1 Reply Latest reply: Apr 2, 2013 7:03 AM by Dimitar Dimitrov

    Trouble passing client certificate from OHS to WLS

    user12020272
      Hello,
      Using WLS 10.3.6, OHS 11.1.1.6 with the mod_wl_ohs plugin, and OAM 10.1.4.3.
      We're trying to pass the client certificate information to our application server so we can extract information, but we're not having any luck.
      Here are our settings (only pertinent info):

      ***OHS server - In our *:4443 virtual host directive in the ssl.conf:

      <Location /cactest/cac_login>
      SSLVerifyClient require
      </Location>

      SSLOptions StdEnvVars ExportCertData
      LoadModule certheaders_module "${ORACLE_HOME}/ohs/modules/mod_certheaders.so"
      AddCertHeader HTTPS
      AddCertHeader SSL_CLIENT_CERT
      SimulateHttps On

      ***In our mod_wl_ohs.conf, we have these directives:
      WLProxySSL
      WLProxySSLPassThrough

      ***On our WebLogic managed server, we've enabled these options using the console:
      Client Cert Proxy Enabled
      WebLogic Plug-in Enabled


      Can anyone see anything that might be missing? We get prompted for our certificate, and we can even print out the SSL_CLIENT_CERT using Perl. We just cannot access the cert in javax.servlet.request.X509Certificate on our app server.
      Thanks for the help!
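As an added illustration (not code from the original post or from Oracle), here is the application-side counterpart of this setup: a servlet that reads the certificate from the javax.servlet.request.X509Certificate attribute the poster is looking for and, only as a fallback for diagnosing the proxy path, parses the SSL_CLIENT_CERT header that the AddCertHeader directive forwards. The class name CacLoginServlet, its mapping to /cactest/cac_login and the use of DatatypeConverter for Base64 decoding are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.bind.DatatypeConverter; // Base64 decoder available on the Java 6/7 JDKs of that era

public class CacLoginServlet extends HttpServlet {
    // Attribute WebLogic fills in once the plug-in forwards the certificate (hypothetical servlet).
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    // Header produced by the poster's "AddCertHeader SSL_CLIENT_CERT" directive.
    private static final String CERT_HEADER = "SSL_CLIENT_CERT";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        X509Certificate cert = clientCertificate(req);
        if (cert == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "no client certificate");
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("subject=" + cert.getSubjectX500Principal().getName());
    }

    /** Container attribute first; the OHS header only as a fallback while debugging the proxy path. */
    static X509Certificate clientCertificate(HttpServletRequest req) {
        Object attr = req.getAttribute(CERT_ATTR);
        if (attr instanceof X509Certificate[] && ((X509Certificate[]) attr).length > 0) {
            return ((X509Certificate[]) attr)[0]; // element 0 is the client's own cert, chain follows
        }
        // A header is only as trustworthy as the network path: rely on it only when
        // WLS accepts requests from OHS alone and never directly from clients.
        String pem = req.getHeader(CERT_HEADER);
        return pem == null ? null : parsePem(pem);
    }

    /** Parses one PEM certificate, discarding whatever whitespace the header transport introduced. */
    static X509Certificate parsePem(String pem) {
        String body = pem.replace("-----BEGIN CERTIFICATE-----", "")
                .replace("-----END CERTIFICATE-----", "").replaceAll("\\s", "");
        try {
            byte[] der = DatatypeConverter.parseBase64Binary(body);
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
        } catch (CertificateException e) {
            return null; // malformed or truncated header value
        }
    }
}
```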
        • 1. Re: Trouble passing client certificate from OHS to WLS
          Dimitar Dimitrov
          Most probably you are hitting a well-known bug:

          Bug 13873275 : MOD_WLS IS NOT WORKING WHEN USING OHS 11.1.1.6 AND WLS 10.3.6 TO FORWARD SHA-256

          You must have an Oracle Support account in order to access the necessary materials and get the corresponding patch from support.oracle.com. Look for more information at article 1454591.1 in the Oracle Support Knowledge Base - "When Using OHS 11.1.1.6 And WLS 10.3.6 To Forward Client Certificates, The Certificate Is Not Passed".

          Some time ago I was hit by the same bug and I spent a lot of time until I realized that it was a bug. I was using Apache 2.2 + WLS Plug-In 1.1 trying to pass the client certificate to WLS with no luck. I also tried Apache 2.0 + WLS Plug-In 1.1 with no luck. Eventually I succeeded with Apache 2.x + WLS Plug-In 1.0. WLS Plug-In 1.0 is claimed to be deprecated, but it worked fine for my needs. You can try it as a possible workaround. WLS Plug-In 1.0 is packaged and installed automatically as part of a standalone WebLogic Server installation. (You must be aware that there is no special WLS Plug-In 1.0 for OHS, but there is one for Apache HTTP Server.)

          Dimitar