5 Parameters for Oracle WebLogic Server Proxy Plug-Ins
Learn about the parameters that you can use to configure Apache HTTP Server on Linux.
Note:
The parameters for the Oracle WebLogic Server Proxy Proxy Plug-ins should be specified in special configuration files, which are named and formatted uniquely for each web server. For information about the configuration files specific to the proxy plug-ins for Apache HTTP Server, see Configuring the Oracle WebLogic Server Proxy Plug-In for Apache HTTP Server.This chapter includes the following topics:
- General Parameters for Oracle WebLogic Server Proxy Plug-Ins
The names of the general parameters for Oracle WebLogic Server Proxy Plug-ins are case sensitive. - SSL Parameters for Oracle WebLogic Server Proxy Plug-Ins
The names of the SSL parameters for Oracle WebLogic Server Proxy Plug-ins are case sensitive.
General Parameters for Oracle WebLogic Server Proxy Plug-Ins
The names of the general parameters for Oracle WebLogic Server Proxy Plug-ins are case sensitive.
This section includes the following topics:
- ConnectRetrySecs
- ConnectTimeoutSecs
- DebugConfigInfo
- DefaultFileName
- DynamicServerList
- ErrorPage
- FileCaching
- Idempotent
- KeepAliveEnabled
- KeepAliveSecs
- MatchExpression
- MaxPostSize
- MaxSkipTime
- PathPrepend
- PathTrim
- QueryFromRequest
- WebLogicCluster
- WebLogicHost
- WebLogicPort
- WLCookieName
- WLDNSRefreshInterval
- WLExcludePathOrMimeType
- WLForwardUriUnparsed
- WLIOTimeoutSecs
- WLLocalIP
- WLMaxWebSocketClients
- WLProtocol
- WLProxyPassThrough
- WLProxySSL
- WLProxySSLPassThrough
- WLRetryOnTimeout
- WLRetryAfterDroppedConnection
- WLServerInitiatedFailover
- WLSocketTimeoutSecs
- WLSRequest
- WLTempDir
Parent topic: Parameters for Oracle WebLogic Server Proxy Plug-Ins
ConnectRetrySecs
Default: 2
To specify no retries, set ConnectRetrySecs equal to
ConnectTimeoutSecs. However, the proxy plug-in attempts to
connect at least twice.
You can customize the error response by using the ErrorPage parameter.
ConnectTimeoutSecs
Default: 10
Maximum time in seconds that the proxy plug-in should attempt to connect to the
Oracle WebLogic Server host. Make the value greater than
ConnectRetrySecs. If ConnectTimeoutSecs
expires without a successful connection, even after the appropriate retries (see
ConnectRetrySecs), an HTTP 503/Service
Unavailable response is sent to the client.
You can customize the error response by using the ErrorPage parameter.
DebugConfigInfo
Default: OFF
Enables the special query parameter "__WebLogicBridgeConfig". Use it to get details about configuration parameters from the proxy plug-in.
For example, if you enable "__WebLogicBridgeConfig" by setting
DebugConfigInfo and then send a request that includes the query
string ?__WebLogicBridgeConfig, then the proxy plug-in gathers the configuration
information and run-time statistics and returns the information to the browser. The
proxy plug-in does not connect to Oracle WebLogic Server in this case.
This parameter is strictly for debugging and the format of the output message can change with releases. For security purposes, keep this parameter turned OFF in production systems.
DefaultFileName
Default: none
If the URI is "/" then the proxy plug-in performs the following steps:
- Trims the path specified with the
PathTrimparameter. - Appends the value of
DefaultFileName. - Prepends the value specified with
PathPrepend.
This procedure prevents redirects from Oracle WebLogic Server.
Set the DefaultFileName to the default welcome page of the Web application in Oracle
WebLogic Server to which requests are being proxied. For example, If the
DefaultFileName is set to welcome.html, an HTTP request like
"http://somehost/weblogic" becomes "http://somehost/weblogic/welcome.html". For this
parameter to function, the same file must be specified as a welcome file in all the
Web Applications to which requests are directed. See Configuring Welcome Files in Developing Web Applications, Servlets, and JSPs for Oracle WebLogic Server.
Note for Apache users: If you are using Stronghold or Raven versions, define this parameter inside of a Location block, and not in an IfModule block.
DynamicServerList
Default: ON
When set to OFF, the proxy plug-in ignores the dynamic cluster list
used for load balancing requests proxied from the proxy plug-in and only uses the
static list specified with the WebLogicCluster parameter. Normally
this parameter should remain set to ON.
There are some implications for setting this parameter to OFF:
-
If one or more servers in the static list fails, the proxy plug-in could waste time trying to connect to a terminated server, resulting in decreased performance.
-
If you add a new server to the cluster, the proxy plug-in cannot proxy requests to the new server unless you redefine this parameter. Oracle WebLogic Server automatically adds new servers to the dynamic server list when they become part of the cluster.
ErrorPage
Default: none
You can create your own error page that is displayed when your Web server cannot forward requests to Oracle WebLogic Server.
The proxy plug-in redirects to an error page when the back-end server returns an HTTP 503/Service Unavailable response and there are no servers for failover.
FileCaching
Default: ON
When set to ON, and the size of the POST data in a request is
greater than 2048 bytes, the POST data is first read into a temporary file on disk
and then forwarded to Oracle WebLogic Server in chunks of 8192 bytes. This preserves
the POST data during failover, allowing all necessary data to be repeated to the
secondary if the primary goes down.
When FileCaching is ON, any client that tracks the
progress of the POST will see that the transfer has completed even though the data
is still being transferred between the WebServer and WebLogic. So, if you want the
progress bar displayed by a browser during the upload to reflect when the data is
actually available on the Oracle WebLogic Server, you might not want to have
FileCaching
ON.
When set to OFF and the size of the POST data in a request is
greater than 2048 bytes, the reading of the POST data is postponed until an Oracle
WebLogic Server cluster member is identified to serve the request. Then the proxy
plug-in reads and immediately sends the POST data to Oracle WebLogic Server in
chunks of 8192 bytes.
Turning FileCaching
OFF limits failover. If the Oracle WebLogic Server primary server
goes down while processing the request, the POST data already sent to the primary
cannot be repeated to the secondary.
Finally, regardless of how FileCaching is set, if the size of the
POST data is 2048 bytes or less the proxy plug-in will read the data into memory and
use it if needed during failover to repeat to the secondary.
- Location of POST Data Files
When the FileCaching parameter is set to ON and the size of the POST data in a request is greater than 2048 bytes, the POST data is first read into a temporary file on disk, and then forwarded to Oracle WebLogic Server in chunks of 8192 bytes.
Location of POST Data Files
/tmp/_wl_proxy for UNIX.
For Windows it is located as follows (if WLTempDir is not
specified):
- Environment variable
TMP - Environment variable
TEMP C:\Temp
Parent topic: FileCaching
Idempotent
Default: ON
When set to ON and if the servers do not respond within WLIOTimeoutSecs, the proxy plug-ins fail over if the method is Idempotent.
The proxy plug-ins also fail over if Idempotent is set to ON and the servers respond
with an error such as READ_ERROR_FROM_SERVER.
If Idempotent is set to OFF, the proxy plug-ins do not fail over. If you are using the Apache HTTP Server, you can set this parameter differently for different URLs or MIME types.
Idempotent only takes effect if the request is successfully sent to Oracle WebLogic Server and the proxy plug-in is now waiting for a response from the back end server.
POST requests are not retried even if marked as Idempotent.
KeepAliveEnabled
Default: ON
This directive enables pooling of connections between the proxy plug-in and Oracle
WebLogic Server. Valid values are ON and OFF.
While using Apache prefork mpm, Apache web server might fail. Set KeepAliveEnabled to OFF when using prefork mpm or use worker mpm in Apache.
Note:
If bothKeepAliveEnabled and
HTTP/2 are configured for a back-end connection, the following message is
generated:
KeepAliveEnabled option will be ignored since
HTTP/2 connection is enabled
KeepAliveSecs
Default: 20
The length of time after which an inactive connection between the proxy plug-in and
Oracle WebLogic Server is closed. You must set KeepAliveEnabled to
true (ON when using the Apache HTTP Server)
for this parameter to be effective.
The value of this parameter must be less than or equal to the value of the Duration field set in the Administration Console on the Server/HTTP tab, or the value set on the server Mbean with the KeepAliveSecs attribute.
MatchExpression
Default: none
Use this parameter to modify the values of existing parameters or add a new parameter for a particular configuration.
The MatchExpression parameter supports only the * and ? regular expressions
-
*which matches 0 or more characters -
?which matches exactly one character
This parameter can be configured for two scenarios.
Proxying by MIME type:
You can use this parameter in the following format to set other parameters for a particular MIME type.
Syntax:
MatchExpression <file_extension> <param=value>|<param-value>|…
For example, the following configuration proxies *.jsp to myHost:8080:
<IfModule weblogic_module> MatchExpression *.jsp WebLogicHost=myHost|WebLogicPort=8080 </IfModule>
Proxying by path:
You can also use this parameter in the following format to set other parameters for a particular path.
Syntax:
MatchExpression <path> <param=value>|<param-value>|…
For example, the following configuration proxies the URIs beginning with /weblogic to myHost:9090:
<IfModule weblogic_module> MatchExpression /weblogic WebLogicHost=myHost|WebLogicPort=9090 </IfModule>
You can also use MatchExpression to override the parameter values, as shown above. It can also be used to define new parameters (this is, those that have not been used in the configuration).
For example, the configuration below proxies all the requests to myHost:8080. The URIs that match the type jpg will be proxied to myHost:8080/images and others will be proxied to myHost:8080.
<IfModule weblogic_module> SetHandler weblogic-handler WebLogicHost myHost WebLogicPort 8080 MatchExpression *.jpg PathPrepend=/images </IfModule>
You can find more examples of how to use MatchExpression in Configuring the Oracle WebLogic Server Proxy Plug-In for Apache HTTP Server.
MaxPostSize
Default: 0
Maximum allowable size of POST data, in bytes. If the content-length exceeds
MaxPostSize, the proxy plug-in returns an error message. If set
to 0, the size of POST data is not checked. This is useful for preventing
denial-of-service attacks that attempt to overload the server with POST data.
MaxSkipTime
Default: 10
If Oracle WebLogic Server listed in either the WebLogicCluster
parameter or a dynamic cluster list returned from Oracle WebLogic Server fails, the
failed server is marked as "bad" and the proxy plug-in attempts to connect to the
next server in the list.
MaxSkipTime sets the amount of time after which the proxy plug-in
will retry the server marked as "bad." The proxy plug-in attempts to connect to a
new server in the list each time a unique request is received (that is, a request
without a cookie).
PathPrepend
Default: null
As per the RFC specification, generic syntax for URL is:
[PROTOCOL]://[HOSTNAME]:{PORT}/{PATH}/{FILENAME};{PATH_PARAMS}/{QUERY_STRING}...PathPrepend specifies the path that the proxy plug-in prepends to
the {PATH} portion of the original URL, after PathTrim is trimmed
and before the request is forwarded to Oracle WebLogic Server.
If you must append a File Name, use DefaultFileName parameter instead of PathPrepend.
PathTrim
Default: null
As per the RFC specification, generic syntax for URL is:
[PROTOCOL]://[HOSTNAME]:{PORT}/{PATH}/{FILENAME};{PATH_PARAMS}/{QUERY_STRING}...PathTrim specifies the string trimmed by the proxy plug-in from the
{PATH}/{FILENAME} portion of the original URL, before the
request is forwarded to Oracle WebLogic Server. For example, if the
http://myWeb.server.com/weblogic/foo URL is passed to the proxy
plug-in for parsing and if PathTrim has been set to strip off
/weblogic, before handing the URL to Oracle WebLogic Server,
the URL forwarded to Oracle WebLogic Server is
http://myWeb.server.com:7001/foo.
If you are newly converting an existing third-party server to proxy requests to
Oracle WebLogic Server using the proxy plug-in, you will need to change application
paths to /foo to include weblogic/foo. You can use
PathTrim and PathPrepend in combination to
change this path.
Configure the PathTrim parameter inside the
<Location> tag.
The following configuration is incorrect because the PathTrim
parameter is not configured inside the <Location> tag:
<Location /weblogic>
WLSRequest On
</Location>
<IfModule mod_weblogic.c>
WebLogicHost localhost
WebLogicPort 7001
PathTrim /weblogic
</IfModule>The following configuration is correct:
<Location /weblogic>
WLSRequest On
PathTrim /weblogic
</Location>The <Location> directive limits the scope of the enclosed
directives by URL. See Apache Location Directive.
QueryFromRequest
Default: OFF
When set to ON, specifies that the Apache HTTP Server use
(request_rec *)r->the_request
to pass the query string to Oracle WebLogic Server. (For more information, see the Apache documentation.) This behavior is desirable when a Netscape version 4.x browser makes requests that contain spaces in the query string
When set to OFF, the Apache HTTP Server uses (request_rec
*)r->args to pass the query string to Oracle WebLogic Server.
WebLogicCluster
Required when proxying to a cluster of Oracle WebLogic Servers, or to multiple non-clustered servers.
Default: none
The WebLogicCluster parameter is required to proxy a list of back-end servers that are clustered, or to perform load balancing among non-clustered managed server instances.
List of Oracle WebLogic Servers that can be used for load balancing. The server or
cluster list is a list of host:port entries. If a mixed set of
clusters and single servers is specified, the dynamic list returned for this
parameter will return only the clustered servers.
For the syntax for specifying the value of this parameter for Apache HTTP Server, see Configuring the Oracle WebLogic Server Proxy Plug-In for Apache HTTP Server.
If you are using SSL between the proxy plug-in and Oracle WebLogic Server, set the port number to the SSL listen port and set the SecureProxy parameter to ON.
The proxy plug-in does a simple round-robin between all available servers. The server list specified in this property is a starting point for the dynamic server list that the server and proxy plug-in maintain. Oracle WebLogic Server and the proxy plug-in work together to update the server list automatically with new, failed, and recovered cluster members.
You can disable the use of the dynamic cluster list by setting the DynamicServerList parameter to OFF.
The proxy plug-in directs HTTP requests containing a cookie, URL-encoded session, or a session stored in the POST data to the server in the cluster that created the cookie.
WebLogicHost
Required when proxying to a single Oracle WebLogic Server.
Default: none
Oracle WebLogic Server host (or virtual host name as defined in Oracle WebLogic
Server) to which HTTP requests should be forwarded. If you are using a Oracle
WebLogic cluster, use the WebLogicCluster parameter instead of
WebLogicHost.
WebLogicPort
Required when proxying to a single Oracle WebLogic Server.
Default: none
The port at which Oracle WebLogic Server host is listening for connection requests
from the proxy plug-in (or from other servers). (If you are using SSL between the
proxy plug-in and Oracle WebLogic Server, set this parameter to the SSL listen port
and set the SecureProxy parameter to
ON).
If you are using a Oracle WebLogic Cluster, use the WebLogicCluster
parameter instead of WebLogicPort.
WLCookieName
Default: JSESSIONID
If you change the name of the Oracle WebLogic Server session cookie in the Oracle
WebLogic Server Web application, then you must change the
WLCookieName parameter in the proxy plug-in to the same value.
The name of the Oracle WebLogic session cookie is set in the WebLogic-specific
deployment descriptor, in the <session-descriptor> element in
weblogic.xml.
WLDNSRefreshInterval
Default: 0 (Lookup once, during startup)
If defined in the proxy configuration, specifies number of seconds interval at which Oracle WebLogic Server refreshes DNS name to IP mapping for a server. This can be used if an Oracle WebLogic Server instance is migrated to a different IP address, but the DNS name for that server's IP remains the same. In this case, at the specified refresh interval the DNS<->IP mapping will be updated.
WLExcludePathOrMimeType
Default: none
This parameter allows you to exclude certain requests from proxying.
This parameter can be defined locally at the Location tag level and globally. When the property is defined locally, it does not override the global property but defines a union of the two parameters.
WLForwardUriUnparsed
Default: OFF
When set to ON, the Oracle WebLogic Server Proxy Plug-in will
forward the original URI from the client to Oracle
WebLogic Server. When set to
OFF (default), the URI sent
to Oracle WebLogic Server is subjected to
modification by mod_rewrite or
other Web Server Plug-in modules.
WLIOTimeoutSecs
New name for HungServerRecoverSecs.
Default: 120
Defines the amount of time the proxy plug-in waits for a response to a request from
Oracle WebLogic Server. The proxy plug-in waits for WLIOTimeoutSecs
for the server to respond, and then declares that the server is dead, and fails over
to the next server. You must set the value to a large value. If the value is less
than the time the servlets take to process, you might see unexpected results.
Minimum value: 10
Maximum value: 2147483647
WLLocalIP
Default: none
Defines the IP address (on the proxy plug-in's system) to bind to when the proxy plug-in connects to an Oracle WebLogic Server instance running on a multihomed machine.
If WLLocalIP is not set, the TCP/IP stack will choose the source IP
address.
WLMaxWebSocketClients
Default: Windows: Half of ThreadsPerChild, Non-Windows: Half of MaxRequestWorkers
Limits the number of active WebSocket connections at any instant of time.
Note:
The maximum value you can set for this parameter is 75 percent of ThreadsPerChild (Windows) or 75 percent of MaxRequestWorkers (non-Windows). If the value specified for this parameter is greater than the maximum allowed, it will be automatically lowered to that maximum.
WLProtocol
Default: http/1.1
Scope: Location, Server context
http/2- for HTTP/2 protocolhttp/1.1- for HTTP/1.1 protocol
This directive specifies the protocol to be used by the Oracle WebLogic Server Proxy Plug-ins to communicate with the back-end server.
If the WLProtocol directive is not configured, the Oracle WebLogic
Server Proxy Plug-ins send requests to the
back-end server over HTTP/1.1. If the back-end
server does not support HTTP/2 protocol, the
Oracle WebLogic Server Proxy Plug-in does not
fallback to HTTP/1.1 and the 503 error is
returned.
WLProxyPassThrough
Default: OFF
If you have a chained proxy setup, where a proxy plug-in is running behind some other proxy or load balancer, you must explicitly enable the WLProxyPassThrough parameter. This parameter allows the header to be passed through the chain of proxies.
WLProxySSL
Default: OFF
Set this parameter to ON to maintain SSL communication between the
proxy plug-in and Oracle WebLogic Server when the following conditions exist:
- An HTTP client request specifies the HTTPS protocol.
- The request is passed through one or more proxy servers (including the Oracle WebLogic Server Proxy Plug-in).
- The connection between the proxy plug-in and Oracle WebLogic Server uses the HTTP protocol.
When WLProxySSL is set to ON, the location header
returned to the client from Oracle WebLogic Server specifies the HTTPS protocol.
WLProxySSLPassThrough
Default: OFF
If a load balancer or other software deployed in front of the web server and proxy
plug-in is the SSL termination point, and that product sets the
WL-Proxy-SSL request header to true or
false based on whether the client connected to it over SSL, set
WLProxySSLPassThrough to ON so that the
use of SSL is passed on to the Oracle WebLogic Server.
If the SSL termination point is in the web server where the proxy plug-in operates,
or the load balancer does not set WL-Proxy-SSL, set
WLProxySSLPassThrough to OFF
(default).
WLRetryOnTimeout
Default: None
Tells the Oracle WebLogic Server Proxy Plug-in whether to retry requests (including POST requests) when a time-out occurs before Oracle WebLogic Server sends the status line. Valid arguments are:
ALL: All requests are retried.IDEMPOTENT: Only requests that use idempotent methods are retried.NONE: No requests are retried.
WLRetryAfterDroppedConnection
Default: ALL
Tells the Oracle WebLogic Server Proxy Plug-ins which requests to retry when a connection is lost before Oracle WebLogic Server sends the status line. Valid arguments are:
ALL: All requests will be retried.IDEMPOTENT: Only requests using idempotent methods will be retried.NONE: No requests will be retried.
WLServerInitiatedFailover
Default: ON
This controls whether a 503 error response from Oracle WebLogic Server triggers a
failover to another server. Normally, the proxy plug-in will attempt to failover to
another server when a 503 error response is received. When
WLServerInitiatedFailover is set to OFF,
the 503 error response will be returned to the client immediately.
WLSocketTimeoutSecs
Default: 2 (must be greater than 0)
Set the timeout for the socket while connecting, in seconds. See ConnectTimeoutSecs and ConnectRetrySecs for additional details.
WLSRequest
Default: OFF
This is an alternative to the WLSRequest On mechanism of identifying requests to be forwarded to Oracle WebLogic Server. For example,
<Location /weblogic> WLSRequest ON PathTrim /weblogic </Location>
The use of WLSRequest ON instead of SetHandler weblogic-handler has the following advantages:
-
Lower web server processing overhead in general
-
Resolves substantial performance degradation when the web server
DocumentRootis on a slow filesystem -
Resolves 403 errors for URIs which cannot be mapped to the filesystem due to the filesystem length restrictions
SSL Parameters for Oracle WebLogic Server Proxy Plug-Ins
The names of the SSL parameters for Oracle WebLogic Server Proxy Plug-ins are case sensitive.
Note:
The SCG certificates are not supported for use with Oracle WebLogic Server Proxy Plug-in. The non-SCG certificates work appropriately and allow SSL communication between Oracle WebLogic Server and the proxy plug-in.
KeyStore-related initialization parameters are not supported for use with Oracle WebLogic Server Proxy Plug-in.
This section includes the following topics:
Parent topic: Parameters for Oracle WebLogic Server Proxy Plug-Ins
SecureProxy
Default: OFF
Set this parameter to ON to enable the use of the SSL protocol for all communication between the proxy plug-in and Oracle WebLogic Server. Remember to configure a port on the corresponding Oracle WebLogic Server for the SSL protocol before defining this parameter.
This parameter may be set at two levels: in the configuration for the main server and—if you have defined any virtual hosts—in the configuration for the virtual host. The configuration for the virtual host inherits the SSL configuration from the configuration of the main server if the setting is not overridden in the configuration for the virtual host.
Parent topic: SSL Parameters for Oracle WebLogic Server Proxy Plug-Ins
WebLogicSSLCiphers
Ciphers Supported:
- TLSv1.3 ciphers:
TLS_AES_256_GCM_SHA384TLS_AES_128_GCM_SHA256
- TLSv1.2 ciphers:
ECDHE-RSA-AES256-GCM-SHA384ECDHE-RSA-AES128-GCM-SHA256ECDHE-ECDSA-AES256-GCM-SHA384ECDHE-ECDSA-AES128-GCM-SHA256
Deprecated (yet available) TLSv1.2 ciphers:
AES128-GCM-SHA256AES256-GCM-SHA384AES128-SHA256AES256-SHA256AES256-SHAAES128-SHA
Default: All supported ciphers
Scope: Server, VirtualHost
Applies to: Apache HTTP Server
This directive accepts a space separated list of ciphers to be used between Oracle WebLogic Server Proxy Plug-in and Oracle WebLogic Server.
Note:
- If
WebLogicSSLCiphersis set to TLSv1.3 ciphers andWebLogicSSLVersionis set to TLSv1.2, or vice versa, the following error message is thrown during the server startup:Error: No available SSL version. Possible Mismatch between the configured protocol(s) and cipher(s) - If
WebLogicSSLCiphersis omitted, then the default list of ciphers is selected (that is, all supported ciphers). - If
WebLogicSSLVersionis omitted, then the default list of protocols is selected, which is TLSv1.2 and TLSv1.3. - If you want to remove a particular cipher, you must explicitly set a list of ciphers by omitting that cipher. Only the ciphers specified with the
WebLogicSSLCiphersdirective will be enabled. - A web server starts if there is at least one supported cipher in the list of ciphers configured with the
WebLogicSSLCiphersdirective. If the list contains any unsupported cipher, a warning message is displayed and the unsupported cipher is ignored. - Both TLSv1.2 (and below) and TLSv1.3 ciphers can be configured using the
WebLogicSSLCiphersdirective. For example:WebLogicSSLCiphers TLS_AES_256_GCM_SHA384 ECDHE-ECDSA-AES128-GCM-SHA256
Parent topic: SSL Parameters for Oracle WebLogic Server Proxy Plug-Ins
WebLogicSSLVersion
Default: TLSv1.2, TLSv1.3
Specifies the SSL protocol version to use for communication between the proxy plug-in
and the Oracle WebLogic Server. This setting need
not match that of the web server's
ssl.conf file. The proxy plug-in
can have its own SSL version to communicate with
Oracle WebLogic Server.
The following values are accepted:
TLSv1_1orTLSv1.1: Uses TLS v1.1TLSv1_2orTLSv1.2: Uses TLS v1.2TLSv1_3orTLSv1.3: Uses TLS v1.3 (Applicable for Apache HTTP Server on Linux only.)
For example:
WebLogicSSLVersion TLSv1_2 TLSv1_3You can define multiple protocols by using a space-separated list. The SSL protocol version chosen is used for all the connections from the proxy plug-in to Oracle WebLogic Server. Hence, define this parameter at the global scope.
If not configured, the proxy plug-in uses the best protocol supported by both the proxy plug-in and Oracle WebLogic Server.
Note:
- As of the 14.1.1.0.0 release of the proxy plug-in, the default minimum version of the Transport Layer Security (TLS) protocol configured is TLSv1.2. Oracle recommends that you use TLS V1.2 or later in a production environment. It is still possible to configure TLSv1.1 protocol for communication between the proxy plug-in and Oracle WebLogic Server. However, the proxy plug-in throws a WARNING message when this protocol is configured.
- To configure TLSv1.1, you have to explicitly configure the ciphersuite. The ciphersuites compatible with TLSv1.1 are AES128-SHA and AES256-SHA. For more information about configuring ciphersuites, see WebLogicSSLCiphers.
- If
WebLogicSSLCiphersis set to TLSv1.3 ciphers andWebLogicSSLVersionis set to TLSv1.2, or vice versa, the following error message is thrown during the server startup:Error: No available SSL version. Possible Mismatch between the configured protocol(s) and cipher(s)
Parent topic: SSL Parameters for Oracle WebLogic Server Proxy Plug-Ins
WLSSLCheckCn
Default: OFF
Scope: Location, Server context
- The host name configured using the
WebLogicHostorWebLogicClusterdirective must match theCommon Nameattribute of the SSL certificate'sDistinguished Namesor thesubjectAltNameextension. - The SSL certificate referred to here is the certificate configured for the Oracle WebLogic Server Managed Server serving the request.
Parent topic: SSL Parameters for Oracle WebLogic Server Proxy Plug-Ins
WLSSLWallet
Default: none
Scope: Server context, Virtual Host context
The WLSSLWallet performs one-way or two-way SSL based on how SSL is configured for Oracle WebLogic Server. The export_wallet program exports the wallet into PEM formatted files on the file system. For each user-supplied wallet, three files may be created in the same file system path where the auto-login wallet is present:
key.pem: A pass-phrase protected file containing the private key in PEM format, if a private key is present in the wallet.user.crt: User certificate in PEM format, if a user certificate is present in the wallet.trusted_certs.crt: Chain of trusted certificates in PEM format.
Set the path of an Oracle Wallet (containing an SSO wallet file) as an argument. For example:
WLSSLWallet "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/default"
Parent topic: SSL Parameters for Oracle WebLogic Server Proxy Plug-Ins