ACE CLIENT CERTIFICATE INSERTION IN HEADER

Hi guys.
I have a doubt regarding the client cert insertion in the https header.
The exact problem is that in the old SSL module we had an option like this:
policy http-header cert_pass
     client-cert pem
As you can see, we configure the option to pass the complete certificate in pem format in one header.
I'm unable to find this option in ACE version 5.1(3).
Any idea?
Thanks!

Hi David,
Maybe I didn't understand. Is this what you are looking for? You can find it in the same link.
Configuring HTTP Header Insertion of SSL Client Certificate Information
When you configure the ACE for client authentication, you can instruct the ACE to provide the server with information about the client certificate that the ACE receives from the client. This SSL session information enables the server to properly manage the client request and can include certificate information such as the certificate serial number or the public key algorithm used to create the public key in the certificate. To forward the SSL session information to the server, the ACE inserts HTTP headers containing the client certificate fields that you specify into the HTTP requests that it receives over the client connection. The ACE then forwards the HTTP requests to the server.
Note: To prevent HTTP header spoofing, the ACE deletes any incoming HTTP headers that match one of the headers that it is going to insert into the HTTP request.
When you instruct the ACE to insert SSL client certificate information, by default, the ACE inserts the HTTP header information into every HTTP request that it receives over the client connection because persistence rebalance is enabled by default. If you do not want the ACE to insert the information into every HTTP request that it receives over the connection, disable persistence rebalance in an HTTP parameter map. You can also instruct the ACE to insert the information into every HTTP request that it receives over the connection by creating an HTTP parameter map with the header modify per-request command enabled. You then reference the parameter map in the policy map that the ACE applies to the traffic. For information about creating an HTTP parameter map, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide.
Note: You must have the ACE configured for client authentication to insert an HTTP header with SSL client certificate field information (see the "Enabling Client Authentication" section). If you configure header insertion but do not configure the ACE for client authentication, no header information is inserted and the counters that track the header insertion operation do not increment (see Chapter 6, "Displaying SSL Information and Statistics").
Regards,
Kanwal
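To make the two behaviours in the quoted documentation concrete, here is a small model of the insertion step, written as an added example for this page rather than taken from ACE or Cisco code. It takes a plain HTTP/1.1 request as the ACE would see it after decrypting the client connection, strips any client-supplied header whose name it is about to insert, and then adds the certificate fields. The header names (X-SSL-Client-Serial and so on), the certificate values and the two requests are constructed for the example; ACE lets you choose the header names, so these are not Cisco defaults.

```python
"""Model of a reverse proxy inserting client-certificate headers.

Added example for this page, not ACE or Cisco code. It reproduces the two
behaviours the quoted documentation describes: strip any incoming header whose
name the proxy is about to insert, then insert the certificate fields. Header
names, certificate values and the sample requests are all constructed here.
"""
from __future__ import annotations

# Assumed header names: ACE lets the operator choose them, these are not defaults.
CERT_HEADERS = {
    "X-SSL-Client-Serial": "serial_number",
    "X-SSL-Client-Subject": "subject",
    "X-SSL-Client-Key-Alg": "public_key_algorithm",
}

# Constructed certificate fields, as the proxy would hold them after verifying
# the client certificate in the TLS handshake.
CLIENT_CERT = {
    "serial_number": "1A2B3C",
    "subject": "CN=david,O=Example",
    "public_key_algorithm": "rsaEncryption",
}


def parse_request(raw: bytes) -> tuple[str, list[tuple[str, str]], bytes]:
    """Split a raw HTTP/1.1 request into request line, header list and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: list[tuple[str, str]] = []
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def serialize_request(request_line: str, headers: list[tuple[str, str]],
                      body: bytes) -> bytes:
    """Inverse of parse_request."""
    head = "\r\n".join([request_line, *(f"{name}: {value}" for name, value in headers)])
    return head.encode("latin-1") + b"\r\n\r\n" + body


def insert_cert_headers(raw: bytes, cert: dict[str, str],
                        cert_headers: dict[str, str] = CERT_HEADERS) -> bytes:
    """Strip client-supplied copies of the reserved headers, then insert ours."""
    request_line, headers, body = parse_request(raw)
    # HTTP header names are case-insensitive, so the comparison must be too;
    # otherwise "x-ssl-client-serial" from the client would slip past the filter.
    reserved = {name.lower() for name in cert_headers}
    kept = [(name, value) for name, value in headers if name.lower() not in reserved]
    for name, field in cert_headers.items():
        kept.append((name, cert[field]))
    return serialize_request(request_line, kept, body)


def process_connection(requests: list[bytes], cert: dict[str, str],
                       per_request: bool = True) -> list[bytes]:
    """Apply insertion to every request on a keep-alive connection, or, when
    per_request is False, only to the first one (the first-request-only mode
    the documentation describes when persistence rebalance is disabled)."""
    out = []
    for index, raw in enumerate(requests):
        if per_request or index == 0:
            out.append(insert_cert_headers(raw, cert))
        else:
            out.append(raw)  # model only: later requests pass through unmodified
    return out


def header_values(raw: bytes, name: str) -> list[str]:
    """All values of a header in a serialized request (case-insensitive)."""
    _, headers, _ = parse_request(raw)
    return [value for hdr, value in headers if hdr.lower() == name.lower()]


# Constructed keep-alive connection: the second request carries a forged,
# lowercase copy of the serial header, the spoofing the stripping rule targets.
SAMPLE_CONNECTION = [
    b"GET /account HTTP/1.1\r\nHost: app.example\r\n\r\n",
    b"GET /admin HTTP/1.1\r\nHost: app.example\r\n"
    b"x-ssl-client-serial: DEADBEEF\r\n\r\n",
]

if __name__ == "__main__":
    for forwarded in process_connection(SAMPLE_CONNECTION, CLIENT_CERT):
        print(forwarded.decode("latin-1"))
```

The second request of the constructed connection carries a lowercase copy of the serial header; with per-request insertion it is stripped and replaced, which is the spoofing case the note in the documentation refers to. With per_request=False the model leaves later requests untouched. That is only the model: the documentation quoted above does not say how ACE treats client-supplied copies on requests it does not modify, so check that on your own unit before a backend makes per-request decisions on these headers.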

Similar Messages

  • ACE module only inserting X-Forwarded header on first packet

    Hi,
    As above, I have a strange problem where if I use my proxy server to access an LB VIP then it is inserting the X-Forwarded header for each GET request.
    However if I make the request direct from my PC (not via Proxy) it inserts the header on the first packet but no subsequent packets unless I restart the browser.
    Any ideas?
    Thanks
    Scott

    Hi Scott,
    In the ACE documentation, check out the section on Configuring the ACE to Modify Headers on Every HTTP Request or Response.
    I hope this helps,
    Sean

  • Dreamweaver mx 2004 in a php file I insert in head the

    I use Dreamweaver MX 2004. Well, in a php file I insert in <head> the:
    <base href="http://www.Polis-Land.com/dialup" />
    but only images [the browser status bar shows this] that link to external popup windows; all other links show, e.g.:
    <a href="/villas/thalassa.php">THALASSA VILLAS - LATCHI</a>
    shows
    http://www.polis-land.com/villas/thalassa.php
    rather than
    http://www.polis-land.com/dialup/villas/thalassa.php
    which is the desired one. Well?
    You can find the php file at
    http://www.polis-land.com/dialup/villas/villas.php
    I have changed only one link. I tried
    <a href="villas/thalassa.php">THALASSA VILLAS - LATCHI</a>
    but it's the same thing...
    Please note that images show:
    http://www.polis-land.com/dialup#
    Well???

    All links in a template file must be correct based on the location of the Template file. DW will manage them for you when you spawn child pages.
    Murray --- ICQ 71997575
    Adobe Community Expert
    (If you *MUST* email me, don't LAUGH when you do so!)
    ==================
    http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
    http://www.dwfaq.com - DW FAQs, Tutorials & Resources
    ==================
    "Alan" <[email protected]> wrote in message news:C39E9C5B.2E6A11%[email protected]..
    >
    >> You mean make it:
    >> <a href="index.php">HOME</a>
    >
    > No. In the template file that's in the Template folder, it would be:
    > <a href="../index.php">HOME</a>
    >
    >> Can I use this template for the dsl mode (no base url)?
    >
    > Yes - if by that you mean them to be document relative links that actually go where they point.
    >
    > --
    > Alan
    > Adobe Community Expert, dreamweaver
    > http://www.adobe.com/communities/experts/

  • Not inserting Group Header

    Post Author: luvthehawks
    CA Forum: Publishing
    Crystal is not inserting the group header when I insert a new group. It's the same in a new or existing report.
    INSERT
    GROUP
    (Select field for new group)
    OK
    Crystal does insert a new group, but does not insert the group header field. If I insert the field into the blank group header, I can't sort by the group.
    I have been using Crystal Reports for some time, with no problems with inserting group header. This problem is new since I got a new computer. (Coincidence?)

    "Why will the group header not repeat on pages that are printing just the group footer?
    Have you some tricks to force the printing of the group header on a new page?"
    You can set the group header to NEW PAGE BEFORE, but if the group footer spans more than one page, the header will not repeat. It is just the way it is.
    Try setting the group header to new page before and put the info from the group header in the page header; see how that works for you.

  • Is it possible to insert a header/footer into a pages A5 size document?

    I'm trying to insert a header and/or a footer in an A5 size Pages document. In the A4 version it's there automatically, but in this A5 one it's not, and it's greyed out in the Insert drop-down menu. What am I doing wrong? Thanks

    There is no Menu > Insert > Header/Footer
    You get Headers/Footers in:
    Inspector > Document > Document > Document Margins > check Header/Footer
    Peter

  • ACE: dropped conns due to header insert

    My LB is dropping connections on port 443 when I have insert-http source header-value "%is" configured. Other ports such as 80 or 8080 are working. The config is the same for all ports.
    class-map match-any Service_VIP_Class
      4 match virtual-address 1.1.1.1 tcp eq https
    policy-map type loadbalance first-match Service_L7_Policy
      class class-default
        serverfarm Service_Serverfarm
        insert-http source header-value "%is"
    policy-map multi-match Service_LB_Policy
      class Service_VIP_Class
        loadbalance vip inservice
        loadbalance policy Service_L7_Policy
        loadbalance vip icmp-reply active
        loadbalance vip advertise active
    I see dropped conns on the service policy. When I remove the header insertion config, it connects ok.
    Please help!

    There is no way any device (including ACE) can open an https packet to insert anything.
    Only exception:
    You offload SSL using server keys and certs. Then make changes to the decrypted packet.
    Syed

  • ACE: wrong IP in HTTP header HEALTHCHECK packet

    Hi,
    I encounter a strange problem with ACE when the blade performs a HTTP healthcheck towards a RSERVER.
    Sometimes, ACE inserts in the HTTP header a strange IP address, other than the IP address of the rserver for which it performs a healthcheck.
    Anyone encountered the same problem?
    Thx, Wim

    Hi Gillis,
    I reported this issue to our integrator. I think they will open a cisco case right now.
    We are able to reproduce this problem. So, that might not be the problem to troubleshoot at this moment.
    For your information, we had version A1.6 running until last week. Now, we upgraded to A2, but the healthcheck issue is still present.
    I assume you'll be informed via the support case?

  • Custom Inserted HTTP Header not showing up in Iplanet Logs

    ALL:
    I have some iPlanet Enterprise/6.0 web servers sitting behind a LoadBalancer. The LoadBalancer is set up in 'one-armed mode', and takes a client HTTP request and passes it on to the server, but during this process changes the client source IP to that of a local static IP that the LoadBalancer has. Due to our setup we cannot change this.
    By changing the client source IP to a local address, we have lost any useful user session tracking that was done by source IP.
    To get around this, I have the LoadBalancer inserting an HTTP header with the client real source IP. Reading the NSAPI Programmer's Guide (Table 7-1 "http://docs.sun.com/source/816-5686-10/07_magnu.htm"), there is an option "%Req->headers.headername%" that can be used with 'flex-int' to log any header value.
    My output from snoop looks as follows:
    HTTP: ----- HyperText Transfer Protocol -----
    HTTP:
    HTTP: GET /plugin.do HTTP/1.1
    HTTP: OrigClientAddr:10.5.4.28
    HTTP: Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
    HTTP: Accept-Language: en-us
    HTTP: Accept-Encoding: gzip, deflate
    HTTP: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    HTTP:
    I have set the value to "%Req->headers.OrigClientAddr%" and it still does not show up in the log file. Any clues?
    Works fine in Apache with:
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{OrigClientAddr}i\" \"%{User-Agent}i\"" headerinsert
    CustomLog logs/access_log headerinsert

    Always nice to find resolution to one's own question.
    Fix was to change the header value to all lower case.
    From:
    "%Req->headers.OrigClientAddr%"
    To:
    "%Req->headers.origclientaddr%"

  • ACE - Load Balance insert cookie method for https

    I am trying to load balance between 2 web servers using the cookie insert method by ACE for achieving the session persistence. The servers are not inserting any cookie. It works fine for the http connections but when trying with https connection it is not working.
    Can anyone help me with this please.
    Is it that the ACE cookie insert method of session persistence will not work with https connections?

    Hi,
    1. for https you can use src ip as sticky (mega proxy problem).
    2. you can terminate ssl connection on ace (ssl between client and ace only, between ace and server it's clear) and you can use any L7 sticky (for example cookie)
    3. if you need ssl terminate up to real server, you can first terminate ssl between client and ace on ace, then use L7 sticky and after then terminate second ssl to real server.
    in other words, if you don't decrypt ssl on ace, you can use only L2/3 data for sticky (or ssl id for ssl v2.0)
    martin

  • Report Painter - how to insert sub header rows with no values

    In a report painter, I am designing a report with several rows with formulas. I need to insert a sub-header row in the middle of the rows. That will not have a value. It shall contain no value, but I am given only the options of either inserting a row of characteristics or a formula. I need neither of them. Can we have some Excel-like feature in report painter (4.6c) just to insert a sub-header row? If so, how do we get that?
    e.g
    ADMINISTRATIVE EXPENSES (how to insert this row?)
    Account 1 - 10

    Hi,
    try to add a formula row containing a formula like = +x -x.
    Maybe you can use "formatting / row" and use overscores / underscores to get a blank row (underscore one line, overscore the line that's following).
    No other idea...
    best regards, Christian

  • How to insert custom header in log files

    How i can insert a custom header in sun one 6.1 sp2 logging ( access logs)...
    In apache i can do it like :
    LogFormat "%v %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" X-Forwarded-For
    CustomLog /var/log/apache/www.example.com-xforwarded.log X-Forwarded-For
    so "X-Forwarded-For" header i want to put in the server access log file.
    Any idea's ?

    6.1 SP2 contains known security vulnerabilities that allow anyone to completely take over your web server. Unless you a) don't care what happens to your web server or b) trust everyone completely, you should install the latest service pack.
    That said, you can configure your log format string using the Server Manager UI or by manually editing the files in the config subdirectory. In both cases, adding \"%Req->headers.x-forwarded-for%\" to the log format string will tell the server to log the value of the X-Forwarded-For header. This is documented, albeit poorly.
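    Both this thread and the iPlanet thread above end with the load balancer's inserted client-address header landing in the access log, so here is an added example (not from either poster, nor from Apache or Sun) of what a log consumer should do with that field. The line layout follows the Apache LogFormat quoted in the iPlanet thread, with the inserted header as the first quoted field after the byte count; the X-Forwarded-For format in this thread puts the field right after %v, so the regex would need adjusting for it, but the value handling is the same. The comma-chain rule and the sample lines are constructed for the example.

```python
"""Reading a load-balancer-inserted client-address header out of access logs.

Added example for this page, not from either poster, Apache or Sun. The log
line layout follows the Apache LogFormat quoted in the iPlanet thread
(%h %l %u %t "%r" %>s %b "%{OrigClientAddr}i" "%{User-Agent}i"); the sample
lines below are constructed, not real traffic.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<client_hdr>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line: str) -> dict[str, str] | None:
    """Return the named fields of one access-log line, or None if it does not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def real_client_ip(header_value: str) -> str | None:
    """Address the load balancer placed in the header, or None.

    Assumption (X-Forwarded-For semantics, and the safe reading for any such
    header): the value may be a comma-separated chain to which each proxy
    appends, so only the rightmost element was written by the hop nearest to
    us, our own load balancer. Everything to its left came from the client or
    from proxies we do not control and is ignored. A rightmost element that is
    not a valid IP address yields None rather than falling back to
    client-controlled data.
    """
    if not header_value or header_value == "-":  # "-" is Apache's "header absent"
        return None
    last_hop = header_value.rsplit(",", 1)[-1].strip()
    try:
        return str(ipaddress.ip_address(last_hop))
    except ValueError:
        return None


def clients_by_ip(log_lines: list[str]) -> dict[str, int]:
    """Count requests per real client address; unusable lines are bucketed."""
    counts: Counter[str] = Counter()
    for line in log_lines:
        record = parse_line(line)
        if record is None:
            counts["unparsed"] += 1
            continue
        counts[real_client_ip(record["client_hdr"]) or "unknown"] += 1
    return dict(counts)


# Constructed lines. %h is always the load balancer's own address (10.5.4.1)
# because of the one-armed source NAT described in the thread; the inserted
# header carries the client. Line 2 shows a client that sent its own forged
# copy and the LB appending the true address; lines 3 and 4 are unusable.
SAMPLE_LOG = [
    '10.5.4.1 - - [23/Mar/2009:08:12:00 +0000] "GET /plugin.do HTTP/1.1" 200 512 '
    '"10.5.4.28" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '10.5.4.1 - - [23/Mar/2009:08:12:03 +0000] "GET /login HTTP/1.1" 302 - '
    '"203.0.113.9, 10.5.4.28" "curl/7.19.7"',
    '10.5.4.1 - - [23/Mar/2009:08:12:05 +0000] "GET /plugin.do HTTP/1.1" 200 512 '
    '"not-an-address" "curl/7.19.7"',
    '10.5.4.1 - - [23/Mar/2009:08:12:09 +0000] "GET /plugin.do HTTP/1.1" 200 512 '
    '"-" "curl/7.19.7"',
]

if __name__ == "__main__":
    for ip, count in sorted(clients_by_ip(SAMPLE_LOG).items()):
        print(f"{ip:16} {count}")
```

    The logged value is only as trustworthy as the load balancer makes it: if the LB overwrites the header (or strips client-sent copies before inserting, as the ACE note at the top of this page describes), the single value can be used directly; if it appends, only the rightmost element is yours; if it does neither, the whole field is client-chosen and should not drive session tracking or access decisions.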

  • HELP! I've created a template for event badges and have been instructed by the client to insert the (200+) names and relevant companies into it... Is there a script that can do this in Illustrator? Should I be using InDesign?

    An events client I'm working for have asked me to create a template for badges. Rather than ask the printers to insert the names and companies of the individuals present at the event though, they want me to create all of the pdf files for (200+) people!
    I have an excel sheet of the people that will be present. My question is: is there a way to automate this? to define editable areas in a template and run some sort of batch processing script?
    Thanks!

    This would be a perfect job for Data Merge in InDesign. You can place your AI design into InDesign (minus the text fields), and then easily create a merge.

  • ACE client authentication performance degradation

    Hi,
    If possible is anybody able to provide any advice & guidance WRT the below:
    According to; http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA4_1_0/command/reference/sslproxy.html “When you enable client authentication, a significant performance decrease may occur in the ACE module.”
    The statement raises a lot of questions;
    1. Presumably the degradation can only happen as a result of an SSL client performing a handshake with the ACE (SSL server), the ACE requesting a client certificate and the client responding with a certificate at which stage the ACE has to verify the Client certificate?
    2. Some metrics are needed from Cisco around the degradation – for example how many certificate verifications per second can the ACE support (1, 10, 100, 1000)? If this is dependent on RSA key size then metrics are needed for 1024 and 2048 keys.
    3. The Cisco ACE supports partitioning of resources (http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Module_Troubleshooting_Guide,_Release_A2%28x%29_--_Managing_Resources_ and therefore I assume that the ACE can be protected from degradation by setting a limit on SSL handshakes per second which is well below the limit from 2?
    4. Any references to some relevant documentation ?

    Hello Preck-
    As a first point, we don't generally document every possible aspect of performance numbers on products because there are many factors that play into the numbers. This is one of the grey areas where we cannot pin down any hard numbers due to too many outside factors.
    Here is the full story on SSL client authentication:
    Under a normal SSL handshake, the SSL server exchanges the public key and certificate file to the client, and a cipher is chosen to encrypt the communication between the two entities. Past that communication, there are a few things that could result in extra packets, or a new SSL handshake, i.e. SSL version negotiation and/or cipher related issues. Some things can shorten the handshake time like SSL session IDs and using specific SSL protocols (i.e. if the client and server only ever used TLS v1.1 and never had to negotiate from SSL v3.0 to TLS).
    Once the handshake is done, the performance only depends on network latency and the amount of time it takes to encrypt/decrypt the traffic, which is dependent on the SSL version, cipher, and SSL strength (key bits). This is important to your questions because the only thing that affects performance is the initial handshake process.
    When you enable client authentication, before the handshake is complete, the server requests the client to send a certificate. The client may send multiple certificates, or just 1. When the server receives the certificate, it checks that it matches the certificate that it has installed for client authentication. As well, the server may do an extra check against the CRL to see if the certificate has been revoked (this is an external call to the CA via TCP or LDAP generally). The amount of certs, size of the certs, and size of the CRL are not known to the server, hence it has to work with what it receives. The larger the files, the longer the handshake takes to complete.
    Specific to ACE:
    The degradation you are going to see is exactly what I stated in the last paragraph - it will be related to how many certs the ACE has to parse, how long it takes to get the CRL and check it all the way through. Because every client could give the ACE a different amount of certificates and the CRL could be any size/take any amount of time to retrieve and scan, there is no such thing as a common metric we can state about the difference in performance.
    We can tell you that the performance degradation is limited to the VIP that you have this enabled on and should not affect any other VIPs/context/the whole ACE in general. It also only relates to the amount of possible transactions per second, and not to total SSL concurrent connections or throughput. Throughput is not affected because the SSL Nitrox and Cadvium engines are not used to scan the client certificate - the XScale Microengine is, so the throughput of the SSL daughter cards is not affected here.
    The bit count within the keypair does not affect the performance when enabling client authentication if you are comparing the same as without client authentication. Certainly, you will see a drop in performance when moving from 1024 to 2048 bit keys due to the extra complexity involved in encrypting/decrypting - but no additional loss with client authentication. On a side note, keep in mind that doubling your key bit strength means your performance will take an exponential drop - not a linear drop. If you are planning on deploying 2048-bit keys, make sure you test your environment prior to production release so that you know exactly what kind of performance to expect.
    About your question on partitioning resources, because this only affects the VIP you have the authentication on, you don't need to worry about sandboxing off a context to handle this.
    Regards,
    Chris Higgins

  • Checkbox selects client and inserts value in table

    Hi,
    I have requirement where I need to create form which displays all Client Names with checkbox infront of them
    so that user can select client for whom they want to process orders.
    I have created checkboxes and trying to insert client in a table but it is not working. Here is my code.
    Any help will be greatly appreciated.
    IF :block.checkbox = 'Y' THEN
      INSERT INTO client VALUES (:block.client, 600, USER, SYSDATE);
    END IF;
    Thanks
    Sandy

    Sorry, but it didn't work. I am getting the error 'Another Order is running please exit' and the client could not get inserted in the client_log table when client_count != 0, BUT when I give, say, client_count > 5 then it will insert the client in the table, but then again one problem: suppose I have checked clients 2, 5, 9, 10; they will be inserted in the table in the sequence 2, 10, 9, 5. Can we make it the same sequence in which I have checked them in the form?
    Here is my code in When_Button_Pressed trigger. I have two blocks Client and Detail.
    Client data block has Checkbox, client name and detail data block has Process Button.
    PACKAGE BODY client_pkg IS
      PROCEDURE process_call IS
        client_count NUMBER;
        return_value NUMBER := NULL;
      BEGIN
        -- Refuse to start if a previous batch for this source id is still logged
        SELECT COUNT(*) INTO client_count FROM client_log
         WHERE log_group_source_id = 600;
        IF client_count != 0 THEN
          message('Another Order is running please exit');
        ELSE
          -- Walk every record of the Client block and log the checked ones
          go_block('Client');
          first_record;
          LOOP
            IF :client.checkbox = 'Y' THEN
              INSERT INTO client_log VALUES (:client.client, 600, USER, SYSDATE);
            END IF;
            EXIT WHEN :system.last_record = 'TRUE';
            next_record;
          END LOOP;
          first_record;
          COMMIT;
          IF form_success OR sqlcode = 0 THEN
            message('records successfully saved into database');
            message(' ', no_acknowledge);
          ELSE
            message('Error saving records: ' || sqlerrm);
            message(' ', no_acknowledge);
          END IF;
          -- Hand the logged clients to the order processor
          process_pkg.process_orders(600, return_value);
          message('Process Called');
          IF return_value = 0 THEN
            message('Successful processing');
          ELSE
            message('there is some problem with' || 2);
          END IF;
        END IF;
      END;
    END;
    Edited by: sandy162 on Mar 23, 2009 8:12 AM

  • SNMP Ace client packets

    Hi All,
    I am doing an snmpwalk on our ACE using the following oid:
    1.3.6.1.4.1.9.9.161.1.4.2.1.9
    The problem is that on some VIPs, after doing an snmpwalk, I am receiving 0 for bandwidth utilisation.
    When I scan the device I see there is bandwidth usage.
    Below is output from snmpwalk and the device itself.
    SNMP-Walk
    1.3.6.1.4.1.9.9.161.1.4.2.1.2.2.222 : Counter: 0
    sh service policy CM-Rebranding-888-http
    class: CM-Rebranding-888-http
         VIP Address:    Protocol:  Port:
         10.x.x.x      tcp        eq    80
          loadbalance:
            L7 loadbalance policy: PM-Rebranding-888-http
            VIP Route Metric     : 77
            VIP Route Advertise  : DISABLED
            VIP ICMP Reply       : DISABLED
            VIP State: INSERVICE
            curr conns       : 3374      , hit count        : 8113708
            dropped conns    : 82195
            client pkt count : 186343165 , client byte count: 17308888870
            server pkt count : 292836401 , server byte count: 362759465286
            conn-rate-limit      : -         , drop-count : -
            bandwidth-rate-limit : -         , drop-count : -
            L7 Loadbalance policy : PM-Rebranding-888-http
              class/match : class-default
                 LB action: :
                   sticky group: Rebranding-888-http
                      primary serverfarm: SF-Rebranding-888-http
                        state: UP
                      backup serverfarm : -
                hit count        : 8113703
                dropped conns    : 0
            Parameter-map(s):
              Rebranding-888-http-Idle
    It looks like a bug to me.
    Any help would be appreciated in understanding this issue.
    If anyone has encountered this issue and overcome it, please let me know.
    Thanks.
    Jack.

    Jack
    Probably easiest if we can set it up in the lab and test it. Would you be willing to share your config? Or maybe open a TAC case and I can take a look at it. Which version of s/w?
    Matthew
