Showing posts with label obrar.cgi. Show all posts
Showing posts with label obrar.cgi. Show all posts

Wednesday, 28 October 2015

OAM Webgate - Unable to get https redirect back to load balancer

Problem Description:

Load Balancer running on 'https' i.e. SSL enabled and behind it their is a web server (OTD/OHS/APACHE...any) on which webgate is integrated. 

The web server may be SSL enabled or may be not. But this webserver expects that the load balancer will tell about its SSL  state i.e. http or https. And this info actually not provided


Lets Understand the Use Case:

Say Load Balancer listening on - https://abc.com, the web server behind it is listening on http://xyz.abc.com:7777.

Now when the request lands on the load balancer it gives this request to the proxied web server where webgate redirects this to OAM Server by making a http://<host:port>/obrareq.cgi?<querystring> request.
OAM Server authenticates/authorizes the user's request & thus makes a redirect back to the server by making a http://<host:port>/obrar.cgi?<quesrystring> request. 

Thus here lies the issue, this obrar.cgi redirect should be on https:// rather it is on http://

Ever wondered why so; the reason is that the load balancer has not sent any info about its SSL state, that whether it is running in http or https mode.
That's why webgate has not given this same info to OAM Server, thus OAM server makes the obrar.cgi redirect on http instead of https.
 

Solution:

IS_SSL header is the solution; this header need to be set in the load balancer config file;
Now if load balancer is;
  • Apache/OHS than one need to set this header in the virtual host config
    • RequestHeader set IS_SSL ssl
  • OTD; one need to set this in the server obj conf file;
    • AuthTrans fn="set-variable" set-headers="is_ssl=ssl"     ;
After this restart the load balancer  ; test the use case & the issue is resolved;

Read More:
http://fusionsecurity.blogspot.in/2011/04/ssl-offloading-and-weblogic-server.html


Enjoy :-)