You want to implement encryption between the web server and the backend Weblogic server.
Save yourself the 8 hours it took me to debug this one! 🙂
Handed to you on a plate – clear, simple and proven. 😉
One gotcha: if your WLS has only an export license, it requires a maximum of 56-bit encryption via a 512 byte cert.
Therefore you need to generate the cert like this (2 years):
openssl req -newkey rsa:512 -days 730 -keyout newreq.pem -out newreq.pem
To check if you have an export license,
grep -i export /opt/bea/license.xml
– will show something like this:
license component="SSL/Export" expiration="never …
Another tip suggested by BEA is to ensure the files (cert, key and CA cert) all end with the extension .pem.
Once you have the new key, cert and your CA cert (default demoCA/cacert.pem), copy them into /opt/bea/wlserver6.1/config/bpmdomain/myserver (or the location where you have Weblogic installed).
In our version we use wlintegration – so our path is /opt/bea/wlintegration2.1/config/bpmdomain/myserver
Subsequently these files are referenced from config.xml as explained below (replace the file names with the ones you created and your CA):
For Apache to work, you need to modify its config to look something like this (after copying your CA cert file to the location designated below):
<IfModule mod_weblogic.c>
WebLogicHost hostname
WebLogicPort 7002
SecureProxy On
trustedCAFile yourcafile.pem
RequireSSLHostMatch false
ConnectTimeoutSecs 60
Debug Off
ErrorPage https://xxxx/outage.html
</IfModule>
Notice the different port (7002) – default Weblogic SSL port. You need to ensure this is open from the firewall.
Therefore ensure it will work, even before entering change control! 🙂
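A pre-change check for the Apache settings above, as an added example that is not part of the original post: it reads the mod_weblogic block and reports settings that would leave the link to WebLogic unencrypted or unverified. The function names, the sample file name cacert.crt and the note about 7001 being the default non-SSL port are assumptions of this example.

```shell
# Added example, not from the original post: lint the mod_weblogic block of an
# Apache config before raising the change. Prints FAIL/NOTE lines; exit status 0.
check_wl_conf() {
    awk '
    # Apache directive names are case-insensitive, so compare in lower case.
    tolower($1) == "<ifmodule" && $2 ~ /^mod_weblogic\.c>$/ { inblk = 1; next }
    tolower($1) == "</ifmodule>" { inblk = 0 }
    inblk && $1 !~ /^#/ && NF >= 2 { v[tolower($1)] = $2 }
    END {
        if (tolower(v["secureproxy"]) != "on")
            print "FAIL SecureProxy is not On: plug-in will not use SSL to WebLogic"
        ca = v["trustedcafile"]
        if (ca == "")
            print "FAIL trustedCAFile is not set"
        else if (ca !~ /\.pem$/)
            print "FAIL trustedCAFile does not end in .pem: " ca
        if (v["weblogicport"] == "")
            print "FAIL WebLogicPort is not set"
        else if (v["weblogicport"] == "7001")
            print "NOTE WebLogicPort 7001 is the default non-SSL port; the SSL default is 7002"
        if (tolower(v["requiresslhostmatch"]) == "false")
            print "NOTE RequireSSLHostMatch false: host name is not matched against the backend cert"
    }' "${1:--}"
}

# Constructed sample configs (hypothetical host and file names).
good_conf() {
    cat <<'EOF'
<IfModule mod_weblogic.c>
WebLogicHost hostname
WebLogicPort 7002
SecureProxy On
trustedCAFile yourcafile.pem
RequireSSLHostMatch false
</IfModule>
EOF
}
bad_conf() {
    cat <<'EOF'
<IfModule mod_weblogic.c>
WebLogicHost hostname
WebLogicPort 7001
trustedCAFile cacert.crt
</IfModule>
EOF
}

good_conf | check_wl_conf
bad_conf | check_wl_conf
```

Against a real server, pass the config file path as the first argument, for example `check_wl_conf httpd.conf`.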