CSS SSL termination problem

danielfalemo
Level 1

Hi,

I have a problem with a CSS 11503 where I am running SSL termination. It is working so far in that I can get to the login page on the server, and if I log in with the wrong username or password it checks this and comes back with "wrong username or password", but if I try with a working login name it times out and displays "page cannot be found". Could this be due to the CSS and SSL termination, or is it more likely that something is wrong with the server?

Thanks in advance

/Daniel

6 Replies

Gilles Dufour
Cisco Employee

Daniel,

You'll need to sniff the backend and see what the request looks like from CSS to server.

The CSS does not modify the content of the HTTP body, so I really doubt that this would be a CSS issue.

Gilles.

Thanks for your reply. I do not believe this to be a CSS issue either, but I wanted to hear if someone had experienced this before or knew something about it. Thanks for your suggestion.

//Daniel

Daniel,

Do the same symptoms occur when going to the real address via HTTP?

We had a lot of trouble standing up a new process where the SSL was offloaded on our CSS. It ended up being Chimney Offloading and Win2K3 SP2, coupled with an out-of-date NIC driver. Also, not knowing how you have everything connected, make sure proxy ARP isn't causing you problems. You may need to turn it off on the switches/VLANs/VRFs/routers in your infrastructure.

Throughout the testing to eliminate problems, HTTP directly to the server performed the same as through HTTPS. So use this as a means to isolate the issue.

Good luck and let us know how it turns out.

Jim

If I set this up without the SSL termination it is working, but not with the SSL termination. What I have discovered is that when I log in, the server sends a FIN to the client and opens another session which is not HTTPS.

If I use this config it is working, so I can log in, but when I do this the server initiates another session and it turns to HTTP:

!*************************** GLOBAL ***************************
cdp run
ssl associate rsakey wcl1key wcl1key.080422.pem
ssl associate cert wcl1cert wcl1cert.080422.pem
ip route 0.0.0.0 0.0.0.0 10.200.133.129 1

!************************* INTERFACE *************************
interface 1/1
  bridge vlan 4
interface 1/2
  bridge vlan 40

!************************** CIRCUIT **************************
circuit VLAN4
  ip address 10.200.133.137 255.255.255.128
circuit VLAN40
  ip address 192.168.1.1 255.255.255.0

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list secure-SSL
  ssl-server 212
  ssl-server 212 rsakey wcl1key
  ssl-server 212 rsacert wcl1cert
  ssl-server 212 vip address 10.200.133.212
  ssl-server 212 cipher rsa-with-rc4-128-md5 192.168.1.12 10038 weight 10
  ssl-server 212 cipher rsa-export-with-rc4-40-md5 192.168.1.12 10038 weight 5
  ssl-server 212 failure ignore
  ssl-server 215
  ssl-server 215 rsakey wcl1key
  ssl-server 215 rsacert wcl1cert
  ssl-server 215 vip address 10.200.133.214
  ssl-server 215 cipher rsa-with-rc4-128-md5 192.168.1.15 80 weight 10
  ssl-server 215 cipher rsa-export-with-rc4-40-md5 192.168.1.15 80 weight 5
  ssl-server 212 http-header session
  active

!************************** SERVICE **************************
service ssl-wcl1
  type ssl-accel
  slot 3
  add ssl-proxy-list secure-SSL
  keepalive type none
  active

service wcl1
  ip address 192.168.1.12
  active

service wcldb2
  ip address 192.168.1.11
  active

service wclldap
  ip address 192.168.1.14
  active

service wclqr
  ip address 192.168.1.13
  active

service wclst
  ip address 192.168.1.15
  active

!*************************** OWNER ***************************
owner Forsvarsmakten
  billing-info "Forsvaret"
  address "Krutvagen 666"
  email-address bomber@krut.se

  content SSL-wcl1
    vip address 10.200.133.212
    add service ssl-wcl1
    protocol tcp
    port 443
    active

  content SSL-wclst
    vip address 10.200.133.214
    add service ssl-wcl1
    protocol tcp
    port 443
    active

  content http-wcl1
    vip address 10.200.133.212
    add service wcl1
    advanced-balance cookies
    protocol tcp
    port 10038
    active

  content wcl1
    protocol tcp
    vip address 10.200.133.212
    add service wcl1

  content wclqr
    protocol tcp
    vip address 10.200.133.213
    add service wclqr
    active

  content wclst
    protocol tcp
    vip address 10.200.133.214
    add service wclst
    active

Can I specify how the server makes a connection so I can send the server session to the SSL VIP address? This is an IBM WebSphere Portal. If anyone has any suggestions I will be very glad to hear them.

Thanks

/Daniel

Daniel,

You have two rules for the same VIP, one SSL and the other non-SSL. I presume you want a client to come in over SSL, get decrypted/encrypted and go to the server on port 10038. If this is true, you really need two separate VIPs: one for the SSL (and available to the public) and a second, different one for the rule to the server.

Think of it this way. The client connects to the SSL VIP, goes through the SSL proxy and then connects to the non-SSL VIP and rule. If those VIPs are the same address, well, which way does it go?

Here's mine below:

*********************** SSL PROXY LIST ***********************
ssl-proxy-list internet_DASHBOARD
  ssl-server 1
  ssl-server 1 rsakey cshorizons
  ssl-server 1 rsacert cshorizons
  ssl-server 1 vip address 192.168.66.20
  ssl-server 1 cipher rsa-with-rc4-128-md5 192.168.66.21 80
  ssl-server 1 urlrewrite 1 cshorizons.cswg.com
  active

!************************** SERVICE **************************
service SSL_Service
  type ssl-accel
  keepalive type none
  slot 2
  add ssl-proxy-list internet_DASHBOARD
  active

service Web_Server_1
  ip address 192.168.66.220
  protocol tcp
  port 80
  redundant-index 41
  active

service Web_Server_2
  ip address 192.168.66.221
  protocol tcp
  port 80
  redundant-index 42

!*************************** OWNER ***************************
owner iD
  email-address INTELSYSTEMSGROUP@cswg.com
  case sensitive
  billing-info "Business"
  address "10 Optical Ave, Keene, NH"

  content Dash_Back
    add service Web_Server_1
    add service Web_Server_2
    vip address 192.168.66.21
    protocol tcp
    port 80
    url "/*"
    balance leastconn
    sticky-inact-timeout 540
    advanced-balance sticky-srcip
    active

  content Dashboard
    add service SSL_Service
    vip address 192.168.66.20
    protocol tcp
    port 443
    active

  content Redirect
    vip address 192.168.66.20
    redirect "https://cshorizons.cswg.com"
    protocol tcp
    port 80
    active

!*************************** GROUP ***************************
group internet_Dashboard
  add destination service Web_Server_1
  add destination service Web_Server_2
  redundant-index 47
  vip address 192.168.66.20
  active

Found this reply from Gilles:

Your Tomcat server is either using absolute paths (so links like http://.....), in which case the only thing you can do is modify the server, or the Tomcat server is sending a redirect to the client to http://....

The SSL module can intercept the redirect and rewrite it to HTTPS.

You need to add the command 'ssl-server 19 urlrewrite 1 * sslport 443 clearport 8080'.

A sniffer trace would tell you why the client keeps using http.

Gilles.

Added:

ssl-server 212 urlrewrite 1 * sslport 443 clearport 10038

And now it is working.

Thanks very much.

/Daniel
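To make the fix concrete, here is an added example that is not from the thread, from Cisco or from the CSS code: a small Python model of what the 'urlrewrite 1 * sslport 443 clearport 10038' rule does to a backend response, plus a check you can run over the responses seen in a backend sniffer trace (Gilles's first suggestion) to find the redirects that would push a client back to cleartext. The sample responses, the host name portal.example.test and the WebSphere-style /wps/ paths are constructed for the example; only an absolute http:// Location whose host matches the rule's pattern and whose port is the configured clear port is rewritten, everything else (relative Locations, other hosts, other ports) is left alone.

```python
# Added example: emulate the CSS SSL module's urlrewrite rule and flag the
# backend redirects that would leak a terminated session back to cleartext.
from fnmatch import fnmatch
from urllib.parse import urlsplit, urlunsplit


def rewrite_location(location: str, host_glob: str = "*",
                     sslport: int = 443, clearport: int = 80) -> str:
    """Mirror 'ssl-server N urlrewrite 1 <host_glob> sslport S clearport C'.

    Only an absolute http:// URL whose host matches host_glob and whose port
    (80 when absent) equals clearport is rewritten to https:// on sslport.
    Anything else is returned unchanged, so relative Locations stay safe.
    """
    parts = urlsplit(location)
    if parts.scheme.lower() != "http" or not parts.hostname:
        return location
    if not fnmatch(parts.hostname, host_glob):
        return location
    if (parts.port or 80) != clearport:
        return location
    host = parts.hostname
    if ":" in host:                       # re-bracket an IPv6 literal
        host = f"[{host}]"
    netloc = host if sslport == 443 else f"{host}:{sslport}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def rewrite_response(raw: bytes, **rule) -> bytes:
    """Apply rewrite_location to every Location: header of a raw HTTP response."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    out = [lines[0]]                      # status line is never touched
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon and name.strip().lower() == "location":
            value = " " + rewrite_location(value.strip(), **rule)
        out.append(name + colon + value)
    return "\r\n".join(out).encode("iso-8859-1") + sep + body


def cleartext_redirects(responses, **rule) -> list:
    """Locations from a list of raw responses that the rule WOULD rewrite.

    Run this over backend responses from a sniffer trace: a non-empty result
    is the redirect that sends the browser to plain http:// on the clear port.
    """
    leaks = []
    for raw in responses:
        for line in raw.split(b"\r\n\r\n")[0].split(b"\r\n")[1:]:
            name, _, value = line.decode("iso-8859-1").partition(":")
            if name.strip().lower() == "location":
                loc = value.strip()
                if rewrite_location(loc, **rule) != loc:
                    leaks.append(loc)
    return leaks


# Constructed sample responses (not a real capture): a portal that answers a
# successful login with an absolute http:// redirect on its clear port 10038,
# a failed login answered with a relative redirect, and a plain 200.
SAMPLE_RESPONSES = [
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://portal.example.test:10038/wps/myportal\r\n"
    b"Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    b"Content-Length: 0\r\n\r\n",
    b"HTTP/1.1 302 Found\r\n"
    b"Location: /wps/portal/login?error=1\r\n"
    b"Content-Length: 0\r\n\r\n",
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 5\r\n\r\nhello",
]

if __name__ == "__main__":
    rule = dict(host_glob="*", sslport=443, clearport=10038)
    for loc in cleartext_redirects(SAMPLE_RESPONSES, **rule):
        print("cleartext redirect from backend:", loc)
        print("rewritten by the SSL module to: ", rewrite_location(loc, **rule))
```

The port check is the part worth noticing: with 'clearport 10038' the rule only fires on Locations that carry ':10038', so a backend that instead builds its redirect from the client's Host header without a port (as in Jim's setup, where the clear port is 80) needs 'clearport 80', which is also the default above. A Location that is already https://, or that is relative, passes through untouched in both cases.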
