ACE - Balance HTTP and sticky only SSL/TLS
Hi there,
I have a situation that I am trying to solve. We have a lot of services through ACE, but now I have to modify one of them, the PROXY servers.
I have six (6) servers working with Sticky, but with a MASK of 255.255.255.0, which produces an unbalanced situation sometimes, and that affects some servers depending on how many users are connected to that server. We have between 40K and 50K conns in that serverfarm, but in Sticky terms we have around 700 /24 subnets.
I want to modify the configuration, specifically the MASK to 255.255.255.255, which is going to increase Sticky resources a lot. But thinking about optimizing Sticky resources, I want to know if there is a way to select only e-commerce, Home Banking or other kinds of SSL/TLS traffic (always using port 80 through the proxy servers), so I could use Sticky only for connections that need it, and leave other HTTP traffic without this feature.
I'm sorry, maybe I'm asking a silly question, but I don't have the experience to make this configuration, and I will appreciate your help.
Here is the current configuration:
probe tcp HTTP
  description Keepalive web servers
  interval 20
  passdetect interval 30
rserver host Server1
  ip address 10.1.1.1
  inservice
rserver host Server2
  ip address 10.1.1.2
  inservice
rserver host Server3
  ip address 10.1.1.3
  inservice
rserver host Server4
  ip address 10.1.1.4
  inservice
rserver host Server5
  ip address 10.1.1.5
  inservice
rserver host Server6
  ip address 10.1.1.6
  inservice
serverfarm host PRX
  failaction purge
  predictor leastconns
  probe HTTP
  rserver Server1
    inservice
  rserver Server2
    inservice
  rserver Server3
    inservice
  rserver Server4
    inservice
  rserver Server5
    inservice
  rserver Server6
    inservice
sticky ip-netmask 255.255.255.0 address source sticky-PRX
  timeout 60
  serverfarm PRX
class-map match-any VIP-PRX
  2 match virtual-address 10.10.10.101 tcp eq www
policy-map type loadbalance first-match POLICY-L7-PRX
  class class-default
    sticky-serverfarm sticky-PRX
policy-map multi-match PRX-Balance
  class VIP-PRX
    loadbalance vip inservice
    loadbalance policy POLICY-L7-PRX
    loadbalance vip icmp-reply
interface vlan 100
  ip address 10.10.10.11 255.255.255.0
  alias 10.10.10.10 255.255.255.0
  peer ip address 10.10.10.12 255.255.255.0
  no normalization
  access-group output SOLO-SLB
  service-policy input PRX-Balance
Thanks
Alexis
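One way to keep source-IP stickiness only for the HTTPS that is tunnelled through the proxy, as an added example that is not from the original post or from Cisco: a forward proxy receives HTTPS from the browser as an HTTP CONNECT request, so an L7 class-map on the CONNECT method can send those connections to a /32 sticky group while plain HTTP falls through to the same serverfarm without creating a sticky entry. It assumes the rest of the configuration above is unchanged, that ACE evaluates the proxy CONNECT request line with `match http url ... method`, and the lines starting with `!` are annotations rather than ACE commands.

```text
! Added example, not from the original post: per-client (/32) sticky
! group used only by the CONNECT class below, so the sticky table
! holds one entry per HTTPS client instead of one per /24 subnet
sticky ip-netmask 255.255.255.255 address source sticky-PRX
  timeout 60
  serverfarm PRX

! HTTPS through a forward proxy arrives as "CONNECT host:443 HTTP/1.1";
! assumption: ACE matches that request line with "match http url"
class-map type http loadbalance match-any PRX-CONNECT
  description HTTPS tunnelled through the proxy servers
  2 match http url .* method CONNECT

! Same serverfarm for both classes: only CONNECT connections are pinned,
! plain HTTP is balanced by the leastconns predictor on every request
policy-map type loadbalance first-match POLICY-L7-PRX
  class PRX-CONNECT
    sticky-serverfarm sticky-PRX
  class class-default
    serverfarm PRX
```

Once the CONNECT tunnel is established the connection is opaque to ACE, so it stays on the chosen proxy for its lifetime; the sticky entry only matters for the client's next HTTPS connection within the 60-minute timeout.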
You might want to check out this new product called ITD.
Simple and faster solution:
ITD provides:
ASIC based multi-terabit/s L3/L4 load-balancing at line-rate
No service module or external L3/L4 load-balancer needed. Every N7k port can be used as load-balancer.
Redirect line-rate traffic to any devices, for example web cache engines, Web Accelerator Engines (WAE), video-caches, etc.
Capability to create clusters of devices, for example, Firewalls, Intrusion Prevention System (IPS), or Web Application Firewall (WAF), Hadoop cluster
IP-stickiness
Resilient (like resilient ECMP)
VIP based L4 load-balancing
NAT (available for EFT/PoC). Allows non-DSR deployments.
Weighted load-balancing
Load-balances to large number of devices/servers
ACL along with redirection and load balancing simultaneously.
Bi-directional flow-coherency. Traffic from A-->B and B-->A goes to same node.
Order of magnitude OPEX savings : reduction in configuration, and ease of deployment
Order of magnitude CAPEX savings : Wiring, Power, Rackspace and Cost savings
The servers/appliances don’t have to be directly connected to N7k
Monitoring the health of servers/appliances.
N + M redundancy.
Automatic failure handling of servers/appliances.
VRF support, vPC support, VDC support
Supported on both Nexus 7000 and Nexus 7700 series.
Supports both IPv4 and IPv6
N5k / N6k support : coming soon
Similar Messages
-
Require Only SSL/TLS Connections
I would like to require that only SSL/TLS connections be allowed to my server. This is not to be confused with wanting SSL client authentication. I had initially thought I could do this with ACI using authmethod="ssl", however after looking at the documentation closely and experimenting, this refers to client-based SSL authentication as well. I do have SSL/TLS set up correctly, I just want to disallow non-encrypted traffic.
In OpenLDAP I would merely state "security ssf=128" to require SSL/TLS-only connections.
Anyone know how to do this in Sun's Directory Server?
The reason I don't use a firewall (presumably to block port 389) or set the non-secure port to 0 is that this would disallow TLS on port 389. Hence all I could do is SSL and only 636. I would like to be able to allow only TLS on 389 and not allow non-TLS traffic.
-
Would like to disable HTTP and use only HTTPS yet I get side effects
Hello,
I have established a secure connection between the AS ABAP and AS Java.
I would like to assure that all communication between the servers uses https and for that, as a test, I have deactivated the http service using the SMICM transaction.
The only side effect I could recognize so far is that the Web Dynpro for ABAP stuff doesn't work through transaction SE80; the working area simply doesn't come up. If I activate HTTP again it is working.
Am I doing the right thing by disabling HTTP completely and if yes, what else do I need to do in order to prevent this side effect from happening?
Royhumuhumunukunukuapuaa wrote:
If I get some nice approvals on my app spree in 10 days, I would like to close Talbots and Abercrombie and Fitch store cards. Total CL for the 2 is $2,700 ($1,350 each) but I can make up for that closure and utilization loss by getting quite a bit more than those amounts on majors during my app spree. Talbots has only been open 4 months, A&F one year. I have other cards that are the same age or older so should not majorly affect AAoA. Thoughts? I know some will say don't close cards, but they're store cards and I don't need to be responsible for store cards I don't use.
If you have no use for them and don't foresee using them in the future then you should probably close them out. They won't affect your AAoA as the cards will stay in your reports for 10 years. No sense in keeping cards that you don't want just to take up room in your sock drawer. -
I have configured 3 different serverfarms including their real servers.
2 of them are with websites, the other 1 is with webservices.
I also have configured a sorry serverfarm and the included rserver.
On the sorry rserver I have configured 2 maintenance websites, each listening to a unique host header.
So for serverfarm A & B I have configured a separate maintenance website.
Now when I take rservers from serverfarm A or B down, the sorry server will get active for the needed farm.
However I can only reach 1 maintenance website. And even so, a URL used to reach farm A gets the maintenance site from B.
This is strange behaviour, doesn't a sorry server just accept requests with the host header requested by the client?
Also, when I put the rservers from A and B back into service I have to do a "clear sticky database all", otherwise the sorry server will remain active.
What is wrong here?
probe http EHIC-http
  description Test op WWW functionaliteit
  interval 10
  passdetect interval 30
  request method get url http://acc.site-B.nl/web/
  expect status 200 200
  header Host header-value "acc.site-B.nl"
  expect regex 1.8.0.2
probe http WWW-http
  description Test op WWW functionaliteit
  interval 10
  passdetect interval 30
  request method get url http://acc.site-A.nl/web/default.aspx
  expect status 200 200
  header Host header-value "acc.site-A.nl"
  expect regex v1.9.2.327
serverfarm host EHIC-FARM
  failaction purge
  predictor leastconns slowstart 30
  probe EHIC-http
  rserver ehic_server01.site-B.nl
    inservice
serverfarm host SORRY-FARM
  failaction purge
  predictor leastconns
  rserver sorrypage.site-C.nl
    inservice
serverfarm host WBS-FARM
  failaction purge
  predictor leastconns slowstart 30
  probe ICMP-PROBE
  rserver acc-wbs01v.site-D
    inservice
  rserver wbs_01.site-D
    inservice
  rserver wbs_02.site-D
    inservice
serverfarm host WWW-FARM
  failaction purge
  predictor leastconns slowstart 30
  probe WWW-http
  rserver acc-www01v.site-A
    inservice
  rserver acc_server01.site-A
    inservice
  rserver acc_server02.site-A
    inservice
sticky ip-netmask 255.255.255.255 address source EHIC-FARM-STICKY
  serverfarm EHIC-FARM backup SORRY-FARM
sticky ip-netmask 255.255.255.255 address source WWW-FARM-STICKY
  serverfarm WWW-FARM backup SORRY-FARM
class-map match-any EHIC-VIP
  2 match virtual-address 172.30.9.4 tcp eq https
  3 match virtual-address 172.30.9.4 tcp eq www
class-map match-any WBS-VIP
  6 match virtual-address 172.30.5.4 tcp eq www
  7 match virtual-address 172.30.5.4 tcp eq https
class-map match-any WWW-VIP
  2 match virtual-address 172.30.6.4 tcp eq www
  3 match virtual-address 172.30.6.4 tcp eq https
policy-map type loadbalance first-match EHIC-FARM-STICKY-BALANCE
  class class-default
    sticky-serverfarm EHIC-FARM-STICKY
policy-map type loadbalance first-match WBS-FARM-BALANCE
  class class-default
    serverfarm WBS-FARM
policy-map type loadbalance first-match WWW-FARM-STICKY-BALANCE
  class class-default
    sticky-serverfarm WWW-FARM-STICKY
policy-map multi-match LOADBALANCING-EHIC
  class EHIC-VIP
    loadbalance vip inservice
    loadbalance policy EHIC-FARM-STICKY-BALANCE
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options EHIC-PARAMETERS
policy-map multi-match LOADBALANCING-WBS
  class WBS-VIP
    loadbalance vip inservice
    loadbalance policy WBS-FARM-BALANCE
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options WBS-PARAMETERS
policy-map multi-match LOADBALANCING-WWW
  class WWW-VIP
    loadbalance vip inservice
    loadbalance policy WWW-FARM-STICKY-BALANCE
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options WWW-PARAMETERS
Regards,
Sebastian
Hi Gilles,
Here is our full config, I only changed some domain names.
I'll try to describe the problem again:
We have published a website by VIP 172.30.6.4.
We have another website published by VIP 172.30.9.4.
These websites are hosted by real servers configured in 2 serverfarms and can be reached from the internet (secured by an ASA).
For both of these farms I have configured a sorry server. This sorry server should serve a webpage containing a maintenance message whenever a farm goes down.
The sorry server is configured with 2 websites, each listening to a specific host header. This host header is the same as configured on the rservers for the specific farm, 172.30.6.4 or 172.30.9.4.
So what I am trying to accomplish is that I only need 1 sorry server to serve 2 sorry webpages, of course listening to a host header to get 2 different sorry pages returned.
Now when I take all real servers for both serverfarms down, except for the sorry server, I can only reach 1 sorry page.
For example, site A and B are down; when I try to reach site A I get to the sorry page of site A. But when I try to reach site B I also get served the sorry page of site A.
And also when I "inservice" all rservers again I have to do a "clear sticky database", otherwise the sorry server will remain active.
Now I have upgraded to the latest version of the ACE software, but I still have to test if the same problem persists, so I will give feedback on this later.
Regards,
Sebastian -
Hi all,
a question:
if I configure a serverfarm with backup servers
serverfarm host S_Das
  rserver DAS1
    backup-rserver DAS1_1
    inservice
  rserver DAS_1
    inservice standby
  rserver DAS2
    backup-rserver DAS2_1
    inservice
  rserver DAS_1
    inservice standby
sticky ip-netmask 255.255.255.255 address both SF_DAS
  timeout 10
  replicate sticky
  serverfarm S_Das
and rserver DAS1 goes down, what will the behaviour of sticky and balancing be?
Will new connections go towards DAS2, or does a tricky and clever sticky take precedence? (I mean persistence on DAS1_1, which is my backup server.)
tnx
Das
Hi Danilo,
If your primary rserver goes down, the sticky entries associated with that server will be automatically flushed from the sticky table so that all new incoming connections will be diverted to your backup rserver.
In case the primary rserver comes back then:
- Existing connections on the backup keep accessing the backup.
- For new connection requests ACE looks up sticky entries; if there's already an entry for the backup server the connection is sent to the standby rserver.
- If a new client request (connection) doesn't match any sticky entry for the backup rserver, ACE forwards this request to the primary.
In case you want to use the primary rserver for all the connections after it comes back to operational state, then the backup option would be configured like this:
rserver Primary
  ip address 10.10.10.2
  inservice
rserver Standby
  ip address 10.10.10.3
  inservice
serverfarm host Primary
  rserver Primary
    inservice
serverfarm host Standby
  rserver Standby
    inservice
policy-map type loadbalance http first-match slb
  class class-default
    serverfarm Primary backup Standby
HTH -
Load Balance Reverse Proxy using ACE and HTTP Header Sticky
Dear all,
I have a reverse proxy that makes HTTP and HTTPS requests to an ACE.
To implement persistence I want to configure HTTP HEADER stickiness using the X-Forwarded-For information but I don't know:
How to implement it (I'll appreciate a little example about it).
Which values I need for the OFFSET and LENGTH fields.
Can you help me please?
Thanks a lot!!
Hi Cesar.
Thanks a lot for your answer but I think you misunderstand the question or I'm not explaining very well.
I don't need to insert anything.
The serverfarm X will be accessed by a reverse proxy. This reverse proxy already inserts the X-Forwarded-For header, so the request from the reverse proxy comes with this header to the serverfarm X.
The problem is that now, the serverfarm X stickies the client based on source IP. This is a wrong behavior because all the requests come from the same source (Reverse proxy) and all the load forwards to the same real IP address.
This is why I want to change the sticky from source IP to HTTP header and look for the X-Forwarded-For field.
Hope it will clarify the question! -
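An HTTP-header sticky group keyed on X-Forwarded-For, as an added example rather than anything posted in the thread, so that persistence follows the original client address the reverse proxy inserts instead of the proxy's own source IP. It assumes the serverfarm is named X as in the question and an existing L7 policy named POLICY-L7-X; offset 0 starts at the beginning of the header value, and length 15 covers the longest dotted-quad IPv4 address (which also keys on only the first address if the proxy appends to an existing comma-separated list). Lines starting with `!` are annotations, not ACE commands.

```text
! Added example, not from the thread: persistence keyed on the
! X-Forwarded-For value set by the reverse proxy (serverfarm X assumed)
sticky http-header X-Forwarded-For STICKY-XFF
  header offset 0 length 15
  timeout 30
  serverfarm X

! Replace the source-IP sticky group with the header-based one
policy-map type loadbalance first-match POLICY-L7-X
  class class-default
    sticky-serverfarm STICKY-XFF
```

Because the sticky key is now a client-supplied header, keep the VIP reachable only from the reverse proxy (as the question's setup already does), since a client that could reach the VIP directly could set its own header value.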
Both http and https on struts in tomcat using SSL
I want to apply both http and https as needed, on a single web application on struts. My server is tomcat. I need complete documentation. Someone help me please.
If you are terminating SSL on ACE then there is no way to do it with one policy because of the ssl-proxy command. However it is possible to use the same serverfarm with two VIPs like this:
access-list ACL line 10 extended permit ip any any
rserver host TEST
  ip address 20.20.2.11
  inservice
serverfarm host TEST
  rserver TEST
    inservice
ssl-proxy service SSL_SERVER
  key KEY12.PEM
  cert CERT12.PEM
class-map match-any SSL
  2 match virtual-address 10.10.2.101 tcp eq https
class-map match-any HTTP
  2 match virtual-address 10.10.2.101 tcp eq http
policy-map type loadbalance first-match L7_POL
  class class-default
    serverfarm TEST
policy-map multi-match L7
  class SSL
    loadbalance vip inservice
    loadbalance policy L7_POL
    loadbalance vip icmp-reply
    ssl-proxy server SSL_SERVER
  class HTTP
    loadbalance vip inservice
    loadbalance policy L7_POL
    loadbalance vip icmp-reply
interface vlan 210
  ip address 10.10.2.1 255.255.255.0
  service-policy input L7
  access-group input ACL
  no shutdown
interface vlan 220
  ip address 20.20.2.1 255.255.255.0
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.90.15.1
However, if you are not doing SSL termination on ACE and you are just doing L4 load-balancing, you will most likely need to configure SSL stickiness, which again leads to having separate policies because of the sticky serverfarms which need separate loadbalance policy lines. -
I have no experience with SharePoint at all, but this is what I observed.
I am intermittently getting this error message on my SharePoint: could not establish trust relationship for the SSL/TLS secure channel. Remote certificate is invalid according to the validation procedure.
[Screenshot of the error]
This is the SharePoint page layout.
I have Report.aspx, and below is the content of the aspx file.
The URL is http://sharepoint.COMPANY.com/Pages/Report.aspx.
The URL is intranet only.
The SharePoint is hosted in SERVER1 and the SSRS is hosted in SERVER2.
I observed this error happens on both HTTP and HTTPS: http://sharepoint.COMPANY.com/Pages/Report.aspx OR https://sharepoint.COMPANY.com/Pages/Report.aspx
So far, the step I did was to follow this blog http://krishnasangani.blogspot.ca/2013/06/the-remote-certificate-is-invalid.html and restart IIS in SERVER1 AND SERVER2, but the problem persists. Another thing I have done is to click the certificate in Internet Explorer and everything looks ok on that side too (certificate is valid).
It seems to only happen earlier during the morning, then it fixes itself around 9 o'clock. It has been ongoing for about 2 weeks. Please help troubleshooting this.
<%@ Page Inherits="Microsoft.SharePoint.Publishing.TemplateRedirectionPage,Microsoft.SharePoint.Publishing,Version=14.0.0.0,Culture=neutral,PublicKeyToken=71e9bsasdasdasd9c" %> <%@ Reference VirtualPath="~TemplatePageUrl" %> <%@ Reference VirtualPath="~masterurl/custom.master" %><%@ Register Tagprefix="SharePoint" Namespace="Microsoft.SharePoint.WebControls" Assembly="Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bsasdasdasd9c" %>
<html xmlns:mso="urn:schemas-microsoft-com:office:office" xmlns:msdt="uuid:547SF010-65B3-11d1-A29F-00457845FFSW"><head>
<!--[if gte mso 9]><SharePoint:CTFieldRefs runat=server Prefix="mso:" FieldList="FileLeafRef,Comments,PublishingStartDate,PublishingExpirationDate,PublishingContactEmail,PublishingContactName,PublishingContactPicture,PublishingPageLayout,PublishingVariationGroupID,PublishingVariationRelationshipLinkFieldID,PublishingRollupImage,Audience,PublishingPageImage,PublishingPageContent,SummaryLinks,ArticleByLine,ArticleStartDate,PublishingImageCaption,HeaderStyleDefinitions"><xml>
<mso:CustomDocumentProperties>
<mso:PublishingContact msdt:dt="string">8</mso:PublishingContact>
<mso:HeaderStyleDefinitions msdt:dt="string"></mso:HeaderStyleDefinitions>
<mso:display_urn_x003a_schemas-microsoft-com_x003a_office_x003a_office_x0023_PublishingContact msdt:dt="string">First Last Name</mso:display_urn_x003a_schemas-microsoft-com_x003a_office_x003a_office_x0023_PublishingContact>
<mso:PublishingContactPicture msdt:dt="string"></mso:PublishingContactPicture>
<mso:PublishingContactName msdt:dt="string"></mso:PublishingContactName>
<mso:ContentTypeId msdt:dt="string">0x010100C568DB5SDH48375LKNSDFG8340JKRG8034U6NEGK8TNGE8U34NIOGE8355H3358TRNG38G43JIOEG0T3JIGE9034340R8J05T4I54T4J8903HH5640K9445G54HH6564H65665</mso:ContentTypeId>
<mso:Comments msdt:dt="string"></mso:Comments>
<mso:PublishingContactEmail msdt:dt="string"></mso:PublishingContactEmail>
<mso:PublishingPageLayout msdt:dt="string">https://sharepoint.COMPANY.com/_catalogs/masterpage/PageFromDocLayout.aspx, Body only</mso:PublishingPageLayout>
<mso:PublishingPageContent msdt:dt="string"><div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read a74e0591-4ee6-4837-935a-3c932a967fac" id="div_a74e0591-4ee6-4837-935a-3c932a967fac"></div>
<div id="vid_a74e0591-4ee6-4837-935a-3c932a967fac" style="display:none"></div></div>
<div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read e97fce7c-b702-4530-ae50-16ea77475fd5" id="div_e97fce7c-b702-4530-ae50-16ea77475fd5"></div>
<div id="vid_e97fce7c-b702-4530-ae50-16ea77475fd5" style="display:none"></div></div>
</mso:PublishingPageContent>
<mso:PublishingRollupImage msdt:dt="string"></mso:PublishingRollupImage>
<mso:RequiresRouting msdt:dt="string">False</mso:RequiresRouting>
</mso:CustomDocumentProperties>
</xml></SharePoint:CTFieldRefs><![endif]-->
<title>Report</title></head>
A few questions I have in mind: any pointer to troubleshoot this problem, AND by looking at the ASPX file, would you be able to determine what method my SharePoint page is calling the SSRS report with (integrated mode, native mode, IEFrame)? The reason I am asking this is that maybe if I google using the right terminology I can get to a similar problem and solution.
Thanks
Please let us know if your SharePoint communicates to an external service via HTTPS.
SharePoint communicates to an external service via HTTPS
Please try to perform the following steps:
The fix is to set up a trust between SharePoint and the server requiring certificate validation.
In SharePoint Central Administration site, go to “Security” and then “Manage Trust”. Upload the certificates to SharePoint. The key is to get both the root and subordinate certificates on to SharePoint.
The steps to get the certificates from the remote server hosting the WCF service are as follows:
1. Browse from IE to the WCF service (e.g., https://remotehost/service.svc?wsdl)
2. Right click on the browser body and choose “Properties” and then “Certificates” and then “Certificate Path”.
This tells you the certificate chain that's required by the other server in order to communicate with it properly. You can double-click on each level in the certificate chain to go to that particular certificate, then click on the "Details" tab, "Copy to File" to save the certificate with the default settings.
As an example, get both VeriSign & VeriSign Class 3 Extended Validation SSL CA.
reference : http://blogs.technet.com/b/sharepointdevelopersupport/archive/2013/06/13/could-not-establish-trust-relationship-for-ssl-tls-secure-channel.aspx
If my contribution helps you, please click Mark As Answer on that post and
Vote as Helpful
Thanks, ShankarSingh(MCP) -
I have been using Firefox for a long time as my browser and typically play Pandora while at my office most days. For the first time today I received a pop-up message "Pandora believes your browser does not support modern SSL/TLS. Consider upgrading your browser" when I logged on to Pandora. I checked and I am on the latest version of Mozilla Firefox. I am unable to control volume or log out of Pandora now. I did some google searches and found Mozilla disabled SSL 3.0 due to a "POODLE" attack. Does that mean that I can no longer use Firefox as my browser when I want to listen to music on Pandora or is there "a fix"? Thanks!
Mozilla Firefox as of Firefox 34 has the vulnerable SSL 3.0 disabled and only allows for TLS 1.0 at minimum to 1.2 now.
https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
So Pandora is incorrect if they believe Firefox is not safe to use.
Actually Pandora potentially needs to do a bit of upgrading themselves.
https://www.ssllabs.com/ssltest/analyze.html?d=www.pandora.com&s=208.85.40.50 -
Solaris 8, pam_ldap and SSL/TLS
Has anyone got experience compiling and installing pam_ldap (padl version) with SSL/TLS support on Solaris 8? I tried compiling pam_ldap with the Netscape LDAP SDK, but it failed to compile ldap_ssl.h. So I am wondering... is that something I can do on Solaris 8? (I am using iDS 5.1)
Error received on compilation:
# ./configure --with-ldap-lib=netscape5 --with-ldap-dir=/ldapsdk
loading cache ../config.cache
checking host system type... sparc-sun-solaris2.8
checking target system type... sparc-sun-solaris2.8
checking build system type... sparc-sun-solaris2.8
checking for a BSD compatible install... ../install-sh -c
checking whether build environment is sane... yes
checking for mawk... no
checking for gawk... no
checking for nawk... nawk
checking whether make sets ${MAKE}... yes
checking for working aclocal... missing
checking for working autoconf... found
checking for working automake... missing
checking for working autoheader... found
checking for working makeinfo... missing
checking for gnutar... no
checking for gtar... no
checking for tar... tar
checking for gcc... gcc
checking whether the C compiler (gcc ) works... yes
checking whether the C compiler (gcc ) is a cross-compiler... no
checking whether we are using GNU C... yes
checking whether gcc accepts -g... yes
checking how to run the C preprocessor... gcc -E
checking for a BSD compatible install... ../install-sh -c
checking for security/pam_appl.h... yes
checking for security/pam_misc.h... no
checking for security/pam_modules.h... yes
checking for pam/pam_appl.h... no
checking for pam/pam_misc.h... no
checking for pam/pam_modules.h... no
checking for des.h... no
checking for crypt.h... yes
checking for lber.h... yes
checking for ldap.h... yes
checking for ldap_ssl.h... yes
checking for main in -ldl... yes
checking for main in -lpam... yes
checking for main in -lresolv... yes
checking for main in -lcrypt... yes
checking for main in -lnsl... yes
checking for gethostbyname... yes
checking for main in -lldap50... yes
checking for main in -lpthread... yes
checking for ldap_init... yes
checking for ldap_get_lderrno... yes
checking for ldap_set_lderrno... yes
checking for ldap_parse_result... yes
checking for ldap_memfree... yes
checking for ldap_controls_free... yes
checking for ldap_set_option... yes
checking for ldap_get_option... yes
checking for ldapssl_init... yes
checking for ldap_start_tls_s... no
checking for ldap_pvt_tls_set_option... no
checking for ldap_initialize... no
checking for gethostbyname_r... yes
checking whether gethostbyname_r takes 6 arguments... 5
checking for ldap_set_rebind_proc... yes
checking whether ldap_set_rebind_proc takes 3 arguments... 3
updating cache ../config.cache
creating ./config.status
creating Makefile
creating config.h
# make
cd . && /padl/pam_ldap-161/missing aclocal
WARNING: `aclocal' is missing on your system. You should only need it if
you modified `acinclude.m4' or `configure.in'. You might want
to install the `Automake' and `Perl' packages. Grab them from
any GNU archive site.
cd . && /padl/pam_ldap-161/missing automake --gnu Makefile
WARNING: `automake' is missing on your system. You should only need it if
you modified `Makefile.am', `acinclude.m4' or `configure.in'.
You might want to install the `Automake' and `Perl' packages.
Grab them from any GNU archive site.
cd . && autoconf
/bin/sh ../config.status --recheck
running /bin/sh ./configure --with-ldap-lib=netscape5 --with-ldap-dir=/ldapsdk --no-create --no-recursion
checking build system type... sparc-sun-solaris2.8
checking host system type... sparc-sun-solaris2.8
checking target system type... sparc-sun-solaris2.8
checking for a BSD-compatible install... ../install-sh -c
checking whether build environment is sane... yes
checking for gawk... no
checking for mawk... no
checking for nawk... nawk
checking whether make sets $(MAKE)... yes
checking for working aclocal... missing
checking for working autoconf... found
checking for working automake... missing
checking for working autoheader... found
checking for working makeinfo... missing
checking for gnutar... no
checking for gtar... no
checking for tar... tar
checking for gcc... gcc
checking for C compiler default output... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ANSI C... none needed
checking how to run the C preprocessor... gcc -E
checking for a BSD-compatible install... ../install-sh -c
checking for egrep... egrep
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... no
checking for unistd.h... yes
checking security/pam_appl.h usability... yes
checking security/pam_appl.h presence... yes
checking for security/pam_appl.h... yes
checking security/pam_misc.h usability... no
checking security/pam_misc.h presence... no
checking for security/pam_misc.h... no
checking security/pam_modules.h usability... no
checking security/pam_modules.h presence... yes
configure: WARNING: security/pam_modules.h: present but cannot be compiled
configure: WARNING: security/pam_modules.h: check for missing prerequisite headers?
configure: WARNING: security/pam_modules.h: proceeding with the preprocessor's result
configure: WARNING: ## ------------------------------------ ##
configure: WARNING: ## Report this to [email protected]. ##
configure: WARNING: ## ------------------------------------ ##
checking for security/pam_modules.h... yes
checking pam/pam_appl.h usability... no
checking pam/pam_appl.h presence... no
checking for pam/pam_appl.h... no
checking pam/pam_misc.h usability... no
checking pam/pam_misc.h presence... no
checking for pam/pam_misc.h... no
checking pam/pam_modules.h usability... no
checking pam/pam_modules.h presence... no
checking for pam/pam_modules.h... no
checking des.h usability... no
checking des.h presence... no
checking for des.h... no
checking crypt.h usability... yes
checking crypt.h presence... yes
checking for crypt.h... yes
checking lber.h usability... yes
checking lber.h presence... yes
checking for lber.h... yes
checking ldap.h usability... yes
checking ldap.h presence... yes
checking for ldap.h... yes
checking ldap_ssl.h usability... no
checking ldap_ssl.h presence... yes
configure: WARNING: ldap_ssl.h: present but cannot be compiled
configure: WARNING: ldap_ssl.h: check for missing prerequisite headers?
configure: WARNING: ldap_ssl.h: proceeding with the preprocessor's result
configure: WARNING: ## ------------------------------------ ##
configure: WARNING: ## Report this to [email protected]. ##
configure: WARNING: ## ------------------------------------ ##
checking for ldap_ssl.h... yes
checking for main in -ldl... yes
checking for main in -lpam... yes
checking for main in -lresolv... yes
checking for main in -lcrypt... yes
checking for main in -lnsl... yes
checking for gethostbyname... yes
checking for main in -lldap50... yes
checking for main in -lpthread... yes
checking for ldap_init... yes
checking for ldap_get_lderrno... yes
checking for ldap_set_lderrno... yes
checking for ldap_parse_result... yes
checking for ldap_memfree... yes
checking for ldap_controls_free... yes
checking for ldap_set_option... yes
checking for ldap_get_option... yes
checking for ldapssl_init... yes
checking for ldap_start_tls_s... no
checking for ldap_pvt_tls_set_option... no
checking for ldap_initialize... no
checking for gethostbyname_r... yes
checking whether gethostbyname_r takes 6 arguments... 5
checking for ldap_set_rebind_proc... yes
checking whether ldap_set_rebind_proc takes 3 arguments... 3
configure: creating ../config.status
cd . \
&& CONFIG_FILES=Makefile CONFIG_HEADERS= /bin/sh ./config.status
config.status: creating Makefile
config.status: executing default-1 commands
gcc -DHAVE_CONFIG_H -DLDAP_REFERRALS -D_REENTRANT -I/ldapsdk/include -g -O2 -Wall -fPIC -c -o pam_ldap.o pam_ldap.c
gcc -DHAVE_CONFIG_H -DLDAP_REFERRALS -D_REENTRANT -I/ldapsdk/include -g -O2 -Wall -fPIC -c -o md5.o md5.c
/usr/ccs/bin/ld -o pam_ldap.so -B dynamic -M ../exports.solaris -G -B group -lc -L/ldapsdk/lib -R/ldapsdk/lib pam_ldap.o md5.o -lpthread -lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 -lnsl -lcrypt -lresolv -lpam -ldl
cd . && autoheader
WARNING: Using auxiliary files such as `acconfig.h', `config.h.bot'
WARNING: and `config.h.top', to define templates for `config.h.in'
WARNING: is deprecated and discouraged.
WARNING: Using the third argument of `AC_DEFINE' and
WARNING: `AC_DEFINE_UNQUOTED' allows to define a template without
WARNING: `acconfig.h':
WARNING: AC_DEFINE([NEED_MAIN], 1,
WARNING: [Define if a function `main' is needed.])
WARNING: More sophisticated templates can also be produced, see the
WARNING: documentation.
cd . \
&& CONFIG_FILES= CONFIG_HEADERS=config.h \
/bin/bash ../config.status
config.status: creating config.h
config.status: executing default-1 commandsHas anyone got the experience of compiling and installing pam_ldap (padl version) with ssl/tls support on Solaris 8? I tried compiling pam_ldap with Netscape LDAP SDK, but it failed to compile ldap_ssl.h . So I am wondering... is that something I can do on solaris 8? (I am using iDS 5.1)
Error received on compilation:
# ./configure --with-ldap-lib=netscape5 --with-ldap-dir=/ldapsdk
loading cache ../config.cache
checking host system type... sparc-sun-solaris2.8
checking target system type... sparc-sun-solaris2.8
checking build system type... sparc-sun-solaris2.8
checking for a BSD compatible install... ../install-sh -c
checking whether build environment is sane... yes
checking for mawk... no
checking for gawk... no
checking for nawk... nawk
checking whether make sets ${MAKE}... yes
checking for working aclocal... missing
checking for working autoconf... found
checking for working automake... missing
checking for working autoheader... found
checking for working makeinfo... missing
checking for gnutar... no
checking for gtar... no
checking for tar... tar
checking for gcc... gcc
checking whether the C compiler (gcc ) works... yes
checking whether the C compiler (gcc ) is a cross-compiler... no
checking whether we are using GNU C... yes
checking whether gcc accepts -g... yes
checking how to run the C preprocessor... gcc -E
checking for a BSD compatible install... ../install-sh -c
checking for security/pam_appl.h... yes
checking for security/pam_misc.h... no
checking for security/pam_modules.h... yes
checking for pam/pam_appl.h... no
checking for pam/pam_misc.h... no
checking for pam/pam_modules.h... no
checking for des.h... no
checking for crypt.h... yes
checking for lber.h... yes
checking for ldap.h... yes
checking for ldap_ssl.h... yes
checking for main in -ldl... yes
checking for main in -lpam... yes
checking for main in -lresolv... yes
checking for main in -lcrypt... yes
checking for main in -lnsl... yes
checking for gethostbyname... yes
checking for main in -lldap50... yes
checking for main in -lpthread... yes
checking for ldap_init... yes
checking for ldap_get_lderrno... yes
checking for ldap_set_lderrno... yes
checking for ldap_parse_result... yes
checking for ldap_memfree... yes
checking for ldap_controls_free... yes
checking for ldap_set_option... yes
checking for ldap_get_option... yes
checking for ldapssl_init... yes
checking for ldap_start_tls_s... no
checking for ldap_pvt_tls_set_option... no
checking for ldap_initialize... no
checking for gethostbyname_r... yes
checking whether gethostbyname_r takes 6 arguments... 5
checking for ldap_set_rebind_proc... yes
checking whether ldap_set_rebind_proc takes 3 arguments... 3
updating cache ../config.cache
creating ./config.status
creating Makefile
creating config.h
# make
cd . && /padl/pam_ldap-161/missing aclocal
WARNING: `aclocal' is missing on your system. You should only need it if
you modified `acinclude.m4' or `configure.in'. You might want
to install the `Automake' and `Perl' packages. Grab them from
any GNU archive site.
cd . && /padl/pam_ldap-161/missing automake --gnu Makefile
WARNING: `automake' is missing on your system. You should only need it if
you modified `Makefile.am', `acinclude.m4' or `configure.in'.
You might want to install the `Automake' and `Perl' packages.
Grab them from any GNU archive site.
cd . && autoconf
/bin/sh ../config.status --recheck
running /bin/sh ./configure --with-ldap-lib=netscape5 --with-ldap-dir=/ldapsdk --no-create --no-recursion
checking build system type... sparc-sun-solaris2.8
checking host system type... sparc-sun-solaris2.8
checking target system type... sparc-sun-solaris2.8
checking for a BSD-compatible install... ../install-sh -c
checking whether build environment is sane... yes
checking for gawk... no
checking for mawk... no
checking for nawk... nawk
checking whether make sets $(MAKE)... yes
checking for working aclocal... missing
checking for working autoconf... found
checking for working automake... missing
checking for working autoheader... found
checking for working makeinfo... missing
checking for gnutar... no
checking for gtar... no
checking for tar... tar
checking for gcc... gcc
checking for C compiler default output... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ANSI C... none needed
checking how to run the C preprocessor... gcc -E
checking for a BSD-compatible install... ../install-sh -c
checking for egrep... egrep
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... no
checking for unistd.h... yes
checking security/pam_appl.h usability... yes
checking security/pam_appl.h presence... yes
checking for security/pam_appl.h... yes
checking security/pam_misc.h usability... no
checking security/pam_misc.h presence... no
checking for security/pam_misc.h... no
checking security/pam_modules.h usability... no
checking security/pam_modules.h presence... yes
configure: WARNING: security/pam_modules.h: present but cannot be compiled
configure: WARNING: security/pam_modules.h: check for missing prerequisite headers?
configure: WARNING: security/pam_modules.h: proceeding with the preprocessor's result
configure: WARNING: ## ------------------------------------ ##
configure: WARNING: ## Report this to [email protected]. ##
configure: WARNING: ## ------------------------------------ ##
checking for security/pam_modules.h... yes
checking pam/pam_appl.h usability... no
checking pam/pam_appl.h presence... no
checking for pam/pam_appl.h... no
checking pam/pam_misc.h usability... no
checking pam/pam_misc.h presence... no
checking for pam/pam_misc.h... no
checking pam/pam_modules.h usability... no
checking pam/pam_modules.h presence... no
checking for pam/pam_modules.h... no
checking des.h usability... no
checking des.h presence... no
checking for des.h... no
checking crypt.h usability... yes
checking crypt.h presence... yes
checking for crypt.h... yes
checking lber.h usability... yes
checking lber.h presence... yes
checking for lber.h... yes
checking ldap.h usability... yes
checking ldap.h presence... yes
checking for ldap.h... yes
checking ldap_ssl.h usability... no
checking ldap_ssl.h presence... yes
configure: WARNING: ldap_ssl.h: present but cannot be compiled
configure: WARNING: ldap_ssl.h: check for missing prerequisite headers?
configure: WARNING: ldap_ssl.h: proceeding with the preprocessor's result
configure: WARNING: ## ------------------------------------ ##
configure: WARNING: ## Report this to [email protected]. ##
configure: WARNING: ## ------------------------------------ ##
checking for ldap_ssl.h... yes
checking for main in -ldl... yes
checking for main in -lpam... yes
checking for main in -lresolv... yes
checking for main in -lcrypt... yes
checking for main in -lnsl... yes
checking for gethostbyname... yes
checking for main in -lldap50... yes
checking for main in -lpthread... yes
checking for ldap_init... yes
checking for ldap_get_lderrno... yes
checking for ldap_set_lderrno... yes
checking for ldap_parse_result... yes
checking for ldap_memfree... yes
checking for ldap_controls_free... yes
checking for ldap_set_option... yes
checking for ldap_get_option... yes
checking for ldapssl_init... yes
checking for ldap_start_tls_s... no
checking for ldap_pvt_tls_set_option... no
checking for ldap_initialize... no
checking for gethostbyname_r... yes
checking whether gethostbyname_r takes 6 arguments... 5
checking for ldap_set_rebind_proc... yes
checking whether ldap_set_rebind_proc takes 3 arguments... 3
configure: creating ../config.status
cd . \
&& CONFIG_FILES=Makefile CONFIG_HEADERS= /bin/sh ./config.status
config.status: creating Makefile
config.status: executing default-1 commands
gcc -DHAVE_CONFIG_H -DLDAP_REFERRALS -D_REENTRANT -I/ldapsdk/include -g -O2 -Wall -fPIC -c -o pam_ldap.o pam_ldap.c
gcc -DHAVE_CONFIG_H -DLDAP_REFERRALS -D_REENTRANT -I/ldapsdk/include -g -O2 -Wall -fPIC -c -o md5.o md5.c
/usr/ccs/bin/ld -o pam_ldap.so -B dynamic -M ../exports.solaris -G -B group -lc -L/ldapsdk/lib -R/ldapsdk/lib pam_ldap.o md5.o -lpthread -lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 -lnsl -lcrypt -lresolv -lpam -ldl
cd . && autoheader
WARNING: Using auxiliary files such as `acconfig.h', `config.h.bot'
WARNING: and `config.h.top', to define templates for `config.h.in'
WARNING: is deprecated and discouraged.
WARNING: Using the third argument of `AC_DEFINE' and
WARNING: `AC_DEFINE_UNQUOTED' allows to define a template without
WARNING: `acconfig.h':
WARNING: AC_DEFINE([NEED_MAIN], 1,
WARNING: [Define if a function `main' is needed.])
WARNING: More sophisticated templates can also be produced, see the
WARNING: documentation.
cd . \
&& CONFIG_FILES= CONFIG_HEADERS=config.h \
/bin/bash ../config.status
config.status: creating config.h
config.status: executing default-1 commands -
Windows Server 2003 and problem with SSL connection (TLS)
Hi,
We are facing a problem with SSL/TLS connections on a Windows Server 2003 SP2 machine.
We spent hours trying to solve it without any result.
SYMPTOMS
No SSL connection can be established in any application since last year, e.g.:
- we cannot do any Windows Update, because there is a time verification over SSL on the Windows Update website (there is an error that the time is incorrect, while it is up to date)
- we cannot open any website in Internet Explorer over https
- when we try to connect to the SQL Server (database SQL 2008 hosted on the same server) with Management Studio it fails with the error: "A connection was successfully established with the server, but then an error occurred during the pre-login handshake.(provider: SSL Provider, error: 0 - Could not contact LSA)(Microsoft SQL Server)"
- in a custom application which sends requests over https we receive the error: "Could not establish trust relationship for SSL/TLS secure channel"
Everything seems to point at some SSL problem somewhere deep inside Windows.
We installed several patches, but without any result.
Can anybody help?
Regards,
Dawid
Hi, thanks for the answers,
- In IE both SSL 2.0 and TLS 1.0 are checked. We tried to disable TLS 1.0 - with no results.
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel both SSL 2.0 and TLS 1.0 are enabled. We also tried to disable TLS 1.0 on the client side - with no results.
- In HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL, EventLogging is set to 3, so it should log warnings and errors. But we cannot find any related logs in the Event Log.
Unfortunately we are still in the same place. -
Will iOS 7.0.2 and iOS 8.1 devices running CardDAV clients work with CardDAV server that only supports TLS and deprecated SSL?
For those interested in upgrading your CardDAV and CalDAV servers and intending to deprecate SSL v3 on them, I can share and report that the iOS 7.1.2 and iOS 8.1 Contacts clients are able to do without SSL v3 and use TLS 1.1/1.2 for encryption to avoid POODLE attacks.
This is my experience and I thought it might be worthwhile to share.
Cheers! -
Configuration SAP EP systems in HTTPS and SSL
Hi,
Can anyone tell me about the configuration of SAP EP systems in HTTPS and SSL?
The scenario is Client --> Application gateway (Web Dispatcher) --> EP6
Regards,
Moulinath Ray
Hi,
Here are the steps we follow to secure our portal (EP 7.0):
Prerequisites:
- Download the SAP Cryptographic Toolkit at http://service.sap.com/swdc -> SAP Cryptographic Software -> SAP JAVA CryptoToolkit (J2EE Engine as of Release 6.30)
- Unzip it with SAPCAR
- Log on to SDM and deploy the file
- Check in Visual Admin -> Dispatcher/Server -> Libraries -> core_libs that iaik_jce.jar is included
- Look for the SSL Service in the Config Tool under Server and Dispatcher; it should be "always"
Steps:
- Asking for a certificate:
Visual Admin -> Cluster -> Server (central instance) -> Services -> Key storage -> Service_ssl -> Create
Fill in all the data, and be careful with the common name:
- It shouldn't have "http" or "https" in it
- It shouldn't have a port number in it
For example, for "https://www.myportal.domain:port", the common name should be "www.myportal.domain"
Visual Admin -> Key Storage -> service_ssl -> Select your certificate and "Generate CSR Request"
Send the file to a CA
- Importing the validated certificate:
Visual Admin -> Key Storage -> Import CSR Response
In each server, under SSL Provider, assign the certificate to port 50001 (in each Dispatcher)
Now the portal is secure, and you can check it.
A last step would be to export the certificate and send it to your network team, so they can import it on the load balancing server, reverse proxy, etc.
You can have a look at this link:
http://help.sap.com/saphelp_nw04/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm
Some thread links:
/message/5568001#5568001
/thread/853387
Regards,
Niraj
Edited by: Niraj Kumar on Jan 22, 2009 3:59 PM -
HTTP and HTTPS (SSL) at the same time?
Hi
In our company we will use SAP Portal as an external facing portal and as a portal that uses authorisation and authentication (logon). The question for us is: is it possible to run the EFP without SSL and the secured portal with SSL? Where do I find documentation?
Thanks
Christian Thulstrup
Hi Christian,
Yes, you can run the portal with HTTP and HTTPS at the same time - it's just a question of the URL you enter in the browser...
BUT:
If you access your portal with HTTPS, all content provided by the portal should be accessed with HTTPS too - otherwise you will get security warnings in IE and maybe some strange behavior of the integrated content. Session management to SAP backend systems will not work either...
Vice versa: if you access your portal with HTTP, all content should be accessed with HTTP... obviously...
So if your content for the external facing portal is completely separated from the internal content - yes, you can access the portal with different protocols.
If it is not separated - and that includes KM objects too - then better use one protocol for both only!!
Hth,
Michael -
Cisco ACE - Exempt HTTP URL from SSL Offloading
Hi,
I have a Cisco ACE module A2 (3.6). I am offloading the URL www.abc.com on the Cisco ACE. HTTP redirection to https is working, and over https I am able to browse the website perfectly. The real servers are redirecting some pages over http. Due to the page redirection from the webserver I have to exempt one URL (http://www.abc.com/modules/docs/abc.aspx) from SSL offloading. Is it possible, or as a workaround do I have to rewrite the complete URL www.abc.com to the SSL port?
Your input is highly appreciated.
Regards,
Hi Masif,
In case you have not gotten assistance with this one, you just need to specify the specific URL and match it on top of the loadbalance policy that is already doing the redirection.
class-map type http loadbalance match-any No-Redirect
  2 match http url /docs/abc.aspx
policy-map type loadbalance first-match ABC
  class No-Redirect
    serverfarm HTTP-Servers
  class class-default
    serverfarm Redirect
Hope this helps.
Pablo