Oracle E-Business Suite Release 12 Configuration in a DMZ
Below are definitions of some of the terms that are used in this document:
Firewalls control access between the internet and a corporation's internal network or intranet. Firewalls define which internet communications will be permitted into the corporate network, and which will be blocked. A well-designed firewall can foil many common internet-based security attacks.
The DMZ, which stands for DeMilitarized Zone, consists of the portions of a corporate network that are between the corporate intranet and the Internet. The DMZ can be a simple one-segment LAN or it can be broken down into multiple regions as shown in Figure F2. The main benefit of a properly configured DMZ is better security: in the event of a security breach, only the area contained within the DMZ is exposed to potential damage, while the corporate intranet remains somewhat protected.
Load Balancer
Load balancers distribute an application's load over many identically configured servers. This distribution ensures consistent application availability even when one or more servers fail.
A service is a functional set of Oracle E-Business Suite application processes running on one or more nodes.
A node is a server that runs a set of E-Business Suite R12 application processes or database processes. In a single-node installation of Oracle E-Business Suite, all the application processes, including the database processes, run on one node, whereas in a multi-node installation the processes run on multiple nodes.
Internal Applications Middle Tier
The internal applications middle tier is the server configured for internal users to access Oracle E-Business Suite. It runs the following major application services:
  • Web and Forms Services
  • Administration and Concurrent Manager Services
  • Reports and Discoverer Services

External Applications Web Tier
The external applications web tier is the server configured for external users to access Oracle E-Business Suite. It runs the following application service:
  • Web server
URL Firewall
The URL Firewall contains a whitelist of URLs for the externally exposed E-Business Suite modules that may be accessed from the Internet. More information on the URL Firewall and how to configure it is in Appendix E, "Configuring the URL Firewall", of Oracle E-Business Suite R12 Configuration in a DMZ [ID 380490.1].

Points to note for the network configuration, as per Oracle's recommendations:

1. Ensure that network firewalls are configured correctly

2. Ensure that the network firewall rules have been defined correctly and are permitting authorized E-Business Suite traffic between all network segments:

3. Verify that access between intranet-based desktop clients and the internal Application web tier is permitted and working

4. Verify that access between the internal Application web tier and the Applications database server is permitted and working

5. Communication between Internet-based desktop clients and the external web tier servers must be permitted and working.

6. Verify that access between the Applications external web tier servers to the Applications database server is permitted and working.


  1. Server details for the PROD configuration are as listed in the following table:

Server Name   Domain   Server Type          Remarks
erpdb01                Database Node 01     1st DB node in the RAC environment
erpdb02                Database Node 02     2nd DB node in the RAC environment
erpap01                Appl Node 01         1st APPL node with HW load balancer
erpap02                Appl Node 02         2nd APPL node with HW load balancer
careers                iRecruitment Node    Only 01 server in the external domain
erpPROD                HW load balancer     HW load balancer for Application load balancer.

The iRecruitment server is hosted on This server is hosted in the DMZ and
this will have only the Web services configured for iRecruitment access by external
candidates and visitors.

Deployment Architecture:

The deployment architecture of the external web server being used for the iRecruitment server
is illustrated in the above figure.

As is evident, the external web server CAREERS is behind the firewall in the DMZ. Any external access coming from the Internet first passes through the Oracle govt. firewall and then reaches the CAREERS server. The CAREERS server in turn connects to the enterprise database using JDBC connectivity. The services on the external server are restricted to the iRec external candidate responsibility and features.
IREC external Web Server configuration Details:

All the steps for the configuration of the iREC server in the external domain are listed
in the following table. Please refer to Oracle Metalink note ID 380490.1 for complete

Run maintain snapshot information in the PROD system (ERPAPP01)

1. Log in as user applprod on the erpapp01 server and set the application environment.
2. Run ADADMIN and update the current view snapshot.
NOTE – This is the recommended step.
Run adpreclone on application tier (ERPAPP01)

1. Log in to the application server (ERPAPP01) as user applprod, set the
application environment and shut down the application services as under:
$ cd $INST_TOP/admin/scripts
Wait for 15 minutes and check that all the services are closed.
2. Run the PRECLONE script at the application tier:
$ cd $INST_TOP/admin/scripts
$ perl appsTier.
Copy the source application tier to target application tier

1. Copy the application top file system (complete) to target node CAREERS using SCP.

Create OS user name on target node for application file and copy the filesystem to server CAREERS

Create the same OS user name for the application on the target node as on the source node, for example applprod:dba.
1. Create a mount point like /u01/oracle/PROD and copy the 02 folders apps and inst from
the SOURCE (ERPAPP01) to CAREERS. Change the ownership of /u01/oracle
to applprod:dba as user root on the CAREERS server as under:
# cd /
# chown -R applprod:dba u01
Run CLONE steps on target node CAREERS

1. Log in as user applprod and remove the environment file from .bash_profile if
it exists, then log in again to ensure that the environment of previous one is
2. Go to the following path and run the
$ cd $COMMON_TOP/clone/bin
$ perl appsTier
The following values are to be passed specifically while cloning; the rest of the values are as per the normal CLONE process:
enable Root Service Group [enabled] [enabled]: enabled
enable Web Entry Point Services [enabled] [enabled]: enabled
enable Web Application Services [enabled] [enabled]: enabled
enable Batch Processing Services [enabled] [disabled]: disabled
Other Service Group [disabled] [disabled]: disabled
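
A check for the service-group answers listed above, as an added example that is not part of the original post or of Oracle's tooling: it reads a context-file fragment and reports every service group whose status differs from the values this page prescribes for the external node. The `oa_var` names, the element names and the sample XML are assumptions constructed for illustration; confirm the variable names against the CAREERS context file before relying on the result.

```python
import xml.etree.ElementTree as ET

# Statuses this page prescribes for the external (DMZ) node when cloning.
# The oa_var names are assumptions; check them against your context file.
EXPECTED = {
    "s_root_status": "enabled",                  # Root Service Group
    "s_web_entry_status": "enabled",             # Web Entry Point Services
    "s_web_applications_status": "enabled",      # Web Application Services
    "s_batch_status": "disabled",                # Batch Processing Services
    "s_other_service_group_status": "disabled",  # Other Service Group
}

# Constructed sample fragment: batch processing was left enabled and the
# "other" service group entry is missing altogether.
SAMPLE_CONTEXT = """<oa_context>
  <oa_service_group_list>
    <status oa_var="s_root_status">enabled</status>
    <status oa_var="s_web_entry_status">enabled</status>
    <status oa_var="s_web_applications_status">Enabled </status>
    <status oa_var="s_batch_status">enabled</status>
  </oa_service_group_list>
</oa_context>"""


def read_oa_vars(xml_text):
    """Map every oa_var attribute in the document to its element text."""
    values = {}
    for elem in ET.fromstring(xml_text).iter():
        name = elem.get("oa_var")
        if name is not None:
            values[name] = (elem.text or "").strip().lower()
    return values


def audit_external_node(xml_text, expected=EXPECTED):
    """Return sorted (oa_var, expected, found) tuples for every mismatch.

    found is None when the variable is absent, which is reported too: an
    unverifiable service group should not be assumed disabled.
    """
    found = read_oa_vars(xml_text)
    return sorted(
        (var, want, found.get(var))
        for var, want in expected.items()
        if found.get(var) != want
    )


if __name__ == "__main__":
    for var, want, got in audit_external_node(SAMPLE_CONTEXT):
        print(f"{var}: expected {want!r}, found {got!r}")
```
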
Add the new

1. Before adding the new nodes, check whether the CAREERS server is already
added. Log in to SQLPLUS as user apps and run the following commands:
SQL> select node_name, status, server_address from fnd_nodes;
SQL> select NAME, PATH from fnd_appl_tops;
SQL> select NAME, ACTIVE_FLAG, DESCRIPTION from ad_appl_tops
where name='careers';
2. If the entry for the server CAREERS exists, there is no need to perform this step. If
not, follow the commands as under from the CAREERS server as user
$ cd $COMMON_TOP/clone/bin
$ perl
Change the type for the list of profile

1. Log in to the application server ERPAPP01 as user applprod, set the
application environment and run the following command:
sqlplus apps/apps @$FND_TOP/patch/115/sql/txkChangeProfH.sql SERVRESP
2. Run AUTOCONFIG after this to ensure that this change takes effect.
$ cd $INST_TOP/admin/scripts
Provide the password for user APPS when prompted.

Update the NODE_TRUST_LEVEL profile value for the SERVER and the Responsibility Trust Level for iRecruitment External Candidate as shown below.
System Administrator > Profile > System > Responsibility to make the below updates:

iRecruitment External Candidate is the only responsibility that will be accessed through the external web server.
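
How the two trust-level profiles combine, as an added example that is not part of the original post: it assumes a responsibility is offered on a node only when its Responsibility Trust Level is greater than or equal to that node's NODE_TRUST_LEVEL, and flags anything other than iRecruitment External Candidate that would be reachable through an external node. The numeric levels (1 administrative, 2 normal, 3 external), the default used for unset values and all sample rows are assumptions constructed for illustration.

```python
# Assumed numbering of trust levels: a higher number means a less trusted node.
ADMINISTRATIVE, NORMAL, EXTERNAL = 1, 2, 3
DEFAULT_LEVEL = NORMAL  # assumption: level applied when no value is set

# Constructed sample values; only the CAREERS / iRecruitment External
# Candidate settings mirror what this page configures.
NODE_TRUST_LEVEL = {"ERPAPP01": None, "CAREERS": EXTERNAL}
RESPONSIBILITY_TRUST_LEVEL = {
    "iRecruitment External Candidate": EXTERNAL,
    "System Administrator": ADMINISTRATIVE,
    "General Ledger Super User": None,        # not set, uses the default
    "Employee Self-Service": EXTERNAL,        # constructed misconfiguration
}
ALLOWED_ON_EXTERNAL = {"iRecruitment External Candidate"}


def level(value):
    """Resolve an unset profile value to the default level."""
    return DEFAULT_LEVEL if value is None else value


def visible_on(node, nodes, responsibilities):
    """Responsibilities offered on a node: responsibility level >= node level."""
    node_level = level(nodes[node])
    return sorted(
        name for name, value in responsibilities.items()
        if level(value) >= node_level
    )


def audit_external_nodes(nodes, responsibilities, allowed):
    """Map each external node to responsibilities exposed beyond the allowlist."""
    findings = {}
    for node, value in nodes.items():
        if level(value) != EXTERNAL:
            continue
        extra = [r for r in visible_on(node, nodes, responsibilities)
                 if r not in allowed]
        if extra:
            findings[node] = extra
    return findings


if __name__ == "__main__":
    for node in NODE_TRUST_LEVEL:
        print(node, visible_on(node, NODE_TRUST_LEVEL, RESPONSIBILITY_TRUST_LEVEL))
    print(audit_external_nodes(NODE_TRUST_LEVEL, RESPONSIBILITY_TRUST_LEVEL,
                               ALLOWED_ON_EXTERNAL))
```
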

 Oracle E-Business Suite R12 Configuration in a DMZ [ID 380490.1]