HTTP & SSL Stickiness

Similar Messages

• ACE: HTTP followed by HTTPs/SSL termination, stickiness

  Dear Helpers,
  I'm trying to figure out the best sticky/persistence method for the following for ACE,
  Client X ----(HTTP)--------------------------------------------ACE LB ---to----Server 1
  Client X -----(HTTPs)---ACE/SSL termination ------ACE LB ---to---- Server1
  Both HTTP and HTTPs use the same VIP for HTTP and HTTPs)
  The same client to stick/persist to the same server using both HTTP and HTTPs. HTTPs/SSL is terminated by ACE.
  Could you point me to sample configurations for this requirement, please.
  Thank you
  SS

  HI Gilles,
  thanks for the response. Sorry had gotten distracted with a bunch of other things, didn't get a chance to get back to this. Anyway, so, I can generate the 302 response in my web-servers except I need to turn it around to a different domain name. Now assuming I use URL re-write when I see this coming back from the web-server, I can rewrite this to https and send to the client? A few questions about this and the links you sent above with using redirect service.
  a) can I do a a redirect to an https address or does it only do http (considering I only saw examples configs only using www.domain.com/index.html type redirects without specifying the protocol to use)?
  b) If not, then I use URL rewrite in conjunction with the 302 from the web-servers. But for my SSL off-load in a pair of CSS using VIP and Virtul Interface redundancy, do I buy 2xSSL Certs for the same domain-name or do I buy ONE (i.e. generate the key-pair/CSR in Master CSS) and import the same rsakey and SSL Cert recd. from CA into both CSSs?
  c) Does the CSS handle a wildcard SSL Cert without problems?
  Thanks again,
  \R

• CSS - SSL Stickiness

  Gilles,
  Could you please advice the CSS content configured with stickiness SSL ID and balance method round robin is recommended configuration or not.Are there are any issues with SSL stickiness with the browsers i.e IE .
  Note:- I am not using SSL Module in the CSS.
  Thanks in advance...

  There are two issues
  Some versions of IE (5.0, 5.5 --check http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q265369) will
  cause the client to change its SSL ID every 2 minutes and this will break
  stickyness with application ssl and advanced balance SSL as this is layer 5
  stickyness based on SSL session ID. A sniffer trace from the client will
  show the ID field change.
  You have to be aware that SSL stickiness will only work with SSL v3,
  because it comes with the session ID not encrypted. SSL v2 comes with the session ID encrypted and you can't do stickyness
  based on that version.So your appliaction servers must be using SSL v3, if you want to use SSL ID based stickiness.
  Hope it helps
  Syed Iftekhar Ahmed

• Persistent HTTPS/SSL connections

  Dear all,
  Does anybody know how to make an HTTPS/SSL connection persistent.
  We need to make multiple HTTPS requests to a server and we found that most of the time it gets new SSL session ID and makes all the master-secret processing whenever it gets the enw session ID.
  I have seen (with -Djavax.net.debug=ssl option) that the JSSE tries to resume, but the server sends new session id, do I need to set/force anything from my side?
  Thanks in advance for the answer!
  Vijay

  We have solved the problem!
  For those who wish to know what happened
  I have done some debugging with the JRE option -Djavax.net.debug=ssl and I could see the JSSE libraries (1.0.2, with JDK 1.3.1) trying to resume the seesion with the SSL session ID which it got from previous communication, however, the server gave a new session ID back and it had to do all the compautations for the secret exchanges from scratch.
  Then we found the load balancer transfers each requests to different servers causing the creation of new session IDs. The problem is solved after making our requests "sticky" to the load balancer and the SSL accelerator.

• Pesistent HTTPS/SSL connections

  Dear all,
  Does anybody knows how to make an HTTPS/SSL connection persistent.
  We need to make multiple HTTPS requests to a server and we found that most of the time it gets new SSL session ID and makes all the crypto/certificate processing whenever it gets the enw session ID.
  I have seen (with -Djavax.net.debug=ssl option) that the JSSE tries to resume, but the server sends new session id, do I need to set/force anything from my side?
  Thanks in advacne for the answer!
  Vijay

  We have solved the problem!
  For those who wish to know what happened
  I have done some debugging with the JRE option -Djavax.net.debug=ssl and I could see the JSSE libraries (1.0.2, with JDK 1.3.1) trying to resume the seesion with the SSL session ID which it got from previous communication, however, the server gave a new session ID back and it had to do all the compautations for the secret exchanges from scratch.
  Then we found the load balancer transfers each requests to different servers causing the creation of new session IDs. The problem is solved after making our requests "sticky" to the load balancer and the SSL accelerator.

• SSL Sticky feature...

  We were trying SSL Sticky feature with two real http servers and it
  does not seem to work..
  When i configure ssl sticky for the https VIP, it apparently, sticks
  the connection to the first leg i.e, the SSL Termination. However, the
  second leg i.e, the decrypted session between the SSL card and real
  server are not sticking together.. I am not
  sure if this is supported in the first place.., Can someone confirm this please..? and you if you have some working configuration, please share..

  Btw, I am looking for a CSM-S config, but a CSM with SSLM config will help as well..
  Thanks

• Swf file not loading over Https(SSL) on Internet Explorer...

  hi ,
  I have a .swf file used in html file and i try to browse using "https(SSL)".it will loads fine in Firefox, but in Internet Explorer wont able to load. When right-clicking it says "movie not loaded".
  even i googling for the same and i got below option but i am still not able to get flash on html page. it will working fine in Internet Explorer,FireFox etc when we use"http".
  1) add headers like "Cache-Control: must-revalidate" or "Cache-Control: max-age=0" or "Cache-Control: no-store" etc
  2) use CrossDomain.xml
  we also able to load swf in https on Internet Explorer but for that we have to do below settings in Internet Explorer browser.
  1) Go to Tools --> Click on Internet Option --> click on Advanced tab --> Now in security section checked mark on "Do not save encrypted pages to disk".
  but above way is not a proper way to resolve the https issue
  Thanks.

  found this within the Adobe forums, seems to solve your issue.
  I would make sure to use the crossdomain file as well.

• Trying to understand SSL sticky with CSS 11506 / ssl-l4-fallback behavior

  Dear experts
  I have a CSS 11506 (v7.50) which is used to load balance several SSL-based sites. We use the following textbook content rule:
  content mysite-SSL
  vip address 10.0.0.1
  add service s01
  add service s02
  add service s03
  port 443
  protocol tcp
  advanced-balance ssl
  application ssl
  flow-timeout-multiplier 225
  active
  If I read the manual correctly, SSL L3 session IDs are going to be used till a flow is set up. Then the ssl-l4-fallback (it is enabled) directive kicks in and load balancing is done based on the source IP, destination port.
  However, my stats show:
  Sticky Statistics - SFM Slot 1, Subslot 1:
  Total number of new sticky entries is 4937735
  Total number of sticky table hits is 33476045
  Total number of sticky rejects (no entry) is 0
  Total number of sticky collision is 0
  Total number of available sticky entries is 0
  Total number of used sticky entries is 131071
  Total L3 sticky entries are 131
  Total L4 sticky entries are 0
  Total SSL sticky entries are 130940
  Total WAP sticky entries are 0
  Total number of SIPCID sticky entries is 0
  So, why don't I see anything in the L4 sticky entries?
  Also, I would expect that once the ssl-l4-fallback kicks in, a client will be always directed to the same server (since the CSS uses now source IP, dest port for load balancing). However, if I close and start again my browser I hit a different server.
  Your thoughts and suggestions are highly appreciated.
  John.

  Hi Gilles
  Thank you for your response. If I may ask the group for a final further clarification, so as to put this matter to rest. Since there are a lot of frames transmitted in either direction, I would expect the following to be happening and overriding the use of SSLv3 session IDs. Following is the section of the manual that seems to contradict what you say (and I see on the stats). Am I reading the manual wrong?
  "Cisco Content Services Switch
  Content Load-Balancing
  Configuration Guide
  Software Version 8.20
  November 2006
  page 11-14
  Configuring SSL-Layer 4 Fallback
  Insertion of the Layer 4 hash value into the sticky table occurs when more than
  three frames are transmitted in either direction (client-to-server, server-to-client)
  or if SSL version 2 is in use on the network. If either condition occurs, the CSS
  inserts the Layer 4 hash value into the sticky table, overriding the further use of
  the SSL version 3 session ID."

• Https ssl config Oracle AS, webcache, portal...almost works

  Hi,
  I have searched the forums and I havent found anything that works for me.
  I have Oracle infrastructure on one server, and Oracle App server/portal on another server. I can get as far as the http server showing the "welcome to oracle" page in https form. When I try to access a page in the portal (plsql) I get a blank page. It does convert the "https://myserver:xxxx//pls/portal/url/page/IRWEB/HOME
  " to "https://myserver:xxxx/portal/page?_pageid=73,86254,73_86264:73_86316:73_8632...." but nothing comes up.
  Also, it uses the Infrastructure server for single-sign-on...so I need to make the app server do the single sign-on. I've tried by adding /pls/orasso entry in DADS.conf of http server..
  So as far as I can tell...the http server IS operating in https/ssl, but the single-sign-on and the pages in the portal are not.
  I have to do everything manually since I am using 10.1.2 (no Oracle Collab Suite installed, so no SSLConfigTool and other assistants)
  Here is what I've done to get https://myserver:xxxx/ to come up ok.
  server 1: Oracle Infrastructure and Oracle database release 1 10.1.2.0.0
  server 2: Oracle Application Server / Portal with webcache release 2 10.1.2
  using Oracle Wallet for certificate,
  http server -> process management "ssl-enabled",
  http server -> advanced -> ssl.config: SSLWallet file:, SSLWalletPassword, virtual host for ssl
  webcache -> added settings for ssl (I used the current entries for non-ssl as a guide for the ssl entries)
  Interesting issue...with the ports in the ssl.conf file example:
  Port 4459
  Listen 4459
  VirtualHose myserver.blah.edu:4450
  Port 4458
  When I get the blank page trying to use ssl and 4459, I can manually change the url in my browser to 4458 (or maybe its the other way around) and get this message: "Error: The portlet could not be contacted"
  Is this a problem with webcache? Do I have to do any ssl config on the server with the database?
  I've even tried disabling the webcache, both with the oracle sql script and through web interface but neither made a difference...same problem.
  Any help would be greatly appreciated..I feel as if I'm almost there.
  If I did not post enough info for accurate help, please ask what you need to know to provide help! Thanks in advance.

  Hi,
  Yes you can go for SSl configuration without re-installing any of the components.
  Regards,
  access_tammy

• Https / SSL needed for my website

  I hope someone can help me.
  I have a website
  http://www.to-shea.com
  I purchased a SSL package from register.com (they host my
  site too). They told me "anyone who sees my site would see the
  https prefix. I received an email from them stating that they could
  not put the https prefix on my site, although it is on their secure
  servers. needless to say, I was quite upset. Anyone on the web
  knows that an https prefix means it is a secure site. Is there ANY
  thing I can do to fix this problem. (it only cost me $28.00)
  Is there a program I can use to force the https prefix.
  I am on a Mac (OSX) and I use Dreamweaver CS3. I am a LITTLE
  familiar with html code but not a alot.
  Can someone there help me???

  What exactly are you asking a question about?
  https and SSL are usually only used for secure transfer of
  information when
  ordering and sending sensitive information. You do not want
  people viewing
  the web site using https and not completing an order to be in
  https SSL
  because it slows things down. It involves encoding/decoding
  of everything in
  the page including graphics.
  In other words- I shop at the site. I add things to the cart.
  I am viewing
  the site in http until it's time to check out and i am asked
  for my card
  numbers.
  Does the certificate not work or throw an error?
  Do you understand how to change links from https to http?
  When to use http or https?
  And if you want to force https, what is the server side
  scripting language.
  What's the question please.
  Alan
  Adobe Community Expert, dreamweaver
  http://www.adobe.com/communities/experts/

• How to do http session stickiness based on URL patterns?

  Is there a feature within the WL plugin for Apache that would allow me to emulate the "jvmroute" session stickiness behaviour as provided by Tomcat and its plugin. I would like to have the control to tie requests from http clients to particular WLS servers in a cluster depending on the URL. For example http://foo.com/web01 requests would be forwarded to an appsererver app01 and so on. For all other requests (e.g http://foo.com/web), the WL plugin would do its normal load balancing ignoring the stickiness. From my understanding the WLS inbuilt http session stickiness is based on JSessionIDs which are exchanged using cookies - which is something i cannot use in my case since i want the stickiness based on URL patterns.
  I am using WLS 10.0 with Apache 2.2.4 on Linux.
  Thanks
  Ramdas

  Session is not replicated across all the servers in the Cluster.
  Apache knows which server to go using the JSession ID.
  There is a concept of primary and secondary, secondary is selected based on the replication groups there are configured in the cluster.
  you can configure the cluster so that /web01 requests go to different cluster, and /web requests go to different cluster.
  but you can get all the funtiionalities from the single cluster.
  Do you have any java caching that you are not able to replicate across the cluster ?(I know this can be done too).
  let me know what you are actually trying to solve by doing the behavior you explained.

• How the external system will talk to ECXpert 3.5 for transfering files via HTTP SSl?

  We are using ECxpert3.5 on Solaris box. One of our Trading Partner want to communicate through HTTP-SSL and we are doing XML/EDI mapping. Could you guide us what steps we need to take care to implement this.
  How the external system will talk to ECXpert for transferring files. (We need the syntax for the URL). How ECXpert will receive XML file through HTTP-SSL protocol from External System and file submittion.
  Please send is there any other document which explain about. Thanks in advance for your help. [email protected] or [email protected]

  Hi Steve,
  You can bring the GRC framework to a state equivalent to a raw install by following options:
  Option 1.) You should have a base-line backup before GRC installation. If so then apply that base-lin backup and deploy GRC components. If there is no base-lin backup, then
  Option 2.) Uninstall and re-install J2EE and then follow up with rest of the installation process. If you don't want to go through re-install process, then
  **Correction to Option 3**
  Option3.) SAP is in process of creating a SAP Note for Delete script, Instead of delivering Delete Script script via OSS message.  Will update you as soon as the Note gets released.
  Please refere to Note # 1416728 to Manage your deletion in RAR 5.3 SP10.
  Hope this helps.
  Best Regards,
  Sirish Gullapalli.

• Http cookie stickiness

  Hi,
  I have an http session between Web Server farm and Application Server Farm.
  After firt http request, Application Server send this pck (see file http_header.txt ).
  So, I configured http cookie Stickiness with Dynamic cookie learning:
  sticky http-cookie JSESSIONID Cookie-Bea-Group
  cookie offset 0 length 64
  timeout 70
  timeout activeconns
  replicate sticky
  serverfarm BEA8-SFARM-3
  But it doesn't work. But if web server received an answer from Application server with only one set-cookie
  Set-Cookie:JSESSIONID=xxxxx
  It work
  if in the http header there are two set-cookie doesn't work.
  I need stick the session based only on JSESSIONID cookie.
  Is it possible and how?
  Thanks
  Dino

  Hi Dear,
  The ACE appliance/module has the dynamic cookie feature.
  You then just need configure the cookie name and the box does the rest.
  When static cookies are used there will only be one entry in the cookie database per real server. So, if ace-cookie is the only cookie defined and there are two servers, there will only be two entries in the sticky database, even if there are thousands of user sessions.
  Dynamic cookie learning is another option for keeping the SAP session persistent. The sticky table can hold a maximum of four million dynamic entries (four million simultaneous users). The key is choosing the right cookie name.
  Lets take an example of SAP sets a number of cookies for various purposes (note the ace_cookie was set by Cisco ACE using cookie insert, not SAP), but the saplb_* cookie is set by SAP specifically for load-balancers. It has the format saplb_=()[].
  Here, the cookie value also helps to verify which server instance and physical node you are connected to.
  The configuration process for cookie learning is similar-with a few changes in the syntax.
  Example configuration:
  ssticky http-cookie saplb_* ep-cookie
  replicate sticky
  serverfarm EP-HTTP
  policy-map type loadbalance http first-match ep-policy
  class class-default
  sticky-serverfarm ep-cookie
  In the above examples, the replicate sticky command is used so that the cookie information is replicated to the standby Cisco ACE context. With this implementation, session persistence is maintained in the event of a failover. The default timeout is one day.
  The show sticky data command retrieves the active sticky entries that have been dynamically learned. The value shown is not the actual cookie value, but a function of it created by Cisco ACE.
  Example configuration:
  switch/SAP-Datacenter# show sticky data
  sticky group : ep-cookie
  type : HTTP-COOKIE
  timeout : 100 timeout-activeconns : FALSE
  sticky-entry rserver-instance time-to-expire flags
  ---------------------+--------------------------------+--------------+-------+
  6026630525409626373 SAP-EP:50000 5983
  Load Balancing Identifier
  The Load Balancing Identifier used for Load balancing to Web AS Java instances has the following syntax.
  saplb_=()[]
  The cookie is set on path=”/” and domain=.
  The same syntax applies if the identifier is used via url rewriting.
  The applies only to the J2EE Engine where session stickyness on a process (JVM) level is required. The uniquely identifies a set of instances. If there are no special group definitions then the special group identifier '*' is used. This will be the case for a default installation.
  The SAP Web Dispatcher checks for path prefix match and thereby determines group name. This allows to obtain from the set of dispatch cookies or to do initial load balancing for the group. The Java dispatcher receives the request and also checks for the group. The Java dispatcher then reads from the appropriate dispatch cookie or performs initial dispatch on his local nodes.
  The CSS does not have the possibility to learn dynamic cookie value created on the server.
  So, you can either use arrowpoint cookies which is quite simple or have your server team add a static value to the jsessionid in order to identify the server.
  We can then configure the CSS to locate this static value and match it to a service.
  If possible kindly rate.
  Keep in touch.
  Kind regards,
  Sachin Garg

• WebDAV over HTTPS/SSL

  Will Oracle Portal support WebDAV using HTTPS/SSL?

  Jeff, while OraDAV does suppot SSL, some WebDAV clients do not. For example, on NT/Windows 2000 Web Folders, IE, and Mozilla (Netscape 7.0) support SSL. Dreamweaver and GoLive do not. On Unix, Linux and the Mac OS, Mozilla and Cadaver support SSL.

• Do oracle HTTP servers support https/SSL failover??

  Dear all,
  my company plans to use a load balancer (F5) to distribute the workload to multiple
  oracle http servers and oc4j servers (in different machines).
  we prefer to put the ssl encrypt/decrypt to the http server (ssl pass throuhgh, not put
  on the load balancer due to some reasons).
  so i want to know if using https / ssl, will the ssl state replicate to multiple oracle http
  servers so that when one http server / machine down, the existing ssl traffic can
  transparently rout to other servers?
  if yes, how can i achieve that ??
  thanks.
  lsp

  I now have the standalone version of the Oracle HTTP server 10g.
  I also have a signed certificate that I have been using on the old 9i Oracle HTTP server (with the parameters mentioned above).
  It seems on the 10g version I have to use a wallet file.
  I go into Oracle Wallet manager but I can't import a certificate request, I can only create a new one. Then when I import the signed user certificate I already
  have, it tells me it doesn't match the certificate request file. I need to be able to create a wallet for my existing signed certificate.
  cheers
  Robert