ibm
The remote server's SSL certificate has already expired - Plugin ID 15901
Hi Experts,

We are running a Nessus scan against our F5 BIG-IP LTM devices and getting the following alert:

The remote server's SSL certificate has already expired - Plugin ID 15901

Now the problem is that we are using the IP address to log on to these devices instead of a common name (CN), which is what SSL certs use. We can't remove it for sure. Now how to regenerate it without a common name (CN) is a concern for us?

Some information from F5: http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos_management_guide_10_1/tmos_device_certif_config.html1019303

Here is our cert information:

    General Properties
        Name: server
        Certificate Subject(s): My Company Ltd
    Certificate Properties
        Expires: Jan 16, 2013
        Version: 3
        Serial Number: XXXX
    Subject
        Common Name:
        Organization: My Company Ltd
        Division:
        Locality: Yes
        State Or Province: No
        Country: YO
    Issuer: Self

Any advice will be highly appreciated. Thanks

Block HTTP access from specific user agent(2)
Dear community,

I want to arrange an iRule which I learned from the following URL: https://devcentral.f5.com/questions/block-https-access-from-specific-user-agentanswer118447

Can I use an iRule like this? My client doesn't want to show even a 404.

    when HTTP_REQUEST {
        log local0. "User-Agent:[HTTP::header "User-Agent"]"
        # pattern is braced so Tcl does not substitute inside it; the lowercased
        # User-Agent is matched anywhere, unanchored
        if { ([regexp {sqlmap|havij|nmap|nessus|absinthe|nikto|w3af|pangolin|bsqlbf|prog.customcrawler|sql power injector|mysqloit|netsparker} [string tolower [HTTP::header "User-Agent"]]]) && !([IP::addr [IP::client_addr] equals 192.168.115.100]) } {
            discard
            log local0. "[HTTP::header "User-Agent"] discarding."
        }
    }

The remote service supports the use of week/medium strength SSL ciphers - Plugin ID (26928/42873)
Hi There,

We are running a Nessus scan for BIG-IP LTM devices and getting the following alerts:

The remote service supports the use of medium strength SSL ciphers - Plugin ID (26928)
The remote service supports the use of weak SSL ciphers - Plugin ID (42873)

Description: The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits. Note: This is considerably easier to exploit if the attacker is on the same physical network.
Solution: Reconfigure the affected application if possible to avoid use of medium strength ciphers.

Basically these alerts only indicate the admin IP and the alert, so we assume these alerts are related to the admin interface, where low/medium end ciphers need to be disabled. This was our initial cipher strength:

    HTTPD - SSLCipherSuite: ALL:!ADH:!EXPORT56:!eNULL:!MD5:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

In the configuration, we have disabled low ciphers, i.e.

    HTTPD - SSLCipherSuite: ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW

This disables all ciphers with a key length of less than 128 bits. http://support.f5.com/kb/en-us/solutions/public/7000/800/sol7815.html

Even after applying the fix, we are getting these alerts. Can anyone advise what the possible solution/fix is here? Can we take them as false positives and close the alerts?

Thanks in advance!!

Can't open java applet component when connecting to the application through Load balancer F5
Hi,

We have one new building and the workstations are connected to our network. There are two systems that have Java applet components which, when clicked, do not load the Java applet. But when connecting to the application server node directly, these Java applet components open. All other buildings in other locations are working fine, even through the current F5. Only this site has the issue!!!

Our colleagues checked the workstation configurations and also brought one workstation to our IT department building and connected to the same applications through the same F5; it worked without any issues.

I have one system for Oracle Applications 12.1 on which I enabled the Java debugging console. The output showed the exception:

    network: Connecting http://hrms.domain.org:8080/ with proxy=DIRECT
    java.lang.InterruptedException
        at java.lang.Object.wait(Native Method)
        at sun.plugin2.message.Queue.waitForMessage(Unknown Source)
        at sun.plugin2.message.Pipe.receive(Unknown Source)
        at sun.plugin2.main.client.MessagePassingExecutionContext.doCookieOp(Unknown Source)
        at sun.plugin2.main.client.MessagePassingExecutionContext.getCookie(Unknown Source)
        at sun.plugin2.main.client.PluginCookieSelector.getCookieFromBrowser(Unknown Source)
        at com.sun.deploy.net.cookie.DeployCookieSelector.getCookieInfo(Unknown Source)
        at com.sun.deploy.net.cookie.DeployCookieSelector.get(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.setCookieHeader(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.writeRequests(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
        at com.sun.deploy.net.DownloadEngine.getJarFileWithoutCache(Unknown Source)
        at com.sun.deploy.net.DownloadEngine.downloadJarWithoutCache(Unknown Source)
        at sun.plugin.PluginURLJarFileCallBack$2.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.plugin.PluginURLJarFileCallBack.retrieve(Unknown Source)
        at sun.net.www.protocol.jar.URLJarFile.retrieve(Unknown Source)
        at sun.net.www.protocol.jar.URLJarFile.getJarFile(Unknown Source)
        at sun.net.www.protocol.jar.JarFileFactory.get(Unknown Source)
        at sun.net.www.protocol.jar.JarURLConnection.connect(Unknown Source)
        at sun.plugin.net.protocol.jar.CachedJarURLConnection.connect(Unknown Source)
        at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFileInternal(Unknown Source)
        at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFile(Unknown Source)
        at com.sun.deploy.security.DeployURLClassPath$JarLoader.getJarFile(Unknown Source)
        at com.sun.deploy.security.DeployURLClassPath$JarLoader.access$1000(Unknown Source)
        at com.sun.deploy.security.DeployURLClassPath$JarLoader$1.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.sun.deploy.security.DeployURLClassPath$JarLoader.ensureOpen(Unknown Source)
        at com.sun.deploy.security.DeployURLClassPath$JarLoader.<init>(Unknown Source)
        at com.sun.deploy.security.DeployURLClassPath$3.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
        at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
        at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
        at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
        at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
        at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
        at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
        at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
        at java.lang.ClassLoader.loadClass(Unknown Source)
        at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
        at sun.plugin2.applet.Plugin2Manager.createApplet(Unknown Source)
        at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
    network: Cookie service is not available - use cache to determine "Cookie"
    network: Connecting http://hrms.domain.org:8080/OA_JAVA/oracle/apps/fnd/jar/fndewt.jar with cookie "HRPROD=rClRylxIBeH_r2yj3qbDh_n8:S; BIGipServerPool-NDC-HRMS-8080=269161644.16415.0000; oracle.uix=0^^GMT+3:00^p"
    network: Downloading resource: http://hrms.domain.org:8080/OA_JAVA/oracle/apps/fnd/jar/fndewt.jar
        Content-Length: 2,241,848
        Content-Encoding: null

We are using BIG-IP 11.0.0 Build 8037.0 Final.

The issue only happens for that building; all other buildings connecting through the same F5 are working fine without any issues. When opening the page directly from the application server, like http://node1.domain.org:8080, the Java applet is downloadable and can be displayed.

Kindly advise.

Thank you,
C.

Combine Client accepted and http_request.
I have a requirement to forward a source IP to a particular pool member. Since I already have HTTP_REQUEST configured, is it a good idea to add CLIENT_ACCEPTED into the same iRule?

    when HTTP_REQUEST {
        if { [HTTP::host] == "my fqdn" } {
            HTTP::redirect "https://myfqdn/irj/portal/"
            pool pool_t_portal
        }
        if { [HTTP::uri] equals "/" or [HTTP::uri] equals "/index.html" or [HTTP::uri] equals "/webdynpro/welcome/Welcome.jsp" } {
            HTTP::redirect "https://[HTTP::host]/irj/portal/"
        }
        if { [HTTP::uri] starts_with "/~" and [HTTP::uri] ends_with "index.html" } {
            HTTP::redirect "https://[HTTP::host]/irj/portal/"
        }
        if { [HTTP::uri] starts_with "/uddiclient" or [HTTP::uri] equals "/uddiclient/process" } {
            HTTP::redirect "https://[HTTP::host]/irj/portal/"
        }
        if { [HTTP::uri] equals "/nwa" } {
            HTTP::redirect "https://[HTTP::host]/irj/portal/"
        }
    }
    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr] equals "src.src.src.src"] } {
            pool "pool_q_portal" member dst.dst.dst.dst
        }
    }

Configure X-forwarded-for on WebSphere App server
Hi,

I need to use X-Forwarded-For to print data from the client that hit the load balancer in the WebSphere app server. My architecture is as follows: 5 app servers connect to --- F5 ---- directed request to 2 app servers.

Can I use X-Forwarded-For to print this data directly from F5 to the app servers' SystemOut, since I do not use HTTP servers?

Regards,

Websphere Portal and webmaster access error
Dear all,

I had Virtual Server 172.16.80.72 with a pool of 3 WebSphere app servers: 172.16.85.71:10039, 172.16.85.72:10050, 172.16.85.73:10050. The VS's iRule redirects from http://172.16.80.72 to http://172.16.80.72/wcs/portal. After configuration, clients access it well, but the webmaster has a few complaints. After logging in to the admin website, the admin interface shows broken icons. When clicking the tab for system administrator, the error message displays "Google Chrome could not connect to http://172.16.80.72:10050/wcs/myportal". I want to use the VS to replace the edge server 172.16.80.32. If I click the tab for system administrator on 172.16.80.32, the access link is http://172.16.80.32/wcs/myportal. How to resolve the problem? Do I need to configure this on F5, or request the webmaster to configure the app server so that the HTTP response to F5 auto-changes the service port from 10050 to 80?

Best regards

Error creating an ltm monitor template on an F5 Loadbalancer BigIP 11.x device using the iControl Java API call: LocalLB__Monitor__create_template
Hi,

I'm trying to create an ltm monitor template on an F5 Loadbalancer BigIP 11.x device using the iControl Java API to make the create_template call as described here: link text

I have a few questions as to how the IP address is created. I have tried a number of combinations and none of them seem to work. Some will allow the creation of the template but the IP address information seems to be missing.

My understanding from the LocalLB__AddressType API is that the following is true:

    Member                                Value  Description
    ATYPE_UNSET                           0      The address type is unknown.
    ATYPE_STAR_ADDRESS_STAR_PORT          1      For example, "*:*".
    ATYPE_STAR_ADDRESS_EXPLICIT_PORT      2      For example, "*:80".
    ATYPE_EXPLICIT_ADDRESS_EXPLICIT_PORT  3      For example, "10.10.10.1:80".
    ATYPE_STAR_ADDRESS                    4      For example, "*".
    ATYPE_EXPLICIT_ADDRESS                5      For example, "10.10.10.1".

There may be errors with my assumption or the documentation though, as my interpretation differs from the documentation for the following members: ATYPE_STAR_ADDRESS and ATYPE_EXPLICIT_ADDRESS [link text](https://devcentral.f5.com/wiki/iControl.LocalLB__AddressType.ashx)

So the questions I have are:

Q1. Are my assumptions regarding the address members correct? (If so, I can edit the API.)

Q2. As I have to specify an IP address and port number in the creation of the CommonIPPortDefinition:LocalLBMonitorIPPort (String, long), what IP address and port numbers are given for the following scenarios?
    "*" [0.0.0.0, 0]?
    "*:*" [0.0.0.0, 0]?
    "10.10.10.10" [10.10.10.10, 0 if my assumption is correct for ATYPE_EXPLICIT_ADDRESS]?

I seem to be having problems with this part of the code:

    // create inputCommonAttributes
    CommonIPPortDefinition ipPort = new CommonIPPortDefinition("*:*", 0);
    LocalLBMonitorIPPort monitorIPPort = new LocalLBMonitorIPPort(
            LocalLBAddressType.ATYPE_STAR_ADDRESS_STAR_PORT, ipPort);

From the API, I understand that the call needs to be made in the following way after creating the LocalLBMonitorBindingStub:

    // inputs for create template
    LocalLBMonitorMonitorTemplate[] inputTemplateArray = new LocalLBMonitorMonitorTemplate[1];
    LocalLBMonitorCommonAttributes[] inputCommonAttributes = new LocalLBMonitorCommonAttributes[1];

    // create template
    LocalLBMonitorTemplateType templateType = LocalLBMonitorTemplateType.TTYPE_DIAMETER;
    LocalLBMonitorMonitorTemplate monitorTemplate =
            new LocalLBMonitorMonitorTemplate("TestTemplate", templateType);

    // add template to inputTemplateArray
    inputTemplateArray[0] = monitorTemplate;

    // create inputCommonAttributes
    CommonIPPortDefinition ipPort = new CommonIPPortDefinition("*", 80);
    LocalLBMonitorIPPort monitorIPPort = new LocalLBMonitorIPPort(
            LocalLBAddressType.ATYPE_STAR_ADDRESS_EXPLICIT_PORT, ipPort);
    LocalLBMonitorCommonAttributes commonAttributes =
            new LocalLBMonitorCommonAttributes("diameter", 10, 31, monitorIPPort, false, true);

    // add common attributes to inputCommonAttributes array
    inputCommonAttributes[0] = commonAttributes;

    // make the call to the device
    localLBMonitorBindingStub.create_template(inputTemplateArray, inputCommonAttributes);

Output of exception:

    AxisFault
     faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server
     faultSubcode:
     faultString: Exception caught in LocalLB::urn:iControl:LocalLB/Monitor::create_template()
    Exception: Common::OperationFailed
        primary_error_code   : 16908320 (0x01020020)
        secondary_error_code : 0
        error_string         : 01020020:3: The text string cannot be converted to an IP address.
     faultActor:
     faultNode:
     faultDetail:
        {http://xml.apache.org/axis/}stackTrace:Exception caught in LocalLB::urn:iControl:LocalLB/Monitor::create_template()
    Exception: Common::OperationFailed
        primary_error_code   : 16908320 (0x01020020)
        secondary_error_code : 0
        error_string         : 01020020:3: The text string cannot be converted to an IP address.
        at org.apache.axis.message.SOAPFaultBuilder.createFault(SOAPFaultBuilder.java:222)
        at org.apache.axis.message.SOAPFaultBuilder.endElement(SOAPFaultBuilder.java:129)
        at org.apache.axis.encoding.DeserializationContext.endElement(DeserializationContext.java:1087)
        at org.apache.xerces.parsers.AbstractSAXParser.endElement(Unknown Source)
        at org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanEndElement(Unknown Source)
        at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
        at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
        at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
        at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
        at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
        at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
        at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
        at org.apache.xerces.jaxp.SAXParserImpl.parse(Unknown Source)
        at org.apache.axis.encoding.DeserializationContext.parse(DeserializationContext.java:227)
        at org.apache.axis.SOAPPart.getAsSOAPEnvelope(SOAPPart.java:696)
        at org.apache.axis.Message.getSOAPEnvelope(Message.java:435)
        at org.apache.axis.transport.http.HTTPSender.readFromSocket(HTTPSender.java:796)
        at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144)
        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
        at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
        at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
        at org.apache.axis.client.Call.invoke(Call.java:2767)
        at org.apache.axis.client.Call.invoke(Call.java:2443)
        at org.apache.axis.client.Call.invoke(Call.java:2366)
        at org.apache.axis.client.Call.invoke(Call.java:1812)
        at com.intelliden.drivers.f5.generated.LocalLBMonitorBindingStub.create_template(LocalLBMonitorBindingStub.java:1025)
        at com.intelliden.drivers.f5.F5TestMonitor.main(F5TestMonitor.java:70)
        {http://xml.apache.org/axis/}hostname:IBM988-R901C8N1

Any help would be greatly appreciated. Thanks in advance.

Kind regards,
Don

F5 as an SSL Forward proxy for IBM Websphere MQ
Hello,

We designed our WebSphere MQ communication system using F5 as a forward proxy and also offloading SSL encryption & authentication to the F5 layer between 2 queue managers. Unfortunately, for messages greater than 32KB we are having a problem decoding the SSL-encrypted message coming via F5, because it is not in the MQ-expected format. I have illustrated the detailed description of our design and the scenarios we tried out during implementation.

• SSL certificate loaded in Queue Manager A (QMA), and the channel is enabled with cipher spec "TRIPLE_DES_SHA_US".
• Queue Manager B (QMB) SSL certificate is offloaded in BIG-IP F5. Between QMB and F5 there is no SSL enabled.
• F5 takes care of the SSL handshake, encryption and decryption of messages with the QMA SSL-enabled channel.

Scenario 1: [Success - No SSL - Two Way]
• Messages sent successfully between QMB and QMA via F5 without any SSL.
• Messages of any size are transferred successfully between QMB and QMA.

Scenario 2: [Success - With SSL for message size below 32 KB - Two Way]
• SSL enabled in F5 and in the QMA channel.
• Messages of size 32 KB and below are sent successfully from QMB via F5 (SSL encryption takes place); messages get decrypted by QMA SSL and received in the queue.

Scenario 3: [Failure - With SSL for message size above 32 KB - One Way from QMB to QMA]
• When a message of size above 32 KB is sent via QMB, the message gets encrypted by F5. But when the message is received in QMA, it is received without the TSH header.

Scenario 4: [Success - With SSL for message size above 32 KB - One Way from QMA to QMB]
• When a message of size above 32 KB is sent from QMA, the message is encrypted by QMA, gets properly decrypted by F5 and is passed on to QMB.

So our problem is in scenario 3, for message sizes above 32 KB coming via F5 with SSL enabled. Please let us know if there is any solution for this problem.
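For the cipher-suite question (Plugin IDs 26928/42873) above, the check worth making before pushing any SSLCipherSuite value to the device is to expand the string the way the httpd's OpenSSL does and look at which suites survive, because OpenSSL's LOW/MEDIUM/HIGH groups are not the scanner's key-length bands: `!LOW` leaves the MEDIUM group (RC4, SEED and IDEA in the OpenSSL of that era) untouched. The script below is an added example, not code from the post or from F5. It uses only Python's standard ssl module, so the suites it lists are those of the OpenSSL build Python links against rather than the BIG-IP's; the key-length bands follow the Nessus text quoted in the post, while WEAK_TOKENS, MEDIUM_TOKENS and the STRICT string are assumptions of mine.

```python
# Added example (not from the F5 post): audit an OpenSSL/Apache-style
# cipher string offline by letting the ssl module expand it, then label
# each enabled suite the way a scanner would.
import ssl

# Name tokens that make a suite "weak" or "medium" regardless of the
# nominal key length (assumption about what scanners flag by algorithm).
WEAK_TOKENS = ("NULL", "EXP", "ADH", "AECDH")
MEDIUM_TOKENS = ("RC4", "DES", "MD5", "SEED", "IDEA")


def expand_cipher_string(cipher_string):
    """Return the suites OpenSSL actually enables for the string.

    Tokens OpenSSL does not know (SSLv2 or EXPORT40 on a modern build) are
    silently ignored; only an empty result raises ssl.SSLError, which is
    the behaviour the httpd on the device gets as well.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()  # list of dicts: name, protocol, strength_bits, ...


def classify(suite):
    """'weak' below 56 bits or anonymous/export/null, 'medium' for
    56..111 bits or a flagged algorithm, otherwise 'ok'."""
    name = suite["name"].upper()
    bits = suite["strength_bits"]
    if bits < 56 or any(tok in name for tok in WEAK_TOKENS):
        return "weak"
    if bits < 112 or any(tok in name for tok in MEDIUM_TOKENS):
        return "medium"
    return "ok"


def audit(cipher_string):
    """Map every suite the string enables to its label."""
    return {s["name"]: classify(s) for s in expand_cipher_string(cipher_string)}


def flagged(cipher_string):
    """Sorted names of the suites a scanner would still report."""
    return sorted(n for n, label in audit(cipher_string).items() if label != "ok")


# The two SSLCipherSuite values from the post and a stricter alternative
# (the stricter string is my assumption, not an F5 recommendation).
INITIAL = "ALL:!ADH:!EXPORT56:!eNULL:!MD5:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
AFTER_FIX = "ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"
STRICT = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES"


if __name__ == "__main__":
    for label, value in (("initial", INITIAL), ("after fix", AFTER_FIX), ("strict", STRICT)):
        report = audit(value)
        print(f"{label}: {len(report)} suites enabled, still flagged: {flagged(value) or 'none'}")
```

Run it as a script to compare the three strings, or call audit() on a candidate value. The authoritative expansion is the one on the device itself (the BIG-IP ships an openssl binary, so `openssl ciphers -v '<string>'` there lists exactly what its httpd can offer), and a clean local audit does not close the finding: the running httpd has to be restarted with the new list and the port rescanned before the alert can be treated as resolved.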