0 Replies. Latest reply: Nov 12, 2012 9:17 AM by user12109470

    Unable to pass Client SSL to WebLogic via WL Proxy Plugin and OHS Webserver

      Can someone please help me? I have been unable to get this working; I have been working on this for almost 2-3 weeks now.
      Problem Summary
      Unable to pass Client SSL to WebLogic via WebLogic Proxy Plugin and Webserver in front of WLS

      Problem Description
      We have a new requirement to validate Client's SSL certificate at the Application level and based on it, we take some decisions.
      Our setup involves:
      (1) Weblogic Side:
      WLS 10.3.6 - 64 Bit on IBM AIX 64 Bit OS.
      IBM JDK 6- 64 Bit
      Weblogic Plugin Enabled at:
      Domain-> Web Applications ->Client Cert Proxy Enabled
      Domain-> Web Applications ->WebLogic Plugin Enabled
      SSL Certificate Deployed on Managed Server ; custom identity and custom trust store (having all trusted root CA and also Customer's SSL)
      SSL Port Enabled
      Two Way SSL Authentication Enabled at Managed Server Level
      NO CLUSTER; it is single managed server.

      (2) ProxyPlugin & DMZ Server Level:

      OracleHttpServer - 64 Bit; enabled for two-way SSL authentication
      SSL Engine ON
      SSLVerifyClient require
      SSLOptions FakeBasicAuth ExportCertData +StrictRequire
      SSLWallet <TO-SOme-Path> # This has our key/public SSL/customer's trusted SSL etc

      (3) Weblogic Plugin 1.1 - mod_wl_ohs
      WLProxySSL ON
      WLSSLWallet <SomePath>

      The client uses XML request/response to use our application over HTTPS, sending their SSL certificates.

      We don't find the client's SSL passing from the proxy to WLS.
      Header to WLS: [Content-Type]=[text/xml]
      Header to WLS: [Authorization]=[Basic Q0VSVFRFU1R
      Header to WLS: [User-Agent]=[Java/1.7.0_04]
      Header to WLS: [Host]=[lt-101843.xxxx.com:44
      Header to WLS: [Accept]=[text/html, image/gif, im
      Header to WLS: [Content-Length]=[379]
      Header to WLS: [Connection]=[Keep-Alive]
      Header to WLS: [WL-Proxy-SSL]=[true]
      Header to WLS: [X-Forwarded-For]=[]
      Header to WLS: [WL-Proxy-Client-Cert]=[] ###### Empty List ......................??????
      Header to WLS: [WL-Proxy-Client-Keysize]=[128]
      Header to WLS: [WL-Proxy-Client-Secretkeysize]=[1
      Header to WLS: [WL-Proxy-Client-IP]=[]
      Header to WLS: [Proxy-Client-IP]=[]
      Header to WLS: [X-WebLogic-KeepAliveSecs]=[30]
      Header to WLS: [X-WebLogic-Force-JVMID]=[unset]

      The proxy log does not show any certificates being passed from Client Header to Proxy...

      The client can, though, access the application on WebLogic; it is just that the application does not find any matching certificates and then throws the error.
      Client sends the certificates via XML request.

      These are the headers seen in the proxy log:

      2012-11-12T00:09:34.7549-05:00 <910413526969741> No of headers =9
      2012-11-12T00:09:34.7549-05:00 <910413526969741> Header from client:[Content-Type]=[text/xml]
      2012-11-12T00:09:34.7549-05:00 <910413526969741> Header from client:[Authorization]=[Basic Q0VSVFRFU1RJTkdfQURNSU46YWJjMTIz]
      2012-11-12T00:09:34.7549-05:00 <910413526969741> Header from client:
      2012-11-12T00:09:34.7549-05:00 <910413526969741> Header from client:[company-code]=[YYYY]
      2012-11-12T00:09:34.7549-05:00 <910413526969741> Header from client:[User-Agent]=[Java/1.7.0_04]
      2012-11-12T00:09:34.7549-05:00 <910413526969741> Header from client:[Host]=[lt-XXX.YYYY.com:4443]
      2012-11-12T00:09:34.7549-05:00 <910413526969741> Header from client:[Accept]=[text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2]
      2012-11-12T00:09:34.7549-05:00 <910413526969741> Header from client:[Connection]=[keep-alive]
      2012-11-12T00:09:34.7549-05:00 <910413526969741> Header from client:[Content-Length]=[379]
      I would greatly appreciate any inputs.
      Thanks in advance.
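
      An added example, not part of the original post: a Python check over plugin debug-log lines in the format shown above. It reports whether WL-Proxy-Client-Cert reached WLS empty, whether any WL-Proxy-* header arrived from the client side, and whether Basic credentials were written to the log. The sample lines, finding names and function names are constructed for illustration.

```python
import re

# Both line shapes from the post: "Header from client:[N]=[V]" and "Header to WLS: [N]=[V]".
# The value stops at the first "]" or end of line, so truncated values and trailing notes parse.
HEADER_RE = re.compile(r"Header (from client|to WLS):\s*\[([^\]]+)\]=\[([^\]]*)")

# Constructed sample in the format of the plugin debug log; not real traffic.
SAMPLE_LOG = """\
2012-11-12T00:09:34.7549-05:00 <1> Header from client:[Content-Type]=[text/xml]
2012-11-12T00:09:34.7549-05:00 <1> Header from client:[Authorization]=[Basic CONSTRUCTED_PLACEHOLDER]
2012-11-12T00:09:34.7549-05:00 <1> Header from client:
2012-11-12T00:09:34.7549-05:00 <1> Header from client:[WL-Proxy-Client-IP]=[192.0.2.10]
Header to WLS: [WL-Proxy-SSL]=[true]
Header to WLS: [WL-Proxy-Client-Cert]=[] ###### empty
Header to WLS: [WL-Proxy-Client-Keysize]=[128]
"""

def parse_headers(log_text):
    """Group headers by direction; names are lower-cased, unparsable lines skipped."""
    headers = {"from client": {}, "to WLS": {}}
    for line in log_text.splitlines():
        match = HEADER_RE.search(line)
        if match:
            direction, name, value = match.groups()
            headers[direction][name.lower()] = value.strip()
    return headers

def audit(log_text):
    """Return a sorted list of finding codes for one request's log lines."""
    headers = parse_headers(log_text)
    inbound, outbound = headers["from client"], headers["to WLS"]
    findings = set()
    # The proxy reports an SSL client connection but handed no certificate on.
    if outbound.get("wl-proxy-ssl") == "true" and not outbound.get("wl-proxy-client-cert"):
        findings.add("client-cert-not-forwarded")
    # WL-Proxy-* headers are written by the plugin, so one on the client side is unexpected.
    if any(name.startswith("wl-proxy-") for name in inbound):
        findings.add("proxy-header-from-client")
    # Basic credentials are only base64-encoded, so a debug log holding them is sensitive.
    if any(h.get("authorization", "").lower().startswith("basic ") for h in (inbound, outbound)):
        findings.add("basic-credentials-in-log")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```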