0

New to weblogic and netscaler need help with the architecture

I want to expose a service on weblogic to the internet so mobile users can access a webservice.currently internal traffic works ok when users directly access the site eg http://xxx.internal.local:7001

i need to have SSL enabled end to end for both internal users and External users and the ability to access the webservice externally and internally

Traffic flow

  • External user|||| <--HTTPS-->|||| Netscaler|||| <--HTTPS--> weblogic server
  • Internal users connect directly to weblogic
  • Internal users would use https://xxx.internal.local:7002
    • (Private DNS and IP address)
  • External users would use https://xxx.external.com:443
    • (Public DNS and IP Address)

SAN Cert (has local domain and external domain) installed and imported into the weblogic Java key Stores.

What is the best way to achieve this?

Things we have tried

Netscaler admin configuring SSL Pass through on the Netscaler - eg no decrypt and re encrypt and forwards 443 port to 7002

CNAME setup in the internal DNS to point xxx.external.com to xxx.internal.local

  • internal traffic to https://xxx.internal.local:7002 was OK and encrypted
  • External traffic failed and Cert errors presented to users

i am unclear how this should be configured with having external domain and internal domain together with having netscaler doing SSL bridging - is there a better way to get this done - eg have the netscaler offload SSL at VIP and re ncrypt back to weblogic and changing the HTTP host headers to match the internal domain name (reverse proxy)

Thanks in advance

Codebug
  • 69
  • 1
  • 9
  • Both SSL termination at the load balancer (with or without re-encryption to backend) and true end-to-end with SSL termination at the backend (with the NetScaler vServer set to "SSL_BRIDGE" mode) are valid options. You can do both without cert errors. Which do you want? And regarding the errors: If I had to guess, then I'd say: client arrives via external.example.com but gets certificate from the backend that does not include that external name in its SAN names. Can you give more detail on the error message? Screenshot? – StackzOfZtuff Jan 09 '16 at 18:51
  • @StackzOfZtuff end to end with ssl termination at the backend - will mean i have to change internal domain to be the same as the external which is not possible at this stage. so if we terminate at the load balancer and rencrypt to backend how would this work? does the netscaler manage changing the host headers for requests and responses back to the user , since it will be different ? also i assume you will need to install the public cert on the NLB as well as the weblogic. can i use the same cert since its a SAN cert with both internal and external domain exist in it ? – Codebug Jan 10 '16 at 03:02

4 Answers4

1

Thanks All for the feedback. The tested working solution was as follows .

  • One publicly generated SAN cert (that has ext domain and internal domain in SAN entries) installed on the Netscaler and the weblogic server

  • External users would use the external domain url 'https://xxx.external.com:443' The external SSL traffic would terminate at the Netscaler decrypted and re-encrypted back to the internal weblogic server on port 7002 . The Netscaler will also change the HTTP host header in the request to the internal hostname also will change the response Http host headers to the external hostname.

  • Internal users will just use the internal domain url eg https://xxx.internal.local:7002

  • Cert providers dont issue Certs with internal domains anymore as i understand hence this might not work for you . but i think to work around that problem . you can generate an internal CA cert with the internal domain name. install on the weblogic server and netscaler . Purchase a publicly generated Cert with the external domain name and install on the Netscaler. so external traffic will use the the Public cert to encrtypt the traffic - and internal traffic will be encrypted using the internal Cert.

Codebug
  • 69
  • 1
  • 9
1

Although this is an old question, there is not a lot of WebLogic specific insight into the answer. Here is my experience from 7 or so years of dealing with WebLogic (with and without a Netscaler as backend).

1) Why are you exposing your application on port 7001 or 7002? Typically, 7001 and 7002 would house the AdminServer, and you certainly DO NOT want people to be able to get to http://...:7001/console (or https://....:7002/console). Port 7001 and 7002 should only be able to be accessed from trusted (administrative) parts of your network.

1a) Typically, if you are using Oracle Fusion Middleware, the application would be run inside a separate managed server, which gets its own ports. As an example, Oracle WebCentre Content runs in a managed server called UCM_server1, which has its primary service ports as 16200 (http) and 16201 (https)

2) You should really put WebLogic behind a reverse proxy to surface any sort of site. We've generally used either OHS (Oracle's version of httpd) or Apache httpd. Then typically you would use the weblogic_module within httpd to reverse proxy to your WebLogic managed server. (and in its advanced settings you would set 'Enable WebLogic module' (or named similarly, I can't recall it off the top of my head).

2a) The weblogic_module is particularly important (or rather, it enables particularly important features when used behind a reverse proxy). Features like knowing:

  • Did the traffic come in on http or https (important if the application wants to craft links / redirects and you want to avoid things like redirect loops).

  • What IP did the traffic come from (particularly important if using SSO, depending on how sane your security settings are)

2b) Most of what the weblogic_module does is set particular HTTP request headers. Enabling the 'Use weblogic module' in the settings of the managed server simply tells WebLogic "trust some particular headers that come into the requests and use those to learn more about where the traffic came from and how it entered the system".

Actually, I would suggest its better to avoid using the weblogic_module, particularly if you want to make a better "oops, the site is unavailable" experience (ie. 503 handler) without redirecting the user (changing their context so they can't just reload the page). Just do the same things that weblogic_module is doing -- its not terribly difficult.

3) Stick a cache in front of that (varnish, nginx, etc.). In my experience, you do really want to only be serving the dynamic stuff from WebLogic, and make sure you serve static content from something optimized for that purpose. Don't tie up your worker threads needlessly; they can be scarce resources at times. Depending on your application, you may prefer to have something that allows you to have easy control over things like cache headers (cause some products --- Oracle WebCentre Content, I'm looking at you --- are just useless when it comes to making the site cache-friendly without rewriting Cache-Control headers).

4) You very likely want to have one URL... having different internal and external URLs is... just really awful. Consider using techniques such as 'split-horizon' DNS, whereby internal clients will get one IP (eg. 10.x.x.x), and external clients get another (eg. 123.x.x.x), or just serve all from the one public IP. You should have the same SSL certificate on each; HSTS may very well give you issues otherwise.

5) Speaking SSL, I would suggest that you also use self-signed certificates (or locally issued certificates if you have a local CA) for the internals (eg. WebLogic Servers such as AdminServer, as well as Nodemanager), and just have CA certificates on the actual web-heads.

6) If using httpd, I would highly recommend that you deploy it with the likes of mod_remoteip, with the idea being that you have a good source of logging.

The A-Team (they are from Oracle -- and very knowledgeable about various Oracle products) have a good blog post on the topic of weblogic_module: SSL offloading and WebLogic server

F5 have a useful deployment guide that shows how you configure a reverse proxy (F5 BigIP in their case, but still relevant for Netscaler or just httpd) and not have to use weblogic_module.

7) You're probably going to hate me for giving you so much to think about... but I tell you, its all driven by experience ... some of which is quite painful.

8) Oh, and in case you're running your Java workloads on a VMWare environment (that doesn't expose a hardware random number generator), you're going to want to do something to ensure that your application only ever uses /dev/urandom, and never /dev/random --- find all jre/lib/security/java.security files and set securerandom.source=file:/dev/./urandom to work around very long-standing (possibly resolved finally somewhere in Java 8) bug whereby it would be 'clever' and end up using /dev/random, making things like startup abominably slow.

Cameron Kerr
  • 1,725
  • 16
  • 23
0

SAN Cert (has local domain and external domain) installed and imported into the weblogic Java key Stores.

This must mean it's a local self-signed cert that you have created as a cert provider would not allow a local domain on a cert. This means it will not be recognised by external browsers as they do not recognise self-signed certs created by your company. Unless you have an externally issued wildcard cert that therefore works for both?

Netscaler admin configuring SSL Pass through on the Netscaler - eg no decrypt and re encrypt and forwards 443 port to 7002

This will not work for same reason. Your server will send the internal cert back from the server.

have the netscaler offload SSL at VIP and re ncrypt back to weblogic and changing the HTTP host headers to match the internal domain name (reverse proxy)

This is what you should do. Buy a cert for the external domain and then use internally issued self-signed cert for internal domain.

Alternatively use the same domain name internally and externally and then can use same cert on both or use pass through. With this set up you can have external DNS pointed at LoadBalancer and internally pointed directly at web server if you want.

Barry Pollard
  • 40,655
  • 7
  • 76
  • 92
  • we actually have a publicly generated SAN cert that has both internal domain and external domain CN has the ext domain and SAN has both int and ext domain.i understand cert providers dont do this anymore but to my surprise they did. As the internal traffic already been used and in Prod. changing the internal domain name is not possible at this stage. so it looks the option i am left with is the reverse proxy with changing HTTP host headers at the netscaler and re -encrypt traffic back to weblogic. do you also have change the response HTTP headers?nvr done this how would this work – Codebug Jan 10 '16 at 02:42
  • Should all be taken care of automatically by the load balancer. It's a fairly common use case. However if it is the same cert then pass through SSL should also work as your web server will provide the cert based on the wrong domain but this will also be the cert for the right domain. But reverse proxy is probably better as doubt you'll be able to get such a cert again in future. What was the cert error last time you tried? – Barry Pollard Jan 10 '16 at 08:49
0

Here are steps to archive this.

Step1: Add IP to netscaler (if you have more then 1 weblogic server, add all once by one)

Step2: Create a server using each server's internal IP (e.g. WebLogic_Svc1,WebLogic_Svc2)

Step3: Create service using above server's internal IP. (Use port#7002 where you have if functional)

Step4: Bind cert used on WebLogic to above service.

Step5: Now, you can change monitor to use SSL.(You may leave monitor to default tcp monitor as well. Ensure port7002 is open from SNIP to your WebLogic otherwise service will keep showing down).

Step6: If you see WebLogic_Svc1,WebLogic_Svc2 up, we can proceed to final two steps.

Step7: Create LB VServer xxx.external.com using routable public IP that will host and use port#443.

Step8: Bind public SSL CertKey pair to above LB Vserver . (Ensure that external SSL CertKey is linked to appropriate intermediate and root certificate. Your public cert provider will give you intermediate and root certificate. If you don't do this, your public cert still won't be recognized by browers as chin of trust will not get completed.)

Step9: Bind above two services to LB VServer xxx.external.com.

If above steps are too difficult for you to follow, see following youtube video from Andrew (theurbanpenguin)

Pranav Raval
  • 13
  • 3