EBS 11i Application Access Control

Limiting EBS Access to Users from Specific IPs.

The business need here is to allow only certain IPs to access E-Business Suite. The approach shown below is very common:

<Directory />
Order allow,deny
Allow from 10.172.152.114 10.171.145.134
</Directory>

This will serve our purpose, but there are two main issues:

1) When AutoConfig is run, these changes will be reverted.
2) When you make the changes in httpd.conf, they will only affect the document root, i.e.
http://server.domain:port

Users from any IP will still have access to the OA_HTML URL below, and they can easily log in:
http://server.domain:port/OA_HTML/AppsLocalLogin.jsp

So here is a better solution:

– Edit apps.conf and add a list of IP addresses for the users that you want to have access to the system

Alias   /OA_HTML/       "/u01/applmgr/common/html"
<Location /OA_HTML/>
Order allow,deny
Allow from 10.197.114.232
Allow from 10.197.114.233
Allow from 10.197.114.234
Allow from 10.197.114.235
Allow from 10.197.114.236
Allow from 10.197.114.237
Allow from localhost
Allow from aprx05.clotix.com
Allow from aprx05
</Location>

Note: you need to include localhost and your middle-tier server name. In my case this is aprx05.clotix.com.

After bouncing Apache, only users connecting from the IPs you added will have access. All other users will get a Forbidden error.

You can even change the Forbidden error message by doing this:

edit httpd.conf
uncomment the ErrorDocument 403 line
change it to something like
ErrorDocument 403 "Forbidden oops, you cannot access the production instance as it is peak business hours certain users have access.

Bounce Apache. Users will now receive the above message when they attempt to log in.

Now let's make it AutoConfig-enabled

1- Get the template name and version for the apps.conf file using the following command:
$ adident Header $IAS_ORACLE_HOME/Apache/Apache/conf/apps.conf

You will get something like this:
$Header apps_ux.conf 115.52 2006/05/29 08:50:04 mmanku ship $

2- Go to $FND_TOP/admin/template

3- Create a new directory named "custom"

4- Copy the template file identified in step 1 (e.g. apps_ux.conf) from $FND_TOP/admin/template to the new "custom" directory

5- Go to the "custom" directory, edit the copied template, and add the OA_HTML apps.conf entry shown above to the template.

6- Save changes and exit.

Now the changes are autoconfig enabled.

Reference Note: 270519.1
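
Because AutoConfig can regenerate apps.conf, it is worth checking after each run that the OA_HTML block still carries the allowlist. The following is an added example, not part of the original post: it parses the generated file's text and reports any drift from the expected entries. The names location_acl, audit and EXPECTED and both sample files are constructed for illustration.

```python
import re

# Constructed sample: the page's apps.conf block, shortened to four entries.
RESTRICTED = '''
Alias /OA_HTML/ "/u01/applmgr/common/html"
<Location /OA_HTML/>
Order allow,deny
Allow from 10.197.114.232 10.197.114.233
Allow from localhost aprx05.clotix.com
</Location>
'''
# Constructed sample: the same file after the access lines have been lost.
REVERTED = '''
Alias /OA_HTML/ "/u01/applmgr/common/html"
<Location /OA_HTML/>
</Location>
'''
EXPECTED = {"10.197.114.232", "10.197.114.233", "localhost", "aprx05.clotix.com"}

def location_acl(conf_text, path="/OA_HTML/"):
    """Return (order, allow_entries) for <Location path>, or None if the block is absent."""
    block = re.search(r"<Location\s+%s\s*>(.*?)</Location>" % re.escape(path),
                      conf_text, re.S | re.I)
    if block is None:
        return None
    order, allowed = None, set()
    for line in block.group(1).splitlines():
        line = line.strip()
        # re.match anchors at the start, so '#' comment lines never match.
        m = re.match(r"order\s+(\S+)$", line, re.I)
        if m:
            order = m.group(1).lower()
        m = re.match(r"allow\s+from\s+(.+)$", line, re.I)
        if m:
            allowed.update(tok.lower() for tok in m.group(1).split())
    return order, allowed

def audit(conf_text, expected):
    """List every way the OA_HTML access block differs from the expected allowlist."""
    acl = location_acl(conf_text)
    if acl is None:
        return ["no <Location /OA_HTML/> block found"]
    order, allowed = acl
    findings = []
    if order != "allow,deny":
        findings.append("Order is %r, expected 'allow,deny'" % order)
    findings += ["unexpected entry: " + e for e in sorted(allowed - expected)]
    findings += ["missing entry: " + e for e in sorted(expected - allowed)]
    return findings
```

An empty list from audit() means the block matches the allowlist; run it against the text of $IAS_ORACLE_HOME/Apache/Apache/conf/apps.conf after each AutoConfig run.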

About the Author Masroof Ahmad
