OHS Reverse proxy discussion

OHS Reverse proxy discussion   LINK


OHS Reverse proxy in OIM High Availability environment

This question is Not Answered.
Nitin NatekarRookie
Nitin Natekar Jul 22, 2016 12:01 AM
Hi Security folks,

I need one suggestion related to configuring OHS reverse proxy in OIM HA environment. I have external and internal load balancer. My OHS is configured in DMZ area. It is reverse proxy to my Web Logic as well as OIM managed server. All managed servers (OIM and SOA) are in clustered mode.  OIM self service is exposed to public, OIM admin console and weblogic admin console is only accessible internally. Although OIM admin console and weblogic admin servers are internally access both are coming from external load balancer. We have created Firewall rules so that both the URL's are only accessible internally.

Self Service URL which is coming from external load balancer is hitting OHS and OHS reverse proxy settings are resolving to my internal load balancer. My internal load balancer then resolve actual application server URL i.e. 14000/identity.

My question here is :: what is recommended to provide in reverse proxy setting i.e. Actual host name of my application server (OIM host name and port) or VIP of internal load balancer? and Why?

Regards,
Nitin Natekar

Average User Rating: No ratings (0 ratings)
Average User Rating
No ratings
(0 ratings)
Your Rating:
Rate Poor(1 of 5)Rate Below Average(2 of 5)Rate Average(3 of 5)Rate Above Average(4 of 5)Rate Exceptional(5 of 5)

    • 1. Re: OHS Reverse proxy in OIM High Availability environment
      handatSuperhero
      handat Jul 22, 2016 12:14 AM (in response to Nitin Natekar)
      It really depends on your VIP/load balancer configuration as they all behave differently depending on which one you are using and who ie your load balancer or the weblogic plugin that you want to primarily handle the failover and healthchecks.

    • 2. Re: OHS Reverse proxy in OIM High Availability environment
      Nitin NatekarRookie
      Nitin Natekar Jul 22, 2016 12:38 AM (in response to Nitin Natekar)
      Hi handat,

      Thanks for reply.

      I have configured  mod_wl_ohs plugin to handle proxy. Fail over is handled by my load balancer which is NetScaler by Citrix.

      I just wanted to know what is recommended way and pros and cons of it.

      Regards,
      Nitin Natekar

    • 3. Re: OHS Reverse proxy in OIM High Availability environment
      IdmSkApprentice
      IdmSk Jul 22, 2016 2:41 AM (in response to Nitin Natekar)
      what is recommended to provide in reverse proxy setting i.e. Actual host name of my application server (OIM host name and port) or VIP of internal load balancer? and Why?
      Self service url is hitting OHS and OHS reverse proxy is resolving to internal load balancer, (as per your post), then it would be ok to provide vip of internal load balancer. This way you can hide or make the actual OIM hostname/port private. In fact you can publish a non-14000 port for OIM identity url to the outside world (load balancer will route/send to configured actual OIM host). Additionally if you are using ssl for OIM self service url, then publishing vip of internal load balancer makes sense by applying the ssl cert on the load balancer (ie you terminate ssl connection at the load balancer). In summary, providing vip of load balancer provides you security by making actual OIM hostname private.

    • 4. Re: OHS Reverse proxy in OIM High Availability environment
      handatSuperhero
      handat Jul 22, 2016 5:07 AM (in response to Nitin Natekar)
      As I said before, it all depends on your environment. Without specifics, I could write a full length essay but I rather narrow it down to a specific scenario and discuss that rather than being too generic. Do you use SSL, and if so, is it offloaded at the LB or is it SSL at every service layer and what type of certificates are you using, ie public CA signed, private CA, self signed?

    • 5. Re: OHS Reverse proxy in OIM High Availability environment
      Nitin NatekarRookie
      Nitin Natekar Jul 22, 2016 7:07 PM (in response to IdmSk)
      @IdmSk Thanks for your reply. External load balacer is receiving request on SSL and it is offloading it to non SSL when it is coming to internal load balancer or actual webserver  which are in DMZ.

    • 6. Re: OHS Reverse proxy in OIM High Availability environment
      Nitin NatekarRookie
      Nitin Natekar Jul 22, 2016 7:16 PM (in response to handat)
      Hi handat.

      We are offloading traffic to non SSL when it is coming to Webserver which are in DMZ.  External load balancer will receive request in SSL then load balancer will  offload it to non SSL which is resolving to my WebServer. Web Servers  are in DMZ area. Web Server is having reverse proxy setting using wl_mod_ohs, which is communicating to internal load balancer. Internal load balancer is accepting request on non ssl port. Internal load balancer is resolving my actual WebLogic and Managed server port i.e. OIM and SOA.

      My Question was, while doing reverse proxy setting should i provide internal load balancer host and port or actual application host and  port (i.e. WebLogic cluster) where I have installed my WebLogic and Managed server.

      Regards,
      Nitin Natekar

    • 7. Re: OHS Reverse proxy in OIM High Availability environment
      IdmSkApprentice
      IdmSk Jul 22, 2016 10:44 PM (in response to Nitin Natekar)
      >>External load balacer is receiving request on SSL and it is offloading it to non SSL when it is coming to internal load balancer or actual webserver  which are in DMZ.
      It will offload to the OHS or webserver.


    • 8. Re: OHS Reverse proxy in OIM High Availability environment
      handatSuperhero
      handat Jul 24, 2016 11:27 PM (in response to Nitin Natekar)
      In your case, there are pros and cons for using your internal load balancer or using a list of weblogic server hostname for the weblogic plugin in OHS but there aren't that many benefits for using the internal load balancer as most people would expect.

      If using a load balancer hostname entry, it would provide ease of maintenance for maintaining the weblogic server hostnames as you just need to add/remove instances from your LB and just have the lb hostname in the OHS config instead of having to update the OHS config for each OHS instance. However, the propagation of the weblogic hostnames by default is dynamic, so if you add more weblogic servers to the weblogic clusters, the cluster membership is updated dynamically during runtime so the weblogic plugin on OHS will eventually have the hostnames propagated to it. When you restart the OHS servers, they will just load the hostnames you have statically defined in the OHS config, but after time, the whole list of active servers in the weblogic cluster will be propagated to it again. There is a case for using the lb hostname, however, when removing weblogic instances and the host that is removed happen to be the first entry in the ohs config of weblogic servers, then there will be a delay in starting ohs servers unless you manually update the ohs config and remove the removed weblogic host from the config as well.

      The weblogic plugin also does simple round robin load balancing for the configured list of weblogic instances. You might want to use your lb hostname instead so your load balancer can do more advcanced load balancing than what weblogic plugin can provide. However, if you do that, you also need to make sure your LB handles session affinity, aka sticky sessions, if your applications requires those. The weblogic plugin would do that automatically, but if your hostname is load balanced, you will need to handle it if your applications requires it. Since you are offloading SSL at the front, the sticky sessions can easily be done via cookies. Depending on your LB and application, you might be able to use existing cookies, or you might need to introduce additional cookies just for that.

      Since you are offloading SSL, there isn't much more you need to worry about except for timeouts for persistent sessions if you use any of those in your applications. Depending on how well your lb can handle/support them, you need to evaluate whether there is any performance impact on using lb hostname or direct hostnames of the weblogic instances.

    Comments

    Post a Comment

    Popular posts from this blog

    VMware fix for Invalid manifest and ova file import failed errors

    Image
    Recently we got a OVA file for a virtual machine. The vendor instructions were to import the ova file in vmware Workstation, Player for Windows/Linux, Fusion for Mac, and VirtualBox as well.  The instructions were to take the available package and launch the VM with VMware workstation. The package contained  Module.mf, Module.ovf and Module-disk.vmdk and a Module.ova file. The .mf and .ovf file were 2 KB each whereas the vmdk was several gigs. The package also contained a Module.ova file which was several gigs as well. OVF           Open Virtualization Format MF             Manifest file VMDK       Virtual Machine Disk OVA           Open Virtualization Appliance The ovf file is a xml file that contains metadata for the ovf package The mf file contains the SHA1 hash codes of all files in the package The vmdk file is the disk image of the virtual machine,  VMware Workstation or VirtualBox. (vmdk format was originally developed by VMware and is an open format now). All of
    Read more

    SOAPUI - import certificate

    Image
    Note: SoapUI has two versions, one is open source and second Professional version. The open source can be download here . (confirmed link 12/19/2018). SSL Handshake issue:   There is an Issue in SoapUI version 5.3.0 (and 5.2.0 version) with SSL handshake error. It was resolved by updating below in vmoptions file ( refer here ). However, the error that shows up while trying to load wsdl is "Error loading WSDL" as below The fix is to Enable TLS 1.2 protocol for SOAP/REST calls in SoapUI, by ammending the vmoptions file to add the directive for TLS as (-Dsoapui.https.protocols=TLSv1.2). Refer here . Update: Version 5.5.0 does not have this issue. If you are on 5.3.0 better upgrade to 5.5.0 which is available now (Feb 2019). I had above issue as well as another issue reaching to https endpoint. Upgrade to 5.5.0 resolved issue. Select "Check for updates" under the Help menu and you will get option for upgrade. Select upgrade current version and accept all defaul
    Read more

    Centrally Managed Users (CMU) - New Feature in Oracle Database 18c

    Image
    Centrally Managed Users (CMU) Centrally Managed Users or CMU is a new feature introduced since Oracle DB 18c which allows simplified database user management through integration with Microsoft Active Directory (AD). Beginning with Oracle Database release 18c, version 18.1 and later supports direct integration with Microsoft Active Directory (AD) using the new centrally managed users capability. CMU allows the Oracle database to perform user authentication and authorization directly against AD. Benefits of CMU With centrally managed users, users accessing the database can be centrally managed to improve an organization's security posture. An enterprise user (a user in Microsoft Active Directory) can be exclusively mapped to a database account, or many enterprise users (in an Microsoft Active Directory group) can be mapped to a shared account in the database. Microsoft Active Directory groups can also be mapped to a database global role, which provides users with additional privilege
    Read more