WebLogic SAML 1.1 & Apache as proxy & SSL between browser and Apache
Hi,
I'm trying to configure SAML 1.1 to work with WebLogic Server 10.3.
Here is a short description of the configuration:
- Browser connects to Apache front end with ssl https://myserver:444/...
- Apache proxies requests to WebLogic Server instances in http. In the following example one of the WLS instances is listening on the port 555 on myserver.
During the SAML 1.1 requests the following URL appears:
https://myserver:444/mysamlits?RPID=rp_00001&TARGET=http://myserver:555/myapp
Here http://myserver:555/myapp is the backend server listening address. Instead it should be the frontend server address:
https://myserver:444/mysamlits?RPID=rp_00001&TARGET=https://myserver:444/myapp
Problem:
Despite all my efforts, WLS picks up the backend protocol and port and puts them in the TARGET. I can't find how to set up WebLogic Server to supply the frontend address as TARGET, so I'm asking for help here.
Details:
I try to describe the setup in more detail below.
I have NOT installed mod_wl in Apache because my intention is to employ Apache to simulate a hardware load balancer (HLB).
I have appended the following lines to Apache httpd.conf:
# Added so that we can set the "WL-Proxy-SSL: true"
# HTTP header which tells a back-end WebLogic Server
# that requests are being proxied through a front-end
# SSL load-balancer or proxy server.
<IfModule headers_module>
RequestHeader set WL-Proxy-SSL true
</IfModule>
I have also verified that the header WL-Proxy-SSL is present in requests arriving at the backend WebLogic Server.
On the WebLogic Server side I have
- Frontend Host: myserver
- Frontend HTTP Port: 0
- Frontend HTTPS Port: 444
I have also tried setting WebLogic Plugin Enabled: true.
Regards,
Kari
Edited by: 858107 on May 11, 2011 10:00 PM: Removed a duplicated subject line.
I was mistaken. TARGET can very well be the backend address. The actual problem was that the browser was getting redirected to the backend address.
That was fixed by resetting the frontend settings:
- Frontend Host: <empty>
- Frontend HTTP Port: 0
- Frontend HTTPS Port: 0
Kari
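As an added example (not part of Kari's post or of WebLogic), a small Python check for the situation described above: it classifies where the TARGET of a SAML 1.1 ITS URL would send the browser (front end, backend, or elsewhere) and shows the ProxyPassReverse-style rewrite a proxy would have to apply to a redirect that names the backend. The origins mirror the post (https://myserver:444 and http://myserver:555); the second backend port 556 is a constructed value.

```python
"""Where does a SAML 1.1 ITS URL send the browser: front end or backend?

Added example for the thread above (not code from the post or from
WebLogic). Origins mirror the post: https://myserver:444 is the Apache
front end, http://myserver:555 a backend WLS instance; :556 is a second,
constructed backend.
"""
from urllib.parse import parse_qs, urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

FRONTEND = "https://myserver:444"
BACKENDS = ["http://myserver:555", "http://myserver:556"]

# The ITS URL the post reports (TARGET on the backend) and the one expected.
SEEN = "https://myserver:444/mysamlits?RPID=rp_00001&TARGET=http://myserver:555/myapp"
WANTED = "https://myserver:444/mysamlits?RPID=rp_00001&TARGET=https://myserver:444/myapp"


def origin(url):
    """Return (scheme, host, port) for an absolute http(s) URL, filling in the
    default port so that https://myserver and https://myserver:443 compare equal."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def classify_url(url, frontend_origins, backend_origins):
    """Classify where a URL points: 'frontend', 'backend', 'relative' (no
    scheme/host, so it stays on whatever host served the page) or 'other'
    (absolute, but neither a known front end nor a known backend)."""
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        return "relative"
    try:
        where = origin(url)
    except ValueError:
        return "other"
    if where in {origin(f) for f in frontend_origins}:
        return "frontend"
    if where in {origin(b) for b in backend_origins}:
        return "backend"
    return "other"


def its_target(its_url):
    """Extract the TARGET query parameter of an ITS URL (None when absent)."""
    values = parse_qs(urlsplit(its_url).query).get("TARGET")
    return values[0] if values else None


def classify_its_target(its_url, frontend_origins, backend_origins):
    """Classify the TARGET of an ITS URL; 'missing' when there is none."""
    target = its_target(its_url)
    if target is None:
        return "missing"
    return classify_url(target, frontend_origins, backend_origins)


def rewrite_to_frontend(url, backend_origins, frontend):
    """Rewrite a URL that points at a known backend onto the front end, which
    is what ProxyPassReverse does to a Location header. Anything that is not
    on a known backend is returned unchanged."""
    if classify_url(url, [], backend_origins) != "backend":
        return url
    front, parts = urlsplit(frontend), urlsplit(url)
    return urlunsplit((front.scheme, front.netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for url in (SEEN, WANTED):
        print(classify_its_target(url, [FRONTEND], BACKENDS), url)
    # The redirect the browser actually received, and where it should have gone:
    print(rewrite_to_frontend("http://myserver:555/myapp", BACKENDS, FRONTEND))
```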
Similar Messages
-
ABAP Proxy connection Between PI and SRM for XMLs
Hello Experts,
We are trying to set up ABAP proxy connection between PI 7.1 and SRM so we can send XML from SRM into PI.
Our SRM developer is getting an SLD error (below) and it seems like something is not set up right in the SLD. Could you help me out with any kind of blog/documentation on setting up an ABAP proxy connection between PI and an ABAP system, something that talks about what steps we need to take in PI and SRM.
error ...
We saw the error during debugging. This error is preventing XML output from being sent to PI.
BBP_BD 002 An SLD system has not been assigned to logical system
Thanks,
Mayur
Thanks all for a quick reply. I also had to take the following step to achieve the task:
adding the XI system to the SRM config - SRM Server --> Technical basic Settings --> Define System Landscape? (also please see the associated documentation in that link for XI)
Thanks,
Mayur -
SSL between XI and a business partner
Has anyone gotten SSL between XI and an external business partner up and running? I would like to have a short discussion with someone who has been successful. I am trying to send messages out from XI that require XI to be active. Please don't direct me to the documentation because we have read it and it has not been very helpful.
regards,
Chris
Hello Richard,
I can't see we have been successful but we are close. Here are the steps:
1. HTTPS service needs to be active (Tx: SMICM)
2. You need to load the SSL certificate key in your XI system (Tx: STRUST)
3. You will need to create an RFC (type G) pointing to your target server. Then select the SSL (active) and the private key you want to use (you will need one RFC destination by server key).
4. Use your RFC destination in your HTTP Adapter: on the HTTP adapter don't select URL address but select RFC destination.
I hope this will help.
Please don't hesitate to ask if you need more detail.
Mustapha -
SSL between NSAPI and WLS with custom certificate and RequireSSLHostMatch=true fails
I am trying to use SSL for communication between NSAPI and WebLogic server (server authentication at the NSAPI).
Therefore, a custom server certificate is installed on WLS, containing this server's hostname. The NSAPI is configured (RequireSSLHostMatch=true) to check the hostname contained in the certificate against the WebLogicHost parameter in the "obj.conf" file. The corresponding TrustedCAFile is installed for NSAPI.
The SSL setup seems to work ok, but when matching the hostname, it seems like NSAPI is trying to do a string-match against the numeric IP of the WebLogicHost, not on the hostname as configured in the WebLogicHost parameter.
The relevant entry in the "obj.conf" file:
<Object name="weblogic" ppath="*">
Service fn=wl-proxy WebLogicHost=btsun2a.muc \
WebLogicPort=7162 \
Debug=ALL \
SecureProxy=ON \
TrustedCAFile=/home/qx13604/wls61/config/testdomain/TC_RootServer_PEM_Class0.pem \
RequireSSLHostMatch=true
</Object>
I am using WLS6.1 with NSAPI (both Solaris). The content of "wlproxy.log" is as follows.
Any ideas?
Content of "wlproxy.log":
Thu Oct 11 12:30:22 2001 INFO: SSL is configured
Thu Oct 11 12:30:22 2001 INFO: Initializing SSL library
Thu Oct 11 12:30:22 2001 Loaded 1 trusted CA's
Thu Oct 11 12:30:22 2001 INFO: Successfully initialized SSL
Thu Oct 11 12:30:22 2001 INFO: SSL configured successfully
Thu Oct 11 12:30:22 2001 ....relFile.../index.jsp...
Thu Oct 11 12:30:22 2001 URI=[index.jsp]
Thu Oct 11 12:30:22 2001 Initializing lastIndex=0 for a list of length=1
Thu Oct 11 12:30:22 2001 attempt #0 out of a max of 5
Thu Oct 11 12:30:22 2001 general list: trying connect to '160.50.106.101'/7162/7162 at line 1156 for '/index.jsp'
Thu Oct 11 12:30:22 2001 New SSL URL: match = 1 oid = 22
Thu Oct 11 12:30:22 2001 Going to check the general server list
Thu Oct 11 12:30:22 2001 WLS info : 160.50.106.101:7162 recycled? 0
Thu Oct 11 12:30:22 2001 Hdrs from Client:[connection]=[Keep-Alive]
Thu Oct 11 12:30:22 2001 Hdrs from Client:[user-agent]=[Mozilla/4.72 [de]C-CCK-MCD (WinNT; U)]
Thu Oct 11 12:30:22 2001 Hdrs from Client:[host]=[btsun1a.muc:99]
Thu Oct 11 12:30:22 2001 Hdrs from Client:[accept]=[image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*]
Thu Oct 11 12:30:22 2001 Hdrs from Client:[accept-encoding]=[gzip]
Thu Oct 11 12:30:22 2001 Hdrs from Client:[accept-language]=[de,en]
Thu Oct 11 12:30:22 2001 Hdrs from Client:[accept-charset]=[iso-8859-1,*,utf-8]
Thu Oct 11 12:30:22 2001 Hdrs to WLS:[connection]=[Keep-Alive]
Thu Oct 11 12:30:22 2001 Hdrs to WLS:[user-agent]=[Mozilla/4.72 [de]C-CCK-MCD (WinNT; U)]
Thu Oct 11 12:30:22 2001 Hdrs to WLS:[host]=[btsun1a.muc:99]
Thu Oct 11 12:30:22 2001 Hdrs to WLS:[accept]=[image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*]
Thu Oct 11 12:30:22 2001 Hdrs to WLS:[accept-encoding]=[gzip]
Thu Oct 11 12:30:22 2001 Hdrs to WLS:[accept-language]=[de,en]
Thu Oct 11 12:30:22 2001 Hdrs to WLS:[accept-charset]=[iso-8859-1,*,utf-8]
Thu Oct 11 12:30:22 2001 Hdrs to WLS:[WL-Proxy-SSL]=[false]
Thu Oct 11 12:30:22 2001 Hdrs to WLS:[X-WebLogic-Force-Cookie]=[true]
Thu Oct 11 12:30:22 2001 Hdrs to WLS:[Proxy-Client-IP]=[160.50.136.171]
Thu Oct 11 12:30:22 2001 Hdrs to WLS:[X-Forwarded-For]=[160.50.136.171]
Thu Oct 11 12:30:22 2001 Hdrs to WLS:[Proxy-Path-Translated]=[wwws/ns-homeV417/docs/index.jsp]
Thu Oct 11 12:30:22 2001 Hdrs to WLS:[Proxy-Path-Translated-Base]=[wwws/ns-homeV417/docs]
Thu Oct 11 12:30:22 2001 INFO: sysSend 52
Thu Oct 11 12:30:22 2001 Partial read socket
Thu Oct 11 12:30:22 2001 INFO: SSLWrite sent 0
Thu Oct 11 12:30:22 2001 INFO: Host (btsun2a.muc) doesn't match (160.50.106.101), validation failed
Thu Oct 11 12:30:22 2001 ERROR: SSLWrite failed
Thu Oct 11 12:30:22 2001 SEND failed (ret=-1) at 549 of file URL.cpp
Thu Oct 11 12:30:22 2001 *******Exception type [WRITE_ERROR] raised at line 550 of URL.cpp
Thu Oct 11 12:30:22 2001 got exception in sendRequest phase: WRITE_ERROR [os error=0, line 550 of URL.cpp]: at line 944
Thu Oct 11 12:30:22 2001 INFO: Closing SSL context
Thu Oct 11 12:30:22 2001 INFO: sysSend 14
Thu Oct 11 12:30:22 2001 Failing over after sendRequest exception
Thu Oct 11 12:30:22 2001 request [index.jsp] processed ..................
I tried some other case and configured a certificate containing the numeric IP as hostname. The authentication works fine then, but it wouldn't be nice to hard-code the IP in the certificate (btw. the WebLogicHost parameter is still given as DNS name, not as IP address).
Has anyone got a solution for this?
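The hostname check the post expects, as an added Python example (not code from the thread or from the NSAPI plugin): it compares the name presented in the backend certificate with the configured WebLogicHost, a DNS name, rather than with the IP address it resolved to, and evaluates both policies side by side so the failure seen in the log is visible. The host name and IP are the ones from the thread; the certificate's name lists are constructed.

```python
"""Hostname check for a proxy-to-backend TLS connection.

Added example (not code from the thread or from the NSAPI plugin): the name
in the backend certificate must be compared with the *configured*
WebLogicHost, a DNS name, never with the IP address it resolved to. The
matching rules follow RFC 6125: case-insensitive, a wildcard only as the
whole leftmost label of a name with at least two more labels, and IP
addresses only against iPAddress entries. The host name and IP are the
ones from the thread; the certificate's name lists are constructed.
"""
import ipaddress


def _dns_name_matches(pattern, host):
    """Match one dNSName (possibly '*.example.muc') against a host name."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False  # partial wildcards, bare-TLD wildcards and cross-label matches refused
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(configured_host, cert_dns_names, cert_ip_names=()):
    """True iff configured_host matches one of the certificate's names.

    configured_host: the WebLogicHost value as written in obj.conf.
    cert_dns_names:  dNSName SAN entries (or the subject CN for old certs).
    cert_ip_names:   iPAddress SAN entries, as strings.
    """
    try:
        ip = ipaddress.ip_address(configured_host)
    except ValueError:
        ip = None
    if ip is not None:
        # A numeric host is matched only against IP entries, never DNS names.
        return any(ip == ipaddress.ip_address(n) for n in cert_ip_names)
    return any(_dns_name_matches(n, configured_host) for n in cert_dns_names)


def check_backend_cert(configured_host, resolved_ip, cert_dns_names, cert_ip_names=()):
    """Evaluate both policies side by side: the correct one (compare the
    configured name) and the one the log above shows (compare the resolved IP)."""
    return {
        "match_configured_name": cert_matches_host(configured_host, cert_dns_names, cert_ip_names),
        "match_resolved_ip": cert_matches_host(resolved_ip, cert_dns_names, cert_ip_names),
    }


if __name__ == "__main__":
    # obj.conf names btsun2a.muc, which resolves to 160.50.106.101, and the
    # WLS certificate carries the host name: the configured name matches, the IP does not.
    print(check_backend_cert("btsun2a.muc", "160.50.106.101", ["btsun2a.muc"]))
    # The poster's workaround, a certificate carrying the IP, only helps when
    # the IP is an iPAddress entry and the comparison is done against the IP.
    print(check_backend_cert("btsun2a.muc", "160.50.106.101", [], ["160.50.106.101"]))
```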
-
Hello:
I have a ITS 6.20 patchlevel 22 with Linux Red Hat Enterprise 4. I have configured the service PAS to access to the Employee Self-Service of the ITS via LDAP.
I want to configure SSL between my ITS and the LDAP, but I read in note 456666 that it is only possible for Microsoft Windows and my ITS is Linux.
Is it correct?
Regards,
Felipe Sánchez
Hi,
~ldapport=636
636 is normally the secure port or the LDAP SSL port, but this depends on the directory server and additional things also.
Therefore I advise you to use example or SDK coding from your directory server or vendor. Normally things like certificate exchange / key exchange and configuration are needed to ensure the secure configuration.
All these things are vendor-dependent steps and therefore SAP has no documentation about it, e.g. Novell directory server has an SDK with example coding for SSL connections. This coding in combination with SAP's PAS SDK can be used to build a shared library with LDAP SSL.
regards,
-markus -
SSL between JNDI and AD - certificate chain
Hi,
I am trying to connect my active directory via SSL with the samples from the tutorial. Can anybody tell me, how I can export a certificate from AD (self-signed), so that I can import it with keytool? Or better, how to build that required certificate chain.
Thanks a lot
Falko Braun
If you are using AD as your Certificate Authority you can go to
http://servername/certserv
which is the web interface for certificates.
If you want the AD server's certificate, in the Certificates snap-in in MMC you can right-click on the server's personal certificate -> All Tasks -> Export and export it.
Hope this helps.
G
-
In EM Cloud control 12c, How to enable SSL between agent and OMS?
As title. Thanks!
Did you check out MOS note "12c Cloud Control Security: How to Secure a 12c Agent from Console / Command Line? [ID 1390222.1]"?
Regards
Rob
http://oemgc.wordpress.com -
How to specify a cipher suite used between plugin and WebLogic server?
I installed WebLogic 8.1 SP3, which supports strong cipher suites, and configured an Apache 2.50 server as a front end.
I configured Apache to use 2-way SSL with the browser and WLS one-way SSL with the Apache plugin, then configured Apache to forward client certs to WLS. Now the problem is, I can see that the SSL connection between browser and Apache uses a strong cipher suite ('SSL_RSA_WITH_RC4_128_MD5'), but the SSL connection between the Apache plugin and WLS uses a weak cipher suite ('SSL_RSA_EXPORT_WITH_RC4_40_MD5'), as shown by the SnoopServlet, although I use the mod_wl128_20.so module. How can I increase the cipher strength of SSL between WLS and its Apache plugin?
Thanks in advance.
Best
Regards
Jean
Hello Gunaseelan,
This is not possible because WLS 6.1 needs a config.xml file, exactly this
name, to start.
What you can do is to define a recovery domain, called myrecovery_domain for
instance, and put the config_recovery.xml, renamed "config.xml".
Hope this helps,
Ludovic.
Developer Relations Engineer
BEA Support.
"Gunaseelan Venkateswaran" <[email protected]> wrote in message
news: 3cd6a324$[email protected]..
> Hi,
> I have 2 weblogic startup scripts (startWebLogic.sh and startWebLogic_recovery.sh) for the same domain.
> startWebLogic.sh uses config.xml file.
> I would like to use config_recovery.xml as the configuration file for startWebLogic_recovery.sh
> How would I do this ?
> I am using WebLogic Server 6.1 on SunOS 5.8 / HP-UX 11.0.
> Appreciate any help.
> Regards
> Gunaseelan Venkateswaran
-
SSL Between OIM 11g R1 and AD using AD 11.1.15 Connector
Hi,
I am doing SSL between AD and OIM 11g R1 using the AD 11.1.1.5 Connector. I imported the AD root certificate in the connector server using the AD doc; after that I restarted the connector server. I am getting the following error:
Unhandled Exception: System.Net.Sockets.SocketException: Only one usage of each socket address (protocol/network address/port) is normally permitted
   at System.Net.Sockets.Socket.DoBind(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Bind(EndPoint localEP)
   at System.Net.Sockets.TcpListener.Start(Int32 backlog)
   at Org.IdentityConnectors.Framework.Impl.Server.ConnectorServerImpl.CreateServerSocket() in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\Server.cs:line 1040
   at Org.IdentityConnectors.Framework.Impl.Server.ConnectorServerImpl.Start() in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\Server.cs:line 1022
   at Org.IdentityConnectors.Framework.Service.Service.OnStart(String[] args) in c:\ADE\aime_icf\icf\framework\dotnet\Service\Service.cs:line 154
   at Org.IdentityConnectors.Framework.Service.Service.StartService(String[] args) in c:\ADE\aime_icf\icf\framework\dotnet\Service\Service.cs:line 110
Urgent requirement, can anyone help me.
Regards,
yuvaparveen.
Hi Praveen,
Here is the solution suggested by Oracle for this particular error:
This exception is encountered because the Connector Server uses a port that has already been used (mostly by another instance of the Connector Server). You can fix this issue by performing one of the following steps:
If the Connector Server service is running, then stop it.
Search for and open the ConnectorServer.exe.Config file, change the port value to 8758 or 8755, and then start the Connector Server. The default location of the ConnectorServer.exe.Config file is C:\Program Files\Identity Connectors\Connector Server.
Ref: http://docs.oracle.com/cd/E22999_01/doc.111/e20347/trbleshoot.htm
If you still face the issue then try changing the Port and Time wait registry values (take a registry backup before making any changes to the registry):
Changing the Dynamic Port Range
- Open regedit.
- Open key HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
- Edit (or create as DWORD) the MaxUserPort value.
- Set it to a higher number (i.e. 65534).
Changing the TIME_WAIT delay
- Open regedit.
- Open key HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
- Edit (or create as DWORD) the TCPTimeWaitDelay.
- Set it to a lower number. Value is in seconds (i.e. 60 for 1 minute delay).
Thanks and Regards,
Chinni -
I have a problem with using Apache 2.2.3 as a WebLogic SSL proxy. I have Apache 2.2 running and have successfully configured an SSL cert; the config in ssl.conf is...
<VirtualHost secure.daftdonkey.com>
# Setup SSL for secure.daftdonkey.com
ServerName secure.daftdonkey.com
SSLEngine On
SSLCertificateFile /oracle/secure/secure.daftdonkey.com.crt
SSLCertificateKeyFile /oracle/secure/secure.daftdonkey.com.key
SSLCertificateChainFile /oracle/secure/gd_bundle.crt
</VirtualHost>
This works fine.
Now I want Apache to proxy requests to my WebLogic Server and secure them over SSL as well,
e.g. a request to https://secure.daftdonkey.com/service goes to https://weblogic.internal.site/service
I have downloaded and configured the weblogic module and tested it handling traffic for HTTP and that worked, then I switched the WebLogic module to use SSL.
LoadModule weblogic_module modules/mod_wl.so
<IfModule mod_weblogic.c>
WebLogicHost weblogic.internal.site
WebLogicPort 16101
Debug ALL
SecureProxy ON
WLSSLWallet /oracle/secure/my-wallet
WLLogFile /tmp/wl-proxy.log
</IfModule>
<Location /service>
SetHandler weblogic-handler
</Location>
Starting Apache throws this error, which I think is my main problem; I've searched support.oracle.com and not found anything.
[Mon Jun 07 23:00:48 2010] [crit] (20014)Internal error: WL SSL Init failed for server: (null) on 0
but Apache starts... I get this error when I make a request to https://secure.daftdonkey.com/service
Failure of server APACHE bridge:
No backend server available for connection: timed out after 10 seconds or idempotent set to OFF.
Looking into the log /tmp/wl-proxy.log I see....
Mon Jun 7 22:30:10 2010 <393212759749971> URLfactory Created
Mon Jun 7 22:30:10 2010 <393312759750102> ================New Request: [GET /service HTTP/1.1] =================
Mon Jun 7 22:30:10 2010 <393312759750102> INFO: SSL is configured
Mon Jun 7 22:30:10 2010 <393312759750102> Using Uri /service
Mon Jun 7 22:30:10 2010 <393312759750102> After trimming path: '/service'
Mon Jun 7 22:30:10 2010 <393312759750102> The final request string is '/service'
Mon Jun 7 22:30:10 2010 <393312759750102> parseServerList: Socket Address hostnames 'weblogic.internal.site:16101'
Mon Jun 7 22:30:10 2010 <393312759750102> Host extracted from serverlist is [weblogic.internal.site]
Mon Jun 7 22:30:10 2010 <393312759750102> parseServerList: IP from socket Address [192.168.100.15]
Mon Jun 7 22:30:10 2010 <393312759750102> Initializing lastIndex=0 for a list of length=1
Mon Jun 7 22:30:10 2010 <393312759750102> getListNode: created a new server node: id='weblogic.internal.site:16101' server_name='secure.daftdonkey.com', port='443'
Mon Jun 7 22:30:10 2010 <393312759750102> attempt #0 out of a max of 5
Mon Jun 7 22:30:10 2010 <393312759750102> Trying a pooled connection for '192.168.100.15/16101/16101'
Mon Jun 7 22:30:10 2010 <393312759750102> getPooledConn: found a host and port/securePort match
Mon Jun 7 22:30:10 2010 <393312759750102> getPooledConn: No more connections in the pool for Host[192.168.100.15] Port[16101] SecurePort[16101]
Mon Jun 7 22:30:10 2010 <393312759750102> general list: trying connect to '192.168.100.15'/16101/16101 at line 3188 for '/service'
Mon Jun 7 22:30:10 2010 <393312759750102> SSL is not configured for this connection
Mon Jun 7 22:30:10 2010 <393312759750102> Local Port of the socket is 45580
Mon Jun 7 22:30:10 2010 <393312759750102> Remote Host 192.168.100.15 Remote Port 16101
Mon Jun 7 22:30:10 2010 <393312759750102> URL::connect SSLConn for reader is not set as it is NULL
Mon Jun 7 22:30:10 2010 <393312759750102> general list: created a new connection to '192.168.100.15'/16101 for '/service', Local port:0
Mon Jun 7 22:30:10 2010 <393312759750102> Hdrs from clnt:[Host]=[secure.daftdonkey.com]
Mon Jun 7 22:30:10 2010 <393312759750102> Hdrs from clnt:[User-Agent]=[Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9 ( .NET CLR 3.5.30729)]
Mon Jun 7 22:30:10 2010 <393312759750102> Hdrs from clnt:[Accept]=[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Mon Jun 7 22:30:10 2010 <393312759750102> Hdrs from clnt:[Accept-Language]=[en-us,en;q=0.5]
Mon Jun 7 22:30:10 2010 <393312759750102> Hdrs from clnt:[Accept-Encoding]=[gzip,deflate]
Mon Jun 7 22:30:10 2010 <393312759750102> Hdrs from clnt:[Accept-Charset]=[ISO-8859-1,utf-8;q=0.7,*;q=0.7]
Mon Jun 7 22:30:10 2010 <393312759750102> Hdrs from clnt:[Keep-Alive]=[300]
Mon Jun 7 22:30:10 2010 <393312759750102> Hdrs from clnt:[Connection]=[keep-alive]
Mon Jun 7 22:30:10 2010 <393312759750102> parse_header is done
Mon Jun 7 22:30:10 2010 <393312759750102> Method is GET
Mon Jun 7 22:30:10 2010 <393312759750102> About to call parseHeaders
Mon Jun 7 22:30:10 2010 <393312759750102> URL::parseHeaders: Value of parsedHeaders = [0]
Mon Jun 7 22:30:10 2010 <393312759750102> URL::sendHeaders(): meth='GET' file='/service' protocol='HTTP/1.1'
Mon Jun 7 22:30:10 2010 <393312759750102> Hdrs to WLS: [Host]=[secure.daftdonkey.com]
Mon Jun 7 22:30:10 2010 <393312759750102> Hdrs to WLS: [User-Agent]=[Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9 ( .NET CLR 3.5.30729)]
Mon Jun 7 22:30:10 2010 <393312759750102> Hdrs to WLS: [Accept]=[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Mon Jun 7 22:30:10 2010 <393312759750102> Hdrs to WLS: [Accept-Language]=[en-us,en;q=0.5]
Mon Jun 7 22:30:10 2010 <393312759750102> Hdrs to WLS: [Accept-Encoding]=[gzip,deflate]
Mon Jun 7 22:30:10 2010 <393312759750102> Hdrs to WLS: [Accept-Charset]=[ISO-8859-1,utf-8;q=0.7,*;q=0.7]
Mon Jun 7 22:30:10 2010 <393312759750102> Hdrs to WLS: [Keep-Alive]=[300]
Mon Jun 7 22:30:10 2010 <393312759750102> Hdrs to WLS: [Connection]=[Keep-Alive]
Mon Jun 7 22:30:10 2010 <393312759750102> Hdrs to WLS: [WL-Proxy-SSL]=[true]
Mon Jun 7 22:30:10 2010 <393312759750102> Hdrs to WLS: [WL-Proxy-Client-IP]=[192.168.100.245]
Mon Jun 7 22:30:10 2010 <393312759750102> Hdrs to WLS: [Proxy-Client-IP]=[192.168.100.245]
Mon Jun 7 22:30:10 2010 <393312759750102> Hdrs to WLS: [X-Forwarded-For]=[192.168.100.245]
Mon Jun 7 22:30:10 2010 <393312759750102> Hdrs to WLS: [X-WebLogic-KeepAliveSecs]=[30]
Mon Jun 7 22:30:10 2010 <393312759750102> Hdrs to WLS: [X-WebLogic-Force-JVMID]=[unset]
Mon Jun 7 22:30:10 2010 <393312759750102> Reader::fill(): first=0 last=0 toRead=4096
Mon Jun 7 22:30:10 2010 <393312759750102> Reader::fill(): sysRecv returned -1
Mon Jun 7 22:30:10 2010 <393312759750102> *******Exception type [READ_ERROR_FROM_SERVER] (socket read failure) raised at line 251 of ../nsapi/Reader.cpp
Mon Jun 7 22:30:10 2010 <393312759750102> caught exception in readStatus: READ_ERROR_FROM_SERVER [os error=104, line 251 of ../nsapi/Reader.cpp]: socket read failure at line 963
Mon Jun 7 22:30:10 2010 <393312759750102> PROTOCOL_ERROR: Backend Server not responding - isRecycled:0
Mon Jun 7 22:30:10 2010 <393312759750102> Marking 192.168.100.15:16101 as bad
Mon Jun 7 22:30:10 2010 <393312759750102> got exception in sendRequest phase: Backend Server not responding at line 3702
Mon Jun 7 22:30:10 2010 <393312759750102> Failing over after sendRequest() exception: PROTOCOL_ERROR as Idempotent is set to ON
Mon Jun 7 22:30:10 2010 <393312759750102> attempt #1 out of a max of 5
However, connecting directly to https://192.168.100.15:16101/irm_rights is successful.
Output from orapki seems to show a valid wallet.
[root@content my-wallet]# /oracle/install/bin/orapki wallet display -wallet /oracle/secure/my-wallet/
Oracle PKI Tool : Version 11.1.1.2.0
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Trusted Certificates:
Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US
Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: CN=weblogic.internal.site,OU=FOR TESTING ONLY,O=MyOrganization,L=MyTown,ST=MyState,C=US
Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
Also the Apache log at /var/log/httpd/ssl_error_log shows:
[Mon Jun 07 23:59:03 2010] [error] [client 192.168.100.245] ap_proxy: trying GET /service/ at backend host '192.168.100.15/16101; got exception 'Backend Server not responding'
[Mon Jun 07 23:59:03 2010] [error] [client 192.168.100.245] ap_proxy: trying GET /service/ at backend host '192.168.100.15/16101; got exception 'Backend Server not responding'
[Mon Jun 07 23:59:03 2010] [error] [client 192.168.100.245] ap_proxy: trying GET /service/ at backend host '192.168.100.15/16101; got exception 'Backend Server not responding'
[Mon Jun 07 23:59:03 2010] [error] [client 192.168.100.245] ap_proxy: trying GET /service/ at backend host '192.168.100.15/16101; got exception 'Backend Server not responding'
[Mon Jun 07 23:59:03 2010] [error] [client 192.168.100.245] ap_proxy: trying GET /service/ at backend host '192.168.100.15/16101; got exception 'Backend Server not responding'
[Mon Jun 07 23:59:03 2010] [error] [client 192.168.100.245] ap_proxy: trying GET /service/ at backend host '192.168.100.15/16101; got exception 'Backend Server not responding'
Editing httpd.conf and sending traffic from Apache to WebLogic over regular HTTP works; the config is:
LoadModule weblogic_module modules/mod_wl.so
<IfModule mod_weblogic.c>
WebLogicHost weblogic.internal.site
WebLogicPort 16100
Debug ALL
# SecureProxy ON
# WLSSLWallet /oracle/secure/my-wallet
WLLogFile /tmp/wl-proxy.log
</IfModule>
Resulting detail from /tmp/wl-proxy.log:
Mon Jun 7 23:20:50 2010 <415912759780351> URLfactory Created
Mon Jun 7 23:20:50 2010 <416012759780502> ================New Request: [GET /service/ HTTP/1.1] =================
Mon Jun 7 23:20:50 2010 <416012759780502> Using Uri /service/
Mon Jun 7 23:20:50 2010 <416012759780502> After trimming path: '/service/'
Mon Jun 7 23:20:50 2010 <416012759780502> The final request string is '/service/'
Mon Jun 7 23:20:50 2010 <416012759780502> parseServerList: Socket Address hostnames 'weblogic.internal.site:16100'
Mon Jun 7 23:20:50 2010 <416012759780502> Host extracted from serverlist is [weblogic.internal.site]
Mon Jun 7 23:20:50 2010 <416012759780502> parseServerList: IP from socket Address [192.168.100.15]
Mon Jun 7 23:20:50 2010 <416012759780502> Initializing lastIndex=0 for a list of length=1
Mon Jun 7 23:20:50 2010 <416012759780502> getListNode: created a new server node: id='weblogic.internal.site:16100' server_name='secure.daftdonkey.com', port='443'
Mon Jun 7 23:20:50 2010 <416012759780502> attempt #0 out of a max of 5
Mon Jun 7 23:20:50 2010 <416012759780502> Trying a pooled connection for '192.168.100.15/16100/16100'
Mon Jun 7 23:20:50 2010 <416012759780502> getPooledConn: found a host and port/securePort match
Mon Jun 7 23:20:50 2010 <416012759780502> getPooledConn: No more connections in the pool for Host[192.168.100.15] Port[16100] SecurePort[16100]
Mon Jun 7 23:20:50 2010 <416012759780502> general list: trying connect to '192.168.100.15'/16100/16100 at line 3188 for '/service/'
Mon Jun 7 23:20:50 2010 <416012759780502> SSL is not configured for this connection
Mon Jun 7 23:20:50 2010 <416012759780502> Local Port of the socket is 56647
Mon Jun 7 23:20:50 2010 <416012759780502> Remote Host 192.168.100.15 Remote Port 16100
Mon Jun 7 23:20:50 2010 <416012759780502> URL::connect SSLConn for reader is not set as it is NULL
Mon Jun 7 23:20:50 2010 <416012759780502> general list: created a new connection to '192.168.100.15'/16100 for '/service/', Local port:0
Mon Jun 7 23:20:50 2010 <416012759780502> Hdrs from clnt:[Host]=[secure.daftdonkey.com]
Mon Jun 7 23:20:50 2010 <416012759780502> Hdrs from clnt:[User-Agent]=[Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9 ( .NET CLR 3.5.30729)]
Mon Jun 7 23:20:50 2010 <416012759780502> Hdrs from clnt:[Accept]=[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Mon Jun 7 23:20:50 2010 <416012759780502> Hdrs from clnt:[Accept-Language]=[en-us,en;q=0.5]
Mon Jun 7 23:20:50 2010 <416012759780502> Hdrs from clnt:[Accept-Encoding]=[gzip,deflate]
Mon Jun 7 23:20:50 2010 <416012759780502> Hdrs from clnt:[Accept-Charset]=[ISO-8859-1,utf-8;q=0.7,*;q=0.7]
Mon Jun 7 23:20:50 2010 <416012759780502> Hdrs from clnt:[Keep-Alive]=[300]
Mon Jun 7 23:20:50 2010 <416012759780502> Hdrs from clnt:[Connection]=[keep-alive]
Mon Jun 7 23:20:50 2010 <416012759780502> Hdrs from clnt:[Cookie]=[JSESSIONID=YF4nMNfZ3lJ5ZrVV9HGpKwj3hf12yRvlf4zksQf6pkKx2LhJ2ywY!34167467]
Mon Jun 7 23:20:50 2010 <416012759780502> parse_header is done
Mon Jun 7 23:20:50 2010 <416012759780502> Method is GET
Mon Jun 7 23:20:50 2010 <416012759780502> About to call parseHeaders
Mon Jun 7 23:20:50 2010 <416012759780502> URL::parseHeaders: Value of parsedHeaders = [0]
Mon Jun 7 23:20:50 2010 <416012759780502> URL::sendHeaders(): meth='GET' file='/service/' protocol='HTTP/1.1'
Mon Jun 7 23:20:50 2010 <416012759780502> Hdrs to WLS: [Host]=[secure.daftdonkey.com]
Mon Jun 7 23:20:50 2010 <416012759780502> Hdrs to WLS: [User-Agent]=[Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9 ( .NET CLR 3.5.30729)]
Mon Jun 7 23:20:50 2010 <416012759780502> Hdrs to WLS: [Accept]=[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Mon Jun 7 23:20:50 2010 <416012759780502> Hdrs to WLS: [Accept-Language]=[en-us,en;q=0.5]
Mon Jun 7 23:20:50 2010 <416012759780502> Hdrs to WLS: [Accept-Encoding]=[gzip,deflate]
Mon Jun 7 23:20:50 2010 <416012759780502> Hdrs to WLS: [Accept-Charset]=[ISO-8859-1,utf-8;q=0.7,*;q=0.7]
Mon Jun 7 23:20:50 2010 <416012759780502> Hdrs to WLS: [Keep-Alive]=[300]
Mon Jun 7 23:20:50 2010 <416012759780502> Hdrs to WLS: [Cookie]=[JSESSIONID=YF4nMNfZ3lJ5ZrVV9HGpKwj3hf12yRvlf4zksQf6pkKx2LhJ2ywY!34167467]
Mon Jun 7 23:20:50 2010 <416012759780502> Hdrs to WLS: [Connection]=[Keep-Alive]
Mon Jun 7 23:20:50 2010 <416012759780502> Hdrs to WLS: [WL-Proxy-SSL]=[true]
Mon Jun 7 23:20:50 2010 <416012759780502> Hdrs to WLS: [WL-Proxy-Client-IP]=[192.168.100.245]
Mon Jun 7 23:20:50 2010 <416012759780502> Hdrs to WLS: [Proxy-Client-IP]=[192.168.100.245]
Mon Jun 7 23:20:50 2010 <416012759780502> Hdrs to WLS: [X-Forwarded-For]=[192.168.100.245]
Mon Jun 7 23:20:50 2010 <416012759780502> Hdrs to WLS: [X-WebLogic-KeepAliveSecs]=[30]
Mon Jun 7 23:20:50 2010 <416012759780502> Hdrs to WLS: [X-WebLogic-Force-JVMID]=[unset]
Mon Jun 7 23:20:50 2010 <416012759780502> Reader::fill(): first=0 last=0 toRead=4096
Mon Jun 7 23:20:50 2010 <416012759780502> Reader::fill(): sysRecv returned 568
Mon Jun 7 23:20:50 2010 <416012759780502> URL::parseHeaders: CompleteStatusLine set to [HTTP/1.1 302 Moved Temporarily]
Mon Jun 7 23:20:50 2010 <416012759780502> URL::parseHeaders: StatusLine set to [302 Moved Temporarily]
Mon Jun 7 23:20:50 2010 <416012759780502> Hdrs from WLS:[Date]=[Tue, 08 Jun 2010 06:20:50 GMT]
Mon Jun 7 23:20:50 2010 <416012759780502> Hdrs from WLS:[Transfer-Encoding]=[chunked]
Mon Jun 7 23:20:50 2010 <416012759780502> Hdrs from WLS:[Location]=[https://secure.daftdonkey.com/service/faces/LoginPage.jspx]
Mon Jun 7 23:20:50 2010 <416012759780502> Hdrs from WLS:[X-WebLogic-JVMID]=[34167467]
Mon Jun 7 23:20:50 2010 <416012759780502> Hdrs from WLS:[X-Powered-By]=[Servlet/2.5 JSP/2.1]
Mon Jun 7 23:20:50 2010 <416012759780502> parsed all headers OK
Mon Jun 7 23:20:50 2010 <416012759780502> done with sendRequest
Mon Jun 7 23:20:50 2010 <416012759780502> sendResponse() : r->status = '302'
Mon Jun 7 23:20:50 2010 <416012759780502> Hdrs to client (add):[Date]=[Tue, 08 Jun 2010 06:20:50 GMT]
Mon Jun 7 23:20:50 2010 <416012759780502> Hdrs to client (add):[Location]=[https://secure.daftdonkey.com/service/faces/LoginPage.jspx]
Mon Jun 7 23:20:50 2010 <416012759780502> for 192.168.100.15/16100/16100, updated JVMID: 34167467
Mon Jun 7 23:20:50 2010 <416012759780502> Hdrs to client (add):[X-Powered-By]=[Servlet/2.5 JSP/2.1]
Mon Jun 7 23:20:50 2010 <416012759780502> calling closeConn() with non-null URL* at 3826
Mon Jun 7 23:20:50 2010 <416012759780502> canRecycle: conn=1 status=302 isKA=1 clen=-1 isCTE=1
Mon Jun 7 23:20:50 2010 <416012759780502> closeConn: pooling for '192.168.100.15/16100'
Mon Jun 7 23:20:50 2010 <416012759780502> closeConn: pooling '0'
Mon Jun 7 23:20:50 2010 <416012759780502> request [irm_rights/] processed successfully..................
Mon Jun 7 23:20:50 2010 <415912759780351> Cleaning up the list node 'weblogic.internal.site:16100' list Length '1'
I found the answer to this. The documentation is not clear enough: LD_LIBRARY_PATH MUST be set and MUST point to the directory where the SSL .so modules are. I wrote up a blog article explaining the configuration and detailing this issue.
http://blogs.oracle.com/irm/2010/06/quick_guide_to_oracle_irm_11g_1.html -
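To catch this failure mode from the logs rather than by reading every Debug ALL line, here is an added Python script (not part of the thread and not Oracle's code) that groups wl-proxy.log lines by their request id and pairs them with the Apache error_log: it flags requests where the plug-in reported "SSL is configured" and then opened the backend socket with "SSL is not configured for this connection", which is exactly what the log above shows before LD_LIBRARY_PATH was fixed. The sample lines are constructed to mirror the thread's output.

```python
"""Flag mod_wl SSL-init failures and cleartext fallbacks in the plug-in logs.

Added example, not code from the thread or from Oracle. It scans the Apache
error_log for "WL SSL Init failed" and the mod_wl Debug ALL log
(/tmp/wl-proxy.log), whose lines carry a request id in angle brackets.
The sample lines below are constructed to mirror the thread's output.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# "Mon Jun 7 22:30:10 2010 <393312759750102> message"
_WL_LINE = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} <(?P<rid>\d+)> (?P<msg>.*)$")
_REMOTE = re.compile(r"^Remote Host (?P<host>\S+) Remote Port (?P<port>\d+)$")
_SSL_INIT_FAILED = re.compile(r"WL SSL Init failed")


@dataclass
class RequestTrace:
    rid: str
    request: str = ""
    ssl_configured: bool = False     # plug-in logged "INFO: SSL is configured"
    cleartext_connect: bool = False  # "SSL is not configured for this connection"
    backend_error: bool = False      # read error / backend not responding
    remote: Optional[str] = None     # host:port the socket was actually opened to


def parse_wl_log(lines: Iterable[str]) -> List[RequestTrace]:
    """Group wl-proxy.log lines by request id and record the SSL-relevant events."""
    traces: Dict[str, RequestTrace] = {}
    for line in lines:
        m = _WL_LINE.match(line.rstrip("\n"))
        if not m:
            continue
        t = traces.setdefault(m["rid"], RequestTrace(m["rid"]))
        msg = m["msg"]
        remote = _REMOTE.match(msg)
        if msg.startswith("================New Request:"):
            t.request = msg.split("[", 1)[1].split("]", 1)[0]
        elif msg == "INFO: SSL is configured":
            t.ssl_configured = True
        elif msg == "SSL is not configured for this connection":
            t.cleartext_connect = True
        elif remote:
            t.remote = f"{remote['host']}:{remote['port']}"
        elif "READ_ERROR_FROM_SERVER" in msg or "Backend Server not responding" in msg:
            t.backend_error = True
    return list(traces.values())


def find_ssl_fallbacks(traces: Iterable[RequestTrace]) -> List[RequestTrace]:
    """Requests where SecureProxy was ON but the socket was opened without SSL."""
    return [t for t in traces if t.ssl_configured and t.cleartext_connect]


def find_ssl_init_failures(error_log: Iterable[str]) -> List[str]:
    """Apache error_log lines reporting the plug-in's SSL initialisation failure."""
    return [l.strip() for l in error_log if _SSL_INIT_FAILED.search(l)]


def report(wl_lines: Iterable[str], error_lines: Iterable[str]) -> List[str]:
    """Findings as text lines, returned rather than only printed so they can be checked."""
    out = [f"error_log: {l}" for l in find_ssl_init_failures(error_lines)]
    for t in find_ssl_fallbacks(parse_wl_log(wl_lines)):
        note = ", backend did not answer" if t.backend_error else ""
        out.append(f"request <{t.rid}> {t.request!r} sent in cleartext to {t.remote}{note}")
    return out


# Constructed sample lines shaped like the thread's logs: one request made with
# SecureProxy ON (SSL init had failed) and one over plain HTTP to port 16100.
SAMPLE_WL_LOG = """\
Mon Jun 7 22:30:10 2010 <393312759750102> ================New Request: [GET /service HTTP/1.1] =================
Mon Jun 7 22:30:10 2010 <393312759750102> INFO: SSL is configured
Mon Jun 7 22:30:10 2010 <393312759750102> SSL is not configured for this connection
Mon Jun 7 22:30:10 2010 <393312759750102> Remote Host 192.168.100.15 Remote Port 16101
Mon Jun 7 22:30:10 2010 <393312759750102> *******Exception type [READ_ERROR_FROM_SERVER] (socket read failure) raised at line 251 of ../nsapi/Reader.cpp
Mon Jun 7 23:20:50 2010 <416012759780502> ================New Request: [GET /service/ HTTP/1.1] =================
Mon Jun 7 23:20:50 2010 <416012759780502> SSL is not configured for this connection
Mon Jun 7 23:20:50 2010 <416012759780502> Remote Host 192.168.100.15 Remote Port 16100
Mon Jun 7 23:20:50 2010 <416012759780502> URL::parseHeaders: StatusLine set to [302 Moved Temporarily]
""".splitlines()
SAMPLE_ERROR_LOG = [
    "[Mon Jun 07 23:00:48 2010] [crit] (20014)Internal error: WL SSL Init failed for server: (null) on 0",
    "[Mon Jun 07 23:00:49 2010] [notice] Apache configured -- resuming normal operations",
]

if __name__ == "__main__":
    for finding in report(SAMPLE_WL_LOG, SAMPLE_ERROR_LOG):
        print(finding)
```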
WLS 10.0 Mp1 - Weblogic startup class to initialize client's SSL channels
Hi,
Is it possible to use Weblogic startup class to initialize client's SSL channels?
Any pointers are appreciated.
Thanks in advance.
Hey,
If possible, can you explain the issue in detail?
What do you mean by “initialize client's SSL channels”?
Regards,
Hussain -
Can I query for WL-Proxy-SSL header?
I want to be able to enforce certain pages to be loaded via https.
Is it ok to query for the WL-Proxy-SSL header in order to detect if a request
was via https, or is there a better way? I cannot find any documentation on this.
TIA,
-graham
You should read the Servlet spec, Graham:
ServletRequest.isSecure() returns true and ServletRequest.getScheme() returns https
Glad to be of help ;)
-graham
"Graham Lyus" <[email protected]> wrote:
>
> I want to be able to enforce certain pages to be loaded via https.
> Is it ok to query for the WL-Proxy-SSL header in order to detect if a request
> was via https, or is there a better way? I cannot find any documentation on this.
> TIA,
> -graham -
Does Weblogic 8.1 use Apache web service libraries
Does Weblogic 8.1 use Apache web service libraries ? I've been pressured to include the apache web service libraries, but have been resistant. I was later told by those wanting me to include the apache libraries that weblogic uses the apache libraries, but I have not found any evidence of it.
Can someone confirm or deny this?
Thanks,
Eddie
Hosting an Apache web service inside WLS is basically deploying the Apache service as a webapp in WLS, and in the webapp's WEB-INF\lib folder you would have the Apache libraries.
Regards
Shridhar -
Configuring a Apache Reverse Proxy for OracleAS Portal and OracleAS Single
I'm trying to implement my Oracle Portal 10g Release 2 with a reverse proxy (Apache 2.2) as described in this link: http://download.oracle.com/docs/cd/B14099_19/core.1012/b13998/variants.htm#BEIFECEH without success. I have Oracle Portal, Oracle SSO and OID in the same domain and the Apache reverse proxy in another domain. Has anyone had success using OracleAS Portal with a reverse proxy?
First of all I'm trying to configure a reverse proxy only for Oracle SSO (infra tier). Here is what I have already done:
APACHE REVERSE PROXY (Apache 2.2)
http://proxy.mycompany.com:80
ProxyRequests off
ProxyPassInterpolateEnv On
ProxyPass / http://portal.tech.everett.it:7777/
ProxyPassReverse / http://portal.tech.everett.it:7777/
ProxyPreserveHost On
ORACLE SSO
http://portal.mycompany.com:7777
Here are the steps I have already done:
1- CONFIG OID
Create an LDIF file called setdasurl.ldif and insert the following:
dn: cn=OperationURLs,cn=DAS,cn=Products,cn=OracleContext
changetype: modify
replace: orcldasurlbase
orcldasurlbase: http://proxy.mycompany.com/
Then run ldapmodify as follows:
ldapmodify -x -h portal.mycompany.com -p 3060 -D "cn=orcladmin" -w password1 -v -f setdasurl.ldif
2- CONFIG ORA SSO (as gentjan user)
export ORACLE_HOME=/home/gentjan/product/10.1.2/OracleAS/infra/
2.1- Configure the Apache config of ORA SSO
vi $ORACLE_HOME/Apache/Apache/conf/httpd.conf
change from:
ServerName portal.mycompany.com
Port 7777
KeepAlive On
to:
ServerName proxy.mycompany.com
Port 80
KeepAlive Off
and add at the end of httpd.conf
RewriteEngine On
RewriteOptions inherit
2.2- update DCM Repository (as root)
$ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct HTTP_Server -v -d
2.3- modify SSO Server Home URL to reverse proxy hostname and port (as root)
$ORACLE_HOME/sso/bin/ssocfg.sh http proxy.mycompany.com 80
2.4- Updating the targets.xml File
Open the ORACLE_HOME/sysman/emd/targets.xml file and locate the target type oracle_sso_server.
vi $ORACLE_HOME/sysman/emd/targets.xml
Update the HTTPMachine and HTTPPort attributes with the proxy server host and port attributes that were passed to ssocfg. For example:
<Property NAME="HTTPMachine" VALUE="proxy.mycompany.com"/>
<Property NAME="HTTPPort" VALUE="80"/>
<Property NAME="HTTPProtocol" VALUE="http"/>
Save and close the file.
Reload the Application Server Control Console by issuing this command (as gentjan):
$ORACLE_HOME/bin/emctl reload
2.5- Re-register mod_osso on SSO Middle-tier with reverse proxy hostname and port
Some needed permissions:
chmod -R 775 /home/gentjan/product/10.1.2/OracleAS/infra/dcm/
Re-register mod_osso (as gentjan)
$ORACLE_HOME/sso/bin/ssoreg.sh -oracle_home_path /home/gentjan/product/10.1.2/OracleAS/infra -site_name infra.proxy.mycompany.com -config_mod_osso TRUE -mod_osso_url http://proxy.mycompany.com:80 -update_mode MODIFY
2.6- update DCM Repository (as root)
$ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct HTTP_Server -v -d
2.7- Restart OC4J_Security and Oracle HTTP Server at Infrastructure tier
$ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
$ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
After these modifications my reverse proxy is OK.
I can access http://proxy.mycompany.com:80 and this redirects me to the Oracle Application Server Welcome page.
If I try http://proxy.mycompany.com/pls/orasso/orasso.home, I can view the SSO Server Home page.
The problem I find is when I click through to the Login page for Oracle SSO.
I get the following error:
Forbidden You don't have permission to access /pls/orasso/ORASSO.wwsec_app_priv.login on this server.
So, in other words, I can't do login/logout under the reverse proxy. Can anyone help?
Gentjan -
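The procedure above writes the same external address (the reverse proxy's host and port) into four places: the orcldasurlbase attribute in OID, ServerName/Port in the SSO tier's httpd.conf, the HTTPMachine/HTTPPort properties in targets.xml, and the -mod_osso_url given to ssoreg.sh. Here is an added Python check (not from the post or from Oracle) that extracts each of them and reports any that disagree, which is the first thing worth ruling out when one URL in the flow still points at the backend; the inputs are constructed excerpts shaped like the post's files, including a stale httpd.conf case.

```python
"""Cross-check the proxy host/port across the SSO reverse-proxy settings.

Added example, not from the original post. Inputs are constructed excerpts
in the shape shown in the post (LDIF, httpd.conf, targets.xml, ssoreg.sh
command line); only the host and port are compared.
"""
import re
from typing import Dict, Tuple
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

Endpoint = Tuple[str, int]   # (host, port) as the browser must see it


def _from_url(url: str) -> Endpoint:
    u = urlsplit(url)
    return u.hostname, u.port or (443 if u.scheme == "https" else 80)


def endpoint_from_ldif(ldif: str) -> Endpoint:
    """orcldasurlbase value from the setdasurl.ldif modify block."""
    m = re.search(r"^orcldasurlbase:\s*(\S+)", ldif, re.M)
    if not m:
        raise ValueError("orcldasurlbase not found in LDIF")
    return _from_url(m.group(1))


def endpoint_from_httpd_conf(conf: str) -> Endpoint:
    """ServerName and Port directives of the SSO tier's httpd.conf."""
    name = re.search(r"^\s*ServerName\s+(\S+)", conf, re.M)
    port = re.search(r"^\s*Port\s+(\d+)", conf, re.M)
    if not (name and port):
        raise ValueError("ServerName/Port not found in httpd.conf")
    return name.group(1), int(port.group(1))


def endpoint_from_targets_xml(xml_text: str) -> Endpoint:
    """HTTPMachine/HTTPPort properties of the oracle_sso_server target."""
    for target in ET.fromstring(xml_text).iter("Target"):
        if target.get("TYPE") == "oracle_sso_server":
            props = {p.get("NAME"): p.get("VALUE") for p in target.iter("Property")}
            return props["HTTPMachine"], int(props["HTTPPort"])
    raise ValueError("no oracle_sso_server target in targets.xml")


def endpoint_from_ssoreg(cmdline: str) -> Endpoint:
    """The -mod_osso_url argument passed to ssoreg.sh."""
    m = re.search(r"-mod_osso_url\s+(\S+)", cmdline)
    if not m:
        raise ValueError("-mod_osso_url not found")
    return _from_url(m.group(1))


def check_consistency(ldif: str, httpd_conf: str, targets_xml: str,
                      ssoreg_cmd: str) -> Dict[str, Endpoint]:
    """Sources whose host:port differs from the OID value; empty when all agree."""
    found = {
        "oid": endpoint_from_ldif(ldif),
        "httpd.conf": endpoint_from_httpd_conf(httpd_conf),
        "targets.xml": endpoint_from_targets_xml(targets_xml),
        "ssoreg": endpoint_from_ssoreg(ssoreg_cmd),
    }
    ref = found["oid"]
    return {k: v for k, v in found.items() if v != ref}


# Constructed excerpts shaped like the post's files.
SAMPLE_LDIF = """dn: cn=OperationURLs,cn=DAS,cn=Products,cn=OracleContext
changetype: modify
replace: orcldasurlbase
orcldasurlbase: http://proxy.mycompany.com/
"""
GOOD_HTTPD_CONF = "ServerName proxy.mycompany.com\nPort 80\nKeepAlive Off\n"
STALE_HTTPD_CONF = "ServerName portal.mycompany.com\nPort 7777\nKeepAlive On\n"
SAMPLE_TARGETS_XML = """<Targets>
  <Target TYPE="oracle_sso_server" NAME="infra_sso">
    <Property NAME="HTTPMachine" VALUE="proxy.mycompany.com"/>
    <Property NAME="HTTPPort" VALUE="80"/>
    <Property NAME="HTTPProtocol" VALUE="http"/>
  </Target>
</Targets>
"""
SAMPLE_SSOREG = ("ssoreg.sh -site_name infra.proxy.mycompany.com -config_mod_osso TRUE "
                 "-mod_osso_url http://proxy.mycompany.com:80 -update_mode MODIFY")

if __name__ == "__main__":
    print("all updated:", check_consistency(SAMPLE_LDIF, GOOD_HTTPD_CONF, SAMPLE_TARGETS_XML, SAMPLE_SSOREG))
    print("stale httpd.conf:", check_consistency(SAMPLE_LDIF, STALE_HTTPD_CONF, SAMPLE_TARGETS_XML, SAMPLE_SSOREG))
```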
FTP Proxy not being denied (and some other questions)
I have a simple BM37+NW6SP5 test server for testing rules prior to moving them to production (2x BM38+NW65SP6). Recently we tried to block all access to FTP sites and allow only a select group of users access. The rules on the test proxy looked something like this:
1. Action: Deny / Source: Any / Access: URL / Dest: SurfControl
2. Action: Allow / Source: FTP_User_Group / Access: FTP Proxy / Dest: Any
3. Action: Allow / Source: WWW_User_Group / Access: URL / Dest: Any URL
Default Rule:
4. Action: Deny / Source: Any / Access: Any / Dest: Any
Yet with this setup, anybody in the WWW_User_Group (but not in the FTP_User_Group) was able to access FTP. I temporarily closed the hole by doing this ruleset:
1. Action: Deny / Source: Any / Access: URL / Dest: SurfControl
2. Action: Allow / Source: FTP_User_Group / Access: FTP Proxy / Dest: Any
3. Action: Deny / Source: Any / Access: FTP Proxy / Dest: Any
4. Action: Allow / Source: WWW_User_Group / Access: URL / Dest: Any URL
Default Rule:
5. Action: Deny / Source: Any / Access: Any / Dest: Any
I don't understand why I have to explicitly deny access to FTP Proxy for this to work. I think the rule that grants access to URL for WWW_User_Group is also allowing FTP access. If I turn that rule into a Deny rule in the first ruleset, it denies all FTP (as well as all HTTP).
Also, we are using SurfControl to block access to certain categories. I read that the URL rule only affects port 80 requests (which would seem weird when it's affecting my FTP proxy over port 21 above). How would I go about blocking those same categories over HTTPS?
Finally, does anybody have any general guidelines on how many rules should exist in a typical medium business BM environment (assuming modern hardware)? I'm trying to get the customer to avoid adding so many ad hoc rules, as the production environment is pretty complex, which is why I am testing on a test proxy with few rules to avoid accidental rule overlap. I'm going to have to do an audit of their existing production environment and prefer the KISS principle when it comes to rule definitions.
P.S. Since most sites require both an HTTP and an HTTPS rule, almost every desired "rule" in BM needs to be repeated twice to allow (or deny) secure communication, as most websites switch to SSL from the launcher (non-SSL) parent page. The rulebase expands quite quickly and gets confusing due to this.
cam wrote:
> Perhaps I should have said that this was being tested using normal dos
> FTP. Open a command prompt, type FTP proxyservername, open
> [email protected](for example), etc... no browser involved, but
> that does bring up another point of WHY do I need a dozen rules to block
> access to a single site over a single protocol?
Then you're doing something wrong or you're not telling the whole
settings. Your rule was calling NDS groups, so you need authentication
enabled and the checkbox for "Authenticate only when user......."
unchecked. Then the syntax, once you open the connection to the FTP proxy,
is ndsusername@[email protected]. In your example there is no
NDS authentication.
You do not need ANY rule to block a single site. The default rule will
do for you. If you do not make a specific allow one, then sites will be
blocked.
> Even if I use a web
> browser and access it as ftp://, it should use the FTP protocol, not
> the HTTP protocol.
When your browser is configured to go through the proxy and you access an FTP
site, you'll hit two situations with IE:
1. With default settings, IE will use its built-in mini FTP client and
try to access the FTP site directly. That can fail if there is a
firewall stopping this traffic, as it will bypass BM.
2. If the option "enable FTP folder view" is unchecked and the "use PASV
FTP..." one checked, IE will encapsulate FTP traffic into HTTP and send it
to Border, to the HTTP proxy. So BM gets HTTP traffic, removes the HTTP
envelope and makes an FTP connection to the FTP server. But to apply
rules, this is HTTP traffic through the HTTP proxy. A single LAN trace on the
server will show you this behavior.
Firefox always uses the configured proxy settings.
> Regarding the point you bring up about HTTPS, I can't wrap my mind
> around how if this is true, we can still keep things secure and safe.
> Let's look at a single website, www.novell.com. The novell.com domain
> is not listed in a SurfControl category filter that places would
> normally block. Therefore most approved internet users would be able
> to access it. Now let's say you go to www.novell.com and log into the
> user portal; it switches to HTTPS! Without an allow port 443 rule,
> this should fail then. However, if that's the case, I need to know
> that this website needs access to port 443, so I am forced to manage
> another rule for port 443. This rules destination filter will grow to
> thousands if not millions of websites as almost every valid website
> known to man requires HTTPS if they want you to create a login on their
> site. This is unmanageable.
You're exaggerating here. You will indeed need a port 443 rule, but this
is how it works. SSL traffic and normal HTTP traffic are two very
different things. But with a single allow-all port 443 rule you can
accomplish it here. Read below.
> So you're solution is to create a Destination ALL rule for Port 443.
> While this removes the need to manage a list of millions of websites,
> it now opens you to all the vicious websites (domains listed in blocked
> categories in SurfControl for example) which use https. My company pays
> Websense thousands of dollars a year to block certain categories of
> websites, but if any of those websites use HTTPS, based on what you are
> telling me it seems it is impossible to block it using SurfControl since
> the Deny Port rule does not allow a Destination of ANY third party
> filter.
The allow-all port 443 rule has to be placed after the SurfControl one and
after any other third-party rule, Websense or whatever you use to block
specific sites. That means the allow-all port 443 rule will only be hit
if SurfControl and the other rules above it did not find a match. If a
match is found, BM applies that rule and stops reading, so if it hits a site
that Websense or SF blocks, it will block it, regardless of the allow-all
port 443 rule.
Also, you can make an allow port 443 rule with a domain name destination, just
for a specific destination.
If sites are in the blocked category for SF then they will be blocked. You
can go to the SF website and check it, and if it is not blocked then it is an SF
problem, not a BM one, and you should contact them.
Gonzalo
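The replies above turn on first-match evaluation: the first rule whose source, access type and destination all match is applied and the rest are not read, so the position of an allow-all port 443 rule relative to the category deny decides whether a blocked site is reachable over HTTPS. Here is an added Python model of that evaluation (not from the thread and not BorderManager's real engine) using the thread's own rule and group names; it walks the FTP cases the reply distinguishes (command-line FTP with no NDS authentication, an FTP_User_Group member, and IE wrapping ftp:// inside HTTP) and the two 443 rule orderings. The one assumption is that the category deny rule applies to both HTTP and SSL traffic, as the reply says it does.

```python
"""First-match evaluation of BorderManager-style access rules.

Added example, not from the thread: a simplified model of the semantics the
reply above describes (first matching rule wins, default rule last), not
BorderManager's actual engine. Rule and group names are the thread's; the
requests are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

ANY = "Any"
CATEGORY_FILTER = "SurfControl"


@dataclass(frozen=True)
class Rule:
    action: str   # "Allow" or "Deny"
    source: str   # NDS group name, or ANY
    access: str   # "URL" (HTTP proxy), "FTP Proxy", "Port 443", or ANY
    dest: str     # CATEGORY_FILTER, a host name, or ANY


@dataclass(frozen=True)
class Request:
    groups: frozenset   # NDS groups of the authenticated user; empty if none
    access: str         # the proxy/service the traffic actually arrived on
    host: str
    in_blocked_category: bool = False   # the category filter's verdict on host


def rule_matches(rule: Rule, req: Request) -> bool:
    if rule.source != ANY and rule.source not in req.groups:
        return False
    if rule.access != ANY and rule.access != req.access:
        return False
    if rule.dest == CATEGORY_FILTER:
        return req.in_blocked_category
    return rule.dest == ANY or rule.dest == req.host


def evaluate(rules: Iterable[Rule], req: Request) -> Tuple[str, Optional[int]]:
    """(action, 1-based index of the rule that fired); stops at the first match."""
    for i, rule in enumerate(rules, start=1):
        if rule_matches(rule, req):
            return rule.action, i
    return "Deny", None   # nothing matched and no default rule was listed


DEFAULT_DENY = Rule("Deny", ANY, ANY, ANY)

# The original poster's first ruleset, as listed.
RULESET_1 = [
    Rule("Deny", ANY, "URL", CATEGORY_FILTER),
    Rule("Allow", "FTP_User_Group", "FTP Proxy", ANY),
    Rule("Allow", "WWW_User_Group", "URL", ANY),
    DEFAULT_DENY,
]

# Assumption: the category deny covers both proxies (access ANY).
CATEGORY_DENY = Rule("Deny", ANY, ANY, CATEGORY_FILTER)
ALLOW_443 = Rule("Allow", ANY, "Port 443", ANY)
HTTPS_DENY_FIRST = [CATEGORY_DENY, ALLOW_443, DEFAULT_DENY]
HTTPS_ALLOW_FIRST = [ALLOW_443, CATEGORY_DENY, DEFAULT_DENY]


def ftp_cases():
    """The FTP situations the reply distinguishes, evaluated against RULESET_1."""
    cli_no_nds = Request(frozenset(), "FTP Proxy", "ftp.example.test")
    ftp_member = Request(frozenset({"FTP_User_Group"}), "FTP Proxy", "ftp.example.test")
    # IE with "use PASV FTP" wraps ftp:// in HTTP, so the HTTP proxy sees URL traffic.
    ie_wrapped = Request(frozenset({"WWW_User_Group"}), "URL", "ftp.example.test")
    return {
        "cli_without_nds_auth": evaluate(RULESET_1, cli_no_nds),
        "ftp_group_member": evaluate(RULESET_1, ftp_member),
        "www_user_ftp_inside_http": evaluate(RULESET_1, ie_wrapped),
    }


def https_cases():
    """Why the allow-all 443 rule must sit below the category deny."""
    blocked = Request(frozenset({"WWW_User_Group"}), "Port 443", "blocked.example.test", True)
    portal = Request(frozenset({"WWW_User_Group"}), "Port 443", "www.novell.com")
    return {
        "blocked_site_deny_first": evaluate(HTTPS_DENY_FIRST, blocked),
        "blocked_site_allow_first": evaluate(HTTPS_ALLOW_FIRST, blocked),
        "novell_login_deny_first": evaluate(HTTPS_DENY_FIRST, portal),
    }


if __name__ == "__main__":
    for name, result in {**ftp_cases(), **https_cases()}.items():
        print(f"{name}: {result}")
```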