Understanding the use of “WebLogic Plugin Enabled”

Introduction:

Requests to a WebLogic Server (WLS) usually go through a web server or a load balancer that serves as a proxy for the client requests. When WLS is “front-ended” by either a web server or a load balancer, the requests are handled via a plugin. It is important for WLS to be aware of the proxy so that it handles the request correctly. Informing WLS of the proxy, and therefore of the presence of the plugin, is achieved using the WLS setting “WebLogic Plugin Enabled”. In this article, we explain the purpose of this setting and how to configure it.

 

Main Article:

WLS usually receives requests through a proxy. In the case of Fusion Applications, the Oracle HTTP Server, which uses the mod_wl_ohs plugin, serves as the proxy that routes client requests to WLS, which in turn serves the requests. In the case of other web applications, WLS may be behind a web server, a load balancer or a reverse proxy.

The WLS setting “WebLogic Plugin Enabled”, when set to true, informs WLS of the presence of the proxy. With this setting enabled, WLS sets the proprietary WL-Proxy-Client-IP header, and consequently calls to getRemoteAddr return the address of the browser client from the WL-Proxy-Client-IP header instead of the address of the web server.

It is important for WLS to be made aware of the proxy when one exists. Failure to enable this setting causes unexpected results in cases where the client IP address is required or when SSL terminates at either the load balancer or the web server. For example, OWSM may think the request came over plain HTTP, and if it has a policy that enforces SSL, the request will be denied with an error similar to the following:

[WSM_POLICY_NAME: oracle/wss11_saml_or_username_token_with_message_protection_service_policy] Failure in WS-Policy Execution due to exception.

The stack trace will show errors similar to the following:

Caused by: oracle.wsm.common.sdk.WSMException: FailedCheck : failure in security check

Caused by: oracle.wsm.security.policy.scenario.policycompliance.PolicyComplianceException: WSM-00042 : The request must be made over SSL.

 

Modifying the “WebLogic Plugin Enabled” setting

This setting can be modified at one of three levels. The levels form a hierarchy: the value set at one level serves as the default for the level below, and a value set at the lower level overrides the value from the higher level. The levels are:

The domain level
The cluster level
The individual managed server level

Setting it at the domain level sets it for each cluster and managed server within the domain. Setting it at the cluster level applies it to all the managed servers that are part of the cluster. A value set at the cluster level overrides the value at the domain level, and a value set at the managed server level overrides the value set at the cluster or domain level.

 

To configure this, log in to the WLS Administration Console as an Administrator. Within the console, first click on “Lock and Edit” to acquire a domain edit lock. This step is required if you are running WLS in production mode.

To configure this setting at the domain level, perform the following steps:

1. In the “Domain Structure” pane on the left side, click on the name of the domain, in this case IDMDomain

2. Within the “Settings for <DomainName>” page, navigate to the “Web Applications” sub-tab under the “Configuration” main tab

3. Scroll down until you see a check box titled “WebLogic Plugin Enabled”

4. Make sure the checkbox is checked and click “Save”

To configure this setting at the cluster level, perform the following steps:

1. In the “Domain Structure” pane on the left side, click on the “+” icon next to “Environment” and then click on “Clusters”

2. In the “Summary of Clusters” page, click on the cluster you want to enable this setting for, e.g., oam_cluster

3. In the “Settings for <cluster_name>” page, expand “Advanced”, make sure the box next to “WebLogic Plugin Enabled” is checked, and click “Save”

To configure this setting at the managed server level, perform the following steps:

1. In the “Domain Structure” pane on the left side, click on the “+” icon next to “Environment” and then click on “Servers”

2. In the “Summary of Servers” page, click on the server you want to enable this setting for, e.g., wls_oam1

3. In the “Settings for <server_name>” page, expand “Advanced”, make sure the box next to “WebLogic Plugin Enabled” is checked, and click “Save”

 

Once the property has been configured to the desired value, and at the desired scope (domain, cluster or server), click on “Activate Changes” to commit the configuration change.

Restart the required servers.

 

Note that once you set the property at the server or cluster level, unsetting it makes it false, and that false value continues to override any value set at the higher level (the cluster or the domain, respectively). To restore inheritance from the higher level, edit config.xml manually. It is the master configuration file for the domain and is located in the $DOMAIN_HOME/config directory. Note that for Fusion Applications there are several WebLogic domains.

Open this file in a text editor of your choice and navigate to the section where the property was originally set and later unset. In this example, it was unset for managed server wls_oam1.

[Screenshot: config.xml]

As seen above, in the highlighted section, the property is set to false, which means the plugin configuration is disabled. To change it so that it is not disabled for the managed server but instead inherits from the domain or cluster, delete this line from the file and save the changes. This requires a restart of the component.
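
To find such leftover overrides without reading config.xml by eye, the following added example (not part of the original article and not Oracle tooling) resolves the effective value for each server using the domain, cluster and server precedence described above. The element layout (weblogic-plugin-enabled under server, cluster and the domain's web-app-container) and the false default when nothing is set are assumptions, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}
FLAG = "d:weblogic-plugin-enabled"

# Constructed sample; element layout is an assumption, not copied from the page.
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>IDMDomain</name>
  <server><name>AdminServer</name></server>
  <server>
    <name>wls_oam1</name>
    <cluster>oam_cluster</cluster>
    <weblogic-plugin-enabled>false</weblogic-plugin-enabled>
  </server>
  <server><name>wls_oam2</name><cluster>oam_cluster</cluster></server>
  <cluster><name>oam_cluster</name></cluster>
  <web-app-container>
    <weblogic-plugin-enabled>true</weblogic-plugin-enabled>
  </web-app-container>
</domain>
"""

def explicit_flag(elem, path=FLAG):
    """True/False when the element sets the flag itself, None when it inherits."""
    text = elem.findtext(path, namespaces=NS)
    return None if text is None else text.strip().lower() == "true"

def effective_plugin_settings(config_xml):
    """Map server name -> (effective value, deciding level, shadows a higher 'true')."""
    root = ET.fromstring(config_xml)
    domain = explicit_flag(root, "d:web-app-container/" + FLAG)
    clusters = {c.findtext("d:name", namespaces=NS): explicit_flag(c)
                for c in root.findall("d:cluster", NS)}
    report = {}
    for srv in root.findall("d:server", NS):
        cluster = clusters.get(srv.findtext("d:cluster", namespaces=NS))
        levels = [("server", explicit_flag(srv)), ("cluster", cluster), ("domain", domain)]
        # The most specific level that sets the flag wins; unset everywhere means false.
        source, value = next(((s, v) for s, v in levels if v is not None), ("default", False))
        # An explicit false that hides a true higher up is the case the article warns about.
        shadowed = value is False and any(v for _, v in levels)
        report[srv.findtext("d:name", namespaces=NS)] = (value, source, shadowed)
    return report

if __name__ == "__main__":
    for name, (value, source, shadowed) in effective_plugin_settings(SAMPLE_CONFIG).items():
        note = "  <-- explicit false overrides an enabled higher level" if shadowed else ""
        print(f"{name}: enabled={value} (from {source}){note}")
```

Run it against a copy of $DOMAIN_HOME/config/config.xml by passing the file's contents to effective_plugin_settings; any server reported as shadowed is a candidate for the manual line removal described above.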

Comments

  1. sarapitola says:

    Hi A-Team, in WebLogic 12c the flag WebLogic Plug-In Enabled on Cluster > Configuration > General > Advanced has the new option “Default”. Does this “Default” refer to the Domain Plug-In definition? The same “behaviour” exists in Managed Server. Is it possible to clarify this change? Thx

  2. Mary BrowningSmith says:

    Hello,
    We’ve been using WLS with OBIEE for 2 years. We use Apache with WLS. We’re updating the WLS Web Server Proxy Plug-In for Apache HTTP Server. I notice that we’ve never had this setting checked before. Are there situations in which you don’t need to check this box? How can I determine if we need to do this and whether we’ve been receiving errors we didn’t know were significant?
    Thanks for your help.

    Mary

  3. Philip Varghese says:

    Naveen,
    Thanks for this clear and concise article.
    My question is around the OHS configuration.
    The OHS is configured to route a request to WLS servers that actually service the request. The WLS plugins running on the OHS can only connect to the plugins on the WLS server if the “weblogic plugin enabled” flag is set. Is that a correct understanding?

    Thanks
    Phil
