Ssl – Why Apache with SSL but the back end Weblogic without SSL works

apache-2.2 ssl weblogic

Hello everyone.
My question is very simple. The link below is a picture of my architecture.

https://docs.google.com/open?id=0BxSXbpgYIZVOR212RVk4ZDN1Sm8.

The pic above shows the architecture right now and it works correctly! Which means I could visit Apache with the URL https://apchehost:8080; I could not visit the web app with HTTPS served by Weblogic, but I could visit these apps with HTTPS served by Apache (Apache is the proxy server).

My question is why Apache configured with SSL but Weblogic without SSL works. I think Weblogic should also be configured with SSL. If this works, what about the security level? Is SSL really working if only Apache is configured with SSL but not Weblogic? Thanks.

condition:
    Apache 2.2.17 with weblogic module mod_wl_22.so 
    Weblogic: 10.3
    OS: Windows server 2003

Best Answer

A setup like this, with the web server in a DMZ and the clients unable to access the Weblogic hosts directly, is quite common. Client HTTPS connections terminate at the web server in the DMZ, and authentication and authorisation take place there. If this is successful then the connections are proxied as HTTP down to the application layer.

As long as it is not possible for clients to connect to the Weblogic hosts directly then this is quite safe and has the advantage that all of the SSL configuration is in one place on the web server.
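The layout described in the answer, as an added configuration sketch that is not part of the original question or answer. The host names, certificate paths, the `/app` path and backend port 7001 are placeholder assumptions; port 8080 is taken from the question.

```apache
# Added example. Host names, file paths, /app and port 7001 are assumptions.
LoadModule ssl_module      modules/mod_ssl.so
LoadModule weblogic_module modules/mod_wl_22.so

# Client-facing listener: the only port that should be reachable from outside the DMZ.
Listen 8080

<VirtualHost *:8080>
    ServerName apachehost.example

    # TLS terminates here, so the certificate and key exist only on the web server.
    SSLEngine on
    SSLCertificateFile    conf/ssl/server.crt
    SSLCertificateKeyFile conf/ssl/server.key

    <Location /app>
        # Hand matching requests to the WebLogic plug-in.
        SetHandler weblogic-handler

        # Backend hop: plain HTTP to WebLogic's non-SSL listen port.
        WebLogicHost wls.internal.example
        WebLogicPort 7001

        # The client spoke HTTPS even though this hop is HTTP, so have
        # redirects generated by WebLogic point back at https:// URLs.
        WLProxySSL ON
    </Location>
</VirtualHost>

# The answer's condition is enforced outside this file: a firewall or
# network rule must allow connections to wls.internal.example:7001 only
# from this Apache host, so no client can bypass the TLS endpoint.
```

If the network between the DMZ and the application tier cannot be trusted, the plug-in's `SecureProxy ON` parameter, pointed at WebLogic's SSL listen port, encrypts the backend hop as well, at the cost of maintaining certificates in both places.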
