Below is a clear, step-by-step guide to set up Oracle E-Business Suite (EBS) 12.2 iRecruitment/iProcurement/iSupplier Portal in a DMZ.
I’ll keep it practical, ordered, and DBA-oriented, assuming you already know EBS basics.
1. Understand the Target Architecture (Before Touching Anything)
Goal:
Expose only the web tier to the internet (DMZ) for suppliers, while keeping Application + Database tiers private.
Typical DMZ Architecture
Internet
|
[Firewall]
|
[DMZ]
|
External Web Tier (OHS)
|
[Internal Firewall]
|
Internal Web Tier + App Tier
|
Database Tier
Key Principles
No DB or Forms traffic exposed to internet
Only HTTPS (443) open from Internet → DMZ
DMZ web tier is stateless
iSupplier uses OAF (HTML) → no Java Forms exposure needed
2. Prerequisites Checklist
Before setup, ensure:
EBS 12.2.x fully upgraded
Latest AD + TXK patches
SSL certificates ready (Public CA)
Separate servers:
DMZ Web Tier
Internal App Tier
DB Tier
DNS names defined:
External:
supplier.company.com
Internal:
ebs-internal.company.local
3. Prepare the DMZ Web Tier Server
OS Preparation
Same OS & version as internal web tier
Same users/groups (oracle, oinstall)
Time sync (NTP)
No database client required
Directory Structure
Example:
/u01/oracle/VIS_DMZ/fs1
/u01/oracle/VIS_DMZ/fs2
/u01/oracle/VIS_DMZ/fs_ne
4. Clone Web Tier to DMZ (Web-Only Clone)
You do NOT install a fresh EBS in DMZ.
You clone only the web tier.
Steps (High Level)
On internal EBS:
perl adpreclone.pl appsTier
Copy required directories to DMZ server
Run Rapid Clone on DMZ:
perl adcfgclone.pl appsTier
During Clone
Choose Web Tier Only
Skip DB & App services
Set external hostname
Disable Forms, Concurrent, Admin services
5. Configure External Web Tier (DMZ)
After clone, configure OHS for external access.
Key Config Files
httpd.conf
ssl.conf
mod_wl_ohs.conf
mod_wl_ohs (Very Important)
Forward traffic to internal web/app tier:
<Location /OA_HTML>
SetHandler weblogic-handler
WebLogicHost internal-ebs.company.local
WebLogicPort 8001
</Location>
Same for:
/OA_MEDIA
/OAFunc
/OA_JAVA
6. Enable SSL on DMZ Web Tier (Mandatory)
iSupplier must use HTTPS.
Steps
Import public SSL cert into OHS wallet
Configure:
Listen 443
SSLEngine on
Enforce HTTPS redirect:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
7. Configure EBS Context Files (Critical)
External Node Context
Set:
<s_external_url>https://supplier.company.com</s_external_url>
<s_webentryhost>supplier.company.com</s_webentryhost>
<s_webentryprotocol>https</s_webentryprotocol>
Internal Node Context
Ensure:
<s_internal_url>http://internal-ebs.company.local</s_internal_url>
Run:
adautocfg.sh
8. Enable iSupplier Portal Responsibility
Check These Are Installed
iSupplier Portal (POS)
TCA
FND Web components
Profile Options (Important)
Set at Site level:
| Profile | Value |
|---|---|
| Applications Servlet Agent | https://supplier.company.com |
| Applications Framework Agent | https://supplier.company.com |
| Self Service Web Applications | Enabled |
9. Configure Guest Access (Optional but Common)
For supplier registration:
Responsibility: iSupplier Portal Full Access
User: GUEST
Enable self-registration if required
10. Firewall Rules (Very Important)
Internet → DMZ
TCP 443 (HTTPS)
DMZ → Internal
WebLogic ports (usually 8001/8003)
OHS → Internal Web tier only
Block Completely
Forms ports
Database ports
Admin ports
11. Testing Checklist
External Test
Open:
https://supplier.company.com/OA_HTML/AppsLogin
Log in as supplier
Open:
Home page
Purchase Orders
Invoices
Verify:
No Forms launch
No internal URLs exposed
SSL padlock valid
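One way to automate the "No Forms launch" and "No internal URLs exposed" checks, as an added example that is not part of the original guide: it scans a captured response (status, headers, body) for internal hostnames, plain-HTTP links to the external host, and Forms URLs. The function name and the sample captures are hypothetical and constructed; the hostnames are the ones used in this guide.

```python
import re
from urllib.parse import urlsplit

EXTERNAL_HOST = "supplier.company.com"   # external name used in the guide
INTERNAL_SUFFIX = ".company.local"       # internal DNS suffix used in the guide
ABS_URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
FORMS_RE = re.compile(r"[\"'](/forms/[^\"']*)[\"']", re.I)

def check_response(status, headers, body):
    """Return sorted findings for one HTTP response captured via the DMZ URL."""
    findings = set()
    urls = ABS_URL_RE.findall(body) + FORMS_RE.findall(body)
    location = headers.get("Location")
    if 300 <= status < 400 and location:
        urls.append(location)
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host.endswith(INTERNAL_SUFFIX):
            findings.add(f"internal hostname exposed: {host}")
        elif host == EXTERNAL_HOST and parts.scheme.lower() != "https":
            findings.add(f"non-HTTPS link to external host: {url}")
        if parts.path.lower().startswith("/forms"):
            findings.add(f"Forms URL referenced: {parts.path}")
    return sorted(findings)

# Constructed samples (hypothetical captures, not real traffic).
LEAKY_REDIRECT = (302, {"Location":
    "http://internal-ebs.company.local:8001/OA_HTML/OA.jsp?OAFunc=POS_HOME"}, "")
CLEAN_PAGE = (200, {}, '<img src="https://supplier.company.com/OA_MEDIA/FNDSSCORP.gif">')
FORMS_LINK = (200, {}, '<a href="/forms/frmservlet">Launch</a>')

if __name__ == "__main__":
    for name, sample in [("redirect", LEAKY_REDIRECT), ("clean", CLEAN_PAGE),
                         ("forms", FORMS_LINK)]:
        print(name, check_response(*sample))
```

A leaked internal host in a redirect usually points back to the context-file or profile mismatch described under Common Issues.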
12. Security Hardening (Highly Recommended)
Disable
/OA_HTML/AppsLocalLogin.jsp
Remove admin responsibilities from DMZ
Enable:
WAF
Rate limiting
Patch OHS regularly
13. Common Issues & Fixes
Blank Page After Login
➡ Usually Applications Servlet Agent wrong
Redirects to Internal URL
➡ Context file mismatch → rerun AutoConfig
Images Not Loading
➡ /OA_MEDIA not proxied correctly
14. Final Architecture Summary
| Tier | Location |
|---|---|
| OHS (External) | DMZ |
| WebLogic (OAF) | Internal |
| Forms | Internal |
| DB | Internal |
Below are ready-to-use configs, a firewall table, and a troubleshooting checklist for EBS 12.2 iSupplier Portal in a DMZ.
1️⃣ Exact mod_wl_ohs.conf (DMZ Web Tier)
This is the most critical file.
📍 Location (DMZ node):
$EBS_DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/mod_wl_ohs.conf
✅ Recommended Production Configuration
# Load weblogic module
LoadModule weblogic_module ${ORACLE_HOME}/ohs/modules/mod_wl_ohs.so
# Default settings
WLProxySSL ON
WLProxySSLPassThrough ON
Debug OFF
# ===== OA Framework =====
<Location /OA_HTML>
SetHandler weblogic-handler
WebLogicHost internal-ebs.company.local
WebLogicPort 8001
WLIOTimeoutSecs 300
</Location>
<Location /OA_MEDIA>
SetHandler weblogic-handler
WebLogicHost internal-ebs.company.local
WebLogicPort 8001
</Location>
<Location /OA_JAVA>
SetHandler weblogic-handler
WebLogicHost internal-ebs.company.local
WebLogicPort 8001
</Location>
<Location /OAFunc>
SetHandler weblogic-handler
WebLogicHost internal-ebs.company.local
WebLogicPort 8001
</Location>
# ===== Disable Forms Completely =====
<Location /forms>
Require all denied
</Location>
👉 Do NOT proxy /forms for iSupplier.
Restart OHS:
$ADMIN_SCRIPTS_HOME/adapcctl.sh stop
$ADMIN_SCRIPTS_HOME/adapcctl.sh start
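To catch drift from the configuration above before restarting OHS, the following added example (not part of the original guide or of Oracle's tooling) audits a mod_wl_ohs.conf: only the four OA paths may be proxied, the backend must be the internal host on an allowed port, /forms must be denied, and Debug must be OFF. The function names and the drifted sample are hypothetical and constructed.

```python
import re

ALLOWED_PROXY_PATHS = {"/OA_HTML", "/OA_MEDIA", "/OA_JAVA", "/OAFunc"}  # from the guide
INTERNAL_HOST = "internal-ebs.company.local"  # hostname used in the guide
ALLOWED_PORTS = {"8001", "8003"}  # DMZ -> internal ports in the firewall table
LOCATION_RE = re.compile(r"<Location\s+(\S+)>(.*?)</Location>", re.S | re.I)

def parse_locations(conf_text):
    """Return {path: {lowercased directive: value}} for each <Location> block."""
    blocks = {}
    for path, body in LOCATION_RE.findall(conf_text):
        directives = {}
        for line in body.splitlines():
            parts = line.split("#", 1)[0].split(None, 1)
            if parts:
                directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
        blocks[path] = directives
    return blocks

def audit(conf_text):
    """Return sorted findings; an empty list means the file matches the guide."""
    findings = []
    blocks = parse_locations(conf_text)
    for path, d in blocks.items():
        if d.get("sethandler", "").lower() != "weblogic-handler":
            continue  # block does not proxy to WebLogic
        if path not in ALLOWED_PROXY_PATHS:
            findings.append(f"{path}: proxied but not in the allow-list")
        host, port = d.get("weblogichost"), d.get("weblogicport")
        if host != INTERNAL_HOST or port not in ALLOWED_PORTS:
            findings.append(f"{path}: unexpected backend {host}:{port}")
    if blocks.get("/forms", {}).get("require", "").lower() != "all denied":
        findings.append("/forms: no 'Require all denied' block")
    if re.search(r"^\s*Debug\s+(?!OFF\b)\S+", conf_text, re.M | re.I):
        findings.append("Debug is not OFF")
    return sorted(findings)

# Constructed sample of a drifted file: /forms proxied, debug logging left on.
DRIFTED = """\
Debug ALL
<Location /forms>
SetHandler weblogic-handler
WebLogicHost internal-ebs.company.local
WebLogicPort 9001
</Location>
"""

if __name__ == "__main__":
    print("\n".join(audit(DRIFTED)))
```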
2️⃣ SSL Configuration (DMZ OHS)
📍 File:
ssl.conf
Minimum Required
Listen 443
<VirtualHost *:443>
ServerName supplier.company.com
SSLEngine on
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
SSLCertificateFile /u01/ssl/public.crt
SSLCertificateKeyFile /u01/ssl/private.key
SSLCertificateChainFile /u01/ssl/chain.crt
</VirtualHost>
Force HTTPS Redirect
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
3️⃣ Firewall Rules (Clear Table)
🌐 Internet → DMZ
| Source | Destination | Port | Purpose |
|---|---|---|---|
| Any | DMZ OHS | 443 | Supplier access |
🔥 DMZ → Internal Network
| Source | Destination | Port | Purpose |
|---|---|---|---|
| DMZ OHS | Internal WebLogic | 8001 | OAF |
| DMZ OHS | Internal WebLogic | 8003 | SSL (if used) |
❌ Block Completely
| Port | Reason |
|---|---|
| 1521 | DB security |
| 7777 | Internal OHS |
| 9000+ | Admin ports |
| Forms ports | Not needed |
4️⃣ EBS Context File Settings (Very Important)
DMZ Web Tier Context
<s_webentryprotocol>https</s_webentryprotocol>
<s_webentryhost>supplier.company.com</s_webentryhost>
<s_webentryurl>https://supplier.company.com</s_webentryurl>
<s_external_url>https://supplier.company.com</s_external_url>
Internal Web Tier Context
<s_webentryprotocol>http</s_webentryprotocol>
<s_webentryhost>internal-ebs.company.local</s_webentryhost>
<s_internal_url>http://internal-ebs.company.local</s_internal_url>
Run on both tiers:
adautocfg.sh
5️⃣ Mandatory Profile Options (Site Level)
| Profile Name | Value |
|---|---|
| Applications Servlet Agent | https://supplier.company.com |
| Applications Framework Agent | https://supplier.company.com |
| ICX: Session Timeout | 180 |
| Self Service Personal Home Page Mode | Framework |
6️⃣ Testing URLs (Order Matters)
Login Page
https://supplier.company.com/OA_HTML/AppsLogin
iSupplier Home
https://supplier.company.com/OA_HTML/OA.jsp?OAFunc=POS_HOME
Media Test
https://supplier.company.com/OA_MEDIA/FNDSSCORP.gif
✔ Image loads = proxy OK
❌ Broken image = /OA_MEDIA issue
7️⃣ Common Issues & Fixes (Real-World)
❌ Redirects to Internal URL
Cause: Wrong profile or context
Fix:
Check Applications Servlet Agent
Re-run adautocfg.sh
❌ Blank Page After Login
Cause: WebLogic port blocked
Fix:
telnet internal-ebs.company.local 8001
❌ CSS / Images Missing
Cause: /OA_MEDIA not proxied
Fix: Add <Location /OA_MEDIA>
❌ Supplier Can See Forms
Cause: Forms not blocked
Fix:
<Location /forms>
Require all denied
</Location>
8️⃣ Security Hardening (Strongly Recommended)
✔ Disable local login:
/OA_HTML/AppsLocalLogin.jsp
✔ Enable:
Web Application Firewall (WAF)
Rate limiting
IDS/IPS
✔ Patch regularly:
OHS PSU
EBS CPU
9️⃣ Final Production Checklist ✅
SSL works end-to-end
No internal hostname leaks
No Forms access
Only 443 exposed
Suppliers can view:
POs
Invoices
Payments