How To Configure Apache With SSL Certificates To Forward Requests To WebLogic Se

kution

Applies to:
Oracle Weblogic Server – Version: 8.1 to 10.3.3
Information in this document applies to any platform.

Goal
Detailed steps to configure Apache with SSL in a WLS environment.

This process will successfully setup SSL communication between the client (browser) and the Apache Web Server as well as SSL (https) communication between the Apache Web Server and the WebLogic Server.

At a high level, the following steps are implemented:

Create a valid certificate from Verisign
Configure Apache plugin to use SSL using the new certificate
Configure WLS to use the new certificate
Test SSL proxy request to WLS
Solution
Apache configuration
Install apache 2.2.
Include the following in httpd.conf file:
LoadModule weblogic_module modules/mod_wl_22.so
Copy the mod_wl_22.so from the folder: <WebLogic_Home>\server\plugin\win\32 to
<Apache_Home>\modules.
Uncomment LoadModule ssl_module modules/mod_ssl.so in httpd.conf
Include Include conf/extra/httpd-ssl.conf must be uncommented.
Now run the following commands in apache:
>> set OPENSSL_CONF=F:\apache2.2\conf\openssl.cnf
>> openssl genrsa -des3 -out localhost.key 1024
Enter pass phrase:
>> openssl req -new -key localhost.key -out localhost.csr
It will generate the csr file. Place the csr file in a particular folder.

Goto verisign website and enter personal information. It will ask for csr. Pls enter the above csr and the root CN information.
Verisign will send a mail with intermediate certificate, public certificate and root CA.
Once included, you must comment for windows.
#SSLPassPhraseDialog builtin
Include the following:
SSLCertificateFile “<dir>/public.crt” => save this from the email sent by verisign
SSLCertificateKeyFile “<dir>/localhost.key”
SSLCertificateChainFile “<dir>/intermediate.crt”
And comment other similar entries.
Test https://localhost/index.html: it will work.
WebLogic Server Configuration
Generate a private key
jdk_home\bin\keytool -genkey -alias <your_alias_name> -keyalg RSA -keystore <your_keystore_filename>
Generate a certificate request (csr file)
jdk_home\bin\keytool -certreq -keyalg RSA -alias <your_alias_name> -file certreq.csr -keystore <your_keystore_filename>
Paste the csr file and get the trail certificate(save as public.pem) and intermediate CA (save
as intermediate.pem) and Root CA(save as CA.pem) from the email sent from Verisign website.
Import root CA into keystore:
keytool -import -alias verisignCA -file CA.pem -keystore <your_keystore_filename> -trustcacerts
Import intermediate CA into keystore:
keytool -import -alias verisignIntermediateCA -file Intermediate.pem -keystore <your_keystore_filename> -trustcacerts
Import the public key into your keystore. It will go on the same alias as the private key:
keytool -import -alias <your_alias_name> -file public.pem -keystore <your_keystore_filename> -trustcacerts
To view the keystore:
keytool -list -keystore mykeystore.jks -v
From the Admin console, go to your server page, and in the Keystore & SSL tab choose:
Custom Identity and Custom Trust
Custom Identity
Custom Identity Key Store File Name: <your_keystore_filename>
Custom Identity Key Store Type: jks
Custom Identity Key Store Pass Phrase: <your password>
Confirm Custom Identity Key Store Pass Phrase: <your password>
Custom Trust
Custom Trust Key Store File Name: <your_keystore_filename>
Custom Trust Key Store Type: jks
Custom Trust Key Store Pass Phrase: <your password>
Confirm Custom Trust Key Store Pass Phrase: <your password>
Private Key Alias: <your_alias_name>
Passphrase: password
Confirm Passphrase: password
Restart your server and now try https://localhost:7002/console
You should see the following while server starts up:
<Aug 4, 2009 7:19:17 PM GMT+05:30> <Notice> <WebLogicServer> <BEA-000298>
<Certificate expires in 14 days: [
[
Version: V3
Subject: CN=localhost, OU=Terms of use at www.verisign.com/cps/testca (c)05, OU=oracle,
O=oracle, L=BANG, ST=KA, C=IN
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Key: Sun RSA public key, 1024 bits
modulus:
1005070948376358074374236852403785592182590705370591472921278852507162691666556315447504840297044217
406796806
8632923437196828010145594050195432044329126731123133367158479667242853741709746093197774813648593717
91639176198708507422
56868100626678565588940082002286028558797528920106552889565563824202336798115363
public exponent: 65537
Validity: [From: Tue Aug 04 05:30:00 GMT+05:30 2009,
To: Wed Aug 19 05:29:59 GMT+05:30 2009]
Issuer: CN=VeriSign Trial Secure Server CA - G2, OU=Terms of use at
https://www.verisign.com/cps/testca (c)09, OU="For
Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
SerialNumber: [ 5f8db365 ede6fd4b fbd717f2 48b0804f]

Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 62 30 60 A1 5E A0 5C 30 5A 30 58 30 56 16 09 .b0`.^.\0Z0X0V..
0010: 69 6D 61 67 65 2F 67 69 66 30 21 30 1F 30 07 06 image/gif0!0.0..
0020: 05 2B 0E 03 02 1A 04 14 4B 6B B9 28 96 06 0C BB .+......Kk.(....
0030: D0 52 38 9B 29 AC 4B 07 8B 21 05 18 30 26 16 24 .R8.).K..!..0&.$
0040: 68 74 74 70 3A 2F 2F 6C 6F 67 6F 2E 76 65 72 69 http://logo.veri
0050: 73 69 67 6E 2E 63 6F 6D 2F 76 73 6C 6F 67 6F 31 sign.com/vslogo1
0060: 2E 67 69 66 .gif

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 28 17 13 8A BD D6 A2 B5 DC 06 2C B7 B6 8E DA 10 (.........,.....
0010: 66 60 6E E5 f`n.
]

]

[3]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://SVRTrial-G2-crl.verisign.com/SVRTrialG2.crl]
]]

[4]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
[1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.21]

Click the lock icon in the bottom right of the screen and view the certificate.
Goto certification Path and select Root Certificate. View the certificate and copy to file MyWeblogicCAToTrust.cer in a particular location, say location1.
WebLogic Web Server Apache Plugin Configuration
Configure the following in apache httpd configuration.
<IfModule mod_weblogic.c>
WebLogicHost myip
WebLogicPort myport
SecureProxy ON
TrustedCAFile "<location1>\MyWeblogicCAToTrust.cer"
RequireSSLHostMatch false
EnforceBasicConstraints OFF
Debug ALL
WLLogFile <location>/wl_log.log
</IfModule>

<Location /weblogic>
SetHandler weblogic-handler
</Location>

<Location /console>
SetHandler weblogic-handler
</Location>

Access http://localhost:7001/console
Import the CA.pem for apache and weblogic in the browser using content-> certificate->
Import-> Autoselect store based on type of cert- option.