B Configure SSL for a Domain

Secure Socket Layer (SSL) is the most commonly used method of securing data sent across the internet. For domains created before June 2020, you can configure SSL between clients and the load balancer used to access your Oracle WebLogic Server for OCI domain.

Note:

This procedure applies only to domains that were created before June 29, 2020.

To set up custom SSL for Oracle WebLogic Server for OCI instances, see Overview of Configuring SSL in WebLogic Server.

In this configuration, SSL connections (the HTTPS protocol) terminate at the load balancer. Connections from the load balancer to the compute instances running Oracle WebLogic Server do not use SSL; they use the HTTP protocol.

If you selected the Prepare Load Balancer for HTTPS option when creating the domain, then you only need to perform these tasks:

If you did not select this option when creating the domain, then you must perform all of the tasks:

Create an HTTPS Listener for the Load Balancer

Update the load balancer for your domain. Create a listener for the HTTPS port, and then configure the SSL request headers for Oracle WebLogic Server.

Note:

This procedure applies only to domains that were created before June 2020. The steps are required only if you did not select the Prepare Load Balancer for HTTPS option when creating the domain.

The SSL request headers instruct WebLogic Server to use the HTTPS protocol in external URLs that it generates, such as in web application links.

  1. Access the Oracle Cloud Infrastructure console.
  2. From the navigation menu, select Networking, and then click Load Balancers.
  3. Select the Compartment in which the network resources for your domain were created.
    Depending on how the stack was initially created, this might be the same compartment that contains the compute instances for the domain.
  4. Click the load balancer that was provisioned as part of your stack, prefix-lb.
  5. Click Rule Sets.
  6. Click Create Rule Set.
  7. For Name, enter SSLHeaders.
  8. Click Specify Request Header Rules.
  9. Specify these header parameters.
    • Action: Add Request Header
    • Header: WL-Proxy-SSL
    • Value: true
  10. Click Another Request Header Rule.
  11. Specify these header parameters.
    • Action: Add Request Header
    • Header: is_ssl
    • Value: ssl
  12. Click Create, and then click Close.
  13. Click Listeners.
  14. Click Create Listener.
  15. For Name, enter https.
  16. For Port, enter 443.
  17. For Backend Set, select the backend resource created for the load balancer.
  18. Click Create, and then click Close.
  19. After the https listener is created, edit it.
  20. Click Additional Rule Set, and then select SSLHeaders.
  21. Click Save Changes, and then click Close.
  22. If you provisioned a new load balancer subnet as part of your stack, update the security list for this subnet and permit access to the HTTPS port.
    1. From the navigation menu, select Networking, and then click Virtual Cloud Networks.
    2. Click the virtual cloud network (VCN) used by your domain.
    3. Click Security Lists.
    4. Click the load balancer security list that was provisioned for your stack.
      • prefix-lb-security-list, if you created a single regional subnet
      • prefix-wls-lb-security-list-1 and prefix-wls-lb-security-list-2, if you created subnets for specific availability domains
    5. Edit the existing ingress rule for port 80.
    6. Change the Destination Port Range to 443.
    7. Click Save Changes.

If you later want to delete this stack, you will not be able to destroy it using Resource Manager. Because the load balancer resources have been modified outside the stack, you will have to delete the load balancer manually.

See these topics in the Oracle Cloud Infrastructure documentation:

Add a Certificate to the Load Balancer

Upload your SSL certificate, and then associate the certificate with the HTTPS listener.

Note:

This procedure applies only to domains that were created before June 2020.

You can use a custom, self-signed SSL certificate, or a certificate that you’ve obtained from a Certificate Authority (CA). For production WebLogic Server environments, Oracle recommends that you use a CA-issued SSL certificate, which reduces the chances of experiencing a man-in-the-middle attack.

  1. Access the Oracle Cloud Infrastructure console.
  2. From the navigation menu, select Networking, and then click Load Balancers.
  3. Select the Compartment in which the network resources for your domain were created.
    Depending on how the stack was initially created, this might be the same compartment that contains the compute instances for the domain.
  4. Click the load balancer that was provisioned as part of your stack, prefix-lb.
  5. Click Certificates.
  6. Click Add Certificate.
  7. Enter a name for your certificate.
  8. Either upload the certificate file, or paste its contents into the text area.
  9. If applicable, specify a CA certificate or a private key file.
    For example, if you are using a self-signed certificate, upload the corresponding private key file. See Managing SSL Certificates in the Oracle Cloud Infrastructure documentation.
  10. Click Add Certificate, and then click Close.
  11. After the certificate has been successfully added, click Listeners.
  12. Edit the https listener.
  13. Click Use SSL, and then select your new certificate.
  14. Click Save Changes, and then click Close.
  15. If a listener named http exists, delete it.
    This is the default load balancer listener if you did not select the Prepare Load Balancer for HTTPS option when creating the domain.

You cannot modify an existing load balancer certificate. You must add a new certificate, and then associate the listener with the new certificate.

Update the App Gateway for HTTPS

If your Oracle WebLogic Server domain uses Oracle Identity Cloud Service for authentication, update and restart the App Gateway on each compute instance in the domain.

Note:

This procedure applies only to domains that were created before June 2020. The steps are required only if both of these are true:
  • You did not select the Prepare Load Balancer for HTTPS option when creating the domain.
  • You selected the Enable Authentication Using Identity Cloud Service option when creating the domain.

  1. Open an SSH connection to the first compute instance in the domain, as the opc user.
    Example:
    ssh -i mykey opc@203.0.113.13
  2. Create a backup of the folder /u01/data/cloudgate_config.
    sudo cp -avr /u01/data/cloudgate_config /u01/data/cloudgate_config_bak
  3. Edit the file /u01/data/cloudgate_config/appgateway-env.
  4. Edit the variable named CG_CALLBACK_PREFIX. Replace http with https.
    CG_CALLBACK_PREFIX=https://%hostid%
  5. Stop and remove the App Gateway container.
    sudo podman container stop appgateway
    sudo podman container rm appgateway
  6. Delete the contents of the folder /u01/data/cloudgate_config, except for the following files.
    • appgateway-env
    • cwallet.sso
    • origin_conf
  7. Start the App Gateway container.
    sudo /opt/scripts/idcs/run_cloudgate.sh
  8. Repeat from step 1 for all remaining compute instances in this domain.
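Steps 2 to 7 above have to be repeated by hand on every compute instance, and step 6 in particular is easy to get wrong. The script below is an added example, not part of the Oracle documentation: it assumes the folder, file, container name and start script named on the page, and lets `CONFIG_DIR` be overridden so the edit and the cleanup can be rehearsed on a copy of the folder before touching the live one. The functions are separate so each step's result can be inspected (for example with `ls` after pruning) before the container is restarted.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): steps 2 to 7 of the App
# Gateway update as a script, so the edit and the cleanup can be checked
# before the container is restarted. Assumes the paths, container name and
# start script shown on the page; CONFIG_DIR can be overridden for a dry run
# on a copy of the folder.
CONFIG_DIR="${CONFIG_DIR:-/u01/data/cloudgate_config}"

# Step 2: copy DIR to DIR_bak, refusing to clobber an earlier backup.
backup_config() {
    bak="${1}_bak"
    if [ -e "$bak" ]; then
        echo "backup already exists: $bak" >&2
        return 1
    fi
    cp -a "$1" "$bak"
}

# Steps 3-4: switch CG_CALLBACK_PREFIX from http:// to https:// in ENVFILE,
# leaving every other line untouched. Exit 1 if the variable is not present.
set_https_callback() {
    envfile="$1"
    grep -q '^CG_CALLBACK_PREFIX=' "$envfile" || return 1
    sed 's#^CG_CALLBACK_PREFIX=http://#CG_CALLBACK_PREFIX=https://#' "$envfile" \
        > "$envfile.tmp" && mv "$envfile.tmp" "$envfile"
}

# callback_prefix ENVFILE: print the current value of CG_CALLBACK_PREFIX.
callback_prefix() {
    sed -n 's/^CG_CALLBACK_PREFIX=//p' "$1"
}

# Step 6: remove everything directly under DIR except the three files that
# must be kept (appgateway-env, cwallet.sso, origin_conf).
prune_config() {
    find "$1" -mindepth 1 -maxdepth 1 \
        ! -name appgateway-env ! -name cwallet.sso ! -name origin_conf \
        -exec rm -rf {} +
}

# Steps 5 and 7, exactly as on the page (need sudo on the compute instance).
stop_appgateway() {
    sudo podman container stop appgateway
    sudo podman container rm appgateway
}
start_appgateway() {
    sudo /opt/scripts/idcs/run_cloudgate.sh
}

# Whole procedure for one compute instance, in the page's order; aborts before
# the container is stopped if the edit did not produce an https prefix.
update_app_gateway() {
    envfile="$CONFIG_DIR/appgateway-env"
    backup_config "$CONFIG_DIR" || return 1
    set_https_callback "$envfile" || { echo "CG_CALLBACK_PREFIX not found in $envfile" >&2; return 1; }
    case "$(callback_prefix "$envfile")" in
        https://*) ;;
        *) echo "CG_CALLBACK_PREFIX is still not https, aborting before restart" >&2; return 1 ;;
    esac
    stop_appgateway
    prune_config "$CONFIG_DIR"
    start_appgateway
}

# Usage (on each compute instance, as opc): sh update_app_gateway.sh --run
if [ "${1:-}" = "--run" ]; then
    update_app_gateway
fi
```

Run it once per compute instance, as step 8 requires; the backup guard stops a second run from silently overwriting the copy made by the first.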