This discussion is archived
8 Replies Latest reply: Aug 28, 2012 9:03 AM by wgkorb

HTTPS client connection proxied to WLS as HTTP

wgkorb Newbie
Hi,

I have an interesting situation with the WLS plugin for iPlanet Web Server 7u15 (to WLS server 10.3.6).

I have followed the installation instructions in the README included with the plugin as well as in the Oracle® Fusion Middleware Using Web Server Plug-Ins with Oracle WebLogic Server 11g Release 1 (10.3.4) reference manual. With debugging enabled, I see that requests are indeed being passed to WLS for paths that I have defined. As a test, I configured my WS7 obj.conf to pass the /console context to WLS (the WLS admin console webapp). Here's the entry I made in obj.conf:

<Object ppath="/console/*">
Service fn="wl-proxy" WebLogicHost=localhost WebLogicPort=7001
Debug="ALL" WLLogFile="../logs/wl-proxy.log" DebugConfigInfo="ON"
</Object>

So any URI that starts with /console/ will be sent to the WLS instance running on the local host listening on port 7001 (HTTP). Since this is the loopback interface, I've made the conscious decision to use HTTP to communicate with WLS as HTTPS would simply slow things down at that point.

My WS7 instance is only configured to listen for HTTPS requests (on port 443) - there is no listener running on port 80 because I want all requests to this server to be SSL. This configuration causes a problem with the console app.

When I point my browser at the context root, WLS sends a redirect header to the login page back to the client, but it switches the protocol from https to http. For example, I point my browser here:

https://server.domain.lcl/console/

I then see this in the wl-proxy.log:

2012-08-14T11:52:25.1993-05:00 <886813449631452> Header from WLS:[Location]=[http://server.domain.lcl/console/login/LoginForm.jsp]

...and Firefox then tries to load that URL, but since I have no HTTP listener running, I get an error from FF telling me that it cannot connect. If I manually update the URL in FF and specify https, it loads the login page. I then supply my username and password and click Login, and that returns a redirect to http://server.domain.lcl/console/index.jsp which again fails due to the wrong protocol.

I have experimented with the WLProxySSL and WLProxyPassThrough settings for the plugin, but they seem to have no effect.

By comparison, if I use the built-in reverse proxy functionality of WS7, the console app works perfectly. I assume that the WLS plugin is more efficient than the WS7 reverse proxy, though, so that's why I'm trying to get that working.

This leads to two questions:

1. Is the WLS plugin truly more efficient than WS7's reverse proxy feature?
2. How can I make sure that redirects returned to the client are on https even though WLS sees the connection as being http?

If the answer to #1 is no, then I'll just switch back to using the reverse proxy and skip the trouble of dealing with the plugin.

Thanks,
Bill
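The protocol downgrade in the Location header described above, as an added example that is not part of the thread or of the Oracle plugin: a small Python checker that scans wl-proxy debug lines for Location headers that would send an https client back to http on the same host, and the rewrite a front end should apply when the backend was never told the client connection was SSL. The sample log lines and hostnames are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample in the shape of the plugin's debug output; hostnames are placeholders.
SAMPLE_LOG = """\
2012-08-14T11:52:25.1993-05:00 <886813449631452> Header from WLS:[Location]=[http://server.domain.lcl/console/login/LoginForm.jsp]
2012-08-14T11:52:26.0001-05:00 <886813449631452> Header from WLS:[Location]=[/console/index.jsp]
2012-08-14T11:52:27.0001-05:00 <886813449631452> Header from WLS:[Location]=[http://other.example/out]
"""

LOCATION_RE = re.compile(r"Header from WLS:\[Location\]=\[([^\]]*)\]")


def fix_location(location, client_scheme, client_host):
    """Return the Location value the front end should send to the client.

    - relative URL: unchanged, the browser resolves it against the https origin
    - absolute URL for another host: unchanged, not ours to rewrite
    - absolute URL for our own host: force the client's scheme and host,
      which also drops a leaked backend port such as :7001
    """
    parts = urlsplit(location)
    if not parts.scheme:
        return location
    if (parts.hostname or "").lower() != client_host.lower():
        return location
    if parts.scheme == client_scheme and parts.netloc == client_host:
        return location
    return urlunsplit((client_scheme, client_host, parts.path, parts.query, parts.fragment))


def downgraded_redirects(log_text, client_scheme, client_host):
    """Find Location headers in plugin debug output that downgrade an https
    client to http on the same host; returns (original, fixed) pairs."""
    found = []
    for line in log_text.splitlines():
        m = LOCATION_RE.search(line)
        if not m:
            continue
        loc = m.group(1)
        fixed = fix_location(loc, client_scheme, client_host)
        if fixed != loc:
            found.append((loc, fixed))
    return found


if __name__ == "__main__":
    for original, fixed in downgraded_redirects(SAMPLE_LOG, "https", "server.domain.lcl"):
        print(f"downgrade: {original} -> {fixed}")
```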
  • 1. Re: HTTPS client connection proxied to WLS as HTTP
    wgkorb Newbie
    Well, I came up with a work-around that isn't exactly elegant, but it has the advantage of actually making the WLS console app work properly when using the plugin.

    First, I configured an HTTP listener on port 80.

    Then I added this to the obj.conf file of my virtual server:

    -----
    # Force connections for specified webapps to be secure
    <If $uri =~ '^/(console|myapp)/.*' and not $security>
    NameTrans fn="redirect" from="/" url-prefix="https://$urlhost/" status="301"
    </If>
    -----

    So any requests for contents of webapps at one of the context roots /console or /myapp that are via HTTP will result in a browser redirect to the HTTPS version of the URL. Like I said, it works, but it's not exactly elegant.

    I would still like to figure out how to make the plugin handle this properly.

    Thanks,
    Bill
  • 2. Re: HTTPS client connection proxied to WLS as HTTP
    wgkorb Newbie
    Well, I spoke too soon. That work-around makes HTTP GETs work fine, but not HTTP PUTs. So I still need to figure out how to make the plugin deal with this properly.

    Thanks,
    Bill
  • 3. Re: HTTPS client connection proxied to WLS as HTTP
    Kalyan Pasupuleti-Oracle Expert
    Hi Bill,

    Try to enable WeblogicPluginEnabled.

    You will find this option under:

    Servers --> AdminServer --> Configuration --> General --> Advanced

    Regards,
    Kal
  • 4. Re: HTTPS client connection proxied to WLS as HTTP
    wgkorb Newbie
    Kal,

    Brilliant! That did it. I saw no mention of this in the docs, though I'm sure if I dug deep enough it's in there somewhere. ;-)

    Thanks very much.

    Bill
  • 5. Re: HTTPS client connection proxied to WLS as HTTP
    wgkorb Newbie
    OK, now that the basic connection is working, I'm trying to harden my configuration to make it a bit more production ready.

    Here's what I did:

    1. Created a JKS keystore, generated a CSR, issued an X.509 cert via our in-house root CA (M$ Active Directory Certificate Services), and installed the cert in the keystore.
    2. Loaded our CA cert into the keystore so that the server would have access to the full certificate chain.
    3. Added our CA cert to the cacerts file included in JDK7u5 (in a local copy of that file, not the one in JAVA_HOME/jre/lib/security).
    4. Switched my config to use custom key & trust stores, with paths and passwords used in steps 1-3 (domain->Environment->Servers->AdminServer->Configuration->Keystores).
    5. Set the cert nickname & password to use, again based on steps 1-3 (domain->Environment->Servers->AdminServer->Configuration->SSL).
    6. Restarted the server.

    OK, life is good - connection directly to /console URI on WLS SSL port shows that it is indeed using our CA-signed cert. OiWS was configured to use the same certificate, and access to the /console URI via the WLS plugin through OiWS also shows that it is using the correct cert.

    Now I want to migrate to using the administration port (9002). So I checked the "Enable Administration Port" checkbox on the domain->Configuration->General port, and when I activated the change, it came back with "Console/Management requests or requests with <require-admin-traffic> specified to 'true' can only be made through an administration channel." So far, so good. By connecting via https to port 9002, I can view the /console URI just fine.

    However, if I instead try to access it via the plugin/OiWS, I get an error from the plugin, again telling me that I need to access it via an admin channel. Oh, piece of cake, I just need to reconfigure the plugin to use port 9002. Or so I thought.

    I changed my obj.conf Object as follows:

    -----
    <Object ppath="/console*">
    Service fn="wl-proxy" WebLogicHost="myhost.mydomain.lcl" WebLogicPort="9002" SecureProxy="ON"
    Debug="ALL" WLLogFile="../logs/wl-proxy.log" DebugConfigInfo="ON"
    </Object>
    -----

    (I originally had localhost, but had to change to the FQDN to match the DN on the cert).

    After restarting OiWS and connecting, I now get a different error: "No backend server available for connection: timed out after 10 seconds or idempotent set to OFF or method not idempotent."

    This comes back immediately - it's not that it's timing out.

    Looking at the OiWS errors log, I see this:

    -----
    [28/Aug/2012:09:39:44] failure ( 8764): for host 172.20.72.63 trying to GET /console/, wl-proxy reports: wl-proxy: trying GET /console/ at backend host '172.20.30.60/9002; got exception 'READ_ERROR_FROM_SERVER [os error=104, line 232 of ../common/Reader.cpp]: socket read failure'
    -----

    ...and the plugin log shows me this:

    -----
    2012-08-28T09:39:44.4261-05:00 <876413461647843> attempt #5 out of a max of 5
    2012-08-28T09:39:44.4261-05:00 <876413461647843> keepAlive = 1, canRecycle = 0
    2012-08-28T09:39:44.4261-05:00 <876413461647843> general list: trying connect to '172.20.30.60'/9002/9002 at line 1888 for '/console/'
    2012-08-28T09:39:44.4263-05:00 <876413461647843> URL::Connect: Connected successfully
    2012-08-28T09:39:44.4263-05:00 <876413461647843> SSL is not configured for this connection
    2012-08-28T09:39:44.4263-05:00 <876413461647843> Local Port of the socket is 35520
    2012-08-28T09:39:44.4263-05:00 <876413461647843> Remote Host 172.20.30.60 Remote Port 35520
    2012-08-28T09:39:44.4263-05:00 <876413461647843> general list: created a new connection to '172.20.30.60'/9002 for '/console/', Local port:35520
    2012-08-28T09:39:44.4263-05:00 <876413461647843> Entering method BaseProxy::sendRequest
    2012-08-28T09:39:44.4263-05:00 <876413461647843> Entering method BaseProxy::parse_headers
    2012-08-28T09:39:44.4263-05:00 <876413461647843> No of headers =7
    2012-08-28T09:39:44.4263-05:00 <876413461647843> Header from client:[host]=[myhost.mydomain.lcl]
    2012-08-28T09:39:44.4263-05:00 <876413461647843> Header from client:[user-agent]=[Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1]
    2012-08-28T09:39:44.4263-05:00 <876413461647843> Header from client:[accept]=[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
    2012-08-28T09:39:44.4264-05:00 <876413461647843> Header from client:[accept-language]=[en-us,en;q=0.5]
    2012-08-28T09:39:44.4264-05:00 <876413461647843> Header from client:[accept-encoding]=[gzip, deflate]
    2012-08-28T09:39:44.4264-05:00 <876413461647843> Header from client:[connection]=[keep-alive]
    2012-08-28T09:39:44.4264-05:00 <876413461647843> Exiting method BaseProxy::parse_headers
    2012-08-28T09:39:44.4264-05:00 <876413461647843> parse_client_headers is done
    2012-08-28T09:39:44.4264-05:00 <876413461647843> Method is GET
    2012-08-28T09:39:44.4264-05:00 <876413461647843> URL::sendHeaders(): meth='GET' file='/console/' protocol='HTTP/1.1'
    2012-08-28T09:39:44.4264-05:00 <876413461647843> Header to WLS: [host]=[myhost.mydomain.lcl]
    2012-08-28T09:39:44.4264-05:00 <876413461647843> Header to WLS: [user-agent]=[Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1]
    2012-08-28T09:39:44.4264-05:00 <876413461647843> Header to WLS: [accept]=[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
    2012-08-28T09:39:44.4264-05:00 <876413461647843> Header to WLS: [accept-language]=[en-us,en;q=0.5]
    2012-08-28T09:39:44.4264-05:00 <876413461647843> Header to WLS: [accept-encoding]=[gzip, deflate]
    2012-08-28T09:39:44.4264-05:00 <876413461647843> Header to WLS: [Connection]=[Keep-Alive]
    2012-08-28T09:39:44.4264-05:00 <876413461647843> Header to WLS: [WL-Proxy-SSL]=[true]
    2012-08-28T09:39:44.4264-05:00 <876413461647843> Header to WLS: [X-Forwarded-For]=[172.20.72.63]
    2012-08-28T09:39:44.4264-05:00 <876413461647843> Header to WLS: [WL-Proxy-Client-Keysize]=[256]
    2012-08-28T09:39:44.4264-05:00 <876413461647843> Header to WLS: [WL-Proxy-Client-Secretkeysize]=[256]
    2012-08-28T09:39:44.4264-05:00 <876413461647843> Header to WLS: [WL-Proxy-Client-IP]=[172.20.72.63]
    2012-08-28T09:39:44.4264-05:00 <876413461647843> Header to WLS: [Proxy-Client-IP]=[172.20.72.63]
    2012-08-28T09:39:44.4264-05:00 <876413461647843> Header to WLS: [X-WebLogic-KeepAliveSecs]=[30]
    2012-08-28T09:39:44.4264-05:00 <876413461647843> Header to WLS: [X-WebLogic-Force-JVMID]=[unset]
    2012-08-28T09:39:44.4265-05:00 <876413461647843> About to call parseHeaders
    2012-08-28T09:39:44.4265-05:00 <876413461647843> Reader::fill(): first=0 last=0 toRead=4096
    2012-08-28T09:39:44.4277-05:00 <876413461647843> *******Exception type [READ_ERROR_FROM_SERVER] (socket read failure) raised at line 232 of ../common/Reader.cpp
    2012-08-28T09:39:44.4277-05:00 <876413461647843> caught exception in readStatus: READ_ERROR_FROM_SERVER [os error=104, line 232 of ../common/Reader.cpp]: socket read failure at line 689
    2012-08-28T09:39:44.4277-05:00 <876413461647843> PROTOCOL_ERROR: Backend Server not responding - isRecycled:0
    2012-08-28T09:39:44.4277-05:00 <876413461647843> Marking 172.20.30.60:9002 as bad
    2012-08-28T09:39:44.4277-05:00 <876413461647843> got exception in sendRequest phase: READ_ERROR_FROM_SERVER [os error=104, line 232 of ../common/Reader.cpp]: socket read failure at line 639
    2012-08-28T09:39:44.4277-05:00 <876413461647843> expCode = 4, u->hasRead = 0, ci.pi->wlRetryAfterDropped = 1, idempotentMethod = 1
    2012-08-28T09:39:44.4278-05:00 <876413461647843> Failing over after READ_ERROR_FROM_SERVER exception in sendRequest() prior to reading status line
    2012-08-28T09:39:44.4278-05:00 <876413461647843> request [console/] did NOT process successfully..................
    -----

    I think the key here is the "SSL is not configured for this connection" message. It isn't?!? Sure it is!!! I have the correct cert, the correct DN, and I have SecureProxy="ON" - why would it think SSL is not configured?

    Or am I missing something else here?

    Thanks for any insight you might have.

    Bill
  • 6. Re: HTTPS client connection proxied to WLS as HTTP
    wgkorb Newbie
    Hey, I just thought of something - does this require "two-way" SSL between OiWS & WLS? I think what I currently have is only one-way SSL as I have not generated any client certs. If that is the case, then I assume I need to generate a client certificate for the plugin to use. Where does that cert belong? In the same keystore as the server is using? What should the DN look like for that cert? How do I tell the plugin to use the client cert?

    ...or am I on a wild goose chase here...

    Thanks,
    Bill
  • 7. Re: HTTPS client connection proxied to WLS as HTTP
    Kalyan Pasupuleti-Oracle Expert
    Hi Bill,

    Try to upgrade the WebLogic plugin for your web server; that will help you fix issues like "Exception type [READ_ERROR_FROM_SERVER]".

    Open a ticket with Oracle WebLogic support to get the new wl-proxy plugin for your web server version.

    Regards,
    Kal
  • 8. Re: HTTPS client connection proxied to WLS as HTTP
    wgkorb Newbie
    Kal,

    SR 3-6130822551

    Thanks,
    Bill
