How to block, restrict or prevent end-user access to E-Business Suite

This post shows how to prevent EBS user access (restrict EBS login in Oracle) while still allowing specific users, in 11i and R12.

 
When a critical activity is under way on the business side and you want to prevent business users from accessing Oracle Applications, you can do so with the configuration changes below.
 
Note: Before changing anything in a configuration file, take a backup first.
 
11i
 
1. Backup file $IAS_ORACLE_HOME/Apache/Apache/conf/apps.conf
2. Edit the apps.conf file and add a list of IP addresses for the user systems that you want to allow access to the system. All other systems will be denied access to the Oracle Applications suite.
 
e.g.
Alias /OA_HTML/ "/u01/jbcomn/html/"
<Location /OA_HTML/>
Order allow,deny
Allow from XX.XXX.XXX.XXX
Allow from XX.XXX.XXX.XXX
Allow from XX.XXX.XXX.XXX
Allow from X.XXX.XXX.XXX
Allow from localhost
Allow from your_apps_server.company.com
Allow from your_apps_server
</Location>
 
R12.1X
 
1. Edit the file $ORA_CONFIG_HOME/10.1.3/Apache/Apache/conf/custom.conf and add a list of IP addresses for the user systems that you want to allow access to the system. The benefit of using custom.conf is that it is preserved when AutoConfig is run.
e.g.
<Location ~ "/OA_HTML">
Order deny,allow
Deny from all
Allow from XX.XXX.XXX.XXX
Allow from XX.XXX.XXX.XXX
Allow from XX.XXX.XXX.XXX
Allow from X.XXX.XXX.XXX
Allow from localhost
Allow from your_apps_server.company.com
Allow from your_apps_server
</Location>
ErrorDocument 403 "Oracle Application Service is temporarily unavailable!!!. We are currently performing the maintenance activity(GST). Normal Service will be restored soon……..
 
R12.2x
1. In 12.2 the custom.conf file is located under $IAS_ORACLE_HOME/instances/EBS_web_<XXX>_OHS1/config/OHS/EBS_web_<XXX>.
Note: You need to include localhost and your apps tier server name. You can use the PC name rather than the IP address, but a PC name is more sensitive to network configuration.
EBS Login Access during working hours
One way to allow EBS login access only during working hours is to add a rewrite condition to custom.conf. This file is read each time Apache is started. In the example below, if the following lines are added to custom.conf, all users will be prohibited from accessing the EBS login page between the hours of 6:00 pm and 6:00 am:
 
<Location ~ "/OA_HTML">
RewriteEngine On
# TIME_HOUR is a two-digit string (00-23) and is compared as a string,
# so the pattern must be zero-padded.
# [OR] is required: without it both conditions would have to hold at once.
RewriteCond %{TIME_HOUR} >17 [OR]
RewriteCond %{TIME_HOUR} <06
RewriteRule .* - [F]
</Location>
 
 
3. Restart the Apache server.
 
4. Now only users connecting from the IP addresses you added will have access. All other users will get a forbidden error when they attempt to log in.
 
The forbidden error looks like this:
Forbidden
You don’t have permission to access /OA_HTML/AppsLocalLogin.jsp on this server
 
If you want to change the message, edit custom.conf and add a line as follows (change the text to suit your requirements):

ErrorDocument 403 "Oracle Application Service is temporarily unavailable!!!. We are currently performing the maintenance activity(GST). Normal Service will be restored soon……..
 
Stop and start Apache. Users will now receive the above message.
 
Important: This may not work if the IP address hitting the web server comes from a reverse proxy, load balancer or some other device, because the address Apache sees will then be that device's and not the end user's.
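
A pre-flight check for the allowlist, added here as an example (it is not part of the original post or of Oracle's tooling): it evaluates the Order/Allow/Deny rules for a given client address before you restart Apache, and shows the effect described in the Important note when Apache sees a load balancer's address instead of the user's. The sample addresses and the function names are assumptions; host name entries such as localhost are not evaluated because they depend on DNS.

```python
import ipaddress

# Constructed sample in the R12.1 custom.conf style; addresses are documentation ranges.
SAMPLE_CONF = """
<Location ~ "/OA_HTML">
Order deny,allow
Deny from all
Allow from 192.0.2.10
Allow from 198.51.100
Allow from 127.0.0.1
</Location>
"""

def parse_block(conf_text):
    """Collect the Order value and the Allow/Deny specs from a config fragment."""
    order, allow, deny = "deny,allow", [], []   # Apache's default Order is Deny,Allow
    for line in conf_text.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) >= 2 and words[0].lower() == "order":
            order = "".join(words[1:]).lower()
        elif len(words) >= 3 and words[1].lower() == "from":
            if words[0].lower() == "allow":
                allow.extend(words[2:])
            elif words[0].lower() == "deny":
                deny.extend(words[2:])
    return order, allow, deny

def spec_matches(spec, ip):
    """Match one Allow/Deny spec: 'all', CIDR or netmask, full or partial IPv4."""
    if spec.lower() == "all":
        return True
    if "/" in spec:
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
        except ValueError:
            return False
    octets = spec.rstrip(".").split(".")
    if all(o.isdigit() for o in octets):
        return ip.split(".")[:len(octets)] == octets   # "198.51.100" covers 198.51.100.*
    return False   # host names depend on reverse DNS and are not evaluated offline

def is_allowed(conf_text, client_ip):
    order, allow, deny = parse_block(conf_text)
    allowed = any(spec_matches(s, client_ip) for s in allow)
    denied = any(spec_matches(s, client_ip) for s in deny)
    if order == "allow,deny":
        return allowed and not denied    # default deny; a matching Deny wins
    if order == "deny,allow":
        return allowed or not denied     # default allow; a matching Allow wins
    raise ValueError("unsupported Order: " + order)

def proxy_mismatches(conf_text, connections):
    """connections: (end_user_ip, peer_ip_apache_sees). Return the pairs where the
    decision Apache makes on the peer differs from the one intended for the user."""
    return [(user, peer) for user, peer in connections
            if is_allowed(conf_text, user) != is_allowed(conf_text, peer)]
```

Run is_allowed against your own workstation and the apps tier addresses before restarting, so you do not lock yourself out.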
 

 

 
