Intermediate firewall killing tcp connections, regarding WSM

As a follow-up to the post firewall and tcp connection

For Oracle WSM there exists a workaround from Oracle to make the application handle idle TCP connections itself, before the firewall kills them. The real-world scenario is an Oracle WSM gateway in a DMZ.

1. Each policy step instance creates one or two long-lived connections to the Active Directory or LDAP directory. In a production environment, this may cause connection overloading during user authentication against an LDAP or Active Directory server.
The default value of the connection lifetime parameter, 0 milliseconds, ensures that the connection is never timed out.
The problem is that idle TCP connections will be killed by the intermediate firewall.

To provide a workaround for this behavior, you need to tune the connection lifetime parameter as follows:

a) Open the following file: ORACLE_HOME/opmn/conf/opmn.xml

b) Find the process-type ID whose value is the name of the instance
in which Oracle Web Services Manager is installed. This may be "home",
or it could be another instance name. For example:
...
<ias-component id="default_group">
<process-type id="home" module-id="OC4J" status="enabled">
...
c) Find the data id="java-options" in the category id="start-parameters"
section of the file.
...
<category id="start-parameters">
<data id="java-options" value="-server -XX:MaxPermSize=128M ..."/>
</category>
...
d) Add the connection lifetime parameter under java-options. For example:
-Doracle.wsm.directory.timeout=3600000
e) Restart the server for the configuration changes to take effect.
The timeout property sets the connection's time to live; it is provided for
client context invalidation.

It can be set using system property oracle.wsm.directory.timeout
which is set against the OC4J JVM.
The value of the oracle.wsm.directory.timeout parameter is given in milliseconds.
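As an added example (not from the post or from Oracle), a small Python script that applies step d) to an opmn.xml idempotently: it locates the java-options entry under the named process-type (steps b and c), replaces any existing oracle.wsm.directory.timeout setting instead of appending a duplicate, and rejects the value 0 that the post says disables the timeout. The opmn.xml inside it is constructed and trimmed to the elements the post shows; the instance name "home" is the post's own example.

```python
import xml.etree.ElementTree as ET

PROPERTY = "oracle.wsm.directory.timeout"  # value is in milliseconds

# Constructed, trimmed opmn.xml shaped like the fragments quoted in the post.
SAMPLE_OPMN_XML = """<opmn>
 <ias-component id="default_group">
  <process-type id="home" module-id="OC4J" status="enabled">
   <category id="start-parameters">
    <data id="java-options" value="-server -XX:MaxPermSize=128M"/>
   </category>
  </process-type>
 </ias-component>
</opmn>
"""

def find_java_options(root, instance):
    """Steps b and c: the java-options <data> of the given process-type id, or None."""
    for pt in root.iter("process-type"):
        if pt.get("id") != instance:
            continue
        for cat in pt.iter("category"):
            if cat.get("id") == "start-parameters":
                for data in cat.iter("data"):
                    if data.get("id") == "java-options":
                        return data
    return None

def current_timeout_ms(java_options):
    """Timeout already present in a java-options string (ms), or None if unset."""
    for tok in java_options.split():
        if tok.startswith(f"-D{PROPERTY}="):
            return int(tok.split("=", 1)[1])
    return None

def set_timeout(xml_text, instance, timeout_ms):
    """Step d: return (new xml, previous timeout); an existing -D setting is replaced."""
    if timeout_ms <= 0:
        raise ValueError("0 disables the timeout; use a positive number of ms")
    root = ET.fromstring(xml_text)
    data = find_java_options(root, instance)
    if data is None:
        raise LookupError(f"no java-options for process-type id={instance!r}")
    opts = data.get("value", "").split()
    previous = current_timeout_ms(" ".join(opts))
    opts = [o for o in opts if not o.startswith(f"-D{PROPERTY}=")]
    opts.append(f"-D{PROPERTY}={timeout_ms}")
    data.set("value", " ".join(opts))
    return ET.tostring(root, encoding="unicode"), previous
```

ElementTree drops XML comments and reflows whitespace, so diff the returned text against the original opmn.xml before overwriting it, then restart the server as in step e).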

Letting the application handle its TCP connections before the firewall interferes is the most self-contained option, and should be preferred.
But as mentioned in firewall and tcp connection, this is not always a feasible option.
