
Best Practices For Configuring Agile (PLM) in Firewalls With Load Balancers and Proxy Servers


Uploaded by

kshamasoni5
Copyright (c) 2022, Oracle. All rights reserved. Oracle Confidential.

Best Practices for Configuring Agile Product Lifecycle Management (PLM) in Firewalls with Load Balancers and Proxy Servers (Doc ID 1310536.1)

In this Document
Abstract
History
Details
Overview
Example 1
Example 2
Mapping of Alias by the Web Proxy Server Setting
Configure Apache webserver as a proxy for Agile PLM
Download Apache and install
Configure Apache as Web Proxy
Enabling the FileManager on the Same SSL Configuration
References

Oracle Agile PLM Framework - Version 9.2.2.4 and later
Information in this document applies to any platform.

Best practices for configuring Agile PLM in firewalls with load balancers and proxy servers.

Create Date 04-04-2011

Overview

The recommended approach to SSL/HTTPS enabling of an Agile PLM system is SSL termination in the proxy tier, either in a load balancer or a web server.

Example 1

One of the standard configurations for Agile PLM in corporate firewalls: create an alias for the Agile application and one for File Manager, like "agileplm.xyz.com" (used by users) and "agilefm.xyz.com" (used by application).

Example 2

If you have 2 DNS servers, one internal and one external (managed by self or an ISP), you can set up DNS to translate all Agile traffic via the above 2 aliases to the same internal URLs for all users, both external and internal.
For instance, there can be only one Agile PLM URL for all users, called http://agileplm.xyz.com/Agile/PLMServlet. When external users use this URL, it is routed to whatever public IP address the alias "agileplm.xyz.com" is on, via the external DNS, and gets translated at the firewall DMZ to an internal one as http://:7777/Agile/PLMServlet. When internal users use the same alias URL, the internal DNS server routes all this internal traffic to the same switch/router in the firewall DMZ, or any other way feasible (if internal users cannot get to the DMZ), and it gets translated to the internal one as http://:7777/Agile/PLMServlet.

Similarly, the File Manager alias URL http://agilefm.xyz.com/Filemgr/AttachmentServlet gets translated to the actual URL, http://Filemanager-host.xyz.com:8080/Filemgr/AttachmentServlet.

This approach ensures standard URLs for all users and in all the config locations, like JavaClient admin and other File Manager configuration, and avoids adding an extra iFS row for external users in the JavaClient, which originally is meant for a separate file server like a DFM. It will facilitate using the same hostname/alias "agileplm.xyz.com" uniformly in all places for all Agile components that depend on the hostnames, domain names, etc. to work seamlessly.

Since various Agile components like File Manager, Viewer, SDK, PXs (normal or URL based), Import, Export, etc. are invoked directly by the Web Client from the browser, in order to work seamlessly there should always be only one alias like agileplm.xyz.com in all the configuration URLs. External users will be blocked on these URLs if they have internal hostnames or IPs.

Mapping of Alias by the Web Proxy Server Setting

The above mapping of alias can also be accomplished via the Web/Proxy server settings instead of a firewall/switch routing if required: IIS for Windows and Apache for Linux/Unix.
If internal users cannot go to the DMZ for some reason, customers usually set up 2 IIS servers, one in the DMZ for external users with a public IP and the other in the internal network. But the internal and external DNS servers would again route Agile traffic accordingly, the same way as mentioned above in the case of firewall NATing.

Web/Proxy servers and load balancers (in case of clusters) help create an additional web layer on top of the application layer, thereby keeping the identity of the actual servers private and preventing direct access on their own HTTP listeners stressing the servers. This also makes it easy to web-enable Agile services and make them firewall friendly (putting them in the DMZ) with standard ports like 80/443 (SSL), doing away with punching holes in the firewall.

Configure Apache webserver as a proxy for Agile PLM

Download Apache and install

Download the Apache binary with OpenSSL included from http://httpd.apache.org. The instructions below are based on Apache HTTP Server 2.2.19.

Configure Apache as Web Proxy

Edit httpd.conf to remove the comment # for the lines below:

JLe modules/nod_pzoxy.2 » module module les / /agite-serve: netp://aqil port/agile port/agile

Enabling the FileManager on the Same SSL Configuration

Once SSL is enabled on the F5 load balancer VIP for the Agile PLM system, perform the following to enable the FileManager on the same SSL configuration.

A Webclient login via SSL/HTTPS does not mean the SSL certificate deployment on the load balancer or proxy server has been done correctly. Do the following to validate that the SSL cert deployment is done correctly on the F5 load balancer VIP for the Agile PLM system. Check 1 and 2 below.

1. If it is a commercial SSL cert from a third party, not self-signed, then check that the certificate has been deployed correctly on the F5 load balancer VIP for the Agile PLM system.
Often, it could be a chain certificate with root and intermediate certs that all need to be deployed onto the F5 by your IT/Network team. This can be tested/checked from common websites like the one below from Symantec:

https://www.websecurity.symantec.com/support/ssl-checker

Just type in https://F5-AgilePLM-vip

It should return as good if all root and intermediate certs are deployed onto the F5 VIP properly. Otherwise, please involve your IT team to fix it, as it is a generic SSL cert deployment IT issue and nothing to do with Agile PLM. Refer to these KM notes in this regard:

Document 1385200.1 File Manager Failed to Start Due to SSL Certificate Errors
Document 1205874.1 Preferred File Manager Is Down After Installing SSL Certificate

2. If it is an in-house self-signed/generated SSL certificate, then follow the procedure below to use keytool to import it into all the JDKs involved in Agile PLM.

Document 569235.1 javax.net.ssl.SSLHandshakeException Error Adding or Getting Attachments Due to Certificate Authority Key Certificate Missing from Java Keystore

3. Test that the above setup works for the load balancer to File Manager server connection via SSL using the URL:

https://F5-AgilePLM-vip/Filemgr/Configuration

It should return Agile URL details with success status.

4. Once the above is taken care of, it is time to change the Agile related configuration details to switch from HTTP to HTTPS, to enable File Manager on SSL.

a. In JavaClient, log in as admin user, go to ServerSettings | Locations and switch the WebServer URL to HTTPS and load balancer:

https://F5-AgilePLM-vip/Agile/PLMServlet

This URL is very important for proper functioning of the Agile PLM application. ALL Agile PLM users need to use ONLY this URL to access Agile, whether internal or external to the network/firewall, because the Agile code compares the user's webclient login URL against this entry in JavaClient to seamlessly transfer the cookies to the File Manager application.
If a user uses an internal URL like http://weblogic-hostname:7001/Agile/PLMServlet to log in to the webclient, while the entry above is https://F5-AgilePLM-vip/Agile/PLMServlet, or vice versa, File Manager operations will fail.

b. In the File Manager URL tab settings, replace all http://filemanager-hostname:8080/Filemgr.. URLs with https://F5-AgilePLM-vip/Filemgr..

Save the above URL changes to HTTPS/Loadbalancer.

5. On the File Manager server machine, go to @agile-home@\agileDomain\config and edit the file "server.conf" to replace all the 3 URLs there with the same HTTPS/Loadbalancer ones as above:

https://F5-AgilePLM-vip/Agile..
https://F5-AgilePLM-vip/Filemgr..

6. Restart the WebLogic Agile processes and Tomcat File Manager processes for the above changes to take effect. Tail the Tomcat File Manager startup log to make sure it starts successfully without any SSL handshake or SSL unknown host socket connection errors. If those errors appear, go back to steps 1, 2, 3, 4, 5 to fix them and test again, restarting the processes to see if they start gracefully.

7. If the processes above start successfully, then test the webclient login via HTTPS/Loadbalancer and try to upload/get files. If there are any further issues, contact support to get assistance.

Note that STEP 1 is MANDATORY to be taken care of by the customer's IT teams, as it is outside of the Agile product domain and we cannot assist on proper deployments of SSL certs on load balancers and proxy servers.

Note: The Fully Qualified Domain Name (FQDN) in the above URLs is that of the Agile Internal DNS Server
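Added example (not part of the Oracle note and not Agile code): a Python check for steps 4 and 5 that every configured URL uses the single HTTPS alias, plus a comparison of a login URL against the JavaClient WebServer entry. How Agile itself compares the two URLs is not described in the note, so matching on scheme, host and port is an assumption, and the labels, the IP address and the full paths in the sample data are constructed.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port), lower-cased, with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)

def same_origin(login_url, webserver_url):
    """Assumed model of the login-URL comparison: scheme, host and port must match."""
    return origin(login_url) == origin(webserver_url)

def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def audit_urls(alias, configured):
    """Return (label, problem) pairs for URLs that do not use https://<alias> on 443."""
    findings = []
    for label, url in configured.items():
        scheme, host, port = origin(url)
        if scheme != "https":
            findings.append((label, f"scheme is {scheme}, not https"))
        if is_ip_literal(host):
            findings.append((label, f"IP address {host} instead of the alias"))
        elif host != alias.lower():
            findings.append((label, f"host {host} is not the alias {alias}"))
        if port != 443:
            findings.append((label, f"non-standard port {port}"))
    return findings

# Constructed sample values: labels, the IP address and the full paths are illustrative.
ALIAS = "F5-AgilePLM-vip"
CONFIGURED = {
    "JavaClient WebServer URL": "https://F5-AgilePLM-vip/Agile/PLMServlet",
    "File Manager URL": "http://filemanager-hostname:8080/Filemgr/AttachmentServlet",
    "server.conf entry 1": "https://F5-AgilePLM-vip/Agile",
    "server.conf entry 2": "https://10.0.0.12/Filemgr",
}

if __name__ == "__main__":
    for label, problem in audit_urls(ALIAS, CONFIGURED):
        print(f"{label}: {problem}")
    login = "http://weblogic-hostname:7001/Agile/PLMServlet"
    print("login URL matches entry:", same_origin(login, CONFIGURED["JavaClient WebServer URL"]))
```

An empty findings list means every entry already points at the alias over HTTPS on port 443; any entry it reports would leave external users blocked or File Manager operations failing as described above.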
