How to Configure SSL between Oracle iPlanet Web Server with WL Plugin 1.1 to WebLogic Server?

When configuring Oracle iPlanet Web Server 7 with WL Plugin 1.1 in SSL mode to WebLogic Server, we are experiencing the following error:

<Jan 14, 2013 2:34:33 PM CST> <Warning> <Security> <BEA-090475> <Plaintext data for protocol HTTP was received from peer proxy.example.com - 10.10.10.10 instead of an SSL handshake.>

 
and in the iPlanet Web Server errors log:

 

[14/Jan/2013:13:23:33] failure (18104): for host 172.27.180.40 trying to GET /wls/index.jsp at backend host '1xx.xxx.xxx.xx/443; got exception 'READ_ERROR_FROM_SERVER [os error=0, line 713 of ../common/URL.cpp]: Unexpected EOF reading HTTP status - failover request based on Idempotent flag'

 
 

SOLUTION

The issue is a misconfiguration of the WL Plugin 1.1 in obj.conf, which must be set up to enable SSL between the WL Plugin and WebLogic Server. The steps to enable SSL on the WL Plugin 1.1 are as follows.


NOTE: Make sure that all configuration changes to iPlanet have been fully deployed before making new configuration changes.

 

1. Create an Oracle Wallet with the orapki utility that comes bundled with the WL Plugin 1.1 for iPlanet. Your plugin home is the directory where you unzipped the plugin bits WLSPlugin11g-64bit-iPlanet7.0-solaris-sparc.zip. Run this command on the system where the plug-in is being configured.
  

> ${PLUGIN_HOME}/bin/orapki wallet create -wallet my-wallet -auto_login_only

The above command creates a directory named my-wallet in the current working directory. Change directory to my-wallet and list the files; you will see the cwallet.sso file.


2. If the user who runs the iPlanet plug-in is not the user who created the wallet (and does not have root account access), the wallet creator needs to grant access to the wallet by running the 'chmod' command after creating the wallet.

  For example:
  > chmod a+r my-wallet/cwallet.sso

3. Import the CA certificate you wish to trust into the Oracle Wallet. Here is an example of the command using the Demo CA in the WLS installation at ${WL_HOME}/server/lib/CertGenCA.der. In your case, you would import the CA certificate that is trusted for the server certificate that secures your own WLS. Note that DER is the binary format of the certificate.
  

> ${PLUGIN_HOME}/bin/orapki wallet add -wallet my-wallet -trusted_cert -cert CertGenCA.der -auto_login_only

 

4. Enable SSL on the WL plug-in by editing the vs-obj.conf/obj.conf file and adding the WLSSLWallet parameter, pointing it to the location of the Oracle Wallet.

For example:

<Object name="wls" ppath="*/wls/*">
Service fn="wl-proxy" WebLogicCluster="wls1.example.com:443,wls2.example.com:443" WLProxySSL="ON" KeepAliveEnabled="true" KeepAliveSecs="60" ConnectTimeoutSecs="6" ConnectRetrySecs="2" SecureProxy="ON" CookieName="PORTRAITUISESSIONID" WLSSLWallet="/path/to/my-wallet"
</Object>

 

5. After making hand-edited configuration changes to iPlanet, go into the iPlanet admin-server console and do a pull and deploy of the changes. Restart your iPlanet server.

Document 1311162.1 - How To Deploy Manual, CLI and GUI Configuration Changes in Oracle iPlanet Web Server 7.0.x.

6. Now test to see if you can successfully connect to your WLS through iPlanet WL Plugin 1.1 using SSL.
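A pre-flight check for the obj.conf edit in step 4 and the wallet access in step 2, added here as an example (it is not Oracle's code or part of the original article). It scans obj.conf text for wl-proxy directives and reports any that lack SecureProxy="ON" or a WLSSLWallet directory containing a readable cwallet.sso. The function names and the sample directives are constructed for illustration.

```python
import os
import re
import tempfile

# Illustrative helper names; only the obj.conf parameters come from the article.
PARAM_RE = re.compile(r'([\w-]+)="([^"]*)"')

def wl_proxy_directives(conf_text):
    """Return (line_no, params) for every Service fn="wl-proxy" directive."""
    found = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        params = dict(PARAM_RE.findall(line))
        if line.lstrip().startswith("Service") and params.get("fn") == "wl-proxy":
            found.append((no, params))
    return found

def check_directive(params):
    """List the SSL problems in one wl-proxy directive (empty list means OK)."""
    problems = []
    if params.get("SecureProxy", "").upper() != "ON":
        problems.append('SecureProxy is not "ON"')
    wallet = params.get("WLSSLWallet")
    if not wallet:
        return problems + ["WLSSLWallet is not set"]
    sso = os.path.join(wallet, "cwallet.sso")
    if not os.path.isfile(sso):
        problems.append("no cwallet.sso in " + wallet)
    elif not os.access(sso, os.R_OK):
        problems.append("cwallet.sso is not readable by this user")
    return problems

def lint_obj_conf(conf_text):
    """Map the line number of each wl-proxy directive to its problems."""
    return {no: check_directive(p) for no, p in wl_proxy_directives(conf_text)}

def demo():
    """Constructed sample: an empty stand-in cwallet.sso and three directives."""
    wallet = tempfile.mkdtemp()
    open(os.path.join(wallet, "cwallet.sso"), "wb").close()
    base = 'Service fn="wl-proxy" WebLogicCluster="wls1.example.com:443" '
    conf = "\n".join([
        '<Object name="wls" ppath="*/wls/*">',
        base + 'SecureProxy="ON" WLSSLWallet="%s"' % wallet,
        base + 'WLProxySSL="ON"',
        base + 'SecureProxy="ON" WLSSLWallet="/nonexistent/my-wallet"',
        '</Object>'])
    return lint_obj_conf(conf)

if __name__ == "__main__":
    print(demo())
```

Run the check as the account that runs the iPlanet instance, so that the readability result reflects what the plug-in will see.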
