For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

waterfall_10467's avatar
waterfall_10467
Icon for Altostratus rankAltostratus
Jun 12, 2013

Oracle_IAS_issue

Hello,     We are trying to deploy oracle ias 10.1.2.3 application on the f5 product. However, eventhough the certificate which we imported from server to f5 is correct, when we use both http...
oracle
partner
Chris_Akker_129's avatar
Chris_Akker_129
Historic F5 Account
Jun 12, 2013

Hi Waterfall. It would be helpful if you could describe in more detail by what you mean the "application isn't working". Is this a) Layer4 failure - TCP resets from big-ip VS? b) Layer5 failure - SSL handshake error/issue ? c) Layer7 failure - can't login, links broken, URLs incorrect, pages/objects don't render ? Or other ?

 

 

Using the Perf L4 virtual server definition sets it in TCP forwarding mode, and the big-ip does not terminate the 3-way handshake first. It also removes protocol enforcement of http and SSL profiles, as they are not allowed on Perf L4 virtuals - which you found out. You will need to move back to a Standard vs with both HTTP and SSL profiles.

 

 

If you are trying to run in SSL Bridging mode, you probably have to load BOTH a server and client SSL certificate that is valid on the big-ip. The key word here is "valid". On the client side SSL, most browsers will not work, or pop-up SSL warnings if the SSL cerficate is not valid, including the virtual hostname used in DNS for the big-ip's Virtual Server. If you loaded the cert off the server, it may only have the server's hostname in the Common Name of the certificate, or may be invalid in other ways. You might need to add the virtual hostname as a Subject Alternative Name, or use a wildcard certificate. For the Server side SSL profile, you can't normally use the server's own certificate to present to the server. It will want a Client certificate presented, so you may need to load a Client cert/key, and use that in the SSL Server profile. It is hard to say if this is needed or not, because it depends on how the server is configured for SSL- to request a specific Client cert, accept any cert, or none required. ( And there are other options, too ).

 

 

If you are running SSO with IAS, then you will need to do this for both the SSO and IAS virtual servers. This deployment guide should get you pointed in the right direction. However, this guide does not include SSL on the server side.

 

http://www.f5.com/pdf/deployment-guides/oracle10g-iapp-dg.pdf

 

 

For more information on SSL in general, profiles, certs, and settings, AskF5 will be your best place to find details on all the SSL profile settings you might need.

 

 

If you are still stuck, you can always open an SR with F5 support, and they should be able to help you figure out what is wrong with tcpdump and ssldump tools. To help troubleshoot clientside issues, you can also use a browser plug-in with HTTPS decoding, like Fiddler2.

 

 

-Chris.