Wednesday, May 09, 2007

What Does "DMZ Certification" Mean?

Depending on whom you ask, the E-Business Suite has somewhere around 200 functional applications products, clustered into larger product families such as Oracle Financials. A subset of those products are specifically certified for deployment in an externally-facing configuration via demilitarized zones (DMZ). For example, products certified for these types of "external" deployments include iRecruitment, iStore, and iSupplier Portal.

DMZ Reverse Proxy:

The diagram above shows a common DMZ configuration for the E-Business Suite Release 11i. All of the points I'll make in this article apply equally to Release 11i and 12.

Loopbacks are Incompatible with DMZs

Some E-Business Suite products use loopbacks, which I've discussed in a previous article. Apps products certified for external use in demilitarized zone configurations are tested to ensure that they don't use loopbacks.

In fact, we turn off loopback support completely as part of the DMZ certification process for externally-facing products. If a particular product breaks during testing in these environments, this means that their code must be upgraded to eliminate the use of loopbacks.

Which Products are Certified for DMZs?

Products certified for external deployment are listed in:
Not all Apps products are appropriate for use in demilitarized zones, so product testing in these configurations isn't comprehensive across all product families. For example, regardless of security measures, no sane Apps architect would consider allowing their Chart of Accounts to be modified via the Internet. So, there's no point in certifying that particular product with in a DMZ configuration.

If a product isn't in listed in the appendices of the Notes listed above, it could mean one of two things:
  1. It uses loopbacks and is not certified for external use in a DMZ configuration
  2. It hasn't been tested in a DMZ configuration, and may or may not use loopbacks
What If a Product Isn't Certified?

Here's a hypothetical situation:

You'd like to deploy a particular application externally in a DMZ configuration. It's not listed in either of the referenced Metalink Notes. What do you do?

The answer: log a Service Request against the specific application via Metalink stating your requirement. It always helps to include a network diagram of your proposed topology, by the way. If all goes as planned, the Development team for the product will be notified of your requirement and will respond with an update on their plans for that certification.


No comments: