Showing posts with label SecureProxy. Show all posts
Showing posts with label SecureProxy. Show all posts

Monday, 3 July 2017

Enable SSL in between OHS & Outbound Applications

Enabling SSL in between OHS & OutBound Applications

Prerequisites:
  1. OHS SSL is enabled.
  2. Outbound App SSL is enabled like OAM, Weblogic, OIM etc.
What we are aiming is to setup SSL in b/w OHS & outbound apps

Eg: Consider you want to proxy your OAM server via OHS as a load balancer/proxy call it any. This is a very normal usecase where you have your OAM servers sitting in your data-center & you don't want it's hostname/IP to be exposed. So what you usually do is proxy OAM via OHS.
  • Consider your OHS server name is https://abc.com. So if admin needs to access the oamconsole. Admin will fire the url as https://abc.com/oamconsole
  • To enable this usecase, /oamconsole is to be added in ssl.conf/mod_wl_ohs.conf file(usual way).
  • But the catch is that our OHS & OAM are in SSL mode.
  • This means that they will do handshake before starting to talk to each other.
  • As we all know that while doing handshake, server sends its user certificate, now this cert is verified by client i.e. here mod_wl_proxy of OHS. So the wallet used by it has to have the trusted certificate entry in it.

Steps you need to follow for this are as;

  • Import the certificate used by Outbound app such as Oracle WebLogic Server into the Oracle HTTP Server wallet as a trusted certificate.
    • To add trusted certificate you can use orapki utility or any of your choice.
    • <MW_HOME>/oracle_common/bin/orapki wallet add -wallet ./ -trusted_cert -cert cacert.pem -auto_login_only 
    • Note: './' is used as we consider that you are running this command from the directory where your cwallet.sso is present. You can substitute it with directory path of cwallet.sso as well.
  •  Now you need to add 2 tags in ssl.conf or mod_wl_proxy.conf:
    • SecureProxy On
      WlSSLWallet "<wallet location>" 

Complete Eg:

<Location /console>
SetHandler weblogic-handler
WebLogicHost xyz.us.domain.com
WebLogicPort 7001
SecureProxy ON
WlSSLWallet "/MW_HOME/keystores/newwallet"
</Location>


Now start your OHS server, and try to access the proxied url, you should be able to make a successful connection. You can also confirm the same by capturing wireshark traces. 

Hope this helps... :-)

Useful links:

Enjoy :-)