Forum Discussion
Chris_G_Davis_1
Nimbostratus
Dec 12, 2008
Oracle 10g SSL Offload - JInitiator:X509CertChainInvalidErr error
Hi,
We are in the process of implementing SSL offload on our LTM-3400’s for Oracle 10g. The servers we are load balancing to on the backend are listening on port 80. We have a valid Verisign cert in place. The first time you connect to the SSL VIP, the server downloads “JInitiator”, which is a Java program, to the local computer. Once the installation is complete it attempts to load the app from the server. But it fails with an “X509CertChainInvalidErr” Java error. I figured out a workaround for individual computers, but this isn’t a valid solution for the general public. The workaround is to add the cert assigned to the SSL VIP to what I think is a cert chain file called “C:\Program Files\Oracle\JInitiator 1.3.1.26\lib\security\certdb.txt” on the local computer. Once added, I restart the browser and all is well.
Like I said earlier, this isn’t a practical workaround as this site will be used by the public.
Has anyone seen this or know how to fix it?
I attached a copy of the certdb.txt (example-certdb.txt) file without my cert for an example.
Any help would be greatly appreciated.
Thanks,
Christopher G Davis
Sr. Network Engineer
SITA Atlanta Data Center
14 Replies
- hoolio
Cirrostratus
Hi Chris,
You should be able to import the chain cert under Local Traffic >> SSL certificates and then specify it in the client SSL profile.
SOL6401: Configuring the BIG-IP to use an intermediate or chain certificate with a client SSL profile
Aaron
- Jacquiec_105785
Nimbostratus
Hi Chris
Did you ever manage to get this to work? You probably don't remember now, it was so long ago, but I'm having the same issues.
Would appreciate any tips for getting it working.
Cheers
Jacquie
- hoolio
Cirrostratus
Hi Jacquie,
Did you try importing the intermediate cert and configuring that in the client SSL profile?
Aaron
- Jacquiec_105785
Nimbostratus
No, I have a certificate & key for the website configured in the client SSL profile. Do I need to convert this into a certificate bundle? I wasn't sure how to do that.
- hoolio
Cirrostratus
You can check SOL6401 (linked above) for details on configuring an intermediate cert:
https://support.f5.com/kb/en-us/solutions/public/6000/400/sol6401.html
Aaron
- Jacquiec_105785
Nimbostratus
Tried adding the ca-bundle from the chain drop down as well as having the website certificate and key configured but still getting the same error.
- hoolio
Cirrostratus
Sorry, I was suggesting that you download the most current intermediate certificate from the certificate authority, add that to the bundle and then update the client SSL profile by clicking save. The last step loads the changed cert file into LTM memory for use. If you get stuck in this process, you could open a case with F5 Support and ask for help.
Aaron
- Yuliy_100882
Nimbostratus
I am trying to implement the SSL for Oracle 10g Forms/Reports standalone behind the BIG-IP 9.3.1 Build 37.1.
I have three (will be more) servers in the load balanced pool.
I have installed the certificate on the F5 unit and want to terminate the SSL communication on the F5 instead of the Oracle servers.
Can someone explain/assist with understanding how to configure the F5 to line up to the ports that Oracle is listening to?
- Chris_Akker_129
Historic F5 Account
Hi Yuliy, take a look at the F5 deployment guide for Oracle 10g. It has a section on SSL offload, here: http://www.f5.com/pdf/deployment-guides/f5-oracle10g-dg.pdf
-Chris.
- jrcma_oracle_47
Nimbostratus
hi chris,
where can we find the deployment guide for 9iAS release 2? we're still using this version in our reporting services. does it also include an SSL implementation guide as well? we're experiencing similar error messages during our testing phase in our TEST environment.
regards,
bhotskie
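The intermediate-certificate advice given in the replies above can be checked offline. The following is an added example, not part of the thread or of F5's documentation: it builds a constructed throwaway root, intermediate and leaf with the openssl CLI and verifies the leaf as a client that trusts only the root would, first without and then with the intermediate. All file names, subjects and the `mkcert`/`chain_demo` helpers are made up for the demo.

```shell
#!/usr/bin/env bash
# Added example. Every name, subject and file here is constructed for the demo.

# mkcert NAME SUBJECT [SIGNER]: sign with SIGNER's key, or self-sign if omitted.
# CA certificates get basicConstraints CA:TRUE; the leaf gets CA:FALSE.
mkcert() {
  local name="$1" subj="$2" signer="${3:-}"
  if [ "$name" = leaf ]; then
    printf 'basicConstraints=CA:FALSE\n' > "$name.ext"
  else
    printf 'basicConstraints=critical,CA:TRUE\n' > "$name.ext"
  fi
  openssl req -newkey rsa:2048 -nodes -keyout "$name.key" -out "$name.csr" \
    -subj "$subj" >/dev/null 2>&1 || return 1
  if [ -n "$signer" ]; then
    openssl x509 -req -in "$name.csr" -CA "$signer.pem" -CAkey "$signer.key" \
      -set_serial 1 -days 2 -extfile "$name.ext" -out "$name.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$name.csr" -signkey "$name.key" \
      -days 2 -extfile "$name.ext" -out "$name.pem" >/dev/null 2>&1
  fi
}

# Prints "leaf-only=<result> with-intermediate=<result>".
chain_demo() {
  local dir alone chained
  dir=$(mktemp -d) || return 1
  (
    cd "$dir" || exit 1
    mkcert root "/CN=DemoRootCA" || exit 1
    mkcert int "/CN=DemoIntermediateCA" root || exit 1
    mkcert leaf "/CN=vip.example.test" int || exit 1
    # Server sends only its own certificate: no path to the trusted root.
    if openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
    then alone=OK; else alone=FAIL; fi
    # Server also sends the intermediate (the chain setting in the profile).
    if openssl verify -CAfile root.pem -untrusted int.pem leaf.pem >/dev/null 2>&1
    then chained=OK; else chained=FAIL; fi
    echo "leaf-only=$alone with-intermediate=$chained"
  )
  local rc=$?
  rm -rf "$dir"
  return $rc
}

chain_demo
```

The `-untrusted` file plays the role of the chain certificate the virtual server presents during the handshake; the client's trust store still contains only the root.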