Wrong SSL Handshake Behavior for each WebCenter Request, When Terminating SSL at OHS

Introduction During performance tuning it was noticed that SSL Handshake was taking place for each static request. Further investigation revealed that the problem was due to OHS SSL configuration, which unfortunately by default is wrongly included when OHS was installed. Main Article During performance tuning A-Team identified that in same cases SSL handshake was required […]

Converting SSL certificate generated by a 3rd party to an Oracle Wallet

     
     Recently a customer asked me how to import his private key and certificate into an Oracle HTTP Server Wallet.
The customer generated a CSR outside the OHS Wallet Manager, using Open SSL, and sent it to a CA to get his certificates issued by them.
Unfortunately, the Wallet Manager only allows you to import certificates which were created for a CSR generated by the Wallet itself.
Despite this minor limitation, there is a workaround to get your private key, certificate and CA trusted certificates chain into Oracle Wallet.
This post explains the simple steps to achieve this, with a little help from Open SSL.

  1.       What you will need:
a. openssl installed in a machine
b. The server’s certificate (PEM format)
c. The server’s encrypted private key and it’s password
d. The CA root and intermediate certificates (these must be concatenated into a single file, also in PEM format)
 
        2.    On a server with openssl installed, issue the following command:
 

openssl pkcs12 -export -in certfile -inkey keyfile -certfile cacertfile -out ewallet.p12

 

Where:

                certfile: is the server’s certificate
                keyfile: is the server’s private key
                cacertfile: is the CA’s concatenated root and intermediate certificates.
 
Note that the resulting file must be named ewallet.p12 in order to be recognized by Oracle Wallet Manager.

 

 
3      3.       Enter the private key’s passphrase when prompted for it.
        4.       Enter an export password when prompted for it. You MUST supply a non-blank password. You will need to type it again as verification.
        5.       Upload the ewallet.p12 file to the Oracle Application Server. Move it to where the OHS can access it.
        6.       Start the Oracle Wallet Manager application.
        7.      Under the Wallet menu, click Open.
        8.      You will likely receive an error message about the default wallet directory not existing, and asking you if you want to continue. Click Yes.
 
 
       9.   You will be asked to select the directory where the wallet file is located. Find the directory where you moved the file ewallet.p12 to.
      10.   You will be asked for the wallet password. Enter the export password you entered when converting the certificate.
      11.   The wallet should open, and the certificate may be displayed as empty – don’t worry about that right now. You should also see the CA certificate under “Trusted Certificates”.
 
 
      12.   Under the Wallet menu, select “Auto Login”. Verify that it was selected by viewing the Wallet menu again; the Auto Login box should now have a check mark.
 
       13.  Under the Wallet menu, select “Exit” to quit the Oracle Wallet Manager application.
       14.   Now you should have 2 files in the directory: ewallet.p12 and cwallet.sso. Both files must be together at the same directory so the OHS can access the wallet.
       15.   Shutdown OHS.
       16.   Modify your OSH ssl.conf (default location should look something like /home/oracle/Middleware/Oracle_WT1/instances/instance1/config/OHS/ohs1/ssl.conf) so the directive SSLWallet points to the directory where you saved both files, for example:
      
      SSLWallet “${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/default
 

 17.   Start OHS and access its HTTPS home page. Inspect the certificate presented by the browser and you should see your new certificate and the CA chain.

 
 

 

Front-ending a SAML Service Provider with OHS

This is a follow-up to one of my previous posts titled Integrating OBIEE 11g into Weblogic’s SAML SSO, where I mention the following when configuring the Service Provider: “The Published Site URL field value is the base URL for federation services on the server. For SAML2, make sure the webcontext path is saml2. This is […]

Using a Web Proxy Server with WebCenter Family

The use of a Web Tier is always recommended in a production environment, for security, performance and better control and load management, no matter if is a Intranet, internet or extranet environment.

The most common use for the Web Tier with WebCenter is acting as Reverse Proxy to forward all requests to a frontend WebCenter site to the application server (Figure A), but there’s to many ways to do an enterprise deployment with a web tier and many flavors of web servers and load balancing options.

FigA

Let’s start with the WebLogic plugin with supported webservers. You can found the standard plugins in your WebLogic instalation dir, that will something like “%WEBLOGIC_HOME%/server/plugin/%OS%/”, but I recommend you to download the latest plugin from Oracle’s OTN or eDelivery websites, you will found the Oracle WebLogic Server Web Server Plugins 1.1 or later. With the version 1.1 you will found plugins for Apache 2.2.x (32-Bits and 64-Bits) and for IIS 6+ and IIS 7+. Always confirm the OS support with the WLS Plugin Support Matrix. If you need support for iPlanet 6+ or 7+, you can use the version 1.0. Any throuble to found the files, try search or create to the Oracle support (Ref.: Doc ID 1111903.1).

FigB

Some times you do not want to use a separate web server, you can use the WebLogic as a Web Server by using a servlet, but this is subject for another post.

When you are deploying a WebCenter solution using a proxy server, you need to remember to proxy all your requests from all weblogics for Security, performance and Control and also all non-weblogic requests such as static files, WebCenter Content custom requests, Services, Portlets and 3rd Party.

Is common in intranet deployments you see calls direct to the application servers, calls to several different servers, like the Figure C.

FigC

Above you can see the same sample with all calls using the web server, for proxy forward, for reverse proxy, static files caching, even the use of Oracle Coherence is easy when you have a WebCenter Spaces + Content deployment.

FigD

We cannot forget to talk about the clustering and load balancers, Clustering is easy done by the WebLogic, you just need to follow the documentation. For Load balancing you need to choose what kind and what load balancer you will use.

LOAD BALANCING

You can do load balancing using the Web Proxy Server with WLS Plugin or a servlet as mentioned above or a External Load Balancer (Hardware) or Appliance.

Using the WLS Plugin you will need to remember to create a entry for WebCenter Server that are you using, that means that you need to create a entry for the /webcenter/ another for the /cs/, another for the “custom sitestudio” calls, for the portlets (If you do not create a parent folder for the portlets, you will need to create a entry for each portlet) and an entry for any other 3rd calls.

The configuration file for each entry will looks like this sample for IIS7:

 

# Changed by Oracle A-Team (Adao.Junior)
# Date: 07/31/2011
# WebCenter Content: CUSTOMER_WEB_SERVER
# WLSPlugin1.1-IIS6-IIS7-win64-x64

WebLogicCluster=192.168.100.101:8888,192.168.100.102:8888,192.168.100.101:8891,192.168.100.102:8891
ConnectTimeoutSecs=25
ConnectRetrySecs=5
KeepAliveEnabled=true
FileCaching=ON
SecureProxy=OFF

Debug=OFF
WLTempDir=C:\DEBUG\CONTENT

 

For a External Load Balancer (Hardware) you have many options, such as the f5 Big-IP, a guide to help you deploy with WebCenter could be found here.

 

There’s a option to use a hybrid configuration, with Hardware loadbalancers and Web Proxy to handle the web calls between the users and web farms, and web proxies and between the proxies and applications servers.