Thursday, 16 February 2017

Install and configure Oracle HTTP Server Standalone

Last week I had an assignment to install and configure Oracle HTTP Server as a reverse proxy in a DMZ. Many years ago I worked with Apache a little, so I did not have the details at hand.

Although installing and configuring the HTTP Server is not hard, I found that I had to do quite some searching around to get to all the essentials. To help you out, and to have it logged for myself, let's get through it.

Install OHS Software


For installing the OHS Software I created a script as I did for other FMW installations (FMW Infrastructure, OSB, SOA/BPM, etc.). I did my installation on an Oracle Linux 7 VM that already contained the database and WebLogic, so I did not need to add the necessary packages. See for instance the requirements doc.

The script starts with the following settings:

| Variable | Meaning | Suggested Value (12.2.1.2) |
|---|---|---|
| OHS_ZIP_HOME | Location of the Zip file(s) of the installation. | $PWD/../Zipped/OHS |
| OHS_INSTALL_HOME | Location to extract the Zip file(s) of the installation to. | $PWD/../Extracted/stage/OHS |
| OHS_INSTALL_BIN | Name of the installer within the Zip file(s) | fmw_12.2.1.2.0_ohs_linux64.bin |
| OHSSA_INSTALL_RSP | Name of the response file to use in the installer | fmw_12.2.1.2.0_ohs_sa.rsp |
| OHSSA_INSTALL_RSP_TPL | Name of the response file template, to expand to the actual response file. | $OHSSA_INSTALL_RSP.tpl |
| OHS_INSTALL_ZIP | Name of the zip file that contains the installer. | V789368-01.zip |

As in earlier blogs I use a fmw12c_env.sh script to set variables to point to the locations/homes of the software. For this script I need the following variables (so add them if not present):

| Variable | Meaning | Suggested Value (12.2.1.2) |
|---|---|---|
| ORACLE_BASE | Base location of the oracle installations | /u01/app/oracle or /app/oracle |
| OHSSA_HOME | Home for the installation of a StandAlone OHS. | $ORACLE_BASE/product/middleware/OHS12212 |


The script installOHS_SA.sh is as follows:

#!/bin/bash
. $PWD/fmw12c_env.sh
#
export OHS_ZIP_HOME=$PWD/../Zipped/OHS
export OHS_INSTALL_HOME=$PWD/../Extracted/stage/OHS
export OHS_INSTALL_BIN=fmw_12.2.1.2.0_ohs_linux64.bin
export OHSSA_INSTALL_RSP=fmw_12.2.1.2.0_ohs_sa.rsp
export OHSSA_INSTALL_RSP_TPL=$OHSSA_INSTALL_RSP.tpl
export OHS_INSTALL_ZIP=V789368-01.zip
#
# Oracle Webtier 12c
if [ ! -d "$OHSSA_HOME" ]; then
  #
  #Unzip OHS Software
  if [ ! -f "$OHS_INSTALL_HOME/$OHS_INSTALL_BIN" ]; then
    if [ -f "$OHS_ZIP_HOME/$OHS_INSTALL_ZIP" ]; then
      if [ ! -d "$OHS_INSTALL_HOME" ]; then
        echo Create folder "$OHS_INSTALL_HOME"
        mkdir -p "$OHS_INSTALL_HOME"
      fi
      echo Unzip "$OHS_ZIP_HOME/$OHS_INSTALL_ZIP" to "$OHS_INSTALL_HOME/$OHS_INSTALL_BIN"
      unzip -o "$OHS_ZIP_HOME/$OHS_INSTALL_ZIP" -d "$OHS_INSTALL_HOME"
    else
      # Report the path that was actually tested above
      echo "$OHS_ZIP_HOME/$OHS_INSTALL_ZIP" does not exist!
    fi
  else
    echo $OHS_INSTALL_BIN already unzipped
  fi
  if [ -f "$OHS_INSTALL_HOME/$OHS_INSTALL_BIN" ]; then
    echo Substitute $OHSSA_INSTALL_RSP_TPL to $OHSSA_INSTALL_RSP
    envsubst < "$OHSSA_INSTALL_RSP_TPL" > "$OHSSA_INSTALL_RSP"
    echo Install Oracle HTTP Server 12cR2 StandAlone
    "$OHS_INSTALL_HOME/$OHS_INSTALL_BIN" -silent -responseFile "$PWD/$OHSSA_INSTALL_RSP"
  else
    echo $OHS_INSTALL_BIN not available!
  fi
else
  echo $OHSSA_HOME available: WebTier installed
fi

The script checks if the OHS Home already exists; if so, it concludes that the software apparently is installed already. If not, it checks if the installer is available, and if that is not the case it checks if the zip is available. It will unzip the installer if needed, and if one of the checks fails it will stop.

Something new I learned since my earlier blogs is the envsubst command, which is available in Oracle Linux. It expands the environment variables that occur in a file. For this script that is handy, because the installer needs a response file that contains, for instance, an Oracle Home that has to be set to the target $OHSSA_HOME from the fmw12c_env.sh script. In my earlier scripts, when I needed or wanted to install using other folder structures, I had to change both the script and the response file. Now I used the response file saved from the manual installation and replaced the folder with the particular environment variable.

The response file template, which I called fmw_12.2.1.2.0_ohs_sa.rsp.tpl, looks like:
[ENGINE]

#DO NOT CHANGE THIS.
Response File Version=1.0.0.0.0

[GENERIC]

#Set this to true if you wish to skip software updates
DECLINE_AUTO_UPDATES=true

#My Oracle Support User Name
MOS_USERNAME=

#My Oracle Support Password
MOS_PASSWORD=<SECURE VALUE>

#If the Software updates are already downloaded and available on your local system, then specify the path to the directory where these patches are available and set SPECIFY_DOWNLOAD_LOCATION to true
AUTO_UPDATES_LOCATION=

#Proxy Server Name to connect to My Oracle Support
SOFTWARE_UPDATES_PROXY_SERVER=

#Proxy Server Port
SOFTWARE_UPDATES_PROXY_PORT=

#Proxy Server Username
SOFTWARE_UPDATES_PROXY_USER=

#Proxy Server Password
SOFTWARE_UPDATES_PROXY_PASSWORD=<SECURE VALUE>

#The oracle home location. This can be an existing Oracle Home or a new Oracle Home
ORACLE_HOME=${OHSSA_HOME}

#Set this variable value to the Installation Type selected as either Standalone HTTP Server (Managed independently of WebLogic server) OR Collocated HTTP Server (Managed through WebLogic server)
INSTALL_TYPE=Standalone HTTP Server (Managed independently of WebLogic server)

#Provide the My Oracle Support Username. If you wish to ignore Oracle Configuration Manager configuration provide empty string for user name.
MYORACLESUPPORT_USERNAME=

#Provide the My Oracle Support Password
MYORACLESUPPORT_PASSWORD=<SECURE VALUE>

#Set this to true if you wish to decline the security updates. Setting this to true and providing empty string for My Oracle Support username will ignore the Oracle Configuration Manager configuration
DECLINE_SECURITY_UPDATES=true

#Set this to true if My Oracle Support Password is specified
SECURITY_UPDATES_VIA_MYORACLESUPPORT=false

#Provide the Proxy Host
PROXY_HOST=

#Provide the Proxy Port
PROXY_PORT=

#Provide the Proxy Username
PROXY_USER=

#Provide the Proxy Password
PROXY_PWD=<SECURE VALUE>

#Type String (URL format) Indicates the OCM Repeater URL which should be of the format [scheme[Http/Https]]://[repeater host]:[repeater port]
COLLECTOR_SUPPORTHUB_URL=


Create a folder structure: place the scripts fmw12c_env.sh, installOHS_SA.sh and fmw_12.2.1.2.0_ohs_sa.rsp.tpl in a folder named scripts. Then create a folder named Zipped/OHS next to it. Download the OHS installer from edelivery.oracle.com and save it in that folder.
Also create an empty folder named Extracted/stage/OHS next to it. Then run the installOHS_SA.sh.
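
A pre-flight check for the template step, added here as an example and not part of the original scripts. envsubst without arguments expands every $NAME it finds and writes an empty string for any variable that is not set, so the functions below (template_vars, preflight and render are hypothetical names) compare the template's references with an explicit allowlist before rendering.

```shell
#!/bin/bash
# Added example, not the blog's own script.

# template_vars FILE: print each distinct name referenced as $NAME or ${NAME}.
template_vars() {
  grep -oE '\$\{?[A-Za-z_][A-Za-z0-9_]*\}?' "$1" | tr -d '${}' | sort -u
}

# preflight FILE "ALLOWED NAMES"
# Prints one finding per line and returns 0 only when there are none.
preflight() {
  tpl=$1; allowed=" $2 "; findings=0
  # References outside the allowlist would be left unexpanded by render()
  for name in $(template_vars "$tpl"); do
    case "$allowed" in
      *" $name "*) ;;
      *) echo "not in allowlist: $name"; findings=1 ;;
    esac
  done
  # Allowlisted variables must have a value, or the rendered line ends up empty
  for name in $2; do
    eval "value=\${$name-}"
    if [ -z "$value" ]; then
      echo "unset or empty: $name"; findings=1
    fi
  done
  return $findings
}

# render FILE OUTPUT "ALLOWED NAMES"
# Expands only the allowlisted variables (they must be exported) and writes the
# result owner-only, since a filled-in response file can hold the MOS and
# proxy password fields.
render() {
  preflight "$1" "$3" || return 1
  format=$(printf '${%s} ' $3)
  ( umask 077; envsubst "$format" < "$1" > "$2" )
}

# Usage inside installOHS_SA.sh:
#   render "$OHSSA_INSTALL_RSP_TPL" "$OHSSA_INSTALL_RSP" "OHSSA_HOME" || exit 1
```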


Configure the Domain

Unfortunately it is apparently not possible to create the domain with a wlst script. The main reason for this (I think) is that the wlst installation in the OHS FMW_home lacks an implementation of the encrypt() method to encrypt a password against the SA-domain folder. Therefore you can't set the (encrypted) domain password and nodemanager password. And thus you can't start the OHS components in the regular way using the nodemanager.

So configuring the domain is done manually using the configurator.
Start config.sh from $OHS_HOME/oracle_common/common/bin:
[oracle@darlin-vce-db scripts]$ cd /u01/app/oracle/product/middleware/OHS12212/oracle_common/common/bin
[oracle@darlin-vce-db bin]$ ls
cam_clonedunpack.sh  cam_wlst.sh      config.sh        setHomeDirs.sh
cam_config.sh        clonedunpack.sh  configWallet.sh  unpack.sh
cam_pack.sh          commBaseEnv.sh   getproperty.sh   wlst.sh
cam_reconfig.sh      commEnv.sh       pack.sh
cam_unpack.sh        commExtEnv.sh    reconfig.sh
[oracle@darlin-vce-db bin]$ ./config.sh


Provide a domain home like: /u01/app/work/domains/ohs_domain.
Check the Oracle HTTP Server (Standalone) option.
The documentation suggests selecting the Oracle Hotspot JDK, delivered with the installation.
Here you can add system components to the domain.
Per system component provide the listen address and port, as well as the Admin Host and Port.
Let's keep the defaults.
Keep the ‘Per Domain Default location’ option.
From WebLogic 12c this is the standard.
Keep the username weblogic and provide a password. For demo purposes I use the password welcome1.

Actually this is the step I couldn't manage to do with WLST.
Validate the settings.
The progress of the creation of the domain.
Confirm the configuration of the domain.

Further configuration of OHS

You'll need to add routes. For the plain http routes you can add a configuration file, like service_vh.conf (where service is the name of the application or purpose for which you want to use OHS). In my case I was routing an APEX application through ORDS, so I named it ords_vh.conf.
An example of the file is:
<VirtualHost *:7777>
    ServerName admin.darlin-vce-db:7777
    ServerAdmin martien.van.den.akker@darwin-it.nl
    RewriteEngine On
    RewriteOptions inherit
    # Admin Server and EM
    <Location /console>
        WLSRequest ON
        WebLogicHost darlin-vce-db
        WeblogicPort 7001
    </Location>
    <Location /consolehelp>
        WLSRequest ON
        WebLogicHost darlin-vce-db
        WeblogicPort 7001
    </Location>
    <Location /em>
        WLSRequest ON
        WebLogicHost darlin-vce-db
        WeblogicPort 7001
    </Location>
    # APEX in Admin Server
    <Location /ords>
        WLSRequest ON
        WebLogicHost darlin-vce-db
        WeblogicPort 7001
    </Location>
    <Location /ords/apex_admin>
        WLSRequest ON
        WebLogicHost darlin-vce-db
        WeblogicPort 7001
    </Location>
    <Location /i>
        WLSRequest ON
        WebLogicHost darlin-vce-db
        WeblogicPort 7001
    </Location>
</VirtualHost>

Place this file in the folder $OHS_DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/moduleconf. All files with extension ‘.conf’ in this folder are picked up automatically by the OHS component.
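
A review check for the route files in moduleconf, added as an example and not part of the original post. The /console, /consolehelp and /em locations in the example forward the WebLogic administration console and Enterprise Manager through the DMZ proxy, so it helps to list every place where they are routed; the function name admin_routes is hypothetical.

```shell
#!/bin/bash
# Added example, not the blog's own script.
# admin_routes FILE...: list <Location> blocks that forward the WebLogic
# administration paths (/console, /consolehelp, /em) with WLSRequest ON.
# Prints "vhost path -> host:port" per hit and returns 1 when any is found.
# Only directives inside a <Location> block are considered.
admin_routes() {
  awk '
    BEGIN { found = 0 }
    /^[ \t]*#/ { next }                            # skip comment lines
    { d = tolower($1) }                            # directive names are case-insensitive
    d == "<virtualhost" { vhost = $2; sub(/>$/, "", vhost) }
    d == "<location" {
      path = $2; sub(/>$/, "", path)
      wls = 0; host = "?"; port = "?"              # reset per block
    }
    d == "wlsrequest"   { wls = (tolower($2) == "on") }
    d == "weblogichost" { host = $2 }
    d == "weblogicport" { port = $2 }
    d == "</location>" {
      if (wls && path ~ /^\/(console|consolehelp|em)(\/|$)/) {
        printf "%s %s -> %s:%s\n", vhost, path, host, port
        found = 1
      }
    }
    END { exit found }
  ' "$@"
}

# Usage:
#   admin_routes "$OHS_DOMAIN_HOME"/config/fmwconfig/components/OHS/ohs1/moduleconf/*.conf
```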

Start OHS

Adapt Nodemanager


Change the nodemanager.properties in $OHS_DOMAIN/nodemanager/nodemanager.properties:
#Node manager properties
#Tue Jan 24 14:41:26 CET 2017
DomainsFile=/u01/app/work/domains/ohs_domain/nodemanager/nodemanager.domains
LogLimit=0
PropertiesVersion=12.2.1
AuthenticationEnabled=true
NodeManagerHome=/u01/app/work/domains/ohs_domain/nodemanager
JavaHome=/usr/java/jdk1.8.0_74
LogLevel=INFO
DomainsFileEnabled=true
ListenAddress=localhost
NativeVersionEnabled=true
#ListenPort=5556
ListenPort=7555
LogToStderr=true
weblogic.StartScriptName=startWebLogic.sh
#SecureListener=true
SecureListener=false
LogCount=1
QuitEnabled=false
LogAppend=true
weblogic.StopScriptEnabled=false
StateCheckInterval=500
CrashRecoveryEnabled=false
weblogic.StartScriptEnabled=true
LogFile=/u01/app/work/domains/ohs_domain/nodemanager/nodemanager.log
LogFormatter=weblogic.nodemanager.server.LogFormatter
ListenBacklog=50


In this file change the following properties:
  • SecureListener=false
  • ListenPort=5555

If you already have a nodemanager running, possibly for another domain (not likely when using this in a DMZ) you can use another port. For instance 7555.
As a good practice I tend to duplicate the lines, comment out the original ones and change the duplicates.
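
With SecureListener=false the Node Manager listener is a plain socket, so the ListenAddress=localhost line in the file above is what keeps it off the network. The following added example (not from the original post) checks those settings together; it assumes the last uncommented KEY=value line is the effective one, which matches the duplicate-and-comment practice, and prop and audit_nodemanager are hypothetical names.

```shell
#!/bin/bash
# Added example, not the blog's own script.

# prop FILE KEY: print the effective value of KEY (empty if absent).
prop() {
  awk -F= -v k="$2" '
    { sub(/\r$/, "") }                          # tolerate CRLF files
    $1 == k { v = substr($0, length(k) + 2) }   # commented lines never match
    END { print v }' "$1"
}

# audit_nodemanager FILE: print findings, return 1 if any check fails.
audit_nodemanager() {
  file=$1; rc=0
  secure=$(prop "$file" SecureListener)
  addr=$(prop "$file" ListenAddress)
  auth=$(prop "$file" AuthenticationEnabled)
  port=$(prop "$file" ListenPort)

  if [ "$secure" = "false" ]; then
    # Plain listener: accept it only when bound to a loopback address.
    # An empty ListenAddress is treated as "all interfaces" (assumption).
    case "$addr" in
      localhost|127.0.0.1|::1)
        echo "OK   plain listener on $addr:$port is loopback-only" ;;
      *)
        echo "FAIL plain listener on '${addr:-<all interfaces>}':$port is not loopback-only"
        rc=1 ;;
    esac
  else
    echo "OK   SecureListener is not set to false"
  fi

  if [ "$auth" != "true" ]; then
    echo "FAIL AuthenticationEnabled is '$auth', expected true"
    rc=1
  fi
  return $rc
}

# Usage: audit_nodemanager "$OHS_DOMAIN_HOME/nodemanager/nodemanager.properties"
```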
Because we changed the nodemanager config, we need to update the domain. This can be done by a wlst file like the following setNodeManagerListenPort.py:
readDomain('/u01/app/work/domains/ohs_domain')
cd ('Machine/localmachine/NodeManager/localmachine')
set('ListenPort',7555)
set('NMType','plain')
updateDomain()

That can be run as:
[oracle@darlin-vce-db OHSSaDomain]$ . ./ohs12c_env.sh
set OHS StandAlone 12cR2 environment
Set Weblogic Common Env.
[oracle@darlin-vce-db OHSSaDomain]$ wlst.sh setNodeManagerListenPort.py


Here the content of the environment script ohs12c_env.sh is as follows:
#!/bin/bash
echo set OHS StandAlone 12cR2 environment
#export JAVA_HOME=/usr/java/jdk1.8.0_101
#export ORACLE_BASE=/app/oracle
export ORACLE_BASE=/u01/app/oracle
export OHS_HOME=$ORACLE_BASE/product/middleware/OHS12212
export WL_HOME=${OHS_HOME}/wlserver
export SHARED_CONFIG_DIR=/u01/app/work
export OHS_DOMAIN_NAME=ohs_domain
export OHS_DOMAIN_HOME=$SHARED_CONFIG_DIR/domains/$OHS_DOMAIN_NAME
export NODEMGR_HOME=$OHS_DOMAIN_HOME/nodemanager
#
echo Set Weblogic Common Env.
. $OHS_HOME/oracle_common/common/bin/commEnv.sh
#
export PATH=$OHS_HOME/oracle_common/common/bin:$PATH

Start Nodemanager

You can start the nodemanager using $DOMAIN_HOME/bin/startNodeManager.sh. This can also be done using a custom script like:

#!/bin/bash
. ohs12c_env.sh
echo Start NodeManager
nohup $OHS_DOMAIN_HOME/bin/startNodeManager.sh > $OHS_DOMAIN_HOME/nodemanager/nm.out&

This starts the nodemanager in the background.

Start OHS


When you start OHS initially, you can do it like below, to store the userconfig:
[oracle@darlin-vce-db bin]$ ./startComponent.sh ohs1 storeUserConfig
Starting system Component ohs1 ...

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Reading domain from /u01/app/work/domains/ohs_domain


Please enter Node Manager password:
Creating the key file can reduce the security of your system if it is not kept in a secured location after it is created. Creating new key...
The username and password that were used for this WebLogic NodeManager connection are stored in /home/oracle/.wlst/nm-cfg-ohs_domain.props and /home/oracle/.wlst/nm-key-ohs_domain.props.
Connecting to Node Manager ...
Successfully Connected to Node Manager.
Starting server ohs1 ...
Successfully started server ohs1 ...
Successfully disconnected from Node Manager.


Exiting WebLogic Scripting Tool.

Done
[oracle@darlin-vce-db bin]$

This starts the OHS and stores the password encrypted. Every following time, you can start it like:
#!/bin/bash
. ./ohs12c_env.sh
echo Stop Ohs1
$OHS_DOMAIN_HOME/bin/stopComponent.sh ohs1
echo Start Ohs1
$OHS_DOMAIN_HOME/bin/startComponent.sh ohs1


Finally

In my case I had to configure SSL as well. This included creating a wallet with a certificate etc.
I'll save that for another article, because this one is already quite extensive.