This article provides detailed steps to configure Apache with SSL in a WLS environment.
This process will successfully setup SSL communication between the client (browser) and the Apache Web Server as well as SSL (https) communication between the Apache Web Server and the WebLogic Server.
At a high level, the following steps are implemented:
  1. Create a valid certificate from Verisign.
  2. Configure Apache plugin to use SSL using the new certificate.
  3. Configure WLS to use the new certificate.
  4. Test SSL proxy request to WLS.

Solution

Apache configuration

  1. Install Apache 2.2.
  2. Include the following in httpd.conf file:
    LoadModule weblogic_module modules/mod_wl_22.so
    Note that this filename is different in different versions of the WebLogic plug-in: change the filename as needed for your version.
  3. Copy the mod_wl_22.so from the folder: <WebLogic_Home>\server\plugin\win\32 to <Apache_Home>\modules. Note that this filename is different in different versions of the WebLogic plug-in: change the filename as needed for your version.
  4. Uncomment LoadModule ssl_module modules/mod_ssl.so in httpd.conf
  5. Uncomment include conf/extra/httpd-ssl.conf in httpd.conf.
  6. Now run the following commands in apache:
    set OPENSSL_CONF=F:\apache2.2\conf\openssl.cnf
    > />openssl genrsa -des3 -out localhost.key 1024
    Enter pass phrase:
    > />openssl req -new -key localhost.key -out localhost.csr> />> />
    It will generate the CSR file. Place the CSR file in a particular folder.
  7. Go to the Verisign website and enter personal information. It will ask for the CSR. Please enter the above CSR and the root CN information.
  8. Verisign will send a mail with intermediate certificate, public certificate and root CA.
  9. Once included, you must comment for Windows: #SSLPassPhraseDialog builtin
  10. Include the following:
    SSLCertificateFile "<dir>/public.crt" => save this from the email sent by verisign
    SSLCertificateKeyFile "<dir>/localhost.key"
    SSLCertificateChainFile "<dir>/intermediate.crt"

    And comment other similar entries.
  11. Test https://localhost/index.html: it will work.

WebLogic Server Configuration

  1. Generate a private key
    jdk_home\bin\keytool -genkey -alias <your_alias_name> -keyalg RSA -keystore <your_keystore_filename>
  2. Generate a certificate request (CSR file).
    jdk_home\bin\keytool -certreq -keyalg RSA -alias <your_alias_name> -file certreq.csr -keystore <your_keystore_filename>
  3. Paste the csr file and get the trail certificate(save as public.pem) and intermediate CA (save as intermediate.pem) and Root CA (save as CA.pem) from the email sent from Verisign website.
  4. Import root CA into keystore:
    keytool -import -alias verisignCA -file CA.pem -keystore <your_keystore_filename> -trustcacerts
  5. Import intermediate CA into keystore:
    keytool -import -alias verisignIntermediateCA -file Intermediate.pem -keystore <your_keystore_filename> -trustcacerts
  6. Import the public key into your keystore. It will go on the same alias as the private key:
    keytool -import -alias <your_alias_name> -file public.pem -keystore <your_keystore_filename> -trustcacerts
  7. To view the keystore:
    keytool -list -keystore mykeystore.jks -v
  8. From the Admin console, go to your server page, and in the Keystore & SSL tab choose:
    Custom Identity and Custom Trust

    Custom Identity
    Custom Identity Key Store File Name: <your_keystore_filename>
    Custom Identity Key Store Type: jks
    Custom Identity Key Store Pass Phrase: <your password>
    Confirm Custom Identity Key Store Pass Phrase: <your password>

    Custom Trust
    Custom Trust Key Store File Name: <your_keystore_filename>
    Custom Trust Key Store Type: jks
    Custom Trust Key Store Pass Phrase: <your password>
    Confirm Custom Trust Key Store Pass Phrase: <your password>

    Private Key Alias:
    Passphrase: password
    Confirm Passphrase: password
  9. Restart your server and now try https://localhost:7002/console
  10. You should see the following while server starts up:
    GMT+05:30>
    <Certificate expires in 14 days: [
    [
    Version: V3
    Subject: CN=localhost, OU=Terms of use at www.verisign.com/cps/testca (c)05, OU=oracle,
    O=oracle, L=BANG, ST=KA, C=IN
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

    Key: Sun RSA public key, 1024 bits
    modulus:
    1005070948376358074374236852403785592182590705370591472921278852507162691666556315447504840297044217
    406796806
    8632923437196828010145594050195432044329126731123133367158479667242853741709746093197774813648593717
    91639176198708507422
    56868100626678565588940082002286028558797528920106552889565563824202336798115363
    public exponent: 65537
    Validity: [From: Tue Aug 04 05:30:00 GMT+05:30 2009,
    To: Wed Aug 19 05:29:59 GMT+05:30 2009]
    Issuer: CN=VeriSign Trial Secure Server CA - G2, OU=Terms of use at
    https://www.verisign.com/cps/testca (c)09, OU="For
    Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
    SerialNumber: [ 5f8db365 ede6fd4b fbd717f2 48b0804f]

    Certificate Extensions: 8
    [1]: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 62 30 60 A1 5E A0 5C 30 5A 30 58 30 56 16 09 .b0`.^.\0Z0X0V..
    0010: 69 6D 61 67 65 2F 67 69 66 30 21 30 1F 30 07 06 image/gif0!0.0..
    0020: 05 2B 0E 03 02 1A 04 14 4B 6B B9 28 96 06 0C BB .+......Kk.(....
    0030: D0 52 38 9B 29 AC 4B 07 8B 21 05 18 30 26 16 24 .R8.).K..!..0&.$
    0040: 68 74 74 70 3A 2F 2F 6C 6F 67 6F 2E 76 65 72 69 http://logo.veri
    0050: 73 69 67 6E 2E 63 6F 6D 2F 76 73 6C 6F 67 6F 31 sign.com/vslogo1
    0060: 2E 67 69 66 .gif


    [2]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 28 17 13 8A BD D6 A2 B5 DC 06 2C B7 B6 8E DA 10 (.........,.....
    0010: 66 60 6E E5 f`n.
    ]

    ]

    [3]: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
    [DistributionPoint:
    [URIName: http://SVRTrial-G2-crl.verisign.com/SVRTrialG2.crl]
    ]]

    [4]: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
    [1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2]]

    [5]: ObjectId: 2.5.29.32 Criticality=false
    CertificatePolicies [
    [CertificatePolicyId: [2.16.840.1.113733.1.7.21]
  11. Click the lock icon in the bottom right of the screen and view the certificate.
  12. Goto certification Path and select Root Certificate. View the certificate and copy to file MyWeblogicCAToTrust.cer in a particular location, say location1.

WebLogic Server Apache Plugin Configuration

  1. Configure the following in Apache httpd configuration.
    <IfModule mod_weblogic.c>
    WebLogicHost myip
    WebLogicPort myport
    SecureProxy ON
    TrustedCAFile "<location1>\MyWeblogicCAToTrust.cer"
    RequireSSLHostMatch false
    EnforceBasicConstraints OFF
    Debug ALL
    WLLogFile <location>/wl_log.log
    </IfModule>

    <Location /weblogic>
    SetHandler weblogic-handler
    </Location>

    <Location /console>
    SetHandler weblogic-handler
    </Location>
  2. Access http://localhost:7001/console
  3. Import the CA.pem for apache and weblogic in the browser using content-> certificate-> Import-> Autoselect store based on type of cert- option.
Configuration Complete!!

1 Comments

  1. It was just an example, in this case u need to locate ur certificate file.

    ReplyDelete