Re: 9ias, jinitiator and ssl proxy server

From: Dave Barstis <dbarstis_at_nd.edu>
Date: 9 Nov 2004 07:16:31 -0800
Message-ID: <66758d84.0411090716.1bf1a7d6_at_posting.google.com>


Thanks Frank and Craig. I'll review the documents. It's not a problem with the cert. This was a standalone server before trying to put BigIP in front of it. The server handled https requests just fine. Now the server is configured to handle http requests since the ssl handshake is being handled by BigIP. It works just fine when http requests are pointed to it directly.

BigIP is supposed to strip off the "s" and communicate over an unencrypted port.
The logfiles look like they're getting http requests.

It's got to be something simple I'm missing but I've just been staring at this for too long.

Again, thanks for your help.

Dave

crwarman_at_yahoo.com (Craig Warman) wrote in message news:<a24e13f4.0411081441.33f78464_at_posting.google.com>...
> To follow up on Frank's response - One thing to keep in mind is that
> the http (Apache) and Forms servers need to know that they will be
> communicating via a reverse proxy with the client. In other words,
> they need to be aware that an intermediary will be handling the https
> side of things. This is usually done by modifying the virtual host
> settings in httpd.conf, and making some changes on the Forms server
> config.
>
> The error message you show below seems to indicate that the Forms
> server is trying to handle the request it sees as an encrypted (https)
> request - which won't be possible, since of course the request it's
> receiving is clear text, thanks to BigIP. If you have already dealt
> with virtual host settings and Forms server configs, then another
> route may be to have BigIP strip off the "https" - and also
> communicate over an unencrypted port. One test would be to look at
> the Forms server logfiles to see if it believes it's getting https
> requests that it needs to decrypt. If that's true, and you cannot get
> BigIP to strip off "https" (or in some way make it clear that it's not
> sending encrypted requests) then a sort of messy work-around would be
> to have Apache do something called "URL re-writes". I would recommend
> that you try your best to avoid this approach, however.
>
> The 9iAS version you're using leads me to believe that you're using
> Forms 6i server. Consider the following links as starting points for
> your research:
> http://download-east.oracle.com/docs/cd/A97335_01/apps.102/a86202/chap05.htm#1018024
>
> And
> http://download-east.oracle.com/docs/cd/A97335_01/apps.102/a86202/chap12.htm#84263
>
> Note that you must be using Oracle JInitiator, version 1.1.7.30 or
> later to utilize HTTPS.
>
> Two other places I would like to refer you to would be Metalink and
> OTN - look for something on configuring a reverse proxy in front of
> Forms Server. There are some whitepapers out there that specifically
> deal with this, however I don't have time at the moment to find them.
> I think you'll be able to locate them with a modest time investment
> though.
>
> If you need to research URL re-writes, here is where you might start:
> http://httpd.apache.org/docs/misc/rewriteguide.html
> Again I think you want to avoid this if possible.
>
> I don't know that what I've provided above will be a specific answer
> to your query. However if you haven't already looked at the material
> I've referenced, perhaps it will get you going in the right direction.
>
> Craig
>
>
>
> Frank van Bortel <fvanbortel_at_netscape.net> wrote in message news:<cmoe6v$c4s$1_at_news6.zwoll1.ov.home.nl>...
> > Dave Barstis wrote:
> > > We're trying to put a BigIP switch in front of our 9ias (1.0.2.2.2)
> > > server. BigIP will handle the encryption and pass an http request to
> > > the app server.
> > > Everything works fine when I bypass the BigIP server and only use http
> > > requests directly on the app server. I get an error when trying to
> > > access via BigIP.
> > >
> > > Here's what we have:
> > >
> > > 1. Client connects to https://host.name.edu:9098 (address
> > > 129.74.xx.xx) which is BigIP.
> > >
> > > 2. BigIP sends request to http://host.name.edu:9098 (address
> > > 172.19.xx.xx) which is 9i App Server behind the firewall.
> > >
> > > 3. Client gets menu form with
> > > https://host.name.edu:9098/dev60cgi/f60cgi?config=INSTANCE link on it.
> > >
> > > 4. While opening https://host.name.edu:9098/forms60java/oracle/forms/engine/Main.class,
> > > we get the following error:
> > >
> > > java.lang.ClassNotFoundException: oracle.forms.engine.Main
> > >
> > > with java.io.IOException: javax.net.ssl.SSLException: SSL handshake
> > > failed: X509CertChainInvalidErr appearing in the console window.
> > >
> > > I looked up the X509CertChainInvalidErr on Metalink but the solution
> > > doesn't apply here. Like I said, if I access the 9ias server
> > > directly, all works as advertised. I'm sure it's something simple
> > > that I'm overlooking but if anyone has any ideas, your help would be
> > > greatly appreciated.
> > >
> > > Thanks,
> > > Dave Barstis
> > > University of Notre Dame
> >
> > Install the dependent part of your certificate
> > on 9iAS; lots of browsers have base certificates on board,
> > 9iAS does not; and your certificate is only a partial one,
> > Verisign, I'd bet.
> >
> > Has been asked before; google is your friend
Received on Tue Nov 09 2004 - 16:16:31 CET
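
Frank's point about a partial certificate, as an added example that is not part of the original thread: a client whose trust store holds only the root CA (as a Java client such as JInitiator may) can validate a server certificate only if the TLS endpoint also presents the intermediate. The PKI below is constructed for the demonstration (all names, files and the `build_chain`/`chain_ok` helpers are made up) and assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Constructed demo PKI: root CA -> intermediate CA -> server certificate.

# new_csr BASENAME CN: create a fresh RSA key and a CSR for the given name.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# build_chain DIR: write root.pem, int.pem and leaf.pem into DIR.
build_chain() {
    printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$1/leaf.ext"
    new_csr "$1/root" "Demo Root CA"
    new_csr "$1/int" "Demo Intermediate CA"
    new_csr "$1/leaf" "host.name.edu"
    # Self-signed root, then intermediate signed by root, leaf by intermediate.
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
        -extfile "$1/ca.ext" -out "$1/root.pem" 2>/dev/null
    openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -set_serial 2 -days 2 -extfile "$1/ca.ext" -out "$1/int.pem" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
        -set_serial 3 -days 2 -extfile "$1/leaf.ext" -out "$1/leaf.pem" 2>/dev/null
}

# chain_ok ROOT LEAF [INTERMEDIATES]: succeed only if LEAF chains to the
# trusted ROOT using just the certificates the server would present.
chain_ok() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>/dev/null
    else
        openssl verify -CAfile "$1" "$2" 2>/dev/null
    fi | grep -q ': OK$'
}

d=$(mktemp -d) && build_chain "$d"
# Server presents only its own certificate: the client cannot build a path.
chain_ok "$d/root.pem" "$d/leaf.pem" \
    && echo "leaf only: verified" || echo "leaf only: chain incomplete"
# Server presents leaf plus intermediate: the path to the root is complete.
chain_ok "$d/root.pem" "$d/leaf.pem" "$d/int.pem" \
    && echo "leaf + intermediate: verified" || echo "leaf + intermediate: failed"
```

Against a live endpoint, `openssl s_client -connect host:port -showcerts` lists the certificates the server actually sends, which can be saved and checked the same way.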