Configure HTTPS encryption for Oracle JD Edwards EnterpriseOne on Oracle WebLogic by using an Application Load Balancer

Created by Thanigaivel Thirumalai (AWS)

Summary

This pattern explains how to configure HTTPS encryption for SSL offloading in Oracle JD Edwards EnterpriseOne on Oracle WebLogic workloads. This approach encrypts traffic between the user’s browser and a load balancer to remove the encryption burden from the EnterpriseOne servers.

Many users scale the EnterpriseOne JAVA virtual machine (JVM) tier horizontally by using an AWS Application Load Balancer. The load balancer serves as the single point of contact for clients, and distributes incoming traffic across multiple JVMs. Optionally, the load balancer can distribute the traffic across multiple Availability Zones and increase the availability of EnterpriseOne.

The process  described in this pattern configures encryption between the browser and the load balancer instead of encrypting the traffic between the load balancer and the EnterpriseOne JVMs. This approach is referred to as SSL offloading. Offloading the SSL decryption process from the EnterpriseOne web or application server to the Application Load Balancer reduces the burden on the application side. After SSL termination at the load balancer, the unencrypted traffic is routed to the application on AWS.

Oracle JD Edwards EnterpriseOne is an enterprise resource planning (ERP) solution for organizations that manufacture, construct, distribute, service, or manage products or physical assets. JD Edwards EnterpriseOne supports various hardware, operating systems, and database platforms.

Prerequisites and limitations

Prerequisites

• An active AWS account

• An AWS Identity and Access Management (IAM) role that has permissions to make AWS service calls and manage AWS resources

• An SSL certificate

Product versions

• This pattern was tested with Oracle WebLogic 12c, but you can also use other versions.

Architecture

There are multiple approaches to perform SSL offloading. This pattern uses an Application Load Balancer and Oracle HTTP Server (OHS), as illustrated in the following diagram.

The following diagram shows the JD Edwards EnterpriseOne, Application Load Balancer, and Java Application Server (JAS) JVM layout.

Tools

AWS services

• Application Load Balancers distribute incoming application traffic across multiple targets, such as Amazon Elastic Compute Cloud (Amazon EC2 instances), in multiple Availability Zones.

• AWS Certificate Manager (ACM) helps you create, store, and renew public and private SSL/TLS X.509 certificates and keys that protect your AWS websites and applications.

• Amazon Route 53 is a highly available and scalable DNS web service.

Best practices

• For ACM best practices, see the ACM documentation.

Epics

Set up WebLogic and OHS

Task	Description	Skills required
Install and configure Oracle components.	Install Fusion Middleware Infrastructure by following the standard installation process. This program helps you install and configure a WebLogic domain. For instructions, see the Oracle documentation. Install OHS by following the standard installation process. For instructions, see the Oracle documentation. When installation is complete, start the configuration wizard (config.sh file) to configure OHS. You can update an existing domain or create a new domain. This pattern assumes that you’re updating an existing domain. For Available Templates, choose Oracle Enterprise Manager-Restricted JRF and Oracle HTTP Server (Restricted JRF). Selecting these Java Required Files (JRF) options eliminates the connection to an external database. For Managed Servers, Clusters, Server Templates, Coherence Clusters, Machines, Assign Servers to Machines, Virtual targets, and Partitions, accept the default configuration values and choose Next to move to the next category. Complete the configuration details (for example, administrator host and port, listen address and port, server name) for the OHS instance (for example, ohs1).	JDE CNC, WebLogic administrator
Enable the WebLogic plugin at the domain level.	The WebLogic plugin is required for load balancing. To enable the plugin: Log in to the WebLogic administration console by using the link: http://<WeblogicServer>:<Adminport>/console Choose Lock & Edit, and then choose Configuration, Web Applications. Choose the WebLogic Plugin Enabled (check box or dropdown option). Choose Save and Activate Changes.	JDE CNC, WebLogic administrator
Edit the configuration file.	The mod_wl_ohs.conf file configures proxy requests from OHS to WebLogic. Edit this file. It’s located at: $ORACLE_HOME/user_projects/domains/ For example: /home/oracle/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/config/fmwconfig/components/OHS/instances/ohs1 Add the WebLogic host (WebLogicHost) and port (WebLogicPort) values (This pattern assumes localhost and port 8000.) Add WLProxySSL and WLProxySSLPassThrough values as follows: <VirtualHost *:8000> <Location /jde> WLSRequest On SetHandler weblogic-handler WebLogicHost localhost WebLogicPort 8000 WLProxySSL On WLProxySSLPassThrough On </Location> </VirtualHost>	JDE CNC, WebLogic administrator
Start OHS by using the Enterprise Manager.	Log in to Enterprise Manager Fusion Middleware by using the link: http://<WeblogicServer>:<Adminport>/em/ In Target Navigation, under HTTP Server, select the OHS instance (for example, ohs1). Choose Shut Down and Start Up to restart the OHS instance. When OHS setup is complete, you can connect to the EnterpriseOne HTML client by using your HTTP server host name with port 8000 instead of the EnterpriseOne server host name. Old link: http://<Webserver>:80/jde/owhtml New link: http:// <HTTP server or web server>:8000/jde/owhtml If you use a port other than the default Oracle HTTP port, edit the httpd.conf file to add a listener for that port in two places: #[Listen] OHS_LISTEN_PORT Listen 8000 and: # ServerName <WeblogicServer1>:8000	JDE CNC, WebLogic administrator

Configure the Application Load Balancer

Task	Description	Skills required
Set up a target group.	Create a target group for the HTTP server port 8000. Register the targets under the target group with the same port. Check the status of the targets to confirm that they are healthy. Configure the health check settings as necessary. For detailed instructions, see the Elastic Load Balancing documentation.	AWS administrator
Set up the load balancer.	Create an Application Load Balancer with default attributes and the required virtual private cloud (VPC), security groups, and subnets. For instructions, see the Elastic Load Balancing documentation. Add a listener entry for HTTPS 443 and forward it to the target group that you created in the previous step. (For instructions, see the Elastic Load Balancing documentation.) An HTTPS listener requires an SSL certificate. You can choose a certificate from ACM or upload one. For both listeners, enable stickiness by following the instructions in the Elastic Load Balancing documentation.	AWS administrator
Add a Route 53 (DNS) record.	(Optional) You can add an Amazon Route 53 DNS record for the subdomain. This record would point to your Application Load Balancer. For instructions, see the Route 53 documentation.	AWS administrator

Troubleshooting

Issue

Solution

HTTP server doesn’t appear.

If HTTP Server doesn’t appear in the Target Navigation list on the Enterprise Manager console, follow these steps: Under WebLogic Domain, Administration, choose OHS Instances. Choose Create to create a new OHS instance. Provide an instance name, and then choose OK to create the instance. When the instance has been created and changes have been activated, you will be able to see the HTTP server in the Target Navigation panel.

Related resources

AWS documentation

• Application Load Balancers

• Working with public hosted zones

• Working with private hosted zones

Oracle documentation:

• Overview of Oracle WebLogic Server Proxy Plug-In

• Installing WebLogic Server using the Infrastructure Installer

• Installing and Configuring Oracle HTTP Server