Guys, recently I worked on the SSL configuration of OHS 11.1.1.9 in front of WLS 10.3.6 with JDK 1.7. I'm sharing the steps as a ready-made solution for the flow Client -- HTTPS --> Oracle HTTP Server (mod_wl_ohs) -- HTTPS --> WebLogic Managed Server(s). For this POC, I have only the WLS admin server and a standalone OHS installation on Windows.
1. Creation of Keystore for WLS.
I created my own identity and trust stores as below:
keytool -genkey -alias selfsignedcert -keyalg RSA -sigalg SHA256withRSA -keypass welcome1 -keystore identity.jks -storepass welcome1 -validity 365
keytool -export -alias selfsignedcert -sigalg SHA256withRSA -file root.cer -keystore identity.jks
keytool -import -alias selfsignedcert -sigalg SHA256withRSA -trustcacerts -file root.cer -keystore trust.jks
As a result, the identity.jks and trust.jks keystores are created.
2. Configuration of Keystore for WLS
Configure custom identity and custom trust for WLS; I'm not going through the details of this step.
Set hostname verification to none and client certificates to not requested.
Set WLS Console –> Admin server –> General –> Advanced –> WebLogic Plug-In Enabled checked.
Set WLS Console –> Domain –> Configuration –> Web Applications –> WebLogic Plugin Enabled checked.
Set WLS Console –> Admin server –> SSL –> Advanced –> Use JSSE SSL checked.
3. That's all from the WLS side. Bounce the server and access the SSL port to verify that the WLS console opens.
4. Creation of Wallet for OHS.
Here I create a blank wallet with the auto-login option using the orapki utility and add the WLS certificate from identity.jks.
orapki wallet create -wallet D:\shrik\WT\Oracle_WT1\instances\instance1\OHS\ohs1\wallet -auto_login_only
orapki wallet jks_to_pkcs12 -wallet D:\shrik\WT\Oracle_WT1\instances\instance1\OHS\ohs1\wallet -keystore D:\shrik\IAM\user_projects\domains\test_domain\identity.jks -jkspwd welcome1
orapki wallet display -wallet D:\shrik\WT\Oracle_WT1\instances\instance1\OHS\ohs1\wallet
Change the paths to reflect your environment.
5. Configuration of ssl.conf for OHS
Under the SSL Virtual Host section, change the line below:
#Path to the wallet
SSLWallet D:/shrik/WT/Oracle_WT1/instances/instance1/config/OHS/ohs1/keystores/wallet
6. Configuration of mod_wl_ohs.conf
I'm pasting mine here; the paths are customized for Windows.
# NOTE : This is a template to configure mod_weblogic.
LoadModule weblogic_module D:/shrik/WT/Oracle_WT1/ohs/modules/mod_wl_ohs.so
# This empty block is needed to save mod_wl related configuration from EM to this file when changes are made at the Base Virtual Host Level
<IfModule weblogic_module>
# WebLogicHost <WEBLOGIC_HOST>
# WebLogicPort <WEBLOGIC_PORT>
# Debug ON
# WLLogFile /tmp/weblogic.log
# MatchExpression *.jsp
WebLogicSSLVersion TLSv1.2
</IfModule>
# <Location /weblogic>
# SetHandler weblogic-handler
# PathTrim /weblogic
# ErrorPage http:/WEBLOGIC_HOME:WEBLOGIC_PORT/
# </Location>
<Location /console>
SetHandler weblogic-handler
WebLogicHost shroycho-in.in.oracle.com
WebLogicPort 7112
Debug ALL
WLLogFile D:/shrik/WT/Oracle_WT1/instances/instance1/OHS/ohs1/wllog.txt
DebugConfigInfo ON
WLProxySSL ON
SecureProxy ON
Idempotent ON
WlSSLWallet D:/shrik/WT/Oracle_WT1/instances/instance1/config/OHS/ohs1/keystores/wallet
</Location>
The highlighted lines are the ones to add to access the WLS console over the SSL port via OHS.
7. That's all for OHS. Start the instance and first try to access the OHS SSL port. Then append /console and see whether it redirects to the SSL-enabled WLS console.
For any issues, check the wllog.txt file.
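Debug ALL and DebugConfigInfo ON in the /console block are troubleshooting settings and are worth switching off once the console opens through OHS. The Python check below is an added example, not part of the original post or of any Oracle tooling: it parses a mod_wl_ohs.conf and reports, for each weblogic-handler Location, whether the SSL directives from step 6 are present and whether debug settings are still on. The function names and the embedded sample (built from the configuration above) are assumptions of this example.

```python
# Constructed sample: the active directives of the mod_wl_ohs.conf shown above.
SAMPLE_CONF = """\
<IfModule weblogic_module>
WebLogicSSLVersion TLSv1.2
</IfModule>
<Location /console>
SetHandler weblogic-handler
Debug ALL
DebugConfigInfo ON
WLProxySSL ON
SecureProxy ON
WlSSLWallet D:/shrik/WT/Oracle_WT1/instances/instance1/config/OHS/ohs1/keystores/wallet
</Location>
"""

def effective_locations(conf_text):
    """Map each <Location> path to its directives merged over the global ones."""
    global_d, locations, current = {}, {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("<location "):
            current = locations.setdefault(line[10:].rstrip(">").strip(), {})
        elif line.lower() == "</location>":
            current = None
        elif line and not line.startswith(("<", "#")):  # directive, not tag/comment
            name, _, value = line.replace("\t", " ").partition(" ")
            (global_d if current is None else current)[name.lower()] = value.strip()
    return {path: {**global_d, **local} for path, local in locations.items()}

def is_on(directives, name):
    return directives.get(name, "").upper() == "ON"

def audit(conf_text):
    """Return (location, finding) pairs for Locations served by weblogic-handler."""
    findings = []
    for path, eff in effective_locations(conf_text).items():
        if eff.get("sethandler", "").lower() != "weblogic-handler":
            continue
        checks = [
            (not is_on(eff, "secureproxy"), "SecureProxy not ON"),
            (is_on(eff, "secureproxy") and "wlsslwallet" not in eff,
             "SecureProxy ON without WlSSLWallet"),
            (not is_on(eff, "wlproxyssl"), "WLProxySSL not ON"),
            ("weblogicsslversion" not in eff, "WebLogicSSLVersion not set"),
            (eff.get("debug", "OFF").upper() != "OFF", "Debug logging enabled"),
            (is_on(eff, "debugconfiginfo"), "DebugConfigInfo ON"),
        ]
        findings += [(path, msg) for hit, msg in checks if hit]
    return findings
```

Calling audit() on the sample returns the two debug findings for /console; with Debug OFF and DebugConfigInfo OFF it returns an empty list.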