SSL Configuration for LoadBalancer

Daniesh
Hi Erman,

We have a two-node shared appl top. SSL is configured for each node,
Node 1 and Node 2. EBS is running fine. Do I need to create a wallet for the LBR point?

cwallet.sso is already created for each node. Now, if I need to create a wallet for the LBR, where do I need to keep it?

Please suggest.

Re: SSL Configuration for LoadBalancer

ErmanArslansOracleBlog
Administrator
Hi,

Yes, if your load balancer is capable of doing that. Your load balancer should present its certificate to EBS. Oracle HTTP Server can do the needed verification using the 'SSLVerifyClient require' directive.

In order to have this setup, you need to import the load balancer certificate/or certificates into the Oracle Wallet and JDK keystores. This way you establish the chain of trust.
The load balancer should also be configured to verify the Oracle E-Business Suite Release 12.2 server. EBS certificates should also be added to the load balancer trust point. You should refer to the load balancer documentation on how to do this.

Re: SSL Configuration for LoadBalancer

Daniesh
Hi Erman,

Thanks for the update.
Currently, without SSL, the DNS load balancer is running fine. A wallet is created for both the nodes and it is running fine. As a wallet is created for both the nodes, like cwallet.sso, both nodes will have theirs copied to their location as per DOC 1367293.1; cwallet.sso needs to be copied on both the nodes to the locations below. Each node will have its own s_ohs_component; cwallet.sso is already available from node 1 and node 2.
$EBS_DOMAIN_HOME/opmn/<s_ohs_instance>/<s_ohs_component>/wallet
$EBS_DOMAIN_HOME/opmn/<s_ohs_instance>/wallet
$FMW_HOME/webtier/instances/<s_ohs_instance>/config/OHS/<s_ohs_component>/proxy-wallet

Now I cannot import the load balancer at this path.
Where do I need to import and copy the certificates of the load balancer?

Re: SSL Configuration for LoadBalancer

ErmanArslansOracleBlog
Administrator
What do you mean by "I can not import"? Please revise your question.

Re: SSL Configuration for LoadBalancer

Daniesh
The certificate is already copied for the individual nodes to the mentioned path.
If I copy the entry point certificate, it will overwrite the existing certificate; here I mean cwallet.sso.

Hence I wrote that I cannot import the cwallet.sso for the entry point to the path mentioned in the doc.

Re: SSL Configuration for LoadBalancer

ErmanArslansOracleBlog
Administrator
You need to copy the certificates and import them into the Oracle Wallet and JDK keystores.
So you don't copy any wallets. Just the certificates, and then import them into the Oracle Wallet and JDK keystores.

cwallet.sso is not a certificate and it is an auto-login wallet. I think you misunderstood the concept.

Re: SSL Configuration for LoadBalancer

Daniesh
Hi Erman,
Maybe I am not able to make my point.
On one path, can I import more than one certificate?

In the multi-node case, one entry point is pointing to all the application nodes, which can be accomplished using a load balancer.

In this case I have to create certificates for the entry point or the individual nodes. I created certificates and imported the signed certificates. Login and everything is working fine.
But I am getting the below error, which indicates that certificates need to be created for the entry point.

There is a problem with this website security certificate. I guess we need to SAN

Please suggest

Re: SSL Configuration for LoadBalancer

Daniesh
Hi Erman,
The issue got resolved by creating the SAN certificate pointing to all the 3 hostnames:

DNS: apps.com,DNS:apps1.com,DNS:apps2.com

Re: SSL Configuration for LoadBalancer

ErmanArslansOracleBlog
Administrator
Good for you.
Yes, that's a way. Symantec Subject Alternative Name (SAN) Certificates secure multiple FQDNs with a single certificate.

As I said, in order to have this setup, you need to import the load balancer certificate/or certificates into the Oracle Wallet and JDK keystores in your apps nodes.

In your case, apps.com is your login URL, which is probably served by your load balancer.
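
The fix that closed this thread, as an added example that is not part of any post: a standard-library Python check of which hostnames a certificate's SAN list covers, fed with the SAN line quoted in the thread. Treating apps.com as the load balancer entry point and apps1.com/apps2.com as the node names is an assumption, and the single-name and wildcard inputs are constructed.

```python
# Added example: report hostnames NOT covered by a certificate's
# subjectAltName list, given openssl-style text such as "DNS:a, DNS:b".

def parse_san(san_text):
    """Return the lowercase DNS names from a SAN line; other entry types are ignored."""
    names = []
    for entry in san_text.split(","):
        kind, _, value = entry.strip().partition(":")
        value = value.strip().lower().rstrip(".")
        if kind.strip().upper() == "DNS" and value:
            names.append(value)
    return names


def name_matches(pattern, host):
    """RFC 6125-style match: exact name, or '*' as the entire left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False          # a wildcard never spans more than one label
    if p_labels[0] == "*":
        # Reject overly broad patterns such as "*.com".
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def uncovered_hosts(san_text, hosts):
    """Hostnames a browser would flag with a name-mismatch warning."""
    sans = parse_san(san_text)
    return [h for h in hosts if not any(name_matches(s, h) for s in sans)]


# Assumption: apps.com is the entry point, apps1.com and apps2.com are the nodes.
HOSTS = ["apps.com", "apps1.com", "apps2.com"]
THREAD_SAN = "DNS: apps.com,DNS:apps1.com,DNS:apps2.com"   # as posted in the thread
NODE_ONLY_SAN = "DNS:apps1.com"                            # constructed: per-node cert

if __name__ == "__main__":
    for label, san in (("node-only", NODE_ONLY_SAN), ("SAN cert", THREAD_SAN)):
        missing = uncovered_hosts(san, HOSTS)
        print(f"{label}: {'all names covered' if not missing else 'missing ' + ', '.join(missing)}")
```

A certificate issued for a single node name leaves the entry point name uncovered, which is the name-mismatch condition behind the browser warning quoted earlier in the thread.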