LTM and java certs
I have an internal web app I need to load balance. This app is SSL and I would like to use cookie persistence. I have set up my cert on my LTM and set up persistence before for other apps and it works well. The issue I have run across with this new app is that even though the apache cert on the app matches our cert on the LTM, there is a portion of this app that uses java with the company's certificate. This results in the ssl decryption\encryption needed for cookie persistence breaking on the java portion, making the web app not function altogether.
Are there any options in this scenario of the java cert being different from the web server cert, or am I stuck changing my persistence from cookie to ssl?
PS I have an older bigip 1600 with 9.4 running.
- Kevin_Stewart (Employee)
Would it be safe to say that the java app portion happens during the HTTP session, and that the java app 1) doesn't handle cookies, and/or 2) can't consume and use the cookie from the browser? Do you see the java app sending the persistence cookie?
If you disable all pool members but one, does it work?
- Kevin_Davies_40 (Nacreous)
It appears you have two different SSL certs being used, am I correct?
If that is the case then you need to update the cert being used by "that part" of that Java App to match that of your virtual, or your cookie persistence will not work.
In this scenario, you can try multiple persistence. Set cookie persistence as primary then SSL persistence as secondary.
- jnowlin_44976 (Nimbostratus)
To answer Kevin Stewart, I already have it down to 1 pool member and it still doesn't work.
Kevin Davies, I will try this and post back results
- jnowlin_44976 (Nimbostratus)
Kevin Davies I just tried using a fallback persistence profile but after selecting cookie based on the default my only option on the fallback was source_addr
- Kevin_Stewart (Employee)
So just to level set, you said you now only have one server in the pool. If that's true, and it's still not working, then persistence is probably not to blame. So does it fail when the java app is invoked? Are there specific differences in the SSL requirements between the two apps?
- jnowlin_44976 (Nimbostratus)
While persistence might not be the culprit, it may be the decrypt\encrypt I'm doing on the F5 to be able to utilize persistence. If I change the persistence to SSL persistence (no decryption) it works.
I'm guessing they are doing code signing on their java app. Anyone ever run into this situation where the cert used in the java app isn't the same as the cert used on the website itself?
- nitass_89166 (Noctilucent)
Can you try ssldump to see the ssl handshake?
sol10209: Overview of packet tracing with the ssldump utility
- Kevin_Stewart (Employee)
I agree with Nitass. If SSL decryption/encryption is failing for the Java app, then you need to dig into the client OR server side SSL (it could be either or both). Just to be clear though, when you say it works with SSL session persistence, are you also implying that no decryption/encryption is happening (no client or server SSL profiles)?
- jnowlin_44976 (Nimbostratus)
Yes, when it does work I am doing NO decryption/encryption.
But I guess it could also be related to the HTTP profile, since I select none for the http profile when I change the persistence to SSL and it works.
Basically I can only get this app to work if I set the http profile to none and remove both ssl profiles.
- Kevin_Stewart (Employee)
That could suggest a few things:
- The SSL between the client and java app cannot be terminated (decrypted/re-encrypted)
- The java app isn't HTTP-based, and/or
- The java app doesn't support HTTP cookies
Try this (in this order, and with only ONE member in the pool):
1. Apply client and server SSL profiles with NO HTTP profile
2. If that still works, then add an HTTP profile
3. If that still works, then add a cookie persistence profile
If I had to guess, I'd say it breaks between 1 and 2 above.