```apache
<VirtualHost *:443>
    ServerName linux.ktest.oracleateam.com
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /home/oracle/simpleCA/linux.ktest.oracleateam.com.crt
    SSLCertificateKeyFile /home/oracle/simpleCA/linux.ktest.oracleateam.com.key

    # Hand every OAM server request to the WebLogic plug-in
    <LocationMatch ^/oam/server/.*>
        SetHandler weblogic-handler
    </LocationMatch>

    # Demand a client certificate only on the X.509 credential collector
    <LocationMatch ^/oam/CredCollectServlet/X509.*>
        SSLVerifyClient require
        SSLVerifyDepth 1
        SSLCACertificateFile /home/oracle/simpleCA/ca.crt
        # Needed so that mod_wl passes the client certificate to WebLogic
        SSLOptions +StdEnvVars +ExportCertData
    </LocationMatch>
</VirtualHost>
```

There are a couple of interesting things in there.
- The LocationMatch for "^/oam/server/.*", which routes any requests that match that regular expression on to the WebLogic plug-in so they can be sent to the OAM server.
- The LocationMatch for "^/oam/CredCollectServlet/X509.*". In OAM 11g the only URL that actually needs to require client certificate authentication is the X.509 credential collector. By putting "SSLVerifyClient require" on that Location we are telling Apache that unless the user presents a client certificate it should not process the request but instead demand a certificate from the user.
- The last item is the one that caused me grief - unless you add "SSLOptions +StdEnvVars +ExportCertData", mod_wl will not send the client certificate information down to the WebLogic server.
- Check the "WebLogic Plugin Enabled" checkbox as we did in the previous blog post.
- On the same page, check the "Client Cert Proxy Enabled" checkbox.
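
The missing SSLOptions line described above fails silently, so it is worth checking for before deployment. The following Python check is an added example, not code from the original post: it flags any LocationMatch block that sets "SSLVerifyClient require" without enabling StdEnvVars and ExportCertData. The function names and the sample config (the post's X509 block with the SSLOptions line removed) are constructed for illustration, and the check assumes SSLOptions is set inside the block itself, as in the post.

```python
import re

# Constructed sample: the X509 block from the post with its SSLOptions line
# removed, i.e. the misconfiguration described above.
SAMPLE_CONF = """\
<VirtualHost *:443>
  <LocationMatch ^/oam/server/.*>
    SetHandler weblogic-handler
  </LocationMatch>
  <LocationMatch ^/oam/CredCollectServlet/X509.*>
    SSLVerifyClient require
    SSLVerifyDepth 1
  </LocationMatch>
</VirtualHost>
"""

BLOCK_RE = re.compile(r"<LocationMatch\s+(\S+?)>(.*?)</LocationMatch>", re.S | re.I)
NEEDED = ("StdEnvVars", "ExportCertData")

def directives(body):
    """Map lower-cased directive name -> list of its arguments (comments skipped)."""
    found = {}
    for line in body.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            found.setdefault(parts[0].lower(), []).extend(parts[1:])
    return found

def check_client_cert_blocks(conf):
    """Return (pattern, problem) pairs for LocationMatch blocks that require a
    client certificate but do not export it for the WebLogic plug-in."""
    problems = []
    for pattern, body in BLOCK_RE.findall(conf):
        d = directives(body)
        if [a.lower() for a in d.get("sslverifyclient", [])] != ["require"]:
            continue  # this block does not demand a client certificate
        # "+Opt" and "Opt" both switch an option on; "-Opt" switches it off.
        enabled = {o.lstrip("+").lower() for o in d.get("ssloptions", [])
                   if not o.startswith("-")}
        for opt in NEEDED:
            if opt.lower() not in enabled:
                problems.append((pattern, "missing SSLOptions +" + opt))
    return problems

if __name__ == "__main__":
    for pattern, problem in check_client_cert_blocks(SAMPLE_CONF):
        print(pattern + ": " + problem)
```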