Comments on Oracle Fusion Middleware Security: SSL offloading and WebLogic server

Chris Johnson (Oracle), 2012-09-10T15:18:49.971-07:00

You could go HTTP into OHS and then HTTPS from OHS to WebLogic (though why would you want to?).

Just configure mod_wl to use SSL - it's really that easy.

But this post was talking about using Apache to simulate an SSL offloading reverse proxy. In other words something like an SSL accelerator. I do this on my VMs on my laptop because nobody wants to buy me an actual load balancer.

This definitely is NOT something you'd use in a real world environment!

Hari, 2012-08-14T01:27:12.617-07:00

Hi Chris, This article and a few other articles of yours are very useful. Overall, the solutions are imbued with simplicity, that is quite rare these days.

Just to discuss on this article, in a real time scenario an OHS web server (with 11g webgate) resides separately on a separate WL server, while the application resides (secured by an OAM Identity Asserter) in a separate cluster environment.

Assuming the application WLS is open only on HTTPS, can the OHS, which is on HTTP, reverse proxy to the WL server?

Chris Johnson (Oracle), 2012-06-11T14:19:08.208-07:00

The WebGate looks for a different header. The name is configurable, but by default it's IS_SSL with the value "ssl". You'll want the proxy to add that header to the inbound traffic. If you do that the WebGate will know that it's HTTPS instead of HTTP and the redirects back and forth to the OAM server should work properly.

Vikram Sekaran, 2012-06-06T20:39:54.648-07:00

Hi Chris,
Thanks for the informational blog. I have followed the configuration to setup the rev proxy in our env. I have run into an issue in our integration after adding a webgate into the picture, the whole setup works fine without a webgate.

User -https-> LB -http-> Apache(webgate) -http-> weblogic(oim)
this is the setup we are trying to achieve with SSL offloading.

The problem currently I face in achieving this is after the login page, the protocol changes to http and getting a timed out or 404.

https://oim.example.com/oim/faces/pages/Self.jspx (Protected app)

-->

https://oam.example.com:4443/oam/server/obrareq.cgi%3Fwh%253Dzdoim4_wg%2520wu%253D%252Foim%252Ffaces%252Fpages%252FSelf.jspx%2520wo%253D1%2520rh%253Dhttp%253A%252F%252Foim.example.com%2520ru%253D%25252Foim%25252Ffaces%25252Fpages%25252FSelf.jspx

-->

https://oam.example.com/ssologin/login.jsp (Login Page)

-->

https://oam.example.com:4443/oam/server/auth_cred_submit

-->

http://oim.example.com/obrar.cgi?cookie=ERE+2Fh9SyO4roKMHA20To%252B8x5KjnQ%252FeihUX9dvWSXUSZ2HXt77YDqsvN6Gs2NYgpAtgPHvUkxPxMgIbd4El0JS1LBOD330yHm0jgkS6KKEffGlc58ujSgzM0MYzOZSlLuGBRNEZQM0hpT65dRhJJ7sllZZr6aPzOYGHjqDm%252B8icbtkntE5yQ4jKNDkMPDRim8MGGCY4%252FsN3%wrmUmnJGo4cS2kmGs7GoS05CyK1bWdbn%252F5lnflHsEgsd%252BKNA%253D%2520redirectto%3D%25252Foim%25252Ffaces%25252Fpages%25252FSelf.jspx%2520ssoCookie%3Dhttponly
(timed out)

I believe you could throw some light with a reverse proxy working with a webgate on apache. A little help will be greatly appreciated.

Thanks,
Vikram