In this post I would like to talk about a requirement to access an OAM 11g protected application in SSL mode. In my case the protected application is deployed on a Tomcat server fronted by an Apache server.
The application is protected by OAM 11g through an Apache 10g WebGate and works fine over HTTP. The goal now is to make it work in SSL mode, which mainly requires changes on the OAM side.
Pre-requisites:
- Apache Server should be configured to run in SSL mode. I am not going into the details of that here. Let us assume it is accessible over HTTPS at https://apache_hostname:8444/
- The Tomcat application is protected by OAM 11g using an Apache 10g WebGate at the front end and is working fine. Let us assume it is accessible at http://apache_hostname/
Changes in OAM front:
- Create a new SSL Form Authentication Scheme as shown below.
- In the Challenge URL field, specify the login URL, for instance https://hostname:port/LN_login.html
- Set the Challenge Parameters field to ssoCookie:secure, because ObSSOCookie needs to be marked secure and sent over SSL.
- Specify the new SSL Form Authentication Scheme in the Authentication Policy of the Application Domain as shown below.
- Change the Failure URL to the https URL of an authentication failure page. The same change can be made to the Authorization Failure URL in the Authorization Policy; I am not giving a screenshot here.
- Test a protected URL, for instance https://apache_hostname:8444/private/protected.html; it displays the login page in HTTPS mode as shown below.
- After successful authentication and authorization, the browser is redirected to the requested resource in https mode.
That’s it. We are done here. Please post questions if you have any.
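A check for the result of these steps, as an added example that is not part of the original post: it audits a captured login redirect chain for hops that fall back to HTTP and for an ObSSOCookie set without the Secure attribute. The function names and the sample captures are constructed for illustration; nothing is fetched over the network.

```python
from urllib.parse import urlsplit

def cookie_attrs(set_cookie):
    """Split a Set-Cookie value into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    return name, {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}

def audit_login_flow(hops, cookie_name="ObSSOCookie"):
    """Check a captured redirect chain; hops is a list of (url, [(header, value), ...])."""
    findings = []
    for url, headers in hops:
        if urlsplit(url).scheme != "https":
            findings.append(f"request not over HTTPS: {url}")
        for header, value in headers:
            header = header.lower()
            # Relative Location values have no scheme and stay on the current one.
            if header == "location" and urlsplit(value).scheme == "http":
                findings.append(f"redirect downgrades to HTTP: {url} -> {value}")
            elif header == "set-cookie":
                name, attrs = cookie_attrs(value)
                if name == cookie_name and "secure" not in attrs:
                    findings.append(f"{name} set without Secure at {url}")
    return findings

# Constructed captures: hostnames follow the post's placeholders, cookie values are dummies.
GOOD_FLOW = [
    ("https://apache_hostname:8444/private/protected.html",
     [("Location", "https://apache_hostname:8444/LN_login.html")]),
    ("https://apache_hostname:8444/LN_login.html", []),
    ("https://apache_hostname:8444/private/protected.html",
     [("Set-Cookie", "ObSSOCookie=dummy; path=/; secure")]),
]
BAD_FLOW = [
    # Challenge URL left on http and ssoCookie:secure not set.
    ("https://apache_hostname:8444/private/protected.html",
     [("Location", "http://apache_hostname/LN_login.html")]),
    ("http://apache_hostname/LN_login.html",
     [("Set-Cookie", "ObSSOCookie=dummy; path=/")]),
]

if __name__ == "__main__":
    for label, flow in (("good", GOOD_FLOW), ("bad", BAD_FLOW)):
        print(label, audit_login_flow(flow) or "no findings")
```

The hop list can be filled from a proxy capture or from the response headers printed by a verbose HTTP client while walking through the test URL.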
18 users commented in " How to configure SSL for OAM protected application "
Hi Mahendra,
I have integrated OAM 11g-EBS R12.1.3 by following Atul and Neha’s eBook “Oracle E-Business Suite (R12) Integration with OID/OAM 11g” (my environment is similar to this doc). And added a new EBS instance to the existing OAM. Now, I have a problem… as the new EBS instance is in https I have to run OAM also in https (as per DOC 1309013.1). Following are my doubts:
1. In order to redirect my https EBS URL to https OAM login, do I need to enable all the middleware software (OID, WLS and OAM) in SSL mode?
2. Or only OHS must be SSL enabled ?
Regards,
Viswanath.P.R
@ viswanath,
Q: as the new EBS instance is in https I have to run OAM also in https
A: No, this is not true. What document 1309013.1 says is that if the EBS middle tier is running in SSL then it is recommended to configure the WebLogic Server on which AccessGate is deployed for SSL. (This is different from configuring SSL for OAM.)
All you need to do is either configure SSL for OHS, which will then forward requests to the WebLogic Server (in which AccessGate is deployed) over non-SSL
or
configure SSL for OHS and for the WebLogic Server on which AccessGate is deployed. Communication from user to OHS and from OHS to WebLogic Server (in which AccessGate is deployed) is all SSL in this case.
WebGate to OAM is still non-SSL in both cases above.
If your requirement is to configure SSL everywhere then you must run the OAM server in SECURE mode and change the WebGate from OPEN to CERT.
As you have already purchased our book, feel free to call me on my mobile (as per London timezone) and I’ll be happy to explain this.
Please go through chapter 1 of our eBook
@ viswanath,
Your other two doubts
Q1. In order to redirect my https EBS URL to https OAM login, do I need to enable all the middleware software (OID, WLS and OAM) in SSL mode?
A: No, that is not mandatory.
Q2. Or only OHS must be SSL enabled ?
A: Only OHS on SSL should be enough but check your security requirement.
If you have a hardware load balancer with SSL termination, then you can terminate SSL at the load balancer only, and OHS will then be running on non-SSL.
Hi Atul,
I have initiated the process of enabling SSL for OHS. And in the process I have performed following steps..
1. Created wallet using OWM as per DOC 1226484.1
2. Modified ssl.conf as per DOC 1226933.1
3. Restarted OHS and OAM
But still my EBS URL is redirecting to the SSO URL which is in http but not to https.
Do I need to do anything more to make the EBS URL redirect to the HTTPS SSO/OAM URL?
To be more clear on my previous question..
How to make EBS URL to look for HTTPS of SSO/OAM login page??
When I type the EBS URL https://ebs_hostname:4449/ —-> it is redirecting to —-> http://oam_hostname:7777/ebsauth_ezir12/...
whereas it should go to https://oam_hostname:4443/ebsauth_ezir12/...
as 4443 is https port for OHS
To achieve this do I need to change anything in oamconsole or EBS??
@ viswanath,
I am assuming that when you say http://oam_hostname:7777/ebsauth_ezir12/…, oam_hostname is the machine on which OHS is running.
7777 is the non-SSL port of OHS and 4443 is the SSL port of OHS.
You want EBS to redirect to authentication on URL https://oam_hostname:4443/ebsauth_ezir12/OAMLogin.jsp
If this is the case then you should change profile option Application Authentication Agent URL value and bounce EBS middle Tier
Hi it worked after making following changes…
1. ‘Application Authenticate Agent’ profile in EBS to https://oam_hostname:4443/
2. changing the ‘challenge URL’ in oamconsole –> Authentication schemes to https url
3. changing protected resource policy –> failure url to https url.
Now, the EBS https url is redirected to sso/oam https url.
Please provide me some high level steps to integrate HTML application with OAM 11g
Thanks in Advance
Kiran Kumar
Hi Atul,
I have successfully completed the configuration for EBS SSO with Access Manager using your eBook, however I am pretty confused as to how to enable SSL for the whole set of components.
Can you please provide high level steps?
Thanks
Vivek
Hi Atul,
My application is running in SSL Port. I need to send ObSSOCookie to my application thru HTTP Header.
Can I protect my application using Security Level Open?
If not what are all the steps to protect my application.
Currently I created a WebGate with Simple security level. In the mod_wl_ohs.conf file I specified WLProxySSL ON, and in WebLogic Server I enabled the WebLogic plugin.
SetHandler weblogic-handler
WebLogicHost hostname
WeblogicPort port
WLProxySSL ON
WLProxySSLPassThrough ON
When accessing the application via the http port I am getting
Please help me to resolve the same. I am very much new to OAM.
When accessing the application via the http port I am getting the below error in the application server log
The browser shows
Failure of server APACHE bridge:
No backend server available for connection: timed out after 10 seconds or idempotent set to OFF or method not idempotent.
@ Saravanan,
Either weblogic managed server is not running or virtual host entry (if using OHS) is not correct.
What URL do you see in browser when you see this message ?
Is weblogic managed server running ?
Are you accessing URL via virtual host (OHS server name is different and URL you are using in browser is different) ?
Thanks for your quick response.
My Managed Servers are running. I am accessing the URL via the IP address of the OHS server. (In my case all servers are running on the same machine.)
I am accessing http://hostname:7778/myApp. The oam webgate redirects to credential collector after that the same URL available in browser and getting “No backend server available for connection: timed out after 10 seconds or idempotent set to OFF or method not idempotent.”
Hi Atul,
I configured a WebGate 11g Agent in Simple mode. When I try to access the protected URL, the system is throwing the above error. The protected URL is running SSL enabled. In the app server log I found the error as ”
Need your help to resolve the same..
Plaintext data for protocol HTTP was received from peer***** instead of an SSL handshake.
Plaintext data for protocol HTTP was received from peer (hostname) instead of an SSL handshake.
is the error message.
Plaintext data for protocol HTTP was received from peer …. instead of an SSL handshake.
is the error message displayed in the app server log.
Plaintext data for protocol HTTP was received from peer ***** (hostname)*** instead of an SSL handshake.