CSS, SSL, JSessionid Query

Unanswered Question
Aug 13th, 2010

Hi All,

I have asked a question in relation to the above here before, but it has reared its head for me again.

Can a CSS handle sticky sessions with a Jsession ID in the URL header, and have an SSL connection between the CSS and the client?

The JsessionIds from the servers will have constant strings attached to them depending on which server they come from.

This has not worked for me in the past due to the frontend SSL (I think). I would gratefully welcome any advice or partial/full example configurations from anyone.

Thanks in advance

Stephen

Pablo Fri, 08/13/2010 - 15:55

Hi Stephen,

Sure, you can do this with the CSS, but as you nailed it, this has not worked for you due to the SSL connection. SSL means that all the traffic comes encrypted to the CSS, thus layer 5 information (headers, cookies, etc.) can't be read at all.

The only way you can get this done is if you have an SSL module installed on the CSS or any other device that can act as an SSL offloader before the traffic reaches the CSS. Once the traffic is decrypted and the L5 info is readable, then you can configure stickiness based on cookie URL to maintain your clients stuck to one server until they finish the session.


Here you can find some info about cookie URL:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.50/configuration/quick/guide/Sticky.html#wp1115543

If you have an SSL module installed let me know perhaps I can provide you with a good example for this.

Cheers!

__ __

Pablo

stephen.stack Sat, 08/14/2010 - 03:57

Hi Pablo,

Pretty much as I expected. However, there might be a difference this time.

Before, when I attempted this, we had 11501s deployed.

Now we have 11506s with SSL modules. Can we do stickiness with the SSL module?

Can you share your configs?

Thanks

Stephen

NAME: "module 3  ",  DESCR: "CSS11500 SSL Module (Strong Encryption)"
PID: CSS5-SSL-K9       ,  VID: V01,  SN: XXXXXXXXXXXX

Pablo Mon, 08/16/2010 - 12:30

Hi Stephen,

Now that you have the SSL module you can configure SSL termination to decrypt the SSL traffic and then apply the sticky method you prefer. I've attached a config sample for SSL termination and cookie URL where the CSS should stick a client based on the cookie string that is embedded into the URL during the session.

In a nutshell:

- The client will come in on https://mydomain2.com, which resolves to 10.10.10.100, hitting the 443 content rule.

- The traffic will be sent to the SSL service, which is attached to the SSL proxy list (Web); here the SSL module uses your private key to decrypt the traffic.

- Once decrypted, the traffic will be sent to the IP 10.10.10.100, but this time on port 80, to make a load balancing decision.

- The CSS looks for the configured string prefix, which is the cookie name. In this example, the string prefix in the content rule is cookieid=.

- If the CSS finds the prefix, then it looks for the value that matches one of the string values configured in one of the services. For example, the string value for service Apache-1 is server1. The CSS begins searching for the prefix and value at the beginning of the cookie field in the header and searches the entire field until the end of the field.

- If the CSS cannot find the string prefix or match the cookie value with one of the service string values, then the CSS load balances the request according to the configured balance method (roundrobin by default).

In this example I'm assuming that the SSL cert and key have already been uploaded and associated on the box; if you need any help with this let me know.

Hope this helps.


___ ___

Pablo

stephen.stack Tue, 08/17/2010 - 07:49

Thanks Pablo,

This all makes perfect sense to me. I had deployed something very similar previously on a CSS11501S-C-K9.

Does the fact that I now have an 11506 with an SSL module make a difference? And why?

The config is great, but one thing confuses me. You have a content group with 'content 80' and 'content 443' configured, then you have a 'group web' configured also. What is this config's purpose?

I have noticed that the SSL rule, the owner group and the 'group web' are all configured with the same name, 'web'. Is this important, or just a coincidence?

Thanks again. I intend testing this tomorrow evening.

Regards

Stephen

pablo.nxh Tue, 08/17/2010 - 08:33

Hi Stephen,

Nope, the fact that you now have a CSS11506 with SSL modules doesn't change anything; both HWs use the same CLI commands and work exactly the same way. I'm pretty sure the only difference is the number of transactions per second that each box can handle.

About that "Web" group: I put it in the config just in case you have a similar design. As you can see in my config, I'm just using a one-armed mode where the VIPs and the servers are sitting on the same VLAN (179). Commonly on this topology you face asymmetrical routing issues where the response from the servers bypasses the CSS, which breaks the connection; the group is used to NAT the incoming connection and force the backend servers to reply back to the CSS. If you have a routed mode where the clients and servers are on different VLANs, then you don't need to worry about this.

About the names... that was merely a coincidence, or a lack of thinking of a better name I'd say lol; you can use whatever name you want under each portion of the configuration. =)

PS. Checking the config, I made a typo under the SSL list: the "ssl-server 1 vip address 10.86.178.198" should've been "ssl-server 1 vip address 10.10.10.100". I was thinking of my own network when editing the configuration.

If something comes up with the testing let me know.

Cheers!

__ __


Pablo
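Since Pablo's attached config is not visible in the thread, here is an added example (written for this thread, not Pablo's attachment and not Cisco's own sample) that puts his "in a nutshell" steps and the one-armed "web" group into a single CSS configuration. Assumed, not taken from the thread: the SSL module sits in slot 3 (as in Stephen's inventory output), the cert and key are already associated under the names mycert and mykey, the backend servers Apache-1 and Apache-2 are 10.10.10.11 and 10.10.10.12 on VLAN 179, the VIP is 10.10.10.100 (Pablo's corrected address), and the cookie prefix is cookieid= with values server1 and server2. The cipher suite name assumes a CSS release that supports AES; older releases only offer RC4/3DES suites.

```cisco
! Added example configuration for this thread (not the attached config).
! Assumptions: SSL module in slot 3, cert/key associated as mycert/mykey,
! servers 10.10.10.11 and 10.10.10.12, VIP 10.10.10.100, prefix cookieid=.

! --- Backend services: each carries the string the CSS matches in the cookie URL
service Apache-1
  ip address 10.10.10.11
  port 80
  protocol tcp
  keepalive type http
  string "server1"
  active

service Apache-2
  ip address 10.10.10.12
  port 80
  protocol tcp
  keepalive type http
  string "server2"
  active

! --- SSL proxy list: the VIP/port the module terminates, and where clear text goes
ssl-proxy-list Web
  ssl-server 1
  ssl-server 1 vip address 10.10.10.100
  ssl-server 1 port 443
  ssl-server 1 rsacert mycert
  ssl-server 1 rsakey mykey
  ! clear-text traffic is sent back to the VIP on port 80 for the L5 decision
  ssl-server 1 cipher rsa-with-aes-128-cbc-sha 10.10.10.100 80
  active

! --- SSL acceleration service bound to the module in slot 3
service ssl-module
  type ssl-accel
  slot 3
  keepalive type none
  add ssl-proxy-list Web
  active

owner web

  ! Encrypted client traffic: hand it to the SSL module
  content 443
    vip address 10.10.10.100
    port 443
    protocol tcp
    application ssl
    add service ssl-module
    active

  ! Decrypted traffic from the module: sticky on the string embedded in the URL
  content 80
    vip address 10.10.10.100
    port 80
    protocol tcp
    url "/*"
    balance roundrobin
    advanced-balance cookieurl
    string prefix "cookieid="
    string operation match-service-cookie
    add service Apache-1
    add service Apache-2
    active

! --- One-armed mode only: NAT client traffic to the VIP so server replies return via the CSS
group web
  vip address 10.10.10.100
  add service Apache-1
  add service Apache-2
  active
```

The flow matches the steps above: 443 rule to ssl-module, the module decrypts and forwards to 10.10.10.100:80, the 80 rule searches the URL for cookieid= and sends a request carrying server1 or server2 to the matching service, and anything without a recognisable prefix or value falls back to roundrobin. The group is only needed in the one-armed layout Pablo describes; in a routed or bridged design where replies already pass through the CSS it can be left out. If the server tag is not immediately after the prefix, the CSS also provides string skip-length to step over a fixed number of bytes before the comparison.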

stephen.stack Tue, 08/17/2010 - 08:37

Thanks Pablo,

Your config is quite basic, as is mine, so it should be easy to integrate them appropriately.

No worries about the naming and IPs.

I think the web group may be important, and I wonder if it is for stickiness, for the servers to return traffic to the VIP instead of the source IP of the host directly. My CSSs are in bridged mode (don't ask), so I think this may be important to implement.

Will let you know how it goes.

Thanks


Stephen
