SSL Session cache persistence

Similar Messages

• Http.keepAlive does not turn off SSL session cache?

  Hi there,
  I have a web service client that uses JSSE for making web service calls via https. In an effort to debug problems, I set http.keepAlive to false, I can see from the SSL debug output that KeepAlive timer messages no longer shows up, but I still see text such as "Cached client session" and "try to reuse cached session", etc.
  Should not turning off keepAlive disable the use of persistent sessions?
  Thanks.
  Yan

  They are unrelated features.
  HTTP Keep Alive allows the browser to maintain a Socket to the server and issue multiple HTTP requests over that same socket.
  SSL Session caching is when an SSL Session is assigned an ID, and additional SSL connects may be established with the same ID. These additional sockets then do not need to perform the full SSL handshake, since much of the data has already been negotiated previously.

• SSL session cache memory consumption

  Hello,
  I am implementing a high availability application that uses SSL session caching. How much memory does it consume? I mean, is setting session cache size to unlimited a 'safe' option?
  Thanks.

  Not for a server, limit it to something. It's in the server's interest to keep sessions few and short-lived, but conversely it's in the client's interest to keep sessions many and long-lived.
  A 'session' object contains the master secret and the current session key, and references to the peer certificate chain.

• SSL Session resume

  WLS 6.1 (Solaris 8)
  Apache 1.3
  We are using an EJB to create an HTTPSConnection (SSL connection) to a
  third party to retrieve data displayed in a JSP. We are using the
  Weblogic SSL implementation.
  I turned on the "-DSSL.debug" info and it looks like a new SSL session
  is being created for each request to our third part (it goes through
  the whole handshake every time).
  Is there any way to have the SSL session resumed using the Weblogic
  SSL implementation? During development, I was able to get the JSSE
  implementation to resume session by keeping the same URL object
  around...so I figured Weblogic would work the same way.
  If anyone knows how the Weblogic SSL session manager works, I'd love
  to hear about it. I read that SSL sessions were supposed to be fixed
  back in 5.1SP10, but that sounded like it was for Weblogic clients so
  maybe Weblogic "as the client" is different?
  Thanks,
  Chris

  Hi, Chris --
  The fixes to SSL session caching appear in WLS 6.1 SP11 and WLS 6.1 SP3.
  A WebLogic SSL client would normally retain its current session ID;
  however, this SSL session state information is associated only with the
  "current thread" - which might explain in part why new SSL sessions
  are being negotiated on subsequent calls to the EJB.
  -- Jim
  P.S. You may want to consider opening a case with WebLogic Support to
  explore this question further.
  Chris Snyder wrote:
  >
  WLS 6.1 (Solaris 8)
  Apache 1.3
  We are using an EJB to create an HTTPSConnection (SSL connection) to a
  third party to retrieve data displayed in a JSP. We are using the
  Weblogic SSL implementation.
  I turned on the "-DSSL.debug" info and it looks like a new SSL session
  is being created for each request to our third part (it goes through
  the whole handshake every time).
  Is there any way to have the SSL session resumed using the Weblogic
  SSL implementation? During development, I was able to get the JSSE
  implementation to resume session by keeping the same URL object
  around...so I figured Weblogic would work the same way.
  If anyone knows how the Weblogic SSL session manager works, I'd love
  to hear about it. I read that SSL sessions were supposed to be fixed
  back in 5.1SP10, but that sounded like it was for Weblogic clients so
  maybe Weblogic "as the client" is different?
  Thanks,
  Chris--
  Jim Brown
  Developer Relations Engineer
  BEA Support

• HTTPS persistence SSL session, ACN 4.2.1

  Customer is experiencing a problem resulting in the ACN software resolving the host.domain.com twice. Webapplication https://host.domain.com/webapp/index.jsp. The customer uses a ACN to proxy the https request. The host.domain gets resolve to 1 of 4 available application servers (webserver). At the application login page (index.jsp) the user is successfully authenticated by the application's Login servlet on webserver 1. The user is then redirected to the select application, local to the webserver 1. It appears that when the ACN receives the response from webserver 1 with the fully qualitfying URL. The redirection cause the ACN to resolve the host.domain against DNS and as a result, the user's browser is redirected to a different webserver. The users previous session is no longer valid, breaking the client/webserver trusted relationship
  If the above user uses 1 of the 4 available IP address on the DNS entry, the users successfully maintains the SSL session. The customer is migrating to a Cisco Content Engine 560 running version 4.2.1 ACN software.
  I understand there are ACN features that could effect the HTTP session persistence/SSL trust. The services/features include boomerang, Reverse Proxy, content balancing. I request information on the service or feature of the ACN that could cause the problem I speak of from above.
  I understand there are different methods of implementing session persistence, like sticky session and SSL sticky, but believe the ACN does provide this feature.

  The customer is experiencing network issues when attempting to access our application. The customer is experiencing has been seen with a previous customers that had a similar network devices.
  The customer uses a Cisco Content Engine CE-560 with Application and Content Networking Software (ACNS) version 4.2.1. The problem seems to a result of the ACNS resolving the hostname.domain.com twice. The webserver's DNS (hostname.domain.com) entry resolves to one of four available webservers (DNS round robining).
  nslookup hostname.domain.com
  webserver1 webserver2 webserver3 webserver4
  nslookup hostname.domain.com
  webserver2 webserver3 webserver4 webserver1
  and so on.
  All client/webserver communication is through SSL. When the customer uses the FQDN URL (https://hostname.domain.com/webapp/index.jsp) to access the application login page, the server portion of the URL is resolved to webserver1. At this time, the customer has an established HTTPS session with webserver1. Once a login servlet running on webserver1, receives the customer supplied login credentials, the servlet sends a server response 302 redirecting the customer to the selected application.
  This redirection response seems to cause the ACNS to resolve the hostname.domain.com and as a result, the customer's browser is redirected to a different webserver, webserver2. The users previous session is no longer valid, causing the application to generate a false inactivity timeout.
  If the customer sends a HTTPS request using anyone of the four IP address from DNS, the session is maintained and the customer does not receive the false inactivity timeout, because the session is not "broken".
  The customer is migrating off of a Netscape (iPlanet) Web Proxy solution and does not experience the problem accessing the application, using the FQDN URL.
  DNS caching is enabled on the customer CE.

• CSS11503/ACE 4710 - SSL session id cache

  I have a couple of questions.
  1. I'd like to know what happens when the SSL session id cache (def 10k) gets filled on a CSS11503. Do new connections get dropped or do they still work but are they less efficient?
  2. What is the cache size on an ACE4710?

  The problem was caused by an incorrect nat pool.   Correct Mask was 255.255.255.0.

• Cache SSL Session ID

  Is the caching of SSL Session IDs implemented in JSSE? Is the option enabled by default? Thanks.

  Yes.
  See SSLContext.getServerSessionContext() and getClientSessionContext()

• Possible session caching issue in SSRS2014

  Using custom FormsAuth, User A can sign into our own main asp.net mvc app (WIF cookie), then SSRS (FormsAuth cookie) and all is well.  Here is where things go bad.  User A signs out of our main application (WIF cookie deleted) then back in into
  our main application as User B then back into SSRS.  SSRS report that displays User!UserID show UserA instead of current User B.  Its like there is either a session or cookie caching issue going on but not for sure.  
  1. What is the proper way to sign out of SSRS and prevent session caching?
  2. Do I need to worry about making my SSRS logon page non-cacheable?  If so, what is the recommended way of doing this?
  thanks
  scott

  Hi scott_m,
  According to your description, you used custom FormsAuthentication in Reporting Services, after user A sign out the application an sign in as user B, SSRS built-in user is shows user A instead of user B.
  Based on my search, once we configured SSRS to use Custom (Forms) authentication by deploying a custom security extension, we can logon to MS Report Manager (MSRM) using credentials of our custom security framework via a logon web page. But there is no way
  to logout or to expire the authentication cookie, so we need to close the browser manually. As a workaround, we can add a logout button to the Report Manager which is using Forms Authentication, then use code to clear the cookie and redirect to home page.
  In addition, if you extend Reporting Services to use Forms Authentication, it’s better to use Secure Sockets Layer (SSL) for all communications with the report server to prevent malicious users from gaining access to another user's cookie. SSL enables clients
  and a report server to authenticate each other and to ensure that no other computers can read the contents of communications between the two computers. All data sent from a client through an SSL connection is encrypted so that malicious users cannot intercept
  passwords or data sent to a report server.
  Here is a relevant thread you can reference:
  https://social.msdn.microsoft.com/Forums/sqlserver/en-US/5e33949d-7757-45d1-9c43-6dc3911c3ced/how-do-you-logout-of-report-manager
  For more information about Forms Authentication, please refer to the following document:
  https://technet.microsoft.com/en-us/library/aa902691%28v=sql.80%29.aspx?f=255&MSPPError=-2147217396
  If you have any more questions, please feel free to ask.
  Thanks,
  Wendy Fu
  If you have any feedback on our support, please click
  here.
  Wendy Fu
  TechNet Community Support

• ACE 3.0(0) SW / LB with SSL Session-ID

  Hello!
  I want to use "SSL Session-ID" sticky method in load-balancing, but can't find any info about it in 3.0(0)A1(2) sw configuration guides. Where i can find info about it? Or this method is supported only in old A2(1.0) release?
  Thanks.

  SSL Session ID Sticky to ensure Client Persistence
  1. Demonstrate the ability to provide stickiness using SSL
  Session ID. To do this you will need to the Generic Protocol Parsing
  framework on ACE. With the right regular expression you will be successful!!
  2. Before you begin to configure the SSL Sticky group, be sure that
  you have allocated resources to the sticky group. Note this done in the
  Admin context.
  resource-class cart
  limit-resource all minimum 0.00 maximum unlimited
  limit-resource sticky minimum 1.00 maximum equal-to-min
  context Lab-Cart-11
  allocate-interface vlan 211
  allocate-interface vlan 411
  member cart
  3. Create an SSL-v3 sticky group and associate the serverfarm. Good
  idea to configure a sticky timeout value. This specifies the period of time
  that the ACE keeps the sticky information in the sticky table. Note the ACE
  resets the timer each time ACE opens connections matching that entry. Also
  configure the Layer 4 sticky parameters for 32 bytes session ID.
  sticky layer4-payload ssl-v3
  timeout 600
  serverfarm HTTPS-FARM
  response sticky
  layer4-payload offset 43 length 32 begin-pattern "\x20"
  When a new session is established between client and server, the server
  generates a session id. The session id is an arbitrary sequence of bytes.
  The length of the session id is 16 bytes for SSLv2 sessions and between 1
  and 32 bytes for SSLv3/TLSv1. The session id is not security critical but
  must be unique for the server. Additionally, the session id is transmitted
  in the clear when reusing the session so it must not contain sensitive
  information.
  4. Create a class-map to match the layer 4 payload.
  class-map type generic match-any SSL-v3-32
  2 match layer4-payload regex "\x16\x03\x00..\x01.*"
  3 match layer4-payload regex "\x16\x03\x01..\x01.*"
  5. Create a new generic load balance policy map and assoiciate the
  sticky-serverfarm understand the class.
  policy-map type loadbalance generic first-match SSL-v3-Sticky
  class SSL-v3-32
  sticky-serverfarm ssl-v3
  6. Change to the client-vips policy map to represent the new
  SSL-v3-Sticky policy you just created
  policy-map multi-match client-vips
  class VIP-HTTPS
  loadbalance vip inservice
  loadbalance policy SSL-v3-Sticky
  loadbalance vip icmp-reply active
  7. Verify the VIP is accessible by trying to hit the VIP.
  8. View the connection using the show cons command.
  Pod1-ACE/Lab-Cart-11# show conn
  total current connections : 1
  conn-id np dir proto vlan source destination
  state
  ----------+--+---+-----+----+---------------------+---------------------+---
  ---+
  10 1 in TCP 211 209.165.201.11:1115 172.16.11.190:443
  ESTAB
  9. Interesting I can see that the first connection has been setup. Why
  is ACE not load balancing the connection to the server?
  10. Great I need to configure a L7 parameter map with a max parse-length
  parameter-map type generic SSL-v3
  set max-parse-length 70
  11. Associate the parameter map to the client-vips policy map
  policy-map multi-match client-vips
  class VIP-HTTPS
  loadbalance vip inservice
  loadbalance policy SSL-v3-Sticky
  loadbalance vip icmp-reply active
  appl-parameter generic advanced-options SSL-v3
  12. Verify the VIP is now accessible by trying to hit the VIP.

• How can I monitor the Session Cache when using HTTP Session-Replication?

  I want to see the session cache content

  To see the list of session IDs in the cache you can iterate over the keys of the cache returned from the following code:
  NamedCache cacheCatalog = CacheFactory.getReplicatedCacheService("$FilterService$").ensureCache("CoherenceSession.CATALOG", getClass().getClassLoader());Then to see the contents of a session you can take a look a the cache returned from the following code:
  String sId = // keys from cacheCatalog
  NamedCache cacheDetails = cacheCatalog.getCacheService().ensureCache(sId, getClass().getClassLoader());Hope this helps.
  We have received your request for a development license and we hould have ti out to you today.
  Later,
  Rob Misek
  Tangosol, Inc.
  Coherence: Cluster your Work. Work your Cluster.

• How to add a new object to Toplink session cache?

  Toplink Experts,
  I have a question on Toplink 9.0.4.5 (I know this is older version of Toplink but this is what we are using right now). Let me give you little context before I ask the question.
  Toplink server session brokers client sessions (that are spawned by it) and gets changes made in client sessions into server session through transaction commits. Process involved in getting some thing into database using Toplink is: 1) Get client session 2) Register object to be written into database with Toplink's UnitOfWork (UOW). This registration creates two copies of the object registered (original object). Working clone for client application for modifications, backup clone for Toplink to compare the changes made to the working clone later 4) Make changes to the working clone 5) Complete the transaction (and so commit UOW). If transaction commits successfully, Toplink writes the changes from the working clone into database first and applies the same changes made to the working clone to the original object in Toplink server session cache next. Oracle recommends using UOW to write some thing into database. Using UOW involves a transaction and it writes changes into database first before the original object in Toplink server session cache is refreshed.
  Now comes my question: Is there a way to add a brand new object (persistent object) into Toplink server session cache with out writing it first into database? I am OK if I need to use UOW and also to use transaction to make the change but I just want to be able to refresh the original object in the server session cache with out writing any thing into database. If there is a way to do this? What are the disadvantages in doing this way though? I have read Oracle's Toplink developer guide (10.1.3) and Javadocs from Oracle on UnitOfWork/Session etc all related interfaces and classes but I could not find a way. Please help!
  Syam

  There are a couple things wrong with the method you posted. The first being uow.registerObject() is going to cause the object to be treated as new if you are not using the TopLink cache.
  There really is not any supported mechanism to do what you are looking to do. TopLink 11g has the hooks to replace the TopLink cache with a distributed cache (and the TopLink-Grid product uses these to use Coherence as the TopLink cache) but earlier versions did not have this.
  If you are willing to work outside what would be officially supported and no component of the application is using the ServerSession cache (ie all queries refresh) then something like the following may work for you:
  public void prepareObjectForSave(Object userEditedObject, Object gigaSpacesObject)
  UnitOfWork unitOfWork = this.dbContext.getSession().acquireUnitOfWork();
  Descriptor descriptor = this.dbContext.getSession().getDescriptor(gigaSpacesObject);
  Object pkVector = descriptor.getObjectBuilder().extractPrimaryKeyFromObject(gigaSpacesObject, this.dbContext.getSession());
  Object cloneOfMostRecentlyUpdatedObject = (Object)unitOfWork.cloneAndRegisterObject(gigaSpacesObject, new CacheKey(pKVector), descriptor);
  unitOfWork.mergeCloneWithReferences(userEditedObject);
  unitOfWork.commit();
  }You will need to tweak the above code to have it match the APIs in your version of TopLink and you should test thoroughly.
  --Gordon                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       

• Disable non-SSL session tracking?

  Hi, all,
  I wonder if one can disable all session tracking in JSP's whenever SSL is not being used? I would like to turn off all cookie-setting and URL-rewriting and use SSL-session tracking only (if I use session-tracking at all on a given page). I also want to specify this behavior programmatically (inside my JSP's) and not in my server's config files.
  I'm basically concerned that if my user leaves one of my HTTPS pages, they will still retain a non-secure cookie with their session information. This seems to be indeed the default behavior: when I run my tests and transition from an HTTPS page to an HTTP one, the browser does store a cookie. I know I can invalidate the session as the next step, but I'd rather have the cookie not being set altogether to begin with. Imagine the situation where the user leaves my HTTPS page for a totally different (HTTP) website: in this setting I won't get a chance to invalidate the session and delete the cookie.
  Any ideas, therefore, on how to programmatically disable non-SSL session-tracking?
  Thanks,
  Dmitri.

  I don't think you can do this programatically.
  However I also don't think it is a problem.
  Cookies are related to zone names aren't they?
  http://mysite and https://mysite are two different
  zones as far as cookies are concerned. One should
  not be able to see the other.
  It issues a new cookie for the http site you are just
  navigating to. That cookie has nothing to do with
  the secure site you just came from, and shouldn't be
  able to tell them any info about the secure site.
  I think you are worrying about something that isn't
  really there.
  What is your concern? That they pick up a JSESSIONID
  from the cookie and can then pretend to be a
  different user?Yes. A cookie is transmitted and stored unencrypted, I imagine (in any case, it should be more easily crackable than SSL). I wish Sun came up with an extension to the Session API where you would be able to explicitly specify which session-tracking protocols you want used and which ones you don't. At the moment their API abstracts and manages too much detail for you.
  I mean, if my site is supposed to be secure while I'm using SSL, then you'd expect that no information about those secure sessions should leak outside the SSL protocol, wouldn't you say?

• Cache persistence

  Hi,
  In RPD, we have an option for cache persistence.
  We do have an option for specifiying hours to persist cache and another option for never expires.
  But my requirement is to clear the cache whenever a particular table gets loaded for a day.
  Is there any way to achieve this automated rather than clearing the cache manually?
  Thanks

  Thanks!
  Few more doubts:
  a)consider that my ETL process runs only once in the day and it updates the Event table also:
  I have polling frequency as 10 mins. So it will check the Event table and purge the cache. Here will it delete the record from Event table also?
  Because if it's not deleting the record from Event table,in the next polling(aftr 10 mins), it ll find the record in Event table and again purge the cache which is not needed,
  b)in addition to polling frequency 10 mins, if we set cache persistence time as 2 hrs, will it purge the cache once in the 2 hrs?
  Here both Event polling as well as cache persistence option both simulataneously in effect?
  c)In my RPD i have several reports. is it possible that to clear the cache specific to certain reports(rather than the entire places wherever the object is used)?
  Is it possible to set the Polling event table accordingly?
  Thanks

• Transaction cache VS Session cache

  Hi,
  Some one please help me to understand the concepts of ttransaction cache VS Session cache.
  In the user guide its given that
  For AM : Any data stored on the transaction is accessible to all pages that share the same root application module instance .
  For Session : Session cache only when you need to set and access simple values in many pages, which have different root application modules
  (The transaction cache discussed above isn't an option)
  Are these 2 different ? if so how ? Why the transaction cache is different from session cache, both are used to store data and both are available across pages assuming all pages share the same AM.
  Thank you for all your help.

  GustavoJimenez,
  Thank for taking time and explaining it.
  I understand that, if multiple pages share the same AM and retainAM flag ='N' then it will create multiple instances of same AM. so is the AM cache is common for all the AM instances ?
  Can you please explain more about session cache and where it comes into picture ? Is session cache and AM cache has same attributes ?

• UnitOfWork and server session cache

  Hello,
  seems like in some situations UoW does not update server session cache:
  SessionManager manager = SessionManager.getManager();
  Server server = (Server) manager.getDefaultSession();
  Session client = server.acquireClientSession();
  UnitOfWork unit = client.acquireUnitOfWork();
  // stored procedure call preserves caching !
  StoredProcedureCall call = new StoredProcedureCall();
  call.setProcedureName("security.set_current_user");
  call.addNamedArgumentValue("p_user", 123);
  unit.executeNonSelectingCall(call);
  // these objects should always be cached (if caching is enabled) !
  List list = unit.readAllObjects(Naudotojas.class);
  unit.commit();
  client.release();
  server.release();
  The presented source code executes stored procedure and read query within singe transaction. Problem is that selected data is not cached. But if stored procedure call is removed, then records will be cached. Is it expected behaviour ? That workarounds could be applied to force caching ?

  When the first modify call is performed in a UnitOfWork it then assumes that the transactional state of the database is transient and therefore and data read could be non-committed. At this point it is not safe to load the objects into the shared cache.
  If you are attempting to make use of VPD security you should read up on the support offered in TopLink. It will give you additional call-backs for setting the user credentials.
  Doug