SSL Offloading at Oracle Cloud Infrastructure (OCI) Load Balancer for Oracle Analytics Server on Oracle Cloud Marketplace

May 6, 2022 | 12 minute read
Veera Raghavendra Rao Koka
Consulting Member of Technical Staff
Text Size 100%:



This blog will demonstrate how to configure Oracle Cloud Infrastructure (OCI) Load Balancer for Oracle Analytics Server on Oracle Cloud Marketplace and configure SSL Offloading at the Load Balancer.


Below are some of the Oracle Analytics Server architectures on Oracle Cloud Marketplace.


Can perform SSL Offloading at the Load Balancer in both the Architectures.


Oracle Analytics Server either deployed in single node or multiple nodes on Oracle Cloud Marketplace.

Refer this blog, to Scale Out Oracle Analytics Server on Oracle Cloud Marketplace to multiple nodes for scalability.


As an example we will use the Architecture 1 for this blog.

After Scale out of Oracle Analytics Server, Instances running on Private Subnet, Create the Load Balancer on Public Subnet.

Generate SSL Certificates for Load Balancer

# Generate new server key
openssl genrsa -aes256 -passout pass:Oracle123 -out ./server.key 2048
# Take backup of server.key
cp ./server.key ./server-orig.key
# Remove the PassPhrase from server.key
openssl rsa -passin pass:Oracle123 -in ./server-orig.key -out ./server.key
# Delete the backup of the key
rm ./server-orig.key
# Generate server certificate sign request i.e server.csr
openssl req -subj "/C=US/ST=California/L=RedwoodShores/O=Oracle Corporation/OU=CEAL Team/" -out ./server.csr -key ./server.key -new -sha256
# Share the CSR file (server.csr) with your IT and get it Signed by Internal or Public Well Known Certificate Authority.
# Rename the server.key as oas.key

For example, Public Well Known CA Signed Certificates are as below:


NOTE: Use the Load Balancer DNS Name as e.g. in the next steps.

Configure a Load Balancer with SSL Offloading at Load Balancer

1. Login to OCI Console as an Administrator

2. Navigate to Networking à Load Balancers


3. Select the Compartment where you need to config the Load Balancer

4. Create a Load Balancer


5. Select the Load Balancer Type as Load Balancer and click on Create Load Balancer


6. Create a Public Load Balancer


7. Create a Reserved IP Address so that we need not maintain the IP Address changes for the “A” Record in the DNS Server.

NOTE: You can create the Ephemeral IP Address also. Here we are using Reserved IP Address according to the usage.


LB Shapes: Flexible or Dynamic



8. Click on “Show Advanced Options” à Security tab à Web Application Firewall can be configured for securing Oracle Analytics Server on Oracle Cloud


To configure Web Application Firewall (WAF) refer to this blog, see Securing Oracle Analytics Server using OCI WAF on Flexible Load Balancer.

9. Click Next, Specify the Load Balancer Policy as Weighted Round Robin

NOTE: Can use other Policies based on the type of configuration needed for the usage


10. Add Backends, Either Select the Instances available in the compartment or the IP Address


11. Set the Backend application running port number (e.g. 9502 non-ssl port, 9503 ssl port)

Note: Here we are offloading SSL at Load Balancer, hence using the non-ssl port (9502) for the Backends Port number.


NOTE: On any Linux or Windows Instance on the Public Subnet of the Load Balancer’s VCN or Bastion run below command and get the Status Code.

curl -k -vvv

This shows the Status Code, here it is 302.

12. Uncheck the Checkbox Use SSL, as the backend servers are running on non-ssl port i.e HTTP mode.

13. If the Backend Servers running on a SSL Port i.e. HTTPS mode, then Check the Use SSL checkbox and upload the SSL Certificates related to the Backend Application.

NOTE: If the Backends have multiple certificates for each backend then upload only CA Certificates (CA Chain or CA Bundle). If not, upload the SAN Certificate, Private Key and CA Certificate of the multiple Backends.

Sample Screenshot


14. Click on Advanced Options

a. If needed set a Backend Set Name


b. Session Persistence (

  • Disable Session Persistence (If Backend server is a single server)


  • Enable Application Cookie Persistence (If the application maintains the session)


15. Create Listener and specify the type of traffic the Listeners handles, one as HTTPS.

16. Select Load Balancer Managed Certificate for Certificate Resource

17. Upload the SSL Certificates for the Load Balancer

NOTE: Oracle Suggests to use Public Well Known CA Signed SSL Certificate.

NOTE: If the End Users connect to Oracle Analytics Server Instance through Intranet i.e. VPN and not from Internet, In such cases we can use Internal CA Signed SSL Certificates and create the “A” Record at the Internal DNS Servers.


18. Enable Error Logs and Access Logs based on the requirement


19. Click on “Submit”, Load Balancer is created


20. Click on the Load Balancer Name Navigate to Hostnames à Add Hostname

NOTE: The Hostname should be the DNS entry matching the SSL Certificate


21. Assigned the Hostname to the Listener


Check for Timeout Settings:

22. When SSL is offloaded at the Load Balancer follow below steps:

  • Enable WebLogic Plugin at the Domain Level in WebLogic admin console
  • Set RequestHeader WL-Proxy-SSL true at the Load Balancer (to maintain the ssl communication throughout the communication)
  • Set RequestHeader IS_SSL ssl at the Load Balancer (Set if it’s required even after setting the above Header)
  • Configure HTTP Redirects under DNS Management

23. Enable the WebLogic Proxy Plug-In

Before you can validate that requests are routed correctly through the Oracle HTTP Server instances, you must set the WebLogic Plug-In Enabled parameter. It is recommended to set the WebLogic Plug-In Enabled parameter at the domain level.

  1. Log in to the Oracle WebLogic Server Administration Console.
  2. In the Domain Structure pane, click on the top-level domain node (bi).
  3. Click Lock & Edit in the Change Center.
  4. Click on the Domain Name.
  5. Click on the Web Applications tab.
  6. Locate and select the WebLogic PlugIn Enabled option.
  7. Click Save.
  8. Click Activate Changes in the Change Center.
  9. Restart all services.

In the WebLogic admin console enable WebLogic-Plugin at the Domain level



24. Create Load Balancer Rule Set


25. Select “Specify Request Header Rules”


26. Edit the Listener and Add the Rule Set to the Listener


27. Configure HTTP Redirects under DNS Management

Navigate to Networking > DNS Management > HTTP Redirects


Click on Create.

NOTE: There are other ways to do the same, like creating a URL Redirect Rules in the Rule set of the Load Balancer, For this you need to create both 80 Port HTTP Listener and 443 Port HTTPS Listener with same BackendSet and Hostname and attach the URL Redirect Rule to the 80 Port HTTP Listener. Also open both the Ports for Ingress with Internet access.

28. Allow Internet Traffic to the Load Balancer’s Public Subnet

  • Add an Ingress Rule to allow access from Internet ( on port 443


29. Add “A” Record in Domain Provider’s DNS Management screen.


30. Here GoDaddy provides the domain i.e


31. Test the URL Access


Enable GZIP Compression at WebLogic Server

Since we do not have a Web Server to enable Compression and Caching in this scenario, we can enable GZip to enable compression at WebLogic Server.

  1. Log in to the Oracle WebLogic Server Administration Console.
  2. Click Lock & Edit in the Change Center.
  3. In the Domain Structure pane, click on the top-level domain node (bi).
  4. Click on the Web Applications tab.


  1. Locate and select the GZIP Compression Enabled option.
  2. GZIP Compression Min. Content Length : 2048
  3. Enter the list of Content Types in the text box under GZIP Compression Content Type


  1. Click Save.


  1. Click Activate Changes in the Change Center.
  2. Restart all services.


SSL Offloading can also be done at Web Servers like Apache HTTP Server or Oracle HTTP Server. This configuration is covered in another blog, for more details see SSL Offloading at Web Server for Oracle Analytics Server on Oracle Cloud Marketplace.

Call to Action

You have covered scaling out Oracle Analytics Server (in an attached blog link) and configured OCI Load Balancer for the scaled out Oracle Analytics Server.

You have also learnt SSL Offloading at the OCI Load Balancer for Clustered Oracle Analytics Server, try it yourself to have a hands on experience.



Veera Raghavendra Rao Koka

Consulting Member of Technical Staff

Oracle Analytics Service Excellence, CEAL Team

Previous Post

Securing Oracle Analytics Server on Oracle Cloud by Enforcing OCI WAF on Flexible Load Balancers

Ravi Bhuma | 8 min read

Next Post

Single Sign-On Solutions for Oracle Analytics Server on On-Premise and on Oracle Cloud