When SSL offloading is done at the F5 (SSL termination at the load balancer), the redirect URL issued during authentication replaces the load balancer protocol (https) with http.
Actions:
-----------------------
1. Access a protected URL using https
2. When challenged, provide user credentials and login
3. The final redirect URL is not https
Ex:
https://HOST/oam/server/auth_cred_submit
POST /oam/server/auth_cred_submit HTTP/1.1
HTTP/1.1 302 Moved Temporarily
Connection: close
Transfer-Encoding: chunked
Location: http://HOST/obrar.cgi?cookie=xxxxxx
Reason:
The WebLogic server is not using the load balancer protocol (https) for redirect URLs.
Solution:
If you have the above issue on OAM 11.1.2.0, the steps to resolve it are:
1) Set WL-Proxy-SSL to true at the Load Balancer end
2) Set the WebLogic 'Plugin Enabled' flag as follows
a. Log into WebLogic Console
b. Click the domain name on the left menu bar
c. Then choose 'Configurations' Tab and 'Web Applications' sub tab
d. Click 'Lock & Edit' button on top left menu
e. Check box 'WebLogic Plugin Enabled'
f. Save and activate the change.
If proxying requests to a standalone WebLogic Server, please enable this setting on the individual server level from the admin console by clicking on the -> Configuration -> General tab. In the advanced options, check the checkbox for WebLogicPluginEnabled and save the changes.
If proxying requests to a WebLogic Cluster, enable this setting at the cluster level from the admin console by clicking on the Cluster -> Configuration -> General tab. In the advanced options, check the checkbox for WebLogicPluginEnabled and save the changes.
3) When you start the WebLogic Admin server, pass the following parameter:
-Dweblogic.http.isWLProxyHeadersAccessible=true
To do this:
a. Open setEnv.sh/cmd (located in /webserv//bin)
b. Change the JAVA_OPTIONS_os value and add "-Dweblogic.http.isWLProxyHeadersAccessible=true".
For example
For Windows:
SET JAVA_OPTIONS_WIN32=-jrockit -XnoOpt -XXnoJITInline -Xms512m -Xmx512m -Dtoplink.xml.platform=oracle.toplink.platform.xml.jaxp.JAXPPlatform -Dweblogic.http.isWLProxyHeadersAccessible=true
For Linux:
JAVA_OPTIONS_LINUX="-jrockit -XnoOpt -XXnoJITInline -Xms512m -Xmx512m -Dtoplink.xml.platform=oracle.toplink.platform.xml.jaxp.JAXPPlatform -Dcom.sun.xml.namespace.QName.useCompatibleSerialVersionUID=1.0 -Dweblogic.http.isWLProxyHeadersAccessible=true"
Note: If you've uncommented the JAVA_OPTIONS_ADMINSERVER parameter, then the 'isWLProxyHeadersAccessible' parameter needs to be added to JAVA_OPTIONS_ADMINSERVER instead of JAVA_OPTIONS_os.
Example:
For Windows:
SET JAVA_OPTIONS_ADMINSERVER=-jrockit -Xms256m -Xmx256m -Dweblogic.http.isWLProxyHeadersAccessible=true
For Linux:
JAVA_OPTIONS_ADMINSERVER="-jrockit -Xms256m -Xmx256m -Dcom.sun.xml.namespace.QName.useCompatibleSerialVersionUID=1.0 -Dweblogic.http.isWLProxyHeadersAccessible=true"
4) Use WebLogic 10.3.2 or a higher patch level of WebLogic 10.3.x
This is required because there is an issue in WebLogic 10.3.1 that breaks this functionality.
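To confirm the fix, the captured login response can be checked for a scheme downgrade in its Location header, which in the exchange above also carries the cookie parameter in the query string. The following is an added example, not part of the original post; the function names are hypothetical, HOST is the post's placeholder, and the "after fix" response is constructed.

```python
# Added example (not from the original post): flag 3xx responses whose
# Location drops from https to http, as in the OAM exchange above.
from urllib.parse import urljoin, urlsplit


def parse_response(raw):
    """Return (status_code, headers) from a raw HTTP response head."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def redirect_downgrades(request_url, raw_response):
    """Return the redirect target if an https request is sent to http."""
    status, headers = parse_response(raw_response)
    location = headers.get("location")
    if not (300 <= status < 400) or location is None:
        return None
    target = urljoin(request_url, location)  # resolves a relative Location
    if urlsplit(request_url).scheme == "https" and urlsplit(target).scheme == "http":
        return target
    return None


# Constructed samples; HOST is the placeholder used in the post.
BEFORE_FIX = """HTTP/1.1 302 Moved Temporarily
Connection: close
Transfer-Encoding: chunked
Location: http://HOST/obrar.cgi?cookie=xxxxxx
"""
AFTER_FIX = BEFORE_FIX.replace("http://HOST", "https://HOST")  # assumed result
REQUEST_URL = "https://HOST/oam/server/auth_cred_submit"

if __name__ == "__main__":
    for label, raw in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        hit = redirect_downgrades(REQUEST_URL, raw)
        print(label, "->", "DOWNGRADE to " + hit if hit else "ok")
```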