application server will set a
4. same virtual server page.

[Screenshot: Virtual Server "Oracle Cluster", SSL Decryption settings: ssl_decrypt (Yes/No) and certificate selection, showing a self-signed certificate expiring 20 Dec 2007]

Once you click Update, your virtual server is set up and ready to decrypt incoming SSL connections. If you also want to pass on SSL variables, you can do this by setting the ssl_headers option to yes in the SSL Decryption section.

Configuring Oracle to recognise SSL Offloading
In your Oracle HTTP Server configuration you need to add the following directive for Unix:

    LoadModule certheaders_module libexec/mod_certheaders.so

Or for Windows:

    LoadModule certheaders_module modules/ApacheModuleCertHeaders.dll

Then in the main server config, virtual host or location you need to add the following directive:

    AddCertHeader HTTPS

Note: This information was taken from the Oracle HTTP server administrator's guide
5. this service Oracle cluster.

[Screenshot: "Manage a new Service" wizard at https://zxtmva1.techserv.cam.zeus.com:9090, step 3 of 4 (specify the back-end nodes). Nodes: rhelserv1.techserv.cam.zeus.com:7777, rhelserv2.techserv.cam.zeus.com:7777]

On the next screen we need to add all the Oracle AS cluster members as nodes. Click Next to review the configuration and finish the set-up. You will then need to go to Services > Virtual Servers > Oracle Cluster and bind the service to the Traffic IP Group created earlier.

Your Oracle Cluster service should now be running. You can return to the home page of the ZXTM and the green play button should be highlighted next to your new service, Oracle Cluster.

[Screenshot: Oracle Cluster service, HTTP port 80, Default Pool]

Passing the client IP to Oracle
In order to have the Oracle application server log the real IP of the client, and make that IP available to standard J2EE methods such as getRemoteAddress, you will need to configure the OHS to retrieve the client IP address from a CLIENTIP host header. To do this you need to set the
6. OAS version 10G Release 2, section 8.11, mod_certheaders. In more recent versions of the library the information appears to be missing. However, the functionality is still available in OAS version 10G Release 3.

http://download-uk.oracle.com/docs/cd/B14099_19/web.1012/b14007/confmods.htm

Once that is done, you need to add some TrafficScript to your ZXTM so that it adds a header to requests which come in over SSL:

    # Set the SSL-HTTPS header so that Oracle knows this request came in over SSL
    if( ssl.isSSL() ) {
       http.setHeader( "SSL-HTTPS", "true" );
    } else {
       # Plain HTTP: drop any SSL-HTTPS header supplied by the client
       http.removeHeader( "SSL-HTTPS" );
    }

Using and protecting Enterprise Manager
The main server in the Oracle HTTP Server runs the Oracle Enterprise Manager (EM), and any security-conscious administrator will want to restrict who can access that service. ZXTM can allow you to access the Enterprise Manager through ZXTM while protecting it from unauthorized users or, if you prefer, deny access completely. Denying access is simple; however, if you want to allow restricted access to the console, we have to overcome a few hurdles first.

The Enterprise Manager only runs on one of the cluster members, so our service must ensure we always connect to that node. The Enterprise Manager will also send redirects if the HTTP host header does not match the server name, so we also need to ensure we use the correct host name when we connect to i
7. SSL Offload
Enabling SSL decryption on ZXTM
Configuring Oracle to recognise SSL Offloading
Using and protecting Enterprise Manager
Deny All Access to the EM console
Allow restricted access to EM console
Create a new service on port 7777
Create a new protection class
Redirect /em to the new virtual server
Rewrite incoming host header
Further protection options
Copyright
Contact Information
8. esolves to the virtual server IP address.

Copyright
© Zeus Technology Limited 2007. Copyright in this document belongs to Zeus Technology Limited. All rights are reserved.

Trademarks
Zeus Technology, the Zeus logo, Zeus Web Server, Zeus Load Balancer, Zeus Extensible Traffic Manager, ZXTM and associated logos and abbreviations, TrafficScript, TrafficCluster and RuleBuilder are trademarks of Zeus Technology Limited. Other trademarks may be owned by third parties.

Contact Information
If you would like to learn more about any of the topics covered by this white paper, please feel free to contact us for more information. You can reach us in a variety of ways.

By Email
For general enquiries: info@zeus.com
For commercial and technical enquiries: sales@zeus.com
For reseller information: partners@zeus.com
For press and public relations information: press@zeus.com

By Telephone
Zeus Technology UK: +44 (0)1223 525000
Zeus Technology US: +1 650 965 4627
Fax: +44 (0)1223 525100

By Post or in Person
Zeus Technology Limited, The Jeffreys Building, Cowley Road, Cambridge CB4 0WS, United Kingdom
Zeus Technology, 1955 Landings Drive, Mountain View, CA 94043, United States

Our web site contains a wealth of information on our products, services and solutions, as well as customer case studies and press information. For more information please visit http
9. f the highly optimised SSL engine of ZXTM. A potential issue with this solution arises when you want your application to know when the connection is secured. Oracle HTTP Server provides a module called mod_certheaders which can be used to tell your application that the link between ZXTM and the client was secure.

Enabling SSL decryption on ZXTM
ZXTM can support HTTPS as the internal protocol, but when you are using SSL Offloading ZXTM will still process the encapsulated HTTP. For this reason, an SSL offloading service should be created in the same way you created the HTTP service, using the HTTP protocol but port 443 instead of 80. You can either create a new virtual server which uses the same pool as the HTTP server or, if you want all traffic over HTTPS, you can modify the previously created Oracle Cluster virtual server to use the HTTPS port 443.

[Screenshot: Basic Settings (the internal virtual server protocol used for traffic inspection, the port and IP addresses the virtual server listens on, and the default pool). Name: Oracle Cluster; Internal Protocol: HTTP; Port: 443; Default Traffic Pool: Oracle Cluster; Listening on: All IP addresses / Traffic IP Groups / Domain names and IP addresses]

Once you have modified the port and clicked on the Update button at the bottom of the page, you will want to enable SSL decryption. This is under its own heading on the
10. nd click Update to finish. Note that you should not associate the url_rewriting class with any particular pool; the TrafficScript rule below will associate it with a request as and when it is required.

Now go to Services > Virtual Servers > your Oracle AS Cluster > Rules and click the Manage Rules in Catalog link in the Add New Request Rule section. Create a new TrafficScript rule called url_rewriting persistence, paste the following into the rule's text box and click Update. Note that the argument to connection.setPersistence must match the name of the persistence class you created above.

    # Don't need to do this if we can persist on a cookie
    $cookie = http.getCookie( "JSESSIONID" );
    if( $cookie ) break;

    # Look for the ;jsessionid=<id> parameter that encodeURL appends to the path
    $url = http.getRawURL();
    if( string.regexmatch( $url, ";jsessionid=([^;?]+)" ) ) {
       $sessionid = $1;
       connection.setPersistence( "url_rewriting" );
       connection.setPersistenceKey( $sessionid );
    }

Finally, create a new response rule. Go to Services > Virtual Servers > your Oracle AS Cluster > Rules and click the Manage Rules in Catalog link in the Add New Response Rule section. Create a new TrafficScript rule called url_rewriting response, cut and paste the following into the rule's text box and click Update.

    # We're only interested in intercepting html responses
    $contenttype = http.getResponseHeader( "Co
11. [Screenshot, continued: no Banned IPs yet; add banned IP 0.0.0.0/0]

Create a connection class called Oracle Admin and in Access restrictions add 0.0.0.0/0 to the banned list. Then add the IP addresses you want to allow into the allowed list.

Redirect /em to the new virtual server
You now need to redirect all requests for the path /em to go to the new virtual server running on port 7777. To do this, simply create a TrafficScript rule on the Oracle Cluster virtual server to send an HTTP redirect:

    $path = http.getPath();
    if( string.startsWith( $path, "/em" ) ) {
       # Reuse the host name the client asked for, on the admin port
       $hostheader = http.getHostHeader();
       http.redirect( "http://" . $hostheader . ":7777/em" );
    }

Rewrite incoming host header
For the Enterprise Manager to work, the incoming request needs to have a host header that matches the server name of the Oracle server. If it does not, you will need to use TrafficScript to rewrite the host header on the Oracle Admin service:

    # Set the host header to the name of the Oracle cluster controller
    http.setHeader( "Host", "rhelserv1.techserv.cam.zeus.com" );

Further protection options
The Protection classes available in ZXTM can use more than just IP addresses to make access decisions. You could use a TrafficScript rule to decide if the access should be granted. For example, you could write a script to only allow access if the Host header matches a certain string. You would then add a hosts entry on the client for my secret server host name string that r
12.
    ntent-Type" );
    if( ! string.startsWith( $contenttype, "text/html" ) ) break;

    # Don't need to do this if we can persist on a cookie
    $cookie = http.getCookie( "JSESSIONID" );
    if( $cookie ) break;

    # Persist on the session ID that the node wrote into its rewritten links
    $body = http.getResponseBody();
    if( string.regexmatch( $body, ";jsessionid=([^\"?;]+)" ) ) {
       $sessionid = $1;
       connection.setPersistence( "url_rewriting" );
       connection.setPersistenceKey( $sessionid );
    }

As mentioned above, you can safely use (and we recommend that you use) the Monitor Application Cookies and URL Rewriting methods together, to ensure that session persistence works regardless of whether or not clients have cookies enabled.

Load Balancing Algorithms
By default, a newly created pool will use a simple round robin algorithm. This takes no account of the load on the back-end servers, and so it is recommended that one of the more sophisticated algorithms is used. The optimal choice will depend on the application being run. See section 5.2.1 of the ZXTM User Manual for details of each algorithm. The Least Connections algorithm is a sensible default for a typical Oracle AS deployment; set it on the Services > Pool > Your Oracle Cluster Pool > Load Balancing page.

SSL Offload
You may use ZXTM to terminate (off-load) any incoming SSL connections. This reduces the load on your application server by making use o
13. ology.

In the Active-Active scenario, all Oracle cluster members are load balanced by ZXTM and will therefore require some session management. If your application does not make use of Oracle session replication, ZXTM can manage this for you using session persistence classes. The benefits of using ZXTM this way can be in speed and efficiency, because the application server does not need to replicate any state information. However, a node failure will result in the loss of all sessions persisted to the node that failed.

In an Active-Passive scenario, ZXTM will send all traffic to the active node and only fail over to the passive node when the active node fails. In this configuration Oracle recommend you use some form of shared storage which is mounted on the active node. You therefore need to have some way of remounting the shared storage on to the other node when a failure occurs. Please read the Oracle Application Server High Availability guide for more information on Active-Passive topologies.

[Diagram: ZXTM appliances zxtmva1 and zxtmva2 in front of Oracle AS servers rhelserv1 and rhelserv2]

In our environment we have two ZXTM appliances, zxtmva1 and zxtmva2. We also have two Oracle AS servers installed on a supported Linux platform, rhelserv1 and rhelserv2. We used the default install options and our Oracle HTTP Server is listening on TCP port 7777.

http://download-uk.oracle.com/docs/cd/B31017_01/core.1013/b28941/toc.htm

Basic Configu
14. ration
To set up a simple service to load balance traffic across your Oracle Cluster, you would perform the following actions:

1. Create a traffic IP group. This is a group of IP addresses which will be used to host the web application.
2. Create a new service for your Oracle AS cluster using the Traffic IP group.

Create a Traffic IP Group
[Screenshot: Create a Traffic IP Group form. Name: Oracle Cluster; Traffic Managers: zxtmva1.techserv.cam.zeus.com (10.100.9.126), zxtmva2.techserv.cam.zeus.com (10.100.9.127); IP Addresses: www.xxx.yyy.zzz]

Go to Services > Traffic IP Group and create a new traffic IP group containing the external IP address(es) to which the host names of your websites resolve. The example group is named Oracle Cluster.

Create a new service
[Screenshot: "Manage a new Service" wizard at https://zxtmva1.techserv.cam.zeus.com:9090, step 2 of 4 (specify the service). Name: Oracle Cluster; Protocol: HTTP; Port: 80]

We will use the Manage a new service wizard to manage a new virtual server and pool. We want to manage a new service using protocol HTTP and port 80. We can call
15. Introduction
This document describes how to configure ZXTM to manage a cluster of Oracle Application servers. We will discuss load balancing the cluster members for reliability, offloading SSL connections to ZXTM for speed and efficiency, using ZXTM to manage session persistence, and securing the Oracle Enterprise Manager administration tool.

Prerequisites
• ZXTM version 4.0 or later is required
• Oracle Application Server 10g

This document will assume that you have already installed and configured your Oracle Application Server Cluster using the Oracle documentation available from their web site. It is also assumed the reader has installed ZXTM on one or more machines in front of this cluster. For help with the initial set-up of ZXTM you may refer to the getting started guide available from the Zeus website.

http://www.oracle.com/technology/documentation/appserver.html
http://knowledgehub.zeus.com/media/getting_started.pdf

Topology
Oracle clustering supports two high availability topologies. They are Active-Active and Active-Passive. This guide will address the more scalable configuration of the Active-Active top
16. t. Before we discuss how to achieve that, we will discuss the simpler option of denying access completely.

Deny All Access to the EM console
If you don't require access to ascontrol through the ZXTM, you can simply deny access to that path with the following TrafficScript:

    $path = http.getPath();
    if( string.startsWith( $path, "/em" ) ) {
       # Refuse the request without passing it to a node
       connection.close( "HTTP/1.0 403 Forbidden\r\n\r\n" );
    }

Allow restricted access to EM console
If you would like to allow access through the ZXTM but protect the service with a protection class, you would perform the following actions.

Create a new service on port 7777
[Screenshot: "Manage a new Service" wizard at https://zxtmva1.techserv.cam.zeus.com:9090, step 4 of 4. Description: Oracle Admin; Protocol: http; Port: 7777; Nodes: rhelserv1.techserv.cam.zeus.com]

This service should only have one node: your cluster manager.

Create a new protection class
[Screenshot: Access Restrictions. "ZXTM can be configured to accept or reject connections from a set of IP addresses." No Allowed IPs yet; add allowed IP 192.168.1.0/24]
17. www.zeus.com

knowledgehub.zeus.com
The ZXTM KnowledgeHub is a key resource for developers and system administrators wishing to learn about ZXTM and Zeus Traffic Management solutions. It is located at http://knowledgehub.zeus.com
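
The session persistence behaviour described in the Enabling Session Persistence and URL Rewriting Persistence sections (cookie first, rewritten URL as fallback, failure mode "choose a new node to use") can be modelled as follows. This is an added Python example, not code from Zeus or from the original guide; PersistenceModel, its learn and route methods and the sample requests are hypothetical, and the model simplifies ZXTM by keeping a single table keyed on the session ID.

```python
import re
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# encodeURL() puts ";jsessionid=<id>" after the path and before any "?query".
JSESSIONID_IN_PATH = re.compile(r";jsessionid=([^;/?#]+)", re.IGNORECASE)


def persistence_key(raw_url, cookie_header=""):
    """Return (persistence_class, session_id) for a request, or None."""
    cookies = SimpleCookie()
    cookies.load(cookie_header or "")
    if "JSESSIONID" in cookies and cookies["JSESSIONID"].value:
        # Cookie present: the URL rule stops early and the cookie class applies.
        return ("jsessionid_cookie", cookies["JSESSIONID"].value)
    match = JSESSIONID_IN_PATH.search(urlsplit(raw_url).path)
    if match:
        return ("url_rewriting", match.group(1))
    return None


class PersistenceModel:
    """Hypothetical, simplified model; it is not ZXTM's implementation."""

    def __init__(self, nodes):
        self.nodes = list(nodes)
        self.alive = set(self.nodes)
        self.table = {}  # session_id -> node that issued the session
        self._turn = 0

    def _pick(self):
        # Round robin over the nodes that are currently up.
        for _ in range(len(self.nodes)):
            node = self.nodes[self._turn % len(self.nodes)]
            self._turn += 1
            if node in self.alive:
                return node
        raise RuntimeError("no node available")

    def learn(self, session_id, node):
        """Response side: remember which node issued this session."""
        self.table[session_id] = node

    def route(self, raw_url, cookie_header=""):
        """Return (node, session_lost) for one request."""
        found = persistence_key(raw_url, cookie_header)
        if found is None:
            return self._pick(), False
        owner = self.table.get(found[1])
        if owner in self.alive:
            return owner, False
        # Unknown key or failed owner: choose a new node. If an owner was
        # known, its session state is gone unless Oracle replicates sessions.
        node = self._pick()
        self.table[found[1]] = node
        return node, owner is not None


def demo():
    """Constructed traffic against the two node names used in this guide."""
    lb = PersistenceModel(["rhelserv1:7777", "rhelserv2:7777"])
    first, _ = lb.route("/shop/index.jsp")   # no session yet
    lb.learn("A1B2C3", first)                # that node issued A1B2C3
    with_cookie = lb.route("/shop/cart.jsp", "JSESSIONID=A1B2C3; lang=en")
    no_cookie = lb.route("/shop/cart.jsp;jsessionid=A1B2C3?item=4")
    lb.alive.discard(first)                  # the owning node fails
    after_failure = lb.route("/shop/cart.jsp;jsessionid=A1B2C3?item=4")
    return first, with_cookie, no_cookie, after_failure
```

The last value returned by demo() shows the Active-Active trade-off from the Topology section: the request is still served by the surviving node, but the session that lived on the failed node is flagged as lost.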