Forum Discussion
SSL and sticky sessions (offload at app server)
We are, for better or worse, offloading SSL-based transactions at the application server. The F5 is responsible for port translation 443 to 9002 and needs to establish a sticky session. However, we are told that a sticky session is impossible given the traffic is encrypted. That is, F5 does not know how to associate the request to a persistent connection.
The fix provided by F5 tech is to perform an SSL Offload at the F5, re-encrypt and send to app server. In this way, they can establish a sticky session. The application uses JSESSIONID.
Question, is this the way to do this? Seems like there should be another way.
Newbi
5 Replies
- Kevin_Stewart
Employee
If you're decrypting and re-encrypting, and this is HTTP traffic, the EASIEST and most stable mechanism is cookie persistence. The persistence cookie is inserted into the egress flow and returned on each request. To use the JSESSIONID, you must create an iRule that parses this value from the requests and/or responses and maintains a session table entry for the connection.
If you cannot decrypt and re-encrypt the SSL, your persistence option becomes limited to source address.
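The JSESSIONID iRule described in the reply above, as an added example that is not part of the original thread and not F5's own code. It assumes SSL is decrypted at the F5 and re-encrypted to the pool (client-SSL and server-SSL profiles), that an HTTP profile and a universal persistence profile are attached to the virtual server, and that the 1800-second timeout is a constructed value to be matched to the application's session lifetime.

```tcl
# Added example: universal (UIE) persistence keyed on JSESSIONID.
# Only works when the F5 can read the HTTP layer, i.e. after SSL offload.
when HTTP_REQUEST {
    # Returning client: look up the pool member recorded for this session ID.
    if { [HTTP::cookie exists "JSESSIONID"] } {
        set jsess [HTTP::cookie value "JSESSIONID"]
        if { $jsess ne "" } {
            # 1800 s is an assumed timeout, not a value from the thread.
            persist uie $jsess 1800
        }
    }
}

when HTTP_RESPONSE {
    # The application server issues JSESSIONID via Set-Cookie. Record which
    # pool member answered so later requests carrying that ID return to it.
    if { [HTTP::cookie exists "JSESSIONID"] } {
        set jsess [HTTP::cookie value "JSESSIONID"]
        if { $jsess ne "" } {
            persist add uie $jsess 1800
        }
    }
}
```

Without decryption at the F5 neither event can read the cookie, which is why pass-through SSL leaves only source address or SSL session ID persistence.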
- Mohamed_Lrhazi
Altocumulus
SSL cookie persistence works for the case where SSL is not terminated. What's the F5 do exactly? What's 9002 for?
- Kevin_Stewart
Employee
SSL cookie persistence isn't a thing. There's HTTP cookie persistence for decrypted/unencrypted HTTP traffic, and SSL sessionid for SSL traffic. I'd add that SSL sessionid is generally unreliable as it can change any time the browser or server initiates an SSL renegotiation.
- EdH_135054
Nimbostratus
Thanks folks. Will forward to our network admin.
To answer an earlier question port 9002 is the port hybris listens on for SSL traffic.
- edon_221112
Nimbostratus
Did you figure this out?