Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.misc -> Re: 9ias, jinitiator and ssl proxy server

Re: 9ias, jinitiator and ssl proxy server

From: Craig Warman <>
Date: 8 Nov 2004 14:41:36 -0800
Message-ID: <>

To follow up on Frank's response - One thing to keep in mind is that the http (Apache) and Forms servers need to know that they will be communicating via a reverse proxy with the client. In other words, they need to be aware that an intermediary will be handling the https side of things. This is usually done by modifying the virtual host settings in httpd.conf, and making some changes on the Forms server config.

The error message you show below seems to indicate that the Forms server is trying to handle the request it sees as an encrypted (https) request - which won't be possible, since of course the request it's receiving is clear text, thanks to BigIP. If you have already dealt with virtual host settings and Forms server configs, then another route may be to have BigIP strip off the "https" - and also communicate over an unencrypted port. One test would be to look at the Forms server logfiles to see if it believes it's getting https requests that it needs to decrypt. If that's true, and you cannot get BigIP to strip off "https" (or in some way make it clear that it's not sending encrypted requests) then a sort of messy work-around would be to have Apache do something called "URL re-writes). I would recommend that you try your best to avoid this approach, however.

The 9iAS version you're using leads me to believe that you're using Forms 6i server. Consider the following links as startings point for your research:


Note that you must be using Oracle JInitiator, version or later to utilize HTTPS.

Two other places I would like to refer you to would be Metalink and OTN - look for something on configuring a reverse proxy in front of Forms Server. There are some whitepapers out there that specifically deal with this, however I don't have time at the moment to find them. I think you'll be able to locate them with a modest time investment though.

If you need to research URL re-writes, here is where you might start: Again I think you want to avoid this if possible.

I don't know that what I've provided above will be a specific answer to your query. However if you haven't already looked at the material I've referenced, perhaps it will get you going in the right direction.


Frank van Bortel <> wrote in message news:<cmoe6v$c4s$>...
> Dave Barstis wrote:
> > We're trying to put a BigIP switch in front of our 9ias (
> > server. BigIP will handle the encryption and pass an http request to
> > the app server.
> > Everything works fine when I bypass the BigIP server and only use http
> > requests directly on the app server. I get an error when trying to
> > access via BigIP.
> >
> > Here's what we have:
> >
> > 1. Client connects to (address
> > 129.74.xx.xx) which is BigIP.
> >
> > 2. BigIP sends request to (address
> > 172.19.xx.xx) which is 9i App Server behind the firewall.
> >
> > 3. Client gets menu form with
> > link on it.
> >
> > 4. While opening,
> > we get the following error:
> >
> > java.lang.ClassNotFoundException: oracle.forms.engine.Main
> >
> > with SSL handshake
> > failed: X509CertChainInvalidErr appearing in the console window.
> >
> > I looked up the X509CertChainInvalidErr on Metalink but the solution
> > doesn't apply here. Like I said, if I access the 9ias server
> > directly, all works as advertised. I'm sure it's something simple
> > that I'm overlooking but if anyone has any ideas, your help would be
> > greatly appreciated.
> >
> > Thanks,
> > Dave Barstis
> > University of Notre Dame
> Install the dependent part of your certificate
> on 9iAS; lots od browsers have base certificates on board,
> 9iAS does not; and your certificate is only a partial one,
> Verisign, I'd bet.
> Has been asked before; google is your friend
Received on Mon Nov 08 2004 - 16:41:36 CST

Original text of this message