Multiple SSL Certs in one SSL Proxy/VIP

Guys
I have a requirement to be able to provide SSL for two different sites that will resolve to the same VIP.  I've created a lot of SSL sites before and these work a treat with HTTP to HTTPS redirection.
However, I'm not sure how to take two different SSL certs and bind them to the same SSL Proxy, in order for me to add them to the same VIP.  The customer wants to use only port 443.  I had thought about using a secondary port, something like 8443, and adding another class under the multi-match policy.
Is this possible at all?  I use a standard L4 class-map in the multi-match policy, that then nests down into L7 class-maps, for URL load balancing.
Because this is a multi-match policy, can I just create another L4 policy, which in turn nests down to a different L7 class-map, allowing me to match the second URL? And thus, because I have another L4 policy, can I assign a new SSL Proxy?
Thanks

Cathy
Thanks for the reply, that's what I was thinking. We use wildcard certificates for several of the other domains; however, we need to provide certificates for www.website.com and ww2.website.com due to cost.
Is it possible to replace the L4 policy map with a straight L7, so that we are load balancing directly on URL as opposed to verifying L4 matches first?  Or would this not be advisable / possible?  I always thought it was the L4 policy that made the VIP proxy?
Can SAN certs not be used in this example?
Thanks
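
The SAN question above comes down to whether one certificate names every hostname served on the VIP. The following is an added example, not part of the original posts: it assumes the VIP presents a single certificate on port 443 and checks a constructed certificate inventory (the certificate names and SAN lists are hypothetical) against the two hostnames from the thread.

```python
"""Which certificate can serve every hostname behind a single VIP on port 443?"""


def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.lower().rstrip(".").split(".")


def san_matches(san_entry, hostname):
    """Return True if a SAN dNSName entry covers hostname.

    Conservative wildcard handling: '*' must be the entire leftmost label,
    matches exactly one label, and needs at least two labels after it.
    """
    pattern, host = _labels(san_entry), _labels(hostname)
    if len(pattern) != len(host):
        return False
    if pattern[0] == "*":
        return len(pattern) >= 3 and pattern[1:] == host[1:]
    if any("*" in label for label in pattern):
        return False  # partial wildcards such as 'w*.website.com' are rejected
    return pattern == host


def uncovered_hosts(san_entries, required_hosts):
    """Hostnames a client would get a name-mismatch warning for."""
    return [h for h in required_hosts
            if not any(san_matches(s, h) for s in san_entries)]


def single_cert_candidates(inventory, vip_hosts):
    """Names of certificates whose SAN list covers every host on the VIP."""
    return sorted(name for name, sans in inventory.items()
                  if not uncovered_hosts(sans, vip_hosts))


# Hostnames from the thread; both resolve to the same VIP.
VIP_HOSTS = ["www.website.com", "ww2.website.com"]

# Constructed inventory (hypothetical certificate names and SAN lists).
INVENTORY = {
    "wildcard-other": ["*.other-domain.example", "other-domain.example"],
    "www-only": ["www.website.com"],
    "san-pair": ["www.website.com", "ww2.website.com"],
}

if __name__ == "__main__":
    for cert_name, sans in INVENTORY.items():
        missing = uncovered_hosts(sans, VIP_HOSTS)
        status = "covers all VIP hosts" if not missing else f"missing {missing}"
        print(f"{cert_name:15s} {status}")
    print("usable on one proxy:", single_cert_candidates(INVENTORY, VIP_HOSTS))
```

A certificate that leaves any VIP hostname uncovered would produce name-mismatch warnings for that site if it were the only certificate bound to the proxy.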

Similar Messages

  • Is it possible to view individual SSL-proxy service usage (TPS)?

    Hi,
    Can the ACE provide any detail above and beyond just the overall ssl-connection rate for a particular context?
    I have an ACE with two contexts and multiple ssl-proxy services configured within each and it would be really helpful to know the ssl-connection rate associated with each service (current, average, peak, etc) as I've got the issue where the SSL resource limit for one of the contexts has been reached and I don't know which service has jumped up in usage;-
                                              Allocation
    Resource              Current    Peak    Min    Max    Denied
    ssl-connections rate        0     250    250    250       351
    I can set up custom MIB pollers based on OID values within our SolarWinds network monitoring system so even if the information isn't directly available through the ACE CLI but has an associated OID I'd be grateful for the info if any one knows it (or even just the OIDs that contain the connection rate values from the 'sh resource usage' command so I can graph the overall usage against date/time within SolarWinds).
    Thanks
    Matthew

    Matthew,
    I do not know the OID to poll the service-policy info.
    But if you do a 'show service-policy ' at regular intervals and compare the hit count, you can compute the connection rate for each service policy individually.
    Gilles.
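
The polling approach from the reply above, as an added example that is not part of the original thread: it parses two captures of 'show service-policy' and turns the hit-count difference into connections per second for each class. The snapshots are constructed, the class names are hypothetical, and the assumed layout (a "class:" line followed by a "hit count" counter) should be checked against the output of your own release; hit count is connections matched by the class, used here as a proxy for SSL handshakes.

```python
import re

# Constructed sample: two captures taken 60 seconds apart.
SNAPSHOT_T0 = """\
Interface: vlan 21
  service-policy: SLB-VIPS
    class: SHOP-HTTPS
      VIP State: INSERVICE
      curr conns       : 12        , hit count        : 104200
      dropped conns    : 0
    class: PORTAL-HTTPS
      VIP State: INSERVICE
      curr conns       : 3         , hit count        : 88110
      dropped conns    : 0
"""

SNAPSHOT_T1 = """\
Interface: vlan 21
  service-policy: SLB-VIPS
    class: SHOP-HTTPS
      VIP State: INSERVICE
      curr conns       : 40        , hit count        : 118600
      dropped conns    : 351
    class: PORTAL-HTTPS
      VIP State: INSERVICE
      curr conns       : 2         , hit count        : 88710
      dropped conns    : 0
"""

CLASS_RE = re.compile(r"^\s*class:\s*(\S+)")
HIT_RE = re.compile(r"hit count\s*:\s*(\d+)")


def parse_hit_counts(text):
    """Return {class name: hit count}; a class seen on several interfaces is summed."""
    counts = {}
    current = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = HIT_RE.search(line)
        if m and current is not None:
            counts[current] = counts.get(current, 0) + int(m.group(1))
    return counts


def connection_rates(before, after, interval_s):
    """Connections per second per class between two snapshots.

    A class missing from the first snapshot, or whose counter went backwards
    (counters cleared, module reloaded), gets None instead of a bogus rate.
    """
    if interval_s <= 0:
        raise ValueError("interval_s must be positive")
    rates = {}
    for name, now in after.items():
        prev = before.get(name)
        if prev is None or now < prev:
            rates[name] = None
        else:
            rates[name] = (now - prev) / interval_s
    return rates


def busiest(rates):
    """Return (class name, rate) for the highest measurable rate, or None."""
    known = {k: v for k, v in rates.items() if v is not None}
    if not known:
        return None
    name = max(known, key=known.get)
    return name, known[name]


if __name__ == "__main__":
    rates = connection_rates(parse_hit_counts(SNAPSHOT_T0),
                             parse_hit_counts(SNAPSHOT_T1), 60)
    for name, rate in rates.items():
        print(name, "n/a" if rate is None else f"{rate:.1f} conn/s")
    print("busiest:", busiest(rates))
```

Graphing these per-class rates next to the context-wide 'ssl-connections rate' figures shows which service is consuming the limit when the Denied counter starts to climb.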

  • Security Management Appliance - Multiple SSL Cert support.

    Does anyone know if the SMA supports multiple SSL certs?  We would like to create a cert for our users that access the Spam Quarantine that uses a different FQDN from what we have now for admin access.
    I noticed in the instructions for importing certs into the SMA that it does ask if you want to use that cert for everything, but I haven't found anything that elaborates on what options you have if you say NO.  I'm guessing from that question that it allows for a different cert for a different function, but I'd like confirmation and maybe direction on how to implement.
    Thanks in advance.

    You can install a different cert for different process:
    http://www.cisco.com/c/en/us/support/docs/security/content-security-management-appliance/118460-technote-sma-00.html
    Certificates can be used for four different services:
    Inbound TLS
    Outbound TLS
    HTTPS
    LDAPS
    When you say No, you'll just need to be prepared to enter in the separate certs as needed for each process.  And, SMA is still CLI only for cert management.
    -Robert

  • Multiple SSL terminations - 1 CSS11506

    Well the questions keep coming.
    Can anyone point me in the right direction for setting up multiple SSL terminations, 443 port for them all and multiple VIPS. So far I have one SSL site working but when i try to make my 2nd ssl proxy list active it says only one active at a time. So looking for sample configs to make this happen.
    Cheers
    Dave

    Thanks man, I read up a bit more and figured that out..Here is my config so far...
    ssl associate rsakey myrsakey1 CSSrsakey1
    ssl associate cert myrsacert1 CSScertfile1
    ssl associate rsakey myrsakey2 CSSrsakey2
    ssl associate cert myrsacert2 CSScertfile2
    ip route 0.0.0.0 0.0.0.0 192.168.20.1 1
    !************************** CIRCUIT **************************
    circuit VLAN1
    ip address 192.168.20.20 255.255.255.0
    !*********************** SSL PROXY LIST ***********************
    ssl-proxy-list ssl-list
    ssl-server 90
    ssl-server 90 vip address 192.168.20.100
    ssl-server 90 cipher rsa-with-des-cbc-sha 192.168.20.50 80
    ssl-server 90 cipher rsa-with-3des-ede-cbc-sha 192.168.20.50 80
    ssl-server 90 cipher rsa-with-rc4-128-sha 192.168.20.50 80
    ssl-server 90 cipher rsa-with-rc4-128-md5 192.168.20.50 80
    ssl-server 90 rsacert myrsacert1
    ssl-server 90 rsakey myrsakey1
    ssl-server 90 urlrewrite 22 www.test.com
    ssl-server 91
    ssl-server 91 vip address 192.168.20.101
    ssl-server 91 cipher rsa-with-des-cbc-sha 192.168.20.60 80
    ssl-server 91 cipher rsa-with-3des-ede-cbc-sha 192.168.20.60 80
    ssl-server 91 cipher rsa-with-rc4-128-sha 192.168.20.60 80
    ssl-server 91 cipher rsa-with-rc4-128-md5 192.168.20.60 80
    ssl-server 91 rsacert myrsacert2
    ssl-server 91 rsakey myrsakey2
    ssl-server 91 urlrewrite 23 www.test1.com
    active
    !************************** SERVICE **************************
    service SSLWWW
    type ssl-accel
    slot 6
    keepalive type none
    add ssl-proxy-list ssl-list
    active
    service rprox1
    ip address 192.168.20.50
    protocol tcp
    port 80
    active
    service rprox2
    ip address 192.168.20.60
    protocol tcp
    port 80
    active
    !*************************** OWNER ***************************
    owner CMPA
    content HTTP_rule
    protocol tcp
    add service rprox1
    port 80
    url "//www.test.com/*"
    vip address 192.168.20.100
    content SSLrule2
    protocol tcp
    vip address 192.168.20.101
    application ssl
    add service SSLWWW
    port 443
    active
    content ssl
    vip address 192.168.20.100
    application ssl
    add service SSLWWW
    port 443
    protocol tcp
    active

  • ACE SSL Proxy performance issue

    Hi I've got an ACE module in a 6500 that is being used as an SSL Proxy For a web service.
    So the configuration is fairly basic: it matches a VIP which has been NATed from the public IP address port 443 and load balances over a number of rservers with the server ports being set to 80.
    The problem is the main web site is hosted elsewhere and so when they switch to checkout on a secure port the browser page requests multiple https:// files.
    The users are seeing very slow page loads, a considerable amount longer than the equivalent on http and more than you'd expect. The ACE is nowhere near any throughput or transaction limits.
    My concern is on how the session is tracked, would the ACE attempt to renegotiate with every https:// get? I've seen example configs for stickiness inserting cookies for normal end-end load balancing but not with an SSL proxy configuration.

    Hi Craig,
    The SSL negotiation/handshake will happen every time a client opens a new TCP connection, i.e. comes with a different source port.
    To make sure that ACE doesn't renegotiate you can try and use this command:
    (config-parammap-ssl)# session-cache timeout . You can use 24 hours or anytime you think is suitable.
    This is basically to enable SSL session reuse. A little explanation below for your reference:
    When a client connects to a server over SSL, the server creates a session for that connection. This session ID is sent as a part of the Server Hello message. This is to make things efficient, in case the client has any plans of closing the current connection and reconnecting in the near future. Most of the servers have a timeout for these sessions (I think 24 hours is a common value, unless pressed for space).
    When the client connects to the same server again, it can send the same session ID as a part of the Client Hello. The server will first look up if it can find any sessions with that ID. If found, the same session will be reused. Thus the time spent in verifying the certs and negotiating the keys is saved. If the server cannot find a matching session, then it responds with a new session ID and its certificate in the Server Hello message. The client knows that it has to verify the cert and negotiate the key again.
    Considerable amount of time is spent in validating server certs. Reusing SSL session will save this time.
    Having said that you need to check if the client is coming with a session ID which it got in previous handshake or not. If it doesn't and it is a new TCP connection then SSL handshake will happen. Please enable that command before testing.
    Also, ensure that you have allocated proper SSL resources to your context. Lack of resources can also cause dropped connections and sluggish performance.
    Regards,
    Kanwal

  • Ace ssl-proxy problem, Online store.

    Hello!
    I have a problem with moving our online store load balancing to a Cisco ACE solution from the Windows NLB that it runs on now, and also relieving the servers of the SSL encrypting and decrypting of sessions.
    The load balancing works as long as the session is HTTP, but when the "customer" comes to the point where he is going to pay, our shop jumps over to HTTPS and this is where the problem appears.
    The "customer" is getting the certificate right but the site is not displayed = the session to the shop seems to die.
    If I have missed something in the config or if someone has any other idea why this doesn't work for me..
    Appreciate any help!
    My config:
    (at the moment only web5 is in use)
    ACE-1/CO-WEB1# show run
    access-list ANY line 10 extended permit ip any any
    access-list icmp line 8 extended permit icmp any any
    probe http PROBE-HTTP
    interval 3
    passdetect interval 10
    passdetect count 2
    expect status 200 200
    expect status 300 323
    parameter-map type ssl SSLPARAMS
    cipher RSA_WITH_RC4_128_MD5
    rserver host vmware-server1
    description testserver1
    ip address 219.222.4.180
    probe PROBE-HTTP
    inservice
    rserver host vmware-server2
    description testserver 2
    ip address 219.222.4.181
    probe PROBE-HTTP
    inservice
    rserver host web5
    description testserver from windows nlb
    ip address 219.222.4.185
    probe PROBE-HTTP
    inservice
    ssl-proxy service SSL-PROXY-SE
    key cert-se.key
    cert cert-se.pem
    ssl advanced-options SSLPARAMS
    serverfarm host WM-ware_servers
    rserver vmware-server1
    inservice
    serverfarm host webtest
    description testserver-farm
    predictor leastconns
    rserver vmware-server1 80
    rserver vmware-server2 80
    rserver web5
    inservice
    sticky ip-netmask 255.255.255.0 address source STICKY-GROUP1
    timeout 60
    serverfarm webtest
    class-map match-all VIP-HTTP
    2 match virtual-address 219.222.4.178 tcp eq www
    class-map match-all VIP-HTTPS
    2 match virtual-address 219.222.4.178 tcp eq https
    class-map type management match-any icmp
    description for icmp reply
    2 match protocol icmp any
    policy-map type management first-match icmp
    class icmp
    permit
    policy-map type loadbalance first-match VIP-HTTP
    class class-default
    sticky-serverfarm STICKY-GROUP1
    policy-map type loadbalance first-match VIP-SSL
    class class-default
    serverfarm webtest
    policy-map multi-match SLB-VIP-HTTP
    class VIP-HTTP
    loadbalance vip inservice
    loadbalance policy VIP-HTTP
    loadbalance vip icmp-reply
    class VIP-HTTPS
    loadbalance vip inservice
    loadbalance policy VIP-SSL
    loadbalance vip icmp-reply
    ssl-proxy server SSL-PROXY-SE
    interface vlan 21
    description ### ACE OUTSIDE mot FW ###
    ip address 219.222.4.171 255.255.255.240
    access-group input ANY
    access-group output ANY
    service-policy input icmp
    service-policy input SLB-VIP-HTTP
    no shutdown
    interface vlan 22
    description ### ACE INSIDE Gateway for Web-servers ###
    ip address 219.222.4.177 255.255.255.240
    access-group input ANY
    access-group output ANY
    service-policy input icmp
    no shutdown
    ip route 0.0.0.0 0.0.0.0 219.222.4.161
    ACE-1/CO-WEB1#
    as seen in "show conn" the sessions is established, first when i enter site, and go to payment (jumping over to SSL):
    ACE-1/CO-WEB1# show conn
    total current connections : 4
    conn-id np dir proto vlan source destination state
    ----------+--+---+-----+----+---------------------+---------------------+------+
    4 1 in TCP 21 219.222.0.2:49972 219.222.4.178:443 ESTAB
    14 1 out TCP 22 219.222.4.185:443 219.222.0.2:49972 ESTAB
    11 2 in TCP 21 219.222.0.2:49923 219.222.4.178:80 ESTAB
    3 2 out TCP 22 219.222.4.185:80 219.222.0.2:49923 ESTAB
    ACE-1/CO-WEB1#

    Hello Krille
    I had the same problem.
    The HTTP probe you define will check whether the return code is
    expect status 200 200
    expect status 300 323
    Now if a user is accessing the https site, in the flow there will be a status like 404; the ACE then does not establish a sticky connection, because it thinks that the flow is not OK.
    The only output after the certificates is a blank site.
    If you change the probing to ICMP you will be able to access the https site and the connection is sticky. With a little tool like IE Watch you will be able to see the wrong status codes.
    regards
    eberhard

  • Modifying an "ssl-proxy-list" without disturbing the active sessions.

    Hello,
    I would like to know if it is possible to have two SSL modules installed in a CSS11503 with each one having its own "ssl-proxy-list" ("ssl-proxy-list list1" and "ssl-proxy-list list2"), but the two lists (list1 and list2) are exactly the same.
    I will explain my idea:
    In normal situation the two "ssl-proxy-list" are active and the user's encrypted sessions are load balanced between the two SSL modules. But when we need to make a change to the "ssl-proxy-list", like changing a server's certificate, I would like to be able to suspend one service (type ssl-accel with the "ssl-proxy-list List1" attached to it for example) and wait for all active sessions to terminate before suspending the "ssl-proxy-list list1" for applying the changes.
    Once the first "ssl-proxy-list" is updated I would make it active again and apply the same changes to the second "ssl-proxy-list".
    Doing it this way I would like to be able to upgrade the servers' certificate during working hours without disturbing the connected users...
    Do you think this way of doing it would be possible, or do you have another solution to modify an "ssl-proxy-list" without disturbing the active running sessions?
    Thank you for your answer,
    Best regards

    Hi Francois,
    An SSL proxy list may belong to multiple SSL services (one SSL proxy list per service), and an SSL service may belong to multiple content rules. You can apply the services to content rules that allow the CSS to direct SSL requests for content.
    The CSS supports one active SSL service for each SSL module in the CSS, one SSL service per slot. You can configure more than one SSL service for a slot but only a single SSL service can be active at a time.
    No modifications to an SSL proxy list are permitted on an active list. Suspend the list prior to making changes, and then reactivate the SSL proxy list once the changes are complete. Once you have modified the SSL proxy list, suspend the SSL service, reactivate the SSL proxy list, and then reactivate the SSL service.
    You can use maximum 4 different certificates at a time.
    Use the suspend command to suspend an active SSL proxy list.
    To suspend an active SSL proxy list, enter:
    (config-ssl-proxy-list[ssl_list1])# suspend
    Use the URL below for your reference:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.10/command/reference/CmdSSLC.html
    Kind regards,
    Sachin Garg
    Senior Specialist Security
    HCL Comnet Ltd.
    http://www.hclcomnet.co.in

  • Hosting Multiple SSL Sites on Separate IP Addresses

    Hosting Multiple SSL Sites on Separate IP Addresses
    I currently have a web server (XServe) hosting a number of different sites from its main IP address on port 80 using Apache 1.3. This has been working great, the ServerAdmin GUI has been pretty good about creating the appropriate Apache configs, and everybody is happy.
    I have one particular site that I want to use SSL with so I decided to purchase a cert (from GoDaddy). Since I have one other cert on the server assigned to the main server IP, I understand that the appropriate way to setup additional SSL certificates is to bind another IP address to the XServe and use that IP. I was unable to use ServerAdmin to install my new certificate (not surprisingly) probably since it is a chain certificate, however I have been able to do it by hand and it seems to be working as intended…mostly.
    This is where my problem begins. The site that I wanted to add SSL to is currently hosted on the main IP address (x.x.x.173:80) and the SSL certificate is working on the newly bound IP address (x.x.x.178:443). Fundamentally it would seem appropriate to change the IP address of the non-SSL site to match the new IP, except on port 80 – So I can achieve a seamless blend between standard and SSL (when necessary). The problem is that I can’t get Apache to work this way. Maybe I am missing a step, or overlooking something.
    Excerpt from current, working (non-SSL) config: (Names have been changed to protect the innocent.)
    <VirtualHost x.x.x.173:80>
    ServerName www.site.com
    ServerAdmin [email protected]
    DocumentRoot "/Library/WebServer/Documents/www.site.com"
    </VirtualHost>
    Excerpt from current, working (SSL) config:
    <VirtualHost x.x.x.178:443>
    ServerName www.site.com
    ServerAdmin [email protected]
    DocumentRoot "/Library/WebServer/Documents/www.site.com"
    </VirtualHost>
    Changing the first entry’s IP address to match the second one causes the site to be unresponsive (using the IP address to point the browser to the site) but the SSL version keeps working. Any suggestions would be greatly appreciated.
    Thanks,
    Jake
    PowerBook, XServe G5   Mac OS X (10.4.6)  

    Thanks for your reply Roger, here are the results that you’ve requested:
    I deleted a few lines that were redundant and unrelated (no errors)
    Results of apachectl configtest:
    Processing config directory: /etc/httpd/sites/*.conf
    Processing config file: /etc/httpd/sites/0012x.x.x.173_80www.site.com.conf
    Processing config file: /etc/httpd/sites/0016x.x.x.178_443www.site.com.conf
    Processing config file: /etc/httpd/sites/virtualhostglobal.conf
    [Thu Apr 6 09:06:27 2006] [warn] module mod_php4.c is already added, skipping
    Syntax OK
    Results from netstat -a -n | egrep 178:
    tcp4 0 0 x.x.x.178.53 . LISTEN
    udp4 0 0 x.x.x.178.123 .
    udp4 0 0 x.x.x.178.53 .
    Results from tail -f /var/log/httpd/error_log
    /etc/httpd/sites/0012x.x.x.173_80www.site.com.conf
    Processing gonfig file:
    /etc/httpd/sites/0016x.x.x.178_443www.site.com.conf
    Processing config file: /etc/httpd/sites/virtualhostglobal.conf
    [Thu Apr 6 09:21:10 2006] [warn] module mod_php4.c is already added, skipping
    [Thu Apr 6 09:21:10 2006] [notice] Apache/1.3.33 (Darwin) PHP/4.3.11 mod_ssl/2.8.24 OpenSSL/0.9.7i configured -- resuming normal operations
    [Thu Apr 6 09:21:10 2006] [notice] Accept mutex: flock (Default: flock)
    When I try to hit the site on port 80 http://x.x.x.178 there are no results, https://x.x.x.178 works great.
    Thanks again for your help, hopefully this can shed some light on my problem,
    Jake
    PowerBook, XServe G5 Mac OS X (10.4.6)

  • CSS SSL Proxy - how can I write the original source address in http header

    I'm replacing some BigIP's with CSS11500's that are configured to do front/backend ssl proxying in a one-armed configuration. The BigIP's write the original source IP address as a http header value when the traffic is sent to the application, and the application uses the IP to match against an application ACL. How can I do the same in the CSS.
    thanks,
    Brian

    here is what you can insert with the SSL module :
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a0080292a76.html#wp1027619
    Gilles.

  • Is there is any way that multiple SSL identities out of a single DS instanc

    Hi All,
    I am facing bit challenging question:
    Is there any way that multiple SSL identities out of a single DS6.2 instance, and DS6.2 instances can't be convinced to replicate over SSL successfully using only a single shared SSL identity across many instances.
    I am trying to find out whether there is a way to use multiple SSL identities out of one instance of DS6.2, and configure accordingly, with the client-facing service using a shared common identity and replication using distinct identities.
    Thanks
    Pramod

    You can look at the code that that page (website) uses and create an overriding rule to set the cursor in [http://kb.mozillazine.org/userContent.css userContent.css] or [https://addons.mozilla.org/firefox/addon/2108 Stylish]
    See http://kb.mozillazine.org/Editing_configuration#How_to_edit_configuration_files
    Can you post a link?

  • Modifying an ssl-proxy-list

    Hi,
    I have 1 ssl-proxy-list with 3 virtual ssl servers defined. I also have the ssl-proxy-list added to several services. I need to add the following to each of the 3 servers:
    ssl-server 3 tcp server window 40960
    ssl-server 3 tcp virtual window 40960
    Sample of existing ssl-proxy-list:
    ssl-server 3
    ssl-server 3 rsakey DATA-test-su
    ssl-server 3 rsacert DATA-test-su
    ssl-server 3 vip address 10.1.5.14
    ssl-server 3 cipher rsa-with-rc4-128-md5 10.1.5.14 88
    ssl-server 3 urlrewrite 3 *
    ssl-server 3 ssl-queue-delay 0
    ssl-server 3 tcp virtual nagle disable
    My questions:
    1. When I suspend this list, is it best practice to do "no ssl-proxy-list LIST", modify in a notepad and re-paste, or just add to each server and then re-activate (active)?
    2. Does the order of the items in the list matter, like in an ACL?
    3. Will I require removing and re-adding it to each and every service that has it defined?
    4. Due to the rsakey and rsacert, will this change require a reboot of the CSS?
    Thank you in advance !!!
    M

    The frame below, sent by the client 2 minutes and 64 seconds later, has values of 40 and 01 for the same fields.
    - - - - - - - - - - - - - - - - - - - - Frame 945 - - - - - - - - - - - - - - - - - - - -
    Frame Status Source Address Dest. Address Size Rel. Time Delta Time Abs. Time Summary
    945 [161.44.175.145] [208.184.140.161] 153 0:02:35.533 0.001.228 10/19/2001 04:00:09
    PM TCP: D=443 S=3464 ACK=1374357434 SEQ=105608315 LEN=99 WIN=9520
    ----- DLC Header -----
    DLC:
    DLC:
    DLC: Frame 945 arrived at 16:00:09.5404; frame size is 153 (0099 hex) bytes.
    DLC: Destination = Station Cisco107AC01
    DLC: Source = Station Xircm2229D27
    DLC: Ethertype = 0800 (IP)
    DLC:
    ----- IP Header -----
    IP:
    IP:
    IP: Version = 4, header length = 20 bytes
    IP: Type of service = 00
    IP: 000. .... = routine
    IP: ...0 .... = normal delay
    IP: .... 0... = normal throughput
    IP: .... .0.. = normal reliability
    IP: .... ..0. = ECT bit - transport protocol will ignore the CE bit
    IP: .... ...0 = CE bit - no congestion
    IP: Total length = 139 bytes
    IP: Identification = 63628
    IP: Flags = 4X
    IP: .1.. .... = don't fragment
    IP: ..0. .... = last fragment
    IP: Fragment offset = 0 bytes
    IP: Time to live = 128 seconds/hops
    IP: Protocol = 6 (TCP)
    IP: Header checksum = 53C8 (correct)
    IP: Source address = [161.44.175.145]
    IP: Destination address = [208.184.140.161]
    IP: No options
    IP:
    ----- TCP header -----
    TCP:
    TCP:
    TCP: Source port = 3464
    TCP: Destination port = 443 (Https)
    TCP: Sequence number = 105608315
    TCP: Next expected Seq number= 105608414
    TCP: Acknowledgment number = 1374357434
    TCP: Data offset = 20 bytes
    TCP: Flags = 18
    TCP: ..0. .... = (No urgent pointer)
    TCP: ...1 .... = Acknowledgment
    TCP: .... 1... = Push
    TCP: .... .0.. = (No reset)
    TCP: .... ..0. = (No SYN)
    TCP: .... ...0 = (No FIN)
    TCP: Window = 9520 --------------- > this line is of your interest
    TCP: Checksum = E691 (correct)
    TCP: No TCP options
    TCP: [99 Bytes of data]
    TCP:
    Hope this will bring some useful information to you regarding your case.
    Still if you want to discuss any thing in this regard kindly revert back me.
    I will be very happy if I can be part of any further assistance.
    Please do not hesitate to revert back any time.
    Till then ,
    Kind Regards,

  • Apache 1.3.12 running with Raven SSL Proxy

    Hi All,
    I am currently having an issue clustering 2 WLS 5.1 sp8 app servers using Apache 1.3.12 with the Raven SSL 1.4.3 plugin. (All on Solaris 7)
    Here is my scenario:
    The cluster "seems" to work. A session is processed fine on its primary server, while the session information is replicated to the secondary server.
    Yet when we crash the primary server to test failover, all of the sessions on the primary server are lost and NOT processed by the secondary server. It is almost like the cookie was not updated to reflect that the primary had gone down, so the secondary server does not know it is now the primary.
    Any ideas? As long as the primary does not fail the system works fine, so I know the sessions are being directed to the correct server the rest of the time, just not during failover.
    NOTE: I have had no problems with failover using Apache Stronghold using the mod_wl_ssl.so proxy; this problem only seems to occur with the Apache using Raven SSL and the mod_wl_ssl_raven.so proxy. Is there a bug with this proxy?
    Thank you for any ideas.
    -Nick

    The Web server plug-ins do not natively support outbound SSL connections
    yet(i.e. SSL from the plug-in to WebLogic). This is a feature for version
    6.0. You can use SSL from the browser to Apache or from the browser to
    WebLogic directly.
    The majority of our customers use strict firewall rules to protect the
    traffic between Apache and WebLogic. If they are paranoid, they use an SSL
    proxy or a VPN product.
    Thanks,
    Michael
    Michael Girdley
    BEA Systems Inc
    "Josh Kwan" <[email protected]> wrote in message
    news:39d4e8a5$[email protected]..
    >
    Hello,
    I want to know how to connect Apache 1.3.12 with mod_ssl to BEA WebLogic 5.1.0 on Solaris via HTTPS. I have heard that this can only work over t3...
    is that true? If so, how can it be done securely? If that isn't the case,
    how can httpd.conf/weblogic.conf be configured on the Apache server to talk
    to the WebLogic server on port 7002? Both of the machines I am using are
    running Solaris 7 with necessary patches. I have installed SP5 for WebLogic
    and I have copied mod_wl.so and mod_wl_ssl.o to the Apache server for
    inclusion as modules.
    >
    The two servers communicate correctly over HTTP, but I want to be able to serve some JSPs via HTTPS from the WebLogic server through the Apache web
    server. I have generated all the required CA and server certificates for
    each server, and they both individually answer HTTPS requests, but do not
    work when an HTTPS request is sent to the Apache server for a JSP that is
    served from the WebLogic server. I read somewhere in the documentation for
    5.1.0 that WebLogic will communicate via HTTPS to various web and proxy
    servers.
    >
    Any help would be greatly appreciated... thanks!
    Regards,
    Josh Kwan
    Sr. Systems Engineer
    iXL

  • Invoke webservice behind ssl proxy

    Trying to connect to a webservice behind an SSL proxy with the following URL:
    https://ssl.xyz.com/is-db/cfc/listingservice.cfc?WSDL,DanaInfo=servername.int.com
    If I open this URL directly I get a clean XML page, but if I use it in a cfinvoke statement I get the following error:
    Could not generate stub objects for web service invocation.
    Name: https://ssl.xyz.com/is-db/cfc/listingservice.cfc?WSDL,DanaInfo=servername.int.com.
    WSDL: https://ssl.xyz.com/is-db/cfc/listingservice.cfc?WSDL,DanaInfo=servername.int.com.
    org.xml.sax.SAXException: Fatal Error: URI=null Line=15: The element type "link" must be terminated by the matching end-tag "".
    It is recommended that you use a web browser to retrieve and examine the requested WSDL document for correctness. If the requested WSDL document can't be retrieved or it is dynamically generated, it is likely that the target web service has programming errors.
    Anyone got an idea about that?
    Daniel

    We had the same problem. Our work around involved saving the
    WSDL locally and then using that to run the web service. As long as
    the WSDL contains a service port element, it will still send the
    data to the correct server.
    In order to ensure that the WSDL stayed up to date, we have a
    scheduled task that hits the server and downloads the WSDL on a
    regular basis. Of course, CFHTTP has problems with SSL as well, so
    you need to include 2 custom headers when you post. You should be
    able to find them by doing a search on cfhttp and SSL.

  • Bordermanager 3.8 SSL Proxy & Macintosh/Safari Browser

    Does anyone know if the Safari browser now included with the Mac OS X 10 is compatible with BM 3.8 SSL Proxy? The SSL Proxy we have set up works with all other PCs, but I can't get it to work with the Safari and I can't get an answer from either Novell or Apple as to whether this is even a supported configuration. All I get is a reference to the login page with an error that a secure connection cannot be made. I have a school client who was just given 180 of these IMAC notebooks by the State and I need to get them working through their Bordermanager. I see there are definitely some issues with IE and Macs with SSL Proxy. Is there another browser, such as Netscape, where this might work better.
    What about using a third party novell client for Macs (like from proform). Would that be able to use clntrust authentication instead or is it not a true client32? Thanks!!

    Hi Craig,
    you've misunderstood what I meant (I guess I should have worded it better).
    What I meant was:
    1. If you've already logged in (using another browser) Safari seems to work OK (but not necessarily for SSL)
    2. that (it looks like) the reason Safari can't be used to login is because it's not using the proxy for the SSL login page requests - and to login to BM you must use the proxy to make the login request.
    Safari error:
    Could not open the page.
    Could not open the page https://proxy:444/BM-Login/?%22http:...novell.com/%22 because Safari could not establish a secure connection to the server "proxy".
    Again, from this (and more) Safari is trying to Connect directly to https://proxy:444 - instead of requesting the entire URL from the BM proxy (proxy:8080).
    The same sort of problem can be created in other browsers by configuring them to not use a proxy for HTTPS/SSL requests.
    -Sandy
    "Craig Johnson" <[email protected]> wrote in message
    news:[email protected]..
    > In article <HLaLb.8715$[email protected]>, Sandy wrote:
    > > Once authenticated (using IE or Mozilla), Safari works through the proxy.
    > > (It looks like Safari is bypassing the proxy for SSL requests.)
    > >
    > Once a host is authenticated, a browser doesn't 'bypass' the ssl login, it is already authenticated. Once authenticated, the proxy holds the authentication association between the requesting IP and the user ID. Until the idle timeout expires, another authentication request is not sent to the browser from the proxy.
    >
    > Craig Johnson
    > Novell Support Connection SysOp
    > *** For a current patch list, tips, handy files and books on BorderManager, go to http://www.craigjconsulting.com ***
    >

  • Hello Apple community... I am trying to combine multiple pdf's into one, using preview, but when I drag the additional pages they show up as separate documents.

    I am trying to combine multiple pdf's into one, using preview, but when I drag the additional pages they show up as separate documents.  When I drag the doc in a line would show up in the past, and if I went above the line all was good.  It doesn't have a line, and no matter what I try I am having no success.
    Please help!

    According to an Apple Support article, unless there are unforeseen issues
    in file ownership or permissions, the combining of .PDFs should be simple.
    •OS X: Combining PDF documents using Preview - Apple Support
    There are a few variable and similar methods, some change with version
    of OS X in use; some vintage OS X may vary a little in the process...
    A variety of similar topics appear in search results, with terms:
    " mac os x combine pdf into one " such as this page shows...
    https://www.google.com/?gws_rd=ssl#q=mac%20os%20x%20combine%20pdf%20into%20one
    If the system is older than Mavericks there may be other methods to try.
    Suggestions are among linked results in the search. I see a few fair ones.
    •Here's another that offers generally similar suggestions...*  this info looks OK, extra links, do not:
    http://osxdaily.com/2014/06/27/how-to-join-multiple-pdf-files-into-a-single-pdf-document-in-mac-os-x/
    { note: avoid clicking on links to products in * this ^ page, since they likely will not help & may be adware prone }
    If you have a problem after trying other methods, based on an OS X
    your computer is running, post back with more exact information...
    Good luck & happy computing!
