Forum Discussion
Mike_Richards_6
Nimbostratus
NimbostratusWL-Proxy-SSL HTTP header is not working in WebLogic 10.3.4 with F5 Big-IP load balancer
I have submitted this issue to Oracle Support because I believe the problem is on the WebLogic side, but I wanted to post it here in case any iRules experts have any suggestions. I will keep this post updated with my findings from Oracle Support.
Here is the contents of the support request I sent to Oracle:
---------------
Problem Description: WL-Proxy-SSL HTTP header is not working in WebLogic 10.3.4 with F5 Big-IP load balancer. We are off-loading the SSL for WebLogic and Oracle SOA Suite to the Big-IP hardware. Setting the WL-Proxy-SSL header worked with WebLogic 10.3.3 but does not appear to be working with 10.3.4.
1) Processor Spec's
64-bit Intel
2) Describe the Oracle environment
FMW 11.1.1.4 home with Oracle SOA Suite installed. The AdminServer is running the WebLogic Console and EM Fusion Middleware Control.
3) Describe your question or issue in detail
Here is the network trace provided by our F5 Big-IP network administrator:
----------------------------------------
This is the conversation between the F5 and the server of me hitting https://soa-test1.corp.paetec.com/console:
GET /console HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; MS-RTC LM 8; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: soa-test1.corp.paetec.com
Connection: Keep-Alive
Cookie: __utma=105458178.438694096.1294338702.1297090301.1297117932.6; __utmz=105458178.1294338702.1.1.utmcsr=insight.paetec.com|utmccn=(referral)|utmcmd=referral|utmcct=/; s_pers=%20s_nr%3D1298411690215-Repeat%7C1301003690215%3B%20s_prop18_persist%3DDirect%7C1298498090418%3B; BIGipServersoa-test1_tcp7101_pool=470164234.48411.0000; ADMINCONSOLESESSION=7zbLNl9Qgnv4Bln17Tp33ZWMrGTX240CC3yQ2DJT1yrLQpQ65vqs!-481033609
WL-Proxy-SSL: true
HTTP/1.1 302 Moved Temporarily
Date: Wed, 23 Feb 2011 22:07:23 GMT
Transfer-Encoding: chunked
Location: http://soa-test1.corp.paetec.com/console/
X-Powered-By: Servlet/2.5 JSP/2.1
0115
302 Moved Temporarily
This document you requested has moved temporarily.
It's now at http://soa-test1.corp.paetec.com/console/.
----------------------------------------
Notice that "WL-Proxy-SSL: true" is present in the HTTP request headers, but WebLogic is still returning a redirect to the HTTP version of the page.
As mentioned earlier, we used an identical load-balancer configuration with FMW 11.1.1.3 and WebLogic 10.3.3 with success.
4) List any documentation or notes you are following
I followed the steps in this document and it did not resolve the issue:
E-WL: How to Configure WebLogic 10.3 Admin Server Behind Load Balancer? [ID 1127517.1]
Perhaps this is a regression of bug 8254839 "In WebLogic Server 10.3.0, the WL-Proxy-SSL header is not recognized by the server."
I have reviewed and performed the steps in Doc ID 1127517.1. I have confirmed that "-Dweblogic.http.isWLProxyHeadersAccessible=true" appears on the command line for the WebLogic java process. The network capture I included in the SR shows that the "WL-Proxy-SSL: true" header is being set at the load balancer.
---------------
- Chris_Miller
Altostratus
Interesting. I leverage this header as well but we're not on that late of a WL version.
You could use "redirect rewrite" in an HTTP Class to rewrite these redirects until it gets working. 
hooleylistCirrostratus
As Chris says, you should be able to use 'redirect rewrites' on a custom HTTP profile. You might also need to update the response content to rewrite http:// to https://. If that's required, you could use a stream profile and STREAM::expression based iRule:
http://devcentral.f5.com/wiki/default.aspx/iRules/STREAM__expression.html
But the best option is to get a fix to the application if/when that's available as that lowers the complexity of the LTM config.
Aaron- Chris_MillerAaron,
Should he be contacting support on this too? Am just curious whether F5's Application Vendor Management teams get involved with stuff like this? Since this is a documented method of offloading SSL from WebLogic, I'd like to think people at F5 are testing these upgrade scenarios before they're released, especially given how big the Oracle Partnership is.
http://support.f5.com/kb/en-us/solutions/public/4000/400/sol4443.html?sr=13001161
Also, I noticed today that when using the WebLogic templates to create Virtual Servers, the auto-created HTTP profile doesn't contain the header insertion when doing SSL Offload. Is that a CR or support case? I'm fine with doing that one. Just curious. - hooleylistHi Chris,
Good points. Two cases with F5 Support on this would be great.
Aaron - Chris_MillerI created a support case on the template. I don't have a WL lab to test upgrades so hopefully Mike feels comfortable doing a case.
Mike_Richards_6Thanks for all the great suggestions everyone. I received an update from Oracle Support that has made great progress in correcting this issue:
Generic Note
------------------------
Hello Micheal,
I am currently going through the SR notes and analysing the information provided.
However I would wish to know the outcome of enabling the Weblogic Plugin Enabled parameter from the Domain_Name --> Configuration Tab --> Web Applications Sub Tab
You will need to check the Weblogic Plugin Enabled option.
Best Regards,
Shrikant Rajappan
Software Engineer
Global Customer Support - Application Server Team
--------------------------------------------------
MICHAEL.RICHARDS@PAETEC.COM - March 1, 2011 4:04:09 PM GMT-05:00 [Update from Customer]
--------------------------------------------------
Hi Shrikant,
I made the setting change you recommended and restarted the AdminServer. It appears that WebLogic server is now recognizing the WL-Proxy-SSL header from the F5 and behaving accordingly.
I have tested the WebLogic Admin Console and it seems to be working as expected.
I am still having some issues with the Fusion Middleware Control (EM) application over https (it works correctly over http through the load-balancer). Some elements of the Fusion Middleware Control UI are not rendering correctly or behaving correctly.
I will continue to troubleshoot and post another update.
Regards,
Mike- Mike_Richards_6
Here is the additional follow that I sent to Oracle Support today:
--------------------------------------------------
The WebLogic Admin Console seems to be functioning correctly over HTTPS on our soa-test1 domain with this change in place.
However, the Oracle EM application is not working completely over HTTPS.
https://soa-test1.corp.paetec.com/em
The first problem is that the loading page hangs indefinitely instead of redirecting to the login page. You can usually get around this by reloading the page and the login screen will come up. However, sometimes the login screen will work fine, and sometimes it will not work at all (pressing the Login button will have no effect).
I can reproduce these issues with some inconsistency. Sometimes one browser will work while another will not (Firefox 3.6 vs. IE 8), and sometimes clearing the cache and restarting the browser will help (and sometimes it won’t).
We do not experience these problems when accessing EM (Fusion Middleware Control) over the plain HTTP protocol through the F5/Big-IP. - Mike_Richards_6After further investigation, we have determined that disabling compression on the https profile on the F5 has resolved the remaining issues https issues with SOA Suite 11g.
- Chris_MillerSo what's the verdict here? Does the WL-Proxy-SSL header work on the new WebLogic version without any manual intervention? Or do WebLogic changes need to be made? Sounds like the Plugin Enabled button needs to be checked?
- Mike_Richards_6Hi Chris,
The final result for us was that WebLogic 10.3.4 would not recognize the WL-Proxy-SSL header until we enabled the "Weblogic Plugin Enabled" option in the WebLogic Admin Console. Once we enabled that option the SSL off-loading worked as expected.
The second issue we were experiencing was that some applications in the new version of Oracle SOA Suite 11g were not working correctly over HTTPS through the F5. Some of the large javascript files were intermittently failing to be loaded through the F5. Our network engineer disabled compression on the https profile and that resolved the issue.
Regards,
Mike
