Enabling SSL in between OHS & OutBound Applications
Prerequisites:
- OHS SSL is enabled.
- Outbound App SSL is enabled like OAM, Weblogic, OIM etc.
- Consider your OHS server name is https://abc.com. So if admin needs to access the oamconsole. Admin will fire the url as https://abc.com/oamconsole
- To enable this usecase, /oamconsole is to be added in ssl.conf/mod_wl_ohs.conf file(usual way).
- But the catch is that our OHS & OAM are in SSL mode.
- This means that they will do handshake before starting to talk to each other.
- As we all know that while doing handshake, server sends its user certificate, now this cert is verified by client i.e. here mod_wl_proxy of OHS. So the wallet used by it has to have the trusted certificate entry in it.
Steps you need to follow for this are as;
- Import the certificate used by Outbound app such as Oracle WebLogic Server into the Oracle HTTP Server wallet as a trusted certificate.
- To add trusted certificate you can use orapki utility or any of your choice.
- <MW_HOME>/oracle_common/bin/orapki wallet add -wallet ./ -trusted_cert -cert cacert.pem -auto_login_only
- Note: './' is used as we consider that you are running this command from the directory where your cwallet.sso is present. You can substitute it with directory path of cwallet.sso as well.
- Now you need to add 2 tags in ssl.conf or mod_wl_proxy.conf:
SecureProxy On
WlSSLWallet "<wallet location>"
Complete Eg:
<Location /console>
SetHandler weblogic-handler
WebLogicHost xyz.us.domain.com
WebLogicPort 7001
SetHandler weblogic-handler
WebLogicHost xyz.us.domain.com
WebLogicPort 7001
SecureProxy ON
WlSSLWallet "/MW_HOME/keystores/newwallet"
</Location>
WlSSLWallet "/MW_HOME/keystores/newwallet"
</Location>
Now start your OHS server, and try to access the proxied url, you should be able to make a successful connection. You can also confirm the same by capturing wireshark traces.
Hope this helps... :-)
Useful links:
Enjoy :-)