Oracle Weblogic Server: Configure Apache With SSL Certificates To Forward Requests To WebLogic Server Environment
This article provides detailed steps to configure Apache with SSL in a WLS environment.
This process will successfully setup SSL communication between the client (browser) and the Apache Web Server as well as SSL (https) communication between the Apache Web Server and the WebLogic Server.
At a high level, the following steps are implemented:
- Create a valid certificate from Verisign.
- Configure Apache plugin to use SSL using the new certificate.
- Configure WLS to use the new certificate.
- Test SSL proxy request to WLS.
Solution
Apache configuration
- Install Apache 2.2.
- Include the following in httpd.conf file:
LoadModule weblogic_module modules/mod_wl_22.so
Note that this filename is different in different versions of the WebLogic plug-in: change the filename as needed for your version. - Copy the mod_wl_22.so from the folder: <WebLogic_Home>\server\plugin\win\32 to <Apache_Home>\modules. Note that this filename is different in different versions of the WebLogic plug-in: change the filename as needed for your version.
- Uncomment
LoadModule ssl_module modules/mod_ssl.so
in httpd.conf - Uncomment
include conf/extra/httpd-ssl.conf
in httpd.conf. - Now run the following commands in apache:
set OPENSSL_CONF=F:\apache2.2\conf\openssl.cnfIt will generate the CSR file. Place the CSR file in a particular folder.
> />openssl genrsa -des3 -out localhost.key 1024
Enter pass phrase:
> />openssl req -new -key localhost.key -out localhost.csr> />> /> - Go to the Verisign website and enter personal information. It will ask for the CSR. Please enter the above CSR and the root CN information.
- Verisign will send a mail with intermediate certificate, public certificate and root CA.
- Once included, you must comment for Windows:
#SSLPassPhraseDialog builtin
- Include the following:
SSLCertificateFile "<dir>/public.crt" => save this from the email sent by verisign
SSLCertificateKeyFile "<dir>/localhost.key"
SSLCertificateChainFile "<dir>/intermediate.crt"
And comment other similar entries. - Test https://localhost/index.html: it will work.
WebLogic Server Configuration
- Generate a private key
jdk_home\bin\keytool -genkey -alias <your_alias_name> -keyalg RSA -keystore <your_keystore_filename> - Generate a certificate request (CSR file).
jdk_home\bin\keytool -certreq -keyalg RSA -alias <your_alias_name> -file certreq.csr -keystore <your_keystore_filename> - Paste the csr file and get the trail certificate(save as public.pem) and intermediate CA (save as intermediate.pem) and Root CA (save as CA.pem) from the email sent from Verisign website.
- Import root CA into keystore:
keytool -import -alias verisignCA -file CA.pem -keystore <your_keystore_filename> -trustcacerts - Import intermediate CA into keystore:
keytool -import -alias verisignIntermediateCA -file Intermediate.pem -keystore <your_keystore_filename> -trustcacerts - Import the public key into your keystore. It will go on the same alias as the private key:
keytool -import -alias <your_alias_name> -file public.pem -keystore <your_keystore_filename> -trustcacerts - To view the keystore:
keytool -list -keystore mykeystore.jks -v - From the Admin console, go to your server page, and in the Keystore & SSL tab choose:
Custom Identity and Custom Trust
Custom Identity
Custom Identity Key Store File Name: <your_keystore_filename>
Custom Identity Key Store Type: jks
Custom Identity Key Store Pass Phrase: <your password>
Confirm Custom Identity Key Store Pass Phrase: <your password>
Custom Trust
Custom Trust Key Store File Name: <your_keystore_filename>
Custom Trust Key Store Type: jks
Custom Trust Key Store Pass Phrase: <your password>
Confirm Custom Trust Key Store Pass Phrase: <your password>
- Restart your server and now try https://localhost:7002/console
- You should see the following while server starts up:
GMT+05:30>
<Certificate expires in 14 days: [
[
Version: V3
Subject: CN=localhost, OU=Terms of use at www.verisign.com/cps/testca (c)05, OU=oracle,
O=oracle, L=BANG, ST=KA, C=IN
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus:
1005070948376358074374236852403785592182590705370591472921278852507162691666556315447504840297044217
406796806
8632923437196828010145594050195432044329126731123133367158479667242853741709746093197774813648593717
91639176198708507422
56868100626678565588940082002286028558797528920106552889565563824202336798115363
public exponent: 65537
Validity: [From: Tue Aug 04 05:30:00 GMT+05:30 2009,
To: Wed Aug 19 05:29:59 GMT+05:30 2009]
Issuer: CN=VeriSign Trial Secure Server CA - G2, OU=Terms of use at
https://www.verisign.com/cps/testca (c)09, OU="For
Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
SerialNumber: [ 5f8db365 ede6fd4b fbd717f2 48b0804f]
Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 62 30 60 A1 5E A0 5C 30 5A 30 58 30 56 16 09 .b0`.^.\0Z0X0V..
0010: 69 6D 61 67 65 2F 67 69 66 30 21 30 1F 30 07 06 image/gif0!0.0..
0020: 05 2B 0E 03 02 1A 04 14 4B 6B B9 28 96 06 0C BB .+......Kk.(....
0030: D0 52 38 9B 29 AC 4B 07 8B 21 05 18 30 26 16 24 .R8.).K..!..0&.$
0040: 68 74 74 70 3A 2F 2F 6C 6F 67 6F 2E 76 65 72 69 http://logo.veri
0050: 73 69 67 6E 2E 63 6F 6D 2F 76 73 6C 6F 67 6F 31 sign.com/vslogo1
0060: 2E 67 69 66 .gif
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 28 17 13 8A BD D6 A2 B5 DC 06 2C B7 B6 8E DA 10 (.........,.....
0010: 66 60 6E E5 f`n.
]
]
[3]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://SVRTrial-G2-crl.verisign.com/SVRTrialG2.crl]
]]
[4]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
[1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2]]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.21] - Click the lock icon in the bottom right of the screen and view the certificate.
- Goto certification Path and select Root Certificate. View the certificate and copy to file MyWeblogicCAToTrust.cer in a particular location, say location1.
WebLogic Server Apache Plugin Configuration
- Configure the following in Apache httpd configuration.
<IfModule mod_weblogic.c>
WebLogicHost myip
WebLogicPort myport
SecureProxy ON
TrustedCAFile "<location1>\MyWeblogicCAToTrust.cer"
RequireSSLHostMatch false
EnforceBasicConstraints OFF
Debug ALL
WLLogFile <location>/wl_log.log
</IfModule>
<Location /weblogic>
SetHandler weblogic-handler
</Location>
<Location /console>
SetHandler weblogic-handler
</Location> - Access http://localhost:7001/console
- Import the CA.pem for apache and weblogic in the browser using content-> certificate-> Import-> Autoselect store based on type of cert- option.
1 Comments
It was just an example, in this case u need to locate ur certificate file.
ReplyDelete