ACE: HTTP followed by HTTPs/SSL termination, stickiness

Dear Helpers,
I'm trying to figure out the best sticky/persistence method for the following for ACE,
Client X ----(HTTP)--------------------------------------------ACE LB ---to----Server 1
Client X -----(HTTPs)---ACE/SSL termination ------ACE LB ---to---- Server1
Both HTTP and HTTPs use the same VIP for HTTP and HTTPs)
The same client to stick/persist to the same server using both HTTP and HTTPs. HTTPs/SSL is terminated by ACE.
Could you point me to sample configurations for this requirement, please.
Thank you
SS

HI Gilles,
thanks for the response. Sorry had gotten distracted with a bunch of other things, didn't get a chance to get back to this. Anyway, so, I can generate the 302 response in my web-servers except I need to turn it around to a different domain name. Now assuming I use URL re-write when I see this coming back from the web-server, I can rewrite this to https and send to the client? A few questions about this and the links you sent above with using redirect service.
a) can I do a a redirect to an https address or does it only do http (considering I only saw examples configs only using www.domain.com/index.html type redirects without specifying the protocol to use)?
b) If not, then I use URL rewrite in conjunction with the 302 from the web-servers. But for my SSL off-load in a pair of CSS using VIP and Virtul Interface redundancy, do I buy 2xSSL Certs for the same domain-name or do I buy ONE (i.e. generate the key-pair/CSR in Master CSS) and import the same rsakey and SSL Cert recd. from CA into both CSSs?
c) Does the CSS handle a wildcard SSL Cert without problems?
Thanks again,
\R

Similar Messages

SOAP Adapter - HTTPS w/ client authentication -SSL termination @ dispatcher

Hi,
We have a SOAP client sending SOAP message over SSL to PI. We are using client cert for authentication, but terminating SSL at web dispatcher. In this scenario, i) do we need to configure security for XISOAPADAPTER in Visual admin on PI and ii) do we need to set HTTPS with client authentication security option in SOAp Sender communication channel?
My understanding is that since we are terminatinating SSL at web dispatcher (Server authentication happens between third-party gateway and our gateway and when web dispatcher terminates SSL, client cert for auth is passed via httpheader to PI where it is mapped to UME user with sufficient authorizations) we don't need to set the XISOAPADAPTER security (if it is end-to-end ssl we would i guess set up in V. Admin>Security provider service>clientcertloginmodule for XISOAPADAPTER) and we don't need to set the sender channel as https with client authentication ( it should just be http in SOAP sender channel).
Is my understanding correct? I will really appreciate any clues?
Thanks,
Saurabh

Hi saurabh
follow these links to SAP note
these will be helpful for you
Note 856597 - FAQ: XI 3.0 / PI 7.0 / PI 7.1 SOAP Adapter
https://websmp102.sap-ag.de/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=856597&_NLANG=E
Note 856599 - FAQ: XI 3.0 / PI 7.0 / PI 7.1 Mail Adapter
https://websmp102.sap-ag.de/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=856599&_NLANG=E
Note 870845 - XI 3.0 SOAP adapter SSL client certificate problem
https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=916664&nlang=EN&smpsrv=https%3a%2f%2fwebsmp102%2esap-ag%2ede
https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=870845&nlang=EN&smpsrv=https%3a%2f%2fwebsmp102%2esap-ag%2ede
regards
Sandeep
If helpful kindly reward points

SSL Termination in ACE 4710 not working

Hi,
I have configured a new ACE 4710 with only a sinlge context to redirect https traffic to http real servers using SSL Termination. When I do a telnet on port 443 or 80 to the VIP it works fine but when I try to open the URL it prompts me for accepting the certificate then it tries to find and establish connection to the URL but eventually dies out giving a "Page cannot be displayed error". I have done some troubleshooting and found that the connection to the VIP on 443 port is Established but the out connection from the real server to the client remains in the INIT state. I am attaching the configs and all the troubleshooting data I have collected. Pls someone help.

Yes the "server pkt count" for the "class: VIP_HTTPD_Redirect" is not incrementing and yes the servers do not have the default gateway towards the ACE.So as suggested I have configured default route in the servers towards the ACE interface vlan ip address. Still the server packet count is not incrementing. I am posting the updated configuration of the ACE as an attachment. Pls help.

ACE - SSL Termination is not working

HTTPS is not working from official IE browser but it is working from test Firefox browser. However HTTP is working with both IE and Firefox browsers. This is true for multiple implementations on the ACE service module with SSL termination.
ACE software 3.0(0)A1(4a)
IE v6 SP3 Cipher 128
Firefox v3.6.3
Sample configuration:
access-list FT ethertype permit bpdu
access-list ALL-ACCESS extended permit icmp any any
access-list ALL-ACCESS extended permit ip any any
crypto chaingroup ROOT-CERT
cert abc.PEM
cert xyz.PEM
parameter-map type ssl SSL-PARAMETER-1
cipher RSA_WITH_RC4_128_MD5
cipher RSA_WITH_RC4_128_SHA
cipher RSA_WITH_AES_128_CBC_SHA priority 2
cipher RSA_WITH_AES_256_CBC_SHA
cipher RSA_EXPORT1024_WITH_DES_CBC_SHA
parameter-map type ssl SSL-PARAMETER-2
cipher RSA_WITH_AES_128_CBC_SHA priority 2
ssl-proxy service SSL-1
key KEY-1.PEM
cert CERT-1.PEM
chaingroup ROOT-CERT
ssl advanced-options SSL-PARAMETER-1
ssl-proxy service SSL-2
key KEY-1.PEM
cert CERT-1.PEM
chaingroup ROOT-CERT
ssl advanced-options SSL-PARAMETER-2
ssl-proxy service SSL-3
key KEY-1.PEM
cert CERT-1.PEM
chaingroup ROOT-CERT
rserver host server1
ip address 10.100.15.89
inservice
rserver host server2
ip address 10.100.15.121
inservice
probe http PROBE-1
interval 30
faildetect 2
request method get url /keepalive.htm
expect status 200 200
serverfarm host SERVERFARM-1
probe PROBE-1
rserver server1 80
    inservice
rserver server2 80
    inservice
sticky ip-netmask 255.255.255.255 address both STICKY-1
timeout 30
replicate sticky
serverfarm SERVERFARM-1
class-map type management match-any REMOTE-ACCESS
match protocol icmp any
match protocol snmp any
match protocol ssh any
match protocol https any
class-map match-all VIP-1
match virtual-address 10.100.15.140 tcp eq https
class-map match-all VIP-2
match virtual-address 10.100.15.140 tcp eq www
policy-map type management first-match REMOTE-ACCESS
class REMOTE-ACCESS
    permit
policy-map type loadbalance first-match POLICY-1
class class-default
    sticky-serverfarm STICKY-1
policy-map multi-match LB-1
class VIP-1
    loadbalance vip inservice
    loadbalance vip icmp-reply active
    loadbalance policy POLICY-1
    ssl-proxy server SSL-1
(i have tried with ssl-proxy server SSL-2 and ssl-proxy server SSL-3 but did not helP)
policy-map multi-match LB-2
class VIP-2
    loadbalance vip inservice
    loadbalance vip icmp-reply active
    loadbalance policy POLICY-1
interface vlan 15
description client vlan
bridge-group 15
mac-sticky enable
access-group input FT
access-group input ALL-ACCESS
access-group output ALL-ACCESS
service-policy input REMOTE-ACCESS
service-policy input LB-1
service-policy input LB-2
no shutdown
interface vlan 2015
description server vlan
bridge-group 15
mac-sticky enable
access-group input FT
access-group input ALL-ACCESS
access-group output ALL-ACCESS
service-policy input REMOTE-ACCESS
no shutdown
interface bvi 15
description bridge group
ip address 10.100.15.5 255.255.255.0
peer ip address 10.100.15.6 255.255.255.0
alias 10.100.15.4 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 10.100.15.1
note: Subnet, Server Name, Certificate Name and Key Name are modified for security reason.

Hello,
We will not be able to determine why your SSL terminated connections fail with only your config. You may want to take a look at a similar thread where someone else was having problems with IE and SSL termination, but Firefox worked fine. It also includes a solid action plan you can use to gather data needed to diagnose root cause. That thread can be viewed at the following link:
https://supportforums.cisco.com/thread/2025417?tstart=0
Also, the ACE software you are running is extremely old now and very buggy. I would strongly urge you to upgrade to A2(2.4) as soon as possible. It will help you avoid some headaches as you move forward.
Hope this helps,
Sean

ACE SSL Terminator doesn't work

Hi,
I should implement a balancing HTTP and for HTTPS an SSL terminator on my ACE.
Public IP 22.235.121.6 port 80 --> balanced on 192.168.250.165-166 on port 8889
Public IP 22.235.121.6 port 443 --> my ace terminate ssl and balance the traffic in clear text to 192.168.250.165-166 on port 8889
This is the configuration:
probe http EXAMPLE_IT_HTTP
port 8889
interval 5
faildetect 2
passdetect interval 10
passdetect count 2
request method get url /probe/probe.html
expect status 200 206
expect status 300 307
open 1
serverfarm host example_IT_HTTP
failaction reassign across-interface
predictor leastconns
probe example_IT_HTTP
fail-on-all
rserver H-192.168.250.165 8889
inservice
rserver H-192.168.250.166 8889
inservice
serverfarm host example_IT_HTTPS-HTTP
failaction reassign across-interface
predictor leastconns
probe example_IT_HTTP
fail-on-all
rserver H-192.168.250.165 8889
inservice
rserver H-192.168.250.166 8889
inservice
sticky ip-netmask 255.255.255.255 address both example-IT-HTTPS-HTTP
timeout 60
replicate sticky
serverfarm example_IT_HTTPS-HTTP
ssl-proxy service SSL_example_IT
key example_it.key
cert example_it.cert
chaingroup SSL_CHAIN_example_IT
crypto chaingroup SSL_CHAIN_example_IT
cert example_it.ca
class-map match-all example_IT_HTTP
2 match virtual-address 22.235.121.6 tcp eq www
class-map match-all example_IT_HTTPS-HTTP
2 match virtual-address 22.235.121.6 tcp eq www
policy-map type loadbalance first-match example_IT_HTTP-l7slb
class class-default
serverfarm example_IT_HTTP
policy-map type loadbalance first-match example_IT_HTTPS-HTTP-l7slb
class class-default
sticky-serverfarm example-IT-HTTPS-HTTP
policy-map multi-match int41
class example_IT_HTTP
loadbalance vip inservice
loadbalance policy example_IT_HTTP-l7slb
loadbalance vip icmp-reply active primary-inservice
class example_IT_HTTPS-HTTP
loadbalance vip inservice
loadbalance policy example_IT_HTTPS-HTTP-l7slb
loadbalance vip icmp-reply active primary-inservice
ssl-proxy server SSL_example_IT
the balancing on http work properly, but doesn't work the ssl termination, when I try to connect from my client in https I don't see request on the server 192.168.250.165-166 coming.
Some show:
balancer# sh crypto certificate all
example_it.cert:
Subject: /C=GB/ST=United Kingdom/L=London/O=XXXXXXXX/OU=XXXXXXXXX/CN=*.xxxx.com
Issuer: /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
Not Before: Apr 11 00:00:00 2014 GMT
Not After: Apr 12 23:59:59 2015 GMT
CA Cert: FALSE
example_it.ca:
Subject: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
Not Before: Nov 8 00:00:00 2006 GMT
Not After: Jul 16 23:59:59 2036 GMT
CA Cert: TRUE
balancer# sh crypto session
SSL Session Cache Stats for Context
Number of Client Sessions: 0
Number of Server Sessions: 0
balancer#
balancer# sh crypto files
Filename File File Expor Key/
Size Type table Cert
cisco-sample-cert 1082 PEM Yes CERT
cisco-sample-key 887 PEM Yes KEY
example_it.ca 7444 PEM Yes CERT
example_it.cert 1812 PEM Yes CERT
example_it.key 1675 PEM Yes KEY
balancer#
balancer# crypto verify example_it.key example_it.cert
Keypair in example_it.key matches certificate in example_it.cert.
balancer#
the show stats crypto client/server give me all 0
Someone can help me to understand why is not working ?
for further information please ask me
Thanks a lot

Hi,
The problem is here:
class-map match-all example_IT_HTTPS-HTTP
2 match virtual-address 22.235.121.6 tcp eq www
You should change it to 443 instead of WWW which means port 80.
You will never match this class "example_IT_HTTPS-HTTP".
Regards,
Kanwal
Note: Please mark answers if they are helpful.

SSL Termination not working in ACE

Hi,
The context was configured for Load Balancing Port 80 and 443 traffic before the SSL Configs was Applied.
The SSL Termination is configured on ACE module running the software version A2(1.6a) [build 3.0(0)A2(1.6a)
The load balacing is working without no issues, But when i do a https://abc.www.abc.qa/wps/portal/login
the browser reconganizes the certificate from ACE, but does not show up any thing, just shows this symbol €
in a blank page.
Plese let me know if you have any suggestions.
Thanks in Advance.
Here is the relevant config.
===================
crypto csr-params ABC-II-PRAMS
country XX
state XXXX
locality XXXX
organization-name abc council
common-name abc.www.abc.qa
serial-number 1
email [email protected]
rserver host abcserver1
ip address 10.14.1.165
inservice
rserver host abcserver2
ip address 10.14.1.177
inservice
ssl-proxy service abc.www.proxy
key abc-II-key.pem
cert abc-II-cert.pem
serverfarm host abc.www.abc.qa-443
failaction purge
rserver abcserver1
    probe abcicmp
    inservice
rserver abcserver2
    probe abcicmp
    inservice
serverfarm host abc.www.abc.qa-80
failaction purge
rserver abcserver1
    probe abcicmp
    inservice
rserver abcserver2
    probe abcicmp
    inservice
sticky ip-netmask 255.255.255.255 address source abc.www.abc.qa-sticky-80
timeout 120
serverfarm abc.www.abc.qa-80
sticky ip-netmask 255.255.255.255 address source abc.www.abc.qa-sticky-443
timeout 120
serverfarm abc.www.abc.qa-443
class-map match-all abc.www.abc.qa-443
match virtual-address 10.14.1.203 tcp eq https
class-map match-all abc.www.abc.qa-80
match virtual-address 10.14.1.203 tcp eq www
policy-map type loadbalance first-match abc.www.abc.qa-VIP-443
class class-default
sticky-serverfarm abc.www.abc.qa-sticky-443
policy-map type loadbalance first-match abc.www.abc.qa-VIP-80
class class-default
sticky-serverfarm abc.www.abc.qa-sticky-80
policy-map multi-match abc-POLICY
class abc.www.abc.qa-80
    loadbalance vip inservice
    loadbalance policy abc.www.abc.qa-VIP-80
    loadbalance vip icmp-reply
class abc.www.abc.qa-443
    loadbalance vip inservice
    loadbalance policy abc.www.abc.qa-VIP-443
    loadbalance vip icmp-reply
    ssl-proxy server abc.www.proxy
=============================

Hi,
You may want to check this thread I think it would be very helpful.
https://supportforums.cisco.com/thread/2027253
HTH
Pablo
Cisco TAC

Cisco ACE SSL termination

Hello Friends,
Need ur help on cisco ACE SSL termination.
If i import the certificate and key (.PEM), where this files will be saved ?
can we able to download the .PEM file any time as we need(back-up)?
suppose if my .PEM is got hacked, hacker is sniffing the data packet which going through the web server, can it be possiable to deencrypt the packet and see the exact packet ?
Regards,
Naren

Naren,
1. In order to import certs and keys, please see the following link to the command reference. To summarize, any time you import/export/delete keys/certs, you are doing so via commands in exec mode. Regarding how and where the ACE actually saves this information, I do not know this answer.
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/command/reference/execmds.html#wp1616651
2. You can import a key as non-exportable if you do not want it to be able to be exported. If you import it as exportable, you can always export it later for backups or what not.
3. You can decrypt captured HTTPS traffic if you have the private key. It is important to limit access to it. Please see this link for more info on using Wireshark to view decrypted HTTPS traffic: http://wiki.wireshark.org/SSL
Hope this helps!
Regards,
Matt

Sticky session for SSL termination

We have a server farm with 2 servers. The ACE is perfoming SSL termination to this farm, and talking tcp/80 on the back end. How can I ensure these sessions are sent to the same servers?
Thanks

since you are doing ssl termination you can do cookie sticky and have the ace either learn a cookie from the server or insert a cookie to provide sticky.
for instance to do cookie insert
sticky http-cookie COOKIE1 GROUP3
cookie insert browser-expire <-- this makes it a session based cookie. If you want the cookie to expire at a set time you can leave off browser-expire
and then set a timeout . the timeout is not on ace rather we will send a utc expire time to the browser
serverfarm test
then call the sticky serverfarm in your load balance policy
policy-map type loadbalance first-match L7PLBSF_STICKY-COOKIE_POLICY
class class-default
sticky-serverfarm GROUP3
you can also use other sticky methods see
http://www.cisco.com/en/US/customer/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/sticky.html#wp1070365

ACE 4700 configuring SSL termination weblogic server 10.3.6

Hello,
Im trying to configure an ACE 4700 so that SSL termination is done on the ACE and HTTP reaches the weblogic server instance.
I have a working setup of a Apache reverse proxy doing SSL offloading and using a weblogic module and that works fine
Was reading http://docs.oracle.com/cd/E23943_01/web.1111/e13709/load_balancing.htm#i1045186
Can anyone point me to a working config example for doing this with the ACE4700 or give me some directions here?
Kind regards,
Laurens

Hi Laurens,
Here is a basic configuration for SSL termination:
rserver host test
ip address 10.198.16.98
inservice
rserver host test2
ip address 10.198.16.93
inservice
serverfarm host test
rserver test 80
    inservice
rserver test2 80
    inservice
ssl-proxy service TEST
key cert
cert cert
class-map match-all VIPSSL
2 match virtual-address 10.198.16.122 tcp eq https
policy-map type loadbalance first-match test
class class-default
    serverfarm test
policy-map multi-match clients
class VIPSSL
    loadbalance vip inservice
    loadbalance policy test
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 112
    ssl-proxy server TEST
interface vlan 112
ip address 10.198.16.91 255.255.255.192
access-group input Allow_Access
nat-pool 1 10.198.16.122 10.198.16.122 netmask 255.255.255.192 pat
service-policy input NSS_MGMT
service-policy input clients
no shutdown
Cesar R
ANS Team

Using ACE to load balance HTTP/S traffic between client & proxy server using tcp 8080

Folks,
I have a scenario where ACE is in load balancing connections to a bunch of Websense servers in a one-armed topology. ACE presents a single VIP to web browser clients and each client's browser proxy configuration is populated with the VIP DNS name. Traffic then gets load balanced between the Websense servers. The problem arises due to Websense requiring the 'X-Forwarded-For' HTTP header in order to obtain the source IP of the client.
ACE inserts this header into the standard HTTP 'proxied' traffic but doing this for HTTPS traffic has required the configuration of the ACE SSL proxy client server.
So the problem I have is this:
How to configure ACE to load balance both HTTP & HTTPS applications using a single VIP and tcp port number ie tcp 8080
The ACE hardware being used is ACE20-MOD-K9 - MODULE
I have attempted to use a L7 class map to match all ciphers and attach this to a L7 Policy-Map but the documentation highlights the fact the 'match cipher' configuration is only available on the ACE appliance.
I believe I am on the correct track. The HTTPS traffic must be identified and used to match against PolicyA and HTTP traffic matched against PolicyB
I'm looking for ideas! I'm hopeful someone must have solved this problem previously!!
Regards,
Simon

Hi Simon,
The classification has to work on different ports. Whether client types http or https doesn't matter to client. His request will reach VIP which will classify the traffic based on port, protocol first and then it can look into further detail to send the traffic to appropriate serverfarm.
You can class-map match-any xxxxx
2 match virtual-address x.x.x.x tcp any
and then you configure further classification on the basis of L7 like url, header etc.
But again, you will still need SSL termination on ACE.
Regards,
Kanwal
Note: Please mark answers if they are helpful.

ACE maintenance page for HTTPS connection (non offloaded mode)?

Hello experts
how do we configure a "redirected" maintenance page for HTTPS Serverfarm when the serverfarm is down/probefailed?
lets say users are accessing https://xyz.com, and if the serverfarm is down, I want users to get redirected to https://abc.com or even http://abc.com
(getting a certificate error or a https to http redirection error is acceptable)
What i understand from TAC, since we are not terminating SSL on ACE, we have few restrcitions on using redirect. Thereafter, TAC hasnt been too helpful on this query.
HTTPS connection is directly terminated on Server with certificate. And we are using SSL Session Stickyness on ACE (I know not the best thing to do..)
Pls. assist.

so do i assume there is no way to do this without using ACE for SSL termination?
In our case, not using ACE for termiating SSL connections is to draw a line between Network and System administration, a business requirement.
Thanks for your replies.

HTTPS balance without a SSL Module

I have read thru the forum and found a couple threads talking about this issue but didnt find a solution to my problem.
I have 2 CSS11503s without SSL modules. I now have a need to balance a KVMoIP system that uses ssl on the servers(currently only 5 concurrent users). My balance is simply for ease of use for my customers so they dont have to know the url for the primary and secondary servers. Here is what I have right now:
interface 1/1
bridge vlan 241
description "to users"
interface 1/2
description "to servers"
bridge vlan 700
circuit VLAN700
ip address 172.20.241.181 255.255.255.192
ip virtual-router 100 priority 1
ip redundant-interface 100 172.20.241.183
ip critical-service 100 css-up-down
ip critical-reporter 100 css-sc1
circuit VLAN241
ip address 172.20.241.71 255.255.255.192
ip virtual-router 1 priority 1
ip redundant-interface 1 172.20.241.73
ip redundant-vip 1 172.20.241.100
ip critical-service 1 css-up-down
ip critical-reporter 1 css-sc1
service obsidian
ip address 172.20.241.172
keepalive port 80
keepalive type tcp
active
owner avocent
content kvm (Does not work)
vip address 172.20.241.100
protocol tcp
port 443
add service obsidian
content kvm_80 (This works)
protocol tcp
port 80
add service obsidian
vip address 172.20.241.100
active
The http to the server works fine but the https get "The page can not be displayed" when you go to https://172.20.241.100
Thanks for any insight into this issue.

Hi Gill,
thats what i?ve found:
config-owner-content) application
To specify the application type associated with the content rule, use the application command. The application type enables the CSS to correctly interpret the data stream matching the content rule and parse them. Otherwise, the data stream packets are rejected. Use the no form of this command to reset the application type to its default setting of HTTP.
application type
no application
Syntax Description
type
Application type. Enter one of the following:
?bypass - Bypasses the matching of the content rule and send the request directly to the origin server
?http (default) - Processes HTTP data streams
?ftp-control - Processes FTP data streams
?sip - Processes Session Initiation Protocol (SIP) data streams
?ssl - Processes Secure Sockets Layer (SSL) protocol data streams

APEX Oracle 11g HTTP Server - Cannot get SSL working

I have installed APEX on Oracle 11g with the Oracle HTTP Server on MS Windows server.
Data base up and running, APEX up an running.
All works as expected on port 7777
When I try 4443 I get error message re self signed certificate by Oracle, but if I click through error message I get an https connection.
I want to replace default cert with a locally signed cert, and get SSL working on 4443, then switch to port 443.
I have used the Oracle Wallet manager, generated a CSR, had this signed by my corproate CA, and installed the corporate CA cert and the newly signed server cert into the wallet (with Auto Login Set) and saved it in:
D:\orahttp\Oracle_WT1\instances\apex\config\OHS\ohs1\keystores\infosec2wallet
This creates two files: ewallet.p12 and cwallet.sso
I then manually add the group/users "SYSTEM" and "Administrators" to these two files to match the security tab on the default wallet.
I T then go to the ssl.conf file located at:
D:\orahttp\Oracle_WT\instances\apex\config\OHS\ohs1\ssl.conf
and changed the entry:
#SSLWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/default"
SSLWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/infosec2wallet"
I then stop and start the Oracle HTTP Server - ohs1 from the start menu.
Then I try to connect from my desk top machine using the following URL:
https://us-pghinfosec2.ariba.com:4443/pls/apex/f?p=101:1:
I get the clasic MS IE Message:
==========
Internet Explorer cannot display the webpage
Most likely causes:
You are not connected to the Internet.
The website is encountering problems.
There might be a typing error in the address.
What you can try:
Diagnose Connection Problems
More information
This problem can be caused by a variety of issues, including:
Internet connectivity has been lost.
The website is temporarily unavailable.
The Domain Name Server (DNS) is not reachable.
The Domain Name Server (DNS) does not have a listing for the website's domain.
If this is an HTTPS (secure) address, click Tools, click Internet Options, click Advanced, and check to be sure the SSL and TLS protocols are enabled under the security section.
For offline users
You can still view subscribed feeds and some recently viewed webpages.
To view subscribed feeds
Click the Favorites Center button , click Feeds, and then click the feed you want to view.
To view recently visited webpages (might not work on all pages)
Click Tools , and then click Work Offline.
Click the Favorites Center button , click History, and then click the page you want to view.
==========
I am at a loss as to what to do. It acts like Oracle HTTP can not open my wallet.
I suspect it needs the password to the wallet but I cannot find any place to specify the password, and Auto Login should have addressed that issue.
Any insights welcome.
Thanks - Elton Hay

Hello Lakshmi,
>
I got your point but in our case HTTP Server and Oracle Database (APEX) running on different machines.
Oracle HTTP Server running on a Windows 2003 server and Oracle Database running on Sun Solaris machine.
So do i need to change Oracle 10g HTTP Server? do i need to install Oracle 11g HTTP SErver?
Please let me know if my question is not clear.
>
<ul><li>
I got your point but in our case HTTP Server and Oracle Database (APEX) running on different machines.Did I missed something?
You should have mentioned this additional information in the original question itself.
</li>
<li>Oracle HTTP Server running on a Windows 2003 server and Oracle Database running on Sun Solaris machine.As long as [url http://docs.oracle.com/cd/E37097_01/doc/install.42/e35123/otn_install.htm#BHAFJJDA]dads.conf is configured correctly there should not be a problem with this.
From Original question:
We are having Oracle APEX 3.1 version on Oracle 10g Database and Oracle 10g HTTP Server as web server in our organization.How did this setup of APEX worked?(i.e. on different machines)
If you still have doubt about this you can do the setup and find out before upgrading.
</li>
<li>So do i need to change Oracle 10g HTTP Server? do i need to install Oracle 11g HTTP SErver?This question is answered in the above post. As long as you fulfill the [url http://docs.oracle.com/cd/E37097_01/doc/install.42/e35123/pre_require.htm#CFHIIJBE]HTTP Server Requirements for APEX 4.2 (Also we are discussing this long about only Oracle 10g HTTP Server but which version?)
</li></ul>
Hope now I am more clear!
Regards,
Kiran

ACE: wrong IP in HTTP header HEALTHCHECK packet

Hi,
I encounter a strange problem with ACE when the blade performs a HTTP healthcheck towards a RSERVER.
Sometimes, ACE insert in the HTTP header a strange IP address, others then the IP address of the rserver, for which it performs a healthcheck.
Anyone encountered the same problem?
Thx, Wim

Hi Gillis,
I reported this issue to our integrator. I think they will open a cisco case right now.
We are able to reproduce this problem. So, that might not be the problem to troubleshoot at this moment.
For your information, we had version A1.6 running until last week. Now, we upgraded to A2, but the healthcheck issue is still present.
I assume you 'll informed via the support case?

Configuring using AAEI have been going through the following document. http

I have been going through the following document.
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/700058f0-b1a1-2a10-39a8-ab2627b87cfa?quicklink=index&overridelayout=true
1. I have a JMS to Proxy scenario async. How do I make this scenario configured using Integrated configuration in 7.11 using AAE to improve the performance of this scenario?
I know it is not supported by Proxies?
Plz let me know the steps required for the same?
2. I have a file to Proxy scenario - Async. Can I configure the same using integrated configuration scenario?
Thanks
~N

Hi
Please check the following links for AAE with proxy
ABAP Proxy sender possible in integrated configuration AAE with PI 7.11
/people/makoto.sugishita/blog/2009/10/23/a-new-feature-in-netweaver-pimessage-protocol-xi-30-in-soap-adapter
Regards
Abhijit

ACE: HTTP followed by HTTPs/SSL termination, stickiness

Similar Messages

Maybe you are looking for