04-22-2008 07:31 AM
Hi,
I have a problem with a CSS 11503 where I am running SSL termination. It is working so far that I can get to the login page at the server, and if I log in with the wrong username or password it checks this and comes back with "wrong username or password", but if I try with a working login name it times out and displays "page cannot be found". Could this be due to the CSS and SSL termination, or is it more likely that it is something wrong with the server?
Thanks in advance
/Daniel
04-23-2008 12:11 AM
Daniel,
You'll need to sniff the backend and see what the request looks like from CSS to server.
The CSS does not modify the content of http body, so I really doubt that this would be a CSS issue.
Gilles.
04-23-2008 12:26 AM
Thanks for your reply. I do not believe this to be a CSS issue either, but I wanted to hear if someone has experienced this before or knew something about it. Thanks for your suggestion.
//Daniel
04-23-2008 06:00 AM
Daniel,
Do the same symptoms occur when going to the real address via HTTP?
We had a lot of trouble standing up a new process where the SSL was offloaded on our CSS. Ended up being Chimney Offloading and Win2K3 SP2, coupled with an out of date NIC driver. Also, not knowing how you have everything connected, make sure PROXY-ARPing isn't causing you problems. You may need to turn it off on the switches/VLANs/VRF/Routers in your infrastructure.
Throughout the testing to eliminate problems, the HTTP directly to the server performed the same as through HTTPS. So use this as a means to isolate the issue.
Good luck and let us know how it turns out.
Jim
05-13-2008 04:19 AM
If I set this up without the SSL termination it is working, but not with the SSL termination. What I have discovered is that when I log in, the server sends a FIN to the client and opens another session which is not HTTPS.
If I use this config it is working so I can log in, but when I do this the server is initiating another session and it turns to HTTP:
!*************************** GLOBAL ***************************
cdp run
ssl associate rsakey wcl1key wcl1key.080422.pem
ssl associate cert wcl1cert wcl1cert.080422.pem
ip route 0.0.0.0 0.0.0.0 10.200.133.129 1
!************************* INTERFACE *************************
interface 1/1
bridge vlan 4
interface 1/2
bridge vlan 40
!************************** CIRCUIT **************************
circuit VLAN4
ip address 10.200.133.137 255.255.255.128
circuit VLAN40
ip address 192.168.1.1 255.255.255.0
!*********************** SSL PROXY LIST ***********************
ssl-proxy-list secure-SSL
ssl-server 212
ssl-server 212 rsakey wcl1key
ssl-server 212 rsacert wcl1cert
ssl-server 212 vip address 10.200.133.212
ssl-server 212 cipher rsa-with-rc4-128-md5 192.168.1.12 10038 weight 10
ssl-server 212 cipher rsa-export-with-rc4-40-md5 192.168.1.12 10038 weight 5
ssl-server 212 failure ignore
ssl-server 215
ssl-server 215 rsakey wcl1key
ssl-server 215 rsacert wcl1cert
ssl-server 215 vip address 10.200.133.214
ssl-server 215 cipher rsa-with-rc4-128-md5 192.168.1.15 80 weight 10
ssl-server 215 cipher rsa-export-with-rc4-40-md5 192.168.1.15 80 weight 5
ssl-server 212 http-header session
active
!************************** SERVICE **************************
service ssl-wcl1
type ssl-accel
slot 3
add ssl-proxy-list secure-SSL
keepalive type none
active
service wcl1
ip address 192.168.1.12
active
service wcldb2
ip address 192.168.1.11
active
service wclldap
ip address 192.168.1.14
active
service wclqr
ip address 192.168.1.13
active
service wclst
ip address 192.168.1.15
active
!*************************** OWNER ***************************
owner Forsvarsmakten
billing-info "Forsvaret"
address "Krutvagen 666"
email-address bomber@krut.se
content SSL-wcl1
vip address 10.200.133.212
add service ssl-wcl1
protocol tcp
port 443
active
content SSL-wclst
vip address 10.200.133.214
add service ssl-wcl1
protocol tcp
port 443
active
content http-wcl1
vip address 10.200.133.212
add service wcl1
advanced-balance cookies
protocol tcp
port 10038
active
content wcl1
protocol tcp
vip address 10.200.133.212
add service wcl1
content wclqr
protocol tcp
vip address 10.200.133.213
add service wclqr
active
content wclst
protocol tcp
vip address 10.200.133.214
add service wclst
active
Can I specify how the server makes a connection so I can send the server session to the SSL VIP address? This is an IBM WebSphere Portal. If anyone has any suggestions I will be very glad to hear them.
Thanks
/Daniel
05-13-2008 04:32 AM
Daniel,
You have two rules for the same VIP. One SSL and the other non-SSL. I presume you want a client to come in SSL, get decrypted/encrypted and go to the server on port 10038. If this is true, you really need two separate VIPs. One for the SSL (and available to the public) and the second - different - for the rule to the server.
Think of it this way. Client connects to SSL-VIP, goes through the SSL Proxy and then connects to the non-SSL vip and rule. If those VIPs are the same address, well, which way does it go???
Here's mine below:
*********************** SSL PROXY LIST ***********************
ssl-proxy-list internet_DASHBOARD
ssl-server 1
ssl-server 1 rsakey cshorizons
ssl-server 1 rsacert cshorizons
ssl-server 1 vip address 192.168.66.20
ssl-server 1 cipher rsa-with-rc4-128-md5 192.168.66.21 80
ssl-server 1 urlrewrite 1 cshorizons.cswg.com
active
!************************** SERVICE **************************
service SSL_Service
type ssl-accel
keepalive type none
slot 2
add ssl-proxy-list internet_DASHBOARD
active
service Web_Server_1
ip address 192.168.66.220
protocol tcp
port 80
redundant-index 41
active
service Web_Server_2
ip address 192.168.66.221
protocol tcp
port 80
redundant-index 42
!*************************** OWNER ***************************
owner iD
email-address INTELSYSTEMSGROUP@cswg.com
case sensitive
billing-info "Business"
address "10 Optical Ave, Keene, NH"
content Dash_Back
add service Web_Server_1
add service Web_Server_2
vip address 192.168.66.21
protocol tcp
port 80
url "/*"
balance leastconn
sticky-inact-timeout 540
advanced-balance sticky-srcip
active
content Dashboard
add service SSL_Service
vip address 192.168.66.20
protocol tcp
port 443
active
content Redirect
vip address 192.168.66.20
redirect "https://cshorizons.cswg.com"
protocol tcp
port 80
active
!*************************** GROUP ***************************
group internet_Dashboard
add destination service Web_Server_1
add destination service Web_Server_2
redundant-index 47
vip address 192.168.66.20
active
05-13-2008 04:35 AM
Found this reply from Gilles:
Your Tomcat server is either using absolute paths (so links like http://.....), in which case the only thing you can do is modify the server, or the Tomcat server is sending a redirect to the client to http://....
The SSL-mod can intercept the redirect and rewrite it to HTTPS.
You need to add a command 'ssl-server 19 urlrewrite 1 * sslport 443 clearport 8080'
A sniffer trace would tell you why the client keeps using http.
Gilles.
Added:
ssl-server 212 urlrewrite 1 * sslport 443 clearport 10038
And now it is working.
Thanks very much
/Daniel
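As an added illustration (not from the thread, and not Cisco's CSS code), here is a Python model of what the `ssl-server 212 urlrewrite 1 * sslport 443 clearport 10038` fix is described as doing: a redirect from the backend to http://host:10038/... is rewritten to https://host/... before it reaches the client, while absolute http:// links inside the HTML body are left alone, which is why Gilles says those can only be fixed on the server. The host pattern and port matching semantics are an assumption about the real command, and the host names and captured 302 response are constructed for the demo.

```python
# Added example (not from the thread or from the CSS itself): models the
# effect of "ssl-server N urlrewrite 1 * sslport 443 clearport 10038" on a
# backend redirect. Matching semantics are an assumption; host names and
# the captured response below are constructed for the demo.
import re
from fnmatch import fnmatch
from urllib.parse import urlsplit, urlunsplit


def rewrite_location(location, pattern="*", sslport=443, clearport=10038):
    """Return Location rewritten to https if it points at the clear port."""
    parts = urlsplit(location)
    if parts.scheme != "http" or not parts.hostname:
        return location                      # already https, or relative
    if not fnmatch(parts.hostname, pattern):
        return location                      # host not covered by the rule
    port = parts.port if parts.port is not None else 80
    if port != clearport:
        return location                      # not the backend's clear port
    netloc = parts.hostname if sslport == 443 else f"{parts.hostname}:{sslport}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def rewrite_response(raw, **rule):
    """Apply rewrite_location to the Location header of a raw HTTP response."""
    head, sep, body = raw.partition("\r\n\r\n")
    out = []
    for line in head.split("\r\n"):
        name, colon, value = line.partition(":")
        if colon and name.strip().lower() == "location":
            line = f"{name}: {rewrite_location(value.strip(), **rule)}"
        out.append(line)
    return "\r\n".join(out) + sep + body


def absolute_http_links(body):
    """Links the offloader will NOT fix: absolute http:// URLs in the body."""
    return re.findall(r'(?:href|src|action)=["\'](http://[^"\']+)', body, re.I)


# Constructed capture: what a sniffer on VLAN40 might show the portal sending
SAMPLE_REDIRECT = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://portal.example.test:10038/wps/myportal\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(rewrite_response(SAMPLE_REDIRECT))
    print(absolute_http_links('<a href="http://portal.example.test:10038/x">'))
```

Running `absolute_http_links` over a captured login page is a quick way to tell whether a remaining http:// fallback comes from a redirect (fixable with urlrewrite) or from hard-coded links (fixable only on the portal).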