Problems migrating from mod_plsql to ORDS

User_LYXO8 Member Posts: 3 Green Ribbon

Previously, had a 2008 OS server with OHS using mod_plsql and four DADs. Within two of the DADs, had the following CGI Environment Variables:

PlsqlCGIEnvironmentList SSL_CLIENT_CERT

PlsqlCGIEnvironmentList SSL_CLIENT_S_DN

PlsqlCGIEnvironmentList SSL_CLIENT_S_DN_C

PlsqlCGIEnvironmentList SSL_CLIENT_S_DN_ST

PlsqlCGIEnvironmentList SSL_CLIENT_S_DN_L

PlsqlCGIEnvironmentList SSL_CLIENT_S_DN_O

PlsqlCGIEnvironmentList SSL_CLIENT_S_DN_OU

PlsqlCGIEnvironmentList SSL_CLIENT_S_DN_CN

PlsqlCGIEnvironmentList SSL_CLIENT_S_DN_Email

PlsqlCGIEnvironmentList SSL_CLIENT_V_START

PlsqlCGIEnvironmentList SSL_CLIENT_V_END

Those two DADs allowed our users to login to our website with a PKI certificate. Our OWA_CUSTOM PL/SQL package would call OWA_UTIL.get_cgi_env to retrieve the values of those environment variables to check that the person logging in was registered in our database. In a different package we would store their PKI certificate for future logins but that package also uses the CGI Environment Variables.

Now we are upgrading to a 2016 OS server with ORDS running under WebLogic. We have ORDS configured and two of our four DADs converted to database pools which work just fine. While we have created the two database pools that correspond to the two DADs that have the CGI Environment Variables, there is no equivalent to the CGI Environment Variables within ORDS. So where do we put a reference to the CGI Environment Variables within ORDS so our OWA_CUSTOM can use them? We cannot do without a PKI certificate login and since it was possible under mod_plsql, it still needs to be possible under ORDS.

We have received word that CGI Environment variables are not possible with ORDS, so what workarounds are available so that we can continue to use PKI certificate login?

Answers

  • thatJeffSmith-Oracle Distinguished Product Manager Posts: 7,691 Employee

    Highly suggest you open a support ticket with My Oracle Support.

  • User_LYXO8 Member Posts: 3 Green Ribbon

    thatJeffSmith-Oracle:

    We went that route at the start, our support from Oracle was to post the question here.

  • User_Z4K9S Member Posts: 10 Red Ribbon

    We ran into a similar issue testing a similar migration from mod_plsql to ORDS - we are using OHS in front of Weblogic/ORDS and use mod_wl_ohs as the proxy. We found that if we created a Location in mod_wl_ohs.conf for the DAD/database pool and set a RequestHeader that matched the name of the Environment Variable in Apache, it would pass that header on to Weblogic/ORDS, and Weblogic/ORDS seemed to interpret incoming headers as "environment variables", and the PL/SQL routines for retrieving CGI variables seemed to pick them up.

    So try something like:

    RequestHeader set SSL_ENVIRONMENT_VAR %{SSL_ENVIRONMENT_VAR}e env=SSL_ENVIRONMENT_VAR

    This sets a request header called SSL_ENVIRONMENT_VAR for the request to Weblogic/ORDS that contains the value of the OHS environment variable SSL_ENVIRONMENT_VAR if SSL_ENVIRONMENT_VAR is set. Obviously you can choose to change the name of the header if you update your PL/SQL code to look for the new name.

    Disclaimer - we are not using this in production right now - but we've had success with this working in a test environment. Hope this helps.

  • User_LYXO8 Member Posts: 3 Green Ribbon

    Thank you for the information. We followed https://www.oracle.com/technetwork/developer-tools/apex/learnmore/apex-example-deployment-wp-2214343.pdf because it talks about installing OHS in front of Web Logic. We updated the mod_wl_ohs.conf to have:

    <IfModule weblogic_module>
        <Location /ords/>
            SetHandler weblogic-handler
            WebLogicHost localhost
            WebLogicPort 443
            DebugConfigInfo ON
            KeepAliveEnabled on
            KeepAliveSecs 10
        </Location>
    </IfModule>

    …because we use ords.war and ords does appear in our URL. We updated the ssl.conf to have:

    SSLWallet "C:\Wallets"

    <LocationMatch "^/(pls_ws|pki_jsmps)/.+$">
        SSLVerifyClient require
        SSLOptions +ExportCertData +StdEnvVars
        RequestHeader set X-Ssl-Cert "%{SSL_CLIENT_CERT}e" env=SSL_CLIENT_CERT
        RequestHeader set X-Ssl-Verify "%{SSL_CLIENT_VERIFY}e" env=SSL_CLIENT_VERIFY
        ProxyPreserveHost on
    </LocationMatch>

    ProxyPass "/" "https://localhost:443/"
    ProxyPassReverse "/" "https://localhost:443/"

    Our URL might have pls_ws or pki_jsmps along with two other locations. For these two we need the client-side certificate; the other two we don't. So with everything (managed server, ords.war, i.war, ohs1 component) turned on, we can get to our login page for the website, and even log in with username / password. But when we try to log in with a client-side certificate (aka PKI), it fails. We cannot extract the cert from the header, mainly because we don't think it's even in there. We have two valid certs in the lab, and thus the browser should ask us which one to use, and it never does.

    Does what we have come close to what you did? Do you see anything that needs to be tweaked? We can provide more information if needed. Is there any chance you'd be willing to show us a full example of what you all did?


    Thank you.

  • User_Z4K9S Member Posts: 10 Red Ribbon

    Yeah something seems amiss further up the chain here. If your browser isn't even prompting you to provide a certificate, that tells me there's a problem at the OHS/proxy before it even gets to Weblogic or ORDS. I would make sure your server wallet in C:\Wallets has every CA in the client certificate's chain included as trusted certificates.

    The other issue I've seen with OHS and the SSLVerifyClient directive is that using it inside a "Location" or "LocationMatch" block hasn't worked for me when I've tried it in the past. It's been a few versions since I've played with it, but at the time my thinking was that if you hit a URL on the OHS server via HTTPS that doesn't require client validation, then you go to one that does, the browser may not realize that it needs to renegotiate its SSL/TLS with the server and so you never get prompted for the cert. On our site we used "SSLVerifyClient" in the root ssl.conf and set it to either Optional or Required - we'd get prompted for a certificate as soon as we visited the first page of the site.

    I'd check those things first - check your wallet and try moving your SSLVerifyClient directive outside the LocationMatch block and see if you can at least get prompted for the cert. Then you can see how much ORDS is able to see about the provided cert and whether it can be authenticated.

    Good luck!
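An added example, not any poster's own configuration: an OHS ssl.conf fragment that applies the RequestHeader approach from User_Z4K9S's first reply to the full list of SSL_CLIENT_* variables from the original DADs, scoped to the pls_ws and pki_jsmps paths from the second post. It assumes mod_headers and mod_ssl are loaded in OHS and that ORDS exposes the forwarded headers to OWA_UTIL.get_cgi_env, as reported in the thread.

```apache
# Added example (not from the thread). Forward the mod_ssl client-certificate
# variables that the old DADs exposed via PlsqlCGIEnvironmentList to ORDS as
# request headers of the same name, so OWA_UTIL.get_cgi_env can read them.
# Assumes mod_headers and mod_ssl are loaded in OHS.
<LocationMatch "^/(pls_ws|pki_jsmps)/">
    # If the browser never prompts for a certificate here, try moving
    # SSLVerifyClient to the virtual host level, as the last reply suggests.
    SSLVerifyClient require
    SSLOptions +ExportCertData +StdEnvVars

    # Drop any copy of these headers that arrived from the client first.
    # "RequestHeader set ... env=VAR" only runs when VAR was exported by the
    # handshake; without the unset, a header of the same name sent by the
    # client would reach ORDS untouched whenever the variable is absent.
    RequestHeader unset SSL_CLIENT_VERIFY
    RequestHeader unset SSL_CLIENT_CERT
    RequestHeader unset SSL_CLIENT_S_DN
    RequestHeader unset SSL_CLIENT_S_DN_C
    RequestHeader unset SSL_CLIENT_S_DN_ST
    RequestHeader unset SSL_CLIENT_S_DN_L
    RequestHeader unset SSL_CLIENT_S_DN_O
    RequestHeader unset SSL_CLIENT_S_DN_OU
    RequestHeader unset SSL_CLIENT_S_DN_CN
    RequestHeader unset SSL_CLIENT_S_DN_Email
    RequestHeader unset SSL_CLIENT_V_START
    RequestHeader unset SSL_CLIENT_V_END

    # SSL_CLIENT_VERIFY is the one OWA_CUSTOM should check first: only a
    # value of SUCCESS means the chain validated against the server wallet.
    RequestHeader set SSL_CLIENT_VERIFY     "%{SSL_CLIENT_VERIFY}e"     env=SSL_CLIENT_VERIFY
    # SSL_CLIENT_CERT is multi-line PEM; if the header arrives mangled,
    # forward only the DN fields and rely on SSL_CLIENT_VERIFY instead.
    RequestHeader set SSL_CLIENT_CERT       "%{SSL_CLIENT_CERT}e"       env=SSL_CLIENT_CERT
    RequestHeader set SSL_CLIENT_S_DN       "%{SSL_CLIENT_S_DN}e"       env=SSL_CLIENT_S_DN
    RequestHeader set SSL_CLIENT_S_DN_C     "%{SSL_CLIENT_S_DN_C}e"     env=SSL_CLIENT_S_DN_C
    RequestHeader set SSL_CLIENT_S_DN_ST    "%{SSL_CLIENT_S_DN_ST}e"    env=SSL_CLIENT_S_DN_ST
    RequestHeader set SSL_CLIENT_S_DN_L     "%{SSL_CLIENT_S_DN_L}e"     env=SSL_CLIENT_S_DN_L
    RequestHeader set SSL_CLIENT_S_DN_O     "%{SSL_CLIENT_S_DN_O}e"     env=SSL_CLIENT_S_DN_O
    RequestHeader set SSL_CLIENT_S_DN_OU    "%{SSL_CLIENT_S_DN_OU}e"    env=SSL_CLIENT_S_DN_OU
    RequestHeader set SSL_CLIENT_S_DN_CN    "%{SSL_CLIENT_S_DN_CN}e"    env=SSL_CLIENT_S_DN_CN
    RequestHeader set SSL_CLIENT_S_DN_Email "%{SSL_CLIENT_S_DN_Email}e" env=SSL_CLIENT_S_DN_Email
    RequestHeader set SSL_CLIENT_V_START    "%{SSL_CLIENT_V_START}e"    env=SSL_CLIENT_V_START
    RequestHeader set SSL_CLIENT_V_END      "%{SSL_CLIENT_V_END}e"      env=SSL_CLIENT_V_END
</LocationMatch>
```

On the database side, OWA_CUSTOM should compare owa_util.get_cgi_env('SSL_CLIENT_VERIFY') to 'SUCCESS' before any DN field is used to look the user up.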
