Monday, 12 November 2012

B2B11g with Apache 2.0 as forward proxy

In the past I wrote an article about high availability architecture for Oracle Integration B2B10g.
Currently I'm working on an AS2 implementation with Oracle B2B11g. B2B11g is now part of SOASuite11g. Although it can be seen as a gateway product, much like OSB, since it is part of SOASuite I would not recommend to place B2B in de DMZ (Demilitarized Zone).

So what you need is a proxy and reverse proxy in the DMZ to forward messages from B2B to your trading partner (forward proxy) and route messages from your trading partner to B2B (reverse proxy).

The idea in our setup was actually to use Microsoft IIS for this. The reverse proxy was succesfull implementated, where it also functions as a SSL-decoder. But the IIS-expert had difficulties to turn the forward-proxy functioning on. Now that should not be to hard, but it need to have proxy, and proxy-connect (for proxying SSL-requests) installed. Apparently those are seperate installs for IIS. You may conclude: me know nothing about IIS. Also, the IIS-expert was not around very much and we needed a proxy in place pretty much immediatly.

So I installed Apache for that. I installed a Apache 2.0.x. Not the latest  release, I know, because I hoped to be able to re-use my settings from my earlier implementation. However, those turned out to be from 1.3 (forgot about that).

Anyway I had to change my settings a little.

First you need to turn some modules (mod_proxy, mod_proxy_http and mod_proxy_connect) on in the http.conf

#2012-10-31, M. van den Akker, Darwin-IT Professionals
# mod_proxy en mod_proxy_http needed for proxy
LoadModule proxy_module modules/
LoadModule proxy_connect_module modules/
LoadModule proxy_http_module modules/

The proxy-connect module is needed to be able to proxy for SSL connections.
Since I like to seperate my customsettings from the other ones I created a separate config file for the proxy-settings. This I include at the end of the http.conf:

#2012-10-31, M. van den Akker, Darwin-IT Professionals
#Include proxy config
Include conf/proxy.conf

Then of course the proxysettings in the proxy.conf file:
#2012-10-31, M. van den Akker, Darwin-IT Professionals

Listen 1234
NameVirtualHost proxy-web-b2b:1234
ProxyRequests On
ProxyVia On
AllowCONNECT 443 8443 
<Proxy *>
  #Order deny,allow
  #Deny from all
  Allow from all
<VirtualHost proxy-web-b2b:1234>
  ServerAdmin webmaster@proxy-web-b2b
  ErrorLog logs/error_proxyfwd1234.log
  CustomLog logs/access_proxyfwd1234.log common
The AllowCONNECT setting denotes the ports that are allowed for SSL-Connect forwards.

Since we use this temporarly only for forward proxying, I don't have the Apache 2.0 settings for reverse proxying at hand. Since B2B11g is the initiator of the https-connection it needs to have the SSL certificates of remote tradingpartners, besides the AS2 encryption/signing certificates in the keystore. So as is done in our case it does not make much sense to have the reverse-proxy (IIS in our implementation) do the un-SSL-ing (decoding). Then you'll need to maintain those certificates in two keystores.

For the forward proxy the weblogic server of B2B needs to be started with the following settings:
  • -Dhttp.proxySet=true
  • -Dhttp.proxyHost=proxy-web-b2b
  • -Dhttp.proxyPort=1234
In the B2B configuration on the delivery channels the checkbox "Use Proxy" needs to be checked.

That's about it.

No comments: