How to Terminate SSL at LBR, Another HTTP Server, Web Cache or OHS 11g - Including Steps for WLS Plugin (mod_wl_ohs)
(Doc ID 1569732.1)
Last updated on JULY 28, 2023
Applies to:
Oracle HTTP Server - Version 11.1.1.2.0 and laterWeb Cache - Version 11.1.1.2.0 and later
Oracle WebLogic Server - Version 10.3.2 and later
Oracle Fusion Middleware - Version 11.1.1.2.0 and later
Information in this document applies to any platform.
-- Concepts, experiences and issues with 12c may be the similar as in this 11g document, but see the following first for 12c:
Oracle Fusion Middleware Administering Oracle HTTP Server 12c (12.2.1)
8.7 Terminating SSL Requests
https://docs.oracle.com/middleware/12213/webtier/administer-ohs/security.htm#HSADM1327
AND
Goal
How to Terminate SSL at Load Balancer, Web Cache or OHS 11g - Including Steps for WLS Plugin (mod_wl_ohs)
Steps in this document were not formally tested by all Oracle product or application teams. Therefore, there may be issues and it may not be supported in all cases. Especially older products and applications where error correction support has expired and bugs cannot be filed. Where Oracle HTTP Server is concerned, it was only tested using OHS 11.1.1.7 where WLS version is 10.3.6 and appears to work for most applications. Some applications may make use of other redirection and dynamic generation mechanisms to produce incorrect URLs during processing. Known issues tracked at bottom of this document. If there are issues with applications built by Oracle, open a Service Request with the product/application team.
Oracle Documentation
Oracle Support has worked with Oracle Doc team to have this topology or security configuration officially documented:
Oracle Fusion Middleware Administering Oracle HTTP Server 11g (11.1.1.9)
8.4 Terminating SSL Requests
https://docs.oracle.com/middleware/11119/webtier/administer-ohs/security.htm#CDDHFDBE
Oracle Fusion Middleware Administering Oracle HTTP Server 12c (12.1.3)
8.6 Terminating SSL Requests
https://docs.oracle.com/middleware/1213/webtier/administer-ohs/man_logs.htm#HSADM1265
Oracle Fusion Middleware Administering Oracle HTTP Server 12c (12.2.1)
8.7 Terminating SSL Requests
https://docs.oracle.com/middleware/12213/webtier/administer-ohs/security.htm#HSADM1327
AND
<Note 2269377.1> How to Configure SSL to Terminate at Oracle HTTP Server Release 2 (12.2.1)? - with Oracle Forms Example
Overview and Prerequisites
In order to terminate SSL, you must consider your entire topology. This includes OHS in general and the WLS Plugin. In most cases, 11g users are also using the WLS PLugin. A Load Balancer (LBR), Oracle WebLogic Server (WLS) and the application being processed may have an extra requirement to ensure the processing stays https, as intended. You may also be serving pages from OHS using other modules, you may have Oracle Web Cache.
The reasons to terminate SSL are for performance when an internal network is otherwise protected with no risk of a third-party intercepting data within the communication. The first question to ask is what is the entire request flow in your topology and where you would like SSL terminated, meaning where https communication will stop and only http will be used.
It is assumed the following is understood and accomplished beforehand as you need a working page on OHS using mod_wl_ohs where a Java application is deployed to WLS:
1. If you are going to terminate SSL at OHS, ensure Oracle HTTP Server 11g is properly configured and working with SSL (mod_ossl):
<Note 1226933.1> Configuring Oracle HTTP Server to use SSL in Fusion Middleware 11g (11.1.1.x)
2. Ensure Oracle HTTP Server 11g is properly configured and working with the WLS Plugin (mod_wl_ohs):
<Note 1316142.1> How To Configure mod_wl_ohs with Oracle HTTP Server and Oracle WebLogic Server
-
- Note mod_wl_ohs.conf is the designated file to configure the WLS Plugin. You may have a different .conf file for the same purpose. This will be the case for Oracle Portal, Forms, Reports, Discoverer installations. If you have these successfully working using non-ssl, then they are using their designated .conf files with WLS Plugin configuration, and you should continually use the same for this configuration.
- Note mod_wl_ohs.conf is the designated file to configure the WLS Plugin. You may have a different .conf file for the same purpose. This will be the case for Oracle Portal, Forms, Reports, Discoverer installations. If you have these successfully working using non-ssl, then they are using their designated .conf files with WLS Plugin configuration, and you should continually use the same for this configuration.
3. You may need to simplify your requests at first and then determine other application requirements. The following may be used to set up a basic application:
<Note 1377400.1> Install Sanity Check: How To Deploy A Basic J2EE Application To Confirm Your WebLogic Domain Is Functional
Solution
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
| Goal |
| How to Terminate SSL at Load Balancer, Web Cache or OHS 11g - Including Steps for WLS Plugin (mod_wl_ohs) |
| Overview and Prerequisites |
| Solution |
| Minimal Configuration |
| Requirement for Terminating SSL Before Oracle HTTP Server |
| Best Practices and Examples to Using a Virtual Host Configuration |
| Requirement for Oracle Web Cache |
| Requirement for Other Web-Tier Proxy (Apache) |
| Requirement for Load Balancer |
| Using WLS HttpServletRequest |
| Troubleshooting |
| Known Issues Discoverer |
| References |