Configure Webgate to use the HTTPS protocol when SSL offloading is done at the F5 (SSL termination at the load balancer)
Issue:
When logging in to a Webgate on a reverse proxy using a login form, the redirect back to the protected resource is reset to HTTP instead of the originally requested HTTPS.
Cause:
WebLogic Server is not using the load balancer protocol (HTTPS) for redirect URLs.
When SSL is terminated at the load balancer or a reverse proxy, WebLogic Server should use the load balancer hostname and protocol for all redirect URLs.
Solution:
1. Add a ProxySSLHeaderVar entry to the "User Defined Parameters" section at the bottom of the form. The value of the ProxySSLHeaderVar parameter defines the name of the header variable the proxy must set. The value of that header variable must be "ssl" or "nonssl". For example:
ProxySSLHeaderVar:IS_SSL
2. Set the WebLogic 'Plugin Enabled' flag as follows:
a. Log into WebLogic Console
b. Click the domain name on the left menu bar
c. Then choose 'Configurations' Tab and 'Web Applications' sub tab
d. Click 'Lock & Edit' button on top left menu
e. Check box 'WebLogic Plugin Enabled'
f. Save and activate the change.
If proxying requests to a standalone WebLogic Server, please enable this setting on the individual server level from the admin console by clicking on the -> Configuration -> General tab. In the advanced options, check the checkbox for WebLogicPluginEnabled and save the changes.
If proxying requests to a WebLogic Cluster, enable this setting at the cluster level from the admin console by clicking on the Cluster -> Configuration -> General tab. In the advanced options, check the checkbox for WebLogicPluginEnabled and save the changes.
3. Restart the WebLogic AdminServer and Managed Server using the following commands:
./startWebLogic.sh -Dweblogic.http.isWLProxyHeadersAccessible=true
./startManagedWebLogic.sh <MANAGED_SERVER> http://<AdminHost>:<AdminPort> -Dweblogic.http.isWLProxyHeadersAccessible=true
4. Use WebLogic 10.3.2 or a higher patch level of WebLogic 10.3.x.
This is required because an issue in WebLogic 10.3.1 causes problems with this functionality. The bug number is 8786487.
5. In the load balancer, add a custom HTTP header named IS_SSL and set its value to "ssl".
6. In the load balancer, add a custom HTTP header named WL-Proxy-SSL and set its value to true.
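One way to implement steps 5 and 6 on an F5 BIG-IP is an iRule attached to the virtual server in front of WebLogic. This is an added example, not part of the original post. It goes one step further than the text by removing any client-supplied copies of both headers before setting them, because Webgate and WebLogic trust these values. The "nonssl"/"false" branch for a virtual server without a client SSL profile is an assumption beyond what the steps state.

```tcl
when HTTP_REQUEST {
    # Remove copies sent by the client so a request cannot assert its own
    # TLS status to Webgate (IS_SSL) or WebLogic (WL-Proxy-SSL).
    HTTP::header remove "IS_SSL"
    HTTP::header remove "WL-Proxy-SSL"

    if { [PROFILE::exists clientssl] == 1 } {
        # TLS was terminated on this virtual server: steps 5 and 6.
        HTTP::header insert "IS_SSL" "ssl"
        HTTP::header insert "WL-Proxy-SSL" "true"
    } else {
        # Assumption: same iRule reused on a plain-HTTP virtual server.
        HTTP::header insert "IS_SSL" "nonssl"
        HTTP::header insert "WL-Proxy-SSL" "false"
    }
}
```

The header name IS_SSL must match the ProxySSLHeaderVar value configured in step 1.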