SSL Offloading at Oracle Cloud Infrastructure (OCI) Load Balancer for Oracle Analytics Server on Oracle Cloud Marketplace

May 6, 2022 | 12 minute read
Veera Raghavendra Rao Koka
Consulting Member of Technical Staff

Introduction

This blog will demonstrate how to configure Oracle Cloud Infrastructure (OCI) Load Balancer for Oracle Analytics Server on Oracle Cloud Marketplace and configure SSL Offloading at the Load Balancer.

Architecture

Below are some of the Oracle Analytics Server architectures on Oracle Cloud Marketplace.

[Image: architecture diagrams]

SSL offloading can be performed at the Load Balancer in both architectures.

Prerequisites

Oracle Analytics Server deployed on either a single node or multiple nodes on Oracle Cloud Marketplace.

Refer to this blog to scale out Oracle Analytics Server on Oracle Cloud Marketplace to multiple nodes for scalability.

As an example, we will use Architecture 1 for this blog.

After scaling out Oracle Analytics Server, with the instances running on a private subnet, create the Load Balancer on a public subnet.

Generate SSL Certificates for Load Balancer

# Generate a new server key, encrypted with a sample passphrase (choose your own)
openssl genrsa -aes256 -passout pass:Oracle123 -out ./server.key 2048
# Take a backup of server.key
cp ./server.key ./server-orig.key
# Remove the passphrase from server.key
openssl rsa -passin pass:Oracle123 -in ./server-orig.key -out ./server.key
# Delete the backup of the key
rm ./server-orig.key
# Generate the server certificate signing request, i.e. server.csr
openssl req -subj "/C=US/ST=California/L=RedwoodShores/O=Oracle Corporation/OU=CEAL Team/CN=oas.oracleceal.com" -out ./server.csr -key ./server.key -new -sha256
# Share the CSR file (server.csr) with your IT team and get it signed by an internal or well-known public Certificate Authority.
# Rename server.key to oas.key
mv ./server.key ./oas.key

For example, certificates signed by a well-known public CA look as below:

[Image: CA-signed certificate example]

NOTE: Use the Load Balancer DNS name (e.g. oas.oracleceal.com) in the next steps.
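
A pre-upload check for the files this section produces, as an added example that is not part of the original post: it confirms that the signed certificate matches the private key, covers the Load Balancer DNS name, and is not about to expire. The function names and the oas.crt file name are assumptions, and the demo at the end uses a constructed self-signed certificate in place of the CA-signed one.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Helper names and the oas.crt
# file name are assumptions; oas.key and the hostname follow the post.

# True only if the certificate carries the public key derived from the private key.
key_matches_cert() {   # usage: key_matches_cert <key.pem> <cert.pem>
  local kpub cpub
  kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# True only if the certificate is valid for the hostname the listener will serve.
# The output text is matched because older OpenSSL releases exit 0 either way.
cert_covers_host() {   # usage: cert_covers_host <cert.pem> <hostname>
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q 'does match certificate'
}

# Runs all checks, prints one line per failure, returns non-zero if any failed.
preflight() {          # usage: preflight <key.pem> <cert.pem> <hostname>
  local rc=0
  key_matches_cert "$1" "$2" || { echo "FAIL: key does not match certificate"; rc=1; }
  cert_covers_host "$2" "$3" || { echo "FAIL: certificate does not cover $3"; rc=1; }
  openssl x509 -in "$2" -noout -checkend $((30 * 86400)) >/dev/null 2>&1 ||
    { echo "FAIL: certificate expires within 30 days"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: certificate and key are consistent for $3"
  return "$rc"
}

# Constructed sample material: a self-signed stand-in for the CA-signed
# certificate, plus an unrelated key to show the mismatch case.
make_sample() {        # usage: make_sample <dir>
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 -sha256 \
    -subj "/CN=oas.oracleceal.com" \
    -keyout "$1/oas.key" -out "$1/oas.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

tmp=$(mktemp -d)
make_sample "$tmp"
preflight "$tmp/oas.key"   "$tmp/oas.crt" oas.oracleceal.com
preflight "$tmp/other.key" "$tmp/oas.crt" oas.oracleceal.com || true
rm -rf "$tmp"
```

With the real files, run preflight against oas.key and the certificate returned by the CA before uploading them to the Load Balancer.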

Configure a Load Balancer with SSL Offloading at Load Balancer

1. Login to OCI Console as an Administrator

2. Navigate to Networking > Load Balancers

3. Select the Compartment where you need to configure the Load Balancer

4. Create a Load Balancer

5. Select the Load Balancer Type as Load Balancer and click on Create Load Balancer

6. Create a Public Load Balancer

7. Create a Reserved IP Address so that the “A” Record in the DNS Server does not have to be updated when the IP Address changes.

NOTE: You can also create an Ephemeral IP Address. Here we are using a Reserved IP Address according to the usage.

LB Shapes: Flexible or Dynamic

Dynamic:

8. Click on “Show Advanced Options” > Security tab. A Web Application Firewall can be configured here to secure Oracle Analytics Server on Oracle Cloud.

To configure the Web Application Firewall (WAF), see the blog Securing Oracle Analytics Server using OCI WAF on Flexible Load Balancer.

9. Click Next and specify the Load Balancer Policy as Weighted Round Robin

NOTE: Other policies can be used, based on the type of configuration needed for the usage.

10. Add Backends: either select the instances available in the compartment or specify the IP Address

11. Set the port number the Backend application is running on (e.g. 9502 for the non-SSL port, 9503 for the SSL port)

NOTE: Because SSL is offloaded at the Load Balancer, the non-SSL port (9502) is used as the Backend port number.

NOTE: On any Linux or Windows instance on the Public Subnet of the Load Balancer’s VCN, or on the Bastion, run the command below to get the Status Code.

curl -k -vvv http://OracleAnalyticsServer.com:9502/dv

This shows the Status Code, here it is 302.

12. Uncheck the Use SSL checkbox, as the backend servers are running on the non-SSL port, i.e. in HTTP mode.

13. If the Backend Servers are running on an SSL port, i.e. in HTTPS mode, then check the Use SSL checkbox and upload the SSL Certificates related to the Backend Application.

NOTE: If the Backends have multiple certificates for each backend then upload only CA Certificates (CA Chain or CA Bundle). If not, upload the SAN Certificate, Private Key and CA Certificate of the multiple Backends.

[Image: sample screenshot]

14. Click on Advanced Options

a. If needed, set a Backend Set Name

b. Session Persistence (https://docs.oracle.com/en-us/iaas/Content/Balance/Reference/sessionpersistence.htm)

  • Disable Session Persistence (if the Backend server is a single server)

  • Enable Application Cookie Persistence (if the application maintains the session)

15. Create a Listener and specify the type of traffic the Listener handles, in this case HTTPS.

16. Select Load Balancer Managed Certificate for Certificate Resource

17. Upload the SSL Certificates for the Load Balancer

NOTE: Oracle suggests using an SSL Certificate signed by a well-known public CA.

NOTE: If the end users connect to the Oracle Analytics Server instance through the Intranet (i.e. VPN) and not from the Internet, we can use SSL Certificates signed by an internal CA and create the “A” Record on the internal DNS Servers.

18. Enable Error Logs and Access Logs based on the requirement

19. Click on “Submit”; the Load Balancer is created

20. Click on the Load Balancer Name and navigate to Hostnames > Add Hostname

NOTE: The Hostname should be the DNS entry matching the SSL Certificate

21. Assign the Hostname to the Listener

Check for Timeout Settings: https://docs.oracle.com/en-us/iaas/Content/Balance/Reference/connectionreuse.htm.

22. When SSL is offloaded at the Load Balancer, follow the steps below:

  • Enable the WebLogic Plugin at the Domain level in the WebLogic admin console
  • Set RequestHeader WL-Proxy-SSL true at the Load Balancer (to maintain SSL throughout the communication)
  • Set RequestHeader IS_SSL ssl at the Load Balancer (set this if it is still required after setting the header above)
  • Configure HTTP Redirects under DNS Management

23. Enable the WebLogic Proxy Plug-In

Before you can validate that requests are routed correctly through the Oracle HTTP Server instances, you must set the WebLogic Plug-In Enabled parameter. It is recommended to set the WebLogic Plug-In Enabled parameter at the domain level.

  1. Log in to the Oracle WebLogic Server Administration Console.
  2. In the Domain Structure pane, click on the top-level domain node (bi).
  3. Click Lock & Edit in the Change Center.
  4. Click on the Domain Name.
  5. Click on the Web Applications tab.
  6. Locate and select the WebLogic PlugIn Enabled option.
  7. Click Save.
  8. Click Activate Changes in the Change Center.
  9. Restart all services.

In the WebLogic admin console enable WebLogic-Plugin at the Domain level

24. Create Load Balancer Rule Set

https://docs.oracle.com/en-us/iaas/Content/Balance/Tasks/managingrulesets.htm#URLRedirectRules

25. Select “Specify Request Header Rules”

26. Edit the Listener and Add the Rule Set to the Listener

27. Configure HTTP Redirects under DNS Management

Navigate to Networking > DNS Management > HTTP Redirects

Click on Create.

NOTE: There are other ways to do the same, such as creating a URL Redirect Rule in the Rule Set of the Load Balancer. For this, you need to create both a port 80 HTTP Listener and a port 443 HTTPS Listener with the same Backend Set and Hostname, and attach the URL Redirect Rule to the port 80 HTTP Listener. Also open both ports for Ingress with Internet access.

28. Allow Internet Traffic to the Load Balancer’s Public Subnet

  • Add an Ingress Rule to allow access from Internet (0.0.0.0/0) on port 443

29. Add “A” Record in Domain Provider’s DNS Management screen.

30. Here GoDaddy provides the domain, i.e. oracleceal.com

31. Test access to the URL https://oas.oracleceal.com/dv

Enable GZIP Compression at WebLogic Server

Since we do not have a Web Server to enable Compression and Caching in this scenario, we can enable GZIP compression at WebLogic Server.

  1. Log in to the Oracle WebLogic Server Administration Console.
  2. Click Lock & Edit in the Change Center.
  3. In the Domain Structure pane, click on the top-level domain node (bi).
  4. Click on the Web Applications tab.

  5. Locate and select the GZIP Compression Enabled option.
  6. Set GZIP Compression Min. Content Length to 2048.
  7. Enter the list of Content Types in the text box under GZIP Compression Content Type:

text/html
text/xml
text/plain
text/x-component
application/javascript
application/json
application/xml
application/rss+xml
font/truetype
font/opentype
application/vnd.ms-fontobject
image/svg+xml
text/css
text/javascript

  8. Click Save.
  9. Click Activate Changes in the Change Center.
  10. Restart all services.

SSL Offloading can also be done at Web Servers like Apache HTTP Server or Oracle HTTP Server. This configuration is covered in another blog; for more details, see SSL Offloading at Web Server for Oracle Analytics Server on Oracle Cloud Marketplace.

Call to Action

You have covered scaling out Oracle Analytics Server (in an attached blog link) and configured OCI Load Balancer for the scaled out Oracle Analytics Server.

You have also learned how to perform SSL Offloading at the OCI Load Balancer for Clustered Oracle Analytics Server. Try it yourself for hands-on experience.

Veera Raghavendra Rao Koka

Consulting Member of Technical Staff

Oracle Analytics Service Excellence, CEAL Team

