ACE Stickyness via SSL

Hello,
i've wanted to configure Stickyness via SSL Session ID.
I coul'd not find anything in the docs how to do this.
Is this feature not supported by the ACE?
Sven

I read somewhere it will be supported with the next major release or Gilles mentioned something like that.
AFAIK it is not supported right now.
Ergo -> geht nicht :)
Roble

Similar Messages

Connection problem while connecting to LDAP resource via SSL

Hi,
I am facing problem in connecting LDAP via SSL. I got the self signed certificate from the LDAP team and while importing it to the JVM keystore using command "keytool -import -file PathTo/ds-cert.txt -keystore ./cacerts -storepass changeit -trustcacerts", I am getting error "keytool error: java.security.SignatureException: Signature does not match". Since I am not able to import the cert, I am facing problem in connetcing to LDAP via SSL. I have gone thru other posts and found some answers for it.. but not able to do it correctly. I am using SIM 7.1 and tomcat. In some posts, I have seen, in the resource config wizard, use "true" instead of 1 in the SSL field.. For SIM 7.1, does the value 1 work?. Please help me in importing the cert to my local JVM keystore.
Thanks.
Edited by: dj123 on Oct 15, 2008 1:50 PM

Make sure you are importing the certificate of the issuer (CA) that issued the LDAP certificate, not the LDAP cert itself.

How send and receive XML file from PI 7.0 via SSL

Hello experts,
Can you point to some documentation , examples , links where I can get some information on how to send and receive XML files using PI 7.0 via SSL ?
Thanks in advance.

Hi,
refer to the following links.
Enabling SSL
http://help.sap.com/saphelp_nwpi71/helpdata/en/14/ef2940cbf2195de10000000a1550b0/content.htm
Adapter specific security
http://help.sap.com/saphelp_nwpi71/helpdata/en/f5/799add57aeee4f889265094a04695c/frameset.htm
regards,
MIlan Thaker.

Calling web service via SSL

Hi,
I do not succeed in calling a web service via SSL from within a Web Dynpro application.
Current settings of my logical port:
Target Address: https://...
Authentication: HTTP authentication, basic (username/password)
I do call methods _setUser and _setPassword to set userid and password before calling method execute() of my modelclass.
On calling method execute(), I get message "Connection closed by remote host".
Any suggestions ?
Many thanks.
Jorgen

Can you check the following?
1) Did you install the SAP Cryptographic toolkit for Java available from service.sap.com?
2) Did you install the "Java Cryptography Extension (JCE)
Unlimited Strength Jurisdiction Policy Files 1.4.2". For Sun they are available here: http://java.sun.com/j2se/1.4.2/download.html (last item on page)
3) How is the SSL server configured? Does it require client authentication? In this case you must send a client certificate.

How connect client to mySQL via SSL

Hi,
I created client in Swing/AWT and configured mySQL. How can I configure my client to enable connection via SSL (not necessary with certificate). I have to switch on field in driver JDBC, but that'a all? How can I verify if connection is really encoded?
Damian

Hi,
I created client in Swing/AWT and configured mySQL.
How can I configure my client to enable connection via
SSL (not necessary with certificate). I have to switch
on field in driver JDBC, but that'a all? How can I
verify if connection is really encoded?
DamianTo find out is the connection really encoded, there is a software called
ethereal - http://www.ethereal.com
which can monitor all the packets on your pc.

SQL Developer wont work via SSL (TCPS)

I am trying to get SQL Developer (1.5.1) to connect to our Oracle database using SSL (tcps -- port 2484) and am getting a very generic error. (I have no error connecting to the same database over the unencrypted port -- 1521).
Status: Failue - Test failed: Io exception: The Network Adapter could not establish the connection.
I personally think that the connection is timing out, but all logging/debuggig features I can find do not prove anything either way. I have successfully connected to the database via SSL using tnsping and sqlplus. I have also successfully imported the certificate from the database server into the cacerts file in sqldeveloper/jdk/jre/lib/security This error is the same whether I use my TNSNAMES file or a custom JDBC url.
Please reply if you have questions/ideas/solutions.
Thanks, Dan
block from TNSNAMES.ora
TEST =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = hostname.fqdn)(PORT = 1521))
(CONNECT_DATA =
(SID = test)
TEST_SSL =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCPS)(HOST = hostname.fqdn)(PORT = 2484))
(CONNECT_DATA =
(SID = test)
(SECURITY =
(SSL_SERVER_CERT_DN="CN=hostname.fqdn, OU=My Unit, O=My University, L=City, ST=State, C=US")
contents of sqlnet.ora
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, NTS)
SSL_VERSION = 0
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = C:\oracle\certs)
)

This has helped, but I am not 100% there.
After altering my setting to use OCI/Thick driver and upgrading to 11g client, (and verifying that I could sqlplus/tnsping/odbc as before) the following happens:
When testing the connection or trying to connect with tnsnames method, the dialog box comes up just telling me it's testing/connecting, and never stops trying (and therefore also never fails).
This also happens when I try to connect via a custom JDBC URL,
BUT
When I test the connection using the same JDBC URL, I 'succeed' -- so I must be close.
My Custom JDBC URL is
jdbc:oracle:oci:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)
(HOST=hostname.fqdn)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=test))
(SECURITY =(SSL_SERVER_CERT_DN="CN=hostname.fqdn, OU=My Unit, O=My University, L=City, ST=State, C=US")))
What might I be missing?
Thank you.

Consuming a Web Service via SSL with Basic Authentication

Hello,
I have a simple web service (returns a parameter value) and want to consume it. Therefore I have generated a proxy for its in Netweaver Studio SP13.
When I set up the web service to be accessed via HTTP and Basic Authentication (Username/Password), everything is fine. When I set up the web service to communicate via HTTPS, I get the following error message in my client:
java.rmi.RemoteException: Service call exception; nested exception is:
     java.lang.NullPointerException
     at priv.senw04.wsproxy.multisec_ssl.SSLBindingStub.pingText(SSLBindingStub.java:87)
     at priv.senw04.wsproxy.multisec_ssl.SSLBindingStub.pingText(SSLBindingStub.java:96)
     at priv.se.wsclient.MultiSecSSL.main(MultiSecSSL.java:38)
Caused by: java.lang.NullPointerException
     at com.sap.engine.services.webservices.jaxm.soap.HTTPSocket.disconnect(HTTPSocket.java:625)
     at com.sap.engine.services.webservices.jaxrpc.wsdl2java.soapbinding.HTTPTransport.closeSession(HTTPTransport.java:396)
     at com.sap.engine.services.webservices.jaxrpc.wsdl2java.soapbinding.MimeHttpBinding.call(MimeHttpBinding.java:1312)
     at priv.senw04.wsproxy.multisec_ssl.SSLBindingStub.pingText(SSLBindingStub.java:80)
     ... 2 more
Testing the web service with WebServiceNavigator and/or by using a generated WebDynpro Client results in the following error:
000D604C66BE004E0000001300000AFC00040922E0160632 : An error occurred during processing the timestamp. The error was: com.sap.security.core.ws.wss.NoSecurityHeaderException No wsse:Security header has been defined for role soap:finalActor. Please verify the policy configuration..
But my main focus is on the client implementation based on a proxy. Here comes the client's code:
public class MultiSecSSL {
    public static void main(String[] args) {
        try {
            MultiSecuritySSLAuthImpl serviceInterface = new MultiSecuritySSLAuthImpl();
            SSLBindingStub service = (SSLBindingStub)serviceInterface.getLogicalPort(MultiSecuritySSLAuthViDocument.class);
            SecurityProtocol protocol = (SecurityProtocol) service._getGlobalProtocols().getProtocol("SecurityProtocol");
            AuthenticationContext auth = protocol.getAuthenticationContext();
            auth.setIgnoreSSLServerCertificate(true);
            auth.setUsername("cfpcompany");
            auth.setPassword("demo");
            String ret = service.pingText("Called service MultiSecurity via SSL");
            System.out.println(ret);
        } catch (Exception e) {
             e.printStackTrace(System.out);
Here comes the logical port information of the generated proxy:
<?xml version="1.0" encoding="UTF-8"?>
<LogicalPorts Name='MultiSecuritySSLAuth' InterfaceName='priv.senw04.wsproxy.multisec_ssl.MultiSecuritySSLAuth'>
<LogicalPort Name='SSLPort_Document' Endpoint='https://192.168.129.76:50001/MultiSecuritySSLAuth/SSL?style=document' BindingName='SSLBinding' BindingUri='urn:MultiSecuritySSLAuthWsd/SSL/document' BindingImplementation='SOAP 1.1 HTTP Binding with Attachments' StubName='priv.senw04.wsproxy.multisec_ssl.SSLBindingStub' Default='true' InterfaceName='priv.senw04.wsproxy.multisec_ssl.MultiSecuritySSLAuthViDocument' Original='true' Valid='true'>
    <globalFeatures>
      <Feature Name='http://www.sap.com/webas/630/soap/features/headers/' Provider='SoapHeadersProtocol' Original='false'>
      </Feature>
      <Feature Name='http://www.sap.com/webas/630/soap/features/session/' Provider='SessionProtocol' Original='false'>
        <Property Name='SessionMethod' Value='httpCookies'>
        </Property>
      </Feature>
      <Feature Name='http://www.sap.com/webas/630/soap/features/authentication' Provider='SecurityProtocol' Original='true'>
        <Property Name='AuthenticationLevel' Value='None'>
        </Property>
        <Property Name='AuthenticationMechanism' Value='HTTP'>
        </Property>
        <Property Name='AuthenticationMethod' Value='BasicAuth'>
        </Property>
        <Property Name='SupportsSSO2Authentication' Value='false'>
        </Property>
      </Feature>
      <Feature Name='http://www.sap.com/webas/630/soap/features/transportguarantee' Original='true'>
        <Property Name='Level' Value='No'>
        </Property>
        <Property Name='TLSType' Value='SSL'>
        </Property>
      </Feature>
    </globalFeatures>
    <localFeatures>
      <Operation Name='pingText'>
        <Feature Name='http://www.sap.com/webas/630/soap/features/wss' Original='true'>
          <Property Name='RequestPolicy' Value='Signature'>
          </Property>
          <Property Name='ResponsePolicy' Value='None'>
          </Property>
        </Feature>
        <Feature Name='http://sap.com/webservices/authorization' Original='true'>
        </Feature>
      </Operation>
    </localFeatures>
</LogicalPort>
</LogicalPorts>
To me, this looks consistent. Any idea, what is misconfigured on my machine ?

Hi Martin,
that is exactly, what I did.
- Change Web Service Configuration in IDE
- Build and Deploy the Service to my local Server
- Check Service in Visual Administrator
- Deleted and Regenerated the Standalone Proxy
- Deleted and Recreated the link between CLient and Proxy Project in IDE
- Started Client
Here comes the section of the ws-deployment-descriptor.xml of the service. For me, it matches, what the proxy generated.
<webservice>
    <guid>ed8363_10876a54b6d__7fe9_192_168_129_76_1135862193037</guid>
    <ejb-name-temp>MultiSecWSBean</ejb-name-temp>
    <webservice-name>
      <namespaceURI>urn:MultiSecuritySSLAuthWsd</namespaceURI>
      <localName>MultiSecuritySSLAuth</localName>
    </webservice-name>
    <webservice-internal-name>MultiSecuritySSLAuth</webservice-internal-name>
    <standard-namespaceURI>urn:MultiSecuritySSLAuthWsd</standard-namespaceURI>
    <ws-configuration>
      <configuration-name>SSL</configuration-name>
      <ejb-name>MultiSecWSBean</ejb-name>
      <service-endpoint-name>
        <namespaceURI>urn:MultiSecuritySSLAuthWsd</namespaceURI>
        <localName>SSLPort</localName>
      </service-endpoint-name>
      <wsdl-porttype-name>
        <namespaceURI>urn:MultiSecuritySSLAuthWsd</namespaceURI>
        <localName>MultiSecuritySSLAuthVi</localName>
      </wsdl-porttype-name>
      <webservice-definition-ref>
        <package>com.technidata.cfp.i3rdparty.cfpxml</package>
        <name>MultiSecuritySSLAuthWsd.wsdef</name>
      </webservice-definition-ref>
      <service-endpoint-vi-ref>
        <package>com.technidata.cfp.i3rdparty.cfpxml</package>
        <name>MultiSecuritySSLAuthVi.videf</name>
      </service-endpoint-vi-ref>
      <transport-binding name="SOAPHTTP_TransportBinding">
        <wsdl-binding-name>
          <namespaceURI>urn:MultiSecuritySSLAuthWsd</namespaceURI>
          <localName>SSLBinding</localName>
        </wsdl-binding-name>
      </transport-binding>
      <transport-address>/MultiSecuritySSLAuth/SSL</transport-address>
      <global-features>
        <feature name="http://www.sap.com/webas/630/soap/features/transportguarantee" protocol="SecurityProtocol">
          <property name="TLSType" value="SSL"/>
        </feature>
        <feature name="http://www.sap.com/webas/630/soap/features/authorization" protocol="SecurityProtocol"/>
        <feature name="http://www.sap.com/webas/630/soap/features/authentication" protocol="SecurityProtocol">
          <property name="AuthenticationMethod" value="BasicAuth"/>
          <property name="AuthenticationMechanism" value="HTTP"/>
          <property name="SupportsSSO2Authentication" value="false"/>
        </feature>
      </global-features>
      <operation-configuration uniqueViName="pingText(java.lang.String)">
        <transport-binding-configuration>
          <input>
            <property name="soapAction" value=""/>
            <property name="encodingStyle" value="http://schemas.xmlsoap.org/soap/encoding/"/>
          </input>
          <output>
            <property name="encodingStyle" value="http://schemas.xmlsoap.org/soap/encoding/"/>
          </output>
        </transport-binding-configuration>
        <feature name="http://www.sap.com/webas/630/soap/features/wss" protocol="SecurityProtocol">
          <property name="RequestPolicy" value="None"/>
          <property name="ResponsePolicy" value="None"/>
        </feature>
        <feature name="http://sap.com/webservices/authorization" protocol="SecurityProtocol">
          <property name="security-roles">
            <property name="role1" value="use_multisec_service"/>
          </property>
        </feature>
      </operation-configuration>
    </ws-configuration>
</webservice>
Regards,
Stefan

WWSAPI - Cannot connect to web service via SSL and HTTP proxy authentication with NTLM, errorCode 0x803d0016, HTTP status 407

Hi,
I built a web service client using WWSAPI. The connection works via SSL (without HTTP proxy) and it works with SSL and proxy with basic authentication as well. When I try to connect using a proxy with NTLM authentication, then I get the errorCode
0x803d0016, HTTP status "407 (0x197)", "Proxy Authentication Required".
In WireShark I see only one HTTP request to connect to the proxy with NTLM Message Type: NTLMSSP_NEGOTIATE. The HTTP Response returns Status 407 and the connection ist closed. Comparing this to Internet Explorer - the Connection is not closed and
a second request with NTLMSSP_AUTH is sent.
Why doesn't it make the complete NTLM handshake? Why wasn't sent the NTLMSSP_AUTH directly?
I oriented in the HttpCalculatorWithKerberosOverSslClientExample.
Using WS_HTTP_HEADER_AUTH_SECURITY_BINDING,
WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_SCHEME was set to WS_HTTP_HEADER_AUTH_SCHEME_NTLM, WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_TARGET to WS_HTTP_HEADER_AUTH_TARGET_PROXY. I tried WS_DEFAULT_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE but also WS_STRING_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE.
Any idea?
Thanks

Hi,
I built a web service client using WWSAPI. The connection works via SSL (without HTTP proxy) and it works with SSL and proxy with basic authentication as well. When I try to connect using a proxy with NTLM authentication, then I get the errorCode
0x803d0016, HTTP status "407 (0x197)", "Proxy Authentication Required".
In WireShark I see only one HTTP request to connect to the proxy with NTLM Message Type: NTLMSSP_NEGOTIATE. The HTTP Response returns Status 407 and the connection ist closed. Comparing this to Internet Explorer - the Connection is not closed and
a second request with NTLMSSP_AUTH is sent.
Why doesn't it make the complete NTLM handshake? Why wasn't sent the NTLMSSP_AUTH directly?
I oriented in the HttpCalculatorWithKerberosOverSslClientExample.
Using WS_HTTP_HEADER_AUTH_SECURITY_BINDING,
WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_SCHEME was set to WS_HTTP_HEADER_AUTH_SCHEME_NTLM, WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_TARGET to WS_HTTP_HEADER_AUTH_TARGET_PROXY. I tried WS_DEFAULT_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE but also WS_STRING_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE.
Any idea?
Thanks

Can't access IBM mainframe 3270 session via SSL self-signed cert.

Can't access IBM mainframe 3270 session via SSL self-signed cert since sometime last week. Using Mochasoft tn3270 lite on android works fine but iPad ios7 says "IBM mainframe has closed the session". Any clues would be appreciated.

I'm thinking the problem may be the IBM cert is 1024 bit. Investigating choices to implement 2048 bit cert into IBM.

MSSQL 2012 connect toDB2 AIX via SSL

i need to load data from a db2 into my mssql 2012ee. i only can connect the db2 via ssl. i was try with the MS OLE DB Provider for DB2 V4, but i was not successfully. testing the connection returned
SQLSTATE=08S01 SQLCODE=340
my counterpart cant support me, due there bash only skills ;( so i hope to get some informations here.
i can see the ssl certificate when i check with openssl.exe s_client -connect server port
do i need to put the client part of the certificate somewhere? the db2-guys told me that i should announce the ssl files with
db2 update dbm cfg using SSL_CLNT_KEYDB /apps/home/db2inst1/Client_SSL/keyclient.kdb
db2 update dbm cfg using SSL_CLNT_STASH /apps/home/db2inst1/Client_SSL/keyclient.sth
does anybody has expierince to build a linked server with a SSL encryption?

OLEDB simply has no support for SSL
Arthur My Blog

Discoverer DE 9i via SSL = end of communication channel

Has anyone encountered problems when working with Discoverer Desktop Edition 9i via SSL connection? I get ORA-3113 during initial loading while open workbook. SQL+ via SSL works fine.
Any suggestions?

Intermedia text is now Oracle Text. Please as Oracle Text questions in the Oracle Text forum, you will get a quicker and more expert response there.

ACE : Stickyness problem with http cookies

Hi,
I am facing a serious problem with stickyness in a e-commerce configuration.
Here is the setup :
An ACE load balance user requests on two Apache servers
cookie-insert is used to stick a user on one Apache server
The home page is accessed via http on port 80
On the Home page, there is a link to allowing the user to login
The login process uses SSL
During the login, backend SSL is required between the ACE and the selected Apache server
The login is a POST request to the Apache server
After a successful login, the home page is reloaded on port 80 and the name of the user should appear on the top of the page
The ACE configuration :
Two sticky groups are configured : one for HTTP acess and another for HTTPS access
Two server farms are defined, both using the same real servers, but with different ports (80 and 441)
     sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTP
       cookie insert browser-expire
       timeout 240
       replicate sticky
       serverfarm ECOM_FARM_TEST_HTTP
          sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTPS
       cookie insert browser-expire
       timeout 240
       replicate sticky
       serverfarm ECOM_FARM_TEST_HTTPS
     serverfarm host ECOM_FARM_TEST_HTTP
       description *** e-Commerce Test Server Farm ***
       probe ECOM_PROBE_TEST
       rserver HQCHECOM01 80
        inservice
       rserver HQCHECOM02 80
        inservice
         serverfarm host ECOM_FARM_TEST_HTTPS
      description *** e-Commerce Test Server Farm ***
      probe ECOM_PROBE_TEST
      rserver HQCHECOM01 443
       inservice
      rserver HQCHECOM02 443
       inservice
The problem :
Let analyse the sequence of events and the value of the http cookie for each of them :
When the the home page is originally loaded, the ACE selects SERVER-1
The ACE inserts the cookie "A" in the server responses
The user is sticked to SERVER-1
Then, the user tries to login and an SSL session is established with the ACE
The user sends a POST request containing the cookie "A"
A backend SSL session is established with SERVER-1
The POST request is forwarded to SERVER-1
SERVER-1 responds with a 200 OK and the ACE generates another cookie "B" as it belongs to the sticky group ECOM_STICKY_TEST_HTTPS
The client browser reloads the page on port 80 and provides the cookie "B" (the last received) !!
The ACE sees the cookie "B" but does not find it in its database for the sticky group ECOM_STICKY_TEST_HTTP
The ACE perform another load balancing decision and selects SERVER-2 ! (instead of SERVER-1)
The page is reloaded, but the name of the user does not appear on it
The question :
As it is not possible to have only one sticky group in this configuration what would be the solution to make sure that the same server is selected for http and https ?
Thank you for any hints,
Yves

Hi Gilles,
I followed your recommendation to configure static cookie entries in each sticky group, but I still experience the problem of sessions getting re-load balanced to the second server when returning from HTTPS to HTTP :
It seems that the ACE ignores the static entries !
To make my question clear, I repeat hereafter the setup and the encountered problem :
Here is the setup :
An ACE load balance user requests on two Apache servers
cookie-insert is used to stick a user on one Apache server
The home page is accessed via http on port 80
On the Home page, there is a link to allowing the user to login
The login process uses SSL
During the login, backend SSL is required between the ACE and the selected Apache server
The login is a POST request to the Apache server
After a successful login, the home page is reloaded on port 80 and the name of the user should appear on the top of the page
The ACE configuration :
Two sticky groups are configured : one for HTTP acess and another for HTTPS access
Two server farms are defined, both using the same real servers, but with different ports (80 and 443)
In the ECOM_STICKY_TEST_HTTP stick group the two following cookies are automatically generated :
R105816849   for the server HQCHECOM01
R105852786   for the server HQCHECOM02
In the ECOM_STICKY_TEST_HTTPS stick group the two following cookies are automatically generated :
R355972695   for the server HQCHECOM01
R357158616   for the server HQCHECOM02
I statically configured in the each sticky group the cookies used by the other sticky group, to allow stickiness when the browser switches from HTTP to HTTPS and vice versa :
sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTP
cookie insert browser-expire
timeout 240
replicate sticky
serverfarm ECOM_FARM_TEST_HTTP backup WEB_REDIRECT_001
56 static cookie-value "R355972695" rserver HQCHECOM01
64 static cookie-value "R357158616" rserver HQCHECOM02
sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTPS
cookie insert browser-expire
timeout 240
replicate sticky
serverfarm ECOM_FARM_TEST_HTTPS backup WEB_REDIRECT_001
72 static cookie-value "R105816849" rserver HQCHECOM01
80 static cookie-value "R105852786" rserver HQCHECOM02
serverfarm host ECOM_FARM_TEST_HTTP
description *** e-Commerce Test Server Farm ***
probe ECOM_PROBE_TEST
rserver HQCHECOM01 80
   inservice
rserver HQCHECOM02 80
   inservice
serverfarm host ECOM_FARM_TEST_HTTPS
description *** e-Commerce Test Server Farm ***
probe ECOM_PROBE_TEST
rserver HQCHECOM01 443
   inservice
rserver HQCHECOM02 443
   inservice
The problem :
Let analyse the sequence of events and the value of the http cookie for each of them :
When the the home page is originally loaded, the ACE selects SERVER-1
The ACE inserts the cookie "A" in the server responses
The user is sticked to SERVER-1
Then, the user tries to login and an SSL session is established with the ACE
The user sends a POST request containing the cookie "A"
A backend SSL session is established with SERVER-1
The POST request is forwarded to SERVER-1
SERVER-1 responds with a 200 OK and the ACE generates another cookie "B" as it belongs to the sticky group ECOM_STICKY_TEST_HTTPS
The client browser reloads the page on port 80 and provides the cookie "B" (the last received)
The ACE sees the cookie "B" and should use the static cookie entry to select the SERVER-1
But instead, the ACE perform another load balancing decision and selects SERVER-2 !
The page is reloaded, but the name of the user does not appear on it
LiveHTTP Trace on Firefox :
GET /ecom/medias/sys_master/8800775602206/Home-page-main-banners-video.jpg HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R105816849;
HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105816849; path=/
Date: Mon, 18 Oct 2010 15:31:37 GMT
Server: Apache/2.2.13 (Red Hat)
Connection: close
Transfer-Encoding: chunked
Content-Type: image/jpeg
Here we switch on HTTPS :
https://ecom.test.toto.com/uk/en/j_spring_security_check
POST /uk/en/j_spring_security_check HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R105816849; JSESSIONID=089DCF987DC03CAE0F516298EB886DAB.node1;
Content-Type: application/x-www-form-urlencoded
Content-Length: 75
spring-security-redirect=&j_username=yves144%40yahoo.com&j_password=junon01
Here we see cookie for the same server but for the HTTPS sticky group :
HTTP/1.1 302 Moved Temporarily
Set-Cookie: STICKED-TO=R355972695; path=/
Set-Cookie: _hybris.tenantID_=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
Date: Mon, 18 Oct 2010 15:31:39 GMT
Server: Apache/2.2.13 (Red Hat)
Location: http://ecom.test.toto.com/uk/en/home
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
Here we switch back to HTTP :
http://ecom.test.toto.com/uk/en/home
GET /uk/en/home HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R355972695; JSESSIONID=089DCF987DC03CAE0F516298EB886DAB.node1;
Here we see that the second server has been wrongly selected !
HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105852786; path=/
Set-Cookie: _hybris.tenantID_=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
Set-Cookie: JSESSIONID=5A0F6EB8FBF63D5D0590FECEC62A302E.node2; Path=/; HttpOnly
Date: Mon, 18 Oct 2010 15:31:40 GMT
Server: Apache/2.2.13 (Red Hat)
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store
Content-Language: en-GB
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8
http://ecom.test.toto.com/ecom/medias/sys_master/8796174057502/uk.gif
GET /ecom/medias/sys_master/8796174057502/uk.gif HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R105852786; JSESSIONID=5A0F6EB8FBF63D5D0590FECEC62A302E.node2;
HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105852786; path=/
Date: Mon, 18 Oct 2010 15:31:40 GMT
Server: Apache/2.2.13 (Red Hat)
Content-Length: 382
Connection: close
Content-Type: image/gif
Hypothesis :
It seems that the static entries are not considered by the ACE...

ACE : Stickyness with static cookies problem

Hi Gilles
I restart a conversatoion as a question to clarify the situation :
I followed your recommendation to configure static cookie entries in each sticky group, but I still experience the problem of sessions getting re-load balanced to the second server when returning from HTTPS to HTTP :
It seems that the ACE ignores the static entries !
To make my question clear, I repeat hereafter the setup and the encountered problem :
Here is the setup :
An ACE load balance user requests on two Apache servers
cookie-insert is used to stick a user on one Apache server
The home page is accessed via http on port 80
On the Home page, there is a link to allowing the user to login
The login process uses SSL
During the login, backend SSL is required between the ACE and the selected Apache server
The login is a POST request to the Apache server
After a successful login, the home page is reloaded on port 80 and the name of the user should appear on the top of the page
The ACE configuration :
Two sticky groups are configured : one for HTTP acess and another for HTTPS access
Two server farms are defined, both using the same real servers, but with different ports (80 and 443)
In the ECOM_STICKY_TEST_HTTP stick group the two following cookies are automatically generated :
R105816849   for the server HQCHECOM01
R105852786   for the server HQCHECOM02
In the ECOM_STICKY_TEST_HTTPS stick group the two following cookies are automatically generated :
R355972695   for the server HQCHECOM01
R357158616   for the server HQCHECOM02
I statically configured in the each sticky group the cookies used by the other sticky group, to allow stickiness when the browser switches from HTTP to HTTPS and vice versa :
sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTP
cookie insert browser-expire
timeout 240
replicate sticky
serverfarm ECOM_FARM_TEST_HTTP backup WEB_REDIRECT_001
56 static cookie-value "R355972695" rserver HQCHECOM01
64 static cookie-value "R357158616" rserver HQCHECOM02
sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTPS
cookie insert browser-expire
timeout 240
replicate sticky
serverfarm ECOM_FARM_TEST_HTTPS backup WEB_REDIRECT_001
72 static cookie-value "R105816849" rserver HQCHECOM01
80 static cookie-value "R105852786" rserver HQCHECOM02
serverfarm host ECOM_FARM_TEST_HTTP
description *** e-Commerce Test Server Farm ***
probe ECOM_PROBE_TEST
rserver HQCHECOM01 80
   inservice
rserver HQCHECOM02 80
   inservice
serverfarm host ECOM_FARM_TEST_HTTPS
description *** e-Commerce Test Server Farm ***
probe ECOM_PROBE_TEST
rserver HQCHECOM01 443
   inservice
rserver HQCHECOM02 443
   inservice
The problem :
Let analyse the sequence of events and the value of the http cookie for each of them :
When the the home page is originally loaded, the ACE selects SERVER-1
The ACE inserts the cookie "A" in the server responses
The user is sticked to SERVER-1
Then, the user tries to login and an SSL session is established with the ACE
The user sends a POST request containing the cookie "A"
A backend SSL session is established with SERVER-1
The POST request is forwarded to SERVER-1
SERVER-1 responds with a 200 OK and the ACE generates another cookie "B" as it belongs to the sticky group ECOM_STICKY_TEST_HTTPS
The client browser reloads the page on port 80 and provides the cookie "B" (the last received)
The ACE sees the cookie "B" and should use the static cookie entry to select the SERVER-1
But instead, the ACE perform another load balancing decision and selects SERVER-2 !
The page is reloaded, but the name of the user does not appear on it
LiveHTTP Trace on Firefox :
GET /ecom/medias/sys_master/8800775602206/Home-page-main-banners-video.jpg HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R105816849;
HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105816849; path=/
Date: Mon, 18 Oct 2010 15:31:37 GMT
Server: Apache/2.2.13 (Red Hat)
Connection: close
Transfer-Encoding: chunked
Content-Type: image/jpeg
Here we switch on HTTPS :
https://ecom.test.toto.com/uk/en/j_spring_security_check
POST /uk/en/j_spring_security_check HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R105816849; JSESSIONID=089DCF987DC03CAE0F516298EB886DAB.node1;
Content-Type: application/x-www-form-urlencoded
Content-Length: 75
spring-security-redirect=&j_username=yves144%40yahoo.com&j_password=junon01
Here we see cookie for the same server but for the HTTPS sticky group :
HTTP/1.1 302 Moved Temporarily
Set-Cookie: STICKED-TO=R355972695; path=/
Set-Cookie: _hybris.tenantID_=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
Date: Mon, 18 Oct 2010 15:31:39 GMT
Server: Apache/2.2.13 (Red Hat)
Location: http://ecom.test.toto.com/uk/en/home
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
Here we switch back to HTTP :
http://ecom.test.toto.com/uk/en/home
GET /uk/en/home HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R355972695; JSESSIONID=089DCF987DC03CAE0F516298EB886DAB.node1;
Here we see that the second server has been wrongly selected !
HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105852786; path=/
Set-Cookie: _hybris.tenantID_=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
Set-Cookie: JSESSIONID=5A0F6EB8FBF63D5D0590FECEC62A302E.node2; Path=/; HttpOnly
Date: Mon, 18 Oct 2010 15:31:40 GMT
Server: Apache/2.2.13 (Red Hat)
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store
Content-Language: en-GB
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8
http://ecom.test.toto.com/ecom/medias/sys_master/8796174057502/uk.gif
GET /ecom/medias/sys_master/8796174057502/uk.gif HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R105852786; JSESSIONID=5A0F6EB8FBF63D5D0590FECEC62A302E.node2;
HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105852786; path=/
Date: Mon, 18 Oct 2010 15:31:40 GMT
Server: Apache/2.2.13 (Red Hat)
Content-Length: 382
Connection: close
Content-Type: image/gif
Hypothesis :
It seems that the static entries are not considered by the ACE...

Yves,
you have to specify the destination port
56 static cookie-value "R355972695" rserver HQCHECOM01 80
64 static cookie-value "R357158616" rserver HQCHECOM02 80
serverfarm host ECOM_FARM_TEST_HTTP
description *** e-Commerce Test Server Farm ***
   probe ECOM_PROBE_TEST
rserver HQCHECOM01 80
   inservice
   rserver HQCHECOM02 80
   inservice
Gilles.

Coldfusion 11 - Web Sockets via SSL

Help!
I can't seem to figure out how to handle WSS (Websockets over SSL). I have a cert that has already been sent/received by verifier. I have a cert and an intermediate cert. I've been looking at documentation and from what I've gathered i need to add the certs to the "keystore". I issued a command like this ->>> D:\CF11\jre\bin\keytool -import -v -alias myCert-cert -file myCert.cer -keystore D:\CF11\jre\lib\security\cacerts -storepass changeit <-- I see the cert is added. And if list the keystore i see the number of certs increased by one. I then enable the SSL WS, use default port (built in server.. not proxied), and point it to the keystore D:\CF11\jre\lib\security\cacerts and for pass i simply use the default changeit.... I've modified my cfcode to have the secure="true" attribute. So I think everything is setup correctly ....but... when i goto the webpage the web socket will try to connect then simply not connect (Firebug says the connection was refused) (The code works fine removing the secure attribute and accessing via http) ... So i guess i'm not sure exactly what i should be doing. Can i use the same cert that I had created via IIS. The cert looks valid. Also further more i see nothing showing up in the log files.. I see a log called WebSocket.log but the size is 0 and nothing is being thrown in the exception log either.. I'm completely confused.

Hi Sharma,
I also sent you a note directly via email (see below). I am having a similar issue to Prem without resolution.
Our CF11 server configuration:
Windows 2012 Server R2
IIS 8
We have a *.balboadigital.com registered RapidSSL certificate installed on our server which resolves to https://dev.balboadigital.com on this particular development box. I've been unable to locate any online resources which would show me how to utilize this certificate for websockets within CF11. Due to this, I was happy to find your reference to try a self-signed certificate. I followed your instructions. Here is the breakdown:
1. I generated the keystore per your instructions which created the websocket.crt file.
2. The CF server XML was uncommented and updated to:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
                keystoreFile="C:\ColdFusion11\jre\bin\websocket.crt" keystorePass="[my password]"/>
3. I restarted the CF11 Application Windows service.
4. The "Use Built-In WebSocket Server" radio button was selected with PORT: 8575 for non-SLL and PORT: 8543 for SSL as defaults. The KeyStore was set to "C:/ColdFusion11/jre/bin/websocket.crt" and the KeyStore Password to "[MyPassword]" and changes posted.
5. I restarted the CF11 Application Windows service.
6. I then ran a test web page: https://dev.balboadigital.com/admin/websocket/index_withssl.cfm (this is live for you to test)
Application.cfc
<CFCOMPONENT>
    <CFSCRIPT>
    this.name = "balboa";
    this.wschannels = [{name="phone"}];
    </CFSCRIPT>
</CFCOMPONENT>
index_withSSL.cfm
<script type="text/javascript">
    function mymessagehandler(atoken)
        if (atoken.data != null) {
            var message = ColdFusion.JSON.encode(atoken.data);
            var txt = document.getElementById("myDiv");
            txt.innerHTML += message + "<br>";
    function publishmessage()
        var msg = document.getElementById("message").value;
        mycfwebsocketobject.publish("phone.4",msg );
</script>
<cfwebsocket name="mycfwebsocketobject" onmessage="mymessagehandler" subscribeto="phone" secure="true">
"Phone" Message: <input id ="message" type="text" > <input type="button" onclick="publishmessage();" value="Publish Message"><br />
<cfdiv id="myDiv"></cfdiv>
The test fails and returns the following from the Google Chrome Console:
WebSocket connection to 'wss://dev.balboadigital.com:8543/cfusion/cfusion' failed: WebSocket opening handshake was canceled
7. The script was copied and modified to eliminate SSL as follows: http://dev.balboadigital.com/admin/websocket/index_nossl.cfm (this is live for you to test)
index_nossl.cfm
<script type="text/javascript">
    function mymessagehandler(atoken)
        if (atoken.data != null) {
            var message = ColdFusion.JSON.encode(atoken.data);
            var txt = document.getElementById("myDiv");
            txt.innerHTML += message + "<br>";
    function publishmessage()
        var msg = document.getElementById("message").value;
        mycfwebsocketobject.publish("phone",msg );
</script>
<cfwebsocket name="mycfwebsocketobject" onmessage="mymessagehandler" subscribeto="phone">
"Phone" Message: <input id ="message" type="text" > <input type="button" onclick="publishmessage();" value="Publish Message"><br />
<cfdiv id="myDiv"></cfdiv>
This test passes and works as expected, but no SSL.
Please advise as our application absolutely requires that SSL is working for us.
Thanks,
Kevin

ACE 4700 configuring SSL termination weblogic server 10.3.6

Hello,
Im trying to configure an ACE 4700 so that SSL termination is done on the ACE and HTTP reaches the weblogic server instance.
I have a working setup of a Apache reverse proxy doing SSL offloading and using a weblogic module and that works fine
Was reading http://docs.oracle.com/cd/E23943_01/web.1111/e13709/load_balancing.htm#i1045186
Can anyone point me to a working config example for doing this with the ACE4700 or give me some directions here?
Kind regards,
Laurens

Hi Laurens,
Here is a basic configuration for SSL termination:
rserver host test
ip address 10.198.16.98
inservice
rserver host test2
ip address 10.198.16.93
inservice
serverfarm host test
rserver test 80
    inservice
rserver test2 80
    inservice
ssl-proxy service TEST
key cert
cert cert
class-map match-all VIPSSL
2 match virtual-address 10.198.16.122 tcp eq https
policy-map type loadbalance first-match test
class class-default
    serverfarm test
policy-map multi-match clients
class VIPSSL
    loadbalance vip inservice
    loadbalance policy test
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 112
    ssl-proxy server TEST
interface vlan 112
ip address 10.198.16.91 255.255.255.192
access-group input Allow_Access
nat-pool 1 10.198.16.122 10.198.16.122 netmask 255.255.255.192 pat
service-policy input NSS_MGMT
service-policy input clients
no shutdown
Cesar R
ANS Team

ACE Stickyness via SSL

Similar Messages

Maybe you are looking for