Thursday, February 23, 2012

SSL offloading and WebLogic server redux - client x.509 certificates

I recently had to revisit the subject of SSL offloading and WebLogic server to include the ability to do client certificate authentication. I was specifically doing this for use with Oracle Access Manager 11g, but the configuration steps are identical whether you are using OAM or just WebLogic.

Just to redraw the diagram so we're all on the same page, this is what a real environment with OAM in it might look like:

Note that I put "Apache" in front of the OAM server. That could be Apache, IIS, OHS or indeed any web server. In my case I happened to use Apache but the configuration is the same for Apache or OHS.

The first thing I had to do was configure Apache to support SSL. I'll leave that step up to you - just follow the normal instructions for your web server. Then I created a new VirtualHost for :443 that looks like this:

<VirtualHost *:443>  
  ServerName linux.ktest.oracleateam.com

  SSLEngine on  
  SSLProtocol all -SSLv2  
  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW  
  SSLCertificateFile /home/oracle/simpleCA/linux.ktest.oracleateam.com.crt
  SSLCertificateKeyFile /home/oracle/simpleCA/linux.ktest.oracleateam.com.key
  
  <LocationMatch ^/oam/server/.*>
    SetHandler weblogic-handler
  </LocationMatch>
  
  <LocationMatch ^/oam/CredCollectServlet/X509.*>
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile /home/oracle/simpleCA/ca.crt
    SSLOptions +StdEnvVars +ExportCertData
  </LocationMatch>
  
</VirtualHost>
There are a couple of interesting things in there.
  1. The LocationMatch for "^/oam/server/.*" routes any request that matches that regular expression to the WebLogic plug-in so it can be forwarded to the OAM server.
  2. The LocationMatch for "^/oam/CredCollectServlet/X509.*". In OAM 11g the only URL that actually needs client certificate authentication is the x.509 credential collector. Putting "SSLVerifyClient require" on that Location tells Apache to demand a certificate from the browser and to refuse the request unless one is presented that chains to a CA in SSLCACertificateFile. "SSLVerifyDepth 1" limits how long that chain may be: the client certificate must be signed directly by a CA listed in that file (or be self-signed and itself listed there). If your users' certificates are issued by an intermediate CA, raise the depth and add the intermediate to the CA file.
  3. The last item is the one that caused me grief: unless you add "SSLOptions +StdEnvVars +ExportCertData", mod_wl will not send the client certificate down to the WebLogic server. +StdEnvVars exposes the SSL_* variables (subject DN, issuer and so on) and +ExportCertData additionally exports the PEM-encoded certificate itself as SSL_CLIENT_CERT, which is what the plug-in forwards to WebLogic in the WL-Proxy-Client-Cert header.

A word on the SSLProtocol and SSLCipherSuite lines: they are simply the Apache defaults of the day. "all -SSLv2" still allows SSLv3, and the cipher string admits RC4 and LOW-strength suites, all of which are broken by today's standards. On a current system disable SSLv3 (and TLS 1.0/1.1 if your clients allow it) and drop RC4, LOW and MEDIUM from the cipher list.
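As an added example (not from the original post), the script below builds the kind of "simpleCA" the VirtualHost above points at and then checks, offline with openssl, exactly what "SSLVerifyClient require" plus "SSLCACertificateFile" will check: that the browser's certificate chains to ca.crt and that a certificate from some other CA does not. The CA name "simpleCA", the user names alice and mallory and the exact X509 collector URL in the commented curl line are assumptions; only the host name and the /oam/CredCollectServlet/X509 prefix come from the post.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Builds a throw-away CA with
# server and client certificates and emulates Apache's client-cert check.
# Subject names, the CA name and the collector URL are assumptions.
set -eu

# Create a self-signed CA, a server cert for HOST and a client cert for USER
# under DIR, named like the files referenced in the VirtualHost.
make_simple_ca() {
  local dir="$1" host="$2" user="$3"
  mkdir -p "$dir"
  # 1. CA key and self-signed CA certificate (this becomes SSLCACertificateFile)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=simpleCA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # 2. Server key + cert (SSLCertificateKeyFile / SSLCertificateFile). The SAN
  #    is an extension, so it goes in via -extfile rather than the subject.
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/server.ext"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$dir/$host.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/$host.crt" 2>/dev/null
  # 3. Client key + cert signed directly by the CA. With SSLVerifyDepth 1 this
  #    (leaf signed by a CA in the CA file) is the only chain shape accepted.
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$user" \
    -keyout "$dir/$user.key" -out "$dir/$user.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$dir/$user.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/$user.crt" 2>/dev/null
}

# Emulate the check behind "SSLVerifyClient require": does CERT chain to a CA
# in CAFILE? Returns 0 (accepted) or non-zero (rejected), as openssl verify does.
client_cert_ok() {
  local cafile="$1" cert="$2"
  openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1
}

# Demo: one proper client cert and one issued by an unrelated CA, which Apache
# must refuse even though it is a perfectly valid certificate on its own.
demo() {
  local dir
  dir="$(mktemp -d)"
  make_simple_ca "$dir/simpleCA" linux.ktest.oracleateam.com alice
  make_simple_ca "$dir/rogueCA"  linux.ktest.oracleateam.com mallory
  client_cert_ok "$dir/simpleCA/ca.crt" "$dir/simpleCA/alice.crt"  && echo "alice:   accepted"
  client_cert_ok "$dir/simpleCA/ca.crt" "$dir/rogueCA/mallory.crt" || echo "mallory: rejected"
  # End-to-end check against the live Apache (collector URL is an assumption):
  #   curl --cacert "$dir/simpleCA/ca.crt" \
  #        --cert "$dir/simpleCA/alice.crt" --key "$dir/simpleCA/alice.key" \
  #        https://linux.ktest.oracleateam.com/oam/CredCollectServlet/X509
  # Without --cert/--key Apache refuses the handshake for that path.
  echo "$dir"
}

demo
```

Run it once to get a directory you can point SSLCertificateFile, SSLCertificateKeyFile and SSLCACertificateFile at; import alice.crt/alice.key into a browser (or use the curl line) to exercise the X509 collector.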

That's all the configuration you need to do in Apache (or OHS). Now you need to do a couple of steps inside WebLogic.

  1. Check the "WebLogic Plugin Enabled" checkbox as we did in the previous blog post.
  2. On the same page check the "Client Cert Proxy Enabled" checkbox.

To reiterate where those are - go to the WebLogic Console (http://localhost:port/console), click on the domain name inside the left hand navigation tree, then click the Web Applications tab. You should find both of those settings towards the bottom of the screen.

That should be all you need to do. One caveat before you call it done: with "Client Cert Proxy Enabled" turned on, WebLogic trusts whatever certificate arrives in the WL-Proxy-Client-Cert header, so any client that can reach the WebLogic listen port directly, bypassing Apache, could put a certificate of its own choosing in that header. Make sure the managed servers only accept connections from the web tier (a firewall rule or a WebLogic connection filter) and do not enable the setting on a server that end users can reach directly.

2 comments:

  1. We have wallet ewallet.p12 on the OHS side and we are using the wallet instead of SSLCertificateFile in our ssl.conf and mod_wl_ohs.conf.

    The issue is the OHS is sending the user certificate from the wallet instead of the certificate from the browser.
    Also we have the
    SSLOptions +StdEnvVars +ExportCertData
    but don't have the
    SSLVerifyDepth 1 in the mod_wl_ohs.conf.
    What is the use of SSLVerifyDepth 1?

  2. I was using the "plain jane" Apache for this setup.

    If you are using OHS the config is *slightly* different. If you open an SR, support will be happy to help you get this working properly.
