Https through load balancer breaks declarative security

Similar Messages

• HTTPS with load balancing

  Hi guys,
  We have a portal system with instance 08, so we typically connect to the portal using port 50800 for HTTP, and 50801 for HTTPS.
  We have just created a second server node for this portal (in the config tool).
  When we connect to 50800, does this automatically load balance the user to the better server? From some reading on these forums, it seemed to indicate that load balancing will only occur if I connect using port 8109. (where 09 is the instance number for the SCS of our portal)
  When connecting to port 8109, we are redirected to port 50800, as I'd expect.
  Question 1 - do we need to use 8109 for load balancing, or can we still use 50800?
  Question 2 - If we need to use 8109, which is a HTTP port, how can we achieve load balancing with HTTPS. Is there a different port we need to use to have HTTPS with load balancing?
  Question 3 - Is the creation of a second server node the best way to accomodate additional users and load on the portal system, or is there a better way to do things?
  Thanks,
  Michael.

  Better late than never.
  The load balancing you describe through the message server has its limitation. It redirects you to one of the dialog server hosts which means that any bookmarks will always point directly to a dialog server which may be down at that moment.
  Access directly to a dialog server on port 50800 will sort of load balanc on the java server instances that are on that server but not on other servers.
  The general recommendation is to setup an external loadbalancer and SAP Web dispatcher is a good match if the load is not very high. SAP webdispatcher will then bind up the cluster address and act as a proxy towards the dialog servers of the portal. The user will therefore only see one address. This will also work for HTTPS.
  Regards
  Dagfinn

• Forcing traffic through load balancer rather than zone to zone

  I have several T5140s with 2 LDOMs. Within each LDOM I have multiple zones which contain 2 environments. Each environment comprises the following, an apache instance behind a BigIP load balancer, a JBoss instance, and several misc. The jboss zone has three IP address assigned for multiple applications. Each server is configured identically as far as zone and LDOM layout. We use mod_cluster to cluster our apache and Jboss environment. What I'm trying to accomplish is forcing the apache zone's traffic through the BigIP rather than zone to zone.
  Referring to the information below, server2ldom1jboss is one jboss node which needs to connect to both server2ldom1japache and server1ldom1apache. server2ldom1jboss connects to server2ldom1apache via its DNS name which is a NAT address. So webserver2 resolves to 10.10.2.5 which NATs to 10.10.1.5 behind the BigIP. webserver2 responds directly to the jboss zone rather than through the BigIP. Not good. server1ldom1apache works correctly as it's not a local zone.
  Referring to this document, https://blogs.oracle.com/solarium/resource/solaris-container-guide-en-v3.1.pdf
  section 5.2.7.8
  "Connection of zones via external routers using the shared IP instance"
  I've created the following routes
  route add 10.10.2.5 10.10.1.5
  route add 10.10.0.34 10.10.1.5 -interface -reject
  route add 10.10.0.35 10.10.1.5 -interface -reject
  route add 10.10.0.87 10.10.1.5 -interface -reject
  route add 10.10.1.5 10.10.0.87 -interface -reject
  route add 10.10.1.5 10.10.0.34 -interface -reject
  route add 10.10.1.5 10.10.0.35 -interface -reject
  This does prevent the zone to zone traffic, but it also preventing any response. I've tried other options as well, but have not been successful yet. What concerns me is this "These interfaces must not be used elsewhere in the global zone." The 5140 has 4 ethernet ports, which are configured into two port channels. vnet0 and vnet1. The apache instances use vnet1. The remaining zones use vnet0, including the global zone (server2ldom1 10.10.0.21). I think this may be the issue, but do not see an easy resolution without breaking my port channels and losing redundancy and fail-over.
  If there is anything I'm missing or a better/different way to do this, I would greatly appreciate any input on this matter.
  Thank you.
  webserver2 10.10.2.5 NATs to 10.10.1.5
  jboss apps 10.10.0.34, 10.10.0.35, 10.10.0.87
  10.10.0.0/24 is the lan
  10.10.1.0/24 is the network behind the BigIP
  10.10.2.0/24 is the webserver network (in front of the BigIP)
  [1658]root@server2:~# ldm list-bindings
  NAME STATE FLAGS CONS VCPU MEMORY UTIL UPTIME
  primary active -n-cv- SP 4 2G 1.1% 138d 5h
  MAC
  00:14:4f:ec:20:ff
  HOSTID
  0x84ec20b8
  VCPU
  VID PID UTIL STRAND
  0 0 2.0% 100%
  1 1 1.4% 100%
  2 2 0.7% 100%
  3 3 2.1% 100%
  MAU
  ID CPUSET
  0 (0, 1, 2, 3, 4, 5, 6, 7)
  MEMORY
  RA PA SIZE
  0x8000000 0x8000000 2G
  VARIABLES
  boot-device=/pci@0/pci@0/pci@2/scsi@0/disk@0,0:a disk net
  keyboard-layout=US-English
  nvramrc=devalias rootdisk /pci@0/pci@0/pci@2/scsi@0/disk@0,0:a devalias rootmirror /pci@0/pci@0/pci@2/scsi@0/disk@1,0:a
  security-mode=none
  security-password=
  use-nvramrc?=true
  IO
  DEVICE PSEUDONYM OPTIONS
  pci@0 pci
  niu@80 niu
  VCC
  NAME PORT-RANGE
  primary-vcc0 5000-5010
  CLIENT PORT
  group1@primary-vcc0 5000
  group1@primary-vcc0 5000
  VSW
  NAME MAC NET-DEV DEVICE DEFAULT-VLAN-ID PVID VID MODE
  primary-vsw0 00:14:4f:f9:ff:ff aggr1 switch@0 1 1
  PEER MAC PVID VID
  vnet0@ldom2 00:14:4f:fb:7b:ff 1
  vnet0@ldom1 00:14:4f:fb:1a:ff 1
  NAME MAC NET-DEV DEVICE DEFAULT-VLAN-ID PVID VID MODE
  primary-vsw1 00:14:4f:fb:8e:ff aggr2 switch@1 1 1
  PEER MAC PVID VID
  vnet1@ldom1 00:14:4f:f8:17:ff 1
  vnet1@ldom2 00:14:4f:f8:c2:ff 1
  VDS
  NAME VOLUME OPTIONS MPGROUP DEVICE
  primary-vds0 ldom2_swap /ldoms/swap/server2ldom2
  ldom2_root /dev/dsk/c4t600601601CE1210018F9E37BD2AADD11d0s2
  ldom1_swap /ldoms/swap/server2ldom1
  ldom1_root /dev/dsk/c4t600601601CE121007E02166CD2AADD11d0s2
  CLIENT VOLUME
  ldom2_swap@ldom2 ldom2_swap
  ldom2_root@ldom2 ldom2_root
  ldom1_swap@ldom1 ldom1_swap
  ldom1_root@ldom1 ldom1_root
  VCONS
  NAME SERVICE PORT
  SP
  NAME STATE FLAGS CONS VCPU MEMORY UTIL UPTIME
  ldom1 active -n---- 5000 30 15G 3.7% 192d 6h
  MAC
  00:14:4f:f8:a5:ff
  HOSTID
  0x84f8a5f5
  VCPU
  VID PID UTIL STRAND
  0 4 0.4% 100%
  1 5 0.3% 100%
  2 6 0.1% 100%
  3 7 4.4% 100%
  4 8 0.2% 100%
  5 9 0.2% 100%
  6 10 14% 100%
  7 11 0.1% 100%
  8 12 8.1% 100%
  9 13 0.1% 100%
  10 14 0.1% 100%
  11 15 0.1% 100%
  12 16 0.3% 100%
  13 17 0.1% 100%
  14 18 0.1% 100%
  15 19 0.1% 100%
  16 20 0.3% 100%
  17 21 0.6% 100%
  18 22 0.3% 100%
  19 23 0.1% 100%
  20 54 1.0% 100%
  21 55 0.5% 100%
  22 56 1.2% 100%
  23 57 0.2% 100%
  24 58 4.5% 100%
  25 59 0.9% 100%
  26 60 0.0% 100%
  27 61 0.1% 100%
  28 62 0.1% 100%
  29 63 0.3% 100%
  MAU
  ID CPUSET
  1 (8, 9, 10, 11, 12, 13, 14, 15)
  2 (16, 17, 18, 19, 20, 21, 22, 23)
  6 (48, 49, 50, 51, 52, 53, 54, 55)
  7 (56, 57, 58, 59, 60, 61, 62, 63)
  MEMORY
  RA PA SIZE
  0x8000000 0x88000000 10G
  0x401800000 0x6b1800000 5G
  VARIABLES
  auto-boot?=true
  boot-device=ldom1_root:b
  NETWORK
  NAME SERVICE DEVICE MAC MODE PVID VID
  vnet0 primary-vsw0@primary network@0 00:14:4f:fb:1a:ff 1
  PEER MAC MODE PVID VID
  primary-vsw0@primary 00:14:4f:f9:ff:ff 1
  vnet0@ldom2 00:14:4f:fb:7b:ff 1
  NAME SERVICE DEVICE MAC MODE PVID VID
  vnet1 primary-vsw1@primary network@1 00:14:4f:f8:17:ff 1
  PEER MAC MODE PVID VID
  primary-vsw1@primary 00:14:4f:fb:8e:ff 1
  vnet1@ldom2 00:14:4f:f8:c2:ff 1
  DISK
  NAME VOLUME TOUT DEVICE SERVER MPGROUP
  ldom1_swap ldom1_swap@primary-vds0 disk@0 primary
  ldom1_root ldom1_root@primary-vds0 disk@1 primary
  VCONS
  NAME SERVICE PORT
  group1 primary-vcc0@primary 5000
  NAME STATE FLAGS CONS VCPU MEMORY UTIL UPTIME
  ldom2 active -n---- 5000 30 15000M 0.8% 192d 6h
  MAC
  00:14:4f:fa:e8:ff
  HOSTID
  0x84fae839
  VCPU
  VID PID UTIL STRAND
  0 24 1.0% 100%
  1 25 1.0% 100%
  2 26 0.0% 100%
  3 27 0.0% 100%
  4 28 0.1% 100%
  5 29 0.3% 100%
  6 30 0.0% 100%
  7 31 0.0% 100%
  8 32 0.0% 100%
  9 33 0.1% 100%
  10 34 1.3% 100%
  11 35 0.0% 100%
  12 36 0.1% 100%
  13 37 1.0% 100%
  14 38 1.9% 100%
  15 39 0.0% 100%
  16 40 0.0% 100%
  17 41 0.0% 100%
  18 42 0.1% 100%
  19 43 0.5% 100%
  20 44 0.2% 100%
  21 45 0.0% 100%
  22 46 0.2% 100%
  23 47 0.4% 100%
  24 48 0.2% 100%
  25 49 0.0% 100%
  26 50 0.0% 100%
  27 51 0.0% 100%
  28 52 0.0% 100%
  29 53 0.0% 100%
  MAU
  ID CPUSET
  3 (24, 25, 26, 27, 28, 29, 30, 31)
  4 (32, 33, 34, 35, 36, 37, 38, 39)
  5 (40, 41, 42, 43, 44, 45, 46, 47)
  MEMORY
  RA PA SIZE
  0x8000000 0x308000000 15000M
  VARIABLES
  auto-boot?=true
  boot-device=/virtual-devices@100/channel-devices@200/disk@1:b ldom2_root
  keyboard-layout=US-English
  NETWORK
  NAME SERVICE DEVICE MAC MODE PVID VID
  vnet0 primary-vsw0@primary network@0 00:14:4f:fb:7b:ff 1
  PEER MAC MODE PVID VID
  primary-vsw0@primary 00:14:4f:f9:ff:ff 1
  vnet0@ldom1 00:14:4f:fb:1a:ff 1
  NAME SERVICE DEVICE MAC MODE PVID VID
  vnet1 primary-vsw1@primary network@1 00:14:4f:f8:c2:ff 1
  PEER MAC MODE PVID VID
  primary-vsw1@primary 00:14:4f:fb:8e:ff 1
  vnet1@ldom1 00:14:4f:f8:17:ff 1
  DISK
  NAME VOLUME TOUT DEVICE SERVER MPGROUP
  ldom2_swap ldom2_swap@primary-vds0 disk@0 primary
  ldom2_root ldom2_root@primary-vds0 disk@1 primary
  VCONS
  NAME SERVICE PORT
  group1 primary-vcc0@primary 5000
  [1657]root@server2ldom1:~# ifconfig -a
  lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
  inet 127.0.0.1 netmask ff000000
  lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
  zone server2ldom1z3
  inet 127.0.0.1 netmask ff000000
  lo0:2: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
  zone server2ldom1z2
  inet 127.0.0.1 netmask ff000000
  lo0:3: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
  zone server2ldom1z6
  inet 127.0.0.1 netmask ff000000
  lo0:4: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
  zone server2ldom1jboss
  inet 127.0.0.1 netmask ff000000
  lo0:5: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
  zone server2ldom1apache
  inet 127.0.0.1 netmask ff000000
  lo0:6: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
  zone server2ldom1z1
  inet 127.0.0.1 netmask ff000000
  vnet0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
  inet 10.10.0.21 netmask ffffff00 broadcast 10.10.0.255
  ether 0:14:4f:fb:1a:ff
  vnet0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
  zone server2ldom1z2
  inet 10.10.0.33 netmask ffffff00 broadcast 10.10.0.255
  vnet0:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
  zone server2ldom1z6
  inet 10.10.0.36 netmask ffffff00 broadcast 10.10.0.255
  vnet0:3: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
  zone server2ldom1jboss
  inet 10.10.0.34 netmask ffffff00 broadcast 10.10.0.255
  vnet0:4: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
  zone server2ldom1jboss
  inet 10.10.0.35 netmask ffffff00 broadcast 10.10.0.255
  vnet0:5: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
  zone server2ldom1z1
  inet 10.10.0.32 netmask ffffff00 broadcast 10.10.0.255
  vnet0:6: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
  zone server2ldom1z1
  inet 10.10.0.74 netmask ffffff00 broadcast 10.10.0.255
  vnet0:7: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
  zone server2ldom1jboss
  inet 10.10.0.87 netmask ffffff00 broadcast 10.10.0.255
  vnet1: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
  inet 0.0.0.0 netmask 0
  ether 0:14:4f:f8:17:ff
  vnet1:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
  zone server2ldom1z3
  inet 10.10.1.101 netmask fffffc00 broadcast 10.10.47.255
  vnet1:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
  zone server2ldom1apache
  inet 10.10.1.5 netmask fffffc00 broadcast 10.10.47.255
  [1701]root@server2ldom1:~# zonecfg -z server2ldom1jboss info
  zonename: server2ldom1jboss
  zonepath: /zones/server2ldom1jboss
  brand: native
  autoboot: true
  bootargs:
  pool:
  limitpriv:
  scheduling-class:
  ip-type: shared
  inherit-pkg-dir:
  dir: /lib
  inherit-pkg-dir:
  dir: /platform
  inherit-pkg-dir:
  dir: /sbin
  inherit-pkg-dir:
  dir: /usr
  inherit-pkg-dir:
  dir: /opt/sfw
  inherit-pkg-dir:
  dir: /opt/
  net:
  address: 10.10.0.34
  physical: vnet0
  defrouter: 10.10.0.1
  net:
  address: 10.10.0.35
  physical: vnet0
  defrouter: 10.10.0.1
  net:
  address: 10.10.0.87
  physical: vnet0
  defrouter: 10.10.0.1
  attr:
  name: comment
  type: string
  value: server2ldom1jboss
  [1702]root@server2ldom1:~# zonecfg -z server2ldom1apache info
  zonename: server2ldom1apache
  zonepath: /zones/server2ldom1apache
  brand: native
  autoboot: true
  bootargs:
  pool:
  limitpriv:
  scheduling-class:
  ip-type: shared
  inherit-pkg-dir:
  dir: /lib
  inherit-pkg-dir:
  dir: /platform
  inherit-pkg-dir:
  dir: /sbin
  inherit-pkg-dir:
  dir: /usr
  inherit-pkg-dir:
  dir: /opt/sfw
  inherit-pkg-dir:
  dir: /opt/
  net:
  address: 10.10.1.5/22
  physical: vnet1
  defrouter not specified
  attr:
  name: comment
  type: string
  value: server2ldom1apache
  Edited by: coreyva on Feb 18, 2012 11:36 AM

  After further research, I think the best course of action will be to create a VLAN for the zone behind the BigIP and then create the corresponding interface in the vlan and zone. Using this links as my references in case anyone is interested. I'll post what I come up with.
  https://blogs.oracle.com/stw/entry/using_ip_instances_with_vlans
  https://blogs.oracle.com/stw/entry/solaris_zones_and_networking_common
  http://docs.oracle.com/cd/E19253-01/816-4554/816-4554.pdf # AdministeringVirtualLocalAreaNetworks
  http://docs.oracle.com/cd/E19053-01/ldoms.mgr11/820-4913-10/820-4913-10.pdf # Assign VLANs to a Virtual Switch and Virtual
  Network Device

• Http session load balancing

            Hi,
            My application is clustered on multiple machines. The application receives
            request mainly through the http protocol, and the application keeps session information
            of the user. I am using HttpClusterServlet to proxy request to the cluster.
            How can I get the servlet to proxy requests to the right machine that has the
            session information. (Currently, it's just using the round robin algorithm)
            Thanks
            

            It should do this automatically - it looks at the WebLogicSession (or jsession)
            cookie to determine where to send the request.
            Mike
            "Mark Liu" <[email protected]> wrote:
            >
            >Hi,
            >
            > My application is clustered on multiple machines. The application
            >receives
            >request mainly through the http protocol, and the application keeps session
            >information
            >of the user. I am using HttpClusterServlet to proxy request to the cluster.
            >
            >How can I get the servlet to proxy requests to the right machine that
            >has the
            >session information. (Currently, it's just using the round robin algorithm)
            >
            >Thanks
            >
            

• Load balance traffic to a service based on a added field in the HTTP Header

  I am trying to use HTTP Header Load balancing but the field we want to use in order to load balance is "user-defined", example HTTP_TOTO = toto1.
  Do you have any idea on how I could perform this ?
  Thanks in advance

  Load balancing using pre-defined headers is supported. Not sure if load balancing using user defined fields is possible. You could refer to the following document.
  http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_710/bsccfggd/httphead.htm
  We would appreciate it if someone could share their experience if they know more about this.

• Any concern on persistent search through a load balancer?

  We have access manager 7 installed which make use of persistent search. My understanding is that persistent search required to maintain a connection so that the server can refresh/update the client whenever entry in the result set changed. If we configure the system to connect to ldap through load balancer, will that cause any problem? What will happen if the load balancer refresh connection after a period of time? Or , if the original ldap server failed and the load balancer try load balance the client to another ldap server, will the persistent search still works?
  Also, if the ldap server that the persistent search initially established connection with crashed, will the client get error message and in that case, is it the client's responsibility to re-run/retry the persistent search with other failover ldap server?
  Thanks,

  Your best bet, even when using a hardware load balancer, is to front your DS instances with a pair of load-balanced Directory Proxy Servers. This way, you have physical redundancy at the load balancer level, and intelligent LDAP-aware load balancing at the proxy server level. DPS 6 is very nice in that you can split binds, searches, and updates amongst several backend DS instances, and the connection state is maintained by the proxy, not the DS instance (i.e. if an instance fails, you really shouldn't be forced to rebind, the proxy fails-over to another DS for searching).
  We have our Directory Servers on a pair of Solaris 10 systems, each with a zone for a replicated Master DS, and another zone each for a DPS instance. The DPS instances are configured to round-robin binds/searches/updates/etc. among the DS master zones. This works out very well for us.

• 11i load balancing web nodes without use of Hardware http load balancer

  I am looking at note 217368.1 (Advanced Configurations and Topologies for Enterprise Deployments of E-Business Suite 11i) and some other notes on load balancing but some aspects are not clear.
  Aim is to implement load balancing traffic to web nodes without using Hardware ( BigIP, cisco etc) for HTTP layer load balancing.
  Which is more preferable between dns or Apache Jserv load balancer ?
  Need details like failover capabilities, death detection of node, functionality testing and ways to monitor Apache Jserv load balancer.
  Any help in this regard is welcome .
  thx
  arun

  Oracle recommends using loadbalancing hardware rather than using DNS. If you want the features you mention above, you will need a hardware loadbalancer.
  http://blogs.oracle.com/stevenChan/2006/06/indepth_loadbalancing_ebusines.html
  http://blogs.oracle.com/stevenChan/2009/01/using_cisco_ace_series_hardware_load-balancers_ebs12.html
  HTH
  Srini

• Send Email issue using "Mail Server Load balancer"  (Cisco ACE 20)

  I have asked this question in SAP MII forum too but it appears issue could be in NetWeaver Mail API. Please let me know if someone have experienced this kind of issue or any suggestions.
  The send email action was working file in MII with smtp mail server on port 25. Recently basis did a change in mail server ip address and they installed a new Load Balancer . The Load balancer is between SMTP and MII. After this change MII does not send email (unknown source error). now MII send email action has ip address or qualified path of Load balancer in MII send email configuration instead of direct ip address of SMTP server. Below is the error message in Net Weaver logs.
  MII still sends email if direct ip address of email server  provided instead of Email Load balancer but not through Load balancer .
  Any suggestions ?
  Could not authenticate mail account (Unknown Source)
  [EXCEPTION]
  javax.mail.AuthenticationFailedException
  at javax.mail.Service.connect(Service.java:319)
  at javax.mail.Service.connect(Service.java:169)
  at javax.mail.Service.connect(Service.java:118)
  at com.sap.xmii.storage.connections.MailConnection.sendMail(MailConnection.java:202)
  at com.sap.xmii.bls.executables.actions.mail.MailActions.send(MailActions.java:223)
  at sun.reflect.GeneratedMethodAccessor1412.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:592)
  at com.sap.xmii.bls.engine.ReflectiveAction.doExecute(ReflectiveAction.java:747)
  at com.sap.xmii.bls.engine.BaseNode.executeNode(BaseNode.java:198)
  at com.sap.xmii.bls.engine.BaseAction.execute(BaseAction.java:76)
  at com.sap.xmii.bls.engine.runners.ProductionRunner.runAction(ProductionRunner.java:147)
  at com.sap.xmii.bls.executables.sequences.Sequence.execute(Sequence.java:50)
  at com.sap.xmii.bls.engine.runners.ProductionRunner.runSequence(ProductionRunner.java:126)
  at com.sap.xmii.bls.executables.controls.Switch.doExecute(Switch.java:131)
  at com.sap.xmii.bls.engine.BaseNode.executeNode(BaseNode.java:198)
  at com.sap.xmii.bls.engine.BaseControl.execute(BaseControl.java:127)

  Hi Ahmed,
  I don't have experience with Blackberry, but, as the document mentions, the first thing to do would be making sure that the connection timeout  is set to something high enough
  You can find more details on how to modify this value at the link below:
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/security/guide/tcpipnrm.html#wp1074289
  I hope this helps
  Daniel

• Authentication vs load balancing

  Hi all u guru's
  We are developing an application which must communicate securely with a farm of application servers through load balancing (all servers are assigned virtual ip). The constraint is that all servers are independent ( do not manage back end db to save common secure context for example). We are also constrained on communication between the servers.
  Does anybody knows the protocol (or any other solution) for establishing secure communication in such conditions ?
  the problem is establishing symmetric key (we don't know to which application server the message is sent).
  We proposed next solution:
  1. Client invents symmetric key.
  2. a payload with symmewtric key encypted (with server public key) and signed (with client private key) is added to every message.
  3. every Application server can decrypt and verify the key and store it for future use (if the message come with the the same payload id).
  Can someone tell is there any main disadvantages to the scheme, that can ruin it all?
  please answer also to [email protected]

  The major drawback is transaction size and speed, depending on the type of application. Have you considered using sticky sessions (where every user is assigned to the same machine he first hit)? The other option is serializing the info/key from machine to machine as needed, which in my opinion is not a secure thing to do.
  Those are the other two options off the top of my head. I'm guessing that you have some sort of client capable of mainting the key information for the user. If not, and all you have is a browser, I don't think this will work like you think it will.

• SmartView connections using load balancing

  Is there a way to create a connection in SmartView to the Planning application that uses the load balancing functionality? When we log into the Planning web application we have a connection that provides load balancing between the 2 Planning servers. It appears that the only connection you can provide in SV for Planning is a direct connection to a web server like this: http(s)://<servername>:8300/HyperionPlanning/SmartView.

  I did a second look at my configuration and it actually looks like Workspace is the only Smartview connection that I have load balanced. For Planning, once connected to the Hyperion Provider Service URL the Planning applications show under the Common Provider Connections. The Planning connections point to the URL of the APS.....which is just like what you use. http://servername:8300/HyperionPlanning/SmartView
  Reading through the EPM High Availability Guide, it appears that it can be done for APS but it seems that might no longer support Planning:
  The following list specifies supported clustering methodologies for EPM System product and components (with sublists for components) and options for removing single points of failure from the architecture and maintaining consistent performance through load balancing.
  Oracle Essbase—Clustering with Oracle Hyperion Provider Services for high availability and load balancing
  Note: High availability for Essbase with Provider Services does not support write-back.
  See the Oracle Hyperion Enterprise Performance Management System Manual Deployment Guide.
  - Essbase Administration Services—None
  - Oracle Essbase Integration Services Server—None
  - Essbase services
  - Oracle Essbase Studio Server—None
  - Essbase services—Provider Services clustering for high availability and load-balancing (read-only)
  See Chapter 3, “Clustering EPM System Products with Proprietary Application Servers.”
  - Provider Services Web application—Java application server clustering for high availability and load-balancing
  See the Oracle Hyperion Enterprise Performance Management System Manual Deployment
  Guide.
  Clustering with Provider Services
  If Essbase is clustered with Provider Services and no third-party tool:
  - Smart View must be used rather than an Excel add-in.
  - Essbase has no write-back capability and should be used for reporting only; therefore, Oracle Hyperion Planning, Fusion Edition is not supported.
  - Nodes must be loaded and calculated individually.

• Issue in setting flex app in load balanced environment using SSL

  I have developed the dashboard in my application using flex 3.0. For this I have used JSP wrapper around the flex application. My application runs on JBoss application server. for communication between flex app and my application i am using LCDS. HTTPService component is being used to receive data from the server. Channel definitions are given in service-config.xml for amf and http channels and for both secure secure and not secure mode. In my proxy-config.xml i have defined Channels and destinations.
  services-config.xml
  <channel-definition id="my-amf" class="mx.messaging.channels.AMFChannel">
      <endpoint url="http://{server.name}:{server.port}/{context.root}/messagebroker/amf" class="flex.messaging.endpoints.AMFEndpoint"/>
      <properties>
            <polling-enabled>false</polling-enabled>
      </properties>
  </channel-definition>
  <channel-definition id="my-secure-amf" class="mx.messaging.channels.SecureAMFChannel">
      <endpoint url="https://{server.name}:{server.port}/{context.root}/messagebroker/amfsecure" class="flex.messaging.endpoints.SecureAMFEndpoint"/>
      <properties>
            <add-no-cache-headers>false</add-no-cache-headers>
      </properties>
  </channel-definition>
  <channel-definition id="my-http" class="mx.messaging.channels.HTTPChannel">
      <endpoint url="http://{server.name}:{server.port}/{context.root}/messagebroker/http" class="flex.messaging.endpoints.HTTPEndpoint"/>
  </channel-definition>
  <channel-definition id="my-secure-http" class="mx.messaging.channels.SecureHTTPChannel">
      <endpoint url="https://{server.name}:{server.port}/{context.root}/messagebroker/httpsecure" class="flex.messaging.endpoints.SecureHTTPEndpoint"/>
      <properties>
          <add-no-cache-headers>false</add-no-cache-headers>
      </properties>
  </channel-definition>
  proxy-config.xml
  <default-channels>
      <channel ref="my-http"/>
      <channel ref="my-amf"/>
      <channel ref="my-secure-http"/>
      <channel ref="my-secure-amf"/>
  </default-channels>
  <destination id="dashboardService">
      <properties>
  <url>/kr/servlet/DashboardServlet</url>
      </properties>
  </destination>
  <destination id="dashboardJSPService">
      <properties>
  <url>/kr/krportal/dashboardJSPService.jsf</url>
      </properties>
  </destination>
  In my development environment both secure and non secure mode were working fine. Now when I have deployed it behind the load balancer(which accepts secure requests only and if the request is not secure it redirects it to secure url) there is no response from the message broker servlet. One thing more I have observed is when the environment is non load balanced there are request like 'http://{server.name}:{server.port}/{context.root}/messagebroker/http'. and these requests are post request. But in load balanced environment with ssl the request is again like 'http://{server.name}:{server.port}/{context.root}/messagebroker/http' which is a post request and it is redirected to 'https://{server.name}:{server.port}/{context.root}/messagebroker/http' which is a get request. The content returned by this get request is null.
  Looking for some comments
  Thanks
  Abhishek Gupta

  if the load balancing environment is already well configured, thes rest is very easy, there is no difference between a configuration of load balancing environment and a simple one, for you that is transparent, except the manual deployment and manual copying
  of files in the directory 15

• Weblogic 10.3.6 - Load balancing- sending duplicate requests 5 min

  Hello,
           We have configured clustering and load balancing to our integration solution as mentioned at http: //abhinavgupta3.blogspot.in/2012/02/osb-clustering-load-balancer.html
  But when ever a requests goes through load balancer and if that requests goes beyond 5 min (300Sec), then load balancer generating new request and that request is being redirected to another node.
  As per my blogging  I found there is some setting need t
  Because of this we are going to ambiguous situation.o configured at load balancer for not falling in to this situation.Its about a property called 'Idempotent'
  Please help me on this.
  Thanks,
  Satyendra

  "The datasource is created successfully from the console so there's no problem with the jar file."
  Did you also test the data source when you created it?
  - when yes then WebLogic can indeed find the derbyclient.jar as the driver org.apache.derby.jdbc.ClientDriver is part of it.
  "I specified in the weblogic.xml that the antlr.* classes should be taken from the application. Also tried this option for org.apache.derby.* classes."
  Have you only defined a
  <prefer-application-packages>
      <package-name>antlr.*</package-name>
      <package-name>org.apache.derby.*</package-name>
  </prefer-application-packages>in weblogic.xml or did you also turn on prefer-web-inf-classes?
  It is smart to start from scratch and delete all the jar files in all the directories. To make the derbyclient.jar part of the WebLogic classpath you can do the following:
  - edit setDomainEnv: When you open setDomainEnv there is an entry like "SET THE CLASSPATH". Just before - if [ "${JAVA_VENDOR}" != "BEA" ] ; then
  you can put something like: CLASSPATH=${CLASSPATH}${CLASSPATHSEP}location/derbyclient.jar
  If the class must be available on every server in a cluster, you can edit the commEnv file (located in the ${WL_HOME}/common/bin directory)
  Search for the entry "set up WebLogic Server's class path". And below the WEBLOGIC_CLASSPATH you can add something like:
  WEBLOGIC_CLASSPATH=${WEBLOGIC_CLASSPATH}${CLASSPATHSEP}location/derbyclient.jar
  Hope this helps you a little

• Pluugin vs load balancer

            I have a Load balancer, I was wondering if an Apache with weblogic Apache pluggin
            is also required in the dmz along with the load balancer, we know this would reduce
            performance, but will having both increase security in any way. i.e does the pluggin
            have any in-built security.I assume having a load balancer would be secure enough
            as the pluggin does not have any security.
            Please suggest a recommendation for this architecture.
            Thanks
            Anil
            

  Hi Anil,
            "Anil Jacob" <[email protected]> wrote in message
            news:3e61117b$[email protected]..
            >
            > I have a Load balancer, I was wondering if an Apache with weblogic Apache
            pluggin
            > is also required in the dmz along with the load balancer, we know this
            would reduce
            > performance, but will having both increase security in any way. i.e does
            the pluggin
            > have any in-built security.I assume having a load balancer would be secure
            enough
            > as the pluggin does not have any security.
            >
            > Please suggest a recommendation for this architecture.
            It depends on whether the load balancer supports weblogic clustering.
            If it doesn't, you will have to have the plugin.
            I checked with BIG 5 and Cisco at eWorld. They do provide such support.
            Regards,
            Slava Imeshev
            

• Cisco RV042 - Dual Wan Load Balancing - Secure Site (HTTPS) Trouble

  PID VID :
  RV042 V03
  Firmware Version :
  v4.0.0.07-tm (Aug 19 2010 19:19:50)
  Ever since I setup my RV042 with load balancing using the Dual Wan system I have had trouble staying connected to some secure sites. After doing some searching I found that the potential issue is the IP change mid session.
  "http://www.broadbandreports.com/forum/r25537589-Cisco-RV042-can-not-use-load-balancing-for-some-web-sites"
  Although my interface is significantly different I was able to find the same area in my RV042 admin area however, it doesn't seem to work.
  System Management
  > Dual Wan
  In Wan 1 & Wan 2 I have HTTPS and HTTPS Secondary all forwarded to use Wan 2 under Protocol Binding
  This however has not managed to do anything at all for my network and every computer conneceted experiences the same HTTPS irregularities at some websites.
  I'm sure I must be doing something wrong, but I don't know what it is.
  Both incoming connections are from the same service provider although the plans are different.
  Any help with this would greatly help me stop losing my mind trying to fight with my website control panel for 10 minutes to just login and get something done.
  Thanks

  Any ideas or advice from anyone?

• Database Native web services - load balancing,  Instrumentation , security

  Hello –
  I’m proposing use of Database Native web service in our company. Our architects are asking following questions so appreciate your help
  a.     How do you load balance across the DB WS (is there a way to use the F5 to detect downtime and balance the load across the DB servers)? We will be using RAC configuration with 3 nodes.
  b.     Our architect have security concern as user id/password information are in the web service URL, which may prove to be an issue. Is there a way to mitigate this risk?
  c.     Instrumentation in this approach (db native services) is questionable due to development/auto gen of the service logic from the DB itself. We may investigate wrapping the services with OSB to give us an additional instrumentation, policy enforcement, endpoint mediation and security proxy. Thoughts??
  d.     Architect are curious regarding any potential performance issues this may have on the DB server.
  Thanks

  Hi
  We've recently begun using Native Web Services, intending to roll out this approach across the enterprise, but we've encountered 2 significant problems so far, which you may want to consider before proceeding ...
  1. NWS returns an exception if the underlying PL/SQL returns a null value - even if the PL/SQL has completed successfully, and null is a legitimate return value (see SR 3-6201969101 - it contains simple instructions to recreate the problem)
  (I raised it in this forum but there were no replies - SOAP Fault when returning null from a Native Web Service Stored Procedure
  2. The sequence of values returned in the NWS response message is the opposite to the sequence declared in the auto-generated wsdl - i.e. schema validation will fail (see SR 3-6209016991 - it also contains simple instructions to replicate)
  We have coded a workaround for problem 1. where we return <EMPTY> in place of null, and check for it in the client, but without proper resolution we're not prepared to use NWS elsewhere
  As a workaround for problem 2. we removed schema validation, again not ideal
  Both SRs were escalated 9 days ago, but are still outstanding
  Incidentally our database is 11.2.0.1, but I've tested on 11.2.0.3 and both problems are still present
  We also wrap the NWS services using an OSB Proxy Service, and came across the same security issue that you describe (b) - to provide the credentials required for the NWS, simply create a Service Account (containing the credentials) inside OSB and attach it to the Business Service which invokes the NWS (http://docs.oracle.com/cd/E17904_01/doc.1111/e15867/service_accounts.htm)
  HTH