Oracle JDBC SSL Termination failing on F5
We have created a new f5 VIP to terminate SSL and redirect the traffic to backend Oracle Database and the client is java application. We have configured the certificate using *.pfx file in f5 VIP, the same is used at client side to configure jks file to access. We have configure keystore and truststore on client side while accessing the VIP. But F5 is keep on complaining that the request received at f5 is not SSL Error in f5: cat ltm | grep Mar 17 13:15:46 abc.net warning tmm[11711]: 01260009:4: 10.0.0.0:58857 -> 10.0.0.0:8443: Connection error: ssl_passthru:5935: alert(40) not SSL Java code accessing F5 vip String jdbcUrl = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=F5ENDPOINT.net)(PORT=8443))(CONNECT_DATA=(SERVICE_NAME=ABC)))"; System.setProperty("javax.net.ssl.keyStore", "C:\\Apps\\rspt\\keystore.jks"); System.setProperty("javax.net.ssl.keyStoreType", "JKS"); System.setProperty("javax.net.ssl.keyStorePassword", "changeit"); System.setProperty("javax.net.ssl.trustStore", "C:\\Apps\\rspt\\trustStore.jks"); System.setProperty("javax.net.ssl.trustStoreType", "JKS"); System.setProperty("javax.net.ssl.trustStorePassword", "changeit"); Properties props = new Properties(); props.setProperty("user", userName); props.setProperty("password", password); props.setProperty("javax.net.ssl.keyStore", "C:\\Apps\\rspt\\keystore.jks"); props.setProperty("javax.net.ssl.keyStorePassword","changeit"); props.setProperty("javax.net.ssl.trustStore", "C:\\Apps\\rspt\\trustStore.jks"); props.setProperty("javax.net.ssl.trustStorePassword","changeit"); String query = "SELECT name FROM department WHERE departmentid= 1"; try { DriverManager.registerDriver(new oracle.jdbc.driver.OracleDriver()); con = DriverManager.getConnection(jdbcUrl,props); Statement statement = con.createStatement(); // Execute the query and obtain the result set ResultSet resultSet = statement.executeQuery(query); while (resultSet.next()) { String name = resultSet.getString("name"); System.out.println(" Name: " + name); } } catch (SQLException e) { e.printStackTrace(); } We have tried this with 80 PORT AND tcp as protocol in jdbc connection string and its working as expected. Only when we enable SSL termination on 8443, we have this issue. Can you guide what we are missing here ?SSL Connection Configuration between Apache Web server and Weblogic server
I'm currently using Apache web server as a front end server for Weblogic server 8.1 and now i' facing some configuration problem to setting up the SSL connection between this 2 server. When i open my web application page, it shows Failure of Server Apache bridge No backend server available for connection: timed out after 10 seconds or idempotent set to OFF. and my proxy.log shows: Thu Nov 03 09:36:41 2011 <182413202842013> INFO: SSL is configured Thu Nov 03 09:36:41 2011 <182413202842013> INFO: SSL configured successfully Thu Nov 03 09:36:41 2011 <182413202842013> Using Uri /favicon.ico Thu Nov 03 09:36:41 2011 <182413202842013> After trimming path: '/favicon.ico' Thu Nov 03 09:36:41 2011 <182413202842013> The final request string is '/favicon.ico' Thu Nov 03 09:36:41 2011 <182413202842013> SEARCHING id=[ebwdsk298.ebworx.com:7002] from current ID=[ebwdsk298.ebworx.com:7002] Thu Nov 03 09:36:41 2011 <182413202842013> The two ids matched Thu Nov 03 09:36:41 2011 <182413202842013> @@@FOUND...id=[ebwdsk298.ebworx.com:7002], server_name=[10.122.50.218], server_port=[80] Thu Nov 03 09:36:41 2011 <182413202842013> attempt 0 out of a max of 5 Thu Nov 03 09:36:41 2011 <182413202842013> general list: trying connect to '10.122.50.48'/7002/7002 at line 2696 for '/favicon.ico' Thu Nov 03 09:36:41 2011 <182413202842013> New SSL URL: match = 0 oid = 22 Thu Nov 03 09:36:41 2011 <182413202842013> Connect returns -1, and error no set to 10035, msg 'Unknown error' Thu Nov 03 09:36:41 2011 <182413202842013> EINPROGRESS in connect() - selecting Thu Nov 03 09:36:41 2011 <182413202842013> Setting peerID for new SSL connection Thu Nov 03 09:36:41 2011 <182413202842013> 0a7a 3230 5a1b 0000 .z20Z... Thu Nov 03 09:36:41 2011 <182413202842013> Local Port of the socket is 2121 Thu Nov 03 09:36:41 2011 <182413202842013> Remote Host 10.122.50.48 Remote Port 7002 Thu Nov 03 09:36:41 2011 <182413202842013> general list: created a new connection to '10.122.50.48'/7002 for '/favicon.ico', Local port:2121 Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs from clnt:[Host]=[10.122.50.218] Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs from clnt:[Connection]=[keep-alive] Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs from clnt:[Accept]=[*/*] Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs from clnt:[User-Agent]=[Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163 Safari/535.1] Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs from clnt:[Accept-Encoding]=[gzip,deflate,sdch] Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs from clnt:[Accept-Language]=[en-US,en;q=0.8] Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs from clnt:[Accept-Charset]=[ISO-8859-1,utf-8;q=0.7,*;q=0.3] Thu Nov 03 09:36:41 2011 <182413202842013> URL::sendHeaders(): meth='GET' file='/favicon.ico' protocol='HTTP/1.1' Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[Host]=[10.122.50.218] Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[Accept]=[*/*] Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[User-Agent]=[Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163 Safari/535.1] Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[Accept-Encoding]=[gzip,deflate,sdch] Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[Accept-Language]=[en-US,en;q=0.8] Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[Accept-Charset]=[ISO-8859-1,utf-8;q=0.7,*;q=0.3] Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[Connection]=[Keep-Alive] Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[WL-Proxy-SSL]=[false] Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[WL-Proxy-Client-IP]=[10.122.50.48] Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[Proxy-Client-IP]=[10.122.50.48] Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[X-Forwarded-For]=[10.122.50.48] Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[X-WebLogic-Force-JVMID]=[unset] Thu Nov 03 09:36:41 2011 <182413202841921> INFO: No session match found Thu Nov 03 09:36:41 2011 <182413202842013> INFO: No CA was trusted, validation failed Thu Nov 03 09:36:41 2011 <182413202841921> INFO: DeleteSessionCallback Thu Nov 03 09:36:41 2011 <182413202842013> ERROR: SSLWrite failed Thu Nov 03 09:36:41 2011 <182413202842013> SEND failed (ret=-1) at 789 of file ../nsapi/URL.cpp Thu Nov 03 09:36:41 2011 <182413202842013> *******Exception type [WRITE_ERROR_TO_SERVER] raised at line 790 of ../nsapi/URL.cpp Thu Nov 03 09:36:41 2011 <182413202842013> Marking 10.122.50.48:7002 as bad Thu Nov 03 09:36:41 2011 <182413202842013> got exception in sendRequest phase: WRITE_ERROR_TO_SERVER [os error=0, line 790 of ../nsapi/URL.cpp]: at line 3078 Thu Nov 03 09:36:41 2011 <182413202842013> INFO: Closing SSL context Thu Nov 03 09:36:41 2011 <182413202842013> INFO: Error after SSLClose, socket may already have been closed by peer Thu Nov 03 09:36:41 2011 <182413202842013> Failing over after WRITE_ERROR_TO_SERVER exception in sendRequest() Here is my step to setup the SSL connection: 1. Create a keystore( SSLkey.jks ) for weblogic use. 2. Create a certificate signing request(certreq.pem) and sent to the trusted certificate authority. 3. Download Root CA(rootca.cer) and signed certificate(supportcert.pem) from certificate authority. 4. Import rootca.cer into a custom trust key store(supporttrust.jks). 5. Configure the Weblogic console -> keystores and ssl -> Custom identity and custom trust. 6. use SSLkey.jks as custom identity keystore and supporttrust as custom trust keystore. 7. Extract the trusted CA file from supporttrust.jks to trustedcafile.der 8. Convert trustedcafile.der into trustedcafile.pem 9. Copy trustedcafile.pem into 10. Configure httpd.conf in apache LoadModule weblogic_module modules/mod_wl_20.so Notes: replace [ to < [IfModule mod_weblogic.c] WebLogicHost abc WebLogicPort 7002 SecureProxy ON TrustedCAFile conf/ssl/trustedcafile.pem RequireSSLHostMatch false Debug ALL WLLogFile logs/proxy.log [/Ifmodule] [ Location /secureWebAuth] SetHandler weblogic-handler [/Location] Can anyone tell me what should i do in order to correct this error? Your help is kindly appreciate!!! Please~
ADFS 3.0 Monitor not working
Hi All, I have been tussling with this for a couple of days now. I have used the links, http://www.f5.com/pdf/deployment-guides/microsoft-adfs-dg.pdf and https://devcentral.f5.com/articles/big-ip-and-adfs-part-5-working-with-adfs-30-and-sni to follow with no success. I have uploaded the script and set the variable but i still get the monitor down, when i browse directly to the server i am able to get to the sign in page, so I know at least ADFS configuration is correct. Below is the script i am using: !/bin/sh These argument This script expects the following Name/Value pairs: s supplied automatically for all external monitors: $1 = IP (nnn.nnn.nnn.nnn notation) $2 = port (decimal, host byte order) SNI = the host name of the SNI-enabled site URI = the URI to request RECV = the expected response Remove IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format) NODE= echo ${1} | sed 's/::ffff://' if [[ $NODE =~ ^[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$ ]]; then node is v4 NODE=${NODE} else node is v6 NODE=[${NODE}] fi PORT=${2} PIDFILE="/var/run/ basename ${0} .sni_monitor_${SNI}_${PORT}_${NODE}_sni.pid" kill of the last instance of this monitor if hung and log current pid if [ -f $PIDFILE ] then echo "EAV exceeded runtime needed to kill ${SNI}:${PORT}:${NODE}" | logger -p local0.error kill -9 cat $PIDFILE > /dev/null 2>&1 fi echo "$$" > $PIDFILE curl-apd -k -v --resolve $SNI:$PORT:$NODE https://$SNI$URI 2>&1 > /dev/null | grep -i "${RECV}" STATUS=$? rm -f $PIDFILE if [ $STATUS -eq 0 ] then echo "UP" fi exit Variable are: SNI= sso.mysite.com URI= adfs/ls/idpinitiatedsignon.htm RECV= HTTP/1.1 200 Please assist if you can. Thanks!
Maximum length/legal characters for JSESSIONID cookie
My setup is using JSESSIONID persistence to load-balance a weblogic application, and the JSESSIONID values they send to the client are quite convoluted: JSESSIONID=4k97S6kYZcX0LpD5tLLSC54yy9y2fzrtzbR90R6Qd31hGY7QQm2L!916453517 Is that length in bounds of what would work with the following persistence iRule? My version is 9.4.4: when HTTP_RESPONSE { if { [HTTP::cookie exists "JSESSIONID"] } { persist add uie [HTTP::cookie "JSESSIONID"] } } when HTTP_REQUEST { if { [HTTP::cookie exists "JSESSIONID"] } { persist uie [HTTP::cookie "JSESSIONID"] } } Thanks.Another thread for command to create pool and VIP
Hi there, I have just started working on a new project that requires me to create new pool on command-line. I am just a beginner for F5 network. So far I have found this link which tells me how to create a new pool. https://devcentral.f5.com/questions/command-to-create-pool-and-vip. But when I was trying the 1st command-line such as follows, that is what I got. c9admin@pd-bigip-slc-dev03a(Active)(tmos) c9admin@pd-bigip-slc-dev03a(Active)(tmos) create ltm pool myfirstpool members add { 10.255.255.255:80 } monitor http Syntax Error: "pool" unexpected argument Does anyone know why ? Thanks for the help. Chun
F5 memory usage
Just worried about high memory usage on my F5 8950, v11.1: [root@f5:Active] config tmsh show sys memory | head Sys::System Memory Information ------------------------------------------------------------------ Memory Used(bytes) Current Average Max(since 05/21/14 23:20:00) ------------------------------------------------------------------ Total Phys Memory 15.7G 15.7G 15.7G OS Used Memory 15.4G 15.4G 15.4G TMM Alloc Memory 8.2G 8.2G 8.2G TMM Used Memory 954.3M 924.8M 954.8M [root@f5:Active] config free -m total used free shared buffers cached Mem: 16078 15844 233 0 567 4195 -/+ buffers/cache: 11081 4997 Swap: 1023 7 1016 The TMM shows low usage but the Linux OS shows only 233MB free out of 15.7GB. Here is a top: top - 02:45:07 up 451 days, 4:34, 5 users, load average: 0.53, 0.34, 0.19 Tasks: 359 total, 4 running, 354 sleeping, 0 stopped, 1 zombie Cpu(s): 7.3%us, 1.6%sy, 0.4%ni, 90.6%id, 0.2%wa, 0.0%hi, 0.0%si, 0.0%st Mem: 16464436k total, 16233548k used, 230888k free, 581124k buffers Swap: 1048504k total, 7448k used, 1041056k free, 4302064k cached VIRT PID USER PR NI RES SHR S %CPU %MEM TIME+ COMMAND 1365m 15565 root RT 0 126m 125m S 12.9 0.8 893:22.50 tmm 1365m 15566 root RT 0 126m 125m S 10.6 0.8 717:47.65 tmm 1365m 15567 root RT 0 126m 125m S 8.9 0.8 810:56.81 tmm 1365m 15568 root RT 0 126m 125m R 7.3 0.8 955:00.22 tmm 1365m 15569 root RT 0 126m 125m S 6.3 0.8 723:16.05 tmm 1365m 15570 root RT 0 126m 125m S 6.6 0.8 768:51.00 tmm 1365m 15571 root RT 0 126m 125m S 6.0 0.8 606:04.78 tmm 1365m 15572 root RT 0 126m 125m S 7.6 0.8 621:15.98 tmm 445m 8188 mysql 20 0 66m 5468 S 0.0 0.4 125:29.68 mysqld 301m 8313 tomcat 20 0 251m 3016 S 0.0 1.6 302:25.53 java 181m 16014 root 20 0 30m 15m S 0.0 0.2 1:46.32 eam 171m 6643 root 20 0 39m 4036 S 0.0 0.2 80:17.65 java 138m 6450 root 20 0 97m 9.9m S 0.3 0.6 3022:29 mcpd 134m 15828 root 20 0 36m 18m S 0.0 0.2 4:04.94 apd 134m 5694 root 20 0 29m 11m S 0.7 0.2 4169:52 md 124m 16124 root 20 0 4676 3228 S 0.0 0.0 0:01.41 dpid 104m 6395 root 20 0 19m 9356 S 0.0 0.1 0:42.31 apmd 91992 6644 root 20 0 20m 7512 S 0.0 0.1 166:19.54 cbrd 87428 5750 root 20 0 9896 5788 S 0.0 0.1 28:12.64 chmand 80092 5646 root 20 0 15m 7476 S 0.0 0.1 5:09.39 monpd 75544 16263 root 20 0 23m 14m S 0.3 0.1 12:31.71 websso 75544 16292 root 20 0 23m 14m S 0.7 0.1 12:32.09 websso 75544 16349 root 20 0 23m 14m S 0.0 0.1 12:31.50 websso 74520 16169 root 20 0 23m 14m R 0.0 0.1 12:32.60 websso 74520 16276 root 20 0 23m 14m S 0.3 0.1 12:32.08 websso 74520 16305 root 20 0 23m 14m S 0.0 0.1 12:37.58 websso 74520 16319 root 20 0 23m 14m S 0.0 0.1 12:30.79 websso 74520 16333 root 20 0 23m 14m S 0.3 0.1 12:31.37 websso Is this OK, or will the Linux OS run out of memory?Webcenter Cookie persistence
Hello, I have some problems when implementing cookie persistence for an Oracle WebCenter pool . The problem is that when i add persistence using an irule, the value is not mantained and the persistence fails. I have writed this irule to troubleshoot the problem. Please, any clue if is possible to enhance the solution? Or i have any mistake on the writed fields. when HTTP_REQUEST priority 300 { if { [HTTP::cookie "F5test"] ne "" } { pool "p_evo_wl" persist uie [HTTP::cookie "F5test"] if {[HTTP::cookie "F5test"] starts_with "f5id_"}{ HTTP::cookie remove "F5test" } } else { pool "p_evo_wl" } } when HTTP_RESPONSE { if { [HTTP::cookie "F5test"] eq "" }{ set rndumb "f5id_[expr { int(100000000 * rand()) }]" HTTP::cookie insert name "F5test" value $rndumb" persist add uie $rndumb 14400 } else { persist add uie [HTTP::cookie "F5test"] } } Many thanks in advance! Javier
APM: Insert a cookie on a HTTP Response inside apm flow
Hi all, this is the situation: I'm performing a simple authentication on an Oracle LDAP by APM, in case of password expiration I configured an endig that redirect on an external change password page. I need to send to this page, and so to the user, a cookie (or a header, it doesn't matter) with the user name of the user that made login. I've tried with an iRule on HTTP Response event but it doesn't seems to be triggered when the ending of the apm flow is a redirect. This is the simple iRule that I used: when HTTP_RESPONSE { log local0. "Inserisco il cookie con il nome utente" HTTP::cookie insert name "user" value "Pippo" } I can't see log on ltm, so I imagined that in case of redirect I don't exit from APM, so I tried to insert an iRule on ACCESS_POLICY_AGENT_EVENT: when ACCESS_POLICY_AGENT_EVENT { HTTP::cookie insert name "user" value "pippo" log local0. "INSERTUSER: Sto inserendo il cookie" } But still nothing.... Can you help me? Cristian
ORACLE RAC IRULE ISSUES (JDBC QUERY)
I need help on my Oracle Database VIP. It is configured and green,however,when a JDBC call is made to virtual Ip, there is TNS LISTENER ERROR. Part of my irule goes thus, service name is "tpp_n4" when CLIENT_ACCEPTED { set last_service_name "tpp_n4" Change to a non-zero number if your clients are specifying an INSTANCE_NAME in their connect stings and you wish to remove it. This allows you to have clients connect through the BIG-IP without the need to worry which instance of your database the connection gets load-balanced to. As a result, the individual nodes will not reject a connection because of a Instance Name mismatch. set remove_instance_name 0 Map service names to the pool on which they run. Use lower case instance names since arrays are case-sensitive and we are converting everything to lower case when we do comparisons later on. array set switch_map { "tpp_n4" "ORACLE_11G_PRIMARY" } TCP::collect }
Replace SID to SERVICE_NAME in Oracle connnection string
Hi, I am trying to replace SID with SERVICE_NAME in an Oracle connection string using an irule on an F5 Oracle VS. I have used as a starting point the irule documented here - https://devcentral.f5.com/articles/oracle-rac-connection-string-rewrite - I am basically doing the reverse. ie SID to SERVICE_NAME not SERVICE_NAME to SID My setup.. A VS with a pool configured, lets call it "default_pool" - this pool should be used if no SID replacement needs to occur. Then, I have another pool not configured to any VS, lets call it "other_pool" - this pool should be used if the SID is replaced with SERVICE_NAME. The problem I am facing is that when replacing the SID with SERVICE_NAME in the TCP::payload it overwrites any trailing parts of the Oracle Connection string. eg. Original connecting string from application to the VS (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.11.110.10)(PORT=1521))(CONNECT_DATA=(SERVER=DEDICATED)(SID=MYSID)(CID=(PROGRAM=sqlplus)(HOST=xxxxxxx)(USER=xxxxxx)))) Replacement connection string after irule manipulation (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.11.110.10)(PORT=1521))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=MYSERVICENAME)(HOST=xxxxxxx)(USER=xxxxxx)))) As you can see from above the irule below has replaced the SID but has not preserved the trailing data entirely, ie. (CID=(PROGRAM=sqlplus) has been overwritten. My question is how can I replace SID=MYSID, with SERVICE_NAME=MYSERVICENAME whilst preserving the trailing connection data and then send the connection onto "other_pool" given the application connect string mentioned above and the irule below? when CLIENT_ACCEPTED { TCP::collect } when CLIENT_DATA { if { [TCP::payload] contains "(CONNECT_DATA=" } { set sid_match "" log local0. "Have access to TCP::Payload" set sid_match [regexp -all -inline -indices "\(SID=MYSID\)" [TCP::payload]] log local0. "Found a sid_match = $sid_match" set service_name "SERVICE_NAME=MYSERVICENAME" set tmp [lindex $sid_match 1] set newservice [list $tmp] foreach instance $newservice { log local0. "Iterating through connect strings in the payload. Raw: $instance" set sid_start [lindex $instance 0] set original_tcp_length [TCP::payload length] TCP::payload replace $sid_start 34 $service_name log local0. "Inserted Servicename at $sid_start offset." TCP::payload replace 0 2 [binary format S1 [TCP::payload length]] log local0. "Updated packet with new length: [TCP::payload length] - original $original_tcp_length" set looking_for_connect [findstr [TCP::payload] "(DESCRIPTION" 0] log local0. "Looking for connect: $looking_for_connect" set connect_data_length [string length [findstr [TCP::payload] "(DESCRIPTION" 0]] TCP::payload replace 24 2 [binary format S1 $connect_data_length] log local0. "New Oracle data length is $connect_data_length" } } if { [TCP::payload] contains "(CONNECT_DATA=" } { set looking_for_connect [findstr [TCP::payload] "(DESCRIPTION" 0] log local0. "2. Looking for connect: $looking_for_connect" } TCP::release TCP::collect if { $sid_match != "" } { pool other_pool } else { do nothing further - found no SID match - use the VS default_pool log local0 "No match - use the VS default_pool" } }