SSL offloading - Backend Server problem.

I am configuring SSL offloading for the first time. After configuring my CSS 11503 to do the offloading, I discovered I can still access the secure web page through a normal HTTP request from the public internet (as opposed to HTTPS). What is the best and easiest way to stop this from happening?

The solution is to use a redirect from HTTP to HTTPS.
You can let the server do the redirect or configure the CSS with a redirect service.
More info at
http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080094068.shtml
Gilles.
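One way to do the redirect on the server side, as an added example that is not from this thread: a plain-HTTP listener that answers every request with a 301 to the HTTPS URL, unless the offloader has marked the request as already decrypted HTTPS. It assumes the offloader inserts an X-Forwarded-Proto header (the header name and the host list are assumptions, not anything the CSS configuration above provides).

```python
"""HTTP-to-HTTPS redirect for a backend that sits behind an SSL offloader.

Added example, not code from the original thread. Assumes the offloader
forwards decrypted requests as plain HTTP and adds X-Forwarded-Proto: https
when it does so (assumed header name; the device's own insert syntax varies).
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import quote

# Hosts this listener is allowed to redirect to (constructed; the name is the
# one used elsewhere in the thread). Redirecting to whatever Host header the
# client sent would turn the redirector into an open redirect.
ALLOWED_HOSTS = {"secure.example.com"}
HSTS_MAX_AGE = 31536000  # one year; only ever sent on a request that was HTTPS


def _host_without_port(host: str) -> str:
    """'secure.example.com:8080' -> 'secure.example.com'; keeps [v6] literals."""
    host = host.strip()
    if host.startswith("["):
        return host[: host.find("]") + 1]
    return host.split(":", 1)[0]


def plan_response(headers: dict, path: str) -> tuple:
    """Decide what one request gets: (status, extra response headers).

    301 + Location when the request reached us over plain HTTP,
    200 + HSTS when the offloader marked it as decrypted HTTPS,
    400 when the Host header is missing or is not one of ours.
    """
    h = {k.lower(): v for k, v in headers.items()}
    host = _host_without_port(h.get("host", ""))
    if host.lower() not in ALLOWED_HOSTS:
        return 400, {}
    if h.get("x-forwarded-proto", "http").strip().lower() == "https":
        return 200, {"Strict-Transport-Security": f"max-age={HSTS_MAX_AGE}"}
    if not path.startswith("/"):
        path = "/"  # absolute-form request targets are not echoed back
    # Re-encode the path so a crafted path cannot inject header characters.
    location = f"https://{host}{quote(path, safe='/?=&%+~')}"
    return 301, {"Location": location}


class RedirectHandler(BaseHTTPRequestHandler):
    """Plain-HTTP listener placed where the backend's port-80 site used to be."""

    def _handle(self):
        status, extra = plan_response(dict(self.headers), self.path)
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name, value)
        # A 200 here means "serve the page"; this skeleton sends an empty body.
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_HEAD = do_POST = _handle


if __name__ == "__main__":
    # Constructed bind address; in practice this is the backend's HTTP port.
    HTTPServer(("0.0.0.0", 8080), RedirectHandler).serve_forever()
```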

Similar Messages

  • Backend server in CSS

    Hi
    I am configuring backend SSL, but it does not work.
    When I configure backend SSL, does the local server need to be configured as an SSL server? So they should install a certificate, and my CSS does not need a certificate?
    Please advise if my understanding is correct.
    Any comments will be appreciated.
    Thanks in advance

    I think I have understood the question.
    However, I have another problem now:
    I have configured two backend services; one is alive and one is down. I believe both services are configured the same.
    The configuration is:
    ssl-proxy-list ssl-slot3
    backend-server 10
    backend-server 10 ip address 10.1.1.51
    backend-server 10 port 81
    backend-server 10 server-ip 10.1.1.51
    backend-server 10 cipher rsa-with-rc4-128-sha
    backend-server 11
    backend-server 11 ip address 10.1.1.52
    backend-server 11 port 81
    backend-server 11 server-ip 10.1.1.52
    backend-server 11 cipher rsa-with-rc4-128-sha
    service ssl-backend10
    type ssl-accel-backend
    protocol tcp
    port 81
    add ssl-proxy-list ssl-slot3
    keepalive type ssl
    keepalive port 443
    ip address 10.1.1.51
    active
    service ssl-backend11
    type ssl-accel-backend
    protocol tcp
    port 81
    add ssl-proxy-list ssl-slot3
    keepalive type ssl
    keepalive port 443
    ip address 10.1.1.52
    active
    # sh service summary | grep back
    ssl-backend10 Alive 0 1 2 2
    ssl-backend11 Down 0 1 255 0
    I have checked both local servers, and port 443 is open on both of them.
    Could anyone advise me what the problem is, and how to fix it?
    For your information, I have configured the content as:
    content ssl-back
    vip address 10.1.2.43
    protocol tcp
    port 81
    url "/*"
    add service ssl-backend10
    add service ssl-backend11
    balance leastconn
    active
    Any comments will be appreciated.
    Thanks in advance

  • Server 3 / SSL Certificate / Open Directory - Problem!

    We've updated from Server 2 to Server 3 / OS X 10.9.
    We have an SSL certificate for server from Comodo.
    Under Server 2, all worked just fine, with the SSL certificate being used to secure all services (configure via Server app).
    Under Server 3, all works just fine, but Open Directory will not accept the certificate, so Certificates / Settings in the Server 3 app shows "Custom Configuration" for Settings; on inspecting this it is because Open Directory is set to be not secured while everything else is using SSL.
    I've tried setting Open Directory to use the SSL certificate, but whenever I do it simply bounces back to being unsecured.
    Does this matter?  Presumably it should be possible (as the standard setting appears to try and set Open Directory to use the SSL certificate), but I'm not sure whether trying to fix it is simply a fool's errand.
    Anyone got any clues as to whether to fix or not, and if to fix, how?
    Thanks in advance.

    Have you checked to see that the certificate is indeed "Trusted" by your server?
    Above, you stated that they're in the etc/certificates folder, but that doesn't mean that the server likes them.  You can create a "Self Signed" Certificate and still have certificates in there.  That doesn't mean that anyone else on the planet has to trust them.
    Open Keychain Access in your utilities folder.  Depending on how you have it configured, you may have to look around to find the certificate in question.  It may be under login, or System. 
    When you select your Certificate, if it's there, does it show as trusted?
    Another thing you can check...  Often times Certificate Authorities use Intermediate certificates.  Since anyone can sell a certificate, in order to have it trusted, you need to have it signed by someone else.  A good example is GoDaddy.  They sell both SSL and Code signing certificates of all flavours.  In order to get them to be trusted, the "Intermediate Certificate" needs to also be installed in the keychain.  My GoDaddy cert looks to be trusted by Verisign via an intermediate.
    Have a look here...  https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1182
    Not sure if it's directly relevant, but there it is.
    The point is, I think you need to verify that your certificate is trusted by your server.  OD won't use an untrusted certificate. 
    --an afterthought--  Anything in the logs?
    Open up your server window where you try to select the certificate for OD.  Also, in another window open up the terminal.  In terminal, type:
    tail -f /var/log/system.log
    In the server window try to select the certificate and click done.  See what the output in terminal says.

  • SSL Offloading

    hello 
    I have a confusion. When we are talking about Load Balancing we hear about SSL Offload. Do we need to configure it on Exchange or on the Load balancer, or is it enabled by default on Exchange?
    regards 

    SSL Offloading means that the load balancer or web publishing device decrypts the SSL messages ahead of the Exchange server.  Whether you use it or not is between you and your network people.  The main reason I don't recommend it is that you generally want to re-encrypt the traffic between the load balancer and the Exchange server anyway, so it doesn't help with performance.  A good reason for using it is that the web publishing device can inspect the contents of the packets.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

  • SSL Offload Requests

    When using any load balancer (CSS, CSM or ACE) and doing SSL offload, how does the request to the backend server get created? For example, if the client requests https://secure.example.com/privatedata.html and that URL is configured for SSL offload on the load balancer, is the request from the LB to the server just http://secure.example.com/privatedata.html ? What would the request look like if SSL offload and backend SSL are both configured? Are there methods to modify the default behavior on any of the platforms?
    TIA

    First you have to understand that a URL is not sent the way you type it in HTTP.
    So the request actually looks like this :
    GET /privatedata.html
    Host: secure.example.com
    This request is encrypted with SSL if you enter the url with HTTPS:// and is sent in cleartext if you don't use SSL.
    So, what the offloader will do is simply decrypt the traffic and, whatever the request is, send it in cleartext to the server IP address.
    The offloader can't change the content of the request. However, it can add some lines in the header.
    Also, instead of just transmitting in cleartext, the loadbalancer can re-encrypt so the communication between offloader and server is also SSL.
    Again, the request (see above) does not change.
    Gilles.

  • Does ADFS work with SharePoint 2013 with WFEs SSL-offloaded to a F5 load balancer?

    Currently we are implementing a SharePoint 2013 Production environment with 2 WFEs load-balanced by F5.  SSL is offloaded to F5 and is currently working fine with Integrated Windows Authentication with NTLM.  We would like to implement ADFS 3.0 later for Single Sign-on, and we are wondering if ADFS supports SSL offload.
    Do we need to bind the certificate to the WFEs as well to use ADFS?  
    Thank you!

    Just got it confirmed that ADFS supports SSL offload.  There is no direct communication between SharePoint and ADFS server during the authentication process.  It is always the browser that's talking to ADFS server. We just need to do the following:
    Configure SharePoint URLs in ADFS as relying parties with https.
    Configure AAM in SharePoint to make sure internal URL is http and public URL is https.

  • SSL Offloading and Certificate Errors

    I am attempting to offload SSL on an F5 load balancer.  I made the certificate request from the load balancer, procured the certificate from Entrust, and installed it on the load balancer.  I then followed the SSL Offloading TechNet instructions here: http://technet.microsoft.com/en-us/library/dn635115(v=exchg.150).aspx.  My two CAS servers still have the self-signed certificates bound in IIS.  I am getting certificate errors when making RPC over HTTPS connections in Outlook, and the self-signed certificate is popping up.
    My question is what do I do with the certificates on my 2 CAS servers?  Do I leave the self-signed certificates on there and export the Entrust certificate from my F5 and then import it to my CAS servers and change the bindings in IIS? 
    Or do I have to make the CSR from a CAS server, issue a new Entrust certificate from that, import to both CAS servers, then import to the F5 and make sure all bindings are correct in IIS?
    Or am I completely misunderstanding how this works and need to do something different entirely?
    Thanks in advance for any guidance.

    As I previously mentioned, I have already followed the SSL Offloading guide from TechNet, which included unticking Require SSL for all the various objects in IIS (OWA, ECP, EWS, RPC etc.).
    Additionally I made sure SSL Offloading was enabled for Outlook Anywhere in PowerShell.  See for example the output of Get-OutlookAnywhere:
    RunspaceId                         : 1bdf6a03-d43d-4478-84cc-95e18806b11b
    ServerName                         : TSTEXCG2013
    SSLOffloading                      : True
    ExternalHostname                   : tstowa.XXXX.com
    InternalHostname                   : tstowa.XXXX.com
    ExternalClientAuthenticationMethod : Ntlm
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}
    XropUrl                            :
    ExternalClientsRequireSsl          : True
    InternalClientsRequireSsl          : True
    MetabasePath                       : IIS://TSTEXCG2013.tstXXX.tstXXXX.tst/W3SVC/1/ROOT/Rpc
    Path                               : D:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc
    ExtendedProtectionTokenChecking    : None
    ExtendedProtectionFlags            : {}
    ExtendedProtectionSPNList          : {}
    AdminDisplayVersion                : Version 15.0 (Build 847.32)
    Server                             : TSTEXCG2013
    AdminDisplayName                   :
    ExchangeVersion                    : 0.20 (15.0.0.0)
    Name                               : Rpc (Default Web Site)
    DistinguishedName                  : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=TSTEXCG2013,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=XXX XXXX,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=tstXXXX,DC=tst
    Identity                           : TSTEXCG2013\Rpc (Default Web Site)
    Guid                               : 9b2bc5e2-41c1-4219-9186-8e6b8cb63dc0
    ObjectCategory                     : tstXXXX.tst/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
    ObjectClass                        : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
    WhenChanged                        : 7/10/2014 7:38:58 PM
    WhenCreated                        : 6/23/2014 2:54:36 PM
    WhenChangedUTC                     : 7/11/2014 12:38:58 AM
    WhenCreatedUTC                     : 6/23/2014 7:54:36 PM
    OrganizationId                     :
    OriginatingServer                  : TSTXXXXDC02.tstXXXX.tst
    IsValid                            : True
    ObjectState                        : Changed

  • Failure of server APACHE bridge::No backend server available for connection

    All,
    I have an env: Browser -> OHS -> WLS(Apex Listener) -> Oracle DB.
    If any SQL runs for more than 5 minutes, I get the error below.
    Failure of server APACHE bridge:
    No backend server available for connection: timed out after 10 seconds or idempotent set to OFF or method not idempotent.
    The only error I get is from the OHS's log:
    [2013-04-03T06:45:57.2946-05:00] [OHS] [ERROR:32] [] [core.c] [host_id: aa050] [host_addr: 121.146.60.102] [tid: 1260554560] [user: oracle] [ecid: 004qNDJn1du7m3KaETn3ES0004Ll00001T] [rid: 0] [VirtualHost: my.team.com:443]  ap_proxy: trying POST /pls/apex/wwv_flow.show at backend host 127.0.0.1/7003; got exception 'Backend Server not responding'; state: reading status line or response headers from WLS (wrote? Y read? N); not failing over because method not idempotent, referer: https://my.team.com/pls/apex/f?p=4500:1003:16571271664493::NO:::
    Is there a timeout variable other than the below in WLS?
    Session Timeout (in seconds): 3600 .
    TIA,
    JJ

    Regardless of the version, this is not exactly a "Forms" failure. This is an issue between OHS and WLS. Basically it means that OHS (via mod_wl_ohs) was unable to communicate with WLS_FORMS (or whichever managed server you are trying to access). Most often this means the managed server is not running or not responding. If you believe it is running and is responsive (test by hitting it directly) then the problem is probably related to your installation. Generally, if you have not properly configured your networking before you installed WLS and FMW, then this can occur. For example, on Windows machines which do not have static IP addresses, the Installation Guide instructs you to install the Windows loopback adapter and configure it. If you did not do this, OHS likely will not be able to contact WLS_FORMS.
    You can test what I have described above by attempting to access WLS_FORMS directly. For example:
    http://yourHost:9001/forms/frmservlet
    If that works, the issue is probably related to a net config issue.
    If you have access to My Oracle Support, refer to these notes:
    - Failure Of Server APACHE Bridge After Running Report From Forms 11gR2 on Windows 64-bit platform (Doc ID 1457845.1)
    - Oracle Fusion Middleware 11g - Troubleshooting the Error "Failure of server APACHE bridge" (Doc ID 1304095.1)
    The product Documentation Library can be found here:
    http://docs.oracle.com/cd/E24269_01/index.htm

  • [Fwd: Starting Managed server problem ......]

    Forwarding to the security news group...
    -------- Original Message --------
    Subject: Starting Managed server problem ......
    Date: 1 Jun 2004 23:02:53 -0700
    From: Sameer <barsatkiraat2001>
    Newsgroups: weblogic.developer.interest.management
    Hi All,
    I need you guys' help in this regard: I am using Solaris 8 and have
    installed WebLogic 8.1 Server.
    My Scenario is;
    Have configured Admin Server and Managed server with nodemanager on one
    unix machine.
    So, the problem I am facing is:
    I am not able to get the Managed Server to run after starting the nodemanager
    and admin server; I get this error in the nodemanager logs:
    <Jun 2, 2004 9:44:26 AM GMT 04:00> <Warning> <Security> <BEA-090482>
    <BAD_CERTIFICATE alert was received from PortalQA - 10.12.10.94. Check
    the peer to determine why it rejected the certificate chain (trusted CA
    configuration, hostname verification). SSL debug tracing may be required
    to determine the exact reason the certificate was rejected.>
    And in Admin Server logs it's saying;
    <Jun 2, 2004 9:44:26 AM GMT 04:00> <Warning> <Security> <BEA-090504>
    <Certificate chain received from PortalQA - 10.12.10.94 failed hostname
    verification check. Certificate contained AdminQA but check expected
    PortalQA>
    The WebLogic Server did not start up properly.
    Exception raised:
    'weblogic.management.configuration.ConfigurationException: Due to faulty
    SSL configuration, this server is unable to establish a connection to
    the node manager.'
    <Jun 2, 2004 9:44:26 AM GMT 04:00> <Warning> <NodeManager> <BEA-300038>
    <The node manager is unable to monitor this server. Could not create an
    SSL connection to the node manager. Reason :
    [Security:090504]Certificate chain received from PortalQA - 10.12.10.94
    failed hostname verification check. Certificate contained AdminQA but
    check expected PortalQA>
    Reason: weblogic.management.configuration.ConfigurationException: Due to
    faulty SSL configuration, this server is unable to establish a
    connection to the node manager.
    <Jun 2, 2004 9:44:26 AM GMT 04:00> <Emergency> <WebLogicServer>
    <BEA-000342> <Unable to initialize the server:
    weblogic.management.configuration.ConfigurationException: Due to faulty
    SSL configuration, this server is unable to establish a connection to
    the node manager.>
    If someone can help me, I would appreciate it, with all due respect.
    Sameer.

    Hello Satya/All,
    I'm also experiencing the exact problem you are facing. It would be great if
    somebody could help in this regard at the earliest.
    Thanks, senthil
    Satya Ghattu <[email protected]> wrote:

  • Starting Managed server problem ......

    Hi All,
    I need you guys' help in this regard: I am using Solaris 8 and have installed WebLogic 8.1 Server.
    My Scenario is;
    Have configured Admin Server and Managed server with nodemanager on one unix machine.
    So, the problem I am facing is:
    I am not able to get the Managed Server to run after starting the nodemanager and admin server; I get this error in the nodemanager logs:
    <Jun 2, 2004 9:44:26 AM GMT 04:00> <Warning> <Security> <BEA-090482> <BAD_CERTIFICATE alert was received from PortalQA - 10.12.10.94. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.>
    And in Admin Server logs it's saying;
    <Jun 2, 2004 9:44:26 AM GMT 04:00> <Warning> <Security> <BEA-090504> <Certificate chain received from PortalQA - 10.12.10.94 failed hostname verification check. Certificate contained AdminQA but check expected PortalQA>
    The WebLogic Server did not start up properly.
    Exception raised: 'weblogic.management.configuration.ConfigurationException: Due to faulty SSL configuration, this server is unable to establish a connection to the node manager.'
    <Jun 2, 2004 9:44:26 AM GMT 04:00> <Warning> <NodeManager> <BEA-300038> <The node manager is unable to monitor this server. Could not create an SSL connection to the node manager. Reason : [Security:090504]Certificate chain received from PortalQA - 10.12.10.94 failed hostname verification check. Certificate contained AdminQA but check expected PortalQA>
    Reason: weblogic.management.configuration.ConfigurationException: Due to faulty SSL configuration, this server is unable to establish a connection to the node manager.
    <Jun 2, 2004 9:44:26 AM GMT 04:00> <Emergency> <WebLogicServer> <BEA-000342> <Unable to initialize the server: weblogic.management.configuration.ConfigurationException: Due to faulty SSL configuration, this server is unable to establish a connection to the node manager.>
    If someone can help me, I would appreciate it, with all due respect.
    Sameer.

    Hello,
    NodeManager requires proper SSL configuration. Are you sure you are using the right certificates?
    Try running the AS with the following option:
    -Dweblogic.security.SSL.ignoreHostnameVerification=true
    Ali

  • ACE 4700 configuring SSL termination weblogic server 10.3.6

    Hello,
    I'm trying to configure an ACE 4700 so that SSL termination is done on the ACE and HTTP reaches the WebLogic server instance.
    I have a working setup of an Apache reverse proxy doing SSL offloading and using a WebLogic module, and that works fine.
    Was reading http://docs.oracle.com/cd/E23943_01/web.1111/e13709/load_balancing.htm#i1045186
    Can anyone point me to a working config example for doing this with the ACE4700 or give me some directions here?
    Kind regards,
    Laurens

    Hi Laurens,
    Here is a basic configuration for SSL termination:
    rserver host test
      ip address 10.198.16.98
      inservice
    rserver host test2
      ip address 10.198.16.93
      inservice
    serverfarm host test
      rserver test 80
        inservice
      rserver test2 80
        inservice
    ssl-proxy service TEST
      key cert
      cert cert
    class-map match-all VIPSSL
      2 match virtual-address 10.198.16.122 tcp eq https
    policy-map type loadbalance first-match test
      class class-default
        serverfarm test
    policy-map multi-match clients
      class VIPSSL
        loadbalance vip inservice
        loadbalance policy test
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 112
        ssl-proxy server TEST
    interface vlan 112
      ip address 10.198.16.91 255.255.255.192
      access-group input Allow_Access
      nat-pool 1 10.198.16.122 10.198.16.122 netmask 255.255.255.192 pat
      service-policy input NSS_MGMT
      service-policy input clients
      no shutdown
    Cesar R
    ANS Team

  • Webdispatcher SSL load balance server mismatch errors

    We are setting up a webdispatcher to access an Enterprise Portal with multiple instances.  Currently it is working, but we are having to override host mismatches.  In the webdispatcher log we see:
    [Thr 4856] Mon Mar 07 11:38:02 2011
    [Thr 4856] MatchTargetName("aaa.mycompany.com", "CN=bbb.mycompany.com, OU=xxx, O=ooo, L=ccc, SP=sss, C=US") FAILS
    [Thr 4856] SSL NI-sock: local=##.21.13.137:50746 peer=##.21.13.131:51001
    [Thr 4856] <<- ERROR: SapSSLSessionStart(sssl_hdl=0000000008565100)==SSSLERR_SERVER_CERT_MISMATCH
    The Portal instances are on
    aaa.mycompany.com
    bbb.mycompany.com
    Currently we have a CA-approved certificate for each server installed in the portal.  The dispatcher on aaa uses the aaa cert, the dispatcher on bbb uses the bbb cert.
    The message server is on aaa, but it will load balance and place you on either instance.
    We have the following related parameters:
    wdisp/ssl_encrypt = 2
    wdisp/ssl_auth = 2
    wdisp/ssl_cred = C:\usr\sap\XXX\W00\sec\XXX.pse
    wdisp/ssl_certhost = aaa.mycompany.com
    wdisp/ssl_ignore_host_mismatch = TRUE
    C:\usr\sap\XXX\W00\sec\XXX.pse has ssl cert of both aaa and bbb servers.
    All seems to be working, as users are load balancing.  They are not getting certificate mismatches in their browser anymore.  We are getting the SSSLERR_SERVER_CERT_MISMATCH errors, but the messages do not seem to cause an issue since we have wdisp/ssl_ignore_host_mismatch set.
    Can we eliminate those mismatch errors instead of masking the problem with wdisp/ssl_ignore_host_mismatch?
    Should each portal instance have its own SSL cert, or is there a way to use one cert such as the aaa.mycompany.com cert on each portal instance?  It seems like that might eliminate the mismatch errors.  However, what happens when you go directly to the bbb.mycompany.com portal instance? There is a certificate error if you specify aaa's certificate and you go to bbb.  I was wondering if wdisp/ssl_auth and wdisp/ssl_certhost are valid in the portal system so that each server uses the aaa server and certificate.  I could not tell if this parameter is valid for Java-only portal systems.
    Thanks for your help.
    Edited by: Fett Patrick on Mar 7, 2011 8:35 PM

    Thank you Martin for your prompt reply.  Can you clarify please, can we use the wdisp/ssl_certhost parameter in the instance profiles of the portal instances?  I wasn't sure if that is only valid for webdispatchers or can also be used in abap/java systems?
    We originally had the aaa server certificate listed for each dispatcher in the portal under SSL provider runtime server identity.  That caused a browser "certificate error" when accessing the bbb server.  So we then installed an SSL certificate for bbb for its dispatcher.  We could then go to either server with no browser "certificate mismatch" error.
    Then when we added the webdispatcher, we started getting the server mismatch errors at the webdispatcher level.  If wdisp/ssl_certhost can be used in the portal profiles, then that would hopefully resolve direct access or via-web-dispatcher access mismatches, i.e. only the aaa SSL certificate would be used and the parameters would be set in both the webdispatcher and portal profiles.
    Thanks, Pat.
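The BEA-090504 message in the WebLogic thread above ("Certificate contained AdminQA but check expected PortalQA") and the MatchTargetName(...) FAILS line in this thread are the same check from the connecting side's point of view. As an added example that is not from either thread, here is that hostname check written out: SAN dNSName entries are consulted first, the CN only when there are none, and a wildcard matches exactly one label. The certificate names are constructed from the values quoted in the two threads; the check passes once the certificate carries the expected name (a SAN listing both aaa and bbb would satisfy both dispatchers), which is the remedy that keeps verification switched on.

```python
"""Hostname verification as a TLS client performs it.

Added example, not code from the threads. Names are matched against the
host the connecting side expects (PortalQA, aaa.mycompany.com); certificate
names below are constructed from the log lines quoted on this page.
"""
from typing import Iterable, List


def parse_subject_cn(subject_dn: str) -> List[str]:
    """Pull CN values out of an RFC 4514-style DN such as
    'CN=bbb.mycompany.com, OU=xxx, O=ooo'. Only the CN can name a host."""
    cns = []
    for part in subject_dn.split(","):
        key, eq, value = part.strip().partition("=")
        if eq and key.strip().upper() == "CN":
            cns.append(value.strip())
    return cns


def _name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; a leading '*.' matches exactly one label and
    must leave at least two labels behind it (no '*.com')."""
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    p_rest, h_labels = p[2:], h.split(".")
    if "." not in p_rest or "*" in p_rest:
        return False
    return len(h_labels) >= 3 and ".".join(h_labels[1:]) == p_rest


def match_hostname(expected: str, san_dns: Iterable[str],
                   subject_dn: str = "") -> bool:
    """True if the certificate is valid for `expected`.

    SAN dNSName entries take precedence; the subject CN is consulted only
    when the certificate has no SAN at all (the legacy fallback the older
    products in these threads rely on).
    """
    candidates = list(san_dns) or parse_subject_cn(subject_dn)
    return any(_name_matches(c, expected) for c in candidates)


def explain(expected: str, san_dns: Iterable[str], subject_dn: str = "") -> str:
    """One-line verdict in the shape of the WebLogic log message."""
    san_dns = list(san_dns)
    if match_hostname(expected, san_dns, subject_dn):
        return f"{expected}: OK"
    names = san_dns or parse_subject_cn(subject_dn)
    return ("hostname verification failed: certificate contained "
            f"{', '.join(names) or '<no names>'} but check expected {expected}")


if __name__ == "__main__":
    # Constructed from the two threads: node manager cert issued to AdminQA,
    # portal cert with CN=bbb.mycompany.com, and a SAN cert covering both hosts.
    print(explain("PortalQA", [], "CN=AdminQA"))
    print(explain("aaa.mycompany.com", [],
                  "CN=bbb.mycompany.com, OU=xxx, O=ooo, L=ccc, SP=sss, C=US"))
    print(explain("aaa.mycompany.com", ["aaa.mycompany.com", "bbb.mycompany.com"]))
```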

  • How to pass client IP address via CSS with SSL offload?

    Hello,
    We use a Cisco CSS 11501S to do the SSL offload of web servers in one-armed mode. So we have to SNAT the client IP in order to guarantee the correct return path via the CSS. In this case the web server can see only the IP address of the VIP used for SNAT. Is there a way to pass the customer's IP to the web server, i.e. insert a customized HTTP header, something like HTTP_REMOTEADDRESS:<IP address of the client>, similar to what is possible with a BIG-IP device for instance?
    Second question: is there a way to get from the CSS access log data similar to what we have in the Apache access.log file, to be used by Webalizer or a similar application to analyze web traffic?

    Scott,
    If you're not doing source NAT, the CSS will spoof the client IP and therefore there is no need to save the client IP in the HTTP header.
    Gilles.
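Gilles' earlier reply on SSL Offload Requests says the offloader forwards the request line and Host header untouched but can add header lines, and the question just above asks for exactly such a line carrying the client IP when source NAT hides it. As an added example that is not from either thread, this shows the request a backend receives after decryption. It assumes the common X-Forwarded-For and X-Forwarded-Proto names (the CSS, BIG-IP and other devices each have their own syntax for the inserted line) and a constructed sample request.

```python
"""What an SSL offloader hands to the backend: request line and Host pass
through unchanged, headers may be appended.

Added example, not code from the threads. Header names are the common
X-Forwarded-* ones (an assumption; each device configures its own line).
"""
from typing import List, Tuple

FORWARDED = ("x-forwarded-for", "x-forwarded-proto")


def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Split an HTTP/1.x request into (request line, header list, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.decode("iso-8859-1").split("\r\n")
    request_line, headers = lines[0], []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # Reject empty names and leading whitespace (obsolete line folding).
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name, value.strip()))
    return request_line, headers, body


def offload(raw: bytes, client_ip: str, client_used_tls: bool) -> bytes:
    """Produce the request the backend sees after the offloader decrypts it.

    The request line and Host header are forwarded as-is: the offloader does
    not change what the client asked for. Because this is the first hop, any
    X-Forwarded-* header the client itself sent is dropped rather than
    appended to, so the backend cannot be fed a forged client address.
    """
    request_line, headers, body = parse_head(raw)
    kept = [(n, v) for n, v in headers if n.lower() not in FORWARDED]
    kept.append(("X-Forwarded-For", client_ip))
    kept.append(("X-Forwarded-Proto", "https" if client_used_tls else "http"))
    head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in kept])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


def header(raw: bytes, name: str) -> str:
    """Value of the first header called `name` (case-insensitive), or ''."""
    for n, v in parse_head(raw)[1]:
        if n.lower() == name.lower():
            return v
    return ""


# Constructed sample: the request from the SSL Offload Requests reply, with a
# client-forged X-Forwarded-For that must not survive the hop.
CLIENT_REQUEST = (
    b"GET /privatedata.html HTTP/1.1\r\n"
    b"Host: secure.example.com\r\n"
    b"X-Forwarded-For: 10.0.0.1\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    # 203.0.113.7 is a constructed client address (TEST-NET-3).
    print(offload(CLIENT_REQUEST, "203.0.113.7", True).decode("iso-8859-1"))
```

The request line the backend logs is still `GET /privatedata.html HTTP/1.1` with the original Host, whether or not the offloader re-encrypts towards the server.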

  • JAX-WS client - WebLogic - SSL with proxy server

    Good night!
    I'm having trouble communicating with web services using certificate authentication (weblogic.wsee.jaxws.sslclient.PersistentSSLInfo) while going through a proxy server (weblogic.wsee.jaxws.proxy.ClientProxyFeature).
    If communication with the web service is done directly (no proxy server) everything happens perfectly, but when I set the proxy server I get the exception "BAD_CERTIFICATE". It is as if the certificate was not attached to the request.
    The web service client was generated by JDeveloper.
    Has anyone experienced this problem?
    Sorry for my bad English.
    Exception
    javax.xml.ws.WebServiceException: javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
         at com.sun.xml.ws.transport.http.client.HttpClientTransport.readResponseCodeAndMessage(HttpClientTransport.java:218)
         at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:204)
         at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:124)
         at com.sun.xml.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:121)
         at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:866)
         at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:815)
         at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:778)
         at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:680)
         at com.sun.xml.ws.client.Stub.process(Stub.java:272)
         at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:153)
         at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:115)
         at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:95)
         at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:136)
         at $Proxy30.cleCadastroLote(Unknown Source)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at weblogic.wsee.jaxws.spi.ClientInstanceInvocationHandler.invoke(ClientInstanceInvocationHandler.java:84)
         at $Proxy31.cleCadastroLote(Unknown Source)
         at br.com.tbl.ws.CleCadastroPortClient.main(CleCadastroPortClient.java:51)
    Webservice client with proxy server (error)
    import weblogic.wsee.jaxws.sslclient.PersistentSSLInfo;
    import javax.xml.ws.BindingProvider;
    import weblogic.wsee.jaxws.JAXWSProperties;
    import weblogic.wsee.jaxws.proxy.ClientProxyFeature;
    import weblogic.wsee.jaxws.sslclient.SSLClientUtil;
    public class CleCadastroPortClient {
        public static void main(String[] args) {
            try {
                // Port proxy generated by JDeveloper from the service WSDL
                CleCadastro_Service cleCadastro_Service = new CleCadastro_Service();
                CleCadastro cleCadastro = cleCadastro_Service.getCleCadastroPort();
                // Client certificate (key store) and trusted CAs (trust store)
                String clientKeyStore = "C:\\certificados.jks";
                String clientKeyStorePasswd = "xxxxx";
                String clientKeyAlias = "xxxxx";
                String clientKeyPass = "xxxxx";
                String trustKeystore = "C:\\keystore_completo.jks";
                String trustKeystorePasswd = "xxxxx";
                PersistentSSLInfo sslInfo = new PersistentSSLInfo();
                sslInfo.setKeystore(clientKeyStore);
                sslInfo.setKeystorePassword(clientKeyStorePasswd);
                sslInfo.setKeyAlias(clientKeyAlias);
                sslInfo.setKeyPassword(clientKeyPass);
                sslInfo.setTrustKeystore(trustKeystore);
                sslInfo.setTrustKeystorePassword(trustKeystorePasswd);
                // Outbound HTTP proxy; this is the only difference from the working client below
                ClientProxyFeature clientProxy = new ClientProxyFeature();
                clientProxy.setProxyHost("proxy.com");
                clientProxy.setProxyPort(Integer.parseInt("3128"));
                clientProxy.setProxyUserName("user");
                clientProxy.setProxyPassword("pass");
                clientProxy.attachsPort(cleCadastro);
                ((BindingProvider) cleCadastro).getRequestContext().put(JAXWSProperties.CLIENT_PERSISTENT_SSL_INFO, sslInfo);
                ((BindingProvider) cleCadastro).getRequestContext().put(JAXWSProperties.SSL_SOCKET_FACTORY, SSLClientUtil.getSSLSocketFactory(sslInfo));
                ((BindingProvider) cleCadastro).getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, "https:/xxxx/ws");
                String retorno = cleCadastro.cleCadastroLote("xml", "xml");
            } catch (Exception ex) {
                ex.printStackTrace();
            }
        }
    }
    Webservice client without proxy server (OK)
    import weblogic.wsee.jaxws.sslclient.PersistentSSLInfo;
    import javax.xml.ws.BindingProvider;
    import weblogic.wsee.jaxws.JAXWSProperties;
    import weblogic.wsee.jaxws.proxy.ClientProxyFeature;
    import weblogic.wsee.jaxws.sslclient.SSLClientUtil;

    public class CleCadastroPortClient {
        public static void main(String[] args) {
            try {
                // CleCadastro_Service and CleCadastro are the JAX-WS classes generated from the service WSDL
                CleCadastro_Service cleCadastro_Service = new CleCadastro_Service();
                CleCadastro cleCadastro = cleCadastro_Service.getCleCadastroPort();

                // Client identity (key store) and the CAs the client trusts (trust store)
                String clientKeyStore = "C:\\certificados.jks";
                String clientKeyStorePasswd = "xxxxx";
                String clientKeyAlias = "xxxxx";
                String clientKeyPass = "xxxxx";
                String trustKeystore = "C:\\keystore_completo.jks";
                String trustKeystorePasswd = "xxxxx";
                PersistentSSLInfo sslInfo = new PersistentSSLInfo();
                sslInfo.setKeystore(clientKeyStore);
                sslInfo.setKeystorePassword(clientKeyStorePasswd);
                sslInfo.setKeyAlias(clientKeyAlias);
                sslInfo.setKeyPassword(clientKeyPass);
                sslInfo.setTrustKeystore(trustKeystore);
                sslInfo.setTrustKeystorePassword(trustKeystorePasswd);

                // No proxy: SSL settings and the endpoint address go straight into the request context
                ((BindingProvider) cleCadastro).getRequestContext().put(JAXWSProperties.CLIENT_PERSISTENT_SSL_INFO, sslInfo);
                ((BindingProvider) cleCadastro).getRequestContext().put(JAXWSProperties.SSL_SOCKET_FACTORY, SSLClientUtil.getSSLSocketFactory(sslInfo));
                ((BindingProvider) cleCadastro).getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, "https:/xxxx/ws");

                String retorno = cleCadastro.cleCadastroLote("xml", "xml");
            } catch (Exception ex) {
                ex.printStackTrace();
            }
        }
    }

    Hi,
    I tried the option "-DUseSunHttpHandler=true" and enabled "JSSE SSL", but it did not work; it now shows the exception "General SSLEngine problem".
    <05/09/2012 15h36min55s GMT-03:00> <Notice> <StdErr> <BEA-000000> <javax.xml.ws.WebServiceException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem>
    <05/09/2012 15h36min55s GMT-03:00> <Notice> <StdErr> <BEA-000000> <at com.sun.xml.ws.transport.http.client.HttpClientTransport.readResponseCodeAndMessage(HttpClientTransport.java:218)>
    <05/09/2012 15h36min55s GMT-03:00> <Notice> <StdErr> <BEA-000000> <at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:204)>
    <05/09/2012 15h36min55s GMT-03:00> <Notice> <StdErr> <BEA-000000> <at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:124)>
    <05/09/2012 15h36min55s GMT-03:00> <Notice> <StdErr> <BEA-000000> <at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:866)>
    <05/09/2012 15h36min55s GMT-03:00> <Notice> <StdErr> <BEA-000000> <at com.sun.xml.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:121)>
    <05/09/2012 15h36min55s GMT-03:00> <Notice> <StdErr> <BEA-000000> <at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:815)>
    <05/09/2012 15h36min55s GMT-03:00> <Notice> <StdErr> <BEA-000000> <at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:778)>
    <05/09/2012 15h36min55s GMT-03:00> <Notice> <StdErr> <BEA-000000> <at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:680)>
    <05/09/2012 15h36min55s GMT-03:00> <Notice> <StdErr> <BEA-000000> <at $Proxy308.cleCadastroLote(Unknown Source)>
    <05/09/2012 15h36min55s GMT-03:00> <Notice> <StdErr> <BEA-000000> <at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)>
    <05/09/2012 15h36min55s GMT-03:00> <Notice> <StdErr> <BEA-000000> <at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:136)>
    <05/09/2012 15h36min55s GMT-03:00> <Notice> <StdErr> <BEA-000000> <at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:95)>
    <05/09/2012 15h36min55s GMT-03:00> <Notice> <StdErr> <BEA-000000> <at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:115)>
    <05/09/2012 15h36min55s GMT-03:00> <Notice> <StdErr> <BEA-000000> <at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:153)>
    <05/09/2012 15h36min55s GMT-03:00> <Notice> <StdErr> <BEA-000000> <at com.sun.xml.ws.client.Stub.process(Stub.java:272)>
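    When a handshake that works directly fails as soon as a proxy is in the path, the first thing to establish is what the client actually negotiated through the proxy: which certificate chain it was shown, by whom it was issued, and whether that chain is the one the trust store expects. The following is an added example, not the poster's code and not the WebLogic API; it does the same job with Python's standard library (a strict SSLContext with optional client certificate for mutual TLS, an HTTP CONNECT tunnel through the proxy, and a summary of the peer certificate). The hosts proxy.example and ws.example.invalid, the issuer name "Example Corporate CA" and the sample certificate dictionary are constructed placeholders.

```python
import http.client
import ssl
import time
from typing import Optional

# Constructed sample in the shape SSLSocket.getpeercert() returns; not a real
# certificate and not taken from the poster's environment.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "ws.example.invalid"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Corporate CA"),)),
    "notBefore": "Jan  1 00:00:00 2012 GMT",
    "notAfter": "Dec 31 23:59:59 2013 GMT",
}


def build_client_context(cafile: Optional[str] = None, certfile: Optional[str] = None,
                         keyfile: Optional[str] = None, key_password: Optional[str] = None) -> ssl.SSLContext:
    """Strict client-side context: chain verified against cafile (or the platform
    trust store when None), hostname checked, TLS 1.2 or newer, and a client
    certificate presented when one is supplied (the mutual-TLS case in the post)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile, keyfile, key_password)
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Plain-data view of the verification policy, so a test can assert it was not weakened."""
    return {"verify_mode": ctx.verify_mode.name,
            "check_hostname": ctx.check_hostname,
            "minimum_version": ctx.minimum_version.name}


def cn_of(name) -> str:
    """commonName from a getpeercert() name: a tuple of RDNs, each a tuple of (type, value) pairs."""
    for rdn in name:
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return ""


def summarize_peer(cert: dict, expected_issuer_cn: str, now_epoch: Optional[float] = None) -> dict:
    """Who issued the certificate the client actually received, and is it still valid?
    An unexpected issuer behind a CONNECT tunnel is the usual sign that the proxy
    terminates TLS itself instead of passing it through to the service."""
    now_epoch = time.time() if now_epoch is None else now_epoch
    issuer = cn_of(cert.get("issuer", ()))
    return {"subject": cn_of(cert.get("subject", ())),
            "issuer": issuer,
            "issuer_as_expected": issuer == expected_issuer_cn,
            "expired": ssl.cert_time_to_seconds(cert["notAfter"]) < now_epoch}


def probe_through_proxy(proxy_host: str, proxy_port: int, target_host: str,
                        target_port: int, ctx: ssl.SSLContext, expected_issuer_cn: str) -> dict:
    """Open a CONNECT tunnel via the proxy, handshake end-to-end with the target and
    report what was negotiated. Verification failures are reported, never bypassed."""
    conn = http.client.HTTPSConnection(proxy_host, proxy_port, context=ctx, timeout=30)
    conn.set_tunnel(target_host, target_port)  # SNI and hostname check use target_host, not the proxy
    try:
        conn.connect()  # CONNECT to the proxy, then the TLS handshake with the target
        sock = conn.sock
        details = {"tls_version": sock.version(),
                   "cipher": sock.cipher()[0],
                   "peer": summarize_peer(sock.getpeercert(), expected_issuer_cn)}
        conn.request("HEAD", "/")
        details["status"] = conn.getresponse().status
        return details
    except ssl.SSLCertVerificationError as exc:
        return {"status": None, "error": f"chain rejected by the trust store: {exc.verify_message}"}
    finally:
        conn.close()


if __name__ == "__main__":
    # Offline demonstration on the constructed certificate; the commented call shows
    # how the probe is run against real (placeholder) proxy and target hosts.
    print(describe_context(build_client_context()))
    print(summarize_peer(SAMPLE_PEER_CERT, "Example Corporate CA", now_epoch=1_346_859_415))
    # print(probe_through_proxy("proxy.example", 3128, "ws.example.invalid", 443,
    #                           build_client_context(cafile="truststore.pem"), "Example Corporate CA"))
```

    The point of reporting the issuer rather than relaxing verification is that the two likely causes of the error in this reply look different here: a trust store that simply lacks the service's CA produces a verification error with the same chain the direct connection sees, while a proxy that terminates TLS produces a chain issued by the proxy's own CA.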

  • Unable to read SEARCH response from backend server

    Currently we have a problem when searching huge numbers of users against the new SunOne Directory Server v6.3
    in production and acceptance.
    [17:12:43] root@ecdiala03-2[!]# /opt/app/sun/ds6/bin/dsadm -V
    [dsadm]
    dsadm : 6.3 B2008.0311.0058 NAT
    [slapd 64-bit]
    Sun Microsystems, Inc.
    Sun-Java(tm)-System-Directory/6.3 B2008.0311.0058 64-bit
    ns-slapd : 6.3 B2008.0311.0058 NAT
    Slapd Library : 6.3 B2008.0311.0058
    Front-End Library : 6.3_MTR_5087249_1_20081209 B2008.1210.1821
    ==============================================================
    It's not working when searching huge numbers of users against DPS. However, it's working when searching huge numbers of users against DS.
    Below is the error from access log of DPS when the problem occurred.
    ==================================
    31/Mar/2009:14:08:17 +0200] - CONNECT - INFO - conn=4565433 client=153.88.247.15:2719 server=ecdiala03-1:389 protocol=LDAP
    [31/Mar/2009:14:08:17 +0200] - PROFILE - INFO - conn=4565433 assigned to connection handler cn=default connection handler, cn=connection handlers, cn=config
    [31/Mar/2009:14:08:17 +0200] - OPERATION - INFO - conn=4565433 op=0 BIND dn="uid=itimadm1,ou=system accounts,o=ericsson" method="SIMPLE" version=3
    [31/Mar/2009:14:08:17 +0200] - SERVER_OP - INFO - conn=4565433 op=0 BIND dn="uid=ITIMADM1,ou=system accounts,o=Ericsson" method="SIMPLE"" version=3 s_msgid=17 s_conn=ecditna03-2:72725
    [31/Mar/2009:14:08:17 +0200] - SERVER_OP - INFO - conn=4565433 op=0 BIND RESPONSE err=0 msg="" s_conn=ecditna03-2:72725
    [31/Mar/2009:14:08:17 +0200] - PROFILE - INFO - conn=4565433 assigned to connection handler cn=BindDone,cn=connection handlers,cn=config
    [31/Mar/2009:14:08:17 +0200] - OPERATION - INFO - conn=4565433 op=0 BIND RESPONSE err=0 msg="" etime=0
    [31/Mar/2009:14:08:17 +0200] - OPERATION - INFO - conn=4565433 op=1 msgid=2 SEARCH base="ou=External,o=Ericsson" scope=2 filter="(objectclass=inetorgperson)" attrs="*"
    [31/Mar/2009:14:08:17 +0200] - SERVER_OP - INFO - conn=4565433 op=1 SEARCH base="ou=external,o=ericsson" scope=2 filter="(objectclass=inetorgperson)" attrs="*" s_msgid=18 s_conn=ecditna03-2:72725
    [31/Mar/2009:14:12:25 +0200] - OPERATION - INFO - conn=4565433 op=1 SEARCH RESPONSE err=1 msg="Unable to read SEARCH response from backend server : Timeout when waiting to read from input stream" nentries=33959 etime=248309
    [31/Mar/2009:14:17:25 +0200] - DISCONNECT - INFO - conn=4565433 reason="other" msg="Exception caught while polling client connection LDAP.153.88.247.15.2719 -- java.io.IOException: Connection reset by peer"
    ================================
    > > [15:12:29] root@ecdiala03-1[!]# ./dpadm -V
    > > [dpadm]
    > > dpadm : 6.3_PD_COMBO_CUMULATIVE_VIRTUAL_15112008_ED2.0+6774589+6780423+6778308+6782659_2 B2008.1212.0459 NAT
    > > [DPS]
    > > Sun Microsystems, Inc.
    > > Sun-Java(tm)-System-Directory-Proxy-Server/6.3_PD_COMBO_CUMULATIVE_VIRTUAL_15112008_ED2.0+6774589+6780423+6778308+6782659_2 B2008.1212.0436
    > > =================

    We have changed the value of data-source-read-timeout in DPS from 20s to 30m. As per the application test, the "time out" error has gone, but we now get the following new error.
    ==========================
    [27/Apr/2009:05:28:36 +0200] - SERVER_OP - INFO - conn=209469 op=8 SEARCH base="ou=internal,o=ericsson" scope=2 filter="(objectclass=ericssonInternal)" attrs="EriCA-AttesterNL EriCA-EmploymentForm EriCA-KeyRecoveryNL-Auth EriCA-NL-Auth EriCA-NLOTP-Admin EriCA-NLOTP-User EriCA-accountExpires c cn departmentNumber description displayName eriCompanySynch eriCountry eriCountryCode eriEmployeeStatus eriExpired eriIsManager eriMasterDomain eriOpOrgUnitAbbreviation eriOpOrgUnitIdentifier eriOpOrgUnitName eriOperationalManager eriPartner eriPartnerTrigram eriPwSynchDate eriSignType eriSignum eriSignumStatus facsimileTelephoneNumber givenName isMemberOf l mail memberOf mobile objectClass ou sametimebrowseldap sametimehomeserver sametimeuser smChallResp smDisabled smXauthRADIUSServer sn telephoneNumber title uid uidNumber " s_msgid=27 s_conn=ecditna03-2:8645
    [27/Apr/2009:06:06:23 +0200] - SERVER_OP - INFO - conn=209469 op=8 SEARCH RESPONSE err=0 msg="" nentries=236367 s_conn=ecditna03-2:8645
    [27/Apr/2009:06:06:23 +0200] - OPERATION - INFO - conn=209469 op=8 SEARCH RESPONSE err=0 msg="" nentries=236367 etime=2266483
    [27/Apr/2009:06:11:27 +0200] - DISCONNECT - INFO - conn=209469 reason="other" msg="Exception caught while polling client connection LDAP.153.88.247.15.4862 -- java.io.IOException: Connection reset by peer"
    ================
    Each time the application client (153.88.247.15) connects to DPS to read, it exits with a "connection reset" error.
    Could you please kindly give us some suggestions on whether this error is related to the DPS?
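    To put numbers on what the access log shows, here is an added example (not from the post and not a Sun DPS tool) that parses DPS access-log lines in the format quoted above, flags backend errors and slow client-facing responses, and measures how long after the last response each "Connection reset by peer" disconnect arrived. The sample lines are constructed, modelled on the lines quoted in this thread (the long attribute list abridged); the 60 s threshold is an assumption.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample modelled on the DPS access-log lines quoted in the post above;
# the attribute list of the second search is abridged.
SAMPLE_LOG = """\
[31/Mar/2009:14:08:17 +0200] - CONNECT - INFO - conn=4565433 client=153.88.247.15:2719 server=ecdiala03-1:389 protocol=LDAP
[31/Mar/2009:14:08:17 +0200] - OPERATION - INFO - conn=4565433 op=1 msgid=2 SEARCH base="ou=External,o=Ericsson" scope=2 filter="(objectclass=inetorgperson)" attrs="*"
[31/Mar/2009:14:12:25 +0200] - OPERATION - INFO - conn=4565433 op=1 SEARCH RESPONSE err=1 msg="Unable to read SEARCH response from backend server : Timeout when waiting to read from input stream" nentries=33959 etime=248309
[31/Mar/2009:14:17:25 +0200] - DISCONNECT - INFO - conn=4565433 reason="other" msg="Exception caught while polling client connection LDAP.153.88.247.15.2719 -- java.io.IOException: Connection reset by peer"
[27/Apr/2009:05:28:36 +0200] - SERVER_OP - INFO - conn=209469 op=8 SEARCH base="ou=internal,o=ericsson" scope=2 filter="(objectclass=ericssonInternal)" attrs="cn mail uid" s_msgid=27 s_conn=ecditna03-2:8645
[27/Apr/2009:06:06:23 +0200] - OPERATION - INFO - conn=209469 op=8 SEARCH RESPONSE err=0 msg="" nentries=236367 etime=2266483
[27/Apr/2009:06:11:27 +0200] - DISCONNECT - INFO - conn=209469 reason="other" msg="Exception caught while polling client connection LDAP.153.88.247.15.4862 -- java.io.IOException: Connection reset by peer"
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] - (?P<category>[A-Z_]+) - (?P<level>[A-Z]+) - (?P<body>.*)$')
# key=value pairs; quoted values may contain spaces and '=' (filters, DNs, messages)
KV_RE = re.compile(r'(?P<key>[A-Za-z_][\w-]*)=(?P<val>"(?:[^"\\]|\\.)*"|\S+)')
# operation keyword after op=N (optionally msgid=N), e.g. "SEARCH" or "SEARCH RESPONSE"
OPTYPE_RE = re.compile(r'\bop=\d+ (?:msgid=\d+ )?(?P<optype>[A-Z]+(?: RESPONSE)?)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SLOW_MS = 60_000  # assumed threshold: a client-facing response slower than this is worth a look


@dataclass
class Event:
    ts: datetime
    category: str
    optype: Optional[str]
    fields: dict


@dataclass
class Finding:
    conn: str
    kind: str    # backend_error | slow_response | client_reset
    detail: str


def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    fields = {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(body)}
    om = OPTYPE_RE.search(body)
    return Event(datetime.strptime(m.group("ts"), TS_FMT), m.group("category"),
                 om.group("optype") if om else None, fields)


def analyze(log_text: str, slow_ms: int = SLOW_MS) -> List[Finding]:
    """Walk the log in order; OPERATION ... RESPONSE lines are what the client saw,
    SERVER_OP lines are the proxy's own traffic to the backend and are left alone."""
    findings: List[Finding] = []
    last_response = {}  # conn -> timestamp of the last client-facing response
    for e in filter(None, map(parse_line, log_text.splitlines())):
        conn = e.fields.get("conn", "?")
        if e.category == "OPERATION" and e.optype and e.optype.endswith("RESPONSE"):
            etime = int(e.fields.get("etime", "0"))
            err = e.fields.get("err", "0")
            nentries = e.fields.get("nentries", "?")
            if err != "0":
                findings.append(Finding(conn, "backend_error",
                    f"{e.optype} err={err} etime={etime}ms nentries={nentries}: {e.fields.get('msg', '')}"))
            elif etime > slow_ms:
                findings.append(Finding(conn, "slow_response",
                    f"{e.optype} took {etime / 1000:.0f}s for {nentries} entries"))
            last_response[conn] = e.ts
        elif e.category == "DISCONNECT" and "Connection reset by peer" in e.fields.get("msg", ""):
            if conn in last_response:
                gap = (e.ts - last_response[conn]).total_seconds()
                findings.append(Finding(conn, "client_reset", f"client reset {gap:.0f}s after the last response"))
            else:
                findings.append(Finding(conn, "client_reset", "client reset with no prior response"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"conn={f.conn} {f.kind}: {f.detail}")
```

    Run over the sample, the parser separates the two cases in the thread: the first search ends in a backend read timeout (err=1 after 248 s, 33959 entries delivered), while after the timeout was raised the second search completes with err=0 but only after roughly 38 minutes for 236367 entries; in both cases the reset from the client follows the last response by about five minutes rather than arriving during the search, which is the figure to compare against the client's own idle or read timeout.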
