Requests to a WebLogic Server (WLS) usually go through a web server or a load balancer that serves as a proxy for the client requests. When the WLS requests are "front-ended" by either a web server or a load balancer, the requests are handled via a plugin. It is important for WLS to be aware of the proxy so that it handles the request correctly. Informing the WebLogic Server of the proxy, and therefore of the presence of the plugin, is achieved using the WLS setting “WebLogic plugin Enabled.” In this article, we will explain the purpose of this setting and how to configure it.
WLS usually receives requests through a proxy. In the case of Fusion Applications, the Oracle HTTP Server, which uses the mod_wl_ohs plugin, serves as the proxy that routes client requests to WLS, which in turn serves the requests. In the case of other web applications, WLS may be behind a web server, a load balancer or a reverse proxy.
The WLS setting “WebLogic plugin Enabled”, when set to true, informs WLS of the presence of the proxy. With this setting enabled, WLS sets the proprietary WL-Proxy-Client-IP header, and consequently calls to getRemoteAddr return the address of the browser client from the WL-Proxy-Client-IP header instead of the address of the web server.
It is important for WLS to be made aware of the proxy when one exists. Failure to enable this setting causes unexpected results in cases where the client IP address is required or when SSL terminates at either the load balancer or the web server. For example, OWSM may think the request came over plain HTTP, and if it has a policy that enforces SSL, the request will be denied with an error similar to the following:
[WSM_POLICY_NAME: oracle/wss11_saml_or_username_token_with_message_protection_service_policy] Failure in WS-Policy Execution due to exception.
The stack trace will show errors similar to the following:
Caused by: oracle.wsm.common.sdk.WSMException: FailedCheck : failure in security check
Caused by: oracle.wsm.security.policy.scenario.policycompliance.PolicyComplianceException: WSM-00042 : The request must be made over SSL.
This setting can be modified at one of three levels. The levels form a hierarchy: a value set at one level serves as the default for the level below, and a value set at the level below overrides the value set at the higher level. The levels are:
The domain level
The cluster level
The individual managed server level
Setting it at the domain level sets it for each cluster and managed server within the domain. Setting it at the cluster level applies it to all the managed servers that are part of the cluster. The value set at the cluster level overrides the value at the domain level, and the value set at the managed server level overrides the value set at the cluster or domain level.
To configure this, you need to log in to the WLS Administration Console as an Administrator. Within the console, first click on "Lock and Edit" to acquire a domain edit lock. This step is required if you are running WLS in production mode.
To configure this setting at the domain level, perform the following steps:
1. In the "Domain Structure" pane on the left side, click on the name of the domain, in this case IDMDomain
2. Within the "Settings for <DomainName>" page, navigate to the "Web Applications" sub tab under the "Configuration" main tab
3. Scroll down until you see a check box titled "WebLogic Plugin Enabled"
4. Make sure the checkbox is checked and click "Save"
To configure this setting at the cluster level, perform the following steps:
1. In the "Domain Structure" pane on the left side, click on "+" icon against "Environment" and then click on "Clusters"
2. In the "Summary of Clusters" page, click on the cluster you want to enable this setting for, e.g., oam_cluster
3. In the "Settings for <cluster_name>" page, expand "Advanced" and make sure the box against "WebLogic plugin Enabled" is checked and click "Save"
To configure this setting at the managed server level, perform the following steps:
1. In the "Domain Structure" pane on the left side, click on "+" icon against "Environment" and then click on "Servers"
2. In the "Summary of Servers" page, click on the server you want to enable this setting for, e.g., wls_oam1
3. In the "Settings for <server_name>" page, expand "Advanced" and make sure the box against "WebLogic plugin Enabled" is checked and click "Save"
Once the property has been configured to the desired value, and at the desired scope (domain, cluster or server), click on "Activate Changes" to commit the configuration change.
Restart the required servers.
Note that once you set the property at the server or cluster level, unsetting it makes it false, and that value continues to override any value set at the higher level (the cluster or the domain level, respectively). To restore the inheritance from the higher level, edit config.xml manually. It is the master configuration file for the domain and is located under the $DOMAIN_HOME/config directory. Note that for Fusion Applications there are several WebLogic domains.
Open this file in a text editor of your choice and navigate to the section where the property was set originally and later unset. In this example, it was unset for managed server wls_oam1.
As seen above, in the highlighted section, the property is set to false, which means the plugin configuration is disabled. To change it so that it is not disabled for the managed server but instead inherits from the domain or cluster, delete this line from the file and save the changes. This requires a restart of the component.
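The override hierarchy and the "unset becomes an explicit false" behaviour described above can be checked offline against a copy of config.xml. The following is an added example, not part of the original article or of any Oracle tooling. It assumes the setting is stored as a weblogic-plugin-enabled element under each server and cluster element and under web-app-container for the domain, and that the value is false when no level sets it. The embedded config is constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}

# Constructed sample for illustration, not taken from a real domain.
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>IDMDomain</name>
  <server>
    <name>wls_oam1</name>
    <cluster>oam_cluster</cluster>
    <weblogic-plugin-enabled>false</weblogic-plugin-enabled>
  </server>
  <server>
    <name>wls_oam2</name>
    <cluster>oam_cluster</cluster>
  </server>
  <cluster>
    <name>oam_cluster</name>
  </cluster>
  <web-app-container>
    <weblogic-plugin-enabled>true</weblogic-plugin-enabled>
  </web-app-container>
</domain>
"""

def _flag(elem, path):
    """True/False when the element is present, None when absent (inherit)."""
    text = elem.findtext(path, default=None, namespaces=NS)
    return None if text is None else text.strip().lower() == "true"

def effective_plugin_settings(config_xml):
    """Resolve the setting per managed server: server, then cluster, then domain."""
    root = ET.fromstring(config_xml)
    domain = _flag(root, "d:web-app-container/d:weblogic-plugin-enabled")
    clusters = {c.findtext("d:name", namespaces=NS): _flag(c, "d:weblogic-plugin-enabled")
                for c in root.findall("d:cluster", NS)}
    report = {}
    for s in root.findall("d:server", NS):
        levels = [("server", _flag(s, "d:weblogic-plugin-enabled")),
                  ("cluster", clusters.get(s.findtext("d:cluster", namespaces=NS))),
                  ("domain", domain)]
        source, value = next(((l, v) for l, v in levels if v is not None), ("default", False))
        # An explicit false that hides a true at a higher level is the case described above.
        masked = value is False and source != "default" and any(v for _, v in levels)
        report[s.findtext("d:name", namespaces=NS)] = {
            "effective": value, "source": source, "masks_higher_true": masked}
    return report

if __name__ == "__main__":
    for server, info in effective_plugin_settings(SAMPLE_CONFIG).items():
        print(server, info)
```

A server reported with masks_higher_true is one where deleting the explicit false line would restore inheritance from the cluster or domain.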