C Securing Oracle Traffic Director Deployment. Oracle 11g Release 1
Oracle Traffic Director 11g Release 1 is a software solution designed for load balancing, content switching, and web acceleration. It helps distribute traffic across multiple servers, ensuring high availability and optimal performance for your web applications. With advanced features like origin server health checking and dynamic discovery, Oracle Traffic Director automatically manages server pools and ensures that user requests are directed to the most suitable server.
C Securing Oracle Traffic Director Deployment
This appendix provides information about the steps that you can take to secure your Oracle Traffic Director deployment.
For information about securing access to the Oracle Traffic Director administration server and enabling SSL/TLS, see Managing Security.
Securing Oracle Traffic Director
The following are some of the steps that you can perform to secure Oracle Traffic Director in your environment:
• Configure your system firewall to ensure that:
– Oracle Traffic Director server instance ports are accessible for external traffic. The default port is 8989. For information about how to find port information for various instances, see Viewing a List of Administration Nodes.
– Oracle Traffic Director administration port is only accessible for internal traffic.
– Oracle Traffic Director administration node can communicate with the administration server.
• Alternatively, you could ensure that Oracle Traffic Director administration nodes can only listen on private interfaces such as bond0, which is not available to external traffic. For more information, see Managing Administration Nodes.
• Ensure that the Oracle Traffic Director server instance is running as nonroot and is not listening on all interfaces. For information about starting Oracle Traffic Director instances, see Starting, Stopping, and Restarting Oracle Traffic Director Instances.
Note: For each Oracle Traffic Director configuration that you instantiate on an administration node, a subdirectory named net-config_name is created in the INSTANCE_HOME subdirectory.
• Ensure that sufficient file descriptors are available. For more information, see Tuning the File Descriptor Limit.
• Ensure that appropriate network-level protections are in place. For more information, see http://www.oracle.com/technetwork/articles/servers-storage-admin/secure-linux-env-1841089.html.
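One way to check a running host against the listener and nonroot items in the list above, as an added example that is not part of Oracle's guide. The admin port 8900, the private address 10.0.0.5 and the process name trafficd are assumptions, and the sample socket and process lines are constructed.

```bash
#!/bin/sh
# Added example (not Oracle's code): audit a host against the checklist above.
# audit_listeners reads `ss -H -ltn` output; audit_owner reads
# `ps -eo user=,comm=` output. Ports, addresses and the process name used
# below are assumptions; all sample data is constructed.

# Usage: ss -H -ltn | audit_listeners ADMIN_PORT PRIVATE_ADDR
# Prints one finding per offending socket, nothing when all sockets pass.
audit_listeners() {
  awk -v admin_port="$1" -v private_addr="$2" '
    {
      local_ep = $4                       # e.g. 10.0.0.5:8900 or [::]:8080
      n = split(local_ep, parts, ":")
      port = parts[n]                     # text after the last colon
      addr = substr(local_ep, 1, length(local_ep) - length(port) - 1)
      wildcard = (addr == "0.0.0.0" || addr == "*" || addr == "[::]")
      if (port == admin_port && addr != private_addr)
        print "ADMIN_EXPOSED " local_ep   # admin port off the private address
      else if (wildcard)
        print "WILDCARD_BIND " local_ep   # listening on all interfaces
    }'
}

# Usage: ps -eo user=,comm= | audit_owner PROCESS_NAME
# Prints a finding for every matching process that is owned by root.
audit_owner() {
  awk -v name="$1" '$2 == name && $1 == "root" { print "RUNS_AS_ROOT " $2 }'
}

# Constructed sample: admin port 8900 should be bound only to 10.0.0.5,
# the address assumed to sit on the private interface (bond0).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 192.0.2.10:8443 0.0.0.0:*
LISTEN 0 128 *:8900 *:*'

# Constructed sample; "trafficd" is an assumed process name.
SAMPLE_PS='root trafficd
otd trafficd
root sshd'

printf '%s\n' "$SAMPLE_SS" | audit_listeners 8900 10.0.0.5
printf '%s\n' "$SAMPLE_PS" | audit_owner trafficd
```

On a live host, replace the sample variables with the real `ss` and `ps` pipelines shown in the usage comments and substitute the ports and address from your own configuration.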
In addition, you should consider hardening your system. For information about hardening an Oracle Linux system, see http://www.oracle.com/technetwork/articles/servers-storage-admin/tips-harden-oracle-linux-1695888.html.
Key Features
- Load balancing
- Content switching
- Web acceleration
- Origin server health checking
- Dynamic discovery
- SSL/TLS termination
- Web application firewall
- High availability
- Performance optimization
- Flexible deployment options