Oracle Database XE, APEX, ORDS, Tomcat and httpd on CentOS 7: all-in-one guide - part three

This is the final chapter of this all-in-one guide, covering optional additional configuration of the environment. By now, you should have a working installation of Oracle Database XE, APEX, ORDS, Tomcat and Apache httpd on your CentOS system even without these steps. But in a production environment, security and performance issues always arise. If you want to improve these aspects of your setup, keep reading.

SSHd tweaks

It is a good idea to disable direct remote root login. Users who need superuser rights should escalate their privileges with the su command instead. To do so, edit the SSHd config and reload it:

mcedit /etc/ssh/sshd_config

Add the line below to the config and save the file:

PermitRootLogin no

Then, restart the service:

systemctl restart sshd
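sshd takes the first value it finds for each keyword, and lines placed after a Match line apply only to that block, so a PermitRootLogin no appended in the wrong place has no global effect. The following check is an added example, not part of the original guide; the function names and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide). Prints the global
# PermitRootLogin value sshd would take from the given config file.
effective_root_login() {
    awk '
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        { gsub(/=/, " "); key = tolower($1) } # "Key=value" is also valid syntax
        key == "match" { exit }               # lines below apply only conditionally
        key == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }     # compiled-in default applies
    ' "$1"
}

# Returns 0 only when the file globally sets PermitRootLogin to "no".
root_login_disabled() {
    [ "$(effective_root_login "$1")" = "no" ]
}

# Constructed sample configs illustrating the three outcomes.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin no' > "$d/good"
    printf '%s\n' 'PermitRootLogin yes' 'PermitRootLogin no' > "$d/shadowed"
    printf '%s\n' 'Match User backup' 'PermitRootLogin no' > "$d/in_match"
    for f in good shadowed in_match; do
        printf '%-9s -> %s\n' "$f" "$(effective_root_login "$d/$f")"
    done
    rm -rf "$d"
}
demo
```

On the server itself, sshd -t checks the file for syntax errors before the restart, and sshd -T (run as root) prints the effective configuration.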

Apache httpd tweaks

First, disable the default welcome page by removing the corresponding config file:

rm -rf /etc/httpd/conf.d/welcome.conf

Then, add an additional configuration file 0-extra.conf in the /etc/httpd/conf.d/ directory with the contents below:

# additional apache httpd configuration
# add this to the end of /etc/httpd/conf/httpd.conf
# or put it in a separate file such as /etc/httpd/conf.d/0-extra.conf

# disable sensitive version info
ServerSignature Off
ServerTokens Prod

# enable compression of static content
<IfModule deflate_module>
    SetOutputFilter DEFLATE
    AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css text/javascript
</IfModule>

# enable client caching of static content
<IfModule expires_module>
    ExpiresActive On
    ExpiresByType image/gif "access plus 7 days"
    ExpiresByType image/jpeg "access plus 7 days"
    ExpiresByType image/png "access plus 7 days"
    ExpiresByType text/css "access plus 7 days"
    ExpiresByType text/javascript "access plus 7 days"
    ExpiresByType application/javascript "access plus 7 days"
    ExpiresByType application/x-javascript "access plus 7 days"
</IfModule>

This will enable traffic compression and client-side caching of static files. It will also stop httpd from displaying sensitive version information.

Tomcat tweaks

If you followed the steps from this guide, there's nothing to clean up in Tomcat. But, just to be sure, you can execute these commands, which remove all default Tomcat applications:

cd /usr/share/tomcat/webapps
rm -rf examples/*
rmdir examples
rm -rf sample/*
rmdir sample

Then, I noticed that although both tomcat and oracle-xe start at system startup, APEX does not work properly until tomcat is restarted. This happens because the tomcat service starts before oracle-xe. To fix this, we need to edit the Tomcat service systemd unit file:

mcedit /usr/lib/systemd/system/tomcat.service

There the Unit section should look like this:

[Unit]
Description=Apache Tomcat Web Application Container
After=syslog.target network.target oracle-xe.service

Save the file after making changes and invoke this command to reload the config:

systemctl daemon-reload

Oracle XE tweaks

Now let's connect to the database using the rlwrap sqlplus /nolog command, clean it up and do some additional configuration:

-- connect to the database
connect sys as sysdba

-- anonymous user is not needed when we don't use XDB
alter user anonymous account lock;
-- dropping the demo schema
drop user hr cascade;

-- altering the default password policy (by default passwords will expire in 180 days)
alter profile default limit password_life_time unlimited;

-- some recommended values for the parameters
alter system set sessions=250 scope=spfile;
alter system set processes=200 scope=spfile;
alter system set memory_target=1G scope=spfile;
alter system set memory_max_target=1G scope=spfile;
alter system set job_queue_processes=100 scope=spfile;

-- creating a tablespace for our APEX workspaces
create tablespace apex datafile '/u01/app/oracle/oradata/XE/apex.dbf' size 128M reuse autoextend on next 8M maxsize unlimited;
-- creating a schema for our APEX workspaces
create user apex identified by "YourPasswordHere" default tablespace apex temporary tablespace temp;
alter user apex quota unlimited on apex;
grant unlimited tablespace to apex;
grant create session to apex;
grant create cluster to apex;
grant create dimension to apex;
grant create indextype to apex;
grant create job to apex;
grant create materialized view to apex;
grant create operator to apex;
grant create procedure to apex;
grant create sequence to apex;
grant create snapshot to apex;
grant create synonym to apex;
grant create table to apex;
grant create trigger to apex;
grant create type to apex;
grant create view to apex;

-- restart the database so the spfile parameters take effect
shutdown immediate
startup

As you can see, I created a new schema apex in a new tablespace apex. I recommend using it for your APEX applications.

Note that if you plan to make any network calls from the database, for example to invoke web services or send emails, you need to configure a Network Access Control List (ACL) to enable outgoing traffic to certain hosts/IP addresses and ports. Please see the special article covering the topic in detail for more information.

ORDS tweaks

The default connection pool settings in the ORDS configuration are too small. You'll have to experiment to see which settings are best for your workload, but the following should work well:

mcedit /u01/ords/config/ords/conf/apex.xml

Find these parameters and set their values:

<entry key="jdbc.InitialLimit">10</entry>
<entry key="jdbc.MinLimit">10</entry>
<entry key="jdbc.MaxLimit">60</entry>

Restart Tomcat for the changes to take effect:

systemctl restart tomcat

Checking if everything works

I believe you are dying to open your browser and check how it works. Just do it!

The APEX main page must be available at the yourdomain.tld/ords address, and APEX administration services at yourdomain.tld/ords/apex_admin respectively (where yourdomain.tld is your domain name or the server IP address):
[Image: APEX login screen]

Let's check the headers to be sure that caching and traffic compression work:
[Image: APEX login screen page headers]

Everything looks wonderful!
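The same header check can be scripted so it can be repeated after every configuration change. This is an added example, not part of the original guide; the function name and both sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide). Reads HTTP response headers on
# stdin, prints one finding per check, and returns non-zero on any FAIL.
audit_headers() {
    tr -d '\r' | awk '
        function report(ok, pass, fail) {
            if (!ok) bad = 1
            print (ok ? "OK   " pass : "FAIL " fail)
        }
        {
            name = tolower($0); sub(/:.*/, "", name)   # header name
            val = $0; sub(/^[^:]*:[ \t]*/, "", val)    # header value
        }
        name == "server"           { server = val }
        name == "content-encoding" { enc = tolower(val) }
        name == "expires" || name == "cache-control" { cache = 1 }
        END {
            # ServerTokens Prod reduces the Server header to the bare product name
            report(server !~ "[/0-9(]", "no version in Server header", "Server discloses: " server)
            report(enc ~ /gzip|deflate/, "response is compressed", "no Content-Encoding")
            report(cache, "caching headers present", "no Expires/Cache-Control")
            exit bad + 0
        }'
}

# Constructed sample responses: before and after applying 0-extra.conf.
demo() {
    printf '%s\r\n' 'HTTP/1.1 200 OK' 'Server: Apache/2.4.6 (CentOS)' \
        'Content-Type: text/css' | audit_headers || echo '(audit failed)'
    printf '%s\r\n' 'HTTP/1.1 200 OK' 'Server: Apache' 'Content-Encoding: gzip' \
        'Cache-Control: max-age=604800' 'Expires: Thu, 01 Jan 2026 00:00:00 GMT' \
        'Content-Type: text/css' | audit_headers
}
demo
```

Against the live server, feed it real headers with curl -s -o /dev/null -D - -H 'Accept-Encoding: gzip' followed by the URL of a static file, piped into audit_headers. The caching check only applies to the content types listed in 0-extra.conf, so test it with a CSS, JavaScript or image URL.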

Final words

Surely, these are not all the steps that could be taken. Consider also setting up an SSL connection to your server, configuring backups, and installing monitoring tools and systems like influxdb+telegraf+grafana. This work can be endless, and I'd rather stop here.

Now, I can finally say that we successfully installed and secured a reliable, nicely working APEX environment on a CentOS Linux server. Please provide me with your feedback in the comments and do not hesitate to add anything that would be great to add to this guide. I would really appreciate it if you corrected my English if I misused some words or structure. I apologize for it in advance.

Thank you very much for reading and I wonder if this series of blog posts would do any better to the great APEX community. Stay tuned for other guides and stories!
