apache Archive

How to configure SSL Between Weblogic and Apache

SSL between Apache and Weblogic

 

 

1) Set WLS Environment

C:\Oracle\Middleware\wlserver_10.3\server\bin>setWLSEnv.cmd

2) Go to the lib directory and convert the WLS root certificate to .pem format

C:\Oracle\Middleware\wlserver_10.3\server\lib>java utils.der2pem CertGenCA.der

C:\Oracle\Middleware\wlserver_10.3\server\lib>dir CertGen*
Volume in drive C is Windows8_OS
Volume Serial Number is 8C04-A406

Directory of C:\Oracle\Middleware\wlserver_10.3\server\lib

01/03/2015 09:29 PM 540 CertGenCA.der
01/19/2015 07:47 PM 786 CertGenCA.pem
01/03/2015 09:29 PM 388 CertGenCAKey.der
3) Go to D:\Apache2.2\conf\httpd.conf and add the following entries

LoadModule weblogic_module modules/mod_wl128_22.so

<Location /console>
   SetHandler weblogic-handler
   SecureProxy ON
   TrustedCAFile C:/Oracle/Middleware/wlserver_10.3/server/lib/CertGenCA.pem
   RequireSSLHostMatch false
   WebLogicHost localhost
   WebLogicPort 7002
   WLLogFile D:/temp/wlproxy.log
   WLTempDir D:/temp
   Debug ALL

</Location>

Note: The Admin/Managed Server should be up and running on the IP and port mentioned in the Location directive.

If there are any issues you can check the proxy logs. If you are still not able to resolve the issues please feel free to post here.

 

 

Apache Administration FAQs

How to disable Case Sensitivity in Apache?

Apache is case sensitive. When your application is hosted on a case-insensitive web server (like IIS) and is moved to a case-sensitive web server (like Apache), you may see problems with URLs not being found (HTTP 404 errors). Apache provides a module that helps make URLs case-insensitive.

Open httpd.conf (your Apache configuration file) and find the line below

LoadModule speling_module modules/mod_speling.so

If the above module is available in your Apache installation, turn on the CheckSpelling directive

CheckSpelling On

How to monitor Apache server status?

There is a built-in module, mod_status, available in Apache, which lets you view the server status from a web browser.

To monitor the Apache web server:

Open httpd.conf (located at <Apache Install Dir>/conf/httpd.conf)

vi httpd.conf

Set the Location directive as below. It allows access only from 192.13.24.57

<Location /server-status>
SetHandler server-status
Order Deny,Allow
Deny from all
Allow from 192.13.24.57
</Location>

Set ExtendedStatus to on

ExtendedStatus on

Save httpd.conf and restart the web server

Now you can monitor your Apache web server at http://servername/server-status from a browser on 192.13.24.57

How to know whether a library is built on 32-bit or 64-bit?

Type the command below at the shell

file /usr/local/apache2.2.11/lib/libapr-1.so.0.3.3

The output of the above command is:

/usr/local/apache2.2.11/lib/libapr-1.so.0.3.3: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), not stripped

The output shows that libapr-1.so.0.3.3 is a 32-bit build

Configure Apache Webserver with Weblogic Server

Step 1) Make sure the Apache server runs on port 8080. (This is because IIS or some antivirus software sometimes runs on that port.) This can be done by modifying the httpd.conf present at
D:\Program Files\Apache Group\Apache2\conf
Modify the Listen port to 8080

Listen 8080

Step 2) Copy the mod_wl_20.so from <bea_home>\wlserver_10.3\server\plugin\win\32 to
D:\Program Files\Apache Group\Apache2\modules

Step 3) Add these lines in the httpd.conf file

LoadModule weblogic_module modules/mod_wl_20.so

<Location />
SetHandler weblogic-handler
</Location>

<IfModule mod_weblogic.c>
WebLogicCluster localhost:7003,localhost:7005
Debug ON
WLLogFile c:/temp/wlproxy.log
WLTempDir c:/temp
</IfModule>

Step 4) Restart Apache and access the application deployed on the Cluster using

http://localhost:8080/YourApp

This will forward the request to the Weblogic Cluster

You can check the headers sent to and received from WLS in the wlproxy.log file.

Let me know if you face any issues.

Configure Apache WebServer with Jboss cluster.

1:- Create a cluster of Jboss server instances.

a:- Copy the folder 'all' under the server directory, i.e. the location JBOSS_HOME

b:- Rename it as Node1 and Node2, which will act as the two Jboss instances within the cluster.

c:- Go to the command prompt and navigate to the bin folder under JBOSS_HOME.

d:- Run both server instances with the commands below.

For Node1:-
run.bat -c Node1 -g QACluster -u 239.255.100.111 -b abc.com

For Node2:-
run.bat -c Node2 -g QACluster -u 239.255.100.111 -b xyz.com

Note:-
-c refers to the node (here Node1) that is part of the cluster
-g refers to the name of the cluster
-u refers to the multicast address
-b refers to the bind address of the node server.
-Djboss.service.binding.set refers to the ports of the Node1

2:- Copy the mod_jk.so file to the modules directory of the Apache Server.

3:- Copy the mod-jk.conf to the conf directory of the Apache server installation.

A sample mod-jk.conf would look like this.

************************************************************

# Load mod_jk module

# Specify the filename of the mod_jk lib
LoadModule jk_module modules/mod_jk.so

# Where to find workers.properties
JkWorkersFile conf/workers.properties

# Where to put jk logs
JkLogFile logs/mod_jk.log

# Set the jk log level [debug/error/info]
JkLogLevel info

# Select the log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"

# JkOptions indicates to send SSL KEY SIZE
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories

# JkRequestLogFormat
JkRequestLogFormat "%w %V %T"

# Mount your applications
JkMount /* loadbalancer

# You can use external file for mount points.
# It will be checked for updates each 60 seconds.
# The format of the file is: /url=worker
# /examples/*=loadbalancer
# JkMountFile conf/uriworkermap.properties

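# Add shared memory.
# This directive is present with 1.2.10 and
# later versions of mod_jk, and is needed
# for load balancing to work properly
JkShmFile logs/jk.shm

# Add jkstatus for managing runtime data.
# As written, the status worker is open to every client address;
# limit the Allow line to admin hosts outside a lab.
<Location /jkstatus/>
JkMount status
Order allow,deny
#Deny from all
Allow from all
</Location>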

 

************************************************************

Note:

Check the LoadModule directive for the proper location of the mod_jk.so module.
Check the JkWorkersFile directive for the proper location of the workers.properties file.

4:- Provide an entry for the mod-jk.conf file in httpd.conf like below.
Include conf/mod-jk.conf

5:- Copy the workers.properties file to the conf directory of the Apache installation directory.

A sample workers.properties file looks like this.

************************************************************

 

# Define list of workers that will be used
# for mapping requests
worker.list=loadbalancer,status

# Define Node1
# modify the host as your host IP or DNS name.
worker.node1.port=8009
worker.node1.host=192.168.96.85
worker.node1.type=ajp13
worker.node1.lbfactor=1
worker.node1.cachesize=10

# Define Node2
# modify the host as your host IP or DNS name.
worker.node2.port=8109
worker.node2.host=192.168.96.85
worker.node2.type=ajp13
worker.node2.lbfactor=1
worker.node2.cachesize=10

# Load-balancing behavior
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=node1,node2
worker.loadbalancer.sticky_session=1
#worker.list=loadbalancer

# Status worker for managing load balancer
worker.status.type=status

 

************************************************************

Note:- worker.node1.port contains the ajp13 port for node1, which is 8009 by default.

You can check the corresponding value in the bindings.xml file under conf/bootstrap

6:- Deploy the sample application on both the nodes.

For Jboss 5.1 and above, just place the application war file under the farm directory of any of the nodes, and it is automatically propagated to the other nodes in the cluster.

For Jboss 5.0 and below, you need to copy the application war file manually to the deploy folder of each node in the cluster.

7:- Now, restart the Apache web server and check for the messages below in the Jboss server logs to see whether the servers have joined the cluster.

************************************************************************

14:28:24,343 INFO [GroupMember] I am (abc.com:3750)
14:28:24,343 INFO [GroupMember] New Members : 1 ([xyz.com:3812])
14:28:24,343 INFO [GroupMember] All Members : 2 ([abc.com:3750, xyz.com:3812])

************************************************************************

8:- Now access the application deployed on the cluster using the below URL.

http://localhost/helloworld/index.jsp

Configuring two way SSL between Client and Weblogic server with Apache proxying the request.

Configure Apache for SSL

Create the certificates using openssl (present in apache_home\bin) using the below steps:

openssl genrsa -des3 -out server.key 1024

openssl req -config ..\conf\openssl.cnf -new -key server.key -out localhost

openssl x509 -req -days 730 -in localhost -signkey server.key -out server.crt

Add the following in the httpd.conf file

<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

Listen 443
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile "C:\Program Files\Apache Group\Apache2\conf\server.crt"
SSLCertificateKeyFile "C:\Program Files\Apache Group\Apache2\conf\server.key"
SSLCACertificateFile "C:\Documents and Settings\Administrator\Desktop\cert\IntermediateCA.cer"
#SSLLog "C:\Program Files\Apache Group\Apache2\conf\ssl.log"
#SSLLogLevel debug
</VirtualHost>

Configure SSL between Apache and Weblogic Server

Add the following in the Location Directive

SecureProxy ON
TrustedCAFile C:\bea101\wlserver_10.0\server\lib\CertGenCA.pem
RequireSSLHostMatch false

Configure Apache to Request for Client Certificate

Add the following in the Location Directive

SSLVerifyClient optional_no_ca
SSLOptions +ExportCertData

Configure Weblogic Server for 2-way SSL

mydomain> Servers> myserver>Keystores & SSL > Advanced Options
Hostname Verification: None
Two Way Client Cert Behavior: Client Certs Requested but not enforced

Apache_SSL> Domain Wide Security Settings> Realms> myrealm> Authentication Providers> DefaultIdentityAsserter

Trusted Client Principals: provide CN of the Client Certificate
Types: X509

Details:

Use Default User Name Mapper: Checked
Default User Name Mapper Attribute Type: CN
Base64Decoding Required: Checked

Go to the security realm and create a user with the username set to the CN of the certificate

Add the following attribute to the Server element in config.xml
<Server ClientCertProxyEnabled="true"

Configure the Web Application

The Web Application should require client cert authentication.

Add the following in the web.xml

<context-param>
<param-name>weblogic.httpd.clientCertProxy</param-name>
<param-value>true</param-value>
</context-param>

Add the following in the weblogic.xml

<principal-name> CN of the certificate</principal-name>
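
The Apache side of the steps above with the lab shortcuts tightened, as an added example that is not part of the original post; the plug-in lines apply equally to the first walkthrough on this page. The host name wls.example.internal, the /myapp location and every file path are placeholders.

```apache
# Added example, not from the original post. Placeholders: wls.example.internal,
# /myapp, and every file path.
Listen 443
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    "C:/Apache2/conf/server.crt"
    SSLCertificateKeyFile "C:/Apache2/conf/server.key"
    # CA bundle that issues the client certificates you intend to accept
    SSLCACertificateFile  "C:/Apache2/conf/client-ca.pem"

    <Location /myapp>
        # Walkthrough value: SSLVerifyClient optional_no_ca
        # With optional_no_ca the certificate need not verify against any CA,
        # so the CN that WebLogic maps to a user is unauthenticated.
        # "require" fails the handshake unless the certificate chains to
        # SSLCACertificateFile.
        SSLVerifyClient require
        # Permit one intermediate CA between the client certificate and the root
        SSLVerifyDepth  2
        SSLOptions      +ExportCertData

        SetHandler   weblogic-handler
        WebLogicHost wls.example.internal
        WebLogicPort 7002
        SecureProxy  ON
        # Walkthrough value: CertGenCA.pem, the WebLogic demo CA.
        # Point this at the CA that signed the server's own certificate.
        TrustedCAFile C:/Apache2/conf/wls-ca.pem
        # Walkthrough value: false. With true the plug-in checks that the
        # certificate subject matches WebLogicHost.
        RequireSSLHostMatch true
        # Walkthrough value: ALL (first walkthrough on this page)
        Debug OFF
        WLLogFile C:/Apache2/logs/wlproxy.log
    </Location>
</VirtualHost>
```

Because ClientCertProxyEnabled makes WebLogic accept the client certificate from the WL-Proxy-Client-Cert header, restrict connections to the WebLogic listen port to the Apache host, for example with a WebLogic connection filter.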
