LTM and java certs

jnowlin_44976 (Nimbostratus)

I have an internal web app I need to load balance. This app is SSL and I would like to use cookie persistence. I have set up my cert on my LTM and set up persistence before for other apps, and it works well. The issue I have run across with this new app is that even though the Apache cert on the app matches our cert on the LTM, there is a portion of this app that uses Java with the company's certificate. This results in the SSL decryption/encryption needed for cookie persistence breaking on the Java portion, making the web app not function altogether.

 

Are there any options in this scenario of the Java cert being different from the web server cert, or am I stuck changing my persistence from cookie to SSL?

 

PS: I have an older BIG-IP 1600 running 9.4.

 

19 REPLIES

Kevin_Stewart (F5 Employee)

Would it be safe to say that the Java app portion happens during the HTTP session, and that the Java app 1) doesn't handle cookies, and/or 2) can't consume and use the cookie from the browser? Do you see the Java app sending the persistence cookie?

 

If you disable all pool members but one, does it work?

 

Kevin_Davies_40 (Nacreous)

It appears you have two different SSL certs being used, am I correct?

 

If that is the case then you need to update the cert being used by "that part" of the Java app to match that of your virtual, or your cookie persistence will not work.

 

In this scenario, you can try multiple persistence. Set cookie persistence as primary, then SSL persistence as secondary.

 

jnowlin_44976 (Nimbostratus)

To answer Kevin Stewart: I already have it down to 1 pool member and it still doesn't work.

 

Kevin Davies, I will try this and post back results

 

jnowlin_44976 (Nimbostratus)

Kevin Davies, I just tried using a fallback persistence profile, but after selecting cookie as the default, my only option for the fallback was source_addr.

 

Kevin_Stewart (F5 Employee)

So just to level set, you said you now only have one server in the pool. If that's true, and it's still not working, then persistence is probably not to blame. So does it fail when the Java app is invoked? Are there specific differences in the SSL requirements between the two apps?

 

jnowlin_44976 (Nimbostratus)

While persistence might not be the culprit, it may be the decrypt/encrypt I'm doing on the F5 to be able to utilize persistence. If I change the persistence to SSL persistence (no decryption) it works.

 

I think the issue is that with SSL decryption enabled, BIG-IP can decrypt the IIS SSL traffic that has our cert on it but fails to decrypt the Java traffic that has the vendor's cert on it.

 

I'm guessing they are doing code signing on their Java app. Has anyone ever run into this situation, where the cert used in the Java app isn't the same as the cert used on the website itself?

 

nitass (F5 Employee)

Can you try ssldump to see the SSL handshake?

 

sol10209: Overview of packet tracing with the ssldump utility

 

http://support.f5.com/kb/en-us/solutions/public/10000/200/sol10209.html

 

I agree with Nitass. If SSL decryption/encryption is failing for the Java app, then you need to dig into the client OR server side SSL (it could be either or both). Just to be clear though, when you say it works with SSL session persistence, are you also implying that no decryption/encryption is happening (no client or server SSL profiles)?

jnowlin_44976 (Nimbostratus)

Yes, when it does work I am doing NO decryption/encryption.

 

But I guess it could also be related to the HTTP profile, since I select None for the HTTP profile when I change the persistence to SSL, and it works.

 

Basically I can only get this app to work if I set the HTTP profile to None and remove both SSL profiles.

 

Kevin_Stewart (F5 Employee)

That could suggest a few things:

  1. The SSL between the client and Java app cannot be terminated (decrypted/re-encrypted)
  2. The Java app isn't HTTP-based, and/or
  3. The Java app doesn't support HTTP cookies

Try this (in this order, and with only ONE member in the pool):

  1. Apply client and server SSL profiles with NO HTTP profile
  2. If that still works, then add an HTTP profile
  3. If that still works, then add a cookie persistence profile

If I had to guess, I'd say it breaks between 1 and 2 above.

 

jnowlin_44976 (Nimbostratus)

I just got off a call with the application vendor. They use a JSESSIONID cookie; if it is not found on the client, it results in the same experience I am seeing. Will F5 prevent a JSESSIONID cookie from being installed on the end user's machine?

 

Kevin_Stewart (F5 Employee)

Not usually. So the Java app uses a JSESSIONID??

 

jnowlin_44976 (Nimbostratus)

Yes. In order for the app to allow users to log in, it has to see this JSESSIONID cookie, according to the vendor.

 

But I can see this being created, so I'm back to the HTTP profile being the issue. If I use an HTTP profile in order to do cookie persistence it fails. If I set the HTTP profile to None it works.
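A way to check what the client actually holds at this point, added here as an example and not code from the original thread or from F5: given the Set-Cookie headers a browser received from the VIP, decode the default (unencrypted) BIG-IP persistence cookie back to the pool member it names and confirm the app's JSESSIONID was set alongside it. The header values, the pool name app_pool, the session id and the function names are constructed for illustration; the cookie encoding itself (IPv4 as a little-endian 32-bit integer in decimal, port as a little-endian 16-bit integer in decimal) is the documented default format.

```python
import socket
import struct
from http.cookies import SimpleCookie

# Constructed sample (not captured from the thread's application): Set-Cookie
# headers a browser would see from a VIP using cookie persistence (default
# BIGipServer<pool> cookie) in front of a Java app that issues JSESSIONID.
# The pool name "app_pool" and the session id are placeholders.
SAMPLE_SET_COOKIE_HEADERS = [
    "BIGipServerapp_pool=1677787402.36895.0000; path=/",
    "JSESSIONID=1A2B3C4D5E6F; Path=/; Secure; HttpOnly",
]


def decode_bigip_cookie(value):
    """Decode the default (unencrypted) BIG-IP persistence cookie value.

    Format is "<ip>.<port>.<third field>": the IPv4 address is its four bytes
    read as a little-endian 32-bit integer, the port is its two bytes read as
    a little-endian 16-bit integer, both rendered in decimal. The third field
    is not needed here. Returns (ip_string, port_int); raises ValueError on a
    malformed value so a non-default or encrypted cookie is not misread.
    """
    parts = value.split(".")
    if len(parts) != 3:
        raise ValueError("unexpected BIG-IP cookie format: %r" % value)
    ip_dec, port_dec = int(parts[0]), int(parts[1])
    if not (0 <= ip_dec <= 0xFFFFFFFF and 0 <= port_dec <= 0xFFFF):
        raise ValueError("field out of range in BIG-IP cookie: %r" % value)
    # Re-pack the decimal as little-endian bytes, then read them back in
    # network (big-endian) order to recover the dotted address and the port.
    ip = socket.inet_ntoa(struct.pack("<I", ip_dec))
    port = struct.unpack(">H", struct.pack("<H", port_dec))[0]
    return ip, port


def check_persistence(set_cookie_headers):
    """Summarise what a client was given: the pool member it was persisted to
    (decoded from any BIGipServer* cookie) and the app's JSESSIONID, if present.

    A client that does not send both back on later requests can land on a
    different member and a fresh Java session, which looks exactly like being
    returned to the login page.
    """
    jar = SimpleCookie()
    for header in set_cookie_headers:
        jar.load(header)
    summary = {"pool_member": None, "jsessionid": None, "jsessionid_secure": False}
    for name, morsel in jar.items():
        if name.startswith("BIGipServer"):
            summary["pool_member"] = decode_bigip_cookie(morsel.value)
        elif name == "JSESSIONID":
            summary["jsessionid"] = morsel.value
            summary["jsessionid_secure"] = bool(morsel["secure"])
    return summary


if __name__ == "__main__":
    # Expected: pool member ('10.1.1.100', 8080), JSESSIONID set with Secure flag.
    print(check_persistence(SAMPLE_SET_COOKIE_HEADERS))
```

Run it against the Set-Cookie lines from a browser or proxy capture of the failing Java request and of a working browser request; if the Java client's later requests omit either cookie, the symptom in this thread follows without any fault in the SSL handshake. Note also what the decode shows: the default encoding hands the pool member's internal IP and port to every client and to anyone who can read the cookie, which is why later BIG-IP releases offer a cookie encryption option in the persistence profile.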

 

Kevin_Stewart (F5 Employee)

Very interesting. Okay, another two questions for clarification:

  1. It works with client and server SSL profiles applied to the VIP but NO HTTP profile. Correct? Decrypting and re-encrypting the Java app's traffic.
  2. With client and server SSL profiles applied, if you enable a basic HTTP profile on the VIP, but DO NOT enable any persistence or any iRule, does it work?

nitass (F5 Employee)

I think the problem is about the SSL handshake.

 

Without an SSL profile, the HTTP profile cannot be used because BIG-IP cannot parse the HTTP header (since it is encrypted). So I understand it is expected that you have to remove the HTTP profile when not doing SSL offloading.

 

Normally BIG-IP does not alter cookies, so I do not think there is an issue with the JSESSIONID cookie. Also, you have mentioned it does not work even using one pool member/server.

 

Just my 2 cents.

 

Kevin_Stewart (F5 Employee)

"I think the problem is about the SSL handshake."

 

I'm not sure that we've established that just yet. While the functioning of the HTTP profile DOES require, at the very least, a client SSL profile, I don't believe jnowlin has definitively answered the following questions:

 

  1. It works with client and server SSL profiles applied to the VIP but NO HTTP profile. Correct? Decrypting and re-encrypting the Java app's traffic.
  2. With client and server SSL profiles applied, if you enable a basic HTTP profile on the VIP, but DO NOT enable any persistence or any iRule, does it work?

It could indeed be that the Java client can handle the SSL termination and re-encryption, but it could also be that it simply can't handle the HTTP manipulation.

 

jnowlin_44976 (Nimbostratus)

  1. With client and server SSL profiles but NO HTTP profile it does not work; it returns to the login page.
  2. With SSL profiles applied, a basic HTTP profile on the VIP, and NO persistence/iRule it does not work; it returns to the login page.