Offloading SSL from WLS to the F5
By Derek Sharpe on Oct 11, 2011
Having trouble with your WebLogic Admin console? Getting strange HTTPS or SSL messages from your browser when trying to save updates to the EM or Admin console? So was I. My browser presented me with the following warning, "Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party. Are you sure you want to continue sending this information?" And the WebLogic Server console did not save my changes. But I was able to correct my configuration to resolve the issue, so I thought I would share my notes on the pieces involved.
In my case, there are three pieces involved: F5, OHS (Oracle HTTP Server), and WLS (WebLogic Server 10.3.4). SSL (or HTTPS) is terminated at the F5 (BIG-IP LTM), and HTTP traffic from the F5 to OHS is in plain text. OHS was necessary to support a third-party Single Sign-On (SSO) solution.
Starting with the F5, I needed to configure it to insert a request header called WL-Proxy-SSL with the value true (WL-Proxy-SSL: true) into the requests it forwards. I found this well-documented in http://www.f5.com/pdf/deployment-guides/f5-weblogic10-dg.pdf in the section "Creating an HTTP profile". The F5 will set this header when it receives an HTTPS request bound for WebLogic Server. This lets WebLogic Server know that the original request was initiated over SSL. This header should not be sent if the inbound traffic to the F5 was not SSL (HTTPS), otherwise WebLogic Server would treat a plain-text request as a secure one.
The second piece of the puzzle was the WebLogic plug-in for OHS. The plug-in parameter documentation can be found here. WLProxySSLPassThrough should be set to ON, so that the OHS proxy/plug-in will pass the WL-Proxy-SSL header on to WebLogic Server.
The parameter applies to each Location element and should look something like:
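As an added illustration (not the configuration from the original post), here is an OHS mod_wl_ohs.conf fragment for the topology described above, with the header only trusted when it arrives from the load balancer. The host name, port and the F5 address 192.0.2.10 are placeholders, and mod_headers and mod_setenvif are assumed to be loaded.

```apache
# Added example, not the original post's configuration.
# Topology: browser --HTTPS--> F5 --HTTP--> OHS --HTTP--> WebLogic Server.
# The F5 inserts "WL-Proxy-SSL: true" only on its HTTPS virtual server.

# Defensive step: accept the WL-Proxy-SSL header only from the F5.
# Any other client reaching OHS directly has the header removed before
# the plug-in forwards the request, so it cannot claim it came over SSL.
# 192.0.2.10 is a placeholder for the F5 self-IP as seen by OHS.
SetEnvIf Remote_Addr "^192\.0\.2\.10$" from_lb
RequestHeader unset WL-Proxy-SSL env=!from_lb

<IfModule weblogic_module>
    WLLogFile /tmp/wl_proxy.log
    Debug OFF
</IfModule>

# WLProxySSLPassThrough is set per Location. With it ON the plug-in
# forwards the WL-Proxy-SSL header it received instead of deciding from
# its own (plain HTTP) hop, so WebLogic treats the request as secure
# and generates https:// redirects.
<Location /console>
    SetHandler weblogic-handler
    WebLogicHost adminserver.example.com   # placeholder AdminServer host
    WebLogicPort 7001                      # placeholder AdminServer port
    WLProxySSLPassThrough ON
</Location>

<Location /em>
    SetHandler weblogic-handler
    WebLogicHost adminserver.example.com
    WebLogicPort 7001
    WLProxySSLPassThrough ON
</Location>
```

The header-stripping lines are an added hardening step on the OHS side; the original post places that responsibility on WebLogic Server itself.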
The next two changes are checkbox changes in the WebLogic Server console. The first checkbox can be found on the WebLogic console under Preferences->Shared Preferences (banner at the top of the initial console splash page). The field is called "Follow Configuration Changes" and is enabled by default. This setting should be disabled so that the console does not trigger a reload of configuration pages when an activation of changes occurs. Deselect the "Follow Configuration Changes" checkbox.
The final change was to configure the AdminServer so that it would acknowledge the proxy plug-in headers. This field is titled "WebLogic Plug-In Enabled" and can be found on the page Configuration->General in the Advanced section. This checkbox defaults to false, but should be changed to true when using the proxy plug-in. Care should be taken when enabling this flag, as it opens a potential security risk: once enabled, the server trusts the proxy headers it receives. If this flag is enabled, the server should be secured so that client traffic can only come through your known proxy and not from a rogue client masquerading as a proxy. Additional details can be found in Chapter 11: Using WebLogic Security of Professional Oracle WebLogic Server.