4 Replies Latest reply on May 10, 2011 1:25 PM by David Pulliam

    Setting APEX to use SSL/HTTPS

    Jcgo-Oracle
      Hi,

      I am running Apex 4.0.2 on JDK as OC4J container.
      I start the listener using:

      ./java -Dapex.port=8090 -jar /home/oracle/stage_sw/apex_listener/apex.war &


      1). Is there any doc to be used/guide to configure my instance to use SSL?

      JDK is JDK6 Update 4

      thanks
        • 1. Re: Setting APEX to use SSL/HTTPS
          Udo
          Hi Jeff,

          just a quick remark before I get to your question: If you start the APEX Listener that way, you don't use OC4J but run the standalone mode.
          And I recommend you update the JDK to be at least JDK 6 Update 20 as listed in the requirements for the APEX Listener.

          You can have SSL/HTTPS using a J2EE Container that is configured accordingly. OC4J would be a candidate. SSL is not supported directly in standalone mode. You could put an SSL-capable proxy like Apache HTTP Server in front of your standalone Listener (or any other J2EE Container, of course) to provide HTTPS access easily.

          -Udo
          • 2. Re: Setting APEX to use SSL/HTTPS
            Jcgo-Oracle
            Hi Udo,

            So let me get it clear:

            Option one:
            HTTP server (not required) -----> OC4J server (WLS or Glassfish and configure this as SSL) -----> Apex Listener -----> database


            Option two:
            HTTP server (configure for HTTPS) -----> Standalone java container -----> Apex Listener

            Look about right?
            Which is recommended?

            thanks
            • 3. Re: Setting APEX to use SSL/HTTPS
              Udo
              Hi Jeff,

              that's right. To have it complete, the APEX Listener connects to the database in the second case as well. ;)
              I don't think there is a general recommendation.
              Depending on your scenario, it might be useful to use a proxy, because you could use it in a DMZ and would not need to put the J2EE container there. The proxy can usually be hardened much better. It would also offer you the chance to let internal traffic run without SSL and/or using an internal hostname. Furthermore, the proxy could shoulder your static files (images, ...) so these won't have to be part of the deployment plan for J2EE and hence don't cause any additional load there. And you could use it for load balancing/failover configuration.
              On the other hand, a proxy is an additional service that needs to be configured, monitored, documented, ... And if you don't use it for external communication, it will add a little "fee" on your round trip times you wouldn't really need.
              So decide yourself what fits best to your environment.

              -Udo
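The proxy setup Udo describes in replies 1 and 3 (Apache HTTP Server terminating HTTPS in front of the standalone Listener, internal traffic without SSL, static files served by the proxy), as an added example that is not part of the original thread. The hostname, certificate paths, the `/apex` context path, the `/i/` image alias and its directory are assumptions; only port 8090 comes from the question. Apache 2.4 syntax with mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded is assumed.

```apache
# Added example, not from the thread. Placeholder values are marked below.
# Assumes mod_ssl's own config already provides "Listen 443".

# Plain HTTP only redirects to HTTPS, so no APEX session ever crosses it.
<VirtualHost *:80>
    ServerName apex.example.com                  # placeholder hostname
    Redirect permanent / https://apex.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName apex.example.com                  # placeholder hostname

    # TLS terminates here; the standalone Listener itself has no SSL support.
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/apex.example.com.crt     # placeholder path
    SSLCertificateKeyFile /etc/pki/tls/private/apex.example.com.key   # placeholder path
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Reverse proxy only: never act as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # Internal hop is plain HTTP to the Listener started with -Dapex.port=8090.
    # Proxying to loopback keeps that cleartext hop on the same host; the
    # /apex context path is an assumption.
    ProxyPass        /apex http://127.0.0.1:8090/apex
    ProxyPassReverse /apex http://127.0.0.1:8090/apex

    # Tell the backend the original request was HTTPS.
    RequestHeader set X-Forwarded-Proto "https"

    # Browsers that have seen this header refuse to downgrade to HTTP.
    Header always set Strict-Transport-Security "max-age=31536000"

    # Static files (images, ...) served by the proxy instead of the Listener.
    # The /i/ prefix and the directory are assumptions.
    Alias /i/ /var/www/apex/images/
    <Directory /var/www/apex/images/>
        Require all granted
        Options -Indexes
    </Directory>
</VirtualHost>
```

With this layout, port 8090 should be blocked from other hosts (for example by the host firewall), otherwise clients can still reach the Listener over plain HTTP and bypass the proxy.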
              • 4. Re: Setting APEX to use SSL/HTTPS
                David Pulliam
                In my opinion, the easiest option to get up is a direct WLS SSL implementation. That is what I currently run. This sort of makes sense for failover as well because you are not dependent on a single point of failover at the proxy. If all your WebLogic instances have shared storage and you store your listener configuration file on that shared storage and said shared storage is mounted to the same location on all of your WebLogic servers, you could in theory put APEX nodes on any of your WebLogic servers with ease at will just by telling WebLogic to deploy them. I don't know if this is a correct assumption but this is what I have observed.