Forum Discussion
F5 SSL Termination for Oracle Server
Hello, I have an Oracle server that has an unencrypted connection between it and the F5, and I'd like to apply SSL termination on the F5 so the client has a secure connection. The configuration I have works with HTTP normally; however, nothing works with HTTPS, and I've added a certificate for the client side. The configuration is shown below.
Note that the pool listens on port 9502.
HTTP vServer Configuration
ltm virtual ORACLE_HTTP {
    destination 10.155.0.126:http
    ip-protocol tcp
    mask 255.255.255.255
    pool ORACLE_POOL
    profiles {
        http { }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vs-index 300
}
HTTPS vServer Configuration
ltm virtual ORACLE__HTTPS {
    destination 10.156.0.126:https
    ip-protocol tcp
    mask 255.255.255.255
    pool ORACLE_POOL
    profiles {
        SECURE_CERT {
            context clientside
        }
        HTTP_HTTPS { }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vs-index 301
}
===============POOL CONFIGURATION===============
admin@(F5-INT-01)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool ORACLE_REPORTING_POOL
ltm pool ORACLE_POOL {
    members {
        10.100.39.4:9502 {
            address 10.100.39.4
            session monitor-enabled
            state up
        }
    }
    monitor TCP_9502
}
========================MONITORING CONFIGURATION===========
ltm monitor tcp TCP_9502 {
    adaptive disabled
    defaults-from tcp
    destination *:9502
    interval 5
    ip-dscp 0
    recv none
    recv-disable none
    send none
    time-until-up 0
    timeout 16
}
- Yoann_Le_Corvi1Cumulonimbus
Hi
 
We would need a bit more info on your situation.
 
What behaviour do you have in your browser?
 
Could you do a tcpdump on the BigIP capturing client side and ? And/Or use a logging iRule here 
Then we should see a bit clearer into this.
 
Yoann
 
- Root44Altostratus
First of all, I hope those are not your actual IP addresses. If yes, from next time, always replace them with something like x.x.x.x or z.z.z.z.
Second, if the server is using the secure port with certs on it, you need to add the serverssl profile with context serverside.
If this doesn't help, please share the error or issue you are facing.
- Mustapha_388336Nimbostratus
Regarding tcpdump, I'm still new to F5 and it might not be that easy to get some valuable info. If there's an exact command you can guide me with, as I've checked the iRule, but I'm not sure how to run it on the CLI.
- Yoann_Le_Corvi1Cumulonimbus
In your browser, you used HTTPS, right, and not HTTP?
Can you send us the output of
list ltm profile client-ssl SECURE_CERT ? removing the passphrase if you have one :)
Yoann
- Mustapha_388336Nimbostratus
Thank you for your reply. Yes, in my browser I'm accessing the web using HTTPS, which is not working, and I cannot see the certificate the F5 should reply back with.
The client-ssl profile is as below; I've replaced all the names as well, just for your info.
ltm profile client-ssl SECURE_CERT {
    app-service none
    cert CERT.crt
    cert-key-chain {
        CERT_DIGICERT {
            CERT.crt
            chain CERT_DIGICERT.crt
            key KEY.key
        }
    }
    chain CERT_DIGICERT.crt
    cipher-group none
    ciphers DEFAULT
    defaults-from clientssl
    inherit-certkeychain false
    key KEY.key
    passphrase none
}
- Mustapha_388336Nimbostratus
So if I need to apply the iRule mentioned earlier, how can I view the result of tcpdump on the CLI screen?
tcpdump you would run on the bash shell, not tmsh
if this isn't a huge production environment which is high on cpu you can do
tcpdump -nn -i 0.0:nnnp host 10.156.0.126
for more info see: https://support.f5.com/csp/article/K13637
something like
curl http://10.100.39.4:9502
can also be interesting
if you have a support contract just contacting F5 is probably easier, this place isn't that great for troubleshooting like this.
- Yoann_Le_CorvicNimbostratus
Just a thought,
Can you use the default SSL profile as clientssl profile on your VS and see if it makes a difference?
Can you confirm you do not have any other module that could interfere? Like AFM?
Yoann
you missed the nnnp which would have given us the server side connection. now it is just client side.
your HTTPS capture shows three SYNs and no response, something odd is going on there.
why the HTTP_HTTPS tcp profile and no HTTP profile on that virtual server?
i would really start with more defaults, similar to what Yoann is suggesting.
- Mustapha_388336Nimbostratus
Thank you. Problem solved after I've removed the vServer and created it from scratch :D
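Added example, not part of any post in the thread: a small Python check that parses the two `ltm virtual` stanzas posted above and lists where the HTTPS virtual server differs from the working HTTP one. The function names and finding codes are made up for this example, and a reported difference is only a place to look, not a diagnosis of what was wrong here.

```python
# THREAD_CONFIG is copied from the two virtual-server stanzas posted in the thread.
THREAD_CONFIG = """
ltm virtual ORACLE_HTTP { destination 10.155.0.126:http ip-protocol tcp mask 255.255.255.255 pool ORACLE_POOL profiles { http { } tcp { } } source 0.0.0.0/0 source-address-translation { type automap } translate-address enabled translate-port enabled vs-index 300 }
ltm virtual ORACLE__HTTPS { destination 10.156.0.126:https ip-protocol tcp mask 255.255.255.255 pool ORACLE_POOL profiles { SECURE_CERT { context clientside } HTTP_HTTPS { } tcp { } } source 0.0.0.0/0 source-address-translation { type automap } translate-address enabled translate-port enabled vs-index 301 }
"""

def parse_block(tokens, i):
    """Parse tokens after a '{' into a dict; return (dict, index past '}').
    End of input counts as '}', so a truncated paste still parses."""
    block = {}
    while i < len(tokens) and tokens[i] != "}":
        key = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else "}"
        if nxt == "{":
            block[key], i = parse_block(tokens, i + 2)
        elif nxt == "}":
            block[key], i = None, i + 1
        else:
            block[key], i = nxt, i + 2
    return block, i + 1

def parse_virtuals(text):
    """Return {name: settings} for each `ltm virtual NAME { ... }` stanza."""
    tokens, virtuals, i = text.split(), {}, 0
    while i + 3 < len(tokens):
        if tokens[i:i + 2] == ["ltm", "virtual"] and tokens[i + 3] == "{":
            virtuals[tokens[i + 2]], i = parse_block(tokens, i + 4)
        else:
            i += 1
    return virtuals

def offload_findings(virtuals, plain_name, tls_name):
    """List (code, detail) differences between the HTTP virtual and its TLS sibling."""
    plain, tls = virtuals[plain_name], virtuals[tls_name]
    findings = []
    plain_addr = plain["destination"].rpartition(":")[0]
    tls_addr = tls["destination"].rpartition(":")[0]
    if tls_addr != plain_addr:
        findings.append(("address", f"{plain_addr} vs {tls_addr}"))
    contexts = [(p or {}).get("context") for p in tls["profiles"].values()]
    if "clientside" not in contexts:
        findings.append(("client-ssl", "no profile with context clientside"))
    if "serverside" in contexts:
        findings.append(("server-ssl", "TLS is also applied towards the pool"))
    only_plain = sorted(set(plain["profiles"]) - set(tls["profiles"]))
    if only_plain:
        findings.append(("profiles", "on HTTP virtual only: " + ", ".join(only_plain)))
    return findings
```

Calling `offload_findings(parse_virtuals(THREAD_CONFIG), "ORACLE_HTTP", "ORACLE__HTTPS")` returns the differences in the order the checks run.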