
OHS / Apache Restricting Access for HTTP Requests and allowing HTTPS SSL

How to restrict IPs/networks so they can only access EPM over HTTPS (SSL), while still allowing backend servers to connect to the OHS server over HTTP (non-SSL).
All commands follow the basic rules of Apache, since OHS is just Apache repackaged with a small 1GB of extra stuff.
The way Oracle has configured the httpd.conf file is a bit odd and all over the place, but it's been worse in older versions of EPM.

This example uses the OHS which comes with EPM 11.1.2.3.

1. Enable SSL

In the httpd.conf file uncomment the line:

include "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/ssl.conf"

Then run with the default cert for testing, or set up a new cert for the client by configuring the ssl.conf file (Doc ID 1530169.1 for full details).

2. The default EPM installation has include files, which get applied only to the <VirtualHost *:19000>

Remove/comment the <VirtualHost *:19000> and </VirtualHost> lines leaving what is inside.

This will now apply the includes to the whole Apache instance. EPM will now work for HTTP as well as HTTPS.


3. Now restrict what can access the server over port 19000. There are all sorts of options, but to restrict access by IP it would look like this (networks are also possible):

Re-add the <VirtualHost *:19000> and </VirtualHost> entries below the ones commented out above, and then add the Deny/Allow directives so it looks like this:

<VirtualHost *:19000>
      <Location />
            Order deny,allow
            Deny from all
            Allow from 192.168.1.124 192.168.1.133 192.168.1.132 10.0.0.144
      </Location>
</VirtualHost>


So the complete bottom of the httpd.conf file will look like this:

If you are having issues getting allowed clients to connect, check the access logs: you may have IPv6 enabled, or the clients may be connecting over a different network card/IP range.
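The access-log check described above can be scripted. This is an added example, not part of the original page or of OHS: it lists the clients that received a 403 and says whether each is an IPv6 address or an IPv4 address missing from the Allow list. It assumes the log is in Common Log Format and holds the port 19000 requests; the sample log lines and URL paths are constructed.

```python
import ipaddress
import re
from collections import Counter

# Allow list copied from the <Location /> block on this page.
ALLOWED = [ipaddress.ip_network(a) for a in
           "192.168.1.124 192.168.1.133 192.168.1.132 10.0.0.144".split()]

# Constructed sample lines (Common Log Format assumed; paths are made up).
SAMPLE_LOG = """\
192.168.1.124 - - [12/Mar/2014:10:01:02 +0000] "GET /workspace/index.jsp HTTP/1.1" 200 5120
192.168.1.50 - - [12/Mar/2014:10:01:05 +0000] "GET /workspace/index.jsp HTTP/1.1" 403 210
fe80::1c2d:3eff:fe4a:5b6c - - [12/Mar/2014:10:02:11 +0000] "GET /workspace/ HTTP/1.1" 403 210
10.0.1.144 - - [12/Mar/2014:10:03:40 +0000] "GET /workspace/ HTTP/1.1" 403 210
10.0.1.144 - - [12/Mar/2014:10:03:41 +0000] "GET /favicon.ico HTTP/1.1" 403 210
not-a-log-line
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')

def is_allowed(addr):
    return any(addr.version == net.version and addr in net for net in ALLOWED)

def denied_clients(log_text):
    """Map each client that received a 403 to (hit count, likely reason)."""
    hits, reasons = Counter(), {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) != "403":
            continue  # skip malformed lines and non-denied requests
        client = m.group(1)
        hits[client] += 1
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:
            reasons[client] = "hostname logged, cannot compare to Allow list"
            continue
        if addr.version == 6:
            reasons[client] = "IPv6 client address, Allow list is IPv4 only"
        elif is_allowed(addr):
            reasons[client] = "listed in Allow, 403 has another cause"
        else:
            reasons[client] = "IPv4 address not in Allow list"
    return {c: (n, reasons[c]) for c, n in hits.items()}

if __name__ == "__main__":
    for client, (n, why) in denied_clients(SAMPLE_LOG).items():
        print(f"{client:28} {n:3}  {why}")
```

To use it on a real log, pass the file's contents to `denied_clients()` and update `ALLOWED` to match the Allow line in your httpd.conf.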

Clients coming from allowed IPs will see the content on HTTP and HTTPS.

Clients coming from non-listed IPs on HTTP will get:


Allowed HTTP IPs:


Alternatively, you could redirect the denied user to the HTTPS URL automatically, but I have not looked at that. Won't be much different though.
