Blog dedicated to Oracle Applications (E-Business Suite) Technology; covers Apps Architecture, Administration and third party bolt-ons to Apps

Thursday, September 20, 2007

First app tier on http, Second app tier on https

I am architecting a solution for an existing E-Biz instance which is going to talk to Kewill through Oracle's ITM (International Trade Management) adapter. For outbound traffic we'll be using a forward proxy. For inbound we need to give a URL which is accessible from the internet. As a security policy, any external facing site needs to be on https. But if I implement https on all app tiers, there is going to be a performance hit of 35 - 40%. So instead, if I convert one of the existing app tiers to https, it would be a better solution overall. We have 6 app tiers. 4 app tiers will be on http and 2 app tiers will be on https. The http app tiers are being accessed through a Big IP load balancer URL which is reachable inside the intranet, and the 2 https app tiers will be accessed through a different URL which can be accessed through the internet. I have raised an SR with Oracle to validate it. Here is what Oracle said in its response:

Hi Vikram.

I will be working with you on Service Request (SR) 6497953.993: IS IT POSSIBLE TO HAVE ONE APP TIER ON HTTPS, SECOND ON HTTP ?.

I am based in Melbourne, Australia. Our timezone is currently GMT+10 and our hours of operation are 7am - 3.30pm (local time). Should you wish for this SR to be repatriated to a different timezone, please let me know.

One thing I'll need to know is how you plan to access the apps tiers. Will you be going through a load balancer, for example, or connecting directly to them?

If you can give me an idea of your planned system architecture it will help me to find out your answer.


Thanks,
Gavin Stok

Oracle Support
Melbourne, Australia


20-SEP-07 23:40:05 GMT

Email Update button has been pressed: Sending email

21-SEP-07 03:35:02 GMT

New info :
The http app tiers will be accessed through a BigIP load balancer URL and the https app tiers will be accessed through a different BigIP load balancer URL.

- Vikram


21-SEP-07 04:52:24 GMT

UPDATE
======

Hi Vikram.

I write to you in regards to Service Request: IS IT POSSIBLE TO HAVE ONE APP TIER ON HTTPS, SECOND ON HTTP ?.

Thanks for the response.

From our understanding, yes this is possible and will mostly come down to the BigIP setup.

You should configure BigIP to have multiple entry points, with the access for the https nodes to run ssl acceleration. This will prevent you from needing to do ssl setup on the https middle tiers.

The people from BigIP may be better to explain the intricacies of what is needed.

Please let me know if you need any further clarification, or if this now resolves your query.


Kind Regards,
Gavin Stok

Oracle Support
Melbourne, Australia


21-SEP-07 13:31:05 GMT

Hi Gavin,

Thank you for your answer. Our production environments have BigIP so we'll set it up there without issues. However I wanted to know if this is possible in dev environments where we don't have load balancers. Will this work if we configure https on one app tier and http on second app tier in dev environment where we don't have BigIp load balancers?

- Vikram


25-SEP-07 00:46:43 GMT

UPDATE
======

Hi Vikram.

I write to you in regards to Service Request: IS IT POSSIBLE TO HAVE ONE APP TIER ON HTTPS, SECOND ON HTTP ?.

There should be no problem doing this. You set up one tier with HTTPS, and leave the other with HTTP, then connect directly to whichever tier you need. The SSL setup is between the middle tier and the browser, not the middle tier and the database, so this is why there should be no problem.

Please refer to Note 123718.1 for implementing SSL with e-business suite.

Kind Regards,
Gavin Stok

Oracle Support
Melbourne, Australia

5 comments:

Unknown said...

Using the webcache, it should be possible to convert https for the outside world to http internal.

Don't know if this is possible in EBS, though.

Anonymous said...

Can't you have the BigIP device terminating the SSL traffic as another solution...
But I like the idea of the exercise either way.

Niall said...

could you perhaps add a pointer/justification for the 30-40% performance hit figure?

Atul Kumar said...

Vikram,
This architecture is supported and defined in Oracle's DMZ setup metalink note. A lot of my clients are using this kind of setup.

To gain performance you can use big IP ssl accelerator (extra cost of hardware) so browser to load balancer is SSL but from ssl to web server (external facing NON ssl)

Atul Kumar
http://becomeAppsDBA.blogSpot.com

Vikram Das said...

Hi Atul,

Thanks for the information. For this application, the security team has dictated that the whole path has to be SSL. That means the path from External hosted solution on vendor server to Oracle Apps web tier has to be SSL. On both ends we need to have SSL certificates to ensure the identities of sender and receiver. Usually we put SSL certificates on load balancers and traffic from load balancer to application server is http. However in this case we need to enable HTTPS on the E-Biz server.

- Vikram
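
The thread contrasts two designs for the internet-facing URL: SSL terminated at the BigIP with http behind it, and https carried through to the app tier. The following is an added example, not code from the post or from Oracle: a small audit of a declared hop inventory against either policy. Entry point names, host names and the inventory itself are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Hop:
    src: str
    dst: str
    scheme: str  # "http" or "https"

@dataclass(frozen=True)
class EntryPoint:
    name: str
    internet_facing: bool
    hops: tuple  # ordered hops, client side first

def audit(entry_points, policy="end_to_end"):
    """Return {entry point name: [offending hops]} for internet-facing paths.

    policy="edge":       only the client-facing hop must be https
                         (SSL terminated at the load balancer is accepted).
    policy="end_to_end": every hop down to the app tier must be https.
    """
    if policy not in ("edge", "end_to_end"):
        raise ValueError(f"unknown policy: {policy}")
    findings = {}
    for ep in entry_points:
        if not ep.internet_facing:
            continue  # intranet-only URLs are outside this policy
        checked = ep.hops[:1] if policy == "edge" else ep.hops
        bad = [f"{h.src} -> {h.dst} ({h.scheme})"
               for h in checked if h.scheme.lower() != "https"]
        if not ep.hops:
            bad = ["no hops declared"]  # an empty path cannot be shown compliant
        if bad:
            findings[ep.name] = bad
    return findings

# Constructed inventory; host names are placeholders, not real systems.
INVENTORY = [
    EntryPoint("intranet", False, (Hop("browser", "bigip-int", "http"),
                                   Hop("bigip-int", "apptier-http", "http"))),
    EntryPoint("external-offload", True, (Hop("vendor", "bigip-ext", "https"),
                                          Hop("bigip-ext", "apptier-ssl", "http"))),
    EntryPoint("external-e2e", True, (Hop("vendor", "bigip-ext", "https"),
                                      Hop("bigip-ext", "apptier-ssl", "https"))),
]

if __name__ == "__main__":
    for policy in ("edge", "end_to_end"):
        print(policy, audit(INVENTORY, policy))
```

Under the "edge" policy the offloaded design passes; under "end_to_end" its load balancer to app tier hop is reported, which is the gap the last comment describes.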