Configuring mod_wl_ohs to use SSL between Oracle HTTP Server and WebLogic Server in Oracle Fusion Middleware 11g

Following this note results in this architecture:

Browser --> https --> OHS --> https --> WebLogic Server

There are three steps needed to configure mod_wl_ohs in this setup:
Step I: Configure OHS for SSL
Step II: Configure WebLogic for SSL
Step III: Configure mod_wl_ohs

Step I: Configure OHS for SSL
1. Configure Oracle HTTP Server so your browser can connect to OHS via SSL. See the following article to accomplish this:  Configuring Oracle HTTP Server to use SSL in Fusion Middleware 11g (11.1.1.X)

Step II: Configure WebLogic for SSL

1. Configure WebLogic so your browser can connect via SSL. See the following article to accomplish this:  Configuring Oracle WebLogic Server (10.3.X) to use SSL in Fusion Middleware 11g (11.1.1.X)

Step III: Configure mod_wl_ohs

This step assumes you have deployed an application to the WebLogic Managed Server where SSL is configured. In this example an application is deployed whose root context is /helloWorld. See "How To Configure mod_wl_ohs with Oracle HTTP Server and Oracle WebLogic Server" to make sure this works via HTTP before attempting the SSL setup.
1. If you do not have the Root CA Certificate(s) that signed the WLS certificate in Step II, then export them using the following steps:

a) Set the environment using the following command:
$MIDDLEWARE_HOME/user_projects/domains/<domain>/bin/setDomainEnv.cmd

b) If you do not know the alias for the root CA certificate run:
keytool -list -v -keystore <keystore>

c) Export the certificate:
keytool -export -alias <root_alias> -file <filename> -keystore <keystore>
For example:
keytool -export -alias rootca -file rootca.cer -keystore keystore.jks
d) Repeat this step for all root CA certificates in the chain
2. Load the Trusted Certificate(s) into the Oracle Wallet created in Step I. The method to import the root CA certificates depends on how you created the Wallet in Step I.
3. Edit $ORACLE_INSTANCE/config/OHS/ohs1/mod_wl_ohs.conf and add the following entry:
<Location /context_root>
SetHandler weblogic-handler
WebLogicHost <weblogichost.domain>
WebLogicPort <weblogic_ssl_port>
Debug ALL
WLLogFile /tmp/weblogic1.log
SecureProxy ON
WlSSLWallet "<wallet_path_from_step_I>"
</Location>
For example:
<Location /helloWorld>
SetHandler weblogic-handler
WebLogicHost weblogic.uk.oracle.com
WebLogicPort 7012
Debug ALL
WLLogFile /tmp/weblogic1.log
SecureProxy ON
WlSSLWallet "/oracle/Middleware/instances/instance1/config/OHS/ohs1/keystores/newwallet"
</Location>
Note that WlSSLWallet can be the full path, or set to ${ORACLE_INSTANCE}/config/OHS/ohs1/keystores/newwallet. Make sure the Wallet is accessible and owned by the same owner as $ORACLE_HOME/ohs/bin/httpd, otherwise errors will occur.

4. Restart HTTP Server:
$ORACLE_INSTANCE/bin/opmnctl restartproc process-type=OHS
5. On FMW 11.1.1.4 or higher, there is an extra step required to prevent redirects going to http.
To prevent this problem:
  • Access the WebLogic Server console
  • Click on 'Servers' -> '<SSL_Managed_Server>' -> 'General' -> 'Advanced'
  • Check the 'WebLogic Plug-In Enabled' box.
  • Click 'Save'
  • Restart the Managed Server.
6. Test that you can access the application via https:
https://host.domain:port/contextroot
For example:  https://ohs.uk.oracle.com:4448/helloWorld
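
The following is an added example, not part of the original note or of Oracle's tooling: a small Python linter that parses the <Location> blocks from Step III.3 and reports any weblogic-handler block where the OHS-to-WebLogic hop is not SSL or has no wallet. Treating Debug and a WLLogFile under /tmp as settings to review is this example's own policy choice, and the sample configuration, including the /plainApp block, is constructed.

```python
import re

# Constructed sample: the page's /helloWorld block plus a hypothetical /plainApp block.
SAMPLE_CONF = """\
<Location /helloWorld>
SetHandler weblogic-handler
WebLogicHost weblogic.uk.oracle.com
WebLogicPort 7012
Debug ALL
WLLogFile /tmp/weblogic1.log
SecureProxy ON
WlSSLWallet "/oracle/Middleware/instances/instance1/config/OHS/ohs1/keystores/newwallet"
</Location>
<Location /plainApp>
SetHandler weblogic-handler
WebLogicHost weblogic.uk.oracle.com
</Location>
"""

def parse_locations(text):
    """Return {path: {lowercased directive: value}} for each <Location> block."""
    blocks, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        opened = re.match(r"<Location\s+(\S+?)\s*>$", line, re.I)
        if opened:
            current = blocks.setdefault(opened.group(1), {})
        elif re.match(r"</Location\s*>$", line, re.I):
            current = None
        elif current is not None and line and not line.startswith("#"):
            name, *rest = line.split(None, 1)
            current[name.lower()] = "".join(rest).strip('"')
    return blocks

def audit(text):
    """Return sorted (path, finding) pairs for blocks handled by weblogic-handler."""
    findings = []
    for path, d in parse_locations(text).items():
        if d.get("sethandler", "").lower() != "weblogic-handler":
            continue
        if d.get("secureproxy", "").upper() != "ON":
            findings.append((path, "SecureProxy is not ON: plain HTTP to WebLogic"))
        elif not d.get("wlsslwallet"):
            findings.append((path, "SecureProxy ON but no WlSSLWallet"))
        # Example policy (an assumption of this sketch): review troubleshooting settings.
        if d.get("debug", "OFF").upper() != "OFF":
            findings.append((path, "Debug logging enabled: " + d["debug"]))
        if d.get("wllogfile", "").startswith("/tmp/"):
            findings.append((path, "WLLogFile in shared /tmp: " + d["wllogfile"]))
    return sorted(findings)
```

Call audit() on the contents of mod_wl_ohs.conf; an empty list means every weblogic-handler block passes these checks.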