Is it possible to view individual SSL-proxy service usage (TPS)?

Hi,
Can the ACE provide any detail above and beyond just the overall ssl-connection rate for a particular context?
I have an ACE with two contexts and multiple ssl-proxy services configured within each and it would be really helpful to know the ssl-connection rate associated with each service (current, average, peak, etc) as I've got the issue where the SSL resource limit for one of the contexts has been reached and I don't know which service has jumped up in usage;-
                                       Allocation
Resource               Current  Peak   Min   Max   Denied
ssl-connections rate         0   250   250   250      351
I can set up custom MIB pollers based on OID values within our SolarWinds network monitoring system so even if the information isn't directly available through the ACE CLI but has an associated OID I'd be grateful for the info if anyone knows it (or even just the OIDs that contain the connection rate values from the 'sh resource usage' command so I can graph the overall usage against date/time within SolarWinds).
Thanks
Matthew

Matthew,
I do not know the OID to poll the service-policy info.
But if you do a 'show service-policy ' at regular intervals and compare the hit count, you can compute the connection rate for each service policy individually.
Gilles.
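
The polling approach from this reply, worked through as an added example (not code from the thread). It assumes the cumulative hit count of each class has already been read off successive 'show service-policy' runs and that each class fronts one ssl-proxy service; the class names and counter values are constructed.

```python
from collections import defaultdict

# Constructed samples: (seconds since first poll, class name, cumulative hit count),
# as copied from successive 'show service-policy' runs. Names and numbers are made up.
SAMPLES = [
    (0,   "VIP-SHOP-HTTPS", 1000),
    (0,   "VIP-API-HTTPS",  5000),
    (60,  "VIP-SHOP-HTTPS", 4000),
    (60,  "VIP-API-HTTPS",  5600),
    (120, "VIP-SHOP-HTTPS", 19000),
    (120, "VIP-API-HTTPS",  6200),
    (180, "VIP-SHOP-HTTPS", 300),    # counter went backwards (stats cleared or reload)
    (180, "VIP-API-HTTPS",  6800),
]


def intervals(samples):
    """Group samples per class and return {class: [(t_end, seconds, new_conns)]}."""
    by_class = defaultdict(list)
    for t, name, hits in sorted(samples):
        by_class[name].append((t, hits))
    result = {}
    for name, points in by_class.items():
        spans = []
        for (t0, h0), (t1, h1) in zip(points, points[1:]):
            if t1 <= t0 or h1 < h0:
                # Duplicate poll, or the counter was reset between polls.
                # The delta is meaningless, so the interval is dropped.
                continue
            spans.append((t1, t1 - t0, h1 - h0))
        result[name] = spans
    return result


def summarize(samples):
    """Per class: current, time-weighted average and peak rate in conns/sec."""
    summary = {}
    for name, spans in intervals(samples).items():
        if not spans:
            continue
        rates = [new / secs for _, secs, new in spans]
        total_new = sum(new for _, _, new in spans)
        total_secs = sum(secs for _, secs, _ in spans)
        summary[name] = {
            "current": rates[-1],
            "average": total_new / total_secs,
            "peak": max(rates),
        }
    return summary


def over_limit(summary, limit):
    """Classes whose own peak rate reaches the rate being compared against,
    for example the context's ssl-connections Max from the resource table."""
    return sorted(n for n, s in summary.items() if s["peak"] >= limit)


if __name__ == "__main__":
    report = summarize(SAMPLES)
    for name, stats in report.items():
        print(name, stats)
    print("at or above 250/s:", over_limit(report, 250))
```

The shorter the polling interval, the closer the peak value gets to the short bursts that trigger denied connections; a 60-second delta only shows the average over that minute.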

Similar Messages

  • Is it possible to make an OSB Proxy service offline/online based on BS

    JMS QUEUE
    |
    |_____ Proxy Service <-------->Business Service <---------> External System URL
    I have a configuration as shown above.
    There is a way to make the Business Service offline/online based on the External system URL being offline/online by setting the
    Business service-> Operational Settings->Offline Endpoint URIs with a timestamp.
    Is it possible to make the state of the proxy service enabled/disabled based on this state of the BS, based on the external endpoint URI?
    This is a requirement such that the messages in the JMS queue do not get lost or consumed when the external system is offline.
    Thanks in Advance!

    I have thought about this. There are some problems here....
    I cannot use the same proxy to invoke the java callout and then based on the code or handler disable it, since
    1) I would have no way to enable the proxy again.
    2) Also there is some amount of message loss.
    So I will have to use another proxy to do the same, but in this case
    1) what would be the trigger to this proxy?
    2) And how often do I invoke the java callout to see if the URI is up or not? (wouldn't that affect the performance?)
    I am just wondering why they gave an offline URI option in the business service and no similar option in the proxy service. Any idea?
    Thanks

  • Ace ssl-proxy problem, Online store.

    Hello!
    I have a problem with moving our online store load balancing to a Cisco ACE solution from Windows NLB that it runs on now. And also relieve the servers from the SSL encrypting and decrypting of sessions.
    The load balancing works as long as the session is HTTP, but when the "customer" comes to the point where he is going to pay, our shop jumps over to HTTPS and this is where the problem appears.
    The "customer" is getting the certificate right but the site is not displayed = the session to the shop seems to die.
    If I have missed something in the config or if someone has any other idea why this doesn't work for me..
    Appreciate any help!
    My config:
    (at the moment only web5 is in use)
    ACE-1/CO-WEB1# show run
    access-list ANY line 10 extended permit ip any any
    access-list icmp line 8 extended permit icmp any any
    probe http PROBE-HTTP
      interval 3
      passdetect interval 10
      passdetect count 2
      expect status 200 200
      expect status 300 323
    parameter-map type ssl SSLPARAMS
      cipher RSA_WITH_RC4_128_MD5
    rserver host vmware-server1
      description testserver1
      ip address 219.222.4.180
      probe PROBE-HTTP
      inservice
    rserver host vmware-server2
      description testserver 2
      ip address 219.222.4.181
      probe PROBE-HTTP
      inservice
    rserver host web5
      description testserver from windows nlb
      ip address 219.222.4.185
      probe PROBE-HTTP
      inservice
    ssl-proxy service SSL-PROXY-SE
      key cert-se.key
      cert cert-se.pem
      ssl advanced-options SSLPARAMS
    serverfarm host WM-ware_servers
      rserver vmware-server1
        inservice
    serverfarm host webtest
      description testserver-farm
      predictor leastconns
      rserver vmware-server1 80
      rserver vmware-server2 80
      rserver web5
        inservice
    sticky ip-netmask 255.255.255.0 address source STICKY-GROUP1
      timeout 60
      serverfarm webtest
    class-map match-all VIP-HTTP
      2 match virtual-address 219.222.4.178 tcp eq www
    class-map match-all VIP-HTTPS
      2 match virtual-address 219.222.4.178 tcp eq https
    class-map type management match-any icmp
      description for icmp reply
      2 match protocol icmp any
    policy-map type management first-match icmp
      class icmp
        permit
    policy-map type loadbalance first-match VIP-HTTP
      class class-default
        sticky-serverfarm STICKY-GROUP1
    policy-map type loadbalance first-match VIP-SSL
      class class-default
        serverfarm webtest
    policy-map multi-match SLB-VIP-HTTP
      class VIP-HTTP
        loadbalance vip inservice
        loadbalance policy VIP-HTTP
        loadbalance vip icmp-reply
      class VIP-HTTPS
        loadbalance vip inservice
        loadbalance policy VIP-SSL
        loadbalance vip icmp-reply
        ssl-proxy server SSL-PROXY-SE
    interface vlan 21
      description ### ACE OUTSIDE mot FW ###
      ip address 219.222.4.171 255.255.255.240
      access-group input ANY
      access-group output ANY
      service-policy input icmp
      service-policy input SLB-VIP-HTTP
      no shutdown
    interface vlan 22
      description ### ACE INSIDE Gateway for Web-servers ###
      ip address 219.222.4.177 255.255.255.240
      access-group input ANY
      access-group output ANY
      service-policy input icmp
      no shutdown
    ip route 0.0.0.0 0.0.0.0 219.222.4.161
    ACE-1/CO-WEB1#
    As seen in "show conn", the sessions are established, first when I enter the site, and then when I go to payment (jumping over to SSL):
    ACE-1/CO-WEB1# show conn
    total current connections : 4
    conn-id np dir proto vlan source destination state
    ----------+--+---+-----+----+---------------------+---------------------+------+
    4 1 in TCP 21 219.222.0.2:49972 219.222.4.178:443 ESTAB
    14 1 out TCP 22 219.222.4.185:443 219.222.0.2:49972 ESTAB
    11 2 in TCP 21 219.222.0.2:49923 219.222.4.178:80 ESTAB
    3 2 out TCP 22 219.222.4.185:80 219.222.0.2:49923 ESTAB
    ACE-1/CO-WEB1#

    Hello Krille
    I had the same problem.
    The HTTP probe you define will check whether the return code is
    expect status 200 200
    expect status 300 323
    Now if a user is accessing the https site, in the flow there will be an expect status like 404; the ACE now does not establish a sticky connection, because it thinks that the flow is not OK.
    The only output after the certificates is a blank site.
    If you change the probing to ICMP you will be able to access the https site and the connection is sticky. With a little tool like IE Watch you will be able to see the wrong status codes.
    regards
    eberhard

  • Mapping Stuck Threads to Proxy Services

    Hello OSB Experts:
    Is there a way I can map the information of a thread dump showing stuck threads to the proxy service that those threads are executing?
    I am facing a situation that seems to be usual: one of several backends is performing poorly, producing stuck threads in the OSB app. servers. After a while, the performance of the whole OSB is affected because of the number of threads in stuck state.
    I would like to be able to pinpoint the backend with problems in order to solve the problem before the health of the whole OSB is affected.
    Can this be done without 3rd party tools?
    Thanks
    Sebastián

    No, it is not possible to get the proxy service name from the thread dump. The OSB stuff is handled under a weblogic wrapper thread.
    One of the main reason for stuck threads is some of the proxy service calls taking a lot of time through the business services and there is no appropriate timeout set for the calls on the business service.
    You have couple of options to find out the culprit. You can enable tracing on the proxy services and the business services and capture the metrics that should help you find a pattern for the performance. The numbers will help you find which backend is taking more time.
    You can get more details on OSB Monitoring @ http://docs.oracle.com/cd/E23943_01/admin.1111/e15867/monitoring_ops.htm#OSBAG472
    Secondly, always set some realistic timeout value (like 30 seconds/60 seconds depending on the SLA of the back-end) on the business service. Leaving it at the default (that is 0) is like configuring an indefinite timeout (in which case it uses the default weblogic connection timeout setting of 10/15 minutes).
    This way the threads are not stuck waiting for the response and don't cause issues.
    Additionally you use OSB alerts to notify you for service behavior discrepancies w.r.t response times, number of errors etc .. Refer http://docs.oracle.com/cd/E23943_01/admin.1111/e15867/monitoring_console.htm#CACDCDAH for more details.
    Hope this information helps.
    Thanks,
    Patrick
    It is considered good etiquette to reward answerers with points (as "helpful" - 5 pts - or "correct" - 10 pts).
    https://forums.oracle.com/forums/ann.jspa?annID=893

  • Is it possible to use single ssl certificate for multiple server farm with different FQDN?

    Hi
    We generated the CSR request for a VeriSign Secure Site Pro certificate
    SSL Certificate for cn=abc.com, considering abc.com as our major domain. Now we have servers in this domain like www.abc.com, a.abc.com, b.abc.com etc. We installed the VeriSign certificate and configured the ACE-20 accordingly for ssl-proxy, and we will use the same certificate generated for abc.com for all servers like www.abc.com, a.abc.com, b.abc.com etc. Now when we are trying to access https://www.abc.com or https://a.abc.com through Mozilla, we are able to access the service but we are getting this message in the certificate status: "you are connected to abc.com which is run by unknown"
    And the same message when trying to access https://www.abc.com from Google Chrome.
    "This is probably not the site you are looking for! You attempted to reach www.abc.com, but instead you actually reached a server identifying itself as abc.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of adgate.kfu.edu.sa. You should not proceed"
    So I know that as this certificate is for cn=abc.com, that is why we are getting such errors/status in the SSL certificate.
    Now my question is
    1. Is it possible to remove the above errors by doing some SSL configuration on the ACE?
    2. OR do we have to go for a VeriSign Wildcard Secure Site Pro Certificate for the CSR generated using cn=abc.com, to be installed on the ACE and used for all servers like www.abc.com, a.abc.com etc.?
    Thanks
    Waliullah

    If you want to use the same VIP and port number for multiple FQDNs, then you will need to get a wildcard certificate. Currently, if you enter www.abc.com in your browser, that is what the browser expects to see in the certificate. And right now it won't because your certificate is for abc.com. You need a wildcard cert that will be for something like *.abc.com.
    Hope this helps,
    Sean
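
The name check the browsers in this thread are performing, as an added example (not code from the thread or from any browser). It follows the usual RFC 6125 rules, with the conservative assumption that a wildcard needs at least two fixed labels after it, and runs them against the thread's abc.com host names.

```python
def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.rstrip(".").lower().split(".")


def name_matches(pattern, hostname):
    """Match one certificate name against the host name the client asked for.

    A '*' is honoured only as the entire left-most label and stands for
    exactly one non-empty label, so it never spans a dot.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Conservative choice: refuse wildcards such as '*.com'.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers(cert_names, hostname):
    """True if any name presented by the certificate matches the host name."""
    return any(name_matches(n, hostname) for n in cert_names)


def coverage(cert_names, hostnames):
    """Map each host name to whether the certificate would be accepted for it."""
    return {h: cert_covers(cert_names, h) for h in hostnames}


# Host names used in the thread.
HOSTS = ["abc.com", "www.abc.com", "a.abc.com", "b.abc.com"]

# Candidate certificates; the name lists are constructed for illustration.
CERTS = {
    "single name (cn=abc.com)": ["abc.com"],
    "wildcard only": ["*.abc.com"],
    "SAN list with apex and wildcard": ["abc.com", "*.abc.com"],
}

if __name__ == "__main__":
    for label, names in CERTS.items():
        print(label)
        for host, ok in coverage(names, HOSTS).items():
            print(f"  {host:<12} {'ok' if ok else 'NAME MISMATCH'}")
```

Note that the wildcard alone does not cover the bare abc.com, and it does not cover a name two levels down such as x.a.abc.com; a certificate that must serve both the apex and its subdomains needs both names listed.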

  • Apache 1.3.12 running with Raven SSL Proxy

    Hi All,
    I am currently having an issue clustering 2 WLS 5.1 sp8 app servers using Apache
    1.3.12 with the Raven SSL 1.4.3 plugin. (All on Solaris 7)
    Here is my scenario:
    The cluster "seems" to work. A session is processed fine on its primary server,
    while the session information is replicated to the secondary server.
    Yet when we crash the primary server to test failover, all of the sessions on the
    primary server are lost and NOT processed by the secondary server. It is almost
    like the cookie was not updated to reflect that the primary had gone down, so the
    secondary server does not know it is now the primary.
    Any ideas?.. As long as the primary does not fail the system works fine.. so I know
    the sessions are being directed to the correct server the rest of the time, just
    not during failover.
    NOTE: I have had no problems with failover using Apache Stronghold using the mod_wl_ssl.so
    proxy, this problem only seems to occur with the Apache using Raven SSL and the mod_wl_ssl_raven.so
    proxy. Is there a bug with this proxy?
    Thank you for any ideas.
    -Nick

    The Web server plug-ins do not natively support outbound SSL connections
    yet(i.e. SSL from the plug-in to WebLogic). This is a feature for version
    6.0. You can use SSL from the browser to Apache or from the browser to
    WebLogic directly.
    The majority of our customers use strict firewall rules to protect the
    traffic between Apache and WebLogic. If they are paranoid, they use an SSL
    proxy or a VPN product.
    Thanks,
    Michael
    Michael Girdley
    BEA Systems Inc
    "Josh Kwan" <[email protected]> wrote in message
    news:39d4e8a5$[email protected]..
    >
    Hello,
    I want to know how to connect Apache 1.3.12 with mod_ssl to BEA WebLogic 5.1.0 on Solaris via HTTPS. I have heard that this can only work over t3...
    is that true? If so, how can it be done securely? If that isn't the case,
    how can httpd.conf/weblogic.conf be configured on the Apache server to talk
    to the WebLogic server on port 7002? Both of the machines I am using are
    running Solaris 7 with necessary patches. I have installed SP5 for WebLogic
    and I have copied mod_wl.so and mod_wl_ssl.o to the Apache server for
    inclusion as modules.
    >
    The two servers communicate correctly over HTTP, but I want to be able to serve some JSPs via HTTPS from the WebLogic server through the Apache web
    server. I have generated all the required CA and server certificates for
    each server, and they both individually answer HTTPS requests, but do not
    work when an HTTPS request is sent to the Apache server for a JSP that is
    served from the WebLogic server. I read somewhere in the documentation for
    5.1.0 that WebLogic will communicate via HTTPS to various web and proxy
    servers.
    >
    Any help would be greatly appreciated... thanks!
    Regards,
    Josh Kwan
    Sr. Systems Engineer
    iXL

  • Multiple SSL Certs in one SSL Proxy/VIP

    Guys
    I have a requirement to be able to provide SSL for two different sites that will resolve to the same VIP. I've created a lot of SSL sites before and these work a treat with HTTP to HTTPS redirection.
    However I'm not sure how to take two different SSL certs and bind them to the same SSL Proxy, in order for me to add them to the same VIP. The customer wants to use only port 443. I had thought about using a secondary port, something like 8443, and adding another class under the multi-match policy.
    Is this possible at all? I use a standard L4 class-map in the multi-match policy, that then nests down into L7 class-maps, for URL load balancing.
    Because this is a multi-match policy can I just create another L4 Policy, which in turn nests down to a different L7 class-map, allowing me to match the second URL? And thus, because I have another L4 policy, I can assign a new SSL Proxy?
    Thanks

    Cathy
    Thanks for the reply, that's what I was thinking. We use wildcard certificates for several of the other domains, how we need to provide certificates for www.website.com and ww2.website.com due to cost.
    Is it possible to replace the L4 policy map with a straight L7 so that we are load balancing directly on URL as opposed to verifying L4 matches first? Or would this not be advisable / possible? I always thought it was the L4 policy that made the VIP proxy?
    Can SAN certs not be used in this example?
    Thanks

  • Modifying an "ssl-proxy-list" without disturbing the active sessions.

    Hello,
    I would like to know if it is possible to have two SSL modules installed in a CSS11503 with each one having its own "ssl-proxy-list" ("ssl-proxy-list list1" and "ssl-proxy-list list2"), but the two lists (list1 and list2) are exactly the same.
    I will explain my idea:
    In normal situation the two "ssl-proxy-list" are active and the user's encrypted sessions are load balanced between the two SSL modules. But when we need to make a change to the "ssl-proxy-list", like changing a server's certificate, I would like to be able to suspend one service (type ssl-accel with the "ssl-proxy-list List1" attached to it for example) and wait for all active sessions to terminate before suspending the "ssl-proxy-list list1" for applying the changes.
    Once the first "ssl-proxy-list" is updated I would make it active again and apply the same changes to the second "ssl-proxy-list".
    Doing it this way I would like to be able to upgrade the servers' certificates during working hours without disturbing the connected users...
    Do you think this way of doing it would be possible, or do you have another solution to modify an "ssl-proxy-list" without disturbing the active running sessions?
    Thank you for your answer,
    Best regards

    Hi Francois,
    An SSL proxy list may belong to multiple SSL services (one SSL proxy list per service), and an SSL service may belong to multiple content rules. You can apply the services to content rules that allow the CSS to direct SSL requests for content.
    The CSS supports one active SSL service for each SSL module in the CSS, one SSL service per slot. You can configure more than one SSL service for a slot but only a single SSL service can be active at a time.
    No modifications to an SSL proxy list are permitted on an active list. Suspend the list prior to making changes, and then reactivate the SSL proxy list once the changes are complete. Once you have modified the SSL proxy list, suspend the SSL service, reactivate the SSL proxy list, and then reactivate the SSL service.
    You can use maximum 4 different certificates at a time.
    Use the suspend command to suspend an active SSL proxy list.
    To suspend an active SSL proxy list, enter:
    (config-ssl-proxy-list[ssl_list1])# suspend
    use the url below for your reference:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.10/command/reference/CmdSSLC.html
    Kind regards,
    Sachin Garg
    Senior Specialist Security
    HCL Comnet Ltd.
    http://www.hclcomnet.co.in
    A-10, Sector 3, Noida- 201301
    INDIA
    Mob: +91-9911757733
    Email: [email protected]

  • Is it possible to view your current history for a single tab in safari lion

    Is it possible to view your current history for a single tab in safari lion?

    Not once the tab has been closed. If it hasn't, clicking and holding the Back button will display the titles of recently visited sites in that tab.

  • Is it possible to install an SMTP proxy that will handle splitting group mail?

    I am running OS X 10.9.3 with Server 3.1.2 on a Mac-Mini Mid-2012. I learned on my last implementation of OS X 10.9.3 that Mavericks sometimes has issues with handling group mail.  As I rebuild my network, I am wondering if it is possible to install a SMTP proxy that can receive, process, then forward mail on to the primary mail server.
    For example, if mail is sent to a group account, this SMTP proxy would repackage the message as a message to a carbon copy list of all the group members, but if the mail is sent to a user account, the mail is forwarded unmodified.  Like this:
    As an alternative to this, I would also be interested a solution in which the Linux Mail Server referenced the Open Directory for account information, including password authentication, so that if a user in the Mac Network updates his password, that he can use the same password to access his mail on a webmail client or via the Mail.app.
    This is a callout for discussion points, ideas and recommendations. There is no problem here to fix necessarily.

    I am not aware of a tool to do the group splitting for you, this is normally the responsibility of the mail server itself.
    However with regards to your second query, a lot of people use a product called Kerio Connect instead of Apple's Mail server. Kerio can run on the same Mac server but in general is a far more powerful mail server. It does include the ability to authenticate user accounts against Open Directory.
    There is one issue you need to be aware of, like nearly all mail servers it uses the 'username' as the main email address, so if you want an email account of [email protected] then your Open Directory short name need to be jsmith, if you want your email address to be [email protected] then your user short name needs to be john.doe and so on.
    Note: While I have specifically talked about Kerio most other mail server including those for Linux would be able to link to Open Directory via LDAP and authenticate email accounts. The same link between email address and short name would usually apply.

  • Is it possible to view the content of multiple lists(located in multiple webs) in one ListViewWebpart? And how can I filter a multivalue column?

    Is it possible to view the content of multiple lists, that are located in different webs as well, in just one ListViewWebpart? Could I maybe change the query programmatically so that it gets the content this way?
    I know that I could use the Content Query Webpart instead - actually I have been using that so far, but the problem is that it brings no standard SharePoint functionality for lists with it... I had to write the xsl style sheet, there are no dynamic filters
    that the user could set, there are no default list operations the user could use.
    The ListViewWebpart has all of these, but it only shows the content of one list...
    And my second problem:
    One column can contain multiple values (like a column that contains multiple users or user groups that are related to one entry). I can filter every other column with the standard filters, but not the column with multiple values in it. Is it possible to
    activate that or maybe add this feature programmatically?

    You can fetch data from multiple lists in ListViewWebpart, this can be possible through Content Query web part or Custom Web Part using Visual Studio but in that case you cannot get the standard SharePoint functionality for lists (which is available in
    ListViewWebparts).
    No OOB filter is available for a multi-choice column, you also have to go with a custom solution to achieve this.
    Adnan Amin MCT, SharePoint Architect | If you find this post useful kindly please mark it as an answer.

  • Is it possible to view information such as play count on Artist view in itunes 11?

    is it possible to view information such as play count on Artist view in itunes 11?

    There is no column view for the artist tab in iTunes 11. The songs are chunked up by album, no option for list view, let alone column chooser. Also, everything under view > column browser is grayed out.

  • Is it possible to view attachments in calendar?

    Is it possible to view attachments on an iphone when using the calendar?

    As far as I know, not possible.  You can always install an older Mac OS X on your Mac using a separate partition.  See this tip:
    http://discussions.apple.com/docs/DOC-1948

  • I've a Pc with Win7. Is it possible to view the movies I've there (and listening to the music also there) in my TV using Apple TV? And navigate in the web? Can I choose my browser?

    I've a Pc with Win7. Is it possible to view the movies I've there (and listening to the music also there) in my TV using Apple TV? And navigate in the web? Can I choose my browser?
    I'm just starting in this area so please explain in detail.
    Thanks.

    Welcome to the Apple Community.
    You can't browse the web on an Apple TV
    You can view any content that is in your iTunes library on the PC via the Apple TV if it is in the correct format.

  • CSS SSL Proxy - how can I write the original source address in http header

    I'm replacing some BigIP's with CSS11500's that are configured to do front/backend ssl proxying in a one-armed configuration. The BigIP's write the original source IP address as a http header value when the traffic is sent to the application, and the application uses the IP to match against an application ACL. How can I do the same in the CSS.
    thanks,
    Brian

    here is what you can insert with the SSL module :
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a0080292a76.html#wp1027619
    Gilles.
