OHS Reverse proxy discussion

OHS Reverse proxy in OIM High Availability environment

Nitin Natekar (Rookie)
Hi Security folks,

I need one suggestion related to configuring an OHS reverse proxy in an OIM HA environment. I have an external and an internal load balancer. My OHS is configured in the DMZ area. It is a reverse proxy to my WebLogic as well as OIM managed servers. All managed servers (OIM and SOA) are in clustered mode. OIM self service is exposed to the public; the OIM admin console and WebLogic admin console are only accessible internally. Although the OIM admin console and WebLogic admin server are accessed internally, both are coming from the external load balancer. We have created firewall rules so that both URLs are only accessible internally.

The self service URL, which is coming from the external load balancer, is hitting OHS, and the OHS reverse proxy settings are resolving to my internal load balancer. My internal load balancer then resolves the actual application server URL, i.e. 14000/identity.

My question here is: what is recommended to provide in the reverse proxy setting, i.e. the actual host name of my application server (OIM host name and port) or the VIP of the internal load balancer? And why?

Regards,
Nitin Natekar


    • 1. Re: OHS Reverse proxy in OIM High Availability environment
      handat (Superhero)
      It really depends on your VIP/load balancer configuration, as they all behave differently depending on which one you are using and on who, i.e. your load balancer or the WebLogic plugin, you want to primarily handle the failover and health checks.

    • 2. Re: OHS Reverse proxy in OIM High Availability environment
      Nitin Natekar (Rookie)
      Hi handat,

      Thanks for reply.

      I have configured the mod_wl_ohs plugin to handle the proxy. Failover is handled by my load balancer, which is NetScaler by Citrix.

      I just wanted to know what the recommended way is, and the pros and cons of it.

      Regards,
      Nitin Natekar

    • 3. Re: OHS Reverse proxy in OIM High Availability environment
      IdmSk (Apprentice)
      >> what is recommended to provide in reverse proxy setting i.e. Actual host name of my application server (OIM host name and port) or VIP of internal load balancer? and Why?
      Since the self service URL is hitting OHS and the OHS reverse proxy is resolving to the internal load balancer (as per your post), it would be OK to provide the VIP of the internal load balancer. This way you can hide, or make private, the actual OIM hostname/port. In fact you can publish a non-14000 port for the OIM identity URL to the outside world (the load balancer will route/send to the configured actual OIM host). Additionally, if you are using SSL for the OIM self service URL, then publishing the VIP of the internal load balancer makes sense by applying the SSL cert on the load balancer (i.e. you terminate the SSL connection at the load balancer). In summary, providing the VIP of the load balancer provides you security by making the actual OIM hostname private.

    • 4. Re: OHS Reverse proxy in OIM High Availability environment
      handat (Superhero)
      As I said before, it all depends on your environment. Without specifics, I could write a full-length essay, but I would rather narrow it down to a specific scenario and discuss that than be too generic. Do you use SSL, and if so, is it offloaded at the LB or is it SSL at every service layer, and what type of certificates are you using, i.e. public CA signed, private CA, self signed?

    • 5. Re: OHS Reverse proxy in OIM High Availability environment
      Nitin Natekar (Rookie)
      @IdmSk Thanks for your reply. The external load balancer is receiving requests on SSL and it is offloading to non-SSL when it comes to the internal load balancer or the actual web servers, which are in the DMZ.

    • 6. Re: OHS Reverse proxy in OIM High Availability environment
      Nitin Natekar (Rookie)
      Hi handat.

      We are offloading traffic to non-SSL when it comes to the web servers, which are in the DMZ. The external load balancer will receive the request in SSL, then the load balancer will offload it to non-SSL, which is resolving to my web server. The web servers are in the DMZ area. The web server has reverse proxy settings using mod_wl_ohs, which communicates with the internal load balancer. The internal load balancer is accepting requests on a non-SSL port. The internal load balancer is resolving my actual WebLogic and managed server ports, i.e. OIM and SOA.

      My question was, while doing the reverse proxy setting, should I provide the internal load balancer host and port or the actual application host and port (i.e. the WebLogic cluster) where I have installed my WebLogic and managed servers?

      Regards,
      Nitin Natekar

    • 7. Re: OHS Reverse proxy in OIM High Availability environment
      IdmSk (Apprentice)
      >> External load balancer is receiving request on SSL and it is offloading it to non-SSL when it is coming to internal load balancer or actual webserver which are in DMZ.
      It will offload to the OHS or webserver.


    • 8. Re: OHS Reverse proxy in OIM High Availability environment
      handat (Superhero)
      In your case, there are pros and cons for using your internal load balancer or using a list of WebLogic server hostnames for the WebLogic plugin in OHS, but there aren't as many benefits to using the internal load balancer as most people would expect.

      If using a load balancer hostname entry, it would provide ease of maintenance for the WebLogic server hostnames, as you just need to add/remove instances from your LB and only have the LB hostname in the OHS config, instead of having to update the OHS config for each OHS instance. However, the propagation of the WebLogic hostnames is dynamic by default, so if you add more WebLogic servers to the WebLogic clusters, the cluster membership is updated dynamically during runtime, and the WebLogic plugin on OHS will eventually have the hostnames propagated to it. When you restart the OHS servers, they will just load the hostnames you have statically defined in the OHS config, but after some time the whole list of active servers in the WebLogic cluster will be propagated to it again. There is a case for using the LB hostname, however: when removing WebLogic instances, if the host that is removed happens to be the first entry in the OHS config of WebLogic servers, there will be a delay in starting the OHS servers unless you manually update the OHS config and remove the removed WebLogic host from the config as well.

      The WebLogic plugin also does simple round-robin load balancing for the configured list of WebLogic instances. You might want to use your LB hostname instead so your load balancer can do more advanced load balancing than what the WebLogic plugin can provide. However, if you do that, you also need to make sure your LB handles session affinity, aka sticky sessions, if your applications require those. The WebLogic plugin would do that automatically, but if your hostname is load balanced, you will need to handle it if your applications require it. Since you are offloading SSL at the front, the sticky sessions can easily be done via cookies. Depending on your LB and application, you might be able to use existing cookies, or you might need to introduce additional cookies just for that.

      Since you are offloading SSL, there isn't much more you need to worry about except for timeouts for persistent sessions, if you use any of those in your applications. Depending on how well your LB can handle/support them, you need to evaluate whether there is any performance impact on using the LB hostname or the direct hostnames of the WebLogic instances.
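As an added illustration of the two wirings handat weighs in reply 8 (this is example configuration written for this page, not config from the thread or from Oracle), an OHS mod_wl_ohs.conf fragment for the public /identity context; every hostname, port, VIP name and file path is a placeholder.

```apache
# Added example, not from the thread: one DMZ OHS proxying only the OIM self
# service context. All hostnames, ports, the VIP name and the module path are
# placeholders, not values from any real environment.
LoadModule weblogic_module "${ORACLE_HOME}/ohs/modules/mod_wl_ohs.so"

<IfModule weblogic_module>
  # SSL is offloaded at the external load balancer, so OHS and WebLogic only
  # see HTTP. WLProxySSL ON sends the WL-Proxy-SSL header so WebLogic builds
  # its redirects as https:// rather than http://. WebLogic acts on WL-Proxy-*
  # headers only when "WebLogic Plug-In Enabled" is set on the cluster, and
  # then trusts them, so the managed servers must be reachable only through
  # OHS or the internal LB, never directly from clients.
  WLProxySSL ON
  ConnectTimeoutSecs 10
  ConnectRetrySecs 2
  WLIOTimeoutSecs 300

  # Only the public self service context is proxied on this DMZ OHS. The
  # /sysadmin (OIM admin) and /console (WebLogic admin) contexts are left out
  # on purpose; they belong on an internal-only listener.
  <Location /identity>
    SetHandler weblogic-handler
    # Session cookie the plug-in pins sticky sessions on. Oracle's enterprise
    # deployment guide uses oimjsessionid for OIM; verify against your domain.
    WLCookieName oimjsessionid

    # Option A: static list of managed servers. The plug-in round-robins over
    # them, pins sessions via the cookie above, and with DynamicServerList ON
    # (the default) learns members added to the cluster at runtime, which is
    # the propagation behaviour handat describes.
    WebLogicCluster oimhost1.example.internal:14000,oimhost2.example.internal:14000
    DynamicServerList ON

    # Option B: the internal load balancer VIP instead (swap the comments on
    # the four lines above and below). DynamicServerList OFF is required here:
    # otherwise the plug-in learns the real member addresses from the cluster
    # list and starts connecting to them directly, bypassing the VIP and the
    # hostname hiding it was meant to give. Session affinity must then be
    # configured on the NetScaler, since the plug-in no longer sees members.
    # WebLogicCluster oim-internal-vip.example.internal:7777
    # DynamicServerList OFF
  </Location>
</IfModule>
```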
