Forum Discussion

jnowlin_44976's avatar
jnowlin_44976
Icon for Nimbostratus rankNimbostratus
Aug 30, 2013

LTM and java certs

I have an internal web app I need to load balance. this app is SSL and I would like to use cookie persistence. I have setup my cert on my LTM and setup persistence before for other apps and it works well. issue I have run across with this new app is that even though the apache cert on the app matches our cert on the LTM, there is a portion of this app that uses java with the companies certificate. this results in the ssl decryption\encryption needed for cookie persistence to break on the java portion making the web app not function all together.

 

are there any options in this scenario of java cert being different from the web server cert or am I stuck changing my persistence from cookie to ssl?

 

PS I have an older bigip 1600 with 9.4 running.

 

  • i just got off a call with the application vendor. they use a JSESSIONID cookie, that if is not found on the client will result in the same experience i am seeing. will F5 prevent a JSESSIONID cookie from being installed on the end users machine?

     

  • yes. in order for the app to allow users to login it has to see this JSESSIONID cookie, according to the vendor.

     

    but i can see this being created so im back to the http profile being the issue. if i use an http profile in order to do cookie persistence it fails. if i set http profile to none it works.

     

  • Very interesting. Okay, another two questions for clarification:

     

    1. It works with client and server SSL profiles applied to the VIP but NO HTTP profile. Correct? Decrypting and re-encrypting the java app's traffic.

       

    2. With client and server SSL profiles applied, if you enable a basic HTTP profile on the VIP, but DO NOT enable any persistence or any iRule, does it work?

       

  • i think the problem is about ssl handshake.

     

    without ssl profile, http profile cannot be used because bigip cannot parse http header (since it is encrypted). so, i understand it is expected that you have to remove http profile when not doing ssl offloading.

     

    normally bigip does not alter cookie, so i do not think there is an issue on jsessionid cookie. also, you have mentioned it does not work even using one pool member/server.

     

    just my 2 cents.

     

  • i think the problem is about ssl handshake.

     

    I'm not sure that we've established that just yet. While the functioning of the HTTP profile DOES require, at the very least, a client SSL profile, I don't believe jnowlin has definitively answered the following questions:

     

    1. It works with client and server SSL profiles applied to the VIP but NO HTTP profile. Correct? Decrypting and re-encrypting the java app's traffic.

       

    2. With client and server SSL profiles applied, if you enable a basic HTTP profile on the VIP, but DO NOT enable any persistence or any iRule, does it work?

       

    It could indeed be that the Java client can handle the SSL termination and re-encryption, but it could also be that it simply can't handle the HTTP manipulation.

     

    1. with client and server SSL profiles but NO http profile it does not work. returns to login page
    2. with ssl profiles applied, basic HTTP profile on the VIP, and NO persistence\irule it does not work. returns to login page.