
Home -> Community -> Usenet -> c.d.o.server -> Re: 9ias, jinitiator and ssl proxy server

Re: 9ias, jinitiator and ssl proxy server

From: Craig Warman <crwarman_at_yahoo.com>
Date: 8 Nov 2004 14:41:36 -0800
Message-ID: <a24e13f4.0411081441.33f78464@posting.google.com>


To follow up on Frank's response - One thing to keep in mind is that the http (Apache) and Forms servers need to know that they will be communicating via a reverse proxy with the client. In other words, they need to be aware that an intermediary will be handling the https side of things. This is usually done by modifying the virtual host settings in httpd.conf, and making some changes on the Forms server config.

The error message you show below seems to indicate that the Forms server is trying to handle the request it sees as an encrypted (https) request - which won't be possible, since of course the request it's receiving is clear text, thanks to BigIP. If you have already dealt with virtual host settings and Forms server configs, then another route may be to have BigIP strip off the "https" - and also communicate over an unencrypted port. One test would be to look at the Forms server logfiles to see if it believes it's getting https requests that it needs to decrypt. If that's true, and you cannot get BigIP to strip off "https" (or in some way make it clear that it's not sending encrypted requests) then a sort of messy work-around would be to have Apache do something called "URL re-writes". I would recommend that you try your best to avoid this approach, however.

The 9iAS version you're using leads me to believe that you're using Forms 6i server. Consider the following links as starting points for your research:
http://download-east.oracle.com/docs/cd/A97335_01/apps.102/a86202/chap05.htm#1018024

And
http://download-east.oracle.com/docs/cd/A97335_01/apps.102/a86202/chap12.htm#84263

Note that you must be using Oracle JInitiator, version 1.1.7.30 or later to utilize HTTPS.

Two other places I would like to refer you to would be Metalink and OTN - look for something on configuring a reverse proxy in front of Forms Server. There are some whitepapers out there that specifically deal with this, however I don't have time at the moment to find them. I think you'll be able to locate them with a modest time investment though.

If you need to research URL re-writes, here is where you might start: http://httpd.apache.org/docs/misc/rewriteguide.html Again I think you want to avoid this if possible.

I don't know that what I've provided above will be a specific answer to your query. However if you haven't already looked at the material I've referenced, perhaps it will get you going in the right direction.

Craig

Frank van Bortel <fvanbortel_at_netscape.net> wrote in message news:<cmoe6v$c4s$1_at_news6.zwoll1.ov.home.nl>...
> Dave Barstis wrote:
> > We're trying to put a BigIP switch in front of our 9ias (1.0.2.2.2)
> > server. BigIP will handle the encryption and pass an http request to
> > the app server.
> > Everything works fine when I bypass the BigIP server and only use http
> > requests directly on the app server. I get an error when trying to
> > access via BigIP.
> >
> > Here's what we have:
> >
> > 1. Client connects to https://host.name.edu:9098 (address
> > 129.74.xx.xx) which is BigIP.
> >
> > 2. BigIP sends request to http://host.name.edu:9098 (address
> > 172.19.xx.xx) which is 9i App Server behind the firewall.
> >
> > 3. Client gets menu form with
> > https://host.name.edu:9098/dev60cgi/f60cgi?config=INSTANCE link on it.
> >
> > 4. While opening https://host.name.edu:9098/forms60java/oracle/forms/engine/Main.class,
> > we get the following error:
> >
> > java.lang.ClassNotFoundException: oracle.forms.engine.Main
> >
> > with java.io.IOException: javax.net.ssl.SSLException: SSL handshake
> > failed: X509CertChainInvalidErr appearing in the console window.
> >
> > I looked up the X509CertChainInvalidErr on Metalink but the solution
> > doesn't apply here. Like I said, if I access the 9ias server
> > directly, all works as advertised. I'm sure it's something simple
> > that I'm overlooking but if anyone has any ideas, your help would be
> > greatly appreciated.
> >
> > Thanks,
> > Dave Barstis
> > University of Notre Dame
>
> Install the dependent part of your certificate
> on 9iAS; lots of browsers have base certificates on board,
> 9iAS does not; and your certificate is only a partial one,
> Verisign, I'd bet.
>
> Has been asked before; google is your friend
Received on Mon Nov 08 2004 - 16:41:36 CST
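
The incomplete-chain condition raised in this thread (a server certificate presented without the intermediate it depends on) can be reproduced offline. The following is an added example, not part of the original posts: it builds a throwaway root, intermediate and leaf with the `openssl` CLI and shows that a client trusting only the root rejects the leaf unless the intermediate is sent with it. The function names, file names and CNs are hypothetical.

```bash
#!/usr/bin/env bash
# Constructed demo PKI: root CA -> intermediate CA -> server leaf (throwaway keys).
# build_demo_chain, chain_verifies and all file names/CNs are hypothetical.

build_demo_chain() {   # $1 = empty working directory
  local d=$1 name
  printf '%s\n' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign' '[v3_leaf]' 'basicConstraints=CA:FALSE' > "$d/ext.cnf"
  for name in root inter leaf; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/$name.key" 2>/dev/null
    openssl req -new -key "$d/$name.key" -subj "/CN=demo-$name" -out "$d/$name.csr" 2>/dev/null
  done
  # Self-signed root; root signs the intermediate; intermediate signs the leaf.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ext.cnf" -extensions v3_ca -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ext.cnf" -extensions v3_ca -out "$d/inter.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -set_serial 3 -days 2 -extfile "$d/ext.cnf" -extensions v3_leaf -out "$d/leaf.pem" 2>/dev/null
}

# Returns 0 only if the leaf chains to the trusted root.
# $1 = directory, $2 = optional file of intermediates the server sent with the leaf.
chain_verifies() {
  local d=$1 sent=${2:-}
  if [ -n "$sent" ]; then
    openssl verify -CAfile "$d/root.pem" -untrusted "$sent" "$d/leaf.pem" 2>&1
  else
    openssl verify -CAfile "$d/root.pem" "$d/leaf.pem" 2>&1
  fi | grep -q ': OK$'
}

demo=$(mktemp -d) && build_demo_chain "$demo"
if chain_verifies "$demo"; then echo "leaf only: OK"
else echo "leaf only: chain invalid (intermediate not supplied)"; fi
if chain_verifies "$demo" "$demo/inter.pem"; then echo "leaf + intermediate: OK"
else echo "leaf + intermediate: chain invalid"; fi
```

Against a live front end, `openssl s_client -connect <host>:<port> -showcerts` lists the certificates the TLS terminator actually sends, which is the chain the client has to validate.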
