HTTPS persistence SSL session, ACN 4.2.1

Customer is experiencing a problem resulting in the ACN software resolving the host.domain.com twice. Webapplication https://host.domain.com/webapp/index.jsp. The customer uses a ACN to proxy the https request. The host.domain gets resolve to 1 of 4 available application servers (webserver). At the application login page (index.jsp) the user is successfully authenticated by the application's Login servlet on webserver 1. The user is then redirected to the select application, local to the webserver 1. It appears that when the ACN receives the response from webserver 1 with the fully qualitfying URL. The redirection cause the ACN to resolve the host.domain against DNS and as a result, the user's browser is redirected to a different webserver. The users previous session is no longer valid, breaking the client/webserver trusted relationship
If the above user uses 1 of the 4 available IP address on the DNS entry, the users successfully maintains the SSL session. The customer is migrating to a Cisco Content Engine 560 running version 4.2.1 ACN software.
I understand there are ACN features that could effect the HTTP session persistence/SSL trust. The services/features include boomerang, Reverse Proxy, content balancing. I request information on the service or feature of the ACN that could cause the problem I speak of from above.
I understand there are different methods of implementing session persistence, like sticky session and SSL sticky, but believe the ACN does provide this feature.

The customer is experiencing network issues when attempting to access our application. The customer is experiencing has been seen with a previous customers that had a similar network devices.
The customer uses a Cisco Content Engine CE-560 with Application and Content Networking Software (ACNS) version 4.2.1. The problem seems to a result of the ACNS resolving the hostname.domain.com twice. The webserver's DNS (hostname.domain.com) entry resolves to one of four available webservers (DNS round robining).
nslookup hostname.domain.com
webserver1 webserver2 webserver3 webserver4
nslookup hostname.domain.com
webserver2 webserver3 webserver4 webserver1
and so on.
All client/webserver communication is through SSL. When the customer uses the FQDN URL (https://hostname.domain.com/webapp/index.jsp) to access the application login page, the server portion of the URL is resolved to webserver1. At this time, the customer has an established HTTPS session with webserver1. Once a login servlet running on webserver1, receives the customer supplied login credentials, the servlet sends a server response 302 redirecting the customer to the selected application.
This redirection response seems to cause the ACNS to resolve the hostname.domain.com and as a result, the customer's browser is redirected to a different webserver, webserver2. The users previous session is no longer valid, causing the application to generate a false inactivity timeout.
If the customer sends a HTTPS request using anyone of the four IP address from DNS, the session is maintained and the customer does not receive the false inactivity timeout, because the session is not "broken".
The customer is migrating off of a Netscape (iPlanet) Web Proxy solution and does not experience the problem accessing the application, using the FQDN URL.
DNS caching is enabled on the customer CE.

Similar Messages

Http.keepAlive does not turn off SSL session cache?

Hi there,
I have a web service client that uses JSSE for making web service calls via https. In an effort to debug problems, I set http.keepAlive to false, I can see from the SSL debug output that KeepAlive timer messages no longer shows up, but I still see text such as "Cached client session" and "try to reuse cached session", etc.
Should not turning off keepAlive disable the use of persistent sessions?
Thanks.
Yan

They are unrelated features.
HTTP Keep Alive allows the browser to maintain a Socket to the server and issue multiple HTTP requests over that same socket.
SSL Session caching is when an SSL Session is assigned an ID, and additional SSL connects may be established with the same ID. These additional sockets then do not need to perform the full SSL handshake, since much of the data has already been negotiated previously.

SSL Session cache persistence

Hello,
I've been scratching my head for while on a problem concerning SSL session caching. Upon examining memory usage of the session cache I noticed that the number of cached sessions is reset at some point while new session are created. For example sometimes at around 300 -1500 sessions the number drops to under 10. I have set the session cache size to unlimited (via SSLSessionContext.setSessionCacheSize()) and session timeout to 24 hours (via setSessionTimeout()).
I noticed that this has probably something to do with garbage collection. I made a server application that receives SSL connections and every few seconds prints the number sessions in the cache and the amount of consumed memory (in megs). I also enabled garbace collection information printing and ran java VM with a maximum heap size of 512M. I ran a client application against it that continuously initializes a new sessions. Here's what I got:
Sessions: 484     Memory: 1.7913589477539062
[GC [DefNew: 503K->4K(576K), 0.0007350 secs] 2234K->1734K(3796K), 0.0008700 secs]
[GC [DefNew: 513K->63K(576K), 0.0009260 secs] 2243K->1793K(3796K), 0.0010680 secs]
Sessions: 490     Memory: 1.7832870483398438
[GC [DefNew: 569K->37K(576K), 0.0021150 secs] 2299K->1773K(3796K), 0.0022560 secs]
Sessions: 495     Memory: 2.1244659423828125
[GC [DefNew: 543K->37K(576K), 0.0019000 secs] 2279K->1775K(3796K), 0.0034750 secs]
[GC [DefNew: 549K->57K(576K), 0.0009080 secs] 2287K->1796K(3796K), 0.0010290 secs]
[Full GC [Tenured: 1739K->1635K(3220K), 0.0865340 secs] 1962K->1635K(3796K), [Perm : 3267K->3267K(8192K)], 0.0885000 secs]
Sessions: 6     Memory: 1.7752304077148438
[GC [DefNew: 512K->58K(576K), 0.0016310 secs] 2147K->1694K(3796K), 0.0017680 secs]
[GC [DefNew: 568K->37K(576K), 0.0009750 secs] 2204K->1678K(3796K), 0.0011110 secs]
Sessions: 12     Memory: 1.7010269165039062
[GC [DefNew: 549K->56K(576K), 0.0014310 secs] 2190K->1699K(3796K), 0.0015600 secs]Notice how the number of sessions drops from 495 to 6? And in between there's a garbage collection print "[Full GC...". Why is this? Shouldn't the session cache keep the sessions until there's either too many of the them or they get too old? Here only a few minutes have elapsed and memory consumption is under control (1 to 3 megs).

In my implementation I avoid session renegotiation as
much as possible to achieve high throughput. My goal
is to preserve sessions for the entire session
timeout time. This raises a few questions:Understood, but you also have to protect the server against resource exhaustion. It's in the client's interest to cache lots of sessions for a long time; the server's interest is to conserve resources so it can keep itself running.
You actually don't want to cache all the sessions, just the 'hot' ones, so you're better off having the SessionContext remove sessions on an LRU basis by having a finite limit, rather than just letting them be GC'd. The fact that so many sessions were collected in your runs indicates pretty severe memory usage.
(1) Is there any way to tweak this behavior? For
example can make the sessions live longer by using
some GC flags for the VM? Allocate more heap space, or cache fewer sessions.
(2) How about keeping regular references to all the
sessions in my application?That would save them from GC of course. But then you'll quickly discover that you really do need a finite limit.
(3) Is the behavior of the session cache or the inner
workings of the SSL API in general documented
somewhere?Only in the source code of JSSE, and that's only a property of Sun's JRE implementation. Session caching is not even a required feature, and J2ME implementations for example generally don't do it at all.

ACE 3.0(0) SW / LB with SSL Session-ID

Hello!
I want to use "SSL Session-ID" sticky method in load-balancing, but can't find any info about it in 3.0(0)A1(2) sw configuration guides. Where i can find info about it? Or this method is supported only in old A2(1.0) release?
Thanks.

SSL Session ID Sticky to ensure Client Persistence
1. Demonstrate the ability to provide stickiness using SSL
Session ID. To do this you will need to the Generic Protocol Parsing
framework on ACE. With the right regular expression you will be successful!!
2. Before you begin to configure the SSL Sticky group, be sure that
you have allocated resources to the sticky group. Note this done in the
Admin context.
resource-class cart
limit-resource all minimum 0.00 maximum unlimited
limit-resource sticky minimum 1.00 maximum equal-to-min
context Lab-Cart-11
allocate-interface vlan 211
allocate-interface vlan 411
member cart
3. Create an SSL-v3 sticky group and associate the serverfarm. Good
idea to configure a sticky timeout value. This specifies the period of time
that the ACE keeps the sticky information in the sticky table. Note the ACE
resets the timer each time ACE opens connections matching that entry. Also
configure the Layer 4 sticky parameters for 32 bytes session ID.
sticky layer4-payload ssl-v3
timeout 600
serverfarm HTTPS-FARM
response sticky
layer4-payload offset 43 length 32 begin-pattern "\x20"
When a new session is established between client and server, the server
generates a session id. The session id is an arbitrary sequence of bytes.
The length of the session id is 16 bytes for SSLv2 sessions and between 1
and 32 bytes for SSLv3/TLSv1. The session id is not security critical but
must be unique for the server. Additionally, the session id is transmitted
in the clear when reusing the session so it must not contain sensitive
information.
4. Create a class-map to match the layer 4 payload.
class-map type generic match-any SSL-v3-32
2 match layer4-payload regex "\x16\x03\x00..\x01.*"
3 match layer4-payload regex "\x16\x03\x01..\x01.*"
5. Create a new generic load balance policy map and assoiciate the
sticky-serverfarm understand the class.
policy-map type loadbalance generic first-match SSL-v3-Sticky
class SSL-v3-32
sticky-serverfarm ssl-v3
6. Change to the client-vips policy map to represent the new
SSL-v3-Sticky policy you just created
policy-map multi-match client-vips
class VIP-HTTPS
loadbalance vip inservice
loadbalance policy SSL-v3-Sticky
loadbalance vip icmp-reply active
7. Verify the VIP is accessible by trying to hit the VIP.
8. View the connection using the show cons command.
Pod1-ACE/Lab-Cart-11# show conn
total current connections : 1
conn-id np dir proto vlan source destination
state
----------+--+---+-----+----+---------------------+---------------------+---
---+
10 1 in TCP 211 209.165.201.11:1115 172.16.11.190:443
ESTAB
9. Interesting I can see that the first connection has been setup. Why
is ACE not load balancing the connection to the server?
10. Great I need to configure a L7 parameter map with a max parse-length
parameter-map type generic SSL-v3
set max-parse-length 70
11. Associate the parameter map to the client-vips policy map
policy-map multi-match client-vips
class VIP-HTTPS
loadbalance vip inservice
loadbalance policy SSL-v3-Sticky
loadbalance vip icmp-reply active
appl-parameter generic advanced-options SSL-v3
12. Verify the VIP is now accessible by trying to hit the VIP.

Disable non-SSL session tracking?

Hi, all,
I wonder if one can disable all session tracking in JSP's whenever SSL is not being used? I would like to turn off all cookie-setting and URL-rewriting and use SSL-session tracking only (if I use session-tracking at all on a given page). I also want to specify this behavior programmatically (inside my JSP's) and not in my server's config files.
I'm basically concerned that if my user leaves one of my HTTPS pages, they will still retain a non-secure cookie with their session information. This seems to be indeed the default behavior: when I run my tests and transition from an HTTPS page to an HTTP one, the browser does store a cookie. I know I can invalidate the session as the next step, but I'd rather have the cookie not being set altogether to begin with. Imagine the situation where the user leaves my HTTPS page for a totally different (HTTP) website: in this setting I won't get a chance to invalidate the session and delete the cookie.
Any ideas, therefore, on how to programmatically disable non-SSL session-tracking?
Thanks,
Dmitri.

I don't think you can do this programatically.
However I also don't think it is a problem.
Cookies are related to zone names aren't they?
http://mysite and https://mysite are two different
zones as far as cookies are concerned. One should
not be able to see the other.
It issues a new cookie for the http site you are just
navigating to. That cookie has nothing to do with
the secure site you just came from, and shouldn't be
able to tell them any info about the secure site.
I think you are worrying about something that isn't
really there.
What is your concern? That they pick up a JSESSIONID
from the cookie and can then pretend to be a
different user?Yes. A cookie is transmitted and stored unencrypted, I imagine (in any case, it should be more easily crackable than SSL). I wish Sun came up with an extension to the Session API where you would be able to explicitly specify which session-tracking protocols you want used and which ones you don't. At the moment their API abstracts and manages too much detail for you.
I mean, if my site is supposed to be secure while I'm using SSL, then you'd expect that no information about those secure sessions should leak outside the SSL protocol, wouldn't you say?

Im trying to clear the SSL sessions on my browser. How can i do so?

im trying to get a device working with my computer. im needing to clear my SSL sessions on my browser for it to work

Try to clear the Active Logins via Clear Recent History.
*https://support.mozilla.com/kb/Clear+Recent+History
You may also need to rename or delete the file secmode.db in the Firefox Profile Folder
*http://kb.mozillazine.org/Profile_folder_-_Firefox
Help > Troubleshooting Information > Profile Directory: Open Containing Folder

SSL Session Resume in WLS6.0sp2

When I access a WLS6.0sp2 Server via https, SSL sessions are not
resumed. Every request triggers a new handshake. The SSL relevant parts
of the config file (config.xml) look like below. Any hints on how to
motivate WLS to resumse SSL sessions are very welcome.
Thanks, Toby
<SSL ClientCertificateEnforced="false" Enabled="true"
ListenPort="7002" LoginTimeoutMillis="20000" Name="myserver"
ServerCertificateChainFileName="config/mydomain/ca.pem"
ServerCertificateFileName="config/mydomain/democert.pem"
ServerKeyFileName="config/mydomain/demokey.pem"
TrustedCAFileName="config/mydomain/tarsectestca.pem"/>

Well, for HTTPS I want to do SSL with client authentication based on a
smartcard. Thus, crypto processing happens on the slow card hardware. If every
HTTPS request requires a new SSL handshake with client authentication, I rely
very hard on the patience of my customer ;-) It is a no go. All SSL
implementation I came in touch with support SSL session resume. I understand
that there is no way to configure WLS do resume session. Can somebody elaborate
more on the plan to add this feature?
Thanks Toby
Michael Girdley wrote:
I do not believe that this is a supported feature. We plan to offer it in
the future.
Michael Girdley
BEA Systems
Learning WebLogic? http://learnweblogic.com
Buy the only book covering J2EE & WebLogic 6:
http://www.amazon.com/exec/obidos/ASIN/0130911119/learnweblogic/103-9227026-
4636613
"Tobias Murer" <[email protected]> wrote in message
news:[email protected]..
When I access a WLS6.0sp2 Server via https, SSL sessions are not
resumed. Every request triggers a new handshake. The SSL relevant parts
of the config file (config.xml) look like below. Any hints on how to
motivate WLS to resumse SSL sessions are very welcome.
Thanks, Toby
<SSL ClientCertificateEnforced="false" Enabled="true"
ListenPort="7002" LoginTimeoutMillis="20000" Name="myserver"
ServerCertificateChainFileName="config/mydomain/ca.pem"
ServerCertificateFileName="config/mydomain/democert.pem"
ServerKeyFileName="config/mydomain/demokey.pem"
TrustedCAFileName="config/mydomain/tarsectestca.pem"/>

Error in scenario "FILE to HTTP(with SSL)" - HTTP client code 110 reason.

Hi friends,
Our scenario is as follows:
We are trying to send XML file from our SAP-XI to external tool "COMMunix XC" (a multi-protocol EDI platform tool).
We have configured " FILE TO HTTP(with SSL)" scenario (trying to connect HTTPS/port)
1. We have created RFC destination of type G and refered the same RFC in Communication channel (Adapter type: HTTP)
2. We have send the SSL Server certificate to other party and ensure that they have imported at thier end.
3. We have included the certificates from other party in our SAP XI STRUST under SSL Client (Standard) node.
4. We have tried " CONNECTION TEST " in the RFC destination created in type G (in STEP 1) and it shows the GREEN TICK at bottom, no other message nor any error message
When we trigger the communication we recieve the error: HTTP client code 110 reason in SXMB_MONI.
Please let us know if we have missed out some step.
What does error message indicate,
Regards,
Rehan

Hi Rehan,
I see that the PROCTIMEOUT was already at a very high value.
Does this occur for messages of a particularly large size? If yes, you could increase the parameter
icm/HTTP/max_request_size_KB = 2097152
This would need to be done in the sender/receiver system as well as XI.
Otherwise you could try reproducing the issue and checking the dev_icm log in the work directory, or go to SMICM -> Goto -> Display trace file
check for errors like NIECONN_REFUSED or "no service for protocol HTTPS" which can often be related to this type of issue.
Kind regards,
Sarah

Http client------ XI (via HTTP with SSL),

hi forum,
we have a http client that sends a http erquest to XI, by using sap/xi/adapter_plain
service, i mean plain http adapter
but for scurity reasons i need HTTPS communication,
can u tell me how to enable HTTPS (HTTP with SSL) communiaction in the same scenario,
http client------>XI (via HTTP with SSL)

hi sudeep,
u need to create a comm ch of adapter type http n set the security level there.
refer this for help:
http://help.sap.com/saphelp_nw04/helpdata/en/14/80243b4a66ae0ce10000000a11402f/frameset.htm
[reward if helpful]
regards,
latika.

Https unsupported: SSL implementation?

Hi there,
II have a web service client that connects to a WLS 8.1.5 server
through SSL. In fact I have two servers with the same .ear file. I can
browse to the test pages for the web services on both servers.
Connecting with the client to one server works perfectly. But
connecting to the other server gives me the following error.
java.rmi.RemoteException: SOAP Fault:javax.xml.rpc.soap.SOAPFaultException: Failed to send request
Detail:
<detail>
<bea_fault:stacktrace xmlns:bea_fault="http://www.bea.com/servers/wls70/webservice/fault/1.0.0">java.io.IOException: https unsupported: SSL implementation not available or not c
onfigured correctly.
at weblogic.webservice.client.NullSSLAdapter.createSocket(NullSSLAdapter.java:27)
at weblogic.webservice.binding.https.HttpsClientBinding.createSocket(HttpsClientBinding.java:44)
at weblogic.webservice.binding.https.HttpsClientBinding.createSocket(HttpsClientBinding.java:62)
at weblogic.webservice.binding.soap.HttpClientBinding.send(HttpClientBinding.java:177)
at weblogic.webservice.core.handler.ClientHandler.handleRequest(ClientHandler.java:37)
at weblogic.webservice.core.HandlerChainImpl.handleRequest(HandlerChainImpl.java:143)
at weblogic.webservice.core.ClientDispatcher.send(ClientDispatcher.java:231)
at weblogic.webservice.core.ClientDispatcher.dispatch(ClientDispatcher.java:143)
at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:471)
at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:457)
at weblogic.webservice.core.rpc.StubImpl._invoke(StubImpl.java:303)
at com.te.myapp.generic.command.wsclient.MyappCommonFacadePort_Stub.listMunicipals(MyappCommonFacadePort_Stub.java:543)
at com.te.myapp.generic.command.MyappCommonFacadeProxy.listMunicipals(MyappCommonFacadeProxy.java:251)
at com.te.myapp.generic.command.ListMunicipalsCommand.performExecute(ListMunicipalsCommand.java:50)
at com.te.tee.command.CommandBase.execute(Unknown Source)
at com.te.tee.client.application.communication.CfCommandCommunication.executeCommand(Unknown Source)
at com.te.tee.client.application.communication.CfCommandCommunication.doSend(Unknown Source)
at com.te.tee.client.application.communication.CfAbstractCommunication.executeRequest(Unknown Source)
at com.te.tee.client.application.communication.CfRequestQueue.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
</bea_fault:stacktrace>
</detail>; nested exception is:
javax.xml.rpc.soap.SOAPFaultException: Failed to send request
at com.te.myapp.generic.command.wsclient.MyappCommonFacadePort_Stub.listMunicipals(MyappCommonFacadePort_Stub.java:551)
at com.te.myapp.generic.command.MyappCommonFacadeProxy.listMunicipals(MyappCommonFacadeProxy.java:251)
at com.te.myapp.generic.command.ListMunicipalsCommand.performExecute(ListMunicipalsCommand.java:50)
at com.te.tee.command.CommandBase.execute(Unknown Source)
at com.te.tee.client.application.communication.CfCommandCommunication.executeCommand(Unknown Source)
at com.te.tee.client.application.communication.CfCommandCommunication.doSend(Unknown Source)
at com.te.tee.client.application.communication.CfAbstractCommunication.executeRequest(Unknown Source)
at com.te.tee.client.application.communication.CfRequestQueue.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.xml.rpc.soap.SOAPFaultException: Failed to send request
at weblogic.webservice.core.ClientDispatcher.receive(ClientDispatcher.java:314)
at weblogic.webservice.core.ClientDispatcher.dispatch(ClientDispatcher.java:144)
at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:471)
at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:457)
at weblogic.webservice.core.rpc.StubImpl._invoke(StubImpl.java:303)
at com.te.myapp.generic.command.wsclient.MyappCommonFacadePort_Stub.listMunicipals(MyappCommonFacadePort_Stub.java:543)
... 8 more
The client reads the servers URL from a property file. The only thing
that changes, when I modifiy a client to communicate with the other
server, is the property file. Since to client hardly changes one would
think that this problem is due to some incorrect configuration of one
server. But NullSSLAdapter.createSocket(), where the exception
originates, is on the client. So as far as I can tell the client never
connects with the server. If so, the problem can't be on the server
either. This is realy strange!
Has anyone seen anything like this before, or have any idea, any at
all, what the cause could be?
Regars

Hi there,
II have a web service client that connects to a WLS 8.1.5 server
through SSL. In fact I have two servers with the same .ear file. I can
browse to the test pages for the web services on both servers.
Connecting with the client to one server works perfectly. But
connecting to the other server gives me the following error.
java.rmi.RemoteException: SOAP Fault:javax.xml.rpc.soap.SOAPFaultException: Failed to send request
Detail:
<detail>
<bea_fault:stacktrace xmlns:bea_fault="http://www.bea.com/servers/wls70/webservice/fault/1.0.0">java.io.IOException: https unsupported: SSL implementation not available or not c
onfigured correctly.
at weblogic.webservice.client.NullSSLAdapter.createSocket(NullSSLAdapter.java:27)
at weblogic.webservice.binding.https.HttpsClientBinding.createSocket(HttpsClientBinding.java:44)
at weblogic.webservice.binding.https.HttpsClientBinding.createSocket(HttpsClientBinding.java:62)
at weblogic.webservice.binding.soap.HttpClientBinding.send(HttpClientBinding.java:177)
at weblogic.webservice.core.handler.ClientHandler.handleRequest(ClientHandler.java:37)
at weblogic.webservice.core.HandlerChainImpl.handleRequest(HandlerChainImpl.java:143)
at weblogic.webservice.core.ClientDispatcher.send(ClientDispatcher.java:231)
at weblogic.webservice.core.ClientDispatcher.dispatch(ClientDispatcher.java:143)
at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:471)
at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:457)
at weblogic.webservice.core.rpc.StubImpl._invoke(StubImpl.java:303)
at com.te.myapp.generic.command.wsclient.MyappCommonFacadePort_Stub.listMunicipals(MyappCommonFacadePort_Stub.java:543)
at com.te.myapp.generic.command.MyappCommonFacadeProxy.listMunicipals(MyappCommonFacadeProxy.java:251)
at com.te.myapp.generic.command.ListMunicipalsCommand.performExecute(ListMunicipalsCommand.java:50)
at com.te.tee.command.CommandBase.execute(Unknown Source)
at com.te.tee.client.application.communication.CfCommandCommunication.executeCommand(Unknown Source)
at com.te.tee.client.application.communication.CfCommandCommunication.doSend(Unknown Source)
at com.te.tee.client.application.communication.CfAbstractCommunication.executeRequest(Unknown Source)
at com.te.tee.client.application.communication.CfRequestQueue.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
</bea_fault:stacktrace>
</detail>; nested exception is:
javax.xml.rpc.soap.SOAPFaultException: Failed to send request
at com.te.myapp.generic.command.wsclient.MyappCommonFacadePort_Stub.listMunicipals(MyappCommonFacadePort_Stub.java:551)
at com.te.myapp.generic.command.MyappCommonFacadeProxy.listMunicipals(MyappCommonFacadeProxy.java:251)
at com.te.myapp.generic.command.ListMunicipalsCommand.performExecute(ListMunicipalsCommand.java:50)
at com.te.tee.command.CommandBase.execute(Unknown Source)
at com.te.tee.client.application.communication.CfCommandCommunication.executeCommand(Unknown Source)
at com.te.tee.client.application.communication.CfCommandCommunication.doSend(Unknown Source)
at com.te.tee.client.application.communication.CfAbstractCommunication.executeRequest(Unknown Source)
at com.te.tee.client.application.communication.CfRequestQueue.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.xml.rpc.soap.SOAPFaultException: Failed to send request
at weblogic.webservice.core.ClientDispatcher.receive(ClientDispatcher.java:314)
at weblogic.webservice.core.ClientDispatcher.dispatch(ClientDispatcher.java:144)
at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:471)
at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:457)
at weblogic.webservice.core.rpc.StubImpl._invoke(StubImpl.java:303)
at com.te.myapp.generic.command.wsclient.MyappCommonFacadePort_Stub.listMunicipals(MyappCommonFacadePort_Stub.java:543)
... 8 more
The client reads the servers URL from a property file. The only thing
that changes, when I modifiy a client to communicate with the other
server, is the property file. Since to client hardly changes one would
think that this problem is due to some incorrect configuration of one
server. But NullSSLAdapter.createSocket(), where the exception
originates, is on the client. So as far as I can tell the client never
connects with the server. If so, the problem can't be on the server
either. This is realy strange!
Has anyone seen anything like this before, or have any idea, any at
all, what the cause could be?
Regars

Get Http Request in Session Listener?

Is it possible get Http Request in Session Listener when session is created? I need to get cookies when session is created.
anyone knows?

No, it is not possible.

CSS11503/ACE 4710 - SSL session id cache

I have a couple of questions.
1. I'd like to know what happens when the SSL session id cache (def 10k) gets filled on a CSS11503. Do new connections get dropped or do they still work but are they less efficient?
2. What is the cache size on an ACE4710?

The problem was caused by an incorrect nat pool. Correct Mask was 255.255.255.0.

CSM HTTPS or SSL Health Probe

We are currently using TCP probe for HTTPS webServer health checking. Is there a HTTPS or SSL probe available on CSM to send a url to detect if the HTTPS Apache WebServer is up or not?
Many Thx, Q.Xie

You can download the TCL script file from the same locstion as the CSM software.
In this TCL file you should find the following scripts
[root@linux-1 cisco]# cat /tftpboot/c6slb-apc.4-2-1.tcl | grep -i "name ="
#!name = CHECKPORT_STD_SCRIPT
#!name = ECHO_PROBE_SCRIPT
#!name = FINGER_PROBE_SCRIPT
#!name = FTP_PROBE_SCRIPT
#!name = HTTPCONTENT_PROBE
#!name = HTTPHEADER_PROBE
#!name = HTTPPROXY_PROBE
#!name = HTTP_PROBE_SCRIPT
#!name = IMAP_PROBE
#!name = LDAP_PROBE
#!name = MAIL_PROBE
#!name = POP3_PROBE
#!name = PROBENOTICE_PROBE
#!name = RTSP_PROBE
#!name = SSL_PROBE_SCRIPT
#!name = TFTP_PROBE
There is a SSL_PROBE_SCRIPT that will verify that the SSL server respond to a client SSL HELLO message.
It does not verify if you can send an HTTP request.
It only sends a HELLO as a client and wait for the server HELLO.
With the SSLM for the CSM, there might be a way to achieve HTTPS probe.
I never tried it, but the solution I see would be to create an HTTP probe on the CSM and direct to the SSLM which will do the encryption and forward it to the server.
Regards,
Gilles

Proxyless clustering and SSL session state

The current 6.0 docs are a bit quiet on SSL and clustering, so can I check
          whether it is the case that when proxy-less clustering is used with SSL, a
          failover results in a new certificate exchange and crypto session
          establishment? In other words, the clustering isn't attempting to replicate
          the SSL session state or similar super-subtle strategy.
          Thanks!
          Alex Thomas
          Lehman Brothers
          London


          "Alex Thomas" <[email protected]> wrote in message
          news:[email protected]..
          > The current 6.0 docs are a bit quiet on SSL and clustering, so can I check
          > whether it is the case that when proxy-less clustering is used with SSL, a
          > failover results in a new certificate exchange and crypto session
          > establishment? In other words, the clustering isn't attempting to
          replicate
          > the SSL session state or similar super-subtle strategy.
          Alex,
          A failover will result in a new SSL connection being started. As you say
          this will mean that certificate exchange and session key exchange will occur
          again. All of the replicated state is kept at a higher level in the server
          so that we can use different SSL implementations including hardware
          accelerators.
          Regards,
          Adam

Configuration SAP EP systems in HTTPS and SSL

Hi,
Can anyone tell me the regarding the configuration SAP EP systems in HTTPS and SSL.
The scenario is Client -->Application gateway( Web Dispatcher) -->EP6
Regards,
Moulinath Ray

Hi,
I am giving to you the steps we do for our securization (EP 7.0):
Prerequisites:
-Download SAP Cryptographic ToolKit at http://service.sap.com/ swdc and -> SAP Crypto-graphic Software -> SAP JAVA CryptoToolkit (J2EE Engine as of Release 6.30)
-Unzip it with SAPCAR
Logon in SDM and deploy the file
Check in Visual Admin -> Dispatcher/Server -> Libraries -> core_libs iaik_jce.jar is included
Loof for SSL Service in Config Tool in Server and Dispatcher, it should be "always"
Steps:
-Asking for a certificate
Visual Admin -> Cluster -> Server (central instance ) -> Services -> Key storage -> Service_ssl -> Create
Fill in all the data, and be careful with the common name:
-It shouldn´t have "http" or "https" on it
-It shouldn´t have port number on it
For example: "https
www.myportal.domain:port", the common name should be "www.myportal.domain"
Visual Admin -> Key Storage -> service_ssl -> Select your certificate and u201CGenerate CSR Requestu201D
Send the file to a CA
-Importing the validated certificate:
Visual Admin -> Key Storage -> Import CSR Response
In each Server, under SSL Provider, assign the certificate to port 50001, in each Dispatcher
Now, the portal is secure, and you can check it now.
A last step would be export the certificate and send it to your Network Team, so they can export it in the load balancing server, reverse proxy, etc.
You can have a look at this link:
http://help.sap.com/saphelp_nw04/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm
Some of the threads link:
/message/5568001#5568001
/thread/853387
Regards,
Niraj
Edited by: Niraj Kumar on Jan 22, 2009 3:59 PM

HTTPS persistence SSL session, ACN 4.2.1

Similar Messages

Maybe you are looking for