Ssl in multi node ebs with dmz

Hi Erman,

Hope you are doing good.

In our environment we have single node database
Primary Applications node ssl enabled
And
Secondary Applications node which is the dmz node ssl enabled.
Ebs version 12.2.4
Db version 12.1.0.2

  I was preparing to renew my ssl certs for prod server.
Under $EBS_DOMAIN_HOME /opmn directory i see EBS_WEB_OHS1 AND EBS_WEB_OHS2 on the primary node and when I cat topology.xml I see the details as attached in screenshot.

The question is do I need to copy primary node cwallet.sso under EBS_WEB_OHS1 and EBS_WEB_OHS2?

And on the dmz node I don't see opmn directory under Under $EBS_DOMAIN_HOME /


I have attached the excel sheet in first section the highlighted OHS2 location on primary server

And the second section highlighted is about the missing opmn directory under EBS_DOMAIN_HOME.

My question is under primary node  OHS2 wallet locations  cwallet.sso needs to be added from primary node wallet or dmz node wallet.

Rest everything is clear.
Its a bit confusing.  Please suggest.  Thanks in advance

ssl_renewal_loc.xlsx1606931700721_topologyxml.txt

Why do you have 2 OHS instance configured on that PROD node?
Are they both active? If they are both active, my answer to your question is yes.
This environment is already configured with SSL/TLS right? So you can check the current contents of the directories and decide your actions as well..

What kind of DMZ implementation you have? Do you have an external  app tier on DMZ or you just have a reverse proxy there?

You have the required steps in your excel. If this steps are implemented earlier in your environment (I mean if you can trust those instructions), then again, If this is an already SSL-enabled environment, you will see the cwallet.sso there.

Why do you have 2 OHS instance configured on that PROD node?
===I am not sure. We have a primary node and dmz node. And its a non shared appl top.

Are they both active? If they are both active, my answer to your question is yes.

==== how can I verify it. And by your suggestion  I should copy the primary node cwallet.sso in both OHS1 and OHS2?

This environment is already configured with SSL/TLS right? So you can check the current contents of the directories and decide your actions as well..

What kind of DMZ implementation you have?
External irecruitment

 Do you have an external  app tier on DMZ or you just have a reverse proxy there?
==external irecruutment


You have the required steps in your excel. If this steps are implemented earlier in your environment (I mean if you can trust those instructions), then again, If this is an already SSL-enabled environment, you will see the cwallet.sso there.

==the steps in excel are from oracle document.1367293.1
I just copied the locations as per the document.  
In the implementation document there is no mention of OHS2.

I am stuck at this point whether to copy the primary  cwallet.sso or the dmz cwallet.sso in OHS2 folder located in primary node?

You can check it using FMW Control.
Alternatively, you can check the process running on your OS.. You can check the http server related processes and understand where there is an active second OHS instance in your environment or not.

If there is, then you need make the SSL related implementation there as well..

As i already said -> This environment is already configured with SSL/TLS right? So you can check the current contents of the directories and decide your actions as well..

We don't know your environment.. It may be a multi node and shared fs.. What you are seeing there as OHS2 may be the Oracle HTTP Server of the second apps node, as well..

This is what I recommend currently.. With the information that I currently have, I can't do better than that.


Normally, you should first know what your  environment is.. What services are running on each node. .(FND_NODES will give this info to you) Then you should decide what components to configure SSL and proceed accordingly..