I have installed OAS 10g R2 (infrastructure and the Business Intelligence and Forms component) on SUSE 9 32-bit, SUSE 9 64-bit and SUSE 10 64-bit, so I will describe here the steps that I followed to configure OAS to use Forms and Reports 10g:
1. First of all, before you start editing files, make a configuration backup of the middle tier and the infrastructure.
The database must be in ARCHIVELOG mode to back up the infrastructure:
To enable ARCHIVELOG mode:
1. Run the following SQL query to check whether the flashback_recovery_area is set up:
show parameters db_recovery
If the flashback_recovery_area is set up, the query returns:
NAME                         TYPE          VALUE
db_recovery_file_dest        string        /private2/AS1012Installs/AS1012Infra/flash_recovery_area
db_recovery_file_dest_size   big integer   2G
If the flashback_recovery_area is set up, then the destination specified by the db_recovery_file_dest parameter is used as the archivelog destination, and you do not need to specify the destination directory for your archives in the following step.
2. Specify the destination directory for your archives by including the initialization parameter LOG_ARCHIVE_DEST_n in the initialization file. If spfile is used, then the following command can be issued:
alter system set log_archive_dest_n="LOCATION=<backup directory>" scope=spfile;
In the log_archive_dest_n parameter, n is a number from 1 through 10.
If pfile is used, the following initialization file must be edited:
INFRA_ORACLE_HOME/dbs/initSID.ora
Change the LOG_ARCHIVE_DEST_n parameter to:
LOG_ARCHIVE_DEST_n="LOCATION=<backup directory>"
(Optional) The default filename format for archive logs is:
%t_%s.dbf
If you would like to use a different format, include the initialization parameter LOG_ARCHIVE_FORMAT in the initialization file, for example:
LOG_ARCHIVE_FORMAT = 'log%t_%r_%s.arc'
In the above example, t represents the thread number, r represents the reset log ID, and s represents the log sequence number.
3. Make sure that the ORACLE_HOME and ORACLE_SID (the default is orcl) environment variables are properly set.
4. Make sure that no one is using the database.
5. Perform a clean, normal shutdown of the database instance:
INFRA_ORACLE_HOME/bin/sqlplus /nolog
connect sys/password as sysdba
shutdown
6. Start up the instance and mount, but do not open the database:
startup mount;
7. Enable database ARCHIVELOG mode:
alter database archivelog;
8. Shut down and restart the database instance:
shutdown
startup
9. Verify that the database is now in ARCHIVELOG mode.
Execute the following command and verify that Database log mode is Archive Mode and Automatic archival is Enabled:
archive log list;
Database log mode Archive Mode
Automatic archival Enabled
Archive destination /disk1/oraHome/archive
Oldest on-line log sequence 997
Next log sequence to archive 999
Current log sequence 999
2. Modify tnsnames to access databases.
Go to oracle_home_middletier/network/admin/tnsnames.ora
Back it up, then edit it and add an entry for each database that you want to access from OAS.
For example:
orcl =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS =
        (PROTOCOL = TCP)
        (Host = ip or hostname)
        (Port = 1521)
      )
    )
    (CONNECT_DATA = (SID = orcl)
    )
  )
3. I created folders for the forms, menus and reports: one folder for production (fmx, mmx, rdf) and another for development.
I must compile the forms, PLLs and menus because we develop them on Windows and then copy them to the server.
Compile forms:
/opt/oracle/frs1/bin/frmcmp.sh module=$1 userid=pp/pp@orcl module_type=FORM compile_all=yes
Compile menus:
/opt/oracle/frs1/bin/frmcmp.sh module=$1 userid=pp/pp@orcl module_type=menu compile_all=yes
Compile plls:
/opt/oracle/frs1/bin/frmcmp.sh module=$1 userid=pp/pp@orcl module_type=library compile_all=yes
4. More than one environment.
I want to have two environments, production and development, so I copied the /oracle_home_middletier/forms/server/default.env file to default_prod.env and default_dev.env, and then modified them:
default_prod.env:
FORMS_PATH=/opt/oracle/applications/production
default_dev.env:
FORMS_PATH=/opt/oracle/applications/development
We will use these prod and dev environment files in the envFile argument when we edit the file formsweb.cfg.
5. Jar files
In our forms we use some jar files, so I must copy them to /oracle_home_middletier/forms/java
You must also add the jar files in formsweb.cfg (see 7.)
6. Icons
I copied the directory where I have my icons to /oracle_home_middletier/forms and then modified the file /oracle_home_middletier/forms/server/forms.conf to add a new alias:
/oracle_home_middletier/forms/java/icons
AliasMatch ^/forms/java/icons/(..*) "/oracle_home_middletier/forms/java/icons/$1"
And also modify the file /oracle_home_middletier/forms/registry/Registry.dat:
default.icons.iconpath=/forms/java/icons/
default.icons.iconextension=gif
7. Use configurations to run forms applications
I modified the file /oracle_home_middletier/forms/server/formsweb.cfg to add my configurations: production and testing, each with JInitiator and with JPI:
#Configuration for XXX test jinitiator
[xxx_test]
pageTitle=App XXX
form=Form_start_xxx.fmx
width=980
splashScreen=no
background=no
lookAndFeel=Oracle
colorScheme=blue
logo=no
archive_jini=frmall_jinit.jar,ModCursor.jar,HyperLink.jar
otherparams=useSDI=yes
height=750
envFile=default_dev.env
restrictedURLparams=HTMLbodyAttrs,HTMLbeforeForm,pageTitle,HTMLafterForm,log,allow_debug,allowNewConnections,form,pageTitle,width,splashScreen,background,lookAndFeel,colorScheme,archive_jini,logo,height,envFile,otherparams
#Configuration for XXX prod jinitiator
[xxx]
pageTitle=App XXX
form=Form_start_xxx.fmx
width=980
splashScreen=no
background=no
lookAndFeel=Oracle
colorScheme=blue
logo=no
archive_jini=frmall_jinit.jar,ModCursor.jar,HyperLink.jar
otherparams=useSDI=yes
height=750
envFile=default_prod.env
restrictedURLparams=HTMLbodyAttrs,HTMLbeforeForm,pageTitle,HTMLafterForm,log,allow_debug,allowNewConnections,form,pageTitle,width,splashScreen,background,lookAndFeel,colorScheme,archive_jini,logo,height,envFile,otherparams
#Configuration for XXX jpi
[xxxjpi]
baseHTMLJInitiator=basejpi.htm
jpi_classid=clsid:8AD9C840-044E-11D1-B3E9-00805F499D93
jpi_codebase=https://java.sun.com/update/1.5.0/jinstall-1_5-windows-i586.cab#Version=1,4,2,4
jpi_mimetype=application/x-java-applet;version=1.4.2
jpi_download_page=https://java.sun.com/j2se/1.5.0/download.html
pageTitle= App XXX
form=Form_start_xxx.fmx
width=980
splashScreen=no
background=no
lookAndFeel=Oracle
colorScheme=blue
logo=no
archive_jini=frmall_jinit.jar,ModCursor.jar,HyperLink.jar
otherparams=useSDI=yes
height=750
envFile=default_prod.env
restrictedURLparams=HTMLbodyAttrs,HTMLbeforeForm,pageTitle,HTMLafterForm,log,allow_debug,allowNewConnections,form,pageTitle,width,splashScreen,background,lookAndFeel,colorScheme,archive_jini,logo,height,envFile,otherparams
#Configuration for XXX test jpi
[xxxjpi_test]
#baseHTMLJInitiator=basejpi.htm
baseHTMLJInitiator=webutiljpi.htm
jpi_classid=clsid:8AD9C840-044E-11D1-B3E9-00805F499D93
jpi_codebase=https://java.sun.com/update/1.5.0/jinstall-1_5-windows-i586.cab#Version=1,4,2,4
jpi_mimetype=application/x-java-applet;version=1.4.2
jpi_download_page=https://java.sun.com/j2se/1.5.0/download.html
pageTitle=App XXX
form=Form_start_xxx.fmx
width=980
splashScreen=no
background=no
lookAndFeel=Oracle
colorScheme=blue
logo=no
#archive_jini=frmall_jinit.jar,ModCursor.jar,HyperLink.jar
archive_jini=frmall_jinit.jar,ModCursor.jar,HyperLink.jar,share.jar,frmwebutil.jar,jacob.jar
otherparams=useSDI=yes
height=750
webUtilArchive=frmwebutil.jar,jacob.jar
envFile=default_dev.env
restrictedURLparams=HTMLbodyAttrs,HTMLbeforeForm,pageTitle,HTMLafterForm,log,allow_debug,allowNewConnections,form,pageTitle,width,splashScreen,background,lookAndFeel,colorScheme,archive_jini,logo,height,envFile,otherparams
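An audit of the configurations above, as an added example that is not part of the original post: it lists, per section, the parameters the section sets but does not name in restrictedURLparams. It assumes each section carries its own restrictedURLparams line, as here, and that every parameter a section sets is meant to be protected from the URL; the sample text is a constructed excerpt.

```python
# Added example: list parameters a formsweb.cfg section sets but does not restrict.
# SAMPLE_CFG is a constructed excerpt modelled on the sections shown above.
SAMPLE_CFG = """\
[xxx]
form=Form_start_xxx.fmx
archive_jini=frmall_jinit.jar,ModCursor.jar,HyperLink.jar
otherparams=useSDI=yes
envFile=default_prod.env
restrictedURLparams=HTMLbodyAttrs,form,archive_jini,envFile,otherparams
#Configuration for XXX test jpi
[xxxjpi_test]
baseHTMLJInitiator=webutiljpi.htm
jpi_codebase=https://java.sun.com/update/1.5.0/jinstall-1_5-windows-i586.cab#Version=1,4,2,4
form=Form_start_xxx.fmx
webUtilArchive=frmwebutil.jar,jacob.jar
envFile=default_dev.env
restrictedURLparams=HTMLbodyAttrs,form,archive_jini,envFile,otherparams
"""

def parse_formsweb(text):
    """Return {section: {param: value}} for the [section] / key=value layout."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # only whole-line comments are skipped
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)       # keep '=' and '#' inside the value
            current[key.strip()] = value.strip()
    return sections

def unrestricted_params(text):
    """Per section, the parameters it sets that restrictedURLparams does not list."""
    findings = {}
    for name, params in parse_formsweb(text).items():
        listed = {p.strip() for p in params.get("restrictedURLparams", "").split(",")}
        exposed = sorted(k for k in params
                         if k not in listed and k != "restrictedURLparams")
        if exposed:
            findings[name] = exposed
    return findings

if __name__ == "__main__":
    for section, exposed in unrestricted_params(SAMPLE_CFG).items():
        print(f"[{section}] not covered by restrictedURLparams: {', '.join(exposed)}")
```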
8. More than one environment for reports
I modified the configuration file of my report server to have two environments for reports:
/oracle_home_middletier/reports/conf/rep_middletier_instance.conf:
<environment id="prod">
<envVariable name="REPORTS_PATH" value="/opt/oracle/applications/production/"/>
</environment>
<environment id="dev">
<envVariable name="REPORTS_PATH" value="/opt/oracle/applications/development/"/>
</environment>
9. Configuring Oracle HTTP Server to use SSL
1. Open ORACLE_HOME_middletier/opmn/conf/opmn.xml in a text editor and find this block of code:
<ias-component id="HTTP_Server">
<process-type id="HTTP_Server" module-id="OHS">
<module-data>
<category id="start-parameters">
<data id="start-mode" value="ssl-disabled"/>
</category>
</module-data>
<process-set id="HTTP_Server" numprocs="1"/>
</process-type>
</ias-component>
2. Change the start-mode parameter value to ssl-enabled:
<ias-component id="HTTP_Server">
<process-type id="HTTP_Server" module-id="OHS">
<module-data>
<category id="start-parameters">
<data id="start-mode" value="ssl-enabled"/>
</category>
</module-data>
<process-set id="HTTP_Server" numprocs="1"/>
</process-type>
</ias-component>
3. Force OPMN to reload the modified opmn.xml configuration file:
opmnctl reload
10. Running a Form with SSL
Running a Forms application that uses an HTTPS port requires a certificate to be imported.
If you access Oracle HTTP Server through port 4444, you need to import the Oracle HTTP Server certificate.
To import the Oracle HTTP Server Certificate:
1. Invoke Wallet manager: /oracle_home_middletier/bin/owm
2. Open /oracle_home_middletier/Apache/Apache/conf/ssl.wlt/default.
3. Enter welcome as the password.
4. Select Auto Login.
5. Select FOR TEST PURPOSES ONLY.
6. Choose [Operations]-[Export Trusted Certificate] and provide a name.
7. Open this file in a text editor, copy all of its contents and append them to C:\Program Files\Oracle\JInitiator1.3.1.21\lib\security\certdb.txt (if you use JInitiator).
8. Run the Form Servlet as https://hostname:4444/forms/frmservlet
9. Verify that the JInitiator log window displays the HTTPS protocol.
11. Disable reports url access
The security team asked me to disable these URLs:
http://hostname:port/reports/rwservlet/showjobs
http://hostname:port/reports/rwservlet/showenv
http://hostname:port/reports/rwservlet/showmap
so edit the file /oracle_home_middletier/reports/conf/rwservlet.properties and set:
DIAGNOSTIC=NO
RELOAD_KEYMAP=YES
So we must use the cgicmd.dat for reports.
Add to this file the key for your reports, for example:
keyprod: userid=user/pass@sid destype=cache SERVER=report server name envid=prod %*
keytest: userid=<user>/<pass>@<sid> destype=cache SERVER=<report server name> envid=test %*
Edit the file /oracle_home_middletier/reports/conf/<your report server name>.conf and find this:
<identifier confidential="yes" encrypted="yes">RwZAF1u2H1CXwMiHwQ6RDk5W</identifier>
And change it to:
<identifier confidential="yes" encrypted="no">user/pass</identifier>
The value is typed in clear text, so encrypted is set to "no"; the Reports Server encrypts it and sets the attribute back to "yes" the next time it starts.
Only with this user and password will you have access to these URLs:
http://hostname:port/reports/rwservlet/showjobs
http://hostname:port/reports/rwservlet/showenv
http://hostname:port/reports/rwservlet/showmap
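A check for the result of the steps above, as an added example that is not part of the original post: it reads rwservlet.properties for the two values set here and flags cgicmd.dat or .conf files whose mode grants access beyond the owner, since those files hold user/pass values. It assumes the OAS processes run as the file owner; build_sample and the file contents it writes are constructed for the demonstration.

```python
# Added example: check the Reports settings and file modes discussed in this section.
import os
import stat
import tempfile

CREDENTIAL_FILES = ("cgicmd.dat",)   # plus every *.conf in the directory

def audit_reports_conf(conf_dir):
    """Return findings for rwservlet.properties values and credential file modes."""
    findings = []
    with open(os.path.join(conf_dir, "rwservlet.properties"), encoding="utf-8") as fh:
        lines = [l.strip() for l in fh if "=" in l and not l.lstrip().startswith("#")]
    props = {k.strip().upper(): v.strip().upper() for k, v in (l.split("=", 1) for l in lines)}
    for key, wanted in (("DIAGNOSTIC", "NO"), ("RELOAD_KEYMAP", "YES")):
        if props.get(key) != wanted:
            findings.append(f"rwservlet.properties: {key} is {props.get(key, 'unset')}, expected {wanted}")
    # cgicmd.dat keys and the <identifier> element carry user/pass values.
    for name in sorted(os.listdir(conf_dir)):
        if name in CREDENTIAL_FILES or name.endswith(".conf"):
            mode = stat.S_IMODE(os.stat(os.path.join(conf_dir, name)).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"{name}: mode {mode:o} is accessible beyond the owner")
    return findings

def build_sample(conf_dir):
    """Write constructed sample files; names follow the page, values are placeholders."""
    files = {
        "rwservlet.properties": ("# constructed sample\nDIAGNOSTIC=YES\nRELOAD_KEYMAP=YES\n", 0o644),
        "cgicmd.dat": ("keyprod: userid=user/pass@sid destype=cache envid=prod %*\n", 0o644),
        "rep_middletier_instance.conf": ("<server/>\n", 0o600),
    }
    for name, (body, mode) in files.items():
        path = os.path.join(conf_dir, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print("\n".join(audit_reports_conf(d)))
```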
12. Enable Mod_security on Apache
The mod_security module is installed by default with the HTTP Server, but it is disabled by default.
To enable it, follow the steps below.
1. Edit the httpd.conf file in the $ORACLE_HOME/Apache/Apache/conf directory.
2. Add the following lines to httpd.conf, at the location where the other 'AddModules' entries are present.
The first two lines enable the module, and the remaining lines are the filter commands that configure the filters:
LoadModule security_module libexec/mod_security.so
<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On
#Should mod_security inspect POST payloads
SecFilterScanPOST On
# The type of auditing
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog /opt/oracle/frs1/Apache/Apache/logs/modsec_audit.log
# Action to take by default
#SecFilterDefaultAction "deny,log,status:406"
# Only check the body of the POST request
#SecFilterSelective POST_PAYLOAD 333
# XSS protection but allows common HTML tags
SecFilter "<( |\n)*script"
# Prevent XSS attacks (HTML/Javascript injection)
#SecFilter "<(.|\n)+>"
# Filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
</IfModule>
3. Save the file.
4. The entries given above are an example, and you will have to change them to suit your needs.
5. Run dcmctl updateconfig.
6. Restart the HTTP Server.
13. Securing the Welcome Page
By default, the Oracle Application Server Welcome page is accessible from this URL:
http://hostname.domain:7777
This page contains links to useful information like demos and code samples which can be used to compromise the security of your site. You can secure your Welcome page by:
Creating Your Own Custom Welcome Page
To deploy a new Welcome page for Oracle Application Server:
1. Create the new Welcome page you want to use. This page must be named index.html.
2. Save the new Welcome page in a directory. It is recommended that you save the page in a different directory than the htdocs directory.
3. Start the Application Server Control Console.
4. Select the OracleAS Infrastructure instance. You will be prompted to login.
5. Click HTTP Server.
6. Click Administration.
7. Click Properties.
8. Enter the directory for your new page in the Document Root field.
9. (Optional) Enter the administrator's e-mail address in the Administrator's Email field.
10. Click Apply.
14. Customize error pages on Apache
The security team asked me to customize the error pages on Apache; the reason was to avoid showing messages that could reveal that the server has an Oracle Application Server installed.
Edit the file httpd.conf, find the line "# Customizable error response" and add:
ErrorDocument 500 "El servidor genero el error 500. Consulte al administrador."
ErrorDocument 401 "El servidor genero el error 401. Consulte al administrador."
ErrorDocument 402 "El servidor genero el error 402. Consulte al administrador."
ErrorDocument 404 "El servidor genero el error 404. Consulte al administrador."