|
|
|
|
|
|
| | | |
FAQs: Plug-In
For information on how a plug-in works, see Installing and Configuring the Apache HTTP Server Plug-In in the Administration Guide.
How does the plug-in route the request for a sticky session?
If the browser sends a cookie, we look for "JSESSIONID" (configurable by a parameter called "CookieName") in the "Cookie: " header.
If the cookie is disabled and URL re-writing is used, the session id is encoded in the URL. In WebLogic Server 5.1 and earlier, it was encoded in the query string:
?WebLogicSession=my_dumy_session
In WebLogic Server 6.0 and later, it was encoded in the parameter:
;JSESSIONID=my_dummy_session
If no session is found in the query string or parameter and if it is small enough to be read into memory, WebLogic Server looks for the session in the postdata.
What is new for debugging a plug-in in WebLogic Server 6.0?
"Debug = ON" logs only informational and error messages HFC : headers from the client, informational, and error messages HTW : headers sent to wls, informational and error messages HFW : headers sent from wls, informational and error messages HTC : headers sent to the client, informational and error messages ALL : everything OFF : nothing -- default(should be used in production)
The log file is configurable for 6.1. For later versions of WebLogic Server, the WLLogFile was introduced to configure the debug filename and location.
What is expected in the wlproxy.log?
Every request looks like the following:
"================New Request: [GET / HTTP/1.1] ================="
PathTrim, DefaultFileName, and PathPrepend will be performed in order. The final request will be logged as the following: "Fri Jun 22 14:24:40 2001 The request string is '/index.jsp'"
Looking for session information and determining the primary:
"Fri Jun 22 14:24:40 2001 Initializing lastIndex=0 for a list of length=1 Fri Jun 22 14:24:40 2001 create a new server node: id='qa89:443' server_name='mint.beasys.com', port='18080'"
Init SSL if SecureProxy is set to ON:
"Fri Jun 22 14:24:40 2001 INFO: SSL is configured Fri Jun 22 14:24:40 2001 INFO: Initializing SSL library Fri Jun 22 14:24:40 2001 Loaded 1 trusted CA's Fri Jun 22 14:24:40 2001 INFO: Successfully initialized SSL Fri Jun 22 14:24:40 2001 INFO: SSL configured successfully"
Initial connection being made:
"Fri Jun 22 14:24:40 2001 general list: trying connect to '172.17.9.180'/443 Fri Jun 22 14:24:40 2001 Connected to 172.17.9.180:443"
Client headers and the post data (if present) being read:
"Fri Jun 22 14:24:40 2001 Hdrs from clnt:[Accept]=[image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*]"
Client headers and the post data (if any) being sent:
"Fri Jun 22 14:24:40 2001 Hdrs to WLS:[Accept]=[image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*]"
Response headers being obtained from WebLogic Server:
"Fri Jun 22 14:24:46 2001 Hdrs from WLS:[Set-Cookie]=[JSESSIONID=OzI19WqYmFnRviHEu5gKLvot42ABeD8NPWnF 0jW6cawSGcrp2mru!4038528127411848936!-1408169548!80!443; path=/] Fri Jun 22 14:24:46 2001 parsed all headers OK"
Response headers being sent to WebLogic Server and indicating if the connection is close or keep-alive is here:
"Fri Jun 22 14:24:46 2001 Hdrs to client:[Date]=[Fri, 22 Jun 2001 21:24:48 GMT] Fri Jun 22 14:24:46 2001 Hdrs to client:[Server]=[WebLogic WebLogic Server 6.1 beta 06/21/2001 10:44:44 #122398 - internal build by jlee on client jlee.qa89] Fri Jun 22 14:24:46 2001 canRecycle: conn=1 status=200 isKA=0 clen=2705 isCTE=0 Fri Jun 22 14:24:46 2001 closeConnection in load_utils: deleting URL* Fri Jun 22 14:24:46 2001 INFO: Closing SSL context Fri Jun 22 14:24:46 2001 INFO: sysSend 23 Fri Jun 22 14:24:46 2001 INFO: Error after SSLClose, socket may already have been closed by peer Fri Jun 22 14:24:46 2001 r->status=200 returning 0"
What has changed in the 6.1 plug-in?
What is static list, dynamic list, and general list?
Does the 6.1 plug-in support two-way SSL?
No. But the plug-in can be set-up to require the client certificate and pass it on to WebLogic Server. For example:
apache ssl
SSLVerifyClient require
SSLVerifyDepth 10
SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
Sometimes a reponse from WebLogic Server to the plug-in contains the Set-Cookie header. Is this normal?
Yes. WebLogic Server will send the Set-Cookie header in the response if the Cookie header is missing from the request or X-WebLogic-Force-Cookie is detected. If the plug-in fails to connect to a bad server, the plug-in will send the header X-WebLogic-Force-Cookie: true to the next available server to force the client to update the corresponding cookie which contains the correct session information.
If I install mod_wl_ssl.so with mod_perl to Apache 1.3.19, why does Segmentation Fault (11) occur in mod_wl_ssl.so when I access WebLogic via the plug-in?
The server could be any 6.x and the operating system could be any version of Solaris. The environment is WebLogic Server 6.x (Use mod_wl_ssl.so), Solaris 2.x.
In order to avoid getting Segmentation Fault (11), add a VirtualHost block for HTTP as in the following example:
# General setup for the virtual host DocumentRoot "/export/home/happy/local/apache_1.3.19/htdocs" ServerName happy1 ServerAdmin happy@happyville ErrorLog /export/home/happy/local/apache_1.3.19/logs/error_log TransferLog /export/home/happy/local/apache_1.3.19/logs/access_log </VirtualHost>
For the SSL port, also use the IP address in:
<VirtualHost 206.189.223.111:443>
Use any valid DNS name for the ServerName.
How do I protect WebLogic Server from security attacks from bogus clients using the WL-Proxy-Client-Cert header?
The WL-Proxy-Client-Cert header can be spoofed (used) by any client which has direct access to WebLogic Server. WebLogic Server takes the certificate information from that header, trusting that is came from a secure source (the plug-in) and use that information to authenticate the user. In previous releases of WebLogic Server, the default behavior was to always trust that header. Now you need to explicitly define trust of the WL-Proxy-Client-Cert header. A new parameter clientCertProxy allows WebLogic Server to on the implicit trust of the certificate header. If you need an additional level of security, use a connection filter to limit all connections into WebLogic Server (therefore allowing WebLogic Server to only accept connections from the machine on which the plug-in is running).
The clientCertProxy parameter has been added to the HTTPClusterServlet and Web applications.
For the HTTPClusterServlet, add the parameter to the web.xml file as follows:
<context-param>
<param-name>clientCertProxy</param-name>
<param-value>true</param-value>
</context-param>
For Web applications, add the parameter to the web.xml file as follows:
ServletRequestImpl context-param
<context-param>
<param-name>weblogic.httpd.clientCertProxy</param-name>
<param-value>true</param-value>
</context-param>
You can also use this parameter in a cluster as follows:
<Cluster ClusterAddress="127.0.0.1" Name="MyCluster"
ClientCertProxyHeader="true"/>
|
|
|
|
|
|
Copyright © 2001 BEA Systems, Inc. All rights reserved.
|