Forum Discussion

jnowlin_44976's avatar
jnowlin_44976
Icon for Nimbostratus rankNimbostratus
Aug 30, 2013

LTM and java certs

I have an internal web app I need to load balance. this app is SSL and I would like to use cookie persistence. I have setup my cert on my LTM and setup persistence before for other apps and it works well. issue I have run across with this new app is that even though the apache cert on the app matches our cert on the LTM, there is a portion of this app that uses java with the companies certificate. this results in the ssl decryption\encryption needed for cookie persistence to break on the java portion making the web app not function all together.

 

are there any options in this scenario of java cert being different from the web server cert or am I stuck changing my persistence from cookie to ssl?

 

PS I have an older bigip 1600 with 9.4 running.

 

application delivery
BIG-IP
cookie persistence
design
LTM
security

19 Replies

Sort By
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Aug 30, 2013

    Would it be safe to say that the java app portion happens during the HTTP session, and that the java app 1) doesn't handle cookies, and/or 2) can't consume and use the cookie from the browser? Do you see the java app sending the persistence cookie?

     

    If you disable all pool members but one, does it work?

     

  • Kevin_Davies_40's avatar
    Kevin_Davies_40
    Icon for Nacreous rankNacreous
    Aug 31, 2013

    It appears you have two different SSL certs being used, am I correct?

     

    If that is the case then you need to update the cert being used by "that part" of that Java App to match that of you virtual or your cookie persistence will not work.

     

    In this scenario, you can try multiple persistence. Set cookie persistence as primary then SSL persistence as secondary.

     

  • jnowlin_44976's avatar
    jnowlin_44976
    Icon for Nimbostratus rankNimbostratus
    Sep 03, 2013

    to answer kevin stewart, I already have it down to 1 pool member and it still doesn't work.

     

    Kevin Davies, I will try this and post back results

     

  • jnowlin_44976's avatar
    jnowlin_44976
    Icon for Nimbostratus rankNimbostratus
    Sep 03, 2013

    Kevin Davies I just tried using a fallback persistence profile but after selecting cookie based on the default my only option on the fallback was source_addr

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Sep 04, 2013

    So just to level set, you said you now only have one server in the pool. If that's true, and it's still not working, then persistence is probably not to blame. So does it fail when the java app is invoked? Are there specific differences in the SSL requirements between the two apps?

     

  • jnowlin_44976's avatar
    jnowlin_44976
    Icon for Nimbostratus rankNimbostratus
    Sep 04, 2013

    while persistence might not be the culprit it may be the decrypt\encrypt im doing on the F5 to be able to utilize persistence. if i change the persistence to SSL persistence (no decryption) it works.

     

    i think the issue is with ssl decryption enabled BigIP can decrypt the IIS SSL traffic that has our cert on it but fails to decrypt the java traffic that has the vendors cert on it.

     

    im guessing they are doing code signing on their java app. anyone ever run into this situation the cert used in the java app isnt the same as the cert used on the website itself?

     

    • Kevin_Stewart's avatar
      Kevin_Stewart
      Icon for Employee rankEmployee
      Sep 05, 2013
      I agree with Nitass. If SSL decryption/encryption is failing for the Java app, then you need to dig into the client OR server side SSL (it could be either or both). Just to be clear though, when you say it works with SSL session persistence, are you also implying that no decryption/encryption is happening (no client or server SSL profiles)?
    • Kevin_Stewart's avatar
      Kevin_Stewart
      Icon for Employee rankEmployee
      Sep 05, 2013
      I agree with Nitass. If SSL decryption/encryption is failing for the Java app, then you need to dig into the client OR server side SSL (it could be either or both). Just to be clear though, when you say it works with SSL session persistence, are you also implying that no decryption/encryption is happening (no client or server SSL profiles)?
  • jnowlin_44976's avatar
    jnowlin_44976
    Icon for Nimbostratus rankNimbostratus
    Sep 05, 2013

    yes when it doees work i am doing NO decryption/encryption.

     

    but i guess it could also be related to the HTTP profile since i select none for the http profile when i change the persistence to SSL and it works.

     

    basically i can only get this app to work if i set http profile to none, remove both ssl profiles.

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Sep 05, 2013

    That could suggest a few things:

     

    1. The SSL between the client and java app cannot be terminated (decrypted/re-encrypted)

       

    2. The java app isn't HTTP-based, and/or

       

    3. The java app doesn't support HTTP cookies

       

    Try this (in this order, and with only ONE member in the pool):

     

    1. Apply client and server SSL profiles with NO HTTP profile

       

    2. If that still works, then add an HTTP profile

       

    3. If that still works, then add a cookie persistence profile

       

    If I had to guess, I'd say it breaks between 1 and 2 above.