Best Practices from Oracle Development's A‑Team

SSL offloading and WebLogic server redux - client x.509 certificates

I recently had to revisit the subject of SSL offloading and WebLogic server to include the ability to do client certificate authentication. I was specifically doing this for use with Oracle Access Manager 11g, but the configuration steps are identical whether you are using OAM or just WebLogic.

Just to redraw the diagram so we're all on the same page, this is what a real environment with OAM in it might look like:


Note that I put "Apache" in front of the OAM server. That could be Apache, IIS, OHS or indeed any web server. In my case I happened to use Apache but the configuration is the same for Apache or OHS.

The first thing I had to do was configure Apache to support SSL. I'll leave that step up to you - just follow the normal instructions for your web server. Then I created a new VirtualHost for :443 that looks like this:

<VirtualHost *:443>   ServerName linux.ktest.oracleateam.com   SSLEngine on   SSLProtocol all -SSLv2   SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW   SSLCertificateFile /home/oracle/simpleCA/linux.ktest.oracleateam.com.crt   SSLCertificateKeyFile /home/oracle/simpleCA/linux.ktest.oracleateam.com.key   <LocationMatch ^/oam/server/.*>     SetHandler weblogic-handler   </LocationMatch>   <LocationMatch ^/oam/CredCollectServlet/X509.*>     SSLVerifyClient require     SSLVerifyDepth 1     SSLCACertificateFile /home/oracle/simpleCA/ca.crt     SSLOptions +StdEnvVars +ExportCertData   </LocationMatch> </VirtualHost>

There are a couple of interesting things in there.

  1. The LocationMatch for "^/oam/server/.*" which routes any requests that match that regular expression on to the WebLogic plug-in so they can be sent to the OAM server
  2. The LocationMatch for "^/oam/CredCollectServlet/X509.*" In OAM 11g the only URL that actually needs to require client certificate authentication is the x.509 credential collector. By putting "SSLVerifyClient require" on that Location we are telling Apache that unless the user presents a client certificate it should not process the request but instead demand a certificate from the user
  3. The last item is the one that caused me grief - unless you add "SSLOptions +StdEnvVars +ExportCertData" mod_wl will not send the client certificate information down to the WebLogic server

That's all the configuration you need to do in Apache (or OHS). Now you need need to do a couple of steps inside WebLogic.

  1. Check the "WebLogic Plugin Enabled" checkbox as we did in the previous blog post.
  2. On the same page check the "Client Cert Proxy Enabled"

To reiterate where those are - go to the WebLogic Console (http://localhost:port/console), click on the domain name inside the left hand navigation tree, then click the Web Applications tab. You should find both of those settings towards the bottom of the screen.

That should be all you need to do.

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.Captcha

Recent Content