E1 9.2 with OVR needing to communicate through load balancer

Shane_Foster

Member
I have a situation where we implemented a hardware load balancer (Kemp, although I don't think that matters) into an E1 configuration with 3 web servers, and when we did, the OVR server stopped working.

After some research we came up with a couple of issues. Namely that you need to have some identifiers in the configuration to enable 2 way communication between the original requester and the OVR server.

E1: OVR: Setup Instructions for OVR in Load Balanced Environments (Doc ID 1516935.1).
When I couldn't get that to work I contacted JDE support; they said that I needed to implement SSL in my OVR setup by following this document: Setup Instructions for OVR in SSL Environments (Doc ID 2251244.1).

After some more work and troubleshooting I ended up with my OVR not working at all. I asked support for additional help and clarification of the documentation and was informed they couldn't make it work either, and said I should talk to WebLogic support.

In case anyone hasn't guessed that has been less than fruitless as well.

So do we have anyone here or does anyone know of anyone that knows how to make this work? I'm willing to pay for someone's time to get this resolved so I can get on to other issues.

Thanks
Shane
 
I did some work on this for a client a few years ago in terms of getting AIS, OVR, ADF and JAS all playing nice together. For reference, their production environment consisted of 40 JAS instances sitting behind F5 load balancers with SSL hand off at the load balancer. I went through the same process as yourself in terms of trying to get support from Oracle and it is still one of my favorite tickets. After getting the run around for nearly four weeks they finally said that THE person (just one) that knew anything about it was on PTO. When they came back the response I got... sorry can't help you with that but good luck :).

In the end we did get it to work but it involved using a JDE lab environment (full JDE deployment with two of all components and software load balancers) and then using Wireshark and man-in-the-middle hosts to literally sniff all of the network traffic to try and work out who was trying to talk to whom and what data was being sent. For example, the JAS server will send JavaScript back to the browser to enable blind authentication on the other components, and those components have to contact the same JAS server to be able to verify the token string provided. Now, this was all done on a tools release where all of this stuff was fairly new so I can't confirm that what worked then would still work now, but I will point out that everything needs to be paired to get it to work seamlessly. So if you only have 3 JAS instances then the easy method might be to deploy 3 OVR instances and make sure they're paired together. When you have 40, this isn't really feasible, so instead we were using reverse proxies and header injection scripts to ensure that the load balancers knew what was going on. It also meant that ALL of the traffic between any of the components had to go through the load balancers because maintaining the correct sessions with the browser was critical.

Good luck and God speed!
 
Russell,

Have you seen errors like this (or similar) with F5? - "EnterpriseOne has to exit due to XSS attack" pop-ups?

One of my clients is seeing it and I'm not sure what to suggest.

Any help would be appreciated.

I think there can also be "[SEVERE][RUNTIME]***Security Alert*** Malicious script attack has been detected. The user session will be invalidated." messages in the logs in some cases (although maybe not at this client's). And trying to figure it out with F5s in the picture is, as you mentioned, rather hard...
 
If you're getting XSS with an F5 or other load balancer/reverse proxy then there's probably an issue with the client host headers not being passed through, or WebLogic not being set up correctly to sit behind a load balancer. In short, there is specific setup that must be done for WebLogic that does not exist for other types of Java application or HTTP servers.

Also, if it is for your Everest SSO solution, have you confirmed that the hostname for the SSO instance is the same as the JDE instance? For example, if they're trying to hit sso.example.com for the Everest SSO login to then be forwarded to jde.example.com then there are likely to be issues.
 
Thanks, Russell!

... client host headers
I think this should be fine in F5, as far as I can tell.

... WebLogic not being set up correctly to sit behind a load balancer
That's interesting, are there any Oracle Doc numbers you could refer us to, please?

... if it is for your Everest SSO solution, have you confirmed that the hostname for the SSO instance is the same as the JDE instance? For example, if they're trying to hit sso.example.com for the Everest SSO login to then be forwarded to jde.example.com then there are likely to be issues.
Ok, it probably needs some thought too, but originally it was all going through the same alias, so it should have happened. And with 2 different aliases behind F5 I have not seen it happening before either. So maybe not.

But I think there are some extra headers that could be interfering with JDE, like "X-Frame-Options" and such. Anyway, it all feels like a nasty can of worms, I'd hate going through gigabytes of network captures to figure this one out.

And since you have seen these things before, maybe I could refer this client to you?
 
That's interesting, are there any Oracle Doc numbers you could refer us to, please?

http://itadminguide.com/configure-f5-ssl-weblogic-servers/ has a few pointers plus a link to another WebLogic setup document.

In terms of debugging the rest of it, the first thing to ask is what the three URLs being used for your solution are:

So which URL do the users hit (including whether it is http or https) for Everest SSO, which URL is Everest SSO configured to use to establish the JAS session, and then which URL does Everest redirect the user to so that the E1 JAS home page opens. If they're doing something like browser -> https://jde.example.com/sso -> http://jde01.example.local/ -> browser -> https://jde01.example.com/jde/E1Menu.maf then there are going to be issues.
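As an added illustration of the three-URL check above (this is not code from the thread or from any JDE/Everest product; the hostnames are constructed and modelled on the bad chain described), the helper below flags the scheme and hostname mismatches that break session and token continuity across the SSO -> JAS -> home page hops:

```python
from urllib.parse import urlsplit

# Constructed sample chain (hypothetical hostnames) reproducing the mismatch
# described above: browser -> SSO login -> JAS session -> E1 home page.
BAD_CHAIN = {
    "sso_login": "https://jde.example.com/sso",
    "jas_session": "http://jde01.example.local/jde/",
    "e1_home": "https://jde01.example.com/jde/E1Menu.maf",
}

# The same chain with every hop on one scheme and one public alias.
GOOD_CHAIN = {
    "sso_login": "https://jde.example.com/sso",
    "jas_session": "https://jde.example.com/jde/",
    "e1_home": "https://jde.example.com/jde/E1Menu.maf",
}


def check_url_chain(chain):
    """Return a list of findings for an SSO -> JAS -> home-page chain.

    The browser session and the token verification hop are bound to the
    scheme and host the browser used, so every hop should agree on both.
    An empty list means the chain is consistent.
    """
    parsed = {name: urlsplit(url) for name, url in chain.items()}
    findings = []

    for name, parts in parsed.items():
        if parts.scheme not in ("http", "https") or not parts.hostname:
            findings.append(f"{name}: not an absolute http(s) URL: {chain[name]}")

    schemes = {parts.scheme for parts in parsed.values()}
    if len(schemes) > 1:
        findings.append("mixed schemes across hops: " + ", ".join(sorted(schemes)))

    hosts = {parts.hostname for parts in parsed.values() if parts.hostname}
    if len(hosts) > 1:
        findings.append("mixed hostnames across hops: " + ", ".join(sorted(hosts)))

    # A hop on an internal-only name cannot be the same endpoint the browser sees.
    for name, parts in parsed.items():
        host = parts.hostname or ""
        if host.endswith(".local") or "." not in host:
            findings.append(f"{name}: internal-only hostname in chain: {host}")

    return findings


if __name__ == "__main__":
    for finding in check_url_chain(BAD_CHAIN):
        print(finding)
```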
 
Another point to make is that if you are using wildcard SSL certificates then you need to make sure the Hostname Verifier is set to weblogic.security.utils.SSLWLSWildcardHostnameVerifier within WebLogic.
 