ACE SSL termination with Hyperion Workspace

desmckee · ‎10-06-2008

Hi, I am currently trying to set up SSL termination for a Hyperion system that is using clear text at the back end. The SSL offloading is working fine, but the issue is that after a client login, the application requests certain locations as http rather than https. I initially thought that this would need SSL rewrite, but I now don't believe that it's a redirect from the server that is sent, therefore I can't use ssl rewrite.

Ive tried some HTTPS redirections, and while the theory would work, the URL matching seems complicated, and some matches work while others don't seem to - /workspace.* works, but the more important /Hyperion.* doesn't. Aside from this it would seem pretty messy to redirect every individual http request to https?

Has anyone any experience of these setups? From what I have read outboard SSL termination isn't officially supported by Oracle for this product, but I'm sure some people must be doing it?

Thanks a lot.

Gilles Dufour · ‎10-06-2008

this is the result of a poor web server configuration.

If the links are absolute and not relative, when a client click a link that points direclty to http://... the browser will open a cleartext connection.

If you want to solve this on the network, the only solution is the redirect.

But the best option should be to reconfigure the servers to use relative links.

Gilles.

desmckee · ‎10-07-2008

Thanks Gilles. I have managed to get a decoded trace, and can now clearly see that the server is using relative links, and does in fact send a HTTP 302 found redirect to the client. The Location: field states HTTP rather than HTTPS, so it looks like the URL rewrite feature is what I need to use.

What am I doing wrong in getting this to work? I am matching on all locations (.*), so that shouldn't be an issue. My ports are both non-standard, so the command is ssl url rewrite location .* sslport xxxxx clearport xxxxx. If I perform show service-policy detail, I can see that the action has many hits:

HTTP modify action : REWRITE_TO_SSL

hit count : 10

dropped conns : 0

but I never see the HTTP rewrite statistics increasing? Yesterday someone suggested that some servers use location as a non-capitalised field, but I tried this workaround as well with no success. Do you have any ideas at all?

Thanks a lot.

Gilles Dufour · ‎10-07-2008

The header matching is case sensitive.

Check the location field in the trace.

You need to exactly match what the server returns.

Also, is the server sending the port in the redirect or not ?

Gilles.

desmckee · ‎10-07-2008

In the trace location is definitely capitalised as Location: and the redirect also sets the port correctly -

Location: http://hostname.domain.com/X000/appname.jsp?Application=TestApp

When you say I must exactly match, do you mean I cannot use .* ? I have tried hostname\.domain\.com as well without success.

Thanks

Gilles Dufour · ‎10-07-2008

What I meant is that if Location wasn't spelled like this then you had to use a special header match.

Anyway, in this case, it seems the clearport is not specified in the location field.

So, do not specify any clear port in your ssl rewrite command.

Gilles.

des.mckee · ‎10-07-2008

Sorry, that was my typo - it does state the clear text port:

Location: http://hostname.domain.com:5000/appname.jsp?Application=TestApp

Are there any debugs i cant try on the ACE apart from packet caputure? I tried that yesterday but its only L4 info.

Thanks

Gilles Dufour · ‎10-07-2008

There is no debug.

The pattern matching function is done in HW.

If your config is correct and the server response matches what you show, it should work.

We would need your complete config and the trace to verify.

If you prefer to keep the info confidential, open a service request with the TAC and ask them to verify.

Gilles.