For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Geoff_R_32204's avatar
Geoff_R_32204
Icon for Nimbostratus rankNimbostratus
Jun 08, 2010

9.4.8 LTM between apache and weblogic server SSL config.

we are trying (from questions brought up during our most recent PCI compilance exercise) to set up the following.

 

 

Apache2/WLPlugin <-SSL-> F5 9.4.8LTM <-SSL-> Oracle/BEA Weblogic server 10.0 MP1

 

 

after much wailing and gnashing of teeth I have it working as

 

 

Apache2/WLPlugin <-SSL-> Oracle/BEA Weblogic server 10.0 MP1

 

 

once we plug the F5 in the middle the weblogic plugin cannot communicate with the weblogic server.

 

 

the conjecture is that we need to terminate the SSL on the F5 and re-encrypt for the trip to Weblogic Server.

 

 

we have never attempted this before and since this is not a critical production issue, I get to try to figure it out. I have almost no knowledge of F5 configuration so would greatly appreciate any pointers! especially if this is or is not possible.

 

 

 

 

oracle
partner

14 Replies

Show More
  • Bart_18836's avatar
    Bart_18836
    Icon for Nimbostratus rankNimbostratus
    Oct 31, 2010
    Hi,

     

     

    I was wondering if you have some kind of similar idea for SSL server profile while having Apache server behind BigIP listening to SSL traffic. I am struggling with that for a weeks.

     

     

    Any help will be appreciated.

     

     

    PS.

     

     

    I have tried above solution.

     

     

    This setup des not work :

     

     

    Client (SSL) ---> BigIP (SSL client and server) ---> Apache server (SSL)

     

     

    This setup works:

     

     

    Client (HTTP) ---> BigIP (SSL server) ---> Apache server (SSL)

     

     

    Best regards,

     

    Bart

     

  • Chris_Akker_129's avatar
    Chris_Akker_129
    Historic F5 Account
    Nov 01, 2010
    Hi Bart, your first config is called SSL decrypt / re-encrypt, and is quite common with big-ip. You will need to use both the Client SSL and Server SSL Profiles on your virtual server.

     

    There is some good info on how big-ip handles SSL traffic here: http://support.f5.com/kb/en-us/solutions/public/12000/000/sol12015.html?sr=10905129

     

     

    When you say "does not work", can you clarify - no TCP connection, no/bad ssl handshake, ssl cert error, other ? Have you looked at the traffic with any tools - httpwatch, fiddler, etc ?

     

     

    -Chris.
  • vamshinr_95731's avatar
    vamshinr_95731
    Icon for Nimbostratus rankNimbostratus
    Mar 09, 2012
    Chris,

     

     

    We are running into same issue. I am using IIS6 as the reverse proxy to WebLogic 9.2. There is F5 Load Balance infront of WebLogic. So IIS6 is configured to use this LoadBalanced url over SSL. Below are the configurations on IIS6:

     

     

    WebLogicHost=hostname

     

    WebLogicPort=portnumber

     

    WlForwardPath=/

     

    PathTrim=/

     

    SecureProxy=ON

     

    EnforeBasicConstraints=OFF

     

    RequireSSLHostMatch=false

     

    TrustedCAFile=D:\trustercert.cer

     

     

    Apart from configuring IIS for SSL configurations, WL-Proxy-SSL parameter is enabled on F5 load Balancer. No Luck with that. I am still getting "no backend server available for connection" error message.

     

     

    Any help on this would be much appreciated.

     

     

    Thanks!