EPM 11.1.2 - SSL Offloading flavors

While the EPM documentation (http://download.oracle.com/docs/cd/E17236_01/epm.1112/epm_security_11121.pdf) clearly lists the different SSL flavors available (termination at web server, SSL offloading, full SSL, 2-way SSL...), additional information is needed to adapt them to your environment.

Three main elements to know about:

  • Some EPM pages generate the links in their web pages based on the request scheme: an HTTP request will generate an http link, and an HTTPS request will generate an https link. This is the standard behavior of the request.getScheme() servlet API method. To let WebLogic know that it has to use HTTPS in links, use a header named WL-Proxy-SSL, set to true or false. This header has to be set by the layers fronting WebLogic.
  • The WebLogic plug-in (in Oracle HTTP Server or IIS) has 2 parameters to add or propagate this header: WLProxySSL and WLProxyPassThrough (http://download.oracle.com/docs/cd/E21764_01/web.1111/e14395/toc.htm and http://download.oracle.com/docs/cd/E21764_01/web.1111/e14395/plugin_params.htm#WLPLG475).

Quoting from the above URL: When WLProxySSL is set to ON, the location header returned to the client from WebLogic Server specifies the HTTPS protocol.

If you have a chained proxy setup, where a proxy plug-in or HttpClusterServlet is running behind some other proxy or load balancer, you must explicitly enable the WLProxyPassThrough parameter. Enabling this parameter allows the plug-in to trust the proxy fronting it, under the assumption that the network between them is trusted so user certs and so forth can be passed along.

This also means that the WL-Proxy-SSL header, among other headers, is not going to be removed by the WebLogic plug-in when it receives headers from the SSL offloader.
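As an added illustration (not taken from the original post or from Oracle's documentation), here is how the two parameters could appear in the WebLogic plug-in configuration of Oracle HTTP Server. The host name, port and context paths are placeholders, and the split into two Location blocks is only there to show the two options side by side.

```apache
# Constructed example: host, port and context paths are placeholders.
<IfModule weblogic_module>
    WebLogicCluster epm-host.example.com:28080

    # Option 1: the plug-in adds the WL-Proxy-SSL header itself.
    # Fits a setup where every client request reaches the site over HTTPS.
    <Location /app-a>
        SetHandler weblogic-handler
        WLProxySSL ON
    </Location>

    # Option 2: the SSL offloader in front sets WL-Proxy-SSL (true or false)
    # and the plug-in propagates it instead of removing it.
    # The offloader must then overwrite any WL-Proxy-SSL value arriving from
    # a client, because the plug-in no longer strips the header.
    <Location /app-b>
        SetHandler weblogic-handler
        WLProxyPassThrough ON
    </Location>
</IfModule>
```

With pass-through enabled, the network segment between the offloader and the plug-in is the trust boundary, so the plug-in's listener should be reachable only from the offloader.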

