SSL offloading and WebLogic server redux - client x.509 certificates
I recently had to revisit the subject of SSL offloading and WebLogic server to include the ability to do client certificate authentication. I was specifically doing this for use with Oracle Access Manager 11g, but the configuration steps are identical whether you are using OAM or just WebLogic.
Just to redraw the diagram so we're all on the same page, this is what a real environment with OAM in it might look like:
Note that I put "Apache" in front of the OAM server. That could be Apache, IIS, OHS or indeed any web server. In my case I happened to use Apache but the configuration is the same for Apache or OHS.
The first thing I had to do was configure Apache to support SSL. I'll leave that step up to you - just follow the normal instructions for your web server. Then I created a new VirtualHost for :443 that looks like this:
<VirtualHost *:443>
    ServerName linux.ktest.oracleateam.com
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /home/oracle/simpleCA/linux.ktest.oracleateam.com.crt
    SSLCertificateKeyFile /home/oracle/simpleCA/linux.ktest.oracleateam.com.key

    <LocationMatch ^/oam/server/.*>
        SetHandler weblogic-handler
    </LocationMatch>

    <LocationMatch ^/oam/CredCollectServlet/X509.*>
        SSLVerifyClient require
        SSLVerifyDepth 1
        SSLCACertificateFile /home/oracle/simpleCA/ca.crt
        SSLOptions +StdEnvVars +ExportCertData
    </LocationMatch>
</VirtualHost>
There are a couple of interesting things in there:
- The LocationMatch for "^/oam/server/.*" routes any request matching that regular expression to the WebLogic plug-in (mod_wl) so it can be forwarded to the OAM server.
- The LocationMatch for "^/oam/CredCollectServlet/X509.*": in OAM 11g the only URL that actually needs to require client certificate authentication is the x.509 credential collector. Putting "SSLVerifyClient require" on that Location tells Apache not to process a request for it unless the user presents a client certificate; instead it demands one from the user. Because the directive sits in a per-location context, mod_ssl renegotiates the already-established TLS session when a request for that location arrives and only then asks for the certificate, so users are prompted only when they reach the collector, not on every page (TLS 1.3 has no renegotiation, so there this depends on post-handshake authentication support in both httpd and the browser). "SSLVerifyDepth 1" means the certificate must be self-signed or issued directly by a CA in ca.crt; a certificate issued through an intermediate CA is rejected.
- The last item is the one that caused me grief: unless you add "SSLOptions +StdEnvVars +ExportCertData", mod_ssl does not export the client certificate (as the SSL_CLIENT_CERT environment variable), so mod_wl has nothing to send down to the WebLogic server.
Two settings in that VirtualHost are fine for a lab but not for production: "SSLProtocol all -SSLv2" still allows SSLv3, and the SSLCipherSuite list admits RC4 and LOW-strength ciphers. Tighten both on a real deployment; neither affects the client certificate handling described here.
That's all the configuration you need to do in Apache (or OHS). Now you need to do a couple of steps inside WebLogic.
- Check the "WebLogic Plugin Enabled" checkbox as we did in the previous blog post.
- On the same page check the "Client Cert Proxy Enabled"
To reiterate where those are - go to the WebLogic Console (http://localhost:port/console), click on the domain name inside the left hand navigation tree, then click the Web Applications tab. You should find both of those settings towards the bottom of the screen.
That should be all you need to do. One warning before you enable this anywhere but a lab: "Client Cert Proxy Enabled" makes WebLogic trust the certificate it receives in the WL-Proxy-Client-Cert header as if it had authenticated that client itself. Anyone who can open a connection to a managed server's listen port directly, bypassing Apache, can set that header and impersonate any certificate holder. Restrict direct access to the WebLogic listen addresses to the proxy hosts (a WebLogic connection filter, or a network ACL in front of the servers) before you turn the setting on.
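To see the pieces the Apache configuration above relies on, here is an added example (not from the original post, and not Oracle's code) that builds a throw-away CA and client certificate with the openssl CLI, standing in for the post's /home/oracle/simpleCA. It makes the same trust decision mod_ssl makes against SSLCACertificateFile, rejects a self-signed certificate from someone who does not hold the CA key, and produces the single-line base64 DER form of the certificate that "+ExportCertData" exposes as SSL_CLIENT_CERT and that mod_wl forwards to WebLogic in the WL-Proxy-Client-Cert header. The two curl probes at the end exercise the collector URL with and without a certificate and the direct-to-WebLogic forged-header case discussed above; they need a live server and are only run if you call them. The scratch directory, certificate subjects and URLs are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: lab CA + client cert with
# the openssl CLI, the mod_ssl trust check, and the header form of the
# certificate that mod_wl forwards. Directory and names are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"                 # scratch dir (assumed)
COLLECTOR="/oam/CredCollectServlet/X509"     # collector path from the post

# Self-signed CA: the equivalent of the post's ca.crt (SSLCACertificateFile).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Lab CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Client certificate issued directly by the CA: one issuer hop, which is
# exactly what "SSLVerifyDepth 1" allows.
make_client_cert() {                         # $1 = common name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/$1.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/$1.crt" 2>/dev/null
}

# A self-signed certificate made without the CA key: what someone who does
# not hold ca.key could present to the collector.
make_self_signed_cert() {                    # $1 = common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# The trust decision mod_ssl makes against SSLCACertificateFile.
# Returns 0 when the certificate chains to ca.crt, 1 otherwise.
verify_chain() {                             # $1 = common name
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" 2>/dev/null | grep -q ': OK$'
}

# Single-line base64 of the DER certificate: the PEM body without its
# BEGIN/END lines, i.e. what +ExportCertData puts in SSL_CLIENT_CERT and
# what mod_wl carries to WebLogic in WL-Proxy-Client-Cert.
wl_proxy_header() {                          # $1 = common name
  openssl x509 -in "$WORK/$1.crt" -outform DER | openssl base64 -A
}

# Decode a header value back and print its subject: the identity WebLogic
# would take as authenticated once Client Cert Proxy is enabled.
header_subject() {                           # $1 = header value
  printf '%s' "$1" | openssl base64 -d -A | openssl x509 -inform DER -noout -subject
}

# Live probe 1 (needs the Apache front end; not run by default). Without a
# certificate the request must not get through; with user1's certificate it
# should reach mod_wl. "000" means no HTTP response, i.e. TLS refused it.
probe_collector() {                          # $1 = https base URL of the vhost
  printf 'no cert:   '
  curl -sk -o /dev/null -w '%{http_code}\n' "$1$COLLECTOR" || true
  printf 'with cert: '
  curl -sk -o /dev/null -w '%{http_code}\n' \
    --cert "$WORK/user1.crt" --key "$WORK/user1.key" "$1$COLLECTOR" || true
}

# Live probe 2 (needs a managed server; not run by default). Connect to the
# WebLogic listen port directly with a forged header. With Client Cert Proxy
# Enabled this is treated as an authenticated certificate, so the connection
# itself must be refused (connection filter / ACL) unless it comes from the proxy.
probe_direct_wls() {                         # $1 = http base URL of the managed server
  curl -s -o /dev/null -w '%{http_code}\n' \
    -H "WL-Proxy-Client-Cert: $(wl_proxy_header user1)" "$1$COLLECTOR" || true
}

main() {
  make_ca
  make_client_cert user1
  make_self_signed_cert rogue
  verify_chain user1 && echo "user1: chains to ca.crt (accepted)"
  verify_chain rogue || echo "rogue: not issued by ca.crt (rejected)"
  echo "WL-Proxy-Client-Cert value for user1:"
  wl_proxy_header user1; echo
  header_subject "$(wl_proxy_header user1)"
}
main
```

Run it with WORK set to a directory you want to keep, then point probe_collector at the Apache vhost and probe_direct_wls at a managed server's own listen address; if the second probe returns anything other than a refused connection, the managed server is reachable around the proxy and the header can be forged.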