
WebLogic Server Plug-Ins and SSL Support Pattern (Doc ID 780026.1)

Last updated on JUNE 28, 2023

Applies to:

Oracle WebLogic Server - Version 6.1 and later
Information in this document applies to any platform.

Purpose

This document is a support pattern that explains how to use WebLogic proxy plug-ins with SSL.

NOTE: Users of the Oracle HTTP Server (OHS) should consult Configuring Mod_wl_ohs to use SSL between Oracle HTTP Server and Weblogic Server in FMW 11g (11.1.1.X) <Note 1268723.1>. This support pattern focuses on the Apache, iPlanet, and IIS plug-ins.

Introduction

This document was created to help users understand their needs when using the WebLogic plugin and SSL. It describes in detail questions to ask when setting up the architecture of the environment. The three web servers that will be used as examples are: Apache, iPlanet (SunOne), and Microsoft IIS.

Prerequisites

Before starting, it is important to understand the handshake process. Refer to the Understanding and Investigating SSL Issues Support Pattern <Note 1078957.1> for information.

Before starting, ask the following questions:

  1. Will I have SSL set up between the client and the web server hosting the proxy (Apache, Sun One, IIS)?

    If the answer is yes, will it need to be 2-way SSL? This design has the advantage of offering the possibility to propagate client certificates to the back-end WebLogic Server (e.g., for authentication).
  2. Will I have SSL set up between the plugin and the WebLogic Server?

    If the answer is yes, will I need to "intercept" a client certificate from the first front-end handshake?
  3. Is it only 1-way SSL that I need? Is it only to encrypt the data between the plugin and the WebLogic Server?

IMPORTANT NOTE: The version 12c (12.2.1.4.0) and higher plug-ins use Oracle wallets to store SSL configuration information. Use the WLSSLWallet SSL configuration parameter to configure the wallets. The orapki utility is provided in the plug-in distribution for this purpose.

The orapki utility manages public key infrastructure (PKI) elements, such as wallets and certificate revocation lists, on the command line so the tasks it performs can be incorporated into scripts. This enables you to automate many of the routine tasks of maintaining a PKI. See Using the orapki Utility for Certificate Validation and CRL Management.

For more information on using SSL with the 12.2.1.4 and higher plug-ins, please see Using SSL with Plug-Ins in the 12.2.1.4 plug-in documentation.
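
As an added example (not taken from this note), here is what question 2 looks like for a 12.2.1.4 or later Apache plug-in that only needs 1-way SSL to the back end: an Oracle wallet holding the CA certificate that signed the WebLogic Server certificate, referenced through WLSSLWallet. The host name, port, wallet path, certificate file name and URL path are assumed placeholders.

```apache
# Added example: 1-way SSL between the Apache plug-in and WebLogic Server.
# All host names, ports and paths below are assumptions for illustration.
#
# The wallet is built beforehand with the orapki utility from the plug-in
# distribution, then loaded with the trusted CA certificate:
#   orapki wallet create -wallet /etc/httpd/wlswallet -auto_login_only
#   orapki wallet add -wallet /etc/httpd/wlswallet -trusted_cert \
#          -cert /tmp/wls-ca.pem -auto_login_only
# Restrict the wallet directory to the account that runs httpd.

LoadModule weblogic_module modules/mod_wl_24.so

<IfModule mod_weblogic.c>
    WebLogicHost wls.example.internal
    # The server's SSL listen port, not its plaintext listen port.
    WebLogicPort 7002
    # Without SecureProxy ON the plug-in speaks plain HTTP to the back end.
    SecureProxy ON
    # Directory containing the auto-login wallet created above.
    WLSSLWallet /etc/httpd/wlswallet
</IfModule>

<Location /app>
    SetHandler weblogic-handler
</Location>
```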

Troubleshooting Steps



In this Document
Purpose
 Introduction
 Prerequisites
Troubleshooting Steps
 Configuration of Apache for SSL between the Client (e.g., browser) and the Web Server
 Pre-setup
 Simple Setup for 1-way SSL
 Simple Setup for 2-way SSL
 How to Debug
 Test the Configuration and Troubleshoot
 1-way SSL Setup
 2-way SSL Setup
 Configuration of Sun One/iPlanet for SSL between the Client (e.g., browser) and the Web Server
 Simple Setup for 1-way SSL
 Simple Setup for 2-way SSL
 How to Debug
 Test the Configuration and Troubleshoot
 1-way SSL Setup
 2-way SSL Setup
 Configuration of Microsoft IIS for SSL between the Client (e.g., browser) and the Web Server
 Pre-setup
 Simple Setup for 1-way SSL
 Setup for 2-way SSL
 How to Debug
 Test the Configuration and Troubleshoot
 1-way SSL Setup
 2-way SSL Setup
 Configuration of SSL between the WebLogic Plugin and WebLogic Server
 Verification and Preparation
 Plugin Parameters to Consider
 Configuration of Apache for SSL between the WebLogic Plugin and WebLogic Server
 How to Configure
 Verification
 Configuration of Sun One/iPlanet for SSL between the WebLogic Plugin and WebLogic Server
 How to configure
 Verification
 Configuration of Microsoft IIS for SSL between the WebLogic Plugin and WebLogic Server
 How to configure
 Verification
 Others
 What is [WL-Proxy-Client-Keysize]=[128]?
 What is [WL-Proxy-Client-Secretkeysize]=[128]?
 Troubleshooting the WebLogic Plugin and SSL
 ERROR 1 -- Plaintext data for protocol HTTP was received from peer
 Solution
 ERROR 2 -- Host (XXXXX) doesn't match (YYYYY)
 Solution
 ERROR 3 -- Client cert not exported to the backend WebLogic Server on Apache
 Solution
 Two Way Client Cert Behavior: Client certs not Requested in the Server -- Keystores & SSL tab.
 ERROR 4 -- SSL certificate chain validation failed: 3015
 Solution
 ERROR 5 -- Do I need a 128 bits encryption plugin?
 ERROR 6 -- HTTP 403.7 -- Forbidden: Client certificate required - Internet Information Services
 Solution
 Need further help?
References
