You can use the Secure Sockets Layer (SSL) protocol to protect the connection between the plug-in and Oracle WebLogic Server. The SSL protocol provides confidentiality and integrity to the data passed between the plug-in and WebLogic Server.
The plug-in does not use the transport protocol (HTTP or HTTPS) specified in the HTTP request (usually by the browser) to determine whether to use SSL to protect the connection between the plug-in and WebLogic Server; that is, the plug-in is in no way dependent on whether the HTTP request (again, usually from the browser) uses HTTPS (SSL).
Instead, the plug-in uses SSL parameters that you configure for the plug-in, as described in SSL Parameters for Web Server Plug-Ins, to determine when to use SSL:
WebLogicSSLVersion—Specifies the SSL protocol version to use for communication between the plug-in and the WebLogic Server.
WLSSLWallet—The version 12c (12.2.1.1.0) plug-ins use Oracle wallets to store SSL configuration information. Use the WLSSLWallet SSL configuration parameter to configure the wallets. The orapki utility is provided in the plug-in distribution for this purpose.
The orapki utility manages public key infrastructure (PKI) elements, such as wallets and certificate revocation lists, on the command line so the tasks it performs can be incorporated into scripts. This enables you to automate many of the routine tasks of maintaining a PKI.
For more information, see "Using the orapki Utility for Certificate Validation and CRL Management".
SecureProxy—The SecureProxy parameter determines whether SSL is enabled.
Note:
For more information on valid security protocols and ciphers for the current release, see "SSLCipherSuite" and "SSLProtocol" in Administering Oracle HTTP Server.
In the case of two-way SSL, the plug-in (the SSL client) automatically uses two-way SSL when Oracle WebLogic Server is configured for two-way SSL and requests a client certificate.
If a client certificate is not requested, the plug-ins default to one-way SSL.
Note:
If an Oracle Fusion Middleware 12c (12.2.1.1.0) product is installed on the same system as the Apache (including Oracle HTTP Server) plug-in, the ORACLE_HOME variable must point to a valid installation; otherwise, the plug-in fails to initialize SSL.
For example, if ORACLE_HOME is invalid because the product was not cleanly removed, the plug-in fails to initialize SSL.
Plug-ins use Oracle libraries (NZ) to provide SSL support. Because the libraries are large, they are loaded only when SSL is needed. You must ensure that the library files, located in lib/*.so*, are available at the proper locations so that they can be dynamically loaded by the plug-in.
To configure the libraries for the plug-ins for Apache HTTP Server, you have a few options:
Windows: Specify the lib directory that contains the .dll files in the PATH variable, or copy the *.dll files to the bin directory.
UNIX: Configure LD_LIBRARY_PATH to point to the folder containing the libraries, or copy the libraries to the lib directory.
If you copy the libraries instead of updating the PATH (Windows) or LD_LIBRARY_PATH (UNIX) variables, you must copy the libraries afresh each time you install a new version of the plug-in.
Perform the following steps to configure one-way SSL.
In these steps, you run the keytool commands on the system on which WebLogic Server is installed, and you run the orapki commands on the system on which the version 12c (12.2.1.1.0) plug-ins are installed.
Note:
The examples in this section use the WebLogic Server demo CA. If you are using the plug-in in a production environment, ensure that trusted CAs are properly configured for the plug-in and for Oracle WebLogic Server.
1. Configure Oracle WebLogic Server for SSL. For more information, see "Configuring SSL" in Administering Security for Oracle WebLogic Server.
2. Create an Oracle Wallet by using the orapki utility:
   orapki wallet create -wallet mywallet -auto_login_only
   For more information, see "Using the orapki Utility for Certificate Validation and CRL Management" in Administering Oracle Fusion Middleware.
   Note:
   Only the user who creates the wallet (or for Windows, the account SYSTEM) has access to the wallet.
   This is typically sufficient for the Oracle WebLogic Server Proxy Plug-In for Apache HTTP Server because Apache runs as the account SYSTEM on Windows, and as the user who creates it on UNIX. However, for IIS the wallet will not work because the default user is IUSR_<Machine_Name> (IIS 6.0 and below) or IUSR (IIS 7.0 and above).
   If the user who runs the Oracle WebLogic Server Proxy Plug-In for Apache HTTP Server or Oracle WebLogic Server Proxy Plug-In 12c (12.2.1.1.0) for Microsoft IIS Web Server is different from the user who creates the wallet (or for Windows, the account SYSTEM), you need to grant the user access to the wallet by running the command cacls (Windows) or chmod (UNIX) after you create the wallet. For example:
   cacls <wallet_path>\cwallet.sso /e /g IUSR:R
3. Import the WLS trust certificate into the Oracle Wallet:
   orapki wallet add -wallet mywallet -trusted_cert -cert <cert_file_name> -auto_login_only
4. Configure the web server configuration files as follows:
   For Oracle HTTP Server, edit the mod_wl_ohs.conf file as follows:
   <IfModule mod_weblogic.c>
       WebLogicHost host
       WebLogicPort port
       SecureProxy ON
       WLSSLWallet path_to_wallet
   </IfModule>
   For Microsoft IIS, edit the iisproxy.ini file as follows:
   WebLogicHost=host
   WebLogicPort=port
   SecureProxy=ON
   WLSSLWallet=path_to_wallet
   For more information about the parameters in these examples, see Parameters for Web Server Plug-Ins.
5. Complete these steps if the version of the Oracle WebLogic Server instances in the back end is 10.3.4 (or a later release).
   a. Log in to the Oracle WebLogic Server administration console.
   b. In the Domain Structure pane, expand the Environment node. If the server instances to which you want to proxy requests from Oracle HTTP Server are in a cluster, select Clusters. Otherwise, select Servers.
   c. Select the server or cluster to which you want to proxy requests from Oracle HTTP Server.
   d. In the Configuration: General tab, scroll down to the Advanced section, then expand it. Do one of the following:

      To... | Select...
      ---|---
      Enable one-way SSL | WebLogic Plug-In Enabled
      Enable two-way SSL where client certificates are used to authenticate | Client Cert Proxy Enabled
      Enable two-way SSL with client certificates | Both

   e. If you selected Servers in Step 5.b, repeat steps 5.c and 5.d for the other servers to which you want to proxy requests from Oracle HTTP Server.
   f. Click Save.
   For the change to take effect, you must restart the server instances.
6. Send a request to http://host:port/mywebapp/my.jsp from the browser and validate the response.
When Oracle WebLogic Server is configured for two-way SSL, the plug-in forwards the user certificate to WebLogic Server. As long as WebLogic Server can validate the user certificate, two-way SSL can be established.
In addition to the steps described in Configuring a Plug-In for One-Way SSL, perform the following steps:
In these steps, you run the keytool commands on the system on which WebLogic Server is installed. You run the orapki commands on the system on which the version 12c (12.2.1.1.0) plug-ins are installed.
You can use the Secure Sockets Layer (SSL) protocol to protect the connection between the Oracle WebLogic Server Proxy Plug-In 12c (12.2.1.1.0) for iPlanet Web Server and Oracle WebLogic Server. The SSL protocol provides confidentiality and integrity to the data passed between the Oracle iPlanet Web Server plug-in and Oracle WebLogic Server.
The Oracle WebLogic Server Proxy Plug-In 12c (12.2.1.1.0) for iPlanet Web Server does not use the transport protocol (http or https) specified in the HTTP request (usually by the browser) to determine whether the SSL protocol will be used to protect the connection between the plug-in and Oracle WebLogic Server.
To use the SSL protocol between Oracle iPlanet Web Server plug-in and Oracle WebLogic Server:
Set the WebLogicPort parameter in the Service directive in the obj.conf file to the listen port configured in Step 1.
Set the SecureProxy parameter in the Service directive in the obj.conf file to ON.
Set the parameters in the Service directive in the obj.conf file that define information about the SSL connection. For the list of parameters, see SSL Parameters for Web Server Plug-Ins.
Use perimeter authentication to secure WebLogic Server applications that are accessed by using the plug-in.
A WebLogic Identity Assertion Provider authenticates tokens from outside systems that access your WebLogic Server application, including users who access your WebLogic Server application through the plug-in. Create an Identity Assertion Provider that will safely secure your plug-in as follows:
See "Identity Assertion Providers" in .