Product Area->weblogic server->Using Web Server Plug-ins->
[oracle@weblogic-01 i686]$ pwd
/home/oracle/Oracle/Middleware/wlserver_10.3/server/plugin/linux/i686
[oracle@weblogic-01 i686]$ ls -lh
total 6.5M
drwxr-x--- 2 oracle oracle 4.0K Dec 13 19:34 largefile
-rw-r----- 1 oracle oracle 912K Dec 13 19:34 libproxy128_61.so
-rw-r----- 1 oracle oracle 912K Dec 13 19:34 libproxy_61.so
-rw-r----- 1 oracle oracle 1.2M Dec 13 19:34 mod_wl128_20.so
-rw-r----- 1 oracle oracle 1.2M Dec 13 19:34 mod_wl128_22.so
-rw-r----- 1 oracle oracle 1.2M Dec 13 19:34 mod_wl_20.so
-rw-r----- 1 oracle oracle 1.2M Dec 13 19:34 mod_wl_22.so
[oracle@weblogic-02 modules]$ pwd
/usr/local/apache2/modules
[oracle@weblogic-02 modules]$ ls -lh
total 1.2M
-rw-r--r-- 1 root root 9.0K Dec 15 08:04 httpd.exp
-rw-r----- 1 root root 1.2M Dec 15 08:18 mod_wl_22.so
[oracle@weblogic-02 modules]$
#vi http.conf
LoadModule weblogic_module modules/mod_wl_22.so
[oracle@weblogic-01 i686]$ pwd
/home/oracle/Oracle/Middleware/wlserver_10.3/server/plugin/linux/i686
[oracle@weblogic-01 i686]$ ls -lh
total 6.5M
drwxr-x--- 2 oracle oracle 4.0K Dec 13 19:34 largefile
-rw-r----- 1 oracle oracle 912K Dec 13 19:34 libproxy128_61.so
-rw-r----- 1 oracle oracle 912K Dec 13 19:34 libproxy_61.so
-rw-r----- 1 oracle oracle 1.2M Dec 13 19:34 mod_wl128_20.so
-rw-r----- 1 oracle oracle 1.2M Dec 13 19:34 mod_wl128_22.so
-rw-r----- 1 oracle oracle 1.2M Dec 13 19:34 mod_wl_20.so
-rw-r----- 1 oracle oracle 1.2M Dec 13 19:34 mod_wl_22.so
[oracle@weblogic-02 modules]$ pwd
/usr/local/apache2/modules
[oracle@weblogic-02 modules]$ ls -lh
total 1.2M
-rw-r--r-- 1 root root 9.0K Dec 15 08:04 httpd.exp
-rw-r----- 1 root root 1.2M Dec 15 08:18 mod_wl_22.so
[oracle@weblogic-02 modules]$
#vi http.conf
LoadModule weblogic_module modules/mod_wl_22.so
3 Installing and Configuring the Apache HTTP Server Plug-In
The following sections describe how to install and configure the Apache HTTP Server Plug-In:
Overview of the Apache HTTP Server Plug-In
The Apache HTTP Server Plug-In allows requests to be proxied from an Apache HTTP Server to WebLogic Server. The plug-in enhances an Apache installation by allowing WebLogic Server to handle requests that require the dynamic functionality of WebLogic Server.
The plug-in is intended for use in an environment where an Apache Server serves static pages, and another part of the document tree (dynamic pages best generated by HTTP Servlets or JavaServer Pages) is delegated to WebLogic Server, which may be operating in a different process, possibly on a different host. To the end user—the browser—the HTTP requests delegated to WebLogic Server still appear to be coming from the same source.
HTTP-tunneling, a technique which allows HTTP requests and responses access through a company's firewall, can also operate through the plug-in, providing non-browser clients access to WebLogic Server services.
The Apache HTTP Server Plug-In operates as an Apache module within an Apache HTTP Server. An Apache module is loaded by Apache Server at startup, and then certain HTTP requests are delegated to it. Apache modules are similar to HTTP servlets, except that an Apache module is written in code native to the platform.
For information on configurations on which the Apache HTTP Server Plug-In is supported, see http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html.
Note:
Apache 2.0 Plug-In was deprecated in the WebLogic Server 10.0 release.Keep-Alive Connections in Apache Version 2.0
Version 2.0 of the Apache HTTP Server Plug-In improves performance by using a reusable pool of connections from the plug-in to WebLogic Server. The plug-in implements HTTP 1.1 keep-alive connections between the plug-in and WebLogic Server by reusing the same connection in the pool for subsequent requests from the same client. If the connection is inactive for more than 20 seconds, (or a user-defined amount of time) the connection is closed and removed from the pool. You can disable this feature if desired. For more information, see KeepAliveEnabled in Table 7-1.
Proxying Requests
The plug-in proxies requests to WebLogic Server based on a configuration that you specify. You can proxy requests based on the URL of the request (or a portion of the URL). This is called proxying by path. You can also proxy requests based on the MIME type of the requested file. Or you can use a combination of the two methods. If a request matches both criteria, the request is proxied by path. You can also specify additional parameters for each type of request that define additional behavior of the plug-in. For more information, see Configuring the Apache HTTP Server Plug-In.
Apache 2.2
Although this document refers to Apache 2.0, you can apply the same instructions to use Apache 2.2 with the libraries shown in Table 3-2.
Certifications
The Apache HTTP Server Plug-In is supported on AIX, Linux, Solaris, Windows, and HPUX11 platforms. For information on support for specific versions of Apache, seehttp://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html.
Installing the Apache HTTP Server Plug-In
The Apache HTTP Server Plug-In is included with WebLogic Server under the WL_HOME/server/plugin directory.
You can install the Apache HTTP Server Plug-In as an Apache module in your Apache HTTP Server installation and link it as a Dynamic Shared Object (DSO).
A DSO is compiled as a library that is dynamically loaded by the server at run time, and can be installed without recompiling Apache.
Installing the Apache HTTP Server Plug-In as a Dynamic Shared Object
The Apache plug-in is distributed as a shared object (.so) for Solaris, Linux, AIX, Windows, and HPUX11 platforms.
Note:
The WebLogic Server version 10.3 installation did not include the Apache HTTP server plug-ins. The Apache HTTP Server plug-ins are available in a separate zip file, available from the Oracle download and support sites. These plug-ins contain a fix for the security advisory described at:http://www.oracle.com/technology/deploy/security/alerts/alert_cve2008-3257.html
After downloading the zip file, extract the zip to a directory of your choice on disk.
Table 3-1 shows the directories that contain shared object files for various platforms.
Table 3-2 identifies the WebLogic Server Apache Plug-In modules for different versions of Apache HTTP Server and different encryption strengths.
Table 3-1 Locations of Plug-In Shared Object Files
Operating System | Shared Object Location Under WL_HOME/server/plugin |
---|---|
AIX | aix/ppc |
Solaris | solaris/sparc solaris/sparc/largefileFoot 1 solaris/x86 solaris/x86/largefileFoot 2 |
Linux | linux/i686 linux/i686/largefileFoot 3 linux/ia64 linux/x86_64 |
Windows (Apache 2.0 and 2.2, 32-bit) | win\32 |
HPUX11 | hpux11/IPF64 hpux11/PA_RISC Note: If you are running Apache 2.0.x server on HP-UX11, set the environment variables specified immediately below before you build the Apache server. Because of a problem with the order in which linked libraries are loaded on HP-UX, a core dump can result if the load order is not preset as an environment variable before building. Set the following environment variables before proceeding with the Apache configure, make, and make install steps, (described in Apache HTTP Server documentation at http://httpd.apache.org/docs-2.1/install.html#configure): export EXTRA_LDFLAGS="-lstd -lstream -lCsup -lm -lcl -ldld -lpthread" |
Footnote 1 See "Support for Large Files in Apache 2.0"
Footnote 2 See "Support for Large Files in Apache 2.0"
Footnote 3 See "Support for Large Files in Apache 2.0"
Choose the appropriate version of the plug-in shared object from the following table:
Table 3-2 Apache Plug-In Shared Object File Versions
Apache Version | Regular Strength Encryption | 128-bit Encryption |
---|---|---|
Standard Apache Version 2.0.x | mod_wl_20.so | mod_wl128_20.so |
Standard Apache Version 2.2.x | mod_wl_22.so | mod_wl128_22.so |
To install the Apache HTTP Server Plug-In as a dynamic shared object:
-
Locate the shared object directory for your platform using Table 3-1.
-
Identify the plug-in shared object file for your version of Apache in Table 3-2.
-
Verify that the WebLogic Server Apache HTTP Server Plug-In mod_so.c module is enabled.
The Apache HTTP Server Plug-In will be installed in your Apache HTTP Server installation as a Dynamic Shared Object (DSO). DSO support in Apache is based on module mod_so.c, which must be enabled before mod_wl_20.so is loaded. If you installed Apache HTTP Server using the script supplied by Apache, mod_so.c is already enabled. Verify that mod_so.c is enabled by executing the following command:
APACHE_HOME\bin\apachectl -l
(Where APACHE_HOME is the directory containing your Apache HTTP Server installation.)
This command lists all enabled modules. If mod_so.c is not listed, you must rebuild your Apache HTTP Server, making sure that the following options are configured:
... --enable-module=so --enable-rule=SHARED_CORE ...
See Apache 2.0 Shared Object (DSO) Support at http://httpd.apache.org/docs/2.0/dso.html.
-
Install the Apache HTTP Server Plug-In module for Apache 2.0.x by copying the mod_wl_20.so file to the APACHE_HOME\modules directory and adding the following line to your APACHE_HOME/conf/httpd.conf file manually:
LoadModule weblogic_module modules/mod_wl_20.so
-
Define any additional parameters for the Apache HTTP Server Plug-In.
The Apache HTTP Server Plug-In recognizes the parameters listed in General Parameters for Web Server Plug-Ins. To modify the behavior of your Apache HTTP Server Plug-In, define these parameters:
-
In a Location block, for parameters that apply to proxying by path, or
-
In an IfModule block, for parameters that apply to proxying by MIME type.
-
-
Verify the syntax of the APACHE_HOME\conf\httpd.conf file with the following command:
APACHE_HOME\bin\apachectl -t
The output of this command reports any errors in your httpd.conf file or returns:
Syntax OK
-
Restart Weblogic Server.
-
Start (or restart if you have changed the configuration) Apache HTTP Server.
-
Test the plug-in by opening a browser and setting the URL to the Apache Server plus “/weblogic/”, which should bring up the default WebLogic Server HTML page, welcome file, or default servlet, as defined for the default Web Application on WebLogic Server. For example:
http://myApacheserver.com/weblogic/
Support for Large Files in Apache 2.0
The version of Apache 2.0 that ships with some operating systems, including some versions of Solaris and Linux, is compiled with the following flags:
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
These compilation flags enable support for files larger than 2 GB. If you want to use a WebLogic Server Web server plug-in on such an Apache 2.0 Web server, you must use plug-ins compiled with the same compilation flags, which are available in the largefile subdirectory for your operating system. For example:
C:\WL_HOME\server\plugin\solaris\sparc\largefile
Note:
Apache 2.2 does not require special compilation flags to support files larger than 2 GB. Therefore, you do not need to use a specially compiled Web server plug-in if you are running Apache 2.2.Configuring the Apache HTTP Server Plug-In
After installing the plug-in in the Apache HTTP Server, configure the WebLogic Server Apache Plug-In and configure the server to use the plug-in. This section explains how to edit the Apache httpd.conf file to instruct the Apache server to load the WebLogic Server library for the plug-in as an Apache module, and to specify the application requests that should be handled by the module.
Editing the httpd.conf File
Edit the httpd.conf file in your Apache HTTP server installation to configure the Apache HTTP Server Plug-In.
This section explains how to locate and edit the httpd.conf file, to configure the server to use the WebLogic Server Apache Plug-In, to proxy requests by path or by MIME type, to enable HTTP tunneling, and to use other WebLogic Server plug-in parameters.
-
Open the httpd.conf file.
The file is located at APACHE_HOME\conf\httpd.conf (where APACHE_HOME is the root directory of your Apache HTTP server installation). See a sample httpd.conf file atSetting Up Perimeter Authentication.
-
Ensure that the WebLogic Server modules are included for Apache 2.0.x, manually add the following line to the httpd.conf file:
LoadModule weblogic_module modules\mod_wl_20.so
-
Add an IfModule block that defines one of the following:
-
For a non-clustered WebLogic Server: the WebLogicHost and WebLogicPort parameters.
-
For a cluster of WebLogic Servers: the WebLogicCluster parameter.
For example:
WebLogicHost myweblogic.server.com WebLogicPort 7001
-
-
To proxy requests by MIME type, add a MatchExpression line to the IfModule block. Note that if both MIME type and proxying by path are enabled, proxying by path takes precedence over proxying by MIME type.
For example, the following IfModule block for a non-clustered WebLogic Server specifies that all files with MIME type .jsp are proxied:
WebLogicHost myweblogic.server.com WebLogicPort 7001 MatchExpression *.jsp
You can also use multiple MatchExpressions, for example:
WebLogicHost myweblogic.server.com WebLogicPort 7001 MatchExpression *.jsp MatchExpression *.xyz
If you are proxying requests by MIME type to a cluster of WebLogic Servers, use the WebLogicCluster parameter instead of the WebLogicHost and WebLogicPortparameters. For example:
WebLogicCluster w1s1.com:7001,w1s2.com:7001,w1s3.com:7001 MatchExpression *.jsp MatchExpression *.xyz
-
To proxy requests by path, use the Location block and the SetHandler statement. SetHandler specifies the handler for the Apache HTTP Server Plug-In module. For example the following Location block proxies all requests containing /weblogic in the URL:
SetHandler weblogic-handler PathTrim /weblogic
The PathTrim parameter specifies a string trimmed from the beginning of the URL before the request is passed to the WebLogic Server instance (see General Parameters for Web Server Plug-Ins).
-
Optionally, enable HTTP tunneling for t3 or IIOP.
-
To enable HTTP tunneling if you are using the t3 protocol and weblogic.jar, add the following Location block to the httpd.conf file:
SetHandler weblogic-handler
-
To enable HTTP tunneling if you are using the IIOP, the only protocol used by the WebLogic Server thin client, wlclient.jar, add the following Location block to the httpd.conf file:
SetHandler weblogic-handler
-
-
Define any additional parameters for the Apache HTTP Server Plug-In.
The Apache HTTP Server Plug-In recognizes the parameters listed in General Parameters for Web Server Plug-Ins. To modify the behavior of your Apache HTTP Server Plug-In, define these parameters either:
-
In a Location block, for parameters that apply to proxying by path, or
-
In an IfModule block, for parameters that apply to proxying by MIME type.
-
Placing WebLogic Properties Inside Location or VirtualHost Blocks
If you choose to not use the IfModule, you can instead directly place the WebLogic properties inside Location or VirtualHost blocks. Consider the following examples of theLocation and VirtualHost blocks:
SetHandler weblogic-handler WebLogicHost myweblogic.server.com WebLogicPort 7001 SetHandler weblogic-handler WebLogicCluster w1s1.com:7001,w1s2.com:7001,w1s3.com:7001 SetHandler weblogic-handler WebLogicServer weblogic.server.com WebLogicPort 7001
Including a weblogic.conf File in the httpd.conf File
If you want to keep several separate configuration files, you can define parameters in a separate configuration file called weblogic.conf file, by using the Apache Include directive in an IfModule block in the httpd.conf file:
# Config file for WebLogic Server that defines the parameters Include conf/weblogic.conf
The syntax of weblogic.conf files is the same as that for the httpd.conf file.
This section describes how to create weblogic.conf files, and includes sample weblogic.conf files.
Creating weblogic.conf Files
Be aware of the following when constructing a weblogic.conf file.
-
Enter each parameter on a new line. Do not put '=' between a parameter and its value. For example:
PARAM_1 value1 PARAM_2 value2 PARAM_3 value3
-
If a request matches both a MIME type specified in a MatchExpression in an IfModule block and a path specified in a Location block, the behavior specified by theLocation block takes precedence.
-
If you use an Apache HTTP Server block, you must include all configuration parameters (MatchExpression, for example) for the virtual host within the block (see Apache Virtual Host documentation at http://httpd.apache.org/docs/vhosts/).
-
If you want to have only one log file for all the virtual hosts configured in your environment, you can achieve it using global properties. Instead of specifying the sameDebug, WLLogFile and WLTempDir properties in each virtual host you can specify them just once in the tag.
-
Sample httpd.conf file:
WebLogicCluster johndoe02:8005,johndoe:8006 Debug ON WLLogFile c:/tmp/global_proxy.log WLTempDir "c:/myTemp" DebugConfigInfo On KeepAliveEnabled ON KeepAliveSecs 15 SetHandler weblogic-handler WebLogicCluster agarwalp01:7001 SetHandler weblogic-handler PathTrim/web Debug OFF WLLogFile c:/tmp/web_log.log SetHandler weblogic-handler PathTrim/foo Debug ERR WLLogFile c:/tmp/foo_proxy.log
-
All the requests which match /jurl/* will have Debug Level set to ALL and log messages will be logged to c:/tmp/global_proxy.log file. All the requests which match /web/* will have Debug Level set to OFF and no log messages will be logged. All the requests which match /foo/* will have Debug Level set to ERR and log messages will be logged to c:/tmp/foo_proxy.log file.
-
Oracle recommends that you use the MatchExpression statement instead of the block.
Sample weblogic.conf Configuration Files
The following examples of weblogic.conf files may be used as templates that you can modify to suit your environment and server. Lines beginning with # are comments.
Example 3-1 Example Using WebLogic Clusters
# These parameters are common for all URLs which are # directed to the current module. If you want to override # these parameters for each URL, you can set them again in # the or blocks. (Except WebLogicHost, # WebLogicPort, WebLogicCluster, and CookieName.) WebLogicCluster w1s1.com:7001,w1s2.com:7001,w1s3.com:7001 ErrorPage http://myerrorpage.mydomain.com MatchExpression *.jsp ####################################################
In Example 3-2, the MatchExpression parameter syntax for expressing the filename pattern, the WebLogic Server host to which HTTP requests should be forwarded, and various other parameters is as follows:
MatchExpression [filename pattern] [WebLogicHost=host] | [paramName=value]
The first MatchExpression parameter below specifies the filename pattern *.jsp, and then names the single WebLogicHost. The paramName=value combinations following the pipe symbol specify the port at which WebLogic Server is listening for connection requests, and also activate the Debug option. The second MatchExpression specifies the filename pattern *.http and identifies the WebLogicCluster hosts and their ports. The paramName=value combination following the pipe symbol specifies the error page for the cluster.
Example 3-2 Example Using Multiple WebLogic Clusters
# These parameters are common for all URLs which are # directed to the current module. If you want to override # these parameters for each URL, you can set them again in # the or blocks (Except WebLogicHost, # WebLogicPort, WebLogicCluster, and CookieName.) MatchExpression *.jsp WebLogicHost=myHost|WebLogicPort=7001|Debug=ON MatchExpression *.html WebLogicCluster=myHost1:7282,myHost2:7283|ErrorPage= http://www.xyz.com/error.html
Example 3-3 shows an example without WebLogic clusters.
Example 3-3 Example Without WebLogic Clusters
# These parameters are common for all URLs which are # directed to the current module. If you want to override # these parameters for each URL, you can set them again in # the or blocks (Except WebLogicHost, # WebLogicPort, WebLogicCluster, and CookieName.) WebLogicHost myweblogic.server.com WebLogicPort 7001 MatchExpression *.jsp
Example 3-4 shows an example of configuring multiple name-based virtual hosts.
Example 3-4 Example Configuring Multiple Name-Based Virtual Hosts
# VirtualHost1 = localhost:80 DocumentRoot "C:/test/VirtualHost1" ServerName localhost:80 #... WLS parameter ... WebLogicCluster localhost:7101,localhost:7201 # Example: MatchExpression *.jsp MatchExpression *.jsp PathPrepend=/test2 # VirtualHost2 = 127.0.0.2:80 DocumentRoot "C:/test/VirtualHost1" ServerName 127.0.0.2:80 #... WLS parameter ... WebLogicCluster localhost:7101,localhost:7201 # Example: MatchExpression *.jsp MatchExpression *.jsp PathPrepend=/test2 #... WLS parameter ...
You must define a unique value for ServerName or some Plug-In parameters will not work as expected.
Template for the Apache HTTP Server httpd.conf File
This section contains a sample httpd.conf file for Apache 2.0. You can use this sample as a template and modify it to suit your environment and server. Lines beginning with # are comments.
Note that Apache HTTP Server is not case sensitive.
Example 3-5 Sample httpd.conf file for Apache 2.0
#################################################### APACHE-HOME/conf/httpd.conf file #################################################### LoadModule weblogic_module libexec/mod_wl_20.so SetHandler weblogic-handler PathTrim /weblogic ErrorPage http://myerrorpage1.mydomain.com SetHandler weblogic-handler PathTrim /something ErrorPage http://myerrorpage1.mydomain.com MatchExpression *.jsp WebLogicCluster w1s1.com:7001,w1s2.com:7001,w1s3.com:7001 ErrorPage http://myerrorpage.mydomain.com
Setting Up Perimeter Authentication
Use perimeter authentication to secure WebLogic Server applications that are accessed via the Apache Plug-In.
A WebLogic Identity Assertion Provider authenticates tokens from outside systems that access your WebLogic Server application, including users who access your WebLogic Server application through the Apache HTTP Server Plug-In. Create an Identity Assertion Provider that will safely secure your Plug-In as follows:
-
Create a custom Identity Assertion Provider on your WebLogic Server application. See "How to Develop a Custom Identity Assertion Provider" in Developing Security Providers for Oracle WebLogic Server.
-
Configure the custom Identity Assertion Provider to support the Cert token type and make Cert the active token type. See "How to Create New Token Types" inDeveloping Security Providers for Oracle WebLogic Server.
-
Set clientCertProxy to True in the web.xml deployment descriptor file for the Web application (or, if using a cluster, optionally set the Client Cert Proxy Enabled attribute to true for the whole cluster on the Administration Console Cluster-->Configuration-->General tab). The clientCertProxy attribute can be used with a third party proxy server, such as a load balancer or an SSL accelerator, to enable 2-way SSL authentication. For more information about the clientCertProxy attribute, see"context-param" in Developing Web Applications, Servlets, and JSPs for Oracle WebLogic Server.
-
Once you have set clientCertProxy, be sure to use a connection filter to ensure that WebLogic Server accepts connections only from the machine on which the Apache Plug-In is running. See "Using Network Connection Filters" in Programming Security for Oracle WebLogic Server.
-
Web server plug-ins require a trusted Certificate Authority file in order to use SSL between the plug-in and WebLogic Server. Use Sun Microsystems' keytool utility to export a trusted Certificate Authority file from the DemoTrust.jks keystore file that resides in WL_HOME/server/lib.
-
To extract the wlsdemoca file, for example, use the command:
keytool -export -file trustedcafile.der -keystore DemoTrust.jks -alias wlsdemoca
Change the alias name to obtain a different trusted CA file from the keystore.
To look at all of the keystore's trusted CA files, use:
keytool -list -keystore DemoTrust.jks
Press enter if prompted for password.
-
To convert the Certificate Authority file to pem format: java utils.der2pem trustedcafile.der
-
See "Identity Assertion Providers" in Developing Security Providers for Oracle WebLogic Server.
Using SSL with the Apache Plug-In
You can use the Secure Sockets Layer (SSL) protocol to protect the connection between the Apache HTTP Server Plug-In and WebLogic Server. The SSL protocol provides confidentiality and integrity to the data passed between the Apache HTTP Server Plug-In and WebLogic Server.
The Apache HTTP Server Plug-In does not use the transport protocol (http or https) specified in the HTTP request (usually by the browser) to determine whether or not the SSL protocol is used to protect the connection between the Apache HTTP Server Plug-In and WebLogic Server.
Although two-way SSL can be used between the HTTP client and Apache HTTP server, note that one-way SSL is used between Apache HTTP Server and WebLogic Server.
Configuring SSL Between the Apache HTTP Server Plug-In and WebLogic Server
To use the SSL protocol between Apache HTTP Server Plug-In and WebLogic Server:
-
Configure WebLogic Server for SSL. For more information, see Configuring SSL.
-
Configure the WebLogic Server SSL listen port. For more information, see Configuring SSL.
-
In the Apache Server, set the WebLogicPort parameter in the httpd.conf file to the WebLogic Server SSL listen port configured in Step 2.
-
In the Apache Server, set the SecureProxy parameter in the httpd.conf file to ON.
-
Set any additional parameters in the httpd.conf file that define information about the SSL connection. For a complete list of the SSL parameters that you can configure for the plug-in, see SSL Parameters for Web Server Plug-Ins.
Issues with SSL-Apache Configuration
These known issues arise when you configure the Apache plug-in to use SSL:
-
To prepare the plug-in configuration, using Internet Explorer click the lock and go to the certificates path:
-
Select the root CA (at the top).
-
Display it.
-
Detail and then copy this certificate (using the export wizard) to a file using the Coded "Base 64 X509" option.
-
Save the file, for example, to "MyWeblogicCAToTrust.cer" (which is also a PEM file).
-
-
The PathTrim parameter (see SSL Parameters for Web Server Plug-Ins ) must be configured inside the tag.
The following configuration is incorrect:
SetHandler weblogic-handler WebLogicHost localhost WebLogicPort 7001 PathTrim /weblogic
The following configuration is the correct setup:
SetHandler weblogic-handler PathTrim /weblogic
-
The current implementation of the WebLogic Server Apache Plug-In does not support the use of multiple certificate files with Apache SSL.
Connection Errors and Clustering Failover
When the Apache HTTP Server Plug-In attempts to connect to WebLogic Server, the plug-in uses several configuration parameters to determine how long to wait for connections to the WebLogic Server host and, after a connection is established, how long the plug-in waits for a response. If the plug-in cannot connect or does not receive a response, the plug-in attempts to connect and send the request to other WebLogic Server instances in the cluster. If the connection fails or there is no response from any WebLogic Server in the cluster, an error message is sent.
Figure 3-1 demonstrates how the plug-in handles failover.
Possible Causes of Connection Failures
Failure of the WebLogic Server host to respond to a connection request could indicate the following problems:
-
Physical problems with the host machine
-
Network problems
-
Other server failures
Failure of all WebLogic Server instances to respond could indicate the following problems:
-
WebLogic Server is not running or is unavailable
-
A hung server
-
A database problem
-
An application-specific failure
Tuning to Reduce Connection_Refused Errors
Under load, an Apache plug-in may receive CONNECTION_REFUSED errors from a back-end WebLogic Server instance. Follow these tuning tips to reduce CONNECTION_REFUSED errors:
-
Increase the AcceptBackLog setting in the configuration of your WebLogic Server domain.
-
On Apache 2.0.x, set the KeepAlive directive in the httpd.conf file to On. For example:
# KeepAlive: Whether or not to allow persistent connections (more than # one request per connection). Set to "Off" to deactivate. # KeepAlive On
See Apache HTTP Server 2.0 documentation at http://httpd.apache.org/docs-project/.
-
Decrease the time wait interval. This setting varies according to the operating system you are using. For example:
-
On Windows NT, set the TcpTimedWaitDelay on the proxy and WebLogic Server servers to a lower value. Set the TIME_WAIT interval in Windows NT by editing the registry key under HKEY_LOCAL_MACHINE:
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpTimedWaitDelay
If this key does not exist you can create it as a DWORD value. The numeric value is the number of seconds to wait and may be set to any value between 30 and 240. If not set, Windows NT defaults to 240 seconds for TIME_WAIT.
-
On Windows 2000, lower the value of the TcpTimedWaitDelay by editing the registry key under HKEY_LOCAL_MACHINE:
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
-
On Solaris, reduce the setting tcp_time_wait_interval to one second (for both the WebLogic Server machine and the Apache machine, if possible):
$ndd /dev/tcp param name to set - tcp_time_wait_interval value=1000
-
-
Increase the open file descriptor limit on your machine. This limit varies by operating system. Using the limit (.csh) or ulimit (.sh) directives, you can make a script to increase the limit. For example:
#!/bin/sh ulimit -S -n 100 exec httpd
-
On Solaris, increase the values of the following tunables on the WebLogic Server machine:
tcp_conn_req_max_q tcp_conn_req_max_q0
Failover with a Single, Non-Clustered WebLogic Server
If you are running only a single WebLogic Server instance the plug-in only attempts to connect to the server defined with the WebLogicHost parameter. If the attempt fails, an HTTP 503 error message is returned. The plug-in continues trying to connect to that same WebLogic Server instance for the maximum number of retries as specified by the ratio of ConnectTimeoutSecs and ConnectRetrySecs.
The Dynamic Server List
The WebLogicCluster parameter is required to proxy to a list of back-end servers that are clustered, or to perform load balancing among non-clustered managed server instances.
In the case of proxying to clustered managed servers, when you use the WebLogicCluster parameter in your httpd.conf or weblogic.conf file to specify a list of WebLogic Servers, the plug-in uses that list as a starting point for load balancing among the members of the cluster. After the first request is routed to one of these servers, a dynamic server list is returned containing an updated list of servers in the cluster. The updated list adds any new servers in the cluster and deletes any that are no longer part of the cluster or that have failed to respond to requests. This list is updated automatically with the HTTP response when a change in the cluster occurs.
Failover, Cookies, and HTTP Sessions
When a request contains session information stored in a cookie or in the POST data, or encoded in a URL, the session ID contains a reference to the specific server instance in which the session was originally established (called the primary server). A request containing a cookie attempts to connect to the primary server. If that attempt fails, the plug-in attempts to make a connection to the next available server in the list in a round-robin fashion. That server retrieves the session from the original secondary server and makes itself the new primary server for that same session. See Figure 3-1.
Note:
If the POST data is larger than 64K, the plug-in will not parse the POST data to obtain the session ID. Therefore, if you store the session ID in the POST data, the plug-in cannot route the request to the correct primary or secondary server, resulting in possible loss of session data. In this figure, the Maximum number of retries allowed in the red loop is equal to
来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/27042095/viewspace-1063307/,如需转载,请注明出处,否则将追究法律责任。
转载于:http://blog.itpub.net/27042095/viewspace-1063307/