9/23/2016 DocumentDisplay

UsingHAProxyasaTLSTerminationPointforOracleEBusinessSuiteRelease12.1.3(DocID
2012639.1)

ThisknowledgedocumentdescribeshowtouseHAProxyasaTLSterminationpointinfrontofOracleEBusinessSuiteRelease
12.1.3.

ThemostcurrentversionofthisdocumentcanbeobtainedinMyOracleSupportKnowledgeDocument2012639.1.

InThisDocument

Section1:Introduction
Section2:WhoCanUseThisNote
Section3:InstallingHAProxy
Section4:ConfiguringHAProxy
Section5:StartingHAProxy
Section6:ConfiguringOracleEBusinessSuiteforUsewithHAProxy
Section7:ObtainingaCertificateforHAProxy
Section8:References

Thereisachangelogattheendofthisdocument.

Section1:Introduction
TherearemanytypesofreverseproxiesthatcanbeusedasaTLSterminationpointinfrontofOracleEBusinessSuite
Release12.1.3.ThisdocumentdescribeshowtouseHAProxyversion1.5.12andlateronOracleLinux6astheTLS
terminationpointfortheOracleHTTPServer(OHS)deployedwithOracleEBusinessSuite12.1.3.ATLSterminationpointis
theendpointforanencryptedconnectionthatisinitiatedbyaclient(forexample,abrowser).

HAProxycanprovideanuptodateTLSendpointwiththefollowingconfigurationoptions:

CertificatessignedwithSHA2(signaturealgorithm:sha256WithRSAEncryption)
TLS1.2withstrongerciphersuites

Intheexampleusedinthisdocument,wewillshowyouhowtouseHAProxyonOracleLinux6astheTLSterminationpoint.
ThiscertificationappliestoHAProxyversion1.5.12andlater.

HAProxyisavailableasaninstallableRPMpackageaspartoftheOracleLinuxdistribution,soitcanbeinstalledwithasimple
yuminstallhaproxycommand.

TheHAProxy,beinganRPM,isinstalledbyroot.Itinstallsundertheassumptionthatitwillbeconfiguredbyrootusing
/etc/haproxy/haproxy.cfgandrunasasystemservice.Itwilllogtoalogfilein/var/log/(throughsyslog)andwillbe
startedbythercbootscripts.

Section2:WhoCanUseThisNote
WhileHAProxyisacapableproxyandaloadbalancer,Oracledoesnotrecommendthatyouusetheinstructioninthisnoteif
youalreadyhaveasatisfactoryproxyorloadbalancerinplace.

TheinstructionsinthisnotewillbeofparticularinteresttocustomerswithasingleOracleEBusinessSuiteapplicationtierwho
arecurrentlyusingOracleHTTPServer(OHS)10gastheTLSterminationpoint.

HAProxycanbeconfiguredforusewithTLS1.0,TLS1.1,TLS1.2andwillworkwithservercertificatessignedusingSHA2
(signaturealgorithm:sha256WithRSAEncryption).

IfyouareusingOracleLinux6(orRedHat),youcansimplyinstalltheOSprovidedRPMpackage.IfyouareusingAIXor
Solaris,itispossibletodownloadtheHAProxysourcecodeandcompileitforthatoperatingsystem.WindowsandHPUXare
notcurrentlysupportedbythebuildsystemsuppliedwithHAProxy.

https://support.oracle.com/epmos/faces/SearchDocDisplay?_adf.ctrlstate=tc0zg2idc_9 1/8
9/23/2016 DocumentDisplay

InthecasethatyoucannotorprefernottorunHAProxyonthesamehostasOHS10g,youcanrunHAProxyonadifferent
hostwithasupportedoperatingsystem.Forexample,youcanrunHAProxyonLinuxonrealhardwareorinavirtualmachine.

Section3:InstallingHAProxy
IfyourOracleEBusinessSuiteapplicationtierisrunningonOracleLinux6andyouonlyhaveasingleapplicationtier,youcan
installHAProxyonthatapplicationtier.IfyouarenotrunningOracleLinux,youcaninstallHAProxyonanotherhostrunning
OracleLinux6.TheminimuminstallationofOracleLinux6isasufficientstartingpoint.Youwillmostlikelyfindthefollowing
RPMsusefulaswell:acpidntpwgetunzipnclsofopensshclients.

TheHAProxyRPMisnotinstalledbydefault.Toinstallit,run:

#exporthttp_proxy=wwwproxy:80 #Onlyifyouneedanoutboundproxy,useyoursite'svalue


#yumupdate #togetthelatestupdatesinstalled,especiallytheopenssllibrariesareimportantfor
haproxy


#yuminstallhaproxy

Followinginstallation,HAProxyisavailable,butnotrunningandnotyetconfigured.

[root@esc02~]#whichhaproxy
/usr/sbin/haproxy

[root@esc02~]#lsl/etc/haproxy

rwrr.1rootroot3142Oct1506:21haproxy.cfg

[root@esc02~]#lsl/etc/init.d/haproxy

rwxrxrx.1rootroot2298Oct1506:21/etc/init.d/haproxy

[root@esc02~]#chkconfiglisthaproxy

haproxy0:off1:off2:off3:off4:off5:off6:off

Section4:ConfiguringHAProxy
ToconfigureHAProxyforusewithOracleEBusinessSuite,youmustletHAProxyknowwhere(ip:port)tofindtheOracleE
BusinessSuiteinstance.YouwillhavetoconfiguretheTLSaspectsasfollows:

Protocols:avoidSSL3.0forPOODLE
Ciphersuites:avoidweakciphersuitesforFREAK
DiffieHellmankeyexchangeparameters:avoidweakDiffieHellmankeyexchangeparametersforLogjam
Certificate(chain):usePEMfiles

Forprotocols,youwillwanttoprovideTLS1.2toclientsthatarecapable.Tosupportolderclientsthatarenot,TLS1.0and
TLS1.1willbeprovided.SSL3.0willbeavoided.

Forciphersuites,youwillwantthenewciphersuitesavailablewithTLS1.2.IvanRisticofSSLlabsandtheMozillaFoundation
provideadviceforchoosingtheciphersuitesandtheorderinwhichtheyshouldbespecified.SeeSection8:Referencesfor
moredetails.

Youwillalsowantthelogfiles(forexample,OHSaccess_log.nnnfiles)ontheOracleEBusinessSuitetiertorecordthe
properIPaddressoftheclient.Toachievethis,youmustmakeHAProxyforwardtheclient'sIPaddresstoOHSandtellOHSto
usethatIPaddressinloggingandaccesscontroldecisions(ratherthanalwaysloggingtheIPaddressofthehostwhere
HAProxyruns).

4.1Configuringhaproxy.cfg

Tostart,makethefollowingmodificationstotheRPMprovidedconfigurationfile/etc/haproxy/haproxy.cfg:

https://support.oracle.com/epmos/faces/SearchDocDisplay?_adf.ctrlstate=tc0zg2idc_9 2/8
9/23/2016 DocumentDisplay

[root@esc02~]#cd/etc/haproxy/

[root@esc02haproxy]#cpphaproxy.cfghaproxy.cfg.ORIG #justincase

Now,edithaproxy.cfgandmakethefollowingmodifications:

1.AddthefollowinglinetotheGlobalsection(ciphersmustbeallononelongline)todefineasetofstrongciphersuites:

#Ristic'sApacheCipherSuiteselection
ssldefaultbindciphers
ECDHEECDSAAES128GCMSHA256:ECDHEECDSAAES256GCMSHA384:ECDHE
ECDSAAES128SHA:ECDHEECDSAAES256SHA:ECDHEECDSAAES128SHA256:ECDHEECDSAAES256
SHA384:ECDHERSAAES128GCMSHA256:ECDHERSAAES256GCMSHA384:ECDHERSAAES128SHA:ECDHERSA
AES256SHA:ECDHERSAAES128SHA256:ECDHERSAAES256SHA384:DHERSAAES128GCMSHA256:DHERSA
AES256GCMSHA384:DHERSAAES128SHA:DHERSAAES256SHA:DHERSAAES128SHA256:DHERSAAES256
SHA256:EDHRSADESCBC3SHA

2.Changethelineinthedefaultssectionfrom:

optionforwardforexcept127.0.0.0/8

to

optionforwardforexcept127.0.0.0/8headerClientIP

ThisiswhereHAProxyistoldtoforwardthebrowser's(client's)IPaddresstoOHSintheClientHPrequestheader.

3.Changethefrontenddefinitionfrom:

frontend main*:5000

aclurl_staticpath_begi/static/images/javascript/stylesheets
aclurl_staticpath_endi.jpg.gif.png.css.js

use_backendstaticifurl_static
default_backendapp

to

frontend main

bind0.0.0.0:443sslnosslv3crt/etc/haproxy/bundle.pem


default_backendebs

ThischangeconfiguresanHTTPSendpoint.YoumusttellHAProxywhatinterfaceandporttolistento(0.0.0.0:443)to
useHTTPS(designatedbytheparameterssl),butnotSSL3.0(nosslv3)andwheretofindthecertificatebundle
(crt/etc/haproxy/bundle.pem).

4.Attheend,addtheOracleEBusinessSuitebackenddefinition.

#
#roundrobinbalancingbetweenthevariousEBSbackends

#
backendebs

balanceroundrobin


server app127.0.0.1:8000

Here,127.0.0.1:8000istheIPaddressandportwheretheOracleEBusinessSuitewebapplicationlistensfor
unencryptedHTTPrequests.ThisexampleassumesthatHAProxyrunsonthesamehostastheOracleEBusinessSuite
applicationandusethedefaultOracleEBusinessSuiteport(portpool0).

4.2ConfiguringtheCertificates

Inthefileabove,youpointedHAProxytothecertificatefile/etc/haproxy/bundle.pem.
https://support.oracle.com/epmos/faces/SearchDocDisplay?_adf.ctrlstate=tc0zg2idc_9 3/8
9/23/2016 DocumentDisplay

HAProxyusesasinglefiletoholdprivatekey,signedcertificate+optionally,anyrequiredintermediateCAcertificates.The
filesmustbeinPEMformat.

Inthefollowinginstructions,itisassumedthatyoualreadyhavethecertificatefilesforconfiguration.Ifnot,forinformationon
howtoobtainthecertificate,seeSection7:ObtainingaCertificateforHAProxy.

AssumingthatyouhaveyourprivatekeyandthesignedservercertificateandtheCArootcertificateintheindividualfilesas
follows:

key.pem//serversprivatekey

cert.pem//serverscertificate,signedbyCAincacert.pem
caintcert.pem//intermediateCAcertificate(onlyifrequired)foruse
cacert.pem//certificateofrootCA

Youwillcreatebundle.pemasfollows(dependingonwhetheryouhaveanintermediateCAcertificate):

[root@esc02~]#catcert.pemkey.pem>bundle.pem

or

[root@esc02~]#catcert.pemcaintcert.pemkey.pem>bundle.pem

Thecacert.pemfileisthecertificateoftherootCAthatsignedthecertificate,itwillhavetobetrustedbyyourHTTPSclients.
IfyouaregettingyourcertificatefromacommercialCA,theclients(browsers,java)probablyalreadytrustthatCAandno
furtheractionisrequired.Ifnot,youwillhavetodistributethecacert.pemfiletotheclientsandmakethemtrustthatCAasa
signerofcertificates.

Note:Ifyourprivatekeyhasapassphrase(password),HAProxywillpromptyouforitoneachstartandstop.Thisisnot
suitable/properforadaemonstartedandstoppedusingtheOSbootscripts,soyouwillwanttoremovethepassword
fromtheprivatekeyyouputinbundle.pem.

Forexample,thisOpenSSLcommandcanbeusedtoremovethepassphrasefromtheprivatekey.Youwillhavetoprovidethe
passwordtoberemoved(assumesRSAkeywhichismostcommonforECkeysreplacersawithec).

[root@esc02]#mvkey.pem key.pem.passphrase

[root@esc02]#opensslrsainkey.pem.passphraseout key.pem
[root@esc02]#chmod600key.pem

ToavoidtheLogjam(CVE20154000)issueofweak(orfrequentlyused)DiffieHellmankeyexchangeparameters,youcan
generateauniqueoneforuse.ThiswillavoidusingthedefaultsthatarepartofthelinkedinOpenSSLlibrary.TheOpenSSL
commandcangeneratefresh,instancespecificdhparameters.Youcangeneratea2048bitgroupforbestsecurity,orcreate
a1024bitoneforbettercompatibilitywitholderclients.Thenewdhparametergroupissimplyappendedtothebundle.pem
file.

[root@esc02]#openssldhparam2048>>bundle.pem

Finally,verifythepropersequenceofPEMelementsinthebundle.pemfile.

[root@esc02]#grepBEGINbundle.pem
BEGINCERTIFICATE

BEGINRSAPRIVATEKEY
BEGINDHPARAMETERS

Section5:StartingHAProxy
BeforestartingHAProxy,youcanhaveHAProxyverify/validateitsconfigurationfile.

https://support.oracle.com/epmos/faces/SearchDocDisplay?_adf.ctrlstate=tc0zg2idc_9 4/8
9/23/2016 DocumentDisplay

#haproxyf/etc/haproxy/haproxy.cfgc

Ifthatdoesnotprovideanyerrors,theconfigurationshouldbereadyforuse.

TostartHAProxyfromthecommandline:

#servicehaproxystart

YoucanverifythatHAProxyisrunningonthespecifiedportbyusingnetstat:

#netstatlntp|grephaproxy

YoucanmakeHAProxystartonrebootbyactivatingtheHAProxyservice:

#chkconfighaproxyon

thiswillmakeHAProxyruninrunlevels2,3,4,and5.

#chkconfiglisthaproxy

haproxy 0:off1:off2:on3:on4:on5:on6:off

Section6:ConfiguringOracleEBusinessSuiteforUsewithHAProxy
ForOracleEBusinessSuitetoknowwhereitswebentrypointis,youmustconfigureOracleEBusinessSuiteRelease12.1.3
throughasetofAutoConfigvariables.Thesenormallypointtotheapplicationtier'sOHSporteithertheHTTPport(:8000)or
theHTTPSport(:4443),dependingonwhetherornotyouhaveenabledHTTPS.

IfOracleEBusinessSuiteisfrontendedbyanHTTPSenabledreverseproxy,thesevariablesmustdescribethereverse
proxy'swebentrypoint.

Section3:ApplicationTierSetup,Step8UpdatetheContextFileofMyOracleSupportKnowledgeDocument376700.1,
EnablingSSLorTLSinOracleEBusinessSuiteRelease12describesthesettingofthesevariables.

Settingthefollowingvariablesinthecontextfile($CONTEXT_FILE)issufficienttomakeHAProxyknownastheconfiguredweb
entrypoint.

VariableName Description Example

Setthewebentryapplicationtiercontextvariabletotheweb
s_webentryurlprotocol https
entryprotocol

Setthewebentryapplicationtiercontextvariabletotheweb
s_webentryhost ebsapp
entryhostname

Setthewebentryapplicationtiercontextvariabletotheweb
s_webentrydomain example.com
entrydomainname

Setthewebentryapplicationtiercontextvariabletotheweb
s_active_webport 4443
entryportnumber

Settheloginpagecontextvariableto<webentry
s_login_page protocol>://<webentryhost>.<webentrydomain>: https://ebsapp.example.com:4443/OA
<activewebport>/OA_HTML/AppsLogin

SettheendusermonitoringURLcontextvariableto
<webentryprotocol>://<webentryhost>.<webentry
s_endUserMonitoringURL https://ebsapp.example.com:4443/or
domain>:<activeweb
port>/oracle_smp_chronos/oracle_smp_chronos_sdk.gif

SettheexternalURLcontextvariableto<webentry
s_external_url protocol>://<webentryhost>.<webentrydomain>: https://ebsapp.example.com:4443
https://support.oracle.com/epmos/faces/SearchDocDisplay?_adf.ctrlstate=tc0zg2idc_9 5/8
9/23/2016 DocumentDisplay
<activewebport>

Inadditiontotheabove,youmustletOHSknowtousetheheadersentbyHAProxywiththeclient'srealIPaddressbyadding
thefollowinglineforthedefaultHTTPconfigurationcontext.Todothis,addthefollowinglinetotheendofhttpd.conf.

UseWebCacheIpON

Note:ToavoidhavingthesesettingsoverwrittenbyAutoConfig,youcanaddtheseconfigurationstoacustomizedversion
oftheAutoConfigtemplatesfoundunder<FND_TOP>/admin/template.SeeMyOracleSupportKnowledgeDocument
387859.1,UsingAutoConfigtoManageSystemConfigurationsinOracleEBusinessSuiteRelease12formoreinformation.

DeploymentScenario:SingleApplicationTierCurrentlyUsingOHSforTLSTermination

IfyoualreadyhaveanOracleEBusinessSuiteenvironmentwithasingleapplicationtierconfiguredforTLSterminationinOHS
asperMyOracleSupportKnowledgeDocument376700.1,EnablingSSLorTLSinOracleEBusinessSuiteRelease12,hereis
asimplewaytoreconfigurethatinstancetouseHAProxyonthathostforTLStermination.

Intheaboveconfiguration,OHSlistenersareonport:8000forHTTPandonport:4443forHTTPS.

IfinthatenvironmentyoushutdownOHSfromlisteningonport:4443,startHAProxylisteningonport:4443,theexisting
configurationofOracleEBusinessSuite(tellingitabouttheHTTPSwebentrypoint)willnothavetochange.

Todothat,edithttpd.conf.

1.Commentouttheincludelineinthessl.conffile.
2.AddtheUseWebCacheIpONline.

Forexample,change:

#IncludetheSSLdefinitionsandVirtualHostcontainer

include"/u01/install/APPS/inst/apps/EBSDB_apps/ora/10.1.3/Apache/Apache/conf/ssl.conf"

to

#IncludetheSSLdefinitionsandVirtualHostcontainer

#include"/u01/install/APPS/inst/apps/EBSDB_apps/ora/10.1.3/Apache/Apache/conf/ssl.conf"
UseWebCacheIpON

https://support.oracle.com/epmos/faces/SearchDocDisplay?_adf.ctrlstate=tc0zg2idc_9 6/8
9/23/2016 DocumentDisplay

Note:ToavoidhavingthesesettingsoverwrittenbyAutoConfig,youcanaddtheseconfigurationstoacustomizedversion
oftheAutoConfigtemplatesfoundunder<FND_TOP>/admin/template.SeeMyOracleSupportKnowledgeDocument
387859.1,UsingAutoConfigtoManageSystemConfigurationsinOracleEBusinessSuiteRelease12formoreinfo.

Forthisscenario,theserverlineinhaproxy.cfgshouldsimplyreadserverapp127.0.0.1:8000andthebindlineshould
useport:4443.

AstheIPaddressisknowninthecase(localhost),youcansimplydownloadthepreparedconfigurationfilefromhaproxy.cfg
(assumingOHSHTTPisonport:8000).Otherwise,edittheportnumber.

Verifytheportnumbersintheconfigurationfile(:4443frontend,:8000backend).

#grepE'^*(server|bind)'haproxy.cfg

bind0.0.0.0:4443sslnosslv3crt/etc/haproxy/bundle.pem
server app1127.0.0.1:8000

StartHAProxyandchecktheports:

#servicehaproxystart


#netstatlntp|grep0:[48]
LISTEN 4118/haproxy
tcp 0 00.0.0.0:4443 0.0.0.0:*
tcp 0 00.0.0.0:8000 0.0.0.0:* LISTEN 3473/httpd

TestthatyourTLSenabledOracleEBusinessSuiteenvironmentworksasbefore.

VerifythatOHS'saccess_loglogstherealIPaddressoftheremoteclientsratherthantheIPaddressofHAProxy(127.0.0.1)in
thiscase.

Section7:ObtainingaCertificateforHAProxy
HAProxyneedstobeconfiguredwithavalidservercertificate.IfyouwerealreadyusingOHSastheTLSterminationpointand
willrunHAProxyonthesamehost,youmayalreadyhaveacertificatevalidforthehostname.

Ifyoudonothaveacertificatethatyoucanorwishtoreuse,youcanpurchaseanewcertificateafterhavingcreatedanew
privatekeyandacertificatesigningrequest.

7.1ReuseanExistingCertificatefromOHSWallet

IfyouwereusingOHSasaTLSterminationpointandareinstallingHAProxyonthesamehostasOHS,youmayhaveastill
validSSLservercertificateforthishostinOHS'swalletfile.

Ifyouwouldlike,youcanexporttheprivatekeyandrelevantcertificatesfromthewallettothePEMfilesrequiredbyHAProxy.
Thewalletfile,ewallet.p12,isaPKCS#12fileandOpenSSLcanextractthevariouspieces,providedyouknowthewallet
password.

Ifyouwishtoextractthecontentsfromthewalletfile,seethereferencetothe"OpenSSLCookbook"inSection8:References
forinformationonhowtousetheopensslpkcs12command.

ThedrawbackofthissolutionisthatthecertificatethatyouexportfromthewalletwillnotbeanSHA2signedcertificate.Most
likely,youwilltakethisopportunitytoupgradetoacertificatesignedwithSHA2.

7.2CreateanewSHA2SignedCertificate

Toobtainanewcertificatefromacommercialcertificateauthority(CA),youwillhavetogenerateaprivatekeyanda
certificatesigningrequest(CSR).TheOpenSSLcommandcandothis.

TheOpenSSLCookbookhasgoodinformationabouthowtoworkwithOpenSSLtocreatecertificateartifacts,includingmention
ofthebenefitsofcreatingacompanyspecificconfigurationfilewithpropercompanydefaults.SeeSection8:Referencesfor
moreinformation.
https://support.oracle.com/epmos/faces/SearchDocDisplay?_adf.ctrlstate=tc0zg2idc_9 7/8
9/23/2016 DocumentDisplay

However,thefollowingcommandswillcreateanewprivatekeyandaCSR:

[root@esc02]#cd/etc/haproxy

[root@esc02]#opensslgenrsaaes128outkey.pem2048

[root@esc02]#opensslreqnewsha256keykey.pemoutcsr.pem

Theopensslreqcommandwillpromptyouforinformationthatwillbeincorporatedintothecertificate,suchasinformation
aboutyourcompanyandthefullhostnameofyourwebentrypoint.YourorganizationoryourCAmayhaverequirementsor
standardsforacceptablevaluesforthesedataelements.

PriortosubmittingtheCSR,youcanreviewitscontentforaccuracybyusingthefollowingcommand:

[root@esc02]#opensslreqnooutincsr.pemtext

Submitthecertificatesigningrequestcsr.pemtoacommercialCAandreceiveyourSHA2signedcertificateandanyrequired
CAcertificates.

Section8:References
MyOracleSupportKnowledgeDocument376700.1,EnablingSSLorTLSinOracleEBusinessSuiteRelease12
MyOracleSupportKnowledgeDocument380489.1,UsingLoadBalancerswithOracleEBusinessSuiteRelease12
MyOracleSupportKnowledgeDocument1937646.1,CVE20143566InstructionstoMitigatetheSSLv3Vulnerability
("POODLEAttack")inOracleEBusinessSuite
HAProxyConfigurationManualversion1.5.12(.txtfile)
HAProxyConfigurationManualversion1.5.12(HTML)
MozillaWiki:Security/ServerSideTLSHAProxyProtocolsandCiphersforHAProxy
OpenSSLCookbookPKSC#12
OpenSSLCookbookCertificateGeneration
StackExchangeQ:2015TLS1.2CipherSuites

ChangeLog

Date Description

09Dec SpecifiedHAProxyversion(1.5.12andlater)toSection1:IntroductionUpdateddocumentcopyright
2015 statement.

22Jun2015 Initialpublication.

MyOracleSupportKnowledgeDocument2012639.1byOracleEBusinessSuiteDevelopment

Copyright2015,Oracleand/oritsaffiliates.Allrightsreserved.

Didn'tfindwhatyouarelookingfor?

https://support.oracle.com/epmos/faces/SearchDocDisplay?_adf.ctrlstate=tc0zg2idc_9 8/8