URL FIREWALL for External Node/DMZ
by Rackspace Technology Staff
When configuring Oracle E-Business Suite in a DMZ configuration, you can deploy firewalls at different levels to restrict access to only the web pages required for the business.
The URL Firewall blocks access to unnecessary web pages in modules that are not installed, configured, or licensed.
Business Impact
The external DMZ environment within the Oracle EBS architecture allows access to over 15,000 web pages when very less web pages are required. An attacker may be able to exploit security vulnerabilities present in any of these 15,000 web pages to access the core EBS application and the modules that support the business.
Following steps help enable firewall in a DMZ setup.
Rule 1 says when the user type / after the hostname, d
omain name and
#Include URLs for product IBE (iStore) with CZ
Enabled all the pages mentioned inside the IBE product section.
port number and then /; this will redirect user to the /OA_HTML/ AppsLocalLogin.jsp and will stop applying any rewrite rule.
Rule 2 Display same url as mentioned on the left, /OA_HTML/jsp/fnd/AOLDataStreaming.jsp
[R,L] at the end R- Means Rewrite L- Last rewrite rule (No more rule to apply after this)
Rule 1 says when the user type / after the hostname, domain name and port number and then /; this will redirect user to the /OA_HTML/ AppsLocalLogin.jsp and will stop applying any rewrite rule.
Rule 2 Display same url as mentioned on the left, /OA_HTML/jsp/fnd/AOLDataStreaming.jsp
[R,L] at the end R- Means Rewrite L- Last rewrite rule (No more rule to apply after this)
Rule 1 says when the user type / after the hostname, domain name and port number and then /; this will redirect user to the /OA_HTML/ AppsLocalLogin.jsp and will stop applying any rewrite rule.
Rule 2 Display same url as mentioned on the left, /OA_HTML/jsp/fnd/AOLDataStreaming.jsp
[R,L] at the end R- Means Rewrite L- Last rewrite rule (No more rule to apply after this)
For more understanding of the concept.
. (dot) means matches any characters
[] specifies a class
[a-z] matches any lowercase characters from a to z
[a-zA-Z0-9] matches any character upper or lower case from a to z and numeric 0 to 9
[abc$] matches a or b or c or $
[^0-9] matches anything except digit 0 to 9. Here ^ is negation
Meta Characters in Regular Expressions
^ – Matches Start of a line
$ – Matches End of line
Quantifiers for Characters
? matches zero or one instance of character
+
matches one or more instance of character
*
matches zero or more instance of character
2) MODIFY FILE $ORA_CONFIG_HOME/10.1.3/APACHE/APACHE/CONF/URL_FW.CONF COMMENT/DISABLE THE REQUIRED JSPS IN THE FIREWALL
Allowing the following jsp pages by UN-comment them from the url_fw.conf file:
Under section – #Include URLS for login method: LOCAL
Before: RewriteRule ^/$ https://<ISTORE_URL>:/OA_HTML/AppsLogin [R,L]
#RewriteRule ^/OA_HTML/OA.jsp$ - [L]
#RewriteRule ^/OA_HTML/RF.jsp$ - [L]
#RewriteRule ^/OA_HTML/AppsLocalLogin.jsp$ - [L]
#RewriteRule ^/OA_HTML/AppsLocalLogout.jsp$ - [L]
RewriteRule ^/OA_HTML/OALogout.jsp$ - [L]
RewriteRule ^/OA_HTML/OAErrorPage.jsp$ - [L]
RewriteRule ^/OA_HTML/OAErrorDetailPage.jsp$ - [L]
#RewriteRule ^/OA_HTML/OAExport.jsp$ - [L]
#RewriteRule ^/OA_HTML/OADownload.jsp$ - [L]
#RewriteRule ^/OA_HTML/fndvald.jsp$ - [L]
#RewriteRule ^/OA_HTML/AppsLogin$ - [L]
RewriteRule ^/OA_HTML/AppsLogout$ - [L]
After:
RewriteRule ^/$ https://<ISTORE_URL>:/OA_HTML/AppsLogin [R,L]
RewriteRule ^/OA_HTML/OA.jsp$ - [L]
RewriteRule ^/OA_HTML/RF.jsp$ - [L]
RewriteRule ^/OA_HTML/AppsLocalLogin.jsp$ - [L]
RewriteRule ^/OA_HTML/AppsLocalLogout.jsp$ - [L]
RewriteRule ^/OA_HTML/OALogout.jsp$ - [L]
RewriteRule ^/OA_HTML/OAErrorPage.jsp$ - [L]
RewriteRule ^/OA_HTML/OAErrorDetailPage.jsp$ - [L]
RewriteRule ^/OA_HTML/OAExport.jsp$ - [L]
RewriteRule ^/OA_HTML/OADownload.jsp$ - [L]
#RewriteRule ^/OA_HTML/fndvald.jsp$ - [L]
RewriteRule ^/OA_HTML/AppsLogin$ - [L]
RewriteRule ^/OA_HTML/AppsLogout$ - [L]
We can keep everything enabled inside the following mentioned sections
Please note, since we are using product IBE, we have enabled all the pages.
In this section, and along with the same we have enabled common pages (not related to product) as well.
#Include URLs for product IBE (iStore) with CZ
Enable all the pages mentioned inside the IBE product section.
Enabled this entry to get pass the HTTP 400 Bad Request error and add to cart started working fine.
RewriteRule ^/OA_HTML/JavaScriptServlet* - [L]
RewriteRule ^/OA_HTML/ibe*.js$ - [L]
IN CASE YOU NEED TO DISABLE THE FIREWALL FOR THE CZ PRODUCT, COMPLETE THE FOLLOWING STEPS:
#Include URLs for product IBE (iStore) with CZ
Enable all the pages mentioned inside.
3) NETWORK TEAM IS REQUIRED TO CHANGE THE HEARTBEAT FOR THE LOAD BALANCER SO THEY DO IT USING THE INDEX.HTML
After the firewall was enabled on the iStore backend server, the LB marked the service as “Down”. It seems the firewall change produced a redirect and changed the response code from a 200 to a 302. The index.html page was permitted and the monitor was successfully reconfigured to check “/index.html”.
Before index.html was used
HTTP/1.1 302 Found
Date: Mon, 20 Jul 2020 20:55:50 GMT
Location : https://<URL.HOSTNAME>:/OA_HTML/AppsLogin
Content-Type: text/html; charset=iso-8859-1
After index.html was used
curl -Ik https://<IP_ADDRESS>:/index.html
HTTP/1.1 200 OK
Date: Mon, 20 Jul 2020 21:10:27 GMT
X-Content-Type-Options: nosniff
Last-Modified: Mon, 20 Jul 2020 20:40:39 GMT
ETag: “hd4503-7wd-5f98747”
Accept-Ranges: bytes
Content-Length: 1275
Content-Type: text/html
4) TROUBLESHOOTING TIPS IN CASE ANY SPECIFIC PAGE IS NOT WORKING, CUSTOM PAGE OR THE SEED PAGE.
Open IE and navigate to the page having issue in the istore.
Press F12 -> Navigate to the Network tab to find out the exact page in question this can be any page like JavaScriptServlet* , ibe* or *.jsp
Once the exact page with issues is identified, you need to add the page as shown in the following snapshot.
$ORA_CONFIG_HOME/10.1.3/Apache/Apache/conf/url_fw.conf file, bounce the services to make sure now the page is working fine.
Example of entries include.
RewriteRule ^/OA_HTML/JavaScriptServlet* - [L]
RewriteRule ^/OA_HTML/ibe*.js$ - [L]
RewriteRule ^/OA_HTML/<custom_pagename>.*.jsp$ - [L]
Please note - These entries need to be added in the appropriate place in the url_fw.conf file. Once all the settings are complete and verified and the pages are working fine, you can make the changes in the template file url_fw_conf_1013.tmp ($FND_TOP/admin/template/url_fw_conf_1013.tmp ) and copy the file to custom folder ($FND_TOP/admin/template/custom/url_fw_conf_1013.tmp ) and run autoconfig.
Conclusion
Firewall controls access between the internet and internal network or intranet (within the organization). Firewall dictates which external communications will be permitted into the organization network, and which will be blocked. A well-designed firewall can prevent numerous common internet-based security attacks.
By following and completing the above mentioned steps, one can systematically enable the firewall in a DMZ setup and debug the issue.
Recent Posts
Upgrade Palo Alto Firewall and GlobalProtect for November 2024 CVE
November 26th, 2024
Ready for Lift Off: The Community-Driven Future of Runway
November 20th, 2024
Google Cloud Hybrid Networking Patterns — Part 1
October 17th, 2024
Google Cloud Hybrid Networking Patterns — Part 3
October 17th, 2024
Google Cloud Hybrid Networking Patterns — Part 2
October 17th, 2024