F5 LoadBalancer (ver. 10.2.4) and WebLogic 12c

In the past we have always used an Apache Linux frontend that proxies connections to our backend WebLogic servers (ver 8 and ver 10).  We are currently upgrading to WebLogic 12c, and we are looking to remove Apache out of the solution and use our existing BigIP F5 LTMs to do the SSL Offloading.  I've searched to see the proper way to configure this with the WebLogic backend, but I can't get the page to come up.  Can't quite figure out what I'm doing wrong?  I'm trying to find documentation or the proper steps on configuring F5 10.2.4 with WebLogic 12c.  Any help would be greatly appreciated.

David Ivins
ElemicaIT ManagerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
though the below is F5 archive deployment guide for Weblogic, it should be still applicable for the SSL client profile. Do catch pg 2-10 onwards for the config. Note, there is also a mention of "Request Header Insert" field to state "WL-Proxy-SSL: true" required if offloading SSL on the BIG-IP LTM (under the http profile
5. In the Request Header Insert row, check the Custom box. In the
box, type: WL-Proxy-SSL: true.
6. In the Redirect Rewrite row, check the Custom box. From the
Redirect Rewrite list, select Match.
also note the importing of the SSL key format intoo LTM
Once you have obtained a certificate, you can import this certificate into the
BIG-IP LTM system using the Configuration utility. By importing a
certificate or archive into the Configuration utility, you ease the task of
managing that certificate or archive. You can use the Import SSL
Certificates and Keys screen only when the certificate you are importing is
in Privacy Enhanced Mail (PEM) format
Are you just encrypting between the end user and the F5?  Or are you also encrypting between the F5 and the Weblogic server?  I don't mean just passing the request through un-encrypted I mean:

User <-- encrypted --> F5 decrypt data ; look at data in iRule/Stream; F5 re-encrypt  data <--> Weblogic server.
btanExec ConsultantCommented:
There is Client SSL profile and Server SSL profile so do configure as req too. There can be irule deployed for debugging SSL e.g on the "CLIENTSSL_CLIENTCERT" (SSL::verify_result) event in LTM request, looking at the error codes can be handy

Some useful discussion in Devcentral is good resource as well
ElemicaIT ManagerAuthor Commented:
I have now gotten it configured for the page to show up, but after logging it changes from https to http and the page shows as unavailable.  If I manually change the URL to https i can get to the next page.  How can I ensure that all pages after logging in remain https?
btanExec ConsultantCommented:
In fact, when F5 after terminating SSL it goes to the http listener on the weblogic nodes. The http traffic then load-balanced to the WLS cluster. Therefore you are seeing https not enabled on F5 and have now all redirects going back to http even though the user started off with an https session....you will need to enable Redirect Rewrite on the HTTP Profile that is assigned to the virtual server. That will rewrite all redirects that contain http:// to https:// 

See the latest deployment guide
. The BIG-IP system establishes a connection to a WebLogic Server, translating the destination port, based on the selected Load
Balancing algorithm and will persist the connection to the same WebLogic Server while optimizing the connection.
Depending on the configuration, the BIG-IP system may also provide the following:
•       Compression and Caching via BIG-IP AAM.
•       Terminate the SSL connection and insert a WL-Proxy-SSL cookie into the client request so that the WebLogic server will continue
to build its URIs to use HTTPS.
•       Rewrite content flowing to and from the WebLogic server to use the host name of the Virtual Server instead of the real host name
of the WebLogic server.
Do you want to redirect inbound HTTP traffic to HTTPS? Advanced
This question only appears if you selected SSL Offload or SSL Bridging in the SSL question.
Select whether you want the BIG-IP system to automatically redirect HTTP traffic to the HTTPS virtual server. This is useful when
users forget to use HTTPS when attempting to connect to the HTTP deployment.
f Redirect HTTP to HTTPS
Select this option to redirect HTTP traffic to HTTPS. If you select this option (the default), the BIG-IP system attaches a very
small redirect iRule to the virtual server.
Under the HTTP profile
Name Type a unique name
Parent Profile http
Rewrite Redirect2 Matching
Request Header Insert3 WL-Proxy-SSL: true
In the VIP
iRule4 If offloading SSL only: Enable the built-in _sys_https_redirect irule
See Appendix for full summary of "Manual configuration table"

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.