EPM 11.1.2 - SSL Offloading flavors
By user809526 on Oct 20, 2011
While EPM documentation clearly lists the different SSL flavors available in 184.108.40.206 (http://download.oracle.com/docs/cd/E17236_01/epm.1112/epm_security_11121.pdf - termination at web server, ssl offloading, full ssl, 2 way ssl...), it requires additional information to adapt further depending on your environment.
Three main elements to know about:
Some EPM pages generate HTTPS links in their web pages based on request scheme. An http request will generate an http link, and an https request will generate an https link. This is the standard behavior of the request.getScheme servlet api method. The solution to let Weblogic know it has to use HTTPS in link is through a header named WL-Proxy-SSL true or false. This header has to be set by layers fronting Weblogic.
The Weblogic plugin (in Oracle Http Server, or IIS) has 2 parameters to add or propagate this header: WLProxySSL and WLProxyPassThrough http://download.oracle.com/docs/cd/E21764_01/web.1111/e14395/toc.htm and http://download.oracle.com/docs/cd/E21764_01/web.1111/e14395/plugin_params.htm#WLPLG475)
quoting from above url: When WLProxySSL is set to
ON, the location header returned to the client from WebLogic Server specifies the HTTPS protocol.
If you have a chained proxy setup, where a proxy plug-in or
HttpClusterServletis running behind some other proxy or load balancer, you must explicitly enable the
WLProxyPassThroughparameter. Enabling this parameter allows the plug-in to trust the proxy fronting it, under the assumption that the network between them is trusted so user certs and so forth can be passed along.
This also means the WL-Proxy-SSL header amongst other headers are not going to be removed by the weblogic plugin when it receives headers from SSL Offloader.
To set the correct header in the SSL offloader, refer to the vendor documentation. For instance for f5: http://support.f5.com/kb/en-us/solutions/public/4000/400/sol4443.html