In one of my missions, I was involved in a new Fusion Middleware 12C ( installation with an ADF application and an Oracle report server instance deployments .
This infrastructure is protected using an Access Manager Single Sign on Server.
In Production, the complete environment is fronted by a WAF server ending the https.
On the TEST The complete environment is fronted by a SSL reverse proxy ending the https.

In the chosen architecture, all Single Sign On request goes directly through the reverse proxy to the OAM servers.
The Application requests and the reports requests are routed through a HTTP server having the WebGate installed.

Below is an extract of the SSL part of the reverse Proxy configuration:
# SSL Virtual Host
ErrorLog logs/ssl_errors.log
TransferLog logs/ssl_access.log
HostNameLookups off
ProxyPreserveHost On
ProxyPassReverse /oam
ProxyPass /oam
ProxyPassReverse /myCustom-sso-web
ProxyPass /myCustom-sso-web
ProxyPass /reports
ProxyPassReverse /reports
ProxyPass /myApplication
ProxyPassReverse /myApplication
# SSL configuration
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl/myStite_com.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl/mySite_com.key

HTTP Server Virtual hosts:
# Local requests
Listen 7778
<VirtualHost *:7778>
# Rewrite included for OAM logout redirection
RewriteRule ^/oam/(.*)$$1
RewriteRule ^/myCustom-sso-web/(.*)$$1

<VirtualHost *:7778>

The ADf application and the reports servers mapping is done using custom configuration files included in http.conf files
<Location /myApplication>
SetHandler weblogic-handler
WLProxySSLPassThrough ON

# Force caching for image files
<FilesMatch ".(jpg|jpeg|png|gif|swf)$">
Header unset Surrogate-Control
Header unset Pragma
Header unset Cache-Control
Header unset Last-Modified
Header unset Expires
Header set Cache-Control "max-age=86400, public"
Header set Surrogate-Control "max-age=86400"

<Location /reports>
SetHandler weblogic-handler
DynamicServerList OFF
WLProxySSLPassThrough ON

After configuring a ADF application and the Reports Server to be protected through the WebGate, the users can connect and work without any issue during the first 30 minutes.
Then they loose their sessions. We thought first it was related to the session timeouts or inactivity timeout.
We increased the values of those timeouts without success.
We checked the logs and found out that the issue was related to the OAM and WebGate cookies.

The OAM Server gets and sets a cookie named OAM_ID.
Each WebGate gets and sets a cookie named OAMAuthnCookie_ + the host name and port.

The contents of the cookies are:

Authenticated User Identity (User DN)
Authentication Level
IP Address
SessionID (Reference to Server side session – OAM11g Only)
Session Validity (Start Time, Refresh Time)
Session InActivity Timeouts (Global Inactivity, Max Inactivity)
Validation Hash

The validity of a WebGate handled user session is 30 minutes by default and then the WebGate checks the OAM cookies.
Those cookies are secured and were lost because they were not forwarded by the WAF or the reverse proxy due to ending of the https.

We needed to changes the SSL reverse proxy configuration to send the correct information to the WebLogic Server and HTTP Server about ending SSL at reverse proxy level.
This has been done adding two HTTP Headers to the request before sending them to the Oracle Access Manager or Fusion Middleware HTTP Server.

# For the WebLogic Server to be informed about SSL ending at reverse proxy level
RequestHeader set WL-Proxy-SSL true
# For the Oracle HTTP Server to take the secure cookies in account
RequestHeader set X-Forwarded-Proto “https”

The WAF needed to be configured to do the same HTTP Headers adds in the production environment.

After those changes, the issue was solved.

Thumbnail [60x60]
Pascal Brand