ACE SSL termination with Hyperion Workspace


Hi, I am currently trying to set up SSL termination for a Hyperion system that is using clear text at the back end. The SSL offloading is working fine, but the issue is that after a client login, the application requests certain locations as http rather than https. I initially thought that this would need SSL rewrite, but I now don't believe that it's a redirect from the server that is sent, therefore I can't use ssl rewrite.

I've tried some HTTPS redirections, and while the theory would work, the URL matching seems complicated, and some matches work while others don't seem to - /workspace.* works, but the more important /Hyperion.* doesn't. Aside from this it would seem pretty messy to redirect every individual http request to https?

Has anyone any experience of these setups? From what I have read outboard SSL termination isn't officially supported by Oracle for this product, but I'm sure some people must be doing it?

Thanks a lot.

Gilles Dufour Mon, 10/06/2008 - 14:05

This is the result of a poor web server configuration.

If the links are absolute and not relative, when a client clicks a link that points directly to http://... the browser will open a cleartext connection.

If you want to solve this on the network, the only solution is the redirect.

But the best option should be to reconfigure the servers to use relative links.


Thanks Gilles. I have managed to get a decoded trace, and can now clearly see that the server is using relative links, and does in fact send a HTTP 302 found redirect to the client. The Location: field states HTTP rather than HTTPS, so it looks like the URL rewrite feature is what I need to use.

What am I doing wrong in getting this to work? I am matching on all locations (.*), so that shouldn't be an issue. My ports are both non-standard, so the command is ssl url rewrite location .* sslport xxxxx clearport xxxxx. If I perform show service-policy detail, I can see that the action has many hits:

HTTP modify action : REWRITE_TO_SSL

hit count : 10

dropped conns : 0

but I never see the HTTP rewrite statistics increasing? Yesterday someone suggested that some servers use location as a non-capitalised field, but I tried this workaround as well with no success. Do you have any ideas at all?

Thanks a lot.

Gilles Dufour Tue, 10/07/2008 - 06:03

The header matching is case sensitive.

Check the location field in the trace.

You need to exactly match what the server returns.

Also, is the server sending the port in the redirect or not?


Gilles Dufour Tue, 10/07/2008 - 07:12

What I meant is that if Location wasn't spelled like this then you had to use a special header match.

Anyway, in this case, it seems the clearport is not specified in the location field.

So, do not specify any clear port in your ssl rewrite command.


Gilles Dufour Tue, 10/07/2008 - 07:37

There is no debug.

The pattern matching function is done in HW.

If your config is correct and the server response matches what you show, it should work.

We would need your complete config and the trace to verify.

If you prefer to keep the info confidential, open a service request with the TAC and ask them to verify.
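
The two checks asked for in the replies above (the exact spelling of the Location header, and whether the redirect carries a port) can be read off a captured response with a short script. This is an added example, not part of the original thread; the sample response, host name and the function name `inspect_redirect` are constructed for illustration.

```python
# Added example: inspect the redirect header in a captured HTTP response.
# SAMPLE_RESPONSE is constructed for illustration, not taken from the thread.
from urllib.parse import urlsplit

SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Server: example\r\n"
    b"Location: http://hyperion.example.com/workspace/index.jsp\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

def inspect_redirect(raw: bytes) -> dict:
    """Report what a rewrite rule would have to match in a raw response."""
    # Only the header section matters; drop any body after the blank line.
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    report = {"status": int(lines[0].split()[1]), "header_name": None}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # Find the header regardless of case, but keep its on-the-wire spelling.
        if not sep or name.strip().lower() != "location":
            continue
        url = urlsplit(value.strip())
        report.update(
            header_name=name,                   # exact spelling sent by the server
            exact_case=(name == "Location"),    # False means a special match is needed
            scheme=url.scheme or "(relative)",
            host=url.hostname,
            explicit_port=url.port,             # None when no :port is in the URL
            path=url.path,
            needs_rewrite=(url.scheme == "http"),
        )
        break
    return report

if __name__ == "__main__":
    for key, val in inspect_redirect(SAMPLE_RESPONSE).items():
        print(f"{key:14} {val}")
```

An `explicit_port` of `None` corresponds to the case described above where the clear port is not present in the Location field.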


