ACE service module SSL termination for soap over HTTPS

Unanswered Question
Sep 30th, 2009

I have a virtual server configured to terminate SSL traffic and send to the real server in clear text. This works great when I test from my browser and access the web site on the server.

However, when another group attempts to send SOAP over HTTPS to the same virtual server, the ACE drops the connection.

Just wondering if anyone has seen this before?

access-list PERMIT line 8 extended permit ip any any

serverfarm host SecureSite
  probe PROBE_SERVICE_ICMP
  rserver SecureSite 81
    inservice

parameter-map type connection TCP_PARAM
  syn-data drop
  exceed-mss allow

class-map match-all SecureSite
  2 match virtual-address 10.24.44.11 tcp eq https

policy-map type loadbalance first-match SecureSite-l7slb
  class class-default
    serverfarm SecureSite

policy-map multi-match POLICY
  class SecureSite
    loadbalance vip inservice
    loadbalance policy SecureSite-l7slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 332
    ssl-proxy server SecureSite
    connection advanced-options TCP_PARAM

Service policy is applied at the interface.

koltl-gold Wed, 09/30/2009 - 22:06

I suspect the server sends an HTTP redirect which will not be usable until you set up SSL URL rewrite. It is a very good practice to have this feature enabled for all SSL termination configs.

Peter

koltl-gold Wed, 09/30/2009 - 22:12

I assume you just omitted to paste the 'ssl-proxy service SecureSite' section with the cert and the key.

JeramyKoval Thu, 10/01/2009 - 04:21

Yes, I actually forgot to include the ssl-proxy service in my post. It is there and is configured. Works just fine with regular website traffic. I even tried a different ssl-proxy service just to see if there was any change.

huangedmc Fri, 10/09/2009 - 03:15

"However, when another group attempts to send SOAP over HTTPS to the same virtual server, the ACE drops the connection."

Where's this group connecting to the VIP from?

Is it from a client-side or server-side vlan?

JeramyKoval Mon, 10/12/2009 - 11:15

We ended up resolving this issue. It turned out to be something really simple. The client that was sending the soap traffic did not have the proper SSL certificate installed on the server that was generating the soap traffic.
