Forum Discussion
Oracle_IAS_issue
Hello,
We are trying to deploy an Oracle IAS 10.1.2.3 application on the F5 product. However, even though the certificate which we imported from the server to the F5 is correct, when we use both HTTP and SSL profiles, the application isn't working. But when we remove both SSL profiles and the HTTP profile, it is working on a standard VIP. On the other hand, the application is working over the F5 when we set the VIP as Performance Layer 4. The F5 is able to monitor pool members as up, no problem on that.
For example:
First, you call https://hash.ortal.com, then a popup screen is opened and you can log in over the popup screen to the Oracle application server. As I mentioned above, there is no issue when we use the VIP as Performance Layer 4, and also no problem when we don't use HTTP and SSL profiles.
Note: we are trying to run the VIP in bridging mode; I mean that the certificate is being used on both the client and server SSL profiles for the VIP.
LTM version: 11.3.0 HF5, and the device is actually running in a production environment.
Thank you in advance...
1 Reply
- Chris_Akker_129 (Historic F5 Account)
Hi Waterfall. It would be helpful if you could describe in more detail what you mean by "application isn't working". Is this a) Layer 4 failure - TCP resets from the BIG-IP VS? b) Layer 5 failure - SSL handshake error/issue? c) Layer 7 failure - can't log in, links broken, URLs incorrect, pages/objects don't render? Or other?
Using the Perf L4 virtual server definition sets it in TCP forwarding mode, and the BIG-IP does not terminate the 3-way handshake first. It also removes protocol enforcement of HTTP and SSL profiles, as they are not allowed on Perf L4 virtuals - which you found out. You will need to move back to a Standard VS with both HTTP and SSL profiles.
If you are trying to run in SSL Bridging mode, you probably have to load BOTH a server and client SSL certificate that is valid on the BIG-IP. The key word here is "valid". On the client side SSL, most browsers will not work, or will pop up SSL warnings, if the SSL certificate is not valid, including the virtual hostname used in DNS for the BIG-IP's Virtual Server. If you loaded the cert off the server, it may only have the server's hostname in the Common Name of the certificate, or may be invalid in other ways. You might need to add the virtual hostname as a Subject Alternative Name, or use a wildcard certificate. For the Server side SSL profile, you can't normally use the server's own certificate to present to the server. It will want a Client certificate presented, so you may need to load a Client cert/key, and use that in the SSL Server profile. It is hard to say if this is needed or not, because it depends on how the server is configured for SSL - to request a specific Client cert, accept any cert, or none required. (And there are other options, too.)
If you are running SSO with IAS, then you will need to do this for both the SSO and IAS virtual servers. This deployment guide should get you pointed in the right direction. However, this guide does not include SSL on the server side. http://www.f5.com/pdf/deployment-guides/oracle10g-iapp-dg.pdf
For more information on SSL in general, profiles, certs, and settings, AskF5 will be your best place to find details on all the SSL profile settings you might need.
If you are still stuck, you can always open an SR with F5 support, and they should be able to help you figure out what is wrong with tcpdump and ssldump tools. To help troubleshoot clientside issues, you can also use a browser plug-in with HTTPS decoding, like Fiddler2.
-Chris.
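
The hostname check described in the reply above, as an added example that is not part of the original thread and not F5 code: given the Common Name and Subject Alternative Names read from a certificate, it tests whether the virtual server's DNS name is covered. `cert_covers` is a hypothetical helper and every hostname in it is a constructed sample.

```python
# Added example. Inputs are the names already read out of a certificate
# (for instance from its text dump); all hostnames below are constructed.

def _name_match(pattern, host):
    """Compare a certificate name with a hostname, label by label.
    '*' is honoured only as the entire leftmost label and covers one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # require at least two fixed labels after the wildcard
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers(hostname, common_name, san_dns):
    """Return (ok, reason). When SAN dNSName entries exist, the CN is not
    consulted (RFC 6125 behaviour); CN is only a legacy fallback."""
    if san_dns:
        for name in san_dns:
            if _name_match(name, hostname):
                return True, "matched SAN " + name
        return False, "SAN present, no entry matches, CN ignored"
    if common_name and _name_match(common_name, hostname):
        return True, "matched CN " + common_name + " (legacy fallback)"
    return False, "no SAN and CN does not match"


VIP_NAME = "portal.example.com"            # constructed: DNS name of the virtual server
SERVER_CN = "ias01.internal.example.com"   # constructed: backend server's own hostname

CASES = {
    "cert exported from server, CN only": (SERVER_CN, []),
    "reissued with VIP name as SAN": (SERVER_CN, [SERVER_CN, VIP_NAME]),
    "wildcard certificate": ("*.example.com", ["*.example.com"]),
    "VIP name in CN but SAN lists only the server": (VIP_NAME, [SERVER_CN]),
}


def check_all(hostname=VIP_NAME):
    """Evaluate every sample certificate against the virtual hostname."""
    return {label: cert_covers(hostname, cn, sans)
            for label, (cn, sans) in CASES.items()}


if __name__ == "__main__":
    for label, (ok, reason) in check_all().items():
        print(("OK   " if ok else "FAIL ") + label + ": " + reason)
```

The wildcard case passes for the virtual hostname but would not cover `ias01.internal.example.com`, because a wildcard spans a single label.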
